From b318249a6d953924657a124f4e21e0d4799cb78b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Fri, 18 Aug 2023 16:20:08 +0300 Subject: [PATCH 001/127] chore: initial commit for akka to rpc migration. Refs: XRDDEV-2468 --- .gitignore | 1 + src/build.gradle | 19 ++-- src/common/common-rpc/build.gradle | 12 +++ .../org/niis/xroad/signer/grpc/RpcServer.java | 85 +++++++++++++++ .../grpc/ServerCredentialsConfigurer.java | 79 ++++++++++++++ src/gradle.properties | 3 + src/settings.gradle | 1 + src/signer-protocol/build.gradle | 35 ++++-- .../run-containerized-int-tests.sh | 24 +++++ .../ria/xroad/signer/glue/SignerStepDefs.java | 19 +++- .../resources/application-override.yml | 20 ++++ .../src/intTest/resources/signer-logback.xml | 19 ++++ .../java/ee/ria/xroad/signer/SignerProxy.java | 39 ++++++- .../signer/protocol/RpcSignerClient.java | 40 +++++++ .../signer/protocol/dto/CertRequestInfo.java | 35 ++++-- .../signer/protocol/dto/CertificateInfo.java | 56 +++++++--- .../xroad/signer/protocol/dto/KeyInfo.java | 56 +++++++--- .../signer/protocol/dto/KeyUsageInfo.java | 38 ------- .../xroad/signer/protocol/dto/TokenInfo.java | 71 +++++++++---- .../signer/protocol/dto/TokenStatusInfo.java | 44 -------- .../signer/protocol/message/ListTokens.java | 35 ------ .../src/main/proto/SignerApi.proto | 31 ++++++ .../src/main/proto/TokenStatusInfo.proto | 23 ++++ .../src/main/proto/Tokens.proto | 81 ++++++++++++++ src/signer/build.gradle | 1 + .../java/ee/ria/xroad/signer/SignerMain.java | 17 ++- .../java/ee/ria/xroad/signer/model/Cert.java | 69 +++++++++--- .../ria/xroad/signer/model/CertRequest.java | 35 +++++- .../java/ee/ria/xroad/signer/model/Key.java | 88 +++++++++++---- .../java/ee/ria/xroad/signer/model/Token.java | 100 ++++++++++++++---- .../handler/ImportCertRequestHandler.java | 6 +- .../handler/ListTokensRequestHandler.java | 55 ++++++++-- .../signer/tokenmanager/TokenManager.java | 28 +++-- 33 files changed, 982 insertions(+), 283 deletions(-) create mode 100644 src/common/common-rpc/build.gradle create 
mode 100644 src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java create mode 100644 src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/ServerCredentialsConfigurer.java create mode 100755 src/signer-protocol/run-containerized-int-tests.sh create mode 100755 src/signer-protocol/src/intTest/resources/application-override.yml create mode 100644 src/signer-protocol/src/intTest/resources/signer-logback.xml create mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyUsageInfo.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenStatusInfo.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ListTokens.java create mode 100644 src/signer-protocol/src/main/proto/SignerApi.proto create mode 100644 src/signer-protocol/src/main/proto/TokenStatusInfo.proto create mode 100644 src/signer-protocol/src/main/proto/Tokens.proto diff --git a/.gitignore b/.gitignore index a306723224..bf39790c39 100644 --- a/.gitignore +++ b/.gitignore @@ -17,4 +17,5 @@ legacy/lib/ .settings *.rpm .vagrant/ +gradle-cache **/.DS_Store \ No newline at end of file diff --git a/src/build.gradle b/src/build.gradle index 14039040af..fd7c215c37 100644 --- a/src/build.gradle +++ b/src/build.gradle 
@@ -10,14 +10,14 @@ buildscript { } plugins { - id 'org.sonarqube' version '3.3' - id 'org.owasp.dependencycheck' version '8.0.2' - id 'jacoco' - id 'java' - id 'idea' - id "io.spring.dependency-management" version "${springDependenciesVersion}" apply false - id 'org.springframework.boot' version "${springBootVersion}" apply false - //id "com.dorongold.task-tree" version "2.1.0" + id 'org.sonarqube' version '3.3' + id 'org.owasp.dependencycheck' version '8.0.2' + id 'jacoco' + id 'java' + id 'idea' + id "io.spring.dependency-management" version "${springDependenciesVersion}" apply false + id 'org.springframework.boot' version "${springBootVersion}" apply false + id 'com.google.protobuf' version "$protobufGradleVersion" apply false } repositories { @@ -258,6 +258,9 @@ configure(subprojects.findAll { !["frontend", "shared-ui", "ui"].contains(it.nam header rootProject.file('LICENSE.txt') include '**/*.java' skipExistingHeaders = true + mapping { + java = 'SLASHSTAR_STYLE' + } } licenseMain.source = fileTree('src/main') diff --git a/src/common/common-rpc/build.gradle b/src/common/common-rpc/build.gradle new file mode 100644 index 0000000000..9b1ad970ff --- /dev/null +++ b/src/common/common-rpc/build.gradle @@ -0,0 +1,12 @@ +plugins { + id 'java-library' +} + +dependencies { + implementation "org.slf4j:slf4j-api:${slf4jVersion}" + api "io.grpc:grpc-protobuf:${grpcVersion}" + api "io.grpc:grpc-stub:${grpcVersion}" + api "jakarta.annotation:jakarta.annotation-api:1.3.5" + + runtimeOnly "io.grpc:grpc-netty-shaded:${grpcVersion}" +} diff --git a/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java b/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java new file mode 100644 index 0000000000..057b4d12d3 --- /dev/null +++ b/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java 
@@ -0,0 +1,85 @@ +/* + * The MIT License + * + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ +package org.niis.xroad.signer.grpc; + +import io.grpc.Grpc; +import io.grpc.Server; +import io.grpc.ServerBuilder; +import io.grpc.ServerCredentials; +import lombok.extern.slf4j.Slf4j; + +import java.io.IOException; +import java.util.function.Consumer; + +import static org.niis.xroad.signer.grpc.ServerCredentialsConfigurer.createServerCredentials; + +/** + * Server that manages startup/shutdown of RPC server. 
+ */ +@Slf4j +public class RpcServer { + private Server server; + + private final int port; + private final ServerCredentials creds; + + public RpcServer(int port, ServerCredentials creds) { + this.port = port; + this.creds = creds; + } + + private void start(Consumer> configFunc) throws IOException { + ServerBuilder builder = Grpc.newServerBuilderForPort(port, creds); + configFunc.accept(builder); + + server = builder.build() + .start(); + log.info("Server started, listening on " + port); + + Runtime.getRuntime().addShutdownHook(new Thread(() -> { + // Use stderr here since the logger may have been reset by its JVM shutdown hook. + log.info("*** shutting down gRPC server since JVM is shutting down"); + RpcServer.this.stop(); + log.info("*** server shut down"); + })); + } + + private void stop() { + if (server != null) { + server.shutdown(); + } + } + + public static void init(int port, Consumer> configFunc) throws IOException { + log.info("Initializing grpc.."); + final RpcServer server = new RpcServer(port, createServerCredentials()); + server.start(configFunc); + log.info("Grpc is running.."); + } + + +} diff --git a/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/ServerCredentialsConfigurer.java b/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/ServerCredentialsConfigurer.java new file mode 100644 index 0000000000..4290eac7e9 --- /dev/null +++ b/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/ServerCredentialsConfigurer.java 
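Review bot: `Grpc.newServerBuilderForPort(port, creds)` in `start` listens on the wildcard address, while the only client in this patch (`RpcSignerClient.init`) dials `127.0.0.1` and `createServerCredentials()` currently returns `InsecureServerCredentials`. Until TLS with client authentication is wired in, the signer API (including `activateToken`) is reachable without authentication from any host that can reach the port. Bind to loopback instead, e.g. `NettyServerBuilder.forAddress(new InetSocketAddress(InetAddress.getLoopbackAddress(), port), creds)`, which needs the netty transport on the compile classpath rather than `runtimeOnly`. Separately, the shutdown-hook comment says to use stderr but the code calls `log.info`, and `stop()` calls `server.shutdown()` without `awaitTermination`, so in-flight calls may be cut off at JVM exit.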
@@ -0,0 +1,79 @@ +/* + * The MIT License + * + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ +package org.niis.xroad.signer.grpc; + +import io.grpc.ChannelCredentials; +import io.grpc.InsecureChannelCredentials; +import io.grpc.InsecureServerCredentials; +import io.grpc.ServerCredentials; +import io.grpc.TlsChannelCredentials; +import io.grpc.TlsServerCredentials; + +import java.io.File; +import java.io.IOException; + +public class ServerCredentialsConfigurer { + //TODO will be enabled in live env. 
+ private static final boolean USE_TLS = false; + + public static ServerCredentials createServerCredentials() throws IOException { + if (USE_TLS) { + //TODO fill to use tls auth. + File certChain = null; + File privateKey = null; + String privateKeyPassword = null; + File trustRootCert = null; + + TlsServerCredentials.Builder tlsBuilder = TlsServerCredentials.newBuilder() + .keyManager(certChain, privateKey, privateKeyPassword) + .trustManager(trustRootCert) + .clientAuth(TlsServerCredentials.ClientAuth.REQUIRE); + + return tlsBuilder.build(); + } else { + return InsecureServerCredentials.create(); + } + } + + public static ChannelCredentials createClientCredentials() throws IOException { + if (USE_TLS) { + //TODO fill to use tls auth. + File certChain = null; + File privateKey = null; + String privateKeyPassword = null; + File trustRootCert = null; + + TlsChannelCredentials.Builder tlsBuilder = TlsChannelCredentials.newBuilder() + .keyManager(certChain, privateKey, privateKeyPassword) + .trustManager(trustRootCert); + + return tlsBuilder.build(); + } else { + return InsecureChannelCredentials.create(); + } + } +} diff --git a/src/gradle.properties b/src/gradle.properties index 3a67d5f62c..9bccda32d5 100644 --- a/src/gradle.properties +++ b/src/gradle.properties @@ -60,3 +60,6 @@ bucket4jVersion=7.4.0 assertjVersion=3.24.1 assertj.version=${assertjVersion} swaggerAnnotationsVersion=2.2.8 +protocVersion=3.24.0 +protobufGradleVersion=0.9.4 +grpcVersion=1.57.1 diff --git a/src/settings.gradle b/src/settings.gradle index 3b0043623e..e7e7b6927c 100644 --- a/src/settings.gradle +++ b/src/settings.gradle @@ -21,6 +21,7 @@ include "common:common-op-monitoring" include "common:common-ui" include "common:common-util" include "common:common-verifier" +include 'common:common-rpc' // Main projects include "proxy" diff --git a/src/signer-protocol/build.gradle b/src/signer-protocol/build.gradle index e18b5de243..4fa4e57ad3 100644 --- a/src/signer-protocol/build.gradle 
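Review bot: `USE_TLS` is a compile-time `false`, so `createServerCredentials()` and `createClientCredentials()` always return the insecure variants and the signer channel is plaintext with no peer authentication; a deployment cannot turn TLS on without a rebuild. The TLS branches would also fail if the flag were flipped, because `certChain`, `privateKey` and `trustRootCert` are all `null` when passed to `keyManager(...)` and `trustManager(...)`. I would read the switch and the file paths from configuration, default to TLS, and throw an `IllegalStateException` when a required path is missing rather than falling back to insecure credentials. The class holds only static methods, so `final` plus a private constructor would match `SignerProxy`.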
+++ b/src/signer-protocol/build.gradle @@ -1,24 +1,41 @@ +plugins { + id 'com.google.protobuf' +} -ext { - cucumberVersion = '7.12.1' - junitJupiterVersion = '5.9.3' - junitPlatformSuiteVersion = '1.9.3' +sourceSets { + main { + java.srcDirs = [ + 'src/main/java' + , 'build/generated-sources' + , 'build/generated/source/proto/main/grpc' + , 'build/generated/source/proto/main/java'] + } } dependencies { implementation project(':common:common-util') + implementation project(':common:common-rpc') intTestRuntimeOnly project(':signer') intTestRuntimeOnly project(':common:common-util') - intTestImplementation "org.junit.jupiter:junit-jupiter-api:$junitJupiterVersion" + intTestImplementation("com.nortal.test:test-automation-core:$testAutomationFrameworkVersion") + intTestImplementation("com.nortal.test:test-automation-allure:$testAutomationFrameworkVersion") intTestImplementation "org.assertj:assertj-core:$assertjVersion" - intTestImplementation "io.cucumber:cucumber-java:$cucumberVersion" - intTestImplementation "io.cucumber:cucumber-junit-platform-engine:$cucumberVersion" - intTestImplementation "org.junit.platform:junit-platform-suite:$junitPlatformSuiteVersion" - intTestRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitJupiterVersion" } +protobuf { + protoc { artifact = "com.google.protobuf:protoc:$protocVersion" } + plugins { + grpc { artifact = "io.grpc:protoc-gen-grpc-java:$grpcVersion" } + } + generateProtoTasks { + all()*.plugins { grpc {} } + } +} + +compileJava.dependsOn generateProto + test { useJUnitPlatform() } diff --git a/src/signer-protocol/run-containerized-int-tests.sh b/src/signer-protocol/run-containerized-int-tests.sh new file mode 100755 index 0000000000..2a1b202ae0 --- /dev/null +++ b/src/signer-protocol/run-containerized-int-tests.sh 
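Review bot: The two new `intTest` dependencies reference `$testAutomationFrameworkVersion`, but the `gradle.properties` change in this patch only adds `protocVersion`, `protobufGradleVersion` and `grpcVersion`; unless that property is already defined elsewhere, configuring this module fails. The `sourceSets` block also hard-codes `build/generated/source/proto/main/java` and `.../grpc`, which the protobuf plugin normally registers on its own. If the build works without them, I would drop the manual `srcDirs` entries and `compileJava.dependsOn generateProto`, so a change in the plugin's output directory cannot silently break compilation.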
@@ -0,0 +1,24 @@ +#!/bin/bash + +cwd="$(pwd)" + +gradleModule="signer-protocol" +gradleArgs="intTest" + +echo "Preparing container.." +docker build -t docker-compile "$XROAD_HOME/src/packages/docker-compile" || errorExit "Error building image." + + +echo "Executing within container.." +OPTS=("--rm" "-v" "$XROAD_HOME/:/mnt" "-u" "$(id -u):$(id -g)" "-e" "HOME=/workspace/src/packages") + + +echo "Rebuilding signer locally.." +cd "$XROAD_HOME/src" +./gradlew assemble -p signer +./gradlew clean -p $gradleModule + +echo "Running signer-protocol int tests.." +cd "$cwd" || exit +mkdir "build" +docker run "${OPTS[@]}" docker-compile sh -c "cd /mnt/src/ && ./gradlew $gradleArgs -p $gradleModule" > build/containerized-test-exec.log diff --git a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java index fb9f13d5cf..e4de950592 100644 --- a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java +++ b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java @@ -41,6 +41,7 @@ import ee.ria.xroad.signer.protocol.message.GetMemberCertsResponse; import akka.actor.ActorSystem; +import com.nortal.test.core.report.TestReportService; import com.typesafe.config.Config; import com.typesafe.config.ConfigFactory; import io.cucumber.java.AfterAll; @@ -50,8 +51,11 @@ import io.cucumber.java.en.Then; import io.cucumber.java.en.When; import lombok.RequiredArgsConstructor; +import lombok.SneakyThrows; +import lombok.extern.slf4j.Slf4j; import org.bouncycastle.util.encoders.Base64; import org.junit.jupiter.api.Assertions; +import org.springframework.beans.factory.annotation.Autowired; import java.io.BufferedReader; import java.io.IOException; 
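Review bot: `XROAD_HOME` is used unchecked: when it is unset, `-v "$XROAD_HOME/:/mnt"` becomes `-v /:/mnt` and mounts the host root into the container, and `cd "$XROAD_HOME/src"` has no `|| exit`, so the `./gradlew` calls run from wherever the script was started. Add `: "${XROAD_HOME:?XROAD_HOME must be set}"` and `set -euo pipefail` at the top of the script. `errorExit` is called when `docker build` fails but is not defined in this file, so the failure only prints "command not found" and the run continues. `mkdir "build"` fails on a second run; use `mkdir -p build`.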
@@ -76,10 +80,14 @@ import static java.util.concurrent.TimeUnit.MILLISECONDS; import static org.assertj.core.api.Assertions.assertThat; +@Slf4j public class SignerStepDefs { private static Process signerProcess; + @Autowired + private TestReportService testReportService; + private String keyId; private String csrId; private String certHash; @@ -148,9 +156,13 @@ public void tokenIsLoggedOut(String tokenId) throws Exception { SignerProxy.deactivateToken(tokenId); } + @SneakyThrows @Then("token {string} is active") public void tokenIsActive(String tokenId) throws Exception { - assertThat(SignerProxy.getToken(tokenId).isActive()).isTrue(); + var tokenInfo = SignerProxy.getToken(tokenId); + + testReportService.attachText("TokenInfo", tokenInfo.toString()); + assertThat(tokenInfo.isActive()).isTrue(); } @When("token {string} pin is updated from {string} to {string}") @@ -352,6 +364,7 @@ private static void startSigner(int port) throws InterruptedException { try { ProcessBuilder pb = new ProcessBuilder("java", "-Dxroad.signer.port=" + port, + "-Dlogback.configurationFile=build/resources/intTest/signer-logback.xml", "-Dxroad.signer.key-configuration-file=" + "build/resources/intTest/keyconf.xml", "-Dxroad.signer.device-configuration-file=" @@ -381,10 +394,10 @@ public void run() { BufferedReader br = new BufferedReader(new InputStreamReader(is)); String line; while ((line = br.readLine()) != null) { - System.out.println(line); + log.info("[Signer] {}", line); } } catch (IOException ioe) { - ioe.printStackTrace(); + log.error("Failed to read process logs", ioe); } } } diff --git a/src/signer-protocol/src/intTest/resources/application-override.yml b/src/signer-protocol/src/intTest/resources/application-override.yml new file mode 100755 index 0000000000..27e1a82cad --- /dev/null +++ b/src/signer-protocol/src/intTest/resources/application-override.yml 
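Review bot: `@SneakyThrows` on `tokenIsActive` is redundant because the method already declares `throws Exception`; drop the annotation and the `lombok.SneakyThrows` import. The new `testReportService.attachText("TokenInfo", tokenInfo.toString())` writes whatever `TokenInfo.toString()` yields into the test report. `TokenInfo` is rewritten in this patch outside the visible part, so confirm that its string form does not dump certificate or key bytes into the report.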
@@ -0,0 +1,20 @@ +--- +#Logging configuration +logging: + level: + ROOT: INFO + cucumber: TRACE + liquibase: WARN + org.springframework: INFO + com.nortal.test: INFO # TRACE is helpful for development + +test-automation: + report-name: xroad-signer-test-suite + spring-component-scan: "ee.ria.xroad.signer" + cucumber: + execution: + parallel: + enabled: false + glue-append: "ee.ria.xroad.signer.glue" + filter: + tags: "not @Skip" diff --git a/src/signer-protocol/src/intTest/resources/signer-logback.xml b/src/signer-protocol/src/intTest/resources/signer-logback.xml new file mode 100644 index 0000000000..94fe28fc3a --- /dev/null +++ b/src/signer-protocol/src/intTest/resources/signer-logback.xml @@ -0,0 +1,19 @@ + + + + + + %d{"yyyy-MM-dd'T'HH:mm:ss.SSSXXX"} %level [xroad-signer] [%thread] %logger{36} - %msg%n%rEx{3} + + + + + + + + + + + + + diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java index c99b3cc750..649f184e1b 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java @@ -28,6 +28,7 @@ import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.identifier.SecurityServerId; import ee.ria.xroad.common.util.PasswordStore; +import ee.ria.xroad.signer.protocol.RpcSignerClient; import ee.ria.xroad.signer.protocol.SignerClient; import ee.ria.xroad.signer.protocol.dto.AuthKeyInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; 
@@ -37,7 +38,6 @@ import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyId; import ee.ria.xroad.signer.protocol.message.ActivateCert; -import ee.ria.xroad.signer.protocol.message.ActivateToken; import ee.ria.xroad.signer.protocol.message.CertificateRequestFormat; import ee.ria.xroad.signer.protocol.message.DeleteCert; import ee.ria.xroad.signer.protocol.message.DeleteCertRequest; @@ -69,7 +69,6 @@ import ee.ria.xroad.signer.protocol.message.ImportCert; import ee.ria.xroad.signer.protocol.message.ImportCertResponse; import ee.ria.xroad.signer.protocol.message.InitSoftwareToken; -import ee.ria.xroad.signer.protocol.message.ListTokens; import ee.ria.xroad.signer.protocol.message.RegenerateCertRequest; import ee.ria.xroad.signer.protocol.message.RegenerateCertRequestResponse; import ee.ria.xroad.signer.protocol.message.SetCertStatus; @@ -84,6 +83,9 @@ import lombok.Value; import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.signer.proto.ActivateTokenRequest; +import org.niis.xroad.signer.proto.Empty; +import org.niis.xroad.signer.proto.ListTokensResponse; import java.security.PublicKey; import java.util.Arrays; @@ -96,6 +98,7 @@ */ @Slf4j public final class SignerProxy { + private static RpcSignerClient signerClient; private SignerProxy() { } 
@@ -121,7 +124,23 @@ public static void initSoftwareToken(char[] password) throws Exception { * @throws Exception if any errors occur */ public static List getTokens() throws Exception { - return execute(new ListTokens()); + ListTokensResponse response = getSignerClient().getSignerApiBlockingStub().listTokens(Empty.newBuilder().build()); + + return response.getTokensList().stream() + .map(TokenInfo::new) + .collect(Collectors.toList()); + } + + private static RpcSignerClient getSignerClient() { + //TODO this is unsafe, but works for poc. + if (signerClient == null) { + try { + signerClient = RpcSignerClient.init(5560); + } catch (Exception e) { + log.error("Failed to init client", e); + } + } + return signerClient; } /** @@ -132,7 +151,9 @@ public static List getTokens() throws Exception { * @throws Exception if any errors occur */ public static TokenInfo getToken(String tokenId) throws Exception { + return execute(new GetTokenInfo(tokenId)); + } /** @@ -147,7 +168,11 @@ public static void activateToken(String tokenId, char[] password) throws Excepti log.trace("Activating token '{}'", tokenId); - execute(new ActivateToken(tokenId, true)); + getSignerClient().getSignerApiBlockingStub() + .activateToken(ActivateTokenRequest.newBuilder() + .setTokenId(tokenId) + .setActivate(true) + .build()); } /** @@ -175,7 +200,11 @@ public static void deactivateToken(String tokenId) throws Exception { log.trace("Deactivating token '{}'", tokenId); - execute(new ActivateToken(tokenId, false)); + getSignerClient().getSignerApiBlockingStub() + .activateToken(ActivateTokenRequest.newBuilder() + .setTokenId(tokenId) + .setActivate(false) + .build()); } /** diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java new file mode 100644 index 0000000000..a33dfd5a67 --- /dev/null 
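Review bot: `getSignerClient()` logs and swallows the init failure and then returns `null`, so `getTokens()`, `activateToken()` and `deactivateToken()` fail with a `NullPointerException` that hides the real cause. The lazy init is also unsynchronized on a static field, and the port `5560` is hard-coded. All three callers already declare `throws Exception`, so the helper can propagate the failure and be `synchronized`, as in the rewritten helper that follows. The port should probably come from the same configuration the signer uses, which I cannot see here. The bodies of `activateToken` and `deactivateToken` begin outside these hunks.

```java
private static synchronized RpcSignerClient getSignerClient() throws Exception {
    if (signerClient == null) {
        // Propagate the failure: callers declare throws Exception, and a null client
        // only resurfaces later as an unrelated NullPointerException.
        signerClient = RpcSignerClient.init(5560);
    }
    return signerClient;
}
```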
+++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java @@ -0,0 +1,40 @@ +package ee.ria.xroad.signer.protocol; + +import io.grpc.Channel; +import io.grpc.Grpc; +import io.grpc.ManagedChannel; +import lombok.Getter; +import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.signer.proto.SignerApiGrpc; + +import static org.niis.xroad.signer.grpc.ServerCredentialsConfigurer.createClientCredentials; + +@Slf4j +public class RpcSignerClient { + @Getter + private final SignerApiGrpc.SignerApiStub signerApiStub; + @Getter + private final SignerApiGrpc.SignerApiBlockingStub signerApiBlockingStub; + + /** + * Construct client for accessing RouteGuide server using the existing channel. + */ + public RpcSignerClient(Channel channel) { + signerApiStub = SignerApiGrpc.newStub(channel); + signerApiBlockingStub = SignerApiGrpc.newBlockingStub(channel); + } + + /** + * Greet server. If provided, the first element of {@code args} is the name to use in the + * greeting. + */ + public static RpcSignerClient init(int port) throws Exception { + log.info("Starting grpc client init.."); + ManagedChannel channel = Grpc.newChannelBuilderForAddress("127.0.0.1", port, createClientCredentials()) + .build(); + + RpcSignerClient client = new RpcSignerClient(channel); + + return client; + } +} diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java index ffd95d8a66..a87e60eafd 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java 
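Review bot: `init` builds a `ManagedChannel` but keeps no reference to it, so the channel can never be shut down. Store it in a field and expose a `shutdown()` that calls `channel.shutdown()`. The two Javadoc comments are left over from the gRPC samples ("RouteGuide server", "Greet server ... `args`") and describe neither method; replace them with e.g. `/** Creates the signer stubs on an existing channel. */` and `/** Opens a channel to the signer on 127.0.0.1 at the given port and returns a client bound to it. */`. The file also lacks the license header that the other new Java files in this patch carry.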
@@ -4,17 +4,17 @@ * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * + *

* Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - * + *

* The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - * + *

* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE @@ -27,20 +27,39 @@ import ee.ria.xroad.common.identifier.ClientId; -import lombok.Value; +import lombok.RequiredArgsConstructor; import java.io.Serializable; /** * Certificate request info DTO. */ -@Value +@RequiredArgsConstructor public class CertRequestInfo implements Serializable { - private final String id; + private final CertRequestInfoProto message; - private final ClientId memberId; + public String getId() { + return message.getId(); + } - private final String subjectName; + public ClientId getMemberId() { + ClientIdProto memberId = message.getMemberId(); + //TODO:grpc refine this check + if (message.getMemberId().hasField(ClientIdProto.getDescriptor().findFieldByName("subsystem_code"))) { + return ClientId.Conf.create(memberId.getXroadInstance(), + memberId.getMemberClass(), + memberId.getMemberCode(), + memberId.getSubsystemCode()); + } else { + return ClientId.Conf.create(memberId.getXroadInstance(), + memberId.getMemberClass(), + memberId.getMemberCode()); + } + } + + public String getSubjectName() { + return message.getSubjectName(); + } } diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java index 6be0359503..6c829141a8 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java 
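Review bot: `getMemberId()` can no longer return `null`: a protobuf message getter returns the default instance when the field is unset, so a request without a member becomes a `ClientId` built from empty strings instead of the absent value the old field could hold. Check presence first with `if (!message.hasMemberId()) { return null; }`, and replace the descriptor lookup by string (`findFieldByName("subsystem_code")`) with a generated accessor if the `.proto`, which is not visible here, declares that field `optional`. The same block is copied into `CertificateInfo.getMemberId()` further down in this patch; a shared mapper would keep the two in step. Dropping `@Value` also removes the generated `equals`/`hashCode`/`toString`.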
@@ -4,17 +4,17 @@ * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * + *

* Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - * + *

* The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - * + *

* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE @@ -27,16 +27,16 @@ import ee.ria.xroad.common.identifier.ClientId; +import lombok.RequiredArgsConstructor; import lombok.ToString; -import lombok.Value; import java.io.Serializable; /** * Certificate info DTO. */ -@Value -@ToString(exclude = { "certificateBytes", "ocspBytes" }) +@RequiredArgsConstructor +@ToString(exclude = {"certificateBytes", "ocspBytes"})//TODO:grpc public class CertificateInfo implements Serializable { public static final String STATUS_SAVED = "saved"; 
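Review bot: `@ToString(exclude = {"certificateBytes", "ocspBytes"})` no longer excludes anything, because the class's only field is now `message` (added in the next hunk). Lombok's `toString()` would therefore print the whole proto, certificate and OCSP bytes included, into any log line or report that formats a `CertificateInfo`. Write `toString()` by hand over the id, status and flags, or put `@ToString.Exclude` on `message` and include only the getters you want. With `@Value` gone, `equals`/`hashCode` also fall back to identity; if any caller compares or de-duplicates these DTOs, add `@EqualsAndHashCode` or delegate to `message.equals(...)`.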
@@ -50,23 +50,45 @@ public class CertificateInfo implements Serializable { public static final String OCSP_RESPONSE_UNKNOWN = "unknown"; public static final String OCSP_RESPONSE_SUSPENDED = "suspended"; - private final ClientId.Conf memberId; + private final CertificateInfoProto message; - private final boolean active; + public ClientId.Conf getMemberId() { + ClientIdProto memberId = message.getMemberId(); + //TODO:grpc refine this check + if (message.getMemberId().hasField(ClientIdProto.getDescriptor().findFieldByName("subsystem_code"))) { + return ClientId.Conf.create(memberId.getXroadInstance(), + memberId.getMemberClass(), + memberId.getMemberCode(), + memberId.getSubsystemCode()); + } else { + return ClientId.Conf.create(memberId.getXroadInstance(), + memberId.getMemberClass(), + memberId.getMemberCode()); + } + } - private final boolean savedToConfiguration; + public boolean isActive() { + return message.getActive(); + } - private final String status; + public boolean isSavedToConfiguration() { + return message.getSavedToConfiguration(); + } - private final String id; + public String getStatus() { + return message.getStatus(); + } - private final byte[] certificateBytes; - private final byte[] ocspBytes; + public String getId() { + return message.getId(); + } - /** - * @return returns the certificate as byte array - */ public byte[] getCertificateBytes() { - return certificateBytes; + return message.getCertificateBytes().toByteArray(); + } + + public byte[] getOcspBytes() { + return message.getOcspBytes().toByteArray(); } + } diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java index 9407b785ac..230064fa3f 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java 
@@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -25,37 +25,63 @@ */ package ee.ria.xroad.signer.protocol.dto; +import lombok.RequiredArgsConstructor; import lombok.Value; import java.io.Serializable; import java.util.List; +import java.util.stream.Collectors; /** * Tiny container class to help handle the key list */ -@Value +@RequiredArgsConstructor public final class KeyInfo implements Serializable { - private final boolean available; + private final KeyInfoProto message; - private final KeyUsageInfo usage; + public boolean isAvailable() { + return message.getAvailable(); + } - private final String friendlyName; + public KeyUsageInfo getUsage() { + return message.getUsage(); + } - private final String id; + public String getFriendlyName() { + return message.getFriendlyName(); + } - private final String label; + public String getId() { + return message.getId(); + } - private final String publicKey; + public String getLabel() { + return message.getLabel(); + } - private final List certs; + public String getPublicKey() { + return message.getPublicKey(); + } - private final List certRequests; + public List getCerts() { + return message.getCertsList().stream() + .map(CertificateInfo::new) + .collect(Collectors.toList()); + } - private final String signMechanismName; + public List getCertRequests() { + return message.getCertRequestsList().stream() + .map(CertRequestInfo::new) + .collect(Collectors.toList()); + } + + public String getSignMechanismName() { + return message.getSignMechanismName(); + } public boolean isForSigning() { - return usage == KeyUsageInfo.SIGNING; + return getUsage() == KeyUsageInfo.SIGNING; } /** 
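Review bot: `import lombok.Value;` stays in the import list although `@Value` is removed from the class, which an unused-import check would flag; remove it. `getCerts()` and `getCertRequests()` build a new wrapper list on every call, and `isSavedToConfiguration()` in the next hunk now goes through both, so consider building the two lists once in the constructor. `getUsage()` returns `message.getUsage()` as `KeyUsageInfo` while the Java enum of that name is deleted in this patch. This presumably relies on a generated enum of the same name from the proto files, which are outside the visible part.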
@@ -64,11 +90,11 @@ public boolean isForSigning() { * (logic originally from token_renderer.rb#key_saved_to_configuration) */ public boolean isSavedToConfiguration() { - if (!certRequests.isEmpty()) { + if (!getCertRequests().isEmpty()) { return true; } - return certs.stream() - .anyMatch(certificateInfo -> certificateInfo.isSavedToConfiguration()); + return getCerts().stream() + .anyMatch(CertificateInfo::isSavedToConfiguration); } } diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyUsageInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyUsageInfo.java deleted file mode 100644 index cb5d17b10c..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyUsageInfo.java +++ /dev/null 
@@ -1,38 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.dto; - -import java.io.Serializable; - -/** - * Key usage can either be signing or authentication. - */ -public enum KeyUsageInfo implements Serializable { - - SIGNING, - AUTHENTICATION; - -} diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfo.java index b79bf2236d..fe0e895ccf 100644 
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfo.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
@@ -25,51 +25,86 @@ */ package ee.ria.xroad.signer.protocol.dto; -import lombok.Value; +import lombok.RequiredArgsConstructor; +import lombok.ToString; import java.io.Serializable; import java.util.List; import java.util.Map; +import java.util.stream.Collectors; + /** * Token info DTO. */ -@Value +@ToString +@RequiredArgsConstructor public final class TokenInfo implements Serializable { public static final String SOFTWARE_MODULE_TYPE = "softToken"; - private final String type; + private final TokenInfoProto message; - private final String friendlyName; + public String getType() { + return message.getType(); + } - private final String id; + public String getFriendlyName() { + return message.getFriendlyName(); + } - private final boolean readOnly; + public String getId() { + return message.getId(); + } - private final boolean available; + public boolean isReadOnly() { + return message.getReadOnly(); + } - private final boolean active; + public boolean isAvailable() { + return message.getAvailable(); + } - private final String serialNumber; + public boolean isActive() { + return message.getActive(); + } - private final String label; + public String getSerialNumber() { + return message.getSerialNumber(); + } - private final int slotIndex; + public String getLabel() { + return message.getLabel(); + } + + public int getSlotIndex() { + return message.getSlotIndex(); + } + + public TokenStatusInfo getStatus() { + return message.getStatus(); + } - private final TokenStatusInfo status; + public List getKeyInfo() { + return message.getKeyInfoList().stream() + .map(KeyInfo::new) + .collect(Collectors.toList()); + } - private final List keyInfo; + public Map getTokenInfo() { + return message.getTokenInfoMap(); + } - /** Contains label-value pairs of information about token. */ - private final Map tokenInfo; + public TokenInfoProto asMessage() { + return message; + } /** * Logic to determine if a token is saved to configuration. 
* True if there is at least one key which is saved to configuration */ public boolean isSavedToConfiguration() { - return keyInfo.stream() - .anyMatch(k -> k.isSavedToConfiguration()); + return getKeyInfo().stream() + .anyMatch(KeyInfo::isSavedToConfiguration); } } diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenStatusInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenStatusInfo.java deleted file mode 100644 index 6cc54f3f07..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenStatusInfo.java +++ /dev/null 
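Review bot: Replacing `@Value` with `@ToString` and `@RequiredArgsConstructor` drops the generated `equals` and `hashCode`, so two `TokenInfo` objects wrapping equal messages now compare by identity. Protobuf messages implement value equality, so adding `@EqualsAndHashCode` to the class restores the earlier behaviour for code that compares these DTOs or keeps them in sets and maps. `KeyInfo` in the earlier hunk loses `toString` as well. The new accessors have no Javadoc; `getKeyInfo()` in particular deserves a line saying that it builds a fresh list of wrappers on every call.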
@@ -1,44 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.dto; - -import java.io.Serializable; - -/** - * Token status info DTO. - */ -public enum TokenStatusInfo implements Serializable { - - OK, // Normal operation status - USER_PIN_LOCKED, // Blocked - USER_PIN_INCORRECT, // Incorrect PIN was entered - USER_PIN_INVALID, // Invalid PIN - USER_PIN_EXPIRED, // PIN expired - USER_PIN_COUNT_LOW, // Only a few tries left - USER_PIN_FINAL_TRY, // Final try - NOT_INITIALIZED // PIN not initialized - -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ListTokens.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ListTokens.java deleted file mode 100644 index 169274a3eb..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ListTokens.java +++ /dev/null 
@@ -1,35 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import java.io.Serializable; - -/** - * Signer API message. - */ -public class ListTokens implements Serializable { - -} diff --git a/src/signer-protocol/src/main/proto/SignerApi.proto b/src/signer-protocol/src/main/proto/SignerApi.proto new file mode 100644 index 0000000000..f8b21f806f --- /dev/null +++ b/src/signer-protocol/src/main/proto/SignerApi.proto 
@@ -0,0 +1,31 @@ +syntax = "proto3"; + +option java_multiple_files = true; +//option java_package = "org.niis.xroad.signer.proto"; + +import "Tokens.proto"; +import "TokenStatusInfo.proto"; + + +package org.niis.xroad.signer.proto; + +service SignerApi { + + rpc listTokens (Empty) returns (ListTokensResponse) {} + + rpc activateToken (ActivateTokenRequest) returns (Empty) {} +} + +/* Generic empty request/response. */ +message Empty { +} + +message ListTokensResponse { + repeated TokenInfoProto tokens = 1; +} + +message ActivateTokenRequest{ + string tokenId = 1; + bool activate = 2; +} + diff --git a/src/signer-protocol/src/main/proto/TokenStatusInfo.proto b/src/signer-protocol/src/main/proto/TokenStatusInfo.proto new file mode 100644 index 0000000000..71bdb7b63c --- /dev/null +++ b/src/signer-protocol/src/main/proto/TokenStatusInfo.proto @@ -0,0 +1,23 @@ +syntax = "proto3"; + +//package protocol; + +option java_multiple_files = true; +option java_package = "ee.ria.xroad.signer.protocol.dto"; + +//option java_outer_classname = "TokenStatusInfo"; +//option objc_class_prefix = "HLW"; + +//import "google/protobuf/empty.proto"; + +/* Token status info DTO. */ +enum TokenStatusInfo { + OK = 0; // Normal operation status + USER_PIN_LOCKED = 1;// Blocked + USER_PIN_INCORRECT = 2; // Incorrect PIN was entered + USER_PIN_INVALID = 3; // Invalid PIN + USER_PIN_EXPIRED = 4; // PIN expired + USER_PIN_COUNT_LOW = 5; // Only a few tries left + USER_PIN_FINAL_TRY = 6; // Final try + NOT_INITIALIZED = 7; // PIN not initialized +} diff --git a/src/signer-protocol/src/main/proto/Tokens.proto b/src/signer-protocol/src/main/proto/Tokens.proto new file mode 100644 index 0000000000..05c30aba33 --- /dev/null +++ b/src/signer-protocol/src/main/proto/Tokens.proto 
@@ -0,0 +1,81 @@ +syntax = "proto3"; +import "TokenStatusInfo.proto"; + +//package protocol; + +option java_multiple_files = true; +option java_package = "ee.ria.xroad.signer.protocol.dto"; +//option java_outer_classname = "TokenStatusInfo"; +//option objc_class_prefix = "HLW"; + +//import "google/protobuf/empty.proto"; + + +message TokenInfoProto { + string type = 1; + string friendlyName = 2; + string id = 3; + bool readOnly = 4; + bool available = 5; + bool active = 6; + string serialNumber = 7; + string label = 8; + int32 slotIndex = 9; + TokenStatusInfo status = 10; + repeated KeyInfoProto keyInfo = 11; + map tokenInfo = 12; +} + +message KeyInfoProto { + bool available = 1; + KeyUsageInfo usage = 2; + string friendly_name = 3; + string id = 4; + string label = 5; + string public_key = 6; + repeated CertificateInfoProto certs = 7; + repeated CertRequestInfoProto cert_requests = 8; + string sign_mechanism_name = 9; +} + +message CertificateInfoProto { + ClientIdProto memberId = 1; + bool active = 2; + bool savedToConfiguration = 3; + string status = 4; + string id = 5; + bytes certificate_bytes = 6; + bytes ocsp_bytes = 7; + // Add other fields as needed +} + +message CertRequestInfoProto { + string id = 1; + ClientIdProto memberId = 2; + string subject_name = 3; + // Add other fields as needed +} + +message ClientIdProto { + string member_class = 1; + string member_code = 2; + string subsystem_code = 3; + + string xroad_instance = 4; + XRoadObjectType object_type = 5; +} + +enum XRoadObjectType { + SERVER = 0; + SERVICE = 1; + MEMBER = 2; + SUBSYSTEM = 3; + GLOBALGROUP = 4; + LOCALGROUP = 5 [deprecated = true]; // Deprecated +} + +/* Key usage can either be signing or authentication. */ +enum KeyUsageInfo { + SIGNING = 0; + AUTHENTICATION = 1; +} diff --git a/src/signer/build.gradle b/src/signer/build.gradle index 8426ef035d..fa2abd630d 100644 --- a/src/signer/build.gradle +++ b/src/signer/build.gradle 
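Review bot: `subsystem_code` in `ClientIdProto` is a plain proto3 string, so the message cannot distinguish a member identifier from one with an empty subsystem code, and `CertificateInfo.getMemberId()` has to infer presence through a descriptor lookup by name (marked TODO there). Declaring it `optional string subsystem_code = 3;` generates `hasSubsystemCode()` and lets the reader drop the reflection, provided the protoc version in use supports proto3 `optional`. Field naming is also mixed in this file: `TokenInfoProto` and the `memberId` fields use camelCase while the rest use snake_case. Since the reader looks a field up by its string name, settling on one convention now (snake_case is the protobuf style) avoids a silent mismatch later.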
@@ -16,6 +16,7 @@ sourceSets { dependencies { implementation project(':common:common-util') implementation project(':common:common-verifier') + implementation project(':common:common-rpc') implementation project(':signer-protocol') // Necessary since there are jars with no adequate Maven dependencies diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java index 2625b45f45..9b0600709a 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -32,6 +32,7 @@ import ee.ria.xroad.common.util.AdminPort; import ee.ria.xroad.common.util.JsonUtils; import ee.ria.xroad.signer.certmanager.OcspClientWorker; +import ee.ria.xroad.signer.protocol.handler.ListTokensRequestHandler; import ee.ria.xroad.signer.util.SignerUtil; import akka.actor.ActorSystem; @@ -40,6 +41,7 @@ import com.typesafe.config.ConfigFactory; import com.typesafe.config.ConfigValueFactory; import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.signer.grpc.RpcServer; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -82,6 +84,7 @@ private SignerMain() { /** * Entry point to Signer. + * * @param args the arguments * @throws Exception if an error occurs */ @@ -95,6 +98,7 @@ public static void main(String[] args) throws Exception { } private static void startup() throws Exception { + long start=System.currentTimeMillis(); Version.outputVersionInfo(APP_NAME); int signerPort = SystemProperties.getSignerPort(); log.info("Starting Signer on port {}...", signerPort); 
@@ -105,6 +109,17 @@ private static void startup() throws Exception { CoordinatedShutdown.get(actorSystem).addJvmShutdownHook(SignerMain::shutdown); signer.start(); adminPort.start(); + + initGrpc(); + log.info("Signer has been initialized in {} ms.", System.currentTimeMillis() - start); + } + + private static void initGrpc() throws Exception { + int port = 5560; + log.info("Initializing GRPC server on port {}.. ", port); + RpcServer.init(port, builder -> { + builder.addService(new ListTokensRequestHandler(actorSystem)); + }); } private static void shutdown() { diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java b/src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java index 69a963f2ce..965fb4fff7 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -27,7 +27,9 @@ import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; +import ee.ria.xroad.signer.protocol.dto.CertificateInfoProto; +import com.google.protobuf.ByteString; import lombok.AccessLevel; import lombok.Data; import lombok.Setter; @@ -39,6 +41,7 @@ import static ee.ria.xroad.common.ErrorCodes.translateException; import static ee.ria.xroad.common.util.CryptoUtils.calculateCertHexHash; import static ee.ria.xroad.common.util.CryptoUtils.readCertificate; +import static ee.ria.xroad.signer.model.CertRequest.toDto; /** * Model object that holds the information associated with a certificate. 
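Review bot: `initGrpc()` hard-codes `int port = 5560;` while the Akka port a few lines above comes from `SystemProperties.getSignerPort()`, so the new listener cannot be moved or turned off by configuration. Read the port from the same configuration source. This hunk does not show which address `RpcServer.init` binds or which credentials it applies, so add a comment on `initGrpc()` stating that the listener is expected to be local-only and authenticated, since it serves the token listing. Nothing visible here stops the gRPC server in `shutdown()`, whose body lies outside this hunk. The `long start=System.currentTimeMillis();` added in the earlier `startup()` hunk is missing the spaces around `=`.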
@@ -46,34 +49,51 @@ @Data public class Cert { - /** ID for cert that is used by the OCSP request keys. (optional) */ + /** + * ID for cert that is used by the OCSP request keys. (optional) + */ private final String id; - /** If this certificate belongs to signing key, then this attribute contains - * identifier of the member that uses this certificate. */ + /** + * If this certificate belongs to signing key, then this attribute contains + * identifier of the member that uses this certificate. + */ private ClientId.Conf memberId; - /** Whether this certificate can be used by the proxy. */ + /** + * Whether this certificate can be used by the proxy. + */ private boolean active; - /** Whether this certificate is in the configuration. */ + /** + * Whether this certificate is in the configuration. + */ private boolean savedToConfiguration; - /** Holds the status of the certificate. */ + /** + * Holds the status of the certificate. + */ private String status; - /** Holds the precalculated hash of the certificate. */ + /** + * Holds the precalculated hash of the certificate. + */ @Setter(AccessLevel.PRIVATE) private String hash; - /** Holds the certificate instance. */ + /** + * Holds the certificate instance. + */ private X509Certificate certificate; - /** Holds the OCSP response of the certificate. */ + /** + * Holds the OCSP response of the certificate. + */ private OCSPResp ocspResponse; /** * Sets the certificate and hash + * * @param cert the certificate */ public void setCertificate(X509Certificate cert) { @@ -87,6 +107,7 @@ public void setCertificate(X509Certificate cert) { /** * Sets the certificate and hash + * * @param certBytes the bytes of the certificate */ public void setCertificate(byte[] certBytes) { @@ -99,6 +120,7 @@ public void setCertificate(byte[] certBytes) { /** * Sets the ocsp response + * * @param ocspBytes the bytes of the ocsp response */ public void setOcspResponse(byte[] ocspBytes) { 
@@ -115,6 +137,7 @@ public void setOcspResponse(byte[] ocspBytes) { /** * Sets the ocsp response + * * @param ocsp the ocsp response */ public void setOcspResponse(OCSPResp ocsp) { @@ -132,15 +155,35 @@ public byte[] getBytes() { } } + public CertificateInfoProto toProtoDTO() { + try { + var builder = CertificateInfoProto.newBuilder() + .setMemberId(toDto(memberId)) + .setActive(active) + .setSavedToConfiguration(savedToConfiguration) + .setStatus(status) + .setId(id); + + if (certificate != null) { + builder.setCertificateBytes(ByteString.copyFrom(certificate.getEncoded())); + } + if (ocspResponse != null) { + builder.setOcspBytes(ByteString.copyFrom(ocspResponse.getEncoded())); + } + return builder.build(); + } catch (Exception e) { + throw translateException(e); + } + } + /** * Converts this object to value object. + * * @return the value object */ public CertificateInfo toDTO() { try { - return new CertificateInfo(memberId, active, savedToConfiguration, - status, id, certificate.getEncoded(), - ocspResponse != null ? ocspResponse.getEncoded() : null); + return new CertificateInfo(toProtoDTO()); } catch (Exception e) { throw translateException(e); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/model/CertRequest.java b/src/signer/src/main/java/ee/ria/xroad/signer/model/CertRequest.java index c53bdfbba2..3efe6c667e 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/model/CertRequest.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/model/CertRequest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
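Review bot: `toProtoDTO()` passes `memberId`, `status` and `id` to the builder unguarded, and generated protobuf setters reject null with a NullPointerException; `toDto(memberId)` also dereferences its argument. The field comments in this class describe `memberId` as set only for certificates of a signing key and `id` as optional, so a certificate without them would make the conversion fail where the old constructor accepted null. Guard them the way `certificate` and `ocspResponse` are guarded, e.g. `if (memberId != null) { builder.setMemberId(toDto(memberId)); }`. `CertRequest.toProtoDTO` (`memberId`, `subjectName`) and `Token.toDTO` (`type`, `friendlyName`) have the same unguarded setters. The try/catch kept in `toDTO()` is now redundant, because `toProtoDTO()` already translates exceptions.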
@@ -27,6 +27,9 @@ import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; +import ee.ria.xroad.signer.protocol.dto.CertRequestInfoProto; +import ee.ria.xroad.signer.protocol.dto.ClientIdProto; +import ee.ria.xroad.signer.protocol.dto.XRoadObjectType; import lombok.Value; @@ -44,9 +47,37 @@ public class CertRequest { /** * Converts this object to value object. + * + * @return the value object + */ + public CertRequestInfoProto toProtoDTO() { + return CertRequestInfoProto.newBuilder() + .setId(id) + .setMemberId(toDto(memberId)) + .setSubjectName(subjectName) + .build(); + } + + //TODO:grpc move to a separate place. + public static ClientIdProto toDto(ClientId.Conf input) { + var builder = ClientIdProto.newBuilder() + .setMemberClass(input.getMemberClass()) + .setMemberCode(input.getMemberCode()) + .setXroadInstance(input.getXRoadInstance()) + .setObjectType(XRoadObjectType.valueOf(input.getObjectType().name())); + + if (input.getSubsystemCode() != null) { + builder.setSubsystemCode(input.getSubsystemCode()); + } + return builder.build(); + } + + /** + * Converts this object to value object. + * * @return the value object */ public CertRequestInfo toDTO() { - return new CertRequestInfo(id, memberId, subjectName); + return new CertRequestInfo(toProtoDTO()); } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/model/Key.java b/src/signer/src/main/java/ee/ria/xroad/signer/model/Key.java index 6a443f0a38..60625dbdef 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/model/Key.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/model/Key.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
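Review bot: `XRoadObjectType.valueOf(input.getObjectType().name())` couples two enums by constant name and throws IllegalArgumentException if the domain enum has a constant that the proto enum in Tokens.proto does not list; whether that is the case is not visible in this diff. An explicit mapping, such as a `switch` over the domain type with a defined failure for unmapped values, makes the supported set reviewable. `toDto` is public and static but has no Javadoc. A line such as `/** Converts a client identifier to its protobuf form; input must not be null. */` would document the contract until the TODO moves the method.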
@@ -25,19 +25,21 @@ */ package ee.ria.xroad.signer.model; -import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; -import ee.ria.xroad.signer.protocol.dto.CertificateInfo; +import ee.ria.xroad.signer.protocol.dto.CertRequestInfoProto; +import ee.ria.xroad.signer.protocol.dto.CertificateInfoProto; import ee.ria.xroad.signer.protocol.dto.KeyInfo; +import ee.ria.xroad.signer.protocol.dto.KeyInfoProto; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import lombok.Data; import lombok.ToString; import java.util.ArrayList; -import java.util.Collections; import java.util.List; import java.util.stream.Collectors; +import static java.util.Collections.unmodifiableList; + /** * Model object representing a key. */ @@ -46,35 +48,54 @@ @ToString(exclude = {"token"}) public final class Key { - /** Reference to the token this key belongs to. */ + /** + * Reference to the token this key belongs to. + */ private final Token token; - /** The unique key id. */ + /** + * The unique key id. + */ private final String id; - /** Whether of not this key is available. */ + /** + * Whether of not this key is available. + */ private boolean available; - /** Key usage info. */ + /** + * Key usage info. + */ private KeyUsageInfo usage; - /** The friendly name of the key. */ + /** + * The friendly name of the key. + */ private String friendlyName; - /** The label of the key. */ + /** + * The label of the key. + */ private String label; - /** The X509 encoded public key. */ + /** + * The X509 encoded public key. + */ private String publicKey; - /** List of certificates. */ + /** + * List of certificates. + */ private final List certs = new ArrayList<>(); - /** List of certificate requests. */ + /** + * List of certificate requests. + */ private final List certRequests = new ArrayList<>(); /** * Adds a certificate to this key. + * * @param cert the certificate to add */ public void addCert(Cert cert) { 
@@ -83,20 +104,47 @@ public void addCert(Cert cert) { /** * Adds a certificate request to this key. + * * @param certReq the certificate request to add */ public void addCertRequest(CertRequest certReq) { certRequests.add(certReq); } + public KeyInfoProto toProtoDTO() { + var builder = KeyInfoProto.newBuilder() + .setId(id) + .setAvailable(available) + .addAllCerts(unmodifiableList(getCertsAsDTOs())) + .addAllCertRequests(unmodifiableList(getCertRequestsAsDTOs())) + .setSignMechanismName(token.getSignMechanismName()); + + if (usage != null) { + builder.setUsage(usage); + } + + if (friendlyName != null) { + builder.setFriendlyName(friendlyName); + } + + if (label != null) { + builder.setLabel(label); + } + + if (publicKey != null) { + builder.setPublicKey(publicKey); + } + + return builder.build(); + } + /** * Converts this object to value object. + * * @return the value object */ public KeyInfo toDTO() { - return new KeyInfo(available, usage, friendlyName, id, label, publicKey, - Collections.unmodifiableList(getCertsAsDTOs()), Collections.unmodifiableList(getCertRequestsAsDTOs()), - token.getSignMechanismName()); + return new KeyInfo(toProtoDTO()); } /** @@ -106,12 +154,12 @@ public boolean isValidForSigning() { return isAvailable() && getUsage() == KeyUsageInfo.SIGNING; } - private List getCertsAsDTOs() { - return certs.stream().map(c -> c.toDTO()).collect(Collectors.toList()); + private List getCertsAsDTOs() { + return certs.stream().map(Cert::toProtoDTO).collect(Collectors.toList()); } - private List getCertRequestsAsDTOs() { - return certRequests.stream().map(c -> c.toDTO()).collect(Collectors.toList()); + private List getCertRequestsAsDTOs() { + return certRequests.stream().map(CertRequest::toProtoDTO).collect(Collectors.toList()); } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/model/Token.java b/src/signer/src/main/java/ee/ria/xroad/signer/model/Token.java index 9c330c846a..e76d04b090 100644 
--- a/src/signer/src/main/java/ee/ria/xroad/signer/model/Token.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/model/Token.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -25,8 +25,9 @@ */ package ee.ria.xroad.signer.model; -import ee.ria.xroad.signer.protocol.dto.KeyInfo; +import ee.ria.xroad.signer.protocol.dto.KeyInfoProto; import ee.ria.xroad.signer.protocol.dto.TokenInfo; +import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; import ee.ria.xroad.signer.protocol.dto.TokenStatusInfo; import ee.ria.xroad.signer.tokenmanager.token.TokenType; 
@@ -40,59 +41,92 @@ import java.util.Map; import java.util.stream.Collectors; +import static java.util.Collections.unmodifiableMap; + /** * Model object representing a token. */ @Data public final class Token { - /** The module type as configured in Signer's module configuration. */ + /** + * The module type as configured in Signer's module configuration. + */ private final String type; - /** The token id. */ + /** + * The token id. + */ private final String id; - /** The module id. */ + /** + * The module id. + */ private String moduleId; - /** The name to display in UI. */ + /** + * The name to display in UI. + */ private String friendlyName; - /** True, if token is read-only */ + /** + * True, if token is read-only + */ private boolean readOnly; - /** True, if token is available (in module) */ + /** + * True, if token is available (in module) + */ private boolean available; - /** True, if password is inserted */ + /** + * True, if password is inserted + */ private boolean active; - /** The token serial number (optional). */ + /** + * The token serial number (optional). + */ private String serialNumber; - /** The token label (optional). */ + /** + * The token label (optional). + */ private String label; - /** The pin index to further specify the token (optional). */ + /** + * The pin index to further specify the token (optional). + */ private int slotIndex; - /** Whether batch signing should be enabled for this token. */ + /** + * Whether batch signing should be enabled for this token. + */ private boolean batchSigningEnabled = true; - /** Holds the currect status of the token. */ + /** + * Holds the currect status of the token. + */ private TokenStatusInfo status = TokenStatusInfo.OK; - /** Contains the the keys of this token. */ + /** + * Contains the the keys of this token. + */ private final List keys = new ArrayList<>(); - /** Contains label-value pairs of information about token. */ + /** + * Contains label-value pairs of information about token. 
+ */ private final Map tokenInfo = new LinkedHashMap<>(); - /** Signing (PKCS#11) mechanism name. */ + /** + * Signing (PKCS#11) mechanism name. + */ private final String signMechanismName; /** * Adds a key to this token. + * * @param key the key to add */ public void addKey(Key key) { @@ -101,6 +135,7 @@ public void addKey(Key key) { /** * Sets the token info. + * * @param info the token info */ public void setInfo(Map info) { @@ -110,13 +145,30 @@ public void setInfo(Map info) { /** * Converts this object to value object. + * * @return the value object */ public TokenInfo toDTO() { - return new TokenInfo(type, friendlyName, id, readOnly, available, - active, serialNumber, label, slotIndex, status, - Collections.unmodifiableList(getKeysAsDTOs()), - Collections.unmodifiableMap(tokenInfo)); + var messageBuilder = TokenInfoProto.newBuilder() + .setType(type) + .setFriendlyName(friendlyName) + .setId(id) + .setReadOnly(readOnly) + .setAvailable(available) + .setActive(active) + .setSlotIndex(slotIndex) + .setStatus(status) + .addAllKeyInfo(Collections.unmodifiableList(getKeysAsDTOs())) + .putAllTokenInfo(unmodifiableMap(tokenInfo)); + + if (serialNumber != null) { + messageBuilder.setSerialNumber(serialNumber); + } + if (label != null) { + messageBuilder.setLabel(label); + } + + return new TokenInfo(messageBuilder.build()); } /** @@ -146,8 +198,10 @@ public boolean isInActive() { return !isActive() || !isAvailable(); } - private List getKeysAsDTOs() { - return keys.stream().map(k -> k.toDTO()).collect(Collectors.toList()); + private List getKeysAsDTOs() { + return keys.stream() + .map(Key::toProtoDTO) + .collect(Collectors.toList()); } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertRequestHandler.java index 3ae278636c..32a34a3810 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertRequestHandler.java 
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertRequestHandler.java @@ -157,11 +157,9 @@ private void importCertificateToKey(KeyInfo keyInfo, X509Certificate cert, TokenManager.removeCert(existingCert.getId()); } - CertificateInfo certType = new CertificateInfo(memberId, + TokenManager.addCert(keyInfo.getId(), memberId, !authentication, true, initialStatus, SignerUtil.randomId(), - cert.getEncoded(), null); - - TokenManager.addCert(keyInfo.getId(), certType); + cert.getEncoded()); TokenManager.setKeyUsage(keyInfo.getId(), keyUsage); updateOcspResponse(cert); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ListTokensRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ListTokensRequestHandler.java index 217c0f2e9b..90afadf965 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ListTokensRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ListTokensRequestHandler.java @@ -4,17 +4,17 @@ * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * + *

* Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - * + *

* The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - * + *

* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 
@@ -25,19 +25,56 @@ */ package ee.ria.xroad.signer.protocol.handler; -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; -import ee.ria.xroad.signer.protocol.message.ListTokens; +import ee.ria.xroad.signer.protocol.message.ActivateToken; import ee.ria.xroad.signer.tokenmanager.TokenManager; +import akka.actor.ActorSystem; +import akka.pattern.Patterns; +import akka.util.Timeout; +import io.grpc.stub.StreamObserver; +import lombok.RequiredArgsConstructor; +import lombok.SneakyThrows; +import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.signer.proto.ActivateTokenRequest; +import org.niis.xroad.signer.proto.Empty; +import org.niis.xroad.signer.proto.ListTokensResponse; +import org.niis.xroad.signer.proto.SignerApiGrpc; +import scala.concurrent.Await; + +import java.util.concurrent.TimeUnit; + +import static ee.ria.xroad.signer.protocol.ComponentNames.REQUEST_PROCESSOR; + /** * Handles requests for token list. */ -public class ListTokensRequestHandler - extends AbstractRequestHandler { +@Slf4j +@RequiredArgsConstructor +public class ListTokensRequestHandler extends SignerApiGrpc.SignerApiImplBase { + private final ActorSystem actorSystem; @Override - protected Object handle(ListTokens message) throws Exception { - return TokenManager.listTokens(); + public void listTokens(Empty request, StreamObserver responseObserver) { + final ListTokensResponse.Builder builder = ListTokensResponse.newBuilder(); + + TokenManager.listTokens().forEach(tokenInfo -> builder.addTokens(tokenInfo.asMessage())); + + responseObserver.onNext(builder.build()); + responseObserver.onCompleted(); } + @SneakyThrows + @Override + public void activateToken(ActivateTokenRequest request, StreamObserver responseObserver) { + ActivateToken actorMsg = new ActivateToken(request.getTokenId(), request.getActivate()); + //TODO:grpc this is for debugging purposes. 
+ log.info("Resending back to actor system.."); + + Timeout timeout = new Timeout(10, TimeUnit.SECONDS); + Await.result(Patterns.ask(actorSystem.actorSelection("/user/" + REQUEST_PROCESSOR), actorMsg, timeout), + timeout.duration()); + + responseObserver.onNext(Empty.getDefaultInstance()); + responseObserver.onCompleted(); + } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/TokenManager.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/TokenManager.java index a78fdb9eb6..8e009fc4bd 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/TokenManager.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/TokenManager.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -116,6 +116,7 @@ public static synchronized void saveToConf() throws Exception { /** * Merge the in-memory configuration and the on-disk configuration if the configuration on * disk has changed. + * * @param listener */ public static void merge(TokenMergeAddedCertificatesListener listener) { @@ -157,7 +158,7 @@ public static void merge(TokenMergeAddedCertificatesListener listener) { public static synchronized List listTokens() { return unmodifiableList( currentTokens.stream() - .map(t -> t.toDTO()) + .map(Token::toDTO) .collect(Collectors.toList())); } @@ -214,7 +215,7 @@ public static synchronized TokenInfo getTokenInfo(String tokenId) { return currentTokens.stream() .filter(t -> t.getId().equals(tokenId)) - .map(t -> t.toDTO()) + .map(Token::toDTO) .findFirst().orElse(null); } @@ -728,6 +729,11 @@ public static synchronized void addCert(String keyId, byte[] certBytes) { key.addCert(cert); } + public static synchronized void addCert(String keyId, + CertificateInfo certInfo) { + //TODO check if needed + + } /** * Adds a certificate to a key. Throws exception, if key cannot be found. * 
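Review bot: `activateToken` discards the value returned by `Await.result(...)` and always answers `Empty`. If the request processor replies with an exception object instead of failing the future (its reply protocol is not visible in this hunk), a failed activation is reported to the caller as success. `@SneakyThrows` also lets the ask timeout and any other failure escape the handler instead of reaching `responseObserver.onError`, and the call blocks a gRPC worker thread for up to ten seconds. I would inspect the reply, map failures to a gRPC status without echoing internal detail to the client, and remove both `@SneakyThrows` and the debugging `log.info`.

```java
Timeout timeout = new Timeout(10, TimeUnit.SECONDS);
try {
    Object reply = Await.result(
            Patterns.ask(actorSystem.actorSelection("/user/" + REQUEST_PROCESSOR), actorMsg, timeout),
            timeout.duration());
    if (reply instanceof Throwable) {
        throw new IllegalStateException("request processor rejected activateToken", (Throwable) reply);
    }
    responseObserver.onNext(Empty.getDefaultInstance());
    responseObserver.onCompleted();
} catch (Exception e) {
    // Full cause stays in the signer log; the client only gets a generic status.
    log.error("activateToken failed for token {}", request.getTokenId(), e);
    responseObserver.onError(io.grpc.Status.INTERNAL
            .withDescription("token activation failed")
            .asRuntimeException());
}
```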
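Review bot: The new `addCert(String keyId, CertificateInfo certInfo)` overload in `TokenManager` has an empty body, so any caller still using the old signature compiles but silently stops adding the certificate, and nothing is logged. The only caller visible in this patch (`ImportCertRequestHandler`) is moved to the field-based overload, so either delete the stub or make it fail loudly, e.g. `throw new UnsupportedOperationException("addCert(keyId, CertificateInfo) was replaced by the field-based overload");`. If it has to stay for now, it needs a Javadoc saying it is a no-op placeholder rather than a bare `//TODO check if needed`.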
@@ -735,18 +741,18 @@ public static synchronized void addCert(String keyId, byte[] certBytes) { * @param certInfo the certificate info */ public static synchronized void addCert(String keyId, - CertificateInfo certInfo) { + ClientId.Conf memberId, boolean active,boolean savedToConfiguration, + String initialStatus,String id,byte[] certificate) { log.trace("addCert({})", keyId); Key key = findKey(keyId); - Cert cert = new Cert(certInfo.getId()); - cert.setActive(certInfo.isActive()); - cert.setCertificate(certInfo.getCertificateBytes()); - cert.setOcspResponse(certInfo.getOcspBytes()); - cert.setMemberId(certInfo.getMemberId()); - cert.setSavedToConfiguration(certInfo.isSavedToConfiguration()); - cert.setStatus(certInfo.getStatus()); + Cert cert = new Cert(id); + cert.setActive(active); + cert.setCertificate(certificate); + cert.setMemberId(memberId); + cert.setSavedToConfiguration(savedToConfiguration); + cert.setStatus(initialStatus); key.addCert(cert); } From 7d196e0baac1e694872b4ab292df51a24b2a9f8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Fri, 18 Aug 2023 16:38:26 +0300 Subject: [PATCH 002/127] chore: align grpc api names Refs: XRDDEV-2468 --- .../ee/ria/xroad/signer/protocol/RpcSignerClient.java | 10 +++++----- .../main/proto/{SignerApi.proto => TokensApi.proto} | 4 +--- .../src/main/java/ee/ria/xroad/signer/SignerMain.java | 2 +- .../{handler => }/ListTokensRequestHandler.java | 6 +++--- 4 files changed, 10 insertions(+), 12 deletions(-) rename src/signer-protocol/src/main/proto/{SignerApi.proto => TokensApi.proto} (86%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/{handler => }/ListTokensRequestHandler.java (94%) diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java index a33dfd5a67..33091f6fc3 100644 
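Review bot: The Javadoc kept above this `addCert` overload still documents `@param certInfo`, which no longer exists. The seven positional parameters need their own `@param` lines, because with two adjacent booleans and two adjacent Strings a swapped `active`/`savedToConfiguration` or `initialStatus`/`id` compiles cleanly. The rewritten body also no longer calls `cert.setOcspResponse(...)`; the visible caller passed null before, so the Javadoc should say that the OCSP response is attached separately. The parameter list is missing spaces after commas (`boolean active,boolean savedToConfiguration`), which the project's style check will presumably flag.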
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java @@ -5,23 +5,23 @@ import io.grpc.ManagedChannel; import lombok.Getter; import lombok.extern.slf4j.Slf4j; -import org.niis.xroad.signer.proto.SignerApiGrpc; +import org.niis.xroad.signer.proto.TokensApiGrpc; import static org.niis.xroad.signer.grpc.ServerCredentialsConfigurer.createClientCredentials; @Slf4j public class RpcSignerClient { @Getter - private final SignerApiGrpc.SignerApiStub signerApiStub; + private final TokensApiGrpc.TokensApiStub signerApiStub; @Getter - private final SignerApiGrpc.SignerApiBlockingStub signerApiBlockingStub; + private final TokensApiGrpc.TokensApiBlockingStub signerApiBlockingStub; /** * Construct client for accessing RouteGuide server using the existing channel. */ public RpcSignerClient(Channel channel) { - signerApiStub = SignerApiGrpc.newStub(channel); - signerApiBlockingStub = SignerApiGrpc.newBlockingStub(channel); + signerApiStub = TokensApiGrpc.newStub(channel); + signerApiBlockingStub = TokensApiGrpc.newBlockingStub(channel); } /** diff --git a/src/signer-protocol/src/main/proto/SignerApi.proto b/src/signer-protocol/src/main/proto/TokensApi.proto similarity index 86% rename from src/signer-protocol/src/main/proto/SignerApi.proto rename to src/signer-protocol/src/main/proto/TokensApi.proto index f8b21f806f..3b56cbf659 100644 --- a/src/signer-protocol/src/main/proto/SignerApi.proto +++ b/src/signer-protocol/src/main/proto/TokensApi.proto @@ -1,15 +1,13 @@ syntax = "proto3"; option java_multiple_files = true; -//option java_package = "org.niis.xroad.signer.proto"; import "Tokens.proto"; import "TokenStatusInfo.proto"; - package org.niis.xroad.signer.proto; -service SignerApi { +service TokensApi { rpc listTokens (Empty) returns (ListTokensResponse) {} 
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java index 9b0600709a..6ffb01780a 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java @@ -32,7 +32,7 @@ import ee.ria.xroad.common.util.AdminPort; import ee.ria.xroad.common.util.JsonUtils; import ee.ria.xroad.signer.certmanager.OcspClientWorker; -import ee.ria.xroad.signer.protocol.handler.ListTokensRequestHandler; +import ee.ria.xroad.signer.protocol.ListTokensRequestHandler; import ee.ria.xroad.signer.util.SignerUtil; import akka.actor.ActorSystem; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ListTokensRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/ListTokensRequestHandler.java similarity index 94% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ListTokensRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/ListTokensRequestHandler.java index 90afadf965..96b4eae44a 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ListTokensRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/ListTokensRequestHandler.java @@ -23,7 +23,7 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ -package ee.ria.xroad.signer.protocol.handler; +package ee.ria.xroad.signer.protocol; import ee.ria.xroad.signer.protocol.message.ActivateToken; import ee.ria.xroad.signer.tokenmanager.TokenManager; @@ -38,7 +38,7 @@ import org.niis.xroad.signer.proto.ActivateTokenRequest; import org.niis.xroad.signer.proto.Empty; import org.niis.xroad.signer.proto.ListTokensResponse; -import org.niis.xroad.signer.proto.SignerApiGrpc; +import org.niis.xroad.signer.proto.TokensApiGrpc; import scala.concurrent.Await; import java.util.concurrent.TimeUnit; 
@@ -50,7 +50,7 @@ */ @Slf4j @RequiredArgsConstructor -public class ListTokensRequestHandler extends SignerApiGrpc.SignerApiImplBase { +public class ListTokensRequestHandler extends TokensApiGrpc.TokensApiImplBase { private final ActorSystem actorSystem; @Override From c7c27c451b2d9d2a77b5a9fe9399fb86fae4c008 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Fri, 18 Aug 2023 16:39:54 +0300 Subject: [PATCH 003/127] chore: align grpc api names Refs: XRDDEV-2468 --- src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java | 4 ++-- .../{ListTokensRequestHandler.java => TokensApi.java} | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/{ListTokensRequestHandler.java => TokensApi.java} (97%) diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java index 6ffb01780a..d8cc1bd7c7 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java @@ -32,7 +32,7 @@ import ee.ria.xroad.common.util.AdminPort; import ee.ria.xroad.common.util.JsonUtils; import ee.ria.xroad.signer.certmanager.OcspClientWorker; -import ee.ria.xroad.signer.protocol.ListTokensRequestHandler; +import ee.ria.xroad.signer.protocol.TokensApi; import ee.ria.xroad.signer.util.SignerUtil; import akka.actor.ActorSystem; @@ -118,7 +118,7 @@ private static void initGrpc() throws Exception { int port = 5560; log.info("Initializing GRPC server on port {}.. ", port); RpcServer.init(port, builder -> { - builder.addService(new ListTokensRequestHandler(actorSystem)); + builder.addService(new TokensApi(actorSystem)); }); } 
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/ListTokensRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensApi.java similarity index 97% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/ListTokensRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensApi.java index 96b4eae44a..fdc974c8bf 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/ListTokensRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensApi.java @@ -50,7 +50,7 @@ */ @Slf4j @RequiredArgsConstructor -public class ListTokensRequestHandler extends TokensApiGrpc.TokensApiImplBase { +public class TokensApi extends TokensApiGrpc.TokensApiImplBase { private final ActorSystem actorSystem; @Override From b44e72fc4959f880a0b96e72913f511aed3f0905 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Fri, 18 Aug 2023 18:00:09 +0300 Subject: [PATCH 004/127] chore: add getToken rpc endpoints Refs: XRDDEV-2468 --- .../java/ee/ria/xroad/signer/SignerProxy.java | 33 +++++++------ .../protocol/dto/TokenInfoAndKeyId.java | 11 ++++- .../signer/protocol/message/GetTokenInfo.java | 40 ---------------- .../GetTokenInfoAndKeyIdForCertHash.java | 40 ---------------- .../GetTokenInfoAndKeyIdForCertRequestId.java | 40 ---------------- .../message/GetTokenInfoForKeyId.java | 40 ---------------- .../src/main/proto/Tokens.proto | 12 ++--- .../src/main/proto/TokensApi.proto | 22 +++++++++ .../ria/xroad/signer/protocol/TokensApi.java | 40 ++++++++++++++-- ...InfoAndKeyIdForCertHashRequestHandler.java | 45 ------------------ ...ndKeyIdForCertRequestIdRequestHandler.java | 46 ------------------- .../GetTokenInfoForKeyIdRequestHandler.java | 45 ------------------ .../handler/GetTokenInfoRequestHandler.java | 44 ------------------ 13 files changed, 93 insertions(+), 365 deletions(-) delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetTokenInfo.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetTokenInfoAndKeyIdForCertHash.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetTokenInfoAndKeyIdForCertRequestId.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetTokenInfoForKeyId.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertHashRequestHandler.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertRequestIdRequestHandler.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoForKeyIdRequestHandler.java delete mode 100644 
src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoRequestHandler.java diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java index 649f184e1b..55811ec8fc 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java @@ -62,10 +62,6 @@ import ee.ria.xroad.signer.protocol.message.GetSignMechanism; import ee.ria.xroad.signer.protocol.message.GetSignMechanismResponse; import ee.ria.xroad.signer.protocol.message.GetTokenBatchSigningEnabled; -import ee.ria.xroad.signer.protocol.message.GetTokenInfo; -import ee.ria.xroad.signer.protocol.message.GetTokenInfoAndKeyIdForCertHash; -import ee.ria.xroad.signer.protocol.message.GetTokenInfoAndKeyIdForCertRequestId; -import ee.ria.xroad.signer.protocol.message.GetTokenInfoForKeyId; import ee.ria.xroad.signer.protocol.message.ImportCert; import ee.ria.xroad.signer.protocol.message.ImportCertResponse; import ee.ria.xroad.signer.protocol.message.InitSoftwareToken; @@ -85,6 +81,10 @@ import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.proto.ActivateTokenRequest; import org.niis.xroad.signer.proto.Empty; +import org.niis.xroad.signer.proto.GetTokenByCertHashRequest; +import org.niis.xroad.signer.proto.GetTokenByCertRequestIdRequest; +import org.niis.xroad.signer.proto.GetTokenByIdRequest; +import org.niis.xroad.signer.proto.GetTokenByKeyIdRequest; import org.niis.xroad.signer.proto.ListTokensResponse; import java.security.PublicKey; 
@@ -151,9 +151,10 @@ private static RpcSignerClient getSignerClient() { * @throws Exception if any errors occur */ public static TokenInfo getToken(String tokenId) throws Exception { - - return execute(new GetTokenInfo(tokenId)); - + return new TokenInfo(getSignerClient().getSignerApiBlockingStub() + .getTokenById(GetTokenByIdRequest.newBuilder() + .setTokenId(tokenId) + .build())); } /** @@ -483,11 +484,13 @@ public static TokenInfoAndKeyId getTokenAndKeyIdForCertHash(String hash) throws hash = hash.toLowerCase(); log.trace("Getting token and key id by cert hash '{}'", hash); - TokenInfoAndKeyId response = execute(new GetTokenInfoAndKeyIdForCertHash(hash)); - + var response = getSignerClient().getSignerApiBlockingStub() + .getTokenAndKeyIdByCertHash(GetTokenByCertHashRequest.newBuilder() + .setCertHash(hash) + .build()); log.trace("Token and key id with hash '{}' found", hash); - return response; + return new TokenInfoAndKeyId(new TokenInfo(response.getTokenInfo()), response.getKeyId()); } /** @@ -536,11 +539,14 @@ public static AuthKeyInfo getAuthKey(SecurityServerId serverId) throws Exception public static TokenInfoAndKeyId getTokenAndKeyIdForCertRequestId(String certRequestId) throws Exception { log.trace("Getting token and key id by cert request id '{}'", certRequestId); - TokenInfoAndKeyId response = execute(new GetTokenInfoAndKeyIdForCertRequestId(certRequestId)); + var response = getSignerClient().getSignerApiBlockingStub() + .getTokenAndKeyIdByCertRequestId(GetTokenByCertRequestIdRequest.newBuilder() + .setCertRequestId(certRequestId) + .build()); log.trace("Token and key id with cert request id '{}' found", certRequestId); - return response; + return new TokenInfoAndKeyId(new TokenInfo(response.getTokenInfo()), response.getKeyId()); } /** 
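Review bot: The blocking stub calls introduced in `getToken`, `getTokenAndKeyIdForCertHash` and `getTokenAndKeyIdForCertRequestId` (and in `getTokenForKeyId` in the next hunk) set no deadline. A signer that accepts the connection but never answers would block the calling thread indefinitely, unless a deadline is applied elsewhere, which this patch does not show. Consider `getSignerClient().getSignerApiBlockingStub().withDeadlineAfter(<timeout>, TimeUnit.MILLISECONDS)` with `<timeout>` taken from configuration. These calls now fail with gRPC's `StatusRuntimeException` rather than whatever `execute(...)` raised, so callers that distinguish "not found" from transport errors should be re-checked. The bodies of the cert-hash and cert-request-id methods start outside their hunks.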
@@ -551,7 +557,8 @@ public static TokenInfoAndKeyId getTokenAndKeyIdForCertRequestId(String certRequ * @throws Exception if any errors occur */ public static TokenInfo getTokenForKeyId(String keyId) throws Exception { - return execute(new GetTokenInfoForKeyId(keyId)); + return new TokenInfo(getSignerClient().getSignerApiBlockingStub() + .getTokenByKey(GetTokenByKeyIdRequest.newBuilder().setKeyId(keyId).build())); } public static String getSignMechanism(String keyId) throws Exception { diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfoAndKeyId.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfoAndKeyId.java index 026b267849..a3c34728f4 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfoAndKeyId.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfoAndKeyId.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -44,11 +44,18 @@ public final class TokenInfoAndKeyId implements Serializable { * or null if no match */ public KeyInfo getKeyInfo() { - for (KeyInfo keyInfo: tokenInfo.getKeyInfo()) { + for (KeyInfo keyInfo : tokenInfo.getKeyInfo()) { if (keyId.equals(keyInfo.getId())) { return keyInfo; } } return null; } + + public TokenInfoAndKeyIdProto asMessage() { + return TokenInfoAndKeyIdProto.newBuilder() + .setTokenInfo(tokenInfo.asMessage()) + .setKeyId(keyId) + .build(); + } } diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetTokenInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetTokenInfo.java deleted file mode 100644 index 6bc19fc156..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetTokenInfo.java +++ /dev/null 
@@ -1,40 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -public class GetTokenInfo implements Serializable { - - private final String tokenId; - -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetTokenInfoAndKeyIdForCertHash.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetTokenInfoAndKeyIdForCertHash.java deleted file mode 100644 index d741f88640..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetTokenInfoAndKeyIdForCertHash.java +++ /dev/null 
@@ -1,40 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -public class GetTokenInfoAndKeyIdForCertHash implements Serializable { - - private final String certHash; - -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetTokenInfoAndKeyIdForCertRequestId.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetTokenInfoAndKeyIdForCertRequestId.java deleted file mode 100644 index 35f470dbb3..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetTokenInfoAndKeyIdForCertRequestId.java +++ /dev/null 
@@ -1,40 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -public class GetTokenInfoAndKeyIdForCertRequestId implements Serializable { - - private final String certRequestId; - -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetTokenInfoForKeyId.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetTokenInfoForKeyId.java deleted file mode 100644 index abc1937fa0..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetTokenInfoForKeyId.java +++ /dev/null 
@@ -1,40 +0,0 @@
-/**
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.protocol.message;
-
-import lombok.Value;
-
-import java.io.Serializable;
-
-/**
- * Signer API message.
- */
-@Value
-public class GetTokenInfoForKeyId implements Serializable {
-
- private final String keyId;
-
-}
diff --git a/src/signer-protocol/src/main/proto/Tokens.proto b/src/signer-protocol/src/main/proto/Tokens.proto
index 05c30aba33..b952b105f5 100644
--- a/src/signer-protocol/src/main/proto/Tokens.proto
+++ b/src/signer-protocol/src/main/proto/Tokens.proto
@@ -1,15 +1,8 @@ syntax = "proto3"; import "TokenStatusInfo.proto"; -//package protocol; - option java_multiple_files = true; option java_package = "ee.ria.xroad.signer.protocol.dto"; -//option java_outer_classname = "TokenStatusInfo"; -//option objc_class_prefix = "HLW"; - -//import "google/protobuf/empty.proto"; - message TokenInfoProto { string type = 1; @@ -26,6 +19,11 @@ message TokenInfoProto { map tokenInfo = 12; } +message TokenInfoAndKeyIdProto { + TokenInfoProto tokenInfo = 1; + string keyId = 2; +} + message KeyInfoProto { bool available = 1; KeyUsageInfo usage = 2; diff --git a/src/signer-protocol/src/main/proto/TokensApi.proto b/src/signer-protocol/src/main/proto/TokensApi.proto index 3b56cbf659..13442af250 100644 --- a/src/signer-protocol/src/main/proto/TokensApi.proto +++ b/src/signer-protocol/src/main/proto/TokensApi.proto @@ -8,6 +8,13 @@ import "TokenStatusInfo.proto"; package org.niis.xroad.signer.proto; service TokensApi { + rpc getTokenById (GetTokenByIdRequest) returns (TokenInfoProto) {} + + rpc getTokenByKey (GetTokenByKeyIdRequest) returns (TokenInfoProto) {} + + rpc getTokenAndKeyIdByCertRequestId (GetTokenByCertRequestIdRequest) returns (TokenInfoAndKeyIdProto) {} + + rpc getTokenAndKeyIdByCertHash (GetTokenByCertHashRequest) returns (TokenInfoAndKeyIdProto) {} rpc listTokens (Empty) returns (ListTokensResponse) {} @@ -27,3 +34,18 @@ message ActivateTokenRequest{ bool activate = 2; } +message GetTokenByIdRequest { + string tokenId = 1; +} + +message GetTokenByKeyIdRequest { + string keyId = 1; +} + +message GetTokenByCertRequestIdRequest { + string certRequestId = 1; +} + +message GetTokenByCertHashRequest { + string certHash = 1; +} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensApi.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensApi.java index fdc974c8bf..d13b101b9f 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensApi.java 
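Review bot: `GetTokenByCertHashRequest.certHash` in the TokensApi.proto hunks is an undocumented `string`, so a client cannot tell from the contract which digest and text encoding the signer matches against. The message should carry a comment stating both, for example `// certHash: certificate hash in the form TokenManager.findTokenAndKeyIdForCertHash expects (digest algorithm and encoding: TODO confirm)`. The same hunks name the rpc `getTokenByKey` while its request is `GetTokenByKeyIdRequest` and the sibling rpcs end in `...Id`; `getTokenByKeyId` would keep the four lookups parallel. None of the new rpcs says what the caller receives when nothing matches, which is worth a one-line comment on each.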
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensApi.java @@ -25,18 +25,25 @@ */ package ee.ria.xroad.signer.protocol; +import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyIdProto; +import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; import ee.ria.xroad.signer.protocol.message.ActivateToken; import ee.ria.xroad.signer.tokenmanager.TokenManager; import akka.actor.ActorSystem; import akka.pattern.Patterns; import akka.util.Timeout; +import com.google.protobuf.AbstractMessage; import io.grpc.stub.StreamObserver; import lombok.RequiredArgsConstructor; import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.proto.ActivateTokenRequest; import org.niis.xroad.signer.proto.Empty; +import org.niis.xroad.signer.proto.GetTokenByCertHashRequest; +import org.niis.xroad.signer.proto.GetTokenByCertRequestIdRequest; +import org.niis.xroad.signer.proto.GetTokenByIdRequest; +import org.niis.xroad.signer.proto.GetTokenByKeyIdRequest; import org.niis.xroad.signer.proto.ListTokensResponse; import org.niis.xroad.signer.proto.TokensApiGrpc; import scala.concurrent.Await; @@ -59,8 +66,7 @@ public void listTokens(Empty request, StreamObserver respons TokenManager.listTokens().forEach(tokenInfo -> builder.addTokens(tokenInfo.asMessage())); - responseObserver.onNext(builder.build()); - responseObserver.onCompleted(); + emitSingleAndClose(responseObserver, builder.build()); } @SneakyThrows 
@@ -74,7 +80,35 @@ public void activateToken(ActivateTokenRequest request, StreamObserver re Await.result(Patterns.ask(actorSystem.actorSelection("/user/" + REQUEST_PROCESSOR), actorMsg, timeout), timeout.duration()); - responseObserver.onNext(Empty.getDefaultInstance()); + emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); + } + + @Override + public void getTokenById(GetTokenByIdRequest request, StreamObserver responseObserver) { + var token = TokenManager.findTokenInfo(request.getTokenId()); + emitSingleAndClose(responseObserver, token.asMessage()); + } + + @Override + public void getTokenByKey(GetTokenByKeyIdRequest request, StreamObserver responseObserver) { + var token = TokenManager.findTokenInfoForKeyId(request.getKeyId()); + emitSingleAndClose(responseObserver, token.asMessage()); + } + + @Override + public void getTokenAndKeyIdByCertRequestId(GetTokenByCertRequestIdRequest request, StreamObserver responseObserver) { + var token = TokenManager.findTokenAndKeyIdForCertRequestId(request.getCertRequestId()); + emitSingleAndClose(responseObserver, token.asMessage()); + } + + @Override + public void getTokenAndKeyIdByCertHash(GetTokenByCertHashRequest request, StreamObserver responseObserver) { + var token = TokenManager.findTokenAndKeyIdForCertHash(request.getCertHash()); + emitSingleAndClose(responseObserver, token.asMessage()); + } + + private void emitSingleAndClose(StreamObserver responseObserver, T value) { + responseObserver.onNext(value); responseObserver.onCompleted(); } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertHashRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertHashRequestHandler.java deleted file mode 100644 index 8dca69180e..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertHashRequestHandler.java +++ /dev/null 
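Review bot: The four new lookup handlers (`getTokenById`, `getTokenByKey`, `getTokenAndKeyIdByCertRequestId`, `getTokenAndKeyIdByCertHash`) call `TokenManager.find…` with no error path, so a failed lookup never reaches `responseObserver.onError`. The handler this commit deletes notes that `findTokenInfo` throws when the token is not found (presumably a `CodedException`); unless an interceptor outside this hunk maps exceptions, the call then ends with a generic status and the client loses the fault code. Each handler should catch the lookup failure and close the call with an explicit status that carries only the fault code, not the exception text or a stack trace. The enclosing class starts outside the hunk, and `CodedException` and `io.grpc.Status` would have to be imported there.

```java
@Override
public void getTokenById(GetTokenByIdRequest request, StreamObserver<TokenInfoProto> responseObserver) {
    try {
        var token = TokenManager.findTokenInfo(request.getTokenId());
        emitSingleAndClose(responseObserver, token.asMessage());
    } catch (CodedException e) {
        // Close the call with an explicit status; expose the fault code only.
        responseObserver.onError(
                Status.NOT_FOUND.withDescription(e.getFaultCode()).asRuntimeException());
    }
}
// … unchanged: getTokenByKey, getTokenAndKeyIdByCertRequestId, getTokenAndKeyIdByCertHash (same pattern applies) …
```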
@@ -1,45 +0,0 @@
-/**
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.protocol.handler;
-
-import ee.ria.xroad.signer.protocol.AbstractRequestHandler;
-import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyId;
-import ee.ria.xroad.signer.protocol.message.GetTokenInfoAndKeyIdForCertHash;
-import ee.ria.xroad.signer.tokenmanager.TokenManager;
-
-/**
- * Handles requests for TokenInfo + key id based on certificate hashes.
- */
-public class GetTokenInfoAndKeyIdForCertHashRequestHandler
- extends AbstractRequestHandler {
-
- @Override
- protected Object handle(GetTokenInfoAndKeyIdForCertHash message) throws Exception {
- TokenInfoAndKeyId tokenInfoAndKeyId = TokenManager.findTokenAndKeyIdForCertHash(message.getCertHash());
- return tokenInfoAndKeyId;
- }
-
-}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertRequestIdRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertRequestIdRequestHandler.java
deleted file mode 100644
index 6bbcabee58..0000000000
--- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertRequestIdRequestHandler.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.protocol.handler;
-
-import ee.ria.xroad.signer.protocol.AbstractRequestHandler;
-import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyId;
-import ee.ria.xroad.signer.protocol.message.GetTokenInfoAndKeyIdForCertRequestId;
-import ee.ria.xroad.signer.tokenmanager.TokenManager;
-
-/**
- * Handles requests for TokenInfo + key id based on certificate request ids.
- */
-public class GetTokenInfoAndKeyIdForCertRequestIdRequestHandler
- extends AbstractRequestHandler {
-
- @Override
- protected Object handle(GetTokenInfoAndKeyIdForCertRequestId message) throws Exception {
- TokenInfoAndKeyId tokenInfoAndKeyId = TokenManager.findTokenAndKeyIdForCertRequestId(
- message.getCertRequestId());
- return tokenInfoAndKeyId;
- }
-
-}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoForKeyIdRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoForKeyIdRequestHandler.java
deleted file mode 100644
index e8c3dbe5ef..0000000000
--- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoForKeyIdRequestHandler.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/**
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.protocol.handler;
-
-import ee.ria.xroad.signer.protocol.AbstractRequestHandler;
-import ee.ria.xroad.signer.protocol.dto.TokenInfo;
-import ee.ria.xroad.signer.protocol.message.GetTokenInfoForKeyId;
-import ee.ria.xroad.signer.tokenmanager.TokenManager;
-
-/**
- * Handles requests for TokenInfo based on key id.
- */
-public class GetTokenInfoForKeyIdRequestHandler
- extends AbstractRequestHandler {
-
- @Override
- protected Object handle(GetTokenInfoForKeyId message) throws Exception {
- TokenInfo tokenInfo = TokenManager.findTokenInfoForKeyId(message.getKeyId());
- return tokenInfo;
- }
-
-}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoRequestHandler.java
deleted file mode 100644
index da9539a7b0..0000000000
--- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoRequestHandler.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/**
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.protocol.handler;
-
-import ee.ria.xroad.signer.protocol.AbstractRequestHandler;
-import ee.ria.xroad.signer.protocol.message.GetTokenInfo;
-import ee.ria.xroad.signer.tokenmanager.TokenManager;
-
-/**
- * Handles requests for token info.
- */
-public class GetTokenInfoRequestHandler
- extends AbstractRequestHandler {
-
- @Override
- protected Object handle(GetTokenInfo message) throws Exception {
- // findTokenInfo throws exception if not found.
We want this since null means timeout for caller. - return TokenManager.findTokenInfo(message.getTokenId()); - } - -} From 6006df84506384dac4395488f864cdd2914d47a8 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Mon, 21 Aug 2023 10:49:15 +0300 Subject: [PATCH 005/127] test: Signer protocol intTest with exceptions Refs: XRDDEV-2461 --- .../ria/xroad/signer/glue/SignerStepDefs.java | 43 +++++++++++++++++++ .../resources/behavior/0500-signer.feature | 6 +++ 2 files changed, 49 insertions(+) diff --git a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java index e4de950592..79c78eedcf 100644 --- a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java +++ b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java @@ -27,6 +27,7 @@ package ee.ria.xroad.signer.glue; +import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.util.CryptoUtils; import ee.ria.xroad.signer.SignerProxy; @@ -77,8 +78,11 @@ import static java.nio.charset.StandardCharsets.UTF_8; import static java.time.Instant.now; import static java.time.temporal.ChronoUnit.DAYS; +import static java.util.UUID.randomUUID; import static java.util.concurrent.TimeUnit.MILLISECONDS; import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.fail; +import static org.junit.jupiter.api.Assertions.assertEquals; @Slf4j public class SignerStepDefs { 
@@ -351,6 +355,45 @@ public void certificateCanBeSignedUsingKeyFromToken(String keyName, String token assertThat(bytes).isNotEmpty(); } + @Then("Set token name fails with TokenNotFound exception when token does not exist") + public void setTokenNameFail() throws Exception { + String tokenId = randomUUID().toString(); + try { + SignerProxy.setTokenFriendlyName(tokenId, randomUUID().toString()); + fail("Exception expected"); + } catch (CodedException codedException) { + assertEquals("Signer.TokenNotFound", codedException.getFaultCode()); + assertEquals("token_not_found", codedException.getTranslationCode()); + assertEquals("Signer.TokenNotFound: Token '" + tokenId + "' not found", codedException.getMessage()); + } + } + + @Then("Deleting not existing certificate from token fails") + public void failOnDeleteCert() throws Exception { + String cerId = randomUUID().toString(); + try { + SignerProxy.deleteCert(cerId); + fail("Exception expected"); + } catch (CodedException codedException) { + assertEquals("Signer.CertNotFound", codedException.getFaultCode()); + assertEquals("cert_with_id_not_found", codedException.getTranslationCode()); + assertEquals("Signer.CertNotFound: Certificate with id '" + cerId + "' not found", codedException.getMessage()); + } + } + + @Then("Retrieving token info by not existing key fails") + public void retrievingTokenInfoCanByNotExistingKeyFails() throws Exception { + String keyId = randomUUID().toString(); + try { + SignerProxy.getTokenForKeyId(keyId); + fail("Exception expected"); + } catch (CodedException codedException) { + assertEquals("Signer.KeyNotFound", codedException.getFaultCode()); + assertEquals("key_not_found", codedException.getTranslationCode()); + assertEquals("Signer.KeyNotFound: Key '" + keyId + "' not found", codedException.getMessage()); + } + } + private static Config getConf() { return ConfigFactory.load().getConfig("signer-integration-test") .withFallback(ConfigFactory.load()); 
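Review bot: The three new steps (`setTokenNameFail`, `failOnDeleteCert`, `retrievingTokenInfoCanByNotExistingKeyFails`) use the try / `fail("Exception expected")` / catch pattern and mix JUnit's `assertEquals` into a file that otherwise asserts with AssertJ's `assertThat`. AssertJ states the same expectation in one statement and drops both new static imports, for example `assertThatThrownBy(() -> SignerProxy.deleteCert(cerId)).isInstanceOfSatisfying(CodedException.class, e -> assertThat(e.getFaultCode()).isEqualTo("Signer.CertNotFound"));`. The local `cerId` and the method name `retrievingTokenInfoCanByNotExistingKeyFails` also look like slips for `certId` and `retrievingTokenInfoByNotExistingKeyFails`.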
diff --git a/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature b/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature index fceccc4bc1..f38bd2e4d4 100644 --- a/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature +++ b/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature @@ -76,6 +76,12 @@ Feature: 0500 - Signer Scenario: Miscellaneous checks * check token "0" key "First key" batch signing enabled + Scenario: Exceptions + * Set token name fails with TokenNotFound exception when token does not exist + * Deleting not existing certificate from token fails + * Retrieving token info by not existing key fails + + # not covered SignerProxy methods: # String importCert(byte[] certBytes, String initialStatus, ClientId.Conf clientId) #partly in GenerateSelfSignedCert # AuthKeyInfo getAuthKey(SecurityServerId serverId) #requires valid ocsp response From cffe54095b4cdbfce3514d1bb2835e5fd69bdee8 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Mon, 21 Aug 2023 11:59:53 +0300 Subject: [PATCH 006/127] test: Signer protocol intTest with exceptions Refs: XRDDEV-2461 --- .../ria/xroad/signer/glue/SignerStepDefs.java | 82 +++++++++++++++++-- .../resources/behavior/0500-signer.feature | 6 ++ 2 files changed, 79 insertions(+), 9 deletions(-) diff --git a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java index 79c78eedcf..671b6e56d9 100644 --- a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java +++ b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java 
@@ -362,9 +362,8 @@ public void setTokenNameFail() throws Exception { SignerProxy.setTokenFriendlyName(tokenId, randomUUID().toString()); fail("Exception expected"); } catch (CodedException codedException) { - assertEquals("Signer.TokenNotFound", codedException.getFaultCode()); - assertEquals("token_not_found", codedException.getTranslationCode()); - assertEquals("Signer.TokenNotFound: Token '" + tokenId + "' not found", codedException.getMessage()); + assertException("Signer.TokenNotFound", "token_not_found", + "Signer.TokenNotFound: Token '" + tokenId + "' not found", codedException); } } @@ -375,9 +374,8 @@ public void failOnDeleteCert() throws Exception { SignerProxy.deleteCert(cerId); fail("Exception expected"); } catch (CodedException codedException) { - assertEquals("Signer.CertNotFound", codedException.getFaultCode()); - assertEquals("cert_with_id_not_found", codedException.getTranslationCode()); - assertEquals("Signer.CertNotFound: Certificate with id '" + cerId + "' not found", codedException.getMessage()); + assertException("Signer.CertNotFound", "cert_with_id_not_found", + "Signer.CertNotFound: Certificate with id '" + cerId + "' not found", codedException); } } 
@@ -388,12 +386,78 @@ public void retrievingTokenInfoCanByNotExistingKeyFails() throws Exception { SignerProxy.getTokenForKeyId(keyId); fail("Exception expected"); } catch (CodedException codedException) { - assertEquals("Signer.KeyNotFound", codedException.getFaultCode()); - assertEquals("key_not_found", codedException.getTranslationCode()); - assertEquals("Signer.KeyNotFound: Key '" + keyId + "' not found", codedException.getMessage()); + assertException("Signer.KeyNotFound", "key_not_found", + "Signer.KeyNotFound: Key '" + keyId + "' not found", codedException); } } + @Then("Deleting not existing certRequest fails") + public void deletingCertRequestFails() throws Exception { + String csrId = randomUUID().toString(); + try { + SignerProxy.deleteCertRequest(csrId); + fail("Exception expected"); + } catch (CodedException codedException) { + assertException("Signer.CsrNotFound", "csr_not_found", + "Signer.CsrNotFound: Certificate request '" + csrId + "' not found", codedException); + } + } + + @Then("Signing with unknown key fails") + public void signKeyFail() throws Exception { + String keyId = randomUUID().toString(); + try { + SignerProxy.sign(keyId, randomUUID().toString(), new byte[0]); + fail("Exception expected"); + } catch (CodedException codedException) { + assertException("Signer.KeyNotFound", "key_not_found", + "Signer.KeyNotFound: Key '" + keyId + "' not found", codedException); + } + } + + @Then("Signing with unknown algorithm fails using key {string} from token {string}") + public void signAlgorithmFail(String keyName, String tokenId) throws Exception { + try { + final KeyInfo key = findKeyInToken(tokenId, keyName); + SignerProxy.sign(key.getId(), "NOT-ALGORITHM-ID", calculateDigest(SHA256_ID, "digest".getBytes(UTF_8))); + + fail("Exception expected"); + } catch (CodedException codedException) { + assertException("Signer.CannotSign.InternalError", null, + "Signer.CannotSign.InternalError: Unknown sign algorithm id: NOT-ALGORITHM-ID", codedException); + 
} + } + + @Then("Getting key by not existing cert hash fails") + public void getKeyIdByHashFail() throws Exception { + String hash = randomUUID().toString(); + try { + SignerProxy.getKeyIdForCertHash(hash); + fail("Exception expected"); + } catch (CodedException codedException) { + assertException("Signer.CertNotFound", "certificate_with_hash_not_found", + "Signer.CertNotFound: Certificate with hash '" + hash + "' not found", codedException); + } + } + + @Then("Not existing certificate can not be activated") + public void notExistingCertActivateFail() throws Exception { + String certId = randomUUID().toString(); + try { + SignerProxy.activateCert(certId); + fail("Exception expected"); + } catch (CodedException codedException) { + assertException("Signer.CertNotFound", "cert_with_id_not_found", + "Signer.CertNotFound: Certificate with id '" + certId + "' not found", codedException); + } + } + + private void assertException(String faultCode, String translationCode, String message, CodedException codedException) { + assertEquals(faultCode, codedException.getFaultCode()); + assertEquals(translationCode, codedException.getTranslationCode()); + assertEquals(message, codedException.getMessage()); + } + private static Config getConf() { return ConfigFactory.load().getConfig("signer-integration-test") .withFallback(ConfigFactory.load()); diff --git a/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature b/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature index f38bd2e4d4..7300533c02 100644 --- a/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature +++ b/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature 
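Review bot: `signKeyFail` calls `SignerProxy.sign(keyId, randomUUID().toString(), new byte[0])`, so besides the unknown key it also sends an invalid signature algorithm id and an empty digest. The expected `Signer.KeyNotFound` therefore holds only while the signer resolves the key before it looks at the other two arguments, and the test would not notice if that validation order changed. Pass a valid algorithm id and a real digest, as `signAlgorithmFail` does with `calculateDigest(SHA256_ID, "digest".getBytes(UTF_8))`, so the key id is the only invalid input. In `signAlgorithmFail` the `findKeyInToken` lookup sits inside the `try`; moving it above the `try` keeps a setup failure from being reported as a wrong-fault-code assertion.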
@@ -46,6 +46,7 @@ Feature: 0500 - Signer Scenario: Sign Given digest can be signed using key "KeyX" from token "0" + And Signing with unknown algorithm fails using key "KeyX" from token "0" Scenario: Generate/Regenerate cert request When cert request is generated for token "0" key "Second key" for client "cs:test:member-2" @@ -80,6 +81,11 @@ Feature: 0500 - Signer * Set token name fails with TokenNotFound exception when token does not exist * Deleting not existing certificate from token fails * Retrieving token info by not existing key fails + * Deleting not existing certRequest fails + * Signing with unknown key fails + * Getting key by not existing cert hash fails + * Not existing certificate can not be activated + # not covered SignerProxy methods: From 6034fc697f27eb677c66d7b04f0b55141ce04944 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Mon, 21 Aug 2023 18:52:59 +0300 Subject: [PATCH 007/127] chore: enable TLS for akka and grpc in signer tests Refs: XRDDEV-2468 --- src/common/common-rpc/build.gradle | 2 + .../org/niis/xroad/signer/grpc/RpcServer.java | 10 +- .../grpc/ServerCredentialsConfigurer.java | 99 ++++++++++++------ .../ee/ria/xroad/common/SystemProperties.java | 53 ++++++++++ .../ria/xroad/signer/glue/SignerStepDefs.java | 27 +++++ .../resources/application-override.yml | 1 + .../transport-keystore/akka-keystore.p12 | Bin 0 -> 1008 bytes .../resources/transport-keystore/gen-cert.sh | 20 ++++ .../grpc-internal-keystore.jks | Bin 0 -> 2614 bytes 9 files changed, 176 insertions(+), 36 deletions(-) create mode 100644 src/signer-protocol/src/intTest/resources/transport-keystore/akka-keystore.p12 create mode 100644 src/signer-protocol/src/intTest/resources/transport-keystore/gen-cert.sh create mode 100644 src/signer-protocol/src/intTest/resources/transport-keystore/grpc-internal-keystore.jks diff --git a/src/common/common-rpc/build.gradle b/src/common/common-rpc/build.gradle index 9b1ad970ff..bdbe08934b 100644 
--- a/src/common/common-rpc/build.gradle +++ b/src/common/common-rpc/build.gradle @@ -3,7 +3,9 @@ plugins { } dependencies { + implementation project(':common:common-util') implementation "org.slf4j:slf4j-api:${slf4jVersion}" + api "io.grpc:grpc-protobuf:${grpcVersion}" api "io.grpc:grpc-stub:${grpcVersion}" api "jakarta.annotation:jakarta.annotation-api:1.3.5" diff --git a/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java b/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java index 057b4d12d3..352982b793 100644 --- a/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java +++ b/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java @@ -33,6 +33,9 @@ import lombok.extern.slf4j.Slf4j; import java.io.IOException; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.UnrecoverableKeyException; import java.util.function.Consumer; import static org.niis.xroad.signer.grpc.ServerCredentialsConfigurer.createServerCredentials; @@ -74,9 +77,10 @@ private void stop() { } } - public static void init(int port, Consumer> configFunc) throws IOException { - log.info("Initializing grpc.."); - final RpcServer server = new RpcServer(port, createServerCredentials()); + public static void init(int port, Consumer> configFunc) throws IOException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException { + var serverCredentials = createServerCredentials(); + log.info("Initializing grpc with {} credentials..",serverCredentials.getClass().getSimpleName()); + final RpcServer server = new RpcServer(port, serverCredentials); server.start(configFunc); log.info("Grpc is running.."); } diff --git a/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/ServerCredentialsConfigurer.java b/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/ServerCredentialsConfigurer.java index 4290eac7e9..bb4e4cc16e 100644 
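Review bot: `RpcServer.init` now declares `throws IOException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException`, which pushes the key-store details of `createServerCredentials()` into every caller's signature. All three are subclasses of `java.security.GeneralSecurityException`, so `throws IOException, GeneralSecurityException` covers them with one import and stays stable if the way credentials are loaded changes. The added log call is also missing the space after the comma: `log.info("Initializing grpc with {} credentials..", serverCredentials.getClass().getSimpleName());`.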
--- a/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/ServerCredentialsConfigurer.java +++ b/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/ServerCredentialsConfigurer.java 
@@ -26,54 +26,87 @@ */ package org.niis.xroad.signer.grpc; +import ee.ria.xroad.common.SystemProperties; + import io.grpc.ChannelCredentials; -import io.grpc.InsecureChannelCredentials; -import io.grpc.InsecureServerCredentials; import io.grpc.ServerCredentials; import io.grpc.TlsChannelCredentials; import io.grpc.TlsServerCredentials; +import lombok.AccessLevel; +import lombok.NoArgsConstructor; +import lombok.extern.slf4j.Slf4j; + +import javax.net.ssl.KeyManager; +import javax.net.ssl.KeyManagerFactory; +import javax.net.ssl.TrustManager; +import javax.net.ssl.TrustManagerFactory; -import java.io.File; import java.io.IOException; +import java.io.InputStream; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.UnrecoverableKeyException; +import java.security.cert.CertificateException; +@Slf4j +@NoArgsConstructor(access = AccessLevel.PRIVATE) public class ServerCredentialsConfigurer { - //TODO will be enabled in live env. - private static final boolean USE_TLS = false; - public static ServerCredentials createServerCredentials() throws IOException { - if (USE_TLS) { - //TODO fill to use tls auth. 
- File certChain = null; - File privateKey = null; - String privateKeyPassword = null; - File trustRootCert = null; + public static ServerCredentials createServerCredentials() throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException { + TlsServerCredentials.Builder tlsBuilder = TlsServerCredentials.newBuilder() + .keyManager(getKeyManagers()) + .trustManager(getTrustManagers()) + .clientAuth(TlsServerCredentials.ClientAuth.REQUIRE); - TlsServerCredentials.Builder tlsBuilder = TlsServerCredentials.newBuilder() - .keyManager(certChain, privateKey, privateKeyPassword) - .trustManager(trustRootCert) - .clientAuth(TlsServerCredentials.ClientAuth.REQUIRE); + return tlsBuilder.build(); + } - return tlsBuilder.build(); - } else { - return InsecureServerCredentials.create(); - } + public static ChannelCredentials createClientCredentials() throws NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException { + TlsChannelCredentials.Builder tlsBuilder = TlsChannelCredentials.newBuilder() + .keyManager(getKeyManagers()) + .trustManager(getTrustManagers()); + + return tlsBuilder.build(); } - public static ChannelCredentials createClientCredentials() throws IOException { - if (USE_TLS) { - //TODO fill to use tls auth. 
- File certChain = null; - File privateKey = null; - String privateKeyPassword = null; - File trustRootCert = null; + private static KeyManager[] getKeyManagers() + throws NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException { + final var path = SystemProperties.getGrpcInternalKeyStore(); + final var password = SystemProperties.getGrpcInternalKeyStorePassword(); - TlsChannelCredentials.Builder tlsBuilder = TlsChannelCredentials.newBuilder() - .keyManager(certChain, privateKey, privateKeyPassword) - .trustManager(trustRootCert); + KeyStore keystore = getKeystore(path, password); + KeyManagerFactory keyManagerFactory = + KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); + keyManagerFactory.init(keystore, password.toCharArray()); + return keyManagerFactory.getKeyManagers(); + } + + private static TrustManager[] getTrustManagers() + throws NoSuchAlgorithmException, KeyStoreException { + final var path = SystemProperties.getGrpcInternalTrustStore(); + final var password = SystemProperties.getGrpcInternalTruststorePassword(); + + KeyStore truststore = getKeystore(path, password); + TrustManagerFactory trustManagerFactory = + TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); + trustManagerFactory.init(truststore); + return trustManagerFactory.getTrustManagers(); + } - return tlsBuilder.build(); - } else { - return InsecureChannelCredentials.create(); + private static KeyStore getKeystore(String filePath, String password) { + log.trace("Loading keystore for RPC operation from path {}", filePath); + Path path = Paths.get(filePath); + KeyStore keystore = null; + try (InputStream in = Files.newInputStream(path)) { + keystore = KeyStore.getInstance("JKS"); + keystore.load(in, password.toCharArray()); + } catch (IOException | CertificateException | NoSuchAlgorithmException | KeyStoreException e) { + log.error("Failed to read gRPC keystore.", e); } + return keystore; } } 
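Review bot: `getKeystore` logs the failure and carries on, so a missing or unreadable store reaches the factories as `null` instead of stopping startup. This matters most for the truststore: when `Files.newInputStream` fails, `getTrustManagers()` ends up calling `trustManagerFactory.init(null)`, and with the standard JSSE provider a null store means the JVM's default CA bundle, so `ClientAuth.REQUIRE` would then accept any client certificate that chains to a public CA rather than only the internal one. The catch block should fail closed, for example `throw new IllegalStateException("Failed to read gRPC keystore", e);` in place of the `log.error` call. If `load` itself throws, the method returns an uninitialised `KeyStore`, which surfaces later as an unrelated `KeyStoreException`; the same change covers that case.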
diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java index bdb6a10c2d..5a6b0b6e38 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java @@ -614,6 +614,31 @@ public enum AllowedFederationMode { ALL, NONE, CUSTOM } public static final String ONE_DAY_AS_SECONDS = String.valueOf(24 * 60 * 60); + // gRPC internal cross-component transport configuration -------------------------- // + + /** + * Property name for gRPC internal keystore location. + */ + public static final String GRPC_INTERNAL_KEYSTORE = + PREFIX + "grpc.internal.keystore"; + + /** + * Property name for gRPC internal keystore password. + */ + public static final String GRPC_INTERNAL_KEYSTORE_PASSWORD = + PREFIX + "grpc.internal.keystore-password"; + + /** + * Property name for gRPC internal truststore location. + */ + public static final String GRPC_INTERNAL_TRUSTSTORE = + PREFIX + "grpc.internal.truststore"; + + /** + * Property name for gRPC internal truststore password. + */ + public static final String GRPC_INTERNAL_TRUSTSTORE_PASSWORD = + PREFIX + "grpc.internal.truststore-password"; // Cluster node configuration ------------------------------------------ // /** 
@@ -1653,4 +1678,32 @@ public static String getBackupEncryptionKeyIds() { public static boolean isHSMHealthCheckEnabled() { return Boolean.parseBoolean(System.getProperty(HSM_HEALTH_CHECK_ENABLED, DEFAULT_HSM_HEALTH_CHECK_ENABLED)); } + + /** + * @return gRPC internal key store path. Uses JKS format. + */ + public static String getGrpcInternalKeyStore() { + return System.getProperty(GRPC_INTERNAL_KEYSTORE, "var/run/xroad/xroad-grpc-internal-keystore.jks"); + } + + /** + * @return gRPC internal key store password. + */ + public static String getGrpcInternalKeyStorePassword() { + return System.getProperty(GRPC_INTERNAL_KEYSTORE_PASSWORD, ""); + } + + /** + * @return gRPC internal trust store path. Uses JKS format. + */ + public static String getGrpcInternalTrustStore() { + return System.getProperty(GRPC_INTERNAL_TRUSTSTORE, "var/run/xroad/xroad-grpc-internal-truststore.jks"); + } + + /** + * @return gRPC internal trust store path password. + */ + public static String getGrpcInternalTruststorePassword() { + return System.getProperty(GRPC_INTERNAL_TRUSTSTORE_PASSWORD, ""); + } } diff --git a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java index 79c78eedcf..0b399af4fc 100644 --- a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java +++ b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java @@ -68,7 +68,9 @@ import java.security.spec.X509EncodedKeySpec; import java.util.Arrays; import java.util.Date; +import java.util.HashMap; import java.util.List; +import java.util.Map; import java.util.stream.Collectors; import static ee.ria.xroad.common.SystemProperties.SIGNER_PORT; 
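Review bot: Both default store locations in `getGrpcInternalKeyStore()` and `getGrpcInternalTrustStore()` are relative (`var/run/xroad/...` with no leading slash), so the key and trust material is looked up under whatever directory the process happens to be started from. If an absolute path was intended, the defaults should read `"/var/run/xroad/xroad-grpc-internal-keystore.jks"` and `"/var/run/xroad/xroad-grpc-internal-truststore.jks"`. The two password getters fall back to the empty string and the Javadoc does not say so; I would add `Defaults to an empty password when the property is unset.` to both, and correct the last one, which currently reads "trust store path password".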
@@ -412,9 +414,17 @@ private static void startSigner(int port) throws InterruptedException { + "build/resources/intTest/keyconf.xml", "-Dxroad.signer.device-configuration-file=" + "build/resources/intTest/devices.ini", + "-Dxroad.grpc.internal.keystore=build/resources/intTest/transport-keystore/grpc-internal-keystore.jks", + "-Dxroad.grpc.internal.keystore-password=111111", + "-Dxroad.grpc.internal.truststore=build/resources/intTest/transport-keystore/grpc-internal-keystore.jks", + "-Dxroad.grpc.internal.truststore-password=111111", "-Djava.library.path=../passwordstore/", "-jar", signerPath); + var transportKeystore = getTransportProperties(); + transportKeystore.forEach((key, value) -> pb.environment().put(key, value)); + transportKeystore.forEach(System::setProperty); + signerProcess = pb.start(); new StreamGobbler(signerProcess.getErrorStream()).start(); 
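Review bot: The four `-Dxroad.grpc.internal.*` arguments added to the `ProcessBuilder` in `startSigner` repeat values that `getTransportProperties()` already holds, so the keystore path and password are now maintained in two places. The same map is then applied both to `pb.environment()` and through `System::setProperty`, which makes the dotted `xroad.grpc.internal.*` keys environment variables of the child process and the `XROAD_COMMON_AKKA_*` keys system properties of the test JVM; neither looks intended. I would keep one map of system properties (set with `System::setProperty` and expanded into the `-D` arguments) and a separate map for the Akka environment variables. `startSigner` begins and ends outside this hunk.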
@@ -428,6 +438,23 @@ private static void startSigner(int port) throws InterruptedException { MILLISECONDS.sleep(3000); } + private static Map getTransportProperties() { + var transportKeystore = new HashMap(); + + transportKeystore.put("XROAD_COMMON_AKKA_REMOTE_TRANSPORT", "tls-tcp"); + transportKeystore.put("XROAD_COMMON_AKKA_KEYSTORE", "build/resources/intTest/transport-keystore/akka-keystore.p12"); + transportKeystore.put("XROAD_COMMON_AKKA_KEYSTORE_PASSWORD", "xJllPJVmRoEAf2ApuJxeMpBxSOxCHBbJ"); + transportKeystore.put("XROAD_COMMON_AKKA_TRUSTSTORE", "build/resources/intTest/transport-keystore/akka-keystore.p12"); + transportKeystore.put("XROAD_COMMON_AKKA_TRUSTSTORE_PASSWORD", "xJllPJVmRoEAf2ApuJxeMpBxSOxCHBbJ"); + + transportKeystore.put("xroad.grpc.internal.keystore", "build/resources/intTest/transport-keystore/grpc-internal-keystore.jks"); + transportKeystore.put("xroad.grpc.internal.keystore-password", "111111"); + transportKeystore.put("xroad.grpc.internal.truststore", "build/resources/intTest/transport-keystore/grpc-internal-keystore.jks"); + transportKeystore.put("xroad.grpc.internal.truststore-password", "111111"); + + return transportKeystore; + } + @RequiredArgsConstructor static class StreamGobbler extends Thread { private final InputStream is; diff --git a/src/signer-protocol/src/intTest/resources/application-override.yml b/src/signer-protocol/src/intTest/resources/application-override.yml index 27e1a82cad..133ccb25b5 100755 --- a/src/signer-protocol/src/intTest/resources/application-override.yml +++ b/src/signer-protocol/src/intTest/resources/application-override.yml @@ -6,6 +6,7 @@ logging: cucumber: TRACE liquibase: WARN org.springframework: INFO + org.niis: TRACE com.nortal.test: INFO # TRACE is helpful for development test-automation: 
diff --git a/src/signer-protocol/src/intTest/resources/transport-keystore/akka-keystore.p12 b/src/signer-protocol/src/intTest/resources/transport-keystore/akka-keystore.p12 new file mode 100644 index 0000000000000000000000000000000000000000..0006306951ca2ea36cd2fc0ddd00c31cbf50d17c GIT binary patch literal 1008 zcmXqLVt&KK$ZXKWJdKT0tIebBJ1-+UCbhy6a`gqZsW*2-1S zn8L)QF2Ka7V8Fx10Wpt>la;|hmW?x^&4V$OnT1h{Mc|C+wsj5{}yC zK*d+5;wO`sDtML5e@)sLy?@io*cwqr)_ENZ_|AS@Yglr+L+*vEvCx~jx2v3OL;{#g z7A0hOt0-u%waTbF{r}x2+d|FWpVoe5W#Pe3jyARF7}^+!!yU^hV#p=O!H~$14TOmX ziU&E>lh3qpaL)3&C{oWO($K_s;D63X!*8t( z9j{kqcxnDtEt`1!U+3*TSH7qJGOrEV`S+QI{v7G=$6nQku-&?Dsyf;G`~FnfE-ew4Ly#o1T0qP(6jd-GL*zq@XZ@7tau6WLhb8uA$U z8W}xMSDLmCry)2mmEgm~{XE literal 0 HcmV?d00001 diff --git a/src/signer-protocol/src/intTest/resources/transport-keystore/gen-cert.sh b/src/signer-protocol/src/intTest/resources/transport-keystore/gen-cert.sh new file mode 100644 index 0000000000..9bb951f5dc --- /dev/null +++ b/src/signer-protocol/src/intTest/resources/transport-keystore/gen-cert.sh @@ -0,0 +1,20 @@ +echo "----------------------------------------------------------" +echo " Generating test private keys and certs for gRPC " +echo "----------------------------------------------------------" + +readonly KEYTOOL=$(which keytool) +if [[ ! ${KEYTOOL} ]] +then + echo "keytool is not installed. Exiting !" + exit 1 +fi + +echo "Generating keystore for grpc-internal.........." +${KEYTOOL} -genkey -alias grpc-internal -keyalg RSA -keysize 2048 \ + -storetype PKCS12 \ + -keystore grpc-internal-keystore.jks \ + -dname "CN=127.0.0.1" \ + -ext "SAN:c=DNS:localhost,IP:127.0.0.1" \ + -validity 9999 \ + -storepass 111111 \ + -keypass 111111 
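Review bot: The script writes the store with `-storetype PKCS12` into a file named `grpc-internal-keystore.jks`, while `ServerCredentialsConfigurer.getKeystore` opens it with `KeyStore.getInstance("JKS")`; as far as I can tell that only loads because of the JDK's JKS/PKCS12 compatibility mode, so the file extension, the `-storetype` and the loader's type should be made to agree. The file has no shebang although it uses `[[ ... ]]`, so it needs `#!/bin/bash` as its first line to run outside bash. The fixed `-storepass 111111` is acceptable for a checked-in test fixture, but a header comment such as `# Integration-test fixture only; never use the generated key in a deployment.` would make that explicit.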
diff --git a/src/signer-protocol/src/intTest/resources/transport-keystore/grpc-internal-keystore.jks b/src/signer-protocol/src/intTest/resources/transport-keystore/grpc-internal-keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..f0368a6f6d5b1d177b04d27dd51b73af376498ce GIT binary patch literal 2614 zcma)8c{CJ?8lQcPE!inM*UngG=vr?WToQ$`6$WDsA!|%VmdQG}mh2>SjU|(0XG9Ab zvZOMygz;|HtcBM*@15>>f4%p|cfRxemhZpscRnPMRUHHbBZ-KQFoZ&qS<*fS5DqLS zB1RxY#LFM>b0iVk`Ck;20wF@{e!$f~sshIL9~V0-5L8Zt8vX!vk@%kuC zAYAD5B&Lg@5O?%)IEp)9<|~82GWOk@N=5eecq%^en?XB>I&U=2T4P-Yr#4MPqlXV-f4C0~B6 zzlc8cWwN<^>k|TCNf~$4s!(TD*wIo^-g1QO=QE>D3RMa67MJCH!k@%WDnc>4P85=s zZbxuO*+XT17Eh5j(X`aY?6o}=Tp7ihGcuIgQepi zWGJ}F>kMNo7`2S=VjgN_n5Ku5=`eY+N|t;CNhXi;G@zF6ERO4R%o&y?v!T=%5~iuv z!@ah|Gp35)k!gP5tOXw`M-{f{JD!Y08+BCiOG zr6_LaE0s#Zf?wO^9=sQ?@Lo?u;VlC1Cxcg0)-*+K0HmdHo5<95Pj+KzavXq$l z2T)g#UR8JSg1|A2`GLl#U&{FW(J`d5z1zQ_(NH?0+oR3LCg}1%iib_(ZTA*Y$4Wut z`R+t2+AZvGsUUg(xlJQALu{HO#!YMEftr9!9VTt!o5-oQ_sL@k<$o76Cc6}k&i-!6J7zGycE@?3Pr#KWdJA&$qEvHjz> zJs#8x)zSG)#l+et9<~qEZ7xf}LNnejm|QClQ#5No_8!uGE*&9JqG1mtz0y@!$MdAU zl;nuC@-d9IGbv&4?OML6y){pI)8ZwZfw1VFb(Iz5o{Mm$4e@A9JbD(*xqox6rk6-N zrcL_Oi!hsfr&0aEo|y%mtJ!npR}euxBR8%l^sc|li^&GglMg6ae^l|_WWs6OUoVUn ztRKc$BGt+S7CUFnvluUtr^d?to@98fNot$*{evQ!%g~#!)WLAKmvgKclfwQrspt8x z*-Gq8i4O^;_By^BH}W;^x0Y7<&;`Uj#$zh@^W>0cMtX6j6;Q$fDvZt4W=N*=Yy|d2 zzyZKiJ3K{haA6=ywGRVha%TJg6|PIIIbbz&17Za1E4T0ld`xjV|8@9=$lk)0CzmI2 z?tiwgCR${?j=lVbqDFiBrT7FsZ>qSEMz_#dTSN8W=_gi4SWQRmP_)!I2&N55y!Bh6 zniW$1XIvt9)y|6w1H1ttfM9?JKpEf*2n2)yynf7q0CzwDQsQqZpBgWO+t&Anm$(}G zf;w75T^)^9M`|O95a3S{99B*QZzGA|br2BnqpkeS0RLBL=USY91vppWbpLBalszGa zMNB0w^ZyBL%lJ2>uFehi#dLue`oa4rcZlF%%{W74=8l`{GR?tK}?NjJuC8hgsm%xkNG|(r+Ji zc=zJ8;%NN>h()dtDCuL@+H*)vPM-DGmBoT z{Y2+7Tk0%bkLfT-7(64Uf_K2u#(1a^8s9}vfpWp3Q5m_7(;EU?K0>(iYURCE!{n+M zSoXB)eYH!Utn0Jg>#tKbaji)IOCs)&B?h5{Mo}huX>cSV@Az9n^^NZAh8UcQ~U!PH>x{eT$Y%an$S97#66sK6hU2sGe`1QE#w{ z>9I}OHpq1E-cKre7uF>sW5syK8}_K-yv57|EFmd8N%g)S54RW%{bX=1hm9ChJ_@Nlqbm?Qcgyk=#qy 
zG)4XPoc@8Iea}%$HWw>8UJGYoS#-@6_pwWa3W>%B7f`@g@z}|eb4KTfGqLen-1<(Z zLBGqi89eCz{p``eqA&?`vbjakDIWw<$P$sH>e1(d;SO=Wl3}^1REm?K&-I13o^Qr% z2T;0JCWF6}$*73Zv^7dv#qM&3dJvk2?7qv(9|-26Kgq-AzqII}Ii@Bg06lxWWs8O& z=#^wfvG2klGY8nG6?%@Ob$a+&I*LW|ZYL-nF%E)$k5tmFfd?HTrpl06 zw~i5yiwt#gKo*66I&&n*Q7@!mDdy%HNR8}(kU9BC3=-Q(t=tEvv&gLm;pKCly}qwx zVJU`AUyk34;fIr{{^E2{kGb>BH3M1Id*C3j&57bwLEn+iZ@Q?dD^dw-1tFlXZCM@^(hI-;F2H_{Q~HN=x=H0pPE zm8Brz9!q+*azmtx${D}DYKpLDF?_fBv&}tMqczo?GR2XLHn<6PYhDS2$5AYK{bTL> zcy~{q2$}(xp{G$cGI~-jZDO%a7-^7G5*g3$L3-T!s+{{*O{qUitt literal 0 HcmV?d00001 From 6b95a61bdfc9db42023334e2f82cb2e6699a6470 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Tue, 22 Aug 2023 09:41:31 +0300 Subject: [PATCH 008/127] feat: error handling interceptor on signer Refs: XRDDEV-2461 --- .../src/main/proto/ErrorHandling.proto | 37 ++++++ .../java/ee/ria/xroad/signer/SignerMain.java | 2 + .../SignerExceptionHandlerInterceptor.java | 109 ++++++++++++++++++ 3 files changed, 148 insertions(+) create mode 100644 src/signer-protocol/src/main/proto/ErrorHandling.proto create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/SignerExceptionHandlerInterceptor.java diff --git a/src/signer-protocol/src/main/proto/ErrorHandling.proto b/src/signer-protocol/src/main/proto/ErrorHandling.proto new file mode 100644 index 0000000000..d7d76f4ddd --- /dev/null +++ b/src/signer-protocol/src/main/proto/ErrorHandling.proto 
@@ -0,0 +1,37 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+syntax = "proto3";
+
+option java_multiple_files = true;
+option java_package = "ee.ria.xroad.signer.protocol.dto";
+
+message CodedExceptionProto {
+ string faultCode = 1;
+ string faultActor = 2;
+ string faultDetail = 3;
+ string faultString = 4;
+ string translationCode = 5;
+}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java
index d8cc1bd7c7..16323b8b2d 100644
--- a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java @@ -32,6 +32,7 @@ import ee.ria.xroad.common.util.AdminPort; import ee.ria.xroad.common.util.JsonUtils; import ee.ria.xroad.signer.certmanager.OcspClientWorker; +import ee.ria.xroad.signer.protocol.SignerExceptionHandlerInterceptor; import ee.ria.xroad.signer.protocol.TokensApi; import ee.ria.xroad.signer.util.SignerUtil; @@ -119,6 +120,7 @@ private static void initGrpc() throws Exception { log.info("Initializing GRPC server on port {}.. ", port); RpcServer.init(port, builder -> { builder.addService(new TokensApi(actorSystem)); + builder.intercept(new SignerExceptionHandlerInterceptor()); }); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/SignerExceptionHandlerInterceptor.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/SignerExceptionHandlerInterceptor.java new file mode 100644 index 0000000000..e782e558f5 --- /dev/null +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/SignerExceptionHandlerInterceptor.java 
@@ -0,0 +1,109 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ +package ee.ria.xroad.signer.protocol; + +import ee.ria.xroad.common.CodedException; +import ee.ria.xroad.signer.protocol.dto.CodedExceptionProto; + +import io.grpc.ForwardingServerCallListener; +import io.grpc.Metadata; +import io.grpc.ServerCall; +import io.grpc.ServerCallHandler; +import io.grpc.ServerInterceptor; +import io.grpc.Status; +import io.grpc.StatusRuntimeException; +import io.grpc.protobuf.StatusProto; + +import static com.google.protobuf.Any.pack; +import static java.util.Optional.ofNullable; + +public class SignerExceptionHandlerInterceptor implements ServerInterceptor { + + @Override + public ServerCall.Listener interceptCall(ServerCall call, + Metadata headers, + ServerCallHandler next) { + ServerCall.Listener delegate = next.startCall(call, headers); + return new ExceptionHandler<>(delegate, call, headers); + } + + private static class ExceptionHandler extends ForwardingServerCallListener.SimpleForwardingServerCallListener { + + private final ServerCall delegate; + private final Metadata headers; + + ExceptionHandler(ServerCall.Listener listener, ServerCall serverCall, Metadata headers) { + super(listener); + this.delegate = serverCall; + this.headers = headers; + } + + @Override + public void onHalfClose() { + try { + super.onHalfClose(); + } catch (RuntimeException ex) { + handleException(ex, delegate, headers); + throw ex; + } + } + + private void handleException(RuntimeException exception, ServerCall serverCall, Metadata headers) { + if (exception instanceof CodedException) { + CodedException codedException = (CodedException) exception; + + com.google.rpc.Status rpcStatus = com.google.rpc.Status.newBuilder() + .setCode(Status.Code.INTERNAL.value()) + .setMessage(codedException.getMessage()) + .addDetails(pack(toProto(codedException))) + .build(); + + StatusRuntimeException statusRuntimeException = StatusProto.toStatusRuntimeException(rpcStatus); + + var newStatus = Status.fromThrowable(statusRuntimeException); + // Get metadata from 
statusRuntimeException + Metadata newHeaders = statusRuntimeException.getTrailers(); + + serverCall.close(newStatus, newHeaders); + } else { + serverCall.close(Status.UNKNOWN, headers); + } + } + + private CodedExceptionProto toProto(CodedException codedException) { + final CodedExceptionProto.Builder codedExceptionBuilder = CodedExceptionProto.newBuilder(); + + ofNullable(codedException.getFaultCode()).ifPresent(codedExceptionBuilder::setFaultCode); + ofNullable(codedException.getFaultActor()).ifPresent(codedExceptionBuilder::setFaultActor); + ofNullable(codedException.getFaultDetail()).ifPresent(codedExceptionBuilder::setFaultDetail); + ofNullable(codedException.getFaultString()).ifPresent(codedExceptionBuilder::setFaultString); + ofNullable(codedException.getTranslationCode()).ifPresent(codedExceptionBuilder::setTranslationCode); + + return codedExceptionBuilder.build(); + } + } + +} From 0bccf9c59f6f7603f8beea3d68f31493ddccc3bb Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Tue, 22 Aug 2023 14:28:30 +0300 Subject: [PATCH 009/127] feat: initial error handling on grpc client side Refs: XRDDEV-2461 --- .../java/ee/ria/xroad/signer/SignerProxy.java | 69 ++++++++++++++----- .../signer/protocol/RpcSignerClient.java | 29 +++++++- .../src/main/proto/ErrorHandling.proto | 1 + 3 files changed, 78 insertions(+), 21 deletions(-) diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java index 55811ec8fc..a1a6a4c530 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java @@ -25,6 +25,7 @@ */ package ee.ria.xroad.signer; +import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.identifier.SecurityServerId; import ee.ria.xroad.common.util.PasswordStore; 
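Review bot: In `handleException`, the branch for anything that is not a `CodedException` closes the call with `serverCall.close(Status.UNKNOWN, headers)`, and `headers` is the request metadata received in `interceptCall`, so every header the client sent is echoed back to it as response trailers. The trailers should be fresh: `serverCall.close(Status.UNKNOWN, new Metadata());`. That branch also discards the exception without logging it, so an unexpected failure leaves no record on the signer side unless the rethrow in `onHalfClose` happens to be logged elsewhere. In the `CodedException` branch, `getMessage()` and `faultDetail` go to the peer verbatim; that is presumably acceptable on the internal mutually-authenticated channel, but it deserves a comment on `toProto`.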
@@ -32,6 +33,7 @@ import ee.ria.xroad.signer.protocol.SignerClient; import ee.ria.xroad.signer.protocol.dto.AuthKeyInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; +import ee.ria.xroad.signer.protocol.dto.CodedExceptionProto; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.MemberSigningInfo; @@ -77,6 +79,9 @@ import ee.ria.xroad.signer.protocol.message.SignResponse; import ee.ria.xroad.signer.protocol.message.UpdateSoftwareTokenPin; +import com.google.protobuf.Any; +import com.google.protobuf.InvalidProtocolBufferException; +import io.grpc.StatusRuntimeException; import lombok.Value; import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.proto.ActivateTokenRequest; @@ -91,8 +96,11 @@ import java.util.Arrays; import java.util.Date; import java.util.List; +import java.util.concurrent.Callable; import java.util.stream.Collectors; +import static ee.ria.xroad.common.ErrorCodes.SIGNER_X; + /** * Responsible for managing cryptographic tokens (smartcards, HSMs, etc.) through the signer. */ 
@@ -105,6 +113,30 @@ private SignerProxy() { public static final String SSL_TOKEN_ID = "0"; + private static V executeAndHandleException(Callable grpcCall) { + try { + return grpcCall.call(); + } catch (StatusRuntimeException error) { + com.google.rpc.Status status = io.grpc.protobuf.StatusProto.fromThrowable(error); + if (status != null) { + for (Any any : status.getDetailsList()) { + if (any.is(CodedExceptionProto.class)) { + try { + final CodedExceptionProto ce = any.unpack(CodedExceptionProto.class); + throw CodedException.tr(ce.getFaultCode(), ce.getTranslationCode(), ce.getFaultString()) + .withPrefix(SIGNER_X); + } catch (InvalidProtocolBufferException e) { + throw new RuntimeException("Failed to parse grpc message", e); + } + } + } + } + throw error; + } catch (Exception e) { + throw new RuntimeException("Error in grpc call", e); + } + } + /** * Initialize the software token with the given password. * @@ -124,7 +156,8 @@ public static void initSoftwareToken(char[] password) throws Exception { * @throws Exception if any errors occur */ public static List getTokens() throws Exception { - ListTokensResponse response = getSignerClient().getSignerApiBlockingStub().listTokens(Empty.newBuilder().build()); + ListTokensResponse response = executeAndHandleException(() -> + getSignerClient().getSignerApiBlockingStub().listTokens(Empty.newBuilder().build())); return response.getTokensList().stream() .map(TokenInfo::new) @@ -151,10 +184,10 @@ private static RpcSignerClient getSignerClient() { * @throws Exception if any errors occur */ public static TokenInfo getToken(String tokenId) throws Exception { - return new TokenInfo(getSignerClient().getSignerApiBlockingStub() + return executeAndHandleException(() -> new TokenInfo(getSignerClient().getSignerApiBlockingStub() .getTokenById(GetTokenByIdRequest.newBuilder() .setTokenId(tokenId) - .build())); + .build()))); } /** 
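Review bot: The trailing `catch (Exception e)` in `executeAndHandleException` wraps everything that is not a `StatusRuntimeException` into a bare `RuntimeException("Error in grpc call", e)`, and that includes a `CodedException` or any other unchecked exception raised inside the callable, for instance from the `new TokenInfo(...)` conversions that the following hunks move into the lambda. Callers that catch `CodedException` would no longer see it. Adding `catch (RuntimeException e) { throw e; }` ahead of the generic clause keeps unchecked exceptions intact. The fault code and fault string read from `CodedExceptionProto` are taken from the peer as-is, while `faultDetail` and `faultActor` are dropped; if that is deliberate it should be said in a comment.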
@@ -169,11 +202,11 @@ public static void activateToken(String tokenId, char[] password) throws Excepti log.trace("Activating token '{}'", tokenId); - getSignerClient().getSignerApiBlockingStub() + executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() .activateToken(ActivateTokenRequest.newBuilder() .setTokenId(tokenId) .setActivate(true) - .build()); + .build())); } /** @@ -201,11 +234,11 @@ public static void deactivateToken(String tokenId) throws Exception { log.trace("Deactivating token '{}'", tokenId); - getSignerClient().getSignerApiBlockingStub() + executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() .activateToken(ActivateTokenRequest.newBuilder() .setTokenId(tokenId) .setActivate(false) - .build()); + .build())); } /** @@ -480,15 +513,15 @@ public static KeyIdInfo getKeyIdForCertHash(String hash) throws Exception { * @return TokenInfoAndKeyId * @throws Exception */ - public static TokenInfoAndKeyId getTokenAndKeyIdForCertHash(String hash) throws Exception { - hash = hash.toLowerCase(); - log.trace("Getting token and key id by cert hash '{}'", hash); + public static TokenInfoAndKeyId getTokenAndKeyIdForCertHash(String hash) { + String hashLowercase = hash.toLowerCase(); + log.trace("Getting token and key id by cert hash '{}'", hashLowercase); - var response = getSignerClient().getSignerApiBlockingStub() + var response = executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() .getTokenAndKeyIdByCertHash(GetTokenByCertHashRequest.newBuilder() - .setCertHash(hash) - .build()); - log.trace("Token and key id with hash '{}' found", hash); + .setCertHash(hashLowercase) + .build())); + log.trace("Token and key id with hash '{}' found", hashLowercase); return new TokenInfoAndKeyId(new TokenInfo(response.getTokenInfo()), response.getKeyId()); } 
@@ -539,10 +572,10 @@ public static AuthKeyInfo getAuthKey(SecurityServerId serverId) throws Exception public static TokenInfoAndKeyId getTokenAndKeyIdForCertRequestId(String certRequestId) throws Exception { log.trace("Getting token and key id by cert request id '{}'", certRequestId); - var response = getSignerClient().getSignerApiBlockingStub() + var response = executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() .getTokenAndKeyIdByCertRequestId(GetTokenByCertRequestIdRequest.newBuilder() .setCertRequestId(certRequestId) - .build()); + .build())); log.trace("Token and key id with cert request id '{}' found", certRequestId); @@ -557,8 +590,8 @@ public static TokenInfoAndKeyId getTokenAndKeyIdForCertRequestId(String certRequ * @throws Exception if any errors occur */ public static TokenInfo getTokenForKeyId(String keyId) throws Exception { - return new TokenInfo(getSignerClient().getSignerApiBlockingStub() - .getTokenByKey(GetTokenByKeyIdRequest.newBuilder().setKeyId(keyId).build())); + return executeAndHandleException(() -> new TokenInfo(getSignerClient().getSignerApiBlockingStub() + .getTokenByKey(GetTokenByKeyIdRequest.newBuilder().setKeyId(keyId).build()))); } public static String getSignMechanism(String keyId) throws Exception { diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java index 33091f6fc3..8921bb6995 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java 
@@ -1,3 +1,28 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ package ee.ria.xroad.signer.protocol; import io.grpc.Channel; @@ -33,8 +58,6 @@ public static RpcSignerClient init(int port) throws Exception { ManagedChannel channel = Grpc.newChannelBuilderForAddress("127.0.0.1", port, createClientCredentials()) .build(); - RpcSignerClient client = new RpcSignerClient(channel); - - return client; + return new RpcSignerClient(channel); } } 
diff --git a/src/signer-protocol/src/main/proto/ErrorHandling.proto b/src/signer-protocol/src/main/proto/ErrorHandling.proto index d7d76f4ddd..7a625c9d4a 100644 --- a/src/signer-protocol/src/main/proto/ErrorHandling.proto +++ b/src/signer-protocol/src/main/proto/ErrorHandling.proto @@ -28,6 +28,7 @@ syntax = "proto3"; option java_multiple_files = true; option java_package = "ee.ria.xroad.signer.protocol.dto"; +// todo rename the exception and the fields. should not be using soap fault naming inside signer. message CodedExceptionProto { string faultCode = 1; string faultActor = 2; From 789e633dba4d873b9be2355eac06f4298743e340 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Tue, 22 Aug 2023 15:18:03 +0300 Subject: [PATCH 010/127] chore: unused method deleted Refs: XRDDEV-2461 --- .../xroad/signer/tokenmanager/ServiceLocator.java | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java index c80d593a48..0abee02a4e 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -32,7 +32,6 @@ import static ee.ria.xroad.signer.protocol.ComponentNames.OCSP_RESPONSE_MANAGER; import static ee.ria.xroad.signer.protocol.ComponentNames.REQUEST_PROCESSOR; import static ee.ria.xroad.signer.protocol.ComponentNames.TOKEN_SIGNER; -import static ee.ria.xroad.signer.protocol.ComponentNames.TOKEN_WORKER; import static ee.ria.xroad.signer.util.ExceptionHelper.tokenNotFound; /** 
@@ -73,18 +72,6 @@ public static ActorSelection getToken(ActorContext context, return context.actorSelection(path); } - /** - * @param context the actor context - * @param tokenId the token id - * @return the token worker actor - */ - public static ActorSelection getTokenWorker(ActorContext context, - String tokenId) { - String path = String.format("/user/%s/%s/%s/%s", MODULE_MANAGER, - getModuleId(tokenId), tokenId, TOKEN_WORKER); - return context.actorSelection(path); - } - /** * @param context the actor context * @param tokenId the token id From 3c9dc2271791bf814903866908d418e18402db56 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Wed, 23 Aug 2023 09:57:58 +0300 Subject: [PATCH 011/127] chore: migrate signer handlers to grpc Refs: XRDDEV-2468 --- .../ria/xroad/signer/console/SignerCLI.java | 5 +- src/signer-protocol/build.gradle | 3 +- .../ria/xroad/signer/glue/SignerStepDefs.java | 5 +- .../java/ee/ria/xroad/signer/SignerProxy.java | 148 +++++++++--------- .../xroad/signer/protocol/ClientIdMapper.java | 37 +++++ .../signer/protocol/RpcSignerClient.java | 23 ++- .../signer/protocol/dto/CertificateInfo.java | 17 +- .../signer/protocol/message/ActivateCert.java | 41 ----- .../protocol/message/ActivateToken.java | 1 + .../message/GetCertificateInfoForHash.java | 39 ----- .../message/GetCertificateInfoResponse.java | 42 ----- .../protocol/message/GetKeyIdForCertHash.java | 39 ----- .../message/GetKeyIdForCertHashResponse.java | 44 ------ .../protocol/message/GetMemberCerts.java | 41 ----- .../message/GetMemberCertsResponse.java | 45 ------ .../protocol/message/GetSignMechanism.java | 42 ----- .../message/GetSignMechanismResponse.java | 42 ----- .../message/GetTokenBatchSigningEnabled.java | 40 ----- .../protocol/message/InitSoftwareToken.java | 1 + .../protocol/message/SetCertStatus.java | 41 ----- .../protocol/message/SetKeyFriendlyName.java | 41 ----- .../message/SetTokenFriendlyName.java | 41 ----- .../src/main/proto/CertificateService.proto | 44 ++++++ .../src/main/proto/KeyService.proto | 41 +++++ .../src/main/proto/TokenService.proto | 70 +++++++++ .../src/main/proto/Tokens.proto | 4 + .../src/main/proto/TokensApi.proto | 51 ------ .../java/ee/ria/xroad/signer/SignerMain.java | 8 +- .../java/ee/ria/xroad/signer/model/Cert.java | 4 +- .../ria/xroad/signer/model/CertRequest.java | 19 +-- .../signer/protocol/CertificateService.java | 123 +++++++++++++++ .../ria/xroad/signer/protocol/KeyService.java | 104 ++++++++++++ .../{TokensApi.java => TokensService.java} | 55 ++++++- .../handler/ActivateCertRequestHandler.java | 45 ------ 
...tCertificateInfoForHashRequestHandler.java | 54 ------- .../GetKeyIdForCertHashRequestHandler.java | 54 ------- .../handler/GetMemberCertsRequestHandler.java | 66 -------- .../GetSignMechanismRequestHandler.java | 52 ------ ...okenBatchSigningEnabledRequestHandler.java | 45 ------ .../InitSoftwareTokenRequestHandler.java | 52 ------ .../handler/SetCertStatusRequestHandler.java | 44 ------ .../SetKeyFriendlyNameRequestHandler.java | 46 ------ .../SetTokenFriendlyNameRequestHandler.java | 46 ------ 43 files changed, 581 insertions(+), 1224 deletions(-) create mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ActivateCert.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetCertificateInfoForHash.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetCertificateInfoResponse.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetKeyIdForCertHash.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetKeyIdForCertHashResponse.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetMemberCerts.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetMemberCertsResponse.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetSignMechanism.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetSignMechanismResponse.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetTokenBatchSigningEnabled.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SetCertStatus.java delete mode 100644 
src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SetKeyFriendlyName.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SetTokenFriendlyName.java create mode 100644 src/signer-protocol/src/main/proto/CertificateService.proto create mode 100644 src/signer-protocol/src/main/proto/KeyService.proto create mode 100644 src/signer-protocol/src/main/proto/TokenService.proto delete mode 100644 src/signer-protocol/src/main/proto/TokensApi.proto create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/{TokensApi.java => TokensService.java} (67%) delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateCertRequestHandler.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetCertificateInfoForHashRequestHandler.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetKeyIdForCertHashRequestHandler.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsRequestHandler.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetSignMechanismRequestHandler.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenBatchSigningEnabledRequestHandler.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenRequestHandler.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetCertStatusRequestHandler.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetKeyFriendlyNameRequestHandler.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetTokenFriendlyNameRequestHandler.java 
diff --git a/src/signer-console/src/main/java/ee/ria/xroad/signer/console/SignerCLI.java b/src/signer-console/src/main/java/ee/ria/xroad/signer/console/SignerCLI.java index 6ce6ec0c94..636e0bf191 100644 --- a/src/signer-console/src/main/java/ee/ria/xroad/signer/console/SignerCLI.java +++ b/src/signer-console/src/main/java/ee/ria/xroad/signer/console/SignerCLI.java @@ -41,7 +41,6 @@ import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.protocol.message.CertificateRequestFormat; -import ee.ria.xroad.signer.protocol.message.GetMemberCertsResponse; import akka.actor.ActorSystem; import asg.cliche.CLIException; @@ -279,11 +278,11 @@ public void getKeyIdForCertHash(@Param(name = "certHash", description = "Certifi @Command(description = "Returns all certificates of a member") public void getMemberCerts( @Param(name = "memberId", description = "Member identifier") ClientId memberId) throws Exception { - GetMemberCertsResponse response = SignerProxy.getMemberCerts(memberId); + List certificateInfos = SignerProxy.getMemberCerts(memberId); System.out.println("Certs of member " + memberId + ":"); - for (CertificateInfo cert : response.getCerts()) { + for (CertificateInfo cert : certificateInfos) { System.out.println("\tId:\t" + cert.getId()); System.out.println("\t\tStatus:\t" + cert.getStatus()); System.out.println("\t\tActive:\t" + cert.isActive()); diff --git a/src/signer-protocol/build.gradle b/src/signer-protocol/build.gradle index 4fa4e57ad3..dc0ed4c5b8 100644 --- a/src/signer-protocol/build.gradle +++ b/src/signer-protocol/build.gradle @@ -1,4 +1,5 @@ plugins { + id 'java-library' id 'com.google.protobuf' } @@ -14,7 +15,7 @@ sourceSets { dependencies { implementation project(':common:common-util') - implementation project(':common:common-rpc') + api project(':common:common-rpc') intTestRuntimeOnly project(':signer') intTestRuntimeOnly project(':common:common-util') 
diff --git a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java index 3bc55d6fc6..f4b0ff1302 100644 --- a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java +++ b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java @@ -39,7 +39,6 @@ import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyId; import ee.ria.xroad.signer.protocol.dto.TokenStatusInfo; import ee.ria.xroad.signer.protocol.message.CertificateRequestFormat; -import ee.ria.xroad.signer.protocol.message.GetMemberCertsResponse; import akka.actor.ActorSystem; import com.nortal.test.core.report.TestReportService; @@ -271,8 +270,8 @@ public void signMechanismForTokenKeyIsNotNull(String tokenId, String keyName) th @Then("member {string} has {int} certificate") public void memberHasCertificate(String memberId, int certCount) throws Exception { - final GetMemberCertsResponse memberCerts = SignerProxy.getMemberCerts(getClientId(memberId)); - assertThat(memberCerts.getCerts()).hasSize(certCount); + final List memberCerts = SignerProxy.getMemberCerts(getClientId(memberId)); + assertThat(memberCerts).hasSize(certCount); } @When("check token {string} key {string} batch signing enabled") diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java index a1a6a4c530..edd4e83026 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java 
@@ -25,72 +25,23 @@ */ package ee.ria.xroad.signer; +import com.google.protobuf.Any; +import com.google.protobuf.InvalidProtocolBufferException; + import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.identifier.SecurityServerId; import ee.ria.xroad.common.util.PasswordStore; +import ee.ria.xroad.signer.protocol.ClientIdMapper; import ee.ria.xroad.signer.protocol.RpcSignerClient; import ee.ria.xroad.signer.protocol.SignerClient; -import ee.ria.xroad.signer.protocol.dto.AuthKeyInfo; -import ee.ria.xroad.signer.protocol.dto.CertificateInfo; -import ee.ria.xroad.signer.protocol.dto.CodedExceptionProto; -import ee.ria.xroad.signer.protocol.dto.KeyInfo; -import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; -import ee.ria.xroad.signer.protocol.dto.MemberSigningInfo; -import ee.ria.xroad.signer.protocol.dto.TokenInfo; -import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyId; -import ee.ria.xroad.signer.protocol.message.ActivateCert; -import ee.ria.xroad.signer.protocol.message.CertificateRequestFormat; -import ee.ria.xroad.signer.protocol.message.DeleteCert; -import ee.ria.xroad.signer.protocol.message.DeleteCertRequest; -import ee.ria.xroad.signer.protocol.message.DeleteKey; -import ee.ria.xroad.signer.protocol.message.GenerateCertRequest; -import ee.ria.xroad.signer.protocol.message.GenerateCertRequestResponse; -import ee.ria.xroad.signer.protocol.message.GenerateKey; -import ee.ria.xroad.signer.protocol.message.GenerateSelfSignedCert; -import ee.ria.xroad.signer.protocol.message.GenerateSelfSignedCertResponse; -import ee.ria.xroad.signer.protocol.message.GetAuthKey; -import ee.ria.xroad.signer.protocol.message.GetCertificateInfoForHash; -import ee.ria.xroad.signer.protocol.message.GetCertificateInfoResponse; -import ee.ria.xroad.signer.protocol.message.GetHSMOperationalInfo; -import ee.ria.xroad.signer.protocol.message.GetHSMOperationalInfoResponse; -import 
ee.ria.xroad.signer.protocol.message.GetKeyIdForCertHash; -import ee.ria.xroad.signer.protocol.message.GetKeyIdForCertHashResponse; -import ee.ria.xroad.signer.protocol.message.GetMemberCerts; -import ee.ria.xroad.signer.protocol.message.GetMemberCertsResponse; -import ee.ria.xroad.signer.protocol.message.GetMemberSigningInfo; -import ee.ria.xroad.signer.protocol.message.GetOcspResponses; -import ee.ria.xroad.signer.protocol.message.GetOcspResponsesResponse; -import ee.ria.xroad.signer.protocol.message.GetSignMechanism; -import ee.ria.xroad.signer.protocol.message.GetSignMechanismResponse; -import ee.ria.xroad.signer.protocol.message.GetTokenBatchSigningEnabled; -import ee.ria.xroad.signer.protocol.message.ImportCert; -import ee.ria.xroad.signer.protocol.message.ImportCertResponse; -import ee.ria.xroad.signer.protocol.message.InitSoftwareToken; -import ee.ria.xroad.signer.protocol.message.RegenerateCertRequest; -import ee.ria.xroad.signer.protocol.message.RegenerateCertRequestResponse; -import ee.ria.xroad.signer.protocol.message.SetCertStatus; -import ee.ria.xroad.signer.protocol.message.SetKeyFriendlyName; -import ee.ria.xroad.signer.protocol.message.SetOcspResponses; -import ee.ria.xroad.signer.protocol.message.SetTokenFriendlyName; -import ee.ria.xroad.signer.protocol.message.Sign; -import ee.ria.xroad.signer.protocol.message.SignCertificate; -import ee.ria.xroad.signer.protocol.message.SignCertificateResponse; -import ee.ria.xroad.signer.protocol.message.SignResponse; -import ee.ria.xroad.signer.protocol.message.UpdateSoftwareTokenPin; +import ee.ria.xroad.signer.protocol.dto.*; +import ee.ria.xroad.signer.protocol.message.*; -import com.google.protobuf.Any; -import com.google.protobuf.InvalidProtocolBufferException; import io.grpc.StatusRuntimeException; import lombok.Value; import lombok.extern.slf4j.Slf4j; -import org.niis.xroad.signer.proto.ActivateTokenRequest; -import org.niis.xroad.signer.proto.Empty; -import 
org.niis.xroad.signer.proto.GetTokenByCertHashRequest; -import org.niis.xroad.signer.proto.GetTokenByCertRequestIdRequest; -import org.niis.xroad.signer.proto.GetTokenByIdRequest; -import org.niis.xroad.signer.proto.GetTokenByKeyIdRequest; -import org.niis.xroad.signer.proto.ListTokensResponse; +import org.niis.xroad.signer.proto.*; import java.security.PublicKey; import java.util.Arrays; @@ -146,7 +97,10 @@ private static V executeAndHandleException(Callable grpcCall) { public static void initSoftwareToken(char[] password) throws Exception { log.trace("Initializing software token"); - execute(new InitSoftwareToken(password)); + executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() + .initSoftwareToken(InitSoftwareTokenRequest.newBuilder() + .setPin(new String(password)) + .build())); } /** @@ -251,7 +205,11 @@ public static void deactivateToken(String tokenId) throws Exception { public static void setTokenFriendlyName(String tokenId, String friendlyName) throws Exception { log.trace("Setting friendly name '{}' for token '{}'", friendlyName, tokenId); - execute(new SetTokenFriendlyName(tokenId, friendlyName)); + executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() + .setTokenFriendlyName(SetTokenFriendlyNameRequest.newBuilder() + .setTokenId(tokenId) + .setFriendlyName(friendlyName) + .build())); } /** @@ -264,7 +222,11 @@ public static void setTokenFriendlyName(String tokenId, String friendlyName) thr public static void setKeyFriendlyName(String keyId, String friendlyName) throws Exception { log.trace("Setting friendly name '{}' for key '{}'", friendlyName, keyId); - execute(new SetKeyFriendlyName(keyId, friendlyName)); + executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() + .setKeyFriendlyName(SetKeyFriendlyNameRequest.newBuilder() + .setKeyId(keyId) + .setFriendlyName(friendlyName) + .build())); } /** 
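Review bot: The import hunk replaces the explicit lists with `ee.ria.xroad.signer.protocol.dto.*`, `ee.ria.xroad.signer.protocol.message.*` and `org.niis.xroad.signer.proto.*`, which hides which package a simple name binds to. This commit already shows the effect: `GetSignMechanismResponse` in getSignMechanism used to come from the `message` package (deleted here per the diffstat) and now resolves to the generated proto class of the same name. While two parallel message sets exist during the migration, explicit imports such as `import org.niis.xroad.signer.proto.GetSignMechanismResponse;` keep that choice visible and avoid ambiguity errors if both packages define a name.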
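Review bot: In the initSoftwareToken hunk, `.setPin(new String(password))` copies the PIN out of the caller's `char[]` into an immutable String that cannot be cleared, so the benefit of accepting a `char[]` ends at this line. A protobuf `string` field needs a String, so the copy is hard to avoid, but the generated request's `toString()` prints field values by default, so this message must never reach a log statement or a logging interceptor. I would add `// PIN is copied into an immutable String here; never log this request` above the call. It is also worth confirming that the channel behind getSignerApiBlockingStub() is created with TLS credentials, which this hunk does not show.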
@@ -339,7 +301,11 @@ public static String importCert(byte[] certBytes, String initialStatus, ClientId public static void activateCert(String certId) throws Exception { log.trace("Activating cert '{}'", certId); - execute(new ActivateCert(certId, true)); + executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + .activateCert(ActivateCertRequest.newBuilder() + .setCertIdOrHash(certId) + .setActive(true) + .build())); } /** @@ -351,7 +317,11 @@ public static void activateCert(String certId) throws Exception { public static void deactivateCert(String certId) throws Exception { log.trace("Deactivating cert '{}'", certId); - execute(new ActivateCert(certId, false)); + executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + .activateCert(ActivateCertRequest.newBuilder() + .setCertIdOrHash(certId) + .setActive(false) + .build())); } /** @@ -466,7 +436,11 @@ public static void deleteKey(String keyId, boolean deleteFromToken) throws Excep public static void setCertStatus(String certId, String status) throws Exception { log.trace("Setting cert ('{}') status to '{}'", certId, status); - execute(new SetCertStatus(certId, status)); + executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + .setCertStatus(SetCertStatusRequest.newBuilder() + .setCertId(certId) + .setStatus(status) + .build())); } /** 
@@ -477,15 +451,17 @@ public static void setCertStatus(String certId, String status) throws Exception * @throws Exception */ public static CertificateInfo getCertForHash(String hash) throws Exception { - hash = hash.toLowerCase(); + final String finalHash = hash.toLowerCase(); log.trace("Getting cert by hash '{}'", hash); - GetCertificateInfoResponse response = execute(new GetCertificateInfoForHash(hash)); - CertificateInfo certificateInfo = response.getCertificateInfo(); + var response = executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + .getCertificateInfoForHash(GetCertificateInfoForHashRequest.newBuilder() + .setCertHash(finalHash) + .build())); - log.trace("Cert with hash '{}' found", hash); + log.trace("Cert with hash '{}' found", finalHash); - return certificateInfo; + return new CertificateInfo(response.getCertificateInfo()); } /** @@ -496,12 +472,15 @@ public static CertificateInfo getCertForHash(String hash) throws Exception { * @throws Exception */ public static KeyIdInfo getKeyIdForCertHash(String hash) throws Exception { - hash = hash.toLowerCase(); - log.trace("Getting cert by hash '{}'", hash); + final String finalHash = hash.toLowerCase(); + log.trace("Getting cert by hash '{}'", finalHash); - GetKeyIdForCertHashResponse response = execute(new GetKeyIdForCertHash(hash)); + var response = executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() + .getKeyIdForCertHash(GetKeyIdForCertHashRequest.newBuilder() + .setCertHash(finalHash) + .build())); - log.trace("Cert with hash '{}' found", hash); + log.trace("Cert with hash '{}' found", finalHash); return new KeyIdInfo(response.getKeyId(), response.getSignMechanismName()); } 
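Review bot: In getCertForHash the first trace call still logs the caller-supplied `hash` while the request and the second trace use the normalised `finalHash`, so the two log lines for one lookup can differ in case; `log.trace("Getting cert by hash '{}'", finalHash);` fixes that. The lower-cased local is called `finalHash` here and in getKeyIdForCertHash but `hashLowercase` in getTokenAndKeyIdForCertHash earlier in this file, and one name across the three methods would read better. getKeyIdForCertHash also traces "Getting cert by hash" although it returns a key id, which makes the two lookups indistinguishable in the log.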
@@ -595,8 +574,12 @@ public static TokenInfo getTokenForKeyId(String keyId) throws Exception { } public static String getSignMechanism(String keyId) throws Exception { - final GetSignMechanismResponse signMechanismResponse = execute(new GetSignMechanism(keyId)); - return signMechanismResponse.getSignMechanismName(); + GetSignMechanismResponse response = executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() + .getSignMechanism(GetSignMechanismRequest.newBuilder() + .setKeyId(keyId) + .build())); + + return response.getSignMechanismName(); } public static byte[] sign(String keyId, String signatureAlgorithmId, byte[] digest) throws Exception { @@ -604,8 +587,13 @@ public static byte[] sign(String keyId, String signatureAlgorithmId, byte[] dige return signResponse.getSignature(); } - public static Boolean isTokenBatchSigningEnabled(String keyId) throws Exception { - return execute(new GetTokenBatchSigningEnabled(keyId)); + public static Boolean isTokenBatchSigningEnabled(String keyId) { + var response = executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() + .getTokenBatchSigningEnabled(GetTokenBatchSigningEnabledRequest.newBuilder() + .setKeyId(keyId) + .build())); + + return response.getBatchingSigningEnabled(); } public static MemberSigningInfoDto getMemberSigningInfo(ClientId clientId) throws Exception { 
@@ -613,8 +601,14 @@ public static MemberSigningInfoDto getMemberSigningInfo(ClientId clientId) throw return new MemberSigningInfoDto(response.getKeyId(), response.getCert(), response.getSignMechanismName()); } - public static GetMemberCertsResponse getMemberCerts(ClientId memberId) throws Exception { - return execute(new GetMemberCerts(memberId)); + public static List getMemberCerts(ClientId memberId) throws Exception { + var response = executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + .getMemberCerts(GetMemberCertsRequest.newBuilder() + .setMemberId(ClientIdMapper.toDto(memberId)) + .build())); + return response.getCertsList().stream() + .map(CertificateInfo::new) + .collect(Collectors.toList()); } public static boolean isHSMOperational() throws Exception { diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java new file mode 100644 index 0000000000..301349d90d --- /dev/null +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java 
@@ -0,0 +1,37 @@ +package ee.ria.xroad.signer.protocol; + +import ee.ria.xroad.common.identifier.ClientId; +import ee.ria.xroad.signer.protocol.dto.ClientIdProto; +import ee.ria.xroad.signer.protocol.dto.XRoadObjectType; + +public class ClientIdMapper { + + public static ClientId.Conf fromDto(ClientIdProto input) { + + //TODO:grpc refine this check + if (input.hasField(ClientIdProto.getDescriptor().findFieldByName("subsystem_code"))) { + return ClientId.Conf.create(input.getXroadInstance(), + input.getMemberClass(), + input.getMemberCode(), + input.getSubsystemCode()); + } else { + return ClientId.Conf.create(input.getXroadInstance(), + input.getMemberClass(), + input.getMemberCode()); + } + } + + //TODO:grpc move to a separate place. + public static ClientIdProto toDto(ClientId input) { + var builder = ClientIdProto.newBuilder() + .setMemberClass(input.getMemberClass()) + .setMemberCode(input.getMemberCode()) + .setXroadInstance(input.getXRoadInstance()) + .setObjectType(XRoadObjectType.valueOf(input.getObjectType().name())); + + if (input.getSubsystemCode() != null) { + builder.setSubsystemCode(input.getSubsystemCode()); + } + return builder.build(); + } +} diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java index 8921bb6995..e2e36178fd 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java 
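Review bot: ClientIdMapper.fromDto chooses between a member and a subsystem id with `input.hasField(ClientIdProto.getDescriptor().findFieldByName("subsystem_code"))`, which depends on a string literal matching the .proto field name: `findFieldByName` returns null for a name that does not exist, and `hasField` is then called with null. ClientIdProto's definition is not in this hunk, so the name cannot be confirmed from here, and ErrorHandling.proto in this series uses camelCase field names (`faultCode`). If the field is declared `optional`, the generated accessor is checked at compile time instead: `if (input.hasSubsystemCode()) {`. Separately, toDto writes `objectType` but fromDto never reads it, and `XRoadObjectType.valueOf(input.getObjectType().name())` throws when the proto enum lacks a same-named constant. Because this mapping decides which client identity a certificate is attributed to, both directions deserve a unit test, and the class should be `final` with a private constructor.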
@@ -30,23 +30,31 @@ import io.grpc.ManagedChannel; import lombok.Getter; import lombok.extern.slf4j.Slf4j; -import org.niis.xroad.signer.proto.TokensApiGrpc; +import org.niis.xroad.signer.proto.CertificateServiceGrpc; +import org.niis.xroad.signer.proto.KeyServiceGrpc; +import org.niis.xroad.signer.proto.TokenServiceGrpc; import static org.niis.xroad.signer.grpc.ServerCredentialsConfigurer.createClientCredentials; @Slf4j public class RpcSignerClient { @Getter - private final TokensApiGrpc.TokensApiStub signerApiStub; + private final TokenServiceGrpc.TokenServiceStub signerApiStub; @Getter - private final TokensApiGrpc.TokensApiBlockingStub signerApiBlockingStub; + private final TokenServiceGrpc.TokenServiceBlockingStub signerApiBlockingStub; + @Getter + private final CertificateServiceGrpc.CertificateServiceBlockingStub certificateServiceBlockingStub; + @Getter + private final KeyServiceGrpc.KeyServiceBlockingStub keyServiceBlockingStub; /** * Construct client for accessing RouteGuide server using the existing channel. */ public RpcSignerClient(Channel channel) { - signerApiStub = TokensApiGrpc.newStub(channel); - signerApiBlockingStub = TokensApiGrpc.newBlockingStub(channel); + signerApiStub = TokenServiceGrpc.newStub(channel); + signerApiBlockingStub = TokenServiceGrpc.newBlockingStub(channel); + certificateServiceBlockingStub = CertificateServiceGrpc.newBlockingStub(channel); + keyServiceBlockingStub = KeyServiceGrpc.newBlockingStub(channel); } /** 
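Review bot: The constructor Javadoc kept as context in this hunk still reads "Construct client for accessing RouteGuide server", text from the gRPC sample code rather than a description of the signer client. I would reword it to `Creates a signer client whose token, certificate and key service stubs share the given channel.` The fields `signerApiStub` and `signerApiBlockingStub` also keep the old API name although they now hold `TokenServiceGrpc` stubs next to `certificateServiceBlockingStub` and `keyServiceBlockingStub`. Renaming them to `tokenServiceStub`/`tokenServiceBlockingStub` would match, with the caveat that the Lombok getter names change and SignerProxy's `getSignerApiBlockingStub()` calls have to follow.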
@@ -54,8 +62,9 @@ public RpcSignerClient(Channel channel) { * greeting. */ public static RpcSignerClient init(int port) throws Exception { - log.info("Starting grpc client init.."); - ManagedChannel channel = Grpc.newChannelBuilderForAddress("127.0.0.1", port, createClientCredentials()) + var credentials = createClientCredentials(); + log.info("Starting grpc client with {} credentials..", credentials.getClass().getSimpleName()); + ManagedChannel channel = Grpc.newChannelBuilderForAddress("127.0.0.1", port, credentials) .build(); return new RpcSignerClient(channel); diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java index 6c829141a8..a0c3d05a0b 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java @@ -26,6 +26,7 @@ package ee.ria.xroad.signer.protocol.dto; import ee.ria.xroad.common.identifier.ClientId; +import ee.ria.xroad.signer.protocol.ClientIdMapper; import lombok.RequiredArgsConstructor; import lombok.ToString; @@ -53,18 +54,7 @@ public class CertificateInfo implements Serializable { private final CertificateInfoProto message; public ClientId.Conf getMemberId() { - ClientIdProto memberId = message.getMemberId(); - //TODO:grpc refine this check - if (message.getMemberId().hasField(ClientIdProto.getDescriptor().findFieldByName("subsystem_code"))) { - return ClientId.Conf.create(memberId.getXroadInstance(), - memberId.getMemberClass(), - memberId.getMemberCode(), - memberId.getSubsystemCode()); - } else { - return ClientId.Conf.create(memberId.getXroadInstance(), - memberId.getMemberClass(), - memberId.getMemberCode()); - } + return ClientIdMapper.fromDto(message.getMemberId()); } public boolean isActive() { 
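Review bot: init() builds a `ManagedChannel` and hands it to a constructor that takes a plain `Channel` and, as far as the field list in this patch shows, stores only stubs, so nothing retains the channel and nothing can call `shutdown()` on it. Keeping it in a field (`private final ManagedChannel channel;`) and adding a `close()` that calls `channel.shutdown()` would give callers a way to release it. The new log line reports the credentials class at info level; createClientCredentials() is not part of this hunk, but if it can return plaintext credentials, that case deserves `log.warn`, because this channel carries the software token PIN sent by initSoftwareToken.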
@@ -91,4 +81,7 @@ public byte[] getOcspBytes() { return message.getOcspBytes().toByteArray(); } + public CertificateInfoProto asMessage() { + return message; + } } diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ActivateCert.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ActivateCert.java deleted file mode 100644 index 108d021c88..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ActivateCert.java +++ /dev/null 
@@ -1,41 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -public class ActivateCert implements Serializable { - - private final String certIdOrHash; - private final boolean active; - -} diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ActivateToken.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ActivateToken.java index 24ee1b03e8..09452c8b78 100644 
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ActivateToken.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ActivateToken.java @@ -33,6 +33,7 @@ * Signer API message. */ @Value +@Deprecated public class ActivateToken implements Serializable { private final String tokenId; diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetCertificateInfoForHash.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetCertificateInfoForHash.java deleted file mode 100644 index 04ab69e3bb..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetCertificateInfoForHash.java +++ /dev/null 
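Review bot: `@Deprecated` on `ActivateToken` comes without a Javadoc `@deprecated` tag, so readers are not told what replaces the class; the same applies to the `@Deprecated` added to `InitSoftwareToken` later in this patch. I would extend the class comment with `@deprecated replaced by the gRPC ActivateTokenRequest in TokenService.proto`, and the `InitSoftwareTokenRequest` equivalent on the other class. The class body continues past the hunk.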
@@ -1,39 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -public class GetCertificateInfoForHash implements Serializable { - - private final String certHash; -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetCertificateInfoResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetCertificateInfoResponse.java deleted file mode 100644 index 7bbde4ad3a..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetCertificateInfoResponse.java +++ /dev/null 
@@ -1,42 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import ee.ria.xroad.signer.protocol.dto.CertificateInfo; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -public class GetCertificateInfoResponse implements Serializable { - - private final CertificateInfo certificateInfo; - -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetKeyIdForCertHash.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetKeyIdForCertHash.java deleted file mode 100644 index 25c1ee0d4e..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetKeyIdForCertHash.java +++ /dev/null 
@@ -1,39 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -public class GetKeyIdForCertHash implements Serializable { - - private final String certHash; -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetKeyIdForCertHashResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetKeyIdForCertHashResponse.java deleted file mode 100644 index e3d969dbed..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetKeyIdForCertHashResponse.java +++ /dev/null 
@@ -1,44 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -public class GetKeyIdForCertHashResponse implements Serializable { - - private static final long serialVersionUID = -506185905371113286L; - - private final String keyId; - - private final String signMechanismName; - -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetMemberCerts.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetMemberCerts.java deleted file mode 100644 index 4ee73d743d..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetMemberCerts.java +++ /dev/null 
@@ -1,41 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import ee.ria.xroad.common.identifier.ClientId; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -public class GetMemberCerts implements Serializable { - - private final ClientId memberId; -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetMemberCertsResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetMemberCertsResponse.java deleted file mode 100644 index 3d24e27ac3..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetMemberCertsResponse.java +++ /dev/null 
@@ -1,45 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import ee.ria.xroad.signer.protocol.dto.CertificateInfo; - -import lombok.ToString; -import lombok.Value; - -import java.io.Serializable; -import java.util.List; - -/** - * Signer API message. - */ -@Value -@ToString(exclude = "certs") -public class GetMemberCertsResponse implements Serializable { - - private final List certs; - -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetSignMechanism.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetSignMechanism.java deleted file mode 100644 index 1a235d8a51..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetSignMechanism.java +++ /dev/null 
@@ -1,42 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -public class GetSignMechanism implements Serializable { - - private static final long serialVersionUID = 1L; - - private final String keyId; - -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetSignMechanismResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetSignMechanismResponse.java deleted file mode 100644 index 1f5b5e2912..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetSignMechanismResponse.java +++ /dev/null 
@@ -1,42 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -public class GetSignMechanismResponse implements Serializable { - - private static final long serialVersionUID = 1L; - - String signMechanismName; - -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetTokenBatchSigningEnabled.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetTokenBatchSigningEnabled.java deleted file mode 100644 index 6966377999..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetTokenBatchSigningEnabled.java +++ /dev/null 
@@ -1,40 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -public class GetTokenBatchSigningEnabled implements Serializable { - - private final String keyId; - -} diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/InitSoftwareToken.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/InitSoftwareToken.java index eb5327265f..7640c9d689 100644 
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/InitSoftwareToken.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/InitSoftwareToken.java @@ -33,6 +33,7 @@ * Signer API message. */ @Value +@Deprecated public class InitSoftwareToken implements Serializable { private final char[] pin; diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SetCertStatus.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SetCertStatus.java deleted file mode 100644 index adf66bf97b..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SetCertStatus.java +++ /dev/null 
@@ -1,41 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -public class SetCertStatus implements Serializable { - - private final String certId; - private final String status; - -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SetKeyFriendlyName.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SetKeyFriendlyName.java deleted file mode 100644 index 951237828c..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SetKeyFriendlyName.java +++ /dev/null 
@@ -1,41 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -public class SetKeyFriendlyName implements Serializable { - - private final String keyId; - private final String friendlyName; - -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SetTokenFriendlyName.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SetTokenFriendlyName.java deleted file mode 100644 index 126a7af619..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SetTokenFriendlyName.java +++ /dev/null 
@@ -1,41 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -public class SetTokenFriendlyName implements Serializable { - - private final String tokenId; - private final String friendlyName; - -} diff --git a/src/signer-protocol/src/main/proto/CertificateService.proto b/src/signer-protocol/src/main/proto/CertificateService.proto new file mode 100644 index 0000000000..dd373fc6a9 --- /dev/null 
+++ b/src/signer-protocol/src/main/proto/CertificateService.proto
@@ -0,0 +1,44 @@
+syntax = "proto3";
+
+option java_multiple_files = true;
+
+import "Tokens.proto";
+import "TokenStatusInfo.proto";
+
+package org.niis.xroad.signer.proto;
+
+service CertificateService {
+ rpc ActivateCert (ActivateCertRequest) returns (Empty) {}
+
+ rpc GetCertificateInfoForHash (GetCertificateInfoForHashRequest) returns (GetCertificateInfoResponse) {}
+
+ rpc GetMemberCerts (GetMemberCertsRequest) returns (GetMemberCertsResponse) {}
+
+ rpc SetCertStatus (SetCertStatusRequest) returns (Empty) {}
+}
+
+message GetCertificateInfoForHashRequest {
+ string certHash = 1;
+}
+
+message GetCertificateInfoResponse {
+ CertificateInfoProto certificateInfo = 1;
+}
+
+message ActivateCertRequest {
+ string certIdOrHash = 1;
+ bool active = 2;
+}
+
+message SetCertStatusRequest{
+ string certId = 1;
+ string status = 2;
+}
+
+message GetMemberCertsRequest{
+ ClientIdProto memberId = 1;
+}
+
+message GetMemberCertsResponse{
+ repeated CertificateInfoProto certs = 1;
+}
diff --git a/src/signer-protocol/src/main/proto/KeyService.proto b/src/signer-protocol/src/main/proto/KeyService.proto
new file mode 100644
index 0000000000..c53a099fca
--- /dev/null
+++ b/src/signer-protocol/src/main/proto/KeyService.proto
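Review bot: `SetCertStatusRequest.status` in CertificateService.proto is a free-form `string`, so the set of valid certificate states is not part of the API contract and any caller-supplied text reaches the handler. The handler is not in this hunk; if it stores the value as received, an unexpected status could end up persisted. Since this is a new file, either model the field as an enum (`CertStatus status = 2;`, with the project's existing status names as values) or document on the field that the server validates it against the known status constants.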
@@ -0,0 +1,41 @@
+syntax = "proto3";
+
+option java_multiple_files = true;
+
+import "Tokens.proto";
+import "TokenStatusInfo.proto";
+
+package org.niis.xroad.signer.proto;
+
+service KeyService {
+ rpc SetKeyFriendlyName (SetKeyFriendlyNameRequest) returns (Empty) {}
+
+ rpc GetKeyIdForCertHash (GetKeyIdForCertHashRequest) returns (GetKeyIdForCertHashResponse) {}
+
+ rpc GetSignMechanism (GetSignMechanismRequest) returns (GetSignMechanismResponse) {}
+
+}
+
+
+message GetKeyIdForCertHashRequest {
+ string certHash = 1;
+}
+
+message GetKeyIdForCertHashResponse {
+ string keyId = 1;
+ string signMechanismName = 2;
+}
+
+message SetKeyFriendlyNameRequest {
+ string keyId = 1;
+ string friendlyName = 2;
+}
+
+
+message GetSignMechanismRequest {
+ string keyId = 1;
+}
+
+message GetSignMechanismResponse {
+ string signMechanismName = 1;
+}
diff --git a/src/signer-protocol/src/main/proto/TokenService.proto b/src/signer-protocol/src/main/proto/TokenService.proto
new file mode 100644
index 0000000000..e93798252b
--- /dev/null
+++ b/src/signer-protocol/src/main/proto/TokenService.proto
@@ -0,0 +1,70 @@
+syntax = "proto3";
+
+option java_multiple_files = true;
+
+import "Tokens.proto";
+import "TokenStatusInfo.proto";
+
+package org.niis.xroad.signer.proto;
+
+service TokenService {
+ rpc GetTokenById (GetTokenByIdRequest) returns (TokenInfoProto) {}
+
+ rpc GetTokenByKey (GetTokenByKeyIdRequest) returns (TokenInfoProto) {}
+
+ rpc GetTokenAndKeyIdByCertRequestId (GetTokenByCertRequestIdRequest) returns (TokenInfoAndKeyIdProto) {}
+
+ rpc GetTokenAndKeyIdByCertHash (GetTokenByCertHashRequest) returns (TokenInfoAndKeyIdProto) {}
+
+ rpc ListTokens (Empty) returns (ListTokensResponse) {}
+
+ rpc ActivateToken (ActivateTokenRequest) returns (Empty) {}
+
+ rpc SetTokenFriendlyName (SetTokenFriendlyNameRequest) returns (Empty) {}
+
+ rpc GetTokenBatchSigningEnabled(GetTokenBatchSigningEnabledRequest) returns (GetTokenBatchSigningEnabledResponse){}
+
+ rpc InitSoftwareToken(InitSoftwareTokenRequest) returns (Empty) {}
+}
+
+message ListTokensResponse {
+ repeated TokenInfoProto tokens = 1;
+}
+
+message ActivateTokenRequest{
+ string tokenId = 1;
+ bool activate = 2;
+}
+
+message GetTokenByIdRequest {
+ string tokenId = 1;
+}
+
+message GetTokenByKeyIdRequest {
+ string keyId = 1;
+}
+
+message GetTokenByCertRequestIdRequest {
+ string certRequestId = 1;
+}
+
+message GetTokenByCertHashRequest {
+ string certHash = 1;
+}
+
+message SetTokenFriendlyNameRequest {
+ string tokenId = 1;
+ string friendlyName = 2;
+}
+
+message GetTokenBatchSigningEnabledRequest {
+ string keyId = 1;
+}
+
+message GetTokenBatchSigningEnabledResponse {
+ bool batchingSigningEnabled = 1;
+}
+
+message InitSoftwareTokenRequest {
+ string pin = 1;
+}
diff --git a/src/signer-protocol/src/main/proto/Tokens.proto b/src/signer-protocol/src/main/proto/Tokens.proto
index b952b105f5..497c926b3b 100644
--- a/src/signer-protocol/src/main/proto/Tokens.proto
+++ b/src/signer-protocol/src/main/proto/Tokens.proto
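Review bot: `InitSoftwareTokenRequest.pin` in TokenService.proto is declared as `string`, so the token PIN becomes an immutable `java.lang.String` in the generated class and is part of the message's default `toString()` output. The `InitSoftwareToken` class it replaces carried the PIN as `char[]`. Any interceptor or log statement that prints request messages would then record the PIN, and the value cannot be wiped after use. I would put a comment on the field, `// Sensitive: token PIN. Never log this message; copy to char[] in the handler and drop the request.`, and check that `SignerExceptionHandlerInterceptor` and the handlers do not log request bodies.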
@@ -4,6 +4,10 @@ import "TokenStatusInfo.proto"; option java_multiple_files = true; option java_package = "ee.ria.xroad.signer.protocol.dto"; +/* Generic empty request/response. */ +message Empty { +} + message TokenInfoProto { string type = 1; string friendlyName = 2; diff --git a/src/signer-protocol/src/main/proto/TokensApi.proto b/src/signer-protocol/src/main/proto/TokensApi.proto deleted file mode 100644 index 13442af250..0000000000 --- a/src/signer-protocol/src/main/proto/TokensApi.proto +++ /dev/null @@ -1,51 +0,0 @@ -syntax = "proto3"; - -option java_multiple_files = true; - -import "Tokens.proto"; -import "TokenStatusInfo.proto"; - -package org.niis.xroad.signer.proto; - -service TokensApi { - rpc getTokenById (GetTokenByIdRequest) returns (TokenInfoProto) {} - - rpc getTokenByKey (GetTokenByKeyIdRequest) returns (TokenInfoProto) {} - - rpc getTokenAndKeyIdByCertRequestId (GetTokenByCertRequestIdRequest) returns (TokenInfoAndKeyIdProto) {} - - rpc getTokenAndKeyIdByCertHash (GetTokenByCertHashRequest) returns (TokenInfoAndKeyIdProto) {} - - rpc listTokens (Empty) returns (ListTokensResponse) {} - - rpc activateToken (ActivateTokenRequest) returns (Empty) {} -} - -/* Generic empty request/response. */ -message Empty { -} - -message ListTokensResponse { - repeated TokenInfoProto tokens = 1; -} - -message ActivateTokenRequest{ - string tokenId = 1; - bool activate = 2; -} - -message GetTokenByIdRequest { - string tokenId = 1; -} - -message GetTokenByKeyIdRequest { - string keyId = 1; -} - -message GetTokenByCertRequestIdRequest { - string certRequestId = 1; -} - -message GetTokenByCertHashRequest { - string certHash = 1; -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java index 16323b8b2d..a81edbf6d2 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java 
@@ -32,8 +32,10 @@ import ee.ria.xroad.common.util.AdminPort; import ee.ria.xroad.common.util.JsonUtils; import ee.ria.xroad.signer.certmanager.OcspClientWorker; +import ee.ria.xroad.signer.protocol.CertificateService; +import ee.ria.xroad.signer.protocol.KeyService; import ee.ria.xroad.signer.protocol.SignerExceptionHandlerInterceptor; -import ee.ria.xroad.signer.protocol.TokensApi; +import ee.ria.xroad.signer.protocol.TokensService; import ee.ria.xroad.signer.util.SignerUtil; import akka.actor.ActorSystem; @@ -119,7 +121,9 @@ private static void initGrpc() throws Exception { int port = 5560; log.info("Initializing GRPC server on port {}.. ", port); RpcServer.init(port, builder -> { - builder.addService(new TokensApi(actorSystem)); + builder.addService(new CertificateService(actorSystem)); + builder.addService(new TokensService(actorSystem)); + builder.addService(new KeyService(actorSystem)); builder.intercept(new SignerExceptionHandlerInterceptor()); }); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java b/src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java index 965fb4fff7..d6afaee66e 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java @@ -26,6 +26,7 @@ package ee.ria.xroad.signer.model; import ee.ria.xroad.common.identifier.ClientId; +import ee.ria.xroad.signer.protocol.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfoProto; @@ -41,7 +42,6 @@ import static ee.ria.xroad.common.ErrorCodes.translateException; import static ee.ria.xroad.common.util.CryptoUtils.calculateCertHexHash; import static ee.ria.xroad.common.util.CryptoUtils.readCertificate; -import static ee.ria.xroad.signer.model.CertRequest.toDto; /** * Model object that holds the information associated with a certificate. 
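Review bot: In the `initGrpc` hunk (`@@ -119,7 +121,9 @@`) nothing restricts who may call the three services now registered on port 5560: the only interceptor added is `SignerExceptionHandlerInterceptor`, and the services expose state-changing operations such as `initSoftwareToken`, `activateCert` and `setCertStatus`. Whether `RpcServer.init` binds to loopback only or requires client credentials is outside this hunk, so the protection the handlers rely on cannot be confirmed from here. If the transport does enforce it, say so at the registration site, e.g. `// Caller authentication is enforced by RpcServer (<mechanism>); services added here perform no per-call authorization.`, with the placeholder replaced by the actual mechanism. If it does not, an authenticating interceptor should be registered before these services are exposed.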
@@ -158,7 +158,7 @@ public byte[] getBytes() { public CertificateInfoProto toProtoDTO() { try { var builder = CertificateInfoProto.newBuilder() - .setMemberId(toDto(memberId)) + .setMemberId(ClientIdMapper.toDto(memberId)) .setActive(active) .setSavedToConfiguration(savedToConfiguration) .setStatus(status) diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/model/CertRequest.java b/src/signer/src/main/java/ee/ria/xroad/signer/model/CertRequest.java index 3efe6c667e..09a3521420 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/model/CertRequest.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/model/CertRequest.java @@ -26,10 +26,9 @@ package ee.ria.xroad.signer.model; import ee.ria.xroad.common.identifier.ClientId; +import ee.ria.xroad.signer.protocol.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; import ee.ria.xroad.signer.protocol.dto.CertRequestInfoProto; -import ee.ria.xroad.signer.protocol.dto.ClientIdProto; -import ee.ria.xroad.signer.protocol.dto.XRoadObjectType; import lombok.Value; @@ -53,25 +52,11 @@ public class CertRequest { public CertRequestInfoProto toProtoDTO() { return CertRequestInfoProto.newBuilder() .setId(id) - .setMemberId(toDto(memberId)) + .setMemberId(ClientIdMapper.toDto(memberId)) .setSubjectName(subjectName) .build(); } - //TODO:grpc move to a separate place. - public static ClientIdProto toDto(ClientId.Conf input) { - var builder = ClientIdProto.newBuilder() - .setMemberClass(input.getMemberClass()) - .setMemberCode(input.getMemberCode()) - .setXroadInstance(input.getXRoadInstance()) - .setObjectType(XRoadObjectType.valueOf(input.getObjectType().name())); - - if (input.getSubsystemCode() != null) { - builder.setSubsystemCode(input.getSubsystemCode()); - } - return builder.build(); - } - /** * Converts this object to value object. * 
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java new file mode 100644 index 0000000000..6d1facae36 --- /dev/null +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java @@ -0,0 +1,123 @@ +/** + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + *

+ * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + *

+ * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + *

+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ +package ee.ria.xroad.signer.protocol; + +import ee.ria.xroad.common.CodedException; +import ee.ria.xroad.common.identifier.ClientId; +import ee.ria.xroad.signer.protocol.dto.CertificateInfo; +import ee.ria.xroad.signer.protocol.dto.CertificateInfoProto; +import ee.ria.xroad.signer.protocol.dto.Empty; +import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; +import ee.ria.xroad.signer.tokenmanager.TokenManager; + +import akka.actor.ActorSystem; +import akka.util.Timeout; +import com.google.protobuf.AbstractMessage; +import io.grpc.stub.StreamObserver; +import lombok.RequiredArgsConstructor; +import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.signer.proto.ActivateCertRequest; +import org.niis.xroad.signer.proto.CertificateServiceGrpc; +import org.niis.xroad.signer.proto.GetCertificateInfoForHashRequest; +import org.niis.xroad.signer.proto.GetCertificateInfoResponse; +import org.niis.xroad.signer.proto.GetMemberCertsRequest; +import org.niis.xroad.signer.proto.GetMemberCertsResponse; +import org.niis.xroad.signer.proto.SetCertStatusRequest; + +import java.util.List; +import java.util.concurrent.TimeUnit; +import java.util.stream.Collectors; + +import static ee.ria.xroad.common.ErrorCodes.X_CERT_NOT_FOUND; + +/** + * Handles requests for token list. 
+ */ +@Slf4j +@RequiredArgsConstructor +public class CertificateService extends CertificateServiceGrpc.CertificateServiceImplBase { + @Deprecated + private static final Timeout AKKA_TIMEOUT = new Timeout(10, TimeUnit.SECONDS); + + private final ActorSystem actorSystem; + + @Override + public void activateCert(ActivateCertRequest request, StreamObserver responseObserver) { + TokenManager.setCertActive(request.getCertIdOrHash(), + request.getActive()); + emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); + } + + @Override + public void getCertificateInfoForHash(GetCertificateInfoForHashRequest request, StreamObserver responseObserver) { + CertificateInfo certificateInfo = TokenManager.getCertificateInfoForCertHash(request.getCertHash()); + + if (certificateInfo == null) { + throw CodedException.tr(X_CERT_NOT_FOUND, "certificate_with_hash_not_found", + "Certificate with hash '%s' not found", request.getCertHash()); + } + + emitSingleAndClose(responseObserver, GetCertificateInfoResponse.newBuilder() + .setCertificateInfo(certificateInfo.asMessage()) + .build()); + } + + @Override + public void setCertStatus(SetCertStatusRequest request, StreamObserver responseObserver) { + TokenManager.setCertStatus(request.getCertId(), request.getStatus()); + + emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); + } + + @Override + public void getMemberCerts(GetMemberCertsRequest request, StreamObserver responseObserver) { + final var memberId = ClientIdMapper.fromDto(request.getMemberId()); + List memberCerts = TokenManager.listTokens().stream() + .flatMap(t -> t.getKeyInfo().stream()) + .filter(k -> k.getUsage() == KeyUsageInfo.SIGNING) + .flatMap(k -> k.getCerts().stream()) + .filter(c -> containsMember(c.getMemberId(), memberId)) + .map(CertificateInfo::asMessage) + .collect(Collectors.toList()); + + emitSingleAndClose(responseObserver, GetMemberCertsResponse.newBuilder() + .addAllCerts(memberCerts) + .build()); + } + + private static boolean 
containsMember(ClientId first, ClientId second) { + if (first == null || second == null) { + return false; + } + + return first.equals(second) || second.subsystemContainsMember(first); + } + + private void emitSingleAndClose(StreamObserver responseObserver, T value) { + responseObserver.onNext(value); + responseObserver.onCompleted(); + } +} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java new file mode 100644 index 0000000000..d8c1843328 --- /dev/null +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java @@ -0,0 +1,104 @@ +/** + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + *
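Review bot: `activateCert` and `setCertStatus` in CertificateService.java change certificate state using request fields passed straight to `TokenManager`, with no check that the fields were set. In proto3 an unset string field reads as `""`, so a malformed request reaches `TokenManager.setCertActive` or `TokenManager.setCertStatus` with an empty id or status; how `TokenManager` reacts to that is not visible in this diff. A guard at the top of each handler, e.g. `if (request.getCertId().isEmpty() || request.getStatus().isEmpty()) { /* reject with the project's invalid-request CodedException */ }`, would keep such input away from the token store. The same applies to `setKeyFriendlyName` in KeyService.java and `setTokenFriendlyName` in TokensService.java.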

+ * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + *

+ * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + *

+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ +package ee.ria.xroad.signer.protocol; + +import ee.ria.xroad.common.CodedException; +import ee.ria.xroad.common.ErrorCodes; +import ee.ria.xroad.signer.protocol.dto.Empty; +import ee.ria.xroad.signer.protocol.dto.KeyInfo; +import ee.ria.xroad.signer.tokenmanager.TokenManager; + +import akka.actor.ActorSystem; +import akka.util.Timeout; +import com.google.protobuf.AbstractMessage; +import io.grpc.stub.StreamObserver; +import lombok.RequiredArgsConstructor; +import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.signer.proto.GetKeyIdForCertHashRequest; +import org.niis.xroad.signer.proto.GetKeyIdForCertHashResponse; +import org.niis.xroad.signer.proto.GetSignMechanismRequest; +import org.niis.xroad.signer.proto.GetSignMechanismResponse; +import org.niis.xroad.signer.proto.KeyServiceGrpc; +import org.niis.xroad.signer.proto.SetKeyFriendlyNameRequest; + +import java.util.concurrent.TimeUnit; + +import static ee.ria.xroad.common.ErrorCodes.X_CERT_NOT_FOUND; + +/** + * Handles requests for token list. 
+ */ +@Slf4j +@RequiredArgsConstructor +public class KeyService extends KeyServiceGrpc.KeyServiceImplBase { + @Deprecated + private static final Timeout AKKA_TIMEOUT = new Timeout(10, TimeUnit.SECONDS); + + private final ActorSystem actorSystem; + + @Override + public void getKeyIdForCertHash(GetKeyIdForCertHashRequest request, StreamObserver responseObserver) { + KeyInfo keyInfo = TokenManager.getKeyInfoForCertHash(request.getCertHash()); + + if (keyInfo == null) { + throw CodedException.tr(X_CERT_NOT_FOUND, "certificate_with_hash_not_found", + "Certificate with hash '%s' not found", request.getCertHash()); + } + + emitSingleAndClose(responseObserver, GetKeyIdForCertHashResponse.newBuilder() + .setKeyId(keyInfo.getId()) + .setSignMechanismName(keyInfo.getSignMechanismName()) + .build()); + } + + @Override + public void setKeyFriendlyName(SetKeyFriendlyNameRequest request, StreamObserver responseObserver) { + TokenManager.setKeyFriendlyName(request.getKeyId(), + request.getFriendlyName()); + emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); + } + + + @Override + public void getSignMechanism(GetSignMechanismRequest request, StreamObserver responseObserver) { + KeyInfo keyInfo = TokenManager.getKeyInfo(request.getKeyId()); + + if (keyInfo == null) { + throw CodedException.tr(ErrorCodes.X_KEY_NOT_FOUND, "key_not_found", "Key '%s' not found", + request.getKeyId()); + } + + emitSingleAndClose(responseObserver, GetSignMechanismResponse.newBuilder() + .setSignMechanismName(keyInfo.getSignMechanismName()) + .build()); + } + + + private void emitSingleAndClose(StreamObserver responseObserver, T value) { + responseObserver.onNext(value); + responseObserver.onCompleted(); + } +} 
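Review bot: The class Javadoc `Handles requests for token list.` on `KeyService` was copied from the tokens service and does not describe this class; CertificateService.java carries the same copy. I would replace it with `Handles key-related signer RPCs: key id lookup by certificate hash, key friendly name, and sign mechanism.` and write the certificate equivalent there. `AKKA_TIMEOUT` and `actorSystem` are declared in both classes, but no method shown in either uses them. Dropping them until a handler needs the actor system removes the `akka.*` imports from classes that only call `TokenManager`; the `new KeyService(actorSystem)` and `new CertificateService(actorSystem)` calls in SignerMain would lose their argument.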
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensApi.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java similarity index 67% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensApi.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java index d13b101b9f..e3d8938b35 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensApi.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java @@ -25,9 +25,12 @@ */ package ee.ria.xroad.signer.protocol; +import ee.ria.xroad.common.CodedException; +import ee.ria.xroad.signer.protocol.dto.Empty; import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyIdProto; import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; import ee.ria.xroad.signer.protocol.message.ActivateToken; +import ee.ria.xroad.signer.protocol.message.InitSoftwareToken; import ee.ria.xroad.signer.tokenmanager.TokenManager; import akka.actor.ActorSystem; 
@@ -39,17 +42,21 @@ import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.proto.ActivateTokenRequest; -import org.niis.xroad.signer.proto.Empty; +import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledRequest; +import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledResponse; import org.niis.xroad.signer.proto.GetTokenByCertHashRequest; import org.niis.xroad.signer.proto.GetTokenByCertRequestIdRequest; import org.niis.xroad.signer.proto.GetTokenByIdRequest; import org.niis.xroad.signer.proto.GetTokenByKeyIdRequest; +import org.niis.xroad.signer.proto.InitSoftwareTokenRequest; import org.niis.xroad.signer.proto.ListTokensResponse; -import org.niis.xroad.signer.proto.TokensApiGrpc; +import org.niis.xroad.signer.proto.SetTokenFriendlyNameRequest; +import org.niis.xroad.signer.proto.TokenServiceGrpc; import scala.concurrent.Await; import java.util.concurrent.TimeUnit; +import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; import static ee.ria.xroad.signer.protocol.ComponentNames.REQUEST_PROCESSOR; /** @@ -57,7 +64,10 @@ */ @Slf4j @RequiredArgsConstructor -public class TokensApi extends TokensApiGrpc.TokensApiImplBase { +public class TokensService extends TokenServiceGrpc.TokenServiceImplBase { + @Deprecated + private static final Timeout AKKA_TIMEOUT = new Timeout(10, TimeUnit.SECONDS); + private final ActorSystem actorSystem; @Override 
@@ -75,10 +85,8 @@ public void activateToken(ActivateTokenRequest request, StreamObserver re ActivateToken actorMsg = new ActivateToken(request.getTokenId(), request.getActivate()); //TODO:grpc this is for debugging purposes. log.info("Resending back to actor system.."); - - Timeout timeout = new Timeout(10, TimeUnit.SECONDS); - Await.result(Patterns.ask(actorSystem.actorSelection("/user/" + REQUEST_PROCESSOR), actorMsg, timeout), - timeout.duration()); + Await.result(Patterns.ask(actorSystem.actorSelection("/user/" + REQUEST_PROCESSOR), actorMsg, AKKA_TIMEOUT), + AKKA_TIMEOUT.duration()); emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); } 
@@ -107,6 +115,39 @@ public void getTokenAndKeyIdByCertHash(GetTokenByCertHashRequest request, Stream emitSingleAndClose(responseObserver, token.asMessage()); } + @Override + public void setTokenFriendlyName(SetTokenFriendlyNameRequest request, StreamObserver responseObserver) { + TokenManager.setTokenFriendlyName( + request.getTokenId(), + request.getFriendlyName()); + + emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); + } + + @Override + public void getTokenBatchSigningEnabled(GetTokenBatchSigningEnabledRequest request, StreamObserver responseObserver) { + String tokenId = TokenManager.findTokenIdForKeyId(request.getKeyId()); + + emitSingleAndClose(responseObserver, GetTokenBatchSigningEnabledResponse.newBuilder() + .setBatchingSigningEnabled(TokenManager.isBatchSigningEnabled(tokenId)) + .build()); + } + + @Override + @SneakyThrows + public void initSoftwareToken(InitSoftwareTokenRequest request, StreamObserver responseObserver) { + String softwareTokenId = TokenManager.getSoftwareTokenId(); + if (softwareTokenId != null) { + log.info("Resending back to actor system.."); + var actorMsg = new InitSoftwareToken(request.getPin().toCharArray()); + Await.result(Patterns.ask(actorSystem.actorSelection("/user/" + REQUEST_PROCESSOR), actorMsg, AKKA_TIMEOUT), + AKKA_TIMEOUT.duration()); + emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); + } + + throw new CodedException(X_INTERNAL_ERROR, "Software token not found"); + } + private void emitSingleAndClose(StreamObserver responseObserver, T value) { responseObserver.onNext(value); responseObserver.onCompleted(); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateCertRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateCertRequestHandler.java deleted file mode 100644 index ad44eed3ce..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateCertRequestHandler.java +++ /dev/null 
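Review bot: `initSoftwareToken` reaches `throw new CodedException(X_INTERNAL_ERROR, "Software token not found")` on the success path as well, because there is no `return` after `emitSingleAndClose(...)` inside the `if (softwareTokenId != null)` block. A successful initialisation therefore completes the response and then throws. Add `return;` after the emit, or turn the check into a guard at the top: `if (softwareTokenId == null) { throw new CodedException(X_INTERNAL_ERROR, "Software token not found"); }`. The `char[]` produced by `request.getPin().toCharArray()` is also never cleared once the ask completes; keeping it in a local and calling `Arrays.fill(pin, '\0')` in a `finally` would shorten the time that copy of the PIN stays in memory, assuming the actor does not retain the array (not visible here).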
@@ -1,45 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.handler; - -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; -import ee.ria.xroad.signer.protocol.message.ActivateCert; -import ee.ria.xroad.signer.tokenmanager.TokenManager; - -/** - * Handles certificate activations and deactivations. 
- */ -public class ActivateCertRequestHandler - extends AbstractRequestHandler { - - @Override - protected Object handle(ActivateCert message) throws Exception { - TokenManager.setCertActive(message.getCertIdOrHash(), - message.isActive()); - return success(); - } - -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetCertificateInfoForHashRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetCertificateInfoForHashRequestHandler.java deleted file mode 100644 index cad274fe4a..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetCertificateInfoForHashRequestHandler.java +++ /dev/null 
@@ -1,54 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.signer.protocol.handler; - -import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; -import ee.ria.xroad.signer.protocol.dto.CertificateInfo; -import ee.ria.xroad.signer.protocol.message.GetCertificateInfoForHash; -import ee.ria.xroad.signer.protocol.message.GetCertificateInfoResponse; -import ee.ria.xroad.signer.tokenmanager.TokenManager; - -import static ee.ria.xroad.common.ErrorCodes.X_CERT_NOT_FOUND; - -/** - * Handles requests for certificates based on certificate hashes. - */ -public class GetCertificateInfoForHashRequestHandler extends AbstractRequestHandler { - - @Override - protected Object handle(GetCertificateInfoForHash message) throws Exception { - CertificateInfo certificateInfo = TokenManager.getCertificateInfoForCertHash(message.getCertHash()); - - if (certificateInfo == null) { - throw CodedException.tr(X_CERT_NOT_FOUND, "certificate_with_hash_not_found", - "Certificate with hash '%s' not found", message.getCertHash()); - } - - return new GetCertificateInfoResponse(certificateInfo); - } - -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetKeyIdForCertHashRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetKeyIdForCertHashRequestHandler.java deleted file mode 100644 index 17f1740bd1..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetKeyIdForCertHashRequestHandler.java +++ /dev/null 
@@ -1,54 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.signer.protocol.handler; - -import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; -import ee.ria.xroad.signer.protocol.dto.KeyInfo; -import ee.ria.xroad.signer.protocol.message.GetKeyIdForCertHash; -import ee.ria.xroad.signer.protocol.message.GetKeyIdForCertHashResponse; -import ee.ria.xroad.signer.tokenmanager.TokenManager; - -import static ee.ria.xroad.common.ErrorCodes.X_CERT_NOT_FOUND; - -/** - * Handles requests for key id based on certificate hashes. - */ -public class GetKeyIdForCertHashRequestHandler extends AbstractRequestHandler { - - @Override - protected Object handle(GetKeyIdForCertHash message) throws Exception { - KeyInfo keyInfo = TokenManager.getKeyInfoForCertHash(message.getCertHash()); - - if (keyInfo == null) { - throw CodedException.tr(X_CERT_NOT_FOUND, "certificate_with_hash_not_found", - "Certificate with hash '%s' not found", message.getCertHash()); - } - - return new GetKeyIdForCertHashResponse(keyInfo.getId(), keyInfo.getSignMechanismName()); - } - -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsRequestHandler.java deleted file mode 100644 index da85eb5f8e..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsRequestHandler.java +++ /dev/null 
@@ -1,66 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.signer.protocol.handler; - -import ee.ria.xroad.common.identifier.ClientId; -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; -import ee.ria.xroad.signer.protocol.dto.CertificateInfo; -import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; -import ee.ria.xroad.signer.protocol.message.GetMemberCerts; -import ee.ria.xroad.signer.protocol.message.GetMemberCertsResponse; -import ee.ria.xroad.signer.tokenmanager.TokenManager; - -import java.util.List; -import java.util.stream.Collectors; - -/** - * Handles requests for member certificates. - */ -public class GetMemberCertsRequestHandler - extends AbstractRequestHandler { - - @Override - protected Object handle(GetMemberCerts message) throws Exception { - List memberCerts = TokenManager.listTokens().stream() - .flatMap(t -> t.getKeyInfo().stream()) - .filter(k -> k.getUsage() == KeyUsageInfo.SIGNING) - .flatMap(k -> k.getCerts().stream()) - .filter(c -> containsMember(c.getMemberId(), - message.getMemberId())) - .collect(Collectors.toList()); - - return new GetMemberCertsResponse(memberCerts); - } - - private static boolean containsMember(ClientId first, ClientId second) { - if (first == null || second == null) { - return false; - } - - return first.equals(second) || second.subsystemContainsMember(first); - } - -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetSignMechanismRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetSignMechanismRequestHandler.java deleted file mode 100644 index d390584caf..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetSignMechanismRequestHandler.java +++ /dev/null 
@@ -1,52 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.handler; - -import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.common.ErrorCodes; -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; -import ee.ria.xroad.signer.protocol.dto.KeyInfo; -import ee.ria.xroad.signer.protocol.message.GetSignMechanism; -import ee.ria.xroad.signer.protocol.message.GetSignMechanismResponse; -import ee.ria.xroad.signer.tokenmanager.TokenManager; - -/** - * Handles requests for signing mechanism based on key id. 
- */ -public class GetSignMechanismRequestHandler extends AbstractRequestHandler { - - @Override - protected Object handle(GetSignMechanism message) throws Exception { - KeyInfo keyInfo = TokenManager.getKeyInfo(message.getKeyId()); - - if (keyInfo == null) { - throw CodedException.tr(ErrorCodes.X_KEY_NOT_FOUND, "key_not_found", "Key '%s' not found", - message.getKeyId()); - } - - return new GetSignMechanismResponse(keyInfo.getSignMechanismName()); - } -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenBatchSigningEnabledRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenBatchSigningEnabledRequestHandler.java deleted file mode 100644 index 3d60bd0e21..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenBatchSigningEnabledRequestHandler.java +++ /dev/null 
@@ -1,45 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.handler; - -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; -import ee.ria.xroad.signer.protocol.message.GetTokenBatchSigningEnabled; -import ee.ria.xroad.signer.tokenmanager.TokenManager; - -/** - * Handles queries for batch signing capabilities of a token. 
- */ -public class GetTokenBatchSigningEnabledRequestHandler - extends AbstractRequestHandler { - - @Override - protected Object handle(GetTokenBatchSigningEnabled message) - throws Exception { - String tokenId = TokenManager.findTokenIdForKeyId(message.getKeyId()); - return new Boolean(TokenManager.isBatchSigningEnabled(tokenId)); - } - -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenRequestHandler.java deleted file mode 100644 index 211f44a7b9..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenRequestHandler.java +++ /dev/null 
@@ -1,52 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.handler; - -import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; -import ee.ria.xroad.signer.protocol.message.InitSoftwareToken; -import ee.ria.xroad.signer.tokenmanager.TokenManager; - -import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; - -/** - * Handles requests for software token initialization. 
- */ -public class InitSoftwareTokenRequestHandler - extends AbstractRequestHandler { - - @Override - protected Object handle(InitSoftwareToken message) throws Exception { - String softwareTokenId = TokenManager.getSoftwareTokenId(); - if (softwareTokenId != null) { - tellToken(message, softwareTokenId); - return nothing(); - } - - throw new CodedException(X_INTERNAL_ERROR, "Software token not found"); - } - -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetCertStatusRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetCertStatusRequestHandler.java deleted file mode 100644 index f79b4cdaf5..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetCertStatusRequestHandler.java +++ /dev/null 
@@ -1,44 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.handler; - -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; -import ee.ria.xroad.signer.protocol.message.SetCertStatus; -import ee.ria.xroad.signer.tokenmanager.TokenManager; - -/** - * Handles requests for setting the certificate status. 
- */ -public class SetCertStatusRequestHandler - extends AbstractRequestHandler { - - @Override - protected Object handle(SetCertStatus message) throws Exception { - TokenManager.setCertStatus(message.getCertId(), message.getStatus()); - return success(); - } - -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetKeyFriendlyNameRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetKeyFriendlyNameRequestHandler.java deleted file mode 100644 index 6a43155d24..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetKeyFriendlyNameRequestHandler.java +++ /dev/null 
@@ -1,46 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.handler; - -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; -import ee.ria.xroad.signer.protocol.message.SetKeyFriendlyName; -import ee.ria.xroad.signer.tokenmanager.TokenManager; - -/** - * Handles requests for setting the key friendly name. 
- */ -public class SetKeyFriendlyNameRequestHandler - extends AbstractRequestHandler { - - @Override - protected Object handle(SetKeyFriendlyName message) - throws Exception { - TokenManager.setKeyFriendlyName(message.getKeyId(), - message.getFriendlyName()); - return success(); - } - -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetTokenFriendlyNameRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetTokenFriendlyNameRequestHandler.java deleted file mode 100644 index 57631de66e..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetTokenFriendlyNameRequestHandler.java +++ /dev/null 
@@ -1,46 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.handler; - -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; -import ee.ria.xroad.signer.protocol.message.SetTokenFriendlyName; -import ee.ria.xroad.signer.tokenmanager.TokenManager; - -/** - * Handles requests for setting the token friendly name. 
- */ -public class SetTokenFriendlyNameRequestHandler - extends AbstractRequestHandler { - - @Override - protected Object handle(SetTokenFriendlyName message) - throws Exception { - TokenManager.setTokenFriendlyName(message.getTokenId(), - message.getFriendlyName()); - return success(); - } - -} From 92dbe054f7fb0df6bd0491545237982d20ed93fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Wed, 23 Aug 2023 11:43:59 +0300 Subject: [PATCH 012/127] chore: add temporary way to resend messages to tokens Refs: XRDDEV-2468 --- .../run-containerized-int-tests.sh | 2 +- .../xroad/signer/protocol/TokensService.java | 30 ++++++++----- .../handler/ActivateTokenRequestHandler.java | 43 ------------------- .../signer/tokenmanager/ServiceLocator.java | 8 ++++ 4 files changed, 28 insertions(+), 55 deletions(-) delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateTokenRequestHandler.java diff --git a/src/signer-protocol/run-containerized-int-tests.sh b/src/signer-protocol/run-containerized-int-tests.sh index 2a1b202ae0..e0c4e77bcb 100755 --- a/src/signer-protocol/run-containerized-int-tests.sh +++ b/src/signer-protocol/run-containerized-int-tests.sh @@ -15,7 +15,7 @@ OPTS=("--rm" "-v" "$XROAD_HOME/:/mnt" "-u" "$(id -u):$(id -g)" "-e" "HOME=/works echo "Rebuilding signer locally.." cd "$XROAD_HOME/src" -./gradlew assemble -p signer +./gradlew clean assemble -p signer ./gradlew clean -p $gradleModule echo "Running signer-protocol int tests.." diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java index e3d8938b35..7525882bed 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java 
@@ -57,7 +57,8 @@ import java.util.concurrent.TimeUnit; import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; -import static ee.ria.xroad.signer.protocol.ComponentNames.REQUEST_PROCESSOR; +import static ee.ria.xroad.signer.tokenmanager.ServiceLocator.getToken; +import static ee.ria.xroad.signer.util.ExceptionHelper.tokenNotAvailable; /** * Handles requests for token list. @@ -84,10 +85,9 @@ public void listTokens(Empty request, StreamObserver respons public void activateToken(ActivateTokenRequest request, StreamObserver responseObserver) { ActivateToken actorMsg = new ActivateToken(request.getTokenId(), request.getActivate()); //TODO:grpc this is for debugging purposes. - log.info("Resending back to actor system.."); - Await.result(Patterns.ask(actorSystem.actorSelection("/user/" + REQUEST_PROCESSOR), actorMsg, AKKA_TIMEOUT), - AKKA_TIMEOUT.duration()); + log.info("Resending back to actor system.."); + tellToken(actorMsg, request.getTokenId()); emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); } 
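Review bot: In `activateToken`, `emitSingleAndClose(responseObserver, Empty.getDefaultInstance())` runs as soon as `tellToken(actorMsg, request.getTokenId())` returns, and `tellToken` (added further down in this file) discards the value returned by `Await.result`. If the token actor reports a failure by replying with an exception object rather than failing the ask, the client is told the activation succeeded; the actor's reply protocol is not visible in this patch, so this needs confirming. I would keep the reply and rethrow it inside `tellToken`, e.g. `Object reply = Await.result(...); if (reply instanceof Exception) { throw (Exception) reply; }`, which also covers `initSoftwareToken`.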
@@ -134,22 +134,30 @@ public void getTokenBatchSigningEnabled(GetTokenBatchSigningEnabledRequest reque } @Override - @SneakyThrows public void initSoftwareToken(InitSoftwareTokenRequest request, StreamObserver responseObserver) { String softwareTokenId = TokenManager.getSoftwareTokenId(); if (softwareTokenId != null) { - log.info("Resending back to actor system.."); - var actorMsg = new InitSoftwareToken(request.getPin().toCharArray()); - Await.result(Patterns.ask(actorSystem.actorSelection("/user/" + REQUEST_PROCESSOR), actorMsg, AKKA_TIMEOUT), - AKKA_TIMEOUT.duration()); + var message = new InitSoftwareToken(request.getPin().toCharArray()); + tellToken(message, softwareTokenId); + emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); + } else { + throw new CodedException(X_INTERNAL_ERROR, "Software token not found"); } - - throw new CodedException(X_INTERNAL_ERROR, "Software token not found"); } private void emitSingleAndClose(StreamObserver responseObserver, T value) { responseObserver.onNext(value); responseObserver.onCompleted(); } + + @SneakyThrows + protected void tellToken(Object message, String tokenId) { + if (!TokenManager.isTokenAvailable(tokenId)) { + throw tokenNotAvailable(tokenId); + } + + Await.result(Patterns.ask(getToken(actorSystem, tokenId), message, AKKA_TIMEOUT), + AKKA_TIMEOUT.duration()); + } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateTokenRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateTokenRequestHandler.java deleted file mode 100644 index 04e0657ee7..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateTokenRequestHandler.java +++ /dev/null 
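Review bot: `new InitSoftwareToken(request.getPin().toCharArray())` in `initSoftwareToken` hands the actor a `char[]`, but by then the PIN already exists as an immutable `String` inside the protobuf request, so clearing the array later does not remove the PIN from memory. The same conversion happens on the client in `SignerProxy.updateTokenPin` (`new String(oldPin)`, `new String(newPin)`), where a TODO already acknowledges it. Until the message format is settled I would record the limitation here too, e.g. `// TODO:grpc PIN is held as an immutable String in the request; the char[] copy cannot be relied on for wiping`. It is also worth confirming that no interceptor or logger prints the request messages of these calls.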
@@ -1,43 +0,0 @@
-/**
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.protocol.handler;
-
-import ee.ria.xroad.signer.protocol.AbstractRequestHandler;
-import ee.ria.xroad.signer.protocol.message.ActivateToken;
-
-/**
- * Handles token activations and deactivations.
- */
-public class ActivateTokenRequestHandler
- extends AbstractRequestHandler {
-
- @Override
- protected Object handle(ActivateToken message) throws Exception {
- tellToken(message, message.getTokenId());
- return nothing();
- }
-
-}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java index 0abee02a4e..48d7a96d0d 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java @@ -27,6 +27,7 @@ import akka.actor.ActorContext; import akka.actor.ActorSelection; +import akka.actor.ActorSystem; import static ee.ria.xroad.signer.protocol.ComponentNames.MODULE_MANAGER; import static ee.ria.xroad.signer.protocol.ComponentNames.OCSP_RESPONSE_MANAGER; @@ -72,6 +73,13 @@ public static ActorSelection getToken(ActorContext context, return context.actorSelection(path); } + @Deprecated + public static ActorSelection getToken(ActorSystem actorSystem, + String tokenId) { + String path = String.format("/user/%s/%s/%s", MODULE_MANAGER, + getModuleId(tokenId), tokenId); + return actorSystem.actorSelection(path); + } /** * @param context the actor context * @param tokenId the token id From 4bf444ac0e00e3ae3940ba54b7688739b91732ee Mon Sep 17 00:00:00 2001 
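Review bot: The new `getToken(ActorSystem actorSystem, String tokenId)` overload formats `tokenId` straight into the actor selection path, and in this series that value comes from a gRPC request (`request.getTokenId()` in `TokensService`). The only check visible in this patch is `TokenManager.isTokenAvailable(tokenId)` in `TokensService.tellToken`, so any other caller of this public method gets no validation. The method also has no Javadoc, unlike its siblings. I would add one that states the precondition and why it is deprecated, e.g. `/** @deprecated temporary bridge for the gRPC migration; tokenId must be a known token id, checked by the caller. */`, and put a blank line between its closing brace and the next Javadoc block.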
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Wed, 23 Aug 2023 13:35:52 +0300 Subject: [PATCH 013/127] chore: add signing through grpc Refs: XRDDEV-2468 --- .../ria/xroad/signer/glue/SignerStepDefs.java | 2 +- .../java/ee/ria/xroad/signer/SignerProxy.java | 88 ++++++++++++++++--- .../xroad/signer/protocol/message/Sign.java | 1 + .../protocol/message/SignCertificate.java | 1 + .../message/SignCertificateResponse.java | 1 + .../signer/protocol/message/SignResponse.java | 1 + .../message/UpdateSoftwareTokenPin.java | 1 + .../src/main/proto/KeyService.proto | 26 ++++++ .../src/main/proto/TokenService.proto | 9 ++ .../java/ee/ria/xroad/signer/SignerMain.java | 8 +- .../signer/protocol/CertificateService.java | 8 +- .../ria/xroad/signer/protocol/KeyService.java | 49 +++++++++-- .../protocol/TemporaryAkkaMessenger.java | 44 ++++++++++ .../xroad/signer/protocol/TokensService.java | 37 ++++---- .../SignCertificateRequestHandler.java | 41 --------- .../protocol/handler/SignRequestHandler.java | 45 ---------- .../UpdateSoftwareTokenPinRequestHandler.java | 43 --------- 17 files changed, 225 insertions(+), 180 deletions(-) create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateRequestHandler.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignRequestHandler.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinRequestHandler.java diff --git a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java index f4b0ff1302..664e7d570e 100644 --- a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java +++ b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java 
@@ -424,7 +424,7 @@ public void signAlgorithmFail(String keyName, String tokenId) throws Exception { fail("Exception expected"); } catch (CodedException codedException) { - assertException("Signer.CannotSign.InternalError", null, + assertException("Signer.CannotSign.InternalError", "", "Signer.CannotSign.InternalError: Unknown sign algorithm id: NOT-ALGORITHM-ID", codedException); } } diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java index edd4e83026..962e41b861 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java @@ -25,9 +25,6 @@ */ package ee.ria.xroad.signer; -import com.google.protobuf.Any; -import com.google.protobuf.InvalidProtocolBufferException; - import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.identifier.SecurityServerId; 
@@ -35,13 +32,63 @@ import ee.ria.xroad.signer.protocol.ClientIdMapper; import ee.ria.xroad.signer.protocol.RpcSignerClient; import ee.ria.xroad.signer.protocol.SignerClient; -import ee.ria.xroad.signer.protocol.dto.*; -import ee.ria.xroad.signer.protocol.message.*; +import ee.ria.xroad.signer.protocol.dto.AuthKeyInfo; +import ee.ria.xroad.signer.protocol.dto.CertificateInfo; +import ee.ria.xroad.signer.protocol.dto.CodedExceptionProto; +import ee.ria.xroad.signer.protocol.dto.Empty; +import ee.ria.xroad.signer.protocol.dto.KeyInfo; +import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; +import ee.ria.xroad.signer.protocol.dto.MemberSigningInfo; +import ee.ria.xroad.signer.protocol.dto.TokenInfo; +import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyId; +import ee.ria.xroad.signer.protocol.message.CertificateRequestFormat; +import ee.ria.xroad.signer.protocol.message.DeleteCert; +import ee.ria.xroad.signer.protocol.message.DeleteCertRequest; +import ee.ria.xroad.signer.protocol.message.DeleteKey; +import ee.ria.xroad.signer.protocol.message.GenerateCertRequest; +import ee.ria.xroad.signer.protocol.message.GenerateCertRequestResponse; +import ee.ria.xroad.signer.protocol.message.GenerateKey; +import ee.ria.xroad.signer.protocol.message.GenerateSelfSignedCert; +import ee.ria.xroad.signer.protocol.message.GenerateSelfSignedCertResponse; +import ee.ria.xroad.signer.protocol.message.GetAuthKey; +import ee.ria.xroad.signer.protocol.message.GetHSMOperationalInfo; +import ee.ria.xroad.signer.protocol.message.GetHSMOperationalInfoResponse; +import ee.ria.xroad.signer.protocol.message.GetMemberSigningInfo; +import ee.ria.xroad.signer.protocol.message.GetOcspResponses; +import ee.ria.xroad.signer.protocol.message.GetOcspResponsesResponse; +import ee.ria.xroad.signer.protocol.message.ImportCert; +import ee.ria.xroad.signer.protocol.message.ImportCertResponse; +import ee.ria.xroad.signer.protocol.message.RegenerateCertRequest; +import 
ee.ria.xroad.signer.protocol.message.RegenerateCertRequestResponse; +import ee.ria.xroad.signer.protocol.message.SetOcspResponses; +import ee.ria.xroad.signer.protocol.message.UpdateSoftwareTokenPin; +import com.google.protobuf.Any; +import com.google.protobuf.ByteString; +import com.google.protobuf.InvalidProtocolBufferException; import io.grpc.StatusRuntimeException; import lombok.Value; import lombok.extern.slf4j.Slf4j; -import org.niis.xroad.signer.proto.*; +import org.niis.xroad.signer.proto.ActivateCertRequest; +import org.niis.xroad.signer.proto.ActivateTokenRequest; +import org.niis.xroad.signer.proto.GetCertificateInfoForHashRequest; +import org.niis.xroad.signer.proto.GetKeyIdForCertHashRequest; +import org.niis.xroad.signer.proto.GetMemberCertsRequest; +import org.niis.xroad.signer.proto.GetSignMechanismRequest; +import org.niis.xroad.signer.proto.GetSignMechanismResponse; +import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledRequest; +import org.niis.xroad.signer.proto.GetTokenByCertHashRequest; +import org.niis.xroad.signer.proto.GetTokenByCertRequestIdRequest; +import org.niis.xroad.signer.proto.GetTokenByIdRequest; +import org.niis.xroad.signer.proto.GetTokenByKeyIdRequest; +import org.niis.xroad.signer.proto.InitSoftwareTokenRequest; +import org.niis.xroad.signer.proto.ListTokensResponse; +import org.niis.xroad.signer.proto.SetCertStatusRequest; +import org.niis.xroad.signer.proto.SetKeyFriendlyNameRequest; +import org.niis.xroad.signer.proto.SetTokenFriendlyNameRequest; +import org.niis.xroad.signer.proto.SignCertificateRequest; +import org.niis.xroad.signer.proto.SignRequest; +import org.niis.xroad.signer.proto.UpdateSoftwareTokenPinRequest; import java.security.PublicKey; import java.util.Arrays; 
@@ -174,7 +221,12 @@ public static void activateToken(String tokenId, char[] password) throws Excepti public static void updateTokenPin(String tokenId, char[] oldPin, char[] newPin) throws Exception { log.trace("Updating token pin '{}'", tokenId); - execute(new UpdateSoftwareTokenPin(tokenId, oldPin, newPin)); + executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() + .updateSoftwareTokenPin(UpdateSoftwareTokenPinRequest.newBuilder() + .setTokenId(tokenId) + .setOldPin(new String(oldPin))//TODO:grpc its not great that we're doing this transformation + .setNewPin(new String(newPin)) + .build())); } /** @@ -583,8 +635,14 @@ public static String getSignMechanism(String keyId) throws Exception { } public static byte[] sign(String keyId, String signatureAlgorithmId, byte[] digest) throws Exception { - final SignResponse signResponse = execute(new Sign(keyId, signatureAlgorithmId, digest)); - return signResponse.getSignature(); + var response = executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() + .sign(SignRequest.newBuilder() + .setKeyId(keyId) + .setSignatureAlgorithmId(signatureAlgorithmId) + .setDigest(ByteString.copyFrom(digest)) + .build())); + + return response.getSignature().toByteArray(); } public static Boolean isTokenBatchSigningEnabled(String keyId) { 
@@ -617,9 +675,15 @@ public static boolean isHSMOperational() throws Exception { public static byte[] signCertificate(String keyId, String signatureAlgorithmId, String subjectName, PublicKey publicKey) throws Exception { - final SignCertificateResponse signCertificateResponse = - execute(new SignCertificate(keyId, signatureAlgorithmId, subjectName, publicKey)); - return signCertificateResponse.getCertificateChain(); + var response = executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() + .signCertificate(SignCertificateRequest.newBuilder() + .setKeyId(keyId) + .setSignatureAlgorithmId(signatureAlgorithmId) + .setSubjectName(subjectName) + .setPublicKey(ByteString.copyFrom(publicKey.getEncoded())) + .build())); + + return response.getCertificateChain().toByteArray(); } private static T execute(Object message) throws Exception { diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/Sign.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/Sign.java index 24723c8793..ac2ee57112 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/Sign.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/Sign.java @@ -34,6 +34,7 @@ * Signer API message. */ @Value +@Deprecated @ToString(exclude = "digest") public class Sign implements Serializable { diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificate.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificate.java index d97e793a2e..89ece8ef9c 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificate.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificate.java @@ -32,6 +32,7 @@ import java.security.PublicKey; @Value +@Deprecated public class SignCertificate implements Serializable { String keyId; 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificateResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificateResponse.java index b24d0d7a31..4b2efa6988 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificateResponse.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificateResponse.java @@ -32,6 +32,7 @@ import java.io.Serializable; @Value +@Deprecated @ToString(exclude = "certificateChain") public class SignCertificateResponse implements Serializable { diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignResponse.java index 7263f36042..796c540e41 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignResponse.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignResponse.java @@ -34,6 +34,7 @@ * Signer API message. */ @Value +@Deprecated @ToString(exclude = "signature") public class SignResponse implements Serializable { diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/UpdateSoftwareTokenPin.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/UpdateSoftwareTokenPin.java index f950d7e08d..0511c3f2eb 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/UpdateSoftwareTokenPin.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/UpdateSoftwareTokenPin.java @@ -33,6 +33,7 @@ * Signer API message for updating software token pin. */ @Value +@Deprecated public class UpdateSoftwareTokenPin implements Serializable { private final String tokenId; 
diff --git a/src/signer-protocol/src/main/proto/KeyService.proto b/src/signer-protocol/src/main/proto/KeyService.proto index c53a099fca..0b561f642d 100644 --- a/src/signer-protocol/src/main/proto/KeyService.proto +++ b/src/signer-protocol/src/main/proto/KeyService.proto @@ -14,6 +14,10 @@ service KeyService { rpc GetSignMechanism (GetSignMechanismRequest) returns (GetSignMechanismResponse) {} + + rpc Sign(SignRequest) returns (SignResponse) {} + + rpc SignCertificate(SignCertificateRequest) returns (SignCertificateResponse) {} } @@ -39,3 +43,25 @@ message GetSignMechanismRequest { message GetSignMechanismResponse { string signMechanismName = 1; } + +message SignRequest { + string keyId = 1; + string signatureAlgorithmId = 2; + bytes digest = 3; +} + +message SignResponse { + bytes signature = 1; +} + +message SignCertificateRequest { + string keyId = 1; + string signatureAlgorithmId = 2; + string subjectName = 3; + bytes publicKey = 4; + +} + +message SignCertificateResponse { + bytes certificateChain = 1; +} diff --git a/src/signer-protocol/src/main/proto/TokenService.proto b/src/signer-protocol/src/main/proto/TokenService.proto index e93798252b..bd1b647aab 100644 --- a/src/signer-protocol/src/main/proto/TokenService.proto +++ b/src/signer-protocol/src/main/proto/TokenService.proto @@ -25,6 +25,9 @@ service TokenService { rpc GetTokenBatchSigningEnabled(GetTokenBatchSigningEnabledRequest) returns (GetTokenBatchSigningEnabledResponse){} rpc InitSoftwareToken(InitSoftwareTokenRequest) returns (Empty) {} + + rpc UpdateSoftwareTokenPin(UpdateSoftwareTokenPinRequest) returns (Empty) {} + } message ListTokensResponse { @@ -68,3 +71,9 @@ message GetTokenBatchSigningEnabledResponse { message InitSoftwareTokenRequest { string pin = 1; } + +message UpdateSoftwareTokenPinRequest { + string tokenId = 1; + string oldPin = 2; + string newPin = 3; +} 
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java index a81edbf6d2..58b6c1e917 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java @@ -35,6 +35,7 @@ import ee.ria.xroad.signer.protocol.CertificateService; import ee.ria.xroad.signer.protocol.KeyService; import ee.ria.xroad.signer.protocol.SignerExceptionHandlerInterceptor; +import ee.ria.xroad.signer.protocol.TemporaryAkkaMessenger; import ee.ria.xroad.signer.protocol.TokensService; import ee.ria.xroad.signer.util.SignerUtil; @@ -120,10 +121,11 @@ private static void startup() throws Exception { private static void initGrpc() throws Exception { int port = 5560; log.info("Initializing GRPC server on port {}.. ", port); + var temporaryAkkaMessnger = new TemporaryAkkaMessenger(actorSystem); RpcServer.init(port, builder -> { - builder.addService(new CertificateService(actorSystem)); - builder.addService(new TokensService(actorSystem)); - builder.addService(new KeyService(actorSystem)); + builder.addService(new CertificateService(temporaryAkkaMessnger)); + builder.addService(new TokensService(temporaryAkkaMessnger)); + builder.addService(new KeyService(temporaryAkkaMessnger)); builder.intercept(new SignerExceptionHandlerInterceptor()); }); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java index 6d1facae36..64ca0e4ace 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java 
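Review bot: `initGrpc` registers only `SignerExceptionHandlerInterceptor`, so authentication of callers for the `Sign`, `SignCertificate` and `UpdateSoftwareTokenPin` RPCs added in this commit depends entirely on the credentials `RpcServer.init(port, …)` sets up, which this hunk does not show. I would state that dependency at the call once it is confirmed, e.g. `// caller authentication comes from the server credentials configured in RpcServer.init; no per-call authorization is done here`. The new local is also misspelled: `temporaryAkkaMessnger` should read `temporaryAkkaMessenger`.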
@@ -33,8 +33,6 @@ import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import akka.actor.ActorSystem; -import akka.util.Timeout; import com.google.protobuf.AbstractMessage; import io.grpc.stub.StreamObserver; import lombok.RequiredArgsConstructor; @@ -48,7 +46,6 @@ import org.niis.xroad.signer.proto.SetCertStatusRequest; import java.util.List; -import java.util.concurrent.TimeUnit; import java.util.stream.Collectors; import static ee.ria.xroad.common.ErrorCodes.X_CERT_NOT_FOUND; @@ -59,10 +56,7 @@ @Slf4j @RequiredArgsConstructor public class CertificateService extends CertificateServiceGrpc.CertificateServiceImplBase { - @Deprecated - private static final Timeout AKKA_TIMEOUT = new Timeout(10, TimeUnit.SECONDS); - - private final ActorSystem actorSystem; + private final TemporaryAkkaMessenger temporaryAkkaMessenger; @Override public void activateCert(ActivateCertRequest request, StreamObserver responseObserver) { diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java index d8c1843328..9575f875fe 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java 
@@ -27,15 +27,18 @@ import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.ErrorCodes; +import ee.ria.xroad.common.util.CryptoUtils; import ee.ria.xroad.signer.protocol.dto.Empty; import ee.ria.xroad.signer.protocol.dto.KeyInfo; +import ee.ria.xroad.signer.protocol.message.Sign; +import ee.ria.xroad.signer.protocol.message.SignCertificate; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import akka.actor.ActorSystem; -import akka.util.Timeout; import com.google.protobuf.AbstractMessage; +import com.google.protobuf.ByteString; import io.grpc.stub.StreamObserver; import lombok.RequiredArgsConstructor; +import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.proto.GetKeyIdForCertHashRequest; import org.niis.xroad.signer.proto.GetKeyIdForCertHashResponse; @@ -43,10 +46,15 @@ import org.niis.xroad.signer.proto.GetSignMechanismResponse; import org.niis.xroad.signer.proto.KeyServiceGrpc; import org.niis.xroad.signer.proto.SetKeyFriendlyNameRequest; +import org.niis.xroad.signer.proto.SignCertificateRequest; +import org.niis.xroad.signer.proto.SignCertificateResponse; +import org.niis.xroad.signer.proto.SignRequest; +import org.niis.xroad.signer.proto.SignResponse; -import java.util.concurrent.TimeUnit; +import java.security.PublicKey; import static ee.ria.xroad.common.ErrorCodes.X_CERT_NOT_FOUND; +import static ee.ria.xroad.signer.tokenmanager.TokenManager.findTokenIdForKeyId; /** * Handles requests for token list. @@ -54,10 +62,8 @@ @Slf4j @RequiredArgsConstructor public class KeyService extends KeyServiceGrpc.KeyServiceImplBase { - @Deprecated - private static final Timeout AKKA_TIMEOUT = new Timeout(10, TimeUnit.SECONDS); - private final ActorSystem actorSystem; + private final TemporaryAkkaMessenger temporaryAkkaMessenger; @Override public void getKeyIdForCertHash(GetKeyIdForCertHashRequest request, StreamObserver responseObserver) { 
@@ -96,6 +102,37 @@ public void getSignMechanism(GetSignMechanismRequest request, StreamObserver responseObserver) { + var message = new Sign(request.getKeyId(), + request.getSignatureAlgorithmId(), + request.getDigest().toByteArray()); + + ee.ria.xroad.signer.protocol.message.SignResponse response = temporaryAkkaMessenger + .tellTokenWithResponse(message, findTokenIdForKeyId(message.getKeyId())); + + emitSingleAndClose(responseObserver, SignResponse.newBuilder() + .setSignature(ByteString.copyFrom(response.getSignature())) + .build()); + } + + @SneakyThrows //TODO:grpc handle it + @Override + public void signCertificate(SignCertificateRequest request, StreamObserver responseObserver) { + PublicKey publicKey = CryptoUtils.readX509PublicKey(request.getPublicKey().toByteArray()); + var message = new SignCertificate(request.getKeyId(), + request.getSignatureAlgorithmId(), + request.getSubjectName(), + publicKey); + + ee.ria.xroad.signer.protocol.message.SignCertificateResponse response = temporaryAkkaMessenger + .tellTokenWithResponse(message, findTokenIdForKeyId(message.getKeyId())); + + emitSingleAndClose(responseObserver, SignCertificateResponse.newBuilder() + .setCertificateChain(ByteString.copyFrom(response.getCertificateChain())) + .build()); + } + private void emitSingleAndClose(StreamObserver responseObserver, T value) { responseObserver.onNext(value); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java new file mode 100644 index 0000000000..9f314959b8 --- /dev/null +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java 
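Review bot: `signCertificate` parses the client-supplied `publicKey` bytes with `CryptoUtils.readX509PublicKey` under `@SneakyThrows`, so a malformed key leaves the handler as an undeclared checked exception. The `//TODO:grpc handle it` marks this, but whether `SignerExceptionHandlerInterceptor` maps it to a sensible status is not visible here. Catching the parse failure and rethrowing it as a `CodedException` keeps bad input on the same error path as the rest of the service; a more specific code than `X_INTERNAL_ERROR` is preferable if `ErrorCodes` has one for invalid requests. `sign` also forwards `digest` and `signatureAlgorithmId` unchecked; presumably the token worker validates them against the key, which is worth confirming.

```java
PublicKey publicKey;
try {
    publicKey = CryptoUtils.readX509PublicKey(request.getPublicKey().toByteArray());
} catch (Exception e) {
    // client-supplied key bytes could not be decoded
    throw new CodedException(ErrorCodes.X_INTERNAL_ERROR, e);
}
// … unchanged: SignCertificate message construction, token call and response …
```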
@@ -0,0 +1,44 @@ +package ee.ria.xroad.signer.protocol; + +import akka.actor.ActorSystem; +import akka.pattern.Patterns; + +import akka.util.Timeout; + +import ee.ria.xroad.signer.tokenmanager.TokenManager; + +import lombok.RequiredArgsConstructor; +import lombok.SneakyThrows; +import scala.concurrent.Await; + +import java.util.concurrent.TimeUnit; + +import static ee.ria.xroad.signer.tokenmanager.ServiceLocator.getToken; +import static ee.ria.xroad.signer.util.ExceptionHelper.tokenNotAvailable; + +@Deprecated +@RequiredArgsConstructor +public class TemporaryAkkaMessenger { + @Deprecated + private static final Timeout AKKA_TIMEOUT = new Timeout(10, TimeUnit.SECONDS); + + private final ActorSystem actorSystem; + + public T tellTokenWithResponse(Object message, String tokenId) { + return (T) tellToken(message, tokenId); + } + + @SneakyThrows + public Object tellToken(Object message, String tokenId) { + if (!TokenManager.isTokenAvailable(tokenId)) { + throw tokenNotAvailable(tokenId); + } + + Object response = Await.result(Patterns.ask(getToken(actorSystem, tokenId), message, AKKA_TIMEOUT), + AKKA_TIMEOUT.duration()); + if (response instanceof Exception) { + throw (Throwable) response; + } + return response; + } +} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java index 7525882bed..6a02042d3b 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java 
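Review bot: `tellTokenWithResponse` casts the actor's reply with an unchecked `(T)`, so a reply of an unexpected type only fails later with a `ClassCastException` at the caller's assignment, and the unchecked warning is left in place. Taking the expected class as a `Class<T> responseType` parameter makes the check explicit: `return responseType.cast(tellToken(message, tokenId));`. `tellToken` also blocks the calling gRPC thread in `Await.result` for up to the 10-second `AKKA_TIMEOUT`. A class comment should say so, and should note that this is deprecated migration glue to be removed together with Akka. The file also lacks the MIT licence header that the other sources in this patch carry.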
@@ -31,11 +31,9 @@ import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; import ee.ria.xroad.signer.protocol.message.ActivateToken; import ee.ria.xroad.signer.protocol.message.InitSoftwareToken; +import ee.ria.xroad.signer.protocol.message.UpdateSoftwareTokenPin; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import akka.actor.ActorSystem; -import akka.pattern.Patterns; -import akka.util.Timeout; import com.google.protobuf.AbstractMessage; import io.grpc.stub.StreamObserver; import lombok.RequiredArgsConstructor; @@ -52,13 +50,9 @@ import org.niis.xroad.signer.proto.ListTokensResponse; import org.niis.xroad.signer.proto.SetTokenFriendlyNameRequest; import org.niis.xroad.signer.proto.TokenServiceGrpc; -import scala.concurrent.Await; - -import java.util.concurrent.TimeUnit; +import org.niis.xroad.signer.proto.UpdateSoftwareTokenPinRequest; import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; -import static ee.ria.xroad.signer.tokenmanager.ServiceLocator.getToken; -import static ee.ria.xroad.signer.util.ExceptionHelper.tokenNotAvailable; /** * Handles requests for token list. @@ -66,10 +60,7 @@ @Slf4j @RequiredArgsConstructor public class TokensService extends TokenServiceGrpc.TokenServiceImplBase { - @Deprecated - private static final Timeout AKKA_TIMEOUT = new Timeout(10, TimeUnit.SECONDS); - - private final ActorSystem actorSystem; + private final TemporaryAkkaMessenger temporaryAkkaMessenger; @Override public void listTokens(Empty request, StreamObserver responseObserver) { @@ -87,7 +78,7 @@ public void activateToken(ActivateTokenRequest request, StreamObserver re //TODO:grpc this is for debugging purposes. log.info("Resending back to actor system.."); - tellToken(actorMsg, request.getTokenId()); + temporaryAkkaMessenger.tellToken(actorMsg, request.getTokenId()); emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); } 
@@ -138,7 +129,7 @@ public void initSoftwareToken(InitSoftwareTokenRequest request, StreamObserver responseObserver) { + var message = new UpdateSoftwareTokenPin(request.getTokenId(), + request.getOldPin().toCharArray(), + request.getNewPin().toCharArray()); + + temporaryAkkaMessenger.tellToken(message, message.getTokenId()); + emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); + } + private void emitSingleAndClose(StreamObserver responseObserver, T value) { responseObserver.onNext(value); responseObserver.onCompleted(); } - @SneakyThrows - protected void tellToken(Object message, String tokenId) { - if (!TokenManager.isTokenAvailable(tokenId)) { - throw tokenNotAvailable(tokenId); - } - Await.result(Patterns.ask(getToken(actorSystem, tokenId), message, AKKA_TIMEOUT), - AKKA_TIMEOUT.duration()); - } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateRequestHandler.java deleted file mode 100644 index 9178950905..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateRequestHandler.java +++ /dev/null 
@@ -1,41 +0,0 @@ -/* - * The MIT License - * - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.handler; - -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; -import ee.ria.xroad.signer.protocol.message.SignCertificate; - -import static ee.ria.xroad.signer.tokenmanager.TokenManager.findTokenIdForKeyId; - -public class SignCertificateRequestHandler extends AbstractRequestHandler { - @Override - protected Object handle(SignCertificate message) throws Exception { - tellToken(message, findTokenIdForKeyId(message.getKeyId())); - - return nothing(); - } -} 
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignRequestHandler.java deleted file mode 100644 index 56d0a5d050..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignRequestHandler.java +++ /dev/null 
@@ -1,45 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.handler; - -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; -import ee.ria.xroad.signer.protocol.message.Sign; - -import static ee.ria.xroad.signer.tokenmanager.TokenManager.findTokenIdForKeyId; - -/** - * Handles signing requests. 
- */ -public class SignRequestHandler extends AbstractRequestHandler { - - @Override - protected Object handle(Sign message) throws Exception { - tellToken(message, findTokenIdForKeyId(message.getKeyId())); - - return nothing(); - } - -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinRequestHandler.java deleted file mode 100644 index 77b2e74518..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinRequestHandler.java +++ /dev/null 
@@ -1,43 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.handler; - -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; -import ee.ria.xroad.signer.protocol.message.UpdateSoftwareTokenPin; - -/** - * Handles token pin update - */ -public class UpdateSoftwareTokenPinRequestHandler - extends AbstractRequestHandler { - - @Override - protected Object handle(UpdateSoftwareTokenPin message) throws Exception { - tellToken(message, message.getTokenId()); - return nothing(); - } - -} 
From 1d433593708e1bf078d277b0108ac86ec5314e29 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Wed, 23 Aug 2023 17:28:52 +0300 Subject: [PATCH 014/127] chore: using token worker without akka Refs: XRDDEV-2461 --- .../token/HardwareTokenWorker.java | 3 +- .../java/ee/ria/xroad/signer/SignerProxy.java | 1 - .../protocol/message/InitSoftwareToken.java | 41 ---------------- .../ee/ria/xroad/signer/TemporaryHelper.java} | 33 ++++++++----- .../xroad/signer/protocol/TokensService.java | 49 +++++++++++++------ .../tokenmanager/token/AbstractToken.java | 7 ++- .../token/AbstractTokenWorker.java | 19 ++++--- .../token/SoftwareTokenWorker.java | 34 ++++++------- 8 files changed, 88 insertions(+), 99 deletions(-) delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/InitSoftwareToken.java rename src/{signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/UpdateSoftwareTokenPin.java => signer/src/main/java/ee/ria/xroad/signer/TemporaryHelper.java} (64%) diff --git a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java index 702705062e..2ccb9780b1 100644 --- a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java +++ b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -186,6 +186,7 @@ private static Mechanism createRsaPkcsPssMechanism(long hashMechanism) { @Override public void preStart() throws Exception { + super.preStart(); try { initialize(); setTokenAvailable(tokenId, true); 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java index 962e41b861..20632217a2 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java @@ -61,7 +61,6 @@ import ee.ria.xroad.signer.protocol.message.RegenerateCertRequest; import ee.ria.xroad.signer.protocol.message.RegenerateCertRequestResponse; import ee.ria.xroad.signer.protocol.message.SetOcspResponses; -import ee.ria.xroad.signer.protocol.message.UpdateSoftwareTokenPin; import com.google.protobuf.Any; import com.google.protobuf.ByteString; diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/InitSoftwareToken.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/InitSoftwareToken.java deleted file mode 100644 index 7640c9d689..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/InitSoftwareToken.java +++ /dev/null 
@@ -1,41 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -@Deprecated -public class InitSoftwareToken implements Serializable { - - private final char[] pin; - -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/UpdateSoftwareTokenPin.java b/src/signer/src/main/java/ee/ria/xroad/signer/TemporaryHelper.java similarity index 64% rename from src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/UpdateSoftwareTokenPin.java rename to src/signer/src/main/java/ee/ria/xroad/signer/TemporaryHelper.java index 0511c3f2eb..674b2b7850 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/UpdateSoftwareTokenPin.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/TemporaryHelper.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -23,23 +23,32 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ -package ee.ria.xroad.signer.protocol.message; +package ee.ria.xroad.signer; -import lombok.Value; +import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker; -import java.io.Serializable; +import java.util.HashMap; +import java.util.Map; /** - * Signer API message for updating software token pin. + * FOR TEMPORARY USE DURING MIGRATION FROM AKKA ONLY!!!! */ -@Value -@Deprecated -public class UpdateSoftwareTokenPin implements Serializable { - - private final String tokenId; +@Deprecated(forRemoval = true) +public class TemporaryHelper { - private final char[] oldPin; + @Deprecated + private static Map TOKEN_WORKERS = new HashMap<>(); - private final char[] newPin; + @Deprecated + public static AbstractTokenWorker getTokenWorker(String tokenId) { + if (!TOKEN_WORKERS.containsKey(tokenId)) { + throw new RuntimeException("Token workder not available"); + } + return TOKEN_WORKERS.get(tokenId); + } + @Deprecated + public static void addTokenWorker(String tokenId, AbstractTokenWorker tokenWorker) { + TOKEN_WORKERS.put(tokenId, tokenWorker); + } } 
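Review bot: `TOKEN_WORKERS` in `TemporaryHelper` is a plain, non-final static `HashMap` that `addTokenWorker` writes and `getTokenWorker` reads, and after this commit the readers are gRPC handler threads in `TokensService`, so the map is shared across threads without synchronisation. I would declare it `private static final Map<String, AbstractTokenWorker> TOKEN_WORKERS = new ConcurrentHashMap<>();` and do a single `get` with a null check instead of `containsKey` followed by `get`. Handing the worker object to gRPC threads also means its methods no longer run one at a time as actor messages did; if the workers rely on that, they need their own locking, which is not visible here. The failure message has a typo (`workder`), and throwing `tokenNotAvailable(tokenId)` as `TemporaryAkkaMessenger.tellToken` does would keep the fault that clients already receive.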
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java index 6a02042d3b..f9a45385ce 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java @@ -1,20 +1,20 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

+ * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - *

+ * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - *

+ * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE @@ -26,13 +26,14 @@ package ee.ria.xroad.signer.protocol; import ee.ria.xroad.common.CodedException; +import ee.ria.xroad.signer.TemporaryHelper; import ee.ria.xroad.signer.protocol.dto.Empty; import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyIdProto; import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; import ee.ria.xroad.signer.protocol.message.ActivateToken; -import ee.ria.xroad.signer.protocol.message.InitSoftwareToken; -import ee.ria.xroad.signer.protocol.message.UpdateSoftwareTokenPin; import ee.ria.xroad.signer.tokenmanager.TokenManager; +import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker; +import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenWorker; import com.google.protobuf.AbstractMessage; import io.grpc.stub.StreamObserver; @@ -75,10 +76,10 @@ public void listTokens(Empty request, StreamObserver respons @Override public void activateToken(ActivateTokenRequest request, StreamObserver responseObserver) { ActivateToken actorMsg = new ActivateToken(request.getTokenId(), request.getActivate()); - //TODO:grpc this is for debugging purposes. - log.info("Resending back to actor system.."); - temporaryAkkaMessenger.tellToken(actorMsg, request.getTokenId()); + final AbstractTokenWorker tokenWorker = TemporaryHelper.getTokenWorker(request.getTokenId()); + tokenWorker.handleActivateToken(actorMsg); + emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); } 
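Review bot: `activateToken` now calls `TemporaryHelper.getTokenWorker(...).handleActivateToken(actorMsg)` directly, which drops the `TokenManager.isTokenAvailable(tokenId)` check that `TemporaryAkkaMessenger.tellToken` performed before every dispatch. An unknown token id therefore surfaces as the bare `RuntimeException` from `getTokenWorker`, and an unavailable token reaches the worker, instead of producing the `tokenNotAvailable(tokenId)` fault. The same applies to `initSoftwareToken` and `updateSoftwareTokenPin` in the next two hunks. I would restore the guard before the lookup: `if (!TokenManager.isTokenAvailable(tokenId)) { throw tokenNotAvailable(tokenId); }`.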
@@ -127,11 +128,20 @@ public void getTokenBatchSigningEnabled(GetTokenBatchSigningEnabledRequest reque @Override public void initSoftwareToken(InitSoftwareTokenRequest request, StreamObserver responseObserver) { String softwareTokenId = TokenManager.getSoftwareTokenId(); + if (softwareTokenId != null) { - var message = new InitSoftwareToken(request.getPin().toCharArray()); - temporaryAkkaMessenger.tellToken(message, softwareTokenId); - emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); + final AbstractTokenWorker tokenWorker = TemporaryHelper.getTokenWorker(softwareTokenId); + if (tokenWorker instanceof SoftwareTokenWorker) { + try { + ((SoftwareTokenWorker) tokenWorker).initializeToken(request.getPin().toCharArray()); + } catch (Exception e) { + throw new CodedException(X_INTERNAL_ERROR, e); //todo move to worker + } + emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); + } else { + throw new CodedException(X_INTERNAL_ERROR, "Software token not found"); + } } else { throw new CodedException(X_INTERNAL_ERROR, "Software token not found"); } @@ -139,11 +149,18 @@ public void initSoftwareToken(InitSoftwareTokenRequest request, StreamObserver responseObserver) { - var message = new UpdateSoftwareTokenPin(request.getTokenId(), - request.getOldPin().toCharArray(), - request.getNewPin().toCharArray()); + final AbstractTokenWorker tokenWorker = TemporaryHelper.getTokenWorker(request.getTokenId()); + if (tokenWorker instanceof SoftwareTokenWorker) { + try { + ((SoftwareTokenWorker) tokenWorker).handleUpdateTokenPin(request.getOldPin().toCharArray(), request.getNewPin().toCharArray()); + } catch (Exception e) { + // todo move to tokenworker + throw new CodedException(X_INTERNAL_ERROR, e); + } + } else { + throw new CodedException(X_INTERNAL_ERROR, "Software token not found"); + } - temporaryAkkaMessenger.tellToken(message, message.getTokenId()); emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); } 
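Review bot: The `catch (Exception e)` in `initSoftwareToken` also catches any `CodedException` thrown by `initializeToken` and re-wraps it as `X_INTERNAL_ERROR`, so the caller presumably can no longer tell a PIN-related fault from a real internal failure. The same pattern is repeated in `updateSoftwareTokenPin` in the next hunk. Putting `} catch (CodedException e) { throw e;` in front of the generic catch keeps the worker's own fault codes until the `todo move to worker` is done. The inner `else` in `initSoftwareToken` reports "Software token not found" even when a worker exists but has another type, which will mislead whoever reads the error.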
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractToken.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractToken.java index df8005157f..e54eea4fba 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractToken.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractToken.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -28,7 +28,6 @@ import ee.ria.xroad.common.CodedException; import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.protocol.message.ActivateToken; -import ee.ria.xroad.signer.protocol.message.InitSoftwareToken; import ee.ria.xroad.signer.protocol.message.Sign; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.util.AbstractSignerActor; @@ -130,8 +129,8 @@ void stopWatchedActor(ActorRef actor) { boolean isTokenActive(Object message) { if (message instanceof Update - || message instanceof ActivateToken - || message instanceof InitSoftwareToken) { + || message instanceof ActivateToken) { +// || message instanceof InitSoftwareToken) { return true; } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java index 5e18ea447a..b3dc4730a7 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
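Review bot: The `// || message instanceof InitSoftwareToken) {` line in `isTokenActive` should be deleted rather than commented out, since version control already keeps the old code. The same applies to the commented-out `ActivateToken` branch and `// sendSuccessResponse();` in AbstractTokenWorker, and to the whole commented `onMessage` override in SoftwareTokenWorker, whose commented text no longer matches the original. Because the gRPC handlers now call the worker directly, init, activation and PIN-update requests no longer pass through this check at all. `isTokenActive` continues outside the hunk, so whether a state check is lost that way has to be confirmed against the full method.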
@@ -27,6 +27,7 @@ import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.util.PasswordStore; +import ee.ria.xroad.signer.TemporaryHelper; import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.protocol.message.ActivateToken; import ee.ria.xroad.signer.protocol.message.DeleteCert; @@ -69,6 +70,12 @@ public abstract class AbstractTokenWorker extends AbstractUpdateableActor { private final String workerId; + @Override + @Deprecated + public void preStart() throws Exception { + TemporaryHelper.addTokenWorker(tokenId, this); + } + AbstractTokenWorker(TokenInfo tokenInfo) { this.tokenId = tokenInfo.getId(); this.workerId = SignerUtil.getWorkerId(tokenInfo); @@ -100,9 +107,9 @@ protected Exception customizeException(Exception e) { protected void onMessage(Object message) throws Exception { log.trace("onMessage()"); - if (message instanceof ActivateToken) { - handleActivateToken((ActivateToken) message); - } else if (message instanceof GenerateKey) { +// if (message instanceof ActivateToken) { +// handleActivateToken((ActivateToken) message); + if (message instanceof GenerateKey) { handleGenerateKey((GenerateKey) message); } else if (message instanceof DeleteKey) { handleDeleteKey((DeleteKey) message); @@ -122,13 +129,13 @@ public void postStop() throws Exception { setTokenAvailable(tokenId, false); } - private void handleActivateToken(ActivateToken message) throws Exception { + public void handleActivateToken(ActivateToken message) throws Exception { try { activateToken(message); onUpdate(); - sendSuccessResponse(); +// sendSuccessResponse(); } catch (Exception e) { log.error("Failed to activate token '{}': {}", getWorkerId(), e.getMessage()); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenWorker.java index e06e4ed357..91e586a33e 100644 
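Review bot: The new `preStart()` registers the worker with `TemporaryHelper.addTokenWorker(tokenId, this)`, but nothing visible removes it again; as far as the later hunk shows, `postStop()` only calls `setTokenAvailable(tokenId, false)`. If TemporaryHelper keeps a plain map (its code is not shown here), a stopped or restarted worker stays reachable from the gRPC handlers, which could then run PIN and activation operations on an instance the actor system has already shut down. A matching removal in `postStop()` would close that gap. The override also skips `super.preStart()`, which matters if a superclass relies on it. A comment such as `// temporary bridge for the gRPC migration; remove together with TemporaryHelper` would say more than the bare `@Deprecated`.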
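Review bot: Making `handleActivateToken` public so that a gRPC thread can call it means the worker's state is now touched from outside the actor's message loop, while `GenerateKey`, `DeleteKey` and the other messages still arrive through `onMessage`. The same holds for `initializeToken` and `handleUpdateTokenPin` in SoftwareTokenWorker, where `isTokenLoginAllowed` is written directly. Nothing in these hunks adds a lock, so two requests for the same token can interleave. Until the actor path is gone, I would route the directly called entry points through one lock shared with `onMessage` and state the rule on each method, e.g. `// called from gRPC threads; must not run concurrently with onMessage()`. The catch block continues outside the hunk, so whether a failure still reaches the caller now that `sendSuccessResponse()` is commented out cannot be checked here.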
--- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenWorker.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -36,8 +36,6 @@ import ee.ria.xroad.signer.protocol.dto.TokenStatusInfo; import ee.ria.xroad.signer.protocol.message.ActivateToken; import ee.ria.xroad.signer.protocol.message.GenerateKey; -import ee.ria.xroad.signer.protocol.message.InitSoftwareToken; -import ee.ria.xroad.signer.protocol.message.UpdateSoftwareTokenPin; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.util.SignerUtil; @@ -146,19 +144,19 @@ protected void onUpdate() { } } - @Override - protected void onMessage(Object message) throws Exception { - if (message instanceof InitSoftwareToken) { - initializeToken(((InitSoftwareToken) message).getPin()); - sendSuccessResponse(); - } else if (message instanceof UpdateSoftwareTokenPin) { - UpdateSoftwareTokenPin updateTokenPinMessage = (UpdateSoftwareTokenPin) message; - handleUpdateTokenPin(updateTokenPinMessage.getOldPin(), updateTokenPinMessage.getNewPin()); - sendSuccessResponse(); - } else { - super.onMessage(message); - } - } +// @Override +// protected void onMessage(Object message) throws Exception { +// if (message instanceof InitSoftwareToken) { +// initializeToken(((InitSoftwareToken) message).getPin()); +// sendSuccessResponse(); +// if (message instanceof UpdateSoftwareTokenPin) { +// UpdateSoftwareTokenPin updateTokenPinMessage = (UpdateSoftwareTokenPin) message; +// handleUpdateTokenPin(updateTokenPinMessage.getOldPin(), updateTokenPinMessage.getNewPin()); +// sendSuccessResponse(); +// } else { +// super.onMessage(message); +// } +// } @Override protected void activateToken(ActivateToken message) { 
@@ -349,7 +347,7 @@ private void initializePrivateKey(String keyId) throws Exception { } } - private void initializeToken(char[] pin) throws Exception { + public void initializeToken(char[] pin) throws Exception { verifyPinProvided(pin); log.info("Initializing software token with new pin..."); @@ -429,7 +427,7 @@ private void createKeyDirBackup() throws IOException { Files.move(getKeyDir().toPath(), getBackupKeyDir(), ATOMIC_MOVE); } - private void handleUpdateTokenPin(char[] oldPin, char[] newPin) throws Exception { + public void handleUpdateTokenPin(char[] oldPin, char[] newPin) throws Exception { log.info("Updating the software token pin to a new one..."); isTokenLoginAllowed = false; // Prevent token login for the time of pin update From 8c0d767bda716e53aabb02e83e23dc97d16f9612 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Wed, 23 Aug 2023 17:54:41 +0300 Subject: [PATCH 015/127] chore: add spring DI support. Other grpc WIP things.. Refs: XRDDEV-2468 --- .../ria/xroad/signer/glue/SignerStepDefs.java | 2 +- .../resources/application-override.yml | 2 +- .../java/ee/ria/xroad/signer/SignerProxy.java | 32 +++++++----- .../signer/protocol/RpcSignerClient.java | 4 ++ .../message/CertificateRequestFormat.java | 34 ------------- .../protocol/message/GenerateCertRequest.java | 1 + .../message/GenerateCertRequestResponse.java | 1 + .../protocol/message/GetOcspResponses.java | 1 + .../message/GetOcspResponsesResponse.java | 1 + .../message/RegenerateCertRequest.java | 1 + .../RegenerateCertRequestResponse.java | 1 + .../protocol/message/SetOcspResponses.java | 1 + .../src/main/proto/CertificateService.proto | 22 ++++++++ .../src/main/proto/CommonMessages.proto | 9 ++++ .../src/main/proto/KeyService.proto | 1 + .../src/main/proto/OcspService.proto | 26 ++++++++++ .../src/main/proto/TokenService.proto | 1 + .../src/main/proto/Tokens.proto | 4 -- src/signer/build.gradle | 10 +++- .../ee/ria/xroad/signer/SignerConfig.java | 31 ++++++++++++ .../java/ee/ria/xroad/signer/SignerMain.java | 26 ++++++---- .../signer/protocol/CertificateService.java | 14 +++++- .../ria/xroad/signer/protocol/KeyService.java | 4 +- .../xroad/signer/protocol/OcspService.java | 50 +++++++++++++++++++ .../protocol/TemporaryAkkaMessenger.java | 23 ++++++++- .../xroad/signer/protocol/TokensService.java | 4 +- .../handler/AbstractGenerateCertRequest.java | 11 ++-- .../signer/tokenmanager/ServiceLocator.java | 11 +++- 28 files changed, 249 insertions(+), 79 deletions(-) delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/CertificateRequestFormat.java create mode 100644 src/signer-protocol/src/main/proto/CommonMessages.proto create mode 100644 src/signer-protocol/src/main/proto/OcspService.proto create mode 100644 
src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/OcspService.java diff --git a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java index 664e7d570e..511effe34b 100644 --- a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java +++ b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java @@ -38,7 +38,6 @@ import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyId; import ee.ria.xroad.signer.protocol.dto.TokenStatusInfo; -import ee.ria.xroad.signer.protocol.message.CertificateRequestFormat; import akka.actor.ActorSystem; import com.nortal.test.core.report.TestReportService; @@ -55,6 +54,7 @@ import lombok.extern.slf4j.Slf4j; import org.bouncycastle.util.encoders.Base64; import org.junit.jupiter.api.Assertions; +import org.niis.xroad.signer.proto.CertificateRequestFormat; import org.springframework.beans.factory.annotation.Autowired; import java.io.BufferedReader; diff --git a/src/signer-protocol/src/intTest/resources/application-override.yml b/src/signer-protocol/src/intTest/resources/application-override.yml index 133ccb25b5..f16517419d 100755 --- a/src/signer-protocol/src/intTest/resources/application-override.yml +++ b/src/signer-protocol/src/intTest/resources/application-override.yml @@ -11,7 +11,7 @@ logging: test-automation: report-name: xroad-signer-test-suite - spring-component-scan: "ee.ria.xroad.signer" + spring-component-scan: "ee.ria.xroad.signer.glue" cucumber: execution: parallel: diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java index 962e41b861..f44b881c3f 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java 
+++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java @@ -35,13 +35,11 @@ import ee.ria.xroad.signer.protocol.dto.AuthKeyInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.CodedExceptionProto; -import ee.ria.xroad.signer.protocol.dto.Empty; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.MemberSigningInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyId; -import ee.ria.xroad.signer.protocol.message.CertificateRequestFormat; import ee.ria.xroad.signer.protocol.message.DeleteCert; import ee.ria.xroad.signer.protocol.message.DeleteCertRequest; import ee.ria.xroad.signer.protocol.message.DeleteKey; @@ -54,14 +52,10 @@ import ee.ria.xroad.signer.protocol.message.GetHSMOperationalInfo; import ee.ria.xroad.signer.protocol.message.GetHSMOperationalInfoResponse; import ee.ria.xroad.signer.protocol.message.GetMemberSigningInfo; -import ee.ria.xroad.signer.protocol.message.GetOcspResponses; -import ee.ria.xroad.signer.protocol.message.GetOcspResponsesResponse; import ee.ria.xroad.signer.protocol.message.ImportCert; import ee.ria.xroad.signer.protocol.message.ImportCertResponse; import ee.ria.xroad.signer.protocol.message.RegenerateCertRequest; import ee.ria.xroad.signer.protocol.message.RegenerateCertRequestResponse; -import ee.ria.xroad.signer.protocol.message.SetOcspResponses; -import ee.ria.xroad.signer.protocol.message.UpdateSoftwareTokenPin; import com.google.protobuf.Any; import com.google.protobuf.ByteString; 
@@ -71,9 +65,11 @@ import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.proto.ActivateCertRequest; import org.niis.xroad.signer.proto.ActivateTokenRequest; +import org.niis.xroad.signer.proto.CertificateRequestFormat; import org.niis.xroad.signer.proto.GetCertificateInfoForHashRequest; import org.niis.xroad.signer.proto.GetKeyIdForCertHashRequest; import org.niis.xroad.signer.proto.GetMemberCertsRequest; +import org.niis.xroad.signer.proto.GetOcspResponsesRequest; import org.niis.xroad.signer.proto.GetSignMechanismRequest; import org.niis.xroad.signer.proto.GetSignMechanismResponse; import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledRequest; @@ -85,10 +81,12 @@ import org.niis.xroad.signer.proto.ListTokensResponse; import org.niis.xroad.signer.proto.SetCertStatusRequest; import org.niis.xroad.signer.proto.SetKeyFriendlyNameRequest; +import org.niis.xroad.signer.proto.SetOcspResponsesRequest; import org.niis.xroad.signer.proto.SetTokenFriendlyNameRequest; import org.niis.xroad.signer.proto.SignCertificateRequest; import org.niis.xroad.signer.proto.SignRequest; import org.niis.xroad.signer.proto.UpdateSoftwareTokenPinRequest; +import org.niis.xroad.signer.protocol.dto.Empty; import java.security.PublicKey; import java.util.Arrays; @@ -98,6 +96,7 @@ import java.util.stream.Collectors; import static ee.ria.xroad.common.ErrorCodes.SIGNER_X; +import static java.util.Arrays.asList; /** * Responsible for managing cryptographic tokens (smartcards, HSMs, etc.) through the signer. 
@@ -566,20 +565,27 @@ public static TokenInfoAndKeyId getTokenAndKeyIdForCertHash(String hash) { * @throws Exception if something failed */ public static String[] getOcspResponses(String[] certHashes) throws Exception { - String[] lowerCaseHashes = toLowerCase(certHashes); - GetOcspResponsesResponse response = execute(new GetOcspResponses(lowerCaseHashes)); - return response.getBase64EncodedResponses(); + + var response = executeAndHandleException(() -> getSignerClient().getOcspServiceBlockingStub() + .getOcspResponses(GetOcspResponsesRequest.newBuilder() + .addAllCertHash(toLowerCase(certHashes)) + .build())); + + return response.getBase64EncodedResponsesList().toArray(new String[0]); } public static void setOcspResponses(String[] certHashes, String[] base64EncodedResponses) throws Exception { - execute(new SetOcspResponses(certHashes, base64EncodedResponses)); + executeAndHandleException(() -> getSignerClient().getOcspServiceBlockingStub() + .setOcspResponses(SetOcspResponsesRequest.newBuilder() + .addAllCertHashes(asList(certHashes)) + .addAllBase64EncodedResponses(asList(base64EncodedResponses)) + .build())); } - private static String[] toLowerCase(String[] certHashes) { + private static List toLowerCase(String[] certHashes) { return Arrays.stream(certHashes) .map(String::toLowerCase) - .collect(Collectors.toList()) - .toArray(new String[]{}); + .collect(Collectors.toList()); } /** diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java index e2e36178fd..0e270102c9 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java 
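Review bot: `setOcspResponses` sends `certHashes` and `base64EncodedResponses` as two separate repeated fields without checking that the arrays have the same length. A mismatch is then discovered only on the signer side, or not at all, and a response could end up stored against the wrong certificate hash. A guard before building the request keeps the pairing explicit: `if (certHashes.length != base64EncodedResponses.length) { throw new IllegalArgumentException("certHashes and responses differ in length"); }`. `getOcspResponses` lower-cases its hashes through `toLowerCase(certHashes)` while `setOcspResponses` passes them unchanged; if the signer keys responses by lower-case hash (the handler is not shown here), that asymmetry deserves a comment or the same normalisation.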
@@ -32,6 +32,7 @@ import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.proto.CertificateServiceGrpc; import org.niis.xroad.signer.proto.KeyServiceGrpc; +import org.niis.xroad.signer.proto.OcspServiceGrpc; import org.niis.xroad.signer.proto.TokenServiceGrpc; import static org.niis.xroad.signer.grpc.ServerCredentialsConfigurer.createClientCredentials; @@ -46,6 +47,8 @@ public class RpcSignerClient { private final CertificateServiceGrpc.CertificateServiceBlockingStub certificateServiceBlockingStub; @Getter private final KeyServiceGrpc.KeyServiceBlockingStub keyServiceBlockingStub; + @Getter + private final OcspServiceGrpc.OcspServiceBlockingStub ocspServiceBlockingStub; /** * Construct client for accessing RouteGuide server using the existing channel. @@ -55,6 +58,7 @@ public RpcSignerClient(Channel channel) { signerApiBlockingStub = TokenServiceGrpc.newBlockingStub(channel); certificateServiceBlockingStub = CertificateServiceGrpc.newBlockingStub(channel); keyServiceBlockingStub = KeyServiceGrpc.newBlockingStub(channel); + ocspServiceBlockingStub = OcspServiceGrpc.newBlockingStub(channel); } /** diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/CertificateRequestFormat.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/CertificateRequestFormat.java deleted file mode 100644 index 2ad3e913a1..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/CertificateRequestFormat.java +++ /dev/null 
@@ -1,34 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -/** - * Specifies the cert request format to return. - */ -public enum CertificateRequestFormat { - PEM, - DER -} diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequest.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequest.java index cedd7656bb..a95f251383 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequest.java 
+++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequest.java @@ -29,6 +29,7 @@ import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import lombok.Value; +import org.niis.xroad.signer.proto.CertificateRequestFormat; import java.io.Serializable; diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequestResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequestResponse.java index 63f88bc17b..8bb3d09e2e 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequestResponse.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequestResponse.java @@ -26,6 +26,7 @@ package ee.ria.xroad.signer.protocol.message; import lombok.Value; +import org.niis.xroad.signer.proto.CertificateRequestFormat; import java.io.Serializable; diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetOcspResponses.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetOcspResponses.java index 8394e5b1b4..2e4e98aa75 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetOcspResponses.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetOcspResponses.java @@ -33,6 +33,7 @@ * Signer API message. */ @Value +@Deprecated public class GetOcspResponses implements Serializable { private final String[] certHash; diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetOcspResponsesResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetOcspResponsesResponse.java index b386867983..e09b3062b8 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetOcspResponsesResponse.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetOcspResponsesResponse.java 
@@ -34,6 +34,7 @@ * Signer API message. */ @Value +@Deprecated @ToString(exclude = "base64EncodedResponses") public class GetOcspResponsesResponse implements Serializable { diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/RegenerateCertRequest.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/RegenerateCertRequest.java index cd9081a5a4..5a8a66a0f5 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/RegenerateCertRequest.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/RegenerateCertRequest.java @@ -26,6 +26,7 @@ package ee.ria.xroad.signer.protocol.message; import lombok.Value; +import org.niis.xroad.signer.proto.CertificateRequestFormat; import java.io.Serializable; diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/RegenerateCertRequestResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/RegenerateCertRequestResponse.java index 0fcddecc61..a32b735b12 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/RegenerateCertRequestResponse.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/RegenerateCertRequestResponse.java @@ -29,6 +29,7 @@ import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import lombok.Value; +import org.niis.xroad.signer.proto.CertificateRequestFormat; import java.io.Serializable; diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SetOcspResponses.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SetOcspResponses.java index 31887b9a14..da1c4536ae 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SetOcspResponses.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SetOcspResponses.java 
@@ -34,6 +34,7 @@ * Signer API message. */ @Value +@Deprecated @ToString(exclude = "base64EncodedResponses") public class SetOcspResponses implements Serializable { diff --git a/src/signer-protocol/src/main/proto/CertificateService.proto b/src/signer-protocol/src/main/proto/CertificateService.proto index dd373fc6a9..89ade528db 100644 --- a/src/signer-protocol/src/main/proto/CertificateService.proto +++ b/src/signer-protocol/src/main/proto/CertificateService.proto @@ -2,6 +2,7 @@ syntax = "proto3"; option java_multiple_files = true; +import "CommonMessages.proto"; import "Tokens.proto"; import "TokenStatusInfo.proto"; @@ -15,6 +16,8 @@ service CertificateService { rpc GetMemberCerts (GetMemberCertsRequest) returns (GetMemberCertsResponse) {} rpc SetCertStatus (SetCertStatusRequest) returns (Empty) {} + + rpc RegenerateCertReq (RegenerateCertReqRequest) returns (RegenerateCertReqResponse) {} } message GetCertificateInfoForHashRequest { @@ -42,3 +45,22 @@ message GetMemberCertsRequest{ message GetMemberCertsResponse{ repeated CertificateInfoProto certs = 1; } + +message RegenerateCertReqRequest {//TODO:grpc consider swapping req and request places.. + string certRequestId = 1; + CertificateRequestFormat format = 2; +} + +message RegenerateCertReqResponse { + string certReqId = 1; + bytes certRequest = 2; + CertificateRequestFormat format = 3; + ClientIdProto memberId = 4; + KeyUsageInfo keyUsage = 5; +} + +/** Specifies the cert request format to return. */ +enum CertificateRequestFormat { + PEM = 0; + DER = 1; +} diff --git a/src/signer-protocol/src/main/proto/CommonMessages.proto b/src/signer-protocol/src/main/proto/CommonMessages.proto new file mode 100644 index 0000000000..84f859faed --- /dev/null +++ b/src/signer-protocol/src/main/proto/CommonMessages.proto 
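Review bot: `CertificateRequestFormat` assigns `PEM = 0`, and in proto3 the zero value is what a reader sees when the field was never set. A `RegenerateCertReqRequest` without a format is therefore indistinguishable from one that explicitly asks for PEM. Reserving zero, for example `CERTIFICATE_REQUEST_FORMAT_UNSPECIFIED = 0; PEM = 1; DER = 2;`, lets the server reject a missing format. The messages also mix `certRequestId` in the request with `certReqId` in the response; settling on one spelling now is cheaper than after clients exist, which is what the inline TODO hints at.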
@@ -0,0 +1,9 @@ +syntax = "proto3"; +import "TokenStatusInfo.proto"; + +option java_multiple_files = true; +option java_package = "org.niis.xroad.signer.protocol.dto"; + +/* Generic empty request/response. */ +message Empty { +} diff --git a/src/signer-protocol/src/main/proto/KeyService.proto b/src/signer-protocol/src/main/proto/KeyService.proto index 0b561f642d..8235f3c18f 100644 --- a/src/signer-protocol/src/main/proto/KeyService.proto +++ b/src/signer-protocol/src/main/proto/KeyService.proto @@ -2,6 +2,7 @@ syntax = "proto3"; option java_multiple_files = true; +import "CommonMessages.proto"; import "Tokens.proto"; import "TokenStatusInfo.proto"; diff --git a/src/signer-protocol/src/main/proto/OcspService.proto b/src/signer-protocol/src/main/proto/OcspService.proto new file mode 100644 index 0000000000..34583fd729 --- /dev/null +++ b/src/signer-protocol/src/main/proto/OcspService.proto @@ -0,0 +1,26 @@ +syntax = "proto3"; + +option java_multiple_files = true; + +package org.niis.xroad.signer.proto; + +import "CommonMessages.proto"; + +service OcspService { + rpc SetOcspResponses (SetOcspResponsesRequest) returns (Empty) {} + + rpc GetOcspResponses (GetOcspResponsesRequest) returns (GetOcspResponsesResponse) {} +} + +message SetOcspResponsesRequest { + repeated string certHashes = 1; + repeated string base64EncodedResponses = 2; +} + +message GetOcspResponsesRequest{ + repeated string certHash = 1; +} + +message GetOcspResponsesResponse{ + repeated string base64EncodedResponses = 1; +} diff --git a/src/signer-protocol/src/main/proto/TokenService.proto b/src/signer-protocol/src/main/proto/TokenService.proto index bd1b647aab..fe49c9edc6 100644 --- a/src/signer-protocol/src/main/proto/TokenService.proto +++ b/src/signer-protocol/src/main/proto/TokenService.proto @@ -2,6 +2,7 @@ syntax = "proto3"; option java_multiple_files = true; +import "CommonMessages.proto"; import "Tokens.proto"; import "TokenStatusInfo.proto"; 
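Review bot: In OcspService.proto the responses travel as a positional `repeated string base64EncodedResponses`, which cannot express "no response for this hash". A repeated string has no null element, and the generated Java builder rejects null entries. If the signer can lack a response for some certificate (the handler is not part of this chunk), the positions in `GetOcspResponsesResponse` no longer line up with the requested hashes. A keyed shape such as `map<string, string> base64EncodedResponses = 1;`, or a small per-certificate message, would make the pairing explicit in both directions. Separately, the request fields are named inconsistently (`certHashes` in `SetOcspResponsesRequest`, `certHash` in `GetOcspResponsesRequest`), and CommonMessages.proto imports `TokenStatusInfo.proto` without using it.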
diff --git a/src/signer-protocol/src/main/proto/Tokens.proto b/src/signer-protocol/src/main/proto/Tokens.proto index 497c926b3b..b952b105f5 100644 --- a/src/signer-protocol/src/main/proto/Tokens.proto +++ b/src/signer-protocol/src/main/proto/Tokens.proto @@ -4,10 +4,6 @@ import "TokenStatusInfo.proto"; option java_multiple_files = true; option java_package = "ee.ria.xroad.signer.protocol.dto"; -/* Generic empty request/response. */ -message Empty { -} - message TokenInfoProto { string type = 1; string friendlyName = 2; diff --git a/src/signer/build.gradle b/src/signer/build.gradle index fa2abd630d..35f9edc602 100644 --- a/src/signer/build.gradle +++ b/src/signer/build.gradle @@ -1,6 +1,9 @@ plugins { - id 'com.github.johnrengelman.shadow' + id 'io.spring.dependency-management' + id 'org.springframework.boot' + id 'com.github.johnrengelman.shadow' } + project.ext.schemaTargetDir = new File("$buildDir/generated-sources") configurations { @@ -19,6 +22,7 @@ dependencies { implementation project(':common:common-rpc') implementation project(':signer-protocol') + implementation('org.springframework:spring-context') // Necessary since there are jars with no adequate Maven dependencies implementation fileTree(dir: '../libs', include: '*.jar') @@ -40,6 +44,10 @@ jar { archiveClassifier = 'plain' } +bootJar { + enabled = false +} + shadowJar { archiveClassifier = '' exclude('**/module-info.class') diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java new file mode 100644 index 0000000000..27658197ca --- /dev/null +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java 
@@ -0,0 +1,31 @@ +package ee.ria.xroad.signer; + +import ee.ria.xroad.common.SystemProperties; + +import akka.actor.ActorSystem; +import com.typesafe.config.Config; +import com.typesafe.config.ConfigFactory; +import com.typesafe.config.ConfigValueFactory; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.ComponentScan; +import org.springframework.context.annotation.Configuration; + +import static ee.ria.xroad.signer.protocol.ComponentNames.SIGNER; + +@ComponentScan("ee.ria.xroad.signer.protocol") +@Configuration +public class SignerConfig { + + @Bean + @Deprecated + public ActorSystem actorSystem() { + return ActorSystem.create(SIGNER, getConf(SystemProperties.getSignerPort())); + } + + private static Config getConf(int signerPort) { + Config conf = ConfigFactory.load().getConfig("signer-main") + .withFallback(ConfigFactory.load()); + return conf.withValue("akka.remote.artery.canonical.port", + ConfigValueFactory.fromAnyRef(signerPort)); + } +} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java index 58b6c1e917..296b5009d9 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java @@ -46,6 +46,9 @@ import com.typesafe.config.ConfigValueFactory; import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.grpc.RpcServer; +import org.springframework.context.ApplicationContext; +import org.springframework.context.annotation.AnnotationConfigApplicationContext; +import org.springframework.context.support.GenericApplicationContext; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; 
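Review bot: SignerConfig.java is added without the MIT licence header that the other sources in this patch carry and without any Javadoc, so nothing explains that `actorSystem()` is a transitional bean or why it is `@Deprecated`. A class comment would cover it, for example `/** Spring configuration for the signer; the ActorSystem bean exists only until the Akka-to-gRPC migration is complete. */`, together with a `@deprecated` Javadoc tag on the bean method. `@ComponentScan("ee.ria.xroad.signer.protocol")` also determines which classes `SignerMain.initGrpc` registers as gRPC services, which is worth stating in that comment.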
@@ -78,6 +81,8 @@ public final class SignerMain { diagnosticsDefault = new CertificationServiceDiagnostics(); } + private static GenericApplicationContext springCtx; + private static ActorSystem actorSystem; private static Signer signer; private static AdminPort adminPort; @@ -107,7 +112,10 @@ private static void startup() throws Exception { int signerPort = SystemProperties.getSignerPort(); log.info("Starting Signer on port {}...", signerPort); - actorSystem = ActorSystem.create(SIGNER, getConf(signerPort)); + springCtx = new AnnotationConfigApplicationContext(SignerConfig.class); + springCtx.registerShutdownHook(); + + actorSystem = springCtx.getBean(ActorSystem.class); signer = new Signer(actorSystem); adminPort = createAdminPort(SystemProperties.getSignerAdminPort()); CoordinatedShutdown.get(actorSystem).addJvmShutdownHook(SignerMain::shutdown); @@ -121,11 +129,13 @@ private static void startup() throws Exception { private static void initGrpc() throws Exception { int port = 5560; log.info("Initializing GRPC server on port {}.. ", port); - var temporaryAkkaMessnger = new TemporaryAkkaMessenger(actorSystem); + RpcServer.init(port, builder -> { - builder.addService(new CertificateService(temporaryAkkaMessnger)); - builder.addService(new TokensService(temporaryAkkaMessnger)); - builder.addService(new KeyService(temporaryAkkaMessnger)); + springCtx.getBeansOfType(io.grpc.BindableService.class).forEach((s, bindableService) -> { + log.info("Registering {} gRPC service.",bindableService.getClass().getSimpleName()); + builder.addService(bindableService); + }); + builder.intercept(new SignerExceptionHandlerInterceptor()); }); } 
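Review bot: In `initGrpc`, the services exposed on the signer's gRPC port are now whatever `BindableService` beans the component scan finds, so any new `@Service` class under the scanned package becomes remotely callable without a change here. This process serves signing and token PIN requests, so the exposed surface should be stated explicitly, at least with a comment such as `// Every BindableService bean found by SignerConfig's component scan is exposed on the signer gRPC port.` The map key `s` is unused, so `getBeansOfType(io.grpc.BindableService.class).values().forEach(...)` would read more directly, and the `log.info` call is missing a space after the comma.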
@@ -198,10 +208,4 @@ public void handle(HttpServletRequest request, HttpServletResponse response) { return port; } - private static Config getConf(int signerPort) { - Config conf = ConfigFactory.load().getConfig("signer-main") - .withFallback(ConfigFactory.load()); - return conf.withValue("akka.remote.artery.canonical.port", - ConfigValueFactory.fromAnyRef(signerPort)); - } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java index 64ca0e4ace..7dc52f16f5 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java @@ -29,7 +29,6 @@ import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfoProto; -import ee.ria.xroad.signer.protocol.dto.Empty; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.tokenmanager.TokenManager; @@ -43,7 +42,11 @@ import org.niis.xroad.signer.proto.GetCertificateInfoResponse; import org.niis.xroad.signer.proto.GetMemberCertsRequest; import org.niis.xroad.signer.proto.GetMemberCertsResponse; +import org.niis.xroad.signer.proto.RegenerateCertReqRequest; +import org.niis.xroad.signer.proto.RegenerateCertReqResponse; import org.niis.xroad.signer.proto.SetCertStatusRequest; +import org.niis.xroad.signer.protocol.dto.Empty; +import org.springframework.stereotype.Service; import java.util.List; import java.util.stream.Collectors; 
@@ -54,12 +57,13 @@ * Handles requests for token list. */ @Slf4j +@Service @RequiredArgsConstructor public class CertificateService extends CertificateServiceGrpc.CertificateServiceImplBase { private final TemporaryAkkaMessenger temporaryAkkaMessenger; @Override - public void activateCert(ActivateCertRequest request, StreamObserver responseObserver) { + public void activateCert(ActivateCertRequest request, StreamObserver responseObserver) { TokenManager.setCertActive(request.getCertIdOrHash(), request.getActive()); emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); @@ -110,6 +114,12 @@ private static boolean containsMember(ClientId first, ClientId second) { return first.equals(second) || second.subsystemContainsMember(first); } + + @Override + public void regenerateCertReq(RegenerateCertReqRequest request, StreamObserver responseObserver) { + super.regenerateCertReq(request, responseObserver); + } + private void emitSingleAndClose(StreamObserver responseObserver, T value) { responseObserver.onNext(value); responseObserver.onCompleted(); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java index 9575f875fe..afd2a073d2 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java @@ -28,7 +28,6 @@ import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.ErrorCodes; import ee.ria.xroad.common.util.CryptoUtils; -import ee.ria.xroad.signer.protocol.dto.Empty; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.message.Sign; import ee.ria.xroad.signer.protocol.message.SignCertificate; 
@@ -50,6 +49,8 @@ import org.niis.xroad.signer.proto.SignCertificateResponse; import org.niis.xroad.signer.proto.SignRequest; import org.niis.xroad.signer.proto.SignResponse; +import org.niis.xroad.signer.protocol.dto.Empty; +import org.springframework.stereotype.Service; import java.security.PublicKey; @@ -60,6 +61,7 @@ * Handles requests for token list. */ @Slf4j +@Service @RequiredArgsConstructor public class KeyService extends KeyServiceGrpc.KeyServiceImplBase { diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/OcspService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/OcspService.java new file mode 100644 index 0000000000..b05c2d2f77 --- /dev/null +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/OcspService.java 
@@ -0,0 +1,50 @@ +package ee.ria.xroad.signer.protocol; + +import ee.ria.xroad.signer.protocol.message.GetOcspResponses; +import ee.ria.xroad.signer.protocol.message.SetOcspResponses; + +import com.google.protobuf.AbstractMessage; +import io.grpc.stub.StreamObserver; +import lombok.RequiredArgsConstructor; +import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.signer.proto.GetOcspResponsesRequest; +import org.niis.xroad.signer.proto.GetOcspResponsesResponse; +import org.niis.xroad.signer.proto.OcspServiceGrpc; +import org.niis.xroad.signer.proto.SetOcspResponsesRequest; +import org.niis.xroad.signer.protocol.dto.Empty; +import org.springframework.stereotype.Service; + +import static java.util.Arrays.asList; + +@Slf4j +@Service +@RequiredArgsConstructor +public class OcspService extends OcspServiceGrpc.OcspServiceImplBase { + private final TemporaryAkkaMessenger temporaryAkkaMessenger; + + @Override + public void setOcspResponses(SetOcspResponsesRequest request, StreamObserver responseObserver) { + var message = new SetOcspResponses( + request.getCertHashesList().toArray(new String[0]), + request.getBase64EncodedResponsesList().toArray(new String[0])); + + temporaryAkkaMessenger.tellOcspManager(message); + emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); + } + + @Override + public void getOcspResponses(GetOcspResponsesRequest request, StreamObserver responseObserver) { + var message = new GetOcspResponses( + request.getCertHashList().toArray(new String[0])); + + ee.ria.xroad.signer.protocol.message.GetOcspResponsesResponse response = temporaryAkkaMessenger.tellOcspManagerWithResponse(message); + emitSingleAndClose(responseObserver, GetOcspResponsesResponse.newBuilder() + .addAllBase64EncodedResponses(asList(response.getBase64EncodedResponses())) + .build()); + } + + private void emitSingleAndClose(StreamObserver responseObserver, T value) { + responseObserver.onNext(value); + responseObserver.onCompleted(); + } +} 
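Review bot: `setOcspResponses` converts the two repeated request fields into arrays without checking that they have the same length. If the OCSP response manager pairs hashes with responses by index (its code is not part of this hunk), a mismatched request would fail inside the actor or store only part of the set. A guard before building `SetOcspResponses` would reject such a request at the RPC boundary: `if (request.getCertHashesCount() != request.getBase64EncodedResponsesCount()) { responseObserver.onError(io.grpc.Status.INVALID_ARGUMENT.asRuntimeException()); return; }`.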
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java index 9f314959b8..92689a5249 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java @@ -2,21 +2,23 @@ import akka.actor.ActorSystem; import akka.pattern.Patterns; - import akka.util.Timeout; import ee.ria.xroad.signer.tokenmanager.TokenManager; import lombok.RequiredArgsConstructor; import lombok.SneakyThrows; +import org.springframework.stereotype.Component; import scala.concurrent.Await; import java.util.concurrent.TimeUnit; +import static ee.ria.xroad.signer.tokenmanager.ServiceLocator.getOcspResponseManager; import static ee.ria.xroad.signer.tokenmanager.ServiceLocator.getToken; import static ee.ria.xroad.signer.util.ExceptionHelper.tokenNotAvailable; @Deprecated +@Component @RequiredArgsConstructor public class TemporaryAkkaMessenger { @Deprecated @@ -24,7 +26,7 @@ public class TemporaryAkkaMessenger { private final ActorSystem actorSystem; - public T tellTokenWithResponse(Object message, String tokenId) { + public T tellTokenWithResponse(Object message, String tokenId) { return (T) tellToken(message, tokenId); } @@ -41,4 +43,21 @@ public Object tellToken(Object message, String tokenId) { } return response; } + + public T tellOcspManagerWithResponse(Object message) { + return (T) tellOcspManager(message); + } + + @SneakyThrows + public Object tellOcspManager(Object message) { + + + Object response = Await.result(Patterns.ask(getOcspResponseManager(actorSystem), message, AKKA_TIMEOUT), + AKKA_TIMEOUT.duration()); + if (response instanceof Exception) { + throw (Throwable) response; + } + return response; + } + } 
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java index 6a02042d3b..3593e2f379 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java @@ -26,7 +26,6 @@ package ee.ria.xroad.signer.protocol; import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.protocol.dto.Empty; import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyIdProto; import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; import ee.ria.xroad.signer.protocol.message.ActivateToken; @@ -51,6 +50,8 @@ import org.niis.xroad.signer.proto.SetTokenFriendlyNameRequest; import org.niis.xroad.signer.proto.TokenServiceGrpc; import org.niis.xroad.signer.proto.UpdateSoftwareTokenPinRequest; +import org.niis.xroad.signer.protocol.dto.Empty; +import org.springframework.stereotype.Service; import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; @@ -58,6 +59,7 @@ * Handles requests for token list. */ @Slf4j +@Service @RequiredArgsConstructor public class TokensService extends TokenServiceGrpc.TokenServiceImplBase { private final TemporaryAkkaMessenger temporaryAkkaMessenger; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertRequest.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertRequest.java index 1a68a37e5c..971e5a7615 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertRequest.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertRequest.java 
@@ -29,7 +29,6 @@ import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.util.CryptoUtils; import ee.ria.xroad.signer.protocol.AbstractRequestHandler; -import ee.ria.xroad.signer.protocol.message.CertificateRequestFormat; import ee.ria.xroad.signer.util.CalculateSignature; import ee.ria.xroad.signer.util.CalculatedSignature; import ee.ria.xroad.signer.util.TokenAndKey; @@ -45,6 +44,7 @@ import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder; import org.bouncycastle.pkcs.PKCS10CertificationRequest; import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder; +import org.niis.xroad.signer.proto.CertificateRequestFormat; import java.io.ByteArrayOutputStream; import java.io.OutputStream; @@ -91,11 +91,10 @@ private static PublicKey readPublicKey(String publicKeyBase64) throws Exception static byte[] convert(PKCS10CertificationRequest request, CertificateRequestFormat format) throws Exception { - switch (format) { - case PEM: - return toPem(request); - default: - return request.getEncoded(); // DER + if (CertificateRequestFormat.PEM == format) { + return toPem(request); + } else { + return request.getEncoded(); // DER } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java index 48d7a96d0d..4e6e463d77 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java 
@@ -61,13 +61,19 @@ public static ActorSelection getOcspResponseManager( return context.actorSelection("/user/" + OCSP_RESPONSE_MANAGER); } + @Deprecated + public static ActorSelection getOcspResponseManager( + ActorSystem actorSystem) { + return actorSystem.actorSelection("/user/" + OCSP_RESPONSE_MANAGER); + } + /** * @param context the actor context * @param tokenId the token id * @return the token actor */ public static ActorSelection getToken(ActorContext context, - String tokenId) { + String tokenId) { String path = String.format("/user/%s/%s/%s", MODULE_MANAGER, getModuleId(tokenId), tokenId); return context.actorSelection(path); @@ -80,13 +86,14 @@ public static ActorSelection getToken(ActorSystem actorSystem, getModuleId(tokenId), tokenId); return actorSystem.actorSelection(path); } + /** * @param context the actor context * @param tokenId the token id * @return the token signer actor */ public static ActorSelection getTokenSigner(ActorContext context, - String tokenId) { + String tokenId) { String path = String.format("/user/%s/%s/%s/%s", MODULE_MANAGER, getModuleId(tokenId), tokenId, TOKEN_SIGNER); return context.actorSelection(path); From 34d920ec6ed2a0dcac2612263635f7c8971882c3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Thu, 24 Aug 2023 12:20:47 +0300 Subject: [PATCH 016/127] chore: migrate existing handlers to spring components Refs: XRDDEV-2468 --- .../java/ee/ria/xroad/signer/SignerMain.java | 12 -- .../signer/protocol/AbstractRpcHandler.java | 66 ++++++++++ .../signer/protocol/CertificateService.java | 74 +++-------- .../ria/xroad/signer/protocol/KeyService.java | 97 +++----------- .../xroad/signer/protocol/OcspService.java | 29 +---- .../SignerExceptionHandlerInterceptor.java | 109 ---------------- .../protocol/TemporaryAkkaMessenger.java | 2 +- .../xroad/signer/protocol/TokensService.java | 118 ++++++------------ .../handler/AbstractDeleteFromKeyInfo.java | 2 +- .../handler/AbstractGenerateCertRequest.java | 2 +- .../handler/ActivateCertRequestHandler.java | 47 +++++++ .../handler/ActivateTokenRequestHandler.java | 52 ++++++++ .../handler/DeleteCertRequestHandler.java | 2 +- .../DeleteCertRequestRequestHandler.java | 2 +- .../handler/DeleteKeyRequestHandler.java | 2 +- .../GenerateCertRequestRequestHandler.java | 2 +- .../handler/GenerateKeyRequestHandler.java | 2 +- .../GenerateSelfSignedCertRequestHandler.java | 2 +- .../handler/GetAuthKeyRequestHandler.java | 2 +- ...tCertificateInfoForHashRequestHandler.java | 57 +++++++++ .../GetHSMOperationalInfoRequestHandler.java | 8 +- .../GetKeyIdForCertHashRequestHandler.java | 58 +++++++++ .../handler/GetMemberCertsRequestHandler.java | 72 +++++++++++ .../GetMemberSigningInfoRequestHandler.java | 2 +- .../GetOcspResponsesRequestHandler.java | 24 ++-- .../GetSignMechanismRequestHandler.java | 56 +++++++++ ...okenBatchSigningEnabledRequestHandler.java | 49 ++++++++ ...InfoAndKeyIdForCertHashRequestHandler.java | 47 +++++++ ...ndKeyIdForCertRequestIdRequestHandler.java | 46 +++++++ .../GetTokenInfoForKeyIdRequestHandler.java | 46 +++++++ .../handler/GetTokenInfoRequestHandler.java | 46 +++++++ .../handler/ImportCertRequestHandler.java | 2 +- 
.../InitSoftwareTokenRequestHandler.java | 64 ++++++++++ .../handler/ListTokensRequestHandler.java | 49 ++++++++ .../RegenerateCertRequestRequestHandler.java | 2 +- .../handler/SetCertStatusRequestHandler.java | 47 +++++++ .../SetKeyFriendlyNameRequestHandler.java | 47 +++++++ .../SetOcspResponsesRequestHandler.java | 23 ++-- .../SetTokenFriendlyNameRequestHandler.java | 49 ++++++++ .../SignCertificateRequestHandler.java | 59 +++++++++ .../protocol/handler/SignRequestHandler.java | 56 +++++++++ .../UpdateSoftwareTokenPinRequestHandler.java | 62 +++++++++ 42 files changed, 1200 insertions(+), 395 deletions(-) create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRpcHandler.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/SignerExceptionHandlerInterceptor.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateCertRequestHandler.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateTokenRequestHandler.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetCertificateInfoForHashRequestHandler.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetKeyIdForCertHashRequestHandler.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsRequestHandler.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetSignMechanismRequestHandler.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenBatchSigningEnabledRequestHandler.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertHashRequestHandler.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertRequestIdRequestHandler.java create mode 100644 
src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoForKeyIdRequestHandler.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoRequestHandler.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenRequestHandler.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ListTokensRequestHandler.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetCertStatusRequestHandler.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetKeyFriendlyNameRequestHandler.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetTokenFriendlyNameRequestHandler.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateRequestHandler.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignRequestHandler.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinRequestHandler.java diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java index 296b5009d9..64da8fd3b2 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java 
@@ -32,21 +32,12 @@ import ee.ria.xroad.common.util.AdminPort; import ee.ria.xroad.common.util.JsonUtils; import ee.ria.xroad.signer.certmanager.OcspClientWorker; -import ee.ria.xroad.signer.protocol.CertificateService; -import ee.ria.xroad.signer.protocol.KeyService; -import ee.ria.xroad.signer.protocol.SignerExceptionHandlerInterceptor; -import ee.ria.xroad.signer.protocol.TemporaryAkkaMessenger; -import ee.ria.xroad.signer.protocol.TokensService; import ee.ria.xroad.signer.util.SignerUtil; import akka.actor.ActorSystem; import akka.actor.CoordinatedShutdown; -import com.typesafe.config.Config; -import com.typesafe.config.ConfigFactory; -import com.typesafe.config.ConfigValueFactory; import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.grpc.RpcServer; -import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.AnnotationConfigApplicationContext; import org.springframework.context.support.GenericApplicationContext; @@ -61,7 +52,6 @@ import static ee.ria.xroad.common.SystemProperties.CONF_FILE_PROXY; import static ee.ria.xroad.common.SystemProperties.CONF_FILE_SIGNER; import static ee.ria.xroad.signer.protocol.ComponentNames.OCSP_CLIENT; -import static ee.ria.xroad.signer.protocol.ComponentNames.SIGNER; /** * Signer main program. @@ -135,8 +125,6 @@ private static void initGrpc() throws Exception { log.info("Registering {} gRPC service.",bindableService.getClass().getSimpleName()); builder.addService(bindableService); }); - - builder.intercept(new SignerExceptionHandlerInterceptor()); }); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRpcHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRpcHandler.java new file mode 100644 index 0000000000..e1af893c27 --- /dev/null +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRpcHandler.java 
@@ -0,0 +1,66 @@ +package ee.ria.xroad.signer.protocol; + +import ee.ria.xroad.common.CodedException; +import ee.ria.xroad.signer.protocol.dto.CodedExceptionProto; + +import com.google.protobuf.AbstractMessage; +import io.grpc.Status; +import io.grpc.protobuf.StatusProto; +import io.grpc.stub.StreamObserver; +import lombok.extern.slf4j.Slf4j; +import org.springframework.beans.factory.annotation.Autowired; + +import static com.google.protobuf.Any.pack; +import static java.util.Optional.ofNullable; + +/** + * @param + * @param + */ +@Slf4j +public abstract class AbstractRpcHandler { + @Autowired + protected TemporaryAkkaMessenger temporaryAkkaMessenger; + + protected abstract T handle(R request) throws Exception; + + public void processSingle(R request, StreamObserver responseObserver) { + try { + var response = handle(request); + + responseObserver.onNext(response); + responseObserver.onCompleted(); + } catch (Exception e) { + handleException(e, responseObserver); + } + } + + private void handleException(Exception exception, StreamObserver responseObserver) { + if (exception instanceof CodedException) { + CodedException codedException = (CodedException) exception; + + com.google.rpc.Status status = com.google.rpc.Status.newBuilder() + .setCode(Status.Code.INTERNAL.value()) + .setMessage(codedException.getMessage()) + .addDetails(pack(toProto(codedException))) + .build(); + + responseObserver.onError(StatusProto.toStatusRuntimeException(status)); + } else { + log.warn("Unhandled exception was thrown by gRPC handler.", exception); + responseObserver.onError(exception); + } + } + + private CodedExceptionProto toProto(CodedException codedException) { + final CodedExceptionProto.Builder codedExceptionBuilder = CodedExceptionProto.newBuilder(); + + ofNullable(codedException.getFaultCode()).ifPresent(codedExceptionBuilder::setFaultCode); + ofNullable(codedException.getFaultActor()).ifPresent(codedExceptionBuilder::setFaultActor); + 
ofNullable(codedException.getFaultDetail()).ifPresent(codedExceptionBuilder::setFaultDetail); + ofNullable(codedException.getFaultString()).ifPresent(codedExceptionBuilder::setFaultString); + ofNullable(codedException.getTranslationCode()).ifPresent(codedExceptionBuilder::setTranslationCode); + + return codedExceptionBuilder.build(); + } +} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java index 7dc52f16f5..cc9ee3acf1 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java @@ -25,14 +25,11 @@ */ package ee.ria.xroad.signer.protocol; -import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.common.identifier.ClientId; -import ee.ria.xroad.signer.protocol.dto.CertificateInfo; -import ee.ria.xroad.signer.protocol.dto.CertificateInfoProto; -import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; -import ee.ria.xroad.signer.tokenmanager.TokenManager; +import ee.ria.xroad.signer.protocol.handler.ActivateCertRequestHandler; +import ee.ria.xroad.signer.protocol.handler.GetCertificateInfoForHashRequestHandler; +import ee.ria.xroad.signer.protocol.handler.GetMemberCertsRequestHandler; +import ee.ria.xroad.signer.protocol.handler.SetCertStatusRequestHandler; -import com.google.protobuf.AbstractMessage; import io.grpc.stub.StreamObserver; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; 
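Review bot: In `handleException`, the non-`CodedException` branch passes the raw exception to `responseObserver.onError(exception)`, which gRPC reports to the caller as `UNKNOWN` with no usable code. Mapping it explicitly keeps the client contract stable while the cause stays in the server log: `responseObserver.onError(Status.INTERNAL.withDescription("Internal signer error").asRuntimeException());`. In the `CodedException` branch, `toProto` copies `faultDetail` into the status details; if that field can carry internal diagnostic text, it is worth confirming that every caller of this port is trusted to see it.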
@@ -48,80 +45,41 @@ import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Service; -import java.util.List; -import java.util.stream.Collectors; - -import static ee.ria.xroad.common.ErrorCodes.X_CERT_NOT_FOUND; - /** - * Handles requests for token list. + * Certificate gRPC service. */ @Slf4j @Service @RequiredArgsConstructor public class CertificateService extends CertificateServiceGrpc.CertificateServiceImplBase { - private final TemporaryAkkaMessenger temporaryAkkaMessenger; + private final ActivateCertRequestHandler activateCertRequestHandler; + private final GetCertificateInfoForHashRequestHandler getCertificateInfoForHashRequestHandler; + private final GetMemberCertsRequestHandler getMemberCertsRequestHandler; + private final SetCertStatusRequestHandler setCertStatusRequestHandler; @Override public void activateCert(ActivateCertRequest request, StreamObserver responseObserver) { - TokenManager.setCertActive(request.getCertIdOrHash(), - request.getActive()); - emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); + activateCertRequestHandler.processSingle(request, responseObserver); } @Override - public void getCertificateInfoForHash(GetCertificateInfoForHashRequest request, StreamObserver responseObserver) { - CertificateInfo certificateInfo = TokenManager.getCertificateInfoForCertHash(request.getCertHash()); - - if (certificateInfo == null) { - throw CodedException.tr(X_CERT_NOT_FOUND, "certificate_with_hash_not_found", - "Certificate with hash '%s' not found", request.getCertHash()); - } - - emitSingleAndClose(responseObserver, GetCertificateInfoResponse.newBuilder() - .setCertificateInfo(certificateInfo.asMessage()) - .build()); + public void getCertificateInfoForHash(GetCertificateInfoForHashRequest request, + StreamObserver responseObserver) { + getCertificateInfoForHashRequestHandler.processSingle(request, responseObserver); } @Override public void setCertStatus(SetCertStatusRequest request, StreamObserver 
responseObserver) { - TokenManager.setCertStatus(request.getCertId(), request.getStatus()); - - emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); + setCertStatusRequestHandler.processSingle(request, responseObserver); } @Override public void getMemberCerts(GetMemberCertsRequest request, StreamObserver responseObserver) { - final var memberId = ClientIdMapper.fromDto(request.getMemberId()); - List memberCerts = TokenManager.listTokens().stream() - .flatMap(t -> t.getKeyInfo().stream()) - .filter(k -> k.getUsage() == KeyUsageInfo.SIGNING) - .flatMap(k -> k.getCerts().stream()) - .filter(c -> containsMember(c.getMemberId(), memberId)) - .map(CertificateInfo::asMessage) - .collect(Collectors.toList()); - - emitSingleAndClose(responseObserver, GetMemberCertsResponse.newBuilder() - .addAllCerts(memberCerts) - .build()); + getMemberCertsRequestHandler.processSingle(request, responseObserver); } - private static boolean containsMember(ClientId first, ClientId second) { - if (first == null || second == null) { - return false; - } - - return first.equals(second) || second.subsystemContainsMember(first); - } - - @Override public void regenerateCertReq(RegenerateCertReqRequest request, StreamObserver responseObserver) { - super.regenerateCertReq(request, responseObserver); - } - - private void emitSingleAndClose(StreamObserver responseObserver, T value) { - responseObserver.onNext(value); - responseObserver.onCompleted(); + //TODO } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java index afd2a073d2..8321645e7c 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java 
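Review bot: `regenerateCertReq` is now an empty `//TODO` body, so the call never receives `onNext`, `onCompleted` or `onError`, and a client will wait until its own deadline expires. The removed line delegated to the generated base method, which at least answers the call as unimplemented. Until the handler exists, either keep `super.regenerateCertReq(request, responseObserver);` or fail the call explicitly with `responseObserver.onError(io.grpc.Status.UNIMPLEMENTED.asRuntimeException());`.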
@@ -1,20 +1,20 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

+ * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - *

+ * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - *

+ * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE @@ -25,20 +25,14 @@ */ package ee.ria.xroad.signer.protocol; -import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.common.ErrorCodes; -import ee.ria.xroad.common.util.CryptoUtils; -import ee.ria.xroad.signer.protocol.dto.KeyInfo; -import ee.ria.xroad.signer.protocol.message.Sign; -import ee.ria.xroad.signer.protocol.message.SignCertificate; -import ee.ria.xroad.signer.tokenmanager.TokenManager; +import ee.ria.xroad.signer.protocol.handler.GetKeyIdForCertHashRequestHandler; +import ee.ria.xroad.signer.protocol.handler.GetSignMechanismRequestHandler; +import ee.ria.xroad.signer.protocol.handler.SetKeyFriendlyNameRequestHandler; +import ee.ria.xroad.signer.protocol.handler.SignCertificateRequestHandler; +import ee.ria.xroad.signer.protocol.handler.SignRequestHandler; -import com.google.protobuf.AbstractMessage; -import com.google.protobuf.ByteString; import io.grpc.stub.StreamObserver; import lombok.RequiredArgsConstructor; -import lombok.SneakyThrows; -import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.proto.GetKeyIdForCertHashRequest; import org.niis.xroad.signer.proto.GetKeyIdForCertHashResponse; import org.niis.xroad.signer.proto.GetSignMechanismRequest; 
@@ -52,92 +46,41 @@ import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Service; -import java.security.PublicKey; - -import static ee.ria.xroad.common.ErrorCodes.X_CERT_NOT_FOUND; -import static ee.ria.xroad.signer.tokenmanager.TokenManager.findTokenIdForKeyId; - /** - * Handles requests for token list. + * Token Key gRPC service. */ -@Slf4j @Service @RequiredArgsConstructor public class KeyService extends KeyServiceGrpc.KeyServiceImplBase { - - private final TemporaryAkkaMessenger temporaryAkkaMessenger; + private final SignRequestHandler signRequestHandler; + private final SignCertificateRequestHandler signCertificateRequestHandler; + private final GetSignMechanismRequestHandler getSignMechanismRequestHandler; + private final GetKeyIdForCertHashRequestHandler getKeyIdForCertHashRequestHandler; + private final SetKeyFriendlyNameRequestHandler setKeyFriendlyNameRequestHandler; @Override public void getKeyIdForCertHash(GetKeyIdForCertHashRequest request, StreamObserver responseObserver) { - KeyInfo keyInfo = TokenManager.getKeyInfoForCertHash(request.getCertHash()); - - if (keyInfo == null) { - throw CodedException.tr(X_CERT_NOT_FOUND, "certificate_with_hash_not_found", - "Certificate with hash '%s' not found", request.getCertHash()); - } - - emitSingleAndClose(responseObserver, GetKeyIdForCertHashResponse.newBuilder() - .setKeyId(keyInfo.getId()) - .setSignMechanismName(keyInfo.getSignMechanismName()) - .build()); + getKeyIdForCertHashRequestHandler.processSingle(request, responseObserver); } @Override public void setKeyFriendlyName(SetKeyFriendlyNameRequest request, StreamObserver responseObserver) { - TokenManager.setKeyFriendlyName(request.getKeyId(), - request.getFriendlyName()); - emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); + setKeyFriendlyNameRequestHandler.processSingle(request, responseObserver); } - @Override public void getSignMechanism(GetSignMechanismRequest request, StreamObserver 
responseObserver) { - KeyInfo keyInfo = TokenManager.getKeyInfo(request.getKeyId()); - - if (keyInfo == null) { - throw CodedException.tr(ErrorCodes.X_KEY_NOT_FOUND, "key_not_found", "Key '%s' not found", - request.getKeyId()); - } - - emitSingleAndClose(responseObserver, GetSignMechanismResponse.newBuilder() - .setSignMechanismName(keyInfo.getSignMechanismName()) - .build()); + getSignMechanismRequestHandler.processSingle(request, responseObserver); } @Override public void sign(SignRequest request, StreamObserver responseObserver) { - var message = new Sign(request.getKeyId(), - request.getSignatureAlgorithmId(), - request.getDigest().toByteArray()); - - ee.ria.xroad.signer.protocol.message.SignResponse response = temporaryAkkaMessenger - .tellTokenWithResponse(message, findTokenIdForKeyId(message.getKeyId())); - - emitSingleAndClose(responseObserver, SignResponse.newBuilder() - .setSignature(ByteString.copyFrom(response.getSignature())) - .build()); + signRequestHandler.processSingle(request, responseObserver); } - @SneakyThrows //TODO:grpc handle it @Override public void signCertificate(SignCertificateRequest request, StreamObserver responseObserver) { - PublicKey publicKey = CryptoUtils.readX509PublicKey(request.getPublicKey().toByteArray()); - var message = new SignCertificate(request.getKeyId(), - request.getSignatureAlgorithmId(), - request.getSubjectName(), - publicKey); - - ee.ria.xroad.signer.protocol.message.SignCertificateResponse response = temporaryAkkaMessenger - .tellTokenWithResponse(message, findTokenIdForKeyId(message.getKeyId())); - - emitSingleAndClose(responseObserver, SignCertificateResponse.newBuilder() - .setCertificateChain(ByteString.copyFrom(response.getCertificateChain())) - .build()); + signCertificateRequestHandler.processSingle(request, responseObserver); } - - private void emitSingleAndClose(StreamObserver responseObserver, T value) { - responseObserver.onNext(value); - responseObserver.onCompleted(); - } } 
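Review bot: The five RPC methods in KeyService now hand both the reply and every failure to `processSingle`, and this same patch removes `SignerExceptionHandlerInterceptor` from this package, so nothing visible here still turns a `CodedException` into a status the client can read. `processSingle` is defined outside this hunk; if it is the new home of that mapping, say so on the class, e.g. `// Errors are mapped to gRPC status and the stream is closed inside processSingle; do not call responseObserver here`. For `sign` and `signCertificate` it is worth a test that an unknown key id still returns the coded fault, and that a non-coded exception closes the call without carrying internal detail, as the removed interceptor did with `Status.UNKNOWN`. The delegating methods in OcspService and TokensService rely on the same contract.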
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/OcspService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/OcspService.java index b05c2d2f77..725c21a3fd 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/OcspService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/OcspService.java @@ -1,9 +1,8 @@ package ee.ria.xroad.signer.protocol; -import ee.ria.xroad.signer.protocol.message.GetOcspResponses; -import ee.ria.xroad.signer.protocol.message.SetOcspResponses; +import ee.ria.xroad.signer.protocol.handler.GetOcspResponsesRequestHandler; +import ee.ria.xroad.signer.protocol.handler.SetOcspResponsesRequestHandler; -import com.google.protobuf.AbstractMessage; import io.grpc.stub.StreamObserver; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; 
@@ -14,37 +13,21 @@ import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Service; -import static java.util.Arrays.asList; - @Slf4j @Service @RequiredArgsConstructor public class OcspService extends OcspServiceGrpc.OcspServiceImplBase { - private final TemporaryAkkaMessenger temporaryAkkaMessenger; + private final SetOcspResponsesRequestHandler setOcspResponsesRequestHandler; + private final GetOcspResponsesRequestHandler getOcspResponsesRequestHandler; @Override public void setOcspResponses(SetOcspResponsesRequest request, StreamObserver responseObserver) { - var message = new SetOcspResponses( - request.getCertHashesList().toArray(new String[0]), - request.getBase64EncodedResponsesList().toArray(new String[0])); - - temporaryAkkaMessenger.tellOcspManager(message); - emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); + setOcspResponsesRequestHandler.processSingle(request, responseObserver); } @Override public void getOcspResponses(GetOcspResponsesRequest request, StreamObserver responseObserver) { - var message = new GetOcspResponses( - request.getCertHashList().toArray(new String[0])); - - ee.ria.xroad.signer.protocol.message.GetOcspResponsesResponse response = temporaryAkkaMessenger.tellOcspManagerWithResponse(message); - emitSingleAndClose(responseObserver, GetOcspResponsesResponse.newBuilder() - .addAllBase64EncodedResponses(asList(response.getBase64EncodedResponses())) - .build()); + getOcspResponsesRequestHandler.processSingle(request, responseObserver); } - private void emitSingleAndClose(StreamObserver responseObserver, T value) { - responseObserver.onNext(value); - responseObserver.onCompleted(); - } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/SignerExceptionHandlerInterceptor.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/SignerExceptionHandlerInterceptor.java deleted file mode 100644 index e782e558f5..0000000000 
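Review bot: `@Slf4j` stays on OcspService although the class no longer logs anything after this hunk; both methods are now single `processSingle` calls. KeyService and TokensService drop the annotation and its `lombok.extern.slf4j.Slf4j` import in this patch, so OcspService should do the same for consistency. The file also starts directly at `package` without the licence header and class Javadoc the sibling services carry; a one-line `/** OCSP gRPC service. */` would match `Token Key gRPC service.` in KeyService.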
--- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/SignerExceptionHandlerInterceptor.java +++ /dev/null 
@@ -1,109 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.signer.protocol; - -import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.protocol.dto.CodedExceptionProto; - -import io.grpc.ForwardingServerCallListener; -import io.grpc.Metadata; -import io.grpc.ServerCall; -import io.grpc.ServerCallHandler; -import io.grpc.ServerInterceptor; -import io.grpc.Status; -import io.grpc.StatusRuntimeException; -import io.grpc.protobuf.StatusProto; - -import static com.google.protobuf.Any.pack; -import static java.util.Optional.ofNullable; - -public class SignerExceptionHandlerInterceptor implements ServerInterceptor { - - @Override - public ServerCall.Listener interceptCall(ServerCall call, - Metadata headers, - ServerCallHandler next) { - ServerCall.Listener delegate = next.startCall(call, headers); - return new ExceptionHandler<>(delegate, call, headers); - } - - private static class ExceptionHandler extends ForwardingServerCallListener.SimpleForwardingServerCallListener { - - private final ServerCall delegate; - private final Metadata headers; - - ExceptionHandler(ServerCall.Listener listener, ServerCall serverCall, Metadata headers) { - super(listener); - this.delegate = serverCall; - this.headers = headers; - } - - @Override - public void onHalfClose() { - try { - super.onHalfClose(); - } catch (RuntimeException ex) { - handleException(ex, delegate, headers); - throw ex; - } - } - - private void handleException(RuntimeException exception, ServerCall serverCall, Metadata headers) { - if (exception instanceof CodedException) { - CodedException codedException = (CodedException) exception; - - com.google.rpc.Status rpcStatus = com.google.rpc.Status.newBuilder() - .setCode(Status.Code.INTERNAL.value()) - .setMessage(codedException.getMessage()) - .addDetails(pack(toProto(codedException))) - .build(); - - StatusRuntimeException statusRuntimeException = StatusProto.toStatusRuntimeException(rpcStatus); - - var newStatus = Status.fromThrowable(statusRuntimeException); - // Get metadata from 
statusRuntimeException - Metadata newHeaders = statusRuntimeException.getTrailers(); - - serverCall.close(newStatus, newHeaders); - } else { - serverCall.close(Status.UNKNOWN, headers); - } - } - - private CodedExceptionProto toProto(CodedException codedException) { - final CodedExceptionProto.Builder codedExceptionBuilder = CodedExceptionProto.newBuilder(); - - ofNullable(codedException.getFaultCode()).ifPresent(codedExceptionBuilder::setFaultCode); - ofNullable(codedException.getFaultActor()).ifPresent(codedExceptionBuilder::setFaultActor); - ofNullable(codedException.getFaultDetail()).ifPresent(codedExceptionBuilder::setFaultDetail); - ofNullable(codedException.getFaultString()).ifPresent(codedExceptionBuilder::setFaultString); - ofNullable(codedException.getTranslationCode()).ifPresent(codedExceptionBuilder::setTranslationCode); - - return codedExceptionBuilder.build(); - } - } - -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java index 92689a5249..4b11225671 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java @@ -17,7 +17,7 @@ import static ee.ria.xroad.signer.tokenmanager.ServiceLocator.getToken; import static ee.ria.xroad.signer.util.ExceptionHelper.tokenNotAvailable; -@Deprecated +@Deprecated(forRemoval = true) @Component @RequiredArgsConstructor public class TemporaryAkkaMessenger { diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java index 1de27adcdc..58111e5461 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java 
@@ -25,20 +25,21 @@ */ package ee.ria.xroad.signer.protocol; -import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.TemporaryHelper; import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyIdProto; import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; -import ee.ria.xroad.signer.protocol.message.ActivateToken; -import ee.ria.xroad.signer.tokenmanager.TokenManager; -import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker; -import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenWorker; +import ee.ria.xroad.signer.protocol.handler.ActivateTokenRequestHandler; +import ee.ria.xroad.signer.protocol.handler.GetTokenBatchSigningEnabledRequestHandler; +import ee.ria.xroad.signer.protocol.handler.GetTokenInfoAndKeyIdForCertHashRequestHandler; +import ee.ria.xroad.signer.protocol.handler.GetTokenInfoAndKeyIdForCertRequestIdRequestHandler; +import ee.ria.xroad.signer.protocol.handler.GetTokenInfoForKeyIdRequestHandler; +import ee.ria.xroad.signer.protocol.handler.GetTokenInfoRequestHandler; +import ee.ria.xroad.signer.protocol.handler.InitSoftwareTokenRequestHandler; +import ee.ria.xroad.signer.protocol.handler.ListTokensRequestHandler; +import ee.ria.xroad.signer.protocol.handler.SetTokenFriendlyNameRequestHandler; +import ee.ria.xroad.signer.protocol.handler.UpdateSoftwareTokenPinRequestHandler; -import com.google.protobuf.AbstractMessage; import io.grpc.stub.StreamObserver; import lombok.RequiredArgsConstructor; -import lombok.SneakyThrows; -import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.proto.ActivateTokenRequest; import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledRequest; import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledResponse; 
@@ -54,122 +55,73 @@ import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Service; -import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; - /** - * Handles requests for token list. + * Token gRPC service. */ -@Slf4j @Service @RequiredArgsConstructor public class TokensService extends TokenServiceGrpc.TokenServiceImplBase { - private final TemporaryAkkaMessenger temporaryAkkaMessenger; + private final ActivateTokenRequestHandler activateTokenRequestHandler; + private final UpdateSoftwareTokenPinRequestHandler updateSoftwareTokenPinRequestHandler; + private final InitSoftwareTokenRequestHandler initSoftwareTokenRequestHandler; + private final GetTokenInfoRequestHandler getTokenInfoRequestHandler; + private final GetTokenInfoForKeyIdRequestHandler getTokenInfoForKeyIdRequestHandler; + private final GetTokenBatchSigningEnabledRequestHandler getTokenBatchSigningEnabledRequestHandler; + private final GetTokenInfoAndKeyIdForCertHashRequestHandler getTokenInfoAndKeyIdForCertHashRequestHandler; + private final GetTokenInfoAndKeyIdForCertRequestIdRequestHandler getTokenInfoAndKeyIdForCertRequestIdRequestHandler; + private final SetTokenFriendlyNameRequestHandler setTokenFriendlyNameRequestHandler; + private final ListTokensRequestHandler listTokensRequestHandler; @Override public void listTokens(Empty request, StreamObserver responseObserver) { - final ListTokensResponse.Builder builder = ListTokensResponse.newBuilder(); - - TokenManager.listTokens().forEach(tokenInfo -> builder.addTokens(tokenInfo.asMessage())); - - emitSingleAndClose(responseObserver, builder.build()); + listTokensRequestHandler.processSingle(request, responseObserver); } - @SneakyThrows @Override public void activateToken(ActivateTokenRequest request, StreamObserver responseObserver) { - ActivateToken actorMsg = new ActivateToken(request.getTokenId(), request.getActivate()); - - final AbstractTokenWorker tokenWorker = 
TemporaryHelper.getTokenWorker(request.getTokenId()); - tokenWorker.handleActivateToken(actorMsg); - - emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); + activateTokenRequestHandler.processSingle(request, responseObserver); } @Override public void getTokenById(GetTokenByIdRequest request, StreamObserver responseObserver) { - var token = TokenManager.findTokenInfo(request.getTokenId()); - emitSingleAndClose(responseObserver, token.asMessage()); + getTokenInfoRequestHandler.processSingle(request, responseObserver); } @Override public void getTokenByKey(GetTokenByKeyIdRequest request, StreamObserver responseObserver) { - var token = TokenManager.findTokenInfoForKeyId(request.getKeyId()); - emitSingleAndClose(responseObserver, token.asMessage()); + getTokenInfoForKeyIdRequestHandler.processSingle(request, responseObserver); } @Override - public void getTokenAndKeyIdByCertRequestId(GetTokenByCertRequestIdRequest request, StreamObserver responseObserver) { - var token = TokenManager.findTokenAndKeyIdForCertRequestId(request.getCertRequestId()); - emitSingleAndClose(responseObserver, token.asMessage()); + public void getTokenAndKeyIdByCertRequestId(GetTokenByCertRequestIdRequest request, + StreamObserver responseObserver) { + getTokenInfoAndKeyIdForCertRequestIdRequestHandler.processSingle(request, responseObserver); } @Override public void getTokenAndKeyIdByCertHash(GetTokenByCertHashRequest request, StreamObserver responseObserver) { - var token = TokenManager.findTokenAndKeyIdForCertHash(request.getCertHash()); - emitSingleAndClose(responseObserver, token.asMessage()); + getTokenInfoAndKeyIdForCertHashRequestHandler.processSingle(request, responseObserver); } @Override public void setTokenFriendlyName(SetTokenFriendlyNameRequest request, StreamObserver responseObserver) { - TokenManager.setTokenFriendlyName( - request.getTokenId(), - request.getFriendlyName()); - - emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); + 
setTokenFriendlyNameRequestHandler.processSingle(request, responseObserver); } @Override - public void getTokenBatchSigningEnabled(GetTokenBatchSigningEnabledRequest request, StreamObserver responseObserver) { - String tokenId = TokenManager.findTokenIdForKeyId(request.getKeyId()); - - emitSingleAndClose(responseObserver, GetTokenBatchSigningEnabledResponse.newBuilder() - .setBatchingSigningEnabled(TokenManager.isBatchSigningEnabled(tokenId)) - .build()); + public void getTokenBatchSigningEnabled(GetTokenBatchSigningEnabledRequest request, + StreamObserver responseObserver) { + getTokenBatchSigningEnabledRequestHandler.processSingle(request, responseObserver); } @Override public void initSoftwareToken(InitSoftwareTokenRequest request, StreamObserver responseObserver) { - String softwareTokenId = TokenManager.getSoftwareTokenId(); - - if (softwareTokenId != null) { - - final AbstractTokenWorker tokenWorker = TemporaryHelper.getTokenWorker(softwareTokenId); - if (tokenWorker instanceof SoftwareTokenWorker) { - try { - ((SoftwareTokenWorker) tokenWorker).initializeToken(request.getPin().toCharArray()); - } catch (Exception e) { - throw new CodedException(X_INTERNAL_ERROR, e); //todo move to worker - } - emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); - } else { - throw new CodedException(X_INTERNAL_ERROR, "Software token not found"); - } - } else { - throw new CodedException(X_INTERNAL_ERROR, "Software token not found"); - } + initSoftwareTokenRequestHandler.processSingle(request, responseObserver); } @Override public void updateSoftwareTokenPin(UpdateSoftwareTokenPinRequest request, StreamObserver responseObserver) { - final AbstractTokenWorker tokenWorker = TemporaryHelper.getTokenWorker(request.getTokenId()); - if (tokenWorker instanceof SoftwareTokenWorker) { - try { - ((SoftwareTokenWorker) tokenWorker).handleUpdateTokenPin(request.getOldPin().toCharArray(), request.getNewPin().toCharArray()); - } catch (Exception e) { - // todo move to 
tokenworker - throw new CodedException(X_INTERNAL_ERROR, e); - } - } else { - throw new CodedException(X_INTERNAL_ERROR, "Software token not found"); - } - - emitSingleAndClose(responseObserver, Empty.getDefaultInstance()); + updateSoftwareTokenPinRequestHandler.processSingle(request, responseObserver); } - private void emitSingleAndClose(StreamObserver responseObserver, T value) { - responseObserver.onNext(value); - responseObserver.onCompleted(); - } - - } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractDeleteFromKeyInfo.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractDeleteFromKeyInfo.java index e292bea116..784829d8fa 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractDeleteFromKeyInfo.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractDeleteFromKeyInfo.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertRequest.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertRequest.java index 971e5a7615..a0684f062d 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertRequest.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertRequest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateCertRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateCertRequestHandler.java new file mode 100644 index 0000000000..471ba47ecf --- /dev/null 
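Review bot: `initSoftwareToken` and `updateSoftwareTokenPin` pass the whole request, PIN fields included, into `processSingle`, whose body is outside this hunk. The removed code read `request.getPin()`, `getOldPin()` and `getNewPin()`, so these messages carry the token PIN as a protobuf string; any generic request logging or error text built from the message in the shared handler path would write it out. I would add a comment on both methods such as `// request carries the token PIN: must never be logged or echoed in an error`, and confirm that the two handlers convert the value to `char[]` and clear it after use, since the string copy itself cannot be wiped.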
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateCertRequestHandler.java
@@ -0,0 +1,47 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package ee.ria.xroad.signer.protocol.handler;
+
+import ee.ria.xroad.signer.protocol.AbstractRpcHandler;
+import ee.ria.xroad.signer.tokenmanager.TokenManager;
+import org.niis.xroad.signer.proto.ActivateCertRequest;
+import org.niis.xroad.signer.protocol.dto.Empty;
+import org.springframework.stereotype.Component;
+
+/**
+ * Handles certificate activations and deactivations.
+ */
+@Component
+public class ActivateCertRequestHandler
+ extends AbstractRpcHandler {
+
+ @Override
+ protected Empty handle(ActivateCertRequest request) throws Exception {
+ TokenManager.setCertActive(request.getCertIdOrHash(), request.getActive());
+
+ return Empty.getDefaultInstance();
+ }
+}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateTokenRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateTokenRequestHandler.java
new file mode 100644
index 0000000000..2ad9bb1d6a
--- /dev/null
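Review bot: `handle` in ActivateCertRequestHandler returns `Empty` whatever `TokenManager.setCertActive` did with the identifier, so the caller cannot tell a deactivated certificate from an identifier that matched nothing. `setCertActive` is not part of this hunk; if it is a no-op for an unknown id or hash, a deactivation request with a mistyped value would be reported as successful while the certificate stays active. GetCertificateInfoForHashRequestHandler in this patch answers the unknown-hash case with `X_CERT_NOT_FOUND`; the same should hold here and be stated in the Javadoc, e.g. `Fails with X_CERT_NOT_FOUND when no certificate matches the given id or hash.`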
@@ -0,0 +1,52 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ +package ee.ria.xroad.signer.protocol.handler; + +import ee.ria.xroad.signer.TemporaryHelper; +import ee.ria.xroad.signer.protocol.AbstractRpcHandler; +import ee.ria.xroad.signer.protocol.message.ActivateToken; +import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker; +import org.niis.xroad.signer.proto.ActivateTokenRequest; +import org.niis.xroad.signer.protocol.dto.Empty; +import org.springframework.stereotype.Component; + +/** + * Handles token activations and deactivations. 
+ */ +@Component +public class ActivateTokenRequestHandler + extends AbstractRpcHandler { + + @Override + protected Empty handle(ActivateTokenRequest request) throws Exception { + ActivateToken actorMsg = new ActivateToken(request.getTokenId(), request.getActivate()); + + final AbstractTokenWorker tokenWorker = TemporaryHelper.getTokenWorker(request.getTokenId()); + tokenWorker.handleActivateToken(actorMsg); + + return Empty.getDefaultInstance(); + } +} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertRequestHandler.java index 544222f341..380435b17c 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertRequestHandler.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertRequestRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertRequestRequestHandler.java index 12e79d8239..e2be4e6e38 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertRequestRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertRequestRequestHandler.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteKeyRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteKeyRequestHandler.java index 1eb0a3958e..45d2e299b7 100644 
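Review bot: `tokenWorker` in ActivateTokenRequestHandler is dereferenced without a check, and the token id it is looked up by comes straight from the request. `TemporaryHelper.getTokenWorker` is not shown here; if it returns null for an unknown or not yet initialised token, the caller gets a NullPointerException through the generic error path instead of a coded fault. A guard before `handleActivateToken` would cover that, for example `if (tokenWorker == null) { throw tokenNotAvailable(request.getTokenId()); }`, using the `ExceptionHelper.tokenNotAvailable` helper that TemporaryAkkaMessenger already imports (its exact signature should be checked). If `getTokenWorker` already throws for a missing worker, a short comment saying so on that line is enough.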
--- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteKeyRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteKeyRequestHandler.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertRequestRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertRequestRequestHandler.java index aa8754a01b..379ebfb699 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertRequestRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertRequestRequestHandler.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateKeyRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateKeyRequestHandler.java index 5f6f455e04..6b58abd8c1 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateKeyRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateKeyRequestHandler.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertRequestHandler.java index 9d3de364cd..af508f7a51 100644 
--- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertRequestHandler.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyRequestHandler.java index 8aecde8dbf..ab98d6a2e2 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyRequestHandler.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetCertificateInfoForHashRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetCertificateInfoForHashRequestHandler.java new file mode 100644 index 0000000000..f726e72ce3 --- /dev/null +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetCertificateInfoForHashRequestHandler.java 
@@ -0,0 +1,57 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package ee.ria.xroad.signer.protocol.handler;
+
+import ee.ria.xroad.common.CodedException;
+import ee.ria.xroad.signer.protocol.AbstractRpcHandler;
+import ee.ria.xroad.signer.protocol.dto.CertificateInfo;
+import ee.ria.xroad.signer.tokenmanager.TokenManager;
+import org.niis.xroad.signer.proto.GetCertificateInfoForHashRequest;
+import org.niis.xroad.signer.proto.GetCertificateInfoResponse;
+import org.springframework.stereotype.Component;
+
+import static ee.ria.xroad.common.ErrorCodes.X_CERT_NOT_FOUND;
+
+/**
+ * Handles requests for certificates based on certificate hashes.
+ */
+@Component
+public class GetCertificateInfoForHashRequestHandler extends AbstractRpcHandler {
+
+ @Override
+ protected GetCertificateInfoResponse handle(GetCertificateInfoForHashRequest request) throws Exception {
+ CertificateInfo certificateInfo = TokenManager.getCertificateInfoForCertHash(request.getCertHash());
+
+ if (certificateInfo == null) {
+ throw CodedException.tr(X_CERT_NOT_FOUND, "certificate_with_hash_not_found",
+ "Certificate with hash '%s' not found", request.getCertHash());
+ }
+
+ return GetCertificateInfoResponse.newBuilder()
+ .setCertificateInfo(certificateInfo.asMessage())
+ .build();
+ }
+}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetHSMOperationalInfoRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetHSMOperationalInfoRequestHandler.java
index 597cae43fb..424aad34e7 100644
--- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetHSMOperationalInfoRequestHandler.java
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetHSMOperationalInfoRequestHandler.java
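Review bot: `request.getCertHash()` is passed to the lookup and, on a miss, copied into the `CodedException` text without any check on the value. A string field the caller leaves unset is read back as `""`, so the handler answers `Certificate with hash '' not found` instead of rejecting the request, and whatever the caller sends ends up verbatim in the error message (and presumably in the log). A guard at the top of `handle`, `if (request.getCertHash().isEmpty())` followed by the project's invalid-request error, would keep malformed input out of both paths. `GetKeyIdForCertHashRequestHandler` further down uses the same pattern.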
@@ -1,20 +1,20 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

+ * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - *

+ * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - *

+ * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetKeyIdForCertHashRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetKeyIdForCertHashRequestHandler.java new file mode 100644 index 0000000000..9192595091 --- /dev/null +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetKeyIdForCertHashRequestHandler.java @@ -0,0 +1,58 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + *

+ * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + *

+ * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + *

+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ +package ee.ria.xroad.signer.protocol.handler; + +import ee.ria.xroad.common.CodedException; +import ee.ria.xroad.signer.protocol.AbstractRpcHandler; +import ee.ria.xroad.signer.protocol.dto.KeyInfo; +import ee.ria.xroad.signer.tokenmanager.TokenManager; +import org.niis.xroad.signer.proto.GetKeyIdForCertHashRequest; +import org.niis.xroad.signer.proto.GetKeyIdForCertHashResponse; +import org.springframework.stereotype.Component; + +import static ee.ria.xroad.common.ErrorCodes.X_CERT_NOT_FOUND; + +/** + * Handles requests for key id based on certificate hashes. + */ +@Component +public class GetKeyIdForCertHashRequestHandler extends AbstractRpcHandler { + + @Override + protected GetKeyIdForCertHashResponse handle(GetKeyIdForCertHashRequest request) throws Exception { + KeyInfo keyInfo = TokenManager.getKeyInfoForCertHash(request.getCertHash()); + + if (keyInfo == null) { + throw CodedException.tr(X_CERT_NOT_FOUND, "certificate_with_hash_not_found", + "Certificate with hash '%s' not found", request.getCertHash()); + } + + return GetKeyIdForCertHashResponse.newBuilder() + .setKeyId(keyInfo.getId()) + .setSignMechanismName(keyInfo.getSignMechanismName()) + .build(); + } +} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsRequestHandler.java new file mode 100644 index 0000000000..c3bad9a954 --- /dev/null 
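Review bot: `setSignMechanismName(keyInfo.getSignMechanismName())` will throw a bare `NullPointerException` if the key has no sign mechanism recorded, because generated protobuf setters reject `null`. Whether `KeyInfo` can carry a null mechanism name is not visible in this hunk, so this is worth confirming. If it can, the caller gets an unclassified failure rather than a `CodedException` like the one raised for the missing-certificate case above. A check such as `if (keyInfo.getSignMechanismName() == null)` with a coded error before the builder would make this an explicit outcome. `GetSignMechanismRequestHandler` makes the same builder call.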
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsRequestHandler.java 
@@ -0,0 +1,72 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package ee.ria.xroad.signer.protocol.handler;
+
+import ee.ria.xroad.common.identifier.ClientId;
+import ee.ria.xroad.signer.protocol.AbstractRpcHandler;
+import ee.ria.xroad.signer.protocol.ClientIdMapper;
+import ee.ria.xroad.signer.protocol.dto.CertificateInfo;
+import ee.ria.xroad.signer.protocol.dto.CertificateInfoProto;
+import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo;
+import ee.ria.xroad.signer.tokenmanager.TokenManager;
+import org.niis.xroad.signer.proto.GetMemberCertsRequest;
+import org.niis.xroad.signer.proto.GetMemberCertsResponse;
+import org.springframework.stereotype.Component;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
+/**
+ * Handles requests for member certificates.
+ */
+@Component
+public class GetMemberCertsRequestHandler
+ extends AbstractRpcHandler {
+
+ @Override
+ protected GetMemberCertsResponse handle(GetMemberCertsRequest request) throws Exception {
+ final var memberId = ClientIdMapper.fromDto(request.getMemberId());
+ List memberCerts = TokenManager.listTokens().stream()
+ .flatMap(t -> t.getKeyInfo().stream())
+ .filter(k -> k.getUsage() == KeyUsageInfo.SIGNING)
+ .flatMap(k -> k.getCerts().stream())
+ .filter(c -> containsMember(c.getMemberId(), memberId))
+ .map(CertificateInfo::asMessage)
+ .collect(Collectors.toList());
+
+ return GetMemberCertsResponse.newBuilder()
+ .addAllCerts(memberCerts)
+ .build();
+ }
+
+ private static boolean containsMember(ClientId first, ClientId second) {
+ if (first == null || second == null) {
+ return false;
+ }
+
+ return first.equals(second) || second.subsystemContainsMember(first);
+ }
+}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoRequestHandler.java
index 29d32afd5b..4848751ecf 100644
--- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoRequestHandler.java
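Review bot: The stream in `handle` selects certificates only by key usage and member id, and nothing in it looks at certificate status, the active flag or validity, yet neither the class Javadoc nor the method says so. A caller that treats the result as "certificates this member can sign with" has to filter again, which should be stated on `handle`, for example `/** Returns every certificate on a SIGNING key whose member id matches the request; certificate status and validity are not checked here. */`. Separately, `containsMember` returns `false` when the mapped `memberId` is null, so a request without a member id would produce an empty list rather than an error. Whether `ClientIdMapper.fromDto` can return null for an unset field is not visible here and should be confirmed.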
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoRequestHandler.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetOcspResponsesRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetOcspResponsesRequestHandler.java index d7275203d6..334f3a4abc 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetOcspResponsesRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetOcspResponsesRequestHandler.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
@@ -25,21 +25,31 @@ */ package ee.ria.xroad.signer.protocol.handler; -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; +import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.protocol.message.GetOcspResponses; -import static ee.ria.xroad.signer.tokenmanager.ServiceLocator.getOcspResponseManager; +import org.niis.xroad.signer.proto.GetOcspResponsesRequest; +import org.niis.xroad.signer.proto.GetOcspResponsesResponse; +import org.springframework.stereotype.Component; + +import static java.util.Arrays.asList; /** * Handles OCSP requests. */ +@Component public class GetOcspResponsesRequestHandler - extends AbstractRequestHandler { + extends AbstractRpcHandler { @Override - protected Object handle(GetOcspResponses message) throws Exception { - getOcspResponseManager(getContext()).tell(message, getSender()); - return nothing(); + protected GetOcspResponsesResponse handle(GetOcspResponsesRequest request) throws Exception { + var message = new GetOcspResponses( + request.getCertHashList().toArray(new String[0])); + + ee.ria.xroad.signer.protocol.message.GetOcspResponsesResponse response = temporaryAkkaMessenger.tellOcspManagerWithResponse(message); + return GetOcspResponsesResponse.newBuilder() + .addAllBase64EncodedResponses(asList(response.getBase64EncodedResponses())) + .build(); } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetSignMechanismRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetSignMechanismRequestHandler.java new file mode 100644 index 0000000000..6b52e5319b --- /dev/null +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetSignMechanismRequestHandler.java 
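Review bot: `addAllBase64EncodedResponses(asList(response.getBase64EncodedResponses()))` throws a `NullPointerException` if any array element is null, because protobuf builders reject null elements in `addAll…`. If the OCSP manager leaves a null slot for a hash with no cached response (not visible in this hunk, so please confirm), one missing response would fail the whole call with an unclassified error instead of being reported per certificate. Mapping missing entries to an agreed marker keeps the positions aligned with `getCertHashList()`, e.g. `.map(r -> r == null ? "" : r)` before collecting, with the client treating `""` as absent. The result of `tellOcspManagerWithResponse` is also dereferenced without a null or timeout check, so the contract of that temporary messenger is worth stating in a comment.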
@@ -0,0 +1,56 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package ee.ria.xroad.signer.protocol.handler;
+
+import ee.ria.xroad.common.CodedException;
+import ee.ria.xroad.common.ErrorCodes;
+import ee.ria.xroad.signer.protocol.AbstractRpcHandler;
+import ee.ria.xroad.signer.protocol.dto.KeyInfo;
+import ee.ria.xroad.signer.tokenmanager.TokenManager;
+import org.niis.xroad.signer.proto.GetSignMechanismRequest;
+import org.niis.xroad.signer.proto.GetSignMechanismResponse;
+import org.springframework.stereotype.Component;
+
+/**
+ * Handles requests for signing mechanism based on key id.
+ */
+@Component
+public class GetSignMechanismRequestHandler extends AbstractRpcHandler {
+
+ @Override
+ protected GetSignMechanismResponse handle(GetSignMechanismRequest request) throws Exception {
+ KeyInfo keyInfo = TokenManager.getKeyInfo(request.getKeyId());
+
+ if (keyInfo == null) {
+ throw CodedException.tr(ErrorCodes.X_KEY_NOT_FOUND, "key_not_found", "Key '%s' not found",
+ request.getKeyId());
+ }
+
+ return GetSignMechanismResponse.newBuilder()
+ .setSignMechanismName(keyInfo.getSignMechanismName())
+ .build();
+ }
+}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenBatchSigningEnabledRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenBatchSigningEnabledRequestHandler.java
new file mode 100644
index 0000000000..80b24e9fdd
--- /dev/null
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenBatchSigningEnabledRequestHandler.java
@@ -0,0 +1,49 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package ee.ria.xroad.signer.protocol.handler;
+
+import ee.ria.xroad.signer.protocol.AbstractRpcHandler;
+import ee.ria.xroad.signer.tokenmanager.TokenManager;
+import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledRequest;
+import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledResponse;
+import org.springframework.stereotype.Component;
+
+/**
+ * Handles queries for batch signing capabilities of a token.
+ */
+@Component
+public class GetTokenBatchSigningEnabledRequestHandler
+ extends AbstractRpcHandler {
+
+ @Override
+ protected GetTokenBatchSigningEnabledResponse handle(GetTokenBatchSigningEnabledRequest request) throws Exception {
+ String tokenId = TokenManager.findTokenIdForKeyId(request.getKeyId());
+
+ return GetTokenBatchSigningEnabledResponse.newBuilder()
+ .setBatchingSigningEnabled(TokenManager.isBatchSigningEnabled(tokenId))
+ .build();
+ }
+}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertHashRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertHashRequestHandler.java
new file mode 100644
index 0000000000..75eb0f7376
--- /dev/null
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertHashRequestHandler.java
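Review bot: `tokenId` from `TokenManager.findTokenIdForKeyId(...)` is handed straight to `isBatchSigningEnabled` with no check for an unknown key, unlike `GetSignMechanismRequestHandler`, which tests its lookup result for null and raises a `CodedException`. The four token-info handlers that follow (`GetTokenInfoAndKeyIdForCertHash…`, `…ForCertRequestId…`, `GetTokenInfoForKeyId…`, `GetTokenInfoRequestHandler`) do the same by calling `token.asMessage()` directly on the lookup result. If the `find…` methods throw a coded not-found error themselves (not visible in this patch), a one-line comment stating that would stop the next reader from assuming a latent NPE. If they can return null, each handler needs the same guard the `get…` based handlers have, so that a caller-supplied id that does not exist yields a defined error code.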
@@ -0,0 +1,47 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package ee.ria.xroad.signer.protocol.handler;
+
+import ee.ria.xroad.signer.protocol.AbstractRpcHandler;
+import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyIdProto;
+import ee.ria.xroad.signer.tokenmanager.TokenManager;
+import org.niis.xroad.signer.proto.GetTokenByCertHashRequest;
+import org.springframework.stereotype.Component;
+
+/**
+ * Handles requests for TokenInfo + key id based on certificate hashes.
+ */
+@Component
+public class GetTokenInfoAndKeyIdForCertHashRequestHandler
+ extends AbstractRpcHandler {
+
+
+ @Override
+ protected TokenInfoAndKeyIdProto handle(GetTokenByCertHashRequest request) throws Exception {
+ var token = TokenManager.findTokenAndKeyIdForCertHash(request.getCertHash());
+ return token.asMessage();
+ }
+}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertRequestIdRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertRequestIdRequestHandler.java
new file mode 100644
index 0000000000..bab17dd324
--- /dev/null
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertRequestIdRequestHandler.java
@@ -0,0 +1,46 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package ee.ria.xroad.signer.protocol.handler;
+
+import ee.ria.xroad.signer.protocol.AbstractRpcHandler;
+import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyIdProto;
+import ee.ria.xroad.signer.tokenmanager.TokenManager;
+import org.niis.xroad.signer.proto.GetTokenByCertRequestIdRequest;
+import org.springframework.stereotype.Component;
+
+/**
+ * Handles requests for TokenInfo + key id based on certificate request ids.
+ */
+@Component
+public class GetTokenInfoAndKeyIdForCertRequestIdRequestHandler
+ extends AbstractRpcHandler {
+
+ @Override
+ protected TokenInfoAndKeyIdProto handle(GetTokenByCertRequestIdRequest request) throws Exception {
+ var token = TokenManager.findTokenAndKeyIdForCertRequestId(request.getCertRequestId());
+ return token.asMessage();
+ }
+}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoForKeyIdRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoForKeyIdRequestHandler.java
new file mode 100644
index 0000000000..cbfdfc7ad2
--- /dev/null
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoForKeyIdRequestHandler.java
@@ -0,0 +1,46 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package ee.ria.xroad.signer.protocol.handler;
+
+import ee.ria.xroad.signer.protocol.AbstractRpcHandler;
+import ee.ria.xroad.signer.protocol.dto.TokenInfoProto;
+import ee.ria.xroad.signer.tokenmanager.TokenManager;
+import org.niis.xroad.signer.proto.GetTokenByKeyIdRequest;
+import org.springframework.stereotype.Component;
+
+/**
+ * Handles requests for TokenInfo based on key id.
+ */
+@Component
+public class GetTokenInfoForKeyIdRequestHandler
+ extends AbstractRpcHandler {
+
+ @Override
+ protected TokenInfoProto handle(GetTokenByKeyIdRequest request) throws Exception {
+ var token = TokenManager.findTokenInfoForKeyId(request.getKeyId());
+ return token.asMessage();
+ }
+}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoRequestHandler.java
new file mode 100644
index 0000000000..722faeb8e7
--- /dev/null
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoRequestHandler.java
@@ -0,0 +1,46 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ +package ee.ria.xroad.signer.protocol.handler; + +import ee.ria.xroad.signer.protocol.AbstractRpcHandler; +import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; +import ee.ria.xroad.signer.tokenmanager.TokenManager; +import org.niis.xroad.signer.proto.GetTokenByIdRequest; +import org.springframework.stereotype.Component; + +/** + * Handles requests for token info. 
+ */ +@Component +public class GetTokenInfoRequestHandler + extends AbstractRpcHandler { + + @Override + protected TokenInfoProto handle(GetTokenByIdRequest request) throws Exception { + var token = TokenManager.findTokenInfo(request.getTokenId()); + return token.asMessage(); + } +} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertRequestHandler.java index 32a34a3810..e1ceb26610 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertRequestHandler.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenRequestHandler.java new file mode 100644 index 0000000000..0bfcaa5250 --- /dev/null +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenRequestHandler.java 
@@ -0,0 +1,64 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package ee.ria.xroad.signer.protocol.handler;
+
+import ee.ria.xroad.common.CodedException;
+import ee.ria.xroad.signer.TemporaryHelper;
+import ee.ria.xroad.signer.protocol.AbstractRpcHandler;
+import ee.ria.xroad.signer.tokenmanager.TokenManager;
+import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker;
+import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenWorker;
+import org.niis.xroad.signer.proto.InitSoftwareTokenRequest;
+import org.niis.xroad.signer.protocol.dto.Empty;
+import org.springframework.stereotype.Component;
+
+import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR;
+
+/**
+ * Handles requests for software token initialization.
+ */
+@Component
+public class InitSoftwareTokenRequestHandler
+ extends AbstractRpcHandler {
+
+ @Override
+ protected Empty handle(InitSoftwareTokenRequest request) throws Exception {
+ String softwareTokenId = TokenManager.getSoftwareTokenId();
+
+ if (softwareTokenId != null) {
+ final AbstractTokenWorker tokenWorker = TemporaryHelper.getTokenWorker(softwareTokenId);
+ if (tokenWorker instanceof SoftwareTokenWorker) {
+ try {
+ ((SoftwareTokenWorker) tokenWorker).initializeToken(request.getPin().toCharArray());
+ } catch (Exception e) {
+ throw new CodedException(X_INTERNAL_ERROR, e); //todo move to worker
+ }
+ return Empty.getDefaultInstance();
+ }
+ }
+ throw new CodedException(X_INTERNAL_ERROR, "Software token not found");
+ }
+}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ListTokensRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ListTokensRequestHandler.java
new file mode 100644
index 0000000000..166c4543e7
--- /dev/null
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ListTokensRequestHandler.java
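Review bot: The PIN copy created by `request.getPin().toCharArray()` in `handle` is never cleared after `initializeToken` returns, and UpdateSoftwareTokenPinRequestHandler does the same with `getOldPin()` and `getNewPin()`. Holding the array in a local and wiping it in a `finally` block with `Arrays.fill(pin, '\0');` would shorten the time that copy stays on the heap, provided the worker does not keep a reference to the array, which is not visible in this hunk. The protobuf `String` returned by `getPin()` stays in memory either way, so the wipe only becomes meaningful end to end if the field is carried as `bytes`; that trade-off deserves a comment next to the call, for example `// PIN arrives as an immutable String; the char[] copy is wiped after use`.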
@@ -0,0 +1,49 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ +package ee.ria.xroad.signer.protocol.handler; + +import ee.ria.xroad.signer.protocol.AbstractRpcHandler; +import ee.ria.xroad.signer.tokenmanager.TokenManager; + +import org.niis.xroad.signer.proto.ListTokensResponse; +import org.niis.xroad.signer.protocol.dto.Empty; +import org.springframework.stereotype.Component; + +/** + * Handles requests for token list. 
+ */ +@Component +public class ListTokensRequestHandler extends AbstractRpcHandler { + + @Override + protected ListTokensResponse handle(Empty request) throws Exception { + final ListTokensResponse.Builder builder = ListTokensResponse.newBuilder(); + + TokenManager.listTokens().forEach(tokenInfo -> builder.addTokens(tokenInfo.asMessage())); + + return builder.build(); + } +} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertRequestRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertRequestRequestHandler.java index eaccee5cec..fd286353d6 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertRequestRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertRequestRequestHandler.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetCertStatusRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetCertStatusRequestHandler.java new file mode 100644 index 0000000000..f7e5251a0b --- /dev/null +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetCertStatusRequestHandler.java 
@@ -0,0 +1,47 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package ee.ria.xroad.signer.protocol.handler;
+
+import ee.ria.xroad.signer.protocol.AbstractRpcHandler;
+import ee.ria.xroad.signer.tokenmanager.TokenManager;
+import org.niis.xroad.signer.proto.SetCertStatusRequest;
+import org.niis.xroad.signer.protocol.dto.Empty;
+import org.springframework.stereotype.Component;
+
+/**
+ * Handles requests for setting the certificate status.
+ */
+@Component
+public class SetCertStatusRequestHandler
+ extends AbstractRpcHandler {
+
+ @Override
+ protected Empty handle(SetCertStatusRequest request) throws Exception {
+ TokenManager.setCertStatus(request.getCertId(), request.getStatus());
+
+ return Empty.getDefaultInstance();
+ }
+}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetKeyFriendlyNameRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetKeyFriendlyNameRequestHandler.java
new file mode 100644
index 0000000000..59bc744031
--- /dev/null
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetKeyFriendlyNameRequestHandler.java
@@ -0,0 +1,47 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ +package ee.ria.xroad.signer.protocol.handler; + +import ee.ria.xroad.signer.protocol.AbstractRpcHandler; +import ee.ria.xroad.signer.tokenmanager.TokenManager; +import org.niis.xroad.signer.proto.SetKeyFriendlyNameRequest; +import org.niis.xroad.signer.protocol.dto.Empty; +import org.springframework.stereotype.Component; + +/** + * Handles requests for setting the key friendly name. 
+ */ +@Component +public class SetKeyFriendlyNameRequestHandler + extends AbstractRpcHandler { + + @Override + protected Empty handle(SetKeyFriendlyNameRequest request) throws Exception { + TokenManager.setKeyFriendlyName(request.getKeyId(), + request.getFriendlyName()); + return Empty.getDefaultInstance(); + } +} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetOcspResponsesRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetOcspResponsesRequestHandler.java index 3f07237cad..2c2a7b2717 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetOcspResponsesRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetOcspResponsesRequestHandler.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
@@ -25,21 +25,26 @@ */ package ee.ria.xroad.signer.protocol.handler; -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; +import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.protocol.message.SetOcspResponses; -import static ee.ria.xroad.signer.tokenmanager.ServiceLocator.getOcspResponseManager; +import org.niis.xroad.signer.proto.SetOcspResponsesRequest; +import org.niis.xroad.signer.protocol.dto.Empty; +import org.springframework.stereotype.Component; /** * Handles requests for setting the OCSP responses for certificates. */ +@Component public class SetOcspResponsesRequestHandler - extends AbstractRequestHandler { - + extends AbstractRpcHandler { @Override - protected Object handle(SetOcspResponses message) throws Exception { - getOcspResponseManager(getContext()).tell(message, getSender()); - return success(); - } + protected Empty handle(SetOcspResponsesRequest request) throws Exception { + var message = new SetOcspResponses( + request.getCertHashesList().toArray(new String[0]), + request.getBase64EncodedResponsesList().toArray(new String[0])); + temporaryAkkaMessenger.tellOcspManager(message); + return Empty.getDefaultInstance(); + } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetTokenFriendlyNameRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetTokenFriendlyNameRequestHandler.java new file mode 100644 index 0000000000..409175e2da --- /dev/null +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetTokenFriendlyNameRequestHandler.java 
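Review bot: `handle` copies `getCertHashesList()` and `getBase64EncodedResponsesList()` into two parallel arrays without checking that they have the same length, so a malformed request could pair OCSP responses with the wrong certificate hashes or fail later inside the OCSP manager, depending on how `SetOcspResponses` is consumed (outside this hunk). A guard before the message is built, `if (request.getCertHashesCount() != request.getBase64EncodedResponsesCount()) throw new CodedException(X_INTERNAL_ERROR, "Mismatched OCSP response count");`, would reject it at the RPC boundary; it needs the `CodedException` and `X_INTERNAL_ERROR` imports, which this file does not have. `tellOcspManager` also appears to be fire-and-forget, so `Empty` is returned whether or not the responses were stored, and a comment saying so would keep callers from reading the reply as confirmation.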
@@ -0,0 +1,49 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package ee.ria.xroad.signer.protocol.handler;
+
+import ee.ria.xroad.signer.protocol.AbstractRpcHandler;
+import ee.ria.xroad.signer.tokenmanager.TokenManager;
+import org.niis.xroad.signer.proto.SetTokenFriendlyNameRequest;
+import org.niis.xroad.signer.protocol.dto.Empty;
+import org.springframework.stereotype.Component;
+
+/**
+ * Handles requests for setting the token friendly name.
+ */
+@Component
+public class SetTokenFriendlyNameRequestHandler
+ extends AbstractRpcHandler {
+
+ @Override
+ protected Empty handle(SetTokenFriendlyNameRequest request) throws Exception {
+ TokenManager.setTokenFriendlyName(
+ request.getTokenId(),
+ request.getFriendlyName());
+
+ return Empty.getDefaultInstance();
+ }
+}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateRequestHandler.java
new file mode 100644
index 0000000000..2550d9a108
--- /dev/null
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateRequestHandler.java
@@ -0,0 +1,59 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package ee.ria.xroad.signer.protocol.handler;
+
+import com.google.protobuf.ByteString;
+import ee.ria.xroad.common.util.CryptoUtils;
+import ee.ria.xroad.signer.protocol.AbstractRpcHandler;
+import ee.ria.xroad.signer.protocol.message.SignCertificate;
+import org.niis.xroad.signer.proto.SignCertificateRequest;
+import org.niis.xroad.signer.proto.SignCertificateResponse;
+import org.springframework.stereotype.Component;
+
+import java.security.PublicKey;
+
+import static ee.ria.xroad.signer.tokenmanager.TokenManager.findTokenIdForKeyId;
+
+@Component
+public class SignCertificateRequestHandler extends AbstractRpcHandler {
+
+ @Override
+ protected SignCertificateResponse handle(SignCertificateRequest request) throws Exception {
+ PublicKey publicKey = CryptoUtils.readX509PublicKey(request.getPublicKey().toByteArray());
+ var message = new SignCertificate(request.getKeyId(),
+ request.getSignatureAlgorithmId(),
+ request.getSubjectName(),
+ publicKey);
+
+ ee.ria.xroad.signer.protocol.message.SignCertificateResponse response = temporaryAkkaMessenger
+ .tellTokenWithResponse(message, findTokenIdForKeyId(message.getKeyId()));
+
+ return SignCertificateResponse.newBuilder()
+ .setCertificateChain(ByteString.copyFrom(response.getCertificateChain()))
+ .build();
+ }
+}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignRequestHandler.java
new file mode 100644
index 0000000000..d68e0b9557
--- /dev/null
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignRequestHandler.java
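Review bot: SignCertificateRequestHandler has no class Javadoc, unlike the other handlers in this part of the patch, and it is the one whose contract most needs stating: `handle` has a certificate issued for whatever `subjectName` and `publicKey` the caller sends, signed with the key named by `keyId`. I would add `/** Handles certificate signing requests: signs a certificate for the caller-supplied subject name and public key with the key identified by keyId. */` above `@Component`. The comment should also say where the caller is authenticated and authorised, since no such check is visible in this class and a reader cannot tell whether the RPC transport is the only gate.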
@@ -0,0 +1,56 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package ee.ria.xroad.signer.protocol.handler;
+
+import com.google.protobuf.ByteString;
+import ee.ria.xroad.signer.protocol.AbstractRpcHandler;
+import ee.ria.xroad.signer.protocol.message.Sign;
+import org.niis.xroad.signer.proto.SignRequest;
+import org.niis.xroad.signer.proto.SignResponse;
+import org.springframework.stereotype.Component;
+
+import static ee.ria.xroad.signer.tokenmanager.TokenManager.findTokenIdForKeyId;
+
+/**
+ * Handles signing requests.
+ */
+@Component
+public class SignRequestHandler extends AbstractRpcHandler {
+
+ @Override
+ protected SignResponse handle(SignRequest request) throws Exception {
+ var message = new Sign(request.getKeyId(),
+ request.getSignatureAlgorithmId(),
+ request.getDigest().toByteArray());
+
+ ee.ria.xroad.signer.protocol.message.SignResponse response = temporaryAkkaMessenger
+ .tellTokenWithResponse(message, findTokenIdForKeyId(message.getKeyId()));
+
+ return SignResponse.newBuilder()
+ .setSignature(ByteString.copyFrom(response.getSignature()))
+ .build();
+ }
+}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinRequestHandler.java
new file mode 100644
index 0000000000..f5be72b9e6
--- /dev/null
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinRequestHandler.java
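Review bot: `handle` forwards `request.getDigest().toByteArray()` to the token unchecked, so an unset field reaches the signing path as a zero-length array and a value of any other length is passed through as well. Whether the token worker compares the digest length with what `signatureAlgorithmId` implies is not visible in this hunk; if it does not, the handler is the place to reject a digest that is empty or of the wrong size before `tellTokenWithResponse` is called, so the key is only applied to well-formed digests. At minimum I would start the method with `if (request.getDigest().isEmpty())` and throw a `CodedException` there, which needs an import this file does not have yet.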
@@ -0,0 +1,62 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package ee.ria.xroad.signer.protocol.handler;
+
+import ee.ria.xroad.common.CodedException;
+import ee.ria.xroad.signer.TemporaryHelper;
+import ee.ria.xroad.signer.protocol.AbstractRpcHandler;
+import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker;
+import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenWorker;
+import org.niis.xroad.signer.proto.UpdateSoftwareTokenPinRequest;
+import org.niis.xroad.signer.protocol.dto.Empty;
+import org.springframework.stereotype.Component;
+
+import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR;
+
+/**
+ * Handles token pin update
+ */
+@Component
+public class UpdateSoftwareTokenPinRequestHandler
+ extends AbstractRpcHandler {
+
+ @Override
+ protected Empty handle(UpdateSoftwareTokenPinRequest request) throws Exception {
+ final AbstractTokenWorker tokenWorker = TemporaryHelper.getTokenWorker(request.getTokenId());
+ if (tokenWorker instanceof SoftwareTokenWorker) {
+ try {
+ ((SoftwareTokenWorker) tokenWorker).handleUpdateTokenPin(request.getOldPin().toCharArray(), request.getNewPin().toCharArray());
+ } catch (Exception e) {
+ // todo move to tokenworker
+ throw new CodedException(X_INTERNAL_ERROR, e);
+ }
+ } else {
+ throw new CodedException(X_INTERNAL_ERROR, "Software token not found");
+ }
+
+ return Empty.getDefaultInstance();
+ }
+}
From dd91374e9fe6dce2114ca150335921a21669a24f Mon Sep 17 00:00:00 2001
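Review bot: The `catch (Exception e)` in `handle` rewraps every failure of `handleUpdateTokenPin` as `X_INTERNAL_ERROR`, and InitSoftwareTokenRequestHandler has the same catch around `initializeToken`. If the worker reports a wrong old PIN through its own `CodedException` (not visible in this hunk), the caller and the logs can no longer tell a rejected PIN from an internal fault. Adding `catch (CodedException e) { throw e; }` ahead of the generic catch would keep the original fault code. The else branch also answers "Software token not found" when the token id resolves to a worker that is not a `SoftwareTokenWorker`, so a message that names the mismatch would help whoever investigates failed PIN changes.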
From: Justas Samuolis Date: Thu, 24 Aug 2023 12:50:42 +0300 Subject: [PATCH 017/127] chore: using token worker without akka Refs: XRDDEV-2461 --- .../token/HardwareTokenWorker.java | 6 +-- .../protocol/message/ActivateToken.java | 43 ---------------- .../protocol/message/SignCertificate.java | 42 ---------------- .../message/SignCertificateResponse.java | 40 --------------- .../signer/protocol/AbstractRpcHandler.java | 32 ++++++++++++ .../handler/ActivateTokenRequestHandler.java | 10 ++-- .../InitSoftwareTokenRequestHandler.java | 6 +-- .../SignCertificateRequestHandler.java | 19 ++----- .../protocol/handler/SignRequestHandler.java | 14 ++---- .../UpdateSoftwareTokenPinRequestHandler.java | 7 ++- .../tokenmanager/token/AbstractToken.java | 6 +-- .../token/AbstractTokenWorker.java | 50 +++++++++++++------ .../token/SoftwareTokenWorker.java | 6 +-- .../tokenmanager/token/TokenSigner.java | 13 +++-- 14 files changed, 102 insertions(+), 192 deletions(-) delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ActivateToken.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificate.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificateResponse.java diff --git a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java index 2ccb9780b1..27e972ef57 100644 --- a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java +++ b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java 
@@ -32,7 +32,6 @@ import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.protocol.dto.TokenStatusInfo; -import ee.ria.xroad.signer.protocol.message.ActivateToken; import ee.ria.xroad.signer.protocol.message.GenerateKey; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.tokenmanager.module.ModuleConf; @@ -55,6 +54,7 @@ import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; import org.bouncycastle.operator.ContentSigner; import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder; +import org.niis.xroad.signer.proto.ActivateTokenRequest; import javax.xml.bind.DatatypeConverter; @@ -251,8 +251,8 @@ protected Exception customizeException(Exception e) { // ----------------------- Message handlers ------------------------------- @Override - protected void activateToken(ActivateToken message) throws Exception { - if (message.isActivate()) { // login + protected void activateToken(ActivateTokenRequest message) throws Exception { + if (message.getActivate()) { // login log.info("Logging in token '{}'", getWorkerId()); try { diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ActivateToken.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ActivateToken.java deleted file mode 100644 index 09452c8b78..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ActivateToken.java +++ /dev/null 
@@ -1,43 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -@Deprecated -public class ActivateToken implements Serializable { - - private final String tokenId; - - private final boolean activate; - -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificate.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificate.java deleted file mode 100644 index 89ece8ef9c..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificate.java +++ /dev/null 
@@ -1,42 +0,0 @@
-/*
- * The MIT License
- *
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.protocol.message;
-
-import lombok.Value;
-
-import java.io.Serializable;
-import java.security.PublicKey;
-
-@Value
-@Deprecated
-public class SignCertificate implements Serializable {
-
- String keyId;
- String signatureAlgorithmId;
- String subjectName;
- PublicKey publicKey;
-}
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificateResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificateResponse.java
deleted file mode 100644
index 4b2efa6988..0000000000
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificateResponse.java
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * The MIT License
- *
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.protocol.message;
-
-import lombok.ToString;
-import lombok.Value;
-
-import java.io.Serializable;
-
-@Value
-@Deprecated
-@ToString(exclude = "certificateChain")
-public class SignCertificateResponse implements Serializable {
-
- byte[] certificateChain;
-}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRpcHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRpcHandler.java
index e1af893c27..495d464b20 100644
--- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRpcHandler.java
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRpcHandler.java
@@ -1,7 +1,35 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
 package ee.ria.xroad.signer.protocol;
 
 import ee.ria.xroad.common.CodedException;
+import ee.ria.xroad.signer.TemporaryHelper;
 import ee.ria.xroad.signer.protocol.dto.CodedExceptionProto;
+import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker;
 
 import com.google.protobuf.AbstractMessage;
 import io.grpc.Status;
@@ -35,6 +63,10 @@ public void processSingle(R request, StreamObserver responseObserver) { } } + protected AbstractTokenWorker getTokenWorker(String tokenId) { + return TemporaryHelper.getTokenWorker(tokenId); + } + private void handleException(Exception exception, StreamObserver responseObserver) { if (exception instanceof CodedException) { CodedException codedException = (CodedException) exception; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateTokenRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateTokenRequestHandler.java index 2ad9bb1d6a..23e828d6c5 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateTokenRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateTokenRequestHandler.java @@ -25,10 +25,8 @@ */ package ee.ria.xroad.signer.protocol.handler; -import ee.ria.xroad.signer.TemporaryHelper; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; -import ee.ria.xroad.signer.protocol.message.ActivateToken; -import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker; + import org.niis.xroad.signer.proto.ActivateTokenRequest; import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Component; @@ -42,10 +40,8 @@ public class ActivateTokenRequestHandler @Override protected Empty handle(ActivateTokenRequest request) throws Exception { - ActivateToken actorMsg = new ActivateToken(request.getTokenId(), request.getActivate()); - - final AbstractTokenWorker tokenWorker = TemporaryHelper.getTokenWorker(request.getTokenId()); - tokenWorker.handleActivateToken(actorMsg); + getTokenWorker(request.getTokenId()) + .handleActivateToken(request); return Empty.getDefaultInstance(); } 
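Review bot: The new `getTokenWorker` helper in AbstractRpcHandler has no Javadoc and no stated contract for an unknown token id, yet ActivateTokenRequestHandler (the last hunk on this line) chains `.handleActivateToken(request)` straight onto its result. `TemporaryHelper.getTokenWorker` is not part of this patch, so whether it returns null or throws for a missing token is not visible here; if it can return null, a request carrying a bogus token id ends in a NullPointerException that reaches `handleException` as something other than a `CodedException`. I would document the helper, for example `/** Returns the worker for the given token id; throws CodedException when no such token is available. */`, and enforce that inside the helper so every handler reports the same token-not-found error.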
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenRequestHandler.java index 0bfcaa5250..aedc5d163c 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenRequestHandler.java @@ -26,11 +26,11 @@ package ee.ria.xroad.signer.protocol.handler; import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.TemporaryHelper; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker; import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenWorker; + import org.niis.xroad.signer.proto.InitSoftwareTokenRequest; import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Component; @@ -49,14 +49,14 @@ protected Empty handle(InitSoftwareTokenRequest request) throws Exception { String softwareTokenId = TokenManager.getSoftwareTokenId(); if (softwareTokenId != null) { - final AbstractTokenWorker tokenWorker = TemporaryHelper.getTokenWorker(softwareTokenId); + final AbstractTokenWorker tokenWorker = getTokenWorker(softwareTokenId); if (tokenWorker instanceof SoftwareTokenWorker) { try { ((SoftwareTokenWorker) tokenWorker).initializeToken(request.getPin().toCharArray()); + return Empty.getDefaultInstance(); } catch (Exception e) { throw new CodedException(X_INTERNAL_ERROR, e); //todo move to worker } - return Empty.getDefaultInstance(); } } throw new CodedException(X_INTERNAL_ERROR, "Software token not found"); 
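Review bot: `request.getPin().toCharArray()` in the second hunk produces a char[] copy of the PIN that is never cleared, and the PIN also stays in the protobuf request as an immutable String, so the conversion alone does not stop the secret lingering on the heap. Hold the array in a local and wipe it in a `finally` block with `java.util.Arrays.fill(pin, '\0');`, provided `initializeToken` does not keep a reference to it (that method is outside this patch). Generated protobuf messages also print every field from `toString()`, so any request logging around this handler should leave `InitSoftwareTokenRequest` out or mask it. Separately, `catch (Exception e)` maps every failure to `X_INTERNAL_ERROR`, which leaves the caller unable to tell a rejected PIN from a genuine internal fault; the existing `//todo move to worker` is the natural place to narrow it. The closing lines of `handle` are outside the hunk.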
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateRequestHandler.java index 2550d9a108..06252610b1 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateRequestHandler.java @@ -26,16 +26,13 @@ */ package ee.ria.xroad.signer.protocol.handler; -import com.google.protobuf.ByteString; -import ee.ria.xroad.common.util.CryptoUtils; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; -import ee.ria.xroad.signer.protocol.message.SignCertificate; + +import com.google.protobuf.ByteString; import org.niis.xroad.signer.proto.SignCertificateRequest; import org.niis.xroad.signer.proto.SignCertificateResponse; import org.springframework.stereotype.Component; -import java.security.PublicKey; - import static ee.ria.xroad.signer.tokenmanager.TokenManager.findTokenIdForKeyId; @Component 
@@ -43,17 +40,11 @@ public class SignCertificateRequestHandler extends AbstractRpcHandler Date: Thu, 24 Aug 2023 15:40:21 +0300 Subject: [PATCH 018/127] chore: add delete/generate-cert rpc actions Refs: XRDDEV-2468 --- .../java/ee/ria/xroad/signer/SignerProxy.java | 54 ++++++++---- .../signer/protocol/message/DeleteCert.java | 1 + .../protocol/message/DeleteCertRequest.java | 1 + .../signer/protocol/message/DeleteKey.java | 1 + .../message/GenerateSelfSignedCert.java | 1 + .../GenerateSelfSignedCertResponse.java | 1 + .../signer/protocol/message/ImportCert.java | 1 + .../protocol/message/ImportCertResponse.java | 1 + .../certmanager/OcspResponseManager.java | 12 +-- .../protocol/TemporaryAkkaMessenger.java | 2 + .../handler/AbstractGenerateCertRequest.java | 1 + .../handler/ActivateCertRequestHandler.java | 7 +- ...KeyInfo.java => DeleteCertReqHandler.java} | 56 +++++++----- ....java => DeleteCertRequestReqHandler.java} | 46 +++++----- .../DeleteCertRequestRequestHandler.java | 41 --------- ...tHandler.java => DeleteKeyReqHandler.java} | 34 +++++--- .../GenerateSelfSignedCertRequestHandler.java | 87 +++++++++---------- ...Handler.java => ImportCertReqHandler.java} | 61 ++++++------- .../protocol/handler/SignRequestHandler.java | 8 +- .../token/AbstractTokenWorker.java | 2 +- 20 files changed, 216 insertions(+), 202 deletions(-) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{AbstractDeleteFromKeyInfo.java => DeleteCertReqHandler.java} (59%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{DeleteCertRequestHandler.java => DeleteCertRequestReqHandler.java} (59%) delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertRequestRequestHandler.java rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{DeleteKeyRequestHandler.java => DeleteKeyReqHandler.java} (66%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{ImportCertRequestHandler.java => 
ImportCertReqHandler.java} (81%) diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java index f44b881c3f..77ff13235e 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java @@ -40,20 +40,13 @@ import ee.ria.xroad.signer.protocol.dto.MemberSigningInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyId; -import ee.ria.xroad.signer.protocol.message.DeleteCert; -import ee.ria.xroad.signer.protocol.message.DeleteCertRequest; -import ee.ria.xroad.signer.protocol.message.DeleteKey; import ee.ria.xroad.signer.protocol.message.GenerateCertRequest; import ee.ria.xroad.signer.protocol.message.GenerateCertRequestResponse; import ee.ria.xroad.signer.protocol.message.GenerateKey; -import ee.ria.xroad.signer.protocol.message.GenerateSelfSignedCert; -import ee.ria.xroad.signer.protocol.message.GenerateSelfSignedCertResponse; import ee.ria.xroad.signer.protocol.message.GetAuthKey; import ee.ria.xroad.signer.protocol.message.GetHSMOperationalInfo; import ee.ria.xroad.signer.protocol.message.GetHSMOperationalInfoResponse; import ee.ria.xroad.signer.protocol.message.GetMemberSigningInfo; -import ee.ria.xroad.signer.protocol.message.ImportCert; -import ee.ria.xroad.signer.protocol.message.ImportCertResponse; import ee.ria.xroad.signer.protocol.message.RegenerateCertRequest; import ee.ria.xroad.signer.protocol.message.RegenerateCertRequestResponse; 
@@ -63,9 +56,13 @@ import io.grpc.StatusRuntimeException; import lombok.Value; import lombok.extern.slf4j.Slf4j; -import org.niis.xroad.signer.proto.ActivateCertRequest; +import org.niis.xroad.signer.proto.ActivateCertReq; import org.niis.xroad.signer.proto.ActivateTokenRequest; import org.niis.xroad.signer.proto.CertificateRequestFormat; +import org.niis.xroad.signer.proto.DeleteCertReq; +import org.niis.xroad.signer.proto.DeleteCertRequestReq; +import org.niis.xroad.signer.proto.DeleteKeyReq; +import org.niis.xroad.signer.proto.GenerateSelfSignedCertReq; import org.niis.xroad.signer.proto.GetCertificateInfoForHashRequest; import org.niis.xroad.signer.proto.GetKeyIdForCertHashRequest; import org.niis.xroad.signer.proto.GetMemberCertsRequest; @@ -77,6 +74,7 @@ import org.niis.xroad.signer.proto.GetTokenByCertRequestIdRequest; import org.niis.xroad.signer.proto.GetTokenByIdRequest; import org.niis.xroad.signer.proto.GetTokenByKeyIdRequest; +import org.niis.xroad.signer.proto.ImportCertReq; import org.niis.xroad.signer.proto.InitSoftwareTokenRequest; import org.niis.xroad.signer.proto.ListTokensResponse; import org.niis.xroad.signer.proto.SetCertStatusRequest; 
@@ -314,10 +312,17 @@ public static byte[] generateSelfSignedCert(String keyId, ClientId.Conf memberId String commonName, Date notBefore, Date notAfter) throws Exception { log.trace("Generate self-signed cert for key '{}'", keyId); - GenerateSelfSignedCertResponse response = execute(new GenerateSelfSignedCert(keyId, commonName, - notBefore, notAfter, keyUsage, memberId)); + var response = executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + .generateSelfSignedCert(GenerateSelfSignedCertReq.newBuilder() + .setKeyId(keyId) + .setCommonName(commonName) + .setDateNotBefore(notBefore.getTime()) + .setDateNotAfter(notAfter.getTime()) + .setKeyUsage(keyUsage) + .setMemberId(ClientIdMapper.toDto(memberId)) + .build())); - byte[] certificateBytes = response.getCertificateBytes(); + byte[] certificateBytes = response.getCertificateBytes().toByteArray(); log.trace("Certificate with length of {} bytes generated", certificateBytes.length); @@ -336,7 +341,12 @@ public static byte[] generateSelfSignedCert(String keyId, ClientId.Conf memberId public static String importCert(byte[] certBytes, String initialStatus, ClientId.Conf clientId) throws Exception { log.trace("Importing cert from file with length of '{}' bytes", certBytes.length); - ImportCertResponse response = execute(new ImportCert(certBytes, initialStatus, clientId)); + var response = executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + .importCert(ImportCertReq.newBuilder() + .setCertData(ByteString.copyFrom(certBytes)) + .setInitialStatus(initialStatus) + .setMemberId(ClientIdMapper.toDto(clientId)) + .build())); log.trace("Cert imported successfully, keyId received: {}", response.getKeyId()); 
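Review bot: The builder chain in `generateSelfSignedCert` dereferences every argument: `notBefore.getTime()` and `notAfter.getTime()` directly, and the generated protobuf setters throw NullPointerException when handed null, whereas the removed `GenerateSelfSignedCert` value object appears to have carried whatever it was given. If any caller passes null (a `memberId` for a key not bound to a member, or `initialStatus` in the `importCert` hunk below, would be the likely candidates, though no caller is visible in this patch), the failure now surfaces as an NPE thrown inside the lambda passed to `executeAndHandleException` instead of a signer error. Set optional fields conditionally, e.g. `if (memberId != null) { builder.setMemberId(ClientIdMapper.toDto(memberId)); }`, and reject mandatory ones up front with `Objects.requireNonNull(keyId, "keyId");`. The same applies to `setCertRequestId`, `setCertId` and `setKeyId` in the deleteCertRequest, deleteCert and deleteKey hunks further down.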
@@ -353,7 +363,7 @@ public static void activateCert(String certId) throws Exception { log.trace("Activating cert '{}'", certId); executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() - .activateCert(ActivateCertRequest.newBuilder() + .activateCert(ActivateCertReq.newBuilder() .setCertIdOrHash(certId) .setActive(true) .build())); @@ -369,7 +379,7 @@ public static void deactivateCert(String certId) throws Exception { log.trace("Deactivating cert '{}'", certId); executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() - .activateCert(ActivateCertRequest.newBuilder() + .activateCert(ActivateCertReq.newBuilder() .setCertIdOrHash(certId) .setActive(false) .build())); @@ -448,7 +458,10 @@ public static class GeneratedCertRequestInfo { public static void deleteCertRequest(String certRequestId) throws Exception { log.trace("Deleting cert request '{}'", certRequestId); - execute(new DeleteCertRequest(certRequestId)); + executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + .deleteCertRequest(DeleteCertRequestReq.newBuilder() + .setCertRequestId(certRequestId) + .build())); } /** @@ -460,7 +473,10 @@ public static void deleteCertRequest(String certRequestId) throws Exception { public static void deleteCert(String certId) throws Exception { log.trace("Deleting cert '{}'", certId); - execute(new DeleteCert(certId)); + executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + .deleteCert(DeleteCertReq.newBuilder() + .setCertId(certId) + .build())); } /** 
@@ -474,7 +490,11 @@ public static void deleteCert(String certId) throws Exception { public static void deleteKey(String keyId, boolean deleteFromToken) throws Exception { log.trace("Deleting key '{}', from token = {}", keyId, deleteFromToken); - execute(new DeleteKey(keyId, deleteFromToken)); + executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() + .deleteKey(DeleteKeyReq.newBuilder() + .setKeyId(keyId) + .setDeleteFromDevice(deleteFromToken) + .build())); } /** diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteCert.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteCert.java index 6fba2babd1..bd5678739f 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteCert.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteCert.java @@ -33,6 +33,7 @@ * Signer API message. */ @Value +@Deprecated public class DeleteCert implements Serializable { private final String certId; diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteCertRequest.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteCertRequest.java index 2e51f6ec3d..5bcf8b35ae 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteCertRequest.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteCertRequest.java @@ -33,6 +33,7 @@ * Signer API message. */ @Value +@Deprecated public class DeleteCertRequest implements Serializable { private final String certRequestId; diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteKey.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteKey.java index 9960778283..f762366818 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteKey.java 
+++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteKey.java @@ -33,6 +33,7 @@ * Signer API message. */ @Value +@Deprecated public class DeleteKey implements Serializable { private String keyId; diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateSelfSignedCert.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateSelfSignedCert.java index 0c2cfb5fa9..c01ded9974 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateSelfSignedCert.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateSelfSignedCert.java @@ -37,6 +37,7 @@ * Signer API message. */ @Value +@Deprecated public class GenerateSelfSignedCert implements Serializable { private final String keyId; diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateSelfSignedCertResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateSelfSignedCertResponse.java index 696077ab02..81004efed2 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateSelfSignedCertResponse.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateSelfSignedCertResponse.java @@ -34,6 +34,7 @@ * Signer API message. */ @Value +@Deprecated @ToString(exclude = "certificateBytes") public class GenerateSelfSignedCertResponse implements Serializable { diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ImportCert.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ImportCert.java index cf23bed308..eab3e1bafd 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ImportCert.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ImportCert.java 
@@ -36,6 +36,7 @@ * Signer API message. */ @Value +@Deprecated @ToString(exclude = "certData") public class ImportCert implements Serializable { diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ImportCertResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ImportCertResponse.java index 5a9b0b0233..7f08dbfb28 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ImportCertResponse.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ImportCertResponse.java @@ -33,6 +33,7 @@ * Signer API message. */ @Value +@Deprecated public class ImportCertResponse implements Serializable { private final String keyId; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspResponseManager.java b/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspResponseManager.java index 38ad95e5c0..8ec39aa353 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspResponseManager.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspResponseManager.java @@ -25,6 +25,8 @@ */ package ee.ria.xroad.signer.certmanager; +import akka.actor.ActorSystem; + import ee.ria.xroad.signer.protocol.message.GetOcspResponses; import ee.ria.xroad.signer.protocol.message.GetOcspResponsesResponse; import ee.ria.xroad.signer.protocol.message.SetOcspResponses; @@ -89,9 +91,9 @@ public static class IsCachedOcspResponse implements Serializable { * @return OCSP response as byte array * @throws Exception if an error occurs */ - public static byte[] getOcspResponse(ActorContext ctx, + public static byte[] getOcspResponse(ActorSystem actorSystem, X509Certificate cert) throws Exception { - return getOcspResponse(ctx, calculateCertHexHash(cert)); + return getOcspResponse(actorSystem, calculateCertHexHash(cert)); } /** 
@@ -101,14 +103,14 @@ public static byte[] getOcspResponse(ActorContext ctx, * @return OCSP response as byte array * @throws Exception if an error occurs */ - public static byte[] getOcspResponse(ActorContext ctx, - String certHash) throws Exception { + public static byte[] getOcspResponse(ActorSystem actorSystem, + String certHash) throws Exception { GetOcspResponses message = new GetOcspResponses(new String[] {certHash}); GetOcspResponsesResponse result = (GetOcspResponsesResponse) SignerUtil.ask( - ServiceLocator.getOcspResponseManager(ctx), message); + ServiceLocator.getOcspResponseManager(actorSystem), message); if (result.getBase64EncodedResponses().length > 0 && result.getBase64EncodedResponses()[0] != null) { diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java index 4b11225671..66bbbe7896 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java @@ -6,6 +6,7 @@ import ee.ria.xroad.signer.tokenmanager.TokenManager; +import lombok.Getter; import lombok.RequiredArgsConstructor; import lombok.SneakyThrows; import org.springframework.stereotype.Component; @@ -24,6 +25,7 @@ public class TemporaryAkkaMessenger { @Deprecated private static final Timeout AKKA_TIMEOUT = new Timeout(10, TimeUnit.SECONDS); + @Getter private final ActorSystem actorSystem; public T tellTokenWithResponse(Object message, String tokenId) { diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertRequest.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertRequest.java index a0684f062d..e0e1b815ff 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertRequest.java 
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertRequest.java @@ -65,6 +65,7 @@ * @param the type of generate cert request message this handler handles */ @Slf4j +@Deprecated public abstract class AbstractGenerateCertRequest extends AbstractRequestHandler { PKCS10CertificationRequest buildSignedCertRequest(TokenAndKey tokenAndKey, String subjectName) diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateCertRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateCertRequestHandler.java index 471ba47ecf..ecb108f838 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateCertRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateCertRequestHandler.java @@ -27,7 +27,8 @@ import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import org.niis.xroad.signer.proto.ActivateCertRequest; + +import org.niis.xroad.signer.proto.ActivateCertReq; import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Component; @@ -36,10 +37,10 @@ */ @Component public class ActivateCertRequestHandler - extends AbstractRpcHandler { + extends AbstractRpcHandler { @Override - protected Empty handle(ActivateCertRequest request) throws Exception { + protected Empty handle(ActivateCertReq request) throws Exception { TokenManager.setCertActive(request.getCertIdOrHash(), request.getActive()); return Empty.getDefaultInstance(); 
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractDeleteFromKeyInfo.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertReqHandler.java similarity index 59% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractDeleteFromKeyInfo.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertReqHandler.java index 784829d8fa..637f3d8dcb 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractDeleteFromKeyInfo.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertReqHandler.java 
@@ -26,27 +26,53 @@ package ee.ria.xroad.signer.protocol.handler; import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; +import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.protocol.message.DeleteCert; -import ee.ria.xroad.signer.protocol.message.DeleteKey; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.signer.proto.DeleteCertReq; +import org.niis.xroad.signer.protocol.dto.Empty; +import org.springframework.stereotype.Component; -import static ee.ria.xroad.common.ErrorCodes.X_CSR_NOT_FOUND; +import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; +import static ee.ria.xroad.signer.util.ExceptionHelper.certWithIdNotFound; -@Slf4j -abstract class AbstractDeleteFromKeyInfo extends AbstractRequestHandler { +/** + * Handles certificate deletions. If certificate is not saved in configuration, + * we delete it on the token. Otherwise we remove the certificate from the + * configuration. 
+ */ +@Component +public class DeleteCertReqHandler + extends AbstractRpcHandler { + + @Override + protected Empty handle(DeleteCertReq request) throws Exception { + CertificateInfo certInfo = TokenManager.getCertificateInfo(request.getCertId()); + if (certInfo == null) { + throw certWithIdNotFound(request.getCertId()); + } + + if (!certInfo.isSavedToConfiguration()) { + deleteCertOnToken(request); + return Empty.getDefaultInstance(); + } else if (TokenManager.removeCert(request.getCertId())) { + return Empty.getDefaultInstance(); + } + + throw new CodedException(X_INTERNAL_ERROR, "Failed to delete certificate"); + } - protected void deleteCertOnToken(DeleteCert deleteCert) { + protected void deleteCertOnToken(DeleteCertReq deleteCert) { for (TokenInfo tokenInfo : TokenManager.listTokens()) { for (KeyInfo keyInfo : tokenInfo.getKeyInfo()) { for (CertificateInfo certInfo : keyInfo.getCerts()) { if (deleteCert.getCertId().equals(certInfo.getId())) { - tellToken(deleteCert, tokenInfo.getId()); + var message = new DeleteCert(deleteCert.getCertId()); + temporaryAkkaMessenger.tellToken(message, tokenInfo.getId()); return; } } @@ -54,18 +80,4 @@ protected void deleteCertOnToken(DeleteCert deleteCert) { } } - protected void deleteKeyFile(String tokenId, DeleteKey message) { - tellToken(message, tokenId); - } - - protected Object deleteCertRequest(String certId) { - String keyId = TokenManager.removeCertRequest(certId); - if (keyId != null) { - log.info("Deleted certificate request under key '{}'", keyId); - return success(); - } - - throw CodedException.tr(X_CSR_NOT_FOUND, - "csr_not_found", "Certificate request '%s' not found", certId); - } } 
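Review bot: `deleteCertOnToken` gives `handle` no way to know whether anything was deleted: when none of the nested loops matches the cert id it simply falls through, and `handle` still answers `Empty.getDefaultInstance()`. The outcome of `temporaryAkkaMessenger.tellToken(...)` is not used either, so if that call is fire-and-forget (its name suggests so, but its body is not in this patch) a failure in the token worker is also reported to the client as success. After the loops I would add `throw certWithIdNotFound(deleteCert.getCertId());`, and consider the `tellTokenWithResponse` method that TemporaryAkkaMessenger already exposes so the worker's result reaches the caller. The method can also become `private` now that the abstract base class it came from has been folded into this handler.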
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertRequestReqHandler.java similarity index 59% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertRequestReqHandler.java index 380435b17c..11a7a5d1a5 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertRequestReqHandler.java 
@@ -26,37 +26,37 @@ package ee.ria.xroad.signer.protocol.handler; import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.protocol.dto.CertificateInfo; -import ee.ria.xroad.signer.protocol.message.DeleteCert; +import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; -import static ee.ria.xroad.signer.util.ExceptionHelper.certWithIdNotFound; +import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.signer.proto.DeleteCertRequestReq; +import org.niis.xroad.signer.protocol.dto.Empty; +import org.springframework.stereotype.Component; + +import static ee.ria.xroad.common.ErrorCodes.X_CSR_NOT_FOUND; /** - * Handles certificate deletions. If certificate is not saved in configuration, - * we delete it on the token. Otherwise we remove the certificate from the - * configuration. + * Handles certificate request deletions. */ -public class DeleteCertRequestHandler - extends AbstractDeleteFromKeyInfo { +@Slf4j +@Component +public class DeleteCertRequestReqHandler + extends AbstractRpcHandler { @Override - protected Object handle(DeleteCert message) throws Exception { - CertificateInfo certInfo = - TokenManager.getCertificateInfo(message.getCertId()); - if (certInfo == null) { - throw certWithIdNotFound(message.getCertId()); - } + protected Empty handle(DeleteCertRequestReq request) throws Exception { + deleteCertRequest(request.getCertRequestId()); - if (!certInfo.isSavedToConfiguration()) { - deleteCertOnToken(message); - return success(); - } else if (TokenManager.removeCert(message.getCertId())) { - return success(); - } + return Empty.getDefaultInstance(); + } - throw new CodedException(X_INTERNAL_ERROR, - "Failed to delete certificate"); + public void deleteCertRequest(String certId) { + String removedKeyId = TokenManager.removeCertRequest(certId); + if (removedKeyId == null) { + throw CodedException.tr(X_CSR_NOT_FOUND, + "csr_not_found", 
"Certificate request '%s' not found", certId); + } + log.info("Deleted certificate request under key '{}'", removedKeyId); } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertRequestRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertRequestRequestHandler.java deleted file mode 100644 index e2be4e6e38..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertRequestRequestHandler.java +++ /dev/null 
@@ -1,41 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.handler; - -import ee.ria.xroad.signer.protocol.message.DeleteCertRequest; - -/** - * Handles certificate request deletions. - */ -public class DeleteCertRequestRequestHandler - extends AbstractDeleteFromKeyInfo { - - @Override - protected Object handle(DeleteCertRequest message) throws Exception { - return deleteCertRequest(message.getCertRequestId()); - } - -} 
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteKeyRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteKeyReqHandler.java similarity index 66% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteKeyRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteKeyReqHandler.java index 45d2e299b7..a7178721e2 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteKeyRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteKeyReqHandler.java @@ -25,6 +25,7 @@ */ package ee.ria.xroad.signer.protocol.handler; +import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; 
@@ -33,38 +34,45 @@ import ee.ria.xroad.signer.util.TokenAndKey; import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.signer.proto.DeleteKeyReq; +import org.niis.xroad.signer.protocol.dto.Empty; +import org.springframework.stereotype.Component; /** * Handles key deletions. */ @Slf4j -public class DeleteKeyRequestHandler - extends AbstractDeleteFromKeyInfo { +@Component +public class DeleteKeyReqHandler extends AbstractRpcHandler { @Override - protected Object handle(DeleteKey message) throws Exception { + protected Empty handle(DeleteKeyReq request) throws Exception { TokenAndKey tokenAndKey = - TokenManager.findTokenAndKey(message.getKeyId()); + TokenManager.findTokenAndKey(request.getKeyId()); - if (message.isDeleteFromDevice()) { - log.trace("Deleting key '{}' from device", message.getKeyId()); + if (request.getDeleteFromDevice()) { + log.trace("Deleting key '{}' from device", request.getKeyId()); - deleteKeyFile(tokenAndKey.getTokenId(), message); - return nothing(); + deleteKeyFile(tokenAndKey.getTokenId(), request); } else { - log.trace("Deleting key '{}' from configuration", - message.getKeyId()); + log.trace("Deleting key '{}' from configuration", request.getKeyId()); removeCertsFromKey(tokenAndKey.getKey()); - return success(); } + return Empty.getDefaultInstance(); + } + + + private void deleteKeyFile(String tokenId, DeleteKeyReq request) { + var message = new DeleteKey(request.getKeyId(), request.getDeleteFromDevice()); + temporaryAkkaMessenger.tellToken(message, tokenId); } private static void removeCertsFromKey(KeyInfo keyInfo) { keyInfo.getCerts().stream().filter(CertificateInfo::isSavedToConfiguration) - .map(CertificateInfo::getId).forEach(TokenManager::removeCert); + .map(CertificateInfo::getId).forEach(TokenManager::removeCert); keyInfo.getCertRequests().stream() - .map(CertRequestInfo::getId).forEach(TokenManager::removeCertRequest); + .map(CertRequestInfo::getId).forEach(TokenManager::removeCertRequest); } } 
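Review bot: In `handle`, the device branch now returns `Empty.getDefaultInstance()` straight after `deleteKeyFile(...)`, where the removed code returned `nothing()`. `temporaryAkkaMessenger.tellToken` looks like a one-way send, so the RPC caller is presumably told the key is gone before the token worker has deleted it, and never learns if that fails. The configuration branch has a similar gap: `removeCertsFromKey` discards the boolean from `TokenManager::removeCert`, which `DeleteCertReqHandler` treats as a failure signal. For an operation that destroys key material the reply should reflect the outcome, e.g. `if (!TokenManager.removeCert(id)) throw new CodedException(X_INTERNAL_ERROR, "Failed to delete certificate");` in the configuration path and a request/response call to the token worker in the device path. The same one-way `tellToken` is used by `deleteCertOnToken` in `DeleteCertReqHandler`.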
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertRequestHandler.java index af508f7a51..ac05c28344 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertRequestHandler.java @@ -25,23 +25,19 @@ */ package ee.ria.xroad.signer.protocol.handler; +import com.google.protobuf.ByteString; + import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.util.CryptoUtils; -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; +import ee.ria.xroad.signer.protocol.AbstractRpcHandler; +import ee.ria.xroad.signer.protocol.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; -import ee.ria.xroad.signer.protocol.message.GenerateSelfSignedCert; -import ee.ria.xroad.signer.protocol.message.GenerateSelfSignedCertResponse; -import ee.ria.xroad.signer.protocol.message.ImportCert; -import ee.ria.xroad.signer.protocol.message.ImportCertResponse; -import ee.ria.xroad.signer.protocol.message.Sign; -import ee.ria.xroad.signer.protocol.message.SignResponse; -import ee.ria.xroad.signer.tokenmanager.ServiceLocator; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import ee.ria.xroad.signer.util.SignerUtil; import ee.ria.xroad.signer.util.TokenAndKey; import lombok.Data; +import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; 
@@ -53,12 +49,18 @@ import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; import org.bouncycastle.operator.ContentSigner; import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder; +import org.niis.xroad.signer.proto.GenerateSelfSignedCertReq; +import org.niis.xroad.signer.proto.GenerateSelfSignedCertResp; +import org.niis.xroad.signer.proto.SignRequest; +import org.springframework.stereotype.Component; import java.io.ByteArrayOutputStream; import java.io.OutputStream; import java.math.BigInteger; import java.security.PublicKey; import java.security.cert.X509Certificate; +import java.time.Instant; +import java.util.Date; import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; import static ee.ria.xroad.common.ErrorCodes.translateException; 
@@ -74,21 +76,25 @@ */ @Slf4j @SuppressWarnings("deprecation") -public class GenerateSelfSignedCertRequestHandler extends AbstractRequestHandler { +@Component +@RequiredArgsConstructor +public class GenerateSelfSignedCertRequestHandler extends AbstractRpcHandler { + private final SignRequestHandler signRequestHandler; + private final ImportCertReqHandler importCertReqHandler; // TODO make configurable private static final String SIGNATURE_DIGEST_ALGORITHM = SHA512_ID; @Override - protected Object handle(GenerateSelfSignedCert message) throws Exception { - TokenAndKey tokenAndKey = TokenManager.findTokenAndKey(message.getKeyId()); + protected GenerateSelfSignedCertResp handle(GenerateSelfSignedCertReq request) throws Exception { + TokenAndKey tokenAndKey = TokenManager.findTokenAndKey(request.getKeyId()); if (!TokenManager.isKeyAvailable(tokenAndKey.getKeyId())) { throw keyNotAvailable(tokenAndKey.getKeyId()); } if (tokenAndKey.getKey().getPublicKey() == null) { - throw new CodedException(X_INTERNAL_ERROR, "Key '%s' has no public key", message.getKeyId()); + throw new CodedException(X_INTERNAL_ERROR, "Key '%s' has no public key", request.getKeyId()); } PublicKey pk = readX509PublicKey(decodeBase64(tokenAndKey.getKey().getPublicKey())); 
@@ -96,43 +102,32 @@ protected Object handle(GenerateSelfSignedCert message) throws Exception { String signAlgoId = CryptoUtils.getSignatureAlgorithmId(SIGNATURE_DIGEST_ALGORITHM, tokenAndKey.getSignMechanism()); - X509Certificate cert = new DummyCertBuilder().build(tokenAndKey, message, pk, signAlgoId); - - byte[] certData = cert.getEncoded(); - - importCert(new ImportCert(certData, CertificateInfo.STATUS_REGISTERED, message.getMemberId())); - - return new GenerateSelfSignedCertResponse(certData); - } - - private void importCert(ImportCert importCert) throws Exception { - Object response = SignerUtil.ask(ServiceLocator.getRequestProcessor(getContext()), importCert); + X509Certificate cert = new DummyCertBuilder().build(tokenAndKey, request, pk, signAlgoId); - if (!(response instanceof ImportCertResponse)) { - if (response instanceof Exception) { - throw (Exception) response; - } - - log.error("Received unexpected response: " + response.getClass()); + importCertReqHandler.importCertificate(cert, + CertificateInfo.STATUS_REGISTERED, + ClientIdMapper.fromDto(request.getMemberId())); - throw new CodedException(X_INTERNAL_ERROR, "Failed to import certificate to key"); - } + return GenerateSelfSignedCertResp.newBuilder() + .setCertificateBytes(ByteString.copyFrom(cert.getEncoded())) + .build(); } class DummyCertBuilder { - X509Certificate build(TokenAndKey tokenAndKey, GenerateSelfSignedCert message, PublicKey publicKey, - String signAlgoId) throws Exception { + X509Certificate build(TokenAndKey tokenAndKey, GenerateSelfSignedCertReq message, PublicKey publicKey, + String signAlgoId) throws Exception { X500Name subject = new X500Name("CN=" + message.getCommonName()); JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(subject, BigInteger.ONE, - message.getNotBefore(), message.getNotAfter(), subject, publicKey); + fromUnixTimestamp(message.getDateNotBefore()), + fromUnixTimestamp(message.getDateNotAfter()), subject, publicKey); if (message.getKeyUsage() 
== KeyUsageInfo.SIGNING) { KeyUsage keyUsage = new KeyUsage(KeyUsage.nonRepudiation | KeyUsage.keyCertSign); builder.addExtension(X509Extension.keyUsage, true, keyUsage); builder.addExtension(X509Extension.basicConstraints, - true, new BasicConstraints(true)); + true, new BasicConstraints(true)); } else { KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature); builder.addExtension(X509Extension.keyUsage, true, keyUsage); @@ -145,6 +140,10 @@ X509Certificate build(TokenAndKey tokenAndKey, GenerateSelfSignedCert message, P return new JcaX509CertificateConverter().getCertificate(holder); } + private Date fromUnixTimestamp(long unixDate) { + return Date.from(Instant.ofEpochMilli(unixDate)); + } + @Data private class CertContentSigner implements ContentSigner { @@ -173,17 +172,13 @@ public byte[] getSignature() { String digAlgoId = getDigestAlgorithmId(signAlgoId); digest = calculateDigest(digAlgoId, dataToSign); - Sign message = new Sign(tokenAndKey.getKeyId(), signAlgoId, digest); - - Object response = SignerUtil.ask(ServiceLocator.getTokenSigner(getContext(), - tokenAndKey.getTokenId()), message); + var message = SignRequest.newBuilder() + .setKeyId(tokenAndKey.getKeyId()) + .setSignatureAlgorithmId(signAlgoId) + .setDigest(ByteString.copyFrom(digest)) + .build(); + return signRequestHandler.signData(message); - if (response instanceof SignResponse) { - return ((SignResponse) response).getSignature(); - } else { - throw new RuntimeException("Failed to sign with key " + tokenAndKey.getKeyId() - + "; response was " + response); - } } catch (Exception e) { throw translateException(e); } 
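Review bot: `new X500Name("CN=" + message.getCommonName())` in `DummyCertBuilder.build` parses a string assembled from the request's `commonName`, so a value containing `,` or `=` can add or alter RDNs in the subject and issuer of the generated certificate. Now that the value arrives in a `GenerateSelfSignedCertReq`, build the name from typed parts instead: `new X500NameBuilder(BCStyle.INSTANCE).addRDN(BCStyle.CN, message.getCommonName()).build()`. The body of `build` continues past the end of this hunk.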
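Review bot: `fromUnixTimestamp` feeds its argument to `Instant.ofEpochMilli`, but a Unix timestamp is conventionally in seconds, and the proto fields `dateNotBefore`/`dateNotAfter` of `GenerateSelfSignedCertReq` declare no unit. A client that sends seconds would get a certificate whose validity window sits in January 1970. Rename the helper to `fromEpochMillis` and add a comment such as `// milliseconds since the Unix epoch` to both proto fields, or switch them to `google.protobuf.Timestamp`. Neither value is range-checked against the other, and an unset proto3 `int64` reads as 0.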
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java similarity index 81% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java index e1ceb26610..8073af44c6 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java @@ -32,17 +32,17 @@ import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.util.CertUtils; import ee.ria.xroad.signer.certmanager.OcspResponseManager; -import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; -import ee.ria.xroad.signer.protocol.dto.CertificateInfo; -import ee.ria.xroad.signer.protocol.dto.KeyInfo; -import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; -import ee.ria.xroad.signer.protocol.dto.TokenInfo; -import ee.ria.xroad.signer.protocol.message.ImportCert; -import ee.ria.xroad.signer.protocol.message.ImportCertResponse; +import ee.ria.xroad.signer.protocol.AbstractRpcHandler; +import ee.ria.xroad.signer.protocol.ClientIdMapper; +import ee.ria.xroad.signer.protocol.dto.*; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.util.SignerUtil; +import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.signer.proto.ImportCertReq; +import org.niis.xroad.signer.proto.ImportCertResp; +import org.springframework.stereotype.Component; import java.security.cert.X509Certificate; import java.util.Arrays; 
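Review bot: The five explicit `ee.ria.xroad.signer.protocol.dto` imports are replaced by `import ee.ria.xroad.signer.protocol.dto.*;`. Other handlers in this series import `org.niis.xroad.signer.protocol.dto.Empty` next to `ee.ria.xroad.signer.protocol.dto` classes, so during the migration a wildcard makes it harder to see which package a `CertificateInfo` or `KeyUsageInfo` on a given line comes from. Keep the explicit imports.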
@@ -61,27 +61,32 @@ * Handles certificate import requests. */ @Slf4j -public class ImportCertRequestHandler - extends AbstractDeleteFromKeyInfo { +@Component +@RequiredArgsConstructor +public class ImportCertReqHandler extends AbstractRpcHandler { + private final DeleteCertRequestReqHandler deleteCertRequestReqHandler; @Override - protected Object handle(ImportCert message) throws Exception { + protected ImportCertResp handle(ImportCertReq request) throws Exception { X509Certificate cert = null; try { - cert = readCertificate(message.getCertData()); + cert = readCertificate(request.getCertData().toByteArray()); } catch (Exception e) { throw CodedException.tr(X_INCORRECT_CERTIFICATE, "failed_to_parse_cert", "Failed to parse certificate: %s", e.getMessage()); } - String keyId = importCertificate(cert, message.getInitialStatus(), - message.getMemberId()); - return new ImportCertResponse(keyId); + String keyId = importCertificate(cert, request.getInitialStatus(), + ClientIdMapper.fromDto(request.getMemberId())); + + return ImportCertResp.newBuilder() + .setKeyId(keyId) + .build(); } - private String importCertificate(X509Certificate cert, - String initialStatus, ClientId.Conf memberId) throws Exception { + public String importCertificate(X509Certificate cert, + String initialStatus, ClientId.Conf memberId) throws Exception { String publicKey = encodeBase64(cert.getPublicKey().getEncoded()); // Find the key based on the public key of the cert 
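Review bot: `ClientIdMapper.fromDto(request.getMemberId())` in `handle` is called unconditionally, but a protobuf message getter returns the default instance rather than null when the field is absent, so a request without `memberId` no longer reaches `importCertificate` as null the way `message.getMemberId()` could. Unless `ClientIdMapper.fromDto` handles the empty message (not visible here), guard it: `ClientId.Conf memberId = request.hasMemberId() ? ClientIdMapper.fromDto(request.getMemberId()) : null;`. The same call appears in `GenerateSelfSignedCertRequestHandler.handle`. `importCertificate` is also made `public` here without a Javadoc; a line stating that it returns the id of the key the certificate was attached to would help its new caller. Its body continues outside the hunk.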
@@ -103,11 +108,11 @@ private String importCertificate(X509Certificate cert, "Could not find key that has public key that matches the " + "public key of certificate"); } - // XXX: #2955 Currently, if the key does not have public key, we also check // if the key contains the (unsaved) certificate + private boolean matchesPublicKeyOrExistingCert(String publicKey, - X509Certificate cert, KeyInfo keyInfo) throws Exception { + X509Certificate cert, KeyInfo keyInfo) throws Exception { if (keyInfo.getPublicKey() != null && keyInfo.getPublicKey().equals(publicKey)) { return true; @@ -124,7 +129,7 @@ private boolean matchesPublicKeyOrExistingCert(String publicKey, } private void importCertificateToKey(KeyInfo keyInfo, X509Certificate cert, - String initialStatus, ClientId.Conf memberId) throws Exception { + String initialStatus, ClientId.Conf memberId) throws Exception { String certHash = calculateCertHexHash(cert.getEncoded()); CertificateInfo existingCert = @@ -134,8 +139,8 @@ private void importCertificateToKey(KeyInfo keyInfo, X509Certificate cert, "cert_exists_under_key", "Certificate already exists under key '%s'", keyInfo.getFriendlyName() == null - ? keyInfo.getId() - : keyInfo.getFriendlyName()); + ? keyInfo.getId() + : keyInfo.getFriendlyName()); } boolean signing = CertUtils.isSigningCert(cert); @@ -171,7 +176,7 @@ private void importCertificateToKey(KeyInfo keyInfo, X509Certificate cert, private void updateOcspResponse(X509Certificate cert) { try { - OcspResponseManager.getOcspResponse(getContext(), cert); + OcspResponseManager.getOcspResponse(temporaryAkkaMessenger.getActorSystem(), cert); } catch (Exception e) { log.error("Failed to update OCSP response for certificate " + cert.getSerialNumber(), e); 
@@ -179,7 +184,7 @@ private void updateOcspResponse(X509Certificate cert) { } private void validateCertKeyUsage(boolean signing, boolean authentication, - KeyUsageInfo keyUsage) { + KeyUsageInfo keyUsage) { // Check that the cert is a signing or auth cert if (!signing && !authentication) { throw CodedException.tr(X_WRONG_CERT_USAGE, @@ -223,18 +228,16 @@ private void verifyCertChain(X509Certificate cert) { } } - protected void deleteCertRequest(String keyId, ClientId memberId) - throws Exception { - CertRequestInfo certReq = - TokenManager.getCertRequestInfo(keyId, memberId); + private void deleteCertRequest(String keyId, ClientId memberId) throws Exception { + CertRequestInfo certReq = TokenManager.getCertRequestInfo(keyId, memberId); if (certReq != null) { - deleteCertRequest(certReq.getId()); + deleteCertRequestReqHandler.deleteCertRequest(certReq.getId()); } } private static KeyUsageInfo getKeyUsage(KeyInfo keyInfo, boolean sign) { KeyUsageInfo keyUsage = keyInfo.getUsage(); - if (keyUsage == null) { + if (keyUsage == null) {//TODO:grpc to we need to support nulls? return sign ? KeyUsageInfo.SIGNING : KeyUsageInfo.AUTHENTICATION; } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignRequestHandler.java index 39267ae740..4edab4e6bc 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignRequestHandler.java 
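Review bot: The added comment `//TODO:grpc to we need to support nulls?` in `getKeyUsage` leaves the question open and has a typo ("to we"). If `KeyInfo.getUsage()` is now backed by a protobuf enum (not visible in this hunk), it will not return null for an unset value, so the fallback to `KeyUsageInfo.SIGNING`/`KeyUsageInfo.AUTHENTICATION` would silently stop applying and later usage checks would see whatever the zero enum value is. Resolve it in this change, or reword it as `// TODO(grpc): confirm getUsage() can still be null; an unset proto enum reads as its zero value`. `getKeyUsage` continues past the end of the hunk.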
@@ -42,11 +42,15 @@ public class SignRequestHandler extends AbstractRpcHandler Date: Thu, 24 Aug 2023 15:40:40 +0300 Subject: [PATCH 019/127] chore: add delete/generate-cert rpc actions Refs: XRDDEV-2468 --- .../src/main/proto/CertificateService.proto | 43 ++++++++++++++++- .../src/main/proto/KeyService.proto | 8 +++- .../protocol/AbstractRequestHandler.java | 1 + .../signer/protocol/AbstractRpcHandler.java | 13 +++--- .../signer/protocol/CertificateService.java | 46 ++++++++++++++++--- .../ria/xroad/signer/protocol/KeyService.java | 7 +++ 6 files changed, 103 insertions(+), 15 deletions(-) diff --git a/src/signer-protocol/src/main/proto/CertificateService.proto b/src/signer-protocol/src/main/proto/CertificateService.proto index 89ade528db..1e5770eeb9 100644 --- a/src/signer-protocol/src/main/proto/CertificateService.proto +++ b/src/signer-protocol/src/main/proto/CertificateService.proto @@ -9,7 +9,7 @@ import "TokenStatusInfo.proto"; package org.niis.xroad.signer.proto; service CertificateService { - rpc ActivateCert (ActivateCertRequest) returns (Empty) {} + rpc ActivateCert (ActivateCertReq) returns (Empty) {} rpc GetCertificateInfoForHash (GetCertificateInfoForHashRequest) returns (GetCertificateInfoResponse) {} @@ -18,6 +18,14 @@ service CertificateService { rpc SetCertStatus (SetCertStatusRequest) returns (Empty) {} rpc RegenerateCertReq (RegenerateCertReqRequest) returns (RegenerateCertReqResponse) {} + + rpc DeleteCert (DeleteCertReq) returns (Empty) {} + + rpc DeleteCertRequest (DeleteCertRequestReq) returns (Empty) {} + + rpc ImportCert (ImportCertReq) returns (ImportCertResp) {} + + rpc GenerateSelfSignedCert (GenerateSelfSignedCertReq) returns (GenerateSelfSignedCertResp) {} } message GetCertificateInfoForHashRequest { @@ -28,7 +36,7 @@ message GetCertificateInfoResponse { CertificateInfoProto certificateInfo = 1; } -message ActivateCertRequest { +message ActivateCertReq { string certIdOrHash = 1; bool active = 2; } 
@@ -64,3 +72,34 @@ enum CertificateRequestFormat { PEM = 0; DER = 1; } + +message DeleteCertReq { + string certId = 1; +} + +message DeleteCertRequestReq { + string certRequestId = 1; +} + +message ImportCertReq { + bytes certData = 1; + string initialStatus = 2; + ClientIdProto memberId = 3; +} + +message ImportCertResp { + string keyId = 1; +} + +message GenerateSelfSignedCertReq { + string keyId = 1; + string commonName = 2; + int64 dateNotBefore = 3; + int64 dateNotAfter = 4; + KeyUsageInfo keyUsage = 5; + ClientIdProto memberId = 6; +} + +message GenerateSelfSignedCertResp { + bytes certificateBytes = 1; +} diff --git a/src/signer-protocol/src/main/proto/KeyService.proto b/src/signer-protocol/src/main/proto/KeyService.proto index 8235f3c18f..acdb6565c9 100644 --- a/src/signer-protocol/src/main/proto/KeyService.proto +++ b/src/signer-protocol/src/main/proto/KeyService.proto @@ -15,10 +15,11 @@ service KeyService { rpc GetSignMechanism (GetSignMechanismRequest) returns (GetSignMechanismResponse) {} - rpc Sign(SignRequest) returns (SignResponse) {} rpc SignCertificate(SignCertificateRequest) returns (SignCertificateResponse) {} + + rpc DeleteKey (DeleteKeyReq) returns (Empty) {} } @@ -66,3 +67,8 @@ message SignCertificateRequest { message SignCertificateResponse { bytes certificateChain = 1; } + +message DeleteKeyReq { + string keyId = 1; + bool deleteFromDevice = 2; +} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRequestHandler.java index 5a82a5180b..e2287c1c9a 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRequestHandler.java @@ -45,6 +45,7 @@ */ @SuppressWarnings("unchecked") @Slf4j +@Deprecated public abstract class AbstractRequestHandler extends UntypedAbstractActor { private static final Object SUCCESS = new SuccessResponse(); 
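Review bot: `ImportCertReq.initialStatus` is a free-form `string`, and `ImportCertReqHandler.handle` forwards `request.getInitialStatus()` to `importCertificate` as received. A certificate's initial status (the self-signed path passes `CertificateInfo.STATUS_REGISTERED`) is a state a client should not be able to set to an arbitrary value; unless it is validated further down, define it as an enum in this file or check it against the known status constants before use. An unset proto3 string also arrives as `""`, not null.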
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRpcHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRpcHandler.java index 495d464b20..17e814020c 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRpcHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRpcHandler.java @@ -42,17 +42,18 @@ import static java.util.Optional.ofNullable; /** - * @param - * @param + * @param + * @param */ @Slf4j -public abstract class AbstractRpcHandler { +@SuppressWarnings("squid:S119") +public abstract class AbstractRpcHandler { @Autowired protected TemporaryAkkaMessenger temporaryAkkaMessenger; - protected abstract T handle(R request) throws Exception; + protected abstract RespT handle(ReqT request) throws Exception; - public void processSingle(R request, StreamObserver responseObserver) { + public void processSingle(ReqT request, StreamObserver responseObserver) { try { var response = handle(request); @@ -67,7 +68,7 @@ protected AbstractTokenWorker getTokenWorker(String tokenId) { return TemporaryHelper.getTokenWorker(tokenId); } - private void handleException(Exception exception, StreamObserver responseObserver) { + private void handleException(Exception exception, StreamObserver responseObserver) { if (exception instanceof CodedException) { CodedException codedException = (CodedException) exception; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java index cc9ee3acf1..df39c3b272 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java 
@@ -1,20 +1,20 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

+ * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - *

+ * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - *

+ * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE @@ -26,19 +26,29 @@ package ee.ria.xroad.signer.protocol; import ee.ria.xroad.signer.protocol.handler.ActivateCertRequestHandler; +import ee.ria.xroad.signer.protocol.handler.DeleteCertReqHandler; +import ee.ria.xroad.signer.protocol.handler.DeleteCertRequestReqHandler; +import ee.ria.xroad.signer.protocol.handler.GenerateSelfSignedCertRequestHandler; import ee.ria.xroad.signer.protocol.handler.GetCertificateInfoForHashRequestHandler; import ee.ria.xroad.signer.protocol.handler.GetMemberCertsRequestHandler; +import ee.ria.xroad.signer.protocol.handler.ImportCertReqHandler; import ee.ria.xroad.signer.protocol.handler.SetCertStatusRequestHandler; import io.grpc.stub.StreamObserver; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; -import org.niis.xroad.signer.proto.ActivateCertRequest; +import org.niis.xroad.signer.proto.ActivateCertReq; import org.niis.xroad.signer.proto.CertificateServiceGrpc; +import org.niis.xroad.signer.proto.DeleteCertReq; +import org.niis.xroad.signer.proto.DeleteCertRequestReq; +import org.niis.xroad.signer.proto.GenerateSelfSignedCertReq; +import org.niis.xroad.signer.proto.GenerateSelfSignedCertResp; import org.niis.xroad.signer.proto.GetCertificateInfoForHashRequest; import org.niis.xroad.signer.proto.GetCertificateInfoResponse; import org.niis.xroad.signer.proto.GetMemberCertsRequest; import org.niis.xroad.signer.proto.GetMemberCertsResponse; +import org.niis.xroad.signer.proto.ImportCertReq; +import org.niis.xroad.signer.proto.ImportCertResp; import org.niis.xroad.signer.proto.RegenerateCertReqRequest; import org.niis.xroad.signer.proto.RegenerateCertReqResponse; import org.niis.xroad.signer.proto.SetCertStatusRequest; 
@@ -56,9 +66,13 @@ public class CertificateService extends CertificateServiceGrpc.CertificateServic private final GetCertificateInfoForHashRequestHandler getCertificateInfoForHashRequestHandler; private final GetMemberCertsRequestHandler getMemberCertsRequestHandler; private final SetCertStatusRequestHandler setCertStatusRequestHandler; + private final DeleteCertReqHandler deleteCertReqHandler; + private final DeleteCertRequestReqHandler deleteCertRequestReqHandler; + private final ImportCertReqHandler importCertReqHandler; + private final GenerateSelfSignedCertRequestHandler generateSelfSignedCertRequestHandler; @Override - public void activateCert(ActivateCertRequest request, StreamObserver responseObserver) { + public void activateCert(ActivateCertReq request, StreamObserver responseObserver) { activateCertRequestHandler.processSingle(request, responseObserver); } @@ -78,6 +92,26 @@ public void getMemberCerts(GetMemberCertsRequest request, StreamObserver responseObserver) { + deleteCertReqHandler.processSingle(request, responseObserver); + } + + @Override + public void deleteCertRequest(DeleteCertRequestReq request, StreamObserver responseObserver) { + deleteCertRequestReqHandler.processSingle(request, responseObserver); + } + + @Override + public void importCert(ImportCertReq request, StreamObserver responseObserver) { + importCertReqHandler.processSingle(request, responseObserver); + } + + @Override + public void generateSelfSignedCert(GenerateSelfSignedCertReq request, StreamObserver responseObserver) { + generateSelfSignedCertRequestHandler.processSingle(request, responseObserver); + } + @Override public void regenerateCertReq(RegenerateCertReqRequest request, StreamObserver responseObserver) { //TODO diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java index 8321645e7c..9e7ce730c7 100644 
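Review bot: `deleteCert`, `deleteCertRequest`, `importCert` and `generateSelfSignedCert` hand the request straight to their handlers, and nothing in this hunk shows who may call them. If caller authentication is done once at the transport level (the series adds a `ServerCredentialsConfigurer`), the class Javadoc should say where that happens and that the handlers perform no per-call authorisation, so that a later change to the server setup does not leave key and certificate deletion open. `KeyService.deleteKey` is in the same position.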
--- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java @@ -25,6 +25,7 @@ */ package ee.ria.xroad.signer.protocol; +import ee.ria.xroad.signer.protocol.handler.DeleteKeyReqHandler; import ee.ria.xroad.signer.protocol.handler.GetKeyIdForCertHashRequestHandler; import ee.ria.xroad.signer.protocol.handler.GetSignMechanismRequestHandler; import ee.ria.xroad.signer.protocol.handler.SetKeyFriendlyNameRequestHandler; @@ -33,6 +34,7 @@ import io.grpc.stub.StreamObserver; import lombok.RequiredArgsConstructor; +import org.niis.xroad.signer.proto.DeleteKeyReq; import org.niis.xroad.signer.proto.GetKeyIdForCertHashRequest; import org.niis.xroad.signer.proto.GetKeyIdForCertHashResponse; import org.niis.xroad.signer.proto.GetSignMechanismRequest; @@ -57,6 +59,7 @@ public class KeyService extends KeyServiceGrpc.KeyServiceImplBase { private final GetSignMechanismRequestHandler getSignMechanismRequestHandler; private final GetKeyIdForCertHashRequestHandler getKeyIdForCertHashRequestHandler; private final SetKeyFriendlyNameRequestHandler setKeyFriendlyNameRequestHandler; + private final DeleteKeyReqHandler deleteKeyReqHandler; @Override public void getKeyIdForCertHash(GetKeyIdForCertHashRequest request, StreamObserver responseObserver) { @@ -83,4 +86,8 @@ public void signCertificate(SignCertificateRequest request, StreamObserver responseObserver) { + deleteKeyReqHandler.processSingle(request, responseObserver); + } } From eac4f57db3e6bf4c547c2719c8b8d5e313414dac Mon Sep 17 00:00:00 2001 
From: Justas Samuolis Date: Thu, 24 Aug 2023 16:11:01 +0300 Subject: [PATCH 020/127] chore: using token worker without akka Refs: XRDDEV-2461 --- .../signer/protocol/message/DeleteCert.java | 41 ------------------ .../signer/protocol/message/DeleteKey.java | 43 ------------------- .../handler/DeleteCertReqHandler.java | 5 +-- .../protocol/handler/DeleteKeyReqHandler.java | 5 +-- .../token/AbstractTokenWorker.java | 32 +++----------- 5 files changed, 11 insertions(+), 115 deletions(-) delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteCert.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteKey.java diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteCert.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteCert.java deleted file mode 100644 index bd5678739f..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteCert.java +++ /dev/null 
@@ -1,41 +0,0 @@
-/**
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.protocol.message;
-
-import lombok.Value;
-
-import java.io.Serializable;
-
-/**
- * Signer API message.
- */
-@Value
-@Deprecated
-public class DeleteCert implements Serializable {
-
- private final String certId;
-
-}
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteKey.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteKey.java
deleted file mode 100644
index f762366818..0000000000
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteKey.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/**
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.protocol.message;
-
-import lombok.Value;
-
-import java.io.Serializable;
-
-/**
- * Signer API message.
- */
-@Value
-@Deprecated
-public class DeleteKey implements Serializable {
-
- private String keyId;
-
- private boolean deleteFromDevice;
-
-}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertReqHandler.java index 637f3d8dcb..31284f804d 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteCertReqHandler.java @@ -30,7 +30,6 @@ import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; -import ee.ria.xroad.signer.protocol.message.DeleteCert; import ee.ria.xroad.signer.tokenmanager.TokenManager; import org.niis.xroad.signer.proto.DeleteCertReq; @@ -71,8 +70,8 @@ protected void deleteCertOnToken(DeleteCertReq deleteCert) { for (KeyInfo keyInfo : tokenInfo.getKeyInfo()) { for (CertificateInfo certInfo : keyInfo.getCerts()) { if (deleteCert.getCertId().equals(certInfo.getId())) { - var message = new DeleteCert(deleteCert.getCertId()); - temporaryAkkaMessenger.tellToken(message, tokenInfo.getId()); + getTokenWorker(tokenInfo.getId()) + .handleDeleteCert(deleteCert.getCertId()); return; } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteKeyReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteKeyReqHandler.java index a7178721e2..b254eef9d3 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteKeyReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/DeleteKeyReqHandler.java @@ -29,7 +29,6 @@ import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; -import ee.ria.xroad.signer.protocol.message.DeleteKey; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.util.TokenAndKey; 
@@ -64,8 +63,8 @@ protected Empty handle(DeleteKeyReq request) throws Exception { private void deleteKeyFile(String tokenId, DeleteKeyReq request) { - var message = new DeleteKey(request.getKeyId(), request.getDeleteFromDevice()); - temporaryAkkaMessenger.tellToken(message, tokenId); + getTokenWorker(tokenId) + .handleDeleteKey(request.getKeyId()); } private static void removeCertsFromKey(KeyInfo keyInfo) { diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java index 90be5488ea..2af48330f6 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java @@ -30,8 +30,6 @@ import ee.ria.xroad.common.util.PasswordStore; import ee.ria.xroad.signer.TemporaryHelper; import ee.ria.xroad.signer.protocol.dto.TokenInfo; -import ee.ria.xroad.signer.protocol.message.DeleteCert; -import ee.ria.xroad.signer.protocol.message.DeleteKey; import ee.ria.xroad.signer.protocol.message.GenerateKey; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.util.AbstractUpdateableActor; 
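Review bot: In the DeleteKeyReqHandler hunk, `deleteKeyFile` still accepts the whole `DeleteKeyReq` but now reads only `getKeyId()`, so the `deleteFromDevice` flag that the removed `DeleteKey` message carried no longer appears anywhere on this path. `handle` begins outside the hunk, so whether it checks the flag before calling this method cannot be confirmed from here. Because the worker call goes on to delete the key on the token, I would make that precondition explicit rather than implied. Narrowing the signature to `private void deleteKeyFile(String tokenId, String keyId)` and adding `// caller must have checked request.getDeleteFromDevice()` above it would keep a later refactor from turning this into an unconditional device-side delete.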
@@ -108,19 +106,10 @@ protected Exception customizeException(Exception e) { @Override protected void onMessage(Object message) throws Exception { log.trace("onMessage()"); - -// if (message instanceof ActivateToken) { -// handleActivateToken((ActivateToken) message); if (message instanceof GenerateKey) { handleGenerateKey((GenerateKey) message); - } else if (message instanceof DeleteKey) { - handleDeleteKey((DeleteKey) message); - } else if (message instanceof DeleteCert) { - handleDeleteCert((DeleteCert) message); } else if (message instanceof CalculateSignature) { handleCalculateSignature((CalculateSignature) message); -// } else if (message instanceof SignCertificate) { -// handleSignCertificate((SignCertificate) message); } else { unhandled(message); } @@ -136,8 +125,6 @@ public void handleActivateToken(ActivateTokenRequest message) throws Exception { activateToken(message); onUpdate(); - -// sendSuccessResponse(); } catch (Exception e) { log.error("Failed to activate token '{}': {}", getWorkerId(), e.getMessage()); 
@@ -172,30 +159,25 @@ private void handleGenerateKey(GenerateKey message) { sendResponse(TokenManager.findKeyInfo(keyId)); } - private void handleDeleteKey(DeleteKey message) { + public void handleDeleteKey(String keyId) { try { - deleteKey(message.getKeyId()); + deleteKey(keyId); } catch (Exception e) { - log.error("Failed to delete key '{}'", message.getKeyId(), e); + log.error("Failed to delete key '{}'", keyId, e); throw translateError(customizeException(e)); } - TokenManager.removeKey(message.getKeyId()); - - sendSuccessResponse(); + TokenManager.removeKey(keyId); } - private void handleDeleteCert(DeleteCert message) { + public void handleDeleteCert(String certificateId) { try { - deleteCert(message.getCertId()); + deleteCert(certificateId); } catch (Exception e) { - log.error("Failed to delete cert '{}'", message.getCertId(), e); - + log.error("Failed to delete cert '{}'", certificateId, e); throw translateError(customizeException(e)); } - - sendSuccessResponse(); } @Deprecated From 0ac17bb2df0dbe8850bc3d8272158fd09c158d5f Mon Sep 17 00:00:00 2001 
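Review bot: `handleDeleteKey` and `handleDeleteCert` become `public` here and are called directly from the request handlers (`getTokenWorker(...).handleDeleteKey(...)` in DeleteKeyReqHandler, `.handleDeleteCert(...)` in DeleteCertReqHandler), while `onMessage` in this class still dispatches `GenerateKey` and `CalculateSignature` as actor messages. A delete can therefore run on the caller's thread while a signing or key-generation message is being processed by the actor, an ordering the mailbox presumably enforced before; whether the concrete `deleteKey`/`deleteCert` implementations tolerate that is not visible in this hunk. Until the remaining messages are migrated I would either take one shared lock around the worker's token operations or state the contract in Javadoc on both methods, e.g. `/** Called directly from request-handler threads; not serialized with onMessage(). */`. With `sendSuccessResponse()` removed, success is signalled only by normal return and failure by the exception from `translateError(...)`, which belongs in the same Javadoc.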
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Thu, 24 Aug 2023 16:16:23 +0300 Subject: [PATCH 021/127] chore: refactor dto/handler naming Refs: XRDDEV-2468 --- .../java/ee/ria/xroad/signer/SignerProxy.java | 86 +++++++-------- .../src/main/proto/CertificateService.proto | 22 ++-- .../src/main/proto/KeyService.proto | 28 ++--- .../src/main/proto/OcspService.proto | 10 +- .../src/main/proto/TokenService.proto | 42 +++---- .../signer/protocol/CertificateService.java | 50 ++++----- .../ria/xroad/signer/protocol/KeyService.java | 58 +++++----- .../xroad/signer/protocol/OcspService.java | 22 ++-- .../xroad/signer/protocol/TokensService.java | 104 +++++++++--------- ...dler.java => ActivateTokenReqHandler.java} | 8 +- ... => GenerateSelfSignedCertReqHandler.java} | 13 +-- ... GetCertificateInfoForHashReqHandler.java} | 11 +- ...ava => GetKeyIdForCertHashReqHandler.java} | 11 +- ...ler.java => GetMemberCertsReqHandler.java} | 13 ++- ...r.java => GetOcspResponsesReqHandler.java} | 12 +- ...r.java => GetSignMechanismReqHandler.java} | 11 +- ...etTokenBatchSigningEnabledReqHandler.java} | 13 ++- ...kenInfoAndKeyIdForCertHashReqHandler.java} | 9 +- ...foAndKeyIdForCertRequestIdReqHandler.java} | 9 +- ...va => GetTokenInfoForKeyIdReqHandler.java} | 9 +- ...ndler.java => GetTokenInfoReqHandler.java} | 9 +- ....java => InitSoftwareTokenReqHandler.java} | 8 +- ...Handler.java => ListTokensReqHandler.java} | 8 +- ...a => RegenerateCertRequestReqHandler.java} | 26 +++-- ...dler.java => SetCertStatusReqHandler.java} | 9 +- ...java => SetKeyFriendlyNameReqHandler.java} | 9 +- ...r.java => SetOcspResponsesReqHandler.java} | 8 +- ...va => SetTokenFriendlyNameReqHandler.java} | 8 +- ...er.java => SignCertificateReqHandler.java} | 10 +- ...equestHandler.java => SignReqHandler.java} | 12 +- ... 
=> UpdateSoftwareTokenPinReqHandler.java} | 8 +- .../token/AbstractTokenWorker.java | 16 +-- .../token/SoftwareTokenWorker.java | 10 +- 33 files changed, 347 insertions(+), 335 deletions(-) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{ActivateTokenRequestHandler.java => ActivateTokenReqHandler.java} (88%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{GenerateSelfSignedCertRequestHandler.java => GenerateSelfSignedCertReqHandler.java} (95%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{GetCertificateInfoForHashRequestHandler.java => GetCertificateInfoForHashReqHandler.java} (84%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{GetKeyIdForCertHashRequestHandler.java => GetKeyIdForCertHashReqHandler.java} (84%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{GetMemberCertsRequestHandler.java => GetMemberCertsReqHandler.java} (88%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{GetOcspResponsesRequestHandler.java => GetOcspResponsesReqHandler.java} (84%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{GetSignMechanismRequestHandler.java => GetSignMechanismReqHandler.java} (84%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{GetTokenBatchSigningEnabledRequestHandler.java => GetTokenBatchSigningEnabledReqHandler.java} (87%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{GetTokenInfoAndKeyIdForCertHashRequestHandler.java => GetTokenInfoAndKeyIdForCertHashReqHandler.java} (89%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{GetTokenInfoAndKeyIdForCertRequestIdRequestHandler.java => GetTokenInfoAndKeyIdForCertRequestIdReqHandler.java} (88%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{GetTokenInfoForKeyIdRequestHandler.java => GetTokenInfoForKeyIdReqHandler.java} (87%) rename 
src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{GetTokenInfoRequestHandler.java => GetTokenInfoReqHandler.java} (88%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{InitSoftwareTokenRequestHandler.java => InitSoftwareTokenReqHandler.java} (91%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{ListTokensRequestHandler.java => ListTokensReqHandler.java} (86%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{RegenerateCertRequestRequestHandler.java => RegenerateCertRequestReqHandler.java} (79%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{SetCertStatusRequestHandler.java => SetCertStatusReqHandler.java} (88%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{SetKeyFriendlyNameRequestHandler.java => SetKeyFriendlyNameReqHandler.java} (88%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{SetOcspResponsesRequestHandler.java => SetOcspResponsesReqHandler.java} (89%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{SetTokenFriendlyNameRequestHandler.java => SetTokenFriendlyNameReqHandler.java} (88%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{SignCertificateRequestHandler.java => SignCertificateReqHandler.java} (83%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{SignRequestHandler.java => SignReqHandler.java} (85%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{UpdateSoftwareTokenPinRequestHandler.java => UpdateSoftwareTokenPinReqHandler.java} (90%) diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java index 77ff13235e..98c411da50 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java 
@@ -57,33 +57,33 @@ import lombok.Value; import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.proto.ActivateCertReq; -import org.niis.xroad.signer.proto.ActivateTokenRequest; +import org.niis.xroad.signer.proto.ActivateTokenReq; import org.niis.xroad.signer.proto.CertificateRequestFormat; import org.niis.xroad.signer.proto.DeleteCertReq; import org.niis.xroad.signer.proto.DeleteCertRequestReq; import org.niis.xroad.signer.proto.DeleteKeyReq; import org.niis.xroad.signer.proto.GenerateSelfSignedCertReq; -import org.niis.xroad.signer.proto.GetCertificateInfoForHashRequest; -import org.niis.xroad.signer.proto.GetKeyIdForCertHashRequest; -import org.niis.xroad.signer.proto.GetMemberCertsRequest; -import org.niis.xroad.signer.proto.GetOcspResponsesRequest; -import org.niis.xroad.signer.proto.GetSignMechanismRequest; -import org.niis.xroad.signer.proto.GetSignMechanismResponse; -import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledRequest; -import org.niis.xroad.signer.proto.GetTokenByCertHashRequest; -import org.niis.xroad.signer.proto.GetTokenByCertRequestIdRequest; -import org.niis.xroad.signer.proto.GetTokenByIdRequest; -import org.niis.xroad.signer.proto.GetTokenByKeyIdRequest; +import org.niis.xroad.signer.proto.GetCertificateInfoForHashReq; +import org.niis.xroad.signer.proto.GetKeyIdForCertHashReq; +import org.niis.xroad.signer.proto.GetMemberCertsReq; +import org.niis.xroad.signer.proto.GetOcspResponsesReq; +import org.niis.xroad.signer.proto.GetSignMechanismReq; +import org.niis.xroad.signer.proto.GetSignMechanismResp; +import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledReq; +import org.niis.xroad.signer.proto.GetTokenByCertHashReq; +import org.niis.xroad.signer.proto.GetTokenByCertRequestIdReq; +import org.niis.xroad.signer.proto.GetTokenByIdReq; +import org.niis.xroad.signer.proto.GetTokenByKeyIdReq; import org.niis.xroad.signer.proto.ImportCertReq; -import org.niis.xroad.signer.proto.InitSoftwareTokenRequest; -import 
org.niis.xroad.signer.proto.ListTokensResponse; -import org.niis.xroad.signer.proto.SetCertStatusRequest; -import org.niis.xroad.signer.proto.SetKeyFriendlyNameRequest; -import org.niis.xroad.signer.proto.SetOcspResponsesRequest; -import org.niis.xroad.signer.proto.SetTokenFriendlyNameRequest; -import org.niis.xroad.signer.proto.SignCertificateRequest; -import org.niis.xroad.signer.proto.SignRequest; -import org.niis.xroad.signer.proto.UpdateSoftwareTokenPinRequest; +import org.niis.xroad.signer.proto.InitSoftwareTokenReq; +import org.niis.xroad.signer.proto.ListTokensResp; +import org.niis.xroad.signer.proto.SetCertStatusReq; +import org.niis.xroad.signer.proto.SetKeyFriendlyNameReq; +import org.niis.xroad.signer.proto.SetOcspResponsesReq; +import org.niis.xroad.signer.proto.SetTokenFriendlyNameReq; +import org.niis.xroad.signer.proto.SignCertificateReq; +import org.niis.xroad.signer.proto.SignReq; +import org.niis.xroad.signer.proto.UpdateSoftwareTokenPinReq; import org.niis.xroad.signer.protocol.dto.Empty; import java.security.PublicKey; @@ -142,7 +142,7 @@ public static void initSoftwareToken(char[] password) throws Exception { log.trace("Initializing software token"); executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() - .initSoftwareToken(InitSoftwareTokenRequest.newBuilder() + .initSoftwareToken(InitSoftwareTokenReq.newBuilder() .setPin(new String(password)) .build())); } @@ -154,7 +154,7 @@ public static void initSoftwareToken(char[] password) throws Exception { * @throws Exception if any errors occur */ public static List getTokens() throws Exception { - ListTokensResponse response = executeAndHandleException(() -> + ListTokensResp response = executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub().listTokens(Empty.newBuilder().build())); return response.getTokensList().stream() 
@@ -183,7 +183,7 @@ private static RpcSignerClient getSignerClient() { */ public static TokenInfo getToken(String tokenId) throws Exception { return executeAndHandleException(() -> new TokenInfo(getSignerClient().getSignerApiBlockingStub() - .getTokenById(GetTokenByIdRequest.newBuilder() + .getTokenById(GetTokenByIdReq.newBuilder() .setTokenId(tokenId) .build()))); } @@ -201,7 +201,7 @@ public static void activateToken(String tokenId, char[] password) throws Excepti log.trace("Activating token '{}'", tokenId); executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() - .activateToken(ActivateTokenRequest.newBuilder() + .activateToken(ActivateTokenReq.newBuilder() .setTokenId(tokenId) .setActivate(true) .build())); @@ -219,7 +219,7 @@ public static void updateTokenPin(String tokenId, char[] oldPin, char[] newPin) log.trace("Updating token pin '{}'", tokenId); executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() - .updateSoftwareTokenPin(UpdateSoftwareTokenPinRequest.newBuilder() + .updateSoftwareTokenPin(UpdateSoftwareTokenPinReq.newBuilder() .setTokenId(tokenId) .setOldPin(new String(oldPin))//TODO:grpc its not great that we're doing this transformation .setNewPin(new String(newPin)) @@ -238,7 +238,7 @@ public static void deactivateToken(String tokenId) throws Exception { log.trace("Deactivating token '{}'", tokenId); executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() - .activateToken(ActivateTokenRequest.newBuilder() + .activateToken(ActivateTokenReq.newBuilder() .setTokenId(tokenId) .setActivate(false) .build())); 
@@ -255,7 +255,7 @@ public static void setTokenFriendlyName(String tokenId, String friendlyName) thr log.trace("Setting friendly name '{}' for token '{}'", friendlyName, tokenId); executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() - .setTokenFriendlyName(SetTokenFriendlyNameRequest.newBuilder() + .setTokenFriendlyName(SetTokenFriendlyNameReq.newBuilder() .setTokenId(tokenId) .setFriendlyName(friendlyName) .build())); @@ -272,7 +272,7 @@ public static void setKeyFriendlyName(String keyId, String friendlyName) throws log.trace("Setting friendly name '{}' for key '{}'", friendlyName, keyId); executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() - .setKeyFriendlyName(SetKeyFriendlyNameRequest.newBuilder() + .setKeyFriendlyName(SetKeyFriendlyNameReq.newBuilder() .setKeyId(keyId) .setFriendlyName(friendlyName) .build())); @@ -508,7 +508,7 @@ public static void setCertStatus(String certId, String status) throws Exception log.trace("Setting cert ('{}') status to '{}'", certId, status); executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() - .setCertStatus(SetCertStatusRequest.newBuilder() + .setCertStatus(SetCertStatusReq.newBuilder() .setCertId(certId) .setStatus(status) .build())); @@ -526,7 +526,7 @@ public static CertificateInfo getCertForHash(String hash) throws Exception { log.trace("Getting cert by hash '{}'", hash); var response = executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() - .getCertificateInfoForHash(GetCertificateInfoForHashRequest.newBuilder() + .getCertificateInfoForHash(GetCertificateInfoForHashReq.newBuilder() .setCertHash(finalHash) .build())); 
@@ -547,7 +547,7 @@ public static KeyIdInfo getKeyIdForCertHash(String hash) throws Exception { log.trace("Getting cert by hash '{}'", finalHash); var response = executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() - .getKeyIdForCertHash(GetKeyIdForCertHashRequest.newBuilder() + .getKeyIdForCertHash(GetKeyIdForCertHashReq.newBuilder() .setCertHash(finalHash) .build())); @@ -568,7 +568,7 @@ public static TokenInfoAndKeyId getTokenAndKeyIdForCertHash(String hash) { log.trace("Getting token and key id by cert hash '{}'", hashLowercase); var response = executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() - .getTokenAndKeyIdByCertHash(GetTokenByCertHashRequest.newBuilder() + .getTokenAndKeyIdByCertHash(GetTokenByCertHashReq.newBuilder() .setCertHash(hashLowercase) .build())); log.trace("Token and key id with hash '{}' found", hashLowercase); @@ -587,7 +587,7 @@ public static TokenInfoAndKeyId getTokenAndKeyIdForCertHash(String hash) { public static String[] getOcspResponses(String[] certHashes) throws Exception { var response = executeAndHandleException(() -> getSignerClient().getOcspServiceBlockingStub() - .getOcspResponses(GetOcspResponsesRequest.newBuilder() + .getOcspResponses(GetOcspResponsesReq.newBuilder() .addAllCertHash(toLowerCase(certHashes)) .build())); @@ -596,7 +596,7 @@ public static String[] getOcspResponses(String[] certHashes) throws Exception { public static void setOcspResponses(String[] certHashes, String[] base64EncodedResponses) throws Exception { executeAndHandleException(() -> getSignerClient().getOcspServiceBlockingStub() - .setOcspResponses(SetOcspResponsesRequest.newBuilder() + .setOcspResponses(SetOcspResponsesReq.newBuilder() .addAllCertHashes(asList(certHashes)) .addAllBase64EncodedResponses(asList(base64EncodedResponses)) .build())); 
@@ -630,7 +630,7 @@ public static TokenInfoAndKeyId getTokenAndKeyIdForCertRequestId(String certRequ log.trace("Getting token and key id by cert request id '{}'", certRequestId); var response = executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() - .getTokenAndKeyIdByCertRequestId(GetTokenByCertRequestIdRequest.newBuilder() + .getTokenAndKeyIdByCertRequestId(GetTokenByCertRequestIdReq.newBuilder() .setCertRequestId(certRequestId) .build())); @@ -648,12 +648,12 @@ public static TokenInfoAndKeyId getTokenAndKeyIdForCertRequestId(String certRequ */ public static TokenInfo getTokenForKeyId(String keyId) throws Exception { return executeAndHandleException(() -> new TokenInfo(getSignerClient().getSignerApiBlockingStub() - .getTokenByKey(GetTokenByKeyIdRequest.newBuilder().setKeyId(keyId).build()))); + .getTokenByKey(GetTokenByKeyIdReq.newBuilder().setKeyId(keyId).build()))); } public static String getSignMechanism(String keyId) throws Exception { - GetSignMechanismResponse response = executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() - .getSignMechanism(GetSignMechanismRequest.newBuilder() + GetSignMechanismResp response = executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() + .getSignMechanism(GetSignMechanismReq.newBuilder() .setKeyId(keyId) .build())); @@ -662,7 +662,7 @@ public static String getSignMechanism(String keyId) throws Exception { public static byte[] sign(String keyId, String signatureAlgorithmId, byte[] digest) throws Exception { var response = executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() - .sign(SignRequest.newBuilder() + .sign(SignReq.newBuilder() .setKeyId(keyId) .setSignatureAlgorithmId(signatureAlgorithmId) .setDigest(ByteString.copyFrom(digest)) 
@@ -673,7 +673,7 @@ public static byte[] sign(String keyId, String signatureAlgorithmId, byte[] dige public static Boolean isTokenBatchSigningEnabled(String keyId) { var response = executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() - .getTokenBatchSigningEnabled(GetTokenBatchSigningEnabledRequest.newBuilder() + .getTokenBatchSigningEnabled(GetTokenBatchSigningEnabledReq.newBuilder() .setKeyId(keyId) .build())); @@ -687,7 +687,7 @@ public static MemberSigningInfoDto getMemberSigningInfo(ClientId clientId) throw public static List getMemberCerts(ClientId memberId) throws Exception { var response = executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() - .getMemberCerts(GetMemberCertsRequest.newBuilder() + .getMemberCerts(GetMemberCertsReq.newBuilder() .setMemberId(ClientIdMapper.toDto(memberId)) .build())); return response.getCertsList().stream() @@ -702,7 +702,7 @@ public static boolean isHSMOperational() throws Exception { public static byte[] signCertificate(String keyId, String signatureAlgorithmId, String subjectName, PublicKey publicKey) throws Exception { var response = executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() - .signCertificate(SignCertificateRequest.newBuilder() + .signCertificate(SignCertificateReq.newBuilder() .setKeyId(keyId) .setSignatureAlgorithmId(signatureAlgorithmId) .setSubjectName(subjectName) diff --git a/src/signer-protocol/src/main/proto/CertificateService.proto b/src/signer-protocol/src/main/proto/CertificateService.proto index 1e5770eeb9..37fbd43189 100644 --- a/src/signer-protocol/src/main/proto/CertificateService.proto +++ b/src/signer-protocol/src/main/proto/CertificateService.proto 
@@ -11,13 +11,13 @@ package org.niis.xroad.signer.proto; service CertificateService { rpc ActivateCert (ActivateCertReq) returns (Empty) {} - rpc GetCertificateInfoForHash (GetCertificateInfoForHashRequest) returns (GetCertificateInfoResponse) {} + rpc GetCertificateInfoForHash (GetCertificateInfoForHashReq) returns (GetCertificateInfoResp) {} - rpc GetMemberCerts (GetMemberCertsRequest) returns (GetMemberCertsResponse) {} + rpc GetMemberCerts (GetMemberCertsReq) returns (GetMemberCertsResp) {} - rpc SetCertStatus (SetCertStatusRequest) returns (Empty) {} + rpc SetCertStatus (SetCertStatusReq) returns (Empty) {} - rpc RegenerateCertReq (RegenerateCertReqRequest) returns (RegenerateCertReqResponse) {} + rpc RegenerateCertRequest (RegenerateCertRequestReq) returns (RegenerateCertRequestResp) {} rpc DeleteCert (DeleteCertReq) returns (Empty) {} @@ -28,11 +28,11 @@ service CertificateService { rpc GenerateSelfSignedCert (GenerateSelfSignedCertReq) returns (GenerateSelfSignedCertResp) {} } -message GetCertificateInfoForHashRequest { +message GetCertificateInfoForHashReq { string certHash = 1; } -message GetCertificateInfoResponse { +message GetCertificateInfoResp { CertificateInfoProto certificateInfo = 1; } @@ -41,25 +41,25 @@ message ActivateCertReq { bool active = 2; } -message SetCertStatusRequest{ +message SetCertStatusReq{ string certId = 1; string status = 2; } -message GetMemberCertsRequest{ +message GetMemberCertsReq{ ClientIdProto memberId = 1; } -message GetMemberCertsResponse{ +message GetMemberCertsResp{ repeated CertificateInfoProto certs = 1; } -message RegenerateCertReqRequest {//TODO:grpc consider swapping req and request places.. +message RegenerateCertRequestReq {//TODO:grpc consider swapping req and request places.. string certRequestId = 1; CertificateRequestFormat format = 2; } -message RegenerateCertReqResponse { +message RegenerateCertRequestResp { string certReqId = 1; bytes certRequest = 2; CertificateRequestFormat format = 3; 
diff --git a/src/signer-protocol/src/main/proto/KeyService.proto b/src/signer-protocol/src/main/proto/KeyService.proto index acdb6565c9..b11826cc9b 100644 --- a/src/signer-protocol/src/main/proto/KeyService.proto +++ b/src/signer-protocol/src/main/proto/KeyService.proto 
@@ -9,54 +9,54 @@ import "TokenStatusInfo.proto"; package org.niis.xroad.signer.proto; service KeyService { - rpc SetKeyFriendlyName (SetKeyFriendlyNameRequest) returns (Empty) {} + rpc SetKeyFriendlyName (SetKeyFriendlyNameReq) returns (Empty) {} - rpc GetKeyIdForCertHash (GetKeyIdForCertHashRequest) returns (GetKeyIdForCertHashResponse) {} + rpc GetKeyIdForCertHash (GetKeyIdForCertHashReq) returns (GetKeyIdForCertHashResp) {} - rpc GetSignMechanism (GetSignMechanismRequest) returns (GetSignMechanismResponse) {} + rpc GetSignMechanism (GetSignMechanismReq) returns (GetSignMechanismResp) {} - rpc Sign(SignRequest) returns (SignResponse) {} + rpc Sign(SignReq) returns (SignResp) {} - rpc SignCertificate(SignCertificateRequest) returns (SignCertificateResponse) {} + rpc SignCertificate(SignCertificateReq) returns (SignCertificateResp) {} rpc DeleteKey (DeleteKeyReq) returns (Empty) {} } -message GetKeyIdForCertHashRequest { +message GetKeyIdForCertHashReq { string certHash = 1; } -message GetKeyIdForCertHashResponse { +message GetKeyIdForCertHashResp { string keyId = 1; string signMechanismName = 2; } -message SetKeyFriendlyNameRequest { +message SetKeyFriendlyNameReq { string keyId = 1; string friendlyName = 2; } -message GetSignMechanismRequest { +message GetSignMechanismReq { string keyId = 1; } -message GetSignMechanismResponse { +message GetSignMechanismResp { string signMechanismName = 1; } -message SignRequest { +message SignReq { string keyId = 1; string signatureAlgorithmId = 2; bytes digest = 3; } -message SignResponse { +message SignResp { bytes signature = 1; } -message SignCertificateRequest { +message SignCertificateReq { string keyId = 1; string signatureAlgorithmId = 2; string subjectName = 3; @@ -64,7 +64,7 @@ message SignCertificateRequest { } -message SignCertificateResponse { +message SignCertificateResp { bytes certificateChain = 1; } 
diff --git a/src/signer-protocol/src/main/proto/OcspService.proto b/src/signer-protocol/src/main/proto/OcspService.proto index 34583fd729..ccef5a26b3 100644 --- a/src/signer-protocol/src/main/proto/OcspService.proto +++ b/src/signer-protocol/src/main/proto/OcspService.proto @@ -7,20 +7,20 @@ package org.niis.xroad.signer.proto; import "CommonMessages.proto"; service OcspService { - rpc SetOcspResponses (SetOcspResponsesRequest) returns (Empty) {} + rpc SetOcspResponses (SetOcspResponsesReq) returns (Empty) {} - rpc GetOcspResponses (GetOcspResponsesRequest) returns (GetOcspResponsesResponse) {} + rpc GetOcspResponses (GetOcspResponsesReq) returns (GetOcspResponsesResp) {} } -message SetOcspResponsesRequest { +message SetOcspResponsesReq { repeated string certHashes = 1; repeated string base64EncodedResponses = 2; } -message GetOcspResponsesRequest{ +message GetOcspResponsesReq{ repeated string certHash = 1; } -message GetOcspResponsesResponse{ +message GetOcspResponsesResp{ repeated string base64EncodedResponses = 1; } diff --git a/src/signer-protocol/src/main/proto/TokenService.proto b/src/signer-protocol/src/main/proto/TokenService.proto index fe49c9edc6..5c077cdfeb 100644 --- a/src/signer-protocol/src/main/proto/TokenService.proto +++ b/src/signer-protocol/src/main/proto/TokenService.proto 
@@ -9,71 +9,71 @@ import "TokenStatusInfo.proto"; package org.niis.xroad.signer.proto; service TokenService { - rpc GetTokenById (GetTokenByIdRequest) returns (TokenInfoProto) {} + rpc GetTokenById (GetTokenByIdReq) returns (TokenInfoProto) {} - rpc GetTokenByKey (GetTokenByKeyIdRequest) returns (TokenInfoProto) {} + rpc GetTokenByKey (GetTokenByKeyIdReq) returns (TokenInfoProto) {} - rpc GetTokenAndKeyIdByCertRequestId (GetTokenByCertRequestIdRequest) returns (TokenInfoAndKeyIdProto) {} + rpc GetTokenAndKeyIdByCertRequestId (GetTokenByCertRequestIdReq) returns (TokenInfoAndKeyIdProto) {} - rpc GetTokenAndKeyIdByCertHash (GetTokenByCertHashRequest) returns (TokenInfoAndKeyIdProto) {} + rpc GetTokenAndKeyIdByCertHash (GetTokenByCertHashReq) returns (TokenInfoAndKeyIdProto) {} - rpc ListTokens (Empty) returns (ListTokensResponse) {} + rpc ListTokens (Empty) returns (ListTokensResp) {} - rpc ActivateToken (ActivateTokenRequest) returns (Empty) {} + rpc ActivateToken (ActivateTokenReq) returns (Empty) {} - rpc SetTokenFriendlyName (SetTokenFriendlyNameRequest) returns (Empty) {} + rpc SetTokenFriendlyName (SetTokenFriendlyNameReq) returns (Empty) {} - rpc GetTokenBatchSigningEnabled(GetTokenBatchSigningEnabledRequest) returns (GetTokenBatchSigningEnabledResponse){} + rpc GetTokenBatchSigningEnabled(GetTokenBatchSigningEnabledReq) returns (GetTokenBatchSigningEnabledResp){} - rpc InitSoftwareToken(InitSoftwareTokenRequest) returns (Empty) {} + rpc InitSoftwareToken(InitSoftwareTokenReq) returns (Empty) {} - rpc UpdateSoftwareTokenPin(UpdateSoftwareTokenPinRequest) returns (Empty) {} + rpc UpdateSoftwareTokenPin(UpdateSoftwareTokenPinReq) returns (Empty) {} } -message ListTokensResponse { +message ListTokensResp { repeated TokenInfoProto tokens = 1; } -message ActivateTokenRequest{ +message ActivateTokenReq{ string tokenId = 1; bool activate = 2; } -message GetTokenByIdRequest { +message GetTokenByIdReq { string tokenId = 1; } -message GetTokenByKeyIdRequest { +message 
GetTokenByKeyIdReq { string keyId = 1; } -message GetTokenByCertRequestIdRequest { +message GetTokenByCertRequestIdReq { string certRequestId = 1; } -message GetTokenByCertHashRequest { +message GetTokenByCertHashReq { string certHash = 1; } -message SetTokenFriendlyNameRequest { +message SetTokenFriendlyNameReq { string tokenId = 1; string friendlyName = 2; } -message GetTokenBatchSigningEnabledRequest { +message GetTokenBatchSigningEnabledReq { string keyId = 1; } -message GetTokenBatchSigningEnabledResponse { +message GetTokenBatchSigningEnabledResp { bool batchingSigningEnabled = 1; } -message InitSoftwareTokenRequest { +message InitSoftwareTokenReq { string pin = 1; } -message UpdateSoftwareTokenPinRequest { +message UpdateSoftwareTokenPinReq { string tokenId = 1; string oldPin = 2; string newPin = 3; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java index df39c3b272..7afc0c9f85 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java 
@@ -28,11 +28,11 @@ import ee.ria.xroad.signer.protocol.handler.ActivateCertRequestHandler; import ee.ria.xroad.signer.protocol.handler.DeleteCertReqHandler; import ee.ria.xroad.signer.protocol.handler.DeleteCertRequestReqHandler; -import ee.ria.xroad.signer.protocol.handler.GenerateSelfSignedCertRequestHandler; -import ee.ria.xroad.signer.protocol.handler.GetCertificateInfoForHashRequestHandler; -import ee.ria.xroad.signer.protocol.handler.GetMemberCertsRequestHandler; +import ee.ria.xroad.signer.protocol.handler.GenerateSelfSignedCertReqHandler; +import ee.ria.xroad.signer.protocol.handler.GetCertificateInfoForHashReqHandler; +import ee.ria.xroad.signer.protocol.handler.GetMemberCertsReqHandler; import ee.ria.xroad.signer.protocol.handler.ImportCertReqHandler; -import ee.ria.xroad.signer.protocol.handler.SetCertStatusRequestHandler; +import ee.ria.xroad.signer.protocol.handler.SetCertStatusReqHandler; import io.grpc.stub.StreamObserver; import lombok.RequiredArgsConstructor; 
@@ -43,15 +43,15 @@ import org.niis.xroad.signer.proto.DeleteCertRequestReq; import org.niis.xroad.signer.proto.GenerateSelfSignedCertReq; import org.niis.xroad.signer.proto.GenerateSelfSignedCertResp; -import org.niis.xroad.signer.proto.GetCertificateInfoForHashRequest; -import org.niis.xroad.signer.proto.GetCertificateInfoResponse; -import org.niis.xroad.signer.proto.GetMemberCertsRequest; -import org.niis.xroad.signer.proto.GetMemberCertsResponse; +import org.niis.xroad.signer.proto.GetCertificateInfoForHashReq; +import org.niis.xroad.signer.proto.GetCertificateInfoResp; +import org.niis.xroad.signer.proto.GetMemberCertsReq; +import org.niis.xroad.signer.proto.GetMemberCertsResp; import org.niis.xroad.signer.proto.ImportCertReq; import org.niis.xroad.signer.proto.ImportCertResp; -import org.niis.xroad.signer.proto.RegenerateCertReqRequest; -import org.niis.xroad.signer.proto.RegenerateCertReqResponse; -import org.niis.xroad.signer.proto.SetCertStatusRequest; +import org.niis.xroad.signer.proto.RegenerateCertRequestReq; +import org.niis.xroad.signer.proto.RegenerateCertRequestResp; +import org.niis.xroad.signer.proto.SetCertStatusReq; import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Service; 
@@ -63,13 +63,13 @@ @RequiredArgsConstructor public class CertificateService extends CertificateServiceGrpc.CertificateServiceImplBase { private final ActivateCertRequestHandler activateCertRequestHandler; - private final GetCertificateInfoForHashRequestHandler getCertificateInfoForHashRequestHandler; - private final GetMemberCertsRequestHandler getMemberCertsRequestHandler; - private final SetCertStatusRequestHandler setCertStatusRequestHandler; + private final GetCertificateInfoForHashReqHandler getCertificateInfoForHashReqHandler; + private final GetMemberCertsReqHandler getMemberCertsReqHandler; + private final SetCertStatusReqHandler setCertStatusReqHandler; private final DeleteCertReqHandler deleteCertReqHandler; private final DeleteCertRequestReqHandler deleteCertRequestReqHandler; private final ImportCertReqHandler importCertReqHandler; - private final GenerateSelfSignedCertRequestHandler generateSelfSignedCertRequestHandler; + private final GenerateSelfSignedCertReqHandler generateSelfSignedCertReqHandler; @Override public void activateCert(ActivateCertReq request, StreamObserver responseObserver) { 
@@ -77,19 +77,19 @@ public void activateCert(ActivateCertReq request, StreamObserver response } @Override - public void getCertificateInfoForHash(GetCertificateInfoForHashRequest request, - StreamObserver responseObserver) { - getCertificateInfoForHashRequestHandler.processSingle(request, responseObserver); + public void getCertificateInfoForHash(GetCertificateInfoForHashReq request, + StreamObserver responseObserver) { + getCertificateInfoForHashReqHandler.processSingle(request, responseObserver); } @Override - public void setCertStatus(SetCertStatusRequest request, StreamObserver responseObserver) { - setCertStatusRequestHandler.processSingle(request, responseObserver); + public void setCertStatus(SetCertStatusReq request, StreamObserver responseObserver) { + setCertStatusReqHandler.processSingle(request, responseObserver); } @Override - public void getMemberCerts(GetMemberCertsRequest request, StreamObserver responseObserver) { - getMemberCertsRequestHandler.processSingle(request, responseObserver); + public void getMemberCerts(GetMemberCertsReq request, StreamObserver responseObserver) { + getMemberCertsReqHandler.processSingle(request, responseObserver); } @Override @@ -109,11 +109,11 @@ public void importCert(ImportCertReq request, StreamObserver res @Override public void generateSelfSignedCert(GenerateSelfSignedCertReq request, StreamObserver responseObserver) { - generateSelfSignedCertRequestHandler.processSingle(request, responseObserver); + generateSelfSignedCertReqHandler.processSingle(request, responseObserver); } @Override - public void regenerateCertReq(RegenerateCertReqRequest request, StreamObserver responseObserver) { - //TODO + public void regenerateCertRequest(RegenerateCertRequestReq request, StreamObserver responseObserver) { + super.regenerateCertRequest(request, responseObserver); } } 
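Review bot: In `regenerateCertRequest` (second hunk of CertificateService.java) the `//TODO` body is replaced by a bare `super.regenerateCertRequest(request, responseObserver);`, so nothing in the code now records that this RPC is still unimplemented. Assuming the usual grpc-java generated base class, the inherited method closes the call with an UNIMPLEMENTED status, which is better than the old empty body that never completed the call, but the override itself adds nothing. Either drop the override or keep it with a comment such as `// Not implemented yet: the generated base method answers UNIMPLEMENTED.` so the gap stays visible to whoever wires up the client. The enclosing class starts outside this hunk.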
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java index 9e7ce730c7..4a7cfdd285 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java 
@@ -26,25 +26,25 @@ package ee.ria.xroad.signer.protocol; import ee.ria.xroad.signer.protocol.handler.DeleteKeyReqHandler; -import ee.ria.xroad.signer.protocol.handler.GetKeyIdForCertHashRequestHandler; -import ee.ria.xroad.signer.protocol.handler.GetSignMechanismRequestHandler; -import ee.ria.xroad.signer.protocol.handler.SetKeyFriendlyNameRequestHandler; -import ee.ria.xroad.signer.protocol.handler.SignCertificateRequestHandler; -import ee.ria.xroad.signer.protocol.handler.SignRequestHandler; +import ee.ria.xroad.signer.protocol.handler.GetKeyIdForCertHashReqHandler; +import ee.ria.xroad.signer.protocol.handler.GetSignMechanismReqHandler; +import ee.ria.xroad.signer.protocol.handler.SetKeyFriendlyNameReqHandler; +import ee.ria.xroad.signer.protocol.handler.SignCertificateReqHandler; +import ee.ria.xroad.signer.protocol.handler.SignReqHandler; import io.grpc.stub.StreamObserver; import lombok.RequiredArgsConstructor; import org.niis.xroad.signer.proto.DeleteKeyReq; -import org.niis.xroad.signer.proto.GetKeyIdForCertHashRequest; -import org.niis.xroad.signer.proto.GetKeyIdForCertHashResponse; -import org.niis.xroad.signer.proto.GetSignMechanismRequest; -import org.niis.xroad.signer.proto.GetSignMechanismResponse; +import org.niis.xroad.signer.proto.GetKeyIdForCertHashReq; +import org.niis.xroad.signer.proto.GetKeyIdForCertHashResp; +import org.niis.xroad.signer.proto.GetSignMechanismReq; +import org.niis.xroad.signer.proto.GetSignMechanismResp; import org.niis.xroad.signer.proto.KeyServiceGrpc; -import org.niis.xroad.signer.proto.SetKeyFriendlyNameRequest; -import org.niis.xroad.signer.proto.SignCertificateRequest; -import org.niis.xroad.signer.proto.SignCertificateResponse; -import org.niis.xroad.signer.proto.SignRequest; -import org.niis.xroad.signer.proto.SignResponse; +import org.niis.xroad.signer.proto.SetKeyFriendlyNameReq; +import org.niis.xroad.signer.proto.SignCertificateReq; +import org.niis.xroad.signer.proto.SignCertificateResp; +import 
org.niis.xroad.signer.proto.SignReq; +import org.niis.xroad.signer.proto.SignResp; import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Service; 
@@ -54,36 +54,36 @@ @Service @RequiredArgsConstructor public class KeyService extends KeyServiceGrpc.KeyServiceImplBase { - private final SignRequestHandler signRequestHandler; - private final SignCertificateRequestHandler signCertificateRequestHandler; - private final GetSignMechanismRequestHandler getSignMechanismRequestHandler; - private final GetKeyIdForCertHashRequestHandler getKeyIdForCertHashRequestHandler; - private final SetKeyFriendlyNameRequestHandler setKeyFriendlyNameRequestHandler; + private final SignReqHandler signReqHandler; + private final SignCertificateReqHandler signCertificateReqHandler; + private final GetSignMechanismReqHandler getSignMechanismReqHandler; + private final GetKeyIdForCertHashReqHandler getKeyIdForCertHashReqHandler; + private final SetKeyFriendlyNameReqHandler setKeyFriendlyNameReqHandler; private final DeleteKeyReqHandler deleteKeyReqHandler; @Override - public void getKeyIdForCertHash(GetKeyIdForCertHashRequest request, StreamObserver responseObserver) { - getKeyIdForCertHashRequestHandler.processSingle(request, responseObserver); + public void getKeyIdForCertHash(GetKeyIdForCertHashReq request, StreamObserver responseObserver) { + getKeyIdForCertHashReqHandler.processSingle(request, responseObserver); } @Override - public void setKeyFriendlyName(SetKeyFriendlyNameRequest request, StreamObserver responseObserver) { - setKeyFriendlyNameRequestHandler.processSingle(request, responseObserver); + public void setKeyFriendlyName(SetKeyFriendlyNameReq request, StreamObserver responseObserver) { + setKeyFriendlyNameReqHandler.processSingle(request, responseObserver); } @Override - public void getSignMechanism(GetSignMechanismRequest request, StreamObserver responseObserver) { - getSignMechanismRequestHandler.processSingle(request, responseObserver); + public void getSignMechanism(GetSignMechanismReq request, StreamObserver responseObserver) { + getSignMechanismReqHandler.processSingle(request, responseObserver); } @Override - public 
void sign(SignRequest request, StreamObserver responseObserver) { - signRequestHandler.processSingle(request, responseObserver); + public void sign(SignReq request, StreamObserver responseObserver) { + signReqHandler.processSingle(request, responseObserver); } @Override - public void signCertificate(SignCertificateRequest request, StreamObserver responseObserver) { - signCertificateRequestHandler.processSingle(request, responseObserver); + public void signCertificate(SignCertificateReq request, StreamObserver responseObserver) { + signCertificateReqHandler.processSingle(request, responseObserver); } @Override diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/OcspService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/OcspService.java index 725c21a3fd..0cbfbf1981 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/OcspService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/OcspService.java @@ -1,15 +1,15 @@ package ee.ria.xroad.signer.protocol; -import ee.ria.xroad.signer.protocol.handler.GetOcspResponsesRequestHandler; -import ee.ria.xroad.signer.protocol.handler.SetOcspResponsesRequestHandler; +import ee.ria.xroad.signer.protocol.handler.GetOcspResponsesReqHandler; +import ee.ria.xroad.signer.protocol.handler.SetOcspResponsesReqHandler; import io.grpc.stub.StreamObserver; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; -import org.niis.xroad.signer.proto.GetOcspResponsesRequest; -import org.niis.xroad.signer.proto.GetOcspResponsesResponse; +import org.niis.xroad.signer.proto.GetOcspResponsesReq; +import org.niis.xroad.signer.proto.GetOcspResponsesResp; import org.niis.xroad.signer.proto.OcspServiceGrpc; -import org.niis.xroad.signer.proto.SetOcspResponsesRequest; +import org.niis.xroad.signer.proto.SetOcspResponsesReq; import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Service; 
@@ -17,17 +17,17 @@ @Service @RequiredArgsConstructor public class OcspService extends OcspServiceGrpc.OcspServiceImplBase { - private final SetOcspResponsesRequestHandler setOcspResponsesRequestHandler; - private final GetOcspResponsesRequestHandler getOcspResponsesRequestHandler; + private final SetOcspResponsesReqHandler setOcspResponsesReqHandler; + private final GetOcspResponsesReqHandler getOcspResponsesReqHandler; @Override - public void setOcspResponses(SetOcspResponsesRequest request, StreamObserver responseObserver) { - setOcspResponsesRequestHandler.processSingle(request, responseObserver); + public void setOcspResponses(SetOcspResponsesReq request, StreamObserver responseObserver) { + setOcspResponsesReqHandler.processSingle(request, responseObserver); } @Override - public void getOcspResponses(GetOcspResponsesRequest request, StreamObserver responseObserver) { - getOcspResponsesRequestHandler.processSingle(request, responseObserver); + public void getOcspResponses(GetOcspResponsesReq request, StreamObserver responseObserver) { + getOcspResponsesReqHandler.processSingle(request, responseObserver); } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java index 58111e5461..c252c2742f 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java 
@@ -27,31 +27,31 @@ import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyIdProto; import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; -import ee.ria.xroad.signer.protocol.handler.ActivateTokenRequestHandler; -import ee.ria.xroad.signer.protocol.handler.GetTokenBatchSigningEnabledRequestHandler; -import ee.ria.xroad.signer.protocol.handler.GetTokenInfoAndKeyIdForCertHashRequestHandler; -import ee.ria.xroad.signer.protocol.handler.GetTokenInfoAndKeyIdForCertRequestIdRequestHandler; -import ee.ria.xroad.signer.protocol.handler.GetTokenInfoForKeyIdRequestHandler; -import ee.ria.xroad.signer.protocol.handler.GetTokenInfoRequestHandler; -import ee.ria.xroad.signer.protocol.handler.InitSoftwareTokenRequestHandler; -import ee.ria.xroad.signer.protocol.handler.ListTokensRequestHandler; -import ee.ria.xroad.signer.protocol.handler.SetTokenFriendlyNameRequestHandler; -import ee.ria.xroad.signer.protocol.handler.UpdateSoftwareTokenPinRequestHandler; +import ee.ria.xroad.signer.protocol.handler.ActivateTokenReqHandler; +import ee.ria.xroad.signer.protocol.handler.GetTokenBatchSigningEnabledReqHandler; +import ee.ria.xroad.signer.protocol.handler.GetTokenInfoAndKeyIdForCertHashReqHandler; +import ee.ria.xroad.signer.protocol.handler.GetTokenInfoAndKeyIdForCertRequestIdReqHandler; +import ee.ria.xroad.signer.protocol.handler.GetTokenInfoForKeyIdReqHandler; +import ee.ria.xroad.signer.protocol.handler.GetTokenInfoReqHandler; +import ee.ria.xroad.signer.protocol.handler.InitSoftwareTokenReqHandler; +import ee.ria.xroad.signer.protocol.handler.ListTokensReqHandler; +import ee.ria.xroad.signer.protocol.handler.SetTokenFriendlyNameReqHandler; +import ee.ria.xroad.signer.protocol.handler.UpdateSoftwareTokenPinReqHandler; import io.grpc.stub.StreamObserver; import lombok.RequiredArgsConstructor; -import org.niis.xroad.signer.proto.ActivateTokenRequest; -import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledRequest; -import 
org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledResponse; -import org.niis.xroad.signer.proto.GetTokenByCertHashRequest; -import org.niis.xroad.signer.proto.GetTokenByCertRequestIdRequest; -import org.niis.xroad.signer.proto.GetTokenByIdRequest; -import org.niis.xroad.signer.proto.GetTokenByKeyIdRequest; -import org.niis.xroad.signer.proto.InitSoftwareTokenRequest; -import org.niis.xroad.signer.proto.ListTokensResponse; -import org.niis.xroad.signer.proto.SetTokenFriendlyNameRequest; +import org.niis.xroad.signer.proto.ActivateTokenReq; +import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledReq; +import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledResp; +import org.niis.xroad.signer.proto.GetTokenByCertHashReq; +import org.niis.xroad.signer.proto.GetTokenByCertRequestIdReq; +import org.niis.xroad.signer.proto.GetTokenByIdReq; +import org.niis.xroad.signer.proto.GetTokenByKeyIdReq; +import org.niis.xroad.signer.proto.InitSoftwareTokenReq; +import org.niis.xroad.signer.proto.ListTokensResp; +import org.niis.xroad.signer.proto.SetTokenFriendlyNameReq; import org.niis.xroad.signer.proto.TokenServiceGrpc; -import org.niis.xroad.signer.proto.UpdateSoftwareTokenPinRequest; +import org.niis.xroad.signer.proto.UpdateSoftwareTokenPinReq; import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Service; 
@@ -61,67 +61,67 @@ @Service @RequiredArgsConstructor public class TokensService extends TokenServiceGrpc.TokenServiceImplBase { - private final ActivateTokenRequestHandler activateTokenRequestHandler; - private final UpdateSoftwareTokenPinRequestHandler updateSoftwareTokenPinRequestHandler; - private final InitSoftwareTokenRequestHandler initSoftwareTokenRequestHandler; - private final GetTokenInfoRequestHandler getTokenInfoRequestHandler; - private final GetTokenInfoForKeyIdRequestHandler getTokenInfoForKeyIdRequestHandler; - private final GetTokenBatchSigningEnabledRequestHandler getTokenBatchSigningEnabledRequestHandler; - private final GetTokenInfoAndKeyIdForCertHashRequestHandler getTokenInfoAndKeyIdForCertHashRequestHandler; - private final GetTokenInfoAndKeyIdForCertRequestIdRequestHandler getTokenInfoAndKeyIdForCertRequestIdRequestHandler; - private final SetTokenFriendlyNameRequestHandler setTokenFriendlyNameRequestHandler; - private final ListTokensRequestHandler listTokensRequestHandler; + private final ActivateTokenReqHandler activateTokenReqHandler; + private final UpdateSoftwareTokenPinReqHandler updateSoftwareTokenPinReqHandler; + private final InitSoftwareTokenReqHandler initSoftwareTokenReqHandler; + private final GetTokenInfoReqHandler getTokenInfoReqHandler; + private final GetTokenInfoForKeyIdReqHandler getTokenInfoForKeyIdReqHandler; + private final GetTokenBatchSigningEnabledReqHandler getTokenBatchSigningEnabledReqHandler; + private final GetTokenInfoAndKeyIdForCertHashReqHandler getTokenInfoAndKeyIdForCertHashReqHandler; + private final GetTokenInfoAndKeyIdForCertRequestIdReqHandler getTokenInfoAndKeyIdForCertRequestIdReqHandler; + private final SetTokenFriendlyNameReqHandler setTokenFriendlyNameReqHandler; + private final ListTokensReqHandler listTokensReqHandler; @Override - public void listTokens(Empty request, StreamObserver responseObserver) { - listTokensRequestHandler.processSingle(request, responseObserver); + public void 
listTokens(Empty request, StreamObserver responseObserver) { + listTokensReqHandler.processSingle(request, responseObserver); } @Override - public void activateToken(ActivateTokenRequest request, StreamObserver responseObserver) { - activateTokenRequestHandler.processSingle(request, responseObserver); + public void activateToken(ActivateTokenReq request, StreamObserver responseObserver) { + activateTokenReqHandler.processSingle(request, responseObserver); } @Override - public void getTokenById(GetTokenByIdRequest request, StreamObserver responseObserver) { - getTokenInfoRequestHandler.processSingle(request, responseObserver); + public void getTokenById(GetTokenByIdReq request, StreamObserver responseObserver) { + getTokenInfoReqHandler.processSingle(request, responseObserver); } @Override - public void getTokenByKey(GetTokenByKeyIdRequest request, StreamObserver responseObserver) { - getTokenInfoForKeyIdRequestHandler.processSingle(request, responseObserver); + public void getTokenByKey(GetTokenByKeyIdReq request, StreamObserver responseObserver) { + getTokenInfoForKeyIdReqHandler.processSingle(request, responseObserver); } @Override - public void getTokenAndKeyIdByCertRequestId(GetTokenByCertRequestIdRequest request, + public void getTokenAndKeyIdByCertRequestId(GetTokenByCertRequestIdReq request, StreamObserver responseObserver) { - getTokenInfoAndKeyIdForCertRequestIdRequestHandler.processSingle(request, responseObserver); + getTokenInfoAndKeyIdForCertRequestIdReqHandler.processSingle(request, responseObserver); } @Override - public void getTokenAndKeyIdByCertHash(GetTokenByCertHashRequest request, StreamObserver responseObserver) { - getTokenInfoAndKeyIdForCertHashRequestHandler.processSingle(request, responseObserver); + public void getTokenAndKeyIdByCertHash(GetTokenByCertHashReq request, StreamObserver responseObserver) { + getTokenInfoAndKeyIdForCertHashReqHandler.processSingle(request, responseObserver); } @Override - public void 
setTokenFriendlyName(SetTokenFriendlyNameRequest request, StreamObserver responseObserver) { - setTokenFriendlyNameRequestHandler.processSingle(request, responseObserver); + public void setTokenFriendlyName(SetTokenFriendlyNameReq request, StreamObserver responseObserver) { + setTokenFriendlyNameReqHandler.processSingle(request, responseObserver); } @Override - public void getTokenBatchSigningEnabled(GetTokenBatchSigningEnabledRequest request, - StreamObserver responseObserver) { - getTokenBatchSigningEnabledRequestHandler.processSingle(request, responseObserver); + public void getTokenBatchSigningEnabled(GetTokenBatchSigningEnabledReq request, + StreamObserver responseObserver) { + getTokenBatchSigningEnabledReqHandler.processSingle(request, responseObserver); } @Override - public void initSoftwareToken(InitSoftwareTokenRequest request, StreamObserver responseObserver) { - initSoftwareTokenRequestHandler.processSingle(request, responseObserver); + public void initSoftwareToken(InitSoftwareTokenReq request, StreamObserver responseObserver) { + initSoftwareTokenReqHandler.processSingle(request, responseObserver); } @Override - public void updateSoftwareTokenPin(UpdateSoftwareTokenPinRequest request, StreamObserver responseObserver) { - updateSoftwareTokenPinRequestHandler.processSingle(request, responseObserver); + public void updateSoftwareTokenPin(UpdateSoftwareTokenPinReq request, StreamObserver responseObserver) { + updateSoftwareTokenPinReqHandler.processSingle(request, responseObserver); } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateTokenRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateTokenReqHandler.java similarity index 88% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateTokenRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateTokenReqHandler.java index 23e828d6c5..15b3f26d0b 100644 
--- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateTokenRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateTokenReqHandler.java @@ -27,7 +27,7 @@ import ee.ria.xroad.signer.protocol.AbstractRpcHandler; -import org.niis.xroad.signer.proto.ActivateTokenRequest; +import org.niis.xroad.signer.proto.ActivateTokenReq; import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Component; @@ -35,11 +35,11 @@ * Handles token activations and deactivations. */ @Component -public class ActivateTokenRequestHandler - extends AbstractRpcHandler { +public class ActivateTokenReqHandler + extends AbstractRpcHandler { @Override - protected Empty handle(ActivateTokenRequest request) throws Exception { + protected Empty handle(ActivateTokenReq request) throws Exception { getTokenWorker(request.getTokenId()) .handleActivateToken(request); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java similarity index 95% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java index ac05c28344..abd0256dbc 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java @@ -25,8 +25,6 @@ */ package ee.ria.xroad.signer.protocol.handler; -import com.google.protobuf.ByteString; - import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.util.CryptoUtils; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; 
@@ -36,6 +34,7 @@ import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.util.TokenAndKey; +import com.google.protobuf.ByteString; import lombok.Data; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; @@ -51,7 +50,7 @@ import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder; import org.niis.xroad.signer.proto.GenerateSelfSignedCertReq; import org.niis.xroad.signer.proto.GenerateSelfSignedCertResp; -import org.niis.xroad.signer.proto.SignRequest; +import org.niis.xroad.signer.proto.SignReq; import org.springframework.stereotype.Component; import java.io.ByteArrayOutputStream; @@ -78,8 +77,8 @@ @SuppressWarnings("deprecation") @Component @RequiredArgsConstructor -public class GenerateSelfSignedCertRequestHandler extends AbstractRpcHandler { - private final SignRequestHandler signRequestHandler; +public class GenerateSelfSignedCertReqHandler extends AbstractRpcHandler { + private final SignReqHandler signReqHandler; private final ImportCertReqHandler importCertReqHandler; // TODO make configurable @@ -172,12 +171,12 @@ public byte[] getSignature() { String digAlgoId = getDigestAlgorithmId(signAlgoId); digest = calculateDigest(digAlgoId, dataToSign); - var message = SignRequest.newBuilder() + var message = SignReq.newBuilder() .setKeyId(tokenAndKey.getKeyId()) .setSignatureAlgorithmId(signAlgoId) .setDigest(ByteString.copyFrom(digest)) .build(); - return signRequestHandler.signData(message); + return signReqHandler.signData(message); } catch (Exception e) { throw translateException(e); 
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetCertificateInfoForHashRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetCertificateInfoForHashReqHandler.java similarity index 84% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetCertificateInfoForHashRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetCertificateInfoForHashReqHandler.java index f726e72ce3..e47c872665 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetCertificateInfoForHashRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetCertificateInfoForHashReqHandler.java @@ -29,8 +29,9 @@ import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import org.niis.xroad.signer.proto.GetCertificateInfoForHashRequest; -import org.niis.xroad.signer.proto.GetCertificateInfoResponse; + +import org.niis.xroad.signer.proto.GetCertificateInfoForHashReq; +import org.niis.xroad.signer.proto.GetCertificateInfoResp; import org.springframework.stereotype.Component; import static ee.ria.xroad.common.ErrorCodes.X_CERT_NOT_FOUND; @@ -39,10 +40,10 @@ * Handles requests for certificates based on certificate hashes. */ @Component -public class GetCertificateInfoForHashRequestHandler extends AbstractRpcHandler { +public class GetCertificateInfoForHashReqHandler extends AbstractRpcHandler { @Override - protected GetCertificateInfoResponse handle(GetCertificateInfoForHashRequest request) throws Exception { + protected GetCertificateInfoResp handle(GetCertificateInfoForHashReq request) throws Exception { CertificateInfo certificateInfo = TokenManager.getCertificateInfoForCertHash(request.getCertHash()); if (certificateInfo == null) { 
@@ -50,7 +51,7 @@ protected GetCertificateInfoResponse handle(GetCertificateInfoForHashRequest req "Certificate with hash '%s' not found", request.getCertHash()); } - return GetCertificateInfoResponse.newBuilder() + return GetCertificateInfoResp.newBuilder() .setCertificateInfo(certificateInfo.asMessage()) .build(); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetKeyIdForCertHashRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetKeyIdForCertHashReqHandler.java similarity index 84% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetKeyIdForCertHashRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetKeyIdForCertHashReqHandler.java index 9192595091..57b96e91db 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetKeyIdForCertHashRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetKeyIdForCertHashReqHandler.java @@ -29,8 +29,9 @@ import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import org.niis.xroad.signer.proto.GetKeyIdForCertHashRequest; -import org.niis.xroad.signer.proto.GetKeyIdForCertHashResponse; + +import org.niis.xroad.signer.proto.GetKeyIdForCertHashReq; +import org.niis.xroad.signer.proto.GetKeyIdForCertHashResp; import org.springframework.stereotype.Component; import static ee.ria.xroad.common.ErrorCodes.X_CERT_NOT_FOUND; 
@@ -39,10 +40,10 @@ * Handles requests for key id based on certificate hashes. */ @Component -public class GetKeyIdForCertHashRequestHandler extends AbstractRpcHandler { +public class GetKeyIdForCertHashReqHandler extends AbstractRpcHandler { @Override - protected GetKeyIdForCertHashResponse handle(GetKeyIdForCertHashRequest request) throws Exception { + protected GetKeyIdForCertHashResp handle(GetKeyIdForCertHashReq request) throws Exception { KeyInfo keyInfo = TokenManager.getKeyInfoForCertHash(request.getCertHash()); if (keyInfo == null) { @@ -50,7 +51,7 @@ protected GetKeyIdForCertHashResponse handle(GetKeyIdForCertHashRequest request) "Certificate with hash '%s' not found", request.getCertHash()); } - return GetKeyIdForCertHashResponse.newBuilder() + return GetKeyIdForCertHashResp.newBuilder() .setKeyId(keyInfo.getId()) .setSignMechanismName(keyInfo.getSignMechanismName()) .build(); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsReqHandler.java similarity index 88% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsReqHandler.java index c3bad9a954..fd5141f1f0 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsReqHandler.java 
@@ -32,8 +32,9 @@ import ee.ria.xroad.signer.protocol.dto.CertificateInfoProto; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import org.niis.xroad.signer.proto.GetMemberCertsRequest; -import org.niis.xroad.signer.proto.GetMemberCertsResponse; + +import org.niis.xroad.signer.proto.GetMemberCertsReq; +import org.niis.xroad.signer.proto.GetMemberCertsResp; import org.springframework.stereotype.Component; import java.util.List; @@ -43,11 +44,11 @@ * Handles requests for member certificates. */ @Component -public class GetMemberCertsRequestHandler - extends AbstractRpcHandler { +public class GetMemberCertsReqHandler + extends AbstractRpcHandler { @Override - protected GetMemberCertsResponse handle(GetMemberCertsRequest request) throws Exception { + protected GetMemberCertsResp handle(GetMemberCertsReq request) throws Exception { final var memberId = ClientIdMapper.fromDto(request.getMemberId()); List memberCerts = TokenManager.listTokens().stream() .flatMap(t -> t.getKeyInfo().stream()) @@ -57,7 +58,7 @@ protected GetMemberCertsResponse handle(GetMemberCertsRequest request) throws Ex .map(CertificateInfo::asMessage) .collect(Collectors.toList()); - return GetMemberCertsResponse.newBuilder() + return GetMemberCertsResp.newBuilder() .addAllCerts(memberCerts) .build(); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetOcspResponsesRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetOcspResponsesReqHandler.java similarity index 84% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetOcspResponsesRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetOcspResponsesReqHandler.java index 334f3a4abc..aa734c6dc9 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetOcspResponsesRequestHandler.java 
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetOcspResponsesReqHandler.java @@ -28,8 +28,8 @@ import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.protocol.message.GetOcspResponses; -import org.niis.xroad.signer.proto.GetOcspResponsesRequest; -import org.niis.xroad.signer.proto.GetOcspResponsesResponse; +import org.niis.xroad.signer.proto.GetOcspResponsesReq; +import org.niis.xroad.signer.proto.GetOcspResponsesResp; import org.springframework.stereotype.Component; import static java.util.Arrays.asList; @@ -38,16 +38,16 @@ * Handles OCSP requests. */ @Component -public class GetOcspResponsesRequestHandler - extends AbstractRpcHandler { +public class GetOcspResponsesReqHandler + extends AbstractRpcHandler { @Override - protected GetOcspResponsesResponse handle(GetOcspResponsesRequest request) throws Exception { + protected GetOcspResponsesResp handle(GetOcspResponsesReq request) throws Exception { var message = new GetOcspResponses( request.getCertHashList().toArray(new String[0])); ee.ria.xroad.signer.protocol.message.GetOcspResponsesResponse response = temporaryAkkaMessenger.tellOcspManagerWithResponse(message); - return GetOcspResponsesResponse.newBuilder() + return GetOcspResponsesResp.newBuilder() .addAllBase64EncodedResponses(asList(response.getBase64EncodedResponses())) .build(); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetSignMechanismRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetSignMechanismReqHandler.java similarity index 84% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetSignMechanismRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetSignMechanismReqHandler.java index 6b52e5319b..39d79c9e3f 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetSignMechanismRequestHandler.java 
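Review bot: In `GetOcspResponsesReqHandler.handle`, the array from `response.getBase64EncodedResponses()` is passed straight to `addAllBase64EncodedResponses(asList(...))`, and protobuf builders reject null elements with a NullPointerException. It is not visible here whether the legacy `GetOcspResponsesResponse` can hold a null entry for a certificate hash that has no cached OCSP response. If it can, one missing response would fail the whole call instead of being reported per certificate. Since the entries appear to correspond by position to the requested hashes, filtering would break that alignment; an explicit placeholder such as `.map(r -> r == null ? "" : r)` that the client treats as "no response" keeps the order. The null return case of `tellOcspManagerWithResponse` deserves the same check.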
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetSignMechanismReqHandler.java @@ -30,18 +30,19 @@ import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import org.niis.xroad.signer.proto.GetSignMechanismRequest; -import org.niis.xroad.signer.proto.GetSignMechanismResponse; + +import org.niis.xroad.signer.proto.GetSignMechanismReq; +import org.niis.xroad.signer.proto.GetSignMechanismResp; import org.springframework.stereotype.Component; /** * Handles requests for signing mechanism based on key id. */ @Component -public class GetSignMechanismRequestHandler extends AbstractRpcHandler { +public class GetSignMechanismReqHandler extends AbstractRpcHandler { @Override - protected GetSignMechanismResponse handle(GetSignMechanismRequest request) throws Exception { + protected GetSignMechanismResp handle(GetSignMechanismReq request) throws Exception { KeyInfo keyInfo = TokenManager.getKeyInfo(request.getKeyId()); if (keyInfo == null) { @@ -49,7 +50,7 @@ protected GetSignMechanismResponse handle(GetSignMechanismRequest request) throw request.getKeyId()); } - return GetSignMechanismResponse.newBuilder() + return GetSignMechanismResp.newBuilder() .setSignMechanismName(keyInfo.getSignMechanismName()) .build(); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenBatchSigningEnabledRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenBatchSigningEnabledReqHandler.java similarity index 87% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenBatchSigningEnabledRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenBatchSigningEnabledReqHandler.java index 80b24e9fdd..c30b20010a 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenBatchSigningEnabledRequestHandler.java 
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenBatchSigningEnabledReqHandler.java @@ -27,22 +27,23 @@ import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledRequest; -import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledResponse; + +import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledReq; +import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledResp; import org.springframework.stereotype.Component; /** * Handles queries for batch signing capabilities of a token. */ @Component -public class GetTokenBatchSigningEnabledRequestHandler - extends AbstractRpcHandler { +public class GetTokenBatchSigningEnabledReqHandler + extends AbstractRpcHandler { @Override - protected GetTokenBatchSigningEnabledResponse handle(GetTokenBatchSigningEnabledRequest request) throws Exception { + protected GetTokenBatchSigningEnabledResp handle(GetTokenBatchSigningEnabledReq request) throws Exception { String tokenId = TokenManager.findTokenIdForKeyId(request.getKeyId()); - return GetTokenBatchSigningEnabledResponse.newBuilder() + return GetTokenBatchSigningEnabledResp.newBuilder() .setBatchingSigningEnabled(TokenManager.isBatchSigningEnabled(tokenId)) .build(); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertHashRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertHashReqHandler.java similarity index 89% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertHashRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertHashReqHandler.java index 75eb0f7376..9dd437a5eb 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertHashRequestHandler.java 
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertHashReqHandler.java @@ -28,19 +28,20 @@ import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyIdProto; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import org.niis.xroad.signer.proto.GetTokenByCertHashRequest; + +import org.niis.xroad.signer.proto.GetTokenByCertHashReq; import org.springframework.stereotype.Component; /** * Handles requests for TokenInfo + key id based on certificate hashes. */ @Component -public class GetTokenInfoAndKeyIdForCertHashRequestHandler - extends AbstractRpcHandler { +public class GetTokenInfoAndKeyIdForCertHashReqHandler + extends AbstractRpcHandler { @Override - protected TokenInfoAndKeyIdProto handle(GetTokenByCertHashRequest request) throws Exception { + protected TokenInfoAndKeyIdProto handle(GetTokenByCertHashReq request) throws Exception { var token = TokenManager.findTokenAndKeyIdForCertHash(request.getCertHash()); return token.asMessage(); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertRequestIdRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertRequestIdReqHandler.java similarity index 88% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertRequestIdRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertRequestIdReqHandler.java index bab17dd324..663ff359fb 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertRequestIdRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoAndKeyIdForCertRequestIdReqHandler.java 
@@ -28,18 +28,19 @@ import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyIdProto; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import org.niis.xroad.signer.proto.GetTokenByCertRequestIdRequest; + +import org.niis.xroad.signer.proto.GetTokenByCertRequestIdReq; import org.springframework.stereotype.Component; /** * Handles requests for TokenInfo + key id based on certificate request ids. */ @Component -public class GetTokenInfoAndKeyIdForCertRequestIdRequestHandler - extends AbstractRpcHandler { +public class GetTokenInfoAndKeyIdForCertRequestIdReqHandler + extends AbstractRpcHandler { @Override - protected TokenInfoAndKeyIdProto handle(GetTokenByCertRequestIdRequest request) throws Exception { + protected TokenInfoAndKeyIdProto handle(GetTokenByCertRequestIdReq request) throws Exception { var token = TokenManager.findTokenAndKeyIdForCertRequestId(request.getCertRequestId()); return token.asMessage(); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoForKeyIdRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoForKeyIdReqHandler.java similarity index 87% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoForKeyIdRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoForKeyIdReqHandler.java index cbfdfc7ad2..33dd65d055 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoForKeyIdRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoForKeyIdReqHandler.java 
@@ -28,18 +28,19 @@ import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import org.niis.xroad.signer.proto.GetTokenByKeyIdRequest; + +import org.niis.xroad.signer.proto.GetTokenByKeyIdReq; import org.springframework.stereotype.Component; /** * Handles requests for TokenInfo based on key id. */ @Component -public class GetTokenInfoForKeyIdRequestHandler - extends AbstractRpcHandler { +public class GetTokenInfoForKeyIdReqHandler + extends AbstractRpcHandler { @Override - protected TokenInfoProto handle(GetTokenByKeyIdRequest request) throws Exception { + protected TokenInfoProto handle(GetTokenByKeyIdReq request) throws Exception { var token = TokenManager.findTokenInfoForKeyId(request.getKeyId()); return token.asMessage(); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoReqHandler.java similarity index 88% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoReqHandler.java index 722faeb8e7..a953b224d2 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetTokenInfoReqHandler.java 
@@ -28,18 +28,19 @@ import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import org.niis.xroad.signer.proto.GetTokenByIdRequest; + +import org.niis.xroad.signer.proto.GetTokenByIdReq; import org.springframework.stereotype.Component; /** * Handles requests for token info. */ @Component -public class GetTokenInfoRequestHandler - extends AbstractRpcHandler { +public class GetTokenInfoReqHandler + extends AbstractRpcHandler { @Override - protected TokenInfoProto handle(GetTokenByIdRequest request) throws Exception { + protected TokenInfoProto handle(GetTokenByIdReq request) throws Exception { var token = TokenManager.findTokenInfo(request.getTokenId()); return token.asMessage(); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenReqHandler.java similarity index 91% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenReqHandler.java index aedc5d163c..0e09c42290 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenReqHandler.java @@ -31,7 +31,7 @@ import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker; import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenWorker; -import org.niis.xroad.signer.proto.InitSoftwareTokenRequest; +import org.niis.xroad.signer.proto.InitSoftwareTokenReq; import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Component; 
@@ -41,11 +41,11 @@ * Handles requests for software token initialization. */ @Component -public class InitSoftwareTokenRequestHandler - extends AbstractRpcHandler { +public class InitSoftwareTokenReqHandler + extends AbstractRpcHandler { @Override - protected Empty handle(InitSoftwareTokenRequest request) throws Exception { + protected Empty handle(InitSoftwareTokenReq request) throws Exception { String softwareTokenId = TokenManager.getSoftwareTokenId(); if (softwareTokenId != null) { diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ListTokensRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ListTokensReqHandler.java similarity index 86% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ListTokensRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ListTokensReqHandler.java index 166c4543e7..e01621fff8 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ListTokensRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ListTokensReqHandler.java @@ -28,7 +28,7 @@ import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import org.niis.xroad.signer.proto.ListTokensResponse; +import org.niis.xroad.signer.proto.ListTokensResp; import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Component; 
@@ -36,11 +36,11 @@ * Handles requests for token list. */ @Component -public class ListTokensRequestHandler extends AbstractRpcHandler { +public class ListTokensReqHandler extends AbstractRpcHandler { @Override - protected ListTokensResponse handle(Empty request) throws Exception { - final ListTokensResponse.Builder builder = ListTokensResponse.newBuilder(); + protected ListTokensResp handle(Empty request) throws Exception { + final ListTokensResp.Builder builder = ListTokensResp.newBuilder(); TokenManager.listTokens().forEach(tokenInfo -> builder.addTokens(tokenInfo.asMessage())); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertRequestRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertRequestReqHandler.java similarity index 79% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertRequestRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertRequestReqHandler.java index fd286353d6..7d2e4b64c8 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertRequestRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertRequestReqHandler.java 
@@ -26,18 +26,19 @@ package ee.ria.xroad.signer.protocol.handler; import ee.ria.xroad.common.CodedException; +import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyId; -import ee.ria.xroad.signer.protocol.message.RegenerateCertRequest; -import ee.ria.xroad.signer.protocol.message.RegenerateCertRequestResponse; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenType; import ee.ria.xroad.signer.util.TokenAndKey; import lombok.extern.slf4j.Slf4j; import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import org.niis.xroad.signer.proto.RegenerateCertRequestReq; +import org.niis.xroad.signer.proto.RegenerateCertRequestResp; import static ee.ria.xroad.common.ErrorCodes.X_CSR_NOT_FOUND; import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; @@ -47,10 +48,10 @@ * Handles certificate request re-generations. */ @Slf4j -public class RegenerateCertRequestRequestHandler extends AbstractGenerateCertRequest { +public class RegenerateCertRequestReqHandler extends AbstractRpcHandler { @Override - protected Object handle(RegenerateCertRequest message) throws Exception { + protected RegenerateCertRequestResp handle(RegenerateCertRequestReq message) throws Exception { TokenAndKey tokenAndKey = findTokenAndKeyForCsrId(message.getCertRequestId()); if (!TokenManager.isKeyAvailable(tokenAndKey.getKeyId())) { 
@@ -73,14 +74,15 @@ protected Object handle(RegenerateCertRequest message) throws Exception { String subjectName = certRequestInfo.getSubjectName(); - PKCS10CertificationRequest generatedRequest = buildSignedCertRequest(tokenAndKey, subjectName); - - return new RegenerateCertRequestResponse(message.getCertRequestId(), - convert(generatedRequest, message.getFormat()), - message.getFormat(), - certRequestInfo.getMemberId(), - tokenAndKey.getKey().getUsage() - ); +// PKCS10CertificationRequest generatedRequest = buildSignedCertRequest(tokenAndKey, subjectName); + PKCS10CertificationRequest generatedRequest =null;//TODO:Grpc +// return new RegenerateCertRequestResponse(message.getCertRequestId(), +// convert(generatedRequest, message.getFormat()), +// message.getFormat(), +// certRequestInfo.getMemberId(), +// tokenAndKey.getKey().getUsage() +// ); + return null; } private TokenAndKey findTokenAndKeyForCsrId(String certRequestId) { diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetCertStatusRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetCertStatusReqHandler.java similarity index 88% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetCertStatusRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetCertStatusReqHandler.java index f7e5251a0b..b2e33dea2d 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetCertStatusRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetCertStatusReqHandler.java @@ -27,7 +27,8 @@ import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import org.niis.xroad.signer.proto.SetCertStatusRequest; + +import org.niis.xroad.signer.proto.SetCertStatusReq; import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Component; 
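Review bot: The new side of `RegenerateCertRequestReqHandler.handle` sets `generatedRequest` to `null` and ends in `return null;`, so a request that passes the key-availability and CSR lookups gets neither a CSR nor an error. How `AbstractRpcHandler` treats a null result is not visible in this hunk, but a stubbed operation in the signer should fail explicitly, for example `throw new CodedException(X_INTERNAL_ERROR, "Certificate request regeneration is not implemented over gRPC");`, using the names this file already imports. The commented-out block and the now unused `subjectName` and `generatedRequest` locals can then be removed until the real implementation lands. The class also lacks the `@Component` annotation the other migrated handlers carry, which may be deliberate while it is stubbed. The method begins outside this hunk.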
@@ -35,11 +36,11 @@ * Handles requests for setting the certificate status. */ @Component -public class SetCertStatusRequestHandler - extends AbstractRpcHandler { +public class SetCertStatusReqHandler + extends AbstractRpcHandler { @Override - protected Empty handle(SetCertStatusRequest request) throws Exception { + protected Empty handle(SetCertStatusReq request) throws Exception { TokenManager.setCertStatus(request.getCertId(), request.getStatus()); return Empty.getDefaultInstance(); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetKeyFriendlyNameRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetKeyFriendlyNameReqHandler.java similarity index 88% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetKeyFriendlyNameRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetKeyFriendlyNameReqHandler.java index 59bc744031..aa856d64bc 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetKeyFriendlyNameRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetKeyFriendlyNameReqHandler.java @@ -27,7 +27,8 @@ import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import org.niis.xroad.signer.proto.SetKeyFriendlyNameRequest; + +import org.niis.xroad.signer.proto.SetKeyFriendlyNameReq; import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Component; 
@@ -35,11 +36,11 @@ * Handles requests for setting the key friendly name. */ @Component -public class SetKeyFriendlyNameRequestHandler - extends AbstractRpcHandler { +public class SetKeyFriendlyNameReqHandler + extends AbstractRpcHandler { @Override - protected Empty handle(SetKeyFriendlyNameRequest request) throws Exception { + protected Empty handle(SetKeyFriendlyNameReq request) throws Exception { TokenManager.setKeyFriendlyName(request.getKeyId(), request.getFriendlyName()); return Empty.getDefaultInstance(); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetOcspResponsesRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetOcspResponsesReqHandler.java similarity index 89% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetOcspResponsesRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetOcspResponsesReqHandler.java index 2c2a7b2717..6b4143ae78 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetOcspResponsesRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetOcspResponsesReqHandler.java @@ -28,7 +28,7 @@ import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.protocol.message.SetOcspResponses; -import org.niis.xroad.signer.proto.SetOcspResponsesRequest; +import org.niis.xroad.signer.proto.SetOcspResponsesReq; import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Component; 
@@ -36,10 +36,10 @@ * Handles requests for setting the OCSP responses for certificates. */ @Component -public class SetOcspResponsesRequestHandler - extends AbstractRpcHandler { +public class SetOcspResponsesReqHandler + extends AbstractRpcHandler { @Override - protected Empty handle(SetOcspResponsesRequest request) throws Exception { + protected Empty handle(SetOcspResponsesReq request) throws Exception { var message = new SetOcspResponses( request.getCertHashesList().toArray(new String[0]), request.getBase64EncodedResponsesList().toArray(new String[0])); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetTokenFriendlyNameRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetTokenFriendlyNameReqHandler.java similarity index 88% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetTokenFriendlyNameRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetTokenFriendlyNameReqHandler.java index 409175e2da..4c5826c6c6 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetTokenFriendlyNameRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetTokenFriendlyNameReqHandler.java @@ -27,7 +27,8 @@ import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import org.niis.xroad.signer.proto.SetTokenFriendlyNameRequest; + +import org.niis.xroad.signer.proto.SetTokenFriendlyNameReq; import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Component; 
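Review bot: `SetOcspResponsesReqHandler.handle` copies `getCertHashesList()` and `getBase64EncodedResponsesList()` into two separate arrays without checking that they have the same length. With the request now arriving as two independent repeated fields, a mismatched message could cause an index error or pair an OCSP response with the wrong certificate hash, depending on how `SetOcspResponses` consumes the arrays (not visible here). Reject the request up front when `request.getCertHashesCount() != request.getBase64EncodedResponsesCount()`. Add a short comment stating that the two lists are matched by position. The method body continues past the end of this hunk.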
@@ -35,11 +36,10 @@ * Handles requests for setting the token friendly name. */ @Component -public class SetTokenFriendlyNameRequestHandler - extends AbstractRpcHandler { +public class SetTokenFriendlyNameReqHandler extends AbstractRpcHandler { @Override - protected Empty handle(SetTokenFriendlyNameRequest request) throws Exception { + protected Empty handle(SetTokenFriendlyNameReq request) throws Exception { TokenManager.setTokenFriendlyName( request.getTokenId(), request.getFriendlyName()); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateReqHandler.java similarity index 83% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateReqHandler.java index 06252610b1..6356fed200 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateReqHandler.java 
@@ -29,21 +29,21 @@ import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import com.google.protobuf.ByteString; -import org.niis.xroad.signer.proto.SignCertificateRequest; -import org.niis.xroad.signer.proto.SignCertificateResponse; +import org.niis.xroad.signer.proto.SignCertificateReq; +import org.niis.xroad.signer.proto.SignCertificateResp; import org.springframework.stereotype.Component; import static ee.ria.xroad.signer.tokenmanager.TokenManager.findTokenIdForKeyId; @Component -public class SignCertificateRequestHandler extends AbstractRpcHandler { +public class SignCertificateReqHandler extends AbstractRpcHandler { @Override - protected SignCertificateResponse handle(SignCertificateRequest request) throws Exception { + protected SignCertificateResp handle(SignCertificateReq request) throws Exception { final byte[] signedCertificate = getTokenWorker(findTokenIdForKeyId(request.getKeyId())) .handleSignCertificate(request); - return SignCertificateResponse.newBuilder() + return SignCertificateResp.newBuilder() .setCertificateChain(ByteString.copyFrom(signedCertificate)) .build(); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignReqHandler.java similarity index 85% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignReqHandler.java index 4edab4e6bc..4ec42acf1d 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignReqHandler.java 
@@ -28,8 +28,8 @@ import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import com.google.protobuf.ByteString; -import org.niis.xroad.signer.proto.SignRequest; -import org.niis.xroad.signer.proto.SignResponse; +import org.niis.xroad.signer.proto.SignReq; +import org.niis.xroad.signer.proto.SignResp; import org.springframework.stereotype.Component; import static ee.ria.xroad.signer.tokenmanager.TokenManager.findTokenIdForKeyId; @@ -38,18 +38,18 @@ * Handles signing requests. */ @Component -public class SignRequestHandler extends AbstractRpcHandler { +public class SignReqHandler extends AbstractRpcHandler { @Override - protected SignResponse handle(SignRequest request) throws Exception { + protected SignResp handle(SignReq request) throws Exception { final byte[] signature = signData(request); - return SignResponse.newBuilder() + return SignResp.newBuilder() .setSignature(ByteString.copyFrom(signature)) .build(); } - public byte[] signData(SignRequest request) { + public byte[] signData(SignReq request) { return getTokenWorker(findTokenIdForKeyId(request.getKeyId())) .handleSign(request); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinReqHandler.java similarity index 90% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinReqHandler.java index ac81c1d3f1..537ec6809e 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinReqHandler.java 
@@ -30,7 +30,7 @@ import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker; import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenWorker; -import org.niis.xroad.signer.proto.UpdateSoftwareTokenPinRequest; +import org.niis.xroad.signer.proto.UpdateSoftwareTokenPinReq; import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Component; @@ -40,11 +40,11 @@ * Handles token pin update */ @Component -public class UpdateSoftwareTokenPinRequestHandler - extends AbstractRpcHandler { +public class UpdateSoftwareTokenPinReqHandler + extends AbstractRpcHandler { @Override - protected Empty handle(UpdateSoftwareTokenPinRequest request) throws Exception { + protected Empty handle(UpdateSoftwareTokenPinReq request) throws Exception { final AbstractTokenWorker tokenWorker = getTokenWorker(request.getTokenId()); if (tokenWorker instanceof SoftwareTokenWorker) { try { diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java index 90be5488ea..dfe05c4785 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java @@ -48,9 +48,9 @@ import org.bouncycastle.asn1.x509.KeyUsage; import org.bouncycastle.cert.CertIOException; import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; -import org.niis.xroad.signer.proto.ActivateTokenRequest; -import org.niis.xroad.signer.proto.SignCertificateRequest; -import org.niis.xroad.signer.proto.SignRequest; +import org.niis.xroad.signer.proto.ActivateTokenReq; +import org.niis.xroad.signer.proto.SignCertificateReq; +import org.niis.xroad.signer.proto.SignReq; import java.math.BigInteger; import java.security.PublicKey; 
@@ -131,7 +131,7 @@ public void postStop() throws Exception { setTokenAvailable(tokenId, false); } - public void handleActivateToken(ActivateTokenRequest message) throws Exception { + public void handleActivateToken(ActivateTokenReq message) throws Exception { try { activateToken(message); @@ -201,7 +201,7 @@ private void handleDeleteCert(DeleteCert message) { @Deprecated private void handleCalculateSignature(CalculateSignature signRequest) { try { - SignRequest request = SignRequest.newBuilder() + SignReq request = SignReq.newBuilder() .setKeyId(signRequest.getKeyId()) .setSignatureAlgorithmId(signRequest.getSignatureAlgorithmId()) .setDigest(ByteString.copyFrom(signRequest.getDigest())) @@ -219,7 +219,7 @@ private void handleCalculateSignature(CalculateSignature signRequest) { } } - public byte[] handleSign(SignRequest request) { + public byte[] handleSign(SignReq request) { try { byte[] data = SignerUtil.createDataToSign(request.getDigest().toByteArray(), request.getSignatureAlgorithmId()); @@ -231,7 +231,7 @@ public byte[] handleSign(SignRequest request) { } } - public byte[] handleSignCertificate(SignCertificateRequest request) { + public byte[] handleSignCertificate(SignCertificateReq request) { try { PublicKey publicKey = CryptoUtils.readX509PublicKey(request.getPublicKey().toByteArray()); return signCertificate(request.getKeyId(), request.getSignatureAlgorithmId(), @@ -244,7 +244,7 @@ public byte[] handleSignCertificate(SignCertificateRequest request) { // ------------------------------------------------------------------------ - protected abstract void activateToken(ActivateTokenRequest message) throws Exception; + protected abstract void activateToken(ActivateTokenReq message) throws Exception; protected abstract GenerateKeyResult generateKey(GenerateKey message) throws Exception; 
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenWorker.java index 30223ad985..7b81b313cf 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenWorker.java @@ -45,7 +45,7 @@ import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; import org.bouncycastle.operator.ContentSigner; import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; -import org.niis.xroad.signer.proto.ActivateTokenRequest; +import org.niis.xroad.signer.proto.ActivateTokenReq; import java.io.File; import java.io.FileNotFoundException; @@ -121,7 +121,7 @@ public class SoftwareTokenWorker extends AbstractTokenWorker { * Creates new worker. * * @param tokenInfo the token info - * @param ignored token type (not used) + * @param ignored token type (not used) */ public SoftwareTokenWorker(TokenInfo tokenInfo, SoftwareTokenType ignored) { super(tokenInfo); @@ -159,7 +159,7 @@ protected void onUpdate() { // } @Override - protected void activateToken(ActivateTokenRequest message) { + protected void activateToken(ActivateTokenReq message) { if (message.getActivate()) { if (!isTokenLoginAllowed) { throw loginFailed("PIN change in progress – token login not allowed"); 
@@ -255,7 +255,7 @@ protected byte[] signCertificate(String keyId, String signatureAlgorithmId, Stri X509Certificate issuerX509Certificate = readCertificate(certificateInfo.getCertificateBytes()); PrivateKey privateKey = getPrivateKey(keyId); JcaX509v3CertificateBuilder certificateBuilder = getCertificateBuilder(subjectName, publicKey, - issuerX509Certificate); + issuerX509Certificate); log.debug("Signing certificate with key '{}' and signature algorithm '{}'", keyId, signatureAlgorithmId); ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithmId).build(privateKey); @@ -366,7 +366,7 @@ public void initializeToken(char[] pin) throws Exception { } private void rewriteKeyStoreWithNewPin(String keyFile, String keyAlias, char[] oldPin, char[] newPin, - Path tempKeyDir) throws Exception { + Path tempKeyDir) throws Exception { String keyStoreFile = getKeyStoreFileName(keyFile); Path tempKeyStoreFile = tempKeyDir.resolve(keyFile + P12); From e0141fe0f2e83f1eb143b94e48eff3437977ee48 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Thu, 24 Aug 2023 16:45:06 +0300 Subject: [PATCH 022/127] chore: using SetOcspResponses without akka Refs: XRDDEV-2461 --- .../protocol/message/SetOcspResponses.java | 44 ------------------- .../ee/ria/xroad/signer/TemporaryHelper.java | 14 +++++- .../signer/certmanager/OcspClientWorker.java | 16 +++++-- .../certmanager/OcspResponseManager.java | 23 +++++----- .../handler/SetOcspResponsesReqHandler.java | 8 ++-- 5 files changed, 40 insertions(+), 65 deletions(-) delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SetOcspResponses.java diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SetOcspResponses.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SetOcspResponses.java deleted file mode 100644 index da1c4536ae..0000000000 
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SetOcspResponses.java +++ /dev/null @@ -1,44 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.ToString; -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -@Deprecated -@ToString(exclude = "base64EncodedResponses") -public class SetOcspResponses implements Serializable { - - String[] certHashes; - String[] base64EncodedResponses; - -} 
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/TemporaryHelper.java b/src/signer/src/main/java/ee/ria/xroad/signer/TemporaryHelper.java index 674b2b7850..06d89fcfca 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/TemporaryHelper.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/TemporaryHelper.java @@ -25,6 +25,7 @@ */ package ee.ria.xroad.signer; +import ee.ria.xroad.signer.certmanager.OcspResponseManager; import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker; import java.util.HashMap; @@ -39,14 +40,25 @@ public class TemporaryHelper { @Deprecated private static Map TOKEN_WORKERS = new HashMap<>(); + @Deprecated + public static OcspResponseManager ocspResponseManager; + @Deprecated public static AbstractTokenWorker getTokenWorker(String tokenId) { if (!TOKEN_WORKERS.containsKey(tokenId)) { - throw new RuntimeException("Token workder not available"); + throw new RuntimeException("Token worker not available"); } return TOKEN_WORKERS.get(tokenId); } + @Deprecated + public static OcspResponseManager getOcspResponseManager() { + if (ocspResponseManager != null) { + return ocspResponseManager; + } + throw new RuntimeException("OcspResponseManager not available"); + } + @Deprecated public static void addTokenWorker(String tokenId, AbstractTokenWorker tokenWorker) { TOKEN_WORKERS.put(tokenId, tokenWorker); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspClientWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspClientWorker.java index 579b29d5e6..08ef2dd3ba 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspClientWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspClientWorker.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
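Review bot: The new `ocspResponseManager` field in TemporaryHelper is `public static` and neither `volatile` nor `final`, so any class can overwrite it, and a thread calling `getOcspResponseManager()` is not guaranteed to see the value assigned in `OcspResponseManager.preStart()`. Declaring it `private static volatile OcspResponseManager ocspResponseManager;` and adding a `setOcspResponseManager(OcspResponseManager)` method that `preStart()` calls would keep the write in one place and give the RPC handler threads a defined view of it. `getOcspResponseManager()` should also carry a short Javadoc stating that it throws `RuntimeException` until the manager actor has started, since `SetOcspResponsesReqHandler` and `OcspClientWorker` may reach it before that point. The class body continues outside the hunk.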
@@ -38,9 +38,9 @@ import ee.ria.xroad.common.ocsp.OcspVerifierOptions; import ee.ria.xroad.common.util.CertUtils; import ee.ria.xroad.signer.OcspClientJob; +import ee.ria.xroad.signer.TemporaryHelper; import ee.ria.xroad.signer.certmanager.OcspResponseManager.IsCachedOcspResponse; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; -import ee.ria.xroad.signer.protocol.message.SetOcspResponses; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.util.AbstractSignerActor; import ee.ria.xroad.signer.util.SignerUtil; @@ -50,6 +50,7 @@ import lombok.extern.slf4j.Slf4j; import org.bouncycastle.cert.ocsp.OCSPException; import org.bouncycastle.cert.ocsp.OCSPResp; +import org.niis.xroad.signer.proto.SetOcspResponsesReq; import java.io.IOException; import java.net.ConnectException; @@ -377,8 +378,15 @@ void updateCertStatuses(Map statuses) throws Exception { responses.add(encodeBase64(e.getValue().getEncoded())); } - getOcspResponseManager(getContext()).tell(new SetOcspResponses(hashes.toArray( - new String[statuses.size()]), responses.toArray(new String[statuses.size()])), getSelf()); +// getOcspResponseManager(getContext()).tell(new SetOcspResponses(hashes.toArray( +// new String[statuses.size()]), responses.toArray(new String[statuses.size()])), getSelf()); + + SetOcspResponsesReq setOcspResponsesReq = SetOcspResponsesReq.newBuilder() + .addAllCertHashes(hashes) + .addAllBase64EncodedResponses(responses) + .build(); + + TemporaryHelper.getOcspResponseManager().handleSetOcspResponses(setOcspResponsesReq); } /** diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspResponseManager.java b/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspResponseManager.java index 8ec39aa353..547a964dbe 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspResponseManager.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspResponseManager.java 
@@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -25,21 +25,21 @@ */ package ee.ria.xroad.signer.certmanager; -import akka.actor.ActorSystem; - +import ee.ria.xroad.signer.TemporaryHelper; import ee.ria.xroad.signer.protocol.message.GetOcspResponses; import ee.ria.xroad.signer.protocol.message.GetOcspResponsesResponse; -import ee.ria.xroad.signer.protocol.message.SetOcspResponses; import ee.ria.xroad.signer.tokenmanager.ServiceLocator; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.util.AbstractSignerActor; import ee.ria.xroad.signer.util.SignerUtil; +import akka.actor.ActorSystem; import akka.actor.Props; import lombok.RequiredArgsConstructor; import lombok.Value; import lombok.extern.slf4j.Slf4j; import org.bouncycastle.cert.ocsp.OCSPResp; +import org.niis.xroad.signer.proto.SetOcspResponsesReq; import java.io.Serializable; import java.security.cert.X509Certificate; @@ -134,6 +134,7 @@ public void preStart() throws Exception { } catch (Exception e) { log.error("Failed to load OCSP responses from disk", e); } + TemporaryHelper.ocspResponseManager = this; } /** @@ -150,8 +151,8 @@ public void onReceive(Object message) throws Exception { try { if (message instanceof GetOcspResponses) { handleGetOcspResponses((GetOcspResponses) message); - } else if (message instanceof SetOcspResponses) { - handleSetOcspResponses((SetOcspResponses) message); +// } else if (message instanceof SetOcspResponses) { +// handleSetOcspResponses((SetOcspResponses) message); } else if (message instanceof IsCachedOcspResponse) { handleIsCachedOcspResponse((IsCachedOcspResponse) message); } else { 
@@ -169,12 +170,12 @@ void handleGetOcspResponses(GetOcspResponses message) throws Exception { getContext().actorOf(props).tell(message.getCertHash(), getSender()); } - void handleSetOcspResponses(SetOcspResponses message) throws Exception { + public void handleSetOcspResponses(SetOcspResponsesReq message) throws Exception { log.trace("handleSetOcspResponses()"); - for (int i = 0; i < message.getCertHashes().length; i++) { - setResponse(message.getCertHashes()[i], new OCSPResp( - decodeBase64(message.getBase64EncodedResponses()[i]))); + for (int i = 0; i < message.getCertHashesCount(); i++) { + setResponse(message.getCertHashes(i), new OCSPResp( + decodeBase64(message.getBase64EncodedResponses(i)))); } } @@ -189,7 +190,7 @@ OCSPResp getResponse(String certHash) throws Exception { return responseCache.get(certHash); } - void setResponse(String certHash, OCSPResp response) throws Exception { + void setResponse(String certHash, OCSPResp response) { log.debug("Setting a new response to cache for cert: {}", certHash); try { responseCache.put(certHash, response); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetOcspResponsesReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetOcspResponsesReqHandler.java index 6b4143ae78..6b9a5b7111 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetOcspResponsesReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetOcspResponsesReqHandler.java @@ -25,8 +25,8 @@ */ package ee.ria.xroad.signer.protocol.handler; +import ee.ria.xroad.signer.TemporaryHelper; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; -import ee.ria.xroad.signer.protocol.message.SetOcspResponses; import org.niis.xroad.signer.proto.SetOcspResponsesReq; import org.niis.xroad.signer.protocol.dto.Empty; 
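Review bot: `handleSetOcspResponses` is now public and called directly by `SetOcspResponsesReqHandler` and `OcspClientWorker`, but its loop is bounded only by `getCertHashesCount()` while it indexes `getBase64EncodedResponses(i)`, so a request carrying fewer responses than hashes fails with an index error after some entries have already been cached. A guard before the loop, `if (message.getCertHashesCount() != message.getBase64EncodedResponsesCount()) throw new IllegalArgumentException("certHashes and responses differ in length");` (or the project's own coded exception), rejects the malformed request as a whole. Because the call no longer passes through the actor mailbox, `setResponse` may now run concurrently with `onReceive`; whether `responseCache` tolerates that is not visible in this hunk and is worth confirming. A Javadoc line on the method saying that callers are on non-actor threads would record the new contract.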
@@ -40,11 +40,9 @@ public class SetOcspResponsesReqHandler extends AbstractRpcHandler { @Override protected Empty handle(SetOcspResponsesReq request) throws Exception { - var message = new SetOcspResponses( - request.getCertHashesList().toArray(new String[0]), - request.getBase64EncodedResponsesList().toArray(new String[0])); + TemporaryHelper.getOcspResponseManager() + .handleSetOcspResponses(request); - temporaryAkkaMessenger.tellOcspManager(message); return Empty.getDefaultInstance(); } } From 3a415078c56199dee8b30efbd53cd3adfbdb4141 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Fri, 25 Aug 2023 12:22:57 +0300 Subject: [PATCH 023/127] chore: migrate remaining request handlers Refs: XRDDEV-2468 --- .../token/HardwareTokenWorker.java | 4 +- .../src/intTest/resources/signer-logback.xml | 2 +- .../java/ee/ria/xroad/signer/SignerProxy.java | 79 ++++++++++++------- .../xroad/signer/protocol/ClientIdMapper.java | 6 +- .../protocol/SecurityServerIdMapper.java | 24 ++++++ .../xroad/signer/protocol/SignerClient.java | 1 + .../signer/protocol/dto/AuthKeyInfo.java | 1 + .../signer/protocol/dto/CertRequestInfo.java | 14 +--- .../xroad/signer/protocol/dto/KeyInfo.java | 5 +- .../protocol/dto/MemberSigningInfo.java | 45 ----------- .../protocol/message/GenerateCertRequest.java | 1 + .../message/GenerateCertRequestResponse.java | 1 + .../signer/protocol/message/GenerateKey.java | 1 + .../message/GetHSMOperationalInfo.java | 34 -------- .../GetHSMOperationalInfoResponse.java | 1 + .../message/GetMemberSigningInfo.java | 1 + .../src/main/proto/CertificateService.proto | 18 ++++- .../src/main/proto/CommonMessages.proto | 27 +++++++ .../src/main/proto/KeyService.proto | 22 +++++- .../src/main/proto/TokenService.proto | 23 +++++- .../src/main/proto/Tokens.proto | 20 +---- .../signer/protocol/CertificateService.java | 19 ++++- .../ria/xroad/signer/protocol/KeyService.java | 18 +++++ .../xroad/signer/protocol/TokensService.java | 8 ++ ...uest.java => AbstractGenerateCertReq.java} | 28 ++++--- ...ndler.java => ActivateCertReqHandler.java} | 2 +- ...er.java => GenerateCertReqReqHandler.java} | 31 +++++--- ...andler.java => GenerateKeyReqHandler.java} | 21 +++-- ...Handler.java => GetAuthKeyReqHandler.java} | 49 +++++++----- ...a => GetHSMOperationalInfoReqHandler.java} | 17 ++-- ...va => GetMemberSigningInfoReqHandler.java} | 29 ++++--- ....java => RegenerateCertReqReqHandler.java} | 26 +++--- 32 files changed, 346 insertions(+), 232 deletions(-) create mode 100644 
src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SecurityServerIdMapper.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/MemberSigningInfo.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetHSMOperationalInfo.java rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{AbstractGenerateCertRequest.java => AbstractGenerateCertReq.java} (88%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{ActivateCertRequestHandler.java => ActivateCertReqHandler.java} (98%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{GenerateCertRequestRequestHandler.java => GenerateCertReqReqHandler.java} (70%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{GenerateKeyRequestHandler.java => GenerateKeyReqHandler.java} (70%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{GetAuthKeyRequestHandler.java => GetAuthKeyReqHandler.java} (81%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{GetHSMOperationalInfoRequestHandler.java => GetHSMOperationalInfoReqHandler.java} (72%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{GetMemberSigningInfoRequestHandler.java => GetMemberSigningInfoReqHandler.java} (82%) rename src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/{RegenerateCertRequestReqHandler.java => RegenerateCertReqReqHandler.java} (82%) diff --git a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java index 27e972ef57..226fb79064 100644 --- a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java +++ b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java 
@@ -54,7 +54,7 @@ import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; import org.bouncycastle.operator.ContentSigner; import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder; -import org.niis.xroad.signer.proto.ActivateTokenRequest; +import org.niis.xroad.signer.proto.ActivateTokenReq; import javax.xml.bind.DatatypeConverter; @@ -251,7 +251,7 @@ protected Exception customizeException(Exception e) { // ----------------------- Message handlers ------------------------------- @Override - protected void activateToken(ActivateTokenRequest message) throws Exception { + protected void activateToken(ActivateTokenReq message) throws Exception { if (message.getActivate()) { // login log.info("Logging in token '{}'", getWorkerId()); diff --git a/src/signer-protocol/src/intTest/resources/signer-logback.xml b/src/signer-protocol/src/intTest/resources/signer-logback.xml index 94fe28fc3a..2b2af3dbad 100644 --- a/src/signer-protocol/src/intTest/resources/signer-logback.xml +++ b/src/signer-protocol/src/intTest/resources/signer-logback.xml @@ -13,7 +13,7 @@ - + diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java index 98c411da50..e3fc21f94a 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java 
@@ -31,24 +31,14 @@ import ee.ria.xroad.common.util.PasswordStore; import ee.ria.xroad.signer.protocol.ClientIdMapper; import ee.ria.xroad.signer.protocol.RpcSignerClient; -import ee.ria.xroad.signer.protocol.SignerClient; +import ee.ria.xroad.signer.protocol.SecurityServerIdMapper; import ee.ria.xroad.signer.protocol.dto.AuthKeyInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.CodedExceptionProto; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; -import ee.ria.xroad.signer.protocol.dto.MemberSigningInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyId; -import ee.ria.xroad.signer.protocol.message.GenerateCertRequest; -import ee.ria.xroad.signer.protocol.message.GenerateCertRequestResponse; -import ee.ria.xroad.signer.protocol.message.GenerateKey; -import ee.ria.xroad.signer.protocol.message.GetAuthKey; -import ee.ria.xroad.signer.protocol.message.GetHSMOperationalInfo; -import ee.ria.xroad.signer.protocol.message.GetHSMOperationalInfoResponse; -import ee.ria.xroad.signer.protocol.message.GetMemberSigningInfo; -import ee.ria.xroad.signer.protocol.message.RegenerateCertRequest; -import ee.ria.xroad.signer.protocol.message.RegenerateCertRequestResponse; import com.google.protobuf.Any; import com.google.protobuf.ByteString; 
@@ -62,10 +52,14 @@ import org.niis.xroad.signer.proto.DeleteCertReq; import org.niis.xroad.signer.proto.DeleteCertRequestReq; import org.niis.xroad.signer.proto.DeleteKeyReq; +import org.niis.xroad.signer.proto.GenerateCertRequestReq; +import org.niis.xroad.signer.proto.GenerateKeyReq; import org.niis.xroad.signer.proto.GenerateSelfSignedCertReq; +import org.niis.xroad.signer.proto.GetAuthKeyReq; import org.niis.xroad.signer.proto.GetCertificateInfoForHashReq; import org.niis.xroad.signer.proto.GetKeyIdForCertHashReq; import org.niis.xroad.signer.proto.GetMemberCertsReq; +import org.niis.xroad.signer.proto.GetMemberSigningInfoReq; import org.niis.xroad.signer.proto.GetOcspResponsesReq; import org.niis.xroad.signer.proto.GetSignMechanismReq; import org.niis.xroad.signer.proto.GetSignMechanismResp; @@ -77,6 +71,7 @@ import org.niis.xroad.signer.proto.ImportCertReq; import org.niis.xroad.signer.proto.InitSoftwareTokenReq; import org.niis.xroad.signer.proto.ListTokensResp; +import org.niis.xroad.signer.proto.RegenerateCertRequestReq; import org.niis.xroad.signer.proto.SetCertStatusReq; import org.niis.xroad.signer.proto.SetKeyFriendlyNameReq; import org.niis.xroad.signer.proto.SetOcspResponsesReq; @@ -289,7 +284,13 @@ public static void setKeyFriendlyName(String keyId, String friendlyName) throws public static KeyInfo generateKey(String tokenId, String keyLabel) throws Exception { log.trace("Generating key for token '{}'", tokenId); - KeyInfo keyInfo = execute(new GenerateKey(tokenId, keyLabel)); + var response = executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() + .generateKey(GenerateKeyReq.newBuilder() + .setTokenId(tokenId) + .setKeyLabel(keyLabel) + .build())); + + KeyInfo keyInfo = new KeyInfo(response); log.trace("Received key with keyId '{}' and public key '{}'", keyInfo.getId(), keyInfo.getPublicKey()); 
@@ -400,16 +401,22 @@ public static GeneratedCertRequestInfo generateCertRequest(String keyId, ClientI KeyUsageInfo keyUsage, String subjectName, CertificateRequestFormat format) throws Exception { - GenerateCertRequestResponse response = execute(new GenerateCertRequest(keyId, memberId, keyUsage, subjectName, - format)); + var response = executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + .generateCertRequest(GenerateCertRequestReq.newBuilder() + .setKeyId(keyId) + .setMemberId(ClientIdMapper.toDto(memberId)) + .setKeyUsage(keyUsage) + .setSubjectName(subjectName) + .setFormat(format) + .build())); - byte[] certRequestBytes = response.getCertRequest(); + byte[] certRequestBytes = response.getCertRequest().toByteArray(); log.trace("Cert request with length of {} bytes generated", certRequestBytes.length); return new GeneratedCertRequestInfo( response.getCertReqId(), - response.getCertRequest(), + certRequestBytes, response.getFormat(), memberId, keyUsage); 
@@ -425,15 +432,20 @@ public static GeneratedCertRequestInfo generateCertRequest(String keyId, ClientI */ public static GeneratedCertRequestInfo regenerateCertRequest(String certRequestId, CertificateRequestFormat format) throws Exception { - RegenerateCertRequestResponse response = execute(new RegenerateCertRequest(certRequestId, format)); - log.trace("Cert request with length of {} bytes generated", response.getCertRequest().length); + var response = executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + .regenerateCertRequest(RegenerateCertRequestReq.newBuilder() + .setCertRequestId(certRequestId) + .setFormat(format) + .build())); + + log.trace("Cert request with length of {} bytes generated", response.getCertRequest().size()); return new GeneratedCertRequestInfo( response.getCertReqId(), - response.getCertRequest(), + response.getCertRequest().toByteArray(), response.getFormat(), - response.getMemberId(), + ClientIdMapper.fromDto(response.getMemberId()), response.getKeyUsage()); } @@ -616,7 +628,15 @@ private static List toLowerCase(String[] certHashes) { * @throws Exception */ public static AuthKeyInfo getAuthKey(SecurityServerId serverId) throws Exception { - return execute(new GetAuthKey(serverId)); + var response = executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() + .getAuthKey(GetAuthKeyReq.newBuilder() + .setSecurityServer(SecurityServerIdMapper.toDto(serverId)) + .build())); + + return new AuthKeyInfo(response.getAlias(), + response.getKeyStoreFileName(), + response.getPassword().toCharArray(), + new CertificateInfo(response.getCert())); } /** 
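Review bot: In the `getAuthKey` hunk the key store password now arrives as a protobuf string field and is copied with `response.getPassword().toCharArray()`, which leaves an immutable `String` copy on the heap that cannot be cleared and loses the protection the old DTO had through `@ToString(exclude = { "password" })`. A generated protobuf message prints all of its fields in `toString()` by default, so any logging of the response object, here or in an interceptor, would write the password out; a comment at the call such as `// never log 'response': it carries the key store password` makes that explicit. If the `.proto` definition can still change, carrying the password as `bytes` and decoding it into a `char[]` without an intermediate `String` would let the caller wipe it after use.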
@@ -681,8 +701,12 @@ public static Boolean isTokenBatchSigningEnabled(String keyId) { } public static MemberSigningInfoDto getMemberSigningInfo(ClientId clientId) throws Exception { - final MemberSigningInfo response = execute(new GetMemberSigningInfo(clientId)); - return new MemberSigningInfoDto(response.getKeyId(), response.getCert(), response.getSignMechanismName()); + var response = executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() + .getMemberSigningInfo(GetMemberSigningInfoReq.newBuilder() + .setMemberId(ClientIdMapper.toDto(clientId)) + .build())); + + return new MemberSigningInfoDto(response.getKeyId(), new CertificateInfo(response.getCert()), response.getSignMechanismName()); } public static List getMemberCerts(ClientId memberId) throws Exception { @@ -696,7 +720,10 @@ public static List getMemberCerts(ClientId memberId) throws Exc } public static boolean isHSMOperational() throws Exception { - return ((GetHSMOperationalInfoResponse) execute(new GetHSMOperationalInfo())).isOperational(); + var response = executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() + .getHSMOperationalInfo(Empty.getDefaultInstance())); + + return response.getOperational(); } public static byte[] signCertificate(String keyId, String signatureAlgorithmId, String subjectName, PublicKey publicKey) @@ -712,10 +739,6 @@ public static byte[] signCertificate(String keyId, String signatureAlgorithmId, return response.getCertificateChain().toByteArray(); } - private static T execute(Object message) throws Exception { - return SignerClient.execute(message); - } - @Value public static class MemberSigningInfoDto { String keyId; diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java index 301349d90d..a1097a9a92 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java 
+++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java @@ -1,15 +1,15 @@ package ee.ria.xroad.signer.protocol; import ee.ria.xroad.common.identifier.ClientId; -import ee.ria.xroad.signer.protocol.dto.ClientIdProto; -import ee.ria.xroad.signer.protocol.dto.XRoadObjectType; +import org.niis.xroad.signer.protocol.dto.ClientIdProto; +import org.niis.xroad.signer.protocol.dto.XRoadObjectType; public class ClientIdMapper { public static ClientId.Conf fromDto(ClientIdProto input) { //TODO:grpc refine this check - if (input.hasField(ClientIdProto.getDescriptor().findFieldByName("subsystem_code"))) { + if (input.hasField(ClientIdProto.getDescriptor().findFieldByName("subsystemCode"))) { return ClientId.Conf.create(input.getXroadInstance(), input.getMemberClass(), input.getMemberCode(), diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SecurityServerIdMapper.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SecurityServerIdMapper.java new file mode 100644 index 0000000000..3a35c32a91 --- /dev/null +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SecurityServerIdMapper.java 
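Review bot: The presence check in `ClientIdMapper.fromDto` looks the field up by a string literal, `findFieldByName("subsystemCode")`, which returns null when the name does not match the `.proto` declaration, so `hasField` then fails at runtime rather than at compile time. This mapper decides whether an identifier is treated as a member or as a subsystem, so the check should not hinge on a literal that a proto rename can silently break. If `subsystemCode` is declared `optional` in the proto file (not visible here), the generated accessor gives the same result with compiler support and resolves the `//TODO:grpc refine this check` comment: `if (input.hasSubsystemCode()) {`. The body of `fromDto` continues outside the hunk.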
@@ -0,0 +1,24 @@ +package ee.ria.xroad.signer.protocol; + +import ee.ria.xroad.common.identifier.SecurityServerId; + +import org.niis.xroad.signer.protocol.dto.SecurityServerIdProto; +import org.niis.xroad.signer.protocol.dto.XRoadObjectType; + +public class SecurityServerIdMapper { + + public static SecurityServerId.Conf fromDto(SecurityServerIdProto input) { + return SecurityServerId.Conf.create(input.getXroadInstance(), input.getMemberClass(), input.getMemberCode(), + input.getServerCode()); + } + + public static SecurityServerIdProto toDto(SecurityServerId input) { + return SecurityServerIdProto.newBuilder() + .setMemberClass(input.getMemberClass()) + .setMemberCode(input.getMemberCode()) + .setServerCode(input.getServerCode()) + .setXroadInstance(input.getXRoadInstance()) + .setObjectType(XRoadObjectType.valueOf(input.getObjectType().name())) + .build(); + } +} diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SignerClient.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SignerClient.java index 17f46c52fa..fbde985ffe 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SignerClient.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SignerClient.java @@ -108,6 +108,7 @@ public static void execute(Object message, ActorRef receiver) { * @return the response * @throws Exception if the response is an exception */ + @Deprecated public static T execute(Object message) throws Exception { try { return result(Await.result(Patterns.ask(requestProcessor(), message, TIMEOUT), TIMEOUT.duration())); diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/AuthKeyInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/AuthKeyInfo.java index 8782560d44..0faf6ab448 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/AuthKeyInfo.java 
+++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/AuthKeyInfo.java @@ -34,6 +34,7 @@ * Authentication key info DTO. */ @Value +@Deprecated @ToString(exclude = { "password" }) public class AuthKeyInfo implements Serializable { diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java index a87e60eafd..84f22478b9 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java @@ -26,6 +26,7 @@ package ee.ria.xroad.signer.protocol.dto; import ee.ria.xroad.common.identifier.ClientId; +import ee.ria.xroad.signer.protocol.ClientIdMapper; import lombok.RequiredArgsConstructor; @@ -44,18 +45,7 @@ public String getId() { } public ClientId getMemberId() { - ClientIdProto memberId = message.getMemberId(); - //TODO:grpc refine this check - if (message.getMemberId().hasField(ClientIdProto.getDescriptor().findFieldByName("subsystem_code"))) { - return ClientId.Conf.create(memberId.getXroadInstance(), - memberId.getMemberClass(), - memberId.getMemberCode(), - memberId.getSubsystemCode()); - } else { - return ClientId.Conf.create(memberId.getXroadInstance(), - memberId.getMemberClass(), - memberId.getMemberCode()); - } + return ClientIdMapper.fromDto(message.getMemberId()); } public String getSubjectName() { diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java index 230064fa3f..b3e1bc32e2 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java 
@@ -26,7 +26,6 @@ package ee.ria.xroad.signer.protocol.dto; import lombok.RequiredArgsConstructor; -import lombok.Value; import java.io.Serializable; import java.util.List; @@ -97,4 +96,8 @@ public boolean isSavedToConfiguration() { .anyMatch(CertificateInfo::isSavedToConfiguration); } + + public KeyInfoProto asMessage() { + return message; + } } diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/MemberSigningInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/MemberSigningInfo.java deleted file mode 100644 index f93a296678..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/MemberSigningInfo.java +++ /dev/null 
@@ -1,45 +0,0 @@
-/**
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.protocol.dto;
-
-import lombok.ToString;
-import lombok.Value;
-
-import java.io.Serializable;
-
-/**
- * Member signing info DTO.
- */
-@Value
-@ToString(exclude = "cert")
-public class MemberSigningInfo implements Serializable {
-
- private final String keyId;
-
- private final CertificateInfo cert;
-
- private final String signMechanismName;
-}
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequest.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequest.java index a95f251383..5ba7b57a51 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequest.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequest.java @@ -37,6 +37,7 @@ * Signer API message. */ @Value +@Deprecated public class GenerateCertRequest implements Serializable { private final String keyId; diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequestResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequestResponse.java index 8bb3d09e2e..c8cf21b974 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequestResponse.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequestResponse.java @@ -34,6 +34,7 @@ * Signer API message. */ @Value +@Deprecated public class GenerateCertRequestResponse implements Serializable { private final String certReqId; diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateKey.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateKey.java index 9231156fd0..dde440c227 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateKey.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateKey.java @@ -33,6 +33,7 @@ * Signer API message. */ @Value +@Deprecated public class GenerateKey implements Serializable { private final String tokenId; 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetHSMOperationalInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetHSMOperationalInfo.java deleted file mode 100644 index ef1ed4fa6d..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetHSMOperationalInfo.java +++ /dev/null @@ -1,34 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *

- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *

- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import java.io.Serializable; - -/** - * Signer API message. - */ -public class GetHSMOperationalInfo implements Serializable { -} diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetHSMOperationalInfoResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetHSMOperationalInfoResponse.java index 78401c339b..b4313fc1f1 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetHSMOperationalInfoResponse.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetHSMOperationalInfoResponse.java @@ -33,6 +33,7 @@ * Signer API message. */ @Value +@Deprecated public class GetHSMOperationalInfoResponse implements Serializable { boolean operational; diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetMemberSigningInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetMemberSigningInfo.java index b20d451afb..6869b461b2 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetMemberSigningInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetMemberSigningInfo.java @@ -35,6 +35,7 @@ * Signer API message. */ @Value +@Deprecated public class GetMemberSigningInfo implements Serializable { private final ClientId memberId; 
diff --git a/src/signer-protocol/src/main/proto/CertificateService.proto b/src/signer-protocol/src/main/proto/CertificateService.proto index 37fbd43189..979d602aa9 100644 --- a/src/signer-protocol/src/main/proto/CertificateService.proto +++ b/src/signer-protocol/src/main/proto/CertificateService.proto @@ -17,6 +17,8 @@ service CertificateService { rpc SetCertStatus (SetCertStatusReq) returns (Empty) {} + rpc GenerateCertRequest (GenerateCertRequestReq) returns (GenerateCertRequestResp) {} + rpc RegenerateCertRequest (RegenerateCertRequestReq) returns (RegenerateCertRequestResp) {} rpc DeleteCert (DeleteCertReq) returns (Empty) {} @@ -54,7 +56,7 @@ message GetMemberCertsResp{ repeated CertificateInfoProto certs = 1; } -message RegenerateCertRequestReq {//TODO:grpc consider swapping req and request places.. +message RegenerateCertRequestReq { string certRequestId = 1; CertificateRequestFormat format = 2; } @@ -103,3 +105,17 @@ message GenerateSelfSignedCertReq { message GenerateSelfSignedCertResp { bytes certificateBytes = 1; } + +message GenerateCertRequestReq { + string keyId = 1; + ClientIdProto memberId = 2; + KeyUsageInfo keyUsage = 3; + string subjectName = 4; + CertificateRequestFormat format = 5; +} + +message GenerateCertRequestResp { + string certReqId = 1; + bytes certRequest = 2; + CertificateRequestFormat format = 3; +} diff --git a/src/signer-protocol/src/main/proto/CommonMessages.proto b/src/signer-protocol/src/main/proto/CommonMessages.proto index 84f859faed..7ad46cb0f8 100644 --- a/src/signer-protocol/src/main/proto/CommonMessages.proto +++ b/src/signer-protocol/src/main/proto/CommonMessages.proto 
@@ -7,3 +7,30 @@ option java_package = "org.niis.xroad.signer.protocol.dto"; /* Generic empty request/response. */ message Empty { } + +message ClientIdProto { + string memberClass = 1; + string memberCode = 2; + string subsystemCode = 3; + + string xroadInstance = 4; + XRoadObjectType objectType = 5; +} + +message SecurityServerIdProto { + string memberClass = 1; + string memberCode = 2; + string serverCode = 3; + + string xroadInstance = 4; + XRoadObjectType objectType = 5; +} + +enum XRoadObjectType { + SERVER = 0; + SERVICE = 1; + MEMBER = 2; + SUBSYSTEM = 3; + GLOBALGROUP = 4; + LOCALGROUP = 5 [deprecated = true]; // Deprecated +} diff --git a/src/signer-protocol/src/main/proto/KeyService.proto b/src/signer-protocol/src/main/proto/KeyService.proto index b11826cc9b..4de54efc88 100644 --- a/src/signer-protocol/src/main/proto/KeyService.proto +++ b/src/signer-protocol/src/main/proto/KeyService.proto @@ -9,6 +9,8 @@ import "TokenStatusInfo.proto"; package org.niis.xroad.signer.proto; service KeyService { + rpc GenerateKey (GenerateKeyReq) returns (KeyInfoProto) {} + rpc SetKeyFriendlyName (SetKeyFriendlyNameReq) returns (Empty) {} rpc GetKeyIdForCertHash (GetKeyIdForCertHashReq) returns (GetKeyIdForCertHashResp) {} @@ -20,8 +22,9 @@ service KeyService { rpc SignCertificate(SignCertificateReq) returns (SignCertificateResp) {} rpc DeleteKey (DeleteKeyReq) returns (Empty) {} -} + rpc GetAuthKey (GetAuthKeyReq) returns (AuthKeyInfoProto) {} +} message GetKeyIdForCertHashReq { string certHash = 1; @@ -61,7 +64,6 @@ message SignCertificateReq { string signatureAlgorithmId = 2; string subjectName = 3; bytes publicKey = 4; - } message SignCertificateResp { 
@@ -72,3 +74,19 @@ message DeleteKeyReq { string keyId = 1; bool deleteFromDevice = 2; } + +message GenerateKeyReq { + string tokenId = 1; + string keyLabel = 2; +} + +message GetAuthKeyReq { + SecurityServerIdProto securityServer = 1; +} + +message AuthKeyInfoProto { + string alias = 1; + string keyStoreFileName = 2; + string password = 3; + CertificateInfoProto cert = 4; +} diff --git a/src/signer-protocol/src/main/proto/TokenService.proto b/src/signer-protocol/src/main/proto/TokenService.proto index 5c077cdfeb..a376f08d1a 100644 --- a/src/signer-protocol/src/main/proto/TokenService.proto +++ b/src/signer-protocol/src/main/proto/TokenService.proto @@ -23,12 +23,15 @@ service TokenService { rpc SetTokenFriendlyName (SetTokenFriendlyNameReq) returns (Empty) {} - rpc GetTokenBatchSigningEnabled(GetTokenBatchSigningEnabledReq) returns (GetTokenBatchSigningEnabledResp){} + rpc GetTokenBatchSigningEnabled (GetTokenBatchSigningEnabledReq) returns (GetTokenBatchSigningEnabledResp){} - rpc InitSoftwareToken(InitSoftwareTokenReq) returns (Empty) {} + rpc InitSoftwareToken (InitSoftwareTokenReq) returns (Empty) {} - rpc UpdateSoftwareTokenPin(UpdateSoftwareTokenPinReq) returns (Empty) {} + rpc UpdateSoftwareTokenPin (UpdateSoftwareTokenPinReq) returns (Empty) {} + rpc GetHSMOperationalInfo (Empty) returns (GetHSMOperationalInfoResp) {} + + rpc GetMemberSigningInfo (GetMemberSigningInfoReq) returns (GetMemberSigningInfoResp) {} } message ListTokensResp { @@ -78,3 +81,17 @@ message UpdateSoftwareTokenPinReq { string oldPin = 2; string newPin = 3; } + +message GetHSMOperationalInfoResp { + bool operational = 1; +} + +message GetMemberSigningInfoReq { + ClientIdProto memberId = 1; +} + +message GetMemberSigningInfoResp { + string keyId = 1; + CertificateInfoProto cert = 2; + string signMechanismName = 3; +} diff --git a/src/signer-protocol/src/main/proto/Tokens.proto b/src/signer-protocol/src/main/proto/Tokens.proto index b952b105f5..b37660436a 100644 
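Review bot: `AuthKeyInfoProto` in KeyService.proto carries the key store password as an ordinary `string password = 3;`, so it is printed with the rest of the message, since the generated `toString()` dumps every field. The `AuthKeyInfo` DTO it replaces is annotated `@ToString(exclude = { "password" })` for exactly that reason. Any request or response logging on the `GetAuthKey` path (interceptors, debug logs, exception text that embeds the response) would therefore write the password out. I would put that on the field itself, e.g. `// secret: never log this message; copy into a char[] on receipt and drop the string reference`, and keep the value out of any wrapper's `toString()`. Whether the signer's gRPC channel is restricted to authenticated local callers is not visible in this hunk and matters more now that the password travels in a response body.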
--- a/src/signer-protocol/src/main/proto/Tokens.proto +++ b/src/signer-protocol/src/main/proto/Tokens.proto @@ -1,4 +1,6 @@ syntax = "proto3"; + +import "CommonMessages.proto"; import "TokenStatusInfo.proto"; option java_multiple_files = true; @@ -54,24 +56,6 @@ message CertRequestInfoProto { // Add other fields as needed } -message ClientIdProto { - string member_class = 1; - string member_code = 2; - string subsystem_code = 3; - - string xroad_instance = 4; - XRoadObjectType object_type = 5; -} - -enum XRoadObjectType { - SERVER = 0; - SERVICE = 1; - MEMBER = 2; - SUBSYSTEM = 3; - GLOBALGROUP = 4; - LOCALGROUP = 5 [deprecated = true]; // Deprecated -} - /* Key usage can either be signing or authentication. */ enum KeyUsageInfo { SIGNING = 0; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java index 7afc0c9f85..3440ffc2c7 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/CertificateService.java 
@@ -25,13 +25,15 @@ */ package ee.ria.xroad.signer.protocol; -import ee.ria.xroad.signer.protocol.handler.ActivateCertRequestHandler; +import ee.ria.xroad.signer.protocol.handler.ActivateCertReqHandler; import ee.ria.xroad.signer.protocol.handler.DeleteCertReqHandler; import ee.ria.xroad.signer.protocol.handler.DeleteCertRequestReqHandler; +import ee.ria.xroad.signer.protocol.handler.GenerateCertReqReqHandler; import ee.ria.xroad.signer.protocol.handler.GenerateSelfSignedCertReqHandler; import ee.ria.xroad.signer.protocol.handler.GetCertificateInfoForHashReqHandler; import ee.ria.xroad.signer.protocol.handler.GetMemberCertsReqHandler; import ee.ria.xroad.signer.protocol.handler.ImportCertReqHandler; +import ee.ria.xroad.signer.protocol.handler.RegenerateCertReqReqHandler; import ee.ria.xroad.signer.protocol.handler.SetCertStatusReqHandler; import io.grpc.stub.StreamObserver; @@ -41,6 +43,8 @@ import org.niis.xroad.signer.proto.CertificateServiceGrpc; import org.niis.xroad.signer.proto.DeleteCertReq; import org.niis.xroad.signer.proto.DeleteCertRequestReq; +import org.niis.xroad.signer.proto.GenerateCertRequestReq; +import org.niis.xroad.signer.proto.GenerateCertRequestResp; import org.niis.xroad.signer.proto.GenerateSelfSignedCertReq; import org.niis.xroad.signer.proto.GenerateSelfSignedCertResp; import org.niis.xroad.signer.proto.GetCertificateInfoForHashReq; @@ -62,7 +66,7 @@ @Service @RequiredArgsConstructor public class CertificateService extends CertificateServiceGrpc.CertificateServiceImplBase { - private final ActivateCertRequestHandler activateCertRequestHandler; + private final ActivateCertReqHandler activateCertReqHandler; private final GetCertificateInfoForHashReqHandler getCertificateInfoForHashReqHandler; private final GetMemberCertsReqHandler getMemberCertsReqHandler; private final SetCertStatusReqHandler setCertStatusReqHandler; 
@@ -70,10 +74,12 @@ public class CertificateService extends CertificateServiceGrpc.CertificateServic private final DeleteCertRequestReqHandler deleteCertRequestReqHandler; private final ImportCertReqHandler importCertReqHandler; private final GenerateSelfSignedCertReqHandler generateSelfSignedCertReqHandler; + private final RegenerateCertReqReqHandler regenerateCertReqReqHandler; + private final GenerateCertReqReqHandler generateCertReqReqHandler; @Override public void activateCert(ActivateCertReq request, StreamObserver responseObserver) { - activateCertRequestHandler.processSingle(request, responseObserver); + activateCertReqHandler.processSingle(request, responseObserver); } @Override @@ -112,8 +118,13 @@ public void generateSelfSignedCert(GenerateSelfSignedCertReq request, StreamObse generateSelfSignedCertReqHandler.processSingle(request, responseObserver); } + @Override + public void generateCertRequest(GenerateCertRequestReq request, StreamObserver responseObserver) { + generateCertReqReqHandler.processSingle(request, responseObserver); + } + @Override public void regenerateCertRequest(RegenerateCertRequestReq request, StreamObserver responseObserver) { - super.regenerateCertRequest(request, responseObserver); + regenerateCertReqReqHandler.processSingle(request, responseObserver); } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java index 4a7cfdd285..beb2de9773 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/KeyService.java 
@@ -25,7 +25,10 @@ */ package ee.ria.xroad.signer.protocol; +import ee.ria.xroad.signer.protocol.dto.KeyInfoProto; import ee.ria.xroad.signer.protocol.handler.DeleteKeyReqHandler; +import ee.ria.xroad.signer.protocol.handler.GenerateKeyReqHandler; +import ee.ria.xroad.signer.protocol.handler.GetAuthKeyReqHandler; import ee.ria.xroad.signer.protocol.handler.GetKeyIdForCertHashReqHandler; import ee.ria.xroad.signer.protocol.handler.GetSignMechanismReqHandler; import ee.ria.xroad.signer.protocol.handler.SetKeyFriendlyNameReqHandler; @@ -34,7 +37,10 @@ import io.grpc.stub.StreamObserver; import lombok.RequiredArgsConstructor; +import org.niis.xroad.signer.proto.AuthKeyInfoProto; import org.niis.xroad.signer.proto.DeleteKeyReq; +import org.niis.xroad.signer.proto.GenerateKeyReq; +import org.niis.xroad.signer.proto.GetAuthKeyReq; import org.niis.xroad.signer.proto.GetKeyIdForCertHashReq; import org.niis.xroad.signer.proto.GetKeyIdForCertHashResp; import org.niis.xroad.signer.proto.GetSignMechanismReq; @@ -58,8 +64,10 @@ public class KeyService extends KeyServiceGrpc.KeyServiceImplBase { private final SignCertificateReqHandler signCertificateReqHandler; private final GetSignMechanismReqHandler getSignMechanismReqHandler; private final GetKeyIdForCertHashReqHandler getKeyIdForCertHashReqHandler; + private final GenerateKeyReqHandler generateKeyReqHandler; private final SetKeyFriendlyNameReqHandler setKeyFriendlyNameReqHandler; private final DeleteKeyReqHandler deleteKeyReqHandler; + private final GetAuthKeyReqHandler getAuthKeyReqHandler; @Override public void getKeyIdForCertHash(GetKeyIdForCertHashReq request, StreamObserver responseObserver) { 
@@ -90,4 +98,14 @@ public void signCertificate(SignCertificateReq request, StreamObserver responseObserver) { deleteKeyReqHandler.processSingle(request, responseObserver); } + + @Override + public void generateKey(GenerateKeyReq request, StreamObserver responseObserver) { + generateKeyReqHandler.processSingle(request, responseObserver); + } + + @Override + public void getAuthKey(GetAuthKeyReq request, StreamObserver responseObserver) { + getAuthKeyReqHandler.processSingle(request, responseObserver); + } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java index c252c2742f..7a2f43c452 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java @@ -28,6 +28,7 @@ import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyIdProto; import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; import ee.ria.xroad.signer.protocol.handler.ActivateTokenReqHandler; +import ee.ria.xroad.signer.protocol.handler.GetHSMOperationalInfoReqHandler; import ee.ria.xroad.signer.protocol.handler.GetTokenBatchSigningEnabledReqHandler; import ee.ria.xroad.signer.protocol.handler.GetTokenInfoAndKeyIdForCertHashReqHandler; import ee.ria.xroad.signer.protocol.handler.GetTokenInfoAndKeyIdForCertRequestIdReqHandler; @@ -41,6 +42,7 @@ import io.grpc.stub.StreamObserver; import lombok.RequiredArgsConstructor; import org.niis.xroad.signer.proto.ActivateTokenReq; +import org.niis.xroad.signer.proto.GetHSMOperationalInfoResp; import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledReq; import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledResp; import org.niis.xroad.signer.proto.GetTokenByCertHashReq; 
@@ -69,6 +71,7 @@ public class TokensService extends TokenServiceGrpc.TokenServiceImplBase { private final GetTokenBatchSigningEnabledReqHandler getTokenBatchSigningEnabledReqHandler; private final GetTokenInfoAndKeyIdForCertHashReqHandler getTokenInfoAndKeyIdForCertHashReqHandler; private final GetTokenInfoAndKeyIdForCertRequestIdReqHandler getTokenInfoAndKeyIdForCertRequestIdReqHandler; + private final GetHSMOperationalInfoReqHandler getHSMOperationalInfoReqHandler; private final SetTokenFriendlyNameReqHandler setTokenFriendlyNameReqHandler; private final ListTokensReqHandler listTokensReqHandler; @@ -114,6 +117,11 @@ public void getTokenBatchSigningEnabled(GetTokenBatchSigningEnabledReq request, getTokenBatchSigningEnabledReqHandler.processSingle(request, responseObserver); } + @Override + public void getHSMOperationalInfo(Empty request, StreamObserver responseObserver) { + getHSMOperationalInfoReqHandler.processSingle(request, responseObserver); + } + @Override public void initSoftwareToken(InitSoftwareTokenReq request, StreamObserver responseObserver) { initSoftwareTokenReqHandler.processSingle(request, responseObserver); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertRequest.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertReq.java similarity index 88% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertRequest.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertReq.java index e0e1b815ff..b656f4cdf6 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertRequest.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertReq.java 
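Review bot: The `TokensService` hunks add an override for `getHSMOperationalInfo` only, although the same commit also declares `rpc GetMemberSigningInfo` in TokenService.proto and `SignerProxy.getMemberSigningInfo` already issues that call over gRPC. Unless the override is added outside the hunks shown here, the generated base class answers it with UNIMPLEMENTED and every caller that needs a member's signing key and certificate fails at runtime. If that is intended for this step of the migration, say so next to the new override, e.g. `// TODO:grpc getMemberSigningInfo is declared in TokenService.proto but not served yet`.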
@@ -28,14 +28,16 @@ import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.util.CryptoUtils; -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; +import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.util.CalculateSignature; import ee.ria.xroad.signer.util.CalculatedSignature; import ee.ria.xroad.signer.util.TokenAndKey; +import akka.actor.Actor; import akka.actor.ActorRef; import akka.actor.Props; import akka.actor.UntypedAbstractActor; +import com.google.protobuf.AbstractMessage; import lombok.extern.slf4j.Slf4j; import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; @@ -62,11 +64,12 @@ /** * Abstract base class for GenerateCertRequestRequestHandler and RegenerateCertRequestRequestHandler. + * * @param the type of generate cert request message this handler handles */ @Slf4j -@Deprecated -public abstract class AbstractGenerateCertRequest extends AbstractRequestHandler { +public abstract class AbstractGenerateCertReq extends AbstractRpcHandler { PKCS10CertificationRequest buildSignedCertRequest(TokenAndKey tokenAndKey, String subjectName) throws Exception { @@ -109,6 +112,7 @@ private static byte[] toPem(PKCS10CertificationRequest req) throws Exception { return out.toByteArray(); } + //TODO:grpc this should be refactored.. private static class TokenContentSigner implements ContentSigner { private static final int SIGNATURE_TIMEOUT_SECONDS = 10; @@ -116,7 +120,7 @@ private static class TokenContentSigner implements ContentSigner { private final ByteArrayOutputStream out = new ByteArrayOutputStream(); private final TokenAndKey tokenAndKey; - private final AbstractGenerateCertRequest abstractGenerateCertRequest; + private final AbstractGenerateCertReq abstractGenerateCertReq; private final String digestAlgoId; private final String signAlgoId; 
@@ -125,10 +129,10 @@ private static class TokenContentSigner implements ContentSigner { private volatile CalculatedSignature signature; - TokenContentSigner(TokenAndKey tokenAndKey, AbstractGenerateCertRequest abstractGenerateCertRequest) + TokenContentSigner(TokenAndKey tokenAndKey, AbstractGenerateCertReq abstractGenerateCertReq) throws NoSuchAlgorithmException { this.tokenAndKey = tokenAndKey; - this.abstractGenerateCertRequest = abstractGenerateCertRequest; + this.abstractGenerateCertReq = abstractGenerateCertReq; digestAlgoId = SystemProperties.getSignerCsrSignatureDigestAlgorithm(); signAlgoId = CryptoUtils.getSignatureAlgorithmId(digestAlgoId, tokenAndKey.getSignMechanism()); @@ -156,15 +160,17 @@ public byte[] getSignature() { throw new CodedException(X_INTERNAL_ERROR, e); } - ActorRef signatureReceiver = abstractGenerateCertRequest.getContext().actorOf( + var actorSystem = abstractGenerateCertReq.temporaryAkkaMessenger.getActorSystem(); + ActorRef signatureReceiver = actorSystem.actorOf( Props.create(SignatureReceiverActor.class, this)); try { - abstractGenerateCertRequest.tellToken(new CalculateSignature(abstractGenerateCertRequest.getSelf(), + + signature = abstractGenerateCertReq.temporaryAkkaMessenger.tellTokenWithResponse(new CalculateSignature(Actor.noSender(), tokenAndKey.getKeyId(), signAlgoId, digest), - tokenAndKey.getTokenId(), signatureReceiver); + tokenAndKey.getTokenId()); - waitForSignature(); +// waitForSignature(); if (signature.getException() != null) { throw translateException(signature.getException()); @@ -172,7 +178,7 @@ public byte[] getSignature() { return signature.getSignature(); } finally { - abstractGenerateCertRequest.getContext().stop(signatureReceiver); + actorSystem.stop(signatureReceiver); } } 
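Review bot: In `TokenContentSigner.getSignature` the `signatureReceiver` actor is still created and stopped, but nothing is sent to it any more. The call now passes `Actor.noSender()` and takes its result from `tellTokenWithResponse`, and `// waitForSignature();` is left behind as commented-out code. I would drop the `actorSystem.actorOf(...)` / `actorSystem.stop(signatureReceiver)` pair and the commented line rather than spawn an actor per CSR signature. Two guarantees of the old path are no longer visible here: the `SIGNATURE_TIMEOUT_SECONDS` bound on waiting for the token, and a defined outcome when no answer arrives. `signature.getException()` is dereferenced without a null check, so depending on what `tellTokenWithResponse` returns on timeout, a guard that throws a `CodedException` with `X_INTERNAL_ERROR` belongs before it. The method begins above the second of these hunks.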
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateCertRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateCertReqHandler.java similarity index 98% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateCertRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateCertReqHandler.java index ecb108f838..469ad3c84f 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateCertRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ActivateCertReqHandler.java @@ -36,7 +36,7 @@ * Handles certificate activations and deactivations. */ @Component -public class ActivateCertRequestHandler +public class ActivateCertReqHandler extends AbstractRpcHandler { @Override diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertRequestRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertReqReqHandler.java similarity index 70% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertRequestRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertReqReqHandler.java index 379ebfb699..c56ce58ac9 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertRequestRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertReqReqHandler.java 
@@ -26,15 +26,18 @@ package ee.ria.xroad.signer.protocol.handler; import ee.ria.xroad.common.CodedException; +import ee.ria.xroad.signer.protocol.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; -import ee.ria.xroad.signer.protocol.message.GenerateCertRequest; -import ee.ria.xroad.signer.protocol.message.GenerateCertRequestResponse; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenType; import ee.ria.xroad.signer.util.TokenAndKey; +import com.google.protobuf.ByteString; import lombok.extern.slf4j.Slf4j; import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import org.niis.xroad.signer.proto.GenerateCertRequestReq; +import org.niis.xroad.signer.proto.GenerateCertRequestResp; +import org.springframework.stereotype.Component; import static ee.ria.xroad.common.ErrorCodes.X_WRONG_CERT_USAGE; import static ee.ria.xroad.signer.util.ExceptionHelper.keyNotAvailable; 
@@ -43,29 +46,35 @@ * Handles certificate request generations. */ @Slf4j -public class GenerateCertRequestRequestHandler extends AbstractGenerateCertRequest { +@Component +public class GenerateCertReqReqHandler extends AbstractGenerateCertReq { @Override - protected Object handle(GenerateCertRequest message) throws Exception { - TokenAndKey tokenAndKey = TokenManager.findTokenAndKey(message.getKeyId()); + protected GenerateCertRequestResp handle(GenerateCertRequestReq request) throws Exception { + TokenAndKey tokenAndKey = TokenManager.findTokenAndKey(request.getKeyId()); if (!TokenManager.isKeyAvailable(tokenAndKey.getKeyId())) { throw keyNotAvailable(tokenAndKey.getKeyId()); } - if (message.getKeyUsage() == KeyUsageInfo.AUTHENTICATION + if (request.getKeyUsage() == KeyUsageInfo.AUTHENTICATION && !SoftwareTokenType.ID.equals(tokenAndKey.getTokenId())) { throw CodedException.tr(X_WRONG_CERT_USAGE, "auth_cert_under_softtoken", "Authentication certificate requests can only be created under software tokens"); } - PKCS10CertificationRequest generatedRequest = buildSignedCertRequest(tokenAndKey, message.getSubjectName()); + PKCS10CertificationRequest generatedRequest = buildSignedCertRequest(tokenAndKey, request.getSubjectName()); - String certReqId = TokenManager.addCertRequest(tokenAndKey.getKeyId(), message.getMemberId(), - message.getSubjectName(), message.getKeyUsage()); + String certReqId = TokenManager.addCertRequest(tokenAndKey.getKeyId(), + ClientIdMapper.fromDto(request.getMemberId()), + request.getSubjectName(), request.getKeyUsage()); - return new GenerateCertRequestResponse(certReqId, convert(generatedRequest, message.getFormat()), - message.getFormat()); + return GenerateCertRequestResp.newBuilder() + .setCertReqId(certReqId) + .setCertRequest(ByteString.copyFrom(convert(generatedRequest, request.getFormat()))) + .setFormat(request.getFormat()) + .build(); } + } 
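Review bot: `ClientIdMapper.fromDto(request.getMemberId())` in the `TokenManager.addCertRequest(...)` call runs unconditionally, but a protobuf message getter returns the default instance, not null, when the field was never set. If authentication CSRs are sent without a member (an assumption), and unless `fromDto` (not visible here) maps an empty DTO back to null, the stored request would get a client id built from empty strings where the old code stored null. Consider `request.hasMemberId() ? ClientIdMapper.fromDto(request.getMemberId()) : null`, assuming `member_id` is a message-typed field so that `hasMemberId()` is generated.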
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateKeyRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateKeyReqHandler.java similarity index 70% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateKeyRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateKeyReqHandler.java index 6b58abd8c1..bb7ade7003 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateKeyRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateKeyReqHandler.java @@ -25,19 +25,26 @@ */ package ee.ria.xroad.signer.protocol.handler; -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; +import ee.ria.xroad.signer.protocol.AbstractRpcHandler; +import ee.ria.xroad.signer.protocol.dto.KeyInfo; +import ee.ria.xroad.signer.protocol.dto.KeyInfoProto; import ee.ria.xroad.signer.protocol.message.GenerateKey; +import org.niis.xroad.signer.proto.GenerateKeyReq; +import org.springframework.stereotype.Component; + /** * Handles key generations. */ -public class GenerateKeyRequestHandler - extends AbstractRequestHandler { +@Component +public class GenerateKeyReqHandler extends AbstractRpcHandler { @Override - protected Object handle(GenerateKey message) throws Exception { - tellToken(message, message.getTokenId()); - return nothing(); - } + protected KeyInfoProto handle(GenerateKeyReq request) throws Exception { + var message = new GenerateKey(request.getTokenId(), request.getKeyLabel()); + KeyInfo keyInfo = temporaryAkkaMessenger.tellTokenWithResponse(message, request.getTokenId()); + + return keyInfo.asMessage(); + } } 
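Review bot: The new `handle` passes `request.getTokenId()` and `request.getKeyLabel()` straight to `temporaryAkkaMessenger.tellTokenWithResponse(...)` with no visible availability check on the token. The `AbstractRequestHandler.tellToken` path it replaces (deleted later in this series) threw `tokenNotAvailable(tokenId)` when `TokenManager.isTokenAvailable(tokenId)` was false, before any message reached the token actor. Whether `tellTokenWithResponse` keeps that guard cannot be seen from this hunk; if it does not, add `if (!TokenManager.isTokenAvailable(request.getTokenId())) { throw tokenNotAvailable(request.getTokenId()); }` ahead of the call. It is also worth a comment stating what the messenger returns or throws when the token actor replies with an error, since the result is assigned to `KeyInfo` and dereferenced immediately by `keyInfo.asMessage()`.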
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyReqHandler.java similarity index 81% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyReqHandler.java index ab98d6a2e2..1346a85784 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyReqHandler.java @@ -33,12 +33,11 @@ import ee.ria.xroad.common.ocsp.OcspVerifierOptions; import ee.ria.xroad.common.util.CertUtils; import ee.ria.xroad.common.util.PasswordStore; -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; -import ee.ria.xroad.signer.protocol.dto.AuthKeyInfo; +import ee.ria.xroad.signer.protocol.AbstractRpcHandler; +import ee.ria.xroad.signer.protocol.SecurityServerIdMapper; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; -import ee.ria.xroad.signer.protocol.message.GetAuthKey; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.tokenmanager.module.SoftwareModuleType; import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenType; @@ -46,6 +45,9 @@ import lombok.extern.slf4j.Slf4j; import org.bouncycastle.cert.ocsp.OCSPResp; +import org.niis.xroad.signer.proto.AuthKeyInfoProto; +import org.niis.xroad.signer.proto.GetAuthKeyReq; +import org.springframework.stereotype.Component; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; 
@@ -54,18 +56,21 @@ import static ee.ria.xroad.common.util.CryptoUtils.readCertificate; import static ee.ria.xroad.signer.util.ExceptionHelper.tokenNotActive; import static ee.ria.xroad.signer.util.ExceptionHelper.tokenNotInitialized; +import static java.util.Optional.ofNullable; /** * Handles authentication key retrieval requests. */ @Slf4j -public class GetAuthKeyRequestHandler - extends AbstractRequestHandler { +@Component +public class GetAuthKeyReqHandler + extends AbstractRpcHandler { @Override - protected Object handle(GetAuthKey message) throws Exception { + protected AuthKeyInfoProto handle(GetAuthKeyReq request) throws Exception { + var securityServer = SecurityServerIdMapper.fromDto(request.getSecurityServer()); log.trace("Selecting authentication key for security server {}", - message.getSecurityServer()); + securityServer); validateToken(); @@ -88,9 +93,8 @@ protected Object handle(GetAuthKey message) throws Exception { } for (CertificateInfo certInfo : keyInfo.getCerts()) { - if (authCertValid(certInfo, message.getSecurityServer())) { - log.trace("Found suitable authentication key {}", - keyInfo.getId()); + if (authCertValid(certInfo, securityServer)) { + log.trace("Found suitable authentication key {}", keyInfo.getId()); return authKeyResponse(keyInfo, certInfo); } } @@ -100,7 +104,7 @@ protected Object handle(GetAuthKey message) throws Exception { throw CodedException.tr(X_KEY_NOT_FOUND, "auth_key_not_found_for_server", "Could not find active authentication key for " - + "security server '%s'", message.getSecurityServer()); + + "security server '%s'", securityServer); } private void validateToken() throws CodedException { 
@@ -113,17 +117,23 @@ private void validateToken() throws CodedException { } } - private AuthKeyInfo authKeyResponse(KeyInfo keyInfo, - CertificateInfo certInfo) throws Exception { + private AuthKeyInfoProto authKeyResponse(KeyInfo keyInfo, + CertificateInfo certInfo) throws Exception { String alias = keyInfo.getId(); String keyStoreFileName = SoftwareTokenUtil.getKeyStoreFileName(alias); char[] password = PasswordStore.getPassword(SoftwareTokenType.ID); - return new AuthKeyInfo(alias, keyStoreFileName, password, certInfo); + var builder = AuthKeyInfoProto.newBuilder() + .setAlias(alias) + .setKeyStoreFileName(keyStoreFileName) + .setCert(certInfo.asMessage()); + + ofNullable(password).ifPresent(passwd -> builder.setPassword(new String(passwd))); + return builder.build(); } private boolean authCertValid(CertificateInfo certInfo, - SecurityServerId securityServer) throws Exception { + SecurityServerId securityServer) throws Exception { X509Certificate cert = readCertificate(certInfo.getCertificateBytes()); if (!certInfo.isActive()) { @@ -161,15 +171,15 @@ private boolean authCertValid(CertificateInfo certInfo, log.trace("Ignoring authentication certificate {} because it does " + "not belong to security server {} " - + "(server id from global conf: {})", new Object[] { - CertUtils.identify(cert), - securityServer, serverIdFromConf}); + + "(server id from global conf: {})", new Object[]{ + CertUtils.identify(cert), + securityServer, serverIdFromConf}); return false; } private void verifyOcspResponse(String instanceIdentifier, - X509Certificate subject, byte[] ocspBytes, OcspVerifierOptions verifierOptions) throws Exception { + X509Certificate subject, byte[] ocspBytes, OcspVerifierOptions verifierOptions) throws Exception { if (ocspBytes == null) { throw new CertificateException("OCSP response not found"); } @@ -187,4 +197,5 @@ private static boolean isRegistered(String status) { && status.startsWith(CertificateInfo.STATUS_REGISTERED); } + } 
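Review bot: In `authKeyResponse`, `builder.setPassword(new String(passwd))` copies the software-token keystore password from a `char[]` into an immutable `String` held in a protobuf message. It can then no longer be wiped, and it will appear in any `toString()` or debug logging of `AuthKeyInfoProto`. I would put a comment on that line, e.g. `// keystore password: never log this message; the RPC channel must be TLS-protected`, and check that no interceptor or trace logger prints the response. When the password is null the field is left unset, so the receiver gets an empty string rather than null and has to map it back explicitly before opening the keystore.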
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetHSMOperationalInfoRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetHSMOperationalInfoReqHandler.java similarity index 72% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetHSMOperationalInfoRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetHSMOperationalInfoReqHandler.java index 424aad34e7..31ea59381a 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetHSMOperationalInfoRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetHSMOperationalInfoReqHandler.java @@ -25,19 +25,24 @@ */ package ee.ria.xroad.signer.protocol.handler; -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; +import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.protocol.ComponentNames; -import ee.ria.xroad.signer.protocol.message.GetHSMOperationalInfo; import ee.ria.xroad.signer.util.SignerUtil; +import org.niis.xroad.signer.proto.GetHSMOperationalInfoResp; +import org.niis.xroad.signer.protocol.dto.Empty; +import org.springframework.stereotype.Component; + /** * Handles requests for checking HSMs operational status. */ -public class GetHSMOperationalInfoRequestHandler extends AbstractRequestHandler { +@Component +public class GetHSMOperationalInfoReqHandler extends AbstractRpcHandler { + @Override - protected Object handle(GetHSMOperationalInfo message) throws Exception { + protected GetHSMOperationalInfoResp handle(Empty request) throws Exception { + var actorSelection = temporaryAkkaMessenger.getActorSystem().actorSelection("/user/" + ComponentNames.MODULE_MANAGER); - return SignerUtil.ask(getContext().actorSelection("/user/" + ComponentNames.MODULE_MANAGER), - "HsmOperationalInfo"); + return (GetHSMOperationalInfoResp) SignerUtil.ask(actorSelection, "HsmOperationalInfo"); } } 
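Review bot: The cast in `return (GetHSMOperationalInfoResp) SignerUtil.ask(actorSelection, "HsmOperationalInfo");` is unchecked, so a reply of any other type from the module manager surfaces as a bare `ClassCastException` instead of a coded signer error. What `SignerUtil.ask` returns or throws is not visible in this hunk, so this may already be handled there. If it is not, keep the reply in a local and add `if (!(response instanceof GetHSMOperationalInfoResp)) { throw new CodedException(X_INTERNAL_ERROR, "Unexpected response: %s", response.getClass()); }` before the cast, mirroring the "Unexpected message" handling in the old `AbstractRequestHandler`.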
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoReqHandler.java similarity index 82% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoRequestHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoReqHandler.java index 4848751ecf..0ec90d5e0b 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoRequestHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoReqHandler.java @@ -31,16 +31,17 @@ import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.ocsp.OcspVerifier; import ee.ria.xroad.common.ocsp.OcspVerifierOptions; -import ee.ria.xroad.signer.protocol.AbstractRequestHandler; +import ee.ria.xroad.signer.protocol.AbstractRpcHandler; +import ee.ria.xroad.signer.protocol.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; -import ee.ria.xroad.signer.protocol.dto.MemberSigningInfo; -import ee.ria.xroad.signer.protocol.message.GetMemberSigningInfo; import ee.ria.xroad.signer.tokenmanager.TokenManager; import lombok.Data; import lombok.extern.slf4j.Slf4j; import org.bouncycastle.cert.ocsp.OCSPResp; +import org.niis.xroad.signer.proto.GetMemberSigningInfoReq; +import org.niis.xroad.signer.proto.GetMemberSigningInfoResp; import java.security.cert.X509Certificate; import java.util.List; @@ -54,7 +55,7 @@ * Handles requests for member signing info. */ @Slf4j -public class GetMemberSigningInfoRequestHandler extends AbstractRequestHandler { +public class GetMemberSigningInfoReqHandler extends AbstractRpcHandler { @Data private static class SelectedCertificate { 
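Review bot: `GetMemberSigningInfoReqHandler` keeps only `@Slf4j` on its class line, while `GenerateCertReqReqHandler`, `GenerateKeyReqHandler`, `GetAuthKeyReqHandler` and `GetHSMOperationalInfoReqHandler` all gain `@Component` in this patch. The import hunk for this file also adds no `org.springframework.stereotype.Component`. If handlers are resolved as Spring beans, as the sibling annotations suggest, this one would not be registered and member signing info requests would fail at wiring or call time. Add `import org.springframework.stereotype.Component;` and `@Component` above the class declaration; a later patch in the series touches this file with two added lines, which may be this fix.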
@@ -63,24 +64,28 @@ private static class SelectedCertificate { } @Override - protected Object handle(GetMemberSigningInfo message) throws Exception { - List memberKeys = TokenManager.getKeyInfo(message.getMemberId()); + protected GetMemberSigningInfoResp handle(GetMemberSigningInfoReq request) throws Exception { + var memberId = ClientIdMapper.fromDto(request.getMemberId()); + List memberKeys = TokenManager.getKeyInfo(memberId); if (memberKeys.isEmpty()) { throw CodedException.tr(X_UNKNOWN_MEMBER, "member_certs_not_found", "Could not find any certificates for member '%s'. " - + "Are you sure tokens containing the certificates are logged in?", message.getMemberId()); + + "Are you sure tokens containing the certificates are logged in?", memberId); } - SelectedCertificate memberCert = selectMemberCert(memberKeys, message.getMemberId()); + SelectedCertificate memberCert = selectMemberCert(memberKeys, memberId); if (memberCert == null) { throw CodedException.tr(X_INTERNAL_ERROR, "member_has_no_suitable_certs", - "Member '%s' has no suitable certificates", message.getMemberId()); + "Member '%s' has no suitable certificates", memberId); } - return new MemberSigningInfo(memberCert.getKey().getId(), memberCert.getCert(), - memberCert.getKey().getSignMechanismName()); + return GetMemberSigningInfoResp.newBuilder() + .setKeyId(memberCert.getKey().getId()) + .setCert(memberCert.getCert().asMessage()) + .setSignMechanismName(memberCert.getKey().getSignMechanismName()) + .build(); } private SelectedCertificate selectMemberCert(List memberKey, ClientId memberId) { 
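Review bot: The response builder at the end of `handle` passes `memberCert.getKey().getSignMechanismName()` straight to `setSignMechanismName(...)`, and generated protobuf setters throw `NullPointerException` on null. A missing mechanism name would therefore abort the request instead of producing a reply with an absent field. Whether the name can be null for a selected key is not visible here; if it can, guard it the way `GetAuthKeyReqHandler.authKeyResponse` guards the password, e.g. `ofNullable(memberCert.getKey().getSignMechanismName()).ifPresent(builder::setSignMechanismName);`. The same question applies to `setMemberId(ClientIdMapper.toDto(certRequestInfo.getMemberId()))` and `setKeyUsage(tokenAndKey.getKey().getUsage())` in the `RegenerateCertReqReqHandler` hunk further down.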
@@ -123,7 +128,7 @@ private void checkValidity(String instanceIdentifier, byte[] certBytes, byte[] o } private void verifyOcspResponse(String instanceIdentifier, byte[] ocspBytes, X509Certificate subject, - OcspVerifierOptions verifierOptions) throws Exception { + OcspVerifierOptions verifierOptions) throws Exception { if (ocspBytes == null) { throw new Exception("OCSP response for certificate " + subject.getSubjectX500Principal().getName() + " not found"); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertRequestReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertReqReqHandler.java similarity index 82% rename from src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertRequestReqHandler.java rename to src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertReqReqHandler.java index 7d2e4b64c8..36ce572782 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertRequestReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertReqReqHandler.java @@ -25,8 +25,10 @@ */ package ee.ria.xroad.signer.protocol.handler; +import com.google.protobuf.ByteString; + import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.protocol.AbstractRpcHandler; +import ee.ria.xroad.signer.protocol.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; @@ -39,6 +41,7 @@ import org.bouncycastle.pkcs.PKCS10CertificationRequest; import org.niis.xroad.signer.proto.RegenerateCertRequestReq; import org.niis.xroad.signer.proto.RegenerateCertRequestResp; +import org.springframework.stereotype.Component; import static ee.ria.xroad.common.ErrorCodes.X_CSR_NOT_FOUND; import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; 
@@ -48,7 +51,8 @@ * Handles certificate request re-generations. */ @Slf4j -public class RegenerateCertRequestReqHandler extends AbstractRpcHandler { +@Component +public class RegenerateCertReqReqHandler extends AbstractGenerateCertReq { @Override protected RegenerateCertRequestResp handle(RegenerateCertRequestReq message) throws Exception { @@ -74,15 +78,15 @@ protected RegenerateCertRequestResp handle(RegenerateCertRequestReq message) thr String subjectName = certRequestInfo.getSubjectName(); -// PKCS10CertificationRequest generatedRequest = buildSignedCertRequest(tokenAndKey, subjectName); - PKCS10CertificationRequest generatedRequest =null;//TODO:Grpc -// return new RegenerateCertRequestResponse(message.getCertRequestId(), -// convert(generatedRequest, message.getFormat()), -// message.getFormat(), -// certRequestInfo.getMemberId(), -// tokenAndKey.getKey().getUsage() -// ); - return null; + PKCS10CertificationRequest generatedRequest = buildSignedCertRequest(tokenAndKey, subjectName); + + return RegenerateCertRequestResp.newBuilder() + .setCertReqId(message.getCertRequestId()) + .setCertRequest(ByteString.copyFrom(convert(generatedRequest, message.getFormat()))) + .setFormat(message.getFormat()) + .setMemberId(ClientIdMapper.toDto(certRequestInfo.getMemberId())) + .setKeyUsage(tokenAndKey.getKey().getUsage()) + .build(); } private TokenAndKey findTokenAndKeyForCsrId(String certRequestId) { From ef42e7f0b5b86e22631b8b07c2ec97a30516855f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Fri, 25 Aug 2023 12:43:53 +0300 Subject: [PATCH 024/127] chore: remove signer request handler actors Refs: XRDDEV-2468 --- .../xroad/signer/protocol/ComponentNames.java | 6 +- .../xroad/signer/protocol/SignerClient.java | 9 +- .../main/java/ee/ria/xroad/signer/Signer.java | 6 +- .../protocol/AbstractRequestHandler.java | 115 ---------------- .../protocol/SignerRequestProcessor.java | 125 ------------------ .../signer/tokenmanager/ServiceLocator.java | 23 ---- 6 files changed, 4 insertions(+), 280 deletions(-) delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRequestHandler.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/SignerRequestProcessor.java diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ComponentNames.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ComponentNames.java index 5793102e8e..94e31851a5 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ComponentNames.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ComponentNames.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -32,10 +32,6 @@ public final class ComponentNames { public static final String SIGNER = "Signer"; - public static final String SIGNER_CLIENT = "SignerClient"; - - public static final String REQUEST_PROCESSOR = "RequestProcessor"; - public static final String TOKEN_SIGNER = "TokenSigner"; public static final String TOKEN_WORKER = "TokenWorker"; diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SignerClient.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SignerClient.java index fbde985ffe..6207b83913 100644 
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SignerClient.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SignerClient.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -30,9 +30,7 @@ import akka.actor.ActorIdentity; import akka.actor.ActorRef; -import akka.actor.ActorSelection; import akka.actor.ActorSystem; -import akka.actor.Identify; import akka.actor.Props; import akka.actor.UntypedAbstractActor; import akka.pattern.Patterns; @@ -49,7 +47,6 @@ import java.util.concurrent.TimeoutException; import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; -import static ee.ria.xroad.signer.protocol.ComponentNames.REQUEST_PROCESSOR; import static ee.ria.xroad.signer.protocol.ComponentNames.SIGNER; import static ee.ria.xroad.signer.protocol.SignerClient.SignerWatcher.requestProcessor; 
@@ -207,7 +204,7 @@ private static synchronized void resetRequestProcessorFuture(CompletableFuture the type of message this handler handles - */ -@SuppressWarnings("unchecked") -@Slf4j -@Deprecated -public abstract class AbstractRequestHandler extends UntypedAbstractActor { - - private static final Object SUCCESS = new SuccessResponse(); - private static final Object NOTHING = null; - - @Override - public void onReceive(Object message) { - if (log.isTraceEnabled()) { - log.trace("onReceive({}) from {}", message, sender()); - } - try { - Object result = handle((T) message); - if (result != nothing()) { - if (result instanceof Exception) { - handleError(translateException((Exception) result)); - } else if (hasSender()) { - //use parent as sender (avoids leaking the temp request handler ref) - getSender().tell(result, context().parent()); - } - } - } catch (ClassCastException e) { - handleError(new CodedException(X_INTERNAL_ERROR, - "Unexpected message: %s", message.getClass())); - } catch (Exception e) { - handleError(translateException(e)); - } finally { - getContext().stop(getSelf()); - } - } - - protected void tellToken(Object message, String tokenId) { - tellToken(message, tokenId, getSender()); - } - - protected void tellToken(Object message, String tokenId, - ActorRef sender) { - if (!TokenManager.isTokenAvailable(tokenId)) { - throw tokenNotAvailable(tokenId); - } - - getToken(getContext(), tokenId).tell(message, sender); - } - - protected abstract Object handle(T message) throws Exception; - - private void handleError(CodedException e) { - log.error("Error in request handler", e); - - if (hasSender()) { - //use parent as sender (avoids leaking the temp request handler ref) - getSender().tell(e.withPrefix(SIGNER_X), context().parent()); - } - } - - private boolean hasSender() { - return getSender() != ActorRef.noSender(); - } - - protected static Object success() { - return SUCCESS; - } - - protected static Object nothing() { - return NOTHING; - } - -} 
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/SignerRequestProcessor.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/SignerRequestProcessor.java deleted file mode 100644 index 9cd51af859..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/SignerRequestProcessor.java +++ /dev/null 
@@ -1,125 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.signer.protocol; - -import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.protocol.message.ConnectionPing; -import ee.ria.xroad.signer.protocol.message.ConnectionPong; - -import akka.actor.ActorRef; -import akka.actor.Props; -import akka.actor.UntypedAbstractActor; -import lombok.extern.slf4j.Slf4j; - -import java.util.HashMap; -import java.util.Map; - -import static ee.ria.xroad.common.ErrorCodes.SIGNER_X; -import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; -import static ee.ria.xroad.common.ErrorCodes.translateException; - -/** - * Request handler will handle all incoming requests... - */ -@Slf4j -public class SignerRequestProcessor extends UntypedAbstractActor { - - private static final String HANDLER_PACKAGE_NAME = - "ee.ria.xroad.signer.protocol.handler."; - private static final String HANDLER_CLASS_SUFFIX = "RequestHandler"; - - private static Map>> - handlerClassCache = new HashMap<>(); - - @Override - public void onReceive(Object message) { - if (message instanceof ConnectionPing) { - getSender().tell(new ConnectionPong(), getSelf()); - return; - } - if (log.isTraceEnabled()) { - log.trace("onReceive({}) from {}", message, sender()); - } - try { - handle(message); - } catch (Exception e) { - log.error("Error in request processor", e); - } - } - - private void handle(Object message) { - try { - // For handling the request, create a temporary actor, that will - // stop itself, after it has finished handling the message - Class> handlerClass = - getRequestHandler(message); - if (handlerClass != null) { - ActorRef handlerActor = - getContext().actorOf(Props.create(handlerClass)); - handlerActor.tell(message, getSender()); - } else { - throw new CodedException(X_INTERNAL_ERROR, "Unknown request"); - } - } catch (Exception e) { - log.error("Error in request processor", e); - if (getSender() != ActorRef.noSender()) { - CodedException translated = translateException(e).withPrefix(SIGNER_X); - 
getSender().tell(translated, getSelf()); - } - } - } - - @SuppressWarnings("unchecked") - private Class> getRequestHandler( - Object message) throws Exception { - String handlerName = message.getClass().getSimpleName() - + HANDLER_CLASS_SUFFIX; - String handlerClass = HANDLER_PACKAGE_NAME + handlerName; - - if (handlerClassCache.containsKey(handlerClass)) { - return handlerClassCache.get(handlerClass); - } - - log.trace("Looking for request processor '{}'", handlerClass); - try { - Class clazz = Class.forName(handlerClass); - - if (AbstractRequestHandler.class.isAssignableFrom(clazz)) { - Class> h = - (Class>) clazz; - handlerClassCache.put(handlerClass, h); - return h; - } else { - log.error("Invalid request handler '{}'; must be subclass" - + " of {}", clazz, AbstractRequestHandler.class); - return null; - } - } catch (Exception e) { - log.error("Error while getting request handler", e); - return null; - } - } -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java index 4e6e463d77..0c340dacb3 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java @@ -31,8 +31,6 @@ import static ee.ria.xroad.signer.protocol.ComponentNames.MODULE_MANAGER; import static ee.ria.xroad.signer.protocol.ComponentNames.OCSP_RESPONSE_MANAGER; -import static ee.ria.xroad.signer.protocol.ComponentNames.REQUEST_PROCESSOR; -import static ee.ria.xroad.signer.protocol.ComponentNames.TOKEN_SIGNER; import static ee.ria.xroad.signer.util.ExceptionHelper.tokenNotFound; /** 
@@ -43,15 +41,6 @@ public final class ServiceLocator { private ServiceLocator() { } - /** - * @param context the actor context - * @return the request processor actor - */ - public static ActorSelection getRequestProcessor( - ActorContext context) { - return context.actorSelection("/user/" + REQUEST_PROCESSOR); - } - /** * @param context the actor context * @return the OCSP response manager actor @@ -87,18 +76,6 @@ public static ActorSelection getToken(ActorSystem actorSystem, return actorSystem.actorSelection(path); } - /** - * @param context the actor context - * @param tokenId the token id - * @return the token signer actor - */ - public static ActorSelection getTokenSigner(ActorContext context, - String tokenId) { - String path = String.format("/user/%s/%s/%s/%s", MODULE_MANAGER, - getModuleId(tokenId), tokenId, TOKEN_SIGNER); - return context.actorSelection(path); - } - private static String getModuleId(String tokenId) { String moduleId = TokenManager.getModuleId(tokenId); if (moduleId == null) { From 432914f7f70f2deed7d5547b70c625b23acc26cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Fri, 25 Aug 2023 17:32:58 +0300 Subject: [PATCH 025/127] chore: add additional signer tests Refs: XRDDEV-2468 --- .../ria/xroad/signer/glue/SignerStepDefs.java | 51 +++++++++++++++++-- .../resources/behavior/0500-signer.feature | 20 ++++++-- .../src/intTest/resources/cert-01.pem | 33 ++++++++++++ .../xroad/signer/protocol/dto/KeyInfo.java | 8 ++- .../xroad/signer/protocol/TokensService.java | 8 +++ .../GetMemberSigningInfoReqHandler.java | 2 + 6 files changed, 110 insertions(+), 12 deletions(-) create mode 100644 src/signer-protocol/src/intTest/resources/cert-01.pem diff --git a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java index 511effe34b..e8f256f76c 100644 
--- a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java +++ b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java @@ -47,17 +47,20 @@ import io.cucumber.java.BeforeAll; import io.cucumber.java.en.And; import io.cucumber.java.en.Given; +import io.cucumber.java.en.Step; import io.cucumber.java.en.Then; import io.cucumber.java.en.When; import lombok.RequiredArgsConstructor; import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; +import org.apache.commons.io.IOUtils; import org.bouncycastle.util.encoders.Base64; import org.junit.jupiter.api.Assertions; import org.niis.xroad.signer.proto.CertificateRequestFormat; import org.springframework.beans.factory.annotation.Autowired; import java.io.BufferedReader; +import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; @@ -84,6 +87,7 @@ import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.fail; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; @Slf4j public class SignerStepDefs { @@ -97,6 +101,7 @@ public class SignerStepDefs { private String csrId; private String certHash; private CertificateInfo certInfo; + private byte[] cert; @BeforeAll public static void setup() throws Exception { @@ -144,7 +149,9 @@ public void assertTokenStatus(String tokenId, String status) throws Exception { @Given("tokens list contains token {string}") public void tokensListContainsToken(String tokenId) throws Exception { - final TokenInfo tokenInfo = SignerProxy.getTokens().stream() + var tokens = SignerProxy.getTokens(); + testReportService.attachText("Tokens", Arrays.toString(tokens.toArray())); + final TokenInfo tokenInfo = tokens.stream() .filter(token -> token.getId().equals(tokenId)) .findFirst() .orElseThrow(); 
@@ -217,19 +224,44 @@ public void keyIsDeletedFromToken(String keyName, String tokenId) throws Excepti } private KeyInfo findKeyInToken(String tokenId, String keyName) throws Exception { - return SignerProxy.getToken(tokenId).getKeyInfo().stream() + var foundKeyInfo = SignerProxy.getToken(tokenId).getKeyInfo().stream() .filter(keyInfo -> keyInfo.getFriendlyName().equals(keyName)) .findFirst() .orElseThrow(); + testReportService.attachText("Key [" + keyName + "]", foundKeyInfo.toString()); + return foundKeyInfo; + } + + @Step("Certificate is imported for client {string}") + public void certificateIsImported(String client) throws Exception { + keyId = SignerProxy.importCert(cert, CertificateInfo.STATUS_REGISTERED, getClientId(client)); + } + + @Step("Wrong Certificate is not imported for client {string}") + public void certImportFails(String client) throws Exception { + byte[] certBytes = fileToBytes("src/intTest/resources/cert-01.pem"); + try { + SignerProxy.importCert(certBytes, CertificateInfo.STATUS_REGISTERED, getClientId(client)); + } catch (CodedException codedException) { + assertException("Signer.KeyNotFound", "key_not_found_for_certificate", + "Signer.KeyNotFound: Could not find key that has public key that matches the public key of certificate", codedException); + } + } + + + private byte[] fileToBytes(String fileName) throws Exception { + try (FileInputStream in = new FileInputStream(fileName)) { + return IOUtils.toByteArray(in); + } } @Given("self signed cert generated for token {string} key {string}, client {string}") public void selfSignedCertGeneratedForTokenKeyForClient(String tokenId, String keyName, String client) throws Exception { final KeyInfo keyInToken = findKeyInToken(tokenId, keyName); - final byte[] certBytes = SignerProxy.generateSelfSignedCert(keyInToken.getId(), getClientId(client), KeyUsageInfo.SIGNING, + cert = SignerProxy.generateSelfSignedCert(keyInToken.getId(), getClientId(client), KeyUsageInfo.SIGNING, "CN=" + client, 
Date.from(now().minus(5, DAYS)), Date.from(now().plus(5, DAYS))); - this.certHash = CryptoUtils.calculateCertHexHash(certBytes); + this.certHash = CryptoUtils.calculateCertHexHash(cert); } private ClientId.Conf getClientId(String client) { @@ -453,6 +485,17 @@ public void notExistingCertActivateFail() throws Exception { } } + @Step("Member signing info for client {string} is retrieved") + public void getMemberSigningInfo(String client) throws Exception { + var memberInfo = SignerProxy.getMemberSigningInfo(getClientId(client)); + testReportService.attachText("MemberSigningInfo", memberInfo.toString()); + } + + @And("HSM is not operational") + public void hsmIsNotOperational() throws Exception { + assertFalse(SignerProxy.isHSMOperational()); + } + private void assertException(String faultCode, String translationCode, String message, CodedException codedException) { assertEquals(faultCode, codedException.getFaultCode()); assertEquals(translationCode, codedException.getTranslationCode()); diff --git a/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature b/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature index 7300533c02..a65d6b3495 100644 --- a/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature +++ b/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature 
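Review bot: `certImportFails` passes silently when the signer accepts the wrong certificate, because nothing in the `try` block fails the step if `SignerProxy.importCert` returns normally; the fault-code check runs only inside the `catch`. This step is the negative test for importing a certificate whose public key matches no key on the token, so a regression that starts accepting such a certificate would go unnoticed. Add `fail("importCert accepted a certificate with no matching key");` directly after the `importCert` call. The file already statically imports AssertJ's `fail`, and the resulting `AssertionError` is not swallowed by `catch (CodedException ...)`. Separately, `fileToBytes("src/intTest/resources/cert-01.pem")` resolves against the working directory, so loading the fixture from the classpath would make the step independent of where the tests are launched.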
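Review bot: `getMemberSigningInfo` asserts nothing about the value it retrieves; it only attaches `memberInfo.toString()` to the report, so the "Member test" scenario passes for any non-null response. Add at least `assertThat(memberInfo).isNotNull();` before the attachment. Ideally also assert that the returned key and certificate belong to the requested client, though the accessors for that are not visible in this hunk. A short comment on the step saying which signer state it expects (an active signing certificate for the member, presumably) would also help, since the scenario depends on steps run earlier in the feature.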
@@ -55,6 +55,23 @@ Feature: 0500 - Signer When cert request is generated for token "0" key "Second key" for client "cs:test:member-2" And cert request is regenerated + Scenario: Certificate can be (re)imported + Given tokens list contains token "0" + When Wrong Certificate is not imported for client "cs:test:member-1" + And self signed cert generated for token "0" key "First key", client "cs:test:member-1" + And certificate info can be retrieved by cert hash + When certificate can be deleted + Then token "0" key "First key" has 0 certificates + When Certificate is imported for client "cs:test:member-1" + Then token "0" key "First key" has 1 certificates + + Scenario: Member test + Given tokens list contains token "0" + * Member signing info for client "cs:test:member-1" is retrieved + + Scenario: HSM status is not operational + * HSM is not operational + Scenario: Self signed certificate Given token "0" key "First key" has 0 certificates When self signed cert generated for token "0" key "First key", client "cs:test:member-1" @@ -86,10 +103,7 @@ Feature: 0500 - Signer * Getting key by not existing cert hash fails * Not existing certificate can not be activated - - # not covered SignerProxy methods: -# String importCert(byte[] certBytes, String initialStatus, ClientId.Conf clientId) #partly in GenerateSelfSignedCert # AuthKeyInfo getAuthKey(SecurityServerId serverId) #requires valid ocsp response # void setOcspResponses(String[] certHashes, String[] base64EncodedResponses) #requires valid ocsp responses # String[] getOcspResponses(String[] certHashes) #requires valid ocsp responses diff --git a/src/signer-protocol/src/intTest/resources/cert-01.pem b/src/signer-protocol/src/intTest/resources/cert-01.pem new file mode 100644 index 0000000000..2820194df1 --- /dev/null +++ b/src/signer-protocol/src/intTest/resources/cert-01.pem 
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFqjCCA5KgAwIBAgIBATANBgkqhkiG9w0BAQsFADBbMQswCQYDVQQGEwJGSTEU +MBIGA1UECgwLWC1Sb2FkIFRlc3QxGjAYBgNVBAsMEVgtUm9hZCBUZXN0IENBIE9V +MRowGAYDVQQDDBFYLVJvYWQgVGVzdCBDQSBDTjAeFw0yMTAzMTAwNzM1NTdaFw00 +MTAzMDUwNzM1NTdaMF8xCzAJBgNVBAYTAkZJMRQwEgYDVQQKDAtYLVJvYWQgVGVz +dDEcMBoGA1UECwwTWC1Sb2FkIFRlc3QgT0NTUCBPVTEcMBoGA1UEAwwTWC1Sb2Fk +IFRlc3QgT0NTUCBDTjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANXy +MQ3LgRPe6DGIUTOTjofOi6ir7GvUpD4CN4Xv5Ahari1npD4eGVqHfH4Kor6D2m0t +dzkzOaizqpG2o+U2wFowZCEcWpjOH97ZgV87QkdT/5sv1R0mQ9BtaPPYQlgyJuRt +P3VVoj9BeMcwzPIkPvNqvX+ro7cgNz3JvUbwuyn8JU0oP1LBgGmy8aFLblSD22Vi +n0LqFFYfPzUlFCRDwUVJwoF2NFwsWSbxi5cmWBPPHDhcX8dQTSEDWOzC0jtg8ers +AGFvTUslhkGtuixZAtAQJXc49SHOIjllYlS+D9h1bfo/5wakrcNIdaVGER7Yq0I6 +yfvpI6oTOBmjicepAcyNCQOf0/8ghh04sBAJGwTkY75b89gHCHnXlEWpHhiyqbli +n5M18MJxEDfz/G9LG9a0qcDST4WKs6ijCItmJzkJuaYpEAIvHXBKC3NlkPvkjp/k +W260iTRhWKeQjczvDqZ7atN3wu0jA/auouTitGuOfo3vOXc1frlpzTcw/jadHTch +OjsufK7beuWr0CAcMzKy8AA9wrlYSy0qmzLxPybqoBGt3ljU8MnJapmqojd/ECMK +rIamprm/xzEeaijVbPdEzGgD9DKtL0PbGqBcRQjUL72LCtY9H1pwVtgDRqW/eyod +z7IrQZRq760c8HVgtS/uSjjslwif2mHZiBdTSUPTAgMBAAGjdTBzMAkGA1UdEwQC +MAAwHQYDVR0OBBYEFCgPXe/DXrBZTbe1hYo+rPKATzLsMB8GA1UdIwQYMBaAFM51 +u32TzwxNT6vzD/4qyBUgKlCcMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAK +BggrBgEFBQcDCTANBgkqhkiG9w0BAQsFAAOCAgEAWPcf+ObBEyZofQQZYHU673qz +aooWohCa/IQ7ZXiQmt+s0YpUXZepYw9UXrv1nPRLzpTy7788bzUvl6vVvnGTCOom +LPYSZ5Qwm0VoAXMeyluIkNKKKemeF5e5Mbr7tmGGGaN/HKKQNa6qXEQndbdhjhoD +6mxJKMDAgj1hi+slm0/QaKkd2qqjmc+w38RNv0wi+9Zamkl0LZ743/KeH6CtVJEU +ARxYT+Q1i81adFICYqoDlmDSPpzq7VUir1lZejC3qTnJAVMgGCHw28vp4ROvOkZ9 +5lEFRTOpR7+a/iVetkOcenIWiGJGybUYZ9sAUwl4+GTcDT5aF9UJECnkfHpG4XYs +/0Fn9wnqqw+zVNB/JocFdYxjPTe4YpjG9vKaQniK6ZjleLTQwom8SuQAAXarffIX +3FNq0qc35T9fmrOzX+E7heFaC4Xg/HT7Lhz4XvQeXx00d/Ej72BS2ffAumeY0yqA +OtAHnhq7u7ahhZ6B/VCsM95slKiqi72SQGqF/iy1ndRAzk/8xkJWnlvqbMfeNFOn +bCJ7U1jxoxEmoBi31Cx1UQvdLvaAjz6MRo1kS/sJwVXpR3x7ooJjTGt4+/4gL4Ix 
+KqObE3sbjYnmA9i9iKCwrOWxPhavASyDVwr6XKz3MRffTHVk5uQSlmtIUSJsEPiV +/LIzwcKPZX1eWoLpI08= +-----END CERTIFICATE----- diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java index b3e1bc32e2..a00aad52aa 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java @@ -25,16 +25,14 @@ */ package ee.ria.xroad.signer.protocol.dto; -import lombok.RequiredArgsConstructor; +import lombok.Value; import java.io.Serializable; import java.util.List; import java.util.stream.Collectors; -/** - * Tiny container class to help handle the key list - */ -@RequiredArgsConstructor + +@Value public final class KeyInfo implements Serializable { private final KeyInfoProto message; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java index 7a2f43c452..af361698d3 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TokensService.java @@ -29,6 +29,7 @@ import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; import ee.ria.xroad.signer.protocol.handler.ActivateTokenReqHandler; import ee.ria.xroad.signer.protocol.handler.GetHSMOperationalInfoReqHandler; +import ee.ria.xroad.signer.protocol.handler.GetMemberSigningInfoReqHandler; import ee.ria.xroad.signer.protocol.handler.GetTokenBatchSigningEnabledReqHandler; import ee.ria.xroad.signer.protocol.handler.GetTokenInfoAndKeyIdForCertHashReqHandler; import ee.ria.xroad.signer.protocol.handler.GetTokenInfoAndKeyIdForCertRequestIdReqHandler; 
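Review bot: In `KeyInfo.java` the class Javadoc is removed and nothing replaces it, while the switch from `@RequiredArgsConstructor` to `@Value` changes the class contract. Lombok now generates `equals`, `hashCode`, `toString` and a `getMessage()` accessor over the wrapped `KeyInfoProto`. Please keep a class comment that says so, for example `/** Immutable wrapper around a {@link KeyInfoProto} message; equality and toString delegate to the wrapped message. */`. The generated `toString` prints the whole proto, and the new test steps attach it to reports, so it is worth confirming that no field of the message should stay out of logs. With `@Value` the explicit `final` on the class and `private final` on the field are redundant. The rest of the class body lies outside this hunk.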
@@ -43,6 +44,8 @@ import lombok.RequiredArgsConstructor; import org.niis.xroad.signer.proto.ActivateTokenReq; import org.niis.xroad.signer.proto.GetHSMOperationalInfoResp; +import org.niis.xroad.signer.proto.GetMemberSigningInfoReq; +import org.niis.xroad.signer.proto.GetMemberSigningInfoResp; import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledReq; import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledResp; import org.niis.xroad.signer.proto.GetTokenByCertHashReq; @@ -72,6 +75,7 @@ public class TokensService extends TokenServiceGrpc.TokenServiceImplBase { private final GetTokenInfoAndKeyIdForCertHashReqHandler getTokenInfoAndKeyIdForCertHashReqHandler; private final GetTokenInfoAndKeyIdForCertRequestIdReqHandler getTokenInfoAndKeyIdForCertRequestIdReqHandler; private final GetHSMOperationalInfoReqHandler getHSMOperationalInfoReqHandler; + private final GetMemberSigningInfoReqHandler getMemberSigningInfoReqHandler; private final SetTokenFriendlyNameReqHandler setTokenFriendlyNameReqHandler; private final ListTokensReqHandler listTokensReqHandler; @@ -132,4 +136,8 @@ public void updateSoftwareTokenPin(UpdateSoftwareTokenPinReq request, StreamObse updateSoftwareTokenPinReqHandler.processSingle(request, responseObserver); } + @Override + public void getMemberSigningInfo(GetMemberSigningInfoReq request, StreamObserver responseObserver) { + getMemberSigningInfoReqHandler.processSingle(request, responseObserver); + } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoReqHandler.java index 0ec90d5e0b..85aea0d72e 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoReqHandler.java 
@@ -42,6 +42,7 @@ import org.bouncycastle.cert.ocsp.OCSPResp; import org.niis.xroad.signer.proto.GetMemberSigningInfoReq; import org.niis.xroad.signer.proto.GetMemberSigningInfoResp; +import org.springframework.stereotype.Component; import java.security.cert.X509Certificate; import java.util.List; @@ -55,6 +56,7 @@ * Handles requests for member signing info. */ @Slf4j +@Component public class GetMemberSigningInfoReqHandler extends AbstractRpcHandler { @Data From 9cc1542d0c59a3fce2b9be169d23c9f86beb714b Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Mon, 28 Aug 2023 10:33:54 +0300 Subject: [PATCH 026/127] chore: using token worker without akka Refs: XRDDEV-2461 --- .../token/HardwareTokenWorker.java | 4 +- .../signer/protocol/message/GenerateKey.java | 42 ------------------- .../handler/GenerateKeyReqHandler.java | 6 +-- .../token/AbstractTokenWorker.java | 13 +++--- .../token/SoftwareTokenWorker.java | 4 +- 5 files changed, 11 insertions(+), 58 deletions(-) delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateKey.java diff --git a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java index 226fb79064..d1e7f7f603 100644 --- a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java +++ b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java @@ -32,7 +32,6 @@ import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.protocol.dto.TokenStatusInfo; -import ee.ria.xroad.signer.protocol.message.GenerateKey; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.tokenmanager.module.ModuleConf; import ee.ria.xroad.signer.util.SignerUtil; 
@@ -55,6 +54,7 @@ import org.bouncycastle.operator.ContentSigner; import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder; import org.niis.xroad.signer.proto.ActivateTokenReq; +import org.niis.xroad.signer.proto.GenerateKeyReq; import javax.xml.bind.DatatypeConverter; @@ -280,7 +280,7 @@ protected void activateToken(ActivateTokenReq message) throws Exception { } @Override - protected GenerateKeyResult generateKey(GenerateKey message) throws Exception { + protected GenerateKeyResult generateKey(GenerateKeyReq message) throws Exception { log.trace("generateKeys()"); assertTokenWritable(); diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateKey.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateKey.java deleted file mode 100644 index dde440c227..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateKey.java +++ /dev/null 
@@ -1,42 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -@Deprecated -public class GenerateKey implements Serializable { - - private final String tokenId; - private final String keyLabel; - -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateKeyReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateKeyReqHandler.java index bb7ade7003..51b5c44a6e 100644 
--- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateKeyReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateKeyReqHandler.java @@ -28,7 +28,6 @@ import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfoProto; -import ee.ria.xroad.signer.protocol.message.GenerateKey; import org.niis.xroad.signer.proto.GenerateKeyReq; import org.springframework.stereotype.Component; 
@@ -41,10 +40,7 @@ public class GenerateKeyReqHandler extends AbstractRpcHandler Date: Mon, 28 Aug 2023 10:53:54 +0300 Subject: [PATCH 027/127] chore: deleting unused classes Refs: XRDDEV-2461 --- .../protocol/message/ConnectionPing.java | 35 ------------ .../protocol/message/ConnectionPong.java | 35 ------------ .../protocol/message/DeleteCertRequest.java | 41 -------------- .../protocol/message/GenerateCertRequest.java | 52 ------------------ .../message/GenerateCertRequestResponse.java | 45 ---------------- .../message/GenerateSelfSignedCert.java | 54 ------------------- .../GenerateSelfSignedCertResponse.java | 43 --------------- .../signer/protocol/message/GetAuthKey.java | 41 -------------- .../message/GetMemberSigningInfo.java | 42 --------------- .../signer/protocol/message/ImportCert.java | 47 ---------------- .../protocol/message/ImportCertResponse.java | 41 -------------- .../message/RegenerateCertRequest.java | 43 --------------- .../RegenerateCertRequestResponse.java | 52 ------------------ 13 files changed, 571 deletions(-) delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ConnectionPing.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ConnectionPong.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteCertRequest.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequest.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequestResponse.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateSelfSignedCert.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateSelfSignedCertResponse.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetAuthKey.java delete mode 100644 
src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetMemberSigningInfo.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ImportCert.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ImportCertResponse.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/RegenerateCertRequest.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/RegenerateCertRequestResponse.java diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ConnectionPing.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ConnectionPing.java deleted file mode 100644 index 92d2ac4080..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ConnectionPing.java +++ /dev/null 
@@ -1,35 +0,0 @@
-/**
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.protocol.message;
-
-import java.io.Serializable;
-
-/**
- * Internal Signer message.
- */
-public class ConnectionPing implements Serializable {
-
-}
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ConnectionPong.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ConnectionPong.java
deleted file mode 100644
index f86d2d1302..0000000000
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ConnectionPong.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/**
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.protocol.message;
-
-import java.io.Serializable;
-
-/**
- * Internal Signer message.
- */
-public class ConnectionPong implements Serializable {
-
-}
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteCertRequest.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteCertRequest.java
deleted file mode 100644
index 5bcf8b35ae..0000000000
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/DeleteCertRequest.java
+++ /dev/null
@@ -1,41 +0,0 @@
-/**
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.protocol.message;
-
-import lombok.Value;
-
-import java.io.Serializable;
-
-/**
- * Signer API message.
- */
-@Value
-@Deprecated
-public class DeleteCertRequest implements Serializable {
-
- private final String certRequestId;
-
-}
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequest.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequest.java deleted file mode 100644 index 5ba7b57a51..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequest.java +++ /dev/null 
@@ -1,52 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import ee.ria.xroad.common.identifier.ClientId; -import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; - -import lombok.Value; -import org.niis.xroad.signer.proto.CertificateRequestFormat; - -import java.io.Serializable; - -/** - * Signer API message. 
- */ -@Value -@Deprecated -public class GenerateCertRequest implements Serializable { - - private final String keyId; - - private final ClientId.Conf memberId; - - private final KeyUsageInfo keyUsage; - - private final String subjectName; - - private final CertificateRequestFormat format; -} diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequestResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequestResponse.java deleted file mode 100644 index c8cf21b974..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateCertRequestResponse.java +++ /dev/null 
@@ -1,45 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.Value; -import org.niis.xroad.signer.proto.CertificateRequestFormat; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -@Deprecated -public class GenerateCertRequestResponse implements Serializable { - - private final String certReqId; - - private final byte[] certRequest; - - private CertificateRequestFormat format; -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateSelfSignedCert.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateSelfSignedCert.java deleted file mode 100644 index c01ded9974..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateSelfSignedCert.java +++ /dev/null 
@@ -1,54 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import ee.ria.xroad.common.identifier.ClientId; -import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; - -import lombok.Value; - -import java.io.Serializable; -import java.util.Date; - -/** - * Signer API message. 
- */ -@Value -@Deprecated -public class GenerateSelfSignedCert implements Serializable { - - private final String keyId; - - private final String commonName; - - private final Date notBefore; - - private final Date notAfter; - - private final KeyUsageInfo keyUsage; - - private final ClientId.Conf memberId; -} diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateSelfSignedCertResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateSelfSignedCertResponse.java deleted file mode 100644 index 81004efed2..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GenerateSelfSignedCertResponse.java +++ /dev/null 
@@ -1,43 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.ToString; -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -@Deprecated -@ToString(exclude = "certificateBytes") -public class GenerateSelfSignedCertResponse implements Serializable { - - private final byte[] certificateBytes; - -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetAuthKey.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetAuthKey.java
deleted file mode 100644
index 6e26a23473..0000000000
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetAuthKey.java
+++ /dev/null
@@ -1,41 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import ee.ria.xroad.common.identifier.SecurityServerId; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -public class GetAuthKey implements Serializable { - - private final SecurityServerId securityServer; -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetMemberSigningInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetMemberSigningInfo.java
deleted file mode 100644
index 6869b461b2..0000000000
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetMemberSigningInfo.java
+++ /dev/null
@@ -1,42 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import ee.ria.xroad.common.identifier.ClientId; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -@Deprecated -public class GetMemberSigningInfo implements Serializable { - - private final ClientId memberId; -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ImportCert.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ImportCert.java
deleted file mode 100644
index eab3e1bafd..0000000000
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ImportCert.java
+++ /dev/null
@@ -1,47 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import ee.ria.xroad.common.identifier.ClientId; - -import lombok.ToString; -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -@Deprecated -@ToString(exclude = "certData") -public class ImportCert implements Serializable { - - private final byte[] certData; - private final String initialStatus; - private final ClientId.Conf memberId; - -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ImportCertResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ImportCertResponse.java
deleted file mode 100644
index 7f08dbfb28..0000000000
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/ImportCertResponse.java
+++ /dev/null
@@ -1,41 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -@Deprecated -public class ImportCertResponse implements Serializable { - - private final String keyId; - -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/RegenerateCertRequest.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/RegenerateCertRequest.java
deleted file mode 100644
index 5a8a66a0f5..0000000000
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/RegenerateCertRequest.java
+++ /dev/null
@@ -1,43 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.Value; -import org.niis.xroad.signer.proto.CertificateRequestFormat; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -public class RegenerateCertRequest implements Serializable { - - private final String certRequestId; - - private final CertificateRequestFormat format; - -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/RegenerateCertRequestResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/RegenerateCertRequestResponse.java
deleted file mode 100644
index a32b735b12..0000000000
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/RegenerateCertRequestResponse.java
+++ /dev/null
@@ -1,52 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import ee.ria.xroad.common.identifier.ClientId; -import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; - -import lombok.Value; -import org.niis.xroad.signer.proto.CertificateRequestFormat; - -import java.io.Serializable; - -/** - * Signer API message. 
- */ -@Value -public class RegenerateCertRequestResponse implements Serializable { - - private final String certReqId; - - private final byte[] certRequest; - - private CertificateRequestFormat format; - - private final ClientId memberId; - - private final KeyUsageInfo keyUsage; - -} From b50a8543ab6ac3fb31b4198be273393e164f1b18 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Mon, 28 Aug 2023 15:30:44 +0300 Subject: [PATCH 028/127] test: additional signer tests Refs: XRDDEV-2461 --- src/signer-protocol/build.gradle | 1 + .../ria/xroad/signer/glue/SignerStepDefs.java | 17 +++++++++++++++++ .../resources/behavior/0500-signer.feature | 4 ++++ 3 files changed, 22 insertions(+) diff --git a/src/signer-protocol/build.gradle b/src/signer-protocol/build.gradle index dc0ed4c5b8..e9fd425af8 100644 --- a/src/signer-protocol/build.gradle +++ b/src/signer-protocol/build.gradle @@ -20,6 +20,7 @@ dependencies { intTestRuntimeOnly project(':signer') intTestRuntimeOnly project(':common:common-util') + intTestImplementation project(":common:common-test") intTestImplementation("com.nortal.test:test-automation-core:$testAutomationFrameworkVersion") intTestImplementation("com.nortal.test:test-automation-allure:$testAutomationFrameworkVersion") intTestImplementation "org.assertj:assertj-core:$assertjVersion" diff --git a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java index e8f256f76c..b3949ba624 100644 --- a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java +++ b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java 
@@ -28,6 +28,8 @@ package ee.ria.xroad.signer.glue; import ee.ria.xroad.common.CodedException; +import ee.ria.xroad.common.OcspTestUtils; +import ee.ria.xroad.common.TestCertUtil; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.util.CryptoUtils; import ee.ria.xroad.signer.SignerProxy; @@ -54,6 +56,8 @@ import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; import org.apache.commons.io.IOUtils; +import org.bouncycastle.cert.ocsp.CertificateStatus; +import org.bouncycastle.cert.ocsp.OCSPResp; import org.bouncycastle.util.encoders.Base64; import org.junit.jupiter.api.Assertions; import org.niis.xroad.signer.proto.CertificateRequestFormat; @@ -67,6 +71,7 @@ import java.net.ServerSocket; import java.security.KeyFactory; import java.security.PublicKey; +import java.security.cert.X509Certificate; import java.security.spec.X509EncodedKeySpec; import java.util.Arrays; import java.util.Date; @@ -78,6 +83,7 @@ import static ee.ria.xroad.common.SystemProperties.SIGNER_PORT; import static ee.ria.xroad.common.util.CryptoUtils.SHA256WITHRSA_ID; import static ee.ria.xroad.common.util.CryptoUtils.SHA256_ID; +import static ee.ria.xroad.common.util.CryptoUtils.calculateCertHexHash; import static ee.ria.xroad.common.util.CryptoUtils.calculateDigest; import static java.nio.charset.StandardCharsets.UTF_8; import static java.time.Instant.now; @@ -516,6 +522,7 @@ private static void startSigner(int port) throws InterruptedException { ProcessBuilder pb = new ProcessBuilder("java", "-Dxroad.signer.port=" + port, "-Dlogback.configurationFile=build/resources/intTest/signer-logback.xml", + "-Dxroad.signer.ocsp-cache-path=build/tmp", "-Dxroad.signer.key-configuration-file=" + "build/resources/intTest/keyconf.xml", "-Dxroad.signer.device-configuration-file=" 
@@ -561,6 +568,16 @@ private static Map getTransportProperties() { return transportKeystore; } + @When("ocsp responses are set") + public void ocspResponsesAreSet() throws Exception { + X509Certificate subject = TestCertUtil.getConsumer().certChain[0]; + final OCSPResp ocspResponse = OcspTestUtils.createOCSPResponse(subject, TestCertUtil.getCaCert(), TestCertUtil.getOcspSigner().certChain[0], + TestCertUtil.getOcspSigner().key, CertificateStatus.GOOD); + + SignerProxy.setOcspResponses(new String[]{calculateCertHexHash(subject)}, + new String[]{Base64.toBase64String(ocspResponse.getEncoded())}); + } + @RequiredArgsConstructor static class StreamGobbler extends Thread { private final InputStream is; diff --git a/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature b/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature index a65d6b3495..6613367687 100644 --- a/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature +++ b/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature @@ -103,6 +103,10 @@ Feature: 0500 - Signer * Getting key by not existing cert hash fails * Not existing certificate can not be activated + Scenario: Ocsp responses + When ocsp responses are set + + # not covered SignerProxy methods: # AuthKeyInfo getAuthKey(SecurityServerId serverId) #requires valid ocsp response # void setOcspResponses(String[] certHashes, String[] base64EncodedResponses) #requires valid ocsp responses From e5e6ffaba35d6cc93d93cad09628cffe2314436d Mon Sep 17 00:00:00 2001 
From: Justas Samuolis Date: Mon, 28 Aug 2023 17:39:07 +0300 Subject: [PATCH 029/127] test: additional signer tests Refs: XRDDEV-2461 --- .../ria/xroad/signer/glue/SignerStepDefs.java | 18 ++- .../resources/behavior/0500-signer.feature | 2 + .../globalconf/cs/private-params.xml | 15 +++ .../globalconf/cs/private-params.xml.metadata | 1 + .../resources/globalconf/cs/shared-params.xml | 106 ++++++++++++++++++ .../globalconf/cs/shared-params.xml.metadata | 1 + .../resources/globalconf/instance-identifier | 1 + 7 files changed, 139 insertions(+), 5 deletions(-) create mode 100644 src/signer-protocol/src/intTest/resources/globalconf/cs/private-params.xml create mode 100644 src/signer-protocol/src/intTest/resources/globalconf/cs/private-params.xml.metadata create mode 100644 src/signer-protocol/src/intTest/resources/globalconf/cs/shared-params.xml create mode 100644 src/signer-protocol/src/intTest/resources/globalconf/cs/shared-params.xml.metadata create mode 100644 src/signer-protocol/src/intTest/resources/globalconf/instance-identifier diff --git a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java index b3949ba624..a23c9e3522 100644 --- a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java +++ b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java 
@@ -520,13 +520,12 @@ private static void startSigner(int port) throws InterruptedException { Thread t = new Thread(() -> { try { ProcessBuilder pb = new ProcessBuilder("java", - "-Dxroad.signer.port=" + port, "-Dlogback.configurationFile=build/resources/intTest/signer-logback.xml", + "-Dxroad.common.configuration-path=build/resources/intTest/globalconf", + "-Dxroad.signer.port=" + port, "-Dxroad.signer.ocsp-cache-path=build/tmp", - "-Dxroad.signer.key-configuration-file=" - + "build/resources/intTest/keyconf.xml", - "-Dxroad.signer.device-configuration-file=" - + "build/resources/intTest/devices.ini", + "-Dxroad.signer.key-configuration-file=build/resources/intTest/keyconf.xml", + "-Dxroad.signer.device-configuration-file=build/resources/intTest/devices.ini", "-Dxroad.grpc.internal.keystore=build/resources/intTest/transport-keystore/grpc-internal-keystore.jks", "-Dxroad.grpc.internal.keystore-password=111111", "-Dxroad.grpc.internal.truststore=build/resources/intTest/transport-keystore/grpc-internal-keystore.jks", @@ -578,6 +577,15 @@ public void ocspResponsesAreSet() throws Exception { new String[]{Base64.toBase64String(ocspResponse.getEncoded())}); } + @Then("ocsp responses can be retrieved") + public void ocspResponsesCanBeRetrieved() throws Exception { + X509Certificate subject = TestCertUtil.getConsumer().certChain[0]; + final String certHash = calculateCertHexHash(subject); + + final String[] ocspResponses = SignerProxy.getOcspResponses(new String[]{certHash}); + assertThat(ocspResponses).isNotEmpty(); + } + @RequiredArgsConstructor static class StreamGobbler extends Thread { private final InputStream is; diff --git a/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature b/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature index 6613367687..ac34c1e84a 100644 --- a/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature +++ b/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature 
@@ -105,6 +105,8 @@ Feature: 0500 - Signer Scenario: Ocsp responses When ocsp responses are set + Then ocsp responses can be retrieved + # not covered SignerProxy methods: diff --git a/src/signer-protocol/src/intTest/resources/globalconf/cs/private-params.xml b/src/signer-protocol/src/intTest/resources/globalconf/cs/private-params.xml new file mode 100644 index 0000000000..3d409f1133 --- /dev/null +++ b/src/signer-protocol/src/intTest/resources/globalconf/cs/private-params.xml @@ -0,0 +1,15 @@ + + + cs + + https://cs:4001/managementservice/ + 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 + + CS + ORG + 2908758-4 + Management + + + 60 + diff --git a/src/signer-protocol/src/intTest/resources/globalconf/cs/private-params.xml.metadata b/src/signer-protocol/src/intTest/resources/globalconf/cs/private-params.xml.metadata new file mode 100644 index 0000000000..e4102000b5 --- /dev/null +++ b/src/signer-protocol/src/intTest/resources/globalconf/cs/private-params.xml.metadata @@ -0,0 +1 @@ +{"contentIdentifier":"PRIVATE-PARAMETERS","instanceIdentifier":"cs","expirationDate":"2124-05-20T17:42:55Z"} diff --git a/src/signer-protocol/src/intTest/resources/globalconf/cs/shared-params.xml b/src/signer-protocol/src/intTest/resources/globalconf/cs/shared-params.xml new file mode 100644 index 0000000000..2d9967ce7c --- /dev/null +++ b/src/signer-protocol/src/intTest/resources/globalconf/cs/shared-params.xml 
@@ -0,0 +1,106 @@ + + + CS + + X-Road Test CA CN + + 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 + + http://cs:8888 + 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 + + + ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider + + + X-Road Test TSA CN + http://cs:8899 + MIIFXTCCA0WgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBbMQswCQYDVQQGEwJGSTEUMBIGA1UECgwLWC1Sb2FkIFRlc3QxGjAYBgNVBAsMEVgtUm9hZCBUZXN0IENBIE9VMRowGAYDVQQDDBFYLVJvYWQgVGVzdCBDQSBDTjAeFw0yMTAzMTAwNzM1NTdaFw00MTAzMDUwNzM1NTdaMF0xCzAJBgNVBAYTAkZJMRQwEgYDVQQKDAtYLVJvYWQgVGVzdDEbMBkGA1UECwwSWC1Sb2FkIFRlc3QgVFNBIE9VMRswGQYDVQQDDBJYLVJvYWQgVGVzdCBUU0EgQ04wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC/9WmHOot4PgLCtjwMP2jRNs1N0ZdwdajqA7S1nK9YKhTHwipGK+odCZ3OO1YKLHa4DEsPk9tkHCULcDObeb2HKJg/tjHdj2CVFfTqsLTgJuubR6T5wsfYfK7SuHP9708NPQtMQm8HkGoP7RlcQ0eQQ1j0gW8Vz8oY5qWWaEhQyQD0ZLmsUATn3NmCvwTshQacdwgV5JPnJJIetk893N3vJdyWaCO64FQxF35SHLwADXwDKVy9h+qiabx5dO3jHsJV87kr/37Jxsw/r2hxAppKXfUcuftY0RaMJAkvmL5K8UuVvI0cZw6NgCivMxe2XPdS3B2O9cb2HQ7Q3DodTgLDoFMYuQVU2VsFEBw0m7AOH5LXSehNWBDD0XzYntMYg/L4J83jIxEnEPjwdl2tKwOQWxnAqpCyNabiqVt+kS5SOOj3GCeavJGgAp8TN825JMT8bXPievuZEAVu/aR0TJ2dOoC6mwm9hgwY6eLzoElxiDqOBnMsFPOuJkSn6ShIA8FSefzEYg4OnN74f+tqE3lemsf+KBZeJfy5p1vR5UaeOqW8FBIwrLi1ufBnT1AhMmQfgwppZCPV0OCMXMI6XRp6S4C4go8aQpXWMenLiiVW9oTawQd8bPbv87ZEMplghvMpTju2YVogha4btQNcvJjN9RYrZcyHEHXIEgleGx6gwQIDAQABoyowKDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDAOBgNVHQ8BAf8EBAMCBkAwDQYJKoZIhvcNAQELBQADggIBAAWbwH+dA2G0B0zAgkB8DsFwYvqz8NGckU/I1M5jrw5Ln6JgedCFStcQLWfDUQA9fHIOCt3tKOyXWYI1pSWAE6IG0a6IhtoxgHEKD+/lFal3p2ikyt46IDW3hab5DVrnYT/hrEptxygE901U/D8EshN4HJL3G1XC1uMAjFr1YjPMrkIvffG2Z9Nv3QEJ1MdS/N3Mfv9LHNojQZYc72JwocDzf8SwUNbBNQEQEPd/RZg1dEoVwApBmQAOEbBVCVyfcVV9fOR0m7s/dHxb5y1AHfLOZDAf8lpkzhNUQc1Xth7ihICzJH5jnzW3EYuTOTM3LXCPRWtsYW3F0M3cJQEthjU4hHDoGp/8xOlU2TJuuD5rhvpqS+IFDnaAlSd7cPXYHej58ivya5l9VlCazo5TaI/Q0lwkKL6HJuQJbNVkbookTxV554IPX3Q6Tg35tI3rdc6mqztKfTb8HUtoBy5WM2fKQGHu+0oXoNynpPOFgD+2O86lEemZPdoC1vytmybKZ0iDYBercxl70HFXLCAFZB0j
B5UWOopoh1NMzdYpQjCPQJ9rhuTxBLxwuLbabWNbLRwv0mvC1kFbRQEOu8hiQTo6ao3oY9s0qnSfXLHDc3Rc0OXgU+P4EnTY9DHJXcSfGUyOngMxwh5ciFV4dpNwBGTk/1P3vOGGthCnjtL1VPkz + + + + ORG + Non-profit organisations + + 2908758-4 + TestOrg + + Management + + + + + COM + Private companies + + 1710128-9 + TestCom + + TestClient + + + + + GOV + Governmental organisations + + 0245437-2 + TestGov + + TestSaved + + + TestService + + + test-consumer + + + + id0 + SS0 +

ss0
+ 5+C5Gr24Dh912x5haKGOyZuK2KI= + id1 + id7 + + + id4 + SS1 +
ss1
+ 03SfHhv+L5OJrJaod/sOZn6vp1c= + id5 + id6 + id3 + id1 +
+ + security-server-owners + Security server owners + + CS + ORG + 2908758-4 + + + CS + GOV + 0245437-2 + + + + + COM + Private companies + + + GOV + Governmental organisations + + + ORG + Non-profit organisations + + 3600 + + diff --git a/src/signer-protocol/src/intTest/resources/globalconf/cs/shared-params.xml.metadata b/src/signer-protocol/src/intTest/resources/globalconf/cs/shared-params.xml.metadata new file mode 100644 index 0000000000..20014b1e9e --- /dev/null +++ b/src/signer-protocol/src/intTest/resources/globalconf/cs/shared-params.xml.metadata @@ -0,0 +1 @@ +{"contentIdentifier":"SHARED-PARAMETERS","instanceIdentifier":"cs","expirationDate":"2124-05-20T17:42:55Z"} diff --git a/src/signer-protocol/src/intTest/resources/globalconf/instance-identifier b/src/signer-protocol/src/intTest/resources/globalconf/instance-identifier new file mode 100644 index 0000000000..841618abad --- /dev/null +++ b/src/signer-protocol/src/intTest/resources/globalconf/instance-identifier @@ -0,0 +1 @@ +cs From 1b35af396fd1ff78fa00408c01e5a2f20694ea41 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Tue, 29 Aug 2023 10:47:23 +0300 Subject: [PATCH 030/127] test: unused code deleted Refs: XRDDEV-2461 --- .../protocol/message/SuccessResponse.java | 35 ------------------- .../signer/util/AbstractSignerActor.java | 7 +--- 2 files changed, 1 insertion(+), 41 deletions(-) delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SuccessResponse.java diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SuccessResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SuccessResponse.java deleted file mode 100644 index 5e8d444eb0..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SuccessResponse.java +++ /dev/null 
@@ -1,35 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import java.io.Serializable; - -/** - * Dummy class for responses that do not return anything. - */ -public class SuccessResponse implements Serializable { - -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/util/AbstractSignerActor.java b/src/signer/src/main/java/ee/ria/xroad/signer/util/AbstractSignerActor.java index 312c335a50..f15cbf0872 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/util/AbstractSignerActor.java 
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/util/AbstractSignerActor.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -26,7 +26,6 @@ package ee.ria.xroad.signer.util; import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.protocol.message.SuccessResponse; import akka.actor.ActorRef; import akka.actor.UntypedAbstractActor; @@ -49,10 +48,6 @@ protected void sendResponse(Object message) { } } - protected void sendSuccessResponse() { - sendResponse(new SuccessResponse()); - } - protected CodedException translateError(Exception e) { return translateException(e); } From 726ece480c68eb73f3b641caa830f8de2b8136f1 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Tue, 29 Aug 2023 12:23:27 +0300 Subject: [PATCH 031/127] chore: GetOcspResponsesResp refactored from array to map Refs: XRDDEV-2461 --- .../ee/ria/xroad/signer/glue/SignerStepDefs.java | 15 ++++++++++++--- .../resources/behavior/0500-signer.feature | 1 + .../java/ee/ria/xroad/signer/SignerProxy.java | 11 ++++++++++- .../src/main/proto/OcspService.proto | 2 +- .../handler/GetOcspResponsesReqHandler.java | 15 +++++++++++++-- 5 files changed, 37 insertions(+), 7 deletions(-) diff --git a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java index a23c9e3522..e49d80ca40 100644 --- a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java +++ b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java 
@@ -338,7 +338,7 @@ public void keyidCanBeRetrievedByCertHash() throws Exception { } @And("token and keyId can be retrieved by cert hash") - public void tokenAndKeyIdCanBeRetrievedByCertHash() throws Exception { + public void tokenAndKeyIdCanBeRetrievedByCertHash() { final TokenInfoAndKeyId tokenAndKeyIdForCertHash = SignerProxy.getTokenAndKeyIdForCertHash(this.certHash); assertThat(tokenAndKeyIdForCertHash).isNotNull(); } @@ -580,12 +580,20 @@ public void ocspResponsesAreSet() throws Exception { @Then("ocsp responses can be retrieved") public void ocspResponsesCanBeRetrieved() throws Exception { X509Certificate subject = TestCertUtil.getConsumer().certChain[0]; - final String certHash = calculateCertHexHash(subject); + final String hash = calculateCertHexHash(subject); - final String[] ocspResponses = SignerProxy.getOcspResponses(new String[]{certHash}); + final String[] ocspResponses = SignerProxy.getOcspResponses(new String[]{hash}); assertThat(ocspResponses).isNotEmpty(); } + @And("null ocsp response is returned for unknown certificate") + public void emptyOcspResponseIsReturnedForUnknownCertificate() throws Exception { + final String[] ocspResponses = SignerProxy + .getOcspResponses(new String[]{calculateCertHexHash("not a cert".getBytes())}); + assertThat(ocspResponses).hasSize(1); + assertThat(ocspResponses[0]).isNull(); + } + @RequiredArgsConstructor static class StreamGobbler extends Thread { private final InputStream is; @@ -602,4 +610,5 @@ public void run() { } } } + } diff --git a/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature b/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature index ac34c1e84a..8ec1887c52 100644 --- a/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature +++ b/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature 
@@ -106,6 +106,7 @@ Feature: 0500 - Signer Scenario: Ocsp responses When ocsp responses are set Then ocsp responses can be retrieved + And null ocsp response is returned for unknown certificate diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java index e3fc21f94a..26c760b6ef 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java @@ -85,6 +85,7 @@ import java.util.Arrays; import java.util.Date; import java.util.List; +import java.util.Map; import java.util.concurrent.Callable; import java.util.stream.Collectors; @@ -603,7 +604,15 @@ public static String[] getOcspResponses(String[] certHashes) throws Exception { .addAllCertHash(toLowerCase(certHashes)) .build())); - return response.getBase64EncodedResponsesList().toArray(new String[0]); + final Map responsesMap = response.getBase64EncodedResponsesMap(); + String[] result = new String[certHashes.length]; + for (int i = 0; i < certHashes.length; i++) { + if (responsesMap.containsKey(certHashes[i])) { + result[i] = responsesMap.get(certHashes[i]); + } + } + + return result; } public static void setOcspResponses(String[] certHashes, String[] base64EncodedResponses) throws Exception { diff --git a/src/signer-protocol/src/main/proto/OcspService.proto b/src/signer-protocol/src/main/proto/OcspService.proto index ccef5a26b3..a53b56da44 100644 --- a/src/signer-protocol/src/main/proto/OcspService.proto +++ b/src/signer-protocol/src/main/proto/OcspService.proto @@ -22,5 +22,5 @@ message GetOcspResponsesReq{ } message GetOcspResponsesResp{ - repeated string base64EncodedResponses = 1; + map base64EncodedResponses = 1; } 
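Review bot: In `getOcspResponses` the request is built from `toLowerCase(certHashes)`, but the new loop looks the responses up with the caller's original `certHashes[i]`. A hash passed in upper or mixed case therefore misses the map and yields `null`, which the caller cannot tell apart from "no OCSP response known for this certificate". The handler keys the map by `request.getCertHash(i)`, that is, by the normalised value that was sent. Look the entry up with the same normalisation, for example `result[i] = responsesMap.get(certHashes[i].toLowerCase());`, or index into whatever the helper returns, since its exact normalisation is not visible here. The `containsKey` check is then unnecessary, because `get` already returns `null` for a missing key.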
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetOcspResponsesReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetOcspResponsesReqHandler.java index aa734c6dc9..6e235b337a 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetOcspResponsesReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetOcspResponsesReqHandler.java @@ -28,11 +28,13 @@ import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.protocol.message.GetOcspResponses; +import org.apache.commons.lang3.ArrayUtils; import org.niis.xroad.signer.proto.GetOcspResponsesReq; import org.niis.xroad.signer.proto.GetOcspResponsesResp; import org.springframework.stereotype.Component; -import static java.util.Arrays.asList; +import java.util.HashMap; +import java.util.Map; /** * Handles OCSP requests. @@ -47,8 +49,17 @@ protected GetOcspResponsesResp handle(GetOcspResponsesReq request) throws Except request.getCertHashList().toArray(new String[0])); ee.ria.xroad.signer.protocol.message.GetOcspResponsesResponse response = temporaryAkkaMessenger.tellOcspManagerWithResponse(message); + + // todo return map from ocsp responses manager + Map ocspResponses = new HashMap<>(); + for (int i = 0; i < message.getCertHash().length; i++) { + if (ArrayUtils.get(response.getBase64EncodedResponses(), i) != null) { + ocspResponses.put(request.getCertHash(i), response.getBase64EncodedResponses()[i]); + } + } + return GetOcspResponsesResp.newBuilder() - .addAllBase64EncodedResponses(asList(response.getBase64EncodedResponses())) + .putAllBase64EncodedResponses(ocspResponses) .build(); } From c7773554e23adb6e2166bcaed74f0d3df33dd246 Mon Sep 17 00:00:00 2001 
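Review bot: The loop added to `handle` reads the reply through `ArrayUtils.get(...)`, which returns `null` for an out-of-range index, so a reply array shorter than the request is silently turned into missing map entries. For an OCSP lookup that makes a fault in the manager look the same as an unknown certificate. Check the lengths once before the loop and log or fail on a mismatch, e.g. `if (responses.length != request.getCertHashCount()) { ... }`, with `String[] responses = response.getBase64EncodedResponses();` hoisted into a local. Taking the loop bound and the keys both from `request` would also read more clearly than mixing `message.getCertHash().length` with `request.getCertHash(i)`. The method starts outside this hunk.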
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Tue, 29 Aug 2023 15:15:33 +0300 Subject: [PATCH 032/127] chore: remove unused methods Refs: XRDDEV-2468 --- .../xroad/signer/protocol/SignerClient.java | 27 ------------------- 1 file changed, 27 deletions(-) diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SignerClient.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SignerClient.java index 6207b83913..69dd6224ff 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SignerClient.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SignerClient.java @@ -33,10 +33,7 @@ import akka.actor.ActorSystem; import akka.actor.Props; import akka.actor.UntypedAbstractActor; -import akka.pattern.Patterns; -import akka.util.Timeout; import lombok.extern.slf4j.Slf4j; -import scala.concurrent.Await; import java.time.Duration; import java.util.Objects; @@ -47,7 +44,6 @@ import java.util.concurrent.TimeoutException; import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; -import static ee.ria.xroad.signer.protocol.ComponentNames.SIGNER; import static ee.ria.xroad.signer.protocol.SignerClient.SignerWatcher.requestProcessor; /** @@ -57,8 +53,6 @@ @Slf4j public final class SignerClient { - private static final Timeout TIMEOUT = - Timeout.apply(SystemProperties.getSignerClientTimeout(), TimeUnit.MILLISECONDS); public static final String LOCALHOST_IP = "127.0.0.1"; private SignerClient() { 
@@ -96,24 +90,6 @@ public static void execute(Object message, ActorRef receiver) { requestProcessor().tell(message, receiver); } - /** - * Sends a message and waits for a response, returning it. If the response - * is an exception, throws it. - * - * @param the type of result - * @param message the message - * @return the response - * @throws Exception if the response is an exception - */ - @Deprecated - public static T execute(Object message) throws Exception { - try { - return result(Await.result(Patterns.ask(requestProcessor(), message, TIMEOUT), TIMEOUT.duration())); - } catch (TimeoutException e) { - throw new CodedException(X_INTERNAL_ERROR, e, "Request to Signer timed out"); - } - } - /** * Returns the object as the instance or throws exception, if the object * is throwable. @@ -287,8 +263,5 @@ private void identifyProcessor() { correlationId++; } - private String getSignerPath() { - return "akka://" + SIGNER + "@" + signerIpAddress + ":" + SystemProperties.getSignerPort(); - } } } From 877c545dc18a51c4c387af638a09262653a52162 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Tue, 29 Aug 2023 16:46:36 +0300 Subject: [PATCH 033/127] chore: ModuleManagerReload job Refs: XRDDEV-2461 --- .../main/java/ee/ria/xroad/signer/Signer.java | 25 +-------- .../ee/ria/xroad/signer/SignerConfig.java | 30 +++++++++- .../ee/ria/xroad/signer/TemporaryHelper.java | 18 ++++++ .../signer/job/ModuleManagerReloadJob.java} | 56 +++++-------------- .../module/AbstractModuleManager.java | 22 +++++--- 5 files changed, 75 insertions(+), 76 deletions(-) rename src/{common/common-util/src/main/java/ee/ria/xroad/common/util/PeriodicJob.java => signer/src/main/java/ee/ria/xroad/signer/job/ModuleManagerReloadJob.java} (52%) diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/Signer.java b/src/signer/src/main/java/ee/ria/xroad/signer/Signer.java index d8254f2b63..ac7ae60771 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/Signer.java 
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/Signer.java @@ -26,7 +26,6 @@ package ee.ria.xroad.signer; import ee.ria.xroad.common.SystemProperties; -import ee.ria.xroad.common.util.PeriodicJob; import ee.ria.xroad.common.util.StartStop; import ee.ria.xroad.common.util.filewatcher.FileWatcherRunner; import ee.ria.xroad.signer.certmanager.OcspClientWorker; @@ -41,11 +40,8 @@ import akka.actor.Props; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; -import scala.concurrent.duration.Duration; -import scala.concurrent.duration.FiniteDuration; import java.nio.file.Paths; -import java.util.concurrent.TimeUnit; import static ee.ria.xroad.common.SystemProperties.NodeType.SLAVE; import static ee.ria.xroad.signer.protocol.ComponentNames.MODULE_MANAGER; @@ -64,17 +60,12 @@ public class Signer implements StartStop { private static final String MODULE_MANAGER_IMPL_CLASS = SystemProperties.PREFIX + "signer.moduleManagerImpl"; - private static final int MODULE_MANAGER_UPDATE_INTERVAL_SECONDS = SystemProperties.getModuleManagerUpdateInterval(); - - private static final FiniteDuration MODULE_MANAGER_UPDATE_INTERVAL = - Duration.create(MODULE_MANAGER_UPDATE_INTERVAL_SECONDS, TimeUnit.SECONDS); - private final ActorSystem actorSystem; private FileWatcherRunner keyConfFileWatcherRunner; @Override - public void start() throws Exception { + public void start() { log.trace("start()"); TokenManager.init(); @@ -96,7 +87,6 @@ public void start() throws Exception { createComponent(OCSP_CLIENT, OcspClientWorker.class); createComponent(OCSP_CLIENT_JOB, OcspClientJob.class); createComponent(OCSP_CLIENT_RELOAD, OcspClientReload.class); - createComponent(ModuleManagerJob.class); } /** 
@@ -126,10 +116,6 @@ public void join() { //NOP } - private ActorRef createComponent(Class clazz, Object... arg) { - return createComponent(clazz.getName(), clazz, arg); - } - private ActorRef createComponent(String name, Class clazz, Object... arg) { return actorSystem.actorOf(Props.create(clazz, arg), name); } @@ -145,13 +131,4 @@ private Class getModuleManagerImpl() { } } - /** - * Periodically updates the ModuleManager - */ - private static class ModuleManagerJob extends PeriodicJob { - ModuleManagerJob() { - super(MODULE_MANAGER, new Update(), MODULE_MANAGER_UPDATE_INTERVAL); - } - } - } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java index 27658197ca..d2522e004a 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java 
@@ -1,3 +1,28 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ package ee.ria.xroad.signer; import ee.ria.xroad.common.SystemProperties; 
@@ -9,11 +34,13 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; +import org.springframework.scheduling.annotation.EnableScheduling; import static ee.ria.xroad.signer.protocol.ComponentNames.SIGNER; -@ComponentScan("ee.ria.xroad.signer.protocol") +@ComponentScan({"ee.ria.xroad.signer.protocol", "ee.ria.xroad.signer.job"}) @Configuration +@EnableScheduling public class SignerConfig { @Bean @@ -28,4 +55,5 @@ private static Config getConf(int signerPort) { return conf.withValue("akka.remote.artery.canonical.port", ConfigValueFactory.fromAnyRef(signerPort)); } + } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/TemporaryHelper.java b/src/signer/src/main/java/ee/ria/xroad/signer/TemporaryHelper.java index 06d89fcfca..c43180c101 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/TemporaryHelper.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/TemporaryHelper.java @@ -26,6 +26,7 @@ package ee.ria.xroad.signer; import ee.ria.xroad.signer.certmanager.OcspResponseManager; +import ee.ria.xroad.signer.tokenmanager.module.AbstractModuleManager; import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker; import java.util.HashMap; @@ -40,6 +41,10 @@ public class TemporaryHelper { @Deprecated private static Map TOKEN_WORKERS = new HashMap<>(); + + @Deprecated + private static AbstractModuleManager moduleManager; + @Deprecated public static OcspResponseManager ocspResponseManager; 
@@ -63,4 +68,17 @@ public static OcspResponseManager getOcspResponseManager() { public static void addTokenWorker(String tokenId, AbstractTokenWorker tokenWorker) { TOKEN_WORKERS.put(tokenId, tokenWorker); } + + @Deprecated + public static void setModuleManager(AbstractModuleManager manager) { + moduleManager = manager; + } + + @Deprecated + public static AbstractModuleManager getModuleManager() { + if (moduleManager != null) { + return moduleManager; + } + throw new RuntimeException("Module manager not available."); + } } diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/PeriodicJob.java b/src/signer/src/main/java/ee/ria/xroad/signer/job/ModuleManagerReloadJob.java similarity index 52% rename from src/common/common-util/src/main/java/ee/ria/xroad/common/util/PeriodicJob.java rename to src/signer/src/main/java/ee/ria/xroad/signer/job/ModuleManagerReloadJob.java index 59779995aa..2c01b36cba 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/PeriodicJob.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/job/ModuleManagerReloadJob.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
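Review bot: `moduleManager` is a plain static field that `setModuleManager` writes from the actor's `preStart` and `getModuleManager` reads from the scheduler thread in `ModuleManagerReloadJob`, with nothing establishing visibility between the two threads. Declare it as `private static volatile AbstractModuleManager moduleManager;` and read it once into a local inside the getter so the null check and the return see the same value. The getter would also be clearer throwing `new IllegalStateException("Module manager not available.")` than a bare `RuntimeException`, and both accessors deserve a one-line comment saying they are a migration shim.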
@@ -23,53 +23,25 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ -package ee.ria.xroad.common.util; -import akka.actor.ActorRef; -import akka.actor.Cancellable; -import akka.actor.UntypedAbstractActor; -import lombok.RequiredArgsConstructor; -import scala.concurrent.duration.FiniteDuration; +package ee.ria.xroad.signer.job; -/** - * Actor that periodically sends a message to another actor. - */ -@RequiredArgsConstructor -public abstract class PeriodicJob extends UntypedAbstractActor { - - private final String actor; - private final Object message; - private final FiniteDuration interval; - private Cancellable tick; +import ee.ria.xroad.signer.TemporaryHelper; - @Override - public void onReceive(Object incomingMessage) throws Exception { - if (incomingMessage.equals(this.message)) { - getContext().actorSelection("/user/" + actor).tell(incomingMessage, - getSelf()); - } else { - unhandled(incomingMessage); - } - } +import lombok.extern.slf4j.Slf4j; +import org.springframework.scheduling.annotation.Scheduled; +import org.springframework.stereotype.Component; - @Override - public void preStart() throws Exception { - tick = start(); - } +@Slf4j +@Component +public class ModuleManagerReloadJob { - @Override - public void postStop() { - tick.cancel(); + @Scheduled(fixedDelayString = "#{T(ee.ria.xroad.common.SystemProperties).getModuleManagerUpdateInterval() * 1000}") + public void update() { + log.trace("Triggering ModuleManager update"); + // todo ModuleManager should be injected + TemporaryHelper.getModuleManager().onUpdate(); } - protected FiniteDuration getInitialDelay() { - return interval; - } - - private Cancellable start() { - return getContext().system().scheduler().schedule(getInitialDelay(), - interval, getSelf(), message, getContext().dispatcher(), - ActorRef.noSender()); - } } 
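Review bot: `update()` calls `onUpdate()` on the actor instance directly from Spring's scheduler thread, whereas the removed `PeriodicJob` delivered a message to the actor's mailbox. `AbstractModuleManager` touches `getContext()` elsewhere in the class (`isModuleInitialized`), and actor state is normally only safe to use while the actor is processing a message, so the reload can now run concurrently with `onMessage`. Until the manager is an injected bean, keep the hand-off as a message, e.g. `TemporaryHelper.getModuleManager().getSelf().tell(new Update(), ActorRef.noSender());`. `getModuleManager()` also throws when the job fires before `preStart` has run; catch that case and skip the tick with a debug log rather than leaving it to the scheduler's error handler.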
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java index 9c2b3b369e..efbe466cec 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -27,6 +27,7 @@ import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.util.CryptoUtils; +import ee.ria.xroad.signer.TemporaryHelper; import ee.ria.xroad.signer.model.Cert; import ee.ria.xroad.signer.protocol.message.GetOcspResponses; import ee.ria.xroad.signer.tokenmanager.ServiceLocator; @@ -57,6 +58,12 @@ public abstract class AbstractModuleManager extends AbstractUpdateableActor { private final SystemProperties.NodeType serverNodeType = SystemProperties.getServerNodeType(); + @Override + @Deprecated(forRemoval = true) + public void preStart() throws Exception { + TemporaryHelper.setModuleManager(this); + } + @Override public SupervisorStrategy supervisorStrategy() { return new OneForOneStrategy(-1, Duration.Inf(), @@ -74,7 +81,8 @@ public SupervisorStrategy supervisorStrategy() { } @Override - protected void onUpdate() throws Exception { + public void onUpdate() { + log.trace("onUpdate()"); loadModules(); if (SLAVE.equals(serverNodeType)) { @@ -95,7 +103,7 @@ public void onMessage(Object message) throws Exception { protected abstract void initializeModule(ModuleType module); - private void loadModules() throws Exception { + private void loadModules() { log.trace("loadModules()"); if (!ModuleConf.hasChanged()) { 
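Review bot: The new `preStart` publishes `this` into the static `TemporaryHelper` holder and nothing in the change clears it again, so once the actor has stopped the scheduled job keeps invoking `onUpdate()` on a dead instance. Add a matching `postStop` that calls `TemporaryHelper.setModuleManager(null);`. The override also does not call `super.preStart()`; `AbstractUpdateableActor` is not visible here, so confirm it has no start-up work of its own. `onUpdate()` is widened from `protected` to `public` for the job's benefit, which is worth a comment marking it as temporary alongside the `@Deprecated(forRemoval = true)` on `preStart`.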
@@ -186,11 +194,7 @@ boolean isModuleInitialized(ModuleType module) { return getContext().findChild(module.getType()).isPresent(); } - private static boolean containsModule(String moduleId, - Collection modules) { - return modules.stream() - .filter(m -> m.getType().equals(moduleId)) - .findFirst() - .isPresent(); + private static boolean containsModule(String moduleId, Collection modules) { + return modules.stream().anyMatch(m -> m.getType().equals(moduleId)); } } From 1758eb81058925e7cb2cad2323673b24b9b58991 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Thu, 31 Aug 2023 10:34:28 +0300 Subject: [PATCH 034/127] chore: add file based passwordstore provider Refs: XRDDEV-2468 --- .../util/FilePasswordStoreProvider.java | 83 +++++++++++++++++++ .../util/MemoryPasswordStoreProvider.java | 47 +++++++++++ .../ria/xroad/common/util/PasswordStore.java | 50 +++++++---- src/passwordstore/Makefile | 4 +- ...common_util_MemoryPasswordStoreProvider.c} | 8 +- ..._common_util_MemoryPasswordStoreProvider.h | 37 +++++++++ .../ee_ria_xroad_common_util_PasswordStore.h | 37 --------- 7 files changed, 206 insertions(+), 60 deletions(-) create mode 100644 src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java create mode 100644 src/common/common-util/src/main/java/ee/ria/xroad/common/util/MemoryPasswordStoreProvider.java rename src/passwordstore/{ee_ria_xroad_common_util_PasswordStore.c => ee_ria_xroad_common_util_MemoryPasswordStoreProvider.c} (94%) create mode 100644 src/passwordstore/ee_ria_xroad_common_util_MemoryPasswordStoreProvider.h delete mode 100644 src/passwordstore/ee_ria_xroad_common_util_PasswordStore.h diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java new file mode 100644 index 0000000000..83acc28562 --- /dev/null 
+++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java 
@@ -0,0 +1,83 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ +package ee.ria.xroad.common.util; + +import ee.ria.xroad.common.SystemProperties; + +import lombok.extern.slf4j.Slf4j; +import org.apache.commons.io.FileUtils; +import org.bouncycastle.util.Arrays; + +import java.io.File; + +import static java.lang.String.format; + +/** + * A simplified password store implementation which uses files as storage medium. This implementation is designed purely for testing purposes. 
+ */ +@Slf4j +public class FilePasswordStoreProvider implements PasswordStore.PasswordStoreProvider { + private static final String CFG_FILE_PASSWORD_STORE_PATH = SystemProperties.PREFIX + "internal.passwordstore-file-path"; + + private static final String PATTERN_FILE_PASSWORDSTORE = "%s/.passwordstore-%s"; + + @Override + public byte[] read(String pathnameForFtok, String id) throws Exception { + var file = getFileById(id); + + log.warn("Reading password from {}. File exists? {}", file, file.exists()); + if (file.exists()) { + return FileUtils.readFileToByteArray(file); + } else { + return null; + } + } + + @Override + public void write(String pathnameForFtok, String id, byte[] password, int permissions) throws Exception { + var file = getFileById(id); + + log.warn("Writing password to {}", file); + if (Arrays.isNullOrEmpty(password)) { + FileUtils.delete(file); + } else { + FileUtils.writeByteArrayToFile(file, password, false); + } + } + + @Override + public void clear(String pathnameForFtok, int permissions) throws Exception { + //NO-OP + } + + private File getFileById(String id) { + return new File(format(PATTERN_FILE_PASSWORDSTORE, getPasswordStorePath(), id)); + } + + private String getPasswordStorePath() { + return System.getProperty(CFG_FILE_PASSWORD_STORE_PATH, "/tmp/xroad/passwordstore/"); + } +} diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/MemoryPasswordStoreProvider.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/MemoryPasswordStoreProvider.java new file mode 100644 index 0000000000..57bc0297ea --- /dev/null +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/MemoryPasswordStoreProvider.java 
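Review bot: `write` ignores its `permissions` argument and `getFileById` formats the caller-supplied `id` straight into a path under a default of `/tmp/xroad/passwordstore/`, so token passwords land in a shared temp directory with whatever mode the umask gives, and an `id` containing a path separator could name a file outside the store. `FileUtils.delete(file)` also throws when the file does not exist, so clearing a password that was never stored fails, and `clear` is a no-op, which leaves secrets on disk after `PasswordStore.clearStore()`. The class comment says the provider is for testing only, yet it sits in main sources and `PasswordStore` selects it from a system property; moving it to test sources or failing closed outside test runs would keep it out of production. The sketch below creates the file owner-only, tolerates a missing file on removal and rejects ids that leave the store directory; it needs the matching `java.nio.file` imports.

```java
    @Override
    public void write(String pathnameForFtok, String id, byte[] password, int permissions) throws Exception {
        var path = getFileById(id).toPath();

        if (Arrays.isNullOrEmpty(password)) {
            // Removing a password that was never stored is not an error.
            Files.deleteIfExists(path);
            return;
        }
        if (Files.notExists(path)) {
            Files.createDirectories(path.getParent());
            // Create the file owner-only before any secret bytes reach it (POSIX file systems only).
            Files.createFile(path,
                    PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        }
        Files.write(path, password);
    }

    // … unchanged: read, clear, getPasswordStorePath …

    private File getFileById(String id) {
        var base = Paths.get(getPasswordStorePath()).toAbsolutePath().normalize();
        var target = base.resolve(".passwordstore-" + id).normalize();
        // The id becomes part of a file name; refuse anything that resolves outside the store directory.
        if (!base.equals(target.getParent())) {
            throw new IllegalArgumentException("Invalid password id");
        }
        return target.toFile();
    }
```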
@@ -0,0 +1,47 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ +package ee.ria.xroad.common.util; + +/** + * Manages passwords stored in the shared memory segment. 
+ */ +public class MemoryPasswordStoreProvider implements PasswordStore.PasswordStoreProvider { + + static { + System.loadLibrary("passwordstore"); + } + + @Override + public native byte[] read(String pathnameForFtok, String id) throws Exception; + + @Override + public native void write(String pathnameForFtok, String id, byte[] password, int permissions) throws Exception; + + @Override + public native void clear(String pathnameForFtok, int permissions) throws Exception; + + +} diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/PasswordStore.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/PasswordStore.java index c75fafd2c3..332e7cd4ee 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/PasswordStore.java +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/PasswordStore.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -27,6 +27,9 @@ import ee.ria.xroad.common.SystemProperties; +import lombok.AccessLevel; +import lombok.NoArgsConstructor; +import lombok.extern.slf4j.Slf4j; import org.apache.commons.io.output.WriterOutputStream; import java.io.ByteArrayOutputStream; 
@@ -37,49 +40,63 @@ import static java.nio.charset.StandardCharsets.UTF_8; /** - * Manages passwords stored in the shared memory segment. + * Manages passwords that are shared across different JVMs. */ +@Slf4j +@NoArgsConstructor(access = AccessLevel.PRIVATE) public final class PasswordStore { - + private static final String CFG_PASSWORD_STORE_PROVIDER = SystemProperties.PREFIX + "internal.passwordstore-provider"; + private static final String CFG_PASSWORD_STORE_FILE = "file"; private static final int PERMISSIONS = 0600; + private static final PasswordStoreProvider passwordStoreProvider; + static { - System.loadLibrary("passwordstore"); + if (isFilePasswordStoreEnabled()) { + log.warn("WARNING: FilePasswordStoreProvider is enabled. This provider is not production ready."); + passwordStoreProvider = new FilePasswordStoreProvider(); + } else { + passwordStoreProvider = new MemoryPasswordStoreProvider(); + } } - private PasswordStore() { + private static boolean isFilePasswordStoreEnabled() { + return CFG_PASSWORD_STORE_FILE.equals(System.getProperty(CFG_PASSWORD_STORE_PROVIDER)); } /** * Returns stored password with identifier id. + * * @param id identifier of the password * @return password value or null, if password with this ID was not found. * @throws Exception in case of any errors */ public static char[] getPassword(String id) throws Exception { - byte[] raw = read(getPathnameForFtok(), id); + byte[] raw = passwordStoreProvider.read(getPathnameForFtok(), id); return raw == null ? null : byteToChar(raw); } /** * Stores the password in shared memory. * Use null as password parameter to remove password from memory. 
- * @param id identifier of the password + * + * @param id identifier of the password * @param password password to be stored * @throws Exception in case of any errors */ public static void storePassword(String id, char[] password) throws Exception { byte[] raw = charToByte(password); - write(getPathnameForFtok(), id, raw, PERMISSIONS); + passwordStoreProvider.write(getPathnameForFtok(), id, raw, PERMISSIONS); } /** * Clears the password store. Useful for testing purposes. + * * @throws Exception in case of any errors */ public static void clearStore() throws Exception { - clear(getPathnameForFtok(), PERMISSIONS); + passwordStoreProvider.clear(getPathnameForFtok(), PERMISSIONS); } private static byte[] charToByte(char[] buffer) throws IOException { @@ -107,16 +124,15 @@ private static char[] byteToChar(byte[] bytes) throws IOException { return writer.toCharArray(); } - private static native byte[] read(String pathnameForFtok, String id) - throws Exception; + private static String getPathnameForFtok() { + return SystemProperties.getSignerPasswordStoreIPCKeyPathname(); + } - private static native void write(String pathnameForFtok, - String id, byte[] password, int permissions) throws Exception; + public interface PasswordStoreProvider { + byte[] read(String pathnameForFtok, String id) throws Exception; - private static native void clear(String pathnameForFtok, int permissions) - throws Exception; + void write(String pathnameForFtok, String id, byte[] password, int permissions) throws Exception; - private static String getPathnameForFtok() { - return SystemProperties.getSignerPasswordStoreIPCKeyPathname(); + void clear(String pathnameForFtok, int permissions) throws Exception; } } diff --git a/src/passwordstore/Makefile b/src/passwordstore/Makefile index 01d4dbd91a..d3644fa2cf 100644 --- a/src/passwordstore/Makefile +++ b/src/passwordstore/Makefile 
@@ -2,9 +2,9 @@ XROADTOP = $(shell cd ../ ; pwd) JAVA_HOME ?= $(shell dirname $$(dirname $$(readlink -f $$(which javac)))) -LIBSRC = xmem.c passwordstore.ci ee_ria_xroad_common_util_PasswordStore.c +LIBSRC = xmem.c passwordstore.ci ee_ria_xroad_common_util_MemoryPasswordStoreProvider.c -OBJECTS = xmem.o passwordstore.o ee_ria_xroad_common_util_PasswordStore.o +OBJECTS = xmem.o passwordstore.o ee_ria_xroad_common_util_MemoryPasswordStoreProvider.o TEST_PROGRAMS = test_passwordstore_write test_passwordstore_read \ test_passwordstore_clear diff --git a/src/passwordstore/ee_ria_xroad_common_util_PasswordStore.c b/src/passwordstore/ee_ria_xroad_common_util_MemoryPasswordStoreProvider.c similarity index 94% rename from src/passwordstore/ee_ria_xroad_common_util_PasswordStore.c rename to src/passwordstore/ee_ria_xroad_common_util_MemoryPasswordStoreProvider.c index 2fbd2356a7..f61f44f94a 100644 --- a/src/passwordstore/ee_ria_xroad_common_util_PasswordStore.c +++ b/src/passwordstore/ee_ria_xroad_common_util_MemoryPasswordStoreProvider.c @@ -23,7 +23,7 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ -#include "ee_ria_xroad_common_util_PasswordStore.h" +#include "ee_ria_xroad_common_util_MemoryPasswordStoreProvider.h" #include #include @@ -31,7 +31,7 @@ #include "passwordstore.h" JNIEXPORT jbyteArray JNICALL -Java_ee_ria_xroad_common_util_PasswordStore_read(JNIEnv *env, jclass jc, +Java_ee_ria_xroad_common_util_MemoryPasswordStoreProvider_read(JNIEnv *env, jclass jc, jstring j_pathname_for_ftok, jstring j_id) { (void)jc; @@ -103,7 +103,7 @@ Java_ee_ria_xroad_common_util_PasswordStore_read(JNIEnv *env, jclass jc, JNIEXPORT void JNICALL -Java_ee_ria_xroad_common_util_PasswordStore_write(JNIEnv *env, jclass jc, +Java_ee_ria_xroad_common_util_MemoryPasswordStoreProvider_write(JNIEnv *env, jclass jc, jstring j_pathname_for_ftok, jstring j_id, jbyteArray j_password, jint permissions) { 
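Review bot: The renamed JNI entry points keep `jclass jc` as their second parameter, but `MemoryPasswordStoreProvider` now declares `read`, `write` and `clear` as instance `native` methods, for which the JVM passes the receiver object rather than the class. Declare the parameter as `jobject` (e.g. `JNIEnv *env, jobject self,`) in `..._read` and `..._write` here, in `..._clear` in the next hunk and in the renamed header, or regenerate the header with `javac -h` so that the "machine generated" file really matches the class. The parameter is unused (`(void)jc;`), so this keeps the declarations truthful rather than changing behaviour. The function bodies continue outside these hunks.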
@@ -164,7 +164,7 @@ Java_ee_ria_xroad_common_util_PasswordStore_write(JNIEnv *env, jclass jc, } JNIEXPORT void JNICALL -Java_ee_ria_xroad_common_util_PasswordStore_clear(JNIEnv *env, jclass jc, +Java_ee_ria_xroad_common_util_MemoryPasswordStoreProvider_clear(JNIEnv *env, jclass jc, jstring j_pathname_for_ftok, jint permissions) { (void)jc; diff --git a/src/passwordstore/ee_ria_xroad_common_util_MemoryPasswordStoreProvider.h b/src/passwordstore/ee_ria_xroad_common_util_MemoryPasswordStoreProvider.h new file mode 100644 index 0000000000..01b470410d --- /dev/null +++ b/src/passwordstore/ee_ria_xroad_common_util_MemoryPasswordStoreProvider.h @@ -0,0 +1,37 @@ +/* DO NOT EDIT THIS FILE - it is machine generated */ +#include +/* Header for class ee_ria_xroad_common_util_MemoryPasswordStoreProvider */ + +#ifndef _Included_ee_ria_xroad_common_util_MemoryPasswordStoreProvider +#define _Included_ee_ria_xroad_common_util_MemoryPasswordStoreProvider +#ifdef __cplusplus +extern "C" { +#endif +/* + * Class: ee_ria_xroad_common_util_MemoryPasswordStoreProvider + * Method: read + * Signature: (ILjava/lang/String;Ljava/lang/String;)[B + */ +JNIEXPORT jbyteArray JNICALL Java_ee_ria_xroad_common_util_MemoryPasswordStoreProvider_read + (JNIEnv *, jclass, jstring, jstring); + +/* + * Class: ee_ria_xroad_common_util_MemoryPasswordStoreProvider + * Method: write + * Signature: (Ljava/lang/String;ILjava/lang/String;[BI)V + */ +JNIEXPORT void JNICALL Java_ee_ria_xroad_common_util_MemoryPasswordStoreProvider_write + (JNIEnv *, jclass, jstring, jstring, jbyteArray, jint); + +/* + * Class: ee_ria_xroad_common_util_MemoryPasswordStoreProvider + * Method: clear + * Signature: (Ljava/lang/String;)V + */ +JNIEXPORT void JNICALL Java_ee_ria_xroad_common_util_MemoryPasswordStoreProvider_clear + (JNIEnv *, jclass, jstring, jint); + +#ifdef __cplusplus +} +#endif +#endif 
diff --git a/src/passwordstore/ee_ria_xroad_common_util_PasswordStore.h b/src/passwordstore/ee_ria_xroad_common_util_PasswordStore.h deleted file mode 100644 index f3225e09f1..0000000000 --- a/src/passwordstore/ee_ria_xroad_common_util_PasswordStore.h +++ /dev/null @@ -1,37 +0,0 @@ -/* DO NOT EDIT THIS FILE - it is machine generated */ -#include -/* Header for class ee_ria_xroad_common_util_PasswordStore */ - -#ifndef _Included_ee_ria_xroad_common_util_PasswordStore -#define _Included_ee_ria_xroad_common_util_PasswordStore -#ifdef __cplusplus -extern "C" { -#endif -/* - * Class: ee_ria_xroad_common_util_PasswordStore - * Method: read - * Signature: (ILjava/lang/String;Ljava/lang/String;)[B - */ -JNIEXPORT jbyteArray JNICALL Java_ee_ria_xroad_common_util_PasswordStore_read - (JNIEnv *, jclass, jstring, jstring); - -/* - * Class: ee_ria_xroad_common_util_PasswordStore - * Method: write - * Signature: (Ljava/lang/String;ILjava/lang/String;[BI)V - */ -JNIEXPORT void JNICALL Java_ee_ria_xroad_common_util_PasswordStore_write - (JNIEnv *, jclass, jstring, jstring, jbyteArray, jint); - -/* - * Class: ee_ria_xroad_common_util_PasswordStore - * Method: clear - * Signature: (Ljava/lang/String;)V - */ -JNIEXPORT void JNICALL Java_ee_ria_xroad_common_util_PasswordStore_clear - (JNIEnv *, jclass, jstring, jint); - -#ifdef __cplusplus -} -#endif -#endif From b79b939a67484f31dcc16b7a15f8fb4078972686 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Thu, 31 Aug 2023 10:53:02 +0300 Subject: [PATCH 035/127] chore: add int test commons with test-ca extracted from ss tests Refs: XRDDEV-2468 --- src/common/common-int-test/build.gradle | 16 ++++++++++++++++ .../xroad/common/test}/api/TestCaFeignApi.java | 4 +++- .../interceptor}/TestCaFeignInterceptor.java | 6 ++++-- .../container/TestCaAuxiliaryContainer.java | 15 +++++++++------ .../resources/META-INF}/ca-container/Dockerfile | 2 ++ .../ca-container/files/ca-entrypoint.sh | 0 .../META-INF}/ca-container/files/ca-xroad.conf | 0 .../files/etc/nginx/sites-enabled/ca.nginx | 0 .../files/etc/nginx/sites-enabled/tsa.nginx | 0 .../ca-container/files/home/ca/CA/.init | 0 .../ca-container/files/home/ca/CA/CA.cnf | 0 .../ca-container/files/home/ca/CA/ca.py | 0 .../files/home/ca/CA/certs/ca.cert.pem | 0 .../files/home/ca/CA/certs/ocsp.cert.pem | 0 .../files/home/ca/CA/certs/tsa.cert.pem | 0 .../ca-container/files/home/ca/CA/changed | 0 .../ca-container/files/home/ca/CA/csr/03.csr | 0 .../ca-container/files/home/ca/CA/csr/04.csr | 0 .../ca-container/files/home/ca/CA/csr/05.csr | 0 .../ca-container/files/home/ca/CA/csr/06.csr | 0 .../ca-container/files/home/ca/CA/csr/07.csr | 0 .../ca-container/files/home/ca/CA/csr/08.csr | 0 .../ca-container/files/home/ca/CA/csr/09.csr | 0 .../ca-container/files/home/ca/CA/csr/0A.csr | 0 .../ca-container/files/home/ca/CA/csr/0B.csr | 0 .../ca-container/files/home/ca/CA/csr/0C.csr | 0 .../ca-container/files/home/ca/CA/csr/0D.csr | 0 .../ca-container/files/home/ca/CA/csr/0E.csr | 0 .../ca-container/files/home/ca/CA/csr/0F.csr | 0 .../ca-container/files/home/ca/CA/csr/10.csr | 0 .../ca-container/files/home/ca/CA/csr/11.csr | 0 .../ca-container/files/home/ca/CA/csr/12.csr | 0 .../ca-container/files/home/ca/CA/csr/13.csr | 0 .../files/home/ca/CA/csr/ocsp.csr.pem | 0 .../files/home/ca/CA/csr/tsa.csr.pem | 0 .../ca-container/files/home/ca/CA/index.txt | 0 .../files/home/ca/CA/index.txt.attr | 
0 .../files/home/ca/CA/index.txt.attr.old | 0 .../ca-container/files/home/ca/CA/index.txt.old | 0 .../files/home/ca/CA/intermediate.sh | 0 .../files/home/ca/CA/newcerts/01.pem | 0 .../files/home/ca/CA/newcerts/02.pem | 0 .../files/home/ca/CA/newcerts/03.pem | 0 .../files/home/ca/CA/newcerts/04.pem | 0 .../files/home/ca/CA/newcerts/05.pem | 0 .../files/home/ca/CA/newcerts/06.pem | 0 .../files/home/ca/CA/newcerts/07.pem | 0 .../files/home/ca/CA/newcerts/08.pem | 0 .../files/home/ca/CA/newcerts/09.pem | 0 .../files/home/ca/CA/newcerts/0A.pem | 0 .../files/home/ca/CA/newcerts/0B.pem | 0 .../files/home/ca/CA/newcerts/0C.pem | 0 .../files/home/ca/CA/newcerts/0D.pem | 0 .../files/home/ca/CA/newcerts/0E.pem | 0 .../files/home/ca/CA/newcerts/0F.pem | 0 .../files/home/ca/CA/newcerts/10.pem | 0 .../files/home/ca/CA/newcerts/11.pem | 0 .../files/home/ca/CA/newcerts/12.pem | 0 .../files/home/ca/CA/newcerts/13.pem | 0 .../ca-container/files/home/ca/CA/ocsp.py | 0 .../ca-container/files/home/ca/CA/ocsp.sh | 0 .../ca-container/files/home/ca/CA/private/.rnd | Bin .../files/home/ca/CA/private/ca.key.pem | 0 .../files/home/ca/CA/private/ocsp.key.pem | 0 .../files/home/ca/CA/private/tmp.key.pem | 0 .../files/home/ca/CA/private/tsa.key.pem | 0 .../ca-container/files/home/ca/CA/revoke.sh | 0 .../ca-container/files/home/ca/CA/serial | 0 .../ca-container/files/home/ca/CA/serial.old | 0 .../ca-container/files/home/ca/CA/sign.sh | 0 .../ca-container/files/home/ca/CA/sign_req.sh | 0 .../ca-container/files/home/ca/TSA/TSA.cnf | 0 .../files/home/ca/TSA/tsa_server.py | 0 .../resources/META-INF}/ca-container/init.sh | 0 .../admin-service/ui-system-test/build.gradle | 7 +------ .../ui/CsAdminServiceTestConfiguration.java | 5 ++++- .../xroad/ss/test/ui/glue/TestCaStepDefs.java | 2 +- .../intTest/resources/application-override.yml | 2 +- src/settings.gradle | 3 ++- 79 files changed, 43 insertions(+), 19 deletions(-) create mode 100644 src/common/common-int-test/build.gradle rename 
src/{security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui => common/common-int-test/src/main/java/org/niis/xroad/common/test}/api/TestCaFeignApi.java (90%) rename src/{security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/api/configuration => common/common-int-test/src/main/java/org/niis/xroad/common/test/api/interceptor}/TestCaFeignInterceptor.java (89%) rename src/{security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui => common/common-int-test/src/main/java/org/niis/xroad/common/test}/container/TestCaAuxiliaryContainer.java (87%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/Dockerfile (96%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/ca-entrypoint.sh (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/ca-xroad.conf (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/etc/nginx/sites-enabled/ca.nginx (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/etc/nginx/sites-enabled/tsa.nginx (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/.init (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/CA.cnf (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => 
common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/ca.py (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/certs/ca.cert.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/certs/ocsp.cert.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/certs/tsa.cert.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/changed (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/csr/03.csr (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/csr/04.csr (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/csr/05.csr (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/csr/06.csr (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/csr/07.csr (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/csr/08.csr (100%) rename 
src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/csr/09.csr (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/csr/0A.csr (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/csr/0B.csr (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/csr/0C.csr (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/csr/0D.csr (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/csr/0E.csr (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/csr/0F.csr (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/csr/10.csr (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/csr/11.csr (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/csr/12.csr (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/csr/13.csr (100%) 
rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/csr/ocsp.csr.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/csr/tsa.csr.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/index.txt (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/index.txt.attr (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/index.txt.attr.old (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/index.txt.old (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/intermediate.sh (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/newcerts/01.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/newcerts/02.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/newcerts/03.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => 
common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/newcerts/04.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/newcerts/05.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/newcerts/06.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/newcerts/07.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/newcerts/08.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/newcerts/09.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/newcerts/0A.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/newcerts/0B.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/newcerts/0C.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/newcerts/0D.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/newcerts/0E.pem (100%) rename 
src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/newcerts/0F.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/newcerts/10.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/newcerts/11.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/newcerts/12.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/newcerts/13.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/ocsp.py (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/ocsp.sh (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/private/.rnd (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/private/ca.key.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/private/ocsp.key.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => 
common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/private/tmp.key.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/private/tsa.key.pem (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/revoke.sh (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/serial (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/serial.old (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/sign.sh (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/CA/sign_req.sh (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/TSA/TSA.cnf (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/files/home/ca/TSA/tsa_server.py (100%) rename src/{security-server/admin-service/ui-system-test/src/intTest/resources => common/common-int-test/src/main/resources/META-INF}/ca-container/init.sh (100%) diff --git a/src/common/common-int-test/build.gradle b/src/common/common-int-test/build.gradle new file mode 100644 index 0000000000..2dd5783173 --- /dev/null +++ b/src/common/common-int-test/build.gradle 
@@ -0,0 +1,16 @@
+plugins {
+ id 'java-library'
+}
+
+dependencies {
+ api("com.nortal.test:test-automation-core:${testAutomationFrameworkVersion}")
+ api("com.nortal.test:test-automation-allure:${testAutomationFrameworkVersion}")
+ api("com.nortal.test:test-automation-containers:${testAutomationFrameworkVersion}")
+ api("com.nortal.test:test-automation-feign:$testAutomationFrameworkVersion")
+ api("org.bouncycastle:bcpkix-jdk15on:${bouncyCastleVersion}")
+ api("org.awaitility:awaitility:${awaitilityVersion}")
+}
+
+test {
+ useJUnitPlatform()
+}
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/api/TestCaFeignApi.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/api/TestCaFeignApi.java
similarity index 90%
rename from src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/api/TestCaFeignApi.java
rename to src/common/common-int-test/src/main/java/org/niis/xroad/common/test/api/TestCaFeignApi.java
index 4e356dbdcd..1f7d4d4f72 100644
--- a/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/api/TestCaFeignApi.java
+++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/api/TestCaFeignApi.java
@@ -24,8 +24,9 @@
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 * THE SOFTWARE.
 */
-package org.niis.xroad.ss.test.ui.api;
+package org.niis.xroad.common.test.api;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.cloud.openfeign.FeignClient;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
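Review bot: Nothing in the new `build.gradle` marks this module as test-only, yet the same commit moves the test CA fixture, including `ca-container/files/home/ca/CA/private/*.key.pem`, under `src/main/resources/META-INF`, so those keys are packaged into the library's main jar and reach the classpath of every consumer. A header comment such as `// Test-only module: bundles a throwaway test CA with its private keys; depend on it from test/intTest configurations only.` would make that explicit, and the consuming build files (not shown in this hunk) should be checked for that scoping. The `api(...)` entries also export the whole test-automation stack transitively, which deserves a deliberate decision rather than a default. Minor: the `test-automation-feign` line uses `$testAutomationFrameworkVersion` while its neighbours use `${testAutomationFrameworkVersion}`.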
@@ -34,6 +35,7 @@
 import org.springframework.web.bind.annotation.RequestPart;
 import org.springframework.web.multipart.MultipartFile;
+@ConditionalOnProperty(value = "test-automation.containers.context-containers.ca-server.enabled", havingValue = "true")
 @FeignClient(name = "testCaFeignApi", url = "http://localhost", path = "/testca")
 public interface TestCaFeignApi {
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/api/configuration/TestCaFeignInterceptor.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/api/interceptor/TestCaFeignInterceptor.java
similarity index 89%
rename from src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/api/configuration/TestCaFeignInterceptor.java
rename to src/common/common-int-test/src/main/java/org/niis/xroad/common/test/api/interceptor/TestCaFeignInterceptor.java
index 96f3348263..23faf62f3a 100644
--- a/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/api/configuration/TestCaFeignInterceptor.java
+++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/api/interceptor/TestCaFeignInterceptor.java
@@ -23,7 +23,7 @@
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 * THE SOFTWARE.
 */
-package org.niis.xroad.ss.test.ui.api.configuration;
+package org.niis.xroad.common.test.api.interceptor;
 import com.nortal.test.feign.interceptor.FeignClientInterceptor;
 import lombok.RequiredArgsConstructor;
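Review bot: The property key `test-automation.containers.context-containers.ca-server.enabled` is written as a string literal in the `@ConditionalOnProperty` added above `@FeignClient`, and again in the annotations this patch adds to `TestCaFeignInterceptor` and `TestCaAuxiliaryContainer`, so a typo in one copy would leave the three beans enabled inconsistently. I would declare it once, for example `public static final String CA_SERVER_ENABLED = "test-automation.containers.context-containers.ca-server.enabled";`, and reference that constant from all three annotations. Because no `matchIfMissing` is given, the beans are skipped when the property is absent; a one-line Javadoc on the interface saying so would help consumers of the shared module. The interface body continues outside the hunk.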
@@ -31,13 +31,15 @@
 import okhttp3.Request;
 import okhttp3.Response;
 import org.jetbrains.annotations.NotNull;
-import org.niis.xroad.ss.test.ui.container.TestCaAuxiliaryContainer;
+import org.niis.xroad.common.test.container.TestCaAuxiliaryContainer;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.stereotype.Component;
 import java.io.IOException;
 @Component
 @RequiredArgsConstructor
+@ConditionalOnProperty(value = "test-automation.containers.context-containers.ca-server.enabled", havingValue = "true")
 @SuppressWarnings("checkstyle:MagicNumber")
 public class TestCaFeignInterceptor implements FeignClientInterceptor {
 private static final int EXECUTION_ORDER = 50;
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/container/TestCaAuxiliaryContainer.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/container/TestCaAuxiliaryContainer.java
similarity index 87%
rename from src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/container/TestCaAuxiliaryContainer.java
rename to src/common/common-int-test/src/main/java/org/niis/xroad/common/test/container/TestCaAuxiliaryContainer.java
index 020fd01544..9b954a75f6 100644
--- a/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/container/TestCaAuxiliaryContainer.java
+++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/container/TestCaAuxiliaryContainer.java
@@ -25,7 +25,7 @@
 * THE SOFTWARE.
 */
-package org.niis.xroad.ss.test.ui.container;
+package org.niis.xroad.common.test.container;
 import com.nortal.test.testcontainers.AbstractAuxiliaryContainer;
 import com.nortal.test.testcontainers.configuration.ContainerProperties;
@@ -33,17 +33,20 @@ import com.nortal.test.testcontainers.images.builder.ReusableImageFromDockerfile; import lombok.NonNull; import lombok.RequiredArgsConstructor; +import lombok.SneakyThrows; +import lombok.extern.slf4j.Slf4j; import org.jetbrains.annotations.NotNull; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Component; import org.testcontainers.containers.GenericContainer; -import java.io.File; -import java.nio.file.Paths; import java.util.concurrent.Future; @Component +@Slf4j @RequiredArgsConstructor +@ConditionalOnProperty(value = "test-automation.containers.context-containers.ca-server.enabled", havingValue = "true") @SuppressWarnings("checkstyle:MagicNumber") public class TestCaAuxiliaryContainer extends AbstractAuxiliaryContainer { private static final String NETWORK_ALIAS = "ca"; @@ -64,13 +67,13 @@ public TestCaContainer configure() { .withNetworkAliases(NETWORK_ALIAS); } + @SneakyThrows private ImageFromDockerfile imageDefinition() { - - File filesToAdd = Paths.get("src/intTest/resources/ca-container/").toFile(); + log.info("Initializing test-ca.."); var reuse = testableContainerProperties.getContextContainers().get(getConfigurationKey()).getReuseBetweenRuns(); return new ReusableImageFromDockerfile("xrd-test-ca", !reuse, reuse) - .withFileFromFile(".", filesToAdd); + .withFileFromClasspath(".", "META-INF/ca-container/"); } @NotNull diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/Dockerfile b/src/common/common-int-test/src/main/resources/META-INF/ca-container/Dockerfile similarity index 96% rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/Dockerfile rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/Dockerfile index c1c771c1aa..986970e031 100644 --- a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/Dockerfile 
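Review bot: `withFileFromClasspath(".", "META-INF/ca-container/")` in `imageDefinition()` now takes the whole CA fixture tree from the classpath, and the renames later in this patch put that tree, including `files/home/ca/CA/private/ca.key.pem`, `ocsp.key.pem` and `tsa.key.pem`, under `src/main/resources` of common-int-test, so the test CA's private keys are presumably packaged into that module's jar. I would add a comment above the call such as `// test-only CA fixtures (private keys included) ship in this jar; common-int-test must stay a test-scope dependency`, and confirm the module is neither published nor pulled into a production artifact. Separately, nothing visible in the new body throws a checked exception, so `@SneakyThrows` (and its import in the previous hunk) looks unnecessary and could mask one added later. The class body continues outside the hunk.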
+++ b/src/common/common-int-test/src/main/resources/META-INF/ca-container/Dockerfile @@ -25,6 +25,8 @@ RUN chown -R ca:ca /home/ca/CA \ && chmod 0754 /home/ca/CA/sign_req.sh COPY files/ca-entrypoint.sh /root/entrypoint.sh +RUN chmod +x /root/entrypoint.sh + COPY --chown=root:root files/ca-xroad.conf /etc/supervisor/conf.d/xroad.conf CMD ["/root/entrypoint.sh"] diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/ca-entrypoint.sh b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/ca-entrypoint.sh similarity index 100% rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/ca-entrypoint.sh rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/ca-entrypoint.sh diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/ca-xroad.conf b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/ca-xroad.conf similarity index 100% rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/ca-xroad.conf rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/ca-xroad.conf diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/etc/nginx/sites-enabled/ca.nginx b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/etc/nginx/sites-enabled/ca.nginx similarity index 100% rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/etc/nginx/sites-enabled/ca.nginx rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/etc/nginx/sites-enabled/ca.nginx 
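Review bot: The added `RUN chmod +x /root/entrypoint.sh` carries no comment saying why it is needed; presumably the executable bit is no longer guaranteed now that the build context is loaded from the classpath rather than from the file system. A one-line comment above it, e.g. `# build context comes from the classpath, so the exec bit must be set explicitly`, would keep it from being removed as redundant. The context line above sets an explicit mode (`chmod 0754`) for `sign_req.sh`; using an explicit mode here as well, `RUN chmod 0755 /root/entrypoint.sh`, would be consistent and would not depend on whatever mode the file arrives with.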
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/etc/nginx/sites-enabled/tsa.nginx b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/etc/nginx/sites-enabled/tsa.nginx
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/etc/nginx/sites-enabled/tsa.nginx
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/etc/nginx/sites-enabled/tsa.nginx
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/.init b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/.init
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/.init
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/.init
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/CA.cnf b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/CA.cnf
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/CA.cnf
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/CA.cnf
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/ca.py b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/ca.py
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/ca.py
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/ca.py
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/certs/ca.cert.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/certs/ca.cert.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/certs/ca.cert.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/certs/ca.cert.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/certs/ocsp.cert.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/certs/ocsp.cert.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/certs/ocsp.cert.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/certs/ocsp.cert.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/certs/tsa.cert.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/certs/tsa.cert.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/certs/tsa.cert.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/certs/tsa.cert.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/changed b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/changed
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/changed
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/changed
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/03.csr b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/03.csr
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/03.csr
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/03.csr
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/04.csr b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/04.csr
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/04.csr
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/04.csr
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/05.csr b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/05.csr
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/05.csr
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/05.csr
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/06.csr b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/06.csr
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/06.csr
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/06.csr
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/07.csr b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/07.csr
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/07.csr
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/07.csr
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/08.csr b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/08.csr
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/08.csr
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/08.csr
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/09.csr b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/09.csr
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/09.csr
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/09.csr
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/0A.csr b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/0A.csr
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/0A.csr
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/0A.csr
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/0B.csr b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/0B.csr
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/0B.csr
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/0B.csr
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/0C.csr b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/0C.csr
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/0C.csr
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/0C.csr
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/0D.csr b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/0D.csr
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/0D.csr
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/0D.csr
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/0E.csr b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/0E.csr
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/0E.csr
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/0E.csr
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/0F.csr b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/0F.csr
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/0F.csr
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/0F.csr
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/10.csr b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/10.csr
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/10.csr
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/10.csr
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/11.csr b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/11.csr
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/11.csr
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/11.csr
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/12.csr b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/12.csr
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/12.csr
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/12.csr
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/13.csr b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/13.csr
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/13.csr
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/13.csr
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/ocsp.csr.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/ocsp.csr.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/ocsp.csr.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/ocsp.csr.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/tsa.csr.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/tsa.csr.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/csr/tsa.csr.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/csr/tsa.csr.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/index.txt b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/index.txt
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/index.txt
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/index.txt
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/index.txt.attr b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/index.txt.attr
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/index.txt.attr
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/index.txt.attr
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/index.txt.attr.old b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/index.txt.attr.old
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/index.txt.attr.old
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/index.txt.attr.old
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/index.txt.old b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/index.txt.old
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/index.txt.old
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/index.txt.old
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/intermediate.sh b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/intermediate.sh
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/intermediate.sh
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/intermediate.sh
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/01.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/01.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/01.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/01.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/02.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/02.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/02.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/02.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/03.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/03.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/03.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/03.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/04.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/04.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/04.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/04.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/05.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/05.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/05.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/05.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/06.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/06.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/06.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/06.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/07.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/07.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/07.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/07.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/08.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/08.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/08.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/08.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/09.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/09.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/09.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/09.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/0A.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/0A.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/0A.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/0A.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/0B.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/0B.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/0B.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/0B.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/0C.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/0C.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/0C.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/0C.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/0D.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/0D.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/0D.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/0D.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/0E.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/0E.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/0E.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/0E.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/0F.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/0F.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/0F.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/0F.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/10.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/10.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/10.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/10.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/11.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/11.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/11.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/11.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/12.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/12.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/12.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/12.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/13.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/13.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/newcerts/13.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/newcerts/13.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/ocsp.py b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/ocsp.py
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/ocsp.py
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/ocsp.py
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/ocsp.sh b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/ocsp.sh
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/ocsp.sh
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/ocsp.sh
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/private/.rnd b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/private/.rnd
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/private/.rnd
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/private/.rnd
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/private/ca.key.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/private/ca.key.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/private/ca.key.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/private/ca.key.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/private/ocsp.key.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/private/ocsp.key.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/private/ocsp.key.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/private/ocsp.key.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/private/tmp.key.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/private/tmp.key.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/private/tmp.key.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/private/tmp.key.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/private/tsa.key.pem b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/private/tsa.key.pem
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/private/tsa.key.pem
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/private/tsa.key.pem
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/revoke.sh b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/revoke.sh
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/revoke.sh
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/revoke.sh
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/serial b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/serial
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/serial
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/serial
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/serial.old b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/serial.old
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/serial.old
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/serial.old
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/sign.sh b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/sign.sh
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/sign.sh
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/sign.sh
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/sign_req.sh b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/sign_req.sh
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/CA/sign_req.sh
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/CA/sign_req.sh
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/TSA/TSA.cnf b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/TSA/TSA.cnf
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/TSA/TSA.cnf
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/TSA/TSA.cnf
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/TSA/tsa_server.py b/src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/TSA/tsa_server.py
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/files/home/ca/TSA/tsa_server.py
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/files/home/ca/TSA/tsa_server.py
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/init.sh b/src/common/common-int-test/src/main/resources/META-INF/ca-container/init.sh
similarity index 100%
rename from src/security-server/admin-service/ui-system-test/src/intTest/resources/ca-container/init.sh
rename to src/common/common-int-test/src/main/resources/META-INF/ca-container/init.sh
diff --git a/src/security-server/admin-service/ui-system-test/build.gradle b/src/security-server/admin-service/ui-system-test/build.gradle
index 9a7da50fb0..ba2f2a40a3 100644
--- a/src/security-server/admin-service/ui-system-test/build.gradle
+++ b/src/security-server/admin-service/ui-system-test/build.gradle
@@ -1,13 +1,8 @@ dependencies { intTestImplementation project(":security-server:openapi-model") - intTestImplementation("com.nortal.test:test-automation-core:${testAutomationFrameworkVersion}") + intTestImplementation project(":common:common-int-test") intTestImplementation("com.nortal.test:test-automation-selenide:${testAutomationFrameworkVersion}") - intTestImplementation("com.nortal.test:test-automation-allure:${testAutomationFrameworkVersion}") - intTestImplementation("com.nortal.test:test-automation-containers:${testAutomationFrameworkVersion}") - intTestImplementation("com.nortal.test:test-automation-feign:$testAutomationFrameworkVersion") - intTestImplementation("org.bouncycastle:bcpkix-jdk15on:${bouncyCastleVersion}") - intTestImplementation("org.awaitility:awaitility:${awaitilityVersion}") } task systemTest(type: Test) { diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/CsAdminServiceTestConfiguration.java b/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/CsAdminServiceTestConfiguration.java index 21a6038498..fa1b85da23 100644 --- a/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/CsAdminServiceTestConfiguration.java +++ b/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/CsAdminServiceTestConfiguration.java @@ -29,6 +29,9 @@ import org.springframework.context.annotation.Configuration; @Configuration -@EnableFeignClients(basePackages = {"org.niis.xroad.ss.test.ui.api"}) +@EnableFeignClients(basePackages = { + "org.niis.xroad.common.test", + "org.niis.xroad.ss.test.ui.api" +}) public class CsAdminServiceTestConfiguration { } 
diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/glue/TestCaStepDefs.java b/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/glue/TestCaStepDefs.java index ab2005533b..29495ae58a 100644 --- a/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/glue/TestCaStepDefs.java +++ b/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/glue/TestCaStepDefs.java @@ -32,7 +32,7 @@ import org.apache.commons.fileupload.FileItem; import org.apache.commons.fileupload.disk.DiskFileItem; import org.apache.commons.io.FileUtils; -import org.niis.xroad.ss.test.ui.api.TestCaFeignApi; +import org.niis.xroad.common.test.api.TestCaFeignApi; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.ResponseEntity; import org.springframework.web.multipart.MultipartFile; diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/application-override.yml b/src/security-server/admin-service/ui-system-test/src/intTest/resources/application-override.yml index 5c30f1fff9..e24c713322 100755 --- a/src/security-server/admin-service/ui-system-test/src/intTest/resources/application-override.yml +++ b/src/security-server/admin-service/ui-system-test/src/intTest/resources/application-override.yml @@ -8,7 +8,7 @@ logging: test-automation: report-name: xroad-ss-ui-test-suite environment: disposable - spring-component-scan: "org.niis.xroad.ss.test" + spring-component-scan: "org.niis.xroad.common.test,org.niis.xroad.ss.test" cucumber: execution: parallel: diff --git a/src/settings.gradle b/src/settings.gradle index e7e7b6927c..19353b4234 100644 --- a/src/settings.gradle +++ b/src/settings.gradle 
@@ -21,7 +21,8 @@ include "common:common-op-monitoring" include "common:common-ui" include "common:common-util" include "common:common-verifier" -include 'common:common-rpc' +include "common:common-rpc" +include "common:common-int-test" // Main projects include "proxy" From 8d25a42ce5aad559d9eb40352edee5f1afea28ca Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Thu, 31 Aug 2023 11:12:52 +0300 Subject: [PATCH 036/127] chore: containerize signer int tests Refs: XRDDEV-2468 --- .../org/niis/xroad/signer/grpc/RpcServer.java | 7 +- .../ee/ria/xroad/common/SystemProperties.java | 26 ++++ src/signer-protocol/build.gradle | 6 +- .../run-containerized-int-tests.sh | 24 ---- .../xroad/signer/test}/SignerIntTest.java | 2 +- .../signer/test/container/ContainerSetup.java | 125 ++++++++++++++++++ .../signer/test}/glue/SignerStepDefs.java | 122 +---------------- .../signer/test/hook/SignerProxyInitHook.java | 46 +++++++ .../resources/application-override.yml | 19 ++- .../resources/container-files/Dockerfile | 32 +++++ .../etc/xroad/conf.d/signer.ini} | 0 .../xroad}/globalconf/cs/private-params.xml | 0 .../globalconf/cs/private-params.xml.metadata | 0 .../xroad}/globalconf/cs/shared-params.xml | 0 .../globalconf/cs/shared-params.xml.metadata | 0 .../etc/xroad}/globalconf/instance-identifier | 0 .../etc/xroad/signer}/devices.ini | 2 + .../etc/xroad/signer}/keyconf.xml | 0 .../etc/xroad/signer}/signer-logback.xml | 0 .../etc/xroad/signer/softtoken/.gitkeep | 0 .../transport-keystore/akka-keystore.p12 | Bin .../etc/xroad}/transport-keystore/gen-cert.sh | 0 .../grpc-internal-keystore.jks | Bin .../container-files/var/cache/xroad/.gitkeep | 0 .../java/ee/ria/xroad/signer/SignerProxy.java | 3 +- .../signer/protocol/RpcSignerClient.java | 4 +- .../UpdateSoftwareTokenPinReqHandler.java | 3 + 27 files changed, 264 insertions(+), 157 deletions(-) delete mode 100755 src/signer-protocol/run-containerized-int-tests.sh rename src/signer-protocol/src/intTest/java/{ee/ria/xroad/signer => org/niis/xroad/signer/test}/SignerIntTest.java (97%) create mode 100644 src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java rename src/signer-protocol/src/intTest/java/{ee/ria/xroad/signer => org/niis/xroad/signer/test}/glue/SignerStepDefs.java (80%) create mode 100644 
src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/hook/SignerProxyInitHook.java create mode 100644 src/signer-protocol/src/intTest/resources/container-files/Dockerfile rename src/signer-protocol/src/intTest/resources/{softtoken/.gitkeep => container-files/etc/xroad/conf.d/signer.ini} (100%) rename src/signer-protocol/src/intTest/resources/{ => container-files/etc/xroad}/globalconf/cs/private-params.xml (100%) rename src/signer-protocol/src/intTest/resources/{ => container-files/etc/xroad}/globalconf/cs/private-params.xml.metadata (100%) rename src/signer-protocol/src/intTest/resources/{ => container-files/etc/xroad}/globalconf/cs/shared-params.xml (100%) rename src/signer-protocol/src/intTest/resources/{ => container-files/etc/xroad}/globalconf/cs/shared-params.xml.metadata (100%) rename src/signer-protocol/src/intTest/resources/{ => container-files/etc/xroad}/globalconf/instance-identifier (100%) rename src/signer-protocol/src/intTest/resources/{ => container-files/etc/xroad/signer}/devices.ini (63%) rename src/signer-protocol/src/intTest/resources/{ => container-files/etc/xroad/signer}/keyconf.xml (100%) rename src/signer-protocol/src/intTest/resources/{ => container-files/etc/xroad/signer}/signer-logback.xml (100%) create mode 100644 src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/softtoken/.gitkeep rename src/signer-protocol/src/intTest/resources/{ => container-files/etc/xroad}/transport-keystore/akka-keystore.p12 (100%) rename src/signer-protocol/src/intTest/resources/{ => container-files/etc/xroad}/transport-keystore/gen-cert.sh (100%) rename src/signer-protocol/src/intTest/resources/{ => container-files/etc/xroad}/transport-keystore/grpc-internal-keystore.jks (100%) create mode 100644 src/signer-protocol/src/intTest/resources/container-files/var/cache/xroad/.gitkeep 
diff --git a/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java b/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java index 352982b793..5c7e6f843d 100644 --- a/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java +++ b/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java @@ -56,6 +56,11 @@ public RpcServer(int port, ServerCredentials creds) { } private void start(Consumer> configFunc) throws IOException { + //TODO:grpc sample for setting 127.0.0.1 +// NettyServerBuilder.forAddress(new InetSocketAddress("localhost", config.port())) +// .addService(new GRPCServiceImpl(serviceParams)) +// .build() + ServerBuilder builder = Grpc.newServerBuilderForPort(port, creds); configFunc.accept(builder); @@ -79,7 +84,7 @@ private void stop() { public static void init(int port, Consumer> configFunc) throws IOException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException { var serverCredentials = createServerCredentials(); - log.info("Initializing grpc with {} credentials..",serverCredentials.getClass().getSimpleName()); + log.info("Initializing grpc with {} credentials..", serverCredentials.getClass().getSimpleName()); final RpcServer server = new RpcServer(port, serverCredentials); server.start(configFunc); log.info("Grpc is running.."); diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java index 5a6b0b6e38..419622872a 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java 
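Review bot: The TODO added in `start()` records that the server should listen on 127.0.0.1 only, yet the code still calls `Grpc.newServerBuilderForPort(port, creds)`, which listens on every interface, so the signer RPC endpoint is reachable from the network and relies on the transport credentials alone. Instead of keeping commented-out sample code, bind explicitly, e.g. `ServerBuilder<?> builder = NettyServerBuilder.forAddress(new InetSocketAddress(InetAddress.getLoopbackAddress(), port), creds);`, assuming grpc-netty is on this module's classpath (not visible in the hunk). If the containerized tests need a wider bind, make the listen address a property that defaults to loopback, matching the `127.0.0.1` default this commit gives `getGrpcSignerHost()`. `start()` continues past the end of the hunk.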
@@ -616,6 +616,18 @@ public enum AllowedFederationMode { ALL, NONE, CUSTOM } // gRPC internal cross-component transport configuration -------------------------- // + /** + * Property name for gRPC signer host. + */ + public static final String GRPC_SIGNER_HOST = + PREFIX + "grpc.signer.host"; + + /** + * Property name for gRPC signer port. + */ + public static final String GRPC_SIGNER_PORT = + PREFIX + "grpc.signer.port"; + /** * Property name for gRPC internal keystore location. */ @@ -1679,6 +1691,20 @@ public static boolean isHSMHealthCheckEnabled() { return Boolean.parseBoolean(System.getProperty(HSM_HEALTH_CHECK_ENABLED, DEFAULT_HSM_HEALTH_CHECK_ENABLED)); } + /** + * @return gRPC signer host. + */ + public static String getGrpcSignerHost() { + return System.getProperty(GRPC_SIGNER_HOST, "127.0.0.1"); + } + + /** + * @return gRPC signer host. + */ + public static int getGrpcSignerPort() { + return Integer.parseInt(System.getProperty(GRPC_SIGNER_PORT, String.valueOf(5560))); + } + /** * @return gRPC internal key store path. Uses JKS format. */ diff --git a/src/signer-protocol/build.gradle b/src/signer-protocol/build.gradle index e9fd425af8..464d822bd8 100644 --- a/src/signer-protocol/build.gradle +++ b/src/signer-protocol/build.gradle @@ -21,9 +21,7 @@ dependencies { intTestRuntimeOnly project(':common:common-util') intTestImplementation project(":common:common-test") - intTestImplementation("com.nortal.test:test-automation-core:$testAutomationFrameworkVersion") - intTestImplementation("com.nortal.test:test-automation-allure:$testAutomationFrameworkVersion") - intTestImplementation "org.assertj:assertj-core:$assertjVersion" + intTestImplementation project(":common:common-int-test") } protobuf { 
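Review bot: The Javadoc added for `getGrpcSignerPort()` says `@return gRPC signer host.`, copied from the getter above it; it should read `@return gRPC signer port.`. The getter also passes the raw property straight to `Integer.parseInt`, so a malformed `GRPC_SIGNER_PORT` value surfaces as a bare NumberFormatException at first use; a `@throws NumberFormatException` line, or a 1-65535 range check with a message naming the property, would make misconfiguration easier to diagnose. The default is inlined as `String.valueOf(5560)`; a named constant next to `GRPC_SIGNER_PORT` would keep it in one place alongside the ports listed in ContainerSetup and the Dockerfile.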
@@ -51,8 +49,6 @@ tasks.register('intTest', Test) { testClassesDirs = sourceSets.intTest.output.classesDirs classpath = sourceSets.intTest.runtimeClasspath - systemProperty("java.library.path", "../passwordstore") - testLogging { showStackTraces(true) showExceptions(true) diff --git a/src/signer-protocol/run-containerized-int-tests.sh b/src/signer-protocol/run-containerized-int-tests.sh deleted file mode 100755 index e0c4e77bcb..0000000000 --- a/src/signer-protocol/run-containerized-int-tests.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/bash - -cwd="$(pwd)" - -gradleModule="signer-protocol" -gradleArgs="intTest" - -echo "Preparing container.." -docker build -t docker-compile "$XROAD_HOME/src/packages/docker-compile" || errorExit "Error building image." - - -echo "Executing within container.." -OPTS=("--rm" "-v" "$XROAD_HOME/:/mnt" "-u" "$(id -u):$(id -g)" "-e" "HOME=/workspace/src/packages") - - -echo "Rebuilding signer locally.." -cd "$XROAD_HOME/src" -./gradlew clean assemble -p signer -./gradlew clean -p $gradleModule - -echo "Running signer-protocol int tests.." -cd "$cwd" || exit -mkdir "build" -docker run "${OPTS[@]}" docker-compile sh -c "cd /mnt/src/ && ./gradlew $gradleArgs -p $gradleModule" > build/containerized-test-exec.log diff --git a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/SignerIntTest.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/SignerIntTest.java similarity index 97% rename from src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/SignerIntTest.java rename to src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/SignerIntTest.java index 664f14d031..d61cf34a6f 100644 --- a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/SignerIntTest.java +++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/SignerIntTest.java 
@@ -25,7 +25,7 @@ * THE SOFTWARE. */ -package ee.ria.xroad.signer; +package org.niis.xroad.signer.test; import org.junit.platform.suite.api.IncludeEngines; import org.junit.platform.suite.api.SelectClasspathResource; diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java new file mode 100644 index 0000000000..9399ef65fd --- /dev/null +++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java 
@@ -0,0 +1,125 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ +package org.niis.xroad.signer.test.container; + +import com.nortal.test.testcontainers.configuration.TestableContainerProperties; +import com.nortal.test.testcontainers.configurator.TestContainerConfigurator; +import com.nortal.test.testcontainers.images.builder.ImageFromDockerfile; +import com.nortal.test.testcontainers.images.builder.ReusableImageFromDockerfile; +import lombok.SneakyThrows; +import lombok.extern.slf4j.Slf4j; +import okio.Path; +import org.apache.commons.io.FileUtils; +import org.jetbrains.annotations.NotNull; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.testcontainers.containers.GenericContainer; +import org.testcontainers.containers.wait.strategy.Wait; + +import java.io.File; +import java.nio.file.Paths; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +@Slf4j +@Configuration +@SuppressWarnings("checkstyle:MagicNumber") +public class ContainerSetup { + + @Bean + public TestContainerConfigurator testContainerConfigurator( + TestableContainerProperties testableContainerProperties) { + return new TestContainerConfigurator() { + @NotNull + @Override + public ImageFromDockerfile imageDefinition() { + var appJarPath = Paths.get("../signer/build/libs/signer-1.0.jar"); + + log.info("Will use {} jar for container creation", appJarPath); + + File filesToAdd = Paths.get("src/intTest/resources/container-files/").toFile(); + + return new ReusableImageFromDockerfile("signer-int-test", + !testableContainerProperties.getReuseBetweenRuns(), + testableContainerProperties.getReuseBetweenRuns()) + .withFileFromFile(".", filesToAdd) + .withFileFromPath("files/app.jar", appJarPath); + } + + @NotNull + @Override + public Map environmentalVariables() { + return new HashMap<>(); + } + + @NotNull + @Override + public List exposedPorts() { + return List.of(5558, 5560); + } + }; + } + + @Bean + public TestContainerConfigurator.TestContainerInitListener 
testContainerInitListener() { + return new TestContainerConfigurator.TestContainerInitListener() { + + @Override + public void beforeStart(@NotNull GenericContainer genericContainer) { + genericContainer + .waitingFor(Wait.forLogMessage(".*Signer has been initialized in.*", 1)); + genericContainer.withCommand("java", + "-Dlogback.configurationFile=/etc/xroad/signer/signer-logback.xml", + "-Dxroad.internal.passwordstore-provider=file", + "-Dxroad.grpc.internal.keystore=/etc/xroad/transport-keystore/grpc-internal-keystore.jks", + "-Dxroad.grpc.internal.keystore-password=111111", + "-Dxroad.grpc.internal.truststore=/etc/xroad/transport-keystore/grpc-internal-keystore.jks", + "-Dxroad.grpc.internal.truststore-password=111111", + "-jar", + "/usr/share/xroad/app.jar"); + + prepareSignerDirs(); + } + + @Override + @SneakyThrows + public void afterStart(@NotNull GenericContainer genericContainer) { + //do nothing + } + + @SneakyThrows + private void prepareSignerDirs() { + var softtokenDir = Path.get("build/resources/intTest/container-files/etc/xroad/signer/softtoken/"); + if (softtokenDir.toFile().exists()) { + FileUtils.cleanDirectory(softtokenDir.toFile()); + } + } + }; + } + + +} diff --git a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java similarity index 80% rename from src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java rename to src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java index e49d80ca40..3d26fd7b6e 100644 --- a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java +++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java 
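Review bot: The keystore and truststore password `111111` is handed to the container JVM as `-Dxroad.grpc.internal.keystore-password=...` arguments in `beforeStart()`, and the same literal and keystore path are repeated in SignerProxyInitHook.beforeSuite() later in this patch. Command-line arguments are readable from the process list and container metadata, which is tolerable only because this keystore is a committed test fixture; state that in the code, e.g. `// Test-only keystore committed under container-files/; the password is not a secret and must never be reused outside integration tests.`, and hold the value in one shared constant so both classes stay in sync. Separately, `prepareSignerDirs()` uses `okio.Path.get(...)` although `java.nio.file.Paths` is already imported; `Paths.get("build/resources/intTest/container-files/etc/xroad/signer/softtoken/")` avoids depending on whichever library happens to bring okio in.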
@@ -25,7 +25,7 @@ * THE SOFTWARE. */ -package ee.ria.xroad.signer.glue; +package org.niis.xroad.signer.test.glue; import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.OcspTestUtils; @@ -33,7 +33,6 @@ import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.util.CryptoUtils; import ee.ria.xroad.signer.SignerProxy; -import ee.ria.xroad.signer.protocol.SignerClient; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; @@ -41,18 +40,12 @@ import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyId; import ee.ria.xroad.signer.protocol.dto.TokenStatusInfo; -import akka.actor.ActorSystem; import com.nortal.test.core.report.TestReportService; -import com.typesafe.config.Config; -import com.typesafe.config.ConfigFactory; -import io.cucumber.java.AfterAll; -import io.cucumber.java.BeforeAll; import io.cucumber.java.en.And; import io.cucumber.java.en.Given; import io.cucumber.java.en.Step; import io.cucumber.java.en.Then; import io.cucumber.java.en.When; -import lombok.RequiredArgsConstructor; import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; import org.apache.commons.io.IOUtils; 
@@ -63,24 +56,16 @@ import org.niis.xroad.signer.proto.CertificateRequestFormat; import org.springframework.beans.factory.annotation.Autowired; -import java.io.BufferedReader; import java.io.FileInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.InputStreamReader; -import java.net.ServerSocket; import java.security.KeyFactory; import java.security.PublicKey; import java.security.cert.X509Certificate; import java.security.spec.X509EncodedKeySpec; import java.util.Arrays; import java.util.Date; -import java.util.HashMap; import java.util.List; -import java.util.Map; import java.util.stream.Collectors; -import static ee.ria.xroad.common.SystemProperties.SIGNER_PORT; import static ee.ria.xroad.common.util.CryptoUtils.SHA256WITHRSA_ID; import static ee.ria.xroad.common.util.CryptoUtils.SHA256_ID; import static ee.ria.xroad.common.util.CryptoUtils.calculateCertHexHash; @@ -89,7 +74,6 @@ import static java.time.Instant.now; import static java.time.temporal.ChronoUnit.DAYS; import static java.util.UUID.randomUUID; -import static java.util.concurrent.TimeUnit.MILLISECONDS; import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.fail; import static org.junit.jupiter.api.Assertions.assertEquals; @@ -97,9 +81,6 @@ @Slf4j public class SignerStepDefs { - - private static Process signerProcess; - @Autowired private TestReportService testReportService; 
@@ -109,32 +90,6 @@ public class SignerStepDefs { private CertificateInfo certInfo; private byte[] cert; - @BeforeAll - public static void setup() throws Exception { - int port = findAvailablePort(); - - System.setProperty(SIGNER_PORT, String.valueOf(port)); - - startSigner(port); - - ActorSystem actorSystem = ActorSystem.create("SignerProxyIntTest", getConf()); - SignerClient.init(actorSystem); - } - - @AfterAll - public static void tearDown() { - signerProcess.destroy(); - } - - private static int findAvailablePort() { - try (ServerSocket socket = new ServerSocket(0)) { - socket.setReuseAddress(true); - return socket.getLocalPort(); - } catch (IOException e) { - throw new RuntimeException("Failed to find available port", e); - } - } - @When("signer is initialized with pin {string}") public void signerIsInitializedWithPin(String pin) throws Exception { SignerProxy.initSoftwareToken(pin.toCharArray()); 
@@ -508,64 +463,6 @@ private void assertException(String faultCode, String translationCode, String me assertEquals(message, codedException.getMessage()); } - private static Config getConf() { - return ConfigFactory.load().getConfig("signer-integration-test") - .withFallback(ConfigFactory.load()); - } - - @SuppressWarnings("checkstyle:MagicNumber") - private static void startSigner(int port) throws InterruptedException { - String signerPath = "../signer/build/libs/signer-1.0.jar"; - - Thread t = new Thread(() -> { - try { - ProcessBuilder pb = new ProcessBuilder("java", - "-Dlogback.configurationFile=build/resources/intTest/signer-logback.xml", - "-Dxroad.common.configuration-path=build/resources/intTest/globalconf", - "-Dxroad.signer.port=" + port, - "-Dxroad.signer.ocsp-cache-path=build/tmp", - "-Dxroad.signer.key-configuration-file=build/resources/intTest/keyconf.xml", - "-Dxroad.signer.device-configuration-file=build/resources/intTest/devices.ini", - "-Dxroad.grpc.internal.keystore=build/resources/intTest/transport-keystore/grpc-internal-keystore.jks", - "-Dxroad.grpc.internal.keystore-password=111111", - "-Dxroad.grpc.internal.truststore=build/resources/intTest/transport-keystore/grpc-internal-keystore.jks", - "-Dxroad.grpc.internal.truststore-password=111111", - "-Djava.library.path=../passwordstore/", - "-jar", signerPath); - - var transportKeystore = getTransportProperties(); - transportKeystore.forEach((key, value) -> pb.environment().put(key, value)); - transportKeystore.forEach(System::setProperty); - - signerProcess = pb.start(); - - new StreamGobbler(signerProcess.getErrorStream()).start(); - new StreamGobbler(signerProcess.getInputStream()).start(); - } catch (Exception e) { - e.printStackTrace(); - } - }); - - t.start(); - MILLISECONDS.sleep(3000); - } - - private static Map getTransportProperties() { - var transportKeystore = new HashMap(); - - transportKeystore.put("XROAD_COMMON_AKKA_REMOTE_TRANSPORT", "tls-tcp"); - 
transportKeystore.put("XROAD_COMMON_AKKA_KEYSTORE", "build/resources/intTest/transport-keystore/akka-keystore.p12"); - transportKeystore.put("XROAD_COMMON_AKKA_KEYSTORE_PASSWORD", "xJllPJVmRoEAf2ApuJxeMpBxSOxCHBbJ"); - transportKeystore.put("XROAD_COMMON_AKKA_TRUSTSTORE", "build/resources/intTest/transport-keystore/akka-keystore.p12"); - transportKeystore.put("XROAD_COMMON_AKKA_TRUSTSTORE_PASSWORD", "xJllPJVmRoEAf2ApuJxeMpBxSOxCHBbJ"); - - transportKeystore.put("xroad.grpc.internal.keystore", "build/resources/intTest/transport-keystore/grpc-internal-keystore.jks"); - transportKeystore.put("xroad.grpc.internal.keystore-password", "111111"); - transportKeystore.put("xroad.grpc.internal.truststore", "build/resources/intTest/transport-keystore/grpc-internal-keystore.jks"); - transportKeystore.put("xroad.grpc.internal.truststore-password", "111111"); - - return transportKeystore; - } @When("ocsp responses are set") public void ocspResponsesAreSet() throws Exception { @@ -594,21 +491,4 @@ public void emptyOcspResponseIsReturnedForUnknownCertificate() throws Exception assertThat(ocspResponses[0]).isNull(); } - @RequiredArgsConstructor - static class StreamGobbler extends Thread { - private final InputStream is; - - public void run() { - try { - BufferedReader br = new BufferedReader(new InputStreamReader(is)); - String line; - while ((line = br.readLine()) != null) { - log.info("[Signer] {}", line); - } - } catch (IOException ioe) { - log.error("Failed to read process logs", ioe); - } - } - } - } diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/hook/SignerProxyInitHook.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/hook/SignerProxyInitHook.java new file mode 100644 index 0000000000..e227ff2003 --- /dev/null +++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/hook/SignerProxyInitHook.java 
@@ -0,0 +1,46 @@ +package org.niis.xroad.signer.test.hook; + +import ee.ria.xroad.common.SystemProperties; + +import com.nortal.test.core.services.TestableApplicationInfoProvider; +import com.nortal.test.core.services.hooks.BeforeSuiteHook; +import lombok.RequiredArgsConstructor; +import lombok.extern.slf4j.Slf4j; +import org.springframework.stereotype.Component; + +import static ee.ria.xroad.common.SystemProperties.GRPC_INTERNAL_KEYSTORE; +import static ee.ria.xroad.common.SystemProperties.GRPC_INTERNAL_KEYSTORE_PASSWORD; +import static ee.ria.xroad.common.SystemProperties.GRPC_INTERNAL_TRUSTSTORE; +import static ee.ria.xroad.common.SystemProperties.GRPC_INTERNAL_TRUSTSTORE_PASSWORD; +import static ee.ria.xroad.common.SystemProperties.GRPC_SIGNER_HOST; +import static ee.ria.xroad.common.SystemProperties.GRPC_SIGNER_PORT; + +@Slf4j +@Component +@RequiredArgsConstructor +public class SignerProxyInitHook implements BeforeSuiteHook { + private final TestableApplicationInfoProvider testableApplicationInfoProvider; + + @Override + public void beforeSuite() { + var host = testableApplicationInfoProvider.getHost(); + var port = testableApplicationInfoProvider.getMappedPort(SystemProperties.getGrpcSignerPort()); + log.info("Will use {}:{} for signer RPC connection..", host, port); + + System.setProperty(GRPC_SIGNER_HOST, host); + System.setProperty(GRPC_SIGNER_PORT, String.valueOf(port)); + + System.setProperty(GRPC_SIGNER_HOST, host); + + System.setProperty(GRPC_INTERNAL_KEYSTORE, + "src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.jks"); + System.setProperty(GRPC_INTERNAL_KEYSTORE_PASSWORD, "111111"); + System.setProperty(GRPC_INTERNAL_TRUSTSTORE, + "src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.jks"); + System.setProperty(GRPC_INTERNAL_TRUSTSTORE_PASSWORD, "111111"); + + System.setProperty("xroad.internal.passwordstore-provider", "file"); + 
System.setProperty("xroad.internal.passwordstore-file-path", "build/container-passwordstore/"); + } + +} diff --git a/src/signer-protocol/src/intTest/resources/application-override.yml b/src/signer-protocol/src/intTest/resources/application-override.yml index f16517419d..6ae3cfa5cf 100755 --- a/src/signer-protocol/src/intTest/resources/application-override.yml +++ b/src/signer-protocol/src/intTest/resources/application-override.yml @@ -11,11 +11,26 @@ logging: test-automation: report-name: xroad-signer-test-suite - spring-component-scan: "ee.ria.xroad.signer.glue" + spring-component-scan: "org.niis.xroad.common.test,org.niis.xroad.signer.test" cucumber: execution: parallel: enabled: false - glue-append: "ee.ria.xroad.signer.glue" + glue-append: "org.niis.xroad.signer.test.glue" filter: tags: "not @Skip" + containers: + testable-container: + reuse-between-runs: ${reuse-between-runs} + directory-mounts: + - "/tmp/xroad/passwordstore/:build/container-passwordstore/" + - "/etc/xroad/signer/:build/resources/intTest/container-files/etc/xroad/signer/" + context-containers: + ca-server: + enabled: true + reuse-between-runs: ${reuse-between-runs} + +# toggle for reusable containers. This allows quicker test development as containers are not destroyed between runs. +# WARNING: this leaves containers running indefinitely. They have to be stopped manually. +# Note: this required testcontainers.reuse.enable=true property to be defined in your ~/.testcontainers.properties file +reuse-between-runs: false diff --git a/src/signer-protocol/src/intTest/resources/container-files/Dockerfile b/src/signer-protocol/src/intTest/resources/container-files/Dockerfile new file mode 100644 index 0000000000..a68c1347ae --- /dev/null +++ b/src/signer-protocol/src/intTest/resources/container-files/Dockerfile 
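Review bot: `System.setProperty(GRPC_SIGNER_HOST, host);` appears twice in `beforeSuite()`; the second call, after the port is set, is redundant and can be removed. The hook overwrites JVM-wide system properties and never restores them, which is worth stating in a class comment such as `/** Points the signer client at the test container by overriding xroad.* system properties for the whole JVM. */`. The file also lacks the MIT licence header that ContainerSetup.java carries in the same commit.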
@@ -0,0 +1,32 @@
+FROM ubuntu:22.04
+RUN apt-get clean && apt-get -y update && apt-get install -y locales && locale-gen en_US.UTF-8
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get -qq update \
+ && apt-get -qq upgrade \
+ && apt-get -qq install curl software-properties-common gawk \
+ openjdk-11-jdk-headless build-essential git unzip debhelper \
+ && apt-get -qq install softhsm opensc\
+ && apt-get -qq autoremove \
+ && apt-get -qq clean
+
+ARG uid=1000
+ARG gid=1000
+
+RUN groupadd -o -g $gid xroad && useradd -m -u $uid -g $gid xroad
+
+# Create token
+RUN mkdir -p /var/lib/softhsm/tokens/ && \
+ softhsm2-util --init-token --slot 0 --label 'X-Road HW' --so-pin 1234 --pin 1234
+
+COPY --chown=xroad:xroad files/app.jar /usr/share/xroad/app.jar
+COPY --chown=xroad:xroad etc /etc
+COPY --chown=xroad:xroad var /var
+
+USER xroad
+
+EXPOSE 5558 5559 5560
diff --git a/src/signer-protocol/src/intTest/resources/softtoken/.gitkeep b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/conf.d/signer.ini
similarity index 100%
rename from src/signer-protocol/src/intTest/resources/softtoken/.gitkeep
rename to src/signer-protocol/src/intTest/resources/container-files/etc/xroad/conf.d/signer.ini
diff --git a/src/signer-protocol/src/intTest/resources/globalconf/cs/private-params.xml b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/private-params.xml
similarity index 100%
rename from src/signer-protocol/src/intTest/resources/globalconf/cs/private-params.xml
rename to src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/private-params.xml
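Review bot: The SoftHSM token is initialised by root in the `# Create token` step, before `USER xroad`, and nothing visible in this Dockerfile gives the xroad user access to `/var/lib/softhsm/tokens/`; the later `COPY --chown=xroad:xroad var /var` only changes ownership of the copied entries. If the signer is meant to open that token as xroad, the step likely needs something like `RUN chown -R xroad:xroad /var/lib/softhsm` after the init, or the init should run as xroad with a token directory it owns. The `--so-pin 1234 --pin 1234` values end up in the image layers, so a comment marking them as test-only fixtures would be worth adding. `build-essential`, `git` and `debhelper` look unnecessary for running a jar and could be dropped to keep the test image small.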
diff --git a/src/signer-protocol/src/intTest/resources/globalconf/cs/private-params.xml.metadata b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/private-params.xml.metadata
similarity index 100%
rename from src/signer-protocol/src/intTest/resources/globalconf/cs/private-params.xml.metadata
rename to src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/private-params.xml.metadata
diff --git a/src/signer-protocol/src/intTest/resources/globalconf/cs/shared-params.xml b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/shared-params.xml
similarity index 100%
rename from src/signer-protocol/src/intTest/resources/globalconf/cs/shared-params.xml
rename to src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/shared-params.xml
diff --git a/src/signer-protocol/src/intTest/resources/globalconf/cs/shared-params.xml.metadata b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/shared-params.xml.metadata
similarity index 100%
rename from src/signer-protocol/src/intTest/resources/globalconf/cs/shared-params.xml.metadata
rename to src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/shared-params.xml.metadata
diff --git a/src/signer-protocol/src/intTest/resources/globalconf/instance-identifier b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/instance-identifier
similarity index 100%
rename from src/signer-protocol/src/intTest/resources/globalconf/instance-identifier
rename to src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/instance-identifier
diff --git a/src/signer-protocol/src/intTest/resources/devices.ini b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/devices.ini
similarity index 63%
rename from src/signer-protocol/src/intTest/resources/devices.ini
rename to src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/devices.ini
index 6e00714f3c..88f5cf6fd3 100644
--- a/src/signer-protocol/src/intTest/resources/devices.ini
+++ b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/devices.ini
@@ -1,2 +1,4 @@
 ; This configuration file defines the available Secure Signature
 ; Creation Devices (SSCD).
+[softhsm2]
+library = /usr/lib/softhsm/libsofthsm2.so
diff --git a/src/signer-protocol/src/intTest/resources/keyconf.xml b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/keyconf.xml
similarity index 100%
rename from src/signer-protocol/src/intTest/resources/keyconf.xml
rename to src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/keyconf.xml
diff --git a/src/signer-protocol/src/intTest/resources/signer-logback.xml b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml
similarity index 100%
rename from src/signer-protocol/src/intTest/resources/signer-logback.xml
rename to src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml
diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/softtoken/.gitkeep b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/softtoken/.gitkeep
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/signer-protocol/src/intTest/resources/transport-keystore/akka-keystore.p12 b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/akka-keystore.p12
similarity index 100%
rename from src/signer-protocol/src/intTest/resources/transport-keystore/akka-keystore.p12
rename to src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/akka-keystore.p12
diff --git a/src/signer-protocol/src/intTest/resources/transport-keystore/gen-cert.sh b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/gen-cert.sh
similarity index 100%
rename from src/signer-protocol/src/intTest/resources/transport-keystore/gen-cert.sh
rename to src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/gen-cert.sh
diff --git a/src/signer-protocol/src/intTest/resources/transport-keystore/grpc-internal-keystore.jks b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.jks
similarity index 100%
rename from src/signer-protocol/src/intTest/resources/transport-keystore/grpc-internal-keystore.jks
rename to src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.jks
diff --git a/src/signer-protocol/src/intTest/resources/container-files/var/cache/xroad/.gitkeep b/src/signer-protocol/src/intTest/resources/container-files/var/cache/xroad/.gitkeep
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java
index 26c760b6ef..a0ddadc9ad 100644
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java
+++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java
@@ -26,6 +26,7 @@ package ee.ria.xroad.signer; import ee.ria.xroad.common.CodedException; +import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.identifier.SecurityServerId; import ee.ria.xroad.common.util.PasswordStore; @@ -162,7 +163,7 @@ private static RpcSignerClient getSignerClient() { //TODO this is unsafe, but works for poc. if (signerClient == null) { try { - signerClient = RpcSignerClient.init(5560); + signerClient = RpcSignerClient.init(SystemProperties.getGrpcSignerHost(), SystemProperties.getGrpcSignerPort()); } catch (Exception e) { log.error("Failed to init client", e); } diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java index 0e270102c9..ef262ff438 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java @@ -65,10 +65,10 @@ public RpcSignerClient(Channel channel) { * Greet server. If provided, the first element of {@code args} is the name to use in the * greeting. */ - public static RpcSignerClient init(int port) throws Exception { + public static RpcSignerClient init(String host, int port) throws Exception { var credentials = createClientCredentials(); log.info("Starting grpc client with {} credentials..", credentials.getClass().getSimpleName()); - ManagedChannel channel = Grpc.newChannelBuilderForAddress("127.0.0.1", port, credentials) + ManagedChannel channel = Grpc.newChannelBuilderForAddress(host, port, credentials) .build(); return new RpcSignerClient(channel); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinReqHandler.java index 537ec6809e..058370d846 100644 
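Review bot: In `getSignerClient()` a failure of `RpcSignerClient.init(...)` is only logged by `log.error("Failed to init client", e);`, so `signerClient` stays null and, as far as this hunk shows, the caller receives a null client instead of an error. Now that host and port come from `SystemProperties`, a misconfigured value becomes a realistic failure, so the catch block should rethrow, for example `throw new IllegalStateException("Failed to init signer RPC client", e);`. The unsynchronised null check that the existing TODO mentions can also create two channels under concurrent first use. The rest of the method lies outside the hunk, so what it returns after the catch is inferred.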
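Review bot: `RpcSignerClient.init(String host, int port)` now hands a configurable host to `Grpc.newChannelBuilderForAddress`, where the previous code was pinned to `127.0.0.1`, so whatever `createClientCredentials()` returns is used for non-loopback connections as well. That method is outside this hunk; if it can fall back to plaintext credentials, token PINs and signing requests sent through this client would leave the machine unprotected, and `init` should refuse a non-loopback host in that case. The Javadoc above the method still reads "Greet server. If provided, the first element of args is the name to use in the greeting." and should be replaced, e.g. `/** Creates a signer RPC client for the given host and port using the configured client credentials. */`.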
--- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinReqHandler.java @@ -30,6 +30,7 @@ import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker; import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenWorker; +import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.proto.UpdateSoftwareTokenPinReq; import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Component; @@ -39,6 +40,7 @@ /** * Handles token pin update */ +@Slf4j @Component public class UpdateSoftwareTokenPinReqHandler extends AbstractRpcHandler { @@ -52,6 +54,7 @@ protected Empty handle(UpdateSoftwareTokenPinReq request) throws Exception { return Empty.getDefaultInstance(); } catch (Exception e) { // todo move to tokenworker + log.error("Failed to update software token", e); throw new CodedException(X_INTERNAL_ERROR, e); } } else { From 3a9ddee07eba302f6bbdc7743497bcd49ba96fc3 Mon Sep 17 00:00:00 2001 
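Review bot: The added `log.error("Failed to update software token", e);` in `handle(...)` names neither the operation nor the token, while the class Javadoc says this handler updates the token PIN. A message such as `log.error("Failed to update PIN of software token", e);` would be more useful in the signer log, and if a token id is added later the PIN values from the request must stay out of it. Because the exception is rethrown as `CodedException(X_INTERNAL_ERROR, e)` right after, the same stack trace may be logged again further up; that is not visible here. The enclosing method starts and ends outside the hunk.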
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Thu, 31 Aug 2023 15:09:19 +0300 Subject: [PATCH 037/127] chore: enable softhsm for signer int tests Refs: XRDDEV-2468 --- src/addons/build.gradle | 3 + .../module/HardwareModuleManagerImpl.java | 7 +- .../util/FilePasswordStoreProvider.java | 6 +- src/signer-protocol/build.gradle | 1 + .../signer/test/container/ContainerSetup.java | 33 +++-- .../signer/test/glue/SignerStepDefs.java | 98 +++++++-------- ...500-signer.feature => 0100-signer.feature} | 5 +- .../0200-signer-hardware-token.feature | 115 ++++++++++++++++++ .../resources/container-files/Dockerfile | 15 +-- .../etc/xroad/signer/devices.ini | 2 + .../GetHSMOperationalInfoResponse.java | 40 ------ 11 files changed, 203 insertions(+), 122 deletions(-) create mode 100644 src/addons/build.gradle rename src/signer-protocol/src/intTest/resources/behavior/{0500-signer.feature => 0100-signer.feature} (98%) create mode 100644 src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetHSMOperationalInfoResponse.java diff --git a/src/addons/build.gradle b/src/addons/build.gradle new file mode 100644 index 0000000000..091fae3f03 --- /dev/null +++ b/src/addons/build.gradle @@ -0,0 +1,3 @@ +tasks.withType(Jar).configureEach { + enabled = false +} diff --git a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleManagerImpl.java b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleManagerImpl.java index 1ed4df4bd2..2fce0b8a63 100644 --- a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleManagerImpl.java +++ b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleManagerImpl.java 
@@ -25,10 +25,9 @@ */ package ee.ria.xroad.signer.tokenmanager.module; -import ee.ria.xroad.signer.protocol.message.GetHSMOperationalInfoResponse; - import akka.actor.Props; import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.signer.proto.GetHSMOperationalInfoResp; /** * Module manager that supports hardware tokens. @@ -73,7 +72,9 @@ private void handleGetHSMOperationalInfo() { .noneMatch(moduleType -> moduleType instanceof HardwareModuleType && !isModuleInitialized(moduleType)); - GetHSMOperationalInfoResponse hsmOperationalInfo = new GetHSMOperationalInfoResponse(hsmOperationalStatus); + GetHSMOperationalInfoResp hsmOperationalInfo = GetHSMOperationalInfoResp.newBuilder() + .setOperational(hsmOperationalStatus) + .build(); getSender().tell(hsmOperationalInfo, getSelf()); } } diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java index 83acc28562..502178425e 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java @@ -45,7 +45,7 @@ public class FilePasswordStoreProvider implements PasswordStore.PasswordStorePro private static final String PATTERN_FILE_PASSWORDSTORE = "%s/.passwordstore-%s"; @Override - public byte[] read(String pathnameForFtok, String id) throws Exception { + public synchronized byte[] read(String pathnameForFtok, String id) throws Exception { var file = getFileById(id); log.warn("Reading password from {}. File exists? {}", file, file.exists()); 
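Review bot: Marking `read` `synchronized` in FilePasswordStoreProvider (and `write` and `clear` in the two following hunks of the same file) only serialises callers that share this provider instance inside one JVM. It does not protect the `.passwordstore-*` files from another process using the same directory, which the integration setup in this series does by mounting the password-store directory into the signer container. If the race being fixed is between the test JVM and the signer process, consider writing to a temporary file and moving it into place with `Files.move(tmp, target, StandardCopyOption.ATOMIC_MOVE)`, or holding a `FileLock`; if it is purely in-process, a class comment saying so would help. The method bodies continue outside these hunks, so how the file is written is not visible, and `clear` is still a no-op, which leaves stored passwords on disk after a clear request.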
@@ -57,7 +57,7 @@ public byte[] read(String pathnameForFtok, String id) throws Exception { } @Override - public void write(String pathnameForFtok, String id, byte[] password, int permissions) throws Exception { + public synchronized void write(String pathnameForFtok, String id, byte[] password, int permissions) throws Exception { var file = getFileById(id); log.warn("Writing password to {}", file); @@ -69,7 +69,7 @@ public void write(String pathnameForFtok, String id, byte[] password, int permis } @Override - public void clear(String pathnameForFtok, int permissions) throws Exception { + public synchronized void clear(String pathnameForFtok, int permissions) throws Exception { //NO-OP } diff --git a/src/signer-protocol/build.gradle b/src/signer-protocol/build.gradle index 464d822bd8..2378f7d711 100644 --- a/src/signer-protocol/build.gradle +++ b/src/signer-protocol/build.gradle @@ -18,6 +18,7 @@ dependencies { api project(':common:common-rpc') intTestRuntimeOnly project(':signer') + intTestRuntimeOnly project(':addons:hwtoken') intTestRuntimeOnly project(':common:common-util') intTestImplementation project(":common:common-test") diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java index 9399ef65fd..ee310fb8fb 100644 --- a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java +++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java @@ -50,6 +50,11 @@ @SuppressWarnings("checkstyle:MagicNumber") public class ContainerSetup { + static { + //This is to set docker api version in testcontainers. By default it uses 1.32, which does not support platform setting. + System.setProperty("api.version", "1.41"); + } + @Bean public TestContainerConfigurator testContainerConfigurator( TestableContainerProperties testableContainerProperties) { 
@@ -58,7 +63,7 @@ public TestContainerConfigurator testContainerConfigurator( @Override public ImageFromDockerfile imageDefinition() { var appJarPath = Paths.get("../signer/build/libs/signer-1.0.jar"); - + var hwTokenJarPath = Paths.get("../addons/hwtoken/build/libs/hwtoken-1.0.jar"); log.info("Will use {} jar for container creation", appJarPath); File filesToAdd = Paths.get("src/intTest/resources/container-files/").toFile(); @@ -67,7 +72,8 @@ public ImageFromDockerfile imageDefinition() { !testableContainerProperties.getReuseBetweenRuns(), testableContainerProperties.getReuseBetweenRuns()) .withFileFromFile(".", filesToAdd) - .withFileFromPath("files/app.jar", appJarPath); + .withFileFromPath("files/app.jar", appJarPath) + .withFileFromPath("files/hwtoken.jar", hwTokenJarPath); } @NotNull 
@@ -92,21 +98,24 @@ public TestContainerConfigurator.TestContainerInitListener testContainerInitList public void beforeStart(@NotNull GenericContainer genericContainer) { genericContainer .waitingFor(Wait.forLogMessage(".*Signer has been initialized in.*", 1)); - genericContainer.withCommand("java", - "-Dlogback.configurationFile=/etc/xroad/signer/signer-logback.xml", - "-Dxroad.internal.passwordstore-provider=file", - "-Dxroad.grpc.internal.keystore=/etc/xroad/transport-keystore/grpc-internal-keystore.jks", - "-Dxroad.grpc.internal.keystore-password=111111", - "-Dxroad.grpc.internal.truststore=/etc/xroad/transport-keystore/grpc-internal-keystore.jks", - "-Dxroad.grpc.internal.truststore-password=111111", - "-jar", - "/usr/share/xroad/app.jar"); + genericContainer +// .withCreateContainerCmdModifier(cmd -> cmd.withPlatform("linux/amd64")) + .withCommand("java", + "-Dlogback.configurationFile=/etc/xroad/signer/signer-logback.xml", + "-Dxroad.internal.passwordstore-provider=file", + "-Dxroad.grpc.internal.keystore=/etc/xroad/transport-keystore/grpc-internal-keystore.jks", + "-Dxroad.grpc.internal.keystore-password=111111", + "-Dxroad.grpc.internal.truststore=/etc/xroad/transport-keystore/grpc-internal-keystore.jks", + "-Dxroad.grpc.internal.truststore-password=111111", + "-Dxroad.signer.moduleManagerImpl=ee.ria.xroad.signer.tokenmanager.module.HardwareModuleManagerImpl", + "-cp", + "/root/lib/hwtoken.jar:/root/app.jar", + "ee.ria.xroad.signer.SignerMain"); prepareSignerDirs(); } @Override - @SneakyThrows public void afterStart(@NotNull GenericContainer genericContainer) { //do nothing } diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java index 3d26fd7b6e..39813ec840 100644 --- a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java 
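Review bot: The new classpath `"/root/lib/hwtoken.jar:/root/app.jar"` in `beforeStart` does not obviously match where the jars are placed. `imageDefinition()` stages them as `files/app.jar` and `files/hwtoken.jar`, and the Dockerfile introduced earlier in this series copies the application to `/usr/share/xroad/app.jar` and switches to `USER xroad`, which normally cannot read `/root`. The Dockerfile changes of this commit are not visible here, so please confirm that the COPY targets and file ownership line up with this `-cp` value. The commented-out `.withCreateContainerCmdModifier(cmd -> cmd.withPlatform("linux/amd64"))` line should either be removed or replaced by a comment explaining when the platform override is needed.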
+++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java @@ -41,11 +41,7 @@ import ee.ria.xroad.signer.protocol.dto.TokenStatusInfo; import com.nortal.test.core.report.TestReportService; -import io.cucumber.java.en.And; -import io.cucumber.java.en.Given; import io.cucumber.java.en.Step; -import io.cucumber.java.en.Then; -import io.cucumber.java.en.When; import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; import org.apache.commons.io.IOUtils; @@ -78,6 +74,7 @@ import static org.assertj.core.api.Assertions.fail; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; @Slf4j public class SignerStepDefs { @@ -90,25 +87,25 @@ public class SignerStepDefs { private CertificateInfo certInfo; private byte[] cert; - @When("signer is initialized with pin {string}") + @Step("signer is initialized with pin {string}") public void signerIsInitializedWithPin(String pin) throws Exception { SignerProxy.initSoftwareToken(pin.toCharArray()); } - @Then("token {string} is not active") + @Step("token {string} is not active") public void tokenIsNotActive(String tokenId) throws Exception { final TokenInfo tokenInfo = SignerProxy.getToken(tokenId); Assertions.assertFalse(tokenInfo.isActive()); } - @Given("token {string} status is {string}") + @Step("token {string} status is {string}") public void assertTokenStatus(String tokenId, String status) throws Exception { final TokenInfo token = SignerProxy.getToken(tokenId); assertThat(token.getStatus()).isEqualTo(TokenStatusInfo.valueOf(status)); } - @Given("tokens list contains token {string}") + @Step("tokens list contains token {string}") public void tokensListContainsToken(String tokenId) throws Exception { var tokens = SignerProxy.getTokens(); testReportService.attachText("Tokens", Arrays.toString(tokens.toArray())); 
@@ -119,18 +116,18 @@ public void tokensListContainsToken(String tokenId) throws Exception { assertThat(tokenInfo).isNotNull(); } - @When("token {string} is logged in with pin {string}") + @Step("token {string} is logged in with pin {string}") public void tokenIsActivatedWithPin(String tokenId, String pin) throws Exception { SignerProxy.activateToken(tokenId, pin.toCharArray()); } - @When("token {string} is logged out") + @Step("token {string} is logged out") public void tokenIsLoggedOut(String tokenId) throws Exception { SignerProxy.deactivateToken(tokenId); } @SneakyThrows - @Then("token {string} is active") + @Step("token {string} is active") public void tokenIsActive(String tokenId) throws Exception { var tokenInfo = SignerProxy.getToken(tokenId); 
@@ -138,33 +135,33 @@ public void tokenIsActive(String tokenId) throws Exception { assertThat(tokenInfo.isActive()).isTrue(); } - @When("token {string} pin is updated from {string} to {string}") + @Step("token {string} pin is updated from {string} to {string}") public void tokenPinIsUpdatedFromTo(String tokenId, String oldPin, String newPin) throws Exception { SignerProxy.updateTokenPin(tokenId, oldPin.toCharArray(), newPin.toCharArray()); } - @When("name {string} is set for token {string}") + @Step("name {string} is set for token {string}") public void nameIsSetForToken(String name, String tokenId) throws Exception { SignerProxy.setTokenFriendlyName(tokenId, name); } - @Then("token {string} name is {string}") + @Step("token {string} name is {string}") public void tokenNameIs(String tokenId, String name) throws Exception { assertThat(SignerProxy.getToken(tokenId).getFriendlyName()).isEqualTo(name); } - @When("new key {string} generated for token {string}") + @Step("new key {string} generated for token {string}") public void newKeyGeneratedForToken(String keyLabel, String tokenId) throws Exception { final KeyInfo keyInfo = SignerProxy.generateKey(tokenId, keyLabel); this.keyId = keyInfo.getId(); } - @And("name {string} is set for generated key") + @Step("name {string} is set for generated key") public void nameIsSetForGeneratedKey(String keyFriendlyName) throws Exception { SignerProxy.setKeyFriendlyName(this.keyId, keyFriendlyName); } - @Then("token {string} has exact keys {string}") + @Step("token {string} has exact keys {string}") public void tokenHasKeys(String tokenId, String keyNames) throws Exception { final List keys = Arrays.asList(keyNames.split(",")); final TokenInfo token = SignerProxy.getToken(tokenId); 
@@ -178,7 +175,7 @@ public void tokenHasKeys(String tokenId, String keyNames) throws Exception { assertThat(tokenKeyNames).containsExactlyInAnyOrderElementsOf(keys); } - @When("key {string} is deleted from token {string}") + @Step("key {string} is deleted from token {string}") public void keyIsDeletedFromToken(String keyName, String tokenId) throws Exception { final KeyInfo key = findKeyInToken(tokenId, keyName); SignerProxy.deleteKey(key.getId(), true); @@ -209,14 +206,13 @@ public void certImportFails(String client) throws Exception { } } - private byte[] fileToBytes(String fileName) throws Exception { try (FileInputStream in = new FileInputStream(fileName)) { return IOUtils.toByteArray(in); } } - @Given("self signed cert generated for token {string} key {string}, client {string}") + @Step("self signed cert generated for token {string} key {string}, client {string}") public void selfSignedCertGeneratedForTokenKeyForClient(String tokenId, String keyName, String client) throws Exception { final KeyInfo keyInToken = findKeyInToken(tokenId, keyName); @@ -230,7 +226,7 @@ private ClientId.Conf getClientId(String client) { return ClientId.Conf.create(parts[0], parts[1], parts[2]); } - @When("cert request is generated for token {string} key {string} for client {string}") + @Step("cert request is generated for token {string} key {string} for client {string}") public void certRequestIsGeneratedForTokenKey(String tokenId, String keyName, String client) throws Exception { final KeyInfo key = findKeyInToken(tokenId, keyName); final ClientId.Conf clientId = getClientId(client); 
@@ -241,19 +237,19 @@ public void certRequestIsGeneratedForTokenKey(String tokenId, String keyName, St this.csrId = csrInfo.getCertReqId(); } - @And("cert request is regenerated") + @Step("cert request is regenerated") public void certRequestIsRegenerated() throws Exception { SignerProxy.regenerateCertRequest(this.csrId, CertificateRequestFormat.DER); } - @Given("token {string} key {string} has {int} certificates") + @Step("token {string} key {string} has {int} certificates") public void tokenKeyHasCertificates(String tokenId, String keyName, int certCount) throws Exception { final KeyInfo key = findKeyInToken(tokenId, keyName); assertThat(key.getCerts()).hasSize(certCount); } - @And("sign mechanism for token {string} key {string} is not null") + @Step("sign mechanism for token {string} key {string} is not null") public void signMechanismForTokenKeyIsNotNull(String tokenId, String keyName) throws Exception { final KeyInfo keyInToken = findKeyInToken(tokenId, keyName); final String signMechanism = SignerProxy.getSignMechanism(keyInToken.getId()); 
@@ -261,83 +257,83 @@ public void signMechanismForTokenKeyIsNotNull(String tokenId, String keyName) th assertThat(signMechanism).isNotBlank(); } - @Then("member {string} has {int} certificate") + @Step("member {string} has {int} certificate") public void memberHasCertificate(String memberId, int certCount) throws Exception { final List memberCerts = SignerProxy.getMemberCerts(getClientId(memberId)); assertThat(memberCerts).hasSize(certCount); } - @When("check token {string} key {string} batch signing enabled") + @Step("check token {string} key {string} batch signing enabled") public void checkTokenBatchSigningEnabled(String tokenId, String keyname) throws Exception { final KeyInfo key = findKeyInToken(tokenId, keyname); assertThat(SignerProxy.isTokenBatchSigningEnabled(key.getId())).isNotNull(); } - @Then("cert request can be deleted") + @Step("cert request can be deleted") public void certRequestCanBeDeleted() throws Exception { SignerProxy.deleteCertRequest(this.csrId); } - @And("certificate info can be retrieved by cert hash") + @Step("certificate info can be retrieved by cert hash") public void certificateInfoCanBeRetrievedByHash() throws Exception { final CertificateInfo certInfoResponse = SignerProxy.getCertForHash(this.certHash); assertThat(certInfoResponse).isNotNull(); this.certInfo = certInfoResponse; } - @And("keyId can be retrieved by cert hash") + @Step("keyId can be retrieved by cert hash") public void keyidCanBeRetrievedByCertHash() throws Exception { final SignerProxy.KeyIdInfo keyIdForCertHash = SignerProxy.getKeyIdForCertHash(this.certHash); assertThat(keyIdForCertHash).isNotNull(); } - @And("token and keyId can be retrieved by cert hash") + @Step("token and keyId can be retrieved by cert hash") public void tokenAndKeyIdCanBeRetrievedByCertHash() { final TokenInfoAndKeyId tokenAndKeyIdForCertHash = SignerProxy.getTokenAndKeyIdForCertHash(this.certHash); assertThat(tokenAndKeyIdForCertHash).isNotNull(); } - @And("token and key can be retrieved by 
cert request") + @Step("token and key can be retrieved by cert request") public void tokenAndKeyCanBeRetrievedByCertRequest() throws Exception { final TokenInfoAndKeyId tokenAndKeyIdForCertRequestId = SignerProxy.getTokenAndKeyIdForCertRequestId(this.csrId); assertThat(tokenAndKeyIdForCertRequestId).isNotNull(); } - @Then("token info can be retrieved by key id") + @Step("token info can be retrieved by key id") public void tokenInfoCanBeRetrievedByKeyId() throws Exception { final TokenInfo tokenForKeyId = SignerProxy.getTokenForKeyId(this.keyId); assertThat(tokenForKeyId).isNotNull(); } - @Given("digest can be signed using key {string} from token {string}") + @Step("digest can be signed using key {string} from token {string}") public void digestCanBeSignedUsingKeyFromToken(String keyName, String tokenId) throws Exception { final KeyInfo key = findKeyInToken(tokenId, keyName); SignerProxy.sign(key.getId(), SHA256WITHRSA_ID, calculateDigest(SHA256_ID, "digest".getBytes(UTF_8))); } - @Then("certificate can be deactivated") + @Step("certificate can be deactivated") public void certificateCanBeDeactivated() throws Exception { SignerProxy.deactivateCert(this.certInfo.getId()); } - @And("certificate can be activated") + @Step("certificate can be activated") public void certificateCanBeActivated() throws Exception { SignerProxy.activateCert(this.certInfo.getId()); } - @And("certificate can be deleted") + @Step("certificate can be deleted") public void certificateCanBeDeleted() throws Exception { SignerProxy.deleteCert(this.certInfo.getId()); } - @And("certificate status can be changed to {string}") + @Step("certificate status can be changed to {string}") public void certificateStatusCanBeChangedTo(String status) throws Exception { SignerProxy.setCertStatus(this.certInfo.getId(), status); } - @And("certificate can be signed using key {string} from token {string}") + @Step("certificate can be signed using key {string} from token {string}") public void 
certificateCanBeSignedUsingKeyFromToken(String keyName, String tokenId) throws Exception { final KeyInfo key = findKeyInToken(tokenId, keyName); byte[] keyBytes = Base64.decode(key.getPublicKey().getBytes()); @@ -349,7 +345,7 @@ public void certificateCanBeSignedUsingKeyFromToken(String keyName, String token assertThat(bytes).isNotEmpty(); } - @Then("Set token name fails with TokenNotFound exception when token does not exist") + @Step("Set token name fails with TokenNotFound exception when token does not exist") public void setTokenNameFail() throws Exception { String tokenId = randomUUID().toString(); try { @@ -361,7 +357,7 @@ public void setTokenNameFail() throws Exception { } } - @Then("Deleting not existing certificate from token fails") + @Step("Deleting not existing certificate from token fails") public void failOnDeleteCert() throws Exception { String cerId = randomUUID().toString(); try { @@ -373,7 +369,7 @@ public void failOnDeleteCert() throws Exception { } } - @Then("Retrieving token info by not existing key fails") + @Step("Retrieving token info by not existing key fails") public void retrievingTokenInfoCanByNotExistingKeyFails() throws Exception { String keyId = randomUUID().toString(); try { @@ -385,7 +381,7 @@ public void retrievingTokenInfoCanByNotExistingKeyFails() throws Exception { } } - @Then("Deleting not existing certRequest fails") + @Step("Deleting not existing certRequest fails") public void deletingCertRequestFails() throws Exception { String csrId = randomUUID().toString(); try { @@ -397,7 +393,7 @@ public void deletingCertRequestFails() throws Exception { } } - @Then("Signing with unknown key fails") + @Step("Signing with unknown key fails") public void signKeyFail() throws Exception { String keyId = randomUUID().toString(); try { 
@@ -409,7 +405,7 @@ public void signKeyFail() throws Exception { } } - @Then("Signing with unknown algorithm fails using key {string} from token {string}") + @Step("Signing with unknown algorithm fails using key {string} from token {string}") public void signAlgorithmFail(String keyName, String tokenId) throws Exception { try { final KeyInfo key = findKeyInToken(tokenId, keyName); @@ -422,7 +418,7 @@ public void signAlgorithmFail(String keyName, String tokenId) throws Exception { } } - @Then("Getting key by not existing cert hash fails") + @Step("Getting key by not existing cert hash fails") public void getKeyIdByHashFail() throws Exception { String hash = randomUUID().toString(); try { @@ -434,7 +430,7 @@ public void getKeyIdByHashFail() throws Exception { } } - @Then("Not existing certificate can not be activated") + @Step("Not existing certificate can not be activated") public void notExistingCertActivateFail() throws Exception { String certId = randomUUID().toString(); try { @@ -452,9 +448,9 @@ public void getMemberSigningInfo(String client) throws Exception { testReportService.attachText("MemberSigningInfo", memberInfo.toString()); } - @And("HSM is not operational") + @Step("HSM is operational") public void hsmIsNotOperational() throws Exception { - assertFalse(SignerProxy.isHSMOperational()); + assertTrue(SignerProxy.isHSMOperational()); } private void assertException(String faultCode, String translationCode, String message, CodedException codedException) { @@ -464,7 +460,7 @@ private void assertException(String faultCode, String translationCode, String me } - @When("ocsp responses are set") + @Step("ocsp responses are set") public void ocspResponsesAreSet() throws Exception { X509Certificate subject = TestCertUtil.getConsumer().certChain[0]; final OCSPResp ocspResponse = OcspTestUtils.createOCSPResponse(subject, TestCertUtil.getCaCert(), TestCertUtil.getOcspSigner().certChain[0], 
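Review bot: After this change the step `@Step("HSM is operational")` asserts `assertTrue(SignerProxy.isHSMOperational())`, but the method is still called `hsmIsNotOperational`, which now says the opposite of what it checks; rename it to `hsmIsOperational`. The import hunk at the top of the file adds `assertTrue` and keeps `assertFalse`; if this was its last use, that static import should go as well, since unused imports usually fail checkstyle. Whether `assertFalse` is used elsewhere in the class is not visible in these hunks.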
@@ -474,7 +470,7 @@ public void ocspResponsesAreSet() throws Exception { new String[]{Base64.toBase64String(ocspResponse.getEncoded())}); } - @Then("ocsp responses can be retrieved") + @Step("ocsp responses can be retrieved") public void ocspResponsesCanBeRetrieved() throws Exception { X509Certificate subject = TestCertUtil.getConsumer().certChain[0]; final String hash = calculateCertHexHash(subject); @@ -483,7 +479,7 @@ public void ocspResponsesCanBeRetrieved() throws Exception { assertThat(ocspResponses).isNotEmpty(); } - @And("null ocsp response is returned for unknown certificate") + @Step("null ocsp response is returned for unknown certificate") public void emptyOcspResponseIsReturnedForUnknownCertificate() throws Exception { final String[] ocspResponses = SignerProxy .getOcspResponses(new String[]{calculateCertHexHash("not a cert".getBytes())}); diff --git a/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature b/src/signer-protocol/src/intTest/resources/behavior/0100-signer.feature similarity index 98% rename from src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature rename to src/signer-protocol/src/intTest/resources/behavior/0100-signer.feature index 8ec1887c52..34c2c4b774 100644 --- a/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature +++ b/src/signer-protocol/src/intTest/resources/behavior/0100-signer.feature @@ -1,4 +1,4 @@ -Feature: 0500 - Signer +Feature: 0100 - Signer: SoftToken Scenario: Initialization Given tokens list contains token "0" @@ -69,9 +69,6 @@ Feature: 0500 - Signer Given tokens list contains token "0" * Member signing info for client "cs:test:member-1" is retrieved - Scenario: HSM status is not operational - * HSM is not operational - Scenario: Self signed certificate Given token "0" key "First key" has 0 certificates When self signed cert generated for token "0" key "First key", client "cs:test:member-1" 
diff --git a/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature b/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature
new file mode 100644
index 0000000000..41bbcd236b
--- /dev/null
+++ b/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature
@@ -0,0 +1,115 @@ +Feature: 0100 - Signer: HardwareToken + Uses SoftHSM to emulate hardware token. + + Scenario: HSM is operational + * HSM is operational + +# +# Scenario: Initialization +# Given tokens list contains token "0" +# And token "0" status is "NOT_INITIALIZED" +# When signer is initialized with pin "1234" +# Then token "0" is not active +# And token "0" status is "OK" +# +# Scenario: Activate token +# Given token "0" is not active +# When token "0" is logged in with pin "1234" +# Then token "0" is active +# +# Scenario: Deactivate token +# When token "0" is logged out +# Then token "0" is not active +# +# Scenario: Update token pin +# Given token "0" is not active +# And token "0" is logged in with pin "1234" +# When token "0" pin is updated from "1234" to "4321" +# And token "0" is logged in with pin "4321" +# Then token "0" is active +# +# Scenario: Set token friendly name +# When name "New friendly name" is set for token "0" +# Then token "0" name is "New friendly name" +# +# Scenario: Key generation +# When new key "key-1" generated for token "0" +# And name "First key" is set for generated key +# When new key "key-2" generated for token "0" +# And name "Second key" is set for generated key +# When new key "key-3" generated for token "0" +# And name "Third key" is set for generated key +# Then token "0" has exact keys "First key,Second key,Third key" +# And sign mechanism for token "0" key "Second key" is not null +# +# Scenario: Delete key +# Given new key "key-X" generated for token "0" +# And name "KeyX" is set for generated key +# Then token info can be retrieved by key id +# When key "Third key" is deleted from token "0" +# Then token "0" has exact keys "First key,Second key,KeyX" +# +# Scenario: Sign +# Given digest can be signed using key "KeyX" from token "0" +# And Signing with unknown algorithm fails using key "KeyX" from token "0" +# +# Scenario: Generate/Regenerate cert request +# When cert request is generated for token "0" key "Second 
key" for client "cs:test:member-2" +# And token and key can be retrieved by cert request +# Then cert request can be deleted +# When cert request is generated for token "0" key "Second key" for client "cs:test:member-2" +# And cert request is regenerated +# +# Scenario: Certificate can be (re)imported +# Given tokens list contains token "0" +# When Wrong Certificate is not imported for client "cs:test:member-1" +# And self signed cert generated for token "0" key "First key", client "cs:test:member-1" +# And certificate info can be retrieved by cert hash +# When certificate can be deleted +# Then token "0" key "First key" has 0 certificates +# When Certificate is imported for client "cs:test:member-1" +# Then token "0" key "First key" has 1 certificates +# +# Scenario: Member test +# Given tokens list contains token "0" +# * Member signing info for client "cs:test:member-1" is retrieved +# +# Scenario: HSM status is not operational +# * HSM is not operational +# +# Scenario: Self signed certificate +# Given token "0" key "First key" has 0 certificates +# When self signed cert generated for token "0" key "First key", client "cs:test:member-1" +# Then token "0" key "First key" has 1 certificates +# And keyId can be retrieved by cert hash +# And token and keyId can be retrieved by cert hash +# And certificate can be signed using key "First key" from token "0" +# +# Scenario: Member info +# Then member "cs:test:member-1" has 1 certificate +# +# Scenario: Cert status +# Given self signed cert generated for token "0" key "KeyX", client "cs:test:member-2" +# And certificate info can be retrieved by cert hash +# Then certificate can be deactivated +# And certificate can be activated +# And certificate status can be changed to "deletion in progress" +# And certificate can be deleted +# +# Scenario: Miscellaneous checks +# * check token "0" key "First key" batch signing enabled +# +# Scenario: Exceptions +# * Set token name fails with TokenNotFound exception when token does 
not exist +# * Deleting not existing certificate from token fails +# * Retrieving token info by not existing key fails +# * Deleting not existing certRequest fails +# * Signing with unknown key fails +# * Getting key by not existing cert hash fails +# * Not existing certificate can not be activated +# +# Scenario: Ocsp responses +# When ocsp responses are set +# Then ocsp responses can be retrieved +# And null ocsp response is returned for unknown certificate + diff --git a/src/signer-protocol/src/intTest/resources/container-files/Dockerfile b/src/signer-protocol/src/intTest/resources/container-files/Dockerfile index a68c1347ae..68ace653d9 100644 --- a/src/signer-protocol/src/intTest/resources/container-files/Dockerfile +++ b/src/signer-protocol/src/intTest/resources/container-files/Dockerfile @@ -1,4 +1,5 @@ -FROM ubuntu:22.04 +# Explicitly defining linux/amd64 ubuntu:22.04 image +FROM ubuntu@sha256:56887c5194fddd8db7e36ced1c16b3569d89f74c801dc8a5adbf48236fb34564 RUN apt-get clean && apt-get -y update && apt-get install -y locales && locale-gen en_US.UTF-8 ENV LANG en_US.UTF-8 ENV LANGUAGE en_US:en @@ -14,19 +15,15 @@ RUN apt-get -qq update \ && apt-get -qq autoremove \ && apt-get -qq clean -ARG uid=1000 -ARG gid=1000 - -RUN groupadd -o -g $gid xroad && useradd -m -u $uid -g $gid xroad # Create token RUN mkdir -p /var/lib/softhsm/tokens/ && \ softhsm2-util --init-token --slot 0 --label 'X-Road HW' --so-pin 1234 --pin 1234 -COPY --chown=xroad:xroad files/app.jar /usr/share/xroad/app.jar -COPY --chown=xroad:xroad etc /etc -COPY --chown=xroad:xroad var /var +COPY --chown=root:root files/app.jar /root/app.jar +COPY --chown=root:root files/hwtoken.jar /root/lib/hwtoken.jar -USER xroad +COPY --chown=root:root etc /etc +COPY --chown=root:root var /var EXPOSE 5558 5559 5560 
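Review bot: The title `Feature: 0100 - Signer: HardwareToken` repeats the number of the renamed soft-token feature, although this file is `0200-signer-hardware-token.feature`; it should read `Feature: 0200 - Signer: HardwareToken` so the two can be told apart in reports. Everything after `HSM is operational` is commented out, so this file gives the hardware-token path no coverage for key generation, signing or PIN change. The commented block also still contains `* HSM is not operational`, whose step definition this commit replaces, so it cannot be re-enabled as is. Either drop the block or leave a one-line comment that references the ticket tracking the missing scenarios.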
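Review bot: The second Dockerfile hunk removes `groupadd`/`useradd` and `USER xroad`, so the signer in the test image now runs as root with `app.jar` and `hwtoken.jar` under `/root`. Presumably this lets the process read the SoftHSM token that `softhsm2-util --init-token` creates as root under `/var/lib/softhsm/tokens/`. The cost is that file-permission and privilege problems which would appear under the unprivileged service account can no longer surface in these tests. Keeping the account and handing it the token directory would preserve that check, e.g. `RUN chown -R xroad:xroad /var/lib/softhsm/tokens` followed by `USER xroad`. The digest pin in the first hunk is a good supply-chain measure; its comment could also record when the digest was resolved so it is refreshed deliberately.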
diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/devices.ini b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/devices.ini index 88f5cf6fd3..25bf90d143 100644 --- a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/devices.ini +++ b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/devices.ini @@ -2,3 +2,5 @@ ; Creation Devices (SSCD). [softhsm2] library = /usr/lib/softhsm/libsofthsm2.so +os_locking_ok = true +library_cant_create_os_threads = true diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetHSMOperationalInfoResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetHSMOperationalInfoResponse.java deleted file mode 100644 index b4313fc1f1..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/GetHSMOperationalInfoResponse.java +++ /dev/null @@ -1,40 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

- * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - *

- * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - *

- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol.message; - -import lombok.Value; - -import java.io.Serializable; - -/** - * Signer API message. - */ -@Value -@Deprecated -public class GetHSMOperationalInfoResponse implements Serializable { - - boolean operational; -} From 6d350d44390b17e9634ce0abfe6cf1d9a0d9f9af Mon Sep 17 00:00:00 2001 
From: Justas Samuolis Date: Thu, 31 Aug 2023 16:53:44 +0300 Subject: [PATCH 038/127] chore: ocsp scheduled jobs Refs: XRDDEV-2461 --- .../ee/ria/xroad/signer/OcspClientJob.java | 131 ------------------ .../ee/ria/xroad/signer/OcspClientReload.java | 62 --------- .../main/java/ee/ria/xroad/signer/Signer.java | 15 -- .../ee/ria/xroad/signer/SignerConfig.java | 39 ++++++ .../java/ee/ria/xroad/signer/SignerMain.java | 30 ++-- .../signer/certmanager/OcspClientWorker.java | 117 ++++------------ .../certmanager/OcspResponseManager.java | 31 +---- .../job/OcspClientExecuteScheduler.java | 122 ++++++++++++++++ .../OcspClientReloadJob.java} | 39 +++--- .../util/VariableIntervalPeriodicJob.java | 97 ------------- 10 files changed, 234 insertions(+), 449 deletions(-) delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/OcspClientJob.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/OcspClientReload.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/job/OcspClientExecuteScheduler.java rename src/signer/src/main/java/ee/ria/xroad/signer/{OcspRetrievalJob.java => job/OcspClientReloadJob.java} (63%) delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/util/VariableIntervalPeriodicJob.java diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/OcspClientJob.java b/src/signer/src/main/java/ee/ria/xroad/signer/OcspClientJob.java deleted file mode 100644 index 6e805aad8e..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/OcspClientJob.java +++ /dev/null 
@@ -1,131 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.signer; - -import ee.ria.xroad.common.SystemProperties; -import ee.ria.xroad.signer.certmanager.OcspClientWorker; - -import lombok.extern.slf4j.Slf4j; -import scala.concurrent.duration.FiniteDuration; - -import java.util.concurrent.TimeUnit; - -import static ee.ria.xroad.signer.certmanager.OcspClientWorker.GLOBAL_CONF_INVALIDATED; -import static ee.ria.xroad.signer.protocol.ComponentNames.OCSP_CLIENT; - -/** - * Periodically executes OCSP-response refresh by sending {@link ee.ria.xroad.signer.certmanager.OcspClientWorker} - * the message {@value OcspClientWorker#EXECUTE} and manages the refresh interval - * based on the status of the last refresh. - */ -@Slf4j -public class OcspClientJob extends OcspRetrievalJob { - - public static final String CANCEL = "Cancel"; - public static final String FAILED = "Failed"; - public static final String SUCCESS = "Success"; - public static final String RESCHEDULE = "Reschedule"; - - private static final FiniteDuration INITIAL_DELAY = - FiniteDuration.create(5, TimeUnit.SECONDS); - - private static final int RECOVER_FROM_INVALID_GLOBALCONF_DELAY = 60; - private static final int RETRY_DELAY = SystemProperties.getOcspResponseRetryDelay(); - - //flag for indicating backoff retry state - private boolean retryMode = false; - - OcspClientJob() { - super(OCSP_CLIENT, OcspClientWorker.EXECUTE); - } - - @Override - protected FiniteDuration getInitialDelay() { - return INITIAL_DELAY; - } - - @Override - protected FiniteDuration getNextDelay() { - if (retryMode && RETRY_DELAY < OcspClientWorker.getNextOcspFetchIntervalSeconds()) { - log.info("Next OCSP refresh retry scheduled in {} seconds", RETRY_DELAY); - return FiniteDuration.create(RETRY_DELAY, TimeUnit.SECONDS); - } else { - log.info("Next OCSP refresh scheduled in {} seconds", OcspClientWorker.getNextOcspFetchIntervalSeconds()); - return FiniteDuration.create( - OcspClientWorker.getNextOcspFetchIntervalSeconds(), - TimeUnit.SECONDS); - } - } - - private 
FiniteDuration getNextDelayForInvalidGlobalConf() { - return FiniteDuration.create(RECOVER_FROM_INVALID_GLOBALCONF_DELAY, TimeUnit.SECONDS); - } - - @Override - public void onReceive(Object incoming) throws Exception { - if (CANCEL.equals(incoming)) { - log.debug("received message OcspClientWorker.CANCEL"); - cancelNextSend(); - } else if (RESCHEDULE.equals(incoming)) { - log.debug("received message OcspClientWorker.RESCHEDULE"); - log.info("OCSP-response refresh cycle rescheduling"); - scheduleNextSend(getNextDelay()); - } else if (SUCCESS.equals(incoming)) { - log.debug("received message OcspClientJob.SUCCESS"); - log.info("OCSP-response refresh cycle successfully completed, continuing with normal scheduling"); - retryMode = false; - } else if (FAILED.equals(incoming)) { - log.debug("received message OcspClientJob.FAILED"); - if (!retryMode) { - log.info("OCSP-response refresh cycle failed, switching to retry backoff schedule"); - // move into recover-from-failed state - // cancel next send and start backoff schedule - cancelNextSend(); - retryMode = true; - scheduleNextSend(getNextDelay()); - } else { - // no need to touch scheduling, we have already - // scheduled correctly in previous round's - // VariableIntervalPeriodicJob.onReceive(EXECUTE) - log.info("OCSP-response refresh retry failed, continuing along backoff schedule"); - } - } else if (GLOBAL_CONF_INVALIDATED.equals(incoming)) { - log.debug("received message OcspClientWorker.GLOBAL_CONF_INVALIDATED"); - log.info("OCSP-response refresh cycle failed due to invalid global configuration, " - + "switching to global configuration recovery schedule"); - // attempted to execute OCSP refresh, but global conf was - // invalid at that time -> reschedule - cancelNextSend(); - scheduleNextSend(getNextDelayForInvalidGlobalConf()); - retryMode = false; - } else { - // received either EXECUTE (VariableIntervalPeriodicJob - // executes, and schedules next EXECUTE) or something else - // (which is dismissed in 
VariableIntervalPeriodicJob) - super.onReceive(incoming); - } - } -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/OcspClientReload.java b/src/signer/src/main/java/ee/ria/xroad/signer/OcspClientReload.java deleted file mode 100644 index 8d20bb504a..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/OcspClientReload.java +++ /dev/null 
@@ -1,62 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.signer; - -import ee.ria.xroad.signer.certmanager.OcspClientWorker; - -import lombok.extern.slf4j.Slf4j; -import scala.concurrent.duration.FiniteDuration; - -import java.util.concurrent.TimeUnit; - -import static ee.ria.xroad.signer.protocol.ComponentNames.OCSP_CLIENT; - -/** - * Periodically executes the Global Configuration reload by - * sending {@link ee.ria.xroad.signer.certmanager.OcspClientWorker} the message {@value OcspClientWorker#RELOAD} - */ -@Slf4j -public class OcspClientReload extends OcspRetrievalJob { - - private static final int INTERVAL_SECONDS = 60; - - private static final FiniteDuration INITIAL_DELAY = - FiniteDuration.create(100, TimeUnit.MILLISECONDS); - - OcspClientReload() { - super(OCSP_CLIENT, OcspClientWorker.RELOAD); - } - - @Override - protected FiniteDuration getInitialDelay() { - return INITIAL_DELAY; - } - - @Override - protected FiniteDuration getNextDelay() { - return FiniteDuration.create(INTERVAL_SECONDS, TimeUnit.SECONDS); - } -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/Signer.java b/src/signer/src/main/java/ee/ria/xroad/signer/Signer.java index ac7ae60771..60f11709ef 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/Signer.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/Signer.java @@ -28,7 +28,6 @@ import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.util.StartStop; import ee.ria.xroad.common.util.filewatcher.FileWatcherRunner; -import ee.ria.xroad.signer.certmanager.OcspClientWorker; import ee.ria.xroad.signer.certmanager.OcspResponseManager; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.tokenmanager.module.AbstractModuleManager; 
@@ -45,9 +44,6 @@ import static ee.ria.xroad.common.SystemProperties.NodeType.SLAVE; import static ee.ria.xroad.signer.protocol.ComponentNames.MODULE_MANAGER; -import static ee.ria.xroad.signer.protocol.ComponentNames.OCSP_CLIENT; -import static ee.ria.xroad.signer.protocol.ComponentNames.OCSP_CLIENT_JOB; -import static ee.ria.xroad.signer.protocol.ComponentNames.OCSP_CLIENT_RELOAD; import static ee.ria.xroad.signer.protocol.ComponentNames.OCSP_RESPONSE_MANAGER; /** @@ -84,17 +80,6 @@ public void start() { } createComponent(OCSP_RESPONSE_MANAGER, OcspResponseManager.class); - createComponent(OCSP_CLIENT, OcspClientWorker.class); - createComponent(OCSP_CLIENT_JOB, OcspClientJob.class); - createComponent(OCSP_CLIENT_RELOAD, OcspClientReload.class); - } - - /** - * Executes polling immediately - */ - public void execute() { - actorSystem.actorSelection("/user/" + OCSP_CLIENT_JOB).tell(OcspClientJob.CANCEL, ActorRef.noSender()); - actorSystem.actorSelection("/user/" + OCSP_CLIENT_JOB).tell(OcspClientWorker.EXECUTE, ActorRef.noSender()); } @Override diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java index d2522e004a..1c5369b6e0 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java 
@@ -26,15 +26,24 @@ package ee.ria.xroad.signer; import ee.ria.xroad.common.SystemProperties; +import ee.ria.xroad.signer.certmanager.OcspClientWorker; +import ee.ria.xroad.signer.job.OcspClientExecuteScheduler; import akka.actor.ActorSystem; import com.typesafe.config.Config; import com.typesafe.config.ConfigFactory; import com.typesafe.config.ConfigValueFactory; +import lombok.extern.slf4j.Slf4j; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ComponentScan; +import org.springframework.context.annotation.Condition; +import org.springframework.context.annotation.ConditionContext; +import org.springframework.context.annotation.Conditional; import org.springframework.context.annotation.Configuration; +import org.springframework.core.type.AnnotatedTypeMetadata; +import org.springframework.scheduling.TaskScheduler; import org.springframework.scheduling.annotation.EnableScheduling; +import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler; import static ee.ria.xroad.signer.protocol.ComponentNames.SIGNER; 
@@ -56,4 +65,34 @@ private static Config getConf(int signerPort) { ConfigValueFactory.fromAnyRef(signerPort)); } + @Bean + OcspClientWorker ocspClientWorker() { + return new OcspClientWorker(); + } + + @Bean + TaskScheduler taskScheduler() { + return new ThreadPoolTaskScheduler(); + } + + @Bean(name = "ocspClientExecuteScheduler") + @Conditional(IsOcspClientJobsActive.class) + OcspClientExecuteScheduler ocspClientExecuteScheduler(OcspClientWorker ocspClientWorker, TaskScheduler taskScheduler) { + OcspClientExecuteScheduler scheduler = new OcspClientExecuteScheduler(ocspClientWorker, taskScheduler); + scheduler.init(); + return scheduler; + } + + @Slf4j + public static class IsOcspClientJobsActive implements Condition { + @Override + public boolean matches(ConditionContext context, AnnotatedTypeMetadata metadata) { + boolean isActive = SystemProperties.isOcspResponseRetrievalActive(); + if (!isActive) { + log.info("OCSP-retrieval configured to be inactive, job auto-scheduling disabled"); + } + return isActive; + } + } + } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java index 64da8fd3b2..b95aa42bb1 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java @@ -32,7 +32,7 @@ import ee.ria.xroad.common.util.AdminPort; import ee.ria.xroad.common.util.JsonUtils; import ee.ria.xroad.signer.certmanager.OcspClientWorker; -import ee.ria.xroad.signer.util.SignerUtil; +import ee.ria.xroad.signer.job.OcspClientExecuteScheduler; import akka.actor.ActorSystem; import akka.actor.CoordinatedShutdown; 
@@ -51,7 +51,6 @@ import static ee.ria.xroad.common.SystemProperties.CONF_FILE_NODE; import static ee.ria.xroad.common.SystemProperties.CONF_FILE_PROXY; import static ee.ria.xroad.common.SystemProperties.CONF_FILE_SIGNER; -import static ee.ria.xroad.signer.protocol.ComponentNames.OCSP_CLIENT; /** * Signer main program. @@ -97,7 +96,7 @@ public static void main(String[] args) throws Exception { } private static void startup() throws Exception { - long start=System.currentTimeMillis(); + long start = System.currentTimeMillis(); Version.outputVersionInfo(APP_NAME); int signerPort = SystemProperties.getSignerPort(); log.info("Starting Signer on port {}...", signerPort); @@ -107,7 +106,15 @@ private static void startup() throws Exception { actorSystem = springCtx.getBean(ActorSystem.class); signer = new Signer(actorSystem); - adminPort = createAdminPort(SystemProperties.getSignerAdminPort()); + + OcspClientExecuteScheduler ocspClientExecuteScheduler = null; + if (springCtx.containsBean("ocspClientExecuteScheduler")) { + ocspClientExecuteScheduler = springCtx.getBean(OcspClientExecuteScheduler.class); + } + + adminPort = createAdminPort(SystemProperties.getSignerAdminPort(), + springCtx.getBean(OcspClientWorker.class), + ocspClientExecuteScheduler); CoordinatedShutdown.get(actorSystem).addJvmShutdownHook(SignerMain::shutdown); signer.start(); adminPort.start(); @@ -122,7 +129,7 @@ private static void initGrpc() throws Exception { RpcServer.init(port, builder -> { springCtx.getBeansOfType(io.grpc.BindableService.class).forEach((s, bindableService) -> { - log.info("Registering {} gRPC service.",bindableService.getClass().getSimpleName()); + log.info("Registering {} gRPC service.", bindableService.getClass().getSimpleName()); builder.addService(bindableService); }); }); 
@@ -151,14 +158,19 @@ private static void shutdown() { } - private static AdminPort createAdminPort(int signerPort) { + private static AdminPort createAdminPort(int signerPort, OcspClientWorker ocspClientWorker, + OcspClientExecuteScheduler ocspClientExecuteScheduler) { AdminPort port = new AdminPort(signerPort); port.addHandler("/execute", new AdminPort.SynchronousCallback() { @Override public void handle(HttpServletRequest request, HttpServletResponse response) { try { - signer.execute(); + if (ocspClientExecuteScheduler != null) { + ocspClientExecuteScheduler.execute(); + } else { + ocspClientWorker.execute(null); + } } catch (Exception ex) { log.error("error occurred in execute handler", ex); } @@ -171,9 +183,7 @@ public void handle(HttpServletRequest request, HttpServletResponse response) { log.info("handler /status"); CertificationServiceDiagnostics diagnostics = null; try { - Object value = SignerUtil.ask( - actorSystem.actorSelection("/user/" + OCSP_CLIENT), OcspClientWorker.DIAGNOSTICS); - diagnostics = (CertificationServiceDiagnostics) value; + diagnostics = ocspClientWorker.getDiagnostics(); if (diagnostics != null) { diagnosticsDefault = diagnostics; } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspClientWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspClientWorker.java index 08ef2dd3ba..b69291152c 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspClientWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspClientWorker.java 
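Review bot: The `/execute` handler now runs `ocspClientWorker.execute(null)` on the admin-port request thread whenever the scheduler bean is absent, and `/status` hands out the worker's live diagnostics object through `getDiagnostics()`. With the actor mailbox gone, nothing visible in this patch serializes those calls against a scheduled refresh or a second admin request. Two refresh cycles can therefore overlap, and the diagnostics object can be read while it is being updated. Unless `CertificationServiceDiagnostics` and the worker's state are already thread-safe (not visible here), serialize the entry points, for instance by making `execute` and `reload` in OcspClientWorker `synchronized` or by routing the fallback through the `TaskScheduler`. The `if (diagnostics != null)` check in `/status` is now always true, because the field behind `getDiagnostics()` is final and initialized inline.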
@@ -37,15 +37,11 @@ import ee.ria.xroad.common.ocsp.OcspVerifier; import ee.ria.xroad.common.ocsp.OcspVerifierOptions; import ee.ria.xroad.common.util.CertUtils; -import ee.ria.xroad.signer.OcspClientJob; import ee.ria.xroad.signer.TemporaryHelper; -import ee.ria.xroad.signer.certmanager.OcspResponseManager.IsCachedOcspResponse; +import ee.ria.xroad.signer.job.OcspClientExecuteScheduler; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import ee.ria.xroad.signer.util.AbstractSignerActor; -import ee.ria.xroad.signer.util.SignerUtil; -import akka.actor.ActorRef; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; import org.bouncycastle.cert.ocsp.OCSPException; @@ -73,67 +69,31 @@ import static ee.ria.xroad.common.util.CryptoUtils.calculateCertHexHash; import static ee.ria.xroad.common.util.CryptoUtils.encodeBase64; import static ee.ria.xroad.common.util.CryptoUtils.readCertificate; -import static ee.ria.xroad.signer.protocol.ComponentNames.OCSP_CLIENT_JOB; -import static ee.ria.xroad.signer.tokenmanager.ServiceLocator.getOcspResponseManager; import static java.util.Collections.emptyList; /** * This class is responsible for retrieving the OCSP responses from the OCSP * server and providing the responses to the message signer. - * + *

* The certificate status is queried from the server at a fixed interval. */ @Slf4j @RequiredArgsConstructor -public class OcspClientWorker extends AbstractSignerActor { - - public static final String EXECUTE = "Execute"; - public static final String RELOAD = "Reload"; - public static final String DIAGNOSTICS = "Diagnostics"; - public static final String FAILED = "Failed"; - public static final String SUCCESS = "Success"; - public static final String GLOBAL_CONF_INVALIDATED = "GlobalConfInvalidated"; - +public class OcspClientWorker { private static final String OCSP_FRESHNESS_SECONDS = "ocspFreshnessSeconds"; private static final String VERIFY_OCSP_NEXTUPDATE = "verifyOcspNextUpdate"; private static final String OCSP_FETCH_INTERVAL = "ocspFetchInterval"; - private static final String OCSP_CLIENT_JOB_PATH = "/user/" + OCSP_CLIENT_JOB; - - private GlobalConfChangeChecker changeChecker; + private final GlobalConfChangeChecker changeChecker = new GlobalConfChangeChecker(); - private CertificationServiceDiagnostics certServDiagnostics; + private final CertificationServiceDiagnostics certServDiagnostics = new CertificationServiceDiagnostics(); - @Override - public void preStart() throws Exception { - super.preStart(); - changeChecker = new GlobalConfChangeChecker(); - certServDiagnostics = new CertificationServiceDiagnostics(); + public CertificationServiceDiagnostics getDiagnostics() { + return certServDiagnostics; } - @Override - public void onReceive(Object message) throws Exception { - if (EXECUTE.equals(message)) { - handleExecute(); - } else if (RELOAD.equals(message)) { - handleReload(); - } else if (DIAGNOSTICS.equals(message)) { - handleDiagnostics(); - } else { - if (message instanceof Exception) { - log.error("received Exception message", ((Exception) message)); - } - - unhandled(message); - } - } - - void handleDiagnostics() { - getSender().tell(certServDiagnostics, getSelf()); - } - - void handleReload() { - log.trace("handleReload()"); + public void 
reload(OcspClientExecuteScheduler ocspClientExecuteScheduler) { + log.trace("reload()"); log.debug("Checking global configuration for validity and extension changes"); GlobalConf.reload(); @@ -171,37 +131,27 @@ void handleReload() { } if (sendExecute) { log.info("Launching a new OCSP-response refresh due to change in OcspFetchInterval"); - log.debug("sending cancel"); - - getContext().actorSelection(OCSP_CLIENT_JOB_PATH).tell(OcspClientJob.CANCEL, ActorRef.noSender()); - log.debug("sending execute"); - - getContext().actorSelection(OCSP_CLIENT_JOB_PATH).tell(OcspClientWorker.EXECUTE, ActorRef.noSender()); + ocspClientExecuteScheduler.execute(); } else if (sendReschedule) { log.info("Rescheduling a new OCSP-response refresh due to " + "change in global configuration's additional parameters"); - log.debug("sending cancel"); - - getContext().actorSelection(OCSP_CLIENT_JOB_PATH).tell(OcspClientJob.CANCEL, ActorRef.noSender()); - log.debug("sending reschedule"); - - getContext().actorSelection(OCSP_CLIENT_JOB_PATH).tell(OcspClientJob.RESCHEDULE, ActorRef.noSender()); + ocspClientExecuteScheduler.reschedule(); } else { log.debug("No global configuration extension changes detected"); } } - void handleExecute() { - log.trace("handleExecute()"); + public void execute(OcspClientExecuteScheduler ocspClientExecuteScheduler) { + log.trace("execute()"); log.info("OCSP-response refresh cycle started"); if (!GlobalConf.isValid()) { log.debug("invalid global conf, returning"); - - getSender().tell(GLOBAL_CONF_INVALIDATED, getSelf()); - + if (ocspClientExecuteScheduler != null) { + ocspClientExecuteScheduler.globalConfInvalidated(); + } return; } @@ -215,7 +165,7 @@ void handleExecute() { log.info("Fetching OCSP responses for {} certificates", certs.size()); - Boolean failed = false; + boolean failed = false; Map statuses = new HashMap<>(); for (X509Certificate subject : certs) { 
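Review bot: In the `@@ -171,37 +131,27 @@` hunk, `reload(...)` calls `ocspClientExecuteScheduler.execute()` and `ocspClientExecuteScheduler.reschedule()` without a null check. `execute(...)` in the same class treats a null scheduler as supported (`if (ocspClientExecuteScheduler != null)`), and SignerMain passes `null` when the scheduler bean is absent. If any caller can reach `reload` with a null scheduler, a change of the fetch interval in global configuration ends in a NullPointerException; the callers are outside this hunk, so this needs confirming. Either apply the same guard in `reload` or add Javadoc to both public methods stating the contract, e.g. `@param ocspClientExecuteScheduler scheduler to notify of the outcome, or null when job scheduling is disabled`.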
@@ -234,11 +184,12 @@ void handleExecute() { log.error("Error when querying certificate '{}'", subject.getSerialNumber(), e); } } - - if (failed) { - getSender().tell(FAILED, getSelf()); - } else { - getSender().tell(SUCCESS, getSelf()); + if (ocspClientExecuteScheduler != null) { + if (failed) { + ocspClientExecuteScheduler.failure(); + } else { + ocspClientExecuteScheduler.success(); + } } try { @@ -348,7 +299,7 @@ OCSPResp queryCertStatus(X509Certificate subject, OcspVerifierOptions verifierOp } private void reportOcspDiagnostics(X509Certificate issuer, String responderURI, int statusCode, - OffsetDateTime prevUpdate, OffsetDateTime nextUpdate) { + OffsetDateTime prevUpdate, OffsetDateTime nextUpdate) { OcspResponderStatus responderStatus = new OcspResponderStatus(statusCode, responderURI, prevUpdate, nextUpdate); @@ -378,9 +329,6 @@ void updateCertStatuses(Map statuses) throws Exception { responses.add(encodeBase64(e.getValue().getEncoded())); } -// getOcspResponseManager(getContext()).tell(new SetOcspResponses(hashes.toArray( -// new String[statuses.size()]), responses.toArray(new String[statuses.size()])), getSelf()); - SetOcspResponsesReq setOcspResponsesReq = SetOcspResponsesReq.newBuilder() .addAllCertHashes(hashes) .addAllBase64EncodedResponses(responses) 
@@ -428,21 +376,10 @@ boolean isCertValid(X509Certificate subject) { } } - boolean isCachedOcspResponse(String certHash) throws Exception { + boolean isCachedOcspResponse(String certHash) { // Check if the OCSP response is in the cache Date atDate = new Date(); - Object isCachedOcspResponseObject = SignerUtil.ask(getOcspResponseManager(getContext()), - new IsCachedOcspResponse(certHash, atDate)); - - if (isCachedOcspResponseObject instanceof Exception) { - Exception e = (Exception) isCachedOcspResponseObject; - - log.debug("cannot figure out if IsCachedOcspResponse"); - - throw e; - } - - Boolean isCachedOcspResponse = (Boolean) isCachedOcspResponseObject; + boolean isCachedOcspResponse = TemporaryHelper.getOcspResponseManager().handleIsCachedOcspResponse(certHash, atDate); log.trace("isCachedOcspResponse(certHash: {}, atDate: {}) = {}", certHash, atDate, isCachedOcspResponse); @@ -481,7 +418,7 @@ private void initializeDiagnostics() { try { final String key = caCertificate.getSubjectDN().toString(); final CertificationServiceStatus serviceStatus = serviceStatusMap - .computeIfAbsent(key, k -> new CertificationServiceStatus(k)); + .computeIfAbsent(key, CertificationServiceStatus::new); final List addresses = GlobalConf.getOcspResponderAddressesForCaCertificate(caCertificate); final Map responderStatusMap = serviceStatus.getOcspResponderStatusMap(); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspResponseManager.java b/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspResponseManager.java index 547a964dbe..d2f6271725 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspResponseManager.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspResponseManager.java 
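Review bot: `isCachedOcspResponse` now calls `TemporaryHelper.getOcspResponseManager().handleIsCachedOcspResponse(certHash, atDate)` directly on the caller's thread, where the removed `SignerUtil.ask(...)` went through the actor's mailbox. `OcspResponseManager` still extends `AbstractSignerActor` and still serves `GetOcspResponses` in `onReceive`, so the response cache and `TokenManager.setOcspResponse` can now be reached from two threads at once. Whether `FileBasedOcspCache` is safe for concurrent use is not visible here; it should be confirmed, or the manager method made `synchronized`. If the helper can return null before the manager is started, this line fails with a bare NullPointerException, so a guard with a clear message would help diagnosis.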
@@ -36,12 +36,10 @@ import akka.actor.ActorSystem; import akka.actor.Props; import lombok.RequiredArgsConstructor; -import lombok.Value; import lombok.extern.slf4j.Slf4j; import org.bouncycastle.cert.ocsp.OCSPResp; import org.niis.xroad.signer.proto.SetOcspResponsesReq; -import java.io.Serializable; import java.security.cert.X509Certificate; import java.util.Date; import java.util.Map.Entry; @@ -69,16 +67,6 @@ @Slf4j public class OcspResponseManager extends AbstractSignerActor { - /** - * Value object for checking if certificate has OCSP response at - * specified date. - */ - @Value - public static class IsCachedOcspResponse implements Serializable { - private final String certHash; - private final Date atDate; - } - /** Maps a certificate hash to an OCSP response. */ private final FileBasedOcspCache responseCache = new FileBasedOcspCache(); @@ -151,10 +139,6 @@ public void onReceive(Object message) throws Exception { try { if (message instanceof GetOcspResponses) { handleGetOcspResponses((GetOcspResponses) message); -// } else if (message instanceof SetOcspResponses) { -// handleSetOcspResponses((SetOcspResponses) message); - } else if (message instanceof IsCachedOcspResponse) { - handleIsCachedOcspResponse((IsCachedOcspResponse) message); } else { unhandled(message); } @@ -163,7 +147,7 @@ public void onReceive(Object message) throws Exception { } } - void handleGetOcspResponses(GetOcspResponses message) throws Exception { + void handleGetOcspResponses(GetOcspResponses message) { log.trace("handleGetOcspResponses()"); Props props = Props.create(GetOcspResponseHandler.class, this); 
@@ -179,14 +163,13 @@ public void handleSetOcspResponses(SetOcspResponsesReq message) throws Exception } } - void handleIsCachedOcspResponse(IsCachedOcspResponse message) - throws Exception { - OCSPResp response = responseCache.get(message.getCertHash(), message.getAtDate()); - TokenManager.setOcspResponse(message.getCertHash(), response); - sendResponse(Boolean.FALSE); + public boolean handleIsCachedOcspResponse(String certHash, Date date) { + OCSPResp response = responseCache.get(certHash, date); + TokenManager.setOcspResponse(certHash, response); + return Boolean.FALSE; } - OCSPResp getResponse(String certHash) throws Exception { + OCSPResp getResponse(String certHash) { return responseCache.get(certHash); } @@ -205,7 +188,7 @@ private static class GetOcspResponseHandler extends AbstractSignerActor { private final OcspResponseManager manager; @Override - public void onReceive(Object message) throws Exception { + public void onReceive(Object message) { try { if (message instanceof String[]) { // cert hashes handleGetOcspResponses((String[]) message); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/job/OcspClientExecuteScheduler.java b/src/signer/src/main/java/ee/ria/xroad/signer/job/OcspClientExecuteScheduler.java new file mode 100644 index 0000000000..1f7c545ac8 --- /dev/null +++ b/src/signer/src/main/java/ee/ria/xroad/signer/job/OcspClientExecuteScheduler.java 
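Review bot: `handleIsCachedOcspResponse` is declared to return `boolean` but ends with `return Boolean.FALSE;`, so it reports "not cached" for every certificate whatever `responseCache.get(certHash, date)` returned. The removed actor version also sent `Boolean.FALSE`, so this may be deliberate to force a fresh OCSP fetch, but nothing in the method says so and the name reads like a cache query. I would write `return false;` and add a comment such as `// always false: callers refetch; this call only copies a cached response into TokenManager`, or return `response != null` if a cache hit is meant to skip the fetch. `response` is passed to `TokenManager.setOcspResponse` unchecked and is presumably null on a cache miss, which the same comment should mention.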
@@ -0,0 +1,122 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ + +package ee.ria.xroad.signer.job; + +import ee.ria.xroad.common.SystemProperties; +import ee.ria.xroad.signer.certmanager.OcspClientWorker; + +import lombok.RequiredArgsConstructor; +import lombok.extern.slf4j.Slf4j; +import org.springframework.scheduling.TaskScheduler; + +import java.time.Duration; +import java.util.concurrent.ScheduledFuture; + +import static java.time.temporal.ChronoUnit.SECONDS; + +@Slf4j +@RequiredArgsConstructor +public class OcspClientExecuteScheduler { + private static final Duration RECOVER_FROM_INVALID_GLOBALCONF_DELAY = Duration.of(60, SECONDS); + private static final Duration INITIAL_DELAY = Duration.of(5, SECONDS); + + private final OcspClientWorker ocspClientWorker; + private final TaskScheduler taskScheduler; + + private ScheduledFuture scheduledFuture; + private boolean retryMode; + + public void init() { + reschedule(INITIAL_DELAY); + } + + private Duration getNextDelay() { + final int retryDelay = SystemProperties.getOcspResponseRetryDelay(); + if (retryMode && retryDelay < OcspClientWorker.getNextOcspFetchIntervalSeconds()) { + return Duration.of(retryDelay, SECONDS); + } + return Duration.of(OcspClientWorker.getNextOcspFetchIntervalSeconds(), SECONDS); + } + + public void success() { + log.debug("received message OcspClientJob.SUCCESS"); + log.info("OCSP-response refresh cycle successfully completed, continuing with normal scheduling"); + retryMode = false; + } + + public void failure() { + log.debug("received message OcspClientJob.FAILED"); + if (!retryMode) { + log.info("OCSP-response refresh cycle failed, switching to retry backoff schedule"); + retryMode = true; + reschedule(getNextDelay()); + } else { + log.info("OCSP-response refresh retry failed, continuing along backoff schedule"); + } + } + + public void globalConfInvalidated() { + log.debug("received message OcspClientWorker.GLOBAL_CONF_INVALIDATED"); + log.info("OCSP-response refresh cycle failed due to invalid global configuration, " + + "switching to global 
configuration recovery schedule"); + // attempted to execute OCSP refresh, but global conf was + // invalid at that time -> reschedule + reschedule(RECOVER_FROM_INVALID_GLOBALCONF_DELAY); + retryMode = false; + } + + public void execute() { + reschedule(Duration.ZERO); + } + + private void runJob() { + try { + ocspClientWorker.execute(this); + } finally { + reschedule(getNextDelay()); + } + } + + public void reschedule() { + log.debug("received message OcspClientWorker.RESCHEDULE"); + log.info("OCSP-response refresh cycle rescheduling"); + this.reschedule(getNextDelay()); + } + + private void cancelNext() { + if (this.scheduledFuture != null) { + this.scheduledFuture.cancel(false); + } + } + + private void reschedule(Duration delay) { + cancelNext(); + log.trace("Rescheduling job after {}", delay); + this.scheduledFuture = taskScheduler.schedule(this::runJob, taskScheduler.getClock().instant().plus(delay)); + } + +} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/OcspRetrievalJob.java b/src/signer/src/main/java/ee/ria/xroad/signer/job/OcspClientReloadJob.java similarity index 63% rename from src/signer/src/main/java/ee/ria/xroad/signer/OcspRetrievalJob.java rename to src/signer/src/main/java/ee/ria/xroad/signer/job/OcspClientReloadJob.java index fa9e078f4a..e9aedaeb4f 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/OcspRetrievalJob.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/job/OcspClientReloadJob.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
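Review bot: The 60-second recovery delay set in `globalConfInvalidated()` never takes effect: `runJob()` calls `ocspClientWorker.execute(this)`, the worker calls back `globalConfInvalidated()` on this same object, and the `finally` block then runs `reschedule(getNextDelay())`, which cancels the recovery task that was just scheduled. `scheduledFuture` and `retryMode` are also plain fields, written on the scheduler thread in `runJob()` and on whichever thread calls the public `execute()` and `reschedule()` (the reload job, via `OcspClientWorker.reload`), so `cancelNext()` followed by `schedule(...)` can interleave and leave two pending runs. Because this chain is what keeps certificate revocation status fresh, I would serialise the rescheduling and let `runJob()` keep a delay chosen by a callback, as sketched below. If `getNextDelay()` throws inside `finally`, no further run is scheduled at all; that case should be logged and fall back to a fixed delay.

```java
private volatile boolean recoveryScheduled;

public synchronized void globalConfInvalidated() {
    // … unchanged: log messages …
    reschedule(RECOVER_FROM_INVALID_GLOBALCONF_DELAY);
    retryMode = false;
    recoveryScheduled = true;
}

private void runJob() {
    recoveryScheduled = false;
    try {
        ocspClientWorker.execute(this);
    } finally {
        // Keep the recovery delay if the worker reported an invalid global configuration.
        if (!recoveryScheduled) {
            reschedule(getNextDelay());
        }
    }
}

private synchronized void reschedule(Duration delay) {
    // … unchanged: cancelNext() and taskScheduler.schedule(...) …
}
```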
@@ -23,32 +23,31 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ -package ee.ria.xroad.signer; -import ee.ria.xroad.common.SystemProperties; -import ee.ria.xroad.signer.util.VariableIntervalPeriodicJob; +package ee.ria.xroad.signer.job; +import ee.ria.xroad.signer.SignerConfig; +import ee.ria.xroad.signer.certmanager.OcspClientWorker; + +import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; +import org.springframework.context.annotation.Conditional; +import org.springframework.scheduling.annotation.Scheduled; +import org.springframework.stereotype.Component; -/** - * Base class for variable interval periodic jobs relating to OCSP-retrieval. Automatic preStart scheduling can be - * disabled based on the signer configuration to prevent unnecessary OCSP-retrieval attempts on central server or - * configuration proxy signers. - */ @Slf4j -public abstract class OcspRetrievalJob extends VariableIntervalPeriodicJob { +@RequiredArgsConstructor +@Component +@Conditional(SignerConfig.IsOcspClientJobsActive.class) +public class OcspClientReloadJob { - OcspRetrievalJob(String actor, Object message) { - super(actor, message); - } + private final OcspClientWorker ocspClientWorker; + private final OcspClientExecuteScheduler ocspClientExecuteScheduler; - @Override - public void preStart() throws Exception { - if (SystemProperties.isOcspResponseRetrievalActive()) { - super.preStart(); - } else { - log.info("OCSP-retrieval configured to be inactive, job auto-scheduling disabled"); - } + @Scheduled(initialDelay = 100, fixedDelay = 60_000) + public void reload() { + log.trace("OcspClientReloadJob triggered"); + ocspClientWorker.reload(ocspClientExecuteScheduler); } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/util/VariableIntervalPeriodicJob.java b/src/signer/src/main/java/ee/ria/xroad/signer/util/VariableIntervalPeriodicJob.java deleted file mode 100644 index 10befa212d..0000000000 
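Review bot: `OcspClientReloadJob` has no class comment, and the Javadoc deleted with `OcspRetrievalJob` was the only text explaining why OCSP jobs can be switched off (central server and configuration proxy signers). That decision now sits in `@Conditional(SignerConfig.IsOcspClientJobsActive.class)`, so I would add `/** Reloads global configuration for the OCSP client once a minute; registered only when SignerConfig.IsOcspClientJobsActive matches. */` above the class. The removed `preStart` also logged "OCSP-retrieval configured to be inactive, job auto-scheduling disabled"; unless the condition class logs an equivalent line (not visible here), operators lose the signal that revocation checking is not being refreshed on this node.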
--- a/src/signer/src/main/java/ee/ria/xroad/signer/util/VariableIntervalPeriodicJob.java
+++ /dev/null
@@ -1,97 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.util; - -import akka.actor.ActorRef; -import akka.actor.Cancellable; -import akka.actor.UntypedAbstractActor; -import lombok.RequiredArgsConstructor; -import lombok.extern.slf4j.Slf4j; -import scala.concurrent.duration.FiniteDuration; - -import java.util.concurrent.TimeUnit; - -/** - * Periodic job with potentially variable interval. The next interval is - * calculated after each time the job is run. 
- */ -@Slf4j -@RequiredArgsConstructor -public abstract class VariableIntervalPeriodicJob extends UntypedAbstractActor { - - private final String actor; - private final Object message; - - private Cancellable nextSend; - - @Override - public void onReceive(Object incoming) throws Exception { - if (incoming.equals(this.message)) { - log.debug("received message {}", this.message); - getContext().actorSelection("/user/" + actor).tell(incoming, - getSelf()); - scheduleNextSend(getNextDelay()); - } else { - log.debug("received an unknown message: {}, no handling defined", incoming); - unhandled(incoming); - } - } - - @Override - public void preStart() throws Exception { - scheduleNextSend(getInitialDelay()); - } - - @Override - public void postStop() { - cancelNextSend(); - } - - protected void scheduleNextSend(FiniteDuration delay) { - log.debug("next '{}' message in {} seconds", message, delay.toSeconds()); - nextSend = getContext().system().scheduler().scheduleOnce(delay, - this::sendMessage, getContext().dispatcher()); - } - - protected void sendMessage() { - getSelf().tell(message, ActorRef.noSender()); - } - - protected FiniteDuration getInitialDelay() { - return FiniteDuration.create(1, TimeUnit.SECONDS); - } - - protected abstract FiniteDuration getNextDelay(); - - protected void cancelNextSend() { - if (nextSend != null) { - if (!nextSend.isCancelled()) { - boolean result = nextSend.cancel(); - log.debug("cancelNextSend called, cancel() return value: {}", result); - } - } - } -} From 70f42019b7712c0f9f014a436e14236392ede154 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Fri, 1 Sep 2023 20:31:03 +0300 Subject: [PATCH 039/127] chore: add additional signer tests Refs: XRDDEV-2468 --- .../xroad/common/test/api/TestCaFeignApi.java | 2 - .../configuration/TestCaConfiguration.java | 37 +++ .../xroad/common/test/glue/BaseStepDefs.java | 47 ++++ .../common/test}/glue/TestCaStepDefs.java | 22 +- .../util/FilePasswordStoreProvider.java | 22 +- .../xroad/ss/test/ui/glue/BaseUiStepDefs.java | 42 +--- .../resources/application-override.yml | 2 +- .../signer/test/glue/SignerStepDefs.java | 204 ++++++++++++----- .../resources/application-override.yml | 2 +- .../0100-signer-software-token.feature | 143 ++++++++++++ .../resources/behavior/0100-signer.feature | 115 ---------- .../0200-signer-hardware-token.feature | 215 +++++++++--------- .../resources/container-files/Dockerfile | 2 +- .../globalconf/cs/fetchinterval-params.xml | 3 + .../xroad/globalconf/cs/private-params.xml | 6 +- .../etc/xroad/globalconf/cs/shared-params.xml | 4 +- .../etc/xroad/signer/signer-logback.xml | 2 +- .../signer/protocol/dto/CertRequestInfo.java | 14 +- .../signer/protocol/dto/CertificateInfo.java | 18 +- .../xroad/signer/protocol/dto/KeyInfo.java | 16 +- .../xroad/signer/protocol/dto/TokenInfo.java | 24 +- .../protocol/dto/TokenInfoAndKeyId.java | 11 +- src/signer/build.gradle | 3 +- 23 files changed, 597 insertions(+), 359 deletions(-) create mode 100644 src/common/common-int-test/src/main/java/org/niis/xroad/common/test/configuration/TestCaConfiguration.java create mode 100644 src/common/common-int-test/src/main/java/org/niis/xroad/common/test/glue/BaseStepDefs.java rename src/{security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui => common/common-int-test/src/main/java/org/niis/xroad/common/test}/glue/TestCaStepDefs.java (84%) create mode 100644 src/signer-protocol/src/intTest/resources/behavior/0100-signer-software-token.feature delete mode 100644 
src/signer-protocol/src/intTest/resources/behavior/0100-signer.feature create mode 100644 src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/fetchinterval-params.xml diff --git a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/api/TestCaFeignApi.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/api/TestCaFeignApi.java index 1f7d4d4f72..52c60497f2 100644 --- a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/api/TestCaFeignApi.java +++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/api/TestCaFeignApi.java @@ -26,7 +26,6 @@ */ package org.niis.xroad.common.test.api; -import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.cloud.openfeign.FeignClient; import org.springframework.http.MediaType; import org.springframework.http.ResponseEntity; @@ -35,7 +34,6 @@ import org.springframework.web.bind.annotation.RequestPart; import org.springframework.web.multipart.MultipartFile; -@ConditionalOnProperty(value = "test-automation.containers.context-containers.ca-server.enabled", havingValue = "true") @FeignClient(name = "testCaFeignApi", url = "http://localhost", path = "/testca") public interface TestCaFeignApi { diff --git a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/configuration/TestCaConfiguration.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/configuration/TestCaConfiguration.java new file mode 100644 index 0000000000..be8471db48 --- /dev/null +++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/configuration/TestCaConfiguration.java 
@@ -0,0 +1,37 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ +package org.niis.xroad.common.test.configuration; + +import org.niis.xroad.common.test.api.TestCaFeignApi; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.cloud.openfeign.EnableFeignClients; +import org.springframework.context.annotation.Configuration; + +@Configuration +@ConditionalOnProperty(value = "test-automation.containers.context-containers.ca-server.enabled", havingValue = "true") +@EnableFeignClients(clients = TestCaFeignApi.class) +public class TestCaConfiguration { +} diff --git a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/glue/BaseStepDefs.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/glue/BaseStepDefs.java new file mode 100644 index 0000000000..ce0448de78 --- /dev/null +++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/glue/BaseStepDefs.java 
@@ -0,0 +1,47 @@ +package org.niis.xroad.common.test.glue; + +import com.nortal.test.core.report.TestReportService; +import com.nortal.test.core.services.CucumberScenarioProvider; +import com.nortal.test.core.services.ScenarioContext; +import org.springframework.beans.factory.annotation.Autowired; + +import java.util.Optional; + +public class BaseStepDefs { + @Autowired + protected CucumberScenarioProvider scenarioProvider; + @Autowired + protected ScenarioContext scenarioContext; + @Autowired + protected TestReportService testReportService; + + /** + * Put a value in scenario context. Value can be accessed through getStepData. + * + * @param key value key. Non-null. + * @param value value + */ + protected void putStepData(StepDataKey key, Object value) { + scenarioContext.putStepData(key.name(), value); + } + + /** + * Get value from scenario context. + * + * @param key value key + * @return value from the context + */ + protected Optional getStepData(StepDataKey key) { + return Optional.ofNullable(scenarioContext.getStepData(key.name())); + } + + /** + * An enumerated key for data transfer between steps. + */ + public enum StepDataKey { + TOKEN_TYPE, + MANAGEMENT_REQUEST_ID, + DOWNLOADED_FILE, + CERT_FILE + } +} diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/glue/TestCaStepDefs.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/glue/TestCaStepDefs.java similarity index 84% rename from src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/glue/TestCaStepDefs.java rename to src/common/common-int-test/src/main/java/org/niis/xroad/common/test/glue/TestCaStepDefs.java index 29495ae58a..4bd1709c6f 100644 --- a/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/glue/TestCaStepDefs.java +++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/glue/TestCaStepDefs.java 
@@ -24,7 +24,7 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ -package org.niis.xroad.ss.test.ui.glue; +package org.niis.xroad.common.test.glue; import io.cucumber.java.en.Step; import lombok.SneakyThrows; @@ -43,17 +43,31 @@ import java.util.Optional; @Slf4j -public class TestCaStepDefs extends BaseUiStepDefs { +public class TestCaStepDefs extends BaseStepDefs { @Autowired private TestCaFeignApi testCaFeignApi; - @SneakyThrows + @Step("AUTH CSR is processed by test CA") + public void authCsrIsBeingProcessed() { + csrIsBeingProcessed(TestCaFeignApi.CsrType.AUTH); + } + + @Step("SIGN CSR is processed by test CA") + public void signCsrIsBeingProcessed() { + csrIsBeingProcessed(TestCaFeignApi.CsrType.SIGN); + } + @Step("CSR is processed by test CA") public void csrIsBeingProcessed() { + csrIsBeingProcessed(TestCaFeignApi.CsrType.AUTO); + } + + @SneakyThrows + private void csrIsBeingProcessed(TestCaFeignApi.CsrType csrType) { Optional csrFileOpt = getStepData(StepDataKey.DOWNLOADED_FILE); File csrFile = csrFileOpt.orElseThrow(); log.info("Processing downloaded file {}", csrFile); - ResponseEntity certResponse = testCaFeignApi.signCert(convert(csrFile), TestCaFeignApi.CsrType.AUTO); + ResponseEntity certResponse = testCaFeignApi.signCert(convert(csrFile), csrType); File cert = File.createTempFile("tmp", "cert" + System.currentTimeMillis()); FileUtils.writeByteArrayToFile(cert, certResponse.getBody()); diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java index 502178425e..790cb54257 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java 
@@ -50,10 +50,14 @@ public synchronized byte[] read(String pathnameForFtok, String id) throws Except log.warn("Reading password from {}. File exists? {}", file, file.exists()); if (file.exists()) { - return FileUtils.readFileToByteArray(file); - } else { - return null; + try { + return FileUtils.readFileToByteArray(file); + } catch (Exception e) { + log.warn("Failed to read passwordstore from file", e); + } } + + return null; } @Override @@ -61,10 +65,14 @@ public synchronized void write(String pathnameForFtok, String id, byte[] passwor var file = getFileById(id); log.warn("Writing password to {}", file); - if (Arrays.isNullOrEmpty(password)) { - FileUtils.delete(file); - } else { - FileUtils.writeByteArrayToFile(file, password, false); + try { + if (Arrays.isNullOrEmpty(password)) { + FileUtils.delete(file); + } else { + FileUtils.writeByteArrayToFile(file, password, false); + } + } catch (Exception e) { + log.warn("Failed to write to passwordstore", e); } } diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/glue/BaseUiStepDefs.java b/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/glue/BaseUiStepDefs.java index 3d34bbadd5..de5f7ed862 100644 --- a/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/glue/BaseUiStepDefs.java +++ b/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/glue/BaseUiStepDefs.java 
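Review bot: The new `catch (Exception e)` in `write` turns a failed `FileUtils.delete(file)` or `FileUtils.writeByteArrayToFile(...)` into a warning. A caller that clears a password therefore gets a normal return while the file may still hold it, and a caller that stores one may find nothing persisted. The same pattern in the `read` hunk makes an unreadable file indistinguishable from "no password stored", since both return null. I would let the I/O failure reach the caller: `read` already declares `throws Exception`, so its try/catch can simply be dropped, and in `write` catch only the narrow type, `} catch (IOException e) { throw new UncheckedIOException("Failed to update password store", e); }`. The `throws` clause of `write` is cut off in the hunk header and both method bodies continue outside their hunks, so the exact exception type should be chosen against the full signature.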
@@ -27,9 +27,7 @@ import com.codeborne.selenide.Selenide; import com.codeborne.selenide.SelenideElement; -import com.nortal.test.core.report.TestReportService; -import com.nortal.test.core.services.CucumberScenarioProvider; -import com.nortal.test.core.services.ScenarioContext; +import org.niis.xroad.common.test.glue.BaseStepDefs; import org.niis.xroad.ss.test.ui.TargetHostUrlProvider; import org.niis.xroad.ss.test.ui.container.MockServerService; import org.niis.xroad.ss.test.ui.page.CommonPageObj; @@ -37,26 +35,18 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.MediaType; -import java.util.Optional; - import static com.codeborne.selenide.Condition.empty; import static org.openqa.selenium.Keys.COMMAND; import static org.openqa.selenium.Keys.CONTROL; import static org.openqa.selenium.Keys.DELETE; @SuppressWarnings("SpringJavaAutowiredMembersInspection") -public abstract class BaseUiStepDefs { +public abstract class BaseUiStepDefs extends BaseStepDefs { protected final CommonPageObj commonPageObj = new CommonPageObj(); - @Autowired - protected CucumberScenarioProvider scenarioProvider; - @Autowired - protected ScenarioContext scenarioContext; @Autowired protected TargetHostUrlProvider targetHostUrlProvider; @Autowired - protected TestReportService testReportService; - @Autowired protected MockServerService mockServerService; /** 
@@ -83,37 +73,9 @@ protected void takeScreenshot(String screenshotName) { scenarioProvider.getCucumberScenario().attach(scr, MediaType.IMAGE_PNG_VALUE, screenshotName); } - /** - * Put a value in scenario context. Value can be accessed through getStepData. - * - * @param key value key. Non-null. - * @param value value - */ - protected void putStepData(StepDataKey key, Object value) { - scenarioContext.putStepData(key.name(), value); - } - - /** - * Get value from scenario context. - * - * @param key value key - * @return value from the context - */ - protected Optional getStepData(StepDataKey key) { - return Optional.ofNullable(scenarioContext.getStepData(key.name())); - } private boolean isMacOsBrowser() { return Selenide.webdriver().driver().getUserAgent().toUpperCase().contains("MAC OS"); } - /** - * An enumerated key for data transfer between steps. - */ - public enum StepDataKey { - TOKEN_TYPE, - MANAGEMENT_REQUEST_ID, - DOWNLOADED_FILE, - CERT_FILE - } } diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/resources/application-override.yml b/src/security-server/admin-service/ui-system-test/src/intTest/resources/application-override.yml index e24c713322..4929c4fff3 100755 --- a/src/security-server/admin-service/ui-system-test/src/intTest/resources/application-override.yml +++ b/src/security-server/admin-service/ui-system-test/src/intTest/resources/application-override.yml @@ -13,7 +13,7 @@ test-automation: execution: parallel: enabled: false # Tests are executed in sequential order - glue-append: "org.niis.xroad.ss.test.ui.glue" + glue-append: "org.niis.xroad.ss.test.ui.glue,org.niis.xroad.common.test.glue" filter: tags: "not @Skip" containers: diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java index 39813ec840..fb78d7782c 100644 
--- a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java +++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java @@ -40,18 +40,19 @@ import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyId; import ee.ria.xroad.signer.protocol.dto.TokenStatusInfo; -import com.nortal.test.core.report.TestReportService; import io.cucumber.java.en.Step; -import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; +import org.apache.commons.io.FileUtils; import org.apache.commons.io.IOUtils; +import org.apache.commons.lang3.StringUtils; import org.bouncycastle.cert.ocsp.CertificateStatus; import org.bouncycastle.cert.ocsp.OCSPResp; import org.bouncycastle.util.encoders.Base64; import org.junit.jupiter.api.Assertions; +import org.niis.xroad.common.test.glue.BaseStepDefs; import org.niis.xroad.signer.proto.CertificateRequestFormat; -import org.springframework.beans.factory.annotation.Autowired; +import java.io.File; import java.io.FileInputStream; import java.security.KeyFactory; import java.security.PublicKey; @@ -59,11 +60,15 @@ import java.security.spec.X509EncodedKeySpec; import java.util.Arrays; import java.util.Date; +import java.util.HashMap; import java.util.List; +import java.util.Map; +import java.util.Optional; import java.util.stream.Collectors; import static ee.ria.xroad.common.util.CryptoUtils.SHA256WITHRSA_ID; import static ee.ria.xroad.common.util.CryptoUtils.SHA256_ID; +import static ee.ria.xroad.common.util.CryptoUtils.SHA512WITHRSA_ID; import static ee.ria.xroad.common.util.CryptoUtils.calculateCertHexHash; import static ee.ria.xroad.common.util.CryptoUtils.calculateDigest; import static java.nio.charset.StandardCharsets.UTF_8; 
@@ -73,86 +78,140 @@ import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.fail; import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertTrue; @Slf4j -public class SignerStepDefs { - @Autowired - private TestReportService testReportService; - +public class SignerStepDefs extends BaseStepDefs { private String keyId; private String csrId; private String certHash; private CertificateInfo certInfo; private byte[] cert; + private final Map tokenLabelToIdMapping = new HashMap<>(); + private final Map tokenFriendlyNameToIdMapping = new HashMap<>(); + + @Step("tokens are listed") + public void listTokens() throws Exception { + var tokens = SignerProxy.getTokens(); + testReportService.attachJson("Tokens", tokens.toArray()); + + tokenLabelToIdMapping.clear(); + tokenFriendlyNameToIdMapping.clear(); + + tokens.forEach(token -> { + if (StringUtils.isNotBlank(token.getLabel())) { + tokenLabelToIdMapping.put(token.getLabel(), token.getId()); + } + if (StringUtils.isNotBlank(token.getFriendlyName())) { + tokenFriendlyNameToIdMapping.put(token.getFriendlyName(), token.getId()); + } + }); + } + @Step("signer is initialized with pin {string}") public void signerIsInitializedWithPin(String pin) throws Exception { SignerProxy.initSoftwareToken(pin.toCharArray()); } @Step("token {string} is not active") - public void tokenIsNotActive(String tokenId) throws Exception { - final TokenInfo tokenInfo = SignerProxy.getToken(tokenId); + public void tokenIsNotActive(String friendlyName) throws Exception { + final TokenInfo tokenInfo = getTokenInfoByFriendlyName(friendlyName); Assertions.assertFalse(tokenInfo.isActive()); } @Step("token {string} status is {string}") - public void assertTokenStatus(String tokenId, String status) throws Exception { - final TokenInfo token = SignerProxy.getToken(tokenId); + public void 
assertTokenStatus(String friendlyName, String status) throws Exception { + final TokenInfo token = getTokenInfoByFriendlyName(friendlyName); assertThat(token.getStatus()).isEqualTo(TokenStatusInfo.valueOf(status)); } @Step("tokens list contains token {string}") - public void tokensListContainsToken(String tokenId) throws Exception { + public void tokensListContainsToken(String friendlyName) throws Exception { + var tokens = SignerProxy.getTokens(); + + final TokenInfo tokenInfo = tokens.stream() + .filter(token -> token.getFriendlyName().equals(friendlyName)) + .findFirst() + .orElseThrow(); + assertThat(tokenInfo).isNotNull(); + } + + @Step("tokens list contains token with label {string}") + public void tokensListContainsTokenLabel(String label) throws Exception { var tokens = SignerProxy.getTokens(); - testReportService.attachText("Tokens", Arrays.toString(tokens.toArray())); + testReportService.attachJson("Tokens", tokens); final TokenInfo tokenInfo = tokens.stream() - .filter(token -> token.getId().equals(tokenId)) + .filter(token -> token.getLabel().equals(label)) .findFirst() .orElseThrow(); assertThat(tokenInfo).isNotNull(); } + @Step("token {string} is logged in with pin {string}") - public void tokenIsActivatedWithPin(String tokenId, String pin) throws Exception { + public void tokenIsActivatedWithPin(String friendlyName, String pin) throws Exception { + var tokenId = tokenFriendlyNameToIdMapping.get(friendlyName); SignerProxy.activateToken(tokenId, pin.toCharArray()); } @Step("token {string} is logged out") - public void tokenIsLoggedOut(String tokenId) throws Exception { + public void tokenIsLoggedOut(String friendlyName) throws Exception { + var tokenId = tokenFriendlyNameToIdMapping.get(friendlyName); SignerProxy.deactivateToken(tokenId); } - @SneakyThrows @Step("token {string} is active") - public void tokenIsActive(String tokenId) throws Exception { - var tokenInfo = SignerProxy.getToken(tokenId); - - testReportService.attachText("TokenInfo", 
tokenInfo.toString()); + public void tokenIsActive(String friendlyName) throws Exception { + var tokenInfo = getTokenInfoByFriendlyName(friendlyName); assertThat(tokenInfo.isActive()).isTrue(); } @Step("token {string} pin is updated from {string} to {string}") - public void tokenPinIsUpdatedFromTo(String tokenId, String oldPin, String newPin) throws Exception { + public void tokenPinIsUpdatedFromTo(String friendlyName, String oldPin, String newPin) throws Exception { + var tokenId = tokenFriendlyNameToIdMapping.get(friendlyName); SignerProxy.updateTokenPin(tokenId, oldPin.toCharArray(), newPin.toCharArray()); } - @Step("name {string} is set for token {string}") + @Step("token {string} pin is update from {string} to {string} fails with an error") + public void tokenPinIsUpdatedFromToError(String friendlyName, String oldPin, String newPin) throws Exception { + var tokenId = tokenFriendlyNameToIdMapping.get(friendlyName); + try { + SignerProxy.updateTokenPin(tokenId, oldPin.toCharArray(), newPin.toCharArray()); + } catch (CodedException codedException) { + assertException("Signer.InternalError", "", + "Signer.InternalError: Software token not found", codedException); + } + } + + @Step("name {string} is set for token with id {string}") public void nameIsSetForToken(String name, String tokenId) throws Exception { SignerProxy.setTokenFriendlyName(tokenId, name); } - @Step("token {string} name is {string}") + @Step("friendly name {string} is set for token with label {string}") + public void nameIsSetForTokenLabel(String name, String label) throws Exception { + var tokenId = tokenLabelToIdMapping.get(label); + SignerProxy.setTokenFriendlyName(tokenId, name); + } + + @Step("token with id {string} name is {string}") public void tokenNameIs(String tokenId, String name) throws Exception { assertThat(SignerProxy.getToken(tokenId).getFriendlyName()).isEqualTo(name); } + @Step("token with label {string} name is {string}") + public void tokenNameByLabelIs(String label, String 
name) throws Exception { + var tokenId = tokenLabelToIdMapping.get(label); + assertThat(SignerProxy.getToken(tokenId).getFriendlyName()).isEqualTo(name); + } + @Step("new key {string} generated for token {string}") - public void newKeyGeneratedForToken(String keyLabel, String tokenId) throws Exception { + public void newKeyGeneratedForToken(String keyLabel, String friendlyName) throws Exception { + var tokenId = tokenFriendlyNameToIdMapping.get(friendlyName); final KeyInfo keyInfo = SignerProxy.generateKey(tokenId, keyLabel); + testReportService.attachJson("keyInfo", keyInfo); this.keyId = keyInfo.getId(); } @@ -162,9 +221,9 @@ public void nameIsSetForGeneratedKey(String keyFriendlyName) throws Exception { } @Step("token {string} has exact keys {string}") - public void tokenHasKeys(String tokenId, String keyNames) throws Exception { + public void tokenHasKeys(String friendlyName, String keyNames) throws Exception { final List keys = Arrays.asList(keyNames.split(",")); - final TokenInfo token = SignerProxy.getToken(tokenId); + final TokenInfo token = getTokenInfoByFriendlyName(friendlyName); assertThat(token.getKeyInfo().size()).isEqualTo(keys.size()); 
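Review bot: `tokenPinIsUpdatedFromToError` passes when `SignerProxy.updateTokenPin` succeeds, because nothing follows the call inside the `try`, so the negative PIN-update path is never enforced. Add `fail("Exception expected");` as the last statement of the `try` block, as `signAlgorithmFail` already does in this file. The same gap is in `certRequestIsGeneratedForTokenKeyException` in the `@@ -226,15 +285,37 @@` hunk, which needs the same line after the delegated call. The step text also reads "pin is update from"; `pin is updated from` would match the wording of the positive step.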
@@ -176,17 +235,17 @@ public void tokenHasKeys(String tokenId, String keyNames) throws Exception { } @Step("key {string} is deleted from token {string}") - public void keyIsDeletedFromToken(String keyName, String tokenId) throws Exception { - final KeyInfo key = findKeyInToken(tokenId, keyName); + public void keyIsDeletedFromToken(String keyName, String friendlyName) throws Exception { + final KeyInfo key = findKeyInToken(friendlyName, keyName); SignerProxy.deleteKey(key.getId(), true); } - private KeyInfo findKeyInToken(String tokenId, String keyName) throws Exception { - var foundKeyInfo = SignerProxy.getToken(tokenId).getKeyInfo().stream() + private KeyInfo findKeyInToken(String friendlyName, String keyName) throws Exception { + var foundKeyInfo = getTokenInfoByFriendlyName(friendlyName).getKeyInfo().stream() .filter(keyInfo -> keyInfo.getFriendlyName().equals(keyName)) .findFirst() .orElseThrow(); - testReportService.attachText("Key [" + keyName + "]", foundKeyInfo.toString()); + testReportService.attachJson("Key [" + keyName + "]", foundKeyInfo); return foundKeyInfo; } @@ -213,8 +272,8 @@ private byte[] fileToBytes(String fileName) throws Exception { } @Step("self signed cert generated for token {string} key {string}, client {string}") - public void selfSignedCertGeneratedForTokenKeyForClient(String tokenId, String keyName, String client) throws Exception { - final KeyInfo keyInToken = findKeyInToken(tokenId, keyName); + public void selfSignedCertGeneratedForTokenKeyForClient(String friendlyName, String keyName, String client) throws Exception { + final KeyInfo keyInToken = findKeyInToken(friendlyName, keyName); cert = SignerProxy.generateSelfSignedCert(keyInToken.getId(), getClientId(client), KeyUsageInfo.SIGNING, "CN=" + client, Date.from(now().minus(5, DAYS)), Date.from(now().plus(5, DAYS))); 
@@ -226,15 +285,37 @@ private ClientId.Conf getClientId(String client) { return ClientId.Conf.create(parts[0], parts[1], parts[2]); } - @Step("cert request is generated for token {string} key {string} for client {string}") - public void certRequestIsGeneratedForTokenKey(String tokenId, String keyName, String client) throws Exception { - final KeyInfo key = findKeyInToken(tokenId, keyName); + @Step("the {} cert request is generated for token {string} key {string} for client {string} throws exception") + public void certRequestIsGeneratedForTokenKeyException(String keyUsage, String friendlyName, String keyName, String client) throws Exception { + try { + certRequestIsGeneratedForTokenKey(keyUsage, friendlyName, keyName, client); + } catch (CodedException codedException) { + assertException("Signer.WrongCertUsage", "auth_cert_under_softtoken", + "Signer.WrongCertUsage: Authentication certificate requests can only be created under software tokens", codedException); + } + } + + @Step("the {} cert request is generated for token {string} key {string} for client {string}") + public void certRequestIsGeneratedForTokenKey(String keyUsage, String friendlyName, String keyName, String client) throws Exception { + final KeyInfo key = findKeyInToken(friendlyName, keyName); final ClientId.Conf clientId = getClientId(client); - final SignerProxy.GeneratedCertRequestInfo csrInfo = - SignerProxy.generateCertRequest(key.getId(), clientId, KeyUsageInfo.SIGNING, - "CN=key-" + keyName, CertificateRequestFormat.DER); + SignerProxy.GeneratedCertRequestInfo csrInfo = SignerProxy.generateCertRequest(key.getId(), clientId, KeyUsageInfo.valueOf(keyUsage), + "CN=key-" + keyName, CertificateRequestFormat.DER); this.csrId = csrInfo.getCertReqId(); + + File csrFile = File.createTempFile("tmp", keyUsage.toLowerCase() + "_csr" + System.currentTimeMillis()); + FileUtils.writeByteArrayToFile(csrFile, csrInfo.getCertRequest()); + putStepData(StepDataKey.DOWNLOADED_FILE, csrFile); + } + + 
@Step("Generated certificate with initial status {string} is imported for client {string}") + public void importCertFromFile(String initialStatus, String client) throws Exception { + final Optional cert = getStepData(StepDataKey.CERT_FILE); + final ClientId.Conf clientId = getClientId(client); + final byte[] certBytes = FileUtils.readFileToByteArray(cert.orElseThrow()); + + keyId = SignerProxy.importCert(certBytes, initialStatus, clientId); } @Step("cert request is regenerated") @@ -243,15 +324,15 @@ public void certRequestIsRegenerated() throws Exception { } @Step("token {string} key {string} has {int} certificates") - public void tokenKeyHasCertificates(String tokenId, String keyName, int certCount) throws Exception { - final KeyInfo key = findKeyInToken(tokenId, keyName); + public void tokenKeyHasCertificates(String friendlyName, String keyName, int certCount) throws Exception { + final KeyInfo key = findKeyInToken(friendlyName, keyName); assertThat(key.getCerts()).hasSize(certCount); } @Step("sign mechanism for token {string} key {string} is not null") - public void signMechanismForTokenKeyIsNotNull(String tokenId, String keyName) throws Exception { - final KeyInfo keyInToken = findKeyInToken(tokenId, keyName); + public void signMechanismForTokenKeyIsNotNull(String friendlyName, String keyName) throws Exception { + final KeyInfo keyInToken = findKeyInToken(friendlyName, keyName); final String signMechanism = SignerProxy.getSignMechanism(keyInToken.getId()); assertThat(signMechanism).isNotBlank(); 
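Review bot: The CSR temp file written in `certRequestIsGeneratedForTokenKey` is never removed, so every run leaves request files behind in the shared temp directory. The second argument of `File.createTempFile` is a suffix and the JDK already makes the name unique, so the `System.currentTimeMillis()` part adds nothing and the file ends up without an extension. Something like `File csrFile = File.createTempFile("csr-", "-" + keyUsage.toLowerCase() + ".der");` followed by `csrFile.deleteOnExit();` would cover both, provided the step that consumes `DOWNLOADED_FILE` does not depend on the current name. In `importCertFromFile` the local `cert` shadows the `byte[] cert` field; renaming it (for example `certFile`) avoids confusion with the field.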
@@ -264,8 +345,8 @@ public void memberHasCertificate(String memberId, int certCount) throws Exceptio } @Step("check token {string} key {string} batch signing enabled") - public void checkTokenBatchSigningEnabled(String tokenId, String keyname) throws Exception { - final KeyInfo key = findKeyInToken(tokenId, keyname); + public void checkTokenBatchSigningEnabled(String friendlyName, String keyname) throws Exception { + final KeyInfo key = findKeyInToken(friendlyName, keyname); assertThat(SignerProxy.isTokenBatchSigningEnabled(key.getId())).isNotNull(); } @@ -303,12 +384,13 @@ public void tokenAndKeyCanBeRetrievedByCertRequest() throws Exception { @Step("token info can be retrieved by key id") public void tokenInfoCanBeRetrievedByKeyId() throws Exception { final TokenInfo tokenForKeyId = SignerProxy.getTokenForKeyId(this.keyId); + testReportService.attachJson("tokenInfo", tokenForKeyId); assertThat(tokenForKeyId).isNotNull(); } @Step("digest can be signed using key {string} from token {string}") - public void digestCanBeSignedUsingKeyFromToken(String keyName, String tokenId) throws Exception { - final KeyInfo key = findKeyInToken(tokenId, keyName); + public void digestCanBeSignedUsingKeyFromToken(String keyName, String friendlyName) throws Exception { + final KeyInfo key = findKeyInToken(friendlyName, keyName); SignerProxy.sign(key.getId(), SHA256WITHRSA_ID, calculateDigest(SHA256_ID, "digest".getBytes(UTF_8))); } 
@@ -334,8 +416,8 @@ public void certificateStatusCanBeChangedTo(String status) throws Exception { } @Step("certificate can be signed using key {string} from token {string}") - public void certificateCanBeSignedUsingKeyFromToken(String keyName, String tokenId) throws Exception { - final KeyInfo key = findKeyInToken(tokenId, keyName); + public void certificateCanBeSignedUsingKeyFromToken(String keyName, String friendlyName) throws Exception { + final KeyInfo key = findKeyInToken(friendlyName, keyName); byte[] keyBytes = Base64.decode(key.getPublicKey().getBytes()); X509EncodedKeySpec x509publicKey = new X509EncodedKeySpec(keyBytes); KeyFactory kf = KeyFactory.getInstance("RSA"); @@ -345,6 +427,15 @@ public void certificateCanBeSignedUsingKeyFromToken(String keyName, String token assertThat(bytes).isNotEmpty(); } + + @Step("Digest is signed using key {string} from token {string}") + public void sign(String keyName, String friendlyName) throws Exception { + + final KeyInfo key = findKeyInToken(friendlyName, keyName); + byte[] bytes = SignerProxy.sign(key.getId(), SHA512WITHRSA_ID, calculateDigest(SHA256_ID, "digest".getBytes(UTF_8))); + assertThat(bytes).isNotEmpty(); + } + @Step("Set token name fails with TokenNotFound exception when token does not exist") public void setTokenNameFail() throws Exception { String tokenId = randomUUID().toString(); @@ -406,9 +497,9 @@ public void signKeyFail() throws Exception { } @Step("Signing with unknown algorithm fails using key {string} from token {string}") - public void signAlgorithmFail(String keyName, String tokenId) throws Exception { + public void signAlgorithmFail(String keyName, String friendlyName) throws Exception { try { - final KeyInfo key = findKeyInToken(tokenId, keyName); + final KeyInfo key = findKeyInToken(friendlyName, keyName); SignerProxy.sign(key.getId(), "NOT-ALGORITHM-ID", calculateDigest(SHA256_ID, "digest".getBytes(UTF_8))); fail("Exception expected"); 
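Review bot: The new `sign` step in the `@@ -345,6 +427,15 @@` hunk requests `SHA512WITHRSA_ID` but hashes the payload with `SHA256_ID`, so the digest handed to `SignerProxy.sign` does not match the algorithm it is told to use. How the signer reacts is not visible here; it may reject the input or return a signature that would not verify, and `assertThat(bytes).isNotEmpty()` cannot tell the two apart. Either compute the digest with the SHA-512 id from `CryptoUtils`, or stay on SHA-256 throughout: `SignerProxy.sign(key.getId(), SHA256WITHRSA_ID, calculateDigest(SHA256_ID, "digest".getBytes(UTF_8)))`. Verifying the returned bytes against `key.getPublicKey()` would turn the step into a real check of the signing path.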
@@ -445,7 +536,7 @@ public void notExistingCertActivateFail() throws Exception { @Step("Member signing info for client {string} is retrieved") public void getMemberSigningInfo(String client) throws Exception { var memberInfo = SignerProxy.getMemberSigningInfo(getClientId(client)); - testReportService.attachText("MemberSigningInfo", memberInfo.toString()); + testReportService.attachJson("MemberSigningInfo", memberInfo); } @Step("HSM is operational") @@ -487,4 +578,9 @@ public void emptyOcspResponseIsReturnedForUnknownCertificate() throws Exception assertThat(ocspResponses[0]).isNull(); } + private TokenInfo getTokenInfoByFriendlyName(String friendlyName) throws Exception { + var tokenInfo = SignerProxy.getToken(tokenFriendlyNameToIdMapping.get(friendlyName)); + testReportService.attachJson("TokenInfo", tokenInfo); + return tokenInfo; + } } diff --git a/src/signer-protocol/src/intTest/resources/application-override.yml b/src/signer-protocol/src/intTest/resources/application-override.yml index 6ae3cfa5cf..648b79fe5f 100755 --- a/src/signer-protocol/src/intTest/resources/application-override.yml +++ b/src/signer-protocol/src/intTest/resources/application-override.yml @@ -16,7 +16,7 @@ test-automation: execution: parallel: enabled: false - glue-append: "org.niis.xroad.signer.test.glue" + glue-append: "org.niis.xroad.common.test.glue,org.niis.xroad.signer.test.glue" filter: tags: "not @Skip" containers: diff --git a/src/signer-protocol/src/intTest/resources/behavior/0100-signer-software-token.feature b/src/signer-protocol/src/intTest/resources/behavior/0100-signer-software-token.feature new file mode 100644 index 0000000000..3675f2ffe2 --- /dev/null +++ b/src/signer-protocol/src/intTest/resources/behavior/0100-signer-software-token.feature 
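Review bot: `getTokenInfoByFriendlyName` in the `@@ -487,4 +578,9 @@` hunk passes `tokenFriendlyNameToIdMapping.get(friendlyName)` straight to `SignerProxy.getToken`, so an unknown or stale friendly name becomes a call with a `null` token id and the failure surfaces far from its cause. The map is filled only by the `tokens are listed` step, so a name set later in the same scenario is not in it. Resolve the id first and fail with a clear message, e.g. `var tokenId = Objects.requireNonNull(tokenFriendlyNameToIdMapping.get(friendlyName), "Unknown token friendly name: " + friendlyName);` (needs an import of `java.util.Objects`). The direct `.get(friendlyName)` lookups in `tokenIsActivatedWithPin`, `tokenIsLoggedOut`, `tokenPinIsUpdatedFromTo` and `newKeyGeneratedForToken` in the `@@ -73,86 +78,140 @@` hunk have the same problem and could share one lookup helper.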
@@ -0,0 +1,143 @@ +@SoftToken +Feature: 0100 - Signer: SoftToken + + Background: + Given tokens are listed + + Scenario: Set token friendly name + When name "soft-token-000" is set for token with id "0" + Then token with id "0" name is "soft-token-000" + + Scenario: Initialization + Given tokens list contains token "soft-token-000" + And token "soft-token-000" status is "NOT_INITIALIZED" + When signer is initialized with pin "1234" + Then token "soft-token-000" is not active + And token "soft-token-000" status is "OK" + + Scenario: Activate token + Given token "soft-token-000" is not active + When token "soft-token-000" is logged in with pin "1234" + Then token "soft-token-000" is active + + Scenario: Deactivate token + When token "soft-token-000" is logged out + Then token "soft-token-000" is not active + + Scenario: Update token pin + Given token "soft-token-000" is not active + And token "soft-token-000" is logged in with pin "1234" + When token "soft-token-000" pin is updated from "1234" to "4321" + And token "soft-token-000" is logged in with pin "4321" + Then token "soft-token-000" is active + + Scenario: Key generation + When new key "key-1" generated for token "soft-token-000" + And name "First key" is set for generated key + When new key "key-2" generated for token "soft-token-000" + And name "Second key" is set for generated key + When new key "key-3" generated for token "soft-token-000" + And name "Third key" is set for generated key + Then token "soft-token-000" has exact keys "First key,Second key,Third key" + And sign mechanism for token "soft-token-000" key "Second key" is not null + + Scenario: Delete key + Given new key "key-X" generated for token "soft-token-000" + And name "KeyX" is set for generated key + Then token info can be retrieved by key id + When key "Third key" is deleted from token "soft-token-000" + Then token "soft-token-000" has exact keys "First key,Second key,KeyX" + + Scenario: A key with Sign certificate is created + Given new 
key "key-10" generated for token "soft-token-000" + And name "SignKey from CA" is set for generated key + And token "soft-token-000" has exact keys "First key,Second key,KeyX,SignKey from CA" + And sign mechanism for token "soft-token-000" key "SignKey from CA" is not null + When the SIGNING cert request is generated for token "soft-token-000" key "SignKey from CA" for client "CS:ORG:2908758-4:Management" + And SIGN CSR is processed by test CA + And Generated certificate with initial status "registered" is imported for client "CS:ORG:2908758-4:Management" + Then token info can be retrieved by key id + + Scenario: A key with Auth certificate is created + Given new key "key-20" generated for token "soft-token-000" + And name "AuthKey from CA" is set for generated key + And token "soft-token-000" has exact keys "First key,Second key,KeyX,SignKey from CA,AuthKey from CA" + And sign mechanism for token "soft-token-000" key "AuthKey from CA" is not null + When the AUTHENTICATION cert request is generated for token "soft-token-000" key "AuthKey from CA" for client "CS:ORG:2908758-4:Management" + And CSR is processed by test CA + And Generated certificate with initial status "registered" is imported for client "CS:ORG:2908758-4:Management" + Then token info can be retrieved by key id + + Scenario: Sign fails with an unknown algorithm error + Given digest can be signed using key "KeyX" from token "soft-token-000" + And Signing with unknown algorithm fails using key "KeyX" from token "soft-token-000" + + Scenario: Generate/Regenerate cert request + When the SIGNING cert request is generated for token "soft-token-000" key "Second key" for client "cs:test:member-2" + And token and key can be retrieved by cert request + Then cert request can be deleted + When the SIGNING cert request is generated for token "soft-token-000" key "Second key" for client "cs:test:member-2" + And cert request is regenerated + + Scenario: Self Signed certificate can be (re)imported + Given tokens 
list contains token "soft-token-000" + When Wrong Certificate is not imported for client "cs:test:member-2" + And self signed cert generated for token "soft-token-000" key "Second key", client "cs:test:member-2" + And certificate info can be retrieved by cert hash + When certificate can be deleted + Then token "soft-token-000" key "Second key" has 0 certificates + When Certificate is imported for client "cs:test:member-2" + Then token "soft-token-000" key "Second key" has 1 certificates + + Scenario: Self signed certificate + Given token "soft-token-000" key "First key" has 0 certificates + When self signed cert generated for token "soft-token-000" key "First key", client "cs:test:member-1" + Then token "soft-token-000" key "First key" has 1 certificates + And keyId can be retrieved by cert hash + And token and keyId can be retrieved by cert hash + And certificate can be signed using key "First key" from token "soft-token-000" + + Scenario: Member test + Given tokens list contains token "soft-token-000" + * Member signing info for client "CS:ORG:2908758-4:Management" is retrieved + + Scenario: Member test failure + Given tokens list contains token "soft-token-000" + * Member signing info for client "cs:test:member-1" is retrieved + + Scenario: Member info + Then member "cs:test:member-1" has 1 certificate + + Scenario: Cert status + Given self signed cert generated for token "soft-token-000" key "KeyX", client "cs:test:member-2" + And certificate info can be retrieved by cert hash + Then certificate can be deactivated + And certificate can be activated + And certificate status can be changed to "deletion in progress" + And certificate can be deleted + + Scenario: Miscellaneous checks + * check token "soft-token-000" key "First key" batch signing enabled + + Scenario: Exceptions + * Set token name fails with TokenNotFound exception when token does not exist + * Deleting not existing certificate from token fails + * Retrieving token info by not existing key fails + * 
Deleting not existing certRequest fails + * Signing with unknown key fails + * Getting key by not existing cert hash fails + * Not existing certificate can not be activated + + Scenario: Ocsp responses + When ocsp responses are set + Then ocsp responses can be retrieved + And null ocsp response is returned for unknown certificate + + + +# not covered SignerProxy methods: +# AuthKeyInfo getAuthKey(SecurityServerId serverId) #requires valid ocsp response +# void setOcspResponses(String[] certHashes, String[] base64EncodedResponses) #requires valid ocsp responses +# String[] getOcspResponses(String[] certHashes) #requires valid ocsp responses +# MemberSigningInfoDto getMemberSigningInfo(ClientId clientId) #requires valid ocsp response +# boolean isHSMOperational() #timeout. no ModuleManager actor diff --git a/src/signer-protocol/src/intTest/resources/behavior/0100-signer.feature b/src/signer-protocol/src/intTest/resources/behavior/0100-signer.feature deleted file mode 100644 index 34c2c4b774..0000000000 --- a/src/signer-protocol/src/intTest/resources/behavior/0100-signer.feature +++ /dev/null 
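Review bot: Scenario `Member test failure` runs the same step as `Member test` (`Member signing info for client ... is retrieved`), and that step definition, as far as the SignerStepDefs part of this patch shows, only fetches and attaches the result, so no failure is ever asserted. Either rename the scenario or give it a step that expects the error, for example `* Member signing info for client "cs:test:member-1" fails to be retrieved`, backed by a step definition that asserts the exception. The scenarios also depend on running in file order (the PIN is left at "4321", keys accumulate across scenarios); a comment under the `Feature:` line such as `# Scenarios share signer state and must run in order` would make that explicit. The trailing "not covered SignerProxy methods" comment looks stale, since it still lists `getMemberSigningInfo` and `isHSMOperational` with a "no ModuleManager actor" remark.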
@@ -1,115 +0,0 @@ -Feature: 0100 - Signer: SoftToken - - Scenario: Initialization - Given tokens list contains token "0" - And token "0" status is "NOT_INITIALIZED" - When signer is initialized with pin "1234" - Then token "0" is not active - And token "0" status is "OK" - - Scenario: Activate token - Given token "0" is not active - When token "0" is logged in with pin "1234" - Then token "0" is active - - Scenario: Deactivate token - When token "0" is logged out - Then token "0" is not active - - Scenario: Update token pin - Given token "0" is not active - And token "0" is logged in with pin "1234" - When token "0" pin is updated from "1234" to "4321" - And token "0" is logged in with pin "4321" - Then token "0" is active - - Scenario: Set token friendly name - When name "New friendly name" is set for token "0" - Then token "0" name is "New friendly name" - - Scenario: Key generation - When new key "key-1" generated for token "0" - And name "First key" is set for generated key - When new key "key-2" generated for token "0" - And name "Second key" is set for generated key - When new key "key-3" generated for token "0" - And name "Third key" is set for generated key - Then token "0" has exact keys "First key,Second key,Third key" - And sign mechanism for token "0" key "Second key" is not null - - Scenario: Delete key - Given new key "key-X" generated for token "0" - And name "KeyX" is set for generated key - Then token info can be retrieved by key id - When key "Third key" is deleted from token "0" - Then token "0" has exact keys "First key,Second key,KeyX" - - Scenario: Sign - Given digest can be signed using key "KeyX" from token "0" - And Signing with unknown algorithm fails using key "KeyX" from token "0" - - Scenario: Generate/Regenerate cert request - When cert request is generated for token "0" key "Second key" for client "cs:test:member-2" - And token and key can be retrieved by cert request - Then cert request can be deleted - When cert request is generated 
for token "0" key "Second key" for client "cs:test:member-2" - And cert request is regenerated - - Scenario: Certificate can be (re)imported - Given tokens list contains token "0" - When Wrong Certificate is not imported for client "cs:test:member-1" - And self signed cert generated for token "0" key "First key", client "cs:test:member-1" - And certificate info can be retrieved by cert hash - When certificate can be deleted - Then token "0" key "First key" has 0 certificates - When Certificate is imported for client "cs:test:member-1" - Then token "0" key "First key" has 1 certificates - - Scenario: Member test - Given tokens list contains token "0" - * Member signing info for client "cs:test:member-1" is retrieved - - Scenario: Self signed certificate - Given token "0" key "First key" has 0 certificates - When self signed cert generated for token "0" key "First key", client "cs:test:member-1" - Then token "0" key "First key" has 1 certificates - And keyId can be retrieved by cert hash - And token and keyId can be retrieved by cert hash - And certificate can be signed using key "First key" from token "0" - - Scenario: Member info - Then member "cs:test:member-1" has 1 certificate - - Scenario: Cert status - Given self signed cert generated for token "0" key "KeyX", client "cs:test:member-2" - And certificate info can be retrieved by cert hash - Then certificate can be deactivated - And certificate can be activated - And certificate status can be changed to "deletion in progress" - And certificate can be deleted - - Scenario: Miscellaneous checks - * check token "0" key "First key" batch signing enabled - - Scenario: Exceptions - * Set token name fails with TokenNotFound exception when token does not exist - * Deleting not existing certificate from token fails - * Retrieving token info by not existing key fails - * Deleting not existing certRequest fails - * Signing with unknown key fails - * Getting key by not existing cert hash fails - * Not existing certificate 
can not be activated - - Scenario: Ocsp responses - When ocsp responses are set - Then ocsp responses can be retrieved - And null ocsp response is returned for unknown certificate - - - -# not covered SignerProxy methods: -# AuthKeyInfo getAuthKey(SecurityServerId serverId) #requires valid ocsp response -# void setOcspResponses(String[] certHashes, String[] base64EncodedResponses) #requires valid ocsp responses -# String[] getOcspResponses(String[] certHashes) #requires valid ocsp responses -# MemberSigningInfoDto getMemberSigningInfo(ClientId clientId) #requires valid ocsp response -# boolean isHSMOperational() #timeout. no ModuleManager actor diff --git a/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature b/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature index 41bbcd236b..686eb2bc38 100644 --- a/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature +++ b/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature 
@@ -1,115 +1,112 @@ -Feature: 0100 - Signer: HardwareToken +@HardwareToken +Feature: 0200 - Signer: HardwareToken Uses SoftHSM to emulate hardware token. + Background: + Given tokens are listed + Scenario: HSM is operational * HSM is operational -# -# Scenario: Initialization -# Given tokens list contains token "0" -# And token "0" status is "NOT_INITIALIZED" -# When signer is initialized with pin "1234" -# Then token "0" is not active -# And token "0" status is "OK" -# -# Scenario: Activate token -# Given token "0" is not active -# When token "0" is logged in with pin "1234" -# Then token "0" is active -# -# Scenario: Deactivate token -# When token "0" is logged out -# Then token "0" is not active -# -# Scenario: Update token pin -# Given token "0" is not active -# And token "0" is logged in with pin "1234" -# When token "0" pin is updated from "1234" to "4321" -# And token "0" is logged in with pin "4321" -# Then token "0" is active -# -# Scenario: Set token friendly name -# When name "New friendly name" is set for token "0" -# Then token "0" name is "New friendly name" -# -# Scenario: Key generation -# When new key "key-1" generated for token "0" -# And name "First key" is set for generated key -# When new key "key-2" generated for token "0" -# And name "Second key" is set for generated key -# When new key "key-3" generated for token "0" -# And name "Third key" is set for generated key -# Then token "0" has exact keys "First key,Second key,Third key" -# And sign mechanism for token "0" key "Second key" is not null -# -# Scenario: Delete key -# Given new key "key-X" generated for token "0" -# And name "KeyX" is set for generated key -# Then token info can be retrieved by key id -# When key "Third key" is deleted from token "0" -# Then token "0" has exact keys "First key,Second key,KeyX" -# -# Scenario: Sign -# Given digest can be signed using key "KeyX" from token "0" -# And Signing with unknown algorithm fails using key "KeyX" from token "0" -# -# Scenario: 
Generate/Regenerate cert request -# When cert request is generated for token "0" key "Second key" for client "cs:test:member-2" -# And token and key can be retrieved by cert request -# Then cert request can be deleted -# When cert request is generated for token "0" key "Second key" for client "cs:test:member-2" -# And cert request is regenerated -# -# Scenario: Certificate can be (re)imported -# Given tokens list contains token "0" -# When Wrong Certificate is not imported for client "cs:test:member-1" -# And self signed cert generated for token "0" key "First key", client "cs:test:member-1" -# And certificate info can be retrieved by cert hash -# When certificate can be deleted -# Then token "0" key "First key" has 0 certificates -# When Certificate is imported for client "cs:test:member-1" -# Then token "0" key "First key" has 1 certificates -# -# Scenario: Member test -# Given tokens list contains token "0" -# * Member signing info for client "cs:test:member-1" is retrieved -# -# Scenario: HSM status is not operational -# * HSM is not operational -# -# Scenario: Self signed certificate -# Given token "0" key "First key" has 0 certificates -# When self signed cert generated for token "0" key "First key", client "cs:test:member-1" -# Then token "0" key "First key" has 1 certificates -# And keyId can be retrieved by cert hash -# And token and keyId can be retrieved by cert hash -# And certificate can be signed using key "First key" from token "0" -# -# Scenario: Member info -# Then member "cs:test:member-1" has 1 certificate -# -# Scenario: Cert status -# Given self signed cert generated for token "0" key "KeyX", client "cs:test:member-2" -# And certificate info can be retrieved by cert hash -# Then certificate can be deactivated -# And certificate can be activated -# And certificate status can be changed to "deletion in progress" -# And certificate can be deleted -# -# Scenario: Miscellaneous checks -# * check token "0" key "First key" batch signing enabled -# -# 
Scenario: Exceptions -# * Set token name fails with TokenNotFound exception when token does not exist -# * Deleting not existing certificate from token fails -# * Retrieving token info by not existing key fails -# * Deleting not existing certRequest fails -# * Signing with unknown key fails -# * Getting key by not existing cert hash fails -# * Not existing certificate can not be activated -# -# Scenario: Ocsp responses -# When ocsp responses are set -# Then ocsp responses can be retrieved -# And null ocsp response is returned for unknown certificate + Scenario: Token has its friendly name updated + When friendly name "xrd-softhsm-0" is set for token with label "x-road-softhsm2" + Then token with label "x-road-softhsm2" name is "xrd-softhsm-0" + + Scenario: Token is in initialized and active state + Given tokens list contains token "xrd-softhsm-0" + And token "xrd-softhsm-0" status is "OK" + Then token "xrd-softhsm-0" is active + + Scenario: Token is deactivated + When token "xrd-softhsm-0" is logged out + Then token "xrd-softhsm-0" is not active + + Scenario: Update token pin is not supported for hardware token + Given token "xrd-softhsm-0" is not active + And token "xrd-softhsm-0" is logged in with pin "1234" + When token "xrd-softhsm-0" pin is update from "1234" to "4321" fails with an error + Then token "xrd-softhsm-0" is active + + Scenario: Keys are generated + When new key "key-1" generated for token "xrd-softhsm-0" + And name "First key" is set for generated key + When new key "key-2" generated for token "xrd-softhsm-0" + And name "Second key" is set for generated key + When new key "key-3" generated for token "xrd-softhsm-0" + And name "Third key" is set for generated key + Then token "xrd-softhsm-0" has exact keys "First key,Second key,Third key" + And sign mechanism for token "xrd-softhsm-0" key "Second key" is not null + + Scenario: Key is deleted + Given new key "key-X" generated for token "xrd-softhsm-0" + And name "KeyX" is set for generated key + 
Then token info can be retrieved by key id + When key "Third key" is deleted from token "xrd-softhsm-0" + Then token "xrd-softhsm-0" has exact keys "First key,Second key,KeyX" + + Scenario: Cert request is (re)generated + When the SIGNING cert request is generated for token "xrd-softhsm-0" key "Second key" for client "cs:test:member-2" + And token and key can be retrieved by cert request + Then cert request can be deleted + When the SIGNING cert request is generated for token "xrd-softhsm-0" key "Second key" for client "cs:test:member-2" + And cert request is regenerated + + Scenario: A key with Sign certificate is created + Given new key "key-100" generated for token "xrd-softhsm-0" + And name "SignKey from CA" is set for generated key + And token "xrd-softhsm-0" has exact keys "First key,Second key,KeyX,SignKey from CA" + And sign mechanism for token "xrd-softhsm-0" key "SignKey from CA" is not null + When the SIGNING cert request is generated for token "xrd-softhsm-0" key "SignKey from CA" for client "CS:ORG:2908758-4:Management" + And SIGN CSR is processed by test CA + And Generated certificate with initial status "registered" is imported for client "CS:ORG:2908758-4:Management" + Then token info can be retrieved by key id + + Scenario: A key with Auth certificate is not created in hardware token + Given new key "key-200" generated for token "xrd-softhsm-0" + And name "BadAuthKey from CA" is set for generated key + When token "xrd-softhsm-0" has exact keys "First key,Second key,KeyX,SignKey from CA,BadAuthKey from CA" + Then the AUTHENTICATION cert request is generated for token "xrd-softhsm-0" key "BadAuthKey from CA" for client "CS:ORG:2908758-4:Management" throws exception + + Scenario: Self signed certificate is generated + Given token "xrd-softhsm-0" key "First key" has 0 certificates + When self signed cert generated for token "xrd-softhsm-0" key "First key", client "cs:test:member-1" + Then token "xrd-softhsm-0" key "First key" has 1 certificates + And 
keyId can be retrieved by cert hash + And token and keyId can be retrieved by cert hash + And certificate can be signed using key "First key" from token "xrd-softhsm-0" + + Scenario: Self Signed Certificate can be (re)imported + Given tokens list contains token "xrd-softhsm-0" + When Wrong Certificate is not imported for client "cs:test:member-2" + And self signed cert generated for token "xrd-softhsm-0" key "Second key", client "cs:test:member-2" + And certificate info can be retrieved by cert hash + When certificate can be deleted + Then token "xrd-softhsm-0" key "Second key" has 0 certificates + When Certificate is imported for client "cs:test:member-2" + Then token "xrd-softhsm-0" key "Second key" has 1 certificates + + Scenario: Sign fails with an unknown algorithm error + Given digest can be signed using key "KeyX" from token "xrd-softhsm-0" + And Signing with unknown algorithm fails using key "KeyX" from token "xrd-softhsm-0" + + Scenario: Sign data is successful + Given digest can be signed using key "SignKey from CA" from token "xrd-softhsm-0" + And Digest is signed using key "KeyX" from token "xrd-softhsm-0" + + Scenario: Member signing info can be retrieved + Given tokens list contains token "xrd-softhsm-0" + * Member signing info for client "CS:ORG:2908758-4:Management" is retrieved + + Scenario: Member info + Then member "cs:test:member-1" has 2 certificate + + Scenario: Cert status + Given self signed cert generated for token "xrd-softhsm-0" key "KeyX", client "cs:test:member-2" + And certificate info can be retrieved by cert hash + Then certificate can be deactivated + And certificate can be activated + And certificate status can be changed to "deletion in progress" + And certificate can be deleted + Scenario: Miscellaneous checks + * check token "xrd-softhsm-0" key "First key" batch signing enabled 
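Review bot: The scenario "Update token pin is not supported for hardware token" only asserts that the token is still active after the failed update, so it would also pass if the PIN had in fact been changed to "4321". Following the failing step with `And token "xrd-softhsm-0" is logged out` and `And token "xrd-softhsm-0" is logged in with pin "1234"` before the final `Then` would show that the original PIN still works. The step text `pin is update from` also looks like a typo for "is updated from"; its glue code is outside this hunk, so the two would have to change together.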
diff --git a/src/signer-protocol/src/intTest/resources/container-files/Dockerfile b/src/signer-protocol/src/intTest/resources/container-files/Dockerfile index 68ace653d9..90cf8684e0 100644 --- a/src/signer-protocol/src/intTest/resources/container-files/Dockerfile +++ b/src/signer-protocol/src/intTest/resources/container-files/Dockerfile @@ -18,7 +18,7 @@ RUN apt-get -qq update \ # Create token RUN mkdir -p /var/lib/softhsm/tokens/ && \ - softhsm2-util --init-token --slot 0 --label 'X-Road HW' --so-pin 1234 --pin 1234 + softhsm2-util --init-token --slot 0 --label 'x-road-softhsm2' --so-pin 1234 --pin 1234 COPY --chown=root:root files/app.jar /root/app.jar COPY --chown=root:root files/hwtoken.jar /root/lib/hwtoken.jar diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/fetchinterval-params.xml b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/fetchinterval-params.xml new file mode 100644 index 0000000000..2d4ab82be5 --- /dev/null +++ b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/fetchinterval-params.xml @@ -0,0 +1,3 @@ + + 10 + \ No newline at end of file diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/private-params.xml b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/private-params.xml index 3d409f1133..b3d36ed74b 100644 --- a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/private-params.xml +++ b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/private-params.xml 
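Review bot: The label on the `softhsm2-util --init-token` line is now a contract with the test suite, but nothing in the Dockerfile says so: 0200-signer-hardware-token.feature looks the token up with `token with label "x-road-softhsm2"` and logs in with pin "1234". A comment above the RUN, such as `# Test-only SoftHSM token; label and PIN are referenced by 0200-signer-hardware-token.feature`, would keep the two in step. It would also make clear that the identical SO PIN and user PIN baked into this image layer are throwaway fixtures for the integration tests only.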
@@ -1,9 +1,9 @@ - cs + CS https://cs:4001/managementservice/ - MIIDJTCCAg2gAwIBAgIUNgaUk43F5+vevqBASzzr0SYP0ZEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIzMDYwODA2MzA0N1oXDTQzMDYwMzA2MzA0N1owFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9vvBY+4gB+W+LWa4spLrpkDqrwx7BBo/0ESZrWL39jqsKEJtc5vkD2CjiMJUgKUiP6tRT+92gbzjOH8R5H8STJOGrwYP+VzjZ+cxYnU+20SdlsCJktcVRFNb+J6Njcq8unr5uao6aD1bJ0uElXi5e/WMuQ9VlMXwkuEeQa1QzrMHvLUNmtGjL8X8i9miDvFMuTSmul5W16i+3haciYdJpf7hxRjf/bqxkEEKkyRoMwQNt+c8Zt2FHo12kzlP2RnvJUB8md/nWJBv4i5GF3Vv3fAZTU2GZKZwXXmSqGXPqNgkZStDv1CUNBkiYv2uD45kLpuVJIVi4B+02AZ0j6HRywIDAQABo28wbTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwIC5DArBgNVHREEJDAihwSsEQAEgglsb2NhbGhvc3SCD2J1aWxka2l0c2FuZGJveDAdBgNVHQ4EFgQUpFMff9ahuMTcKc5FKIi6TroAzRcwDQYJKoZIhvcNAQELBQADggEBABdut81ygN3TrSmC4HKxGcTvjJYUM+8LtadC9/3RGIXwZUEg2C5xa0e0MZwF3/RrfalSA6McNYBOR4F7AGnkSnRTPe0296M/Sg/w5k9ku/x4I3aDF9WJD1QfMFrpUfTv0+jt7UashHr063fmcvptkioTjgOia0cX//bPAelAuhKJccsI6ajPeeywmQrhwjN6ce6nr9GNkk0jNZYRhNW7iHtu1S8tjPUMxsMwD3yYyzPU3w/09tV69dcWX9rHcQiSCO2/eoUMySXSAT8/T/01pJLHIMh+yskxL59iXRvQVtwfNlPmquTx47vrCox54ay+ydzLCZySUWLPxzrfI+Qc/6c= + 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 CS ORG @@ -11,5 +11,5 @@ Management - 60 + 10 diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/shared-params.xml b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/shared-params.xml index 2d9967ce7c..3a8d0fa041 100644 --- a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/shared-params.xml +++ b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/shared-params.xml 
@@ -6,7 +6,7 @@ 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 - http://cs:8888 + http://ca:8888 MIIFqjCCA5KgAwIBAgIBATANBgkqhkiG9w0BAQsFADBbMQswCQYDVQQGEwJGSTEUMBIGA1UECgwLWC1Sb2FkIFRlc3QxGjAYBgNVBAsMEVgtUm9hZCBUZXN0IENBIE9VMRowGAYDVQQDDBFYLVJvYWQgVGVzdCBDQSBDTjAeFw0yMTAzMTAwNzM1NTdaFw00MTAzMDUwNzM1NTdaMF8xCzAJBgNVBAYTAkZJMRQwEgYDVQQKDAtYLVJvYWQgVGVzdDEcMBoGA1UECwwTWC1Sb2FkIFRlc3QgT0NTUCBPVTEcMBoGA1UEAwwTWC1Sb2FkIFRlc3QgT0NTUCBDTjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANXyMQ3LgRPe6DGIUTOTjofOi6ir7GvUpD4CN4Xv5Ahari1npD4eGVqHfH4Kor6D2m0tdzkzOaizqpG2o+U2wFowZCEcWpjOH97ZgV87QkdT/5sv1R0mQ9BtaPPYQlgyJuRtP3VVoj9BeMcwzPIkPvNqvX+ro7cgNz3JvUbwuyn8JU0oP1LBgGmy8aFLblSD22Vin0LqFFYfPzUlFCRDwUVJwoF2NFwsWSbxi5cmWBPPHDhcX8dQTSEDWOzC0jtg8ersAGFvTUslhkGtuixZAtAQJXc49SHOIjllYlS+D9h1bfo/5wakrcNIdaVGER7Yq0I6yfvpI6oTOBmjicepAcyNCQOf0/8ghh04sBAJGwTkY75b89gHCHnXlEWpHhiyqblin5M18MJxEDfz/G9LG9a0qcDST4WKs6ijCItmJzkJuaYpEAIvHXBKC3NlkPvkjp/kW260iTRhWKeQjczvDqZ7atN3wu0jA/auouTitGuOfo3vOXc1frlpzTcw/jadHTchOjsufK7beuWr0CAcMzKy8AA9wrlYSy0qmzLxPybqoBGt3ljU8MnJapmqojd/ECMKrIamprm/xzEeaijVbPdEzGgD9DKtL0PbGqBcRQjUL72LCtY9H1pwVtgDRqW/eyodz7IrQZRq760c8HVgtS/uSjjslwif2mHZiBdTSUPTAgMBAAGjdTBzMAkGA1UdEwQCMAAwHQYDVR0OBBYEFCgPXe/DXrBZTbe1hYo+rPKATzLsMB8GA1UdIwQYMBaAFM51u32TzwxNT6vzD/4qyBUgKlCcMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCTANBgkqhkiG9w0BAQsFAAOCAgEAWPcf+ObBEyZofQQZYHU673qzaooWohCa/IQ7ZXiQmt+s0YpUXZepYw9UXrv1nPRLzpTy7788bzUvl6vVvnGTCOomLPYSZ5Qwm0VoAXMeyluIkNKKKemeF5e5Mbr7tmGGGaN/HKKQNa6qXEQndbdhjhoD6mxJKMDAgj1hi+slm0/QaKkd2qqjmc+w38RNv0wi+9Zamkl0LZ743/KeH6CtVJEUARxYT+Q1i81adFICYqoDlmDSPpzq7VUir1lZejC3qTnJAVMgGCHw28vp4ROvOkZ95lEFRTOpR7+a/iVetkOcenIWiGJGybUYZ9sAUwl4+GTcDT5aF9UJECnkfHpG4XYs/0Fn9wnqqw+zVNB/JocFdYxjPTe4YpjG9vKaQniK6ZjleLTQwom8SuQAAXarffIX3FNq0qc35T9fmrOzX+E7heFaC4Xg/HT7Lhz4XvQeXx00d/Ej72BS2ffAumeY0yqAOtAHnhq7u7ahhZ6B/VCsM95slKiqi72SQGqF/iy1ndRAzk/8xkJWnlvqbMfeNFOnbCJ7U1jxoxEmoBi31Cx1UQvdLvaAjz6MRo1kS/sJwVXpR3x7ooJjTGt4+/4gL4IxKqObE3sbjYnmA9i9iKCwrOWxPhavASyDVwr6XKz3
MRffTHVk5uQSlmtIUSJsEPiV/LIzwcKPZX1eWoLpI08= @@ -14,7 +14,7 @@ X-Road Test TSA CN - http://cs:8899 + http://ca:8899 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 diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml index 2b2af3dbad..d79068d1b5 100644 --- a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml +++ b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml @@ -3,7 +3,7 @@ - %d{"yyyy-MM-dd'T'HH:mm:ss.SSSXXX"} %level [xroad-signer] [%thread] %logger{36} - %msg%n%rEx{3} + %d{"yyyy-MM-dd'T'HH:mm:ss.SSSXXX"} %level [xroad-signer] [%thread] %logger{36} - %msg%n diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java index 84f22478b9..f79d72d2df 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java 
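Review bot: Removing `%rEx{3}` from the signer-logback.xml pattern does not stop exceptions from being logged. When a pattern contains no throwable conversion word, logback's PatternLayout appends the default one, so the signer container will now print full stack traces instead of three root-cause-first frames. If the extra detail is wanted for debugging the integration tests, a short XML comment next to the pattern would record that; if quieter logs were the aim, the pattern needs `%nopex` at the end.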
@@ -25,29 +25,37 @@ */ package ee.ria.xroad.signer.protocol.dto; +import com.fasterxml.jackson.annotation.JsonIgnore; + import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.signer.protocol.ClientIdMapper; -import lombok.RequiredArgsConstructor; +import lombok.ToString; +import lombok.Value; import java.io.Serializable; /** * Certificate request info DTO. */ -@RequiredArgsConstructor +@Value +@ToString(onlyExplicitlyIncluded = true) public class CertRequestInfo implements Serializable { - private final CertRequestInfoProto message; + @JsonIgnore + CertRequestInfoProto message; + @ToString.Include public String getId() { return message.getId(); } + @ToString.Include public ClientId getMemberId() { return ClientIdMapper.fromDto(message.getMemberId()); } + @ToString.Include public String getSubjectName() { return message.getSubjectName(); } diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java index a0c3d05a0b..ec8ca14f63 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java @@ -25,19 +25,21 @@ */ package ee.ria.xroad.signer.protocol.dto; +import com.fasterxml.jackson.annotation.JsonIgnore; + import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.signer.protocol.ClientIdMapper; -import lombok.RequiredArgsConstructor; import lombok.ToString; +import lombok.Value; import java.io.Serializable; /** * Certificate info DTO. */ -@RequiredArgsConstructor -@ToString(exclude = {"certificateBytes", "ocspBytes"})//TODO:grpc +@Value +@ToString(onlyExplicitlyIncluded = true) public class CertificateInfo implements Serializable { public static final String STATUS_SAVED = "saved"; 
@@ -51,32 +53,40 @@ public class CertificateInfo implements Serializable { public static final String OCSP_RESPONSE_UNKNOWN = "unknown"; public static final String OCSP_RESPONSE_SUSPENDED = "suspended"; - private final CertificateInfoProto message; + @JsonIgnore + CertificateInfoProto message; + @ToString.Include public ClientId.Conf getMemberId() { return ClientIdMapper.fromDto(message.getMemberId()); } + @ToString.Include public boolean isActive() { return message.getActive(); } + @ToString.Include public boolean isSavedToConfiguration() { return message.getSavedToConfiguration(); } + @ToString.Include public String getStatus() { return message.getStatus(); } + @ToString.Include public String getId() { return message.getId(); } + @JsonIgnore public byte[] getCertificateBytes() { return message.getCertificateBytes().toByteArray(); } + @JsonIgnore public byte[] getOcspBytes() { return message.getOcspBytes().toByteArray(); } diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java index a00aad52aa..6e18727955 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java @@ -25,6 +25,8 @@ */ package ee.ria.xroad.signer.protocol.dto; +import com.fasterxml.jackson.annotation.JsonIgnore; +import lombok.ToString; import lombok.Value; import java.io.Serializable; 
@@ -33,34 +35,43 @@ @Value -public final class KeyInfo implements Serializable { +@ToString(onlyExplicitlyIncluded = true) +public class KeyInfo implements Serializable { - private final KeyInfoProto message; + @JsonIgnore + KeyInfoProto message; + @ToString.Include public boolean isAvailable() { return message.getAvailable(); } + @ToString.Include public KeyUsageInfo getUsage() { return message.getUsage(); } + @ToString.Include public String getFriendlyName() { return message.getFriendlyName(); } + @ToString.Include public String getId() { return message.getId(); } + @ToString.Include public String getLabel() { return message.getLabel(); } + @ToString.Include public String getPublicKey() { return message.getPublicKey(); } + @ToString.Include public List getCerts() { return message.getCertsList().stream() .map(CertificateInfo::new) @@ -73,6 +84,7 @@ public List getCertRequests() { .collect(Collectors.toList()); } + @ToString.Include public String getSignMechanismName() { return message.getSignMechanismName(); } diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfo.java index fe0e895ccf..d447ea8069 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfo.java @@ -25,8 +25,9 @@ */ package ee.ria.xroad.signer.protocol.dto; -import lombok.RequiredArgsConstructor; +import com.fasterxml.jackson.annotation.JsonIgnore; import lombok.ToString; +import lombok.Value; import java.io.Serializable; import java.util.List; 
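Review bot: `getCertRequests()` is the one accessor in KeyInfo that does not receive `@ToString.Include`. Its declaration sits between the two hunks and is untouched, so under `@ToString(onlyExplicitlyIncluded = true)` pending certificate requests drop out of the string form while `getCerts()` stays in. If that is deliberate, a comment on the method such as `// intentionally left out of toString()` would say so; otherwise add `@ToString.Include` above `getCertRequests()` to match the other getters.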
@@ -37,60 +38,73 @@ /** * Token info DTO. */ -@ToString -@RequiredArgsConstructor -public final class TokenInfo implements Serializable { +@Value +@ToString(onlyExplicitlyIncluded = true) +public class TokenInfo implements Serializable { public static final String SOFTWARE_MODULE_TYPE = "softToken"; - private final TokenInfoProto message; + @JsonIgnore + TokenInfoProto message; + @ToString.Include public String getType() { return message.getType(); } + @ToString.Include public String getFriendlyName() { return message.getFriendlyName(); } + @ToString.Include public String getId() { return message.getId(); } + @ToString.Include public boolean isReadOnly() { return message.getReadOnly(); } + @ToString.Include public boolean isAvailable() { return message.getAvailable(); } + @ToString.Include public boolean isActive() { return message.getActive(); } + @ToString.Include public String getSerialNumber() { return message.getSerialNumber(); } + @ToString.Include public String getLabel() { return message.getLabel(); } + @ToString.Include public int getSlotIndex() { return message.getSlotIndex(); } + @ToString.Include public TokenStatusInfo getStatus() { return message.getStatus(); } + @ToString.Include public List getKeyInfo() { return message.getKeyInfoList().stream() .map(KeyInfo::new) .collect(Collectors.toList()); } + @ToString.Include public Map getTokenInfo() { return message.getTokenInfoMap(); } diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfoAndKeyId.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfoAndKeyId.java index a3c34728f4..d22474a300 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfoAndKeyId.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfoAndKeyId.java 
@@ -25,6 +25,8 @@ */ package ee.ria.xroad.signer.protocol.dto; +import com.fasterxml.jackson.annotation.JsonIgnore; +import lombok.ToString; import lombok.Value; import java.io.Serializable; @@ -33,11 +35,12 @@ * DTO for holding a TokenInfo and key id.. */ @Value -public final class TokenInfoAndKeyId implements Serializable { +@ToString +public class TokenInfoAndKeyId implements Serializable { + @JsonIgnore + TokenInfo tokenInfo; - private final TokenInfo tokenInfo; - - private final String keyId; + String keyId; /** * Return the KeyInfo object which is part of this TokenInfo and has correct id, diff --git a/src/signer/build.gradle b/src/signer/build.gradle index 35f9edc602..c89eddaf8b 100644 --- a/src/signer/build.gradle +++ b/src/signer/build.gradle @@ -42,6 +42,7 @@ jar { attributes 'Main-Class': 'ee.ria.xroad.signer.SignerMain' } archiveClassifier = 'plain' + } bootJar { @@ -55,7 +56,7 @@ shadowJar { from rootProject.file("LICENSE.txt") } -assemble.dependsOn shadowJar +jar.finalizedBy shadowJar task createDirs() { doLast { From 015aecb39256d17b0a0e74739420792d2a84a1e2 Mon Sep 17 00:00:00 2001 
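Review bot: The bare `@ToString` added to TokenInfoAndKeyId repeats what `@Value` already generates and, unlike the other DTOs touched in this patch, is not `onlyExplicitlyIncluded`, so the annotation adds nothing. Either drop it or give the class the same treatment as its siblings. The `@JsonIgnore` on `tokenInfo` means a JSON form of this DTO would omit the token; the rest of the class is outside the hunk, so whether any caller serialises it cannot be seen here. A field comment stating why it is excluded from JSON would record the intent.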
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Fri, 1 Sep 2023 20:43:42 +0300 Subject: [PATCH 040/127] chore: fix for various signer tests Refs: XRDDEV-2468 --- .../common/util/FilePasswordStoreProvider.java | 2 +- .../ee/ria/xroad/signer/console/SignerCLI.java | 6 +++--- .../xroad/signer/test/glue/SignerStepDefs.java | 2 +- .../0100-signer-software-token.feature | 18 +++++++++--------- .../0200-signer-hardware-token.feature | 16 ++++++++-------- .../{cs => CS}/fetchinterval-params.xml | 0 .../globalconf/{cs => CS}/private-params.xml | 0 .../{cs => CS}/private-params.xml.metadata | 0 .../globalconf/{cs => CS}/shared-params.xml | 0 .../{cs => CS}/shared-params.xml.metadata | 0 .../etc/xroad/globalconf/instance-identifier | 2 +- 11 files changed, 23 insertions(+), 23 deletions(-) rename src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/{cs => CS}/fetchinterval-params.xml (100%) rename src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/{cs => CS}/private-params.xml (100%) rename src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/{cs => CS}/private-params.xml.metadata (100%) rename src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/{cs => CS}/shared-params.xml (100%) rename src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/{cs => CS}/shared-params.xml.metadata (100%) diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java index 790cb54257..ad0245b0a3 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java 
@@ -42,7 +42,7 @@ public class FilePasswordStoreProvider implements PasswordStore.PasswordStoreProvider { private static final String CFG_FILE_PASSWORD_STORE_PATH = SystemProperties.PREFIX + "internal.passwordstore-file-path"; - private static final String PATTERN_FILE_PASSWORDSTORE = "%s/.passwordstore-%s"; + private static final String PATTERN_FILE_PASSWORDSTORE = "%s/.pswd-%s"; @Override public synchronized byte[] read(String pathnameForFtok, String id) throws Exception { diff --git a/src/signer-console/src/main/java/ee/ria/xroad/signer/console/SignerCLI.java b/src/signer-console/src/main/java/ee/ria/xroad/signer/console/SignerCLI.java index 636e0bf191..f846acf4fd 100644 --- a/src/signer-console/src/main/java/ee/ria/xroad/signer/console/SignerCLI.java +++ b/src/signer-console/src/main/java/ee/ria/xroad/signer/console/SignerCLI.java @@ -40,7 +40,6 @@ import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; -import ee.ria.xroad.signer.protocol.message.CertificateRequestFormat; import akka.actor.ActorSystem; import asg.cliche.CLIException; @@ -55,6 +54,7 @@ import org.apache.commons.cli.DefaultParser; import org.apache.commons.cli.Options; import org.apache.commons.lang3.StringUtils; +import org.niis.xroad.signer.proto.CertificateRequestFormat; import java.io.IOException; import java.security.cert.X509Certificate; 
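Review bot: Changing `PATTERN_FILE_PASSWORDSTORE` from `"%s/.passwordstore-%s"` to `"%s/.pswd-%s"` alters where production code keeps stored passwords, although the commit is described as a fix for signer tests. Any file already written under the old name would presumably no longer be found by `read`, and would stay on disk holding a secret that nothing clears. The read, write and clear bodies are outside the hunk, so this needs confirming. A comment on the constant giving the reason for the shorter name, plus a note on how files with the old name are removed on upgrade, would close the gap.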
@@ -108,10 +108,10 @@ import static ee.ria.xroad.signer.console.Utils.printTokenInfo; import static ee.ria.xroad.signer.protocol.dto.KeyUsageInfo.AUTHENTICATION; import static ee.ria.xroad.signer.protocol.dto.KeyUsageInfo.SIGNING; -import static ee.ria.xroad.signer.protocol.message.CertificateRequestFormat.DER; -import static ee.ria.xroad.signer.protocol.message.CertificateRequestFormat.PEM; import static java.nio.charset.StandardCharsets.UTF_8; import static java.util.concurrent.TimeUnit.NANOSECONDS; +import static org.niis.xroad.signer.proto.CertificateRequestFormat.DER; +import static org.niis.xroad.signer.proto.CertificateRequestFormat.PEM; /** * Signer command line interface. diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java index fb78d7782c..24b87c72bc 100644 --- a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java +++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java @@ -423,7 +423,7 @@ public void certificateCanBeSignedUsingKeyFromToken(String keyName, String frien KeyFactory kf = KeyFactory.getInstance("RSA"); PublicKey publicKey = kf.generatePublic(x509publicKey); - final byte[] bytes = SignerProxy.signCertificate(key.getId(), SHA256WITHRSA_ID, "CN=cs", publicKey); + final byte[] bytes = SignerProxy.signCertificate(key.getId(), SHA256WITHRSA_ID, "CN=CS", publicKey); assertThat(bytes).isNotEmpty(); } diff --git a/src/signer-protocol/src/intTest/resources/behavior/0100-signer-software-token.feature b/src/signer-protocol/src/intTest/resources/behavior/0100-signer-software-token.feature index 3675f2ffe2..f5de530540 100644 --- a/src/signer-protocol/src/intTest/resources/behavior/0100-signer-software-token.feature +++ b/src/signer-protocol/src/intTest/resources/behavior/0100-signer-software-token.feature 
@@ -73,25 +73,25 @@ Feature: 0100 - Signer: SoftToken And Signing with unknown algorithm fails using key "KeyX" from token "soft-token-000" Scenario: Generate/Regenerate cert request - When the SIGNING cert request is generated for token "soft-token-000" key "Second key" for client "cs:test:member-2" + When the SIGNING cert request is generated for token "soft-token-000" key "Second key" for client "CS:test:member-2" And token and key can be retrieved by cert request Then cert request can be deleted - When the SIGNING cert request is generated for token "soft-token-000" key "Second key" for client "cs:test:member-2" + When the SIGNING cert request is generated for token "soft-token-000" key "Second key" for client "CS:test:member-2" And cert request is regenerated Scenario: Self Signed certificate can be (re)imported Given tokens list contains token "soft-token-000" - When Wrong Certificate is not imported for client "cs:test:member-2" - And self signed cert generated for token "soft-token-000" key "Second key", client "cs:test:member-2" + When Wrong Certificate is not imported for client "CS:test:member-2" + And self signed cert generated for token "soft-token-000" key "Second key", client "CS:test:member-2" And certificate info can be retrieved by cert hash When certificate can be deleted Then token "soft-token-000" key "Second key" has 0 certificates - When Certificate is imported for client "cs:test:member-2" + When Certificate is imported for client "CS:test:member-2" Then token "soft-token-000" key "Second key" has 1 certificates Scenario: Self signed certificate Given token "soft-token-000" key "First key" has 0 certificates - When self signed cert generated for token "soft-token-000" key "First key", client "cs:test:member-1" + When self signed cert generated for token "soft-token-000" key "First key", client "CS:test:member-1" Then token "soft-token-000" key "First key" has 1 certificates And keyId can be retrieved by cert hash And token and keyId can be 
retrieved by cert hash @@ -103,13 +103,13 @@ Feature: 0100 - Signer: SoftToken Scenario: Member test failure Given tokens list contains token "soft-token-000" - * Member signing info for client "cs:test:member-1" is retrieved + * Member signing info for client "CS:test:member-1" is retrieved Scenario: Member info - Then member "cs:test:member-1" has 1 certificate + Then member "CS:test:member-1" has 1 certificate Scenario: Cert status - Given self signed cert generated for token "soft-token-000" key "KeyX", client "cs:test:member-2" + Given self signed cert generated for token "soft-token-000" key "KeyX", client "CS:test:member-2" And certificate info can be retrieved by cert hash Then certificate can be deactivated And certificate can be activated diff --git a/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature b/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature index 686eb2bc38..c834f9de17 100644 --- a/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature +++ b/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature @@ -45,10 +45,10 @@ Feature: 0200 - Signer: HardwareToken Then token "xrd-softhsm-0" has exact keys "First key,Second key,KeyX" Scenario: Cert request is (re)generated - When the SIGNING cert request is generated for token "xrd-softhsm-0" key "Second key" for client "cs:test:member-2" + When the SIGNING cert request is generated for token "xrd-softhsm-0" key "Second key" for client "CS:test:member-2" And token and key can be retrieved by cert request Then cert request can be deleted - When the SIGNING cert request is generated for token "xrd-softhsm-0" key "Second key" for client "cs:test:member-2" + When the SIGNING cert request is generated for token "xrd-softhsm-0" key "Second key" for client "CS:test:member-2" And cert request is regenerated Scenario: A key with Sign certificate is created 
@@ -69,7 +69,7 @@ Feature: 0200 - Signer: HardwareToken Scenario: Self signed certificate is generated Given token "xrd-softhsm-0" key "First key" has 0 certificates - When self signed cert generated for token "xrd-softhsm-0" key "First key", client "cs:test:member-1" + When self signed cert generated for token "xrd-softhsm-0" key "First key", client "CS:test:member-1" Then token "xrd-softhsm-0" key "First key" has 1 certificates And keyId can be retrieved by cert hash And token and keyId can be retrieved by cert hash @@ -77,12 +77,12 @@ Feature: 0200 - Signer: HardwareToken Scenario: Self Signed Certificate can be (re)imported Given tokens list contains token "xrd-softhsm-0" - When Wrong Certificate is not imported for client "cs:test:member-2" - And self signed cert generated for token "xrd-softhsm-0" key "Second key", client "cs:test:member-2" + When Wrong Certificate is not imported for client "CS:test:member-2" + And self signed cert generated for token "xrd-softhsm-0" key "Second key", client "CS:test:member-2" And certificate info can be retrieved by cert hash When certificate can be deleted Then token "xrd-softhsm-0" key "Second key" has 0 certificates - When Certificate is imported for client "cs:test:member-2" + When Certificate is imported for client "CS:test:member-2" Then token "xrd-softhsm-0" key "Second key" has 1 certificates Scenario: Sign fails with an unknown algorithm error 
@@ -98,10 +98,10 @@ Feature: 0200 - Signer: HardwareToken * Member signing info for client "CS:ORG:2908758-4:Management" is retrieved Scenario: Member info - Then member "cs:test:member-1" has 2 certificate + Then member "CS:test:member-1" has 2 certificate Scenario: Cert status - Given self signed cert generated for token "xrd-softhsm-0" key "KeyX", client "cs:test:member-2" + Given self signed cert generated for token "xrd-softhsm-0" key "KeyX", client "CS:test:member-2" And certificate info can be retrieved by cert hash Then certificate can be deactivated And certificate can be activated diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/fetchinterval-params.xml b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/fetchinterval-params.xml similarity index 100% rename from src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/fetchinterval-params.xml rename to src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/fetchinterval-params.xml diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/private-params.xml b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml similarity index 100% rename from src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/private-params.xml rename to src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml 
diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/private-params.xml.metadata b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml.metadata
similarity index 100%
rename from src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/private-params.xml.metadata
rename to src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml.metadata
diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/shared-params.xml b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml
similarity index 100%
rename from src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/shared-params.xml
rename to src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml
diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/shared-params.xml.metadata b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml.metadata
similarity index 100%
rename from src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/cs/shared-params.xml.metadata
rename to src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml.metadata
diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/instance-identifier b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/instance-identifier
index 841618abad..3faedb7f9c 100644
--- a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/instance-identifier
+++ b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/instance-identifier
@@ -1 +1 @@
-cs
+CS
From 0dac409227e61fc3d8e05b8f6303665eb5059aba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Mon, 4 Sep 2023 11:21:54 +0300 Subject: [PATCH 041/127] chore: improve signer test run clear mechanism Refs: XRDDEV-2468 --- .../xroad/signer/test/container/ContainerSetup.java | 13 ++++++++++--- .../behavior/0200-signer-hardware-token.feature | 6 +++++- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java index ee310fb8fb..c8672bc4c9 100644 --- a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java +++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java @@ -122,9 +122,16 @@ public void afterStart(@NotNull GenericContainer genericContainer) { @SneakyThrows private void prepareSignerDirs() { - var softtokenDir = Path.get("build/resources/intTest/container-files/etc/xroad/signer/softtoken/"); - if (softtokenDir.toFile().exists()) { - FileUtils.cleanDirectory(softtokenDir.toFile()); + deleteIfPresent("build/resources/intTest/container-files/etc/xroad/signer/softtoken/"); + deleteIfPresent("build/container-passwordstore/"); + } + + @SneakyThrows + private void deleteIfPresent(String path) { + var dir = Path.get(path); + if (dir.toFile().exists()) { + log.info("Temporary test-signer sync dir {} found. Deleting..", dir); + FileUtils.cleanDirectory(dir.toFile()); } } }; diff --git a/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature b/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature index c834f9de17..485217d320 100644 --- a/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature 
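Review bot: `deleteIfPresent` in ContainerSetup.java does not delete the directory it is named for: it calls `FileUtils.cleanDirectory`, which (assuming this is Commons IO) empties the directory and leaves it in place, while the log line says "Deleting..". Renaming it to `cleanDirIfPresent` and logging "Cleaning.." would match what happens. The guard is `dir.toFile().exists()`, so a regular file at that path would still reach `cleanDirectory`; `if (dir.toFile().isDirectory()) {` covers that case as well. Because `build/container-passwordstore/` is now wiped too, a comment on `prepareSignerDirs` such as `// stale soft-token and password-store state from an earlier run must not leak into this one` would tell the next reader why both paths are listed.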
+++ b/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature @@ -12,9 +12,13 @@ Feature: 0200 - Signer: HardwareToken When friendly name "xrd-softhsm-0" is set for token with label "x-road-softhsm2" Then token with label "x-road-softhsm2" name is "xrd-softhsm-0" - Scenario: Token is in initialized and active state + Scenario: Token is in initialized Given tokens list contains token "xrd-softhsm-0" And token "xrd-softhsm-0" status is "OK" + + Scenario: Activate token + Given token "xrd-softhsm-0" is not active + When token "xrd-softhsm-0" is logged in with pin "1234" Then token "xrd-softhsm-0" is active Scenario: Token is deactivated From b8ed948e4211d4a8ff70b022d6cb730118cef7f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Mon, 4 Sep 2023 13:21:39 +0300 Subject: [PATCH 042/127] chore: additional signer tests Refs: XRDDEV-2468 --- .../signer/test/glue/SignerStepDefs.java | 38 +++++++++++++++++++ .../0100-signer-software-token.feature | 37 ++++++++---------- .../0200-signer-hardware-token.feature | 8 ++-- 3 files changed, 57 insertions(+), 26 deletions(-) diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java index 24b87c72bc..3697535149 100644 --- a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java +++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java @@ -31,6 +31,7 @@ import ee.ria.xroad.common.OcspTestUtils; import ee.ria.xroad.common.TestCertUtil; import ee.ria.xroad.common.identifier.ClientId; +import ee.ria.xroad.common.identifier.SecurityServerId; import ee.ria.xroad.common.util.CryptoUtils; import ee.ria.xroad.signer.SignerProxy; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; 
@@ -71,6 +72,7 @@ import static ee.ria.xroad.common.util.CryptoUtils.SHA512WITHRSA_ID; import static ee.ria.xroad.common.util.CryptoUtils.calculateCertHexHash; import static ee.ria.xroad.common.util.CryptoUtils.calculateDigest; +import static java.lang.String.format; import static java.nio.charset.StandardCharsets.UTF_8; import static java.time.Instant.now; import static java.time.temporal.ChronoUnit.DAYS; @@ -285,6 +287,11 @@ private ClientId.Conf getClientId(String client) { return ClientId.Conf.create(parts[0], parts[1], parts[2]); } + private SecurityServerId.Conf getSecurityServerId(String securityServerId) { + final String[] parts = securityServerId.split(":"); + return SecurityServerId.Conf.create(parts[0], parts[1], parts[2], parts[3]); + } + @Step("the {} cert request is generated for token {string} key {string} for client {string} throws exception") public void certRequestIsGeneratedForTokenKeyException(String keyUsage, String friendlyName, String keyName, String client) throws Exception { try { 
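Review bot: `getSecurityServerId` in the `@@ -285,6 +287,11 @@` hunk indexes `parts[3]` without checking how many fields the split produced, so a mistyped identifier in a feature file fails with an ArrayIndexOutOfBoundsException that does not name the bad value. A guard before the `create` call would make the failure readable: `if (parts.length != 4) throw new IllegalArgumentException("Expected INSTANCE:CLASS:MEMBER:SERVER, got: " + securityServerId);`. The neighbouring `getClientId` has the same shape and would benefit from the equivalent check with three parts.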
@@ -436,6 +443,26 @@ public void sign(String keyName, String friendlyName) throws Exception { assertThat(bytes).isNotEmpty(); } + @Step("auth key for Security Server {string} is retrieved") + public void getAuthKey(String securityServerId) throws Exception { + var authKeyInfo = SignerProxy.getAuthKey(getSecurityServerId(securityServerId)); + testReportService.attachJson("authKeyInfo", authKeyInfo); + assertThat(authKeyInfo).isNotNull(); + } + + @Step("auth key retrieval for Security Server {string} fails when no active token is found") + public void getAuthKeyFail(String securityServerId) throws Exception { + try { + SignerProxy.getAuthKey(getSecurityServerId(securityServerId)); + fail("Exception expected"); + } catch (CodedException codedException) { + var errorServerId = securityServerId.replace(":", "/"); + assertException("Signer.KeyNotFound", "auth_key_not_found_for_server", + format("Signer.KeyNotFound: Could not find active authentication key for security server 'SERVER:%s'", errorServerId), + codedException); + } + } + @Step("Set token name fails with TokenNotFound exception when token does not exist") public void setTokenNameFail() throws Exception { String tokenId = randomUUID().toString(); 
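Review bot: The new `getAuthKey` step passes the whole result to `testReportService.attachJson("authKeyInfo", authKeyInfo)`, which serialises every field of the object into the test report. The definition of the auth key DTO is not part of this patch, but if it carries the key store password or PIN alongside the alias and certificate, that secret ends up in report artifacts that are usually archived by CI. Attaching only the certificate part, or asserting on the fields without attaching the object, avoids that; at minimum a comment stating that the report may contain key material from the test signer would be worth adding.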
@@ -533,6 +560,17 @@ public void notExistingCertActivateFail() throws Exception { } } + @Step("Member signing info for client {string} fails if not suitable certificates are found") + public void getMemberSigningInfoFail(String client) throws Exception { + try { + SignerProxy.getMemberSigningInfo(getClientId(client)); + fail("Exception expected"); + } catch (CodedException codedException) { + assertException("Signer.InternalError", "member_has_no_suitable_certs", + "Signer.InternalError: Member 'MEMBER:CS/test/member-1' has no suitable certificates", codedException); + } + } + @Step("Member signing info for client {string} is retrieved") public void getMemberSigningInfo(String client) throws Exception { var memberInfo = SignerProxy.getMemberSigningInfo(getClientId(client)); diff --git a/src/signer-protocol/src/intTest/resources/behavior/0100-signer-software-token.feature b/src/signer-protocol/src/intTest/resources/behavior/0100-signer-software-token.feature index f5de530540..d055844a69 100644 --- a/src/signer-protocol/src/intTest/resources/behavior/0100-signer-software-token.feature +++ b/src/signer-protocol/src/intTest/resources/behavior/0100-signer-software-token.feature 
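Review bot: `getMemberSigningInfoFail` takes a `client` parameter but asserts a message hard-coded for one member, `"... Member 'MEMBER:CS/test/member-1' has no suitable certificates"`, so the step only passes when it is called with `CS:test:member-1`. The sibling `getAuthKeyFail` in the previous hunk already derives its expected text from the argument; the same pattern works here: `format("Signer.InternalError: Member 'MEMBER:%s' has no suitable certificates", client.replace(":", "/"))`. Otherwise the step text should drop the `{string}` placeholder so that it does not look reusable.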
@@ -1,37 +1,38 @@ @SoftToken + @This Feature: 0100 - Signer: SoftToken Background: Given tokens are listed - Scenario: Set token friendly name + Scenario: Token has its friendly name updated When name "soft-token-000" is set for token with id "0" Then token with id "0" name is "soft-token-000" - Scenario: Initialization + Scenario: Token is in initialized Given tokens list contains token "soft-token-000" And token "soft-token-000" status is "NOT_INITIALIZED" When signer is initialized with pin "1234" Then token "soft-token-000" is not active And token "soft-token-000" status is "OK" - Scenario: Activate token + Scenario: Token is activated Given token "soft-token-000" is not active When token "soft-token-000" is logged in with pin "1234" Then token "soft-token-000" is active - Scenario: Deactivate token + Scenario: Token is deactivated When token "soft-token-000" is logged out Then token "soft-token-000" is not active - Scenario: Update token pin + Scenario: Token pin is updated Given token "soft-token-000" is not active And token "soft-token-000" is logged in with pin "1234" When token "soft-token-000" pin is updated from "1234" to "4321" And token "soft-token-000" is logged in with pin "4321" Then token "soft-token-000" is active - Scenario: Key generation + Scenario: Keys are generated When new key "key-1" generated for token "soft-token-000" And name "First key" is set for generated key When new key "key-2" generated for token "soft-token-000" @@ -41,7 +42,7 @@ Feature: 0100 - Signer: SoftToken Then token "soft-token-000" has exact keys "First key,Second key,Third key" And sign mechanism for token "soft-token-000" key "Second key" is not null - Scenario: Delete key + Scenario: Key is deleted Given new key "key-X" generated for token "soft-token-000" And name "KeyX" is set for generated key Then token info can be retrieved by key id 
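Review bot: The added `@This` tag on the feature header looks like a leftover focus tag from local debugging rather than an intended change. How the runner's tag filter is configured is not visible in this patch, but if any profile selects or excludes on `@This`, the tag changes which scenarios run in CI for the soft-token suite. Suggest removing the `@This` line so that only `@SoftToken` remains on the feature.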
@@ -58,7 +59,7 @@ Feature: 0100 - Signer: SoftToken And Generated certificate with initial status "registered" is imported for client "CS:ORG:2908758-4:Management" Then token info can be retrieved by key id - Scenario: A key with Auth certificate is created + Scenario: A key with Auth certificate is created Given new key "key-20" generated for token "soft-token-000" And name "AuthKey from CA" is set for generated key And token "soft-token-000" has exact keys "First key,Second key,KeyX,SignKey from CA,AuthKey from CA" @@ -97,18 +98,14 @@ Feature: 0100 - Signer: SoftToken And token and keyId can be retrieved by cert hash And certificate can be signed using key "First key" from token "soft-token-000" - Scenario: Member test + Scenario: Member signing info can be retrieved Given tokens list contains token "soft-token-000" * Member signing info for client "CS:ORG:2908758-4:Management" is retrieved - Scenario: Member test failure - Given tokens list contains token "soft-token-000" - * Member signing info for client "CS:test:member-1" is retrieved - - Scenario: Member info + Scenario: Member certs are retrieved Then member "CS:test:member-1" has 1 certificate - Scenario: Cert status + Scenario: Cert status can be updated Given self signed cert generated for token "soft-token-000" key "KeyX", client "CS:test:member-2" And certificate info can be retrieved by cert hash Then certificate can be deactivated @@ -119,7 +116,7 @@ Feature: 0100 - Signer: SoftToken Scenario: Miscellaneous checks * check token "soft-token-000" key "First key" batch signing enabled - Scenario: Exceptions + Scenario: Exceptions are being handled * Set token name fails with TokenNotFound exception when token does not exist * Deleting not existing certificate from token fails * Retrieving token info by not existing key fails 
@@ -127,17 +124,13 @@ Feature: 0100 - Signer: SoftToken * Signing with unknown key fails * Getting key by not existing cert hash fails * Not existing certificate can not be activated + * Member signing info for client "CS:test:member-1" fails if not suitable certificates are found + * auth key retrieval for Security Server "CS:ORG:2908758-4:SS100" fails when no active token is found Scenario: Ocsp responses When ocsp responses are set Then ocsp responses can be retrieved And null ocsp response is returned for unknown certificate - - # not covered SignerProxy methods: # AuthKeyInfo getAuthKey(SecurityServerId serverId) #requires valid ocsp response -# void setOcspResponses(String[] certHashes, String[] base64EncodedResponses) #requires valid ocsp responses -# String[] getOcspResponses(String[] certHashes) #requires valid ocsp responses -# MemberSigningInfoDto getMemberSigningInfo(ClientId clientId) #requires valid ocsp response -# boolean isHSMOperational() #timeout. no ModuleManager actor diff --git a/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature b/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature index 485217d320..428d5c3d05 100644 --- a/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature +++ b/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature @@ -16,7 +16,7 @@ Feature: 0200 - Signer: HardwareToken Given tokens list contains token "xrd-softhsm-0" And token "xrd-softhsm-0" status is "OK" - Scenario: Activate token + Scenario: Token is activated Given token "xrd-softhsm-0" is not active When token "xrd-softhsm-0" is logged in with pin "1234" Then token "xrd-softhsm-0" is active 
@@ -25,7 +25,7 @@ Feature: 0200 - Signer: HardwareToken When token "xrd-softhsm-0" is logged out Then token "xrd-softhsm-0" is not active - Scenario: Update token pin is not supported for hardware token + Scenario: Token pin update is not supported for hardware token Given token "xrd-softhsm-0" is not active And token "xrd-softhsm-0" is logged in with pin "1234" When token "xrd-softhsm-0" pin is update from "1234" to "4321" fails with an error @@ -101,10 +101,10 @@ Feature: 0200 - Signer: HardwareToken Given tokens list contains token "xrd-softhsm-0" * Member signing info for client "CS:ORG:2908758-4:Management" is retrieved - Scenario: Member info + Scenario: Member certs are retrieved Then member "CS:test:member-1" has 2 certificate - Scenario: Cert status + Scenario: Cert status can be updated Given self signed cert generated for token "xrd-softhsm-0" key "KeyX", client "CS:test:member-2" And certificate info can be retrieved by cert hash Then certificate can be deactivated From 364f912c46e719a2e2203da05001e672d9181e72 Mon Sep 17 00:00:00 2001 
From: Justas Samuolis Date: Mon, 4 Sep 2023 14:17:25 +0300 Subject: [PATCH 043/127] chore: OcspResponseManager refactored to spring bean Refs: XRDDEV-2461 --- .../xroad/signer/protocol/ClientIdMapper.java | 25 +++ .../xroad/signer/protocol/ComponentNames.java | 6 - .../protocol/SecurityServerIdMapper.java | 25 +++ .../main/java/ee/ria/xroad/signer/Signer.java | 3 - .../ee/ria/xroad/signer/SignerConfig.java | 12 +- .../ee/ria/xroad/signer/TemporaryHelper.java | 12 -- .../signer/certmanager/OcspClientWorker.java | 7 +- .../certmanager/OcspResponseManager.java | 170 ++++++------------ .../java/ee/ria/xroad/signer/model/Cert.java | 8 +- .../protocol/TemporaryAkkaMessenger.java | 22 +-- .../handler/GetOcspResponsesReqHandler.java | 7 +- .../handler/ImportCertReqHandler.java | 3 +- .../handler/SetOcspResponsesReqHandler.java | 10 +- .../signer/tokenmanager/ServiceLocator.java | 7 +- .../module/AbstractModuleManager.java | 2 + .../ee/ria/xroad/signer/util/SignerUtil.java | 48 +---- .../java/ee/ria/xroad/signer/SignerTest.java | 2 +- .../certmanager/FileBasedOcspCacheTest.java | 2 +- .../GlobalConfChangeCheckerTest.java | 2 +- .../signer/certmanager/OcspClientTest.java | 46 +++-- .../tokenmanager/TokenManagerMergeTest.java | 5 +- .../merge/MergeOntoFileTokenStrategyTest.java | 2 +- 22 files changed, 169 insertions(+), 257 deletions(-) diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java index a1097a9a92..12dc60231a 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java 
@@ -1,3 +1,28 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ package ee.ria.xroad.signer.protocol; import ee.ria.xroad.common.identifier.ClientId; diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ComponentNames.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ComponentNames.java index 94e31851a5..a4f8f926a9 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ComponentNames.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ComponentNames.java 
@@ -38,14 +38,8 @@ public final class ComponentNames { public static final String OCSP_RESPONSE_MANAGER = "OcspResponseManager"; - public static final String OCSP_CLIENT = "OcspClient"; - public static final String MODULE_MANAGER = "ModuleManager"; - public static final String OCSP_CLIENT_JOB = "OcspClientJob"; - - public static final String OCSP_CLIENT_RELOAD = "OcspClientReload"; - private ComponentNames() { } } diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SecurityServerIdMapper.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SecurityServerIdMapper.java index 3a35c32a91..fc8835bb27 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SecurityServerIdMapper.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SecurityServerIdMapper.java 
@@ -1,3 +1,28 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ package ee.ria.xroad.signer.protocol; import ee.ria.xroad.common.identifier.SecurityServerId; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/Signer.java b/src/signer/src/main/java/ee/ria/xroad/signer/Signer.java index 60f11709ef..1d64ce5b40 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/Signer.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/Signer.java 
@@ -28,7 +28,6 @@ import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.util.StartStop; import ee.ria.xroad.common.util.filewatcher.FileWatcherRunner; -import ee.ria.xroad.signer.certmanager.OcspResponseManager; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.tokenmanager.module.AbstractModuleManager; import ee.ria.xroad.signer.tokenmanager.module.DefaultModuleManagerImpl; @@ -44,7 +43,6 @@ import static ee.ria.xroad.common.SystemProperties.NodeType.SLAVE; import static ee.ria.xroad.signer.protocol.ComponentNames.MODULE_MANAGER; -import static ee.ria.xroad.signer.protocol.ComponentNames.OCSP_RESPONSE_MANAGER; /** * Signer application. @@ -79,7 +77,6 @@ public void start() { .buildAndStartWatcher(); } - createComponent(OCSP_RESPONSE_MANAGER, OcspResponseManager.class); } @Override diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java index 1c5369b6e0..32ca236797 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java @@ -27,6 +27,7 @@ import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.signer.certmanager.OcspClientWorker; +import ee.ria.xroad.signer.certmanager.OcspResponseManager; import ee.ria.xroad.signer.job.OcspClientExecuteScheduler; import akka.actor.ActorSystem; @@ -66,8 +67,15 @@ private static Config getConf(int signerPort) { } @Bean - OcspClientWorker ocspClientWorker() { - return new OcspClientWorker(); + OcspResponseManager ocspResponseManager() { + OcspResponseManager ocspResponseManager = new OcspResponseManager(); + ocspResponseManager.init(); + return ocspResponseManager; + } + + @Bean + OcspClientWorker ocspClientWorker(OcspResponseManager ocspResponseManager) { + return new OcspClientWorker(ocspResponseManager); } @Bean 
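Review bot: The `ocspResponseManager()` bean in SignerConfig.java calls `ocspResponseManager.init()` by hand inside the factory method; declaring it as `@Bean(initMethod = "init")` lets the container run it as a lifecycle callback and keeps the factory to a single `return new OcspResponseManager();`. The `init()` introduced in the OcspResponseManager.java hunk of this commit only logs when `reloadFromDisk()` throws, so the signer starts with an empty OCSP cache and no startup failure. If that is intended, a comment on the bean such as `// a failed disk reload is logged, not fatal: responses are re-fetched on demand` would record the decision.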
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/TemporaryHelper.java b/src/signer/src/main/java/ee/ria/xroad/signer/TemporaryHelper.java index c43180c101..d98f52c64f 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/TemporaryHelper.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/TemporaryHelper.java @@ -25,7 +25,6 @@ */ package ee.ria.xroad.signer; -import ee.ria.xroad.signer.certmanager.OcspResponseManager; import ee.ria.xroad.signer.tokenmanager.module.AbstractModuleManager; import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker; @@ -45,9 +44,6 @@ public class TemporaryHelper { @Deprecated private static AbstractModuleManager moduleManager; - @Deprecated - public static OcspResponseManager ocspResponseManager; - @Deprecated public static AbstractTokenWorker getTokenWorker(String tokenId) { if (!TOKEN_WORKERS.containsKey(tokenId)) { @@ -56,14 +52,6 @@ public static AbstractTokenWorker getTokenWorker(String tokenId) { return TOKEN_WORKERS.get(tokenId); } - @Deprecated - public static OcspResponseManager getOcspResponseManager() { - if (ocspResponseManager != null) { - return ocspResponseManager; - } - throw new RuntimeException("OcspResponseManager not available"); - } - @Deprecated public static void addTokenWorker(String tokenId, AbstractTokenWorker tokenWorker) { TOKEN_WORKERS.put(tokenId, tokenWorker); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspClientWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspClientWorker.java index b69291152c..61a2ffe2f9 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspClientWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspClientWorker.java 
@@ -37,7 +37,6 @@ import ee.ria.xroad.common.ocsp.OcspVerifier; import ee.ria.xroad.common.ocsp.OcspVerifierOptions; import ee.ria.xroad.common.util.CertUtils; -import ee.ria.xroad.signer.TemporaryHelper; import ee.ria.xroad.signer.job.OcspClientExecuteScheduler; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.tokenmanager.TokenManager; @@ -84,6 +83,8 @@ public class OcspClientWorker { private static final String VERIFY_OCSP_NEXTUPDATE = "verifyOcspNextUpdate"; private static final String OCSP_FETCH_INTERVAL = "ocspFetchInterval"; + private final OcspResponseManager ocspResponseManager; + private final GlobalConfChangeChecker changeChecker = new GlobalConfChangeChecker(); private final CertificationServiceDiagnostics certServDiagnostics = new CertificationServiceDiagnostics(); @@ -334,7 +335,7 @@ void updateCertStatuses(Map statuses) throws Exception { .addAllBase64EncodedResponses(responses) .build(); - TemporaryHelper.getOcspResponseManager().handleSetOcspResponses(setOcspResponsesReq); + ocspResponseManager.handleSetOcspResponses(setOcspResponsesReq); } /** @@ -379,7 +380,7 @@ boolean isCertValid(X509Certificate subject) { boolean isCachedOcspResponse(String certHash) { // Check if the OCSP response is in the cache Date atDate = new Date(); - boolean isCachedOcspResponse = TemporaryHelper.getOcspResponseManager().handleIsCachedOcspResponse(certHash, atDate); + boolean isCachedOcspResponse = ocspResponseManager.handleIsCachedOcspResponse(certHash, atDate); log.trace("isCachedOcspResponse(certHash: {}, atDate: {}) = {}", certHash, atDate, isCachedOcspResponse); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspResponseManager.java b/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspResponseManager.java index d2f6271725..d022422495 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspResponseManager.java 
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspResponseManager.java @@ -25,17 +25,11 @@ */ package ee.ria.xroad.signer.certmanager; -import ee.ria.xroad.signer.TemporaryHelper; import ee.ria.xroad.signer.protocol.message.GetOcspResponses; import ee.ria.xroad.signer.protocol.message.GetOcspResponsesResponse; -import ee.ria.xroad.signer.tokenmanager.ServiceLocator; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import ee.ria.xroad.signer.util.AbstractSignerActor; import ee.ria.xroad.signer.util.SignerUtil; -import akka.actor.ActorSystem; -import akka.actor.Props; -import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; import org.bouncycastle.cert.ocsp.OCSPResp; import org.niis.xroad.signer.proto.SetOcspResponsesReq; @@ -51,21 +45,21 @@ /** * This class is responsible for managing the OCSP responses for certificates. - * + *

* Certificates are identified by their SHA-1 fingerprint calculated over * the entire certificate. - * + *

* When an OCSP response is added to the manager, it is first cached in memory * (overwriting any existing response) and then attempted to be written to disk * (overwriting any existing response file). - * + *

* When an OCSP response is queried from the manager, first the cache is checked * for the response. If the response exists in the memory cache, it is returned. * If the response does not exist in the memory cache, the response will be * loaded from disk, if it exists and is cached in memory as well. */ @Slf4j -public class OcspResponseManager extends AbstractSignerActor { +public class OcspResponseManager { /** Maps a certificate hash to an OCSP response. */ private final FileBasedOcspCache responseCache = new FileBasedOcspCache(); @@ -74,31 +68,24 @@ public class OcspResponseManager extends AbstractSignerActor { /** * Utility method for getting OCSP response for a certificate. - * @param ctx the actor context * @param cert the certificate * @return OCSP response as byte array * @throws Exception if an error occurs */ - public static byte[] getOcspResponse(ActorSystem actorSystem, - X509Certificate cert) throws Exception { - return getOcspResponse(actorSystem, calculateCertHexHash(cert)); + public byte[] getOcspResponse(X509Certificate cert) throws Exception { + return getOcspResponse(calculateCertHexHash(cert)); } /** * Utility method for getting OCSP response for a certificate hash. - * @param ctx the actor context * @param certHash the certificate hash * @return OCSP response as byte array * @throws Exception if an error occurs */ - public static byte[] getOcspResponse(ActorSystem actorSystem, - String certHash) throws Exception { - GetOcspResponses message = - new GetOcspResponses(new String[] {certHash}); + private byte[] getOcspResponse(String certHash) throws Exception { + GetOcspResponses message = new GetOcspResponses(new String[] {certHash}); - GetOcspResponsesResponse result = - (GetOcspResponsesResponse) SignerUtil.ask( - ServiceLocator.getOcspResponseManager(actorSystem), message); + GetOcspResponsesResponse result = handleGetOcspResponses(message); if (result.getBase64EncodedResponses().length > 0 && result.getBase64EncodedResponses()[0] != null) { 
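Review bot: Dropping `extends AbstractSignerActor` in the `@@ -51,21 +45,21 @@` hunk removes the actor mailbox through which `GetOcspResponses` messages previously reached this class one at a time; as a plain bean, `handleGetOcspResponses`, `handleSetOcspResponses` and `handleIsCachedOcspResponse` are now called directly by `OcspClientWorker` and, judging by the diffstat, by the request handlers. Whether `FileBasedOcspCache` tolerates concurrent readers and writers is not visible in this patch, so this needs confirming rather than assuming. The class Javadoc should state the thread-safety contract, for example `Thread-safety: all handle* methods may be called concurrently; access to responseCache is guarded by ...`, and the guard it names should exist. The class body continues outside this hunk.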
@@ -110,9 +97,7 @@ public static byte[] getOcspResponse(ActorSystem actorSystem, // ------------------------------------------------------------------------ - @Override - public void preStart() throws Exception { - super.preStart(); + public void init() { try { responseCache.reloadFromDisk(); 
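Review bot: `init()` takes over from `preStart()`, which Akka invoked automatically, but nothing in this hunk causes it to run, so `responseCache.reloadFromDisk()` is skipped unless the owner calls it explicitly. The `new OcspResponseManager()` in `OcspClientTest.startup` does not call it. If the class is registered as a Spring bean, which the constructor injection in the handlers suggests, annotate the method with `@PostConstruct`. Otherwise add a Javadoc line such as `/** Loads cached OCSP responses from disk; call once before the manager serves requests. */`. The body of `init()` continues outside the hunk.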
@@ -122,36 +107,55 @@ public void preStart() throws Exception { } catch (Exception e) { log.error("Failed to load OCSP responses from disk", e); } - TemporaryHelper.ocspResponseManager = this; } - /** - * Depending on given message parameter, sends back either nothing, - * data (eg. ocsp responses) or Exception which occurred - * whilst processing the request. - * @param message - * @throws Exception - */ - @Override - public void onReceive(Object message) throws Exception { - log.trace("onReceive({})", message); + public GetOcspResponsesResponse handleGetOcspResponses(GetOcspResponses message) throws Exception { + log.trace("handleGetOcspResponses()"); - try { - if (message instanceof GetOcspResponses) { - handleGetOcspResponses((GetOcspResponses) message); + String[] base64EncodedResponses = new String[message.getCertHash().length]; + for (int i = 0; i < message.getCertHash().length; i++) { + OCSPResp ocspResponse = getResponse(message.getCertHash()[i]); + if (ocspResponse == null) { + log.debug("No cached OCSP response available for cert {}", message.getCertHash()[i]); + // if the response is not in local cache, download it + ocspResponse = downloadOcspResponse(message.getCertHash()[i]); + if (ocspResponse != null) { + setResponse(message.getCertHash()[i], ocspResponse); + } } else { - unhandled(message); + log.debug("Found a cached OCSP response for cert {}", message.getCertHash()[i]); + } + + if (ocspResponse != null) { + log.debug("Acquired an OCSP response for certificate {}", message.getCertHash()[i]); + base64EncodedResponses[i] = encodeBase64(ocspResponse.getEncoded()); + } else { + log.warn("Could not acquire an OCSP response for certificate {}", message.getCertHash()[i]); } - } catch (Exception e) { - sendResponse(e); } + + return new GetOcspResponsesResponse(base64EncodedResponses); } - void handleGetOcspResponses(GetOcspResponses message) { - log.trace("handleGetOcspResponses()"); + private OCSPResp downloadOcspResponse(String certHash) throws 
Exception { + log.trace("downloadOcspResponse({})", certHash); + + X509Certificate cert = SignerUtil.getCertForCertHash(certHash); + if (cert == null) { + log.warn("Could not find certificate for hash {}", certHash); + // unknown certificate + return null; + } - Props props = Props.create(GetOcspResponseHandler.class, this); - getContext().actorOf(props).tell(message.getCertHash(), getSender()); + try { + log.debug("Downloading a new OCSP response for certificate {}", cert.getIssuerX500Principal()); + return OcspClient.queryCertStatus(cert); + } catch (Exception e) { + log.error("Error downloading OCSP response for certificate " + + cert.getSubjectX500Principal().getName() + + " (hash: " + certHash + ")", e); + return null; + } } public void handleSetOcspResponses(SetOcspResponsesReq message) throws Exception { @@ -169,11 +173,11 @@ public boolean handleIsCachedOcspResponse(String certHash, Date date) { return Boolean.FALSE; } - OCSPResp getResponse(String certHash) { + private OCSPResp getResponse(String certHash) { return responseCache.get(certHash); } - void setResponse(String certHash, OCSPResp response) { + private void setResponse(String certHash, OCSPResp response) { log.debug("Setting a new response to cache for cert: {}", certHash); try { responseCache.put(certHash, response); 
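Review bot: In `handleGetOcspResponses`, every hash without a cached response now triggers `downloadOcspResponse` inline, so `OcspClient.queryCertStatus(cert)` runs on the caller's thread once per miss instead of in a per-request child actor. The same path is reached from `GetOcspResponsesReqHandler.handle`, which forwards the request's `getCertHashList()` without a size limit, and from `ImportCertReqHandler.updateOcspResponse`, so a slow or unreachable responder can hold an RPC thread for the whole list. It is worth capping the list length and confirming that the OCSP client enforces connect and read timeouts, which is not visible here. The downloaded response goes straight into `setResponse`; whether `queryCertStatus` verifies it first is outside this hunk and deserves a comment at the call. Also, the debug line logs `cert.getIssuerX500Principal()` while the error line logs the subject; `log.debug("Downloading a new OCSP response for certificate {}", cert.getSubjectX500Principal().getName());` keeps the two consistent.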
@@ -182,74 +186,4 @@ void setResponse(String certHash, OCSPResp response) { } } - @RequiredArgsConstructor - private static class GetOcspResponseHandler extends AbstractSignerActor { - - private final OcspResponseManager manager; - - @Override - public void onReceive(Object message) { - try { - if (message instanceof String[]) { // cert hashes - handleGetOcspResponses((String[]) message); - } else { - unhandled(message); - } - } catch (Exception e) { - sendResponse(e); - } finally { - getContext().stop(getSelf()); - } - } - - void handleGetOcspResponses(String[] certHashes) throws Exception { - String[] base64EncodedResponses = new String[certHashes.length]; - for (int i = 0; i < certHashes.length; i++) { - OCSPResp ocspResponse = manager.getResponse(certHashes[i]); - if (ocspResponse == null) { - log.debug("No cached OCSP response available for cert {}", certHashes[i]); - // if the response is not in local cache, download it - ocspResponse = downloadOcspResponse(certHashes[i]); - if (ocspResponse != null) { - manager.setResponse(certHashes[i], ocspResponse); - } - } else { - log.debug("Found a cached OCSP response for cert {}", certHashes[i]); - } - - if (ocspResponse != null) { - log.debug("Acquired an OCSP response for certificate {}", - certHashes[i]); - base64EncodedResponses[i] = - encodeBase64(ocspResponse.getEncoded()); - } else { - log.warn("Could not acquire an OCSP response for " - + "certificate {}", certHashes[i]); - } - } - - sendResponse(new GetOcspResponsesResponse(base64EncodedResponses)); - } - - OCSPResp downloadOcspResponse(String certHash) throws Exception { - log.trace("downloadOcspResponse({})", certHash); - - X509Certificate cert = SignerUtil.getCertForCertHash(certHash); - if (cert == null) { - log.warn("Could not find certificate for hash {}", certHash); - // unknown certificate - return null; - } - - try { - log.debug("Downloading a new OCSP response for certificate {}", cert.getIssuerX500Principal()); - return 
OcspClient.queryCertStatus(cert); - } catch (Exception e) { - log.error("Error downloading OCSP response for certificate " - + cert.getSubjectX500Principal().getName() - + " (hash: " + certHash + ")", e); - return null; - } - } - } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java b/src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java index d6afaee66e..c599adf207 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java @@ -158,12 +158,16 @@ public byte[] getBytes() { public CertificateInfoProto toProtoDTO() { try { var builder = CertificateInfoProto.newBuilder() - .setMemberId(ClientIdMapper.toDto(memberId)) .setActive(active) .setSavedToConfiguration(savedToConfiguration) - .setStatus(status) .setId(id); + if (memberId != null) { + builder.setMemberId(ClientIdMapper.toDto(memberId)); + } + if (status != null) { + builder.setStatus(status); + } if (certificate != null) { builder.setCertificateBytes(ByteString.copyFrom(certificate.getEncoded())); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java index 66bbbe7896..551db5ecf2 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java @@ -1,11 +1,10 @@ package ee.ria.xroad.signer.protocol; +import ee.ria.xroad.signer.tokenmanager.TokenManager; + import akka.actor.ActorSystem; import akka.pattern.Patterns; import akka.util.Timeout; - -import ee.ria.xroad.signer.tokenmanager.TokenManager; - import lombok.Getter; import lombok.RequiredArgsConstructor; import lombok.SneakyThrows; 
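Review bot: With `setMemberId` and `setStatus` now skipped for null values in `toProtoDTO`, a reader of `CertificateInfoProto` gets the protobuf default rather than null, so a consumer that still compares against null will treat a missing status or member id as present. The `shouldAddOcspResponse` change in TokenManagerMergeTest, where `assertNull` becomes `assertArrayEquals("test setup failure", new byte[0], beforeCertInfo.getOcspBytes())`, shows the same shift for OCSP bytes: "no response" is now an empty array. Callers that gate on `getOcspBytes() != null` before parsing or verifying a response are outside this diff view and should be moved to a length or presence check. A short comment above the guards, e.g. `// unset fields read back as protobuf defaults, not null`, would record the contract. `toProtoDTO` continues past the end of the hunk.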
@@ -14,7 +13,6 @@ import java.util.concurrent.TimeUnit; -import static ee.ria.xroad.signer.tokenmanager.ServiceLocator.getOcspResponseManager; import static ee.ria.xroad.signer.tokenmanager.ServiceLocator.getToken; import static ee.ria.xroad.signer.util.ExceptionHelper.tokenNotAvailable; @@ -46,20 +44,4 @@ public Object tellToken(Object message, String tokenId) { return response; } - public T tellOcspManagerWithResponse(Object message) { - return (T) tellOcspManager(message); - } - - @SneakyThrows - public Object tellOcspManager(Object message) { - - - Object response = Await.result(Patterns.ask(getOcspResponseManager(actorSystem), message, AKKA_TIMEOUT), - AKKA_TIMEOUT.duration()); - if (response instanceof Exception) { - throw (Throwable) response; - } - return response; - } - } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetOcspResponsesReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetOcspResponsesReqHandler.java index 6e235b337a..d82fd41977 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetOcspResponsesReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetOcspResponsesReqHandler.java @@ -25,9 +25,11 @@ */ package ee.ria.xroad.signer.protocol.handler; +import ee.ria.xroad.signer.certmanager.OcspResponseManager; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.protocol.message.GetOcspResponses; +import lombok.RequiredArgsConstructor; import org.apache.commons.lang3.ArrayUtils; import org.niis.xroad.signer.proto.GetOcspResponsesReq; import org.niis.xroad.signer.proto.GetOcspResponsesResp; 
@@ -40,15 +42,18 @@ * Handles OCSP requests. */ @Component +@RequiredArgsConstructor public class GetOcspResponsesReqHandler extends AbstractRpcHandler { + private final OcspResponseManager ocspResponseManager; + @Override protected GetOcspResponsesResp handle(GetOcspResponsesReq request) throws Exception { var message = new GetOcspResponses( request.getCertHashList().toArray(new String[0])); - ee.ria.xroad.signer.protocol.message.GetOcspResponsesResponse response = temporaryAkkaMessenger.tellOcspManagerWithResponse(message); + ee.ria.xroad.signer.protocol.message.GetOcspResponsesResponse response = ocspResponseManager.handleGetOcspResponses(message); // todo return map from ocsp responses manager Map ocspResponses = new HashMap<>(); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java index 8073af44c6..8e935bd76a 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java @@ -65,6 +65,7 @@ @RequiredArgsConstructor public class ImportCertReqHandler extends AbstractRpcHandler { private final DeleteCertRequestReqHandler deleteCertRequestReqHandler; + private final OcspResponseManager ocspResponseManager; @Override protected ImportCertResp handle(ImportCertReq request) throws Exception { @@ -176,7 +177,7 @@ private void importCertificateToKey(KeyInfo keyInfo, X509Certificate cert, private void updateOcspResponse(X509Certificate cert) { try { - OcspResponseManager.getOcspResponse(temporaryAkkaMessenger.getActorSystem(), cert); + ocspResponseManager.getOcspResponse(cert); } catch (Exception e) { log.error("Failed to update OCSP response for certificate " + cert.getSerialNumber(), e); 
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetOcspResponsesReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetOcspResponsesReqHandler.java index 6b9a5b7111..7d83f7622b 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetOcspResponsesReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SetOcspResponsesReqHandler.java @@ -25,9 +25,10 @@ */ package ee.ria.xroad.signer.protocol.handler; -import ee.ria.xroad.signer.TemporaryHelper; +import ee.ria.xroad.signer.certmanager.OcspResponseManager; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; +import lombok.RequiredArgsConstructor; import org.niis.xroad.signer.proto.SetOcspResponsesReq; import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Component; @@ -36,12 +37,15 @@ * Handles requests for setting the OCSP responses for certificates. */ @Component +@RequiredArgsConstructor public class SetOcspResponsesReqHandler extends AbstractRpcHandler { + + private final OcspResponseManager ocspResponseManager; + @Override protected Empty handle(SetOcspResponsesReq request) throws Exception { - TemporaryHelper.getOcspResponseManager() - .handleSetOcspResponses(request); + ocspResponseManager.handleSetOcspResponses(request); return Empty.getDefaultInstance(); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java index 0c340dacb3..0036ae0f9b 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java 
@@ -45,17 +45,12 @@ private ServiceLocator() { * @param context the actor context * @return the OCSP response manager actor */ + @Deprecated(forRemoval = true) public static ActorSelection getOcspResponseManager( ActorContext context) { return context.actorSelection("/user/" + OCSP_RESPONSE_MANAGER); } - @Deprecated - public static ActorSelection getOcspResponseManager( - ActorSystem actorSystem) { - return actorSystem.actorSelection("/user/" + OCSP_RESPONSE_MANAGER); - } - /** * @param context the actor context * @param tokenId the token id diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java index efbe466cec..a82fc5a7bb 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java @@ -137,6 +137,8 @@ private void mergeConfiguration() { if (!addedCerts.isEmpty()) { log.info("Requesting OCSP update for new certificates obtained in key configuration merge."); + // todo inject ocsp response manager + // ocspResponseManager.handleGetOcspResponses(mapCertListToGetOcspResponses(addedCerts)); ServiceLocator.getOcspResponseManager(getContext()).tell(mapCertListToGetOcspResponses(addedCerts), ActorRef.noSender()); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/util/SignerUtil.java b/src/signer/src/main/java/ee/ria/xroad/signer/util/SignerUtil.java index b1d9f25846..49b8bf7cba 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/util/SignerUtil.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/util/SignerUtil.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
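Review bot: `@Deprecated(forRemoval = true)` on `getOcspResponseManager(ActorContext)` has no matching Javadoc tag, and the method is still called from `AbstractModuleManager.mergeConfiguration` in this same patch. Add a line such as `@deprecated use the injected OcspResponseManager instead` to the existing Javadoc block so the deprecation warning names the replacement.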
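Review bot: The `tell` on `ServiceLocator.getOcspResponseManager(getContext())` is kept, but `OcspResponseManager` no longer extends `AbstractSignerActor` after this patch. Unless something is still registered under that actor path (not visible here), the selection resolves to nothing and the message is dropped silently, since it is sent with `ActorRef.noSender()`. Certificates added by the merge would then have no OCSP response fetched, while the log line above still reports the update as requested. The added `// todo` with commented-out code does not close that gap. Either inject the manager now and call `ocspResponseManager.handleGetOcspResponses(mapCertListToGetOcspResponses(addedCerts));`, or log a warning that the refresh is deferred. `mergeConfiguration` starts and ends outside the hunk.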
@@ -26,11 +26,9 @@ package ee.ria.xroad.signer.util; import ee.ria.xroad.common.conf.globalconf.GlobalConf; -import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import akka.actor.ActorRef; import akka.actor.ActorSelection; import akka.actor.OneForOneStrategy; import akka.actor.SupervisorStrategy; @@ -126,21 +124,6 @@ private static byte[] createDataToSign(byte[] digest) { return digestInfo; } - /** - * @param tokenInfo the token - * @param keyId the key id - * @return true if the token contains a key with the specified id - */ - public static boolean hasKey(TokenInfo tokenInfo, String keyId) { - for (KeyInfo keyInfo : tokenInfo.getKeyInfo()) { - if (keyInfo.getId().equals(keyId)) { - return true; - } - } - - return false; - } - /** * Creates a key id (lexical representation of xsd:hexBinary) * from the specified key object. @@ -218,35 +201,6 @@ public static byte[] generateId() { return id; } - /** - * Convenience method for sending a message to an actor and returning - * the result. - * - * @param actor the actor - * @param message the message - * @return the result - * @throws Exception if an error occurs or if the result times out - */ - public static Object ask(ActorRef actor, Object message) throws Exception { - return ask(actor, message, DEFAULT_ASK_TIMEOUT); - } - - /** - * Convenience method for sending a message to an actor and returning - * the result. - * - * @param actor the actor - * @param message the message - * @param timeout the timeout for the result - * @return the result - * @throws Exception if an error occurs or if the result times out - */ - public static Object ask(ActorRef actor, Object message, Timeout timeout) - throws Exception { - return Await.result(Patterns.ask(actor, message, - timeout.duration().length()), timeout.duration()); - } - /** * Convenience method for sending a message to an actor selection * and returning the result. 
diff --git a/src/signer/src/test/java/ee/ria/xroad/signer/SignerTest.java b/src/signer/src/test/java/ee/ria/xroad/signer/SignerTest.java index cd7a352640..ae56aae7e5 100644 --- a/src/signer/src/test/java/ee/ria/xroad/signer/SignerTest.java +++ b/src/signer/src/test/java/ee/ria/xroad/signer/SignerTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/signer/src/test/java/ee/ria/xroad/signer/certmanager/FileBasedOcspCacheTest.java b/src/signer/src/test/java/ee/ria/xroad/signer/certmanager/FileBasedOcspCacheTest.java index 12b342cb5e..565f59fea3 100644 --- a/src/signer/src/test/java/ee/ria/xroad/signer/certmanager/FileBasedOcspCacheTest.java +++ b/src/signer/src/test/java/ee/ria/xroad/signer/certmanager/FileBasedOcspCacheTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/signer/src/test/java/ee/ria/xroad/signer/certmanager/GlobalConfChangeCheckerTest.java b/src/signer/src/test/java/ee/ria/xroad/signer/certmanager/GlobalConfChangeCheckerTest.java index 6b77d398fc..6e2ed4c3d5 100644 --- a/src/signer/src/test/java/ee/ria/xroad/signer/certmanager/GlobalConfChangeCheckerTest.java +++ b/src/signer/src/test/java/ee/ria/xroad/signer/certmanager/GlobalConfChangeCheckerTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/signer/src/test/java/ee/ria/xroad/signer/certmanager/OcspClientTest.java b/src/signer/src/test/java/ee/ria/xroad/signer/certmanager/OcspClientTest.java index 80df34a1b7..bf9d2418e8 100644 --- a/src/signer/src/test/java/ee/ria/xroad/signer/certmanager/OcspClientTest.java 
+++ b/src/signer/src/test/java/ee/ria/xroad/signer/certmanager/OcspClientTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -32,9 +32,6 @@ import ee.ria.xroad.common.ocsp.OcspVerifier; import ee.ria.xroad.common.ocsp.OcspVerifierOptions; -import akka.actor.ActorSystem; -import akka.actor.Props; -import akka.testkit.TestActorRef; import org.bouncycastle.cert.ocsp.CertificateStatus; import org.bouncycastle.cert.ocsp.OCSPException; import org.bouncycastle.cert.ocsp.OCSPResp; @@ -42,7 +39,6 @@ import org.eclipse.jetty.server.Request; import org.eclipse.jetty.server.Server; import org.eclipse.jetty.server.handler.AbstractHandler; -import org.junit.After; import org.junit.AfterClass; import org.junit.Before; import org.junit.BeforeClass; @@ -50,10 +46,7 @@ import org.junit.Test; import org.junit.rules.ExpectedException; import org.mockito.Mockito; -import scala.concurrent.Await; -import scala.concurrent.duration.Duration; -import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -86,21 +79,19 @@ public class OcspClientTest { private static final String RESPONDER_URI = "http://127.0.0.1:" + RESPONDER_PORT; - private static final ActorSystem ACTOR_SYSTEM = ActorSystem.create(); - private static Server ocspResponder; private static byte[] responseData; private static final Map OCSP_RESPONSES = new HashMap<>(); private static X509Certificate ocspResponderCert; - private TestActorRef testActor; private OcspClientWorker ocspClient; // --- test cases /** * Test. + * * @throws Exception if an error occurs */ @Test @@ -126,6 +117,7 @@ public void goodCertificateStatus() throws Exception { /** * Test. + * * @throws Exception if an error occurs */ @Test 
@@ -154,6 +146,7 @@ public void goodCertificateStatusFromSecondResponder() throws Exception { /** * Test. + * * @throws Exception if an error occurs */ @Test @@ -173,6 +166,7 @@ public void noResponseFromOCSPServer() throws Exception { /** * Test. + * * @throws Exception if an error occurs */ @Test @@ -192,6 +186,7 @@ public void faultyResponseFromOCSPServer() throws Exception { /** * Test. + * * @throws Exception if an error occurs */ @Test @@ -211,6 +206,7 @@ public void cannotConnectNoResponders() throws Exception { /** * Test. + * * @throws Exception if an error occurs */ @Test @@ -229,6 +225,7 @@ public void cannotConnect() throws Exception { /** * Test. + * * @throws Exception if an error occurs */ @Test @@ -250,6 +247,7 @@ public void signatureRequired() throws Exception { /** * BeforeClass + * * @throws Exception if an error occurs */ @BeforeClass @@ -261,36 +259,28 @@ public static void doBeforeClass() throws Exception { /** * Before + * * @throws Exception if an error occurs */ @Before - public void startup() throws Exception { + public void startup() { OCSP_RESPONSES.clear(); if (ocspResponderCert == null) { ocspResponderCert = TestCertUtil.getOcspSigner().certChain[0]; } - testActor = TestActorRef.create(ACTOR_SYSTEM, Props.create(TestOcspClient.class)); - ocspClient = testActor.underlyingActor(); - } - - /** - * After - * @throws Exception if an error occurs - */ - @After - public void afterTest() throws Exception { - testActor.stop(); + OcspResponseManager ocspResponseManager = new OcspResponseManager(); + ocspClient = new TestOcspClient(ocspResponseManager); } /** * AfterClass + * * @throws Exception if an error occurs */ @AfterClass public static void shutdown() throws Exception { - Await.ready(ACTOR_SYSTEM.terminate(), Duration.Inf()); if (ocspResponder != null) { try { ocspResponder.stop(); 
@@ -300,7 +290,7 @@ public static void shutdown() throws Exception { } } - private static X509Certificate getDefaultClientCert() throws Exception { + private static X509Certificate getDefaultClientCert() { return TestCertUtil.getConsumer().certChain[0]; } @@ -342,6 +332,10 @@ private OCSPResp getOcspResponse(X509Certificate subject) throws Exception { } private static class TestOcspClient extends OcspClientWorker { + public TestOcspClient(OcspResponseManager ocspResponseManager) { + super(ocspResponseManager); + } + @Override void updateCertStatuses(Map statuses) { OCSP_RESPONSES.putAll(statuses); @@ -354,7 +348,7 @@ private static class TestOCSPResponder extends AbstractHandler { @Override public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) - throws IOException, ServletException { + throws IOException { try { response.setContentType(responseContentType); diff --git a/src/signer/src/test/java/ee/ria/xroad/signer/tokenmanager/TokenManagerMergeTest.java b/src/signer/src/test/java/ee/ria/xroad/signer/tokenmanager/TokenManagerMergeTest.java index 9d585da34d..db79f7da9b 100644 --- a/src/signer/src/test/java/ee/ria/xroad/signer/tokenmanager/TokenManagerMergeTest.java +++ b/src/signer/src/test/java/ee/ria/xroad/signer/tokenmanager/TokenManagerMergeTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -58,7 +58,6 @@ import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertNull; import static org.junit.Assert.assertThat; import static org.junit.Assert.assertTrue; import static org.mockito.Mockito.mock; 
@@ -204,7 +203,7 @@ public void shouldAddOcspResponse() throws IOException { assertNotNull("test setup failure", beforeCertInfo); // assert no ocsp response exists before test - assertNull("test setup failure", beforeCertInfo.getOcspBytes()); + assertArrayEquals("test setup failure", new byte[0], beforeCertInfo.getOcspBytes()); OCSPResp shouldMatchResponse = mock(OCSPResp.class); final byte[] shouldMatchOcspResponseBytes = "some example string 11 2 34".getBytes(); diff --git a/src/signer/src/test/java/ee/ria/xroad/signer/tokenmanager/merge/MergeOntoFileTokenStrategyTest.java b/src/signer/src/test/java/ee/ria/xroad/signer/tokenmanager/merge/MergeOntoFileTokenStrategyTest.java index 978373af82..312c2a47a1 100644 --- a/src/signer/src/test/java/ee/ria/xroad/signer/tokenmanager/merge/MergeOntoFileTokenStrategyTest.java +++ b/src/signer/src/test/java/ee/ria/xroad/signer/tokenmanager/merge/MergeOntoFileTokenStrategyTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), From 32064e7aff022756ddfedaf018b6e896f8fa3206 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Mon, 4 Sep 2023 18:29:40 +0300 Subject: [PATCH 044/127] chore: remove unused actors Refs: XRDDEV-2468 --- .../module/HardwareModuleWorker.java | 6 +- .../tokenmanager/token/HardwareToken.java | 61 -------- .../0100-signer-software-token.feature | 1 - .../xroad/signer/protocol/message/Sign.java | 45 ------ .../signer/protocol/message/SignResponse.java | 43 ------ .../handler/AbstractGenerateCertReq.java | 89 ++--------- .../module/SoftwareModuleWorker.java | 22 ++- .../tokenmanager/token/AbstractToken.java | 144 ------------------ .../token/AbstractTokenWorker.java | 33 +--- .../tokenmanager/token/SoftwareToken.java | 81 ---------- .../tokenmanager/token/TokenSigner.java | 110 ------------- .../xroad/signer/util/CalculateSignature.java | 46 ------ .../signer/util/CalculatedSignature.java | 45 ------ .../ee/ria/xroad/signer/util/SignerUtil.java | 2 + 14 files changed, 39 insertions(+), 689 deletions(-) delete mode 100644 src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareToken.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/Sign.java delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignResponse.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractToken.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareToken.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenSigner.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/util/CalculateSignature.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/util/CalculatedSignature.java 
diff --git a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleWorker.java b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleWorker.java index 0cd2109cae..c2bec7f01f 100644 --- a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleWorker.java +++ b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleWorker.java @@ -25,8 +25,8 @@ */ package ee.ria.xroad.signer.tokenmanager.module; -import ee.ria.xroad.signer.tokenmanager.token.HardwareToken; import ee.ria.xroad.signer.tokenmanager.token.HardwareTokenType; +import ee.ria.xroad.signer.tokenmanager.token.HardwareTokenWorker; import ee.ria.xroad.signer.tokenmanager.token.TokenType; import ee.ria.xroad.signer.util.SignerUtil; @@ -171,6 +171,8 @@ private TokenType createToken(Slot[] slots, int slotIndex) throws Exception { @Override protected Props props(ee.ria.xroad.signer.protocol.dto.TokenInfo tokenInfo, TokenType tokenType) { - return Props.create(HardwareToken.class, tokenInfo, tokenType); + //TODO grpc + return Props.create(HardwareTokenWorker.class, + tokenInfo, tokenType).withDispatcher("token-worker-dispatcher"); } } diff --git a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareToken.java b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareToken.java deleted file mode 100644 index bf8df53696..0000000000 --- a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareToken.java +++ /dev/null 
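Review bot: `//TODO grpc` in `props(...)` does not say what is left to do, and the dispatcher name that used to be the `DISPATCHER` constant in the deleted `HardwareToken` is now an inline literal. A comment such as `// TODO(XRDDEV-2468): construct HardwareTokenWorker directly once token workers no longer run as actors` would say what remains, if that is the intent. Keeping `private static final String DISPATCHER = "token-worker-dispatcher";` in this class avoids a second copy of the string drifting later.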
@@ -1,61 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.tokenmanager.token; - -import ee.ria.xroad.signer.protocol.dto.TokenInfo; - -import akka.actor.Props; - -/** - * Hardware token. 
- */ -public class HardwareToken extends AbstractToken { - - private static final String DISPATCHER = "token-worker-dispatcher"; - - private final HardwareTokenType tokenType; - - /** - * @param tokenInfo the token info - * @param tokenType the token type - */ - public HardwareToken(TokenInfo tokenInfo, HardwareTokenType tokenType) { - super(tokenInfo); - - this.tokenType = tokenType; - } - - @Override - protected Props createSigner() { - return Props.create(TokenSigner.class); - } - - @Override - protected Props createWorker() { - return Props.create(HardwareTokenWorker.class, tokenInfo, tokenType).withDispatcher(DISPATCHER); - } - -} diff --git a/src/signer-protocol/src/intTest/resources/behavior/0100-signer-software-token.feature b/src/signer-protocol/src/intTest/resources/behavior/0100-signer-software-token.feature index d055844a69..49d9e31096 100644 --- a/src/signer-protocol/src/intTest/resources/behavior/0100-signer-software-token.feature +++ b/src/signer-protocol/src/intTest/resources/behavior/0100-signer-software-token.feature @@ -1,5 +1,4 @@ @SoftToken - @This Feature: 0100 - Signer: SoftToken Background: diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/Sign.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/Sign.java deleted file mode 100644 index ac2ee57112..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/Sign.java +++ /dev/null 
@@ -1,45 +0,0 @@
-/**
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.protocol.message;
-
-import lombok.ToString;
-import lombok.Value;
-
-import java.io.Serializable;
-
-/**
- * Signer API message.
- */
-@Value
-@Deprecated
-@ToString(exclude = "digest")
-public class Sign implements Serializable {
-
- private final String keyId;
- private final String signatureAlgorithmId;
- private final byte[] digest;
-
-}
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignResponse.java deleted file mode 100644 index 796c540e41..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignResponse.java +++ /dev/null 
@@ -1,43 +0,0 @@
-/**
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.protocol.message;
-
-import lombok.ToString;
-import lombok.Value;
-
-import java.io.Serializable;
-
-/**
- * Signer API message.
- */
-@Value
-@Deprecated
-@ToString(exclude = "signature")
-public class SignResponse implements Serializable {
-
- private final byte[] signature;
-
-}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertReq.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertReq.java index b656f4cdf6..ebe927323f 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertReq.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertReq.java @@ -28,16 +28,12 @@ import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.util.CryptoUtils; +import ee.ria.xroad.signer.TemporaryHelper; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; -import ee.ria.xroad.signer.util.CalculateSignature; -import ee.ria.xroad.signer.util.CalculatedSignature; import ee.ria.xroad.signer.util.TokenAndKey; -import akka.actor.Actor; -import akka.actor.ActorRef; -import akka.actor.Props; -import akka.actor.UntypedAbstractActor; import com.google.protobuf.AbstractMessage; +import com.google.protobuf.ByteString; import lombok.extern.slf4j.Slf4j; import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; @@ -47,14 +43,13 @@ import org.bouncycastle.pkcs.PKCS10CertificationRequest; import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder; import org.niis.xroad.signer.proto.CertificateRequestFormat; +import org.niis.xroad.signer.proto.SignReq; import java.io.ByteArrayOutputStream; import java.io.OutputStream; import java.io.OutputStreamWriter; import java.security.NoSuchAlgorithmException; import java.security.PublicKey; -import java.util.concurrent.CountDownLatch; -import java.util.concurrent.TimeUnit; import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; import static ee.ria.xroad.common.ErrorCodes.translateException; 
@@ -83,7 +78,7 @@ PKCS10CertificationRequest buildSignedCertRequest(TokenAndKey tokenAndKey, Strin JcaPKCS10CertificationRequestBuilder certRequestBuilder = new JcaPKCS10CertificationRequestBuilder( new X500Name(subjectName), publicKey); - ContentSigner signer = new TokenContentSigner(tokenAndKey, this); + ContentSigner signer = new TokenContentSigner(tokenAndKey); PKCS10CertificationRequest request = certRequestBuilder.build(signer); return request; @@ -114,25 +109,15 @@ private static byte[] toPem(PKCS10CertificationRequest req) throws Exception { //TODO:grpc this should be refactored.. private static class TokenContentSigner implements ContentSigner { - - private static final int SIGNATURE_TIMEOUT_SECONDS = 10; - private final ByteArrayOutputStream out = new ByteArrayOutputStream(); private final TokenAndKey tokenAndKey; - private final AbstractGenerateCertReq abstractGenerateCertReq; private final String digestAlgoId; private final String signAlgoId; - private final CountDownLatch latch = new CountDownLatch(1); - - private volatile CalculatedSignature signature; - - TokenContentSigner(TokenAndKey tokenAndKey, AbstractGenerateCertReq abstractGenerateCertReq) - throws NoSuchAlgorithmException { + TokenContentSigner(final TokenAndKey tokenAndKey) throws NoSuchAlgorithmException { this.tokenAndKey = tokenAndKey; - this.abstractGenerateCertReq = abstractGenerateCertReq; digestAlgoId = SystemProperties.getSignerCsrSignatureDigestAlgorithm(); signAlgoId = CryptoUtils.getSignatureAlgorithmId(digestAlgoId, tokenAndKey.getSignMechanism()); 
@@ -152,67 +137,19 @@ public OutputStream getOutputStream() { public byte[] getSignature() { log.debug("Calculating signature for certificate request..."); - byte[] digest; - - try { - digest = calculateDigest(digestAlgoId, out.toByteArray()); - } catch (Exception e) { - throw new CodedException(X_INTERNAL_ERROR, e); - } - - var actorSystem = abstractGenerateCertReq.temporaryAkkaMessenger.getActorSystem(); - ActorRef signatureReceiver = actorSystem.actorOf( - Props.create(SignatureReceiverActor.class, this)); - try { + SignReq request = SignReq.newBuilder() + .setKeyId(tokenAndKey.getKeyId()) + .setSignatureAlgorithmId(signAlgoId) + .setDigest(ByteString.copyFrom(calculateDigest(digestAlgoId, out.toByteArray()))) + .build(); - signature = abstractGenerateCertReq.temporaryAkkaMessenger.tellTokenWithResponse(new CalculateSignature(Actor.noSender(), - tokenAndKey.getKeyId(), signAlgoId, digest), - tokenAndKey.getTokenId()); - -// waitForSignature(); - - if (signature.getException() != null) { - throw translateException(signature.getException()); - } - - return signature.getSignature(); - } finally { - actorSystem.stop(signatureReceiver); - } - } - - private void waitForSignature() { - try { - if (!latch.await(SIGNATURE_TIMEOUT_SECONDS, TimeUnit.SECONDS)) { - throw new CodedException(X_INTERNAL_ERROR, "Signature calculation timed out"); - } - } catch (InterruptedException e) { - Thread.currentThread().interrupt(); + return TemporaryHelper.getTokenWorker(tokenAndKey.getTokenId()).handleSign(request); + } catch (Exception e) { + throw translateException(e); //TODO verify that it is necessary to do this here } } - - void setSignature(CalculatedSignature sig) { - this.signature = sig; - latch.countDown(); - } } - private static class SignatureReceiverActor extends UntypedAbstractActor { - - private final TokenContentSigner signer; - SignatureReceiverActor(TokenContentSigner signer) { - this.signer = signer; - } - - @Override - public void onReceive(Object message) throws 
Exception { - if (message instanceof CalculatedSignature) { - signer.setSignature((CalculatedSignature) message); - } else { - unhandled(message); - } - } - } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/SoftwareModuleWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/SoftwareModuleWorker.java index 415249d0cc..7a25302895 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/SoftwareModuleWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/SoftwareModuleWorker.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -26,14 +26,17 @@ package ee.ria.xroad.signer.tokenmanager.module; import ee.ria.xroad.signer.protocol.dto.TokenInfo; -import ee.ria.xroad.signer.tokenmanager.token.SoftwareToken; +import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenType; +import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenWorker; import ee.ria.xroad.signer.tokenmanager.token.TokenType; import akka.actor.Props; import java.util.Collections; +import java.util.HashMap; import java.util.List; +import java.util.Map; /** * Worker for software module. Always lists only one software token. @@ -41,7 +44,7 @@ public class SoftwareModuleWorker extends AbstractModuleWorker { private static final List TOKENS = - Collections.singletonList((TokenType) new SoftwareTokenType()); + Collections.singletonList(new SoftwareTokenType()); @Override protected void initializeModule() throws Exception { 
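Review bot: In `getSignature()` the direct call `TemporaryHelper.getTokenWorker(tokenAndKey.getTokenId()).handleSign(request)` bypasses the token actor this commit deletes, and `AbstractToken.onReceive` was where a request for an inactive token was rejected with `tokenNotActive`. Unless `handleSign` makes that check itself (only its first lines are visible in this patch), CSR signing can now reach a token that is not active, so I would guard before building the request, for example `if (!TokenManager.isTokenActive(tokenAndKey.getTokenId())) throw tokenNotActive(tokenAndKey.getTokenId());`. The result of `getTokenWorker` is dereferenced unchecked, so a missing worker would surface as a translated NullPointerException instead of a clear error. With `SIGNATURE_TIMEOUT_SECONDS` removed the call is also unbounded if the token hangs, and the TODO on `translateException(e)` should be settled, since the deleted `handleCalculateSignature` added the `X_CANNOT_SIGN` prefix that this path no longer applies.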
@@ -60,7 +63,18 @@ protected List listTokens() throws Exception { @Override protected Props props(TokenInfo tokenInfo, TokenType tokenType) { - return Props.create(SoftwareToken.class, tokenInfo, tokenType); + initTokenInfo(tokenInfo); + //TODO:grpc + return Props.create(SoftwareTokenWorker.class, + tokenInfo, tokenType).withDispatcher("token-worker-dispatcher"); + + } + + private void initTokenInfo(TokenInfo tokenInfo) { + Map info = new HashMap<>(); + info.put("Type", "Software"); + + TokenManager.setTokenInfo(tokenInfo.getId(), info); } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractToken.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractToken.java deleted file mode 100644 index a9014a5115..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractToken.java +++ /dev/null 
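Review bot: `props()` now calls `initTokenInfo(tokenInfo)`, so merely building the actor `Props` writes to `TokenManager`, where the deleted `SoftwareToken` did this in `preStart()` once the actor actually started. If `props()` is ever invoked without the worker being created, or more than once, the token info is set anyway; a comment such as `// sets the token's "Type" info eagerly; previously done in SoftwareToken.preStart()` would make that visible to the next reader of the `//TODO:grpc` marker. The dispatcher name is also inlined as a literal, while the removed class kept it in a constant; `private static final String DISPATCHER = "token-worker-dispatcher";` keeps it in one place.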
@@ -1,144 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.signer.tokenmanager.token; - -import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.protocol.dto.TokenInfo; -import ee.ria.xroad.signer.protocol.message.Sign; -import ee.ria.xroad.signer.tokenmanager.TokenManager; -import ee.ria.xroad.signer.util.AbstractSignerActor; -import ee.ria.xroad.signer.util.SignerUtil; -import ee.ria.xroad.signer.util.Update; - -import akka.actor.ActorRef; -import akka.actor.Props; -import akka.actor.SupervisorStrategy; -import lombok.extern.slf4j.Slf4j; - -import static ee.ria.xroad.common.ErrorCodes.SIGNER_X; -import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; -import static ee.ria.xroad.common.ErrorCodes.translateException; -import static ee.ria.xroad.signer.protocol.ComponentNames.TOKEN_SIGNER; -import static ee.ria.xroad.signer.protocol.ComponentNames.TOKEN_WORKER; -import static ee.ria.xroad.signer.util.ExceptionHelper.tokenNotActive; -import static ee.ria.xroad.signer.util.SignerUtil.getWorkerId; - -/** - * Token base class. 
- */ -@Slf4j -public abstract class AbstractToken extends AbstractSignerActor { - - protected final TokenInfo tokenInfo; - - protected ActorRef signer; - protected ActorRef worker; - - @Override - public SupervisorStrategy supervisorStrategy() { - // escalate to module worker - return SignerUtil.createPKCS11ExceptionEscalatingStrategy(); - } - - AbstractToken(TokenInfo tokenInfo) { - this.tokenInfo = tokenInfo; - } - - @Override - public void preStart() throws Exception { - worker = createWatchedActor(createWorker(), TOKEN_WORKER); - signer = createWatchedActor(createSigner(), TOKEN_SIGNER); - } - - @Override - public void postStop() throws Exception { - stopWatchedActor(signer); - stopWatchedActor(worker); - } - - @Override - public void onReceive(Object message) throws Exception { - log.trace("onMessage()"); - - if (!isTokenActive(message)) { - sendErrorResponse(tokenNotActive(getWorkerId(tokenInfo))); - return; - } - - if (message instanceof Sign) { - if (signer != null) { - signer.tell(message, getSender()); - } else { - sendErrorResponse(new CodedException(X_INTERNAL_ERROR, - "Cannot sign, signing actor of token '%s' " - + "not initialized", getWorkerId(tokenInfo))); - } - } else { - if (worker != null) { - worker.tell(message, getSender()); - } else { - unhandled(message); - } - } - } - - @Override - protected CodedException translateError(Exception e) { - return translateException(e).withPrefix(SIGNER_X); - } - - protected abstract Props createSigner(); - - protected abstract Props createWorker(); - - ActorRef createWatchedActor(Props props, String name) { - ActorRef actor = getContext().actorOf(props, name); - - getContext().watch(actor); - - return actor; - } - - void stopWatchedActor(ActorRef actor) { - getContext().unwatch(actor); - getContext().stop(actor); - } - - boolean isTokenActive(Object message) { - if (message instanceof Update) { -// || message instanceof ActivateToken) { -// || message instanceof InitSoftwareToken) { - return true; - } - - 
return TokenManager.isTokenActive(tokenInfo.getId()); - } - - void sendErrorResponse(CodedException e) { - log.error(e.getMessage()); - sendResponse(e); - } -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java index 69f075554d..365a5b40de 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java @@ -25,7 +25,6 @@ */ package ee.ria.xroad.signer.tokenmanager.token; -import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.util.CryptoUtils; import ee.ria.xroad.common.util.PasswordStore; import ee.ria.xroad.signer.TemporaryHelper; @@ -33,11 +32,8 @@ import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.util.AbstractUpdateableActor; -import ee.ria.xroad.signer.util.CalculateSignature; -import ee.ria.xroad.signer.util.CalculatedSignature; import ee.ria.xroad.signer.util.SignerUtil; -import com.google.protobuf.ByteString; import lombok.Value; import lombok.extern.slf4j.Slf4j; import org.bouncycastle.asn1.x500.X500Name; @@ -106,12 +102,8 @@ protected Exception customizeException(Exception e) { @Override protected void onMessage(Object message) throws Exception { - log.trace("onMessage()"); - if (message instanceof CalculateSignature) { - handleCalculateSignature((CalculateSignature) message); - } else { - unhandled(message); - } + log.trace("onMessage() = {}", message); + unhandled(message); } @Override 
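Review bot: `log.trace("onMessage() = {}", message)` in `AbstractTokenWorker.onMessage` now writes the whole message object to the log, so what lands there depends on every message type's `toString()`. The message classes deleted in this commit kept `digest` and `signature` out of their output with `@ToString(exclude = ...)`; any message type that can still reach this worker and carries key material or a PIN would need the same exclusion. Logging only the type avoids relying on that: `log.trace("onMessage({})", message.getClass().getSimpleName());`.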
@@ -179,27 +171,6 @@ public void handleDeleteCert(String certificateId) { } } - @Deprecated - private void handleCalculateSignature(CalculateSignature signRequest) { - try { - SignReq request = SignReq.newBuilder() - .setKeyId(signRequest.getKeyId()) - .setSignatureAlgorithmId(signRequest.getSignatureAlgorithmId()) - .setDigest(ByteString.copyFrom(signRequest.getDigest())) - .build(); - - byte[] signature = handleSign(request); - sendResponse(new CalculatedSignature(signRequest, signature, null)); - } catch (CodedException codedException) { - sendResponse(new CalculatedSignature(signRequest, null, codedException)); - } catch (Exception e) { // catch-log-rethrow - log.error("Error while signing with key '{}'", signRequest.getKeyId(), e); - - CodedException tr = translateError(customizeException(e)).withPrefix(X_CANNOT_SIGN); - sendResponse(new CalculatedSignature(signRequest, null, tr)); - } - } - public byte[] handleSign(SignReq request) { try { byte[] data = SignerUtil.createDataToSign(request.getDigest().toByteArray(), request.getSignatureAlgorithmId()); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareToken.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareToken.java deleted file mode 100644 index c1f60033db..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareToken.java +++ /dev/null 
@@ -1,81 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.tokenmanager.token; - -import ee.ria.xroad.signer.protocol.dto.TokenInfo; -import ee.ria.xroad.signer.tokenmanager.TokenManager; - -import akka.actor.Props; - -import java.util.HashMap; -import java.util.Map; - -/** - * Software token implementation. - */ -public class SoftwareToken extends AbstractToken { - - private static final String DISPATCHER = "token-worker-dispatcher"; - - private final SoftwareTokenType tokenType; - - /** - * Constructs new software token. 
- * @param tokenInfo the token info - * @param tokenType the token type - */ - public SoftwareToken(TokenInfo tokenInfo, SoftwareTokenType tokenType) { - super(tokenInfo); - - this.tokenType = tokenType; - } - - @Override - public void preStart() throws Exception { - super.preStart(); - - initTokenInfo(tokenInfo); - } - - @Override - protected Props createWorker() { - return Props.create(SoftwareTokenWorker.class, - tokenInfo, tokenType).withDispatcher(DISPATCHER); - } - - @Override - protected Props createSigner() { - return Props.create(TokenSigner.class); - } - - private void initTokenInfo(TokenInfo tokenInfo) { - Map info = new HashMap<>(); - info.put("Type", "Software"); - - TokenManager.setTokenInfo(tokenInfo.getId(), info); - } - -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenSigner.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenSigner.java deleted file mode 100644 index ffaec9a23d..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenSigner.java +++ /dev/null 
@@ -1,110 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.signer.tokenmanager.token; - -import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.protocol.ComponentNames; -import ee.ria.xroad.signer.protocol.message.Sign; -import ee.ria.xroad.signer.protocol.message.SignResponse; -import ee.ria.xroad.signer.util.CalculateSignature; -import ee.ria.xroad.signer.util.CalculatedSignature; - -import akka.actor.ActorRef; -import akka.actor.ActorSelection; -import akka.actor.UntypedAbstractActor; -import lombok.extern.slf4j.Slf4j; - -import static ee.ria.xroad.common.ErrorCodes.SIGNER_X; -import static ee.ria.xroad.common.ErrorCodes.translateException; - -/** - * Token signer actor. Handles signing requests and calculated signatures. - */ -@Slf4j -public class TokenSigner extends UntypedAbstractActor { - - private final ActorSelection tokenWorker = getContext().actorSelection("../" + ComponentNames.TOKEN_WORKER); - - @Override - public void onReceive(Object message) throws Exception { - log.trace("onReceive({})", message); - - try { - if (message instanceof Sign) { - handleSignRequest((Sign) message); - } else if (message instanceof CalculatedSignature) { - handleCalculatedSignature((CalculatedSignature) message); -// } else if (message instanceof SignCertificate) { -// handleSignCertificate((SignCertificate) message); - } else { - unhandled(message); - } - } catch (Exception e) { - sendResponse(getSender(), translateException(e)); - } - } - - private void handleSignRequest(Sign signRequest) throws Exception { - log.trace("handleSignRequest()"); - - calculateSignature(signRequest.getKeyId(), signRequest.getSignatureAlgorithmId(), signRequest.getDigest()); - } - - private void handleCalculatedSignature(CalculatedSignature message) { - log.trace("handleCalculatedSignature()"); - - Object response = null; - - if (message.getException() != null) { - response = message.getException(); - - log.error("Error in token batch signer", message.getException()); - } else { - response = new 
SignResponse(message.getSignature()); - } - - sendResponse(message.getRequest().getReceiver(), response); - } - - private void calculateSignature(String keyId, String signatureAlgorithmId, byte[] digest) { - tokenWorker.tell(new CalculateSignature(getSender(), keyId, signatureAlgorithmId, digest), getSelf()); - } - - private void sendResponse(ActorRef client, Object message) { - if (client != ActorRef.noSender()) { - if (message instanceof CodedException) { - client.tell(((CodedException) message).withPrefix(SIGNER_X), getSelf()); - } else { - client.tell(message, getSelf()); - } - } - } - -// private void handleSignCertificate(SignCertificate message) { -// tokenWorker.tell(message, getSelf()); -// } - -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/util/CalculateSignature.java b/src/signer/src/main/java/ee/ria/xroad/signer/util/CalculateSignature.java deleted file mode 100644 index dc13b0a7f0..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/util/CalculateSignature.java +++ /dev/null 
@@ -1,46 +0,0 @@
-/**
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.util;
-
-import akka.actor.ActorRef;
-import lombok.Data;
-import lombok.ToString;
-
-import java.io.Serializable;
-
-/**
- * Message for signature calculation request.
- */
-@Data
-@ToString(exclude = "digest")
-public class CalculateSignature implements Serializable {
-
- private final ActorRef receiver;
- private final String keyId;
- private final String signatureAlgorithmId;
- private final byte[] digest;
-
-}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/util/CalculatedSignature.java b/src/signer/src/main/java/ee/ria/xroad/signer/util/CalculatedSignature.java deleted file mode 100644 index 2be16fe510..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/util/CalculatedSignature.java +++ /dev/null 
@@ -1,45 +0,0 @@
-/**
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.util;
-
-import lombok.Data;
-import lombok.ToString;
-
-import java.io.Serializable;
-
-/**
- * Signature calculation result.
- */
-@Data
-@ToString(exclude = "signature")
-public class CalculatedSignature implements Serializable {
-
- private final CalculateSignature request;
- private final byte[] signature;
-
- private final Exception exception;
-
-}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/util/SignerUtil.java b/src/signer/src/main/java/ee/ria/xroad/signer/util/SignerUtil.java index 49b8bf7cba..9b4e8190e4 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/util/SignerUtil.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/util/SignerUtil.java @@ -287,6 +287,7 @@ public static String getFormattedTokenId(String tokenIdFormat, String moduleType /** * @return a supervisor strategy that escalates PKCS11Exceptions to the parent actor */ + @Deprecated public static OneForOneStrategy createPKCS11ExceptionEscalatingStrategy() { return new OneForOneStrategy(-1, Duration.Inf(), throwable -> { @@ -300,3 +301,4 @@ public static OneForOneStrategy createPKCS11ExceptionEscalatingStrategy() { } } + From 47359f1fa6de456f8c524ad033aaec03729ab655 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Tue, 5 Sep 2023 15:50:26 +0300 Subject: [PATCH 045/127] chore: UNKNOWN values for enums Refs: XRDDEV-2461 --- .../ria/xroad/signer/protocol/dto/KeyInfo.java | 7 ++++--- .../xroad/signer/protocol/dto/TokenInfo.java | 5 +++-- .../src/main/proto/CertificateService.proto | 5 +++-- .../src/main/proto/CommonMessages.proto | 13 +++++++------ .../src/main/proto/TokenStatusInfo.proto | 17 +++++++++-------- src/signer-protocol/src/main/proto/Tokens.proto | 5 +++-- 6 files changed, 29 insertions(+), 23 deletions(-) diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java index 6e18727955..70d384f697 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java 
@@ -48,7 +48,8 @@ public boolean isAvailable() {
 @ToString.Include
 public KeyUsageInfo getUsage() {
- return message.getUsage();
+ var usage = message.getUsage();
+ return usage != KeyUsageInfo.KEY_USAGE_UNKNOWN ? usage : null;
 }
 @ToString.Include
@@ -75,13 +76,13 @@ public String getPublicKey() {
 public List getCerts() {
 return message.getCertsList().stream()
 .map(CertificateInfo::new)
- .collect(Collectors.toList());
+ .collect(Collectors.toUnmodifiableList());
 }
 public List getCertRequests() {
 return message.getCertRequestsList().stream()
 .map(CertRequestInfo::new)
- .collect(Collectors.toList());
+ .collect(Collectors.toUnmodifiableList());
 }
 @ToString.Include
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfo.java
index d447ea8069..6a5b767e89 100644
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfo.java
+++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfo.java
@@ -94,14 +95,15 @@ public int getSlotIndex() {
 @ToString.Include
 public TokenStatusInfo getStatus() {
- return message.getStatus();
+ var status = message.getStatus();
+ return status != TokenStatusInfo.TOKEN_STATUS_UNKNOWN ? status : null;
 }
 @ToString.Include
 public List getKeyInfo() {
 return message.getKeyInfoList().stream()
 .map(KeyInfo::new)
- .collect(Collectors.toList());
+ .collect(Collectors.toUnmodifiableList());
 }
 @ToString.Include
diff --git a/src/signer-protocol/src/main/proto/CertificateService.proto b/src/signer-protocol/src/main/proto/CertificateService.proto
index 979d602aa9..5fdb68834f 100644
--- a/src/signer-protocol/src/main/proto/CertificateService.proto
+++ b/src/signer-protocol/src/main/proto/CertificateService.proto
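Review bot: `KeyInfo.getUsage()` now returns `null` when the message carries `KEY_USAGE_UNKNOWN`, but nothing on the getter says so, and a caller that switches on the result or dereferences it fails with a NullPointerException instead of handling a key whose usage is not set. `TokenInfo.getStatus()` in the TokenInfo.java hunk has the same undocumented `null` for `TOKEN_STATUS_UNKNOWN`. Key usage separates signing keys from authentication keys, so state the contract in Javadoc, for example `@return the key usage, or {@code null} when the signer did not set one`. If these enums are proto3 (the `syntax` line is not visible here), the generated getter can also return `UNRECOGNIZED` for a number this build does not know, and that value passes the `!=` test as a non-null usage; `return usage == KeyUsageInfo.KEY_USAGE_UNKNOWN || usage == KeyUsageInfo.UNRECOGNIZED ? null : usage;` would treat both as not set.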
@@ -71,8 +71,9 @@ message RegenerateCertRequestResp {
 /** Specifies the cert request format to return. */
 enum CertificateRequestFormat {
- PEM = 0;
- DER = 1;
+ CERTIFICATE_REQUEST_FORMAT_UNKNOWN = 0;
+ PEM = 1;
+ DER = 2;
 }
 message DeleteCertReq {
diff --git a/src/signer-protocol/src/main/proto/CommonMessages.proto b/src/signer-protocol/src/main/proto/CommonMessages.proto
index 7ad46cb0f8..a90afab14f 100644
--- a/src/signer-protocol/src/main/proto/CommonMessages.proto
+++ b/src/signer-protocol/src/main/proto/CommonMessages.proto
@@ -27,10 +27,11 @@ message SecurityServerIdProto {
 }
 enum XRoadObjectType {
- SERVER = 0;
- SERVICE = 1;
- MEMBER = 2;
- SUBSYSTEM = 3;
- GLOBALGROUP = 4;
- LOCALGROUP = 5 [deprecated = true]; // Deprecated
+ XROAD_OBJECT_TYPE_UNKNOWN = 0;
+ SERVER = 1;
+ SERVICE = 2;
+ MEMBER = 3;
+ SUBSYSTEM = 4;
+ GLOBALGROUP = 5;
+ LOCALGROUP = 6 [deprecated = true]; // Deprecated
 }
diff --git a/src/signer-protocol/src/main/proto/TokenStatusInfo.proto b/src/signer-protocol/src/main/proto/TokenStatusInfo.proto
index 71bdb7b63c..ca7de64447 100644
--- a/src/signer-protocol/src/main/proto/TokenStatusInfo.proto
+++ b/src/signer-protocol/src/main/proto/TokenStatusInfo.proto
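Review bot: Putting `CERTIFICATE_REQUEST_FORMAT_UNKNOWN = 0` in front shifts the wire number of every existing value, so a peer or stored message built from the previous numbering is decoded as a different constant rather than rejected. The same renumbering is applied to `XRoadObjectType` in CommonMessages.proto, `TokenStatusInfo` in TokenStatusInfo.proto and `KeyUsageInfo` in Tokens.proto: an old `USER_PIN_LOCKED = 1` would be read as `OK`, and an old `AUTHENTICATION = 1` as `SIGNING`. That is harmless only if nothing using the old numbers has been released or persisted, which this patch does not show. Either way a comment above each enum would keep the numbers stable from here on, for example `// 0 means "not set"; the numbers below are part of the wire format and must never be changed or reused`.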
@@ -12,12 +12,13 @@ option java_package = "ee.ria.xroad.signer.protocol.dto";
 /* Token status info DTO. */
 enum TokenStatusInfo {
- OK = 0; // Normal operation status
- USER_PIN_LOCKED = 1;// Blocked
- USER_PIN_INCORRECT = 2; // Incorrect PIN was entered
- USER_PIN_INVALID = 3; // Invalid PIN
- USER_PIN_EXPIRED = 4; // PIN expired
- USER_PIN_COUNT_LOW = 5; // Only a few tries left
- USER_PIN_FINAL_TRY = 6; // Final try
- NOT_INITIALIZED = 7; // PIN not initialized
+ TOKEN_STATUS_UNKNOWN = 0;
+ OK = 1; // Normal operation status
+ USER_PIN_LOCKED = 2;// Blocked
+ USER_PIN_INCORRECT = 3; // Incorrect PIN was entered
+ USER_PIN_INVALID = 4; // Invalid PIN
+ USER_PIN_EXPIRED = 5; // PIN expired
+ USER_PIN_COUNT_LOW = 6; // Only a few tries left
+ USER_PIN_FINAL_TRY = 7; // Final try
+ NOT_INITIALIZED = 8; // PIN not initialized
 }
diff --git a/src/signer-protocol/src/main/proto/Tokens.proto b/src/signer-protocol/src/main/proto/Tokens.proto
index b37660436a..9448eb21eb 100644
--- a/src/signer-protocol/src/main/proto/Tokens.proto
+++ b/src/signer-protocol/src/main/proto/Tokens.proto
@@ -58,6 +58,7 @@ message CertRequestInfoProto {
 /* Key usage can either be signing or authentication. */
 enum KeyUsageInfo {
- SIGNING = 0;
- AUTHENTICATION = 1;
+ KEY_USAGE_UNKNOWN = 0;
+ SIGNING = 1;
+ AUTHENTICATION = 2;
 }
From fdf487b9138ff89980d4bae3048e19e122e29d04 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Wed, 6 Sep 2023 11:47:47 +0300 Subject: [PATCH 046/127] chore: guava version up Refs: XRDDEV-2461
---
 src/gradle.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/gradle.properties b/src/gradle.properties
index 9bccda32d5..8373e621cf 100644
--- a/src/gradle.properties
+++ b/src/gradle.properties
@@ -32,7 +32,7 @@ springDependenciesVersion=1.1.0
 springCloudVersion=2021.0.5
 openFeignVersion=11.10
 junitVersion=4.13.2
-guavaVersion=31.0.1-jre
+guavaVersion=32.0.1-jre
 guava.version=${guavaVersion}
 vavrVersion=0.10.4
 bouncyCastleVersion=1.69
From e03dc64a092fd747a2beaa4d23cbce9c142d2abf Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Wed, 6 Sep 2023 12:03:52 +0300 Subject: [PATCH 047/127] chore: security server code updates due to changes in signer Refs: XRDDEV-2468 --- .../restapi/converter/CsrFormatMapping.java | 8 +- .../restapi/facade/SignerProxyFacade.java | 2 +- .../restapi/openapi/CsrFilenameCreator.java | 4 +- .../restapi/openapi/KeysApiController.java | 2 +- .../restapi/openapi/TokensApiController.java | 4 +- .../KeyAndCertificateRequestService.java | 2 +- .../service/TokenCertificateService.java | 2 +- .../restapi/converter/KeyConverterTest.java | 68 +++---- ...ertificateSigningRequestConverterTest.java | 9 +- .../restapi/converter/TokenConverterTest.java | 84 ++++---- .../ClientsApiControllerIntegrationTest.java | 191 +++++++++--------- .../openapi/CsrFilenameCreatorTest.java | 4 +- ...tificatesApiControllerIntegrationTest.java | 5 +- .../openapi/TokensApiControllerTest.java | 6 +- ...tificateRequestServiceIntegrationTest.java | 44 ++-- .../restapi/service/KeyServiceTest.java | 50 ++--- .../service/OrphanRemovalServiceTest.java | 4 +- .../service/TokenCertificateServiceTest.java | 35 ++-- .../restapi/service/TokenServiceTest.java | 34 ++-- .../restapi/util/CertificateTestUtils.java | 77 +++++-- .../restapi/util/ClientUtilsTest.java | 8 +- .../restapi/util/TokenTestUtils.java | 91 ++++++--- 22 files changed, 401 insertions(+), 333 deletions(-) diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/converter/CsrFormatMapping.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/converter/CsrFormatMapping.java index 42eb9fc9ae..a0ec4f4d97 100644 --- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/converter/CsrFormatMapping.java 
+++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/converter/CsrFormatMapping.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -25,10 +25,10 @@ */ package org.niis.xroad.securityserver.restapi.converter; -import ee.ria.xroad.signer.protocol.message.CertificateRequestFormat; import lombok.Getter; import org.niis.xroad.securityserver.restapi.openapi.model.CsrFormat; +import org.niis.xroad.signer.proto.CertificateRequestFormat; import java.util.Arrays; import java.util.Optional; @@ -51,6 +51,7 @@ public enum CsrFormatMapping { /** * Return matching CertificateRequestFormat, if any + * * @param csrFormat * @return */ @@ -60,6 +61,7 @@ public static Optional map(CsrFormat csrFormat) { /** * Return matching CsrFormat, if any + * * @param requestFormat * @return */ @@ -69,6 +71,7 @@ public static Optional map(CertificateRequestFormat requestFormat) { /** * return CsrFormatMapping matching the given CsrFormat, if any + * * @param csrFormat * @return */ @@ -80,6 +83,7 @@ public static Optional getFor(CsrFormat csrFormat) { /** * return CsrFormatMapping matching the given CertificateRequestFormat, if any + * * @param requestFormat * @return */ diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/facade/SignerProxyFacade.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/facade/SignerProxyFacade.java index 5b8c9ca650..89aed66689 100644 --- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/facade/SignerProxyFacade.java +++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/facade/SignerProxyFacade.java 
@@ -36,9 +36,9 @@ import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyId; -import ee.ria.xroad.signer.protocol.message.CertificateRequestFormat; import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.signer.proto.CertificateRequestFormat; import org.springframework.stereotype.Component; import java.util.List; diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/openapi/CsrFilenameCreator.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/openapi/CsrFilenameCreator.java index 66d2e82a42..0c77b57e28 100644 --- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/openapi/CsrFilenameCreator.java +++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/openapi/CsrFilenameCreator.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -28,9 +28,9 @@ import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.identifier.SecurityServerId; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; -import ee.ria.xroad.signer.protocol.message.CertificateRequestFormat; import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.signer.proto.CertificateRequestFormat; import org.springframework.stereotype.Component; import java.time.LocalDateTime; diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/openapi/KeysApiController.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/openapi/KeysApiController.java index fe6930c29a..58c436c422 100644 
--- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/openapi/KeysApiController.java +++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/openapi/KeysApiController.java @@ -29,7 +29,6 @@ import ee.ria.xroad.signer.SignerProxy.GeneratedCertRequestInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; -import ee.ria.xroad.signer.protocol.message.CertificateRequestFormat; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; @@ -62,6 +61,7 @@ import org.niis.xroad.securityserver.restapi.service.ServerConfService; import org.niis.xroad.securityserver.restapi.service.TokenCertificateService; import org.niis.xroad.securityserver.restapi.service.WrongKeyUsageException; +import org.niis.xroad.signer.proto.CertificateRequestFormat; import org.springframework.core.io.Resource; import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/openapi/TokensApiController.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/openapi/TokensApiController.java index 71818056d6..1ab5fa16df 100644 --- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/openapi/TokensApiController.java +++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/openapi/TokensApiController.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
@@ -29,7 +29,6 @@ import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; -import ee.ria.xroad.signer.protocol.message.CertificateRequestFormat; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; @@ -63,6 +62,7 @@ import org.niis.xroad.securityserver.restapi.service.TokenNotFoundException; import org.niis.xroad.securityserver.restapi.service.TokenService; import org.niis.xroad.securityserver.restapi.service.WeakPinException; +import org.niis.xroad.signer.proto.CertificateRequestFormat; import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; import org.springframework.security.access.prepost.PreAuthorize; diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/KeyAndCertificateRequestService.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/KeyAndCertificateRequestService.java index c19bc9c564..a988a4f541 100644 --- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/KeyAndCertificateRequestService.java +++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/KeyAndCertificateRequestService.java 
@@ -29,11 +29,11 @@ import ee.ria.xroad.signer.SignerProxy.GeneratedCertRequestInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; -import ee.ria.xroad.signer.protocol.message.CertificateRequestFormat; import lombok.Value; import lombok.extern.slf4j.Slf4j; import org.niis.xroad.restapi.exceptions.DeviationAwareRuntimeException; +import org.niis.xroad.signer.proto.CertificateRequestFormat; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.stereotype.Service; diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/TokenCertificateService.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/TokenCertificateService.java index 8cbf09809d..5950cfcf94 100644 --- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/TokenCertificateService.java +++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/TokenCertificateService.java @@ -39,7 +39,6 @@ import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyId; -import ee.ria.xroad.signer.protocol.message.CertificateRequestFormat; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; 
@@ -56,6 +55,7 @@ import org.niis.xroad.securityserver.restapi.facade.GlobalConfFacade; import org.niis.xroad.securityserver.restapi.facade.SignerProxyFacade; import org.niis.xroad.securityserver.restapi.repository.ClientRepository; +import org.niis.xroad.signer.proto.CertificateRequestFormat; import org.springframework.security.access.AccessDeniedException; import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.stereotype.Service; diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/converter/KeyConverterTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/converter/KeyConverterTest.java index ff7d3ddd3a..b0659fbd29 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/converter/KeyConverterTest.java +++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/converter/KeyConverterTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -25,9 +25,7 @@ */ package org.niis.xroad.securityserver.restapi.converter; -import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; -import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; @@ -37,9 +35,6 @@ import org.niis.xroad.securityserver.restapi.util.CertificateTestUtils; import org.niis.xroad.securityserver.restapi.util.TokenTestUtils; -import java.util.ArrayList; -import java.util.List; - import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; 
@@ -47,21 +42,15 @@ public class KeyConverterTest extends AbstractConverterTestContext { @Test public void convert() throws Exception { - List certs = new ArrayList<>(); - certs.add(new CertificateTestUtils.CertificateInfoBuilder().build()); - List csrs = new ArrayList<>(); - csrs.add(new CertRequestInfo("id", ClientId.Conf.create("a", "b", "c"), - "sujbect-name")); + KeyInfo info = new TokenTestUtils.KeyInfoBuilder() + .available(true) + .keyUsageInfo(KeyUsageInfo.SIGNING) + .friendlyName("friendly-name") + .id("id") + .cert(new CertificateTestUtils.CertificateInfoBuilder().build()) + .csr(createTestCsr()) + .build(); - KeyInfo info = new KeyInfo(true, - KeyUsageInfo.SIGNING, - "friendly-name", - "id", - "label", - "public-key", - certs, - csrs, - "sign-mechanism-name"); Key key = keyConverter.convert(info); assertEquals(true, key.getAvailable()); 
@@ -79,40 +68,35 @@ public void convert() throws Exception { @Test public void isSavedToConfiguration() throws Exception { // test different combinations of keys and certs and the logic for isSavedToConfiguration - KeyInfo info = new TokenTestUtils.KeyInfoBuilder().build(); - info.getCerts().clear(); - info.getCertRequests().clear(); - info.getCertRequests().add(createTestCsr()); + KeyInfo info = new TokenTestUtils.KeyInfoBuilder() + .csr(createTestCsr()) + .build(); assertEquals(true, keyConverter.convert(info).getSavedToConfiguration()); - info.getCerts().clear(); - info.getCertRequests().clear(); + info = new TokenTestUtils.KeyInfoBuilder().build(); assertEquals(false, keyConverter.convert(info).getSavedToConfiguration()); - info.getCerts().clear(); - info.getCertRequests().clear(); - info.getCerts().add(new CertificateTestUtils.CertificateInfoBuilder().savedToConfiguration(false).build()); - info.getCerts().add(new CertificateTestUtils.CertificateInfoBuilder().savedToConfiguration(false).build()); + info = new TokenTestUtils.KeyInfoBuilder() + .cert(new CertificateTestUtils.CertificateInfoBuilder().savedToConfiguration(false).build()) + .cert(new CertificateTestUtils.CertificateInfoBuilder().savedToConfiguration(false).build()) + .build(); assertEquals(false, keyConverter.convert(info).getSavedToConfiguration()); - info.getCerts().clear(); - info.getCertRequests().clear(); - info.getCerts().add(new CertificateTestUtils.CertificateInfoBuilder().savedToConfiguration(false).build()); - info.getCerts().add(new CertificateTestUtils.CertificateInfoBuilder().savedToConfiguration(true).build()); + info = new TokenTestUtils.KeyInfoBuilder() + .cert(new CertificateTestUtils.CertificateInfoBuilder().savedToConfiguration(false).build()) + .cert(new CertificateTestUtils.CertificateInfoBuilder().savedToConfiguration(true).build()) + .build(); assertEquals(true, keyConverter.convert(info).getSavedToConfiguration()); - info.getCerts().clear(); - info.getCertRequests().clear(); 
- info.getCerts().add(new CertificateTestUtils.CertificateInfoBuilder().savedToConfiguration(true).build()); - info.getCerts().add(new CertificateTestUtils.CertificateInfoBuilder().savedToConfiguration(false).build()); + info = new TokenTestUtils.KeyInfoBuilder() + .cert(new CertificateTestUtils.CertificateInfoBuilder().savedToConfiguration(true).build()) + .cert(new CertificateTestUtils.CertificateInfoBuilder().savedToConfiguration(false).build()) + .build(); assertEquals(true, keyConverter.convert(info).getSavedToConfiguration()); } public static CertRequestInfo createTestCsr() { - return new CertRequestInfo("id", - ClientId.Conf.create("a", "b", "c"), - "sujbect-name"); - + return new CertificateTestUtils.CertRequestInfoBuilder().build(); } } diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/converter/TokenCertificateSigningRequestConverterTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/converter/TokenCertificateSigningRequestConverterTest.java index a4e8ea7ee8..92fa3e3316 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/converter/TokenCertificateSigningRequestConverterTest.java +++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/converter/TokenCertificateSigningRequestConverterTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -25,7 +25,6 @@ */ package org.niis.xroad.securityserver.restapi.converter; -import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; 
@@ -60,16 +59,14 @@ public void setup() { @Test public void convert() { - CertRequestInfo certRequestInfo = new CertRequestInfo("id", - ClientId.Conf.create("a", "b", "c"), - "subject-name"); + CertRequestInfo certRequestInfo = new CertificateTestUtils.CertRequestInfoBuilder().build(); TokenCertificateSigningRequest csr = csrConverter.convert(certRequestInfo); assertEquals("id", csr.getId()); assertEquals("a:b:c", csr.getOwnerId()); } @Test - public void convertWithPossibleActions() throws Exception { + public void convertWithPossibleActions() { CertRequestInfo certRequestInfo = new CertificateTestUtils.CertRequestInfoBuilder().build(); KeyInfo keyInfo = new TokenTestUtils.KeyInfoBuilder() .csr(certRequestInfo) diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/converter/TokenConverterTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/converter/TokenConverterTest.java index a96837a846..ff47380184 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/converter/TokenConverterTest.java +++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/converter/TokenConverterTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -40,8 +40,6 @@ import org.springframework.beans.factory.annotation.Autowired; import java.util.Collections; -import java.util.HashMap; -import java.util.Map; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; 
@@ -61,24 +59,17 @@ public void setup() { @Test public void convert() throws Exception { - Map tokenInfos = new HashMap<>(); - tokenInfos.put("key1", "value1"); - tokenInfos.put("key2", "value2"); // keyinfo not used, keyConverter mocked KeyInfo dummyKeyInfo = new TokenTestUtils.KeyInfoBuilder().build(); - TokenInfo tokenInfo = new TokenInfo(TokenInfo.SOFTWARE_MODULE_TYPE, - "friendly-name", - "id", - false, - true, - true, - "serial-number", - "label", - 123, - TokenStatusInfo.OK, - Collections.singletonList(dummyKeyInfo), - tokenInfos); + TokenInfo tokenInfo = new TokenTestUtils.TokenInfoBuilder() + .readOnly(false) + .available(true) + .active(true) + .key(dummyKeyInfo) + .tokenInfo("key1", "value1") + .tokenInfo("key2", "value2") + .build(); Token token = tokenConverter.convert(tokenInfo); 
@@ -99,53 +90,48 @@ public void convert() throws Exception { assertTrue(token.getTokenInfos().contains(new KeyValuePair().key("key2").value("value2"))); // hsm - tokenInfo = new TokenInfo("hsm-uid-1234", - "friendly-name", - "id", - false, - true, - true, - "serial-number", - "label", - 123, - TokenStatusInfo.USER_PIN_COUNT_LOW, - Collections.singletonList(dummyKeyInfo), - tokenInfos); + tokenInfo = new TokenTestUtils.TokenInfoBuilder() + .type("hsm-uid-1234") + .readOnly(false) + .available(true) + .active(true) + .status(TokenStatusInfo.USER_PIN_COUNT_LOW) + .key(dummyKeyInfo) + .tokenInfo("key1", "value1") + .tokenInfo("key2", "value2") + .build(); + token = tokenConverter.convert(tokenInfo); assertEquals(TokenType.HARDWARE, token.getType()); assertEquals(TokenStatus.USER_PIN_COUNT_LOW, token.getStatus()); } @Test - public void isSavedToConfiguration() throws Exception { + public void isSavedToConfiguration() { // test different combinations of saved and unsaved keys and the logic for isSavedToConfiguration - KeyInfo savedKey = new TokenTestUtils.KeyInfoBuilder().build(); + KeyInfo savedKey = new TokenTestUtils.KeyInfoBuilder() + .csr(KeyConverterTest.createTestCsr()) + .build(); KeyInfo unsavedKey = new TokenTestUtils.KeyInfoBuilder().build(); - savedKey.getCerts().clear(); - savedKey.getCertRequests().clear(); - savedKey.getCertRequests().add(KeyConverterTest.createTestCsr()); - - unsavedKey.getCerts().clear(); - unsavedKey.getCertRequests().clear(); - TokenInfo tokenInfo = new TokenTestUtils.TokenInfoBuilder().build(); - - tokenInfo.getKeyInfo().clear(); assertEquals(false, tokenConverter.convert(tokenInfo).getSavedToConfiguration()); - tokenInfo.getKeyInfo().clear(); - tokenInfo.getKeyInfo().add(unsavedKey); + tokenInfo = new TokenTestUtils.TokenInfoBuilder() + .key(unsavedKey) + .build(); assertEquals(false, tokenConverter.convert(tokenInfo).getSavedToConfiguration()); - tokenInfo.getKeyInfo().clear(); - tokenInfo.getKeyInfo().add(savedKey); + tokenInfo = 
new TokenTestUtils.TokenInfoBuilder() + .key(savedKey) + .build(); assertEquals(true, tokenConverter.convert(tokenInfo).getSavedToConfiguration()); - tokenInfo.getKeyInfo().clear(); - tokenInfo.getKeyInfo().add(unsavedKey); - tokenInfo.getKeyInfo().add(savedKey); - tokenInfo.getKeyInfo().add(unsavedKey); + tokenInfo = new TokenTestUtils.TokenInfoBuilder() + .key(unsavedKey) + .key(savedKey) + .key(unsavedKey) + .build(); assertEquals(true, tokenConverter.convert(tokenInfo).getSavedToConfiguration()); } diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/ClientsApiControllerIntegrationTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/ClientsApiControllerIntegrationTest.java index f032954cc4..f2eea2048e 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/ClientsApiControllerIntegrationTest.java +++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/ClientsApiControllerIntegrationTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -28,7 +28,6 @@ import ee.ria.xroad.common.conf.globalconf.GlobalGroupInfo; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.identifier.SecurityServerId; -import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; 
@@ -149,7 +148,7 @@ public void setup() throws Exception { null) ) )); - List mockTokens = createMockTokenInfos(null); + List mockTokens = createMockTokenInfos(); when(tokenService.getAllTokens()).thenReturn(mockTokens); when(wsdlValidator.getWsdlValidatorCommand()).thenReturn("src/test/resources/validator/mock-wsdlvalidator.sh"); when(globalConfFacade.getGlobalGroups(any())).thenReturn(globalGroupInfos); @@ -240,8 +239,8 @@ public void getClient() { } @Test - @WithMockUser(authorities = { "EDIT_CLIENT_INTERNAL_CONNECTION_TYPE", "VIEW_CLIENT_DETAILS" }) - public void updateClient() throws Exception { + @WithMockUser(authorities = {"EDIT_CLIENT_INTERNAL_CONNECTION_TYPE", "VIEW_CLIENT_DETAILS"}) + public void updateClient() { ResponseEntity response = clientsApiController.getClient("FI:GOV:M1:SS1"); assertEquals(ConnectionType.HTTPS_NO_AUTH, response.getBody().getConnectionType()); 
@@ -256,15 +255,19 @@ public void updateClient() throws Exception { @Test @WithMockUser(authorities = "VIEW_CLIENT_DETAILS") - public void getClientSignCertificates() throws Exception { + public void getClientSignCertificates() { ResponseEntity> certificates = clientsApiController.getClientSignCertificates("FI:GOV:M1"); assertEquals(HttpStatus.OK, certificates.getStatusCode()); assertEquals(0, certificates.getBody().size()); - CertificateInfo mockCertificate = new CertificateInfo( - ClientId.Conf.create("FI", "GOV", "M1"), - true, true, CertificateInfo.STATUS_REGISTERED, - "id", CertificateTestUtils.getMockCertificateBytes(), null); + CertificateInfo mockCertificate = new CertificateTestUtils.CertificateInfoBuilder() + .clientId(ClientId.Conf.create("FI", "GOV", "M1")) + .active(true) + .savedToConfiguration(true) + .certificateStatus(CertificateInfo.STATUS_REGISTERED) + .id("id") + .certificate(CertificateTestUtils.getMockCertificate()) + .build(); doReturn(Collections.singletonList(mockCertificate)).when(tokenService).getSignCertificates(any()); certificates = clientsApiController.getClientSignCertificates("FI:GOV:M1"); @@ -289,7 +292,7 @@ public void getClientSignCertificates() throws Exception { assertTrue(onlyCertificate.getCertificateDetails().getRsaPublicKeyModulus().startsWith("9d888fbe089b32a35f58")); assertEquals(Integer.valueOf(65537), onlyCertificate.getCertificateDetails().getRsaPublicKeyExponent()); assertEquals(new ArrayList<>( - Arrays.asList(org.niis.xroad.securityserver.restapi.openapi.model.KeyUsage.NON_REPUDIATION)), + Arrays.asList(org.niis.xroad.securityserver.restapi.openapi.model.KeyUsage.NON_REPUDIATION)), new ArrayList<>(onlyCertificate.getCertificateDetails().getKeyUsages())); try { certificates = clientsApiController.getClientSignCertificates("FI:GOV:M2"); 
@@ -309,33 +312,31 @@ public void forbidden() { } } - /** - * @param certificateInfo one certificate to put inside this tokenInfo - * structure - * @return - */ - private List createMockTokenInfos(CertificateInfo certificateInfo) { + private List createMockTokenInfos() { List mockTokens = new ArrayList<>(); - List certificates = new ArrayList<>(); - if (certificateInfo != null) { - certificates.add(certificateInfo); - } - KeyInfo keyInfo = new KeyInfo(false, null, - "friendlyName", "id", "label", "publicKey", - certificates, new ArrayList(), - "signMecchanismName"); - TokenInfo tokenInfo = new TokenInfo("type", - "friendlyName", "id", - false, false, false, - "serialNumber", "label", -1, - null, Arrays.asList(keyInfo), null); + + KeyInfo keyInfo = new TokenTestUtils.KeyInfoBuilder() + .available(false) + .keyUsageInfo(null) + .build(); + + TokenInfo tokenInfo = new TokenTestUtils.TokenInfoBuilder() + .type("type") + .friendlyName("friendlyName") + .readOnly(false) + .available(false) + .active(false) + .status(null) + .key(keyInfo) + .build(); + mockTokens.add(tokenInfo); return mockTokens; } @Test - @WithMockUser(authorities = { "VIEW_CLIENT_INTERNAL_CERTS", "ADD_CLIENT_INTERNAL_CERT" }) - public void addTlsCert() throws Exception { + @WithMockUser(authorities = {"VIEW_CLIENT_INTERNAL_CERTS", "ADD_CLIENT_INTERNAL_CERT"}) + public void addTlsCert() { ResponseEntity> certs = clientsApiController.getClientTlsCertificates( TestUtils.CLIENT_ID_SS1); assertEquals(0, certs.getBody().size()); 
@@ -370,9 +371,9 @@ public void addTlsCert() throws Exception { } @Test - @WithMockUser(authorities = { "ADD_CLIENT_INTERNAL_CERT", "DELETE_CLIENT_INTERNAL_CERT", - "VIEW_CLIENT_INTERNAL_CERTS" }) - public void deleteTlsCert() throws Exception { + @WithMockUser(authorities = {"ADD_CLIENT_INTERNAL_CERT", "DELETE_CLIENT_INTERNAL_CERT", + "VIEW_CLIENT_INTERNAL_CERTS"}) + public void deleteTlsCert() { ResponseEntity response = clientsApiController.addClientTlsCertificate(TestUtils.CLIENT_ID_SS1, getResource(CertificateTestUtils.getWidgitsCertificateBytes())); @@ -394,9 +395,9 @@ public void deleteTlsCert() throws Exception { } @Test - @WithMockUser(authorities = { "ADD_CLIENT_INTERNAL_CERT", "VIEW_CLIENT_INTERNAL_CERTS", - "VIEW_CLIENT_INTERNAL_CERT_DETAILS" }) - public void findTlsCert() throws Exception { + @WithMockUser(authorities = {"ADD_CLIENT_INTERNAL_CERT", "VIEW_CLIENT_INTERNAL_CERTS", + "VIEW_CLIENT_INTERNAL_CERT_DETAILS"}) + public void findTlsCert() { ResponseEntity response = clientsApiController.addClientTlsCertificate(TestUtils.CLIENT_ID_SS1, getResource(CertificateTestUtils.getWidgitsCertificateBytes())); @@ -423,8 +424,8 @@ public void findTlsCert() throws Exception { } @Test - @WithMockUser(authorities = { "ADD_LOCAL_GROUP" }) - public void addLocalGroup() throws Exception { + @WithMockUser(authorities = {"ADD_LOCAL_GROUP"}) + public void addLocalGroup() { ResponseEntity response = clientsApiController.addClientLocalGroup(TestUtils.CLIENT_ID_SS1, createLocalGroupAdd(TestUtils.NEW_GROUPCODE)); assertEquals(HttpStatus.CREATED, response.getStatusCode()); 
@@ -434,8 +435,8 @@ public void addLocalGroup() throws Exception { } @Test - @WithMockUser(authorities = { "VIEW_CLIENT_LOCAL_GROUPS" }) - public void getClientGroups() throws Exception { + @WithMockUser(authorities = {"VIEW_CLIENT_LOCAL_GROUPS"}) + public void getClientGroups() { ResponseEntity> response = clientsApiController.getClientLocalGroups(TestUtils.CLIENT_ID_SS1); assertEquals(HttpStatus.OK, response.getStatusCode()); @@ -578,7 +579,7 @@ public void findInternalClientsBySubsystemExcludeMembers() { } @Test - @WithMockUser(authorities = { "VIEW_CLIENT_SERVICES" }) + @WithMockUser(authorities = {"VIEW_CLIENT_SERVICES"}) public void getServiceDescriptions() { // client with 0 services ResponseEntity> descriptions = @@ -638,7 +639,7 @@ private Optional getDescription(Set desc } @Test - @WithMockUser(authorities = { "VIEW_CLIENTS" }) + @WithMockUser(authorities = {"VIEW_CLIENTS"}) public void findAllClientsByPartialNameIncludeMembers() { ResponseEntity> clientsResponse = clientsApiController.findClients(TestUtils.SUBSYSTEM3, null, null, null, null, false, false, null, false); @@ -647,7 +648,7 @@ public void findAllClientsByPartialNameIncludeMembers() { } @Test - @WithMockUser(authorities = { "VIEW_CLIENTS" }) + @WithMockUser(authorities = {"VIEW_CLIENTS"}) public void findAllClientsByPartialSearchTermsIncludeMembers() { ResponseEntity> clientsResponse = clientsApiController.findClients(null, "FI", "OV", "1", "1", false, true, null, false); 
@@ -656,10 +657,10 @@ public void findAllClientsByPartialSearchTermsIncludeMembers() { } @Test - @WithMockUser(authorities = { "VIEW_CLIENTS" }) + @WithMockUser(authorities = {"VIEW_CLIENTS"}) public void findAllClientsShouldNotFindByPartialInstance() { ResponseEntity> clientsResponse = clientsApiController.findClients(null, "F", - "OV", "1", "1", false, true, null, false); + "OV", "1", "1", false, true, null, false); assertEquals(HttpStatus.OK, clientsResponse.getStatusCode()); assertEquals(0, clientsResponse.getBody().size()); } @@ -673,7 +674,7 @@ private Client createTestClient(String memberClass, String memberCode, String su } @Test - @WithMockUser(authorities = { "ADD_CLIENT" }) + @WithMockUser(authorities = {"ADD_CLIENT"}) public void addClient() { Client clientToAdd = createTestClient("GOV", "M2", null); ResponseEntity response = clientsApiController.addClient( @@ -688,8 +689,8 @@ public void addClient() { response = clientsApiController.addClient( new ClientAdd().client(clientToAdd - .connectionType(ConnectionType.HTTPS_NO_AUTH) - .subsystemCode("SUBSYSTEM1")) + .connectionType(ConnectionType.HTTPS_NO_AUTH) + .subsystemCode("SUBSYSTEM1")) .ignoreWarnings(false)); assertEquals("SUBSYSTEM1", response.getBody().getSubsystemCode()); assertEquals(ClientStatus.SAVED, response.getBody().getStatus()); @@ -698,7 +699,7 @@ public void addClient() { } @Test - @WithMockUser(authorities = { "ADD_CLIENT" }) + @WithMockUser(authorities = {"ADD_CLIENT"}) public void addClientConflicts() { // conflict: client already exists Client clientToAdd = createTestClient("GOV", "M1", null); @@ -724,7 +725,7 @@ public void addClientConflicts() { } @Test - @WithMockUser(authorities = { "ADD_CLIENT" }) + @WithMockUser(authorities = {"ADD_CLIENT"}) public void addClientBadRequestFromWarnings() { // warning about unregistered client doReturn(null).when(globalConfFacade).getMemberName(any()); 
@@ -743,7 +744,7 @@ public void addClientBadRequestFromWarnings() { } @Test - @WithMockUser(authorities = { "ADD_CLIENT" }) + @WithMockUser(authorities = {"ADD_CLIENT"}) public void addClientBadRequestFromInvalidMemberClass() { // warning about unregistered client doReturn(null).when(globalConfFacade).getMemberName(any()); @@ -758,7 +759,7 @@ public void addClientBadRequestFromInvalidMemberClass() { } @Test - @WithMockUser(authorities = { "ADD_WSDL", "VIEW_CLIENT_SERVICES" }) + @WithMockUser(authorities = {"ADD_WSDL", "VIEW_CLIENT_SERVICES"}) public void addWsdlServiceDescription() { ServiceDescriptionAdd serviceDescription = new ServiceDescriptionAdd() .url("file:src/test/resources/wsdl/valid.wsdl"); @@ -796,7 +797,7 @@ public void addWsdlServiceDescription() { } @Test - @WithMockUser(authorities = { "ADD_WSDL" }) + @WithMockUser(authorities = {"ADD_WSDL"}) public void addWsdlServiceDescriptionParserFail() { ServiceDescriptionAdd serviceDescription = new ServiceDescriptionAdd().url("file:src/test/resources/wsdl/invalid.wsdl"); @@ -811,7 +812,7 @@ public void addWsdlServiceDescriptionParserFail() { } @Test - @WithMockUser(authorities = { "ADD_WSDL" }) + @WithMockUser(authorities = {"ADD_WSDL"}) public void addWsdlServiceDescriptionBadServiceUrl() { ServiceDescriptionAdd serviceDescription = new ServiceDescriptionAdd().url("file:src/test/resources/wsdl/invalid-serviceurl.wsdl"); @@ -827,7 +828,7 @@ public void addWsdlServiceDescriptionBadServiceUrl() { } @Test - @WithMockUser(authorities = { "ADD_WSDL", "VIEW_CLIENT_SERVICES" }) + @WithMockUser(authorities = {"ADD_WSDL", "VIEW_CLIENT_SERVICES"}) public void addWsdlServiceDescriptionWithWarnings() { ServiceDescriptionAdd serviceDescription = new ServiceDescriptionAdd().url("file:src/test/resources/wsdl/warning.wsdl"); 
@@ -853,7 +854,7 @@ public void addWsdlServiceDescriptionWithWarnings() { } @Test - @WithMockUser(authorities = { "ADD_WSDL" }) + @WithMockUser(authorities = {"ADD_WSDL"}) public void addWsdlServiceDescriptionValidationFail() { ServiceDescriptionAdd serviceDescription = new ServiceDescriptionAdd().url("file:src/test/resources/wsdl/error.wsdl"); @@ -878,7 +879,7 @@ public void addWsdlServiceDescriptionValidationFail() { } @Test - @WithMockUser(authorities = { "ADD_WSDL" }) + @WithMockUser(authorities = {"ADD_WSDL"}) public void addWsdlServiceDescriptionSkipValidation() { ServiceDescriptionAdd serviceDescription = new ServiceDescriptionAdd().url("file:src/test/resources/wsdl/error.wsdl"); @@ -893,7 +894,7 @@ public void addWsdlServiceDescriptionSkipValidation() { } @Test - @WithMockUser(authorities = { "VIEW_CLIENT_ACL_SUBJECTS" }) + @WithMockUser(authorities = {"VIEW_CLIENT_ACL_SUBJECTS"}) public void findAllServiceClientCandidates() { ResponseEntity> serviceClientResponse = clientsApiController.findServiceClientCandidates( TestUtils.CLIENT_ID_SS1, @@ -906,7 +907,7 @@ public void findAllServiceClientCandidates() { } @Test - @WithMockUser(authorities = { "VIEW_CLIENT_ACL_SUBJECTS" }) + @WithMockUser(authorities = {"VIEW_CLIENT_ACL_SUBJECTS"}) public void findServiceClientCandidatesByName() { ResponseEntity> serviceClientResponse = clientsApiController.findServiceClientCandidates( TestUtils.CLIENT_ID_SS1, @@ -916,7 +917,7 @@ public void findServiceClientCandidatesByName() { } @Test - @WithMockUser(authorities = { "VIEW_CLIENT_ACL_SUBJECTS" }) + @WithMockUser(authorities = {"VIEW_CLIENT_ACL_SUBJECTS"}) public void findServiceClientCandidatesByGroupDescription() { ResponseEntity> serviceClientResponse = clientsApiController.findServiceClientCandidates( TestUtils.CLIENT_ID_SS1, 
@@ -931,7 +932,7 @@ public void findServiceClientCandidatesByGroupDescription() { } @Test - @WithMockUser(authorities = { "VIEW_CLIENT_ACL_SUBJECTS" }) + @WithMockUser(authorities = {"VIEW_CLIENT_ACL_SUBJECTS"}) public void findServiceClientCandidatesByType() { ResponseEntity> serviceClientResponse = clientsApiController.findServiceClientCandidates( TestUtils.CLIENT_ID_SS1, @@ -941,7 +942,7 @@ public void findServiceClientCandidatesByType() { } @Test - @WithMockUser(authorities = { "VIEW_CLIENT_ACL_SUBJECTS" }) + @WithMockUser(authorities = {"VIEW_CLIENT_ACL_SUBJECTS"}) public void findServiceClientCandidatesByInstance() { ResponseEntity> serviceClientResponse = clientsApiController.findServiceClientCandidates( TestUtils.CLIENT_ID_SS1, @@ -951,15 +952,15 @@ public void findServiceClientCandidatesByInstance() { ResponseEntity> partialInstanceMatchResponse = clientsApiController.findServiceClientCandidates( - TestUtils.CLIENT_ID_SS1, - null, ServiceClientType.SUBSYSTEM, "E", null, null, null); + TestUtils.CLIENT_ID_SS1, + null, ServiceClientType.SUBSYSTEM, "E", null, null, null); Set partialInstanceMatch = partialInstanceMatchResponse.getBody(); assertEquals(0, partialInstanceMatch.size()); } @Test - @WithMockUser(authorities = { "VIEW_CLIENT_ACL_SUBJECTS" }) + @WithMockUser(authorities = {"VIEW_CLIENT_ACL_SUBJECTS"}) public void findServiceClientCandidatesByMemberClass() { ResponseEntity> serviceClientResponse = clientsApiController.findServiceClientCandidates( TestUtils.CLIENT_ID_SS1, 
@@ -969,14 +970,14 @@ public void findServiceClientCandidatesByMemberClass() { ResponseEntity> partialMemberClassMatchResponse = clientsApiController.findServiceClientCandidates( - TestUtils.CLIENT_ID_SS1, - null, ServiceClientType.SUBSYSTEM, null, "GO", null, null); + TestUtils.CLIENT_ID_SS1, + null, ServiceClientType.SUBSYSTEM, null, "GO", null, null); Set partialMemberClassMatch = partialMemberClassMatchResponse.getBody(); assertEquals(0, partialMemberClassMatch.size()); } @Test - @WithMockUser(authorities = { "VIEW_CLIENT_ACL_SUBJECTS" }) + @WithMockUser(authorities = {"VIEW_CLIENT_ACL_SUBJECTS"}) public void findServiceClientCandidatesByMemberOrGroupCode() { ResponseEntity> serviceClientResponse = clientsApiController.findServiceClientCandidates( TestUtils.CLIENT_ID_SS1, @@ -996,7 +997,7 @@ public void findServiceClientCandidatesByMemberOrGroupCode() { } @Test - @WithMockUser(authorities = { "VIEW_CLIENT_ACL_SUBJECTS" }) + @WithMockUser(authorities = {"VIEW_CLIENT_ACL_SUBJECTS"}) public void findServiceClientCandidatesBySubsystemCode() { ResponseEntity> serviceClientResponse = clientsApiController.findServiceClientCandidates( TestUtils.CLIENT_ID_SS1, @@ -1006,7 +1007,7 @@ public void findServiceClientCandidatesBySubsystemCode() { } @Test - @WithMockUser(authorities = { "VIEW_CLIENT_ACL_SUBJECTS" }) + @WithMockUser(authorities = {"VIEW_CLIENT_ACL_SUBJECTS"}) public void findServiceClientCandidatesByAllSearchTerms() { ResponseEntity> serviceClientResponse = clientsApiController.findServiceClientCandidates( TestUtils.CLIENT_ID_SS1, 
@@ -1019,13 +1020,13 @@ public void findServiceClientCandidatesByAllSearchTerms() { } @Test(expected = ResourceNotFoundException.class) - @WithMockUser(authorities = { "VIEW_CLIENT_ACL_SUBJECTS" }) + @WithMockUser(authorities = {"VIEW_CLIENT_ACL_SUBJECTS"}) public void findServiceClientCandidatesClientNotFound() { clientsApiController.findServiceClientCandidates(TestUtils.CLIENT_ID_SS4, null, null, null, null, null, null); } @Test - @WithMockUser(authorities = { "VIEW_CLIENT_ACL_SUBJECTS" }) + @WithMockUser(authorities = {"VIEW_CLIENT_ACL_SUBJECTS"}) public void findServiceClientCandidatesNoResults() { ResponseEntity> serviceClientResponse = clientsApiController.findServiceClientCandidates( TestUtils.CLIENT_ID_SS1, @@ -1043,7 +1044,7 @@ public void findServiceClientCandidatesNoResults() { } @Test - @WithMockUser(authorities = { "DELETE_CLIENT", "ADD_CLIENT", "VIEW_CLIENT_DETAILS" }) + @WithMockUser(authorities = {"DELETE_CLIENT", "ADD_CLIENT", "VIEW_CLIENT_DETAILS"}) public void deleteClient() { try { clientsApiController.deleteClient("FI:GOV:M1"); @@ -1072,7 +1073,7 @@ public void deleteClient() { } @Test - @WithMockUser(authorities = { "DELETE_CLIENT" }) + @WithMockUser(authorities = {"DELETE_CLIENT"}) public void getOrphans() { ClientId.Conf orphanClient = TestUtils.getClientId("FI:GOV:ORPHAN:SS1"); KeyInfo keyInfo = new TokenTestUtils.KeyInfoBuilder() @@ -1098,7 +1099,7 @@ public void getOrphans() { } @Test - @WithMockUser(authorities = { "DELETE_CLIENT", "DELETE_SIGN_KEY" }) + @WithMockUser(authorities = {"DELETE_CLIENT", "DELETE_SIGN_KEY"}) public void deleteOrphans() throws Exception { ClientId.Conf orphanClient = TestUtils.getClientId("FI:GOV:ORPHAN:SS1"); String orphanKeyId = "orphan-key"; 
@@ -1132,25 +1133,25 @@ public void deleteOrphans() throws Exception { } @Test - @WithMockUser(authorities = { "SEND_CLIENT_REG_REQ" }) + @WithMockUser(authorities = {"SEND_CLIENT_REG_REQ"}) public void registerClient() { ResponseEntity response = clientsApiController.registerClient(TestUtils.CLIENT_ID_M2_SS6); assertEquals(HttpStatus.NO_CONTENT, response.getStatusCode()); } @Test(expected = BadRequestException.class) - @WithMockUser(authorities = { "SEND_CLIENT_REG_REQ" }) + @WithMockUser(authorities = {"SEND_CLIENT_REG_REQ"}) public void registerOwner() { clientsApiController.registerClient(TestUtils.OWNER_ID); } @Test(expected = ConflictException.class) - @WithMockUser(authorities = { "SEND_CLIENT_REG_REQ" }) + @WithMockUser(authorities = {"SEND_CLIENT_REG_REQ"}) public void registerClientWrongStatus() { clientsApiController.registerClient(TestUtils.CLIENT_ID_SS1); } - @WithMockUser(authorities = { "SEND_CLIENT_REG_REQ" }) + @WithMockUser(authorities = {"SEND_CLIENT_REG_REQ"}) public void registerClientWithInvalidInstanceIdentifier() throws Exception { try { clientsApiController.registerClient(TestUtils.CLIENT_ID_INVALID_INSTANCE_IDENTIFIER); @@ -1161,7 +1162,7 @@ public void registerClientWithInvalidInstanceIdentifier() throws Exception { } } - @WithMockUser(authorities = { "SEND_CLIENT_REG_REQ" }) + @WithMockUser(authorities = {"SEND_CLIENT_REG_REQ"}) public void registerClientWithInvalidMemberClass() throws Exception { try { clientsApiController.registerClient(TestUtils.CLIENT_ID_INVALID_MEMBER_CLASS); 
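Review bot: `registerClientWithInvalidInstanceIdentifier` in the `@@ -1132,25 +1133,25 @@` hunk carries `@WithMockUser` but no `@Test`, so JUnit 4 will not run it; the context line before its annotation is the closing brace of `registerClientWrongStatus`. The same holds for `registerClientWithInvalidMemberClass` in the following hunk (`@@ -1161,7 +1162,7 @@`). These are the cases that pass `CLIENT_ID_INVALID_INSTANCE_IDENTIFIER` and `CLIENT_ID_INVALID_MEMBER_CLASS` to `registerClient`, so the rejection of malformed identifiers is currently not verified by this suite. Since the commit already touches both annotation lines, add `@Test` above each `@WithMockUser(authorities = {"SEND_CLIENT_REG_REQ"})`, or, if they were disabled on purpose, mark them `@Ignore` with a reason. Both method bodies continue outside the hunks.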
@@ -1172,26 +1173,26 @@ public void registerClientWithInvalidMemberClass() throws Exception { } @Test(expected = ConflictException.class) - @WithMockUser(authorities = { "SEND_CLIENT_DEL_REQ" }) + @WithMockUser(authorities = {"SEND_CLIENT_DEL_REQ"}) public void unregisterOwner() { clientsApiController.unregisterClient(TestUtils.OWNER_ID); } @Test - @WithMockUser(authorities = { "SEND_CLIENT_DEL_REQ" }) + @WithMockUser(authorities = {"SEND_CLIENT_DEL_REQ"}) public void unregisterClient() { ResponseEntity response = clientsApiController.unregisterClient(TestUtils.CLIENT_ID_SS1); assertEquals(HttpStatus.NO_CONTENT, response.getStatusCode()); } @Test(expected = ConflictException.class) - @WithMockUser(authorities = { "SEND_CLIENT_DEL_REQ" }) + @WithMockUser(authorities = {"SEND_CLIENT_DEL_REQ"}) public void unregisterClientWrongStatus() { clientsApiController.unregisterClient(TestUtils.CLIENT_ID_M2_SS6); } @Test(expected = ConflictException.class) - @WithMockUser(authorities = { "SEND_OWNER_CHANGE_REQ", "ADD_CLIENT" }) + @WithMockUser(authorities = {"SEND_OWNER_CHANGE_REQ", "ADD_CLIENT"}) public void changeOwnerNotRegistered() { clientsApiController.addClient(new ClientAdd().client(createTestClient( "GOV", "M2", null)).ignoreWarnings(true)); 
@@ -1200,19 +1201,19 @@ public void changeOwnerNotRegistered() { } @Test(expected = BadRequestException.class) - @WithMockUser(authorities = { "SEND_OWNER_CHANGE_REQ" }) + @WithMockUser(authorities = {"SEND_OWNER_CHANGE_REQ"}) public void changeOwnerCurrentOwner() { ResponseEntity response = clientsApiController.changeOwner("FI:GOV:M1"); } @Test(expected = ConflictException.class) - @WithMockUser(authorities = { "SEND_OWNER_CHANGE_REQ" }) + @WithMockUser(authorities = {"SEND_OWNER_CHANGE_REQ"}) public void changeOwnerSubsystem() { ResponseEntity response = clientsApiController.changeOwner("FI:GOV:M1:SS1"); } @Test(expected = ResourceNotFoundException.class) - @WithMockUser(authorities = { "SEND_OWNER_CHANGE_REQ" }) + @WithMockUser(authorities = {"SEND_OWNER_CHANGE_REQ"}) public void changeOwnerClientDoesNotExist() { Client client = new Client(); client.setInstanceId("non"); @@ -1222,19 +1223,19 @@ public void changeOwnerClientDoesNotExist() { } @Test(expected = BadRequestException.class) - @WithMockUser(authorities = { "VIEW_CLIENT_ACL_SUBJECTS" }) + @WithMockUser(authorities = {"VIEW_CLIENT_ACL_SUBJECTS"}) public void getServiceClientNotExist() { clientsApiController.getServiceClient(TestUtils.CLIENT_ID_SS1, "NoSuchServiceClient"); } @Test(expected = ResourceNotFoundException.class) - @WithMockUser(authorities = { "VIEW_CLIENT_ACL_SUBJECTS" }) + @WithMockUser(authorities = {"VIEW_CLIENT_ACL_SUBJECTS"}) public void getServiceClientWithClientNotContainingGivenServiceClient() { clientsApiController.getServiceClient(TestUtils.CLIENT_ID_SS5, TestUtils.CLIENT_ID_SS1); } @Test - @WithMockUser(authorities = { "VIEW_CLIENT_ACL_SUBJECTS" }) + @WithMockUser(authorities = {"VIEW_CLIENT_ACL_SUBJECTS"}) public void getServiceClient() { String clientId = TestUtils.CLIENT_ID_SS1; String serviceClientId = TestUtils.CLIENT_ID_SS2; 
@@ -1253,7 +1254,7 @@ public void getServiceClient() { } @Test - @WithMockUser(authorities = { "VIEW_ACL_SUBJECT_OPEN_SERVICES" }) + @WithMockUser(authorities = {"VIEW_ACL_SUBJECT_OPEN_SERVICES"}) public void getServiceClientAccessRightsTest() { String clientId = TestUtils.CLIENT_ID_SS1; String serviceClientId = TestUtils.CLIENT_ID_SS2; @@ -1274,8 +1275,8 @@ public void getServiceClientAccessRightsTest() { } @Test - @WithMockUser(authorities = { "EDIT_ACL_SUBJECT_OPEN_SERVICES" }) - public void addServiceClientAccessRights() throws Exception { + @WithMockUser(authorities = {"EDIT_ACL_SUBJECT_OPEN_SERVICES"}) + public void addServiceClientAccessRights() { String encodedOwnerId = "FI:GOV:M1:SS1"; String encodedSubsystemId = "EE:GOV:M2:SS3"; diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/CsrFilenameCreatorTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/CsrFilenameCreatorTest.java index d94207a027..a7881c72f3 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/CsrFilenameCreatorTest.java +++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/CsrFilenameCreatorTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -28,10 +28,10 @@ import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.identifier.SecurityServerId; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; -import ee.ria.xroad.signer.protocol.message.CertificateRequestFormat; import org.junit.Before; import org.junit.Test; +import org.niis.xroad.signer.proto.CertificateRequestFormat; import static org.junit.Assert.assertEquals; 
diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/TokenCertificatesApiControllerIntegrationTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/TokenCertificatesApiControllerIntegrationTest.java index 19d541ecf0..7e2ae37aea 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/TokenCertificatesApiControllerIntegrationTest.java +++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/TokenCertificatesApiControllerIntegrationTest.java @@ -125,9 +125,10 @@ public void setup() throws Exception { } }).when(signerProxyFacade).getCertForHash(any()); doAnswer(answer -> new SignerProxy.KeyIdInfo("key-id", null)).when(signerProxyFacade).getKeyIdForCertHash(any()); - TokenInfo tokenInfo = new TokenTestUtils.TokenInfoBuilder().build(); KeyInfo keyInfo = new TokenTestUtils.KeyInfoBuilder().id("key-id").build(); - tokenInfo.getKeyInfo().add(keyInfo); + TokenInfo tokenInfo = new TokenTestUtils.TokenInfoBuilder() + .key(keyInfo) + .build(); doAnswer(answer -> Collections.singletonList(tokenInfo)).when(signerProxyFacade).getTokens(); TokenInfoAndKeyId tokenInfoAndKeyId = new TokenInfoAndKeyId(tokenInfo, keyInfo.getId()); doAnswer(answer -> tokenInfoAndKeyId).when(signerProxyFacade).getTokenAndKeyIdForCertRequestId(any()); diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/TokensApiControllerTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/TokensApiControllerTest.java index ec0f8f8d0e..3ac30a3606 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/TokensApiControllerTest.java 
+++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/TokensApiControllerTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -90,7 +90,7 @@ public void setUp() throws Exception { .active(false) .key(inactiveKeyInfo) .build(); - allTokens = Arrays.asList(new TokenInfo[] {activeTokenInfo, inactiveTokenInfo}); + allTokens = Arrays.asList(activeTokenInfo, inactiveTokenInfo); doReturn(allTokens).when(tokenService).getAllTokens(); @@ -123,7 +123,7 @@ public void setUp() throws Exception { String tokenId = (String) args[0]; String keyLabel = (String) args[1]; if (GOOD_TOKEN_ID.equals(tokenId)) { - ReflectionTestUtils.setField(keyInfo, "label", keyLabel); + ReflectionTestUtils.setField(keyInfo.getMessage(), "label_", keyLabel); return keyInfo; } else if (NOT_ACTIVE_TOKEN_ID.equals(tokenId)) { throw new CodedException.Fault(SIGNER_X + "." + X_TOKEN_NOT_ACTIVE, null); diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/KeyAndCertificateRequestServiceIntegrationTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/KeyAndCertificateRequestServiceIntegrationTest.java index 7450efe511..11b39dfea6 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/KeyAndCertificateRequestServiceIntegrationTest.java +++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/KeyAndCertificateRequestServiceIntegrationTest.java 
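Review bot: `ReflectionTestUtils.setField(keyInfo.getMessage(), "label_", keyLabel)` in the `@@ -123,7 +123,7 @@` hunk writes to a private field of what appears to be a generated protobuf message, a type that is meant to be immutable once built. The name `label_` is a code-generator detail that can change with the protobuf version, and mutating a built message can leave memoized state such as its cached size or hash out of step with its contents. Prefer returning a rebuilt copy, for example `return new KeyInfo(keyInfo.getMessage().toBuilder().setLabel(keyLabel).build());`, assuming `KeyInfo` has the same message-wrapping constructor that `TokenInfo` is given elsewhere in this commit. Any assertion that later reads the shared `keyInfo` would then need the returned instance. The enclosing answer lambda starts and ends outside the hunk.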
@@ -33,12 +33,12 @@ import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; -import ee.ria.xroad.signer.protocol.message.CertificateRequestFormat; import org.junit.Before; import org.junit.Test; import org.niis.xroad.restapi.exceptions.DeviationAwareRuntimeException; import org.niis.xroad.securityserver.restapi.util.TokenTestUtils; +import org.niis.xroad.signer.proto.CertificateRequestFormat; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.test.context.support.WithMockUser; @@ -46,6 +46,7 @@ import java.util.Arrays; import java.util.HashMap; import java.util.Map; +import java.util.stream.Collectors; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.fail; @@ -63,6 +64,7 @@ public class KeyAndCertificateRequestServiceIntegrationTest extends AbstractServ public static final String SOFTWARE_TOKEN_ID = PossibleActionsRuleEngine.SOFTWARE_TOKEN_ID; public static final String OTHER_TOKEN_ID = "1"; public static final String MOCK_CA = "mock-ca"; + Map tokens = new HashMap<>(); @Before public void setup() throws Exception { @@ -76,11 +78,11 @@ public void setup() throws Exception { .type("mock-type") .friendlyName("mock-token1") .build(); - Map tokens = new HashMap<>(); + tokens.put(token0.getId(), token0); tokens.put(token1.getId(), token1); // mock related signer proxy methods - when(signerProxyFacade.getTokens()).thenReturn(new ArrayList<>(tokens.values())); + when(signerProxyFacade.getTokens()).thenAnswer(i -> new ArrayList<>(tokens.values())); when(signerProxyFacade.getToken(any())).thenAnswer( invocation -> tokens.get(invocation.getArguments()[0])); when(signerProxyFacade.generateKey(any(), any())).thenAnswer(invocation -> { 
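Review bot: The `tokens` field added in the `@@ -63,6 +64,7 @@` hunk has no access modifier and is not final, although the visible hunks only ever replace its entries and never reassign the map. Declaring it `private final` keeps the mutable fixture out of reach of other classes in the package and makes it clear that the stubs swap entries rather than the map itself. A short comment such as `// token id -> current TokenInfo; stubs put a rebuilt TokenInfo here instead of mutating the old one` would also explain why `getTokens()` was switched from `thenReturn` to `thenAnswer` in the next hunk.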
@@ -93,7 +95,10 @@ public void setup() throws Exception { .friendlyName(label) .build(); TokenInfo token = tokens.get(tokenId); - token.getKeyInfo().add(keyInfo); + TokenInfo newTokenInfo = new TokenInfo(token.getMessage().toBuilder() + .addKeyInfo(keyInfo.getMessage()) + .build()); + tokens.put(tokenId, newTokenInfo); return keyInfo; }); when(signerProxyFacade.getTokenForKeyId(any())).thenAnswer(invocation -> { @@ -112,8 +117,17 @@ public void setup() throws Exception { .keyInfo(keyInfo) .keyUsageInfo(keyUsage) .build(); - tokenInfo.getKeyInfo().remove(keyInfo); - tokenInfo.getKeyInfo().add(copy); + + final ArrayList keyInfos = new ArrayList<>(tokenInfo.getKeyInfo()); + keyInfos.remove(keyInfo); + keyInfos.add(copy); + + TokenInfo newToken = new TokenInfo(tokenInfo.getMessage().toBuilder() + .clearKeyInfo() + .addAllKeyInfo(keyInfos.stream().map(KeyInfo::getMessage).collect(Collectors.toList())) + .build()); + tokens.put(newToken.getId(), newToken); + return new SignerProxy.GeneratedCertRequestInfo(null, null, null, null, null); }); when(globalConfFacade.getApprovedCAs(any())).thenReturn(Arrays.asList( @@ -124,8 +138,8 @@ public void setup() throws Exception { when(currentSecurityServerId.getServerId()).thenReturn(ownerSsId); } - private KeyInfo getKey(Map tokens, String keyId) { - for (TokenInfo tokenInfo : tokens.values()) { + private KeyInfo getKey(Map tokenInfos, String keyId) { + for (TokenInfo tokenInfo : tokenInfos.values()) { for (KeyInfo keyInfo : tokenInfo.getKeyInfo()) { if (keyInfo.getId().equals(keyId)) { return keyInfo; @@ -135,8 +149,8 @@ private KeyInfo getKey(Map tokens, String keyId) { return null; } - private TokenInfo getTokenWithKey(Map tokens, String keyId) { - for (TokenInfo tokenInfo : tokens.values()) { + private TokenInfo getTokenWithKey(Map tokenInfos, String keyId) { + for (TokenInfo tokenInfo : tokenInfos.values()) { for (KeyInfo keyInfo : tokenInfo.getKeyInfo()) { if (keyInfo.getId().equals(keyId)) { return tokenInfo; 
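Review bot: `keyInfos.remove(keyInfo)` in the `@@ -112,8 +117,17 @@` hunk only drops the old entry if `KeyInfo` defines value-based `equals`, or if `tokenInfo.getKeyInfo()` returns the very same instances as the earlier lookup; neither is visible here. If `getKeyInfo()` wraps the underlying messages afresh on each call, the remove is a silent no-op and the rebuilt token ends up holding both the old key and `copy`, which the later assertions may not notice. Matching on the id does not depend on that: `keyInfos.removeIf(k -> k.getId().equals(keyInfo.getId()));`. The enclosing `thenAnswer` lambda begins outside the hunk.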
@@ -147,7 +161,7 @@ private TokenInfo getTokenWithKey(Map tokens, String keyId) { } @Test - @WithMockUser(authorities = { "DELETE_KEY", "DELETE_SIGN_KEY", "DELETE_AUTH_KEY" }) + @WithMockUser(authorities = {"DELETE_KEY", "DELETE_SIGN_KEY", "DELETE_AUTH_KEY"}) public void addKeyAndCertSuccess() throws Exception { HashMap dnParams = createCsrDnParams(); KeyAndCertificateRequestService.KeyAndCertRequestInfo info = keyAndCertificateRequestService @@ -171,7 +185,7 @@ private HashMap createCsrDnParams() { } @Test - @WithMockUser(authorities = { "DELETE_KEY", "DELETE_SIGN_KEY", "DELETE_AUTH_KEY" }) + @WithMockUser(authorities = {"DELETE_KEY", "DELETE_SIGN_KEY", "DELETE_AUTH_KEY"}) public void canAddAuthKeyToSoftToken() throws Exception { HashMap dnParams = createCsrDnParams(); KeyAndCertificateRequestService.KeyAndCertRequestInfo info = keyAndCertificateRequestService @@ -183,7 +197,7 @@ public void canAddAuthKeyToSoftToken() throws Exception { } @Test(expected = ActionNotPossibleException.class) - @WithMockUser(authorities = { "DELETE_KEY", "DELETE_SIGN_KEY", "DELETE_AUTH_KEY" }) + @WithMockUser(authorities = {"DELETE_KEY", "DELETE_SIGN_KEY", "DELETE_AUTH_KEY"}) public void cannotAddAuthKeyToNonSoftToken() throws Exception { HashMap dnParams = createCsrDnParams(); KeyAndCertificateRequestService.KeyAndCertRequestInfo info = keyAndCertificateRequestService @@ -194,7 +208,7 @@ public void cannotAddAuthKeyToNonSoftToken() throws Exception { } @Test - @WithMockUser(authorities = { "DELETE_KEY", "DELETE_SIGN_KEY", "DELETE_AUTH_KEY" }) + @WithMockUser(authorities = {"DELETE_KEY", "DELETE_SIGN_KEY", "DELETE_AUTH_KEY"}) public void csrGenerateFailureRollsBackKeyCreate() throws Exception { HashMap dnParams = createCsrDnParams(); try { 
@@ -215,7 +229,7 @@ public void csrGenerateFailureRollsBackKeyCreate() throws Exception { } @Test - @WithMockUser(authorities = { "DELETE_KEY", "DELETE_SIGN_KEY", "DELETE_AUTH_KEY" }) + @WithMockUser(authorities = {"DELETE_KEY", "DELETE_SIGN_KEY", "DELETE_AUTH_KEY"}) public void failedRollback() throws Exception { HashMap dnParams = createCsrDnParams(); doThrow(new CodedException(TokenService.KEY_NOT_FOUND_FAULT_CODE)) diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/KeyServiceTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/KeyServiceTest.java index 62de5dc3e0..439344f689 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/KeyServiceTest.java +++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/KeyServiceTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -46,7 +46,6 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.access.AccessDeniedException; import org.springframework.security.test.context.support.WithMockUser; -import org.springframework.test.util.ReflectionTestUtils; import java.util.Arrays; import java.util.Collections; 
@@ -102,16 +101,9 @@ public class KeyServiceTest extends AbstractServiceTestContext { private static final String REGISTERED_AUTH_CERT_ID = "registered-auth-cert"; private static final String NONREGISTERED_AUTH_CERT_ID = "unregistered-auth-cert"; - private static final TokenInfo TOKEN_INFO = new TokenTestUtils.TokenInfoBuilder() - .friendlyName("good-token").build(); - - private static final KeyInfo AUTH_KEY = new TokenTestUtils.KeyInfoBuilder() - .id(AUTH_KEY_ID) - .keyUsageInfo(KeyUsageInfo.AUTHENTICATION) - .build(); + private TokenInfo tokenInfo; - static { - // auth key + private TokenInfo createTokenInfo(String authKeyFriendlyName) { CertificateInfo registeredCert = new CertificateTestUtils.CertificateInfoBuilder() .savedToConfiguration(true) .certificateStatus(CertificateInfo.STATUS_REGISTERED) @@ -122,13 +114,17 @@ public class KeyServiceTest extends AbstractServiceTestContext { .certificateStatus(CertificateInfo.STATUS_SAVED) .id(NONREGISTERED_AUTH_CERT_ID) .build(); - AUTH_KEY.getCerts().add(registeredCert); - AUTH_KEY.getCerts().add(nonregisteredCert); CertRequestInfo certRequestInfo = new CertificateTestUtils.CertRequestInfoBuilder() .build(); - AUTH_KEY.getCertRequests().add(certRequestInfo); + KeyInfo authKeyInfo = new TokenTestUtils.KeyInfoBuilder() + .id(AUTH_KEY_ID) + .friendlyName(authKeyFriendlyName) + .keyUsageInfo(KeyUsageInfo.AUTHENTICATION) + .cert(registeredCert) + .cert(nonregisteredCert) + .csr(certRequestInfo) + .build(); - // sign and typeless keys KeyInfo signKey = new TokenTestUtils.KeyInfoBuilder() .id(SIGN_KEY_ID) .keyUsageInfo(KeyUsageInfo.SIGNING) 
@@ -137,13 +133,17 @@ public class KeyServiceTest extends AbstractServiceTestContext { .id(TYPELESS_KEY_ID) .keyUsageInfo(null) .build(); - TOKEN_INFO.getKeyInfo().add(AUTH_KEY); - TOKEN_INFO.getKeyInfo().add(signKey); - TOKEN_INFO.getKeyInfo().add(typelessKey); + return new TokenTestUtils.TokenInfoBuilder() + .friendlyName("good-token") + .key(authKeyInfo) + .key(signKey) + .key(typelessKey) + .build(); } @Before public void setup() throws Exception { + tokenInfo = createTokenInfo("friendly-name"); doAnswer(invocation -> { Object[] arguments = invocation.getArguments(); String newKeyName = (String) arguments[1]; @@ -151,7 +151,7 @@ public void setup() throws Exception { throw new CodedException(SIGNER_X + "." + X_KEY_NOT_FOUND); } if (arguments[0].equals(AUTH_KEY_ID)) { - ReflectionTestUtils.setField(AUTH_KEY, "friendlyName", newKeyName); + tokenInfo = createTokenInfo(newKeyName); } else { throw new RuntimeException(arguments[0] + " not supported"); } @@ -293,7 +293,7 @@ public void deleteChecksPossibleActions() throws Exception { @WithMockUser(authorities = { "VIEW_KEYS" }) public void getPossibleActionsForKey() throws Exception { EnumSet possibleActions = keyService.getPossibleActionsForKey(SIGN_KEY_ID); - Set allActions = new HashSet(Arrays.asList(PossibleActionEnum.values())); + Set allActions = new HashSet<>(Arrays.asList(PossibleActionEnum.values())); assertEquals(allActions, new HashSet<>(possibleActions)); } @@ -306,7 +306,7 @@ public TokenInfo getTokenForKeyId(String keyId) throws KeyNotFoundException { if (AUTH_KEY_ID.equals(keyId) || SIGN_KEY_ID.equals(keyId) || TYPELESS_KEY_ID.equals(keyId)) { - return TOKEN_INFO; + return tokenInfo; } else { throw new KeyNotFoundException(keyId + " not supported"); } 
@@ -314,7 +314,7 @@ public TokenInfo getTokenForKeyId(String keyId) throws KeyNotFoundException { @Override public List getAllTokens() { - return Collections.singletonList(TOKEN_INFO); + return Collections.singletonList(tokenInfo); } }; keyService = new KeyService(signerProxyFacade, tokenService, possibleActionsRuleEngineParam, @@ -324,7 +324,7 @@ public List getAllTokens() { private void mockPossibleActionsRuleEngineAllowAll() { possibleActionsRuleEngine = new PossibleActionsRuleEngine() { @Override - public EnumSet getPossibleKeyActions(TokenInfo tokenInfo, + public EnumSet getPossibleKeyActions(TokenInfo token, KeyInfo keyInfo) { // by default all actions are possible return EnumSet.allOf(PossibleActionEnum.class); @@ -336,14 +336,14 @@ public EnumSet getPossibleKeyActions(TokenInfo tokenInfo, private void mockPossibleActionsRuleEngineDenyAll() { possibleActionsRuleEngine = new PossibleActionsRuleEngine() { @Override - public EnumSet getPossibleKeyActions(TokenInfo tokenInfo, + public EnumSet getPossibleKeyActions(TokenInfo token, KeyInfo keyInfo) { // prepare so that no actions are possible return EnumSet.noneOf(PossibleActionEnum.class); } @Override - public void requirePossibleKeyAction(PossibleActionEnum action, TokenInfo tokenInfo, + public void requirePossibleKeyAction(PossibleActionEnum action, TokenInfo token, KeyInfo keyInfo) throws ActionNotPossibleException { throw new ActionNotPossibleException(""); } diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/OrphanRemovalServiceTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/OrphanRemovalServiceTest.java index 125354ff67..a69f8a36da 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/OrphanRemovalServiceTest.java 
+++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/OrphanRemovalServiceTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -284,7 +284,7 @@ public void isOrphanKey() { assertFalse(orphanRemovalService.isOrphanKey( new TokenTestUtils.KeyInfoBuilder() .keyUsageInfo(KeyUsageInfo.AUTHENTICATION) - .cert(new CertificateTestUtils.CertificateInfoBuilder().clientId(null).build()) + .cert(new CertificateTestUtils.CertificateInfoBuilder().build()) .build(), orphanSubsystemDeleted)); } diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/TokenCertificateServiceTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/TokenCertificateServiceTest.java index c540444c61..36a9c91e56 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/TokenCertificateServiceTest.java +++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/TokenCertificateServiceTest.java @@ -31,12 +31,12 @@ import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.signer.SignerProxy; import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; +import ee.ria.xroad.signer.protocol.dto.CertRequestInfoProto; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyId; -import ee.ria.xroad.signer.protocol.message.CertificateRequestFormat; import com.google.common.collect.ImmutableMap; import lombok.extern.slf4j.Slf4j; 
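Review bot: In `isOrphanKey()` (hunk `@@ -284,7 +284,7 @@` of OrphanRemovalServiceTest) the authentication-key certificate is no longer built with `.clientId(null)`, so it now carries the builder default `ClientId.Conf.create("a", "b", "c")` and the case "auth cert without a member id" is no longer what this assertion exercises. The new `createCertificateInfo` helper skips a null client id via `ofNullable`, so the original intent looks expressible as `.cert(new CertificateTestUtils.CertificateInfoBuilder().clientId(null).build())`. Whether the `assertFalse` result depends on the member id cannot be seen from this hunk, so please confirm the changed input is deliberate and, if it is, say so in a comment on that line.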
@@ -53,6 +53,7 @@ import org.niis.xroad.securityserver.restapi.util.CertificateTestUtils; import org.niis.xroad.securityserver.restapi.util.TestUtils; import org.niis.xroad.securityserver.restapi.util.TokenTestUtils; +import org.niis.xroad.signer.proto.CertificateRequestFormat; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.autoconfigure.jdbc.AutoConfigureTestDatabase; import org.springframework.boot.test.context.SpringBootTest; @@ -89,6 +90,7 @@ import static org.mockito.Mockito.times; import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; +import static org.niis.xroad.securityserver.restapi.util.CertificateTestUtils.createCertificateInfo; /** * Test TokenCertificateService @@ -171,6 +173,12 @@ public class TokenCertificateServiceTest { new CertificateTestUtils.CertificateInfoBuilder().id(EXISTING_CERT_IN_AUTH_KEY_HASH) .certificate(CertificateTestUtils.getMockAuthCertificate()).build(); + private CertRequestInfo newCertRequestInfo(String id) { + return new CertRequestInfo(CertRequestInfoProto.newBuilder() + .setId(id) + .build()); + } + @Before public void setup() throws Exception { when(clientService.getLocalClientMemberIds()) 
@@ -188,11 +196,10 @@ public void setup() throws Exception { // keyService.getKey, signerProxyFacade.getKeyIdForCertHash, // signerProxyFacade.getCertForHash // mock delete-operations (deleteCertificate, deleteCsr) - CertRequestInfo goodCsr = new CertRequestInfo(GOOD_CSR_ID, null, null); - CertRequestInfo authCsr = new CertRequestInfo(GOOD_AUTH_CSR_ID, null, null); - CertRequestInfo signCsr = new CertRequestInfo(GOOD_SIGN_CSR_ID, null, null); - CertRequestInfo signerExceptionCsr = new CertRequestInfo( - SIGNER_EXCEPTION_CSR_ID, null, null); + CertRequestInfo goodCsr = newCertRequestInfo(GOOD_CSR_ID); + CertRequestInfo authCsr = newCertRequestInfo(GOOD_AUTH_CSR_ID); + CertRequestInfo signCsr = newCertRequestInfo(GOOD_SIGN_CSR_ID); + CertRequestInfo signerExceptionCsr = newCertRequestInfo(SIGNER_EXCEPTION_CSR_ID); KeyInfo authKey = new TokenTestUtils.KeyInfoBuilder().id(AUTH_KEY_ID) .keyUsageInfo(KeyUsageInfo.AUTHENTICATION) .csr(authCsr) @@ -209,10 +216,12 @@ public void setup() throws Exception { .csr(signCsr) .cert(signCert) .build(); - TokenInfo tokenInfo = new TokenTestUtils.TokenInfoBuilder().friendlyName("fubar").build(); - tokenInfo.getKeyInfo().add(authKey); - tokenInfo.getKeyInfo().add(signKey); - tokenInfo.getKeyInfo().add(goodKey); + TokenInfo tokenInfo = new TokenTestUtils.TokenInfoBuilder() + .friendlyName("fubar") + .key(authKey) + .key(signKey) + .key(goodKey) + .build(); mockGetTokenAndKeyIdForCertificateHash(authKey, goodKey, signKey, tokenInfo); mockGetTokenAndKeyIdForCertificateRequestId(authKey, goodKey, signKey, tokenInfo); 
@@ -325,7 +334,7 @@ private void mockGetCertForHash() throws Exception { // cert will have same id as hash return new CertificateTestUtils.CertificateInfoBuilder().id(certHash).build(); case MISSING_CERTIFICATE_HASH: - return new CertificateInfo(null, false, false, "status", "certID", + return createCertificateInfo(null, false, false, "status", "certID", CertificateTestUtils.getMockAuthCertificateBytes(), null); default: throw new RuntimeException("bad switch option: " + certHash); @@ -582,7 +591,7 @@ public void deActivateCertificateCheckPossibleActions() throws Exception { default: throw new RuntimeException("bad switch option: " + certHash); } - return new CertificateInfo(null, active, true, "status", "certID", + return createCertificateInfo(null, active, true, "status", "certID", CertificateTestUtils.getMockAuthCertificateBytes(), null); }).when(signerProxyFacade).getCertForHash(any()); @@ -613,7 +622,7 @@ public void deActivateCertificateCheckPossibleActions() throws Exception { public void deActivateUnknownCertificate() throws Exception { // we want to use the real rules for this test Mockito.reset(possibleActionsRuleEngine); - doReturn(new CertificateInfo(null, true, true, "status", + doReturn(createCertificateInfo(null, true, true, "status", "certID", CertificateTestUtils.getMockCertificateWithoutExtensionsBytes(), null)) .when(signerProxyFacade).getCertForHash(any()); diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/TokenServiceTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/TokenServiceTest.java index 78cdd5b58c..e52f74c8ac 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/TokenServiceTest.java +++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/TokenServiceTest.java 
@@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -26,7 +26,6 @@ package org.niis.xroad.securityserver.restapi.service; import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; import lombok.extern.slf4j.Slf4j; @@ -38,7 +37,6 @@ import org.niis.xroad.securityserver.restapi.dto.TokenInitStatusInfo; import org.niis.xroad.securityserver.restapi.util.TokenTestUtils; import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.test.util.ReflectionTestUtils; import static org.junit.Assert.assertEquals; import static org.junit.Assert.fail; @@ -73,6 +71,11 @@ public class TokenServiceTest extends AbstractServiceTestContext { public static final String GOOD_TOKEN_ID = "token-which-exists"; + private TokenInfo tokenInfo = new TokenTestUtils.TokenInfoBuilder() + .friendlyName(GOOD_TOKEN_NAME) + .key(new TokenTestUtils.KeyInfoBuilder().id(GOOD_KEY_ID).build()) + .build(); + @Before public void setup() throws Exception { doAnswer(invocation -> { @@ -119,10 +122,6 @@ public void setup() throws Exception { return null; }).when(signerProxyFacade).deactivateToken(any()); - TokenInfo tokenInfo = new TokenTestUtils.TokenInfoBuilder().friendlyName(GOOD_TOKEN_NAME).build(); - KeyInfo keyInfo = new TokenTestUtils.KeyInfoBuilder().id(GOOD_KEY_ID).build(); - tokenInfo.getKeyInfo().add(keyInfo); - doAnswer(invocation -> { Object[] args = invocation.getArguments(); String tokenId = (String) args[0]; 
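Review bot: The `TokenInfoBuilder` chain that initialises the new `tokenInfo` field in TokenServiceTest (hunk `@@ -73,6 +71,11 @@`) is repeated verbatim inside the `setTokenFriendlyName` answer in hunk `@@ -136,7 +135,12 @@`, so the two copies can drift apart when a key or attribute is added to one of them. KeyServiceTest in this same commit solves the same problem with a `createTokenInfo(String)` helper; doing the same here would reduce the lambda body to `tokenInfo = createTokenInfo(newTokenName);` and the field initialiser to `createTokenInfo(GOOD_TOKEN_NAME)`. A one-line comment on the field noting that it is replaced, not mutated, on rename would also help, since the signer DTO no longer has a settable `friendlyName`.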
@@ -136,7 +135,12 @@ public void setup() throws Exception { doAnswer(invocation -> { Object[] args = invocation.getArguments(); String newTokenName = (String) args[1]; - ReflectionTestUtils.setField(tokenInfo, "friendlyName", newTokenName); + + tokenInfo = new TokenTestUtils.TokenInfoBuilder() + .friendlyName(newTokenName) + .key(new TokenTestUtils.KeyInfoBuilder().id(GOOD_KEY_ID).build()) + .build(); + return null; }).when(signerProxyFacade).setTokenFriendlyName(any(), any()); mockPossibleActionsRuleEngineAllowAll(); @@ -210,16 +214,16 @@ public void getToken() throws Exception { } catch (TokenNotFoundException expected) { } - TokenInfo tokenInfo = tokenService.getToken(GOOD_TOKEN_ID); - assertEquals(GOOD_TOKEN_NAME, tokenInfo.getFriendlyName()); + TokenInfo token = tokenService.getToken(GOOD_TOKEN_ID); + assertEquals(GOOD_TOKEN_NAME, token.getFriendlyName()); } @Test public void updateTokenFriendlyName() throws Exception { - TokenInfo tokenInfo = tokenService.getToken(GOOD_TOKEN_ID); - assertEquals(GOOD_TOKEN_NAME, tokenInfo.getFriendlyName()); - tokenInfo = tokenService.updateTokenFriendlyName(GOOD_TOKEN_ID, "friendly-neighborhood"); - assertEquals("friendly-neighborhood", tokenInfo.getFriendlyName()); + TokenInfo token = tokenService.getToken(GOOD_TOKEN_ID); + assertEquals(GOOD_TOKEN_NAME, token.getFriendlyName()); + token = tokenService.updateTokenFriendlyName(GOOD_TOKEN_ID, "friendly-neighborhood"); + assertEquals("friendly-neighborhood", token.getFriendlyName()); } @Test(expected = TokenNotFoundException.class) @@ -274,7 +278,7 @@ private void mockServices(PossibleActionsRuleEngine possibleActionsRuleEnginePar private void mockPossibleActionsRuleEngineAllowAll() { possibleActionsRuleEngine = new PossibleActionsRuleEngine() { @Override - public void requirePossibleTokenAction(PossibleActionEnum action, TokenInfo tokenInfo) throws + public void requirePossibleTokenAction(PossibleActionEnum action, TokenInfo token) throws ActionNotPossibleException { // noop } 
diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/CertificateTestUtils.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/CertificateTestUtils.java index a38066cc20..0ca9655b14 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/CertificateTestUtils.java +++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/CertificateTestUtils.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -29,9 +29,13 @@ import ee.ria.xroad.common.TestCertUtil; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.util.CryptoUtils; +import ee.ria.xroad.signer.protocol.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; +import ee.ria.xroad.signer.protocol.dto.CertRequestInfoProto; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; +import ee.ria.xroad.signer.protocol.dto.CertificateInfoProto; +import com.google.protobuf.ByteString; import org.bouncycastle.cert.ocsp.CertificateStatus; import org.bouncycastle.cert.ocsp.OCSPResp; import org.springframework.core.io.ByteArrayResource; @@ -43,6 +47,8 @@ import java.util.Collections; import java.util.List; +import static java.util.Optional.ofNullable; + /** * Utils for working with test x509 certificates */ @@ -57,7 +63,7 @@ public final class CertificateTestUtils { * Version: V3 * Subject: CN=N/A * Signature Algorithm: SHA512withRSA, OID = 1.2.840.113549.1.1.13 - * + *

* Key: Sun RSA public key, 2048 bits * public exponent: 65537 * Validity: [From: Thu Jan 01 02:00:00 EET 1970, @@ -88,7 +94,7 @@ public final class CertificateTestUtils { * Version: V3 * Subject: O=Internet Widgits Pty Ltd, ST=Some-State, C=AU * Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 - * + *

* Key: Sun RSA public key, 512 bits * public exponent: 65537 * Validity: [From: Wed Apr 24 09:59:02 EEST 2019, @@ -128,7 +134,7 @@ public final class CertificateTestUtils { /** * This is an authentication certificate created in a development setup - * + *

* Certificate Details: * Serial Number: 8 (0x8) * Validity @@ -275,7 +281,7 @@ private CertificateTestUtils() { /** * Certificate which does not have X509v3 Key Usage extension (and hence is not a sign or auth cert, - * and CertUtils.isSigningCert & CertUtils.isAuthCert throw exceptions) + * and CertUtils.isSigningCert & CertUtils.isAuthCert throw exceptions) */ public static X509Certificate getMockCertificateWithoutExtensions() { return getCertificate(MOCK_CERT_WITHOUT_EXTENSIONS); @@ -312,6 +318,7 @@ public static X509Certificate getMockTopCaCertificate() { /** * Subject = CN=N/A, expires = 2038 + * * @return */ public static byte[] getMockCertificateBytes() { @@ -320,6 +327,7 @@ public static byte[] getMockCertificateBytes() { /** * Subject = CN=N/A, expires = 2039 + * * @return */ public static byte[] getMockAuthCertificateBytes() { @@ -328,6 +336,7 @@ public static byte[] getMockAuthCertificateBytes() { /** * return given certificate bytes as an X509Certificate + * * @return */ public static X509Certificate getCertificate(byte[] certificateBytes) { @@ -336,6 +345,7 @@ public static X509Certificate getCertificate(byte[] certificateBytes) { /** * Subject = CN=N/A, expires = 2038 + * * @return */ public static X509Certificate getMockCertificate() { @@ -344,6 +354,7 @@ public static X509Certificate getMockCertificate() { /** * Subject = CN=N/A, expires = 2039 + * * @return */ public static X509Certificate getMockAuthCertificate() { @@ -360,6 +371,7 @@ public static Resource getResource(byte[] bytes) { /** * Subject = O=Internet Widgits Pty Ltd, ST=Some-State, C=AU * expires = Thu Apr 23 09:59:02 EEST 2020 + * * @return */ public static byte[] getWidgitsCertificateBytes() { @@ -369,6 +381,7 @@ public static byte[] getWidgitsCertificateBytes() { /** * Subject = O=Internet Widgits Pty Ltd, ST=Some-State, C=AU * expires = Thu Apr 23 09:59:02 EEST 2020 + * * @return */ public static X509Certificate getWidgitsCertificate() { 
@@ -377,6 +390,7 @@ public static X509Certificate getWidgitsCertificate() { /** * Return hash for getWidgitsCertificateBytes + * * @return */ public static String getWidgitsCertificateHash() { @@ -385,6 +399,7 @@ public static String getWidgitsCertificateHash() { /** * Base64 encoded junk, not a certificate + * * @return */ public static byte[] getInvalidCertBytes() { @@ -401,6 +416,7 @@ public static byte[] getInvalidCertBytes() { public static class CertRequestInfoBuilder { private ClientId.Conf clientId = ClientId.Conf.create("a", "b", "c"); private String id = "id"; + public CertRequestInfoBuilder() { } @@ -415,10 +431,11 @@ public CertRequestInfoBuilder id(String idParam) { } public CertRequestInfo build() { - return new CertRequestInfo( - id, - clientId, - "subject-name"); + final CertRequestInfoProto.Builder builder = CertRequestInfoProto.newBuilder(); + ofNullable(id).ifPresent(builder::setId); + ofNullable(clientId).map(ClientIdMapper::toDto).ifPresent(builder::setMemberId); + builder.setSubjectName("subject-name"); + return new CertRequestInfo(builder.build()); } } @@ -442,6 +459,7 @@ public static class CertificateInfoBuilder { private boolean active = true; private String id = "1"; private ClientId.Conf clientId = ClientId.Conf.create("a", "b", "c"); + private boolean addOcspBytes = true; public CertificateInfoBuilder() { 
@@ -482,34 +500,57 @@ public CertificateInfoBuilder clientId(ClientId.Conf clientIdParam) { return this; } + public CertificateInfoBuilder addOcspBytes(boolean addOcspBytesParam) { + this.addOcspBytes = addOcspBytesParam; + return this; + } + public CertificateInfo build() { try { - List ocsp = generateOcspResponses( - Arrays.asList(certificate), - ocspStatus); - CertificateInfo certificateInfo = new CertificateInfo( + byte[] ocspBytes = null; + if (addOcspBytes) { + List ocsp = generateOcspResponses( + Arrays.asList(certificate), + ocspStatus); + ocspBytes = ocsp.iterator().next().getEncoded(); + } + return createCertificateInfo( clientId, active, savedToConfiguration, certificateStatus, id, certificate.getEncoded(), - ocsp.iterator().next().getEncoded()); - return certificateInfo; - + ocspBytes); } catch (Exception e) { throw new RuntimeException("failed to create CertificateInfo", e); } } } + public static CertificateInfo createCertificateInfo(ClientId.Conf clientId, boolean active, boolean savedToConfiguration, + String status, String id, byte[] certBytes, byte[] ocspBytes) { + + final CertificateInfoProto.Builder builder = CertificateInfoProto.newBuilder() + .setActive(active) + .setSavedToConfiguration(savedToConfiguration) + .setStatus(status) + .setId(id); + + ofNullable(clientId).map(ClientIdMapper::toDto).ifPresent(builder::setMemberId); + ofNullable(certBytes).map(ByteString::copyFrom).ifPresent(builder::setCertificateBytes); + ofNullable(ocspBytes).map(ByteString::copyFrom).ifPresent(builder::setOcspBytes); + + return new CertificateInfo(builder.build()); + } + public static byte[] generateOcspBytes(X509Certificate cert, CertificateStatus status) throws Exception { OCSPResp response = generateOcspResponses(Collections.singletonList(cert), status).get(0); return response.getEncoded(); } private static List generateOcspResponses(List certs, - CertificateStatus status) throws Exception { + CertificateStatus status) throws Exception { List responses = new 
ArrayList<>(); for (X509Certificate cert : certs) { responses.add(OcspTestUtils.createOCSPResponse(cert, @@ -522,7 +563,7 @@ private static List generateOcspResponses(List certs, } private static X509Certificate getIssuerCert(X509Certificate subject, - List certs) { + List certs) { for (X509Certificate cert : certs) { if (cert.getSubjectX500Principal().equals( subject.getIssuerX500Principal())) { diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/ClientUtilsTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/ClientUtilsTest.java index 672098948d..d4af54b6ff 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/ClientUtilsTest.java +++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/ClientUtilsTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -32,7 +32,6 @@ import org.bouncycastle.cert.ocsp.RevokedStatus; import org.bouncycastle.cert.ocsp.UnknownStatus; import org.junit.Test; -import org.springframework.test.util.ReflectionTestUtils; import java.util.ArrayList; import java.util.Arrays; @@ -69,7 +68,7 @@ private List createCertificateInfoList() { } @Test - public void hasValidLocalSignCertTest() throws Exception { + public void hasValidLocalSignCertTest() { // Valid sign cert found ClientId.Conf clientId = ClientId.Conf.create("FI", "GOV", "M1"); assertTrue(ClientUtils.hasValidLocalSignCert(clientId, 
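Review bot: `createCertificateInfo` (hunk `@@ -482,34 +500,57 @@` of CertificateTestUtils) guards `clientId`, `certBytes` and `ocspBytes` with `ofNullable` but passes `status` and `id` straight to `setStatus`/`setId`, and generated protobuf setters throw `NullPointerException` on a null argument. A test that calls `.id(null)` or `.certificateStatus(null)` on `CertificateInfoBuilder` would therefore fail inside the helper, surfacing only as the wrapped "failed to create CertificateInfo". `CertRequestInfoBuilder.build()` in this file already uses the tolerant form, so for consistency: `ofNullable(status).ifPresent(builder::setStatus);` and `ofNullable(id).ifPresent(builder::setId);`. The helper is public and static-imported by other tests, so a short Javadoc stating which arguments may be null would be worth adding.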
@@ -83,8 +82,7 @@ public void hasValidLocalSignCertTest() throws Exception { assertFalse(ClientUtils.hasValidLocalSignCert(clientId, Collections.singletonList(cert))); // Null ocsp response status – should return false - CertificateInfo nullCert = certBuilder.clientId(clientId).build(); - ReflectionTestUtils.setField(nullCert, "ocspBytes", null); + CertificateInfo nullCert = certBuilder.clientId(clientId).addOcspBytes(false).build(); assertFalse(ClientUtils.hasValidLocalSignCert(clientId, Collections.singletonList(nullCert))); // No valid sign cert for the client diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/TokenTestUtils.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/TokenTestUtils.java index a4fe8f978c..f8df24c50b 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/TokenTestUtils.java +++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/TokenTestUtils.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
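Review bot: In `hasValidLocalSignCertTest()` (hunk `@@ -83,8 +82,7 @@`) `certBuilder.clientId(clientId).addOcspBytes(false)` changes the shared builder, because `addOcspBytes` stores the flag in a field and returns `this`. The removed reflection call only altered the single `nullCert` object, whereas now every certificate built from `certBuilder` later in this test will also lack OCSP bytes, and a following `assertFalse` could pass for that reason rather than the one its comment names. The rest of the method is outside the hunk, so this needs checking against the "No valid sign cert for the client" case that follows. Restoring the flag right after the assertion with `certBuilder.addOcspBytes(true);` keeps the later cases independent.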
@@ -26,18 +26,25 @@ package org.niis.xroad.securityserver.restapi.util; import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; +import ee.ria.xroad.signer.protocol.dto.CertRequestInfoProto; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; +import ee.ria.xroad.signer.protocol.dto.CertificateInfoProto; import ee.ria.xroad.signer.protocol.dto.KeyInfo; +import ee.ria.xroad.signer.protocol.dto.KeyInfoProto; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; +import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; import ee.ria.xroad.signer.protocol.dto.TokenStatusInfo; import java.util.ArrayList; import java.util.HashMap; import java.util.HashSet; import java.util.List; +import java.util.Map; import java.util.Set; +import static java.util.Optional.ofNullable; + /** * Test utils for working with tokens */ 
@@ -66,25 +73,29 @@ private TokenTestUtils() { public static class TokenInfoBuilder { private String id = "id"; private String friendlyName = "friendly-name"; - private List keyInfos = new ArrayList<>(); + private List keyInfos = new ArrayList<>(); + private Map tokenInfos; + private TokenStatusInfo status = TokenStatusInfo.OK; private boolean readOnly = false; private boolean available = true; private boolean active = true; private String type = TokenInfo.SOFTWARE_MODULE_TYPE; public TokenInfo build() { - return new TokenInfo(type, - friendlyName, - id, - readOnly, - available, - active, - "serial-number", - "label", - 123, - TokenStatusInfo.OK, - keyInfos, - new HashMap<>()); + final TokenInfoProto.Builder builder = TokenInfoProto.newBuilder() + .setType(type) + .setFriendlyName(friendlyName) + .setId(id) + .setReadOnly(readOnly) + .setAvailable(available) + .setActive(active) + .setSerialNumber("serial-number") + .setLabel("label") + .setSlotIndex(123) + .addAllKeyInfo(keyInfos); + ofNullable(status).ifPresent(builder::setStatus); + ofNullable(tokenInfos).ifPresent(builder::putAllTokenInfo); + return new TokenInfo(builder.build()); } public TokenInfoBuilder active(boolean activeParam) { @@ -116,15 +127,29 @@ public TokenInfoBuilder friendlyName(String friendlyNameParam) { this.friendlyName = friendlyNameParam; return this; } + /** * Adds this item to keys, ensuring there are no duplicates */ public TokenInfoBuilder key(KeyInfo keyInfo) { - Set keys = new HashSet<>(this.keyInfos); - keys.add(keyInfo); + Set keys = new HashSet<>(this.keyInfos); + keys.add(keyInfo.getMessage()); this.keyInfos = new ArrayList<>(keys); return this; } + + public TokenInfoBuilder status(TokenStatusInfo statusParam) { + this.status = statusParam; + return this; + } + + public TokenInfoBuilder tokenInfo(String key, String value) { + if (this.tokenInfos == null) { + this.tokenInfos = new HashMap<>(); + } + this.tokenInfos.put(key, value); + return this; + } } /** 
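Review bot: `TokenInfoBuilder.key()` removes duplicates by copying `keyInfos` into a `HashSet` and back into an `ArrayList`, so the order of keys in the built `TokenInfo` follows hash iteration order rather than the order of the `.key(...)` calls. The elements are now protobuf messages (`keyInfo.getMessage()`), whose hash is computed from field values, so any test that indexes into the key list can break when an unrelated field value changes. `Set<KeyInfoProto> keys = new LinkedHashSet<>(this.keyInfos);` keeps the de-duplication and preserves insertion order; it needs an import of `java.util.LinkedHashSet`. The same pattern is in `KeyInfoBuilder.csr()` and `KeyInfoBuilder.cert()` in hunks `@@ -194,8 +223,8 @@` and `@@ -204,8 +233,8 @@`.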
@@ -144,20 +169,24 @@ public static class KeyInfoBuilder { private String id = "id"; private String friendlyName = "friendly-name"; private KeyUsageInfo keyUsageInfo = KeyUsageInfo.SIGNING; - private List certRequests = new ArrayList<>(); - private List certificates = new ArrayList<>(); + private List certRequests = new ArrayList<>(); + private List certificates = new ArrayList<>(); private boolean available = true; public KeyInfo build() { - return new KeyInfo(available, - keyUsageInfo, - friendlyName, - id, - "label", - "public-key", - certificates, - certRequests, - "sign-mechanism-name"); + final KeyInfoProto.Builder builder = KeyInfoProto.newBuilder() + .setAvailable(available) + .setFriendlyName(friendlyName) + .setId(id) + .setLabel("label") + .setPublicKey("public-key") + .addAllCerts(certificates) + .addAllCertRequests(certRequests) + .setSignMechanismName("sign-mechanism-name"); + + ofNullable(keyUsageInfo).ifPresent(builder::setUsage); + + return new KeyInfo(builder.build()); } public KeyInfoBuilder keyInfo(KeyInfo info) { @@ -194,8 +223,8 @@ public KeyInfoBuilder available(boolean availableParam) { * Adds this item to csrs, ensuring there are no duplicates */ public KeyInfoBuilder csr(CertRequestInfo certRequestInfo) { - Set csrs = new HashSet<>(this.certRequests); - csrs.add(certRequestInfo); + Set csrs = new HashSet<>(this.certRequests); + csrs.add(certRequestInfo.getMessage()); this.certRequests = new ArrayList<>(csrs); return this; } @@ -204,8 +233,8 @@ public KeyInfoBuilder csr(CertRequestInfo certRequestInfo) { * Adds this item to certs, ensuring there are no duplicates */ public KeyInfoBuilder cert(CertificateInfo certificateInfo) { - Set certs = new HashSet<>(this.certificates); - certs.add(certificateInfo); + Set certs = new HashSet<>(this.certificates); + certs.add(certificateInfo.getMessage()); this.certificates = new ArrayList<>(certs); return this; } From 286fa034b54b9f77be5bad048dacd6183726e721 Mon Sep 17 00:00:00 2001 
From: Justas Samuolis Date: Wed, 6 Sep 2023 15:35:48 +0300 Subject: [PATCH 048/127] chore: central server code updates due to changes in signer Refs: XRDDEV-2468 --- .../admin/core/converter/TokenInfoMapper.java | 85 +++++++++++++------ .../facade/SignerProxyFacadeMockHttpImpl.java | 21 +++-- ...tionCertificateDeletionRequestHandler.java | 15 ++-- .../core/converter/TokenInfoMapperTest.java | 43 +++++++--- ...nfigurationSigningKeysServiceImplTest.java | 63 ++++++++++---- .../service/NotificationServiceImplTest.java | 39 ++++++--- .../SigningKeyActionsResolverTest.java | 29 ++++--- .../service/TokenActionsResolverImplTest.java | 26 ++++-- .../core/service/TokensServiceImplTest.java | 37 ++++---- 9 files changed, 242 insertions(+), 116 deletions(-) diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/converter/TokenInfoMapper.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/converter/TokenInfoMapper.java index 165b973987..de326551f7 100644 --- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/converter/TokenInfoMapper.java +++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/converter/TokenInfoMapper.java @@ -1,21 +1,21 @@ /* * The MIT License - *

+ * * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

+ * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - *

+ * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - *

+ * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 
@@ -27,37 +27,70 @@
 package org.niis.xroad.cs.admin.core.converter;
-import org.mapstruct.AfterMapping;
-import org.mapstruct.Mapper;
-import org.mapstruct.Mapping;
-import org.mapstruct.MappingConstants;
-import org.mapstruct.MappingTarget;
+import ee.ria.xroad.signer.protocol.dto.TokenStatusInfo;
+
+import lombok.RequiredArgsConstructor;
 import org.niis.xroad.cs.admin.api.converter.GenericUniDirectionalMapper;
+import org.niis.xroad.cs.admin.api.domain.ConfigurationSigningKeyWithDetails;
 import org.niis.xroad.cs.admin.api.dto.TokenInfo;
+import org.niis.xroad.cs.admin.api.dto.TokenStatus;
 import org.niis.xroad.cs.admin.api.service.ConfigurationSigningKeysService;
 import org.niis.xroad.cs.admin.api.service.TokenActionsResolver;
-import org.niis.xroad.cs.admin.core.entity.mapper.ConfigurationSigningKeyMapper;
-import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
-@Mapper(componentModel = MappingConstants.ComponentModel.SPRING, uses = ConfigurationSigningKeyMapper.class)
-public abstract class TokenInfoMapper implements GenericUniDirectionalMapper {
+import java.util.List;
- @Autowired
- protected ConfigurationSigningKeysService configurationSigningKeysService;
+@Component
+@RequiredArgsConstructor
+public class TokenInfoMapper implements GenericUniDirectionalMapper {
- @Autowired
- protected TokenActionsResolver tokenActionsResolver;
+ private final ConfigurationSigningKeysService configurationSigningKeysService;
+ private final TokenActionsResolver tokenActionsResolver;
 @Override
- @Mapping(target = "configurationSigningKeys", ignore = true)
- @Mapping(target = "possibleActions", ignore = true)
- public abstract TokenInfo toTarget(ee.ria.xroad.signer.protocol.dto.TokenInfo tokenInfo);
-
- @AfterMapping
- protected void enrichToken(ee.ria.xroad.signer.protocol.dto.TokenInfo source, @MappingTarget TokenInfo target) {
- var configurationKeys = configurationSigningKeysService.findDetailedByToken(source);
- target.setConfigurationSigningKeys(configurationKeys);
- target.setPossibleActions(tokenActionsResolver.resolveActions(source, configurationKeys));
+ public TokenInfo toTarget(ee.ria.xroad.signer.protocol.dto.TokenInfo tokenInfo) {
+ TokenInfo result = new TokenInfo();
+ result.setType(tokenInfo.getType());
+ result.setFriendlyName(tokenInfo.getFriendlyName());
+ result.setId(tokenInfo.getId());
+ result.setReadOnly(tokenInfo.isReadOnly());
+ result.setAvailable(tokenInfo.isAvailable());
+ result.setActive(tokenInfo.isActive());
+ result.setSerialNumber(tokenInfo.getSerialNumber());
+ result.setLabel(tokenInfo.getLabel());
+ result.setSlotIndex(tokenInfo.getSlotIndex());
+ result.setStatus(mapStatus(tokenInfo.getStatus()));
+
+ final List configurationKeys = configurationSigningKeysService.findDetailedByToken(tokenInfo);
+ result.setPossibleActions(tokenActionsResolver.resolveActions(tokenInfo, configurationKeys));
+ result.setConfigurationSigningKeys(configurationKeys);
+ return result;
+ }
+
+ private TokenStatus mapStatus(TokenStatusInfo status) {
+ switch (status) {
+ case TOKEN_STATUS_UNKNOWN:
+ return null;
+ case OK:
+ return TokenStatus.OK;
+ case USER_PIN_LOCKED:
+ return TokenStatus.USER_PIN_LOCKED;
+ case USER_PIN_INCORRECT:
+ return TokenStatus.USER_PIN_INCORRECT;
+ case USER_PIN_INVALID:
+ return TokenStatus.USER_PIN_INVALID;
+ case USER_PIN_EXPIRED:
+ return TokenStatus.USER_PIN_EXPIRED;
+ case USER_PIN_COUNT_LOW:
+ return TokenStatus.USER_PIN_COUNT_LOW;
+ case USER_PIN_FINAL_TRY:
+ return TokenStatus.USER_PIN_FINAL_TRY;
+ case NOT_INITIALIZED:
+ return TokenStatus.NOT_INITIALIZED;
+ case UNRECOGNIZED:
+ default:
+ throw new IllegalArgumentException("Unexpected enum constant: " + status);
+ }
 }
 }
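Review bot: `mapStatus` handles the two out-of-band values of `TokenStatusInfo` differently and documents neither: `TOKEN_STATUS_UNKNOWN` becomes a `null` status on the result, while `UNRECOGNIZED` and any constant added later throw `IllegalArgumentException` out of `toTarget`. If the status originates from a signer response (not visible in this hunk), a value this build does not know fails the mapping of that token for the caller, and a `null` status is returned to every reader of the mapped `TokenInfo` without a check here. I would state the contract on the method, for example `/** Maps the signer status; returns null for TOKEN_STATUS_UNKNOWN and throws IllegalArgumentException for values this build does not know. */`, and cover both branches in `TokenInfoMapperTest`. The field-by-field copy in `toTarget` would also benefit from a one-line comment saying that new `TokenInfo` properties must be added here by hand, since nothing in the class now flags an unmapped one.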
diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeMockHttpImpl.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeMockHttpImpl.java
index a3648db052..1f47fb08ba 100644
--- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeMockHttpImpl.java
+++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeMockHttpImpl.java
@@ -31,6 +31,7 @@
 import ee.ria.xroad.signer.protocol.dto.KeyInfo;
 import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo;
 import ee.ria.xroad.signer.protocol.dto.TokenInfo;
+import ee.ria.xroad.signer.protocol.dto.TokenInfoProto;
 import ee.ria.xroad.signer.protocol.dto.TokenStatusInfo;
 import com.fasterxml.jackson.core.JsonProcessingException;
@@ -53,7 +54,6 @@
 import java.security.PublicKey;
 import java.util.Date;
 import java.util.List;
-import java.util.Map;
 import java.util.stream.Collectors;
 import java.util.stream.StreamSupport;
@@ -118,13 +118,18 @@ private TokenInfo parseTokenInfo(String tokenString) throws JsonProcessingExcept
 }
 private TokenInfo parseTokenInfo(JsonNode json) {
- final List keyInfoList = List.of();
- Map tokenParams = Map.of();
-
- return new TokenInfo(json.get("type").asText(), json.get("friendlyName").asText(), json.get("id").asText(),
- json.get("readOnly").asBoolean(), json.get("available").asBoolean(), json.get("active").asBoolean(),
- json.get("serialNumber").asText(), json.get("label").asText(), json.get("slotIndex").asInt(),
- TokenStatusInfo.valueOf(json.get("status").asText()), keyInfoList, tokenParams);
+ return new TokenInfo(TokenInfoProto.newBuilder()
+ .setType(json.get("type").asText())
+ .setFriendlyName(json.get("friendlyName").asText())
+ .setId(json.get("id").asText())
+ .setReadOnly(json.get("readOnly").asBoolean())
+ .setAvailable(json.get("available").asBoolean())
+ .setActive(json.get("active").asBoolean())
+ .setSerialNumber(json.get("serialNumber").asText())
+ .setLabel(json.get("label").asText())
+ .setSlotIndex(json.get("slotIndex").asInt())
+ .setStatus(TokenStatusInfo.valueOf(json.get("status").asText()))
+ .build());
 }
 @Override
diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/managementrequest/AuthenticationCertificateDeletionRequestHandler.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/managementrequest/AuthenticationCertificateDeletionRequestHandler.java
index 69107e1964..aa7cd210bb 100644
--- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/managementrequest/AuthenticationCertificateDeletionRequestHandler.java
+++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/managementrequest/AuthenticationCertificateDeletionRequestHandler.java
@@ -1,21 +1,21 @@
-/**
+/*
 * The MIT License
- *

+ * * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

+ * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - *

+ * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - *

+ * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE @@ -84,10 +84,7 @@ private void tryToRevokeAuthCertRegistration(final SecurityServerIdEntity server autCertRegistrationRequests.findByAuthCertAndStatus(certificate, Set.of(WAITING)).stream() .filter(req -> serverId.equals(req.getSecurityServerId())) .findFirst() - .ifPresentOrElse( - this::revokeAuthCertRegistration, - this::mrInvalidAuthCertificate - ); + .ifPresentOrElse(this::revokeAuthCertRegistration, this::mrInvalidAuthCertificate); } private void revokeAuthCertRegistration(AuthenticationCertificateRegistrationRequestEntity req) { diff --git a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/converter/TokenInfoMapperTest.java b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/converter/TokenInfoMapperTest.java index 495c7eacd9..0d9345a509 100644 --- a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/converter/TokenInfoMapperTest.java +++ b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/converter/TokenInfoMapperTest.java @@ -1,21 +1,21 @@ /* * The MIT License - *

+ * * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

+ * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - *

+ * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - *

+ * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE @@ -28,8 +28,10 @@ package org.niis.xroad.cs.admin.core.converter; import ee.ria.xroad.signer.protocol.dto.KeyInfo; +import ee.ria.xroad.signer.protocol.dto.KeyInfoProto; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; +import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; @@ -59,7 +61,7 @@ class TokenInfoMapperTest { @Mock protected TokenActionsResolver tokenActionsResolver; @InjectMocks - private final TokenInfoMapper tokenInfoMapper = new TokenInfoMapperImpl(); + private TokenInfoMapper tokenInfoMapper; @Test void toTarget() { 
@@ -82,17 +84,36 @@ void toTarget() { assertThat(result.isReadOnly()).isFalse(); assertThat(result.isAvailable()).isTrue(); assertThat(result.isActive()).isFalse(); + assertThat(result.getPossibleActions()).isEqualTo(possibleActions); + assertThat(result.getConfigurationSigningKeys()).isEqualTo(configurationSigningKeys); } private TokenInfo createTokenInfo() { - return new TokenInfo( - "type", "TOKEN_FRIENDLY_NAME", "TOKEN_ID", false, true, - false, "TOKEN_SERIAL_NUMBER", "label", 13, OK, List.of(createKeyInfo()), Map.of("key", "value") - ); + return new TokenInfo(TokenInfoProto.newBuilder() + .setType("type") + .setFriendlyName("TOKEN_FRIENDLY_NAME") + .setId("TOKEN_ID") + .setReadOnly(false) + .setAvailable(true) + .setActive(false) + .setSerialNumber("TOKEN_SERIAL_NUMBER") + .setLabel("label") + .setSlotIndex(13) + .setStatus(OK) + .addAllKeyInfo(List.of(createKeyInfo().getMessage())) + .putAllTokenInfo(Map.of("key", "value")) + .build()); } private KeyInfo createKeyInfo() { - return new ee.ria.xroad.signer.protocol.dto.KeyInfo(true, KeyUsageInfo.SIGNING, "keyFriendlyName", - "keyId", "keyLabel", "keyPublicKey", List.of(), List.of(), "keySignMechanismName"); + return new KeyInfo(KeyInfoProto.newBuilder() + .setAvailable(true) + .setUsage(KeyUsageInfo.SIGNING) + .setFriendlyName("keyFriendlyName") + .setId("keyId") + .setLabel("keyLabel") + .setPublicKey("keyPublicKey") + .setSignMechanismName("keySignMechanismName") + .build()); } } diff --git a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationSigningKeysServiceImplTest.java b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationSigningKeysServiceImplTest.java index fe7e361cb4..e65c26d85e 100644 --- a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationSigningKeysServiceImplTest.java 
+++ b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationSigningKeysServiceImplTest.java @@ -1,21 +1,21 @@ /* * The MIT License - *

+ * * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

+ * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - *

+ * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - *

+ * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE @@ -28,9 +28,10 @@ import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.signer.protocol.dto.KeyInfo; +import ee.ria.xroad.signer.protocol.dto.KeyInfoProto; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; -import ee.ria.xroad.signer.protocol.dto.TokenStatusInfo; +import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; @@ -61,15 +62,14 @@ import java.time.Instant; import java.util.Date; -import java.util.HashMap; import java.util.List; -import java.util.Map; import java.util.Optional; import java.util.Set; import static ee.ria.xroad.signer.protocol.dto.TokenStatusInfo.OK; import static java.lang.Boolean.FALSE; import static java.lang.Boolean.TRUE; +import static java.util.stream.Collectors.toList; import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThatThrownBy; import static org.mockito.ArgumentMatchers.eq; @@ -268,10 +268,20 @@ void shouldNotAddMoreThanTwoSigningKeys() throws Exception { } private TokenInfo createToken(List keys) { - return new TokenInfo(null, "tokenName", TOKEN_ID, - true, true, true, "serialNumber", "tokenLabel", - 1, TokenStatusInfo.OK, keys, new HashMap<>() - ); + final TokenInfoProto.Builder builder = TokenInfoProto.newBuilder() + .setFriendlyName("tokenName") + .setId(TOKEN_ID) + .setReadOnly(true) + .setAvailable(true) + .setActive(true) + .setSerialNumber("serialNumber") + .setLabel("tokenLabel") + .setSlotIndex(1) + .setStatus(OK); + if (!keys.isEmpty()) { + builder.addAllKeyInfo(keys.stream().map(KeyInfo::getMessage).collect(toList())); + } + return new TokenInfo(builder.build()); } @Test 
@@ -339,15 +349,34 @@ void findDetailedByToken() { } private KeyInfo createKeyInfo(String keyIdentifier) { - return new ee.ria.xroad.signer.protocol.dto.KeyInfo(true, KeyUsageInfo.SIGNING, "keyFriendlyName", - keyIdentifier, "keyLabel", "keyPublicKey", List.of(), List.of(), "keySignMechanismName"); + return new ee.ria.xroad.signer.protocol.dto.KeyInfo(KeyInfoProto.newBuilder() + .setAvailable(true) + .setUsage(KeyUsageInfo.SIGNING) + .setFriendlyName("keyFriendlyName") + .setId(keyIdentifier) + .setLabel("keyLabel") + .setPublicKey("keyPublicKey") + .setSignMechanismName("keySignMechanismName") + .build()); } private TokenInfo createTokenInfo(boolean active, boolean available, List keyInfos) { - return new TokenInfo( - "type", "TOKEN_FRIENDLY_NAME", "TOKEN_ID", false, available, - active, "TOKEN_SERIAL_NUMBER", "label", 13, OK, keyInfos, Map.of() - ); + final TokenInfoProto.Builder builder = TokenInfoProto.newBuilder() + .setType("type") + .setFriendlyName("TOKEN_FRIENDLY_NAME") + .setId("TOKEN_ID") + .setReadOnly(false) + .setAvailable(available) + .setActive(active) + .setSerialNumber("TOKEN_SERIAL_NUMBER") + .setLabel("label") + .setSlotIndex(13) + .setStatus(OK); + if (!keyInfos.isEmpty()) { + builder.addAllKeyInfo(keyInfos.stream().map(KeyInfo::getMessage).collect(toList())); + } + return new TokenInfo(builder + .build()); } private ConfigurationSigningKeyEntity createConfigurationSigningEntity( diff --git a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/NotificationServiceImplTest.java b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/NotificationServiceImplTest.java index a6ed4c38e6..5a6cb63331 100644 --- a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/NotificationServiceImplTest.java +++ b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/NotificationServiceImplTest.java 
@@ -5,17 +5,17 @@ * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

+ * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - *

+ * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - *

+ * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE @@ -28,8 +28,9 @@ package org.niis.xroad.cs.admin.core.service; import ee.ria.xroad.common.SystemProperties; -import ee.ria.xroad.signer.protocol.dto.KeyInfo; +import ee.ria.xroad.signer.protocol.dto.KeyInfoProto; import ee.ria.xroad.signer.protocol.dto.TokenInfo; +import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; @@ -48,7 +49,6 @@ import java.time.Instant; import java.util.List; -import java.util.Map; import java.util.Optional; import java.util.Set; @@ -204,11 +204,30 @@ void getAlertsGlobalConfExpired() throws Exception { } private void mockInitialized(boolean tokenActive, boolean keyAvailable) throws Exception { - KeyInfo keyinfo = new KeyInfo(keyAvailable, SIGNING, "", "id", "", "", List.of(), - List.of(), ""); - TokenInfo tokenInfo = new TokenInfo("", "", "0", false, true, - tokenActive, "", "", 0, OK, - List.of(keyinfo), Map.of()); + KeyInfoProto keyinfo = KeyInfoProto.newBuilder() + .setAvailable(keyAvailable) + .setUsage(SIGNING) + .setFriendlyName("") + .setId("id") + .setLabel("") + .setPublicKey("") + .setSignMechanismName("") + .build(); + + TokenInfo tokenInfo = new TokenInfo(TokenInfoProto.newBuilder() + .setType("") + .setFriendlyName("") + .setId("0") + .setReadOnly(false) + .setAvailable(true) + .setActive(tokenActive) + .setSerialNumber("") + .setLabel("") + .setSlotIndex(0) + .setStatus(OK) + .addKeyInfo(keyinfo) + .build()); + when(signerProxyFacade.getTokens()).thenReturn(List.of(tokenInfo)); when(systemParameterService.getInstanceIdentifier()).thenReturn("CS"); when(systemParameterService.getCentralServerAddress()).thenReturn("https://cs"); 
diff --git a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/SigningKeyActionsResolverTest.java b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/SigningKeyActionsResolverTest.java index 4b764ca3cb..b7ee8e4016 100644 --- a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/SigningKeyActionsResolverTest.java +++ b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/SigningKeyActionsResolverTest.java @@ -1,21 +1,21 @@ -/** +/* * The MIT License - *

+ * * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

+ * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - *

+ * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - *

+ * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE @@ -27,14 +27,13 @@ package org.niis.xroad.cs.admin.core.service; import ee.ria.xroad.signer.protocol.dto.TokenInfo; +import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; import org.junit.jupiter.api.Test; import org.niis.xroad.common.exception.ValidationFailureException; import org.niis.xroad.cs.admin.api.domain.ConfigurationSigningKey; import java.util.EnumSet; -import java.util.List; -import java.util.Map; import static ee.ria.xroad.signer.protocol.dto.TokenStatusInfo.OK; import static org.assertj.core.api.Assertions.assertThat; @@ -96,9 +95,17 @@ private ConfigurationSigningKey createKey(final boolean active) { } private TokenInfo createTokenInfo(boolean active) { - return new TokenInfo( - "type", "TOKEN_FRIENDLY_NAME", "TOKEN_ID", false, true, - active, "TOKEN_SERIAL_NUMBER", "label", 13, OK, List.of(), Map.of() - ); + return new TokenInfo(TokenInfoProto.newBuilder() + .setType("type") + .setFriendlyName("TOKEN_FRIENDLY_NAME") + .setId("TOKEN_ID") + .setReadOnly(false) + .setAvailable(true) + .setActive(active) + .setSerialNumber("TOKEN_SERIAL_NUMBER") + .setLabel("label") + .setSlotIndex(13) + .setStatus(OK) + .build()); } } diff --git a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/TokenActionsResolverImplTest.java b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/TokenActionsResolverImplTest.java index 1826dd8f79..193089b2f2 100644 --- a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/TokenActionsResolverImplTest.java +++ b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/TokenActionsResolverImplTest.java @@ -1,21 +1,21 @@ /* * The MIT License - *

+ * * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

+ * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - *

+ * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - *

+ * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE @@ -28,6 +28,7 @@ package org.niis.xroad.cs.admin.core.service; import ee.ria.xroad.signer.protocol.dto.TokenInfo; +import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; import org.junit.jupiter.api.Test; import org.niis.xroad.common.exception.ValidationFailureException; @@ -37,7 +38,6 @@ import java.util.EnumSet; import java.util.List; -import java.util.Map; import static ee.ria.xroad.signer.protocol.dto.TokenStatusInfo.OK; import static org.assertj.core.api.Assertions.assertThat; @@ -97,10 +97,18 @@ void requireAction() { } private TokenInfo createTokenInfo(boolean active, boolean available) { - return new TokenInfo( - "type", "TOKEN_FRIENDLY_NAME", "TOKEN_ID", false, available, - active, "TOKEN_SERIAL_NUMBER", "label", 13, OK, List.of(), Map.of() - ); + return new TokenInfo(TokenInfoProto.newBuilder() + .setType("type") + .setFriendlyName("TOKEN_FRIENDLY_NAME") + .setId("TOKEN_ID") + .setReadOnly(false) + .setAvailable(available) + .setActive(active) + .setSerialNumber("TOKEN_SERIAL_NUMBER") + .setLabel("label") + .setSlotIndex(13) + .setStatus(OK) + .build()); } private ConfigurationSigningKey key(final ConfigurationSourceType sourceType) { diff --git a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/TokensServiceImplTest.java b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/TokensServiceImplTest.java index 85194db218..69bf0a6a7d 100644 --- a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/TokensServiceImplTest.java +++ b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/TokensServiceImplTest.java @@ -1,21 +1,21 @@ /* * The MIT License - *

+ * * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

+ * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - *

+ * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - *

+ * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE @@ -28,7 +28,7 @@ package org.niis.xroad.cs.admin.core.service; import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.protocol.dto.KeyInfo; +import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; import ee.ria.xroad.signer.protocol.dto.TokenStatusInfo; import org.junit.jupiter.api.Test; @@ -48,7 +48,6 @@ import org.niis.xroad.restapi.config.audit.AuditDataHelper; import org.niis.xroad.restapi.config.audit.RestApiAuditProperty; -import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; 
@@ -278,24 +277,32 @@ void hasHardwareTokensReturnsFalse() throws Exception { private ee.ria.xroad.signer.protocol.dto.TokenInfo mockTokenInfo(String tokenId, TokenStatusInfo status, - Map tokenParams, - List keyInfos) { - return new ee.ria.xroad.signer.protocol.dto.TokenInfo( - "type", TOKEN_FRIENDLY_NAME, tokenId, false, true, - false, TOKEN_SERIAL_NUMBER, "label", 13, status, keyInfos, tokenParams - ); + Map tokenParams) { + return new ee.ria.xroad.signer.protocol.dto.TokenInfo(TokenInfoProto.newBuilder() + .setType("type") + .setFriendlyName(TOKEN_FRIENDLY_NAME) + .setId(tokenId) + .setReadOnly(false) + .setAvailable(true) + .setActive(false) + .setSerialNumber(TOKEN_SERIAL_NUMBER) + .setLabel("label") + .setSlotIndex(13) + .setStatus(status) + .putAllTokenInfo(tokenParams) + .build()); } private ee.ria.xroad.signer.protocol.dto.TokenInfo mockTokenInfo(TokenStatusInfo status) { - return mockTokenInfo(TOKEN_ID, status, new HashMap<>(), new ArrayList<>()); + return mockTokenInfo(TOKEN_ID, status, new HashMap<>()); } private ee.ria.xroad.signer.protocol.dto.TokenInfo mockTokenInfo(Map tokenParams) { - return mockTokenInfo(TOKEN_ID, OK, tokenParams, new ArrayList<>()); + return mockTokenInfo(TOKEN_ID, OK, tokenParams); } private ee.ria.xroad.signer.protocol.dto.TokenInfo mockTokenInfo(String tokenId) { - return mockTokenInfo(tokenId, OK, new HashMap<>(), new ArrayList<>()); + return mockTokenInfo(tokenId, OK, new HashMap<>()); } private void assertAuditMessages() { From b9fd76638d82d423a7aea2657555b70bd7dfcdcd Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Thu, 7 Sep 2023 09:03:24 +0300 Subject: [PATCH 049/127] chore: code updates due to changes in signer Refs: XRDDEV-2468 --- .../monitor/CertificateInfoSensorTest.java | 74 ++++++++++--------- 1 file changed, 40 insertions(+), 34 deletions(-) 
diff --git a/src/monitor/src/test/java/ee/ria/xroad/monitor/CertificateInfoSensorTest.java b/src/monitor/src/test/java/ee/ria/xroad/monitor/CertificateInfoSensorTest.java index 2294f0e3a4..3f99d0c1c4 100644 --- a/src/monitor/src/test/java/ee/ria/xroad/monitor/CertificateInfoSensorTest.java +++ b/src/monitor/src/test/java/ee/ria/xroad/monitor/CertificateInfoSensorTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -31,10 +31,12 @@ import ee.ria.xroad.monitor.CertificateInfoSensor.CertificateInfoCollector; import ee.ria.xroad.monitor.CertificateInfoSensor.TokenExtractor; import ee.ria.xroad.monitor.common.SystemMetricNames; -import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; +import ee.ria.xroad.signer.protocol.dto.CertificateInfoProto; import ee.ria.xroad.signer.protocol.dto.KeyInfo; +import ee.ria.xroad.signer.protocol.dto.KeyInfoProto; import ee.ria.xroad.signer.protocol.dto.TokenInfo; +import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; import ee.ria.xroad.signer.protocol.dto.TokenStatusInfo; import akka.actor.ActorSystem; @@ -42,6 +44,7 @@ import akka.testkit.TestActorRef; import com.codahale.metrics.Metric; import com.codahale.metrics.MetricRegistry; +import com.google.protobuf.ByteString; import com.typesafe.config.ConfigFactory; import lombok.extern.slf4j.Slf4j; import org.junit.After; @@ -54,8 +57,6 @@ import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Arrays; -import java.util.Collections; -import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.stream.Stream; 
@@ -120,44 +121,49 @@ public void tearDown() throws Exception { } private TokenInfo createTestTokenInfo(KeyInfo... keyInfoParams) { - List keyInfos = new ArrayList<>(); - for (KeyInfo info: keyInfoParams) { - keyInfos.add(info); + List keyInfos = new ArrayList<>(); + for (KeyInfo info : keyInfoParams) { + keyInfos.add(info.getMessage()); } - Map tokenInfos = new HashMap<>(); - - return new TokenInfo("type", - "friendlyName", - "id", - false, false, false, - "serialNumber", - "label", - -1, - TokenStatusInfo.OK, - Collections.unmodifiableList(keyInfos), - Collections.unmodifiableMap(tokenInfos)); + + return new TokenInfo(TokenInfoProto.newBuilder() + .setType("type") + .setFriendlyName("friendlyName") + .setId("id") + .setReadOnly(false) + .setAvailable(false) + .setActive(false) + .setSerialNumber("serialNumber") + .setLabel("label") + .setSlotIndex(-1) + .setStatus(TokenStatusInfo.OK) + .addAllKeyInfo(keyInfos) + .build()); } private KeyInfo createTestKeyInfo(CertificateInfo caInfo) { - KeyInfo keyInfo = new KeyInfo(true, - null, "friendlyName", "id", - "label", "publickey", new ArrayList(), - new ArrayList(), "mechanismName"); - keyInfo.getCerts().add(caInfo); + KeyInfo keyInfo = new KeyInfo(KeyInfoProto.newBuilder() + .setAvailable(true) + .setFriendlyName("friendlyName") + .setId("id") + .setLabel("label") + .setPublicKey("publickey") + .addCerts(caInfo.getMessage()) + .setSignMechanismName("mechanismName") + .build()); + return keyInfo; } private CertificateInfo createTestCertificateInfo(X509Certificate cert) throws Exception { - CertificateInfo cInfo = new CertificateInfo( - null, - false, - false, - "status", - CryptoUtils.calculateDelimitedCertHexHash(cert, CERT_HEX_DELIMITER), - cert.getEncoded(), - null); - return cInfo; + return new CertificateInfo(CertificateInfoProto.newBuilder() + .setActive(false) + .setSavedToConfiguration(false) + .setStatus("status") + .setId(CryptoUtils.calculateDelimitedCertHexHash(cert, CERT_HEX_DELIMITER)) + 
.setCertificateBytes(ByteString.copyFrom(cert.getEncoded())) + .build()); } @Test @@ -180,7 +186,7 @@ public void testSystemMetricsRequest() throws Exception { assertEquals(2, result.entrySet().size()); // certs & jmx certs SimpleSensor> certificates = (SimpleSensor>) - result.get(SystemMetricNames.CERTIFICATES); + result.get(SystemMetricNames.CERTIFICATES); SimpleSensor> certificatesAsText = (SimpleSensor>) result.get(SystemMetricNames.CERTIFICATES_STRINGS); assertNotNull(certificates); From bc639f7805d781c16ced6cf1d3f25cac02afeb0d Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Thu, 7 Sep 2023 13:42:54 +0300 Subject: [PATCH 050/127] chore: misleading handleIsCachedOcspResponse(..) renamed and minor refactor Refs: XRDDEV-2468 --- .../ee/ria/xroad/common/ocsp/OcspCache.java | 10 ---- .../signer/certmanager/OcspClientWorker.java | 56 ++++++------------- .../certmanager/OcspResponseManager.java | 6 +- 3 files changed, 19 insertions(+), 53 deletions(-) diff --git a/src/common/common-verifier/src/main/java/ee/ria/xroad/common/ocsp/OcspCache.java b/src/common/common-verifier/src/main/java/ee/ria/xroad/common/ocsp/OcspCache.java index 707b14b6e6..716b97eba3 100644 --- a/src/common/common-verifier/src/main/java/ee/ria/xroad/common/ocsp/OcspCache.java +++ b/src/common/common-verifier/src/main/java/ee/ria/xroad/common/ocsp/OcspCache.java @@ -47,16 +47,6 @@ public class OcspCache { protected final Map cache = new ConcurrentHashMap<>(); - /** - * @param key the key - * @param atDate the date - * @return the OCSP response or null if the response is not found or is - * expired at the specified date - */ - public OCSPResp get(Object key, Date atDate) { - return getResponse(key, atDate); - } - /** * @param key the key * @return the OCSP response or null if the response is not found or is 
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspClientWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspClientWorker.java index 61a2ffe2f9..bccfccd0d5 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspClientWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspClientWorker.java @@ -56,7 +56,6 @@ import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; -import java.util.Date; import java.util.HashMap; import java.util.HashSet; import java.util.List; 
@@ -338,55 +337,34 @@ void updateCertStatuses(Map statuses) throws Exception { ocspResponseManager.handleSetOcspResponses(setOcspResponsesReq); } - /** - * @return true if the response for given certificate does not exist, is expired (in which case it is also - * removed from cache) or is not valid - */ - boolean shouldFetchResponse(X509Certificate subject) throws Exception { - if (!CertUtils.isValid(subject)) { - log.warn("Certificate '{}' is not valid", subject.getSubjectX500Principal()); - - return false; - } - - String subjectHash = calculateCertHexHash(subject); - + private boolean isCertValid(X509Certificate subject) { try { - boolean shouldFetchResponse = !isCachedOcspResponse(subjectHash); - - log.debug("shouldFetchResponse for cert: {} value: {}", subjectHash, shouldFetchResponse); + if (!CertUtils.isValid(subject)) { + log.warn("Certificate '{}' is not valid", subject.getSubjectX500Principal()); + return false; + } - return shouldFetchResponse; - } catch (Exception e) { - log.debug("shouldFetchResponse encountered an error, returning true ", e); + String subjectHash = calculateCertHexHash(subject); + try { + // todo this should be separated from isValid check. + // This seems to be the only place where expired Ocsp response is cleared from TokenManager. + ocspResponseManager.removeOcspResponseFromTokenManagerIfExpiredOrNotInCache(subjectHash); + log.debug("shouldFetchResponse for cert: {} value: {}", subjectHash, true); + } catch (Exception e) { + log.debug("shouldFetchResponse encountered an error, returning true ", e); - // Ignore this error, since any kind of failure to get the response - // or validate it means we should fetch the response from the - // responder. + // Ignore this error, since any kind of failure to get the response + // or validate it means we should fetch the response from the + // responder. 
+ } return true; - } - } - - boolean isCertValid(X509Certificate subject) { - try { - return shouldFetchResponse(subject); } catch (Exception e) { log.error("Unable to check if should fetch status for " + subject.getSerialNumber(), e); return false; } } - boolean isCachedOcspResponse(String certHash) { - // Check if the OCSP response is in the cache - Date atDate = new Date(); - boolean isCachedOcspResponse = ocspResponseManager.handleIsCachedOcspResponse(certHash, atDate); - - log.trace("isCachedOcspResponse(certHash: {}, atDate: {}) = {}", certHash, atDate, isCachedOcspResponse); - - return isCachedOcspResponse; - } - private List getCertChain(X509Certificate cert) { try { CertChain chain = GlobalConf.getCertChain(GlobalConf.getInstanceIdentifier(), cert); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspResponseManager.java b/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspResponseManager.java index d022422495..d4b5329ccf 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspResponseManager.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspResponseManager.java @@ -35,7 +35,6 @@ import org.niis.xroad.signer.proto.SetOcspResponsesReq; import java.security.cert.X509Certificate; -import java.util.Date; import java.util.Map.Entry; import static ee.ria.xroad.common.util.CryptoUtils.calculateCertHexHash; @@ -167,10 +166,9 @@ public void handleSetOcspResponses(SetOcspResponsesReq message) throws Exception } } - public boolean handleIsCachedOcspResponse(String certHash, Date date) { - OCSPResp response = responseCache.get(certHash, date); + public void removeOcspResponseFromTokenManagerIfExpiredOrNotInCache(String certHash) { + OCSPResp response = responseCache.get(certHash); TokenManager.setOcspResponse(certHash, response); - return Boolean.FALSE; } private OCSPResp getResponse(String certHash) { From fde8d91bc27f8f3313cb90561f4a778b0d779d65 Mon Sep 17 00:00:00 2001 
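Review bot: In the new `isCertValid`, a failure of `removeOcspResponseFromTokenManagerIfExpiredOrNotInCache` is caught and logged only at debug level, so an expired OCSP response that could not be cleared from TokenManager goes unnoticed under a typical log configuration. Log it at warn instead, e.g. `log.warn("Failed to clear cached OCSP response for cert {}", subjectHash, e);`. Both debug messages still refer to `shouldFetchResponse`, which this commit removes, and the first prints a hard-coded `true`, so they should be reworded or dropped. The outer `log.error` would also read better parameterized: `log.error("Unable to check if should fetch status for {}", subject.getSerialNumber(), e);`.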
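Review bot: `removeOcspResponseFromTokenManagerIfExpiredOrNotInCache` has no Javadoc, and its name covers only half of what the body does: whatever `responseCache.get(certHash)` returns is passed to `TokenManager.setOcspResponse`, so a still-valid cached response is written as well. A short comment would make that explicit, e.g. `/** Syncs TokenManager with the cache: stores the cached response, or null when it is missing or expired. */`. The lookup also changed from `get(certHash, date)` to `get(certHash)`; presumably the one-argument overload evaluates expiry at the current time, but its body is outside this hunk, so that is worth confirming.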
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Thu, 7 Sep 2023 17:40:37 +0300 Subject: [PATCH 051/127] chore: refactor module/token workers not to use akka Refs: XRDDEV-2468 --- .../module/HardwareModuleManagerImpl.java | 49 ++--- .../module/HardwareModuleWorker.java | 40 ++-- .../token/HardwareTokenWorker.java | 105 +++++----- .../etc/xroad/signer/signer-logback.xml | 2 + .../xroad/signer/protocol/SignerClient.java | 1 + src/signer/build.gradle | 1 - .../main/java/ee/ria/xroad/signer/Signer.java | 116 ---------- .../ee/ria/xroad/signer/SignerConfig.java | 31 ++- .../java/ee/ria/xroad/signer/SignerMain.java | 22 +- .../ee/ria/xroad/signer/TemporaryHelper.java | 72 ------- .../signer/job/ModuleManagerReloadJob.java | 8 +- .../signer/protocol/AbstractRpcHandler.java | 12 +- .../protocol/TemporaryAkkaMessenger.java | 47 ----- .../handler/AbstractGenerateCertReq.java | 23 +- .../GetHSMOperationalInfoReqHandler.java | 12 +- .../handler/InitSoftwareTokenReqHandler.java | 9 +- .../UpdateSoftwareTokenPinReqHandler.java | 20 +- .../signer/tokenmanager/ServiceLocator.java | 82 -------- .../module/AbstractModuleManager.java | 198 +++++++++++------- .../module/AbstractModuleWorker.java | 160 ++++++-------- .../module/DefaultModuleManagerImpl.java | 30 +-- .../module/SoftwareModuleWorker.java | 19 +- .../token/AbstractTokenWorker.java | 99 ++++----- .../token/BlockingTokenWorker.java | 119 +++++++++++ .../tokenmanager/token/SoftwareTokenType.java | 5 + .../token/SoftwareTokenWorker.java | 76 +++---- .../signer/tokenmanager/token/TokenType.java | 7 +- .../tokenmanager/token/TokenWorker.java | 29 +++ .../token/TokenWorkerProvider.java | 7 + .../token/WorkerWithLifecycle.java | 32 +++ .../signer/util/AbstractSignerActor.java | 54 ----- .../signer/util/AbstractUpdateableActor.java | 52 ----- .../ee/ria/xroad/signer/util/SignerUtil.java | 57 ----- .../java/ee/ria/xroad/signer/util/Update.java | 35 ---- 34 files changed, 639 insertions(+), 992 deletions(-) delete mode 
100644 src/signer/src/main/java/ee/ria/xroad/signer/Signer.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/TemporaryHelper.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/BlockingTokenWorker.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenWorker.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenWorkerProvider.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/WorkerWithLifecycle.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/util/AbstractSignerActor.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/util/AbstractUpdateableActor.java delete mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/util/Update.java diff --git a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleManagerImpl.java b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleManagerImpl.java index 2fce0b8a63..4ba71b97ae 100644 --- a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleManagerImpl.java +++ b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleManagerImpl.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -25,9 +25,9 @@ */ package ee.ria.xroad.signer.tokenmanager.module; -import akka.actor.Props; import lombok.extern.slf4j.Slf4j; -import org.niis.xroad.signer.proto.GetHSMOperationalInfoResp; + +import java.util.Optional; /** * Module manager that supports hardware tokens. 
@@ -35,46 +35,31 @@ @Slf4j public class HardwareModuleManagerImpl extends DefaultModuleManagerImpl { - private static final String HSM_OPERATIONAL_INFO = "HsmOperationalInfo"; - private static final String DISPATCHER = "module-worker-dispatcher"; - @Override - public void onMessage(Object message) throws Exception { - if (HSM_OPERATIONAL_INFO.equals(message)) { - handleGetHSMOperationalInfo(); - } - super.onMessage(message); - } - - - @Override - protected void initializeModule(ModuleType module) { + protected AbstractModuleWorker createModuleWorker(ModuleType module) throws Exception { if (module instanceof HardwareModuleType) { - initializeHardwareModule((HardwareModuleType) module); - } else if (module instanceof SoftwareModuleType) { - initializeSoftwareModule((SoftwareModuleType) module); + return createWorker((HardwareModuleType) module); } + + return super.createModuleWorker(module); } - private void initializeHardwareModule(HardwareModuleType hardwareModule) { - if (!isModuleInitialized(hardwareModule)) { - try { - Props props = Props.create(HardwareModuleWorker.class, hardwareModule).withDispatcher(DISPATCHER); - initializeModuleWorker(hardwareModule.getType(), props); - } catch (Exception e) { - log.error("Error initializing hardware module '" + hardwareModule.getType() + "'", e); - } + private AbstractModuleWorker createWorker(HardwareModuleType hardwareModule) { + try { + return new HardwareModuleWorker(hardwareModule); + } catch (Exception e) { + log.error("Error initializing hardware module '{}'", hardwareModule.getType(), e); } + + return null; } - private void handleGetHSMOperationalInfo() { + @Override + public Optional isHSMModuleOperational() { boolean hsmOperationalStatus = ModuleConf.getModules().stream() .noneMatch(moduleType -> moduleType instanceof HardwareModuleType && !isModuleInitialized(moduleType)); - GetHSMOperationalInfoResp hsmOperationalInfo = GetHSMOperationalInfoResp.newBuilder() - .setOperational(hsmOperationalStatus) - .build(); 
- getSender().tell(hsmOperationalInfo, getSelf()); + return Optional.of(hsmOperationalStatus); } } diff --git a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleWorker.java b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleWorker.java index c2bec7f01f..a65fdc254e 100644 --- a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleWorker.java +++ b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleWorker.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
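Review bot: `createWorker` logs the failure and returns `null`, so `createModuleWorker` can hand a null worker to its caller even though it already declares `throws Exception`. Unless the caller in `AbstractModuleManager` (outside this hunk) checks for null, a hardware module that fails to initialise would surface later as a NullPointerException rather than as the original error. Either let the exception propagate out of `createModuleWorker`, or state the contract on the override: `// returns null when the hardware module worker cannot be created`.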
@@ -25,50 +25,42 @@ */ package ee.ria.xroad.signer.tokenmanager.module; +import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker; import ee.ria.xroad.signer.tokenmanager.token.HardwareTokenType; import ee.ria.xroad.signer.tokenmanager.token.HardwareTokenWorker; import ee.ria.xroad.signer.tokenmanager.token.TokenType; -import ee.ria.xroad.signer.util.SignerUtil; -import akka.actor.Props; -import akka.actor.SupervisorStrategy; import iaik.pkcs.pkcs11.DefaultInitializeArgs; import iaik.pkcs.pkcs11.InitializeArgs; import iaik.pkcs.pkcs11.Module; import iaik.pkcs.pkcs11.Slot; +import iaik.pkcs.pkcs11.TokenException; import iaik.pkcs.pkcs11.wrapper.Functions; import iaik.pkcs.pkcs11.wrapper.PKCS11Constants; import iaik.pkcs.pkcs11.wrapper.PKCS11Exception; -import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; -import java.util.ArrayList; -import java.util.HashMap; -import java.util.List; -import java.util.Map; -import java.util.Set; +import java.util.*; +import static ee.ria.xroad.common.ErrorCodes.translateException; import static ee.ria.xroad.signer.tokenmanager.token.HardwareTokenUtil.moduleGetInstance; /** * Module worker for hardware tokens. */ @Slf4j -@RequiredArgsConstructor public class HardwareModuleWorker extends AbstractModuleWorker { - private final HardwareModuleType module; private Module pkcs11Module; - @Override - public SupervisorStrategy supervisorStrategy() { - // escalate to module manager - return SignerUtil.createPKCS11ExceptionEscalatingStrategy(); + public HardwareModuleWorker(HardwareModuleType moduleType) { + super(moduleType); + this.module = moduleType; } @Override - protected void initializeModule() throws Exception { + public void start() { if (pkcs11Module != null) { return; } 
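Review bot: The import block in this hunk replaces five explicit `java.util` imports with `import java.util.*;`, unlike the explicit imports kept in the other files of this patch. Keep the explicit list (`ArrayList`, `HashMap`, `List`, `Map`, `Set`) so the dependencies of the class stay visible. The new constructor also stores `moduleType` in the subclass field `module` while passing it to `super(moduleType)`; a one-line comment such as `// kept separately to retain the HardwareModuleType view` would explain the duplication.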
@@ -97,14 +89,18 @@ private static InitializeArgs getInitializeArgs(Boolean libraryCantCreateOsThrea } @Override - protected void deinitializeModule() throws Exception { + public void stop() { if (pkcs11Module == null) { return; } log.info("Deinitializing module '{}' (library: {})", module.getType(), module.getPkcs11LibraryPath()); - pkcs11Module.finalize(null); + try { + pkcs11Module.finalize(null); + } catch (TokenException e) { + throw translateException(e); + } } @Override @@ -170,9 +166,7 @@ private TokenType createToken(Slot[] slots, int slotIndex) throws Exception { } @Override - protected Props props(ee.ria.xroad.signer.protocol.dto.TokenInfo tokenInfo, TokenType tokenType) { - //TODO grpc - return Props.create(HardwareTokenWorker.class, - tokenInfo, tokenType).withDispatcher("token-worker-dispatcher"); + protected AbstractTokenWorker createWorker(ee.ria.xroad.signer.protocol.dto.TokenInfo tokenInfo, TokenType tokenType) { + return new HardwareTokenWorker(tokenInfo, tokenType); } } diff --git a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java index d1e7f7f603..cb8e0643b1 100644 --- a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java +++ b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java @@ -113,7 +113,7 @@ public class HardwareTokenWorker extends AbstractTokenWorker { private static final Mechanism KEYGEN_MECHANISM = Mechanism.get(PKCS11Constants.CKM_RSA_PKCS_KEY_PAIR_GEN); - private final HardwareTokenType tokenType; + private final TokenType tokenType; // maps signature algorithm id and signing mechanism private final Map signMechanisms; 
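Review bot: `stop()` finalizes the PKCS#11 module but leaves `pkcs11Module` set, while `start()` returns early when `pkcs11Module != null`. If a worker instance is ever started again after `stop()` (the lifecycle callers are outside this hunk), it would keep using a finalized module. Resetting the field makes the pair symmetric and also covers the path where `finalize` throws: `} finally { pkcs11Module = null; }`.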
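Review bot: The `tokenType` field is widened from `HardwareTokenType` to `TokenType` here, and the constructor (next hunk) and `getToken()` (the `@@ -751,7 +737,7 @@` hunk) follow suit. A wrong token type therefore no longer fails at compile time but with a ClassCastException on the first `getToken()` call. If the wider constructor signature is needed for `createWorker`, validate once in the constructor, e.g. `if (!(tokenType instanceof HardwareTokenType)) throw new IllegalArgumentException("HardwareTokenType expected");`, and keep the field typed as `HardwareTokenType` so the cast in `getToken()` disappears.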
@@ -128,7 +128,7 @@ public class HardwareTokenWorker extends AbstractTokenWorker { * @param tokenInfo the token info * @param tokenType the token type */ - public HardwareTokenWorker(TokenInfo tokenInfo, HardwareTokenType tokenType) { + public HardwareTokenWorker(TokenInfo tokenInfo, TokenType tokenType) { super(tokenInfo); this.tokenType = tokenType; @@ -185,8 +185,7 @@ private static Mechanism createRsaPkcsPssMechanism(long hashMechanism) { } @Override - public void preStart() throws Exception { - super.preStart(); + public void start() { try { initialize(); setTokenAvailable(tokenId, true); @@ -206,8 +205,8 @@ public void preStart() throws Exception { } @Override - public void postStop() throws Exception { - super.postStop(); + public void stop() { + super.stop(); try { closeActiveSession(); 
@@ -217,41 +216,34 @@ public void postStop() throws Exception { } @Override - protected void onUpdate() throws Exception { - log.trace("onUpdate()"); - - if (isTokenAvailable(tokenId) && activeSession != null) { - findKeysNotInConf(); - findPublicKeysForPrivateKeys(); - findCertificatesNotInConf(); - } + public void reload() { + start(); } @Override - protected void onMessage(Object message) throws Exception { - try { - super.onMessage(message); - } finally { - updateTokenInfo(); + public void refresh() { + log.trace("refresh()"); + + if (isTokenAvailable(tokenId) && activeSession != null) { + try { + findKeysNotInConf(); + findPublicKeysForPrivateKeys(); + findCertificatesNotInConf(); + } catch (Exception e) { + throw translateException(e); + } } } @Override - protected Exception customizeException(Exception e) { - if (e instanceof PKCS11Exception) { - // For some unknown reason, throwing PKCS11Exception causes an - // association error in Akka, so that the response message is not - // sent to the client. - return new Exception(e.getMessage()); - } - - return e; + public void onActionHandled() { + updateTokenInfo(); } // ----------------------- Message handlers ------------------------------- @Override - protected void activateToken(ActivateTokenReq message) throws Exception { + protected void activateToken(ActivateTokenReq message) { if (message.getActivate()) { // login log.info("Logging in token '{}'", getWorkerId()); @@ -368,7 +360,7 @@ protected void deleteKey(String keyId) throws Exception { return; } - certs.get(keyId).stream().forEach(this::destroyCert); + certs.get(keyId).forEach(this::destroyCert); certs.remove(keyId); } 
@@ -447,7 +439,7 @@ protected byte[] signCertificate(String keyId, String signatureAlgorithmId, Stri ContentSigner contentSigner = new HardwareTokenContentSigner(keyId, signatureAlgorithmId); JcaX509v3CertificateBuilder certificateBuilder = getCertificateBuilder(subjectName, publicKey, - issuerX509Certificate); + issuerX509Certificate); X509CertificateHolder certHolder = certificateBuilder.build(contentSigner); X509Certificate signedCert = new JcaX509CertificateConverter().getCertificate(certHolder); @@ -495,12 +487,10 @@ private void findKeysNotInConf() throws Exception { updatePublicKey(keyId); } } + } catch (PKCS11Exception e) { + throw e; } catch (Exception e) { - if (e instanceof PKCS11Exception) { - throw e; - } else { - log.error("Failed to find keys from token '{}'", getWorkerId(), e); - } + log.error("Failed to find keys from token '{}'", getWorkerId(), e); } } @@ -543,12 +533,10 @@ private void findCertificatesNotInConf() throws Exception { } } } + } catch (PKCS11Exception e) { + throw e; } catch (Exception e) { - if (e instanceof PKCS11Exception) { - throw e; - } else { - log.error("Failed to find certificates not in conf", e); - } + log.error("Failed to find certificates not in conf", e); } } @@ -575,12 +563,10 @@ private void updatePublicKey(String keyId) throws Exception { setPublicKey(keyId, publicKeyBase64); } + } catch (PKCS11Exception e) { + throw e; } catch (Exception e) { - if (e instanceof PKCS11Exception) { - throw e; - } else { - log.error("Failed to find public key for key " + keyId, e); - } + log.error("Failed to find public key for key " + keyId, e); } } @@ -687,7 +673,7 @@ private void loadPrivateKeys() throws Exception { log.trace("Found {} private key(s) on token '{}'", keysOnToken.size(), getWorkerId()); - for (RSAPrivateKey keyOnToken: keysOnToken) { + for (RSAPrivateKey keyOnToken : keysOnToken) { String keyId = keyId(keyOnToken); if (keyId == null) { 
@@ -709,7 +695,7 @@ private void loadPrivateKeys() throws Exception { setKeyAvailable(keyId, true); } - for (KeyInfo keyInfo: listKeys(tokenId)) { + for (KeyInfo keyInfo : listKeys(tokenId)) { String keyId = keyInfo.getId(); if (!privateKeys.containsKey(keyId)) { @@ -743,7 +729,7 @@ private void closeActiveSession() throws Exception { if (activeSession != null) { try { logout(); - } finally { + } finally { activeSession.closeSession(); activeSession = null; } @@ -751,7 +737,7 @@ private void closeActiveSession() throws Exception { } private Token getToken() { - return tokenType.getToken(); + return ((HardwareTokenType) tokenType).getToken(); } private void setTokenStatusFromErrorCode(long errorCode) throws Exception { @@ -802,6 +788,21 @@ private static boolean hasCert(KeyInfo key, byte[] certBytes) { return false; } + @Override + public boolean isSoftwareToken() { + return false; + } + + @Override + public void handleUpdateTokenPin(char[] oldPin, char[] newPin) { + //NO-OP + } + + @Override + public void initializeToken(char[] pin) { + //NO-OP + } + private class HardwareTokenContentSigner implements ContentSigner { private final ByteArrayOutputStream out; @@ -823,13 +824,13 @@ public byte[] getSignature() { RSAPrivateKey privateKey = getPrivateKey(keyId); if (privateKey == null) { throw CodedException.tr(X_KEY_NOT_FOUND, "key_not_found_on_token", "Key '%s' not found on token '%s'", - keyId, tokenId); + keyId, tokenId); } log.debug("Signing with key '{}' and signature algorithm '{}'", keyId, signatureAlgorithmId); Mechanism signatureMechanism = signMechanisms.get(signatureAlgorithmId); if (signatureMechanism == null) { throw CodedException.tr(X_UNSUPPORTED_SIGN_ALGORITHM, "unsupported_sign_algorithm", - "Unsupported signature algorithm '%s'", signatureAlgorithmId); + "Unsupported signature algorithm '%s'", signatureAlgorithmId); } activeSession.signInit(signatureMechanism, privateKey); String digestAlgorithmId = getDigestAlgorithmId(signatureAlgorithmId); 
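Review bot: `handleUpdateTokenPin` and `initializeToken` are added as silent no-ops in the `@@ -802,6 +788,21 @@` hunk, so a PIN change or token initialisation routed to a hardware token returns normally although nothing changed. Unless every caller checks `isSoftwareToken()` first (the request handlers are outside this hunk), the requester would presumably see success for a PIN update that never happened. Rejecting the call is safer, e.g. `throw new UnsupportedOperationException("PIN update is not supported for hardware tokens");` or the project's `CodedException` equivalent, and likewise for `initializeToken`. At minimum the `//NO-OP` comments should say why the operation is intentionally ignored.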
diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml index d79068d1b5..c3a111de00 100644 --- a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml +++ b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml @@ -7,6 +7,8 @@ + + diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SignerClient.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SignerClient.java index 69dd6224ff..8d84ece4f6 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SignerClient.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SignerClient.java @@ -51,6 +51,7 @@ * (running as separate JVM processes). */ @Slf4j +@Deprecated public final class SignerClient { public static final String LOCALHOST_IP = "127.0.0.1"; diff --git a/src/signer/build.gradle b/src/signer/build.gradle index c89eddaf8b..ad56097942 100644 --- a/src/signer/build.gradle +++ b/src/signer/build.gradle @@ -29,7 +29,6 @@ dependencies { testImplementation project(':common:common-test') testImplementation project(path: ':common:common-verifier', configuration: 'testArtifacts') - testImplementation "com.typesafe.akka:akka-testkit_$akkaVersion" testImplementation 'com.github.stefanbirkner:system-rules:1.19.0' testImplementation "org.mockito:mockito-core:$mockitoVersion" diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/Signer.java b/src/signer/src/main/java/ee/ria/xroad/signer/Signer.java deleted file mode 100644 index 1d64ce5b40..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/Signer.java +++ /dev/null 
@@ -1,116 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.signer; - -import ee.ria.xroad.common.SystemProperties; -import ee.ria.xroad.common.util.StartStop; -import ee.ria.xroad.common.util.filewatcher.FileWatcherRunner; -import ee.ria.xroad.signer.tokenmanager.TokenManager; -import ee.ria.xroad.signer.tokenmanager.module.AbstractModuleManager; -import ee.ria.xroad.signer.tokenmanager.module.DefaultModuleManagerImpl; -import ee.ria.xroad.signer.util.Update; - -import akka.actor.ActorRef; -import akka.actor.ActorSystem; -import akka.actor.Props; -import lombok.RequiredArgsConstructor; -import lombok.extern.slf4j.Slf4j; - -import java.nio.file.Paths; - -import static ee.ria.xroad.common.SystemProperties.NodeType.SLAVE; -import static ee.ria.xroad.signer.protocol.ComponentNames.MODULE_MANAGER; - -/** - * Signer application. - */ -@Slf4j -@RequiredArgsConstructor -public class Signer implements StartStop { - - private static final String MODULE_MANAGER_IMPL_CLASS = - SystemProperties.PREFIX + "signer.moduleManagerImpl"; - - private final ActorSystem actorSystem; - - private FileWatcherRunner keyConfFileWatcherRunner; - - @Override - public void start() { - log.trace("start()"); - - TokenManager.init(); - - ActorRef moduleManager = createComponent(MODULE_MANAGER, getModuleManagerImpl()); - moduleManager.tell(new Update(), ActorRef.noSender()); - - if (SLAVE.equals(SystemProperties.getServerNodeType())) { - // when the key conf file is changed from outside this system (i.e. 
a new copy from master), - // send an update event to the module manager so it knows to load the new config - this.keyConfFileWatcherRunner = FileWatcherRunner.create() - .watchForChangesIn(Paths.get(SystemProperties.getKeyConfFile())) - .listenToCreate().listenToModify() - .andOnChangeNotify(() -> moduleManager.tell(new Update(), ActorRef.noSender())) - .buildAndStartWatcher(); - } - - } - - @Override - public void stop() throws Exception { - log.trace("stop()"); - - if (!SLAVE.equals(SystemProperties.getServerNodeType())) { - TokenManager.saveToConf(); - } - - if (this.keyConfFileWatcherRunner != null) { - this.keyConfFileWatcherRunner.stop(); - } - - } - - @Override - public void join() { - //NOP - } - - private ActorRef createComponent(String name, Class clazz, Object... arg) { - return actorSystem.actorOf(Props.create(clazz, arg), name); - } - - private Class getModuleManagerImpl() { - String moduleManagerImplClassName = - System.getProperty(MODULE_MANAGER_IMPL_CLASS, DefaultModuleManagerImpl.class.getName()); - log.debug("Using module manager implementation: {}", moduleManagerImplClassName); - try { - return Class.forName(moduleManagerImplClassName).asSubclass(AbstractModuleManager.class); - } catch (ClassNotFoundException | ClassCastException e) { - throw new RuntimeException("Could not load module manager impl: " + moduleManagerImplClassName, e); - } - } - -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java index 32ca236797..9b22fcfc10 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java 
@@ -29,11 +29,9 @@ import ee.ria.xroad.signer.certmanager.OcspClientWorker; import ee.ria.xroad.signer.certmanager.OcspResponseManager; import ee.ria.xroad.signer.job.OcspClientExecuteScheduler; +import ee.ria.xroad.signer.tokenmanager.module.AbstractModuleManager; +import ee.ria.xroad.signer.tokenmanager.module.DefaultModuleManagerImpl; -import akka.actor.ActorSystem; -import com.typesafe.config.Config; -import com.typesafe.config.ConfigFactory; -import com.typesafe.config.ConfigValueFactory; import lombok.extern.slf4j.Slf4j; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ComponentScan; 
@@ -46,26 +44,27 @@ import org.springframework.scheduling.annotation.EnableScheduling; import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler; -import static ee.ria.xroad.signer.protocol.ComponentNames.SIGNER; - +@Slf4j @ComponentScan({"ee.ria.xroad.signer.protocol", "ee.ria.xroad.signer.job"}) @Configuration @EnableScheduling public class SignerConfig { + private static final String MODULE_MANAGER_IMPL_CLASS = SystemProperties.PREFIX + "signer.moduleManagerImpl"; - @Bean - @Deprecated - public ActorSystem actorSystem() { - return ActorSystem.create(SIGNER, getConf(SystemProperties.getSignerPort())); - } + @Bean("moduleManager") + public AbstractModuleManager moduleManager() { + final String moduleManagerImplClassName = System.getProperty(MODULE_MANAGER_IMPL_CLASS, DefaultModuleManagerImpl.class.getName()); + log.debug("Using module manager implementation: {}", moduleManagerImplClassName); - private static Config getConf(int signerPort) { - Config conf = ConfigFactory.load().getConfig("signer-main") - .withFallback(ConfigFactory.load()); - return conf.withValue("akka.remote.artery.canonical.port", - ConfigValueFactory.fromAnyRef(signerPort)); + try { + var clazz = Class.forName(moduleManagerImplClassName); + return (AbstractModuleManager) clazz.getDeclaredConstructor().newInstance(); + } catch (Exception e) { + throw new RuntimeException("Could not load module manager impl: " + moduleManagerImplClassName, e); + } } + @Bean OcspResponseManager ocspResponseManager() { OcspResponseManager ocspResponseManager = new OcspResponseManager(); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java index b95aa42bb1..fd76a9d73f 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java 
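Review bot: `moduleManager()` instantiates the class named by the `MODULE_MANAGER_IMPL_CLASS` system property before checking its type: `getDeclaredConstructor().newInstance()` runs first and the cast to `AbstractModuleManager` only afterwards, whereas the removed `Signer.getModuleManagerImpl()` narrowed with `asSubclass` up front. Narrowing first keeps a mistyped or unexpected class name from having its constructor executed: `var clazz = Class.forName(moduleManagerImplClassName).asSubclass(AbstractModuleManager.class);` followed by `return clazz.getDeclaredConstructor().newInstance();`. The catch could then name `ReflectiveOperationException | ClassCastException` instead of the broad `Exception`.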
@@ -34,8 +34,6 @@ import ee.ria.xroad.signer.certmanager.OcspClientWorker; import ee.ria.xroad.signer.job.OcspClientExecuteScheduler; -import akka.actor.ActorSystem; -import akka.actor.CoordinatedShutdown; import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.grpc.RpcServer; import org.springframework.context.annotation.AnnotationConfigApplicationContext; @@ -72,8 +70,6 @@ public final class SignerMain { private static GenericApplicationContext springCtx; - private static ActorSystem actorSystem; - private static Signer signer; private static AdminPort adminPort; private static CertificationServiceDiagnostics diagnosticsDefault; @@ -104,19 +100,19 @@ private static void startup() throws Exception { springCtx = new AnnotationConfigApplicationContext(SignerConfig.class); springCtx.registerShutdownHook(); - actorSystem = springCtx.getBean(ActorSystem.class); - signer = new Signer(actorSystem); + OcspClientExecuteScheduler ocspClientExecuteScheduler = null; if (springCtx.containsBean("ocspClientExecuteScheduler")) { ocspClientExecuteScheduler = springCtx.getBean(OcspClientExecuteScheduler.class); } + //TODO adminPort = createAdminPort(SystemProperties.getSignerAdminPort(), springCtx.getBean(OcspClientWorker.class), ocspClientExecuteScheduler); - CoordinatedShutdown.get(actorSystem).addJvmShutdownHook(SignerMain::shutdown); - signer.start(); + + adminPort.start(); initGrpc(); @@ -135,18 +131,10 @@ private static void initGrpc() throws Exception { }); } + //TODO: shutdown was tied to akka. private static void shutdown() { log.info("Signer shutting down..."); - try { - if (signer != null) { - signer.stop(); - signer.join(); - } - } catch (Exception e) { - log.error("Error stopping signer", e); - } - try { if (adminPort != null) { adminPort.stop(); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/TemporaryHelper.java b/src/signer/src/main/java/ee/ria/xroad/signer/TemporaryHelper.java deleted file mode 100644 index d98f52c64f..0000000000 
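Review bot: `startup()` removes `CoordinatedShutdown.get(actorSystem).addJvmShutdownHook(SignerMain::shutdown)` without a replacement, so nothing visible in these hunks calls `shutdown()` any more; the `//TODO: shutdown was tied to akka.` in the `@@ -135,18 +131,10 @@` hunk points the same way. `springCtx.registerShutdownHook()` covers Spring-managed beans, but `adminPort` is created by hand and would not be stopped on JVM exit, and whether the gRPC server started in `initGrpc()` is shut down cannot be seen here. Unless a caller outside these hunks already does it, register the hook explicitly after `adminPort.start()`: `Runtime.getRuntime().addShutdownHook(new Thread(SignerMain::shutdown));`. Both `startup()` and `shutdown()` continue outside the hunks shown.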
--- a/src/signer/src/main/java/ee/ria/xroad/signer/TemporaryHelper.java
+++ /dev/null
@@ -1,72 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer; - -import ee.ria.xroad.signer.tokenmanager.module.AbstractModuleManager; -import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker; - -import java.util.HashMap; -import java.util.Map; - -/** - * FOR TEMPORARY USE DURING MIGRATION FROM AKKA ONLY!!!! 
- */ -@Deprecated(forRemoval = true) -public class TemporaryHelper { - - @Deprecated - private static Map TOKEN_WORKERS = new HashMap<>(); - - - @Deprecated - private static AbstractModuleManager moduleManager; - - @Deprecated - public static AbstractTokenWorker getTokenWorker(String tokenId) { - if (!TOKEN_WORKERS.containsKey(tokenId)) { - throw new RuntimeException("Token worker not available"); - } - return TOKEN_WORKERS.get(tokenId); - } - - @Deprecated - public static void addTokenWorker(String tokenId, AbstractTokenWorker tokenWorker) { - TOKEN_WORKERS.put(tokenId, tokenWorker); - } - - @Deprecated - public static void setModuleManager(AbstractModuleManager manager) { - moduleManager = manager; - } - - @Deprecated - public static AbstractModuleManager getModuleManager() { - if (moduleManager != null) { - return moduleManager; - } - throw new RuntimeException("Module manager not available."); - } -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/job/ModuleManagerReloadJob.java b/src/signer/src/main/java/ee/ria/xroad/signer/job/ModuleManagerReloadJob.java index 2c01b36cba..b9fbf050c6 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/job/ModuleManagerReloadJob.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/job/ModuleManagerReloadJob.java 
@@ -27,21 +27,23 @@ package ee.ria.xroad.signer.job; -import ee.ria.xroad.signer.TemporaryHelper; +import ee.ria.xroad.signer.tokenmanager.module.AbstractModuleManager; +import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; import org.springframework.scheduling.annotation.Scheduled; import org.springframework.stereotype.Component; @Slf4j @Component +@RequiredArgsConstructor public class ModuleManagerReloadJob { + private final AbstractModuleManager moduleManager; @Scheduled(fixedDelayString = "#{T(ee.ria.xroad.common.SystemProperties).getModuleManagerUpdateInterval() * 1000}") public void update() { log.trace("Triggering ModuleManager update"); - // todo ModuleManager should be injected - TemporaryHelper.getModuleManager().onUpdate(); + moduleManager.refresh(); } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRpcHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRpcHandler.java index 17e814020c..ee54fb6233 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRpcHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRpcHandler.java @@ -27,9 +27,9 @@ package ee.ria.xroad.signer.protocol; import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.TemporaryHelper; import ee.ria.xroad.signer.protocol.dto.CodedExceptionProto; -import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker; +import ee.ria.xroad.signer.tokenmanager.token.TokenWorker; +import ee.ria.xroad.signer.tokenmanager.token.TokenWorkerProvider; import com.google.protobuf.AbstractMessage; import io.grpc.Status; @@ -39,6 +39,7 @@ import org.springframework.beans.factory.annotation.Autowired; import static com.google.protobuf.Any.pack; +import static ee.ria.xroad.signer.util.ExceptionHelper.tokenNotFound; import static java.util.Optional.ofNullable; /** 
@@ -49,7 +50,7 @@ @SuppressWarnings("squid:S119") public abstract class AbstractRpcHandler { @Autowired - protected TemporaryAkkaMessenger temporaryAkkaMessenger; + protected TokenWorkerProvider tokenWorkerProvider; protected abstract RespT handle(ReqT request) throws Exception; @@ -64,8 +65,9 @@ public void processSingle(ReqT request, StreamObserver responseObserver) } } - protected AbstractTokenWorker getTokenWorker(String tokenId) { - return TemporaryHelper.getTokenWorker(tokenId); + protected TokenWorker getTokenWorker(String tokenId) { + return tokenWorkerProvider.getTokenWorker(tokenId) + .orElseThrow(() -> tokenNotFound(tokenId)); } private void handleException(Exception exception, StreamObserver responseObserver) { diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java deleted file mode 100644 index 551db5ecf2..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/TemporaryAkkaMessenger.java +++ /dev/null 
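Review bot: `getTokenWorker` in the `@@ -64,8 +65,9 @@` hunk fails only when no worker exists for the id, whereas the removed `TemporaryAkkaMessenger.tellToken` also rejected tokens for which `TokenManager.isTokenAvailable(tokenId)` was false, throwing `tokenNotAvailable`. If the `TokenWorker` implementations do not make that check themselves (not visible here), handlers can now reach a worker for a token that is registered but not available. Either keep the guard in this one place, `if (!TokenManager.isTokenAvailable(tokenId)) { throw tokenNotAvailable(tokenId); }` before the lookup, or add a Javadoc line on the method stating that availability is the worker's responsibility. The class body continues outside the hunk.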
@@ -1,47 +0,0 @@ -package ee.ria.xroad.signer.protocol; - -import ee.ria.xroad.signer.tokenmanager.TokenManager; - -import akka.actor.ActorSystem; -import akka.pattern.Patterns; -import akka.util.Timeout; -import lombok.Getter; -import lombok.RequiredArgsConstructor; -import lombok.SneakyThrows; -import org.springframework.stereotype.Component; -import scala.concurrent.Await; - -import java.util.concurrent.TimeUnit; - -import static ee.ria.xroad.signer.tokenmanager.ServiceLocator.getToken; -import static ee.ria.xroad.signer.util.ExceptionHelper.tokenNotAvailable; - -@Deprecated(forRemoval = true) -@Component -@RequiredArgsConstructor -public class TemporaryAkkaMessenger { - @Deprecated - private static final Timeout AKKA_TIMEOUT = new Timeout(10, TimeUnit.SECONDS); - - @Getter - private final ActorSystem actorSystem; - - public T tellTokenWithResponse(Object message, String tokenId) { - return (T) tellToken(message, tokenId); - } - - @SneakyThrows - public Object tellToken(Object message, String tokenId) { - if (!TokenManager.isTokenAvailable(tokenId)) { - throw tokenNotAvailable(tokenId); - } - - Object response = Await.result(Patterns.ask(getToken(actorSystem, tokenId), message, AKKA_TIMEOUT), - AKKA_TIMEOUT.duration()); - if (response instanceof Exception) { - throw (Throwable) response; - } - return response; - } - -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertReq.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertReq.java index ebe927323f..a50591025b 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertReq.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertReq.java 
@@ -28,8 +28,8 @@ import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.util.CryptoUtils; -import ee.ria.xroad.signer.TemporaryHelper; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; +import ee.ria.xroad.signer.tokenmanager.token.TokenWorkerProvider; import ee.ria.xroad.signer.util.TokenAndKey; import com.google.protobuf.AbstractMessage; @@ -56,11 +56,13 @@ import static ee.ria.xroad.common.util.CryptoUtils.calculateDigest; import static ee.ria.xroad.common.util.CryptoUtils.decodeBase64; import static ee.ria.xroad.common.util.CryptoUtils.readX509PublicKey; +import static ee.ria.xroad.signer.util.ExceptionHelper.tokenNotFound; /** * Abstract base class for GenerateCertRequestRequestHandler and RegenerateCertRequestRequestHandler. * - * @param the type of generate cert request message this handler handles + * @param the type of generate cert request message this handler handles + * @param response type */ @Slf4j public abstract class AbstractGenerateCertReq tokenNotFound(tokenAndKey.getTokenId())) + .handleSign(request); } catch (Exception e) { - throw translateException(e); //TODO verify that it is necessary to do this here + throw translateException(e); } } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetHSMOperationalInfoReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetHSMOperationalInfoReqHandler.java index 31ea59381a..b27db1c225 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetHSMOperationalInfoReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetHSMOperationalInfoReqHandler.java 
@@ -26,9 +26,9 @@ package ee.ria.xroad.signer.protocol.handler; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; -import ee.ria.xroad.signer.protocol.ComponentNames; -import ee.ria.xroad.signer.util.SignerUtil; +import ee.ria.xroad.signer.tokenmanager.module.AbstractModuleManager; +import lombok.RequiredArgsConstructor; import org.niis.xroad.signer.proto.GetHSMOperationalInfoResp; import org.niis.xroad.signer.protocol.dto.Empty; import org.springframework.stereotype.Component; @@ -37,12 +37,14 @@ * Handles requests for checking HSMs operational status. */ @Component +@RequiredArgsConstructor public class GetHSMOperationalInfoReqHandler extends AbstractRpcHandler { + private final AbstractModuleManager moduleManager; @Override protected GetHSMOperationalInfoResp handle(Empty request) throws Exception { - var actorSelection = temporaryAkkaMessenger.getActorSystem().actorSelection("/user/" + ComponentNames.MODULE_MANAGER); - - return (GetHSMOperationalInfoResp) SignerUtil.ask(actorSelection, "HsmOperationalInfo"); + return GetHSMOperationalInfoResp.newBuilder() + .setOperational(moduleManager.isHSMModuleOperational().orElse(false)) + .build(); } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenReqHandler.java index 0e09c42290..0470dd89f5 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/InitSoftwareTokenReqHandler.java 
@@ -28,8 +28,7 @@ import ee.ria.xroad.common.CodedException; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker; -import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenWorker; +import ee.ria.xroad.signer.tokenmanager.token.TokenWorker; import org.niis.xroad.signer.proto.InitSoftwareTokenReq; import org.niis.xroad.signer.protocol.dto.Empty; @@ -49,10 +48,10 @@ protected Empty handle(InitSoftwareTokenReq request) throws Exception { String softwareTokenId = TokenManager.getSoftwareTokenId(); if (softwareTokenId != null) { - final AbstractTokenWorker tokenWorker = getTokenWorker(softwareTokenId); - if (tokenWorker instanceof SoftwareTokenWorker) { + final TokenWorker tokenWorker = getTokenWorker(softwareTokenId); + if (tokenWorker.isSoftwareToken()) { try { - ((SoftwareTokenWorker) tokenWorker).initializeToken(request.getPin().toCharArray()); + tokenWorker.initializeToken(request.getPin().toCharArray()); return Empty.getDefaultInstance(); } catch (Exception e) { throw new CodedException(X_INTERNAL_ERROR, e); //todo move to worker diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinReqHandler.java index 058370d846..ebc1dde3fe 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/UpdateSoftwareTokenPinReqHandler.java 
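Review bot: The array created by `request.getPin().toCharArray()` in `handle` is never cleared, so the PIN copy stays on the heap until it is collected, next to the immutable `String` held by the protobuf message. If `initializeToken` does not keep a reference to the array (to be confirmed in the worker), hold it in a local and wipe it afterwards: `char[] pin = request.getPin().toCharArray();` with `finally { Arrays.fill(pin, '\0'); }` around the call. The same applies to the `getOldPin()` and `getNewPin()` arrays passed to `handleUpdateTokenPin` in the `UpdateSoftwareTokenPinReqHandler` hunk that follows. `handle` starts and ends outside this hunk.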
@@ -27,8 +27,7 @@ import ee.ria.xroad.common.CodedException; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; -import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker; -import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenWorker; +import ee.ria.xroad.signer.tokenmanager.token.TokenWorker; import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.proto.UpdateSoftwareTokenPinReq; @@ -42,21 +41,14 @@ */ @Slf4j @Component -public class UpdateSoftwareTokenPinReqHandler - extends AbstractRpcHandler { +public class UpdateSoftwareTokenPinReqHandler extends AbstractRpcHandler { @Override protected Empty handle(UpdateSoftwareTokenPinReq request) throws Exception { - final AbstractTokenWorker tokenWorker = getTokenWorker(request.getTokenId()); - if (tokenWorker instanceof SoftwareTokenWorker) { - try { - ((SoftwareTokenWorker) tokenWorker).handleUpdateTokenPin(request.getOldPin().toCharArray(), request.getNewPin().toCharArray()); - return Empty.getDefaultInstance(); - } catch (Exception e) { - // todo move to tokenworker - log.error("Failed to update software token", e); - throw new CodedException(X_INTERNAL_ERROR, e); - } + final TokenWorker tokenWorker = getTokenWorker(request.getTokenId()); + if (tokenWorker.isSoftwareToken()) { + tokenWorker.handleUpdateTokenPin(request.getOldPin().toCharArray(), request.getNewPin().toCharArray()); + return Empty.getDefaultInstance(); } else { throw new CodedException(X_INTERNAL_ERROR, "Software token not found"); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java deleted file mode 100644 index 0036ae0f9b..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/ServiceLocator.java +++ /dev/null 
@@ -1,82 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.tokenmanager; - -import akka.actor.ActorContext; -import akka.actor.ActorSelection; -import akka.actor.ActorSystem; - -import static ee.ria.xroad.signer.protocol.ComponentNames.MODULE_MANAGER; -import static ee.ria.xroad.signer.protocol.ComponentNames.OCSP_RESPONSE_MANAGER; -import static ee.ria.xroad.signer.util.ExceptionHelper.tokenNotFound; - -/** - * Utility class for getting specific actor paths in Signer. 
- */ -public final class ServiceLocator { - - private ServiceLocator() { - } - - /** - * @param context the actor context - * @return the OCSP response manager actor - */ - @Deprecated(forRemoval = true) - public static ActorSelection getOcspResponseManager( - ActorContext context) { - return context.actorSelection("/user/" + OCSP_RESPONSE_MANAGER); - } - - /** - * @param context the actor context - * @param tokenId the token id - * @return the token actor - */ - public static ActorSelection getToken(ActorContext context, - String tokenId) { - String path = String.format("/user/%s/%s/%s", MODULE_MANAGER, - getModuleId(tokenId), tokenId); - return context.actorSelection(path); - } - - @Deprecated - public static ActorSelection getToken(ActorSystem actorSystem, - String tokenId) { - String path = String.format("/user/%s/%s/%s", MODULE_MANAGER, - getModuleId(tokenId), tokenId); - return actorSystem.actorSelection(path); - } - - private static String getModuleId(String tokenId) { - String moduleId = TokenManager.getModuleId(tokenId); - if (moduleId == null) { - throw tokenNotFound(tokenId); - } - - return moduleId; - } -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java index a82fc5a7bb..f7709ab796 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java 
@@ -27,25 +27,31 @@ import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.util.CryptoUtils; -import ee.ria.xroad.signer.TemporaryHelper; +import ee.ria.xroad.common.util.filewatcher.FileWatcherRunner; +import ee.ria.xroad.signer.certmanager.OcspResponseManager; import ee.ria.xroad.signer.model.Cert; import ee.ria.xroad.signer.protocol.message.GetOcspResponses; -import ee.ria.xroad.signer.tokenmanager.ServiceLocator; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import ee.ria.xroad.signer.util.AbstractUpdateableActor; -import ee.ria.xroad.signer.util.Update; - -import akka.actor.ActorRef; -import akka.actor.OneForOneStrategy; -import akka.actor.Props; -import akka.actor.SupervisorStrategy; -import iaik.pkcs.pkcs11.wrapper.PKCS11Exception; +import ee.ria.xroad.signer.tokenmanager.token.TokenWorker; +import ee.ria.xroad.signer.tokenmanager.token.TokenWorkerProvider; +import ee.ria.xroad.signer.tokenmanager.token.WorkerWithLifecycle; + import lombok.extern.slf4j.Slf4j; -import scala.concurrent.duration.Duration; +import org.springframework.beans.factory.annotation.Autowired; + +import javax.annotation.PostConstruct; +import javax.annotation.PreDestroy; +import java.nio.file.Paths; import java.util.Collection; +import java.util.Collections; +import java.util.HashMap; import java.util.List; +import java.util.Map; import java.util.Objects; +import java.util.Optional; +import java.util.Set; +import java.util.stream.Collectors; import static ee.ria.xroad.common.SystemProperties.NodeType.SLAVE; import static java.util.Objects.requireNonNull; 
@@ -54,34 +60,59 @@ * Module manager base class. */ @Slf4j -public abstract class AbstractModuleManager extends AbstractUpdateableActor { - +public abstract class AbstractModuleManager implements WorkerWithLifecycle, TokenWorkerProvider { private final SystemProperties.NodeType serverNodeType = SystemProperties.getServerNodeType(); + @Autowired + private OcspResponseManager ocspResponseManager; + + @SuppressWarnings("java:S3077") + private volatile Map moduleWorkers = Collections.emptyMap(); + + private FileWatcherRunner keyConfFileWatcherRunner; + @Override - @Deprecated(forRemoval = true) - public void preStart() throws Exception { - TemporaryHelper.setModuleManager(this); + @PostConstruct + public void start() { + log.info("Initializing module worker of instance {}", getClass().getSimpleName()); + try { + TokenManager.init(); + + if (SLAVE.equals(SystemProperties.getServerNodeType())) { + // when the key conf file is changed from outside this system (i.e. a new copy from master), + // send an update event to the module manager so it knows to load the new config + this.keyConfFileWatcherRunner = FileWatcherRunner.create() + .watchForChangesIn(Paths.get(SystemProperties.getKeyConfFile())) + .listenToCreate().listenToModify() + .andOnChangeNotify(this::refresh) + .buildAndStartWatcher(); + } + refresh(); + } catch (Exception e) { + log.error("Failed to initialize token worker!", e); + } } + @PreDestroy @Override - public SupervisorStrategy supervisorStrategy() { - return new OneForOneStrategy(-1, Duration.Inf(), - throwable -> { - if (throwable instanceof PKCS11Exception) { - // PKCS11Exceptions should make the module reinitialized - return SupervisorStrategy.restart(); - } else if (throwable instanceof Error) { - return SupervisorStrategy.escalate(); - } else { - return SupervisorStrategy.resume(); - } - } - ); + public void stop() { + log.info("Destroying module worker"); + + if (!SLAVE.equals(SystemProperties.getServerNodeType())) { + try { + 
TokenManager.saveToConf(); + } catch (Exception e) { + throw new RuntimeException(e); //TODO + } + } + + if (this.keyConfFileWatcherRunner != null) { + this.keyConfFileWatcherRunner.stop(); + } } @Override - public void onUpdate() { + public void refresh() { log.trace("onUpdate()"); loadModules(); @@ -89,7 +120,7 @@ public void onUpdate() { mergeConfiguration(); } - updateModuleWorkers(); + moduleWorkers.forEach((key, worker) -> worker.refresh()); if (!SLAVE.equals(serverNodeType)) { persistConfiguration(); @@ -97,11 +128,25 @@ public void onUpdate() { } @Override - public void onMessage(Object message) throws Exception { - unhandled(message); + public Optional getTokenWorker(String tokenId) { + for (Map.Entry entry : moduleWorkers.entrySet()) { + var tokenOpt = entry.getValue().getTokenById(tokenId); + if (tokenOpt.isPresent()) { + return tokenOpt; + } + } + return Optional.empty(); } - protected abstract void initializeModule(ModuleType module); + protected abstract AbstractModuleWorker createModuleWorker(ModuleType module) throws Exception; + + /** + * Returns HSM module operational status. + * Note: Only hardware token module manger returns a status. Default implementation returns null. + * + * @return status + */ + public abstract Optional isHSMModuleOperational(); private void loadModules() { log.trace("loadModules()"); 
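Review bot: `start()` in the `@@ -54,34 +60,59 @@` hunk catches every exception from `TokenManager.init()` and the first `refresh()` and only logs it, so the bean is still published with an empty `moduleWorkers` map and every later token lookup reports the token as not found instead of showing that initialisation failed. If a signer without tokens is not an intended state, rethrow so the context fails to start: `throw new IllegalStateException("Failed to initialize module manager", e);`. The log text says "token worker" although this is the module manager. The `throw new RuntimeException(e); //TODO` in `stop()` would also benefit from a message naming the failed key configuration save.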
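Review bot: `refresh()` (signature in the preceding hunk, body continued in `@@ -89,7 +120,7 @@`) is now a plain method reachable from more than one caller: the scheduled `ModuleManagerReloadJob.update()` and, on SLAVE nodes, the `FileWatcherRunner` callback registered in `start()`. The actor it replaces handled one update at a time. `moduleWorkers` is volatile, but `loadModules()` reads the map, builds a new one and assigns it back, so two overlapping refreshes could each create and start a worker for the same module, and one of them would be dropped without `stop()`. Unless both callers are known to run on the same thread, `public synchronized void refresh()` (or an explicit lock) restores the serialisation.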
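Review bot: The Javadoc on `isHSMModuleOperational()` in the `@@ -97,11 +128,25 @@` hunk says the default implementation returns null, but the method returns an `Optional` and `GetHSMOperationalInfoReqHandler` calls `.orElse(false)` on the result, so a literal null would throw there. The default implementation is not visible in this part of the patch; assuming it returns an empty `Optional`, the comment should say so: `Note: only the hardware token module manager reports a status; other implementations return an empty Optional.` This also fixes the "manger" typo.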
@@ -113,14 +158,30 @@ private void loadModules() { ModuleConf.reload(); - Collection modules = ModuleConf.getModules(); - addNewModules(modules); - removeLostModules(modules); + final Collection modules = ModuleConf.getModules(); + final Map refreshedWorkerModules = loadModules(modules); + final var oldModuleWorkers = moduleWorkers; + + log.trace("Registered {} modules in {}", refreshedWorkerModules.size(), getClass().getSimpleName()); + moduleWorkers = Collections.unmodifiableMap(refreshedWorkerModules); + stopLostModules(oldModuleWorkers, modules); } - private void updateModuleWorkers() { - for (ActorRef worker : getContext().getChildren()) { - worker.tell(new Update(), getSelf()); + private void stopLostModules(Map oldModuleWorkers, Collection modules) { + final Set moduleTypes = modules.stream() + .map(ModuleType::getType) + .collect(Collectors.toSet()); + + for (Map.Entry entry : oldModuleWorkers.entrySet()) { + if (!moduleTypes.contains(entry.getKey())) { + try { + log.trace("Stopping module worker for module '{}'", entry.getKey()); + entry.getValue().stop(); + } catch (Exception e) { + log.error("Failed to stop module {}", entry.getKey(), e); + } + + } } } @@ -136,11 +197,12 @@ private void mergeConfiguration() { TokenManager.merge(addedCerts -> { if (!addedCerts.isEmpty()) { log.info("Requesting OCSP update for new certificates obtained in key configuration merge."); - - // todo inject ocsp response manager - // ocspResponseManager.handleGetOcspResponses(mapCertListToGetOcspResponses(addedCerts)); - ServiceLocator.getOcspResponseManager(getContext()).tell(mapCertListToGetOcspResponses(addedCerts), - ActorRef.noSender()); + try { + ocspResponseManager.handleGetOcspResponses(mapCertListToGetOcspResponses(addedCerts)); + } catch (Exception e) { + log.error("Failed to refresh OCSP", e); + //TODO what should be done if failed? + } } }); } 
@@ -159,44 +221,28 @@ private static GetOcspResponses mapCertListToGetOcspResponses(List certs) }).filter(Objects::nonNull).toArray(String[]::new)); } - private void addNewModules(Collection modules) { - modules.forEach(this::initializeModule); - } + private Map loadModules(Collection modules) { + final Map newModules = new HashMap<>(); - private void removeLostModules(Collection modules) { - for (ActorRef module : getContext().getChildren()) { - String moduleId = module.path().name(); + modules.forEach(moduleType -> { + try { + AbstractModuleWorker moduleWorker = moduleWorkers.get(moduleType.getType()); + if (moduleWorker == null) { + moduleWorker = createModuleWorker(moduleType); + moduleWorker.start(); + } - if (!containsModule(moduleId, modules)) { - deinitializeModuleWorker(moduleId); + newModules.put(moduleWorker.getModuleType().getType(), moduleWorker); + } catch (Exception e) { + throw new RuntimeException(e); //TODO } - } - } - - void initializeModuleWorker(String name, Props props) { - log.trace("Starting module worker for module '{}'", name); - - getContext().watch(getContext().actorOf(props, name)); + }); + return newModules; } - void deinitializeModuleWorker(String name) { - ActorRef worker = getContext().findChild(name).orElse(null); - - if (worker != null) { - log.trace("Stopping module worker for module '{}'", name); - - getContext().unwatch(worker); - getContext().stop(worker); - } else { - log.warn("Module worker for module '{}' not found", name); - } - } boolean isModuleInitialized(ModuleType module) { - return getContext().findChild(module.getType()).isPresent(); + return moduleWorkers.containsKey(module.getType()); } - private static boolean containsModule(String moduleId, Collection modules) { - return modules.stream().anyMatch(m -> m.getType().equals(moduleId)); - } } 
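Review bot: In `loadModules(Collection)` any exception from `createModuleWorker` or `moduleWorker.start()` is rethrown as a bare `new RuntimeException(e)` from inside the `forEach`, which aborts the whole refresh. Workers created and started earlier in the same pass exist only in the local `newModules` map, so they are dropped without `stop()` and will be created again on the next refresh. One failing module (for example a hardware module that cannot be initialised) also keeps every other module from being registered. Handling the failure per module, as sketched below, keeps the remaining modules usable; a worker whose `start()` failed part-way should additionally be stopped. If failing the whole refresh is intended, the exception should at least carry a message naming the module.

```java
modules.forEach(moduleType -> {
    AbstractModuleWorker moduleWorker = moduleWorkers.get(moduleType.getType());
    if (moduleWorker == null) {
        try {
            moduleWorker = createModuleWorker(moduleType);
            moduleWorker.start();
        } catch (Exception e) {
            log.error("Failed to start module worker for module '{}'", moduleType.getType(), e);
            return; // leave this module out; the others are still registered
        }
    }
    newModules.put(moduleWorker.getModuleType().getType(), moduleWorker);
});
// … unchanged: return newModules …
```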
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java index 3e527ef340..f85711636e 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
@@ -27,130 +27,108 @@ import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.tokenmanager.TokenManager; +import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker; +import ee.ria.xroad.signer.tokenmanager.token.BlockingTokenWorker; import ee.ria.xroad.signer.tokenmanager.token.TokenType; -import ee.ria.xroad.signer.util.AbstractUpdateableActor; -import ee.ria.xroad.signer.util.Update; +import ee.ria.xroad.signer.tokenmanager.token.TokenWorker; +import ee.ria.xroad.signer.tokenmanager.token.WorkerWithLifecycle; -import akka.actor.ActorRef; -import akka.actor.OneForOneStrategy; -import akka.actor.Props; -import akka.actor.SupervisorStrategy; +import lombok.Getter; +import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; -import scala.concurrent.duration.Duration; +import java.util.Collections; +import java.util.HashMap; import java.util.List; +import java.util.Map; import java.util.Optional; +import java.util.Set; +import java.util.stream.Collectors; + +import static ee.ria.xroad.common.ErrorCodes.translateException; /** * Module worker base class. 
*/ @Slf4j -public abstract class AbstractModuleWorker extends AbstractUpdateableActor { +@RequiredArgsConstructor +public abstract class AbstractModuleWorker implements WorkerWithLifecycle { + @SuppressWarnings("java:S3077") + private volatile Map tokenWorkers = Collections.emptyMap(); - @Override - public SupervisorStrategy supervisorStrategy() { - return new OneForOneStrategy(-1, Duration.Inf(), - t -> { - if (t instanceof Error) { - return SupervisorStrategy.escalate(); - } else { - return SupervisorStrategy.resume(); - } - }); - } + @Getter + private final ModuleType moduleType; - @Override - public void preStart() throws Exception { - try { - initializeModule(); - } catch (Exception e) { - log.error("Failed to initialize module", e); - - getContext().stop(getSelf()); - } + public Optional getTokenById(String tokenId) { + return Optional.ofNullable(tokenWorkers.get(tokenId)); } @Override - public void postStop() throws Exception { - try { - deinitializeModule(); - } catch (Exception e) { - log.error("Failed to deinitialize module", e); - } + public void reload() { + loadTokens(true); + } @Override - protected void onUpdate() throws Exception { + public void refresh() { try { - List tokens = listTokens(); - - log.trace("Got {} tokens from module '{}'", tokens.size(), getSelf().path().name()); - - updateTokens(tokens); + loadTokens(false); } catch (Exception e) { - log.error("Error during update of module " + getSelf().path().name(), e); + log.error("Error during update of module " + getClass().getSimpleName(), e); throw e; } } - @Override - protected void onMessage(Object message) throws Exception { - unhandled(message); - } - - protected abstract void initializeModule() throws Exception; - - protected abstract void deinitializeModule() throws Exception; - protected abstract List listTokens() throws Exception; - protected abstract Props props(TokenInfo tokenInfo, TokenType tokenType); + protected abstract AbstractTokenWorker createWorker(TokenInfo tokenInfo, 
TokenType tokenType); - private void updateTokens(List tokens) { - // create new tokens - for (TokenType tokenType : tokens) { - if (!hasToken(tokenType)) { - createToken(getTokenInfo(tokenType), tokenType); + private void loadTokens(boolean reload) { + try { + final Map newTokens = new HashMap<>(); + + final List tokens = listTokens(); + log.trace("Got {} tokens from module '{}'", tokens.size(), getClass().getSimpleName()); + + for (TokenType tokenType : tokens) { + BlockingTokenWorker tokenWorker = tokenWorkers.get(tokenType.getId()); + if (tokenWorker == null) { + log.debug("Adding new token '{}#{}'", tokenType.getModuleType(), tokenType.getId()); + tokenWorker = new BlockingTokenWorker(this, createWorker(getTokenInfo(tokenType), tokenType)); + tokenWorker.getInternalTokenWorker().start(); + } else if (reload) { + tokenWorker.getInternalTokenWorker().reload(); + } + + tokenWorker.getInternalTokenWorker().refresh(); + newTokens.put(tokenType.getId(), tokenWorker); } - } - // cleanup lost tokens, update existing tokens - for (ActorRef token : getContext().getChildren()) { - if (!hasToken(tokens, token)) { - destroyToken(token); - } else { - token.tell(new Update(), getSelf()); - } + final var oldTokenWorkers = tokenWorkers; + tokenWorkers = Collections.unmodifiableMap(newTokens); + stopLostTokenWorkers(oldTokenWorkers, tokens); + } catch (Exception e) { + log.error("Error during update of module {}", getClass().getSimpleName(), e); + throw translateException(e); } } - private boolean hasToken(List tokens, ActorRef token) { - return tokens.stream() - .filter(t -> t.getId().equals(token.path().name())) - .findFirst() - .isPresent(); - } - - private boolean hasToken(TokenType tokenType) { - return getToken(tokenType).isPresent(); - } - - private Optional getToken(TokenType tokenType) { - return getContext().findChild(tokenType.getId()); - } - - private ActorRef createToken(TokenInfo tokenInfo, TokenType tokenType) { - log.debug("Adding new token '{}#{}'", 
tokenType.getModuleType(), tokenInfo.getId()); - - return getContext().watch(getContext().actorOf(props(tokenInfo, tokenType), tokenType.getId())); - } - - private void destroyToken(ActorRef token) { - log.debug("Lost token '{}'", token.path().name()); - - getContext().unwatch(token); - getContext().stop(token); + private void stopLostTokenWorkers(Map oldTokens, List newTokens) { + final Set moduleTypes = newTokens.stream() + .map(TokenType::getId) + .collect(Collectors.toSet()); + + for (Map.Entry entry : oldTokens.entrySet()) { + if (!moduleTypes.contains(entry.getKey())) { + try { + log.trace("Stopping token worker for module '{}'", entry.getKey()); + entry.getValue().getInternalTokenWorker().stop(); + } catch (Exception e) { + log.error("Failed to deinitialize "); + } + } + } } private static TokenInfo getTokenInfo(TokenType tokenType) { diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/DefaultModuleManagerImpl.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/DefaultModuleManagerImpl.java index b1900d2b88..3a3d8649e3 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/DefaultModuleManagerImpl.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/DefaultModuleManagerImpl.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -25,9 +25,14 @@ */ package ee.ria.xroad.signer.tokenmanager.module; -import akka.actor.Props; +import ee.ria.xroad.common.CodedException; + import lombok.extern.slf4j.Slf4j; +import java.util.Optional; + +import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; + /** * Default module manager supporting only software modules. */ 
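Review bot: `stopLostTokenWorkers` logs `log.error("Failed to deinitialize ");` with neither the token id nor the exception, so a token worker that fails to stop leaves no usable trace; `log.error("Failed to stop token worker '{}'", entry.getKey(), e);` would fix that (the local `moduleTypes` and the trace message also say "module" where the values are token ids). `loadTokens` reads `tokenWorkers`, builds a new map and swaps it in without a lock, while `reload()` can be entered from `BlockingTokenWorker` on a request thread; if `refresh()` is driven from another thread, two passes could each start a worker for the same token and one would be lost without `stop()`. Declaring `loadTokens` `synchronized` would close that, to be confirmed against how refresh is scheduled. `refresh()` also logs and rethrows an exception that `loadTokens` has already logged and translated, so each failure is reported twice.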
@@ -35,22 +40,21 @@ public class DefaultModuleManagerImpl extends AbstractModuleManager { @Override - protected void initializeModule(ModuleType module) { + protected AbstractModuleWorker createModuleWorker(ModuleType module) throws Exception { if (module instanceof SoftwareModuleType) { - initializeSoftwareModule((SoftwareModuleType) module); + return createSoftwareModule((SoftwareModuleType) module); } - } - void initializeSoftwareModule(SoftwareModuleType softwareModule) { - if (getContext().findChild(softwareModule.getType()).isPresent()) { - // already initialized - return; - } + throw new CodedException(X_INTERNAL_ERROR, "unrecognized module type found!"); + } + AbstractModuleWorker createSoftwareModule(SoftwareModuleType softwareModule) { log.debug("Initializing software module"); - - Props props = Props.create(SoftwareModuleWorker.class); - initializeModuleWorker(softwareModule.getType(), props); + return new SoftwareModuleWorker(softwareModule); } + @Override + public Optional isHSMModuleOperational() { + return Optional.empty(); + } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/SoftwareModuleWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/SoftwareModuleWorker.java index 7a25302895..d6df6e7b27 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/SoftwareModuleWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/SoftwareModuleWorker.java @@ -27,12 +27,11 @@ import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.tokenmanager.TokenManager; +import ee.ria.xroad.signer.tokenmanager.token.AbstractTokenWorker; import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenType; import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenWorker; import ee.ria.xroad.signer.tokenmanager.token.TokenType; -import akka.actor.Props; - import java.util.Collections; import java.util.HashMap; import java.util.List; 
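Review bot: The new `throw new CodedException(X_INTERNAL_ERROR, "unrecognized module type found!")` in `createModuleWorker` does not name the rejected module, and it turns what the old `initializeModule` silently skipped into a failure. Combined with the `RuntimeException` rethrow in `loadModules` earlier in this patch, one unsupported module entry would fail the whole load for this default manager. Including the type, `"unrecognized module type: " + module.getType()`, and deciding explicitly whether unsupported modules are skipped with a warning or treated as fatal would make the behaviour change visible. `isHSMModuleOperational()` returning `Optional.empty()` also deserves a one-line comment on what an empty result means for callers.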
@@ -46,14 +45,8 @@ public class SoftwareModuleWorker extends AbstractModuleWorker { private static final List TOKENS = Collections.singletonList(new SoftwareTokenType()); - @Override - protected void initializeModule() throws Exception { - // nothing to do - } - - @Override - protected void deinitializeModule() throws Exception { - // nothing to do + public SoftwareModuleWorker(ModuleType moduleType) { + super(moduleType); } @Override @@ -62,12 +55,10 @@ protected List listTokens() throws Exception { } @Override - protected Props props(TokenInfo tokenInfo, TokenType tokenType) { + protected AbstractTokenWorker createWorker(TokenInfo tokenInfo, TokenType tokenType) { initTokenInfo(tokenInfo); - //TODO:grpc - return Props.create(SoftwareTokenWorker.class, - tokenInfo, tokenType).withDispatcher("token-worker-dispatcher"); + return new SoftwareTokenWorker(tokenInfo); } private void initTokenInfo(TokenInfo tokenInfo) { diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java index 365a5b40de..9f466a3325 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java @@ -27,11 +27,9 @@ import ee.ria.xroad.common.util.CryptoUtils; import ee.ria.xroad.common.util.PasswordStore; -import ee.ria.xroad.signer.TemporaryHelper; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import ee.ria.xroad.signer.util.AbstractUpdateableActor; import ee.ria.xroad.signer.util.SignerUtil; import lombok.Value; 
@@ -53,6 +51,7 @@ import static ee.ria.xroad.common.ErrorCodes.X_CANNOT_SIGN; import static ee.ria.xroad.common.ErrorCodes.X_FAILED_TO_GENERATE_R_KEY; +import static ee.ria.xroad.common.ErrorCodes.translateException; import static ee.ria.xroad.signer.tokenmanager.TokenManager.isKeyAvailable; import static ee.ria.xroad.signer.tokenmanager.TokenManager.setTokenAvailable; import static ee.ria.xroad.signer.util.ExceptionHelper.keyNotAvailable; 
@@ -61,70 +60,32 @@ * Token worker base class. */ @Slf4j -public abstract class AbstractTokenWorker extends AbstractUpdateableActor { - - protected final String tokenId; - +public abstract class AbstractTokenWorker implements TokenWorker, WorkerWithLifecycle { private final String workerId; - @Override - @Deprecated - public void preStart() throws Exception { - TemporaryHelper.addTokenWorker(tokenId, this); - } + protected final String tokenId; AbstractTokenWorker(TokenInfo tokenInfo) { this.tokenId = tokenInfo.getId(); this.workerId = SignerUtil.getWorkerId(tokenInfo); } - protected boolean hasKey(String keyId) { - return TokenManager.getKeyInfo(keyId) != null; - } - - protected boolean isPinStored() { - try { - return PasswordStore.getPassword(tokenId) != null; - } catch (Exception e) { - log.error("Error when checking if token is active", e); - - return false; - } - } - - protected String getWorkerId() { - return workerId; - } - - protected Exception customizeException(Exception e) { - return e; - } - @Override - protected void onMessage(Object message) throws Exception { - log.trace("onMessage() = {}", message); - unhandled(message); - } - - @Override - public void postStop() throws Exception { - setTokenAvailable(tokenId, false); - } - - public void handleActivateToken(ActivateTokenReq message) throws Exception { + public void handleActivateToken(ActivateTokenReq message) { try { activateToken(message); - onUpdate(); + refresh(); } catch (Exception e) { log.error("Failed to activate token '{}': {}", getWorkerId(), e.getMessage()); TokenManager.setTokenActive(tokenId, false); - throw customizeException(e); + throw translateException(e); } } + @Override public KeyInfo handleGenerateKey(GenerateKeyReq message) { GenerateKeyResult result; 
@@ -133,7 +94,7 @@ public KeyInfo handleGenerateKey(GenerateKeyReq message) { } catch (Exception e) { log.error("Failed to generate key", e); - throw translateError(customizeException(e)).withPrefix(X_FAILED_TO_GENERATE_R_KEY); + throw translateException(e).withPrefix(X_FAILED_TO_GENERATE_R_KEY); } String keyId = result.getKeyId(); @@ -150,27 +111,30 @@ public KeyInfo handleGenerateKey(GenerateKeyReq message) { return TokenManager.findKeyInfo(keyId); } + @Override public void handleDeleteKey(String keyId) { try { deleteKey(keyId); } catch (Exception e) { log.error("Failed to delete key '{}'", keyId, e); - throw translateError(customizeException(e)); + throw translateException(e); } TokenManager.removeKey(keyId); } + @Override public void handleDeleteCert(String certificateId) { try { deleteCert(certificateId); } catch (Exception e) { log.error("Failed to delete cert '{}'", certificateId, e); - throw translateError(customizeException(e)); + throw translateException(e); } } + @Override public byte[] handleSign(SignReq request) { try { byte[] data = SignerUtil.createDataToSign(request.getDigest().toByteArray(), request.getSignatureAlgorithmId()); @@ -179,10 +143,11 @@ public byte[] handleSign(SignReq request) { } catch (Exception e) { log.error("Error while signing with key '{}'", request.getKeyId(), e); - throw translateError(customizeException(e)).withPrefix(X_CANNOT_SIGN); + throw translateException(e).withPrefix(X_CANNOT_SIGN); } } + @Override public byte[] handleSignCertificate(SignCertificateReq request) { try { PublicKey publicKey = CryptoUtils.readX509PublicKey(request.getPublicKey().toByteArray()); 
@@ -190,10 +155,38 @@ public byte[] handleSignCertificate(SignCertificateReq request) { request.getSubjectName(), publicKey); } catch (Exception e) { log.error("Error while signing certificate with key '{}'", request.getKeyId(), e); - throw translateError(customizeException(e)).withPrefix(X_CANNOT_SIGN); + throw translateException(e).withPrefix(X_CANNOT_SIGN); + } + } + + @Override + public void stop() { + setTokenAvailable(tokenId, false); + } + + protected boolean hasKey(String keyId) { + return TokenManager.getKeyInfo(keyId) != null; + } + + protected boolean isPinStored() { + try { + return PasswordStore.getPassword(tokenId) != null; + } catch (Exception e) { + log.error("Error when checking if token is active", e); + + return false; } } + protected String getWorkerId() { + return workerId; + } + + /** + * Execute additional code post every token worker action. + */ + public abstract void onActionHandled(); + // ------------------------------------------------------------------------ protected abstract void activateToken(ActivateTokenReq message) throws Exception; @@ -237,7 +230,7 @@ protected static JcaX509v3CertificateBuilder getCertificateBuilder(String subjec @Value protected static class GenerateKeyResult { - private final String keyId; - private final String publicKeyBase64; + String keyId; + String publicKeyBase64; } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/BlockingTokenWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/BlockingTokenWorker.java new file mode 100644 index 0000000000..efbbd4579c --- /dev/null +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/BlockingTokenWorker.java 
@@ -0,0 +1,119 @@ +package ee.ria.xroad.signer.tokenmanager.token; + +import ee.ria.xroad.signer.protocol.dto.KeyInfo; +import ee.ria.xroad.signer.tokenmanager.module.AbstractModuleWorker; + +import iaik.pkcs.pkcs11.wrapper.PKCS11Exception; +import lombok.RequiredArgsConstructor; +import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.signer.proto.ActivateTokenReq; +import org.niis.xroad.signer.proto.GenerateKeyReq; +import org.niis.xroad.signer.proto.SignCertificateReq; +import org.niis.xroad.signer.proto.SignReq; + +import static ee.ria.xroad.common.ErrorCodes.translateException; + +/** + * A blocking (calls to token are synchronized) token worker. + */ +@Slf4j +@RequiredArgsConstructor +public class BlockingTokenWorker implements TokenWorker { + private final AbstractModuleWorker moduleWorker; + private final AbstractTokenWorker tokenWorker; + + @Override + public void handleActivateToken(ActivateTokenReq message) { + synchronizedAction(() -> tokenWorker.handleActivateToken(message)); + } + + @Override + public KeyInfo handleGenerateKey(GenerateKeyReq message) { + return synchronizedAction(() -> tokenWorker.handleGenerateKey(message)); + } + + @Override + public void handleDeleteKey(String keyId) { + synchronizedAction(() -> tokenWorker.handleDeleteKey(keyId)); + } + + @Override + public void handleDeleteCert(String certificateId) { + synchronizedAction(() -> tokenWorker.handleDeleteCert(certificateId)); + } + + @Override + public byte[] handleSign(SignReq request) { + return synchronizedAction(() -> tokenWorker.handleSign(request)); + } + + @Override + public synchronized byte[] handleSignCertificate(SignCertificateReq request) { + return synchronizedAction(() -> tokenWorker.handleSignCertificate(request)); + + } + + @Override + public synchronized void initializeToken(char[] pin) { + synchronizedAction(() -> tokenWorker.initializeToken(pin)); + } + + @Override + public synchronized void handleUpdateTokenPin(char[] oldPin, char[] newPin) { + 
synchronizedAction(() -> tokenWorker.handleUpdateTokenPin(oldPin, newPin)); + } + + @Override + public boolean isSoftwareToken() { + return getInternalTokenWorker().isSoftwareToken(); + } + + /** + * Returns unwrapped and unblocked token worker for internal operations. + * + * @return token worker + */ + public AbstractTokenWorker getInternalTokenWorker() { + return tokenWorker; + } + + @FunctionalInterface + public interface ThrowingSupplier { + T get() throws E; + } + + @FunctionalInterface + public interface ThrowingRunnable { + void run() throws E; + } + + + private synchronized T synchronizedAction(ThrowingSupplier action) { + try { + return action.get(); + } catch (PKCS11Exception pkcs11Exception) { + log.warn("PKCS11Exception was thrown. Reloading underlying module and token workers."); + moduleWorker.reload(); + throw translateException(pkcs11Exception); + } catch (Exception e) { + throw translateException(e); + } finally { + tokenWorker.onActionHandled(); + } + } + + + private synchronized void synchronizedAction(ThrowingRunnable action) { + try { + action.run(); + } catch (PKCS11Exception pkcs11Exception) { + log.warn("PKCS11Exception was thrown. Reloading underlying module and token workers."); + moduleWorker.reload(); + throw translateException(pkcs11Exception); + } catch (Exception e) { + throw translateException(e); + } finally { + tokenWorker.onActionHandled(); + } + } +} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenType.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenType.java index e8d1ae3437..f0f15adfae 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenType.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenType.java 
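Review bot: The `catch (PKCS11Exception pkcs11Exception)` branch in both `synchronizedAction` overloads looks unreachable for most calls, because the `AbstractTokenWorker` handlers in this patch (`handleSign`, `handleGenerateKey`, `handleDeleteKey`, `handleDeleteCert`, `handleSignCertificate`, `handleActivateToken`) already catch `Exception` and rethrow `translateException(e)`; a PKCS#11 failure therefore arrives here already translated and `moduleWorker.reload()` is never triggered. Either let the handlers rethrow `PKCS11Exception` untouched, or inspect the cause chain here (whether `translateException` keeps the cause is not visible in this diff). When the branch does run, `moduleWorker.reload()` executes while this worker's monitor is held and calls `reload()`/`refresh()` on the unwrapped workers of the other tokens, which bypasses their `BlockingTokenWorker` lock and can overlap with an operation in progress on those tokens. Some methods are also declared `synchronized` and then call the `synchronized` helper while others are not; dropping the modifier from `handleSignCertificate`, `initializeToken` and `handleUpdateTokenPin` would make the locking uniform.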
@@ -75,6 +75,11 @@ public boolean isBatchSigningEnabled() { return true; } + @Override + public boolean isPinVerificationPerSigning() { + return false; + } + @Override public String getSignMechanismName() { return CryptoUtils.CKM_RSA_PKCS_NAME; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenWorker.java index 0c96bbf44a..84fb901877 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenWorker.java @@ -47,20 +47,12 @@ import org.niis.xroad.signer.proto.ActivateTokenReq; import org.niis.xroad.signer.proto.GenerateKeyReq; -import java.io.File; -import java.io.FileNotFoundException; -import java.io.FileOutputStream; -import java.io.IOException; -import java.io.OutputStream; +import java.io.*; import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; import java.nio.file.StandardOpenOption; -import java.security.KeyPair; -import java.security.KeyStore; -import java.security.PrivateKey; -import java.security.PublicKey; -import java.security.Signature; +import java.security.*; import java.security.cert.CertPath; import java.security.cert.Certificate; import java.security.cert.CertificateFactory; @@ -72,6 +64,7 @@ import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; import static ee.ria.xroad.common.ErrorCodes.X_TOKEN_PIN_POLICY_FAILURE; import static ee.ria.xroad.common.ErrorCodes.X_UNSUPPORTED_SIGN_ALGORITHM; +import static ee.ria.xroad.common.ErrorCodes.translateException; import static ee.ria.xroad.common.util.CryptoUtils.encodeBase64; import static ee.ria.xroad.common.util.CryptoUtils.loadPkcs12KeyStore; import static ee.ria.xroad.common.util.CryptoUtils.readCertificate; 
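Review bot: Wildcard imports (`import java.io.*;` and `import java.security.*;` here, `import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.*;` in the next hunk) hide which names this key-handling class depends on. `java.security.*` now sits next to the explicit `java.security.cert.Certificate` import, so a reader has to know the import precedence rules to see which `Certificate` is meant. Keeping the single-type imports the removed lines had avoids that; this looks like an IDE auto-collapse rather than an intended change.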
@@ -83,19 +76,7 @@ import static ee.ria.xroad.signer.tokenmanager.TokenManager.setTokenActive; import static ee.ria.xroad.signer.tokenmanager.TokenManager.setTokenAvailable; import static ee.ria.xroad.signer.tokenmanager.TokenManager.setTokenStatus; -import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.P12; -import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.PIN_ALIAS; -import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.PIN_FILE; -import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.createKeyStore; -import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.createTempKeyDir; -import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.generateKeyPair; -import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.getBackupKeyDir; -import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.getBackupKeyDirForDateNow; -import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.getKeyDir; -import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.getKeyStoreFileName; -import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.isTokenInitialized; -import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.listKeysOnDisk; -import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.loadCertificate; +import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.*; import static ee.ria.xroad.signer.util.ExceptionHelper.keyNotFound; import static ee.ria.xroad.signer.util.ExceptionHelper.loginFailed; import static ee.ria.xroad.signer.util.ExceptionHelper.pinIncorrect; 
@@ -121,14 +102,13 @@ public class SoftwareTokenWorker extends AbstractTokenWorker { * Creates new worker. * * @param tokenInfo the token info - * @param ignored token type (not used) */ - public SoftwareTokenWorker(TokenInfo tokenInfo, SoftwareTokenType ignored) { + public SoftwareTokenWorker(TokenInfo tokenInfo) { super(tokenInfo); } @Override - protected void onUpdate() { + public void refresh() { log.trace("onUpdate()"); updateStatus(); @@ -144,19 +124,10 @@ protected void onUpdate() { } } -// @Override -// protected void onMessage(Object message) throws Exception { -// if (message instanceof InitSoftwareToken) { -// initializeToken(((InitSoftwareToken) message).getPin()); -// sendSuccessResponse(); -// if (message instanceof UpdateSoftwareTokenPin) { -// UpdateSoftwareTokenPin updateTokenPinMessage = (UpdateSoftwareTokenPin) message; -// handleUpdateTokenPin(updateTokenPinMessage.getOldPin(), updateTokenPinMessage.getNewPin()); -// sendSuccessResponse(); -// } else { -// super.onMessage(message); -// } -// } + @Override + public void onActionHandled() { + //No-OP + } @Override protected void activateToken(ActivateTokenReq message) { @@ -347,7 +318,8 @@ private void initializePrivateKey(String keyId) throws Exception { } } - public void initializeToken(char[] pin) throws Exception { + @Override + public void initializeToken(char[] pin) { verifyPinProvided(pin); log.info("Initializing software token with new pin..."); 
@@ -356,13 +328,17 @@ public void initializeToken(char[] pin) throws Exception { throw new CodedException(X_TOKEN_PIN_POLICY_FAILURE, "Token PIN does not meet complexity requirements"); } - java.security.KeyPair kp = generateKeyPair(SystemProperties.getSignerKeyLength()); + try { + java.security.KeyPair kp = generateKeyPair(SystemProperties.getSignerKeyLength()); - String keyStoreFile = getKeyStoreFileName(PIN_FILE); - savePkcs12Keystore(kp, PIN_ALIAS, keyStoreFile, pin); + String keyStoreFile = getKeyStoreFileName(PIN_FILE); + savePkcs12Keystore(kp, PIN_ALIAS, keyStoreFile, pin); - setTokenAvailable(tokenId, true); - setTokenStatus(tokenId, TokenStatusInfo.OK); + setTokenAvailable(tokenId, true); + setTokenStatus(tokenId, TokenStatusInfo.OK); + } catch (Exception e) { + throw translateException(e); + } } private void rewriteKeyStoreWithNewPin(String keyFile, String keyAlias, char[] oldPin, char[] newPin, @@ -427,7 +403,8 @@ private void createKeyDirBackup() throws IOException { Files.move(getKeyDir().toPath(), getBackupKeyDir(), ATOMIC_MOVE); } - public void handleUpdateTokenPin(char[] oldPin, char[] newPin) throws Exception { + @Override + public void handleUpdateTokenPin(char[] oldPin, char[] newPin) { log.info("Updating the software token pin to a new one..."); isTokenLoginAllowed = false; // Prevent token login for the time of pin update @@ -452,7 +429,7 @@ public void handleUpdateTokenPin(char[] oldPin, char[] newPin) throws Exception log.info("Updating the software token pin was successful!"); } catch (Exception e) { log.info("Updating the software token pin failed!"); - throw e; + throw translateException(e); } finally { isTokenLoginAllowed = true; // Allow token login again } @@ -549,4 +526,9 @@ private void assertTokenAvailable() { throw tokenNotActive(tokenId); } } + + @Override + public boolean isSoftwareToken() { + return true; + } } 
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenType.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenType.java index 00b5355ba7..c7ca63246b 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenType.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenType.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -48,6 +48,11 @@ public interface TokenType { */ boolean isBatchSigningEnabled(); + /** + * @return true if pin must be verified per signing. + */ + boolean isPinVerificationPerSigning(); + /** * @return the slot index of the token */ diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenWorker.java new file mode 100644 index 0000000000..539db9f9b7 --- /dev/null +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenWorker.java @@ -0,0 +1,29 @@ +package ee.ria.xroad.signer.tokenmanager.token; + +import ee.ria.xroad.signer.protocol.dto.KeyInfo; + +import org.niis.xroad.signer.proto.ActivateTokenReq; +import org.niis.xroad.signer.proto.GenerateKeyReq; +import org.niis.xroad.signer.proto.SignCertificateReq; +import org.niis.xroad.signer.proto.SignReq; + +public interface TokenWorker { + + void handleActivateToken(ActivateTokenReq message); + + KeyInfo handleGenerateKey(GenerateKeyReq message); + + void handleDeleteKey(String keyId); + + void handleDeleteCert(String certificateId); + + byte[] handleSign(SignReq request); + + byte[] handleSignCertificate(SignCertificateReq request); + + void handleUpdateTokenPin(char[] oldPin, char[] newPin); + + void initializeToken(char[] pin); + + boolean isSoftwareToken(); +} 
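Review bot: `TokenWorker` is the contract shared by every token implementation and the `BlockingTokenWorker` wrapper, but it is added without any Javadoc and without the MIT licence header that the existing files in this patch carry. The interface should state what callers can expect on failure (the implementations in this patch throw the `CodedException` returned by `translateException`) and who owns the `char[]` PIN arguments of `initializeToken` and `handleUpdateTokenPin`, i.e. whether the caller is expected to clear them after the call. A class comment such as `/** Operations a signer token supports; failures are reported as CodedException. */` plus a `@param` line on the two PIN methods would cover it.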
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenWorkerProvider.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenWorkerProvider.java
new file mode 100644
index 0000000000..ec3888d196
--- /dev/null
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenWorkerProvider.java
@@ -0,0 +1,7 @@
+package ee.ria.xroad.signer.tokenmanager.token;
+
+import java.util.Optional;
+
+public interface TokenWorkerProvider {
+ Optional getTokenWorker(String tokenId);
+}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/WorkerWithLifecycle.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/WorkerWithLifecycle.java
new file mode 100644
index 0000000000..2a6dfa1c67
--- /dev/null
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/WorkerWithLifecycle.java
@@ -0,0 +1,32 @@
+package ee.ria.xroad.signer.tokenmanager.token;
+
+public interface WorkerWithLifecycle {
+
+ /**
+ * Stops the worker and underlying connections, context, etc.
+ */
+ default void stop() {
+ //NO-OP
+ }
+
+ /**
+ * Start the worker. This should fully prepare the worker.
+ */
+ default void start() {
+ //NO-OP
+ }
+
+ /**
+ * Reloads the worker. Reloaded instance should be similar to newly initialized worker.
+ */
+ default void reload() {
+ //NO-OP
+ }
+
+ /**
+ * Refreshes underlying worker.
+ */
+ default void refresh() {
+ //NO-OP
+ }
+}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/util/AbstractSignerActor.java b/src/signer/src/main/java/ee/ria/xroad/signer/util/AbstractSignerActor.java
deleted file mode 100644
index f15cbf0872..0000000000
--- a/src/signer/src/main/java/ee/ria/xroad/signer/util/AbstractSignerActor.java
+++ /dev/null
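Review bot: Every method of `WorkerWithLifecycle` defaults to a no-op, so an implementation that forgets a lifecycle step compiles silently. In the part of `AbstractModuleWorker` shown in this patch only `reload()` and `refresh()` are overridden; if `stop()` is not overridden further down or in subclasses, stopping a module worker would leave its token workers running and their tokens still marked available, since only `AbstractTokenWorker.stop()` calls `setTokenAvailable(tokenId, false)`. Making `stop()` abstract, or overriding it in `AbstractModuleWorker` to stop each entry of `tokenWorkers`, would make that explicit.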
@@ -1,54 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.util; - -import ee.ria.xroad.common.CodedException; - -import akka.actor.ActorRef; -import akka.actor.UntypedAbstractActor; - -import static ee.ria.xroad.common.ErrorCodes.translateException; - -/** - * A generic actor base. 
- */ -public abstract class AbstractSignerActor extends UntypedAbstractActor { - - protected void sendResponse(Object message) { - if (getSender() != ActorRef.noSender()) { - if (message instanceof Exception) { - getSender().tell( - translateError((Exception) message), getSelf()); - } else { - getSender().tell(message, getSelf()); - } - } - } - - protected CodedException translateError(Exception e) { - return translateException(e); - } -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/util/AbstractUpdateableActor.java b/src/signer/src/main/java/ee/ria/xroad/signer/util/AbstractUpdateableActor.java deleted file mode 100644 index 872d9d84f7..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/util/AbstractUpdateableActor.java +++ /dev/null 
@@ -1,52 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.util; - - -import static ee.ria.xroad.common.ErrorCodes.SIGNER_X; -import static ee.ria.xroad.common.ErrorCodes.translateException; - -/** - * Represents an actor which handles update messages. 
- */ -public abstract class AbstractUpdateableActor extends AbstractSignerActor { - - @Override - public final void onReceive(Object message) throws Exception { - if (message instanceof Update) { - onUpdate(); - } else { - try { - onMessage(message); - } catch (Exception e) { - sendResponse(translateException(e).withPrefix(SIGNER_X)); - } - } - } - - protected abstract void onUpdate() throws Exception; - protected abstract void onMessage(Object message) throws Exception; -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/util/SignerUtil.java b/src/signer/src/main/java/ee/ria/xroad/signer/util/SignerUtil.java index 9b4e8190e4..fe3c505a89 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/util/SignerUtil.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/util/SignerUtil.java @@ -29,20 +29,12 @@ import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.tokenmanager.TokenManager; -import akka.actor.ActorSelection; -import akka.actor.OneForOneStrategy; -import akka.actor.SupervisorStrategy; -import akka.pattern.Patterns; -import akka.util.Timeout; -import iaik.pkcs.pkcs11.wrapper.PKCS11Exception; import lombok.SneakyThrows; import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; import org.bouncycastle.operator.ContentSigner; -import scala.concurrent.Await; -import scala.concurrent.duration.Duration; import javax.xml.bind.DatatypeConverter; @@ -54,7 +46,6 @@ import java.util.Date; import java.util.GregorianCalendar; import java.util.Random; -import java.util.concurrent.TimeUnit; import static ee.ria.xroad.common.util.CryptoUtils.SHA1WITHRSA_ID; import static ee.ria.xroad.common.util.CryptoUtils.SHA256WITHRSAANDMGF1_ID; 
@@ -72,8 +63,6 @@ public final class SignerUtil { private static final int RANDOM_ID_LENGTH = 20; - private static final Timeout DEFAULT_ASK_TIMEOUT = new Timeout(5000, TimeUnit.MILLISECONDS); - private SignerUtil() { } @@ -201,36 +190,6 @@ public static byte[] generateId() { return id; } - /** - * Convenience method for sending a message to an actor selection - * and returning the result. - * - * @param actorSelection the actor selection - * @param message the message - * @return the result - * @throws Exception if an error occurs or if the result times out - */ - public static Object ask(ActorSelection actorSelection, Object message) - throws Exception { - return ask(actorSelection, message, DEFAULT_ASK_TIMEOUT); - } - - /** - * Convenience method for sending a message to an actor selection - * and returning the result. - * - * @param actorSelection the actor selection - * @param message the message - * @param timeout the timeout for the result - * @return the result - * @throws Exception if an error occurs or if the result times out - */ - public static Object ask(ActorSelection actorSelection, Object message, - Timeout timeout) throws Exception { - return Await.result(Patterns.ask(actorSelection, message, timeout), - timeout.duration()); - } - /** * @param tokenInfo the token * @return returns the token worker id consisting of the token type, label @@ -284,21 +243,5 @@ public static String getFormattedTokenId(String tokenIdFormat, String moduleType .replace("{label}", tokenInfo.getLabel().trim()); } - /** - * @return a supervisor strategy that escalates PKCS11Exceptions to the parent actor - */ - @Deprecated - public static OneForOneStrategy createPKCS11ExceptionEscalatingStrategy() { - return new OneForOneStrategy(-1, Duration.Inf(), - throwable -> { - if (throwable instanceof Error || throwable instanceof PKCS11Exception) { - return SupervisorStrategy.escalate(); - } else { - return SupervisorStrategy.resume(); - } - } - ); - } - } 
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/util/Update.java b/src/signer/src/main/java/ee/ria/xroad/signer/util/Update.java deleted file mode 100644 index 5ff6b538e7..0000000000 --- a/src/signer/src/main/java/ee/ria/xroad/signer/util/Update.java +++ /dev/null @@ -1,35 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.util; - -import java.io.Serializable; - -/** - * Dummy message sent to token workers to update their statuses - */ -public class Update implements Serializable { - -} 
From 2ce634f2020f70f8f00b4349c37211674cdcd40e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Thu, 7 Sep 2023 17:45:43 +0300 Subject: [PATCH 052/127] chore: checkstyle fixes Refs: XRDDEV-2468 --- .../xroad/signer/protocol/OcspService.java | 25 +++++++++++++++++++ .../token/BlockingTokenWorker.java | 25 +++++++++++++++++++ .../tokenmanager/token/TokenWorker.java | 25 +++++++++++++++++++ .../token/TokenWorkerProvider.java | 25 +++++++++++++++++++ .../token/WorkerWithLifecycle.java | 25 +++++++++++++++++++ 5 files changed, 125 insertions(+) diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/OcspService.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/OcspService.java index 0cbfbf1981..d7a8d09acb 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/OcspService.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/OcspService.java 
@@ -1,3 +1,28 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ package ee.ria.xroad.signer.protocol; import ee.ria.xroad.signer.protocol.handler.GetOcspResponsesReqHandler; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/BlockingTokenWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/BlockingTokenWorker.java index efbbd4579c..d43d4cf2b9 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/BlockingTokenWorker.java 
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/BlockingTokenWorker.java @@ -1,3 +1,28 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ package ee.ria.xroad.signer.tokenmanager.token; import ee.ria.xroad.signer.protocol.dto.KeyInfo; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenWorker.java index 539db9f9b7..941f54d09c 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenWorker.java 
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenWorker.java @@ -1,3 +1,28 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ package ee.ria.xroad.signer.tokenmanager.token; import ee.ria.xroad.signer.protocol.dto.KeyInfo; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenWorkerProvider.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenWorkerProvider.java index ec3888d196..b4bd9725d5 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenWorkerProvider.java 
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenWorkerProvider.java @@ -1,3 +1,28 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ package ee.ria.xroad.signer.tokenmanager.token; import java.util.Optional; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/WorkerWithLifecycle.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/WorkerWithLifecycle.java index 2a6dfa1c67..c0f6192673 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/WorkerWithLifecycle.java 
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/WorkerWithLifecycle.java @@ -1,3 +1,28 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ package ee.ria.xroad.signer.tokenmanager.token; public interface WorkerWithLifecycle { From 8c960e0aaa21095fd74144ebfcb2e9590f8b9671 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Fri, 8 Sep 2023 19:41:40 +0300 Subject: [PATCH 053/127] chore: improve reload on hwtoken failure Refs: XRDDEV-2468 --- .../module/HardwareModuleWorker.java | 19 +++++- .../token/HardwareTokenWorker.java | 2 +- .../signer/test/glue/BaseSignerStepDefs.java | 39 ++++++++++++ .../test/glue/SignerParallelStepDefs.java | 60 +++++++++++++++++++ .../signer/test/glue/SignerStepDefs.java | 40 +++++-------- .../0200-signer-hardware-token.feature | 2 + .../0300-signer-parallel-actions.feature | 9 +++ .../module/AbstractModuleManager.java | 2 +- .../module/AbstractModuleWorker.java | 60 ++++++++++--------- .../token/BlockingTokenWorker.java | 1 - .../token/WorkerWithLifecycle.java | 2 +- 11 files changed, 178 insertions(+), 58 deletions(-) create mode 100644 src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/BaseSignerStepDefs.java create mode 100644 src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerParallelStepDefs.java create mode 100644 src/signer-protocol/src/intTest/resources/behavior/0300-signer-parallel-actions.feature diff --git a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleWorker.java b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleWorker.java index a65fdc254e..780d80f33d 100644 --- a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleWorker.java +++ b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleWorker.java @@ -40,7 +40,11 @@ import iaik.pkcs.pkcs11.wrapper.PKCS11Exception; import lombok.extern.slf4j.Slf4j; -import java.util.*; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Set; import static ee.ria.xroad.common.ErrorCodes.translateException; import static ee.ria.xroad.signer.tokenmanager.token.HardwareTokenUtil.moduleGetInstance; 
@@ -94,15 +98,26 @@ public void stop() { return; } - log.info("Deinitializing module '{}' (library: {})", module.getType(), module.getPkcs11LibraryPath()); + log.info("Stopping module '{}' (library: {})", module.getType(), module.getPkcs11LibraryPath()); try { pkcs11Module.finalize(null); } catch (TokenException e) { throw translateException(e); + } finally { + pkcs11Module = null; } } + @Override + public void reload() { + log.info("Reloading {}", module); + stop(); + start(); + + super.reload(); + } + @Override protected List listTokens() throws Exception { log.trace("Listing tokens on module '{}'", module.getType()); diff --git a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java index cb8e0643b1..a1245b15d1 100644 --- a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java +++ b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java @@ -200,7 +200,7 @@ public void start() { try { login(); } catch (Exception e) { - log.error("Failed to log in to token '" + getWorkerId() + "' at initialization", e); + log.error("Failed to log in to token '{}' at initialization", getWorkerId(), e); } } diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/BaseSignerStepDefs.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/BaseSignerStepDefs.java new file mode 100644 index 0000000000..0f0058b4aa --- /dev/null +++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/BaseSignerStepDefs.java 
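Review bot: In the new `reload()`, a `TokenException` from `pkcs11Module.finalize(null)` is rethrown by `stop()`, so `start()` is never reached, and because the new `finally` has already set `pkcs11Module = null` the module stays uninitialised until something else starts it. A misbehaving token is presumably the case this reload exists for, so I would let it continue: `try { stop(); } catch (Exception e) { log.warn("Stopping module '{}' failed before reload", module.getType(), e); }` followed by the existing `start()`. `stop()` begins above the hunk, so the condition guarding the early `return` is not visible; if it is not a null check on `pkcs11Module`, a second `stop()` after this change would dereference null. Nothing in the hunk shows whether `stop()`/`start()` are serialised against in-flight signing, which the parallel scenario added in this commit exercises; worth confirming.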
@@ -0,0 +1,39 @@ +package org.niis.xroad.signer.test.glue; + +import ee.ria.xroad.signer.SignerProxy; +import ee.ria.xroad.signer.protocol.dto.KeyInfo; +import ee.ria.xroad.signer.protocol.dto.TokenInfo; + +import org.niis.xroad.common.test.glue.BaseStepDefs; + +import java.util.HashMap; +import java.util.Map; + +public class BaseSignerStepDefs extends BaseStepDefs { + private static final String KEY_FRIENDLY_NAME_MAPPING = "tokenFriendlyNameToIdMapping"; + + protected Map getTokenFriendlyNameToIdMapping() { + Map map = scenarioContext.getStepData(KEY_FRIENDLY_NAME_MAPPING); + if (map == null) { + map = new HashMap<>(); + scenarioContext.putStepData(KEY_FRIENDLY_NAME_MAPPING, map); + } + return map; + } + + protected TokenInfo getTokenInfoByFriendlyName(String friendlyName) throws Exception { + var tokenInfo = SignerProxy.getToken(getTokenFriendlyNameToIdMapping().get(friendlyName)); + testReportService.attachJson("TokenInfo", tokenInfo); + return tokenInfo; + } + + protected KeyInfo findKeyInToken(String friendlyName, String keyName) throws Exception { + var foundKeyInfo = getTokenInfoByFriendlyName(friendlyName).getKeyInfo().stream() + .filter(keyInfo -> keyInfo.getFriendlyName().equals(keyName)) + .findFirst() + .orElseThrow(); + testReportService.attachJson("Key [" + keyName + "]", foundKeyInfo); + return foundKeyInfo; + } + +} diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerParallelStepDefs.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerParallelStepDefs.java new file mode 100644 index 0000000000..150f70ceab --- /dev/null +++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerParallelStepDefs.java 
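Review bot: `getTokenInfoByFriendlyName` passes the result of `getTokenFriendlyNameToIdMapping().get(friendlyName)` straight to `SignerProxy.getToken`, so a friendly name that was never recorded sends `null` to the signer and the scenario fails with whatever that call produces instead of naming the missing token. I would look the id up into a local first, `var tokenId = getTokenFriendlyNameToIdMapping().get(friendlyName);`, and fail early with `if (tokenId == null) { throw new IllegalStateException("Unknown token friendly name: " + friendlyName); }`. A one-line Javadoc on `getTokenFriendlyNameToIdMapping()` saying the map lives in the scenario context and is only filled by the "tokens are listed" step would explain why the lookup can miss.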
@@ -0,0 +1,60 @@ +package org.niis.xroad.signer.test.glue; + +import ee.ria.xroad.signer.SignerProxy; +import ee.ria.xroad.signer.protocol.dto.KeyInfo; + +import io.cucumber.java.en.Step; +import lombok.extern.slf4j.Slf4j; +import org.apache.commons.lang3.time.StopWatch; + +import java.util.ArrayList; +import java.util.List; +import java.util.UUID; +import java.util.concurrent.Callable; +import java.util.concurrent.ExecutorService; +import java.util.concurrent.Executors; +import java.util.concurrent.Future; + +import static ee.ria.xroad.common.util.CryptoUtils.SHA256WITHRSA_ID; +import static ee.ria.xroad.common.util.CryptoUtils.SHA256_ID; +import static ee.ria.xroad.common.util.CryptoUtils.calculateDigest; +import static java.nio.charset.StandardCharsets.UTF_8; +import static org.assertj.core.api.Assertions.assertThat; + +@Slf4j +public class SignerParallelStepDefs extends BaseSignerStepDefs { + @Step("digest can be signed in using key {string} from token {string}. Called {} times with {} threads in parallel.") + public void digestCanBeSignedUsingKeyFromToken(String keyName, String friendlyName, int loops, int threads) throws Exception { + final KeyInfo key = findKeyInToken(friendlyName, keyName); + + doConcurrentSign(() -> { + var digest = String.format("%s-%d", UUID.randomUUID(), System.currentTimeMillis()); + + var stopWatch = StopWatch.createStarted(); + byte[] result = SignerProxy.sign(key.getId(), SHA256WITHRSA_ID, calculateDigest(SHA256_ID, digest.getBytes(UTF_8))); + stopWatch.stop(); + log.info("Executed sign in {} ms.", stopWatch.getTime()); + return result; + }, threads, loops); + + } + + private void doConcurrentSign(Callable callable, + int threads, + int loops) throws Exception { + ExecutorService executorService = Executors.newFixedThreadPool(threads); + + List> callables = new ArrayList<>(); + for (int i = 0; i < threads; i++) { + for (int j = 0; j < loops; j++) { + callables.add(callable); + } + } + + List> results = 
executorService.invokeAll(callables); + for (Future result : results) { + assertThat(result.get()).isNotEmpty(); + } + executorService.shutdown(); + } +} diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java index 3697535149..c08c8320a5 100644 --- a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java +++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java @@ -65,6 +65,7 @@ import java.util.List; import java.util.Map; import java.util.Optional; +import java.util.UUID; import java.util.stream.Collectors; import static ee.ria.xroad.common.util.CryptoUtils.SHA256WITHRSA_ID; @@ -83,7 +84,7 @@ import static org.junit.jupiter.api.Assertions.assertTrue; @Slf4j -public class SignerStepDefs extends BaseStepDefs { +public class SignerStepDefs extends BaseSignerStepDefs { private String keyId; private String csrId; private String certHash; @@ -91,7 +92,6 @@ public class SignerStepDefs extends BaseStepDefs { private byte[] cert; private final Map tokenLabelToIdMapping = new HashMap<>(); - private final Map tokenFriendlyNameToIdMapping = new HashMap<>(); @Step("tokens are listed") public void listTokens() throws Exception { @@ -99,14 +99,14 @@ public void listTokens() throws Exception { testReportService.attachJson("Tokens", tokens.toArray()); tokenLabelToIdMapping.clear(); - tokenFriendlyNameToIdMapping.clear(); + getTokenFriendlyNameToIdMapping().clear(); tokens.forEach(token -> { if (StringUtils.isNotBlank(token.getLabel())) { tokenLabelToIdMapping.put(token.getLabel(), token.getId()); } if (StringUtils.isNotBlank(token.getFriendlyName())) { - tokenFriendlyNameToIdMapping.put(token.getFriendlyName(), token.getId()); + getTokenFriendlyNameToIdMapping().put(token.getFriendlyName(), token.getId()); } }); } 
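Review bot: `doConcurrentSign` only reaches `executorService.shutdown()` when every `result.get()` succeeds; a failed sign or a failed `isNotEmpty()` assertion leaves the fixed pool's threads alive for the rest of the test JVM. Wrap everything after `Executors.newFixedThreadPool(threads)` in `try { … } finally { executorService.shutdown(); }`. The nested loops queue `threads * loops` callables, so the feature's "Called 50 times with 25 threads" performs 1250 signs, which does not match the step wording; if 50 in total is intended, drop the outer loop. `invokeAll(callables)` also has no timeout, so a signer that stops answering blocks the run indefinitely; the `invokeAll` overload that takes a timeout would bound it.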
@@ -154,13 +154,13 @@ public void tokensListContainsTokenLabel(String label) throws Exception { @Step("token {string} is logged in with pin {string}") public void tokenIsActivatedWithPin(String friendlyName, String pin) throws Exception { - var tokenId = tokenFriendlyNameToIdMapping.get(friendlyName); + var tokenId = getTokenFriendlyNameToIdMapping().get(friendlyName); SignerProxy.activateToken(tokenId, pin.toCharArray()); } @Step("token {string} is logged out") public void tokenIsLoggedOut(String friendlyName) throws Exception { - var tokenId = tokenFriendlyNameToIdMapping.get(friendlyName); + var tokenId = getTokenFriendlyNameToIdMapping().get(friendlyName); SignerProxy.deactivateToken(tokenId); } @@ -172,13 +172,13 @@ public void tokenIsActive(String friendlyName) throws Exception { @Step("token {string} pin is updated from {string} to {string}") public void tokenPinIsUpdatedFromTo(String friendlyName, String oldPin, String newPin) throws Exception { - var tokenId = tokenFriendlyNameToIdMapping.get(friendlyName); + var tokenId = getTokenFriendlyNameToIdMapping().get(friendlyName); SignerProxy.updateTokenPin(tokenId, oldPin.toCharArray(), newPin.toCharArray()); } @Step("token {string} pin is update from {string} to {string} fails with an error") public void tokenPinIsUpdatedFromToError(String friendlyName, String oldPin, String newPin) throws Exception { - var tokenId = tokenFriendlyNameToIdMapping.get(friendlyName); + var tokenId = getTokenFriendlyNameToIdMapping().get(friendlyName); try { SignerProxy.updateTokenPin(tokenId, oldPin.toCharArray(), newPin.toCharArray()); } catch (CodedException codedException) { 
@@ -211,7 +211,7 @@ public void tokenNameByLabelIs(String label, String name) throws Exception { @Step("new key {string} generated for token {string}") public void newKeyGeneratedForToken(String keyLabel, String friendlyName) throws Exception { - var tokenId = tokenFriendlyNameToIdMapping.get(friendlyName); + var tokenId = getTokenFriendlyNameToIdMapping().get(friendlyName); final KeyInfo keyInfo = SignerProxy.generateKey(tokenId, keyLabel); testReportService.attachJson("keyInfo", keyInfo); this.keyId = keyInfo.getId(); @@ -242,14 +242,7 @@ public void keyIsDeletedFromToken(String keyName, String friendlyName) throws Ex SignerProxy.deleteKey(key.getId(), true); } - private KeyInfo findKeyInToken(String friendlyName, String keyName) throws Exception { - var foundKeyInfo = getTokenInfoByFriendlyName(friendlyName).getKeyInfo().stream() - .filter(keyInfo -> keyInfo.getFriendlyName().equals(keyName)) - .findFirst() - .orElseThrow(); - testReportService.attachJson("Key [" + keyName + "]", foundKeyInfo); - return foundKeyInfo; - } + @Step("Certificate is imported for client {string}") public void certificateIsImported(String client) throws Exception { @@ -399,7 +392,8 @@ public void tokenInfoCanBeRetrievedByKeyId() throws Exception { public void digestCanBeSignedUsingKeyFromToken(String keyName, String friendlyName) throws Exception { final KeyInfo key = findKeyInToken(friendlyName, keyName); - SignerProxy.sign(key.getId(), SHA256WITHRSA_ID, calculateDigest(SHA256_ID, "digest".getBytes(UTF_8))); + var digest = String.format("%s-%d", UUID.randomUUID(), System.currentTimeMillis()); + SignerProxy.sign(key.getId(), SHA256WITHRSA_ID, calculateDigest(SHA256_ID, digest.getBytes(UTF_8))); } @Step("certificate can be deactivated") 
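Review bot: The expression `String.format("%s-%d", UUID.randomUUID(), System.currentTimeMillis())` added in `digestCanBeSignedUsingKeyFromToken` is repeated in the `sign` step (hunk `@@ -439,7 +433,9 @@`) and in `SignerParallelStepDefs`, and the local is named `digest` although it is the payload that `calculateDigest` then hashes. A helper on `BaseSignerStepDefs`, e.g. `protected String randomPayload()`, would keep the three call sites in step and let the local be named for what it holds. The hunk does not say why the input now has to differ per call; a short comment on the helper giving the reason would save the next reader from guessing.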
@@ -439,7 +433,9 @@ public void certificateCanBeSignedUsingKeyFromToken(String keyName, String frien public void sign(String keyName, String friendlyName) throws Exception { final KeyInfo key = findKeyInToken(friendlyName, keyName); - byte[] bytes = SignerProxy.sign(key.getId(), SHA512WITHRSA_ID, calculateDigest(SHA256_ID, "digest".getBytes(UTF_8))); + + var digest = String.format("%s-%d", UUID.randomUUID(), System.currentTimeMillis()); + byte[] bytes = SignerProxy.sign(key.getId(), SHA512WITHRSA_ID, calculateDigest(SHA256_ID, digest.getBytes(UTF_8))); assertThat(bytes).isNotEmpty(); } @@ -616,9 +612,5 @@ public void emptyOcspResponseIsReturnedForUnknownCertificate() throws Exception assertThat(ocspResponses[0]).isNull(); } - private TokenInfo getTokenInfoByFriendlyName(String friendlyName) throws Exception { - var tokenInfo = SignerProxy.getToken(tokenFriendlyNameToIdMapping.get(friendlyName)); - testReportService.attachJson("TokenInfo", tokenInfo); - return tokenInfo; - } + } diff --git a/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature b/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature index 428d5c3d05..0f647ca9b4 100644 --- a/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature +++ b/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature @@ -1,4 +1,5 @@ @HardwareToken +@This Feature: 0200 - Signer: HardwareToken Uses SoftHSM to emulate hardware token. @@ -93,6 +94,7 @@ Feature: 0200 - Signer: HardwareToken Given digest can be signed using key "KeyX" from token "xrd-softhsm-0" And Signing with unknown algorithm fails using key "KeyX" from token "xrd-softhsm-0" + @This Scenario: Sign data is successful Given digest can be signed using key "SignKey from CA" from token "xrd-softhsm-0" And Digest is signed using key "KeyX" from token "xrd-softhsm-0" 
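Review bot: `sign()` requests `SHA512WITHRSA_ID` but passes a value produced by `calculateDigest(SHA256_ID, ...)`, so the signature algorithm and the digest algorithm disagree on the rewritten line. The only assertion is `assertThat(bytes).isNotEmpty()`, so the step passes whether or not the signer checks that the digest matches the requested algorithm, and the returned signature is never verified. Either pair the algorithms, e.g. `SignerProxy.sign(key.getId(), SHA256WITHRSA_ID, calculateDigest(SHA256_ID, digest.getBytes(UTF_8)))`, or, if the mismatch is deliberate, make this a negative step that expects the signer to reject it.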
diff --git a/src/signer-protocol/src/intTest/resources/behavior/0300-signer-parallel-actions.feature b/src/signer-protocol/src/intTest/resources/behavior/0300-signer-parallel-actions.feature new file mode 100644 index 0000000000..8cbec2a540 --- /dev/null +++ b/src/signer-protocol/src/intTest/resources/behavior/0300-signer-parallel-actions.feature @@ -0,0 +1,9 @@ +Feature: 0300 - Signer: Parallel scenarios + Uses SoftHSM to emulate hardware token. + + Background: + Given tokens are listed + And HSM is operational + + Scenario: Data sign is properly handled in parallel execution + When digest can be signed in using key "SignKey from CA" from token "xrd-softhsm-0". Called 50 times with 25 threads in parallel. diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java index f7709ab796..04b1e9b89e 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java @@ -113,7 +113,7 @@ public void stop() { @Override public void refresh() { - log.trace("onUpdate()"); + log.trace("refresh()"); loadModules(); if (SLAVE.equals(serverNodeType)) { diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java index f85711636e..05d5f551db 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java 
@@ -33,6 +33,7 @@ import ee.ria.xroad.signer.tokenmanager.token.TokenWorker; import ee.ria.xroad.signer.tokenmanager.token.WorkerWithLifecycle; +import iaik.pkcs.pkcs11.wrapper.PKCS11Exception; import lombok.Getter; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; @@ -65,18 +66,26 @@ public Optional getTokenById(String tokenId) { @Override public void reload() { - loadTokens(true); - + log.warn("Reloading {}.. ", getClass().getSimpleName()); + try { + loadTokens(true); + } catch (Exception e) { + log.error("Error during module {} reload. It will be repeated on next scheduled module refresh..", getClass().getSimpleName(), e); + throw translateException(e); + } } @Override public void refresh() { try { loadTokens(false); + } catch (PKCS11Exception pkcs11Exception) { + log.warn("PKCS11Exception was thrown. Reloading underlying module and token workers."); + reload(); + throw translateException(pkcs11Exception); } catch (Exception e) { log.error("Error during update of module " + getClass().getSimpleName(), e); - - throw e; + throw translateException(e); } } 
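Review bot: The `catch (PKCS11Exception pkcs11Exception)` branch of `refresh()` logs a fixed string without the exception, and when the nested `reload()` throws, `throw translateException(pkcs11Exception)` is never reached, so the original PKCS#11 error is not reported anywhere. Pass the exception to the logger, `log.warn("PKCS11Exception was thrown. Reloading underlying module and token workers.", pkcs11Exception);`. Consider also attaching it to the reload failure with `addSuppressed`, so that an operator investigating a failing HSM sees the first cause. `reload()` also logs at WARN on every call, which will be noisy if it is invoked outside this error path as well.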
@@ -84,34 +93,29 @@ public void refresh() { protected abstract AbstractTokenWorker createWorker(TokenInfo tokenInfo, TokenType tokenType); - private void loadTokens(boolean reload) { - try { - final Map newTokens = new HashMap<>(); - - final List tokens = listTokens(); - log.trace("Got {} tokens from module '{}'", tokens.size(), getClass().getSimpleName()); - - for (TokenType tokenType : tokens) { - BlockingTokenWorker tokenWorker = tokenWorkers.get(tokenType.getId()); - if (tokenWorker == null) { - log.debug("Adding new token '{}#{}'", tokenType.getModuleType(), tokenType.getId()); - tokenWorker = new BlockingTokenWorker(this, createWorker(getTokenInfo(tokenType), tokenType)); - tokenWorker.getInternalTokenWorker().start(); - } else if (reload) { - tokenWorker.getInternalTokenWorker().reload(); - } + private void loadTokens(boolean reload) throws Exception { + final Map newTokens = new HashMap<>(); + + final List tokens = listTokens(); + log.trace("Got {} tokens from module '{}'", tokens.size(), getClass().getSimpleName()); - tokenWorker.getInternalTokenWorker().refresh(); - newTokens.put(tokenType.getId(), tokenWorker); + for (TokenType tokenType : tokens) { + BlockingTokenWorker tokenWorker = tokenWorkers.get(tokenType.getId()); + if (tokenWorker == null) { + log.debug("Adding new token '{}#{}'", tokenType.getModuleType(), tokenType.getId()); + tokenWorker = new BlockingTokenWorker(this, createWorker(getTokenInfo(tokenType), tokenType)); + tokenWorker.getInternalTokenWorker().start(); + } else if (reload) { + tokenWorker.getInternalTokenWorker().reload(); } - final var oldTokenWorkers = tokenWorkers; - tokenWorkers = Collections.unmodifiableMap(newTokens); - stopLostTokenWorkers(oldTokenWorkers, tokens); - } catch (Exception e) { - log.error("Error during update of module {}", getClass().getSimpleName(), e); - throw translateException(e); + tokenWorker.getInternalTokenWorker().refresh(); + newTokens.put(tokenType.getId(), tokenWorker); } + + final var 
oldTokenWorkers = tokenWorkers; + tokenWorkers = Collections.unmodifiableMap(newTokens); + stopLostTokenWorkers(oldTokenWorkers, tokens); } private void stopLostTokenWorkers(Map oldTokens, List newTokens) { diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/BlockingTokenWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/BlockingTokenWorker.java index d43d4cf2b9..c0705cfac2 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/BlockingTokenWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/BlockingTokenWorker.java @@ -75,7 +75,6 @@ public byte[] handleSign(SignReq request) { @Override public synchronized byte[] handleSignCertificate(SignCertificateReq request) { return synchronizedAction(() -> tokenWorker.handleSignCertificate(request)); - } @Override diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/WorkerWithLifecycle.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/WorkerWithLifecycle.java index c0f6192673..2a540b75ed 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/WorkerWithLifecycle.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/WorkerWithLifecycle.java @@ -44,7 +44,7 @@ default void start() { /** * Reloads the worker. Reloaded instance should be similar to newly initialized worker. */ - default void reload() { + default void reload() throws Exception { //NO-OP } From c2e8a2fa9b5d02dc9300586b4f4c9034a9fb43b5 Mon Sep 17 00:00:00 2001 
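Review bot: When `createWorker`, `start()`, `reload()` or `refresh()` throws part-way through the loop in `loadTokens`, workers already started in this pass are never published to `tokenWorkers` and never stopped. They exist only in the local `newTokens` map, or not even there when their own `refresh()` is the call that failed. The next pass finds no entry for those token ids and starts fresh workers, and the new reload-on-`PKCS11Exception` path in `refresh()` triggers that next pass immediately. If the token workers hold module sessions, which is not visible in this hunk, every failed pass would leave some behind. Tracking the workers created in the current pass and stopping them before rethrowing keeps a failed pass free of side effects.

```java
    // Workers created in this pass; not yet reachable through tokenWorkers.
    final List<BlockingTokenWorker> startedInThisPass = new ArrayList<>();
    try {
        for (TokenType tokenType : tokens) {
            // … unchanged: look up or create the worker; after start() add it to startedInThisPass …
            // … unchanged: reload()/refresh() calls and newTokens.put(...) …
        }
    } catch (Exception e) {
        // A failed pass must not leave started-but-unpublished workers behind.
        for (BlockingTokenWorker worker : startedInThisPass) {
            worker.getInternalTokenWorker().stop();
        }
        throw e;
    }
    // … unchanged: publish newTokens to tokenWorkers and stopLostTokenWorkers(...) …
```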
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Mon, 11 Sep 2023 17:24:19 +0300 Subject: [PATCH 054/127] chore: Remove akka based SignerClient Refs: XRDDEV-2468 --- .../core/facade/SignerProxyFacadeImpl.java | 7 +- .../ee/ria/xroad/confproxy/ConfProxyMain.java | 28 +- .../commandline/ConfProxyUtilMain.java | 36 +-- .../ee/ria/xroad/confproxy/ConfProxyTest.java | 16 +- .../ee/ria/xroad/monitor/MonitorMain.java | 6 +- .../java/ee/ria/xroad/proxy/ProxyMain.java | 8 +- .../signature/BatchSignerIntegrationTest.java | 8 +- .../restapi/config/StartStopListener.java | 11 +- .../ria/xroad/signer/console/SignerCLI.java | 11 +- .../signer/test/glue/SignerStepDefs.java | 45 +-- .../signer/test/hook/SignerProxyInitHook.java | 5 + .../0200-signer-hardware-token.feature | 2 - .../java/ee/ria/xroad/signer/SignerProxy.java | 143 ++++------ .../signer/protocol/RpcSignerClient.java | 111 ++++++-- .../xroad/signer/protocol/SignerClient.java | 268 ------------------ .../java/ee/ria/xroad/signer/SignerMain.java | 13 +- 16 files changed, 234 insertions(+), 484 deletions(-) delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SignerClient.java diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java index d12592ed3b..38f135c174 100644 --- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java +++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java 
@@ -25,9 +25,10 @@ */ package org.niis.xroad.cs.admin.core.facade; +import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.signer.SignerProxy; -import ee.ria.xroad.signer.protocol.SignerClient; +import ee.ria.xroad.signer.protocol.RpcSignerClient; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; @@ -66,10 +67,10 @@ public SignerProxyFacadeImpl(@Qualifier("signer-ip") String signerIp) { } @PostConstruct - void init() { + void init() throws Exception { Config config = ConfigFactory.load().getConfig("admin-service").withFallback(ConfigFactory.load()); actorSystem = ActorSystem.create("SignerService", config); - SignerClient.init(actorSystem, signerIp); + RpcSignerClient.init(signerIp, SystemProperties.getGrpcSignerPort()); log.info("SignerService actorSystem initialized with admin-service config"); } diff --git a/src/configuration-proxy/src/main/java/ee/ria/xroad/confproxy/ConfProxyMain.java b/src/configuration-proxy/src/main/java/ee/ria/xroad/confproxy/ConfProxyMain.java index c5234bb3df..cc5c1c307f 100644 --- a/src/configuration-proxy/src/main/java/ee/ria/xroad/confproxy/ConfProxyMain.java +++ b/src/configuration-proxy/src/main/java/ee/ria/xroad/confproxy/ConfProxyMain.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -28,10 +28,8 @@ import ee.ria.xroad.common.SystemPropertiesLoader; import ee.ria.xroad.common.Version; import ee.ria.xroad.confproxy.util.ConfProxyHelper; -import ee.ria.xroad.signer.protocol.SignerClient; +import ee.ria.xroad.signer.protocol.RpcSignerClient; -import akka.actor.ActorSystem; -import com.typesafe.config.ConfigFactory; import lombok.extern.slf4j.Slf4j; import java.util.Arrays; 
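Review bot: `SignerProxyFacadeImpl.init()` still creates the `SignerService` `ActorSystem` and logs "SignerService actorSystem initialized with admin-service config", but the signer connection now comes from `RpcSignerClient.init(signerIp, SystemProperties.getGrpcSignerPort())`. The log line therefore no longer describes what was set up. If nothing else in the class uses `actorSystem` (the rest of the class is outside the hunk), remove it; otherwise reword the message, e.g. `log.info("Signer RPC client initialized for {}", signerIp);`. This hunk also adds no `RpcSignerClient.shutdown()` counterpart, whereas the other entry points changed in this commit pair init with shutdown.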
@@ -49,19 +47,19 @@ public final class ConfProxyMain { static { SystemPropertiesLoader.create().withCommonAndLocal() - .with(CONF_FILE_CONFPROXY, "configuration-proxy") - .load(); + .with(CONF_FILE_CONFPROXY, "configuration-proxy") + .load(); } - private static ActorSystem actorSystem; - /** * Unavailable utility class constructor. */ - private ConfProxyMain() { } + private ConfProxyMain() { + } /** * Configuration proxy program entry point. + * * @param args program args * @throws Exception in case configuration proxy fails to start */ @@ -79,6 +77,7 @@ public static void main(final String[] args) throws Exception { /** * Initialize configuration proxy components. + * * @throws Exception if initialization fails */ private static void setup() throws Exception { @@ -86,15 +85,12 @@ private static void setup() throws Exception { Version.outputVersionInfo(APP_NAME); - actorSystem = ActorSystem.create("ConfigurationProxy", - ConfigFactory.load().getConfig("configuration-proxy") - .withFallback(ConfigFactory.load())); - - SignerClient.init(actorSystem); + RpcSignerClient.init(); } /** * Executes all configuration proxy instances in sequence. + * * @param args program arguments * @throws Exception if not able to get list of available instances */ @@ -109,7 +105,7 @@ private static void execute(final String[] args) throws Exception { log.debug("Instances from available instances: {}", instances); } - for (String instance: instances) { + for (String instance : instances) { try { ConfProxy proxy = new ConfProxy(instance); log.info("ConfProxy executing for instance {}", instance); @@ -126,6 +122,6 @@ private static void execute(final String[] args) throws Exception { */ private static void shutdown() { log.trace("shutdown()"); - actorSystem.terminate(); + RpcSignerClient.shutdown(); } } 
diff --git a/src/configuration-proxy/src/main/java/ee/ria/xroad/confproxy/commandline/ConfProxyUtilMain.java b/src/configuration-proxy/src/main/java/ee/ria/xroad/confproxy/commandline/ConfProxyUtilMain.java index 99fc81ec8c..c4bca2b926 100644 --- a/src/configuration-proxy/src/main/java/ee/ria/xroad/confproxy/commandline/ConfProxyUtilMain.java +++ b/src/configuration-proxy/src/main/java/ee/ria/xroad/confproxy/commandline/ConfProxyUtilMain.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -26,10 +26,10 @@ package ee.ria.xroad.confproxy.commandline; import ee.ria.xroad.common.SystemPropertiesLoader; -import ee.ria.xroad.signer.protocol.SignerClient; +import ee.ria.xroad.signer.protocol.RpcSignerClient; -import akka.actor.ActorSystem; -import com.typesafe.config.ConfigFactory; +import lombok.AccessLevel; +import lombok.NoArgsConstructor; import lombok.extern.slf4j.Slf4j; import org.apache.commons.cli.CommandLine; import org.apache.commons.cli.CommandLineParser; @@ -42,24 +42,20 @@ * Main program for launching configuration proxy utility tools. */ @Slf4j +@NoArgsConstructor(access = AccessLevel.PRIVATE) public final class ConfProxyUtilMain { static { SystemPropertiesLoader.create().withCommonAndLocal() - .with(CONF_FILE_CONFPROXY, "configuration-proxy") - .load(); + .with(CONF_FILE_CONFPROXY, "configuration-proxy") + .load(); } - private static ActorSystem actorSystem; private static CommandLineParser cmdLineParser; - /** - * Unavailable utility class constructor. - */ - private ConfProxyUtilMain() { } - /** * Configuration proxy utility tool program entry point. + * * @param args program args */ public static void main(final String[] args) { 
@@ -70,24 +66,22 @@ public static void main(final String[] args) { System.err.println(e.getMessage()); log.error("Error while running confproxy util:", e); } finally { - actorSystem.terminate(); + RpcSignerClient.shutdown(); } } /** * Initialize configuration proxy utility program components. */ - static void setup() { - actorSystem = ActorSystem.create("ConfigurationProxyUtil", - ConfigFactory.load().getConfig("configuration-proxy")); - - SignerClient.init(actorSystem); + static void setup() throws Exception { + RpcSignerClient.init(); cmdLineParser = new DefaultParser(); } /** * Executes the utility program with the provided argument list. + * * @param args program arguments * @throws Exception if any errors occur during execution */ @@ -102,14 +96,14 @@ static void runUtilWithArgs(final String[] args) throws Exception { /** * Creates an utility program instance of the provided class name. + * * @param className name of the utility program class * @return an instance of the requested utility program * @throws Exception if class could not be found or an instance could - * not be created + * not be created */ @SuppressWarnings("unchecked") - static ConfProxyUtil createUtilInstance(final String className) - throws Exception { + static ConfProxyUtil createUtilInstance(final String className) throws Exception { Class utilClass = (Class) Class.forName(className); return utilClass.newInstance(); diff --git a/src/configuration-proxy/src/test/java/ee/ria/xroad/confproxy/ConfProxyTest.java b/src/configuration-proxy/src/test/java/ee/ria/xroad/confproxy/ConfProxyTest.java index 6664e51642..1fbdb71788 100644 --- a/src/configuration-proxy/src/test/java/ee/ria/xroad/confproxy/ConfProxyTest.java +++ b/src/configuration-proxy/src/test/java/ee/ria/xroad/confproxy/ConfProxyTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
@@ -30,10 +30,8 @@ import ee.ria.xroad.common.conf.globalconf.ConfigurationDirectoryV2; import ee.ria.xroad.confproxy.util.ConfProxyHelper; import ee.ria.xroad.confproxy.util.OutputBuilder; -import ee.ria.xroad.signer.protocol.SignerClient; +import ee.ria.xroad.signer.protocol.RpcSignerClient; -import akka.actor.ActorSystem; -import com.typesafe.config.ConfigFactory; import lombok.extern.slf4j.Slf4j; import org.junit.After; import org.junit.Before; @@ -56,13 +54,9 @@ @Slf4j public class ConfProxyTest { - private static ActorSystem actorSystem; - @Before - public void setUp() { - actorSystem = ActorSystem.create("ConfigurationProxy", - ConfigFactory.load().getConfig("configuration-proxy")); - SignerClient.init(actorSystem); + public void setUp() throws Exception { + RpcSignerClient.init(); System.setProperty(CONFIGURATION_PROXY_CONF_PATH, "src/test/resources/conf-proxy-conf"); System.setProperty(CONFIGURATION_PROXY_GENERATED_CONF_PATH, "build/tmp/test/generated-conf"); System.setProperty(CONFIGURATION_PATH, "src/test/resources/test-conf-simple"); @@ -86,7 +80,7 @@ public void cleanupTempDirectoriesWhenBuildingSignedDirectoryFails() throws Exce @After public void tearDown() { - actorSystem.terminate(); + RpcSignerClient.shutdown(); } } diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/MonitorMain.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/MonitorMain.java index a1f3e1244b..273b71a324 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/MonitorMain.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/MonitorMain.java @@ -29,7 +29,6 @@ import ee.ria.xroad.common.SystemPropertiesLoader; import ee.ria.xroad.common.Version; import ee.ria.xroad.monitor.common.SystemMetricNames; -import ee.ria.xroad.signer.protocol.SignerClient; import akka.actor.ActorRef; import akka.actor.ActorSystem; 
@@ -40,6 +39,9 @@ import com.typesafe.config.Config; import com.typesafe.config.ConfigFactory; import com.typesafe.config.ConfigValueFactory; + +import ee.ria.xroad.signer.protocol.RpcSignerClient; + import lombok.extern.slf4j.Slf4j; import scala.concurrent.Await; import scala.concurrent.duration.Duration; @@ -118,7 +120,7 @@ private static void stopReporter() { private static void initAkka() throws Exception { actorSystem = ActorSystem.create(APP_NAME, loadAkkaConfiguration()); - SignerClient.init(actorSystem); + RpcSignerClient.init(); //TODO:grpc probably needs params. ActorRef unhandled = actorSystem.actorOf(Props.create(UnhandledListenerActor.class), "UnhandledListenerActor"); actorSystem.eventStream().subscribe(unhandled, UnhandledMessage.class); diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java index 99ca7afa91..eec71b44f4 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -58,7 +58,7 @@ import ee.ria.xroad.proxy.serverproxy.ServerProxy; import ee.ria.xroad.proxy.util.CertHashBasedOcspResponder; import ee.ria.xroad.proxy.util.ServerConfStatsLogger; -import ee.ria.xroad.signer.protocol.SignerClient; +import ee.ria.xroad.signer.protocol.RpcSignerClient; import akka.actor.ActorSelection; import akka.actor.ActorSystem; 
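Review bot: `RpcSignerClient.init(); //TODO:grpc probably needs params.` in `initAkka()` leaves an open question about how the monitor reaches the signer, and the MonitorMain hunks in this commit add no `RpcSignerClient.shutdown()`, unlike ProxyMain, ConfProxyMain and StartStopListener. Resolve the TODO before merging by stating which address and port the no-argument `init()` uses, or by calling the two-argument form used in `SignerProxyFacadeImpl`. Add the shutdown call to the monitor's stop path, which lies outside these hunks. The new `import ee.ria.xroad.signer.protocol.RpcSignerClient;` also sits in its own group after the `com.typesafe` imports instead of with the other `ee.ria.xroad` imports.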
@@ -196,13 +196,15 @@ private static void shutdown() throws Exception { log.trace("shutdown()"); stopServices(); Await.ready(actorSystem.terminate(), Duration.Inf()); + + RpcSignerClient.shutdown(); } private static void createServices() throws Exception { JobManager jobManager = new JobManager(); MonitorAgent.init(actorSystem); - SignerClient.init(actorSystem); + RpcSignerClient.init(); BatchSigner.init(actorSystem); boolean messageLogEnabled = MessageLog.init(actorSystem, jobManager); OpMonitoring.init(actorSystem); diff --git a/src/proxy/src/test/java/ee/ria/xroad/common/signature/BatchSignerIntegrationTest.java b/src/proxy/src/test/java/ee/ria/xroad/common/signature/BatchSignerIntegrationTest.java index 6c99825631..438d6c51a6 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/common/signature/BatchSignerIntegrationTest.java +++ b/src/proxy/src/test/java/ee/ria/xroad/common/signature/BatchSignerIntegrationTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -33,10 +33,12 @@ import ee.ria.xroad.common.util.CryptoUtils; import ee.ria.xroad.common.util.MessageFileNames; import ee.ria.xroad.proxy.signedmessage.SignerSigningKey; -import ee.ria.xroad.signer.protocol.SignerClient; import akka.actor.ActorSystem; import com.typesafe.config.ConfigFactory; + +import ee.ria.xroad.signer.protocol.RpcSignerClient; + import lombok.extern.slf4j.Slf4j; import org.apache.commons.io.FileUtils; import org.apache.commons.io.IOUtils; @@ -107,7 +109,7 @@ public static void main(String[] args) throws Exception { } ActorSystem actorSystem = ActorSystem.create("Proxy", ConfigFactory.load().getConfig("proxy")); - SignerClient.init(actorSystem); + RpcSignerClient.init(); Thread.sleep(SIGNER_INIT_DELAY); // wait for signer client to connect 
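Review bot: `RpcSignerClient.shutdown()` is the last statement of `ProxyMain.shutdown()`, so it is skipped whenever `stopServices()` or `Await.ready(actorSystem.terminate(), Duration.Inf())` throws, and the signer channel is then left open on a failed stop. Put the client shutdown in a `finally`: `try { stopServices(); Await.ready(actorSystem.terminate(), Duration.Inf()); } finally { RpcSignerClient.shutdown(); }`.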
diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/config/StartStopListener.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/config/StartStopListener.java index b2bf7eaa1c..4a33e4877c 100644 --- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/config/StartStopListener.java +++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/config/StartStopListener.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -26,7 +26,7 @@ package org.niis.xroad.securityserver.restapi.config; import ee.ria.xroad.commonui.UIServices; -import ee.ria.xroad.signer.protocol.SignerClient; +import ee.ria.xroad.signer.protocol.RpcSignerClient; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; @@ -55,6 +55,8 @@ private synchronized void stop() throws Exception { uiApiActorSystem.stop(); uiApiActorSystem = null; } + + RpcSignerClient.shutdown(); } @Autowired @@ -63,14 +65,15 @@ private synchronized void stop() throws Exception { /** * Maybe be called multiple times since ContextRefreshedEvent can happen multiple times + * * @throws Exception */ - private synchronized void start() { + private synchronized void start() throws Exception { log.info("start"); if (uiApiActorSystem == null) { uiApiActorSystem = new UIServices("ProxyUIApi", "proxyuiapi"); - SignerClient.init(uiApiActorSystem.getActorSystem(), signerIp); } + RpcSignerClient.init(); } diff --git a/src/signer-console/src/main/java/ee/ria/xroad/signer/console/SignerCLI.java b/src/signer-console/src/main/java/ee/ria/xroad/signer/console/SignerCLI.java index f846acf4fd..e608f7b7c3 100644 
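Review bot: In `StartStopListener.start()` the new `RpcSignerClient.init();` sits outside the `if (uiApiActorSystem == null)` guard, so it runs on every `ContextRefreshedEvent`, which the method's own Javadoc says can happen several times. Unless `init()` is idempotent (its body is not part of this hunk), each refresh may build another client while the previous one is never shut down. The call also drops the `signerIp` argument that the removed `SignerClient.init(uiApiActorSystem.getActorSystem(), signerIp)` passed, so a configured non-default signer address may now be ignored silently. Moving the call inside the guard and keeping the address, `RpcSignerClient.init(signerIp, SystemProperties.getGrpcSignerPort());` as in `SignerProxyFacadeImpl`, would preserve the previous behaviour.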
--- a/src/signer-console/src/main/java/ee/ria/xroad/signer/console/SignerCLI.java +++ b/src/signer-console/src/main/java/ee/ria/xroad/signer/console/SignerCLI.java @@ -34,21 +34,19 @@ import ee.ria.xroad.common.util.CryptoUtils; import ee.ria.xroad.signer.SignerProxy; import ee.ria.xroad.signer.SignerProxy.GeneratedCertRequestInfo; -import ee.ria.xroad.signer.protocol.SignerClient; +import ee.ria.xroad.signer.protocol.RpcSignerClient; import ee.ria.xroad.signer.protocol.dto.AuthKeyInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; -import akka.actor.ActorSystem; import asg.cliche.CLIException; import asg.cliche.Command; import asg.cliche.InputConverter; import asg.cliche.Param; import asg.cliche.Shell; import asg.cliche.ShellFactory; -import com.typesafe.config.ConfigFactory; import org.apache.commons.cli.CommandLine; import org.apache.commons.cli.CommandLineParser; import org.apache.commons.cli.DefaultParser; @@ -800,11 +798,8 @@ public static void main(String[] args) throws Exception { return; } - ActorSystem actorSystem = ActorSystem.create("SignerConsole", ConfigFactory.load().getConfig("signer-console") - .withFallback(ConfigFactory.load())); - try { - SignerClient.init(actorSystem); + RpcSignerClient.init(); String[] arguments = cmd.getArgs(); @@ -814,7 +809,7 @@ public static void main(String[] args) throws Exception { startCommandLoop(); } } finally { - actorSystem.terminate(); + RpcSignerClient.shutdown(); } } diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java index c08c8320a5..6fedb1a65e 100644 --- a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java 
+++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java @@ -50,7 +50,6 @@ import org.bouncycastle.cert.ocsp.OCSPResp; import org.bouncycastle.util.encoders.Base64; import org.junit.jupiter.api.Assertions; -import org.niis.xroad.common.test.glue.BaseStepDefs; import org.niis.xroad.signer.proto.CertificateRequestFormat; import java.io.File; @@ -84,12 +83,13 @@ import static org.junit.jupiter.api.Assertions.assertTrue; @Slf4j +@SuppressWarnings("checkstyle:MagicNumber") public class SignerStepDefs extends BaseSignerStepDefs { - private String keyId; - private String csrId; + private String scenarioKeyId; + private String scenarioCsrId; private String certHash; private CertificateInfo certInfo; - private byte[] cert; + private byte[] scenarioCert; private final Map tokenLabelToIdMapping = new HashMap<>(); @@ -214,12 +214,12 @@ public void newKeyGeneratedForToken(String keyLabel, String friendlyName) throws var tokenId = getTokenFriendlyNameToIdMapping().get(friendlyName); final KeyInfo keyInfo = SignerProxy.generateKey(tokenId, keyLabel); testReportService.attachJson("keyInfo", keyInfo); - this.keyId = keyInfo.getId(); + this.scenarioKeyId = keyInfo.getId(); } @Step("name {string} is set for generated key") public void nameIsSetForGeneratedKey(String keyFriendlyName) throws Exception { - SignerProxy.setKeyFriendlyName(this.keyId, keyFriendlyName); + SignerProxy.setKeyFriendlyName(this.scenarioKeyId, keyFriendlyName); } @Step("token {string} has exact keys {string}") 
@@ -243,10 +243,9 @@ public void keyIsDeletedFromToken(String keyName, String friendlyName) throws Ex } - @Step("Certificate is imported for client {string}") public void certificateIsImported(String client) throws Exception { - keyId = SignerProxy.importCert(cert, CertificateInfo.STATUS_REGISTERED, getClientId(client)); + scenarioKeyId = SignerProxy.importCert(scenarioCert, CertificateInfo.STATUS_REGISTERED, getClientId(client)); } @Step("Wrong Certificate is not imported for client {string}") @@ -256,7 +255,8 @@ public void certImportFails(String client) throws Exception { SignerProxy.importCert(certBytes, CertificateInfo.STATUS_REGISTERED, getClientId(client)); } catch (CodedException codedException) { assertException("Signer.KeyNotFound", "key_not_found_for_certificate", - "Signer.KeyNotFound: Could not find key that has public key that matches the public key of certificate", codedException); + "Signer.KeyNotFound: Could not find key that has public key that matches the public key of certificate", + codedException); } } @@ -270,9 +270,9 @@ private byte[] fileToBytes(String fileName) throws Exception { public void selfSignedCertGeneratedForTokenKeyForClient(String friendlyName, String keyName, String client) throws Exception { final KeyInfo keyInToken = findKeyInToken(friendlyName, keyName); - cert = SignerProxy.generateSelfSignedCert(keyInToken.getId(), getClientId(client), KeyUsageInfo.SIGNING, + scenarioCert = SignerProxy.generateSelfSignedCert(keyInToken.getId(), getClientId(client), KeyUsageInfo.SIGNING, "CN=" + client, Date.from(now().minus(5, DAYS)), Date.from(now().plus(5, DAYS))); - this.certHash = CryptoUtils.calculateCertHexHash(cert); + this.certHash = CryptoUtils.calculateCertHexHash(scenarioCert); } private ClientId.Conf getClientId(String client) { 
@@ -286,7 +286,8 @@ private SecurityServerId.Conf getSecurityServerId(String securityServerId) { } @Step("the {} cert request is generated for token {string} key {string} for client {string} throws exception") - public void certRequestIsGeneratedForTokenKeyException(String keyUsage, String friendlyName, String keyName, String client) throws Exception { + public void certRequestIsGeneratedForTokenKeyException(String keyUsage, String friendlyName, String keyName, String client) + throws Exception { try { certRequestIsGeneratedForTokenKey(keyUsage, friendlyName, keyName, client); } catch (CodedException codedException) { @@ -299,10 +300,11 @@ public void certRequestIsGeneratedForTokenKeyException(String keyUsage, String f public void certRequestIsGeneratedForTokenKey(String keyUsage, String friendlyName, String keyName, String client) throws Exception { final KeyInfo key = findKeyInToken(friendlyName, keyName); final ClientId.Conf clientId = getClientId(client); - SignerProxy.GeneratedCertRequestInfo csrInfo = SignerProxy.generateCertRequest(key.getId(), clientId, KeyUsageInfo.valueOf(keyUsage), + SignerProxy.GeneratedCertRequestInfo csrInfo = SignerProxy.generateCertRequest(key.getId(), clientId, + KeyUsageInfo.valueOf(keyUsage), "CN=key-" + keyName, CertificateRequestFormat.DER); - this.csrId = csrInfo.getCertReqId(); + this.scenarioCsrId = csrInfo.getCertReqId(); File csrFile = File.createTempFile("tmp", keyUsage.toLowerCase() + "_csr" + System.currentTimeMillis()); FileUtils.writeByteArrayToFile(csrFile, csrInfo.getCertRequest()); 
@@ -315,12 +317,12 @@ public void importCertFromFile(String initialStatus, String client) throws Excep final ClientId.Conf clientId = getClientId(client); final byte[] certBytes = FileUtils.readFileToByteArray(cert.orElseThrow()); - keyId = SignerProxy.importCert(certBytes, initialStatus, clientId); + scenarioKeyId = SignerProxy.importCert(certBytes, initialStatus, clientId); } @Step("cert request is regenerated") public void certRequestIsRegenerated() throws Exception { - SignerProxy.regenerateCertRequest(this.csrId, CertificateRequestFormat.DER); + SignerProxy.regenerateCertRequest(this.scenarioCsrId, CertificateRequestFormat.DER); } @Step("token {string} key {string} has {int} certificates") @@ -353,7 +355,7 @@ public void checkTokenBatchSigningEnabled(String friendlyName, String keyname) t @Step("cert request can be deleted") public void certRequestCanBeDeleted() throws Exception { - SignerProxy.deleteCertRequest(this.csrId); + SignerProxy.deleteCertRequest(this.scenarioCsrId); } @Step("certificate info can be retrieved by cert hash") 
@@ -370,20 +372,20 @@ public void keyidCanBeRetrievedByCertHash() throws Exception { } @Step("token and keyId can be retrieved by cert hash") - public void tokenAndKeyIdCanBeRetrievedByCertHash() { + public void tokenAndKeyIdCanBeRetrievedByCertHash() throws Exception { final TokenInfoAndKeyId tokenAndKeyIdForCertHash = SignerProxy.getTokenAndKeyIdForCertHash(this.certHash); assertThat(tokenAndKeyIdForCertHash).isNotNull(); } @Step("token and key can be retrieved by cert request") public void tokenAndKeyCanBeRetrievedByCertRequest() throws Exception { - final TokenInfoAndKeyId tokenAndKeyIdForCertRequestId = SignerProxy.getTokenAndKeyIdForCertRequestId(this.csrId); + final TokenInfoAndKeyId tokenAndKeyIdForCertRequestId = SignerProxy.getTokenAndKeyIdForCertRequestId(this.scenarioCsrId); assertThat(tokenAndKeyIdForCertRequestId).isNotNull(); } @Step("token info can be retrieved by key id") public void tokenInfoCanBeRetrievedByKeyId() throws Exception { - final TokenInfo tokenForKeyId = SignerProxy.getTokenForKeyId(this.keyId); + final TokenInfo tokenForKeyId = SignerProxy.getTokenForKeyId(this.scenarioKeyId); testReportService.attachJson("tokenInfo", tokenForKeyId); assertThat(tokenForKeyId).isNotNull(); } @@ -588,7 +590,8 @@ private void assertException(String faultCode, String translationCode, String me @Step("ocsp responses are set") public void ocspResponsesAreSet() throws Exception { X509Certificate subject = TestCertUtil.getConsumer().certChain[0]; - final OCSPResp ocspResponse = OcspTestUtils.createOCSPResponse(subject, TestCertUtil.getCaCert(), TestCertUtil.getOcspSigner().certChain[0], + final OCSPResp ocspResponse = OcspTestUtils.createOCSPResponse(subject, TestCertUtil.getCaCert(), + TestCertUtil.getOcspSigner().certChain[0], TestCertUtil.getOcspSigner().key, CertificateStatus.GOOD); SignerProxy.setOcspResponses(new String[]{calculateCertHexHash(subject)}, 
diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/hook/SignerProxyInitHook.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/hook/SignerProxyInitHook.java index e227ff2003..ce4e9a6711 100644 --- a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/hook/SignerProxyInitHook.java +++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/hook/SignerProxyInitHook.java @@ -1,10 +1,12 @@ package org.niis.xroad.signer.test.hook; import ee.ria.xroad.common.SystemProperties; +import ee.ria.xroad.signer.protocol.RpcSignerClient; import com.nortal.test.core.services.TestableApplicationInfoProvider; import com.nortal.test.core.services.hooks.BeforeSuiteHook; import lombok.RequiredArgsConstructor; +import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; import org.springframework.stereotype.Component; @@ -22,6 +24,7 @@ public class SignerProxyInitHook implements BeforeSuiteHook { private final TestableApplicationInfoProvider testableApplicationInfoProvider; @Override + @SneakyThrows public void beforeSuite() { var host = testableApplicationInfoProvider.getHost(); var port = testableApplicationInfoProvider.getMappedPort(SystemProperties.getGrpcSignerPort()); @@ -41,6 +44,8 @@ public void beforeSuite() { System.setProperty("xroad.internal.passwordstore-provider", "file"); System.setProperty("xroad.internal.passwordstore-file-path", "build/container-passwordstore/"); + + RpcSignerClient.init(); } } diff --git a/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature b/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature index 0f647ca9b4..428d5c3d05 100644 --- a/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature +++ b/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature 
@@ -1,5 +1,4 @@ @HardwareToken -@This Feature: 0200 - Signer: HardwareToken Uses SoftHSM to emulate hardware token. @@ -94,7 +93,6 @@ Feature: 0200 - Signer: HardwareToken Given digest can be signed using key "KeyX" from token "xrd-softhsm-0" And Signing with unknown algorithm fails using key "KeyX" from token "xrd-softhsm-0" - @This Scenario: Sign data is successful Given digest can be signed using key "SignKey from CA" from token "xrd-softhsm-0" And Digest is signed using key "KeyX" from token "xrd-softhsm-0" diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java index a0ddadc9ad..83c18fad99 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java @@ -25,8 +25,6 @@ */ package ee.ria.xroad.signer; -import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.identifier.SecurityServerId; import ee.ria.xroad.common.util.PasswordStore; @@ -35,16 +33,14 @@ import ee.ria.xroad.signer.protocol.SecurityServerIdMapper; import ee.ria.xroad.signer.protocol.dto.AuthKeyInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; -import ee.ria.xroad.signer.protocol.dto.CodedExceptionProto; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyId; -import com.google.protobuf.Any; import com.google.protobuf.ByteString; -import com.google.protobuf.InvalidProtocolBufferException; -import io.grpc.StatusRuntimeException; +import lombok.AccessLevel; +import lombok.NoArgsConstructor; import lombok.Value; import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.proto.ActivateCertReq; 
@@ -87,48 +83,18 @@ import java.util.Date; import java.util.List; import java.util.Map; -import java.util.concurrent.Callable; import java.util.stream.Collectors; -import static ee.ria.xroad.common.ErrorCodes.SIGNER_X; import static java.util.Arrays.asList; /** * Responsible for managing cryptographic tokens (smartcards, HSMs, etc.) through the signer. */ @Slf4j +@NoArgsConstructor(access = AccessLevel.PRIVATE) public final class SignerProxy { - private static RpcSignerClient signerClient; - - private SignerProxy() { - } - public static final String SSL_TOKEN_ID = "0"; - private static V executeAndHandleException(Callable grpcCall) { - try { - return grpcCall.call(); - } catch (StatusRuntimeException error) { - com.google.rpc.Status status = io.grpc.protobuf.StatusProto.fromThrowable(error); - if (status != null) { - for (Any any : status.getDetailsList()) { - if (any.is(CodedExceptionProto.class)) { - try { - final CodedExceptionProto ce = any.unpack(CodedExceptionProto.class); - throw CodedException.tr(ce.getFaultCode(), ce.getTranslationCode(), ce.getFaultString()) - .withPrefix(SIGNER_X); - } catch (InvalidProtocolBufferException e) { - throw new RuntimeException("Failed to parse grpc message", e); - } - } - } - } - throw error; - } catch (Exception e) { - throw new RuntimeException("Error in grpc call", e); - } - } - /** * Initialize the software token with the given password. * @@ -138,7 +104,7 @@ private static V executeAndHandleException(Callable grpcCall) { public static void initSoftwareToken(char[] password) throws Exception { log.trace("Initializing software token"); - executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() + RpcSignerClient.execute(ctx -> ctx.blockingTokenService .initSoftwareToken(InitSoftwareTokenReq.newBuilder() .setPin(new String(password)) .build())); 
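Review bot: The PIN stops being a wipeable `char[]` at `.setPin(new String(password))` in initSoftwareToken (hunk `@@ -138,7 +104,7 @@`), and the rewritten `RpcSignerClient.execute` call keeps that conversion, so a copy stays in an immutable String and in the request message until it is garbage collected. The updateTokenPin hunk (`@@ -215,7 +169,7 @@`) does the same with `oldPin` and already carries a TODO for it. I would put the same marker here, `// TODO:grpc PIN is copied into an immutable String; never log this request or its toString()`, so both sites are tracked together. The body of initSoftwareToken closes outside this hunk.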
@@ -151,26 +117,14 @@ public static void initSoftwareToken(char[] password) throws Exception { * @throws Exception if any errors occur */ public static List getTokens() throws Exception { - ListTokensResp response = executeAndHandleException(() -> - getSignerClient().getSignerApiBlockingStub().listTokens(Empty.newBuilder().build())); + ListTokensResp response = RpcSignerClient.execute(ctx -> + ctx.blockingTokenService.listTokens(Empty.newBuilder().build())); return response.getTokensList().stream() .map(TokenInfo::new) .collect(Collectors.toList()); } - private static RpcSignerClient getSignerClient() { - //TODO this is unsafe, but works for poc. - if (signerClient == null) { - try { - signerClient = RpcSignerClient.init(SystemProperties.getGrpcSignerHost(), SystemProperties.getGrpcSignerPort()); - } catch (Exception e) { - log.error("Failed to init client", e); - } - } - return signerClient; - } - /** * Gets information about the token with the specified token ID. * @@ -179,7 +133,7 @@ private static RpcSignerClient getSignerClient() { * @throws Exception if any errors occur */ public static TokenInfo getToken(String tokenId) throws Exception { - return executeAndHandleException(() -> new TokenInfo(getSignerClient().getSignerApiBlockingStub() + return RpcSignerClient.execute(ctx -> new TokenInfo(ctx.blockingTokenService .getTokenById(GetTokenByIdReq.newBuilder() .setTokenId(tokenId) .build()))); @@ -197,7 +151,7 @@ public static void activateToken(String tokenId, char[] password) throws Excepti log.trace("Activating token '{}'", tokenId); - executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() + RpcSignerClient.execute(ctx -> ctx.blockingTokenService .activateToken(ActivateTokenReq.newBuilder() .setTokenId(tokenId) .setActivate(true) 
@@ -215,7 +169,7 @@ public static void activateToken(String tokenId, char[] password) throws Excepti public static void updateTokenPin(String tokenId, char[] oldPin, char[] newPin) throws Exception { log.trace("Updating token pin '{}'", tokenId); - executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() + RpcSignerClient.execute(ctx -> ctx.blockingTokenService .updateSoftwareTokenPin(UpdateSoftwareTokenPinReq.newBuilder() .setTokenId(tokenId) .setOldPin(new String(oldPin))//TODO:grpc its not great that we're doing this transformation @@ -234,7 +188,7 @@ public static void deactivateToken(String tokenId) throws Exception { log.trace("Deactivating token '{}'", tokenId); - executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() + RpcSignerClient.execute(ctx -> ctx.blockingTokenService .activateToken(ActivateTokenReq.newBuilder() .setTokenId(tokenId) .setActivate(false) @@ -251,7 +205,7 @@ public static void deactivateToken(String tokenId) throws Exception { public static void setTokenFriendlyName(String tokenId, String friendlyName) throws Exception { log.trace("Setting friendly name '{}' for token '{}'", friendlyName, tokenId); - executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() + RpcSignerClient.execute(ctx -> ctx.blockingTokenService .setTokenFriendlyName(SetTokenFriendlyNameReq.newBuilder() .setTokenId(tokenId) .setFriendlyName(friendlyName) @@ -268,7 +222,7 @@ public static void setTokenFriendlyName(String tokenId, String friendlyName) thr public static void setKeyFriendlyName(String keyId, String friendlyName) throws Exception { log.trace("Setting friendly name '{}' for key '{}'", friendlyName, keyId); - executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() + RpcSignerClient.execute(ctx -> ctx.blockingKeyService .setKeyFriendlyName(SetKeyFriendlyNameReq.newBuilder() .setKeyId(keyId) .setFriendlyName(friendlyName) 
@@ -286,7 +240,7 @@ public static void setKeyFriendlyName(String keyId, String friendlyName) throws public static KeyInfo generateKey(String tokenId, String keyLabel) throws Exception { log.trace("Generating key for token '{}'", tokenId); - var response = executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() + var response = RpcSignerClient.execute(ctx -> ctx.blockingKeyService .generateKey(GenerateKeyReq.newBuilder() .setTokenId(tokenId) .setKeyLabel(keyLabel) @@ -315,7 +269,7 @@ public static byte[] generateSelfSignedCert(String keyId, ClientId.Conf memberId String commonName, Date notBefore, Date notAfter) throws Exception { log.trace("Generate self-signed cert for key '{}'", keyId); - var response = executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + var response = RpcSignerClient.execute(ctx -> ctx.blockingCertificateService .generateSelfSignedCert(GenerateSelfSignedCertReq.newBuilder() .setKeyId(keyId) .setCommonName(commonName) @@ -344,7 +298,7 @@ public static byte[] generateSelfSignedCert(String keyId, ClientId.Conf memberId public static String importCert(byte[] certBytes, String initialStatus, ClientId.Conf clientId) throws Exception { log.trace("Importing cert from file with length of '{}' bytes", certBytes.length); - var response = executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + var response = RpcSignerClient.execute(ctx -> ctx.blockingCertificateService .importCert(ImportCertReq.newBuilder() .setCertData(ByteString.copyFrom(certBytes)) .setInitialStatus(initialStatus) 
@@ -365,7 +319,7 @@ public static String importCert(byte[] certBytes, String initialStatus, ClientId public static void activateCert(String certId) throws Exception { log.trace("Activating cert '{}'", certId); - executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + RpcSignerClient.execute(ctx -> ctx.blockingCertificateService .activateCert(ActivateCertReq.newBuilder() .setCertIdOrHash(certId) .setActive(true) @@ -381,7 +335,7 @@ public static void activateCert(String certId) throws Exception { public static void deactivateCert(String certId) throws Exception { log.trace("Deactivating cert '{}'", certId); - executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + RpcSignerClient.execute(ctx -> ctx.blockingCertificateService .activateCert(ActivateCertReq.newBuilder() .setCertIdOrHash(certId) .setActive(false) @@ -403,7 +357,7 @@ public static GeneratedCertRequestInfo generateCertRequest(String keyId, ClientI KeyUsageInfo keyUsage, String subjectName, CertificateRequestFormat format) throws Exception { - var response = executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + var response = RpcSignerClient.execute(ctx -> ctx.blockingCertificateService .generateCertRequest(GenerateCertRequestReq.newBuilder() .setKeyId(keyId) .setMemberId(ClientIdMapper.toDto(memberId)) @@ -435,7 +389,7 @@ public static GeneratedCertRequestInfo generateCertRequest(String keyId, ClientI public static GeneratedCertRequestInfo regenerateCertRequest(String certRequestId, CertificateRequestFormat format) throws Exception { - var response = executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + var response = RpcSignerClient.execute(ctx -> ctx.blockingCertificateService .regenerateCertRequest(RegenerateCertRequestReq.newBuilder() .setCertRequestId(certRequestId) .setFormat(format) 
@@ -456,11 +410,11 @@ public static GeneratedCertRequestInfo regenerateCertRequest(String certRequestI */ @Value public static class GeneratedCertRequestInfo { - private final String certReqId; - private final byte[] certRequest; - private final CertificateRequestFormat format; - private final ClientId memberId; - private final KeyUsageInfo keyUsage; + String certReqId; + byte[] certRequest; + CertificateRequestFormat format; + ClientId memberId; + KeyUsageInfo keyUsage; } /** @@ -472,7 +426,7 @@ public static class GeneratedCertRequestInfo { public static void deleteCertRequest(String certRequestId) throws Exception { log.trace("Deleting cert request '{}'", certRequestId); - executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + RpcSignerClient.execute(ctx -> ctx.blockingCertificateService .deleteCertRequest(DeleteCertRequestReq.newBuilder() .setCertRequestId(certRequestId) .build())); @@ -487,7 +441,7 @@ public static void deleteCertRequest(String certRequestId) throws Exception { public static void deleteCert(String certId) throws Exception { log.trace("Deleting cert '{}'", certId); - executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + RpcSignerClient.execute(ctx -> ctx.blockingCertificateService .deleteCert(DeleteCertReq.newBuilder() .setCertId(certId) .build())); @@ -504,7 +458,7 @@ public static void deleteCert(String certId) throws Exception { public static void deleteKey(String keyId, boolean deleteFromToken) throws Exception { log.trace("Deleting key '{}', from token = {}", keyId, deleteFromToken); - executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() + RpcSignerClient.execute(ctx -> ctx.blockingKeyService .deleteKey(DeleteKeyReq.newBuilder() .setKeyId(keyId) .setDeleteFromDevice(deleteFromToken) 
@@ -521,7 +475,7 @@ public static void deleteKey(String keyId, boolean deleteFromToken) throws Excep public static void setCertStatus(String certId, String status) throws Exception { log.trace("Setting cert ('{}') status to '{}'", certId, status); - executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + RpcSignerClient.execute(ctx -> ctx.blockingCertificateService .setCertStatus(SetCertStatusReq.newBuilder() .setCertId(certId) .setStatus(status) @@ -533,13 +487,13 @@ public static void setCertStatus(String certId, String status) throws Exception * * @param hash cert hash. Will be converted to lowercase, which is what signer uses internally * @return CertificateInfo - * @throws Exception + * @throws Exception if any error occur */ public static CertificateInfo getCertForHash(String hash) throws Exception { final String finalHash = hash.toLowerCase(); log.trace("Getting cert by hash '{}'", hash); - var response = executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + var response = RpcSignerClient.execute(ctx -> ctx.blockingCertificateService .getCertificateInfoForHash(GetCertificateInfoForHashReq.newBuilder() .setCertHash(finalHash) .build())); @@ -560,7 +514,7 @@ public static KeyIdInfo getKeyIdForCertHash(String hash) throws Exception { final String finalHash = hash.toLowerCase(); log.trace("Getting cert by hash '{}'", finalHash); - var response = executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() + var response = RpcSignerClient.execute(ctx -> ctx.blockingKeyService .getKeyIdForCertHash(GetKeyIdForCertHashReq.newBuilder() .setCertHash(finalHash) .build())); 
@@ -577,11 +531,11 @@ public static KeyIdInfo getKeyIdForCertHash(String hash) throws Exception { * @return TokenInfoAndKeyId * @throws Exception */ - public static TokenInfoAndKeyId getTokenAndKeyIdForCertHash(String hash) { + public static TokenInfoAndKeyId getTokenAndKeyIdForCertHash(String hash) throws Exception { String hashLowercase = hash.toLowerCase(); log.trace("Getting token and key id by cert hash '{}'", hashLowercase); - var response = executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() + var response = RpcSignerClient.execute(ctx -> ctx.blockingTokenService .getTokenAndKeyIdByCertHash(GetTokenByCertHashReq.newBuilder() .setCertHash(hashLowercase) .build())); @@ -600,7 +554,7 @@ public static TokenInfoAndKeyId getTokenAndKeyIdForCertHash(String hash) { */ public static String[] getOcspResponses(String[] certHashes) throws Exception { - var response = executeAndHandleException(() -> getSignerClient().getOcspServiceBlockingStub() + var response = RpcSignerClient.execute(ctx -> ctx.blockingOcspService .getOcspResponses(GetOcspResponsesReq.newBuilder() .addAllCertHash(toLowerCase(certHashes)) .build())); @@ -617,7 +571,7 @@ public static String[] getOcspResponses(String[] certHashes) throws Exception { } public static void setOcspResponses(String[] certHashes, String[] base64EncodedResponses) throws Exception { - executeAndHandleException(() -> getSignerClient().getOcspServiceBlockingStub() + RpcSignerClient.execute(ctx -> ctx.blockingOcspService .setOcspResponses(SetOcspResponsesReq.newBuilder() .addAllCertHashes(asList(certHashes)) .addAllBase64EncodedResponses(asList(base64EncodedResponses)) 
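Review bot: getTokenAndKeyIdForCertHash now declares `throws Exception`, but its Javadoc still ends with a bare `@throws Exception`, which tells callers nothing about when to expect a failure. The getCertForHash hunk in this patch fills the same tag in; here I would write `* @throws Exception if any errors occur`, matching the wording on getTokens and getToken. The method body continues past the end of the hunk.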
@@ -638,7 +592,7 @@ private static List toLowerCase(String[] certHashes) { * @throws Exception */ public static AuthKeyInfo getAuthKey(SecurityServerId serverId) throws Exception { - var response = executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() + var response = RpcSignerClient.execute(ctx -> ctx.blockingKeyService .getAuthKey(GetAuthKeyReq.newBuilder() .setSecurityServer(SecurityServerIdMapper.toDto(serverId)) .build())); @@ -659,7 +613,7 @@ public static AuthKeyInfo getAuthKey(SecurityServerId serverId) throws Exception public static TokenInfoAndKeyId getTokenAndKeyIdForCertRequestId(String certRequestId) throws Exception { log.trace("Getting token and key id by cert request id '{}'", certRequestId); - var response = executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() + var response = RpcSignerClient.execute(ctx -> ctx.blockingTokenService .getTokenAndKeyIdByCertRequestId(GetTokenByCertRequestIdReq.newBuilder() .setCertRequestId(certRequestId) .build())); @@ -677,12 +631,14 @@ public static TokenInfoAndKeyId getTokenAndKeyIdForCertRequestId(String certRequ * @throws Exception if any errors occur */ public static TokenInfo getTokenForKeyId(String keyId) throws Exception { - return executeAndHandleException(() -> new TokenInfo(getSignerClient().getSignerApiBlockingStub() - .getTokenByKey(GetTokenByKeyIdReq.newBuilder().setKeyId(keyId).build()))); + var response = RpcSignerClient.execute(ctx -> ctx.blockingTokenService + .getTokenByKey(GetTokenByKeyIdReq.newBuilder().setKeyId(keyId).build())); + + return new TokenInfo(response); } public static String getSignMechanism(String keyId) throws Exception { - GetSignMechanismResp response = executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() + GetSignMechanismResp response = RpcSignerClient.execute(ctx -> ctx.blockingKeyService .getSignMechanism(GetSignMechanismReq.newBuilder() .setKeyId(keyId) .build())); 
@@ -691,7 +647,7 @@ public static String getSignMechanism(String keyId) throws Exception { } public static byte[] sign(String keyId, String signatureAlgorithmId, byte[] digest) throws Exception { - var response = executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() + var response = RpcSignerClient.execute(ctx -> ctx.blockingKeyService .sign(SignReq.newBuilder() .setKeyId(keyId) .setSignatureAlgorithmId(signatureAlgorithmId) @@ -701,8 +657,8 @@ public static byte[] sign(String keyId, String signatureAlgorithmId, byte[] dige return response.getSignature().toByteArray(); } - public static Boolean isTokenBatchSigningEnabled(String keyId) { - var response = executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() + public static Boolean isTokenBatchSigningEnabled(String keyId) throws Exception { + var response = RpcSignerClient.execute(ctx -> ctx.blockingTokenService .getTokenBatchSigningEnabled(GetTokenBatchSigningEnabledReq.newBuilder() .setKeyId(keyId) .build())); @@ -711,7 +667,7 @@ public static Boolean isTokenBatchSigningEnabled(String keyId) { } public static MemberSigningInfoDto getMemberSigningInfo(ClientId clientId) throws Exception { - var response = executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() + var response = RpcSignerClient.execute(ctx -> ctx.blockingTokenService .getMemberSigningInfo(GetMemberSigningInfoReq.newBuilder() .setMemberId(ClientIdMapper.toDto(clientId)) .build())); 
@@ -720,17 +676,18 @@ public static MemberSigningInfoDto getMemberSigningInfo(ClientId clientId) throw } public static List getMemberCerts(ClientId memberId) throws Exception { - var response = executeAndHandleException(() -> getSignerClient().getCertificateServiceBlockingStub() + var response = RpcSignerClient.execute(ctx -> ctx.blockingCertificateService .getMemberCerts(GetMemberCertsReq.newBuilder() .setMemberId(ClientIdMapper.toDto(memberId)) .build())); + return response.getCertsList().stream() .map(CertificateInfo::new) .collect(Collectors.toList()); } public static boolean isHSMOperational() throws Exception { - var response = executeAndHandleException(() -> getSignerClient().getSignerApiBlockingStub() + var response = RpcSignerClient.execute(ctx -> ctx.blockingTokenService .getHSMOperationalInfo(Empty.getDefaultInstance())); return response.getOperational(); @@ -738,7 +695,7 @@ public static boolean isHSMOperational() throws Exception { public static byte[] signCertificate(String keyId, String signatureAlgorithmId, String subjectName, PublicKey publicKey) throws Exception { - var response = executeAndHandleException(() -> getSignerClient().getKeyServiceBlockingStub() + var response = RpcSignerClient.execute(ctx -> ctx.blockingKeyService .signCertificate(SignCertificateReq.newBuilder() .setKeyId(keyId) .setSignatureAlgorithmId(signatureAlgorithmId) diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java index ef262ff438..b1318799fa 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java 
@@ -25,52 +25,119 @@ */ package ee.ria.xroad.signer.protocol; +import ee.ria.xroad.common.CodedException; +import ee.ria.xroad.common.SystemProperties; +import ee.ria.xroad.signer.protocol.dto.CodedExceptionProto; + +import com.google.protobuf.Any; +import com.google.protobuf.InvalidProtocolBufferException; import io.grpc.Channel; import io.grpc.Grpc; import io.grpc.ManagedChannel; -import lombok.Getter; +import io.grpc.StatusRuntimeException; import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.proto.CertificateServiceGrpc; import org.niis.xroad.signer.proto.KeyServiceGrpc; import org.niis.xroad.signer.proto.OcspServiceGrpc; import org.niis.xroad.signer.proto.TokenServiceGrpc; +import static ee.ria.xroad.common.ErrorCodes.SIGNER_X; import static org.niis.xroad.signer.grpc.ServerCredentialsConfigurer.createClientCredentials; @Slf4j public class RpcSignerClient { - @Getter - private final TokenServiceGrpc.TokenServiceStub signerApiStub; - @Getter - private final TokenServiceGrpc.TokenServiceBlockingStub signerApiBlockingStub; - @Getter - private final CertificateServiceGrpc.CertificateServiceBlockingStub certificateServiceBlockingStub; - @Getter - private final KeyServiceGrpc.KeyServiceBlockingStub keyServiceBlockingStub; - @Getter - private final OcspServiceGrpc.OcspServiceBlockingStub ocspServiceBlockingStub; + private static RpcSignerClient instance; + + private final ManagedChannel channel; + private final ExecutionContext executionContext; /** - * Construct client for accessing RouteGuide server using the existing channel. + * Construct client for accessing Signer services using the provided channel. 
*/ - public RpcSignerClient(Channel channel) { - signerApiStub = TokenServiceGrpc.newStub(channel); - signerApiBlockingStub = TokenServiceGrpc.newBlockingStub(channel); - certificateServiceBlockingStub = CertificateServiceGrpc.newBlockingStub(channel); - keyServiceBlockingStub = KeyServiceGrpc.newBlockingStub(channel); - ocspServiceBlockingStub = OcspServiceGrpc.newBlockingStub(channel); + private RpcSignerClient(final ManagedChannel channel) { + this.channel = channel; + this.executionContext = new ExecutionContext(channel); } /** - * Greet server. If provided, the first element of {@code args} is the name to use in the - * greeting. + * Initialize with default settings + * + * @throws Exception */ - public static RpcSignerClient init(String host, int port) throws Exception { + public static void init() throws Exception { + init(SystemProperties.getGrpcSignerHost(), SystemProperties.getGrpcSignerPort()); + } + + public static void init(String host, int port) throws Exception { var credentials = createClientCredentials(); log.info("Starting grpc client with {} credentials..", credentials.getClass().getSimpleName()); ManagedChannel channel = Grpc.newChannelBuilderForAddress(host, port, credentials) .build(); - return new RpcSignerClient(channel); + instance = new RpcSignerClient(channel); + } + + public static void shutdown() { + if (instance != null) { + instance.channel.shutdown(); + } + } + + public static class ExecutionContext { + public final TokenServiceGrpc.TokenServiceStub tokenService; + + public final TokenServiceGrpc.TokenServiceBlockingStub blockingTokenService; + public final CertificateServiceGrpc.CertificateServiceBlockingStub blockingCertificateService; + public final KeyServiceGrpc.KeyServiceBlockingStub blockingKeyService; + public final OcspServiceGrpc.OcspServiceBlockingStub blockingOcspService; + + public ExecutionContext(final Channel channel) { + tokenService = TokenServiceGrpc.newStub(channel); + + blockingTokenService = 
TokenServiceGrpc.newBlockingStub(channel); + blockingCertificateService = CertificateServiceGrpc.newBlockingStub(channel); + blockingKeyService = KeyServiceGrpc.newBlockingStub(channel); + blockingOcspService = OcspServiceGrpc.newBlockingStub(channel); + } + } + + public static V execute(RpcExecution grpcCall) throws Exception { + try { + return grpcCall.exec(getInstance().executionContext); + } catch (StatusRuntimeException error) { + com.google.rpc.Status status = io.grpc.protobuf.StatusProto.fromThrowable(error); + if (status != null) { + for (Any any : status.getDetailsList()) { + if (any.is(CodedExceptionProto.class)) { + try { + final CodedExceptionProto ce = any.unpack(CodedExceptionProto.class); + throw CodedException.tr(ce.getFaultCode(), ce.getTranslationCode(), ce.getFaultString()) + .withPrefix(SIGNER_X); + } catch (InvalidProtocolBufferException e) { + throw new RuntimeException("Failed to parse grpc message", e); + } + } + } + } + throw error; + } + } + + @FunctionalInterface + public interface RpcExecution { + /** + * Computes a result, or throws an exception if unable to do so. + * + * @return computed result + * @throws Exception if unable to compute a result + */ + V exec(ExecutionContext ctx) throws Exception; + } + + public static RpcSignerClient getInstance() { + if (instance == null) { + throw new RuntimeException("RpcSignerClient is not initialized! Execute RpcSignerClient#init before using this client."); + } + return instance; } } diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SignerClient.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SignerClient.java deleted file mode 100644 index 8d84ece4f6..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SignerClient.java +++ /dev/null 
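Review bot: `instance` is a plain static field that `init(String, int)` overwrites without synchronisation and without closing the channel it replaces, so a second `init` call leaves the previous ManagedChannel open and a thread inside `execute` may not observe the new value. Declaring the field `volatile`, making `init` `synchronized` and shutting down the replaced channel covers both, as sketched below. `shutdown()` also leaves `instance` set, so a later `execute` would run against a channel that is already shut down; clearing the field there would let `getInstance()` report the state instead. Separately, the blocking stubs in ExecutionContext are created without a deadline, so a signer that stops answering would block the caller for as long as the call hangs; a per-call `withDeadlineAfter(...)` is worth considering.

```java
private static volatile RpcSignerClient instance;

public static synchronized void init(String host, int port) throws Exception {
    // … unchanged: credentials lookup, log line and channel construction …
    RpcSignerClient previous = instance;
    instance = new RpcSignerClient(channel);
    if (previous != null) {
        // release the connection held by the client being replaced
        previous.channel.shutdown();
    }
}
```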
@@ -1,268 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.signer.protocol; - -import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.common.SystemProperties; - -import akka.actor.ActorIdentity; -import akka.actor.ActorRef; -import akka.actor.ActorSystem; -import akka.actor.Props; -import akka.actor.UntypedAbstractActor; -import lombok.extern.slf4j.Slf4j; - -import java.time.Duration; -import java.util.Objects; -import java.util.concurrent.CancellationException; -import java.util.concurrent.CompletableFuture; -import java.util.concurrent.ExecutionException; -import java.util.concurrent.TimeUnit; -import java.util.concurrent.TimeoutException; - -import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; -import static ee.ria.xroad.signer.protocol.SignerClient.SignerWatcher.requestProcessor; - -/** - * Signer client is used to send messages to signer from other components - * (running as separate JVM processes). - */ -@Slf4j -@Deprecated -public final class SignerClient { - - public static final String LOCALHOST_IP = "127.0.0.1"; - - private SignerClient() { - } - - /** - * Initializes the client with the provided actor system. - * - * @param system the actor system - * @throws Exception if an error occurs - */ - public static void init(ActorSystem system) { - init(system, LOCALHOST_IP); - } - - /** - * Initializes the client with the provided actor system. - * - * @param system the actor system - * @param signerIpAddress IP address for remote signer - * or 127.0.0.1 for local signer - * @throws Exception if an error occurs - */ - public static void init(ActorSystem system, String signerIpAddress) { - SignerWatcher.init(system, signerIpAddress); - } - - /** - * Forwards a message to the signer. - * - * @param message the message - * @param receiver the receiver actor - */ - public static void execute(Object message, ActorRef receiver) { - requestProcessor().tell(message, receiver); - } - - /** - * Returns the object as the instance or throws exception, if the object - * is throwable. 
- * - * @param the type of result - * @param result the result object - * @return result - * @throws Exception if the object is throwable - */ - @SuppressWarnings("unchecked") - public static T result(Object result) throws Exception { - if (result instanceof Throwable) { - throw (Exception) result; - } else { - return (T) result; - } - } - - /** - * Watches Signer request processor and proactively keeps the actor reference up to date. - * For example, in case of a Signer restart, the watcher detects that the request - * processor is replaced with an new actor. Uses only ActorIdentity messages to avoid quarantine in case the - * communications is interrupted. The disadvantage is that detecting e.g. Signer restart and shutdown is - * somewhat slower and requires constant polling (Akka remote watch also uses polling, so the amount of messages - * is not higher). - * - * @see Akka documentation about Actor - * Lifecycle - */ - static class SignerWatcher extends UntypedAbstractActor { - - /* - * the Future will be completed by the internally used SignerWatcher actor, and replaced with a new one in case - * the Signer is restarted. The purpose is to avoid long request timeouts when the signer is not (yet) - * available and make it possible to wait for the actor reference to appear. - */ - private static volatile CompletableFuture requestProcessorFuture = null; - - private static final Duration WATCH_DELAY = Duration - .ofSeconds(SystemProperties.getSignerClientHeartbeatInterval()); - public static final int UNREACHABLE_THRESHOLD = SystemProperties.getSignerClientFailureThreshold(); - - private static final int REF_GET_TIMEOUT = 7; - - /** - * Returns an actor reference to the Signer request processor. Waits up to {@link #REF_GET_TIMEOUT} seconds - * for the reference to be available. 
- * - * @throws IllegalStateException if the signer client has not been initialized (see {@link #init(ActorSystem, - * String)}) - * @throws CodedException if the signer does not become available in {@link #REF_GET_TIMEOUT} seconds or - * the wait is interrupted. - */ - static ActorRef requestProcessor() { - final CompletableFuture processor = requestProcessorFuture; - if (processor == null) { - throw new IllegalStateException("SignerClient is not initialized"); - } - try { - return processor.get(REF_GET_TIMEOUT, TimeUnit.SECONDS); - } catch (ExecutionException | TimeoutException | CancellationException e) { - throw new CodedException(X_INTERNAL_ERROR, e, "Signer is unreachable"); - } catch (InterruptedException e) { - Thread.currentThread().interrupt(); - throw new CodedException(X_INTERNAL_ERROR, e, "Request to signer was interrupted"); - } - } - - static synchronized void init(ActorSystem system, String signerIpAddress) { - if (requestProcessorFuture == null) { - requestProcessorFuture = new CompletableFuture<>(); - system.actorOf(Props.create(SignerWatcher.class, signerIpAddress)); - } - } - - private static synchronized void resetRequestProcessorFuture(CompletableFuture processor) { - if (requestProcessorFuture != null && !requestProcessorFuture.isDone()) { - //cancel pending future (any waiters will get an exception) - requestProcessorFuture.cancel(true); - } - requestProcessorFuture = processor; - } - - private long correlationId = 0; - private long lastSeenCorrelationId = 0; - - //the handle to the currently known SignerRequestProcessor actor - //can be null if the actor is not know yet (we are starting, or signer has just restarted) - private ActorRef requestProcessorRef; - - - private final String signerIpAddress; - - interface Watch { - } - - SignerWatcher(String signerIpAddress) { - this.signerIpAddress = signerIpAddress; - } - - @Override - public void preStart() { - self().tell(Watch.class, self()); - } - - @Override - public void postStop() { - 
requestProcessorRef = null; - resetRequestProcessorFuture(null); - } - - @Override - public void onReceive(final Object message) { - log.trace("onReceive({})", message); - - if (Watch.class == message) { - if (correlationId - lastSeenCorrelationId > UNREACHABLE_THRESHOLD) { - detachProcessor(); - } - identifyProcessor(); - scheduleWatch(); - } else if (message instanceof ActorIdentity) { - attachProcessor((ActorIdentity) message); - } else { - unhandled(message); - } - } - - private void scheduleWatch() { - context().system().scheduler() - .scheduleOnce(WATCH_DELAY, self(), Watch.class, context().system().dispatcher(), self()); - } - - private void detachProcessor() { - if (requestProcessorRef != null) { - log.warn("Signer is unreachable"); - requestProcessorRef = null; - resetRequestProcessorFuture(new CompletableFuture<>()); - } - } - - private void attachProcessor(final ActorIdentity message) { - - final Long id = (Long) message.correlationId(); - if (id > lastSeenCorrelationId) { - lastSeenCorrelationId = id; - } else { - return; - } - - final ActorRef ref = message.getActorRef().orElse(null); - if (Objects.equals(ref, requestProcessorRef)) return; - - requestProcessorRef = ref; - if (requestProcessorRef != null) { - if (!requestProcessorFuture.complete(requestProcessorRef)) { - // In case the future was already completed, replace it - // Can e.g. happen if the signer has restarted and we have not detected it yet - resetRequestProcessorFuture(CompletableFuture.completedFuture(requestProcessorRef)); - } - log.info("Signer is available"); - } else { - log.warn("Signer is unreachable"); - if (requestProcessorFuture.isDone()) { - resetRequestProcessorFuture(new CompletableFuture<>()); - } - } - } - - private void identifyProcessor() { - correlationId++; - } - - } -} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java index fd76a9d73f..94c0f4b2d4 100644 
--- a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java @@ -120,15 +120,14 @@ private static void startup() throws Exception { } private static void initGrpc() throws Exception { - int port = 5560; + int port = SystemProperties.getGrpcSignerPort(); log.info("Initializing GRPC server on port {}.. ", port); - RpcServer.init(port, builder -> { - springCtx.getBeansOfType(io.grpc.BindableService.class).forEach((s, bindableService) -> { - log.info("Registering {} gRPC service.", bindableService.getClass().getSimpleName()); - builder.addService(bindableService); - }); - }); + RpcServer.init(port, builder -> + springCtx.getBeansOfType(io.grpc.BindableService.class).forEach((s, bindableService) -> { + log.info("Registering {} gRPC service.", bindableService.getClass().getSimpleName()); + builder.addService(bindableService); + })); } //TODO: shutdown was tied to akka. From dcdcfc7f6805680a758af8d274713fbabc6072e0 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Tue, 12 Sep 2023 11:43:22 +0300 Subject: [PATCH 055/127] chore: wip, removing akka from BatchSigner Refs: XRDDEV-2468 --- .../xroad/common/signature/BatchSigner.java | 337 +++++++----------- .../java/ee/ria/xroad/proxy/ProxyMain.java | 2 +- 2 files changed, 122 insertions(+), 217 deletions(-) diff --git a/src/proxy/src/main/java/ee/ria/xroad/common/signature/BatchSigner.java b/src/proxy/src/main/java/ee/ria/xroad/common/signature/BatchSigner.java index 6f47954ff6..a7cc750be1 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/common/signature/BatchSigner.java +++ b/src/proxy/src/main/java/ee/ria/xroad/common/signature/BatchSigner.java 
@@ -28,76 +28,59 @@ import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.signer.SignerProxy; -import ee.ria.xroad.signer.protocol.SignerClient; -import ee.ria.xroad.signer.protocol.message.Sign; -import ee.ria.xroad.signer.protocol.message.SignResponse; - -import akka.actor.AbstractActorWithStash; -import akka.actor.ActorRef; -import akka.actor.ActorSystem; -import akka.actor.Props; -import akka.actor.UntypedAbstractActor; -import akka.pattern.Patterns; -import akka.util.Timeout; + import lombok.Data; import lombok.Getter; import lombok.extern.slf4j.Slf4j; -import org.bouncycastle.operator.OperatorCreationException; -import scala.concurrent.Await; -import java.io.IOException; -import java.security.NoSuchAlgorithmException; import java.security.cert.X509Certificate; import java.util.ArrayList; +import java.util.LinkedList; import java.util.List; +import java.util.Map; +import java.util.concurrent.BlockingQueue; +import java.util.concurrent.CompletableFuture; +import java.util.concurrent.ConcurrentHashMap; +import java.util.concurrent.LinkedBlockingQueue; import java.util.concurrent.TimeUnit; -import static ee.ria.xroad.common.ErrorCodes.SIGNER_X; import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; -import static ee.ria.xroad.common.ErrorCodes.translateException; import static ee.ria.xroad.common.util.CryptoUtils.calculateCertHexHash; import static ee.ria.xroad.common.util.CryptoUtils.calculateDigest; import static ee.ria.xroad.common.util.CryptoUtils.getDigestAlgorithmId; /** * This class handles batch signing. Batch signatures are created always, if - * there are more then one message parts (e.g. messages with attachments). + * there are more than one message parts (e.g. messages with attachments). * Signing requests are grouped by the signing certificate. - * + *

* Moreover, multiple signing requests for the same signing certificate * (and thus the same key id) are signed in batch and the resulting hash * chain is produced for each request. - * + *

* The batch signer is an Akka actor, it creates child actors per * signing certificate, which means there is essentially one batch signer * per signing certificate. */ @Slf4j -public class BatchSigner extends UntypedAbstractActor { +public class BatchSigner { private static final int TIMEOUT_MILLIS = SystemProperties.getSignerClientTimeout(); - private static final Timeout DEFAULT_TIMEOUT = new Timeout(TIMEOUT_MILLIS, TimeUnit.MILLISECONDS); - // Holds the actor instance, which sends and receives messages. - private static ActorRef instance; + private static BatchSigner instance; - /** - * Initializes the batch signer with the given actor system. - * - * @param actorSystem actor system the batch signer should use - */ - public static void init(ActorSystem actorSystem) { - if (instance == null) { - instance = actorSystem.actorOf(Props.create(BatchSigner.class)); - } + private final Map workers = new ConcurrentHashMap<>(); + + public static void init() { + instance = new BatchSigner(); } /** * Submits the given signing request for batch signing. * - * @param keyId the signing key + * @param keyId the signing key * @param signatureAlgorithmId ID of the signature algorithm to use - * @param request the signing request + * @param request the signing request * @return the signature data * @throws Exception in case of any errors */ 
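Review bot: `init()` now assigns `instance = new BatchSigner()` unconditionally, where the removed version only created the signer when `instance == null`. A second call would replace the instance and leave the previous one's `workers` map, and the threads those workers start, out of reach of any later stop. `instance` is also read by `sign()` on request threads with no `volatile` or lock, so I would keep the guard and synchronize the method: `public static synchronized void init() { if (instance == null) { instance = new BatchSigner(); } }`. The class Javadoc in this hunk still describes the batch signer as an Akka actor with child actors.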
@@ -107,81 +90,55 @@ public static SignatureData sign(String keyId, String signatureAlgorithmId, Sign throw new IllegalStateException("BatchSigner is not initialized"); } - // Send the signing request to the actor instance (itself) - return SignerClient.result(Await.result(Patterns.ask(instance, new SigningRequestWrapper( - keyId, signatureAlgorithmId, request), DEFAULT_TIMEOUT.duration().length()), - DEFAULT_TIMEOUT.duration())); - } - - @Override - public void onReceive(Object message) throws Exception { - try { - if (message instanceof SigningRequestWrapper) { - handle((SigningRequestWrapper) message); - } else { - log.trace("unhandled({})", message); - - unhandled(message); - } - } catch (Exception e) { - log.error("Error in signing worker", e); - - getSender().tell(e, getSelf()); - } + CompletableFuture completableFuture = new CompletableFuture<>(); + final SigningRequestWrapper signRequestWrapper = new SigningRequestWrapper( + completableFuture, + keyId, signatureAlgorithmId, request); + instance.handle(signRequestWrapper); + return completableFuture.get(TIMEOUT_MILLIS, TimeUnit.MILLISECONDS); } - private void handle(SigningRequestWrapper signRequest) throws Exception { - // New incoming sign request. Find the corresponding batch signer actor + private void handle(SigningRequestWrapper signRequest) { + // New incoming sign request. Find the corresponding batch signer // (if not found, create one) and relay the sign request to the worker. - try { - getWorker(signRequest).tell(signRequest, getSender()); - } catch (Exception e) { - throw new RuntimeException("Unable to get worker", e); - } + getWorker(signRequest).handleSignRequest(signRequest); } - private ActorRef getWorker(SigningRequestWrapper signRequest) throws Exception { + private WorkerImpl getWorker(SigningRequestWrapper signRequest) { // Signing worker based on cert hash. 
- String name = calculateCertHexHash(signRequest.getSigningCert()); - - ActorRef worker = getContext().findChild(name).orElse(null); - - if (worker == null) { - log.trace("Creating new worker for cert '{}'", name); + try { + String name = calculateCertHexHash(signRequest.getSigningCert()); - worker = getContext().actorOf(Props.create(WorkerImpl.class), name); + return workers.computeIfAbsent(name, key -> { + log.trace("Creating new worker for cert '{}'", name); + return new WorkerImpl(); + }); + } catch (Exception e) { + throw new RuntimeException("Unable to get worker", e); } - - return worker; } /** * This is the worker that does the heavy lifting. */ - private static class WorkerImpl extends AbstractActorWithStash { - - // The currently active signing ctx. - private BatchSignatureCtx workingSigningCtx; - - // The next signing ctx, if batch signing. - private BatchSignatureCtx nextSigningCtx; + private static class WorkerImpl { private long signStartTime; private boolean workerBusy; - private Boolean batchSigningEnabled; + private volatile Boolean batchSigningEnabled; - @Override - public Receive createReceive() { - return receiveBuilder() - .match(SigningRequestWrapper.class, this::handleSignRequest) - .match(SignResponse.class, this::handleSignResponse) - .match(Exception.class, this::handleException) - .matchAny(this::unhandled) - .build(); + private final BlockingQueue requestsQueue = new LinkedBlockingQueue<>(); + private boolean stopping; + private final Thread workerThread; + + protected WorkerImpl() { + workerThread = new Thread(this::process); + workerThread.setDaemon(true); // todo check, if really needed? + workerThread.start(); } - private void handleSignRequest(SigningRequestWrapper signRequest) throws Exception { + public synchronized void handleSignRequest(SigningRequestWrapper signRequest) { log.trace("handleSignRequest()"); // If we do not know whether batch signing is enabled for the token, 
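Review bot: In `sign()`, `completableFuture.get(TIMEOUT_MILLIS, TimeUnit.MILLISECONDS)` reports a worker failure as `ExecutionException`, so whatever the worker passed to `completeExceptionally` reaches the caller wrapped, whereas the removed `SignerClient.result(...)` path rethrew the original exception. Callers that inspect the fault code of a `CodedException` from the signer would presumably see a generic failure instead. Unwrap before propagating: `catch (ExecutionException e) { throw e.getCause() instanceof Exception ? (Exception) e.getCause() : e; }`, which also needs `java.util.concurrent.ExecutionException` in the import list. `sign()` begins above this hunk.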
@@ -190,24 +147,7 @@ private void handleSignRequest(SigningRequestWrapper signRequest) throws Excepti if (batchSigningEnabled == null) { queryBatchSigningEnabled(signRequest.getKeyId()); } - - // Handle incoming sign request. If the token worker is currently - // busy (signing, generating key, etc...) and batch signing is - // enabled then create signing context and collect all following - // sign requests to be signed in batch. Otherwise just sign the - // data straight away. - if (isWorkerBusy()) { - if (batchSigningEnabled) { - doBatchSign(signRequest); - } else { - log.trace("Batch signing not enabled, stashing request"); - // Batch signing not enabled, but currently busy, - // so stash this message for future. - stash(); - } - } else { - doSign(signRequest); - } + requestsQueue.add(signRequest); } private void queryBatchSigningEnabled(String keyId) { 
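Review bot: `requestsQueue.add(signRequest)` can never be reached once the worker thread is running, because `handleSignRequest` is declared `synchronized` (its signature is at the end of the previous hunk) and so is `process()` in the `@@ -334,39 +178,100 @@` hunk. The worker thread enters `process()` from the constructor and holds the `WorkerImpl` monitor for its whole life, including while blocked in `requestsQueue.take()`, so every caller blocks on the monitor and `sign()` never gets as far as its timed `get`. `LinkedBlockingQueue` is already safe for concurrent producers and a consumer, so neither method needs the lock: `public void handleSignRequest(...)` and `private void process()`. The lazy `batchSigningEnabled == null` check then needs its own guard, or the query can be done once in the constructor.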
@@ -218,71 +158,6 @@ private void queryBatchSigningEnabled(String keyId) { } } - private void doBatchSign(SigningRequestWrapper wrapper) { - log.trace("doBatchSign()"); - - if (nextSigningCtx == null) { - nextSigningCtx = new BatchSignatureCtx(wrapper.getKeyId(), wrapper.getSignatureAlgorithmId()); - } - - nextSigningCtx.add(getSender(), wrapper.getRequest()); - } - - private void doSign(SigningRequestWrapper wrapper) throws Exception { - log.trace("doSign()"); - - BatchSignatureCtx ctx = new BatchSignatureCtx(wrapper.getKeyId(), wrapper.getSignatureAlgorithmId()); - ctx.add(getSender(), wrapper.getRequest()); - - workingSigningCtx = ctx; - - doCalculateSignature(ctx.getKeyId(), ctx.getSignatureAlgorithmId(), ctx.getDataToBeSigned()); - } - - private void handleSignResponse(SignResponse signResponse) { - log.trace("handleSignResponse()"); - - workerBusy = false; - - // Handle the (successful) signature calculation result that came - // from Signer -- send the signature to the clients. - sendResponse(signResponse); - - // If batch signing is not enabled, then start signing the next - // stashed messages. - if (!batchSigningEnabled) { - unstashAll(); - } else if (nextSigningCtx != null) { - // Start the next batch signing (if any). - startNextBatchSigning(); - } - } - - private void handleException(Exception exception) { - log.trace("handleException()"); - - workerBusy = false; - - sendResponse(exception); - } - - private void startNextBatchSigning() { - log.trace("startNextBatchSigning()"); - - workingSigningCtx = nextSigningCtx; - nextSigningCtx = null; - - try { - doCalculateSignature(workingSigningCtx.getKeyId(), workingSigningCtx.getSignatureAlgorithmId(), - workingSigningCtx.getDataToBeSigned()); - } catch (Exception e) { - sendResponse(workingSigningCtx, translateException(e)); - - workerBusy = true; - workingSigningCtx = null; - } - } - private boolean isWorkerBusy() { if (isSignatureCreationTimedOut()) { workerBusy = false; 
@@ -294,38 +169,7 @@ private boolean isWorkerBusy() { } private boolean isSignatureCreationTimedOut() { - return workerBusy && System.currentTimeMillis() - signStartTime >= DEFAULT_TIMEOUT.duration().length(); - } - - private void doCalculateSignature(String keyId, String signatureAlgorithmId, byte[] data) - throws NoSuchAlgorithmException, IOException, OperatorCreationException { - workerBusy = true; - signStartTime = System.currentTimeMillis(); - - byte[] digest = calculateDigest(getDigestAlgorithmId(signatureAlgorithmId), data); - - // Proxy this request to the Signer. - SignerClient.execute(new Sign(keyId, signatureAlgorithmId, digest), getSelf()); - } - - private void sendResponse(Object message) { - log.trace("sendResponse({})", message); - - if (workingSigningCtx != null) { - try { - if (message instanceof SignResponse) { - sendSignatureResponse(workingSigningCtx, ((SignResponse) message).getSignature()); - } else { - sendResponse(workingSigningCtx, message); - } - } catch (Exception e) { - sendResponse(workingSigningCtx, e); - } - - workingSigningCtx = null; - } else { - throw new RuntimeException("No signing context"); - } + return workerBusy && System.currentTimeMillis() - signStartTime >= TIMEOUT_MILLIS; } private void sendSignatureResponse(BatchSignatureCtx ctx, byte[] signatureValue) throws Exception { 
@@ -334,39 +178,100 @@ private void sendSignatureResponse(BatchSignatureCtx ctx, byte[] signatureValue) // Each client gets corresponding hash chain -- client index in the // clients list determines the hash chain. for (int i = 0; i < ctx.getClients().size(); i++) { - ActorRef client = ctx.getClients().get(i); - client.tell(ctx.createSignatureData(signature, i), getSelf()); + CompletableFuture client = ctx.getClients().get(i); + final boolean completed = client.complete(ctx.createSignatureData(signature, i)); + if (!completed) { + log.trace("future was completed already"); + } } } private void sendResponse(BatchSignatureCtx ctx, Object message) { - for (ActorRef client : ctx.getClients()) { + for (CompletableFuture client : ctx.getClients()) { sendResponse(client, message); } } - private void sendResponse(ActorRef client, Object message) { - if (client != ActorRef.noSender()) { - if (message instanceof CodedException) { - client.tell(((CodedException) message).withPrefix(SIGNER_X), getSelf()); - } else { - client.tell(message, getSelf()); + private void sendResponse(CompletableFuture client, Object message) { +// if (message instanceof CodedException) { +// client.completeExceptionally((CodedException) message); + if (message instanceof Exception) { + client.completeExceptionally((Exception) message); + } else { + client.complete((SignatureData) message); + } + } + + private boolean isExpired(SigningRequestWrapper requestWrapper) { + // do not sign requests if timeout is already passed. + return System.currentTimeMillis() - requestWrapper.getCreatedOn() > TIMEOUT_MILLIS; + } + + private synchronized void process() { + while (!stopping) { + log.trace("polling queue"); + List requests = new LinkedList<>(); + try { + SigningRequestWrapper first; + do { + first = requestsQueue.take(); + } while (isExpired(first)); + + requests.add(first); + if (batchSigningEnabled) { + // poll all. todo should add max batchSize param? 
+ requestsQueue.drainTo(requests); + } + + log.trace("processing {} sign requests", requests.size()); + BatchSignatureCtx ctx = new BatchSignatureCtx(first.getKeyId(), first.getSignatureAlgorithmId()); + requests.stream() + .filter(req -> !isExpired(req)) + .forEach(req -> ctx.add(req.getClientFuture(), req.getRequest())); + + try { + byte[] digest = calculateDigest(getDigestAlgorithmId(ctx.getSignatureAlgorithmId()), ctx.getDataToBeSigned()); + final byte[] response = SignerProxy.sign(ctx.getKeyId(), ctx.getSignatureAlgorithmId(), digest); + + sendSignatureResponse(ctx, response); + } catch (Exception exception) { + sendResponse(ctx, exception); + } + } catch (InterruptedException interruptedException) { + log.trace("queue polling interrupted"); } } } + protected void stop() { + log.trace("stop()"); + this.stopping = true; + this.workerThread.interrupt(); + } + } + /** * Convenience class that wraps the request along with the keyId * and algorithm id. */ @Data private static class SigningRequestWrapper { + private final long createdOn; + private final CompletableFuture clientFuture; private final String keyId; private final String signatureAlgorithmId; private final SigningRequest request; + public SigningRequestWrapper(CompletableFuture clientFuture, String keyId, String signatureAlgorithmId, SigningRequest request) { + this.createdOn = System.currentTimeMillis(); + this.clientFuture = clientFuture; + this.keyId = keyId; + this.signatureAlgorithmId = signatureAlgorithmId; + this.request = request; + } + X509Certificate getSigningCert() { return request.getSigningCert(); } @@ -379,7 +284,7 @@ X509Certificate getSigningCert() { private static class BatchSignatureCtx extends SignatureCtx { @Getter - private final List clients = new ArrayList<>(); + private final List> clients = new ArrayList<>(); @Getter private final String keyId; 
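Review bot: The loop in `process()` catches only `InterruptedException` around the code that builds a batch, so any runtime exception thrown outside the inner `try` ends the worker thread. `if (batchSigningEnabled)` unboxes a `Boolean` that stays null until `queryBatchSigningEnabled` sets it (that method's body is outside the hunk, so whether it can leave the field null is an assumption), and `ctx.add(...)` is another candidate. A dead worker remains in the `workers` map, so later requests for that certificate are queued and can only time out, and the requests already drained are never completed. Add a handler that fails the batch and keeps the loop alive: `catch (RuntimeException e) { log.error("Batch signing worker failed", e); requests.forEach(r -> r.getClientFuture().completeExceptionally(e)); }`.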
@@ -390,7 +295,7 @@ private static class BatchSignatureCtx extends SignatureCtx { this.keyId = keyId; } - void add(ActorRef client, SigningRequest request) { + void add(CompletableFuture client, SigningRequest request) { clients.add(client); add(request); } diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java index eec71b44f4..a550daa320 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java @@ -205,7 +205,7 @@ private static void createServices() throws Exception { MonitorAgent.init(actorSystem); RpcSignerClient.init(); - BatchSigner.init(actorSystem); + BatchSigner.init(); boolean messageLogEnabled = MessageLog.init(actorSystem, jobManager); OpMonitoring.init(actorSystem); From 6240ec124db6242a27a25f6cf877d305b4c7cf16 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Tue, 12 Sep 2023 12:50:23 +0300 Subject: [PATCH 056/127] chore: wip, removing akka from BatchSigner Refs: XRDDEV-2468 --- .../xroad/common/signature/BatchSigner.java | 62 +++++++------------ .../java/ee/ria/xroad/proxy/ProxyMain.java | 1 + 2 files changed, 23 insertions(+), 40 deletions(-) diff --git a/src/proxy/src/main/java/ee/ria/xroad/common/signature/BatchSigner.java b/src/proxy/src/main/java/ee/ria/xroad/common/signature/BatchSigner.java index a7cc750be1..f157b8f253 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/common/signature/BatchSigner.java +++ b/src/proxy/src/main/java/ee/ria/xroad/common/signature/BatchSigner.java @@ -43,6 +43,7 @@ import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.LinkedBlockingQueue; import java.util.concurrent.TimeUnit; +import java.util.concurrent.TimeoutException; import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; import static ee.ria.xroad.common.util.CryptoUtils.calculateCertHexHash; 
@@ -57,10 +58,6 @@ * Moreover, multiple signing requests for the same signing certificate * (and thus the same key id) are signed in batch and the resulting hash * chain is produced for each request. - *

- * The batch signer is an Akka actor, it creates child actors per - * signing certificate, which means there is essentially one batch signer - * per signing certificate. */ @Slf4j public class BatchSigner { @@ -75,6 +72,12 @@ public static void init() { instance = new BatchSigner(); } + public static void shutdown() { + if (instance != null) { + instance.workers.values().forEach(WorkerImpl::stop); + } + } + /** * Submits the given signing request for batch signing. * @@ -95,7 +98,12 @@ public static SignatureData sign(String keyId, String signatureAlgorithmId, Sign completableFuture, keyId, signatureAlgorithmId, request); instance.handle(signRequestWrapper); - return completableFuture.get(TIMEOUT_MILLIS, TimeUnit.MILLISECONDS); + + try { + return completableFuture.get(TIMEOUT_MILLIS, TimeUnit.MILLISECONDS); + } catch (TimeoutException timeoutException) { + throw new CodedException(X_INTERNAL_ERROR, "Signature creation timed out"); + } } private void handle(SigningRequestWrapper signRequest) { @@ -111,7 +119,7 @@ private WorkerImpl getWorker(SigningRequestWrapper signRequest) { return workers.computeIfAbsent(name, key -> { log.trace("Creating new worker for cert '{}'", name); - return new WorkerImpl(); + return new WorkerImpl(signRequest.getKeyId()); }); } catch (Exception e) { throw new RuntimeException("Unable to get worker", e); 
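Review bot: The new `catch (TimeoutException timeoutException)` in `sign()` discards the caught exception and leaves the future pending. Pass it as the cause, in the form the removed `SignerClient` used (`new CodedException(X_INTERNAL_ERROR, e, "Signer is unreachable")`), and cancel the future so a worker that dequeues the request later has nothing left to complete: `completableFuture.cancel(false); throw new CodedException(X_INTERNAL_ERROR, timeoutException, "Signature creation timed out");`. `sign()` starts above this hunk.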
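Review bot: `new WorkerImpl(signRequest.getKeyId())` runs inside the `computeIfAbsent` mapping function, and the constructor in the `@@ -126,27 +134,20 @@` hunk now calls `queryBatchSigningEnabled(keyId)`, which the comment removed there describes as blocking until the signer answers. `ConcurrentHashMap` holds a bin lock while the mapping function runs, so a slow or unreachable signer can stall `getWorker` for other certificates that land in the same bin; doing the signer query outside the map operation avoids that. The worker is keyed by certificate hash but configured from the first request's key id, which deserves a comment above the call, for example `// one worker per signing cert; keyId is assumed fixed for a given cert`. `getWorker` begins above this hunk.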
@@ -126,27 +134,20 @@ private static class WorkerImpl { private long signStartTime; private boolean workerBusy; - private volatile Boolean batchSigningEnabled; - + private boolean batchSigningEnabled; private final BlockingQueue requestsQueue = new LinkedBlockingQueue<>(); private boolean stopping; private final Thread workerThread; - protected WorkerImpl() { + protected WorkerImpl(String keyId) { + queryBatchSigningEnabled(keyId); workerThread = new Thread(this::process); workerThread.setDaemon(true); // todo check, if really needed? workerThread.start(); } - public synchronized void handleSignRequest(SigningRequestWrapper signRequest) { + public void handleSignRequest(SigningRequestWrapper signRequest) { log.trace("handleSignRequest()"); - - // If we do not know whether batch signing is enabled for the token, - // we ask from Signer. This call will block until response is - // received or error occurs. - if (batchSigningEnabled == null) { - queryBatchSigningEnabled(signRequest.getKeyId()); - } requestsQueue.add(signRequest); } @@ -186,19 +187,9 @@ private void sendSignatureResponse(BatchSignatureCtx ctx, byte[] signatureValue) } } - private void sendResponse(BatchSignatureCtx ctx, Object message) { + private void sendException(BatchSignatureCtx ctx, Exception message) { for (CompletableFuture client : ctx.getClients()) { - sendResponse(client, message); - } - } - - private void sendResponse(CompletableFuture client, Object message) { -// if (message instanceof CodedException) { -// client.completeExceptionally((CodedException) message); - if (message instanceof Exception) { - client.completeExceptionally((Exception) message); - } else { - client.complete((SignatureData) message); + client.completeExceptionally(message); } } 
@@ -232,10 +223,9 @@ private synchronized void process() { try { byte[] digest = calculateDigest(getDigestAlgorithmId(ctx.getSignatureAlgorithmId()), ctx.getDataToBeSigned()); final byte[] response = SignerProxy.sign(ctx.getKeyId(), ctx.getSignatureAlgorithmId(), digest); - sendSignatureResponse(ctx, response); } catch (Exception exception) { - sendResponse(ctx, exception); + sendException(ctx, exception); } } catch (InterruptedException interruptedException) { log.trace("queue polling interrupted"); @@ -258,20 +248,12 @@ protected void stop() { */ @Data private static class SigningRequestWrapper { - private final long createdOn; + private final long createdOn = System.currentTimeMillis(); private final CompletableFuture clientFuture; private final String keyId; private final String signatureAlgorithmId; private final SigningRequest request; - public SigningRequestWrapper(CompletableFuture clientFuture, String keyId, String signatureAlgorithmId, SigningRequest request) { - this.createdOn = System.currentTimeMillis(); - this.clientFuture = clientFuture; - this.keyId = keyId; - this.signatureAlgorithmId = signatureAlgorithmId; - this.request = request; - } - X509Certificate getSigningCert() { return request.getSigningCert(); } diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java index a550daa320..f838db3e0c 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java @@ -197,6 +197,7 @@ private static void shutdown() throws Exception { stopServices(); Await.ready(actorSystem.terminate(), Duration.Inf()); + BatchSigner.shutdown(); RpcSignerClient.shutdown(); } From b1ef6272cc5b14ecde3e04d043fd536c0d89da94 Mon Sep 17 00:00:00 2001 
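Review bot: Exceptions handed to `sendException` in `process()` reach the caller of `sign()` wrapped in `java.util.concurrent.ExecutionException`. This is because `client.completeExceptionally(message)` is paired with a `completableFuture.get(...)` that only catches `TimeoutException`. If `SignerProxy.sign` throws a `CodedException`, callers that catch `CodedException` no longer see its fault code; those callers are not visible here, so this needs confirming. In `sign()`, add a `catch (ExecutionException e)` that rethrows `e.getCause()` when it is a `CodedException` and wraps it otherwise. `process()` starts and ends outside this hunk.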
From: Justas Samuolis Date: Tue, 12 Sep 2023 13:12:26 +0300 Subject: [PATCH 057/127] chore: wip, removing akka from BatchSigner Refs: XRDDEV-2468 --- .../xroad/common/signature/BatchSigner.java | 35 ++++--------------- 1 file changed, 7 insertions(+), 28 deletions(-) diff --git a/src/proxy/src/main/java/ee/ria/xroad/common/signature/BatchSigner.java b/src/proxy/src/main/java/ee/ria/xroad/common/signature/BatchSigner.java index f157b8f253..f726b6af12 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/common/signature/BatchSigner.java +++ b/src/proxy/src/main/java/ee/ria/xroad/common/signature/BatchSigner.java @@ -131,16 +131,18 @@ private WorkerImpl getWorker(SigningRequestWrapper signRequest) { */ private static class WorkerImpl { - private long signStartTime; - private boolean workerBusy; - - private boolean batchSigningEnabled; + private final boolean batchSigningEnabled; private final BlockingQueue requestsQueue = new LinkedBlockingQueue<>(); private boolean stopping; private final Thread workerThread; protected WorkerImpl(String keyId) { - queryBatchSigningEnabled(keyId); + try { + batchSigningEnabled = SignerProxy.isTokenBatchSigningEnabled(keyId); + } catch (Exception e) { + log.error("Failed to query if batch signing is enabled for token with key {}", keyId, e); + throw new RuntimeException(e); + } workerThread = new Thread(this::process); workerThread.setDaemon(true); // todo check, if really needed? workerThread.start(); 
@@ -151,28 +153,6 @@ public void handleSignRequest(SigningRequestWrapper signRequest) { requestsQueue.add(signRequest); } - private void queryBatchSigningEnabled(String keyId) { - try { - batchSigningEnabled = SignerProxy.isTokenBatchSigningEnabled(keyId); - } catch (Exception e) { - log.error("Failed to query if batch signing is enabled for token with key {}", keyId, e); - } - } - - private boolean isWorkerBusy() { - if (isSignatureCreationTimedOut()) { - workerBusy = false; - - throw new CodedException(X_INTERNAL_ERROR, "Signature creation timed out"); - } - - return workerBusy; - } - - private boolean isSignatureCreationTimedOut() { - return workerBusy && System.currentTimeMillis() - signStartTime >= TIMEOUT_MILLIS; - } - private void sendSignatureResponse(BatchSignatureCtx ctx, byte[] signatureValue) throws Exception { String signature = ctx.createSignatureXml(signatureValue); @@ -241,7 +221,6 @@ protected void stop() { } - /** * Convenience class that wraps the request along with the keyId * and algorithm id. From b2627d5231015d59b535172076420ea8061bf0e2 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Tue, 12 Sep 2023 15:14:09 +0300 Subject: [PATCH 058/127] chore: wip, removing akka from BatchSigner Refs: XRDDEV-2468 --- .../main/java/ee/ria/xroad/common/signature/BatchSigner.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/proxy/src/main/java/ee/ria/xroad/common/signature/BatchSigner.java b/src/proxy/src/main/java/ee/ria/xroad/common/signature/BatchSigner.java index f726b6af12..0b3d9a5406 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/common/signature/BatchSigner.java +++ b/src/proxy/src/main/java/ee/ria/xroad/common/signature/BatchSigner.java @@ -144,7 +144,7 @@ protected WorkerImpl(String keyId) { throw new RuntimeException(e); } workerThread = new Thread(this::process); - workerThread.setDaemon(true); // todo check, if really needed? + workerThread.setDaemon(true); workerThread.start(); } 
@@ -190,7 +190,7 @@ private synchronized void process() { requests.add(first); if (batchSigningEnabled) { - // poll all. todo should add max batchSize param? + // poll all remaining requestsQueue.drainTo(requests); } @@ -211,6 +211,7 @@ private synchronized void process() { log.trace("queue polling interrupted"); } } + log.trace("Worker thread stopped"); } protected void stop() { From 3b10eb1b111cecae39efbcf2efc392b21dcec539 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Tue, 12 Sep 2023 15:53:01 +0300 Subject: [PATCH 059/127] chore: improve null safety in proto dtos Refs: XRDDEV-2468 --- .../xroad/signer/protocol/ClientIdMapper.java | 24 ++++++++++--------- .../xroad/signer/protocol/dto/KeyInfo.java | 10 ++++++-- .../xroad/signer/protocol/dto/TokenInfo.java | 15 +++++++++--- .../src/main/proto/CommonMessages.proto | 3 ++- .../src/main/proto/Tokens.proto | 12 +++++----- .../java/ee/ria/xroad/signer/model/Token.java | 11 ++++----- 6 files changed, 45 insertions(+), 30 deletions(-) diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java index 12dc60231a..9e5e19d4c5 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java 
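Review bot: The rewritten comment drops the open question about a maximum batch size, yet `requestsQueue.drainTo(requests)` still takes everything that is queued, and `requestsQueue` is an unbounded `LinkedBlockingQueue`. A burst of requests therefore becomes one batch of arbitrary size, and a single signing failure is reported to every client in it through `sendException`. Either keep the todo or cap the drain with the two-argument overload, `requestsQueue.drainTo(requests, MAX_BATCH_SIZE);`, where `MAX_BATCH_SIZE` is a placeholder for a limit the project has to choose. `process()` starts and ends outside this hunk.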
@@ -26,23 +26,25 @@ package ee.ria.xroad.signer.protocol; import ee.ria.xroad.common.identifier.ClientId; + +import lombok.AccessLevel; +import lombok.NoArgsConstructor; import org.niis.xroad.signer.protocol.dto.ClientIdProto; import org.niis.xroad.signer.protocol.dto.XRoadObjectType; +@NoArgsConstructor(access = AccessLevel.PRIVATE) public class ClientIdMapper { - public static ClientId.Conf fromDto(ClientIdProto input) { - - //TODO:grpc refine this check - if (input.hasField(ClientIdProto.getDescriptor().findFieldByName("subsystemCode"))) { - return ClientId.Conf.create(input.getXroadInstance(), - input.getMemberClass(), - input.getMemberCode(), - input.getSubsystemCode()); + public static ClientId.Conf fromDto(ClientIdProto clientIdProto) { + if (clientIdProto.hasSubsystemCode()) { + return ClientId.Conf.create(clientIdProto.getXroadInstance(), + clientIdProto.getMemberClass(), + clientIdProto.getMemberCode(), + clientIdProto.getSubsystemCode()); } else { - return ClientId.Conf.create(input.getXroadInstance(), - input.getMemberClass(), - input.getMemberCode()); + return ClientId.Conf.create(clientIdProto.getXroadInstance(), + clientIdProto.getMemberClass(), + clientIdProto.getMemberCode()); } } diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java index 70d384f697..2b35454cc6 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java @@ -54,7 +54,10 @@ public KeyUsageInfo getUsage() { @ToString.Include public String getFriendlyName() { - return message.getFriendlyName(); + if (message.hasFriendlyName()) { + return message.getFriendlyName(); + } + return null; } @ToString.Include 
@@ -64,7 +67,10 @@ public String getId() { @ToString.Include public String getLabel() { - return message.getLabel(); + if (message.hasFriendlyName()) { + return message.getLabel(); + } + return null; } @ToString.Include diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfo.java index 6a5b767e89..51881fac08 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfo.java @@ -54,7 +54,10 @@ public String getType() { @ToString.Include public String getFriendlyName() { - return message.getFriendlyName(); + if (message.hasFriendlyName()) { + return message.getFriendlyName(); + } + return null; } @ToString.Include @@ -79,12 +82,18 @@ public boolean isActive() { @ToString.Include public String getSerialNumber() { - return message.getSerialNumber(); + if (message.hasSerialNumber()) { + return message.getSerialNumber(); + } + return null; } @ToString.Include public String getLabel() { - return message.getLabel(); + if (message.hasLabel()) { + return message.getLabel(); + } + return null; } @ToString.Include diff --git a/src/signer-protocol/src/main/proto/CommonMessages.proto b/src/signer-protocol/src/main/proto/CommonMessages.proto index a90afab14f..d136f4c734 100644 --- a/src/signer-protocol/src/main/proto/CommonMessages.proto +++ b/src/signer-protocol/src/main/proto/CommonMessages.proto @@ -1,4 +1,5 @@ syntax = "proto3"; + import "TokenStatusInfo.proto"; option java_multiple_files = true; @@ -11,7 +12,7 @@ message Empty { message ClientIdProto { string memberClass = 1; string memberCode = 2; - string subsystemCode = 3; + optional string subsystemCode = 3; string xroadInstance = 4; XRoadObjectType objectType = 5; 
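Review bot: `KeyInfo.getLabel()` guards on the wrong presence flag: the added check is `if (message.hasFriendlyName())`. A key that has a label but no friendly name now returns null, and a key with a friendly name but no label returns the empty proto default instead of null. The condition should be `if (message.hasLabel()) {`, matching `TokenInfo.getLabel()` in the same commit. `label` in `KeyInfoProto` becomes `optional` in this commit, so `hasLabel()` is generated.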
diff --git a/src/signer-protocol/src/main/proto/Tokens.proto b/src/signer-protocol/src/main/proto/Tokens.proto index 9448eb21eb..0b0fccf1e1 100644 --- a/src/signer-protocol/src/main/proto/Tokens.proto +++ b/src/signer-protocol/src/main/proto/Tokens.proto @@ -8,13 +8,13 @@ option java_package = "ee.ria.xroad.signer.protocol.dto"; message TokenInfoProto { string type = 1; - string friendlyName = 2; + optional string friendlyName = 2; string id = 3; bool readOnly = 4; bool available = 5; bool active = 6; - string serialNumber = 7; - string label = 8; + optional string serialNumber = 7; + optional string label = 8; int32 slotIndex = 9; TokenStatusInfo status = 10; repeated KeyInfoProto keyInfo = 11; @@ -29,9 +29,9 @@ message TokenInfoAndKeyIdProto { message KeyInfoProto { bool available = 1; KeyUsageInfo usage = 2; - string friendly_name = 3; + optional string friendly_name = 3; string id = 4; - string label = 5; + optional string label = 5; string public_key = 6; repeated CertificateInfoProto certs = 7; repeated CertRequestInfoProto cert_requests = 8; @@ -39,7 +39,7 @@ message KeyInfoProto { } message CertificateInfoProto { - ClientIdProto memberId = 1; + optional ClientIdProto memberId = 1; bool active = 2; bool savedToConfiguration = 3; string status = 4; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/model/Token.java b/src/signer/src/main/java/ee/ria/xroad/signer/model/Token.java index e76d04b090..2ee1615212 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/model/Token.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/model/Token.java @@ -42,6 +42,7 @@ import java.util.stream.Collectors; import static java.util.Collections.unmodifiableMap; +import static java.util.Optional.ofNullable; /** * Model object representing a token. 
@@ -151,7 +152,6 @@ public void setInfo(Map info) { public TokenInfo toDTO() { var messageBuilder = TokenInfoProto.newBuilder() .setType(type) - .setFriendlyName(friendlyName) .setId(id) .setReadOnly(readOnly) .setAvailable(available) @@ -161,12 +161,9 @@ public TokenInfo toDTO() { .addAllKeyInfo(Collections.unmodifiableList(getKeysAsDTOs())) .putAllTokenInfo(unmodifiableMap(tokenInfo)); - if (serialNumber != null) { - messageBuilder.setSerialNumber(serialNumber); - } - if (label != null) { - messageBuilder.setLabel(label); - } + ofNullable(friendlyName).ifPresent(m -> messageBuilder.setFriendlyName(friendlyName)); + ofNullable(serialNumber).ifPresent(m -> messageBuilder.setSerialNumber(serialNumber)); + ofNullable(label).ifPresent(m -> messageBuilder.setLabel(label)); return new TokenInfo(messageBuilder.build()); } From 1a9fada78de2e55b9cda1040e7bc7b4a5e11ea8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Tue, 12 Sep 2023 16:10:02 +0300 Subject: [PATCH 060/127] chore: improve null safety in proto dtos Refs: XRDDEV-2468 --- .../ee/ria/xroad/signer/protocol/dto/CertificateInfo.java | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java index ec8ca14f63..c041d2251f 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java @@ -25,11 +25,10 @@ */ package ee.ria.xroad.signer.protocol.dto; -import com.fasterxml.jackson.annotation.JsonIgnore; - import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.signer.protocol.ClientIdMapper; +import com.fasterxml.jackson.annotation.JsonIgnore; import lombok.ToString; import lombok.Value; 
@@ -58,7 +57,10 @@ public class CertificateInfo implements Serializable { @ToString.Include public ClientId.Conf getMemberId() { - return ClientIdMapper.fromDto(message.getMemberId()); + if (message.hasMemberId()) { + return ClientIdMapper.fromDto(message.getMemberId()); + } + return null; } @ToString.Include From 154dae7b5c350c66f6496ae1c80fa687a7eb75e1 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Tue, 12 Sep 2023 16:30:22 +0300 Subject: [PATCH 061/127] chore: camelCase to snake_case Refs: XRDDEV-2468 --- .../signer/protocol/RpcSignerClient.java | 2 +- .../protocol/SecurityServerIdMapper.java | 5 +- .../signer/protocol/dto/CertRequestInfo.java | 3 +- .../src/main/proto/CertificateService.proto | 60 +++++++++---------- .../src/main/proto/CommonMessages.proto | 20 +++---- .../src/main/proto/ErrorHandling.proto | 10 ++-- .../src/main/proto/KeyService.proto | 42 ++++++------- .../src/main/proto/OcspService.proto | 8 +-- .../src/main/proto/TokenService.proto | 32 +++++----- .../src/main/proto/Tokens.proto | 22 +++---- .../java/ee/ria/xroad/signer/model/Token.java | 10 ++-- 11 files changed, 108 insertions(+), 106 deletions(-) diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java index b1318799fa..c156934d7d 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java @@ -45,7 +45,7 @@ import static org.niis.xroad.signer.grpc.ServerCredentialsConfigurer.createClientCredentials; @Slf4j -public class RpcSignerClient { +public final class RpcSignerClient { private static RpcSignerClient instance; private final ManagedChannel channel; 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SecurityServerIdMapper.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SecurityServerIdMapper.java index fc8835bb27..e966b7881e 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SecurityServerIdMapper.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SecurityServerIdMapper.java @@ -30,7 +30,10 @@ import org.niis.xroad.signer.protocol.dto.SecurityServerIdProto; import org.niis.xroad.signer.protocol.dto.XRoadObjectType; -public class SecurityServerIdMapper { +public final class SecurityServerIdMapper { + + private SecurityServerIdMapper() { + } public static SecurityServerId.Conf fromDto(SecurityServerIdProto input) { return SecurityServerId.Conf.create(input.getXroadInstance(), input.getMemberClass(), input.getMemberCode(), diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java index f79d72d2df..3921e62b69 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java @@ -25,11 +25,10 @@ */ package ee.ria.xroad.signer.protocol.dto; -import com.fasterxml.jackson.annotation.JsonIgnore; - import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.signer.protocol.ClientIdMapper; +import com.fasterxml.jackson.annotation.JsonIgnore; import lombok.ToString; import lombok.Value; diff --git a/src/signer-protocol/src/main/proto/CertificateService.proto b/src/signer-protocol/src/main/proto/CertificateService.proto index 5fdb68834f..573c05a82c 100644 --- a/src/signer-protocol/src/main/proto/CertificateService.proto +++ b/src/signer-protocol/src/main/proto/CertificateService.proto 
@@ -31,25 +31,25 @@ service CertificateService { } message GetCertificateInfoForHashReq { - string certHash = 1; + string cert_hash = 1; } message GetCertificateInfoResp { - CertificateInfoProto certificateInfo = 1; + CertificateInfoProto certificate_info = 1; } message ActivateCertReq { - string certIdOrHash = 1; - bool active = 2; + string cert_id_or_hash = 1; + bool active = 2; } message SetCertStatusReq{ - string certId = 1; + string cert_id = 1; string status = 2; } message GetMemberCertsReq{ - ClientIdProto memberId = 1; + ClientIdProto member_id = 1; } message GetMemberCertsResp{ @@ -57,16 +57,16 @@ message GetMemberCertsResp{ } message RegenerateCertRequestReq { - string certRequestId = 1; + string cert_request_id = 1; CertificateRequestFormat format = 2; } message RegenerateCertRequestResp { - string certReqId = 1; - bytes certRequest = 2; + string cert_req_id = 1; + bytes cert_request = 2; CertificateRequestFormat format = 3; - ClientIdProto memberId = 4; - KeyUsageInfo keyUsage = 5; + ClientIdProto member_id = 4; + KeyUsageInfo key_usage = 5; } /** Specifies the cert request format to return. */ 
@@ -77,46 +77,46 @@ enum CertificateRequestFormat { } message DeleteCertReq { - string certId = 1; + string cert_id = 1; } message DeleteCertRequestReq { - string certRequestId = 1; + string cert_request_id = 1; } message ImportCertReq { - bytes certData = 1; - string initialStatus = 2; - ClientIdProto memberId = 3; + bytes cert_data = 1; + string initial_status = 2; + ClientIdProto member_id = 3; } message ImportCertResp { - string keyId = 1; + string key_id = 1; } message GenerateSelfSignedCertReq { - string keyId = 1; - string commonName = 2; - int64 dateNotBefore = 3; - int64 dateNotAfter = 4; - KeyUsageInfo keyUsage = 5; - ClientIdProto memberId = 6; + string key_id = 1; + string common_name = 2; + int64 date_not_before = 3; + int64 date_not_after = 4; + KeyUsageInfo key_usage = 5; + ClientIdProto member_id = 6; } message GenerateSelfSignedCertResp { - bytes certificateBytes = 1; + bytes certificate_bytes = 1; } message GenerateCertRequestReq { - string keyId = 1; - ClientIdProto memberId = 2; - KeyUsageInfo keyUsage = 3; - string subjectName = 4; + string key_id = 1; + ClientIdProto member_id = 2; + KeyUsageInfo key_usage = 3; + string subject_name = 4; CertificateRequestFormat format = 5; } message GenerateCertRequestResp { - string certReqId = 1; - bytes certRequest = 2; + string cert_req_id = 1; + bytes cert_request = 2; CertificateRequestFormat format = 3; } diff --git a/src/signer-protocol/src/main/proto/CommonMessages.proto b/src/signer-protocol/src/main/proto/CommonMessages.proto index d136f4c734..684084d057 100644 --- a/src/signer-protocol/src/main/proto/CommonMessages.proto +++ b/src/signer-protocol/src/main/proto/CommonMessages.proto 
@@ -10,21 +10,21 @@ message Empty { } message ClientIdProto { - string memberClass = 1; - string memberCode = 2; - optional string subsystemCode = 3; + string member_class = 1; + string member_code = 2; + optional string subsystem_code = 3; - string xroadInstance = 4; - XRoadObjectType objectType = 5; + string xroad_instance = 4; + XRoadObjectType object_type = 5; } message SecurityServerIdProto { - string memberClass = 1; - string memberCode = 2; - string serverCode = 3; + string member_class = 1; + string member_code = 2; + string server_code = 3; - string xroadInstance = 4; - XRoadObjectType objectType = 5; + string xroad_instance = 4; + XRoadObjectType object_type = 5; } enum XRoadObjectType { diff --git a/src/signer-protocol/src/main/proto/ErrorHandling.proto b/src/signer-protocol/src/main/proto/ErrorHandling.proto index 7a625c9d4a..9c0841af2a 100644 --- a/src/signer-protocol/src/main/proto/ErrorHandling.proto +++ b/src/signer-protocol/src/main/proto/ErrorHandling.proto @@ -30,9 +30,9 @@ option java_package = "ee.ria.xroad.signer.protocol.dto"; // todo rename the exception and the fields. should not be using soap fault naming inside signer. message CodedExceptionProto { - string faultCode = 1; - string faultActor = 2; - string faultDetail = 3; - string faultString = 4; - string translationCode = 5; + string fault_code = 1; + string fault_actor = 2; + string fault_detail = 3; + string fault_string = 4; + string translation_code = 5; } diff --git a/src/signer-protocol/src/main/proto/KeyService.proto b/src/signer-protocol/src/main/proto/KeyService.proto index 4de54efc88..b84446a41d 100644 --- a/src/signer-protocol/src/main/proto/KeyService.proto +++ b/src/signer-protocol/src/main/proto/KeyService.proto 
@@ -27,31 +27,31 @@ service KeyService { } message GetKeyIdForCertHashReq { - string certHash = 1; + string cert_hash = 1; } message GetKeyIdForCertHashResp { - string keyId = 1; - string signMechanismName = 2; + string key_id = 1; + string sign_mechanism_name = 2; } message SetKeyFriendlyNameReq { - string keyId = 1; - string friendlyName = 2; + string key_id = 1; + string friendly_name = 2; } message GetSignMechanismReq { - string keyId = 1; + string key_id = 1; } message GetSignMechanismResp { - string signMechanismName = 1; + string sign_mechanism_name = 1; } message SignReq { - string keyId = 1; - string signatureAlgorithmId = 2; + string key_id = 1; + string signature_algorithm_id = 2; bytes digest = 3; } @@ -60,33 +60,33 @@ message SignResp { } message SignCertificateReq { - string keyId = 1; - string signatureAlgorithmId = 2; - string subjectName = 3; - bytes publicKey = 4; + string key_id = 1; + string signature_algorithm_id = 2; + string subject_name = 3; + bytes public_key = 4; } message SignCertificateResp { - bytes certificateChain = 1; + bytes certificate_chain = 1; } message DeleteKeyReq { - string keyId = 1; - bool deleteFromDevice = 2; + string key_id = 1; + bool delete_from_device = 2; } message GenerateKeyReq { - string tokenId = 1; - string keyLabel = 2; + string token_id = 1; + string key_label = 2; } message GetAuthKeyReq { - SecurityServerIdProto securityServer = 1; + SecurityServerIdProto security_server = 1; } message AuthKeyInfoProto { - string alias = 1; - string keyStoreFileName = 2; + string alias = 1; + string key_store_file_name = 2; string password = 3; CertificateInfoProto cert = 4; } diff --git a/src/signer-protocol/src/main/proto/OcspService.proto b/src/signer-protocol/src/main/proto/OcspService.proto index a53b56da44..1dac65d63a 100644 --- a/src/signer-protocol/src/main/proto/OcspService.proto +++ b/src/signer-protocol/src/main/proto/OcspService.proto 
@@ -13,14 +13,14 @@ service OcspService { } message SetOcspResponsesReq { - repeated string certHashes = 1; - repeated string base64EncodedResponses = 2; + repeated string cert_hashes = 1; + repeated string base64_encoded_responses = 2; } message GetOcspResponsesReq{ - repeated string certHash = 1; + repeated string cert_hash = 1; } message GetOcspResponsesResp{ - map base64EncodedResponses = 1; + map base64_encoded_responses = 1; } diff --git a/src/signer-protocol/src/main/proto/TokenService.proto b/src/signer-protocol/src/main/proto/TokenService.proto index a376f08d1a..f41cfbc123 100644 --- a/src/signer-protocol/src/main/proto/TokenService.proto +++ b/src/signer-protocol/src/main/proto/TokenService.proto @@ -39,37 +39,37 @@ message ListTokensResp { } message ActivateTokenReq{ - string tokenId = 1; - bool activate = 2; + string token_id = 1; + bool activate = 2; } message GetTokenByIdReq { - string tokenId = 1; + string token_id = 1; } message GetTokenByKeyIdReq { - string keyId = 1; + string key_id = 1; } message GetTokenByCertRequestIdReq { - string certRequestId = 1; + string cert_request_id = 1; } message GetTokenByCertHashReq { - string certHash = 1; + string cert_hash = 1; } message SetTokenFriendlyNameReq { - string tokenId = 1; - string friendlyName = 2; + string token_id = 1; + string friendly_name = 2; } message GetTokenBatchSigningEnabledReq { - string keyId = 1; + string key_id = 1; } message GetTokenBatchSigningEnabledResp { - bool batchingSigningEnabled = 1; + bool batching_signing_enabled = 1; } message InitSoftwareTokenReq { @@ -77,9 +77,9 @@ message InitSoftwareTokenReq { } message UpdateSoftwareTokenPinReq { - string tokenId = 1; - string oldPin = 2; - string newPin = 3; + string token_id = 1; + string old_pin = 2; + string new_pin = 3; } message GetHSMOperationalInfoResp { 
@@ -87,11 +87,11 @@ message GetHSMOperationalInfoResp { } message GetMemberSigningInfoReq { - ClientIdProto memberId = 1; + ClientIdProto member_id = 1; } message GetMemberSigningInfoResp { - string keyId = 1; + string key_id = 1; CertificateInfoProto cert = 2; - string signMechanismName = 3; + string sign_mechanism_name = 3; } diff --git a/src/signer-protocol/src/main/proto/Tokens.proto b/src/signer-protocol/src/main/proto/Tokens.proto index 0b0fccf1e1..3069d18f07 100644 --- a/src/signer-protocol/src/main/proto/Tokens.proto +++ b/src/signer-protocol/src/main/proto/Tokens.proto @@ -8,22 +8,22 @@ option java_package = "ee.ria.xroad.signer.protocol.dto"; message TokenInfoProto { string type = 1; - optional string friendlyName = 2; + optional string friendly_name = 2; string id = 3; - bool readOnly = 4; + bool read_only = 4; bool available = 5; bool active = 6; - optional string serialNumber = 7; + optional string serial_number = 7; optional string label = 8; - int32 slotIndex = 9; + int32 slot_index = 9; TokenStatusInfo status = 10; - repeated KeyInfoProto keyInfo = 11; - map tokenInfo = 12; + repeated KeyInfoProto key_info = 11; + map token_info = 12; } message TokenInfoAndKeyIdProto { - TokenInfoProto tokenInfo = 1; - string keyId = 2; + TokenInfoProto token_info = 1; + string key_id = 2; } message KeyInfoProto { @@ -39,9 +39,9 @@ message KeyInfoProto { } message CertificateInfoProto { - optional ClientIdProto memberId = 1; + optional ClientIdProto member_id = 1; bool active = 2; - bool savedToConfiguration = 3; + bool saved_to_configuration = 3; string status = 4; string id = 5; bytes certificate_bytes = 6; @@ -51,7 +51,7 @@ message CertificateInfoProto { message CertRequestInfoProto { string id = 1; - ClientIdProto memberId = 2; + ClientIdProto member_id = 2; string subject_name = 3; // Add other fields as needed } 
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/model/Token.java b/src/signer/src/main/java/ee/ria/xroad/signer/model/Token.java index 2ee1615212..d25ace6525 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/model/Token.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/model/Token.java @@ -106,12 +106,12 @@ public final class Token { private boolean batchSigningEnabled = true; /** - * Holds the currect status of the token. + * Holds the current status of the token. */ private TokenStatusInfo status = TokenStatusInfo.OK; /** - * Contains the the keys of this token. + * Contains the keys of this token. */ private final List keys = new ArrayList<>(); @@ -161,9 +161,9 @@ public TokenInfo toDTO() { .addAllKeyInfo(Collections.unmodifiableList(getKeysAsDTOs())) .putAllTokenInfo(unmodifiableMap(tokenInfo)); - ofNullable(friendlyName).ifPresent(m -> messageBuilder.setFriendlyName(friendlyName)); - ofNullable(serialNumber).ifPresent(m -> messageBuilder.setSerialNumber(serialNumber)); - ofNullable(label).ifPresent(m -> messageBuilder.setLabel(label)); + ofNullable(friendlyName).ifPresent(messageBuilder::setFriendlyName); + ofNullable(serialNumber).ifPresent(messageBuilder::setSerialNumber); + ofNullable(label).ifPresent(messageBuilder::setLabel); return new TokenInfo(messageBuilder.build()); } From f5641e51403f9f0dfd011e18c463ea3063f3fe7a Mon Sep 17 00:00:00 2001 
From: Justas Samuolis Date: Tue, 12 Sep 2023 17:01:38 +0300 Subject: [PATCH 062/127] chore: proto files reorganized based on Style Guide Refs: XRDDEV-2468 --- .../xroad/signer/protocol/dto/KeyInfo.java | 2 +- .../xroad/signer/protocol/dto/TokenInfo.java | 2 +- .../src/main/proto/CertificateService.proto | 122 --------------- .../src/main/proto/CommonMessages.proto | 38 ----- .../src/main/proto/KeyService.proto | 92 ----------- .../src/main/proto/OcspService.proto | 26 ---- .../src/main/proto/TokenService.proto | 97 ------------ .../src/main/proto/TokenStatusInfo.proto | 24 --- .../src/main/proto/Tokens.proto | 64 -------- .../src/main/proto/certificate_service.proto | 147 ++++++++++++++++++ .../src/main/proto/common_messages.proto | 61 ++++++++ ...rorHandling.proto => error_handling.proto} | 0 .../src/main/proto/key_service.proto | 117 ++++++++++++++ .../src/main/proto/ocsp_service.proto | 51 ++++++ .../src/main/proto/token_service.proto | 122 +++++++++++++++ .../src/main/proto/token_status_info.proto | 49 ++++++ .../src/main/proto/tokens.proto | 89 +++++++++++ .../java/ee/ria/xroad/signer/model/Token.java | 8 +- 18 files changed, 642 insertions(+), 469 deletions(-) delete mode 100644 src/signer-protocol/src/main/proto/CertificateService.proto delete mode 100644 src/signer-protocol/src/main/proto/CommonMessages.proto delete mode 100644 src/signer-protocol/src/main/proto/KeyService.proto delete mode 100644 src/signer-protocol/src/main/proto/OcspService.proto delete mode 100644 src/signer-protocol/src/main/proto/TokenService.proto delete mode 100644 src/signer-protocol/src/main/proto/TokenStatusInfo.proto delete mode 100644 src/signer-protocol/src/main/proto/Tokens.proto create mode 100644 src/signer-protocol/src/main/proto/certificate_service.proto create mode 100644 src/signer-protocol/src/main/proto/common_messages.proto rename src/signer-protocol/src/main/proto/{ErrorHandling.proto => error_handling.proto} (100%) create mode 100644 
src/signer-protocol/src/main/proto/key_service.proto create mode 100644 src/signer-protocol/src/main/proto/ocsp_service.proto create mode 100644 src/signer-protocol/src/main/proto/token_service.proto create mode 100644 src/signer-protocol/src/main/proto/token_status_info.proto create mode 100644 src/signer-protocol/src/main/proto/tokens.proto diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java index 2b35454cc6..7007b65266 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/KeyInfo.java @@ -49,7 +49,7 @@ public boolean isAvailable() { @ToString.Include public KeyUsageInfo getUsage() { var usage = message.getUsage(); - return usage != KeyUsageInfo.KEY_USAGE_UNKNOWN ? usage : null; + return usage != KeyUsageInfo.KEY_USAGE_UNSPECIFIED ? usage : null; } @ToString.Include diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfo.java index 51881fac08..da582214c4 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/TokenInfo.java @@ -104,7 +104,7 @@ public int getSlotIndex() { @ToString.Include public TokenStatusInfo getStatus() { var status = message.getStatus(); - return status != TokenStatusInfo.TOKEN_STATUS_UNKNOWN ? status : null; + return status != TokenStatusInfo.TOKEN_STATUS_UNSPECIFIED ? status : null; } @ToString.Include diff --git a/src/signer-protocol/src/main/proto/CertificateService.proto b/src/signer-protocol/src/main/proto/CertificateService.proto deleted file mode 100644 index 573c05a82c..0000000000 --- a/src/signer-protocol/src/main/proto/CertificateService.proto +++ /dev/null 
@@ -1,122 +0,0 @@ -syntax = "proto3"; - -option java_multiple_files = true; - -import "CommonMessages.proto"; -import "Tokens.proto"; -import "TokenStatusInfo.proto"; - -package org.niis.xroad.signer.proto; - -service CertificateService { - rpc ActivateCert (ActivateCertReq) returns (Empty) {} - - rpc GetCertificateInfoForHash (GetCertificateInfoForHashReq) returns (GetCertificateInfoResp) {} - - rpc GetMemberCerts (GetMemberCertsReq) returns (GetMemberCertsResp) {} - - rpc SetCertStatus (SetCertStatusReq) returns (Empty) {} - - rpc GenerateCertRequest (GenerateCertRequestReq) returns (GenerateCertRequestResp) {} - - rpc RegenerateCertRequest (RegenerateCertRequestReq) returns (RegenerateCertRequestResp) {} - - rpc DeleteCert (DeleteCertReq) returns (Empty) {} - - rpc DeleteCertRequest (DeleteCertRequestReq) returns (Empty) {} - - rpc ImportCert (ImportCertReq) returns (ImportCertResp) {} - - rpc GenerateSelfSignedCert (GenerateSelfSignedCertReq) returns (GenerateSelfSignedCertResp) {} -} - -message GetCertificateInfoForHashReq { - string cert_hash = 1; -} - -message GetCertificateInfoResp { - CertificateInfoProto certificate_info = 1; -} - -message ActivateCertReq { - string cert_id_or_hash = 1; - bool active = 2; -} - -message SetCertStatusReq{ - string cert_id = 1; - string status = 2; -} - -message GetMemberCertsReq{ - ClientIdProto member_id = 1; -} - -message GetMemberCertsResp{ - repeated CertificateInfoProto certs = 1; -} - -message RegenerateCertRequestReq { - string cert_request_id = 1; - CertificateRequestFormat format = 2; -} - -message RegenerateCertRequestResp { - string cert_req_id = 1; - bytes cert_request = 2; - CertificateRequestFormat format = 3; - ClientIdProto member_id = 4; - KeyUsageInfo key_usage = 5; -} - -/** Specifies the cert request format to return. 
*/ -enum CertificateRequestFormat { - CERTIFICATE_REQUEST_FORMAT_UNKNOWN = 0; - PEM = 1; - DER = 2; -} - -message DeleteCertReq { - string cert_id = 1; -} - -message DeleteCertRequestReq { - string cert_request_id = 1; -} - -message ImportCertReq { - bytes cert_data = 1; - string initial_status = 2; - ClientIdProto member_id = 3; -} - -message ImportCertResp { - string key_id = 1; -} - -message GenerateSelfSignedCertReq { - string key_id = 1; - string common_name = 2; - int64 date_not_before = 3; - int64 date_not_after = 4; - KeyUsageInfo key_usage = 5; - ClientIdProto member_id = 6; -} - -message GenerateSelfSignedCertResp { - bytes certificate_bytes = 1; -} - -message GenerateCertRequestReq { - string key_id = 1; - ClientIdProto member_id = 2; - KeyUsageInfo key_usage = 3; - string subject_name = 4; - CertificateRequestFormat format = 5; -} - -message GenerateCertRequestResp { - string cert_req_id = 1; - bytes cert_request = 2; - CertificateRequestFormat format = 3; -} diff --git a/src/signer-protocol/src/main/proto/CommonMessages.proto b/src/signer-protocol/src/main/proto/CommonMessages.proto deleted file mode 100644 index 684084d057..0000000000 --- a/src/signer-protocol/src/main/proto/CommonMessages.proto +++ /dev/null 
@@ -1,38 +0,0 @@ -syntax = "proto3"; - -import "TokenStatusInfo.proto"; - -option java_multiple_files = true; -option java_package = "org.niis.xroad.signer.protocol.dto"; - -/* Generic empty request/response. */ -message Empty { -} - -message ClientIdProto { - string member_class = 1; - string member_code = 2; - optional string subsystem_code = 3; - - string xroad_instance = 4; - XRoadObjectType object_type = 5; -} - -message SecurityServerIdProto { - string member_class = 1; - string member_code = 2; - string server_code = 3; - - string xroad_instance = 4; - XRoadObjectType object_type = 5; -} - -enum XRoadObjectType { - XROAD_OBJECT_TYPE_UNKNOWN = 0; - SERVER = 1; - SERVICE = 2; - MEMBER = 3; - SUBSYSTEM = 4; - GLOBALGROUP = 5; - LOCALGROUP = 6 [deprecated = true]; // Deprecated -} diff --git a/src/signer-protocol/src/main/proto/KeyService.proto b/src/signer-protocol/src/main/proto/KeyService.proto deleted file mode 100644 index b84446a41d..0000000000 --- a/src/signer-protocol/src/main/proto/KeyService.proto +++ /dev/null 
@@ -1,92 +0,0 @@ -syntax = "proto3"; - -option java_multiple_files = true; - -import "CommonMessages.proto"; -import "Tokens.proto"; -import "TokenStatusInfo.proto"; - -package org.niis.xroad.signer.proto; - -service KeyService { - rpc GenerateKey (GenerateKeyReq) returns (KeyInfoProto) {} - - rpc SetKeyFriendlyName (SetKeyFriendlyNameReq) returns (Empty) {} - - rpc GetKeyIdForCertHash (GetKeyIdForCertHashReq) returns (GetKeyIdForCertHashResp) {} - - rpc GetSignMechanism (GetSignMechanismReq) returns (GetSignMechanismResp) {} - - rpc Sign(SignReq) returns (SignResp) {} - - rpc SignCertificate(SignCertificateReq) returns (SignCertificateResp) {} - - rpc DeleteKey (DeleteKeyReq) returns (Empty) {} - - rpc GetAuthKey (GetAuthKeyReq) returns (AuthKeyInfoProto) {} -} - -message GetKeyIdForCertHashReq { - string cert_hash = 1; -} - -message GetKeyIdForCertHashResp { - string key_id = 1; - string sign_mechanism_name = 2; -} - -message SetKeyFriendlyNameReq { - string key_id = 1; - string friendly_name = 2; -} - - -message GetSignMechanismReq { - string key_id = 1; -} - -message GetSignMechanismResp { - string sign_mechanism_name = 1; -} - -message SignReq { - string key_id = 1; - string signature_algorithm_id = 2; - bytes digest = 3; -} - -message SignResp { - bytes signature = 1; -} - -message SignCertificateReq { - string key_id = 1; - string signature_algorithm_id = 2; - string subject_name = 3; - bytes public_key = 4; -} - -message SignCertificateResp { - bytes certificate_chain = 1; -} - -message DeleteKeyReq { - string key_id = 1; - bool delete_from_device = 2; -} - -message GenerateKeyReq { - string token_id = 1; - string key_label = 2; -} - -message GetAuthKeyReq { - SecurityServerIdProto security_server = 1; -} - -message AuthKeyInfoProto { - string alias = 1; - string key_store_file_name = 2; - string password = 3; - CertificateInfoProto cert = 4; -} 
diff --git a/src/signer-protocol/src/main/proto/OcspService.proto b/src/signer-protocol/src/main/proto/OcspService.proto deleted file mode 100644 index 1dac65d63a..0000000000 --- a/src/signer-protocol/src/main/proto/OcspService.proto +++ /dev/null @@ -1,26 +0,0 @@ -syntax = "proto3"; - -option java_multiple_files = true; - -package org.niis.xroad.signer.proto; - -import "CommonMessages.proto"; - -service OcspService { - rpc SetOcspResponses (SetOcspResponsesReq) returns (Empty) {} - - rpc GetOcspResponses (GetOcspResponsesReq) returns (GetOcspResponsesResp) {} -} - -message SetOcspResponsesReq { - repeated string cert_hashes = 1; - repeated string base64_encoded_responses = 2; -} - -message GetOcspResponsesReq{ - repeated string cert_hash = 1; -} - -message GetOcspResponsesResp{ - map base64_encoded_responses = 1; -} diff --git a/src/signer-protocol/src/main/proto/TokenService.proto b/src/signer-protocol/src/main/proto/TokenService.proto deleted file mode 100644 index f41cfbc123..0000000000 --- a/src/signer-protocol/src/main/proto/TokenService.proto +++ /dev/null 
@@ -1,97 +0,0 @@ -syntax = "proto3"; - -option java_multiple_files = true; - -import "CommonMessages.proto"; -import "Tokens.proto"; -import "TokenStatusInfo.proto"; - -package org.niis.xroad.signer.proto; - -service TokenService { - rpc GetTokenById (GetTokenByIdReq) returns (TokenInfoProto) {} - - rpc GetTokenByKey (GetTokenByKeyIdReq) returns (TokenInfoProto) {} - - rpc GetTokenAndKeyIdByCertRequestId (GetTokenByCertRequestIdReq) returns (TokenInfoAndKeyIdProto) {} - - rpc GetTokenAndKeyIdByCertHash (GetTokenByCertHashReq) returns (TokenInfoAndKeyIdProto) {} - - rpc ListTokens (Empty) returns (ListTokensResp) {} - - rpc ActivateToken (ActivateTokenReq) returns (Empty) {} - - rpc SetTokenFriendlyName (SetTokenFriendlyNameReq) returns (Empty) {} - - rpc GetTokenBatchSigningEnabled (GetTokenBatchSigningEnabledReq) returns (GetTokenBatchSigningEnabledResp){} - - rpc InitSoftwareToken (InitSoftwareTokenReq) returns (Empty) {} - - rpc UpdateSoftwareTokenPin (UpdateSoftwareTokenPinReq) returns (Empty) {} - - rpc GetHSMOperationalInfo (Empty) returns (GetHSMOperationalInfoResp) {} - - rpc GetMemberSigningInfo (GetMemberSigningInfoReq) returns (GetMemberSigningInfoResp) {} -} - -message ListTokensResp { - repeated TokenInfoProto tokens = 1; -} - -message ActivateTokenReq{ - string token_id = 1; - bool activate = 2; -} - -message GetTokenByIdReq { - string token_id = 1; -} - -message GetTokenByKeyIdReq { - string key_id = 1; -} - -message GetTokenByCertRequestIdReq { - string cert_request_id = 1; -} - -message GetTokenByCertHashReq { - string cert_hash = 1; -} - -message SetTokenFriendlyNameReq { - string token_id = 1; - string friendly_name = 2; -} - -message GetTokenBatchSigningEnabledReq { - string key_id = 1; -} - -message GetTokenBatchSigningEnabledResp { - bool batching_signing_enabled = 1; -} - -message InitSoftwareTokenReq { - string pin = 1; -} - -message UpdateSoftwareTokenPinReq { - string token_id = 1; - string old_pin = 2; - string new_pin = 3; -} - -message 
GetHSMOperationalInfoResp { - bool operational = 1; -} - -message GetMemberSigningInfoReq { - ClientIdProto member_id = 1; -} - -message GetMemberSigningInfoResp { - string key_id = 1; - CertificateInfoProto cert = 2; - string sign_mechanism_name = 3; -} diff --git a/src/signer-protocol/src/main/proto/TokenStatusInfo.proto b/src/signer-protocol/src/main/proto/TokenStatusInfo.proto deleted file mode 100644 index ca7de64447..0000000000 --- a/src/signer-protocol/src/main/proto/TokenStatusInfo.proto +++ /dev/null @@ -1,24 +0,0 @@ -syntax = "proto3"; - -//package protocol; - -option java_multiple_files = true; -option java_package = "ee.ria.xroad.signer.protocol.dto"; - -//option java_outer_classname = "TokenStatusInfo"; -//option objc_class_prefix = "HLW"; - -//import "google/protobuf/empty.proto"; - -/* Token status info DTO. */ -enum TokenStatusInfo { - TOKEN_STATUS_UNKNOWN = 0; - OK = 1; // Normal operation status - USER_PIN_LOCKED = 2;// Blocked - USER_PIN_INCORRECT = 3; // Incorrect PIN was entered - USER_PIN_INVALID = 4; // Invalid PIN - USER_PIN_EXPIRED = 5; // PIN expired - USER_PIN_COUNT_LOW = 6; // Only a few tries left - USER_PIN_FINAL_TRY = 7; // Final try - NOT_INITIALIZED = 8; // PIN not initialized -} diff --git a/src/signer-protocol/src/main/proto/Tokens.proto b/src/signer-protocol/src/main/proto/Tokens.proto deleted file mode 100644 index 3069d18f07..0000000000 --- a/src/signer-protocol/src/main/proto/Tokens.proto +++ /dev/null 
@@ -1,64 +0,0 @@ -syntax = "proto3"; - -import "CommonMessages.proto"; -import "TokenStatusInfo.proto"; - -option java_multiple_files = true; -option java_package = "ee.ria.xroad.signer.protocol.dto"; - -message TokenInfoProto { - string type = 1; - optional string friendly_name = 2; - string id = 3; - bool read_only = 4; - bool available = 5; - bool active = 6; - optional string serial_number = 7; - optional string label = 8; - int32 slot_index = 9; - TokenStatusInfo status = 10; - repeated KeyInfoProto key_info = 11; - map token_info = 12; -} - -message TokenInfoAndKeyIdProto { - TokenInfoProto token_info = 1; - string key_id = 2; -} - -message KeyInfoProto { - bool available = 1; - KeyUsageInfo usage = 2; - optional string friendly_name = 3; - string id = 4; - optional string label = 5; - string public_key = 6; - repeated CertificateInfoProto certs = 7; - repeated CertRequestInfoProto cert_requests = 8; - string sign_mechanism_name = 9; -} - -message CertificateInfoProto { - optional ClientIdProto member_id = 1; - bool active = 2; - bool saved_to_configuration = 3; - string status = 4; - string id = 5; - bytes certificate_bytes = 6; - bytes ocsp_bytes = 7; - // Add other fields as needed -} - -message CertRequestInfoProto { - string id = 1; - ClientIdProto member_id = 2; - string subject_name = 3; - // Add other fields as needed -} - -/* Key usage can either be signing or authentication. */ -enum KeyUsageInfo { - KEY_USAGE_UNKNOWN = 0; - SIGNING = 1; - AUTHENTICATION = 2; -} diff --git a/src/signer-protocol/src/main/proto/certificate_service.proto b/src/signer-protocol/src/main/proto/certificate_service.proto new file mode 100644 index 0000000000..1e1592e7fa --- /dev/null +++ b/src/signer-protocol/src/main/proto/certificate_service.proto 
@@ -0,0 +1,147 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ +syntax = "proto3"; + +package org.niis.xroad.signer.proto; + +import "common_messages.proto"; +import "tokens.proto"; +import "token_status_info.proto"; + +option java_multiple_files = true; + +service CertificateService { + rpc ActivateCert(ActivateCertReq) returns (Empty) {} + + rpc GetCertificateInfoForHash(GetCertificateInfoForHashReq) returns (GetCertificateInfoResp) {} + + rpc GetMemberCerts(GetMemberCertsReq) returns (GetMemberCertsResp) {} + + rpc SetCertStatus(SetCertStatusReq) returns (Empty) {} + + rpc GenerateCertRequest(GenerateCertRequestReq) returns (GenerateCertRequestResp) {} + + rpc RegenerateCertRequest(RegenerateCertRequestReq) returns (RegenerateCertRequestResp) {} + + rpc DeleteCert(DeleteCertReq) returns (Empty) {} + + rpc DeleteCertRequest(DeleteCertRequestReq) returns (Empty) {} + + rpc ImportCert(ImportCertReq) returns (ImportCertResp) {} + + rpc GenerateSelfSignedCert(GenerateSelfSignedCertReq) returns (GenerateSelfSignedCertResp) {} +} + +message GetCertificateInfoForHashReq { + string cert_hash = 1; +} + +message GetCertificateInfoResp { + CertificateInfoProto certificate_info = 1; +} + +message ActivateCertReq { + string cert_id_or_hash = 1; + bool active = 2; +} + +message SetCertStatusReq{ + string cert_id = 1; + string status = 2; +} + +message GetMemberCertsReq{ + ClientIdProto member_id = 1; +} + +message GetMemberCertsResp{ + repeated CertificateInfoProto certs = 1; +} + +message RegenerateCertRequestReq { + string cert_request_id = 1; + CertificateRequestFormat format = 2; +} + +message RegenerateCertRequestResp { + string cert_req_id = 1; + bytes cert_request = 2; + CertificateRequestFormat format = 3; + ClientIdProto member_id = 4; + KeyUsageInfo key_usage = 5; +} + +/** Specifies the cert request format to return. 
*/ +enum CertificateRequestFormat { + CERTIFICATE_REQUEST_FORMAT_UNSPECIFIED = 0; + PEM = 1; + DER = 2; +} + +message DeleteCertReq { + string cert_id = 1; +} + +message DeleteCertRequestReq { + string cert_request_id = 1; +} + +message ImportCertReq { + bytes cert_data = 1; + string initial_status = 2; + ClientIdProto member_id = 3; +} + +message ImportCertResp { + string key_id = 1; +} + +message GenerateSelfSignedCertReq { + string key_id = 1; + string common_name = 2; + int64 date_not_before = 3; + int64 date_not_after = 4; + KeyUsageInfo key_usage = 5; + ClientIdProto member_id = 6; +} + +message GenerateSelfSignedCertResp { + bytes certificate_bytes = 1; +} + +message GenerateCertRequestReq { + string key_id = 1; + ClientIdProto member_id = 2; + KeyUsageInfo key_usage = 3; + string subject_name = 4; + CertificateRequestFormat format = 5; +} + +message GenerateCertRequestResp { + string cert_req_id = 1; + bytes cert_request = 2; + CertificateRequestFormat format = 3; +} diff --git a/src/signer-protocol/src/main/proto/common_messages.proto b/src/signer-protocol/src/main/proto/common_messages.proto new file mode 100644 index 0000000000..08082a1fa5 --- /dev/null +++ b/src/signer-protocol/src/main/proto/common_messages.proto 
@@ -0,0 +1,61 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ +syntax = "proto3"; + +option java_multiple_files = true; +option java_package = "org.niis.xroad.signer.protocol.dto"; + +/* Generic empty request/response. 
*/ +message Empty { +} + +message ClientIdProto { + string member_class = 1; + string member_code = 2; + optional string subsystem_code = 3; + + string xroad_instance = 4; + XRoadObjectType object_type = 5; +} + +message SecurityServerIdProto { + string member_class = 1; + string member_code = 2; + string server_code = 3; + + string xroad_instance = 4; + XRoadObjectType object_type = 5; +} + +enum XRoadObjectType { + XROAD_OBJECT_TYPE_UNSPECIFIED = 0; + SERVER = 1; + SERVICE = 2; + MEMBER = 3; + SUBSYSTEM = 4; + GLOBALGROUP = 5; + LOCALGROUP = 6 [deprecated = true]; // Deprecated +} diff --git a/src/signer-protocol/src/main/proto/ErrorHandling.proto b/src/signer-protocol/src/main/proto/error_handling.proto similarity index 100% rename from src/signer-protocol/src/main/proto/ErrorHandling.proto rename to src/signer-protocol/src/main/proto/error_handling.proto diff --git a/src/signer-protocol/src/main/proto/key_service.proto b/src/signer-protocol/src/main/proto/key_service.proto new file mode 100644 index 0000000000..55ab9c21e3 --- /dev/null +++ b/src/signer-protocol/src/main/proto/key_service.proto 
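Review bot: common_messages.proto still has no `package` statement, so `Empty`, `ClientIdProto` and bare enum values such as `SERVER` and `MEMBER` are declared in the root protobuf namespace, where a name as common as `Empty` can clash with any other schema loaded into the same descriptor pool. The service files in this commit already use `package org.niis.xroad.signer.proto;`; declaring a package here as well, right after the `syntax` line, would match the layout the commit is introducing. token_status_info.proto and tokens.proto are in the same position and would need the same package so that their unqualified references keep resolving. `java_package` is set explicitly in these files, so the generated Java class names should not move, but that is worth confirming with a build.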
@@ -0,0 +1,117 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+syntax = "proto3";
+
+package org.niis.xroad.signer.proto;
+
+import "common_messages.proto";
+import "tokens.proto";
+import "token_status_info.proto";
+
+option java_multiple_files = true;
+
+service KeyService {
+ rpc GenerateKey(GenerateKeyReq) returns (KeyInfoProto) {}
+
+ rpc SetKeyFriendlyName(SetKeyFriendlyNameReq) returns (Empty) {}
+
+ rpc GetKeyIdForCertHash(GetKeyIdForCertHashReq) returns (GetKeyIdForCertHashResp) {}
+
+ rpc GetSignMechanism(GetSignMechanismReq) returns (GetSignMechanismResp) {}
+
+ rpc Sign(SignReq) returns (SignResp) {}
+
+ rpc SignCertificate(SignCertificateReq) returns (SignCertificateResp) {}
+
+ rpc DeleteKey(DeleteKeyReq) returns (Empty) {}
+
+ rpc GetAuthKey(GetAuthKeyReq) returns (AuthKeyInfoProto) {}
+}
+
+message GetKeyIdForCertHashReq {
+ string cert_hash = 1;
+}
+
+message GetKeyIdForCertHashResp {
+ string key_id = 1;
+ string sign_mechanism_name = 2;
+}
+
+message SetKeyFriendlyNameReq {
+ string key_id = 1;
+ string friendly_name = 2;
+}
+
+
+message GetSignMechanismReq {
+ string key_id = 1;
+}
+
+message GetSignMechanismResp {
+ string sign_mechanism_name = 1;
+}
+
+message SignReq {
+ string key_id = 1;
+ string signature_algorithm_id = 2;
+ bytes digest = 3;
+}
+
+message SignResp {
+ bytes signature = 1;
+}
+
+message SignCertificateReq {
+ string key_id = 1;
+ string signature_algorithm_id = 2;
+ string subject_name = 3;
+ bytes public_key = 4;
+}
+
+message SignCertificateResp {
+ bytes certificate_chain = 1;
+}
+
+message DeleteKeyReq {
+ string key_id = 1;
+ bool delete_from_device = 2;
+}
+
+message GenerateKeyReq {
+ string token_id = 1;
+ string key_label = 2;
+}
+
+message GetAuthKeyReq {
+ SecurityServerIdProto security_server = 1;
+}
+
+message AuthKeyInfoProto {
+ string alias = 1;
+ string key_store_file_name = 2;
+ string password = 3;
+ CertificateInfoProto cert = 4;
+}
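Review bot: `AuthKeyInfoProto.password` is a secret carried as an ordinary `string`, and nothing on the field says so; the text form of a generated protobuf message prints every field, so logging this response anywhere would write the key store password to the log. Mark the field in the schema, e.g. `// Secret: key store password. Must never be logged or included in error messages.`, and check that no interceptor or debug statement on either side prints the message. The same applies to `pin` in `InitSoftwareTokenReq` and to `old_pin` / `new_pin` in `UpdateSoftwareTokenPinReq` in token_service.proto. Confidentiality in transit then depends entirely on how the RPC channel is secured, which this hunk does not show.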
diff --git a/src/signer-protocol/src/main/proto/ocsp_service.proto b/src/signer-protocol/src/main/proto/ocsp_service.proto new file mode 100644 index 0000000000..37a1eae677 --- /dev/null +++ b/src/signer-protocol/src/main/proto/ocsp_service.proto 
@@ -0,0 +1,51 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+syntax = "proto3";
+
+package org.niis.xroad.signer.proto;
+
+import "common_messages.proto";
+
+option java_multiple_files = true;
+
+service OcspService {
+ rpc SetOcspResponses(SetOcspResponsesReq) returns (Empty) {}
+
+ rpc GetOcspResponses(GetOcspResponsesReq) returns (GetOcspResponsesResp) {}
+}
+
+message SetOcspResponsesReq {
+ repeated string cert_hashes = 1;
+ repeated string base64_encoded_responses = 2;
+}
+
+message GetOcspResponsesReq{
+ repeated string cert_hash = 1;
+}
+
+message GetOcspResponsesResp{
+ map base64_encoded_responses = 1;
+}
diff --git a/src/signer-protocol/src/main/proto/token_service.proto b/src/signer-protocol/src/main/proto/token_service.proto
new file mode 100644
index 0000000000..fef57f3aa4
--- /dev/null
+++ b/src/signer-protocol/src/main/proto/token_service.proto
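Review bot: `SetOcspResponsesReq` in ocsp_service.proto carries `cert_hashes` and `base64_encoded_responses` as two independent repeated fields, and nothing in the schema says how they relate or forces them to have the same length. If they are paired by index, as the names suggest, document it on the message, e.g. `// cert_hashes[i] belongs to base64_encoded_responses[i]; both lists must have equal size`, and have the handler reject a request whose lists differ in length before it stores anything. The handler is not part of this hunk, so that check may already exist.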
@@ -0,0 +1,122 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ +syntax = "proto3"; + +package org.niis.xroad.signer.proto; + +import "common_messages.proto"; +import "tokens.proto"; +import "token_status_info.proto"; + +option java_multiple_files = true; + +service TokenService { + rpc GetTokenById(GetTokenByIdReq) returns (TokenInfoProto) {} + + rpc GetTokenByKey(GetTokenByKeyIdReq) returns (TokenInfoProto) {} + + rpc GetTokenAndKeyIdByCertRequestId(GetTokenByCertRequestIdReq) returns (TokenInfoAndKeyIdProto) {} + + rpc GetTokenAndKeyIdByCertHash(GetTokenByCertHashReq) returns (TokenInfoAndKeyIdProto) {} + + rpc ListTokens(Empty) returns (ListTokensResp) {} + + rpc ActivateToken(ActivateTokenReq) returns (Empty) {} + + rpc SetTokenFriendlyName(SetTokenFriendlyNameReq) returns (Empty) {} + + rpc GetTokenBatchSigningEnabled(GetTokenBatchSigningEnabledReq) returns (GetTokenBatchSigningEnabledResp){} + + rpc InitSoftwareToken(InitSoftwareTokenReq) returns (Empty) {} + + rpc UpdateSoftwareTokenPin(UpdateSoftwareTokenPinReq) returns (Empty) {} + + rpc GetHSMOperationalInfo(Empty) returns (GetHSMOperationalInfoResp) {} + + rpc GetMemberSigningInfo(GetMemberSigningInfoReq) returns (GetMemberSigningInfoResp) {} +} + +message ListTokensResp { + repeated TokenInfoProto tokens = 1; +} + +message ActivateTokenReq{ + string token_id = 1; + bool activate = 2; +} + +message GetTokenByIdReq { + string token_id = 1; +} + +message GetTokenByKeyIdReq { + string key_id = 1; +} + +message GetTokenByCertRequestIdReq { + string cert_request_id = 1; +} + +message GetTokenByCertHashReq { + string cert_hash = 1; +} + +message SetTokenFriendlyNameReq { + string token_id = 1; + string friendly_name = 2; +} + +message GetTokenBatchSigningEnabledReq { + string key_id = 1; +} + +message GetTokenBatchSigningEnabledResp { + bool batching_signing_enabled = 1; +} + +message InitSoftwareTokenReq { + string pin = 1; +} + +message UpdateSoftwareTokenPinReq { + string token_id = 1; + string old_pin = 2; + string new_pin = 3; +} + +message 
GetHSMOperationalInfoResp { + bool operational = 1; +} + +message GetMemberSigningInfoReq { + ClientIdProto member_id = 1; +} + +message GetMemberSigningInfoResp { + string key_id = 1; + CertificateInfoProto cert = 2; + string sign_mechanism_name = 3; +} diff --git a/src/signer-protocol/src/main/proto/token_status_info.proto b/src/signer-protocol/src/main/proto/token_status_info.proto new file mode 100644 index 0000000000..08b7dd713d --- /dev/null +++ b/src/signer-protocol/src/main/proto/token_status_info.proto 
@@ -0,0 +1,49 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ +syntax = "proto3"; + +//package protocol; + +option java_multiple_files = true; +option java_package = "ee.ria.xroad.signer.protocol.dto"; + +//option java_outer_classname = "TokenStatusInfo"; +//option objc_class_prefix = "HLW"; + +//import "google/protobuf/empty.proto"; + +/* Token status info DTO. 
*/ +enum TokenStatusInfo { + TOKEN_STATUS_UNSPECIFIED = 0; + OK = 1; // Normal operation status + USER_PIN_LOCKED = 2;// Blocked + USER_PIN_INCORRECT = 3; // Incorrect PIN was entered + USER_PIN_INVALID = 4; // Invalid PIN + USER_PIN_EXPIRED = 5; // PIN expired + USER_PIN_COUNT_LOW = 6; // Only a few tries left + USER_PIN_FINAL_TRY = 7; // Final try + NOT_INITIALIZED = 8; // PIN not initialized +} diff --git a/src/signer-protocol/src/main/proto/tokens.proto b/src/signer-protocol/src/main/proto/tokens.proto new file mode 100644 index 0000000000..3747f2c7a7 --- /dev/null +++ b/src/signer-protocol/src/main/proto/tokens.proto 
@@ -0,0 +1,89 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+syntax = "proto3";
+
+import "common_messages.proto";
+import "token_status_info.proto";
+
+option java_multiple_files = true;
+option java_package = "ee.ria.xroad.signer.protocol.dto";
+
+message TokenInfoProto {
+ string type = 1;
+ optional string friendly_name = 2;
+ string id = 3;
+ bool read_only = 4;
+ bool available = 5;
+ bool active = 6;
+ optional string serial_number = 7;
+ optional string label = 8;
+ int32 slot_index = 9;
+ TokenStatusInfo status = 10;
+ repeated KeyInfoProto key_info = 11;
+ map token_info = 12;
+}
+
+message TokenInfoAndKeyIdProto {
+ TokenInfoProto token_info = 1;
+ string key_id = 2;
+}
+
+message KeyInfoProto {
+ bool available = 1;
+ KeyUsageInfo usage = 2;
+ optional string friendly_name = 3;
+ string id = 4;
+ optional string label = 5;
+ string public_key = 6;
+ repeated CertificateInfoProto certs = 7;
+ repeated CertRequestInfoProto cert_requests = 8;
+ string sign_mechanism_name = 9;
+}
+
+message CertificateInfoProto {
+ optional ClientIdProto member_id = 1;
+ bool active = 2;
+ bool saved_to_configuration = 3;
+ string status = 4;
+ string id = 5;
+ bytes certificate_bytes = 6;
+ bytes ocsp_bytes = 7;
+ // Add other fields as needed
+}
+
+message CertRequestInfoProto {
+ string id = 1;
+ ClientIdProto member_id = 2;
+ string subject_name = 3;
+ // Add other fields as needed
+}
+
+/* Key usage can either be signing or authentication. */
+enum KeyUsageInfo {
+ KEY_USAGE_UNSPECIFIED = 0;
+ SIGNING = 1;
+ AUTHENTICATION = 2;
+}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/model/Token.java b/src/signer/src/main/java/ee/ria/xroad/signer/model/Token.java
index d25ace6525..aef3680556 100644
--- a/src/signer/src/main/java/ee/ria/xroad/signer/model/Token.java
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/model/Token.java
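Review bot: `CertificateInfoProto.status` is a free-form `string` while token status and key usage are enums, so a mistyped or unexpected status would cross the RPC boundary unchecked; if the set of certificate statuses is closed, an enum (or at least a comment listing the accepted values) would be safer. `public_key`, `certificate_bytes` and `ocsp_bytes` carry no comment on their encoding; a line such as `// DER-encoded X.509 certificate` is worth adding once the format is confirmed. The two `// Add other fields as needed` placeholders should be dropped or turned into tracked TODOs. `member_id` is `optional` in `CertificateInfoProto` but not in `CertRequestInfoProto`, although message-typed fields track presence either way, so one spelling should be chosen.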
@@ -32,13 +32,13 @@ import ee.ria.xroad.signer.tokenmanager.token.TokenType; import lombok.Data; -import org.apache.commons.lang3.ObjectUtils; import java.util.ArrayList; import java.util.Collections; import java.util.LinkedHashMap; import java.util.List; import java.util.Map; +import java.util.Objects; import java.util.stream.Collectors; import static java.util.Collections.unmodifiableMap; @@ -183,9 +183,9 @@ public boolean matches(TokenType token) { return token.getModuleType() != null && token.getModuleType().equals(type) - && ObjectUtils.equals(token.getSerialNumber(), serialNumber) - && ObjectUtils.equals(token.getLabel(), label) - && ObjectUtils.equals(token.getSlotIndex(), slotIndex); + && Objects.equals(token.getSerialNumber(), serialNumber) + && Objects.equals(token.getLabel(), label) + && Objects.equals(token.getSlotIndex(), slotIndex); } /** From cb28c82674b95c91e328b7a1a1b7041543c03d5d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Tue, 12 Sep 2023 20:01:01 +0300 Subject: [PATCH 063/127] chore: add proxy batch sign integration tests Refs: XRDDEV-2468 --- src/proxy/build.gradle | 4 + .../niis/xroad/proxy/test/ProxyIntTest.java | 39 +++ .../proxy/test/container/ContainerSetup.java | 137 ++++++++++ .../xroad/proxy/test/glue/ProxyStepDefs.java | 249 ++++++++++++++++++ .../proxy/test/hook/SignerProxyInitHook.java | 58 ++++ .../resources/application-override.yml | 36 +++ .../behavior/0100-proxy-batch-sign.feature | 19 ++ .../resources/container-files/Dockerfile | 21 ++ .../etc/xroad/conf.d/signer.ini | 0 .../globalconf/CS/fetchinterval-params.xml | 3 + .../xroad/globalconf/CS/private-params.xml | 15 ++ .../globalconf/CS/private-params.xml.metadata | 1 + .../etc/xroad/globalconf/CS/shared-params.xml | 106 ++++++++ .../globalconf/CS/shared-params.xml.metadata | 1 + .../etc/xroad/globalconf/instance-identifier | 1 + .../etc/xroad/signer/devices.ini | 0 .../etc/xroad/signer/keyconf.xml | 2 + .../etc/xroad/signer/signer-logback.xml | 21 ++ .../etc/xroad/signer/softtoken/.gitkeep | 0 .../grpc-internal-keystore.jks | Bin 0 -> 2614 bytes .../container-files/var/cache/xroad/.gitkeep | 0 21 files changed, 713 insertions(+) create mode 100644 src/proxy/src/intTest/java/org/niis/xroad/proxy/test/ProxyIntTest.java create mode 100644 src/proxy/src/intTest/java/org/niis/xroad/proxy/test/container/ContainerSetup.java create mode 100644 src/proxy/src/intTest/java/org/niis/xroad/proxy/test/glue/ProxyStepDefs.java create mode 100644 src/proxy/src/intTest/java/org/niis/xroad/proxy/test/hook/SignerProxyInitHook.java create mode 100755 src/proxy/src/intTest/resources/application-override.yml create mode 100644 src/proxy/src/intTest/resources/behavior/0100-proxy-batch-sign.feature create mode 100644 src/proxy/src/intTest/resources/container-files/Dockerfile create mode 100644 src/proxy/src/intTest/resources/container-files/etc/xroad/conf.d/signer.ini create mode 
100644 src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/fetchinterval-params.xml create mode 100644 src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml create mode 100644 src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml.metadata create mode 100644 src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml create mode 100644 src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml.metadata create mode 100644 src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/instance-identifier create mode 100644 src/proxy/src/intTest/resources/container-files/etc/xroad/signer/devices.ini create mode 100644 src/proxy/src/intTest/resources/container-files/etc/xroad/signer/keyconf.xml create mode 100644 src/proxy/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml create mode 100644 src/proxy/src/intTest/resources/container-files/etc/xroad/signer/softtoken/.gitkeep create mode 100644 src/proxy/src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.jks create mode 100644 src/proxy/src/intTest/resources/container-files/var/cache/xroad/.gitkeep diff --git a/src/proxy/build.gradle b/src/proxy/build.gradle index d1a27c8f2e..f427c6384a 100644 --- a/src/proxy/build.gradle +++ b/src/proxy/build.gradle @@ -23,6 +23,10 @@ dependencies { testImplementation 'io.rest-assured:rest-assured:4.4.0' testImplementation 'wsdl4j:wsdl4j:1.6.3' testImplementation "org.mockito:mockito-inline:$mockitoVersion" + + intTestRuntimeOnly project(':signer') + intTestImplementation project(":common:common-test") + intTestImplementation project(":common:common-int-test") } jar { 
diff --git a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/ProxyIntTest.java b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/ProxyIntTest.java new file mode 100644 index 0000000000..ac8b3a71e9 --- /dev/null +++ b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/ProxyIntTest.java 
@@ -0,0 +1,39 @@ +/* + * The MIT License + * + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + +package org.niis.xroad.proxy.test; + +import org.junit.platform.suite.api.IncludeEngines; +import org.junit.platform.suite.api.SelectClasspathResource; +import org.junit.platform.suite.api.Suite; + +@Suite +@IncludeEngines("cucumber") +@SelectClasspathResource("behavior") +public class ProxyIntTest { +} + 
diff --git a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/container/ContainerSetup.java b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/container/ContainerSetup.java new file mode 100644 index 0000000000..6eaa71fc65 --- /dev/null +++ b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/container/ContainerSetup.java 
@@ -0,0 +1,137 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ +package org.niis.xroad.proxy.test.container; + +import com.nortal.test.testcontainers.configuration.TestableContainerProperties; +import com.nortal.test.testcontainers.configurator.TestContainerConfigurator; +import com.nortal.test.testcontainers.images.builder.ImageFromDockerfile; +import com.nortal.test.testcontainers.images.builder.ReusableImageFromDockerfile; +import lombok.SneakyThrows; +import lombok.extern.slf4j.Slf4j; +import okio.Path; +import org.apache.commons.io.FileUtils; +import org.jetbrains.annotations.NotNull; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.testcontainers.containers.GenericContainer; +import org.testcontainers.containers.wait.strategy.Wait; + +import java.io.File; +import java.nio.file.Paths; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +@Slf4j +@Configuration +@SuppressWarnings("checkstyle:MagicNumber") +public class ContainerSetup { + + static { + //This is to set docker api version in testcontainers. By default it uses 1.32, which does not support platform setting. 
+ System.setProperty("api.version", "1.41"); + } + + @Bean + public TestContainerConfigurator testContainerConfigurator( + TestableContainerProperties testableContainerProperties) { + return new TestContainerConfigurator() { + @NotNull + @Override + public ImageFromDockerfile imageDefinition() { + var appJarPath = Paths.get("../signer/build/libs/signer-1.0.jar"); + log.info("Will use {} jar for container creation", appJarPath); + + File filesToAdd = Paths.get("src/intTest/resources/container-files/").toFile(); + + return new ReusableImageFromDockerfile("signer-int-test", + !testableContainerProperties.getReuseBetweenRuns(), + testableContainerProperties.getReuseBetweenRuns()) + .withFileFromFile(".", filesToAdd) + .withFileFromPath("files/app.jar", appJarPath); + } + + @NotNull + @Override + public Map environmentalVariables() { + return new HashMap<>(); + } + + @NotNull + @Override + public List exposedPorts() { + return List.of(5558, 5560); + } + }; + } + + @Bean + public TestContainerConfigurator.TestContainerInitListener testContainerInitListener() { + return new TestContainerConfigurator.TestContainerInitListener() { + + @Override + public void beforeStart(@NotNull GenericContainer genericContainer) { + genericContainer + .waitingFor(Wait.forLogMessage(".*Signer has been initialized in.*", 1)); + genericContainer + .withCommand("java", + "-Dlogback.configurationFile=/etc/xroad/signer/signer-logback.xml", + "-Dxroad.internal.passwordstore-provider=file", + "-Dxroad.grpc.internal.keystore=/etc/xroad/transport-keystore/grpc-internal-keystore.jks", + "-Dxroad.grpc.internal.keystore-password=111111", + "-Dxroad.grpc.internal.truststore=/etc/xroad/transport-keystore/grpc-internal-keystore.jks", + "-Dxroad.grpc.internal.truststore-password=111111", + "-cp", + "/root/app.jar", + "ee.ria.xroad.signer.SignerMain"); + + prepareSignerDirs(); + } + + @Override + public void afterStart(@NotNull GenericContainer genericContainer) { + //do nothing + } + + @SneakyThrows + 
private void prepareSignerDirs() { + deleteIfPresent("build/resources/intTest/container-files/etc/xroad/signer/softtoken/"); + deleteIfPresent("build/container-passwordstore/"); + } + + @SneakyThrows + private void deleteIfPresent(String path) { + var dir = Path.get(path); + if (dir.toFile().exists()) { + log.info("Temporary test-signer sync dir {} found. Deleting..", dir); + FileUtils.cleanDirectory(dir.toFile()); + } + } + }; + } + + +} diff --git a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/glue/ProxyStepDefs.java b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/glue/ProxyStepDefs.java new file mode 100644 index 0000000000..ef2f5f2a0a --- /dev/null +++ b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/glue/ProxyStepDefs.java 
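Review bot: The `-Dxroad.grpc.internal.keystore-password=111111` and `-Dxroad.grpc.internal.truststore-password=111111` arguments in `beforeStart` hard-code the password of the committed `grpc-internal-keystore.jks`, and the same file serves as both keystore and truststore, so the private key travels with the trust anchors. That is workable for a throwaway fixture, but nothing in the code says so; I would add `// Test-only transport keystore and password; must never be reused outside the integration-test container.` above the `withCommand` call. `SignerProxyInitHook.beforeSuite()` sets the same values and deserves the same comment. Separately, `deleteIfPresent` builds its path with `okio.Path.get(path)` although `java.nio.file.Paths` is already imported; `var dir = Paths.get(path);` would avoid depending on what is presumably a transitive okio class, and the "Deleting.." log text does not match `FileUtils.cleanDirectory`, which only empties the directory.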
@@ -0,0 +1,249 @@ +/* + * The MIT License + * + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ + +package org.niis.xroad.proxy.test.glue; + +import ee.ria.xroad.common.hashchain.HashChainReferenceResolver; +import ee.ria.xroad.common.identifier.ClientId; +import ee.ria.xroad.common.signature.MessagePart; +import ee.ria.xroad.common.signature.SignatureBuilder; +import ee.ria.xroad.common.signature.SignatureData; +import ee.ria.xroad.common.signature.SignatureVerifier; +import ee.ria.xroad.common.util.MessageFileNames; +import ee.ria.xroad.proxy.conf.KeyConf; +import ee.ria.xroad.signer.SignerProxy; +import ee.ria.xroad.signer.protocol.dto.KeyInfo; +import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; +import ee.ria.xroad.signer.protocol.dto.TokenInfo; + +import io.cucumber.java.en.Step; +import lombok.Value; +import lombok.extern.slf4j.Slf4j; +import org.apache.commons.io.FileUtils; +import org.apache.commons.lang3.RandomStringUtils; +import org.niis.xroad.common.test.glue.BaseStepDefs; +import org.niis.xroad.signer.proto.CertificateRequestFormat; + +import java.io.ByteArrayInputStream; +import java.io.File; +import java.io.InputStream; +import java.nio.charset.StandardCharsets; +import java.util.*; +import java.util.concurrent.Callable; +import java.util.concurrent.ExecutorService; +import java.util.concurrent.Executors; +import java.util.concurrent.Future; +import java.util.concurrent.atomic.AtomicInteger; + +import static ee.ria.xroad.common.util.CryptoUtils.SHA512_ID; +import static ee.ria.xroad.common.util.CryptoUtils.calculateDigest; +import static java.lang.String.format; +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.fail; + +@Slf4j +@SuppressWarnings("checkstyle:MagicNumber") +public class ProxyStepDefs extends BaseStepDefs { + private String scenarioKeyId; + + @Step("tokens are listed") + public void listTokens() throws Exception { + var tokens = SignerProxy.getTokens(); + testReportService.attachJson("Tokens", tokens.toArray()); + } + + @Step("token is initialized with pin {string}") 
+ public void initToken(String pin) throws Exception { + SignerProxy.initSoftwareToken(pin.toCharArray()); + } + + @Step("token with id {string} is logged in with pin {string}") + public void tokenIsActivatedWithPin(String tokenId, String pin) throws Exception { + SignerProxy.activateToken(tokenId, pin.toCharArray()); + } + + @Step("new key {string} generated for token with id {string}") + public void newKeyGeneratedForToken(String keyLabel, String tokenId) throws Exception { + final KeyInfo keyInfo = SignerProxy.generateKey(tokenId, keyLabel); + scenarioKeyId = keyInfo.getId(); + + testReportService.attachJson("keyInfo", keyInfo); + } + + @Step("the {} cert request is generated with created key for client {string}") + public void certRequestIsGeneratedForTokenKey(String keyUsage, String client) throws Exception { + var clientId = getClientId(client); + var subjectName = format("C=%s, O=%s, CN=%s", + clientId.getXRoadInstance(), + clientId.getMemberClass(), + clientId.getMemberCode()); + + SignerProxy.GeneratedCertRequestInfo csrInfo = SignerProxy.generateCertRequest(scenarioKeyId, clientId, + KeyUsageInfo.valueOf(keyUsage), subjectName, CertificateRequestFormat.DER); + + + File csrFile = File.createTempFile("tmp", keyUsage.toLowerCase() + "_csr" + System.currentTimeMillis()); + FileUtils.writeByteArrayToFile(csrFile, csrInfo.getCertRequest()); + putStepData(StepDataKey.DOWNLOADED_FILE, csrFile); + } + + @Step("Generated certificate with initial status {string} is imported for client {string}") + public void importCertFromFile(String initialStatus, String client) throws Exception { + final Optional cert = getStepData(StepDataKey.CERT_FILE); + final ClientId.Conf clientId = getClientId(client); + final byte[] certBytes = FileUtils.readFileToByteArray(cert.orElseThrow()); + + scenarioKeyId = SignerProxy.importCert(certBytes, initialStatus, clientId); + } + + @Step("token info can be retrieved by key id") + public void tokenInfoCanBeRetrievedByKeyId() throws Exception 
{ + final TokenInfo tokenForKeyId = SignerProxy.getTokenForKeyId(this.scenarioKeyId); + testReportService.attachJson("tokenInfo", tokenForKeyId); + assertThat(tokenForKeyId).isNotNull(); + } + + + @Step("client {string} signs the messages {} random messages using {} threads") + public void execBatchSign(String client, int count, int threads) throws Exception { + exec(client, count, threads); + } + + private void exec(String client, int count, int threads) throws InterruptedException { + final var clientId = getClientId(client); + final var signingCtx = KeyConf.getSigningCtx(clientId); + + List messages = new ArrayList<>(); + for (int i = 0; i < count; i++) { + messages.add("random-msg:" + RandomStringUtils.randomAlphabetic(100, 1000)); + } + + List> callables = new ArrayList<>(); + for (final String message : messages) { + callables.add(() -> { + try { + MessagePart hashPart = new MessagePart(MessageFileNames.MESSAGE, SHA512_ID, + calculateDigest(SHA512_ID, message.getBytes()), message.getBytes()); + + List hashes = Collections.singletonList(hashPart); + + SignatureBuilder builder = new SignatureBuilder(); + builder.addPart(hashPart); + SignatureData signatureData = signingCtx.buildSignature(builder); + + return new BatchSignResult(clientId, message, signatureData, hashes); + + } catch (Exception e) { + log.error("Error", e); + return new BatchSignResult(clientId, message, null, null); + } + + }); + } + + List> results = invokeCallables(callables, threads); + + final AtomicInteger batchSignatureDetectCounter = new AtomicInteger(); + for (Future result : results) { + try { + var signResult = result.get(); + + assertThat(signResult.getSignatureData()).isNotNull(); + + verify(signResult); + + assertThat(signResult.getSignatureData().getSignatureXml()).isNotEmpty(); + + if (signResult.getSignatureData().isBatchSignature()) { + batchSignatureDetectCounter.incrementAndGet(); + } + } catch (Exception e) { + fail("Verification has failed.", e); + } + } + + if 
(batchSignatureDetectCounter.get() == 0) { + fail("Batch signature was not detected."); + } else { + testReportService.attachText("Batch signature was triggered " + batchSignatureDetectCounter.get() + " times", ""); + } + } + + private List> invokeCallables(List> callables, int threads) throws InterruptedException { + ExecutorService executorService = Executors.newFixedThreadPool(threads); + + try { + return executorService.invokeAll(callables); + } finally { + executorService.shutdown(); + } + } + + @Value + private static class BatchSignResult { + ClientId.Conf clientId; + String message; + SignatureData signatureData; + List messageParts; + } + + private static void verify(final BatchSignResult batchSignResult) + throws Exception { + SignatureVerifier verifier = new SignatureVerifier(batchSignResult.getSignatureData()); + verifier.addParts(batchSignResult.getMessageParts()); + + HashChainReferenceResolver resolver = new HashChainReferenceResolver() { + @Override + public InputStream resolve(String uri) { + switch (uri) { + case MessageFileNames.SIG_HASH_CHAIN: + return new ByteArrayInputStream(batchSignResult.getSignatureData().getHashChain().getBytes(StandardCharsets.UTF_8)); + case MessageFileNames.MESSAGE: + return new ByteArrayInputStream(batchSignResult.getMessage().getBytes(StandardCharsets.UTF_8)); + default: + return null; + } + } + + @Override + public boolean shouldResolve(String uri, byte[] digestValue) { + return true; + } + }; + + if (batchSignResult.getSignatureData().getHashChainResult() != null) { + verifier.setHashChainResourceResolver(resolver); + } + + verifier.verify(batchSignResult.getClientId(), new Date()); + } + + private ClientId.Conf getClientId(String client) { + final String[] parts = client.split(":"); + return ClientId.Conf.create(parts[0], parts[1], parts[2]); + } +} 
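Review bot: In `exec`, the digest and the `MessagePart` payload are built from `message.getBytes()`, which uses the JVM default charset, while `verify` resolves `MessageFileNames.MESSAGE` with `getBytes(StandardCharsets.UTF_8)`; the signed and verified bytes agree only because `randomAlphabetic` produces ASCII. Use the explicit charset on both sides, e.g. `byte[] payload = message.getBytes(StandardCharsets.UTF_8);`, and pass `payload` to `calculateDigest` and to the `MessagePart` constructor. `getClientId` also reads only `parts[0]` to `parts[2]`, so the `Management` subsystem in `CS:ORG:2908758-4:Management` is silently dropped and an input with fewer than three parts throws `ArrayIndexOutOfBoundsException`. A length check, plus passing the subsystem if `ClientId.Conf` offers a four-argument factory, would make the step match the feature file.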
diff --git a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/hook/SignerProxyInitHook.java b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/hook/SignerProxyInitHook.java new file mode 100644 index 0000000000..9c9a2aefad --- /dev/null +++ b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/hook/SignerProxyInitHook.java 
@@ -0,0 +1,58 @@ +package org.niis.xroad.proxy.test.hook; + +import ee.ria.xroad.common.SystemProperties; +import ee.ria.xroad.common.TestSecurityUtil; +import ee.ria.xroad.common.signature.BatchSigner; +import ee.ria.xroad.signer.protocol.RpcSignerClient; + +import com.nortal.test.core.services.TestableApplicationInfoProvider; +import com.nortal.test.core.services.hooks.BeforeSuiteHook; +import lombok.RequiredArgsConstructor; +import lombok.SneakyThrows; +import lombok.extern.slf4j.Slf4j; +import org.springframework.stereotype.Component; + +import static ee.ria.xroad.common.SystemProperties.GRPC_INTERNAL_KEYSTORE; +import static ee.ria.xroad.common.SystemProperties.GRPC_INTERNAL_KEYSTORE_PASSWORD; +import static ee.ria.xroad.common.SystemProperties.GRPC_INTERNAL_TRUSTSTORE; +import static ee.ria.xroad.common.SystemProperties.GRPC_INTERNAL_TRUSTSTORE_PASSWORD; +import static ee.ria.xroad.common.SystemProperties.GRPC_SIGNER_HOST; +import static ee.ria.xroad.common.SystemProperties.GRPC_SIGNER_PORT; + +@Slf4j +@Component +@RequiredArgsConstructor +public class SignerProxyInitHook implements BeforeSuiteHook { + private final TestableApplicationInfoProvider testableApplicationInfoProvider; + + @Override + @SneakyThrows + public void beforeSuite() { + var host = testableApplicationInfoProvider.getHost(); + var port = testableApplicationInfoProvider.getMappedPort(SystemProperties.getGrpcSignerPort()); + log.info("Will use {}:{} for signer RPC connection..", host, port); + + System.setProperty(GRPC_SIGNER_HOST, host); + System.setProperty(GRPC_SIGNER_PORT, String.valueOf(port)); + + System.setProperty(GRPC_SIGNER_HOST, host); + + System.setProperty(GRPC_INTERNAL_KEYSTORE, + "src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.jks"); + System.setProperty(GRPC_INTERNAL_KEYSTORE_PASSWORD, "111111"); + System.setProperty(GRPC_INTERNAL_TRUSTSTORE, + 
"src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.jks"); + System.setProperty(GRPC_INTERNAL_TRUSTSTORE_PASSWORD, "111111"); + + System.setProperty("xroad.internal.passwordstore-provider", "file"); + System.setProperty("xroad.internal.passwordstore-file-path", "build/container-passwordstore/"); + + System.setProperty("xroad.common.configuration-path", "build/resources/intTest/container-files/etc/xroad/globalconf"); + System.setProperty("xroad.signer.key-configuration-file", "build/resources/intTest/container-files/etc/xroad/signer/keyconf.xml"); + + TestSecurityUtil.initSecurity(); + RpcSignerClient.init(); + BatchSigner.init(); + } + +} diff --git a/src/proxy/src/intTest/resources/application-override.yml b/src/proxy/src/intTest/resources/application-override.yml new file mode 100755 index 0000000000..1b89b7aca0 --- /dev/null +++ b/src/proxy/src/intTest/resources/application-override.yml 
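Review bot: `System.setProperty(GRPC_SIGNER_HOST, host);` is called twice in `beforeSuite()`, once before and once after the `GRPC_SIGNER_PORT` assignment; the second call is redundant and can be removed. As far as the hunk shows, this is also the only new Java source in the patch that starts at `package` without the MIT license header the sibling files carry. All values are written to JVM-wide system properties and never restored, which is worth a short comment such as `// Suite-wide: these properties stay set for the lifetime of the test JVM.` so later hooks do not assume a clean environment.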
@@ -0,0 +1,36 @@
+---
+#Logging configuration
+logging:
+ level:
+ ROOT: INFO
+ cucumber: TRACE
+ liquibase: WARN
+ org.springframework: INFO
+ org.niis: TRACE
+ com.nortal.test: INFO # TRACE is helpful for development
+
+test-automation:
+ report-name: xroad-proxy-test-suite
+ spring-component-scan: "org.niis.xroad.common.test,org.niis.xroad.proxy.test"
+ cucumber:
+ execution:
+ parallel:
+ enabled: false
+ glue-append: "org.niis.xroad.common.test.glue,org.niis.xroad.proxy.test.glue"
+ filter:
+ tags: "not @Skip"
+ containers:
+ testable-container:
+ reuse-between-runs: ${reuse-between-runs}
+ directory-mounts:
+ - "/tmp/xroad/passwordstore/:build/container-passwordstore/"
+ - "/etc/xroad/signer/:build/resources/intTest/container-files/etc/xroad/signer/"
+ context-containers:
+ ca-server:
+ enabled: true
+ reuse-between-runs: ${reuse-between-runs}
+
+# toggle for reusable containers. This allows quicker test development as containers are not destroyed between runs.
+# WARNING: this leaves containers running indefinitely. They have to be stopped manually.
+# Note: this required testcontainers.reuse.enable=true property to be defined in your ~/.testcontainers.properties file
+reuse-between-runs: false
diff --git a/src/proxy/src/intTest/resources/behavior/0100-proxy-batch-sign.feature b/src/proxy/src/intTest/resources/behavior/0100-proxy-batch-sign.feature
new file mode 100644
index 0000000000..9a3ff0c418
--- /dev/null
+++ b/src/proxy/src/intTest/resources/behavior/0100-proxy-batch-sign.feature
@@ -0,0 +1,19 @@
+@SoftToken
+Feature: 0100 - Proxy: Batch signer
+
+ Background:
+ Given tokens are listed
+
+ Scenario: Token and key is initialized
+ When token is initialized with pin "123456"
+ And token with id "0" is logged in with pin "123456"
+ Then tokens are listed
+
+ Scenario: Batch signer can sign multiple messages
+ Given new key "key-1" generated for token with id "0"
+ And the SIGNING cert request is generated with created key for client "CS:ORG:2908758-4:Management"
+ And SIGN CSR is processed by test CA
+ And Generated certificate with initial status "registered" is imported for client "CS:ORG:2908758-4:Management"
+ And token info can be retrieved by key id
+ And tokens are listed
+ When client "CS:ORG:2908758-4:Management" signs the messages 500 random messages using 50 threads
diff --git a/src/proxy/src/intTest/resources/container-files/Dockerfile b/src/proxy/src/intTest/resources/container-files/Dockerfile
new file mode 100644
index 0000000000..a614817706
--- /dev/null
+++ b/src/proxy/src/intTest/resources/container-files/Dockerfile
@@ -0,0 +1,21 @@
+# Explicitly defining linux/amd64 ubuntu:22.04 image
+FROM ubuntu@sha256:56887c5194fddd8db7e36ced1c16b3569d89f74c801dc8a5adbf48236fb34564
+RUN apt-get clean && apt-get -y update && apt-get install -y locales && locale-gen en_US.UTF-8
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get -qq update \
+ && apt-get -qq upgrade \
+ && apt-get -qq install curl software-properties-common gawk \
+ openjdk-11-jdk-headless build-essential git unzip debhelper \
+ && apt-get -qq autoremove \
+ && apt-get -qq clean
+
+COPY --chown=root:root files/app.jar /root/app.jar
+COPY --chown=root:root etc /etc
+COPY --chown=root:root var /var
+
+EXPOSE 5558 5559 5560
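Review bot: In the Dockerfile, the `apt-get -qq install` line pulls `build-essential`, `git`, `debhelper`, `unzip` and a full JDK into an image whose only job, per `ContainerSetup`, is `java -cp /root/app.jar ee.ria.xroad.signer.SignerMain`; unless the signer needs them at runtime, a JRE-only install (for example `openjdk-11-jre-headless`) would shrink the image and what is exposed inside it. The process also runs as root from `/root/app.jar`; a dedicated `USER` would be closer to how the signer is deployed, if the mounted directories allow it. `EXPOSE 5558 5559 5560` lists 5559 while `ContainerSetup.exposedPorts()` maps only 5558 and 5560, so either drop it or add a comment saying why it is needed. `apt-get -qq upgrade` gives back part of the reproducibility gained by pinning the base image by digest.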
diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/conf.d/signer.ini b/src/proxy/src/intTest/resources/container-files/etc/xroad/conf.d/signer.ini new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/fetchinterval-params.xml b/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/fetchinterval-params.xml new file mode 100644 index 0000000000..7cd5010c07 --- /dev/null +++ b/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/fetchinterval-params.xml @@ -0,0 +1,3 @@ + + 10 + diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml b/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml new file mode 100644 index 0000000000..b3d36ed74b --- /dev/null +++ b/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml @@ -0,0 +1,15 @@ + + + CS + + https://cs:4001/managementservice/ + 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 + + CS + ORG + 2908758-4 + Management + + + 10 + diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml.metadata b/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml.metadata new file mode 100644 index 0000000000..e4102000b5 --- /dev/null +++ b/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml.metadata @@ -0,0 +1 @@ +{"contentIdentifier":"PRIVATE-PARAMETERS","instanceIdentifier":"cs","expirationDate":"2124-05-20T17:42:55Z"} diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml b/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml new file mode 100644 index 0000000000..3a8d0fa041 --- /dev/null 
+++ b/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml 
@@ -0,0 +1,106 @@ + + + CS + + X-Road Test CA CN + + 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 + + http://ca:8888 + 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 + + + ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider + + + X-Road Test TSA CN + http://ca:8899 + MIIFXTCCA0WgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBbMQswCQYDVQQGEwJGSTEUMBIGA1UECgwLWC1Sb2FkIFRlc3QxGjAYBgNVBAsMEVgtUm9hZCBUZXN0IENBIE9VMRowGAYDVQQDDBFYLVJvYWQgVGVzdCBDQSBDTjAeFw0yMTAzMTAwNzM1NTdaFw00MTAzMDUwNzM1NTdaMF0xCzAJBgNVBAYTAkZJMRQwEgYDVQQKDAtYLVJvYWQgVGVzdDEbMBkGA1UECwwSWC1Sb2FkIFRlc3QgVFNBIE9VMRswGQYDVQQDDBJYLVJvYWQgVGVzdCBUU0EgQ04wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC/9WmHOot4PgLCtjwMP2jRNs1N0ZdwdajqA7S1nK9YKhTHwipGK+odCZ3OO1YKLHa4DEsPk9tkHCULcDObeb2HKJg/tjHdj2CVFfTqsLTgJuubR6T5wsfYfK7SuHP9708NPQtMQm8HkGoP7RlcQ0eQQ1j0gW8Vz8oY5qWWaEhQyQD0ZLmsUATn3NmCvwTshQacdwgV5JPnJJIetk893N3vJdyWaCO64FQxF35SHLwADXwDKVy9h+qiabx5dO3jHsJV87kr/37Jxsw/r2hxAppKXfUcuftY0RaMJAkvmL5K8UuVvI0cZw6NgCivMxe2XPdS3B2O9cb2HQ7Q3DodTgLDoFMYuQVU2VsFEBw0m7AOH5LXSehNWBDD0XzYntMYg/L4J83jIxEnEPjwdl2tKwOQWxnAqpCyNabiqVt+kS5SOOj3GCeavJGgAp8TN825JMT8bXPievuZEAVu/aR0TJ2dOoC6mwm9hgwY6eLzoElxiDqOBnMsFPOuJkSn6ShIA8FSefzEYg4OnN74f+tqE3lemsf+KBZeJfy5p1vR5UaeOqW8FBIwrLi1ufBnT1AhMmQfgwppZCPV0OCMXMI6XRp6S4C4go8aQpXWMenLiiVW9oTawQd8bPbv87ZEMplghvMpTju2YVogha4btQNcvJjN9RYrZcyHEHXIEgleGx6gwQIDAQABoyowKDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDAOBgNVHQ8BAf8EBAMCBkAwDQYJKoZIhvcNAQELBQADggIBAAWbwH+dA2G0B0zAgkB8DsFwYvqz8NGckU/I1M5jrw5Ln6JgedCFStcQLWfDUQA9fHIOCt3tKOyXWYI1pSWAE6IG0a6IhtoxgHEKD+/lFal3p2ikyt46IDW3hab5DVrnYT/hrEptxygE901U/D8EshN4HJL3G1XC1uMAjFr1YjPMrkIvffG2Z9Nv3QEJ1MdS/N3Mfv9LHNojQZYc72JwocDzf8SwUNbBNQEQEPd/RZg1dEoVwApBmQAOEbBVCVyfcVV9fOR0m7s/dHxb5y1AHfLOZDAf8lpkzhNUQc1Xth7ihICzJH5jnzW3EYuTOTM3LXCPRWtsYW3F0M3cJQEthjU4hHDoGp/8xOlU2TJuuD5rhvpqS+IFDnaAlSd7cPXYHej58ivya5l9VlCazo5TaI/Q0lwkKL6HJuQJbNVkbookTxV554IPX3Q6Tg35tI3rdc6mqztKfTb8HUtoBy5WM2fKQGHu+0oXoNynpPOFgD+2O86lEemZPdoC1vytmybKZ0iDYBercxl70HFXLCAFZB0j
B5UWOopoh1NMzdYpQjCPQJ9rhuTxBLxwuLbabWNbLRwv0mvC1kFbRQEOu8hiQTo6ao3oY9s0qnSfXLHDc3Rc0OXgU+P4EnTY9DHJXcSfGUyOngMxwh5ciFV4dpNwBGTk/1P3vOGGthCnjtL1VPkz + + + + ORG + Non-profit organisations + + 2908758-4 + TestOrg + + Management + + + + + COM + Private companies + + 1710128-9 + TestCom + + TestClient + + + + + GOV + Governmental organisations + + 0245437-2 + TestGov + + TestSaved + + + TestService + + + test-consumer + + + + id0 + SS0 +

ss0
+ 5+C5Gr24Dh912x5haKGOyZuK2KI= + id1 + id7 + + + id4 + SS1 +
ss1
+ 03SfHhv+L5OJrJaod/sOZn6vp1c= + id5 + id6 + id3 + id1 +
+ + security-server-owners + Security server owners + + CS + ORG + 2908758-4 + + + CS + GOV + 0245437-2 + + + + + COM + Private companies + + + GOV + Governmental organisations + + + ORG + Non-profit organisations + + 3600 + + diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml.metadata b/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml.metadata new file mode 100644 index 0000000000..20014b1e9e --- /dev/null +++ b/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml.metadata @@ -0,0 +1 @@ +{"contentIdentifier":"SHARED-PARAMETERS","instanceIdentifier":"cs","expirationDate":"2124-05-20T17:42:55Z"} diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/instance-identifier b/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/instance-identifier new file mode 100644 index 0000000000..3faedb7f9c --- /dev/null +++ b/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/instance-identifier @@ -0,0 +1 @@ +CS diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/signer/devices.ini b/src/proxy/src/intTest/resources/container-files/etc/xroad/signer/devices.ini new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/signer/keyconf.xml b/src/proxy/src/intTest/resources/container-files/etc/xroad/signer/keyconf.xml new file mode 100644 index 0000000000..ebe6f5804c --- /dev/null +++ b/src/proxy/src/intTest/resources/container-files/etc/xroad/signer/keyconf.xml @@ -0,0 +1,2 @@ + + diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml b/src/proxy/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml new file mode 100644 index 0000000000..3f685520c2 --- /dev/null +++ b/src/proxy/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml 
@@ -0,0 +1,21 @@ + + + + + + %d{"yyyy-MM-dd'T'HH:mm:ss.SSSXXX"} %level [xroad-signer] [%thread] %logger{36} - %msg%n + + + + + + + + + + + + + + + diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/signer/softtoken/.gitkeep b/src/proxy/src/intTest/resources/container-files/etc/xroad/signer/softtoken/.gitkeep new file mode 100644 index 0000000000..e69de29bb2 
diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.jks b/src/proxy/src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..f0368a6f6d5b1d177b04d27dd51b73af376498ce GIT binary patch literal 2614 zcma)8c{CJ?8lQcPE!inM*UngG=vr?WToQ$`6$WDsA!|%VmdQG}mh2>SjU|(0XG9Ab zvZOMygz;|HtcBM*@15>>f4%p|cfRxemhZpscRnPMRUHHbBZ-KQFoZ&qS<*fS5DqLS zB1RxY#LFM>b0iVk`Ck;20wF@{e!$f~sshIL9~V0-5L8Zt8vX!vk@%kuC zAYAD5B&Lg@5O?%)IEp)9<|~82GWOk@N=5eecq%^en?XB>I&U=2T4P-Yr#4MPqlXV-f4C0~B6 zzlc8cWwN<^>k|TCNf~$4s!(TD*wIo^-g1QO=QE>D3RMa67MJCH!k@%WDnc>4P85=s zZbxuO*+XT17Eh5j(X`aY?6o}=Tp7ihGcuIgQepi zWGJ}F>kMNo7`2S=VjgN_n5Ku5=`eY+N|t;CNhXi;G@zF6ERO4R%o&y?v!T=%5~iuv z!@ah|Gp35)k!gP5tOXw`M-{f{JD!Y08+BCiOG zr6_LaE0s#Zf?wO^9=sQ?@Lo?u;VlC1Cxcg0)-*+K0HmdHo5<95Pj+KzavXq$l z2T)g#UR8JSg1|A2`GLl#U&{FW(J`d5z1zQ_(NH?0+oR3LCg}1%iib_(ZTA*Y$4Wut z`R+t2+AZvGsUUg(xlJQALu{HO#!YMEftr9!9VTt!o5-oQ_sL@k<$o76Cc6}k&i-!6J7zGycE@?3Pr#KWdJA&$qEvHjz> zJs#8x)zSG)#l+et9<~qEZ7xf}LNnejm|QClQ#5No_8!uGE*&9JqG1mtz0y@!$MdAU zl;nuC@-d9IGbv&4?OML6y){pI)8ZwZfw1VFb(Iz5o{Mm$4e@A9JbD(*xqox6rk6-N zrcL_Oi!hsfr&0aEo|y%mtJ!npR}euxBR8%l^sc|li^&GglMg6ae^l|_WWs6OUoVUn ztRKc$BGt+S7CUFnvluUtr^d?to@98fNot$*{evQ!%g~#!)WLAKmvgKclfwQrspt8x z*-Gq8i4O^;_By^BH}W;^x0Y7<&;`Uj#$zh@^W>0cMtX6j6;Q$fDvZt4W=N*=Yy|d2 zzyZKiJ3K{haA6=ywGRVha%TJg6|PIIIbbz&17Za1E4T0ld`xjV|8@9=$lk)0CzmI2 z?tiwgCR${?j=lVbqDFiBrT7FsZ>qSEMz_#dTSN8W=_gi4SWQRmP_)!I2&N55y!Bh6 zniW$1XIvt9)y|6w1H1ttfM9?JKpEf*2n2)yynf7q0CzwDQsQqZpBgWO+t&Anm$(}G zf;w75T^)^9M`|O95a3S{99B*QZzGA|br2BnqpkeS0RLBL=USY91vppWbpLBalszGa zMNB0w^ZyBL%lJ2>uFehi#dLue`oa4rcZlF%%{W74=8l`{GR?tK}?NjJuC8hgsm%xkNG|(r+Ji zc=zJ8;%NN>h()dtDCuL@+H*)vPM-DGmBoT z{Y2+7Tk0%bkLfT-7(64Uf_K2u#(1a^8s9}vfpWp3Q5m_7(;EU?K0>(iYURCE!{n+M zSoXB)eYH!Utn0Jg>#tKbaji)IOCs)&B?h5{Mo}huX>cSV@Az9n^^NZAh8UcQ~U!PH>x{eT$Y%an$S97#66sK6hU2sGe`1QE#w{ 
z>9I}OHpq1E-cKre7uF>sW5syK8}_K-yv57|EFmd8N%g)S54RW%{bX=1hm9ChJ_@Nlqbm?Qcgyk=#qy zG)4XPoc@8Iea}%$HWw>8UJGYoS#-@6_pwWa3W>%B7f`@g@z}|eb4KTfGqLen-1<(Z zLBGqi89eCz{p``eqA&?`vbjakDIWw<$P$sH>e1(d;SO=Wl3}^1REm?K&-I13o^Qr% z2T;0JCWF6}$*73Zv^7dv#qM&3dJvk2?7qv(9|-26Kgq-AzqII}Ii@Bg06lxWWs8O& z=#^wfvG2klGY8nG6?%@Ob$a+&I*LW|ZYL-nF%E)$k5tmFfd?HTrpl06 zw~i5yiwt#gKo*66I&&n*Q7@!mDdy%HNR8}(kU9BC3=-Q(t=tEvv&gLm;pKCly}qwx zVJU`AUyk34;fIr{{^E2{kGb>BH3M1Id*C3j&57bwLEn+iZ@Q?dD^dw-1tFlXZCM@^(hI-;F2H_{Q~HN=x=H0pPE zm8Brz9!q+*azmtx${D}DYKpLDF?_fBv&}tMqczo?GR2XLHn<6PYhDS2$5AYK{bTL> zcy~{q2$}(xp{G$cGI~-jZDO%a7-^7G5*g3$L3-T!s+{{*O{qUitt literal 0 HcmV?d00001 diff --git a/src/proxy/src/intTest/resources/container-files/var/cache/xroad/.gitkeep b/src/proxy/src/intTest/resources/container-files/var/cache/xroad/.gitkeep new file mode 100644 index 0000000000..e69de29bb2 From 863a78d73ccec582edfedfce63bac6a8478310ac Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Wed, 13 Sep 2023 11:52:47 +0300 Subject: [PATCH 064/127] chore: minor updates Refs: XRDDEV-2468 --- .../proxy/test/container/ContainerSetup.java | 2 +- .../xroad/proxy/test/glue/ProxyStepDefs.java | 9 +++++-- .../proxy/test/hook/SignerProxyInitHook.java | 27 +++++++++++++++++++ .../resources/application-override.yml | 2 +- 4 files changed, 36 insertions(+), 4 deletions(-) diff --git a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/container/ContainerSetup.java b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/container/ContainerSetup.java index 6eaa71fc65..49afcfe370 100644 --- a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/container/ContainerSetup.java +++ b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/container/ContainerSetup.java 
@@ -67,7 +67,7 @@ public ImageFromDockerfile imageDefinition() { File filesToAdd = Paths.get("src/intTest/resources/container-files/").toFile(); - return new ReusableImageFromDockerfile("signer-int-test", + return new ReusableImageFromDockerfile("proxy-int-test", !testableContainerProperties.getReuseBetweenRuns(), testableContainerProperties.getReuseBetweenRuns()) .withFileFromFile(".", filesToAdd) diff --git a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/glue/ProxyStepDefs.java b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/glue/ProxyStepDefs.java index ef2f5f2a0a..c1bc15ec41 100644 --- a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/glue/ProxyStepDefs.java +++ b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/glue/ProxyStepDefs.java @@ -52,7 +52,11 @@ import java.io.File; import java.io.InputStream; import java.nio.charset.StandardCharsets; -import java.util.*; +import java.util.ArrayList; +import java.util.Collections; +import java.util.Date; +import java.util.List; +import java.util.Optional; import java.util.concurrent.Callable; import java.util.concurrent.ExecutorService; import java.util.concurrent.Executors; @@ -193,7 +197,8 @@ private void exec(String client, int count, int threads) throws InterruptedExcep } } - private List> invokeCallables(List> callables, int threads) throws InterruptedException { + private List> invokeCallables(List> callables, int threads) + throws InterruptedException { ExecutorService executorService = Executors.newFixedThreadPool(threads); try { diff --git a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/hook/SignerProxyInitHook.java b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/hook/SignerProxyInitHook.java index 9c9a2aefad..81e7c5694b 100644 --- a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/hook/SignerProxyInitHook.java +++ b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/hook/SignerProxyInitHook.java 
@@ -1,3 +1,30 @@ +/* + * The MIT License + * + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + package org.niis.xroad.proxy.test.hook; import ee.ria.xroad.common.SystemProperties; diff --git a/src/proxy/src/intTest/resources/application-override.yml b/src/proxy/src/intTest/resources/application-override.yml index 1b89b7aca0..ec6e599b37 100755 --- a/src/proxy/src/intTest/resources/application-override.yml +++ b/src/proxy/src/intTest/resources/application-override.yml 
@@ -8,6 +8,7 @@ logging: org.springframework: INFO org.niis: TRACE com.nortal.test: INFO # TRACE is helpful for development + ee.ria.xroad.common.signature.BatchSigner: TRACE test-automation: report-name: xroad-proxy-test-suite @@ -24,7 +25,6 @@ test-automation: reuse-between-runs: ${reuse-between-runs} directory-mounts: - "/tmp/xroad/passwordstore/:build/container-passwordstore/" - - "/etc/xroad/signer/:build/resources/intTest/container-files/etc/xroad/signer/" context-containers: ca-server: enabled: true From afab966040f6ebff3839d0268f2d87ef79f1dcd5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Wed, 13 Sep 2023 11:58:35 +0300 Subject: [PATCH 065/127] chore: various akka removal improvements Refs: XRDDEV-2468 --- src/addons/hwtoken/build.gradle | 12 +- src/proxy/build.gradle | 33 ++- .../xroad/proxy/test/glue/ProxyStepDefs.java | 9 +- .../proxy/test/hook/SignerProxyInitHook.java | 27 ++ .../signature/BatchSignerIntegrationTest.java | 252 ------------------ .../src/intTest/resources/application.conf | 13 - .../etc/xroad/signer/signer-logback.xml | 1 - .../transport-keystore/akka-keystore.p12 | Bin 1008 -> 0 bytes .../src/main/resources/application.conf | 32 --- 9 files changed, 69 insertions(+), 310 deletions(-) delete mode 100644 src/proxy/src/test/java/ee/ria/xroad/common/signature/BatchSignerIntegrationTest.java delete mode 100644 src/signer-protocol/src/intTest/resources/application.conf delete mode 100644 src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/akka-keystore.p12 delete mode 100644 src/signer/src/main/resources/application.conf diff --git a/src/addons/hwtoken/build.gradle b/src/addons/hwtoken/build.gradle index 3c290739ee..05f55be64d 100644 --- a/src/addons/hwtoken/build.gradle +++ b/src/addons/hwtoken/build.gradle 
@@ -1,8 +1,10 @@
 dependencies {
- implementation(project(':signer'))
- implementation(project(':signer-protocol'))
- implementation(project(':common:common-util'))
+ implementation(project(':signer')) {
+ exclude group: 'org.springframework', module: 'spring-context'
+ }
+ implementation(project(':signer-protocol'))
+ implementation(project(':common:common-util'))
- // Necessary since there are jars with no adequate Maven dependencies
- implementation fileTree(dir: '../../libs', include: '*.jar')
+ // Necessary since there are jars with no adequate Maven dependencies
+ implementation fileTree(dir: '../../libs', include: '*.jar')
 }
diff --git a/src/proxy/build.gradle b/src/proxy/build.gradle
index f427c6384a..9bd14a01c3 100644
--- a/src/proxy/build.gradle
+++ b/src/proxy/build.gradle
@@ -1,3 +1,5 @@
+import nl.javadude.gradle.plugins.license.License
+
 plugins {
 id 'com.github.johnrengelman.shadow'
 }
@@ -24,9 +26,9 @@ dependencies {
 testImplementation 'wsdl4j:wsdl4j:1.6.3'
 testImplementation "org.mockito:mockito-inline:$mockitoVersion"
- intTestRuntimeOnly project(':signer')
- intTestImplementation project(":common:common-test")
- intTestImplementation project(":common:common-int-test")
+ intTestRuntimeOnly project(':signer')
+ intTestImplementation project(":common:common-test")
+ intTestImplementation project(":common:common-int-test")
 }
 jar {
@@ -46,11 +48,11 @@ shadowJar {
 testJar.enabled = true
 assemble.finalizedBy shadowJar
-task licenseFormatJava(type: nl.javadude.gradle.plugins.license.License) {
+task licenseFormatJava(type: License) {
 source = fileTree('src/main/java')
 }
-task licenseTestJava(type: nl.javadude.gradle.plugins.license.License) {
+task licenseTestJava(type: License) {
 source = fileTree('src/main/java')
 check = true
 }
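Review bot: The new `exclude group: 'org.springframework', module: 'spring-context'` on the `:signer` dependency in `src/addons/hwtoken/build.gradle` carries no explanation, and nothing in the hunk shows why the addon must not see that artifact. A one-line comment directly above the `exclude`, stating the reason and what supplies the classes at runtime, would let a later maintainer judge whether the exclusion is still needed when `:signer` changes its Spring dependencies. The rest of the hunk only re-indents existing lines, which hides the one functional change; splitting formatting from the exclusion would make it easier to audit.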
@@ -135,3 +137,24 @@ task runBatchSigner(type: JavaExec) {
 }
 check.dependsOn integrationTest
+
+tasks.register('intTest', Test) {
+ useJUnitPlatform()
+
+ setDescription("Runs integration tests.")
+ group = 'verification'
+
+ testClassesDirs = sourceSets.intTest.output.classesDirs
+ classpath = sourceSets.intTest.runtimeClasspath
+
+ testLogging {
+ showStackTraces(true)
+ showExceptions(true)
+ showCauses(true)
+ showStandardStreams(true)
+ }
+}
+
+tasks.named('check') {
+ dependsOn tasks.named('intTest')
+}
diff --git a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/glue/ProxyStepDefs.java b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/glue/ProxyStepDefs.java
index ef2f5f2a0a..c1bc15ec41 100644
--- a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/glue/ProxyStepDefs.java
+++ b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/glue/ProxyStepDefs.java
@@ -52,7 +52,11 @@
 import java.io.File;
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Date;
+import java.util.List;
+import java.util.Optional;
 import java.util.concurrent.Callable;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
@@ -193,7 +197,8 @@ private void exec(String client, int count, int threads) throws InterruptedExcep
 }
 }
- private List> invokeCallables(List> callables, int threads) throws InterruptedException {
+ private List> invokeCallables(List> callables, int threads)
+ throws InterruptedException {
 ExecutorService executorService = Executors.newFixedThreadPool(threads);
 try {
diff --git a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/hook/SignerProxyInitHook.java b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/hook/SignerProxyInitHook.java
index 9c9a2aefad..81e7c5694b 100644
--- a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/hook/SignerProxyInitHook.java
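Review bot: The added `tasks.named('check') { dependsOn tasks.named('intTest') }` at the end of `src/proxy/build.gradle` makes every `check` run start the container-based suite, directly below the existing `check.dependsOn integrationTest`. Judging by `ContainerSetup` building an image from a Dockerfile elsewhere in this series, `intTest` needs a container runtime on the build host, so a plain `check` would fail on machines without one. Consider leaving `intTest` as a standalone task in the `verification` group, or gating the dependency behind a project property, for example `if (project.hasProperty('runIntTests')) dependsOn tasks.named('intTest')` (the property name is only an illustration). The new task also has no comment saying what it requires to run; one line above `tasks.register('intTest', Test)` would cover that.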
+++ b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/hook/SignerProxyInitHook.java @@ -1,3 +1,30 @@ +/* + * The MIT License + * + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + package org.niis.xroad.proxy.test.hook; import ee.ria.xroad.common.SystemProperties; diff --git a/src/proxy/src/test/java/ee/ria/xroad/common/signature/BatchSignerIntegrationTest.java b/src/proxy/src/test/java/ee/ria/xroad/common/signature/BatchSignerIntegrationTest.java deleted file mode 100644 index 438d6c51a6..0000000000 
--- a/src/proxy/src/test/java/ee/ria/xroad/common/signature/BatchSignerIntegrationTest.java +++ /dev/null 
@@ -1,252 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.common.signature; - -import ee.ria.xroad.common.OcspTestUtils; -import ee.ria.xroad.common.TestCertUtil; -import ee.ria.xroad.common.TestSecurityUtil; -import ee.ria.xroad.common.hashchain.HashChainReferenceResolver; -import ee.ria.xroad.common.identifier.ClientId; -import ee.ria.xroad.common.util.CryptoUtils; -import ee.ria.xroad.common.util.MessageFileNames; -import ee.ria.xroad.proxy.signedmessage.SignerSigningKey; - -import akka.actor.ActorSystem; -import com.typesafe.config.ConfigFactory; - -import ee.ria.xroad.signer.protocol.RpcSignerClient; - -import lombok.extern.slf4j.Slf4j; -import org.apache.commons.io.FileUtils; -import org.apache.commons.io.IOUtils; -import org.bouncycastle.cert.ocsp.CertificateStatus; -import org.bouncycastle.cert.ocsp.OCSPResp; -import org.bouncycastle.operator.DigestCalculator; -import scala.concurrent.Await; -import scala.concurrent.duration.Duration; - -import java.io.ByteArrayInputStream; -import java.io.File; -import java.io.FileOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.nio.charset.StandardCharsets; -import java.security.PrivateKey; -import java.security.cert.X509Certificate; -import java.time.Instant; -import java.time.temporal.ChronoUnit; -import java.util.ArrayList; -import java.util.Calendar; -import java.util.Collections; -import java.util.Date; -import java.util.List; -import java.util.concurrent.CountDownLatch; - -import static ee.ria.xroad.common.util.CryptoUtils.DEFAULT_DIGEST_ALGORITHM_ID; -import static ee.ria.xroad.common.util.CryptoUtils.SHA512_ID; -import static ee.ria.xroad.common.util.CryptoUtils.calculateDigest; -import static ee.ria.xroad.common.util.CryptoUtils.createDigestCalculator; - -/** - * Batch signer test program. 
- */ -@Slf4j -public final class BatchSignerIntegrationTest { - - private static final int SIGNER_INIT_DELAY = 2500; - - private static final String ALGORITHM = DEFAULT_DIGEST_ALGORITHM_ID; - - private static final String KEY_ID = "consumer"; - - private static final ClientId CORRECT_MEMBER = ClientId.Conf.create("EE", "FOO", "consumer"); - - private static final Date CORRECT_VALIDATION_DATE = createDate(30, 9, 2014); - - private static CountDownLatch latch; - private static Integer sigIdx = 0; - - static { - TestSecurityUtil.initSecurity(); - } - - private BatchSignerIntegrationTest() { - } - - /** - * Main program entry point. - * @param args command-line arguments - * @throws Exception in case of any errors - */ - public static void main(String[] args) throws Exception { - if (args.length == 0) { - printUsage(); - - return; - } - - ActorSystem actorSystem = ActorSystem.create("Proxy", ConfigFactory.load().getConfig("proxy")); - RpcSignerClient.init(); - - Thread.sleep(SIGNER_INIT_DELAY); // wait for signer client to connect - - BatchSigner.init(actorSystem); - - X509Certificate subjectCert = TestCertUtil.getConsumer().certChain[0]; - X509Certificate issuerCert = TestCertUtil.getCaCert(); - X509Certificate signerCert = TestCertUtil.getOcspSigner().certChain[0]; - PrivateKey signerKey = TestCertUtil.getOcspSigner().key; - - List messages = new ArrayList<>(); - - for (String arg : args) { - messages.add(FileUtils.readFileToString(new File(arg))); - } - - latch = new CountDownLatch(messages.size()); - Date thisUpdate = Date.from(Instant.now().plus(1, ChronoUnit.DAYS)); - final OCSPResp ocsp = OcspTestUtils.createOCSPResponse(subjectCert, issuerCert, signerCert, signerKey, - CertificateStatus.GOOD, thisUpdate, null); - - for (final String message : messages) { - new Thread(() -> { - try { - byte[] hash = hash(message); - log.info("File: {}, hash: {}", message, hash); - - MessagePart hashPart = new MessagePart(MessageFileNames.MESSAGE, SHA512_ID, - 
calculateDigest(SHA512_ID, message.getBytes()), message.getBytes()); - - List hashes = Collections.singletonList(hashPart); - - SignatureBuilder builder = new SignatureBuilder(); - builder.addPart(hashPart); - - builder.setSigningCert(subjectCert); - builder.addOcspResponses(Collections.singletonList(ocsp)); - - log.info("### Calculating signature..."); - - SignatureData signatureData = builder.build(new SignerSigningKey(KEY_ID, - CryptoUtils.CKM_RSA_PKCS_NAME), CryptoUtils.SHA512_ID); - - synchronized (sigIdx) { - log.info("### Created signature: {}", signatureData.getSignatureXml()); - - log.info("HashChainResult: {}", signatureData.getHashChainResult()); - log.info("HashChain: {}", signatureData.getHashChain()); - - toFile("message-" + sigIdx + ".xml", message); - - String sigFileName = signatureData.getHashChainResult() != null ? "batch-sig-" : "sig-"; - - toFile(sigFileName + sigIdx + ".xml", signatureData.getSignatureXml()); - - if (signatureData.getHashChainResult() != null) { - toFile("hash-chain-" + sigIdx + ".xml", signatureData.getHashChain()); - toFile("hash-chain-result.xml", signatureData.getHashChainResult()); - } - - sigIdx++; - } - - try { - verify(signatureData, hashes, message); - - log.info("Verification successful (message hash: {})", hash); - } catch (Exception e) { - log.error("Verification failed (message hash: {})", hash, e); - } - } catch (Exception e) { - log.error("Error", e); - } finally { - latch.countDown(); - } - }).start(); - } - - latch.await(); - Await.ready(actorSystem.terminate(), Duration.Inf()); - } - - private static void verify(final SignatureData signatureData, final List hashes, final String message) - throws Exception { - SignatureVerifier verifier = new SignatureVerifier(signatureData); - verifier.addParts(hashes); - - HashChainReferenceResolver resolver = new HashChainReferenceResolver() { - @Override - public InputStream resolve(String uri) throws IOException { - switch (uri) { - case MessageFileNames.SIG_HASH_CHAIN: - 
return new ByteArrayInputStream(signatureData.getHashChain().getBytes(StandardCharsets.UTF_8)); - case MessageFileNames.MESSAGE: - return new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); - default: - return null; - } - } - - @Override - public boolean shouldResolve(String uri, byte[] digestValue) { - return true; - } - }; - - if (signatureData.getHashChainResult() != null) { - verifier.setHashChainResourceResolver(resolver); - } - - verifier.verify(CORRECT_MEMBER, CORRECT_VALIDATION_DATE); - } - - private static void printUsage() { - log.info("BatchSigner ...\n" - + "NOTE: It assumes that Signer has configured a batch signing token with keyId 'testorg', " - + "where the key and cert are the ones found in 'common-test/src/test/certs/testorg.p12'"); - } - - private static byte[] hash(String data) throws Exception { - DigestCalculator calc = createDigestCalculator(ALGORITHM); - IOUtils.write(data, calc.getOutputStream()); - - return calc.getDigest(); - } - - private static void toFile(String fileName, String data) throws Exception { - IOUtils.write(data, new FileOutputStream(fileName)); - - log.info("Created file " + fileName); - } - - private static Date createDate(int day, int month, int year) { - Calendar cal = Calendar.getInstance(); - cal.clear(); // Let's clear the current time. - cal.set(year, month, day); - - return cal.getTime(); - } -} diff --git a/src/signer-protocol/src/intTest/resources/application.conf b/src/signer-protocol/src/intTest/resources/application.conf deleted file mode 100644 index 60f07f579d..0000000000 --- a/src/signer-protocol/src/intTest/resources/application.conf +++ /dev/null @@ -1,13 +0,0 @@ -signer-integration-test { - include "akka-global.conf" - akka { - actor { - provider = remote - } - - coordinated-shutdown { - exit-jvm = on - phases.actor-system-terminate.timeout = 3s - } - } -} 
diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml index c3a111de00..93cbe9b520 100644 --- a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml +++ b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml @@ -10,7 +10,6 @@ - diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/akka-keystore.p12 b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/akka-keystore.p12 deleted file mode 100644 index 0006306951ca2ea36cd2fc0ddd00c31cbf50d17c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1008 zcmXqLVt&KK$ZXKWJdKT0tIebBJ1-+UCbhy6a`gqZsW*2-1S zn8L)QF2Ka7V8Fx10Wpt>la;|hmW?x^&4V$OnT1h{Mc|C+wsj5{}yC zK*d+5;wO`sDtML5e@)sLy?@io*cwqr)_ENZ_|AS@Yglr+L+*vEvCx~jx2v3OL;{#g z7A0hOt0-u%waTbF{r}x2+d|FWpVoe5W#Pe3jyARF7}^+!!yU^hV#p=O!H~$14TOmX ziU&E>lh3qpaL)3&C{oWO($K_s;D63X!*8t( z9j{kqcxnDtEt`1!U+3*TSH7qJGOrEV`S+QI{v7G=$6nQku-&?Dsyf;G`~FnfE-ew4Ly#o1T0qP(6jd-GL*zq@XZ@7tau6WLhb8uA$U z8W}xMSDLmCry)2mmEgm~{XE diff --git a/src/signer/src/main/resources/application.conf b/src/signer/src/main/resources/application.conf deleted file mode 100644 index aebe3af0d6..0000000000 --- a/src/signer/src/main/resources/application.conf +++ /dev/null 
@@ -1,32 +0,0 @@ -signer-main { - include "akka-global.conf" - akka { - actor { - provider = remote - } - - remote { - artery { - canonical { - hostname = "127.0.0.1" - port = 2552 // will be overridden by application - } - untrusted-mode = on - trusted-selection-paths=["/user/RequestProcessor"] - } - } - - log-dead-letters = 1 - log-dead-letters-during-shutdown = off - } - - token-worker-dispatcher { - type = PinnedDispatcher - executor = "thread-pool-executor" - } - - module-worker-dispatcher { - type = PinnedDispatcher - executor = "thread-pool-executor" - } -} From 826efa6cec91ed642b99be5b8b392fd816dcdead Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Wed, 13 Sep 2023 14:40:18 +0300 Subject: [PATCH 066/127] chore: improve signer startup/shutdown Refs: XRDDEV-2468 --- .../org/niis/xroad/signer/grpc/RpcServer.java | 38 ++--- .../CertificationServiceDiagnostics.java | 13 +- .../xroad/signer/SignerAdminPortConfig.java | 135 ++++++++++++++++++ .../ee/ria/xroad/signer/SignerConfig.java | 11 +- .../java/ee/ria/xroad/signer/SignerMain.java | 116 +-------------- .../ee/ria/xroad/signer/SignerRpcConfig.java | 53 +++++++ 6 files changed, 225 insertions(+), 141 deletions(-) create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/SignerAdminPortConfig.java create mode 100644 src/signer/src/main/java/ee/ria/xroad/signer/SignerRpcConfig.java diff --git a/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java b/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java index 5c7e6f843d..1944bb3ec4 100644 --- a/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java +++ b/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java 
@@ -45,49 +45,37 @@ */ @Slf4j public class RpcServer { - private Server server; + private final Server server; private final int port; - private final ServerCredentials creds; - public RpcServer(int port, ServerCredentials creds) { + public RpcServer(int port, ServerCredentials creds, Consumer> configFunc) { this.port = port; - this.creds = creds; - } - - private void start(Consumer> configFunc) throws IOException { - //TODO:grpc sample for setting 127.0.0.1 -// NettyServerBuilder.forAddress(new InetSocketAddress("localhost", config.port())) -// .addService(new GRPCServiceImpl(serviceParams)) -// .build() ServerBuilder builder = Grpc.newServerBuilderForPort(port, creds); configFunc.accept(builder); - server = builder.build() - .start(); - log.info("Server started, listening on " + port); + server = builder.build(); + } - Runtime.getRuntime().addShutdownHook(new Thread(() -> { - // Use stderr here since the logger may have been reset by its JVM shutdown hook. - log.info("*** shutting down gRPC server since JVM is shutting down"); - RpcServer.this.stop(); - log.info("*** server shut down"); - })); + public void start() throws IOException { + server.start(); + log.info("Server started, listening on {}", port); } - private void stop() { + public void shutdown() { if (server != null) { + log.info("Shutting down gRPC server.."); server.shutdown(); + log.info("Shutting down gRPC server.. 
Success!"); } } - public static void init(int port, Consumer> configFunc) throws IOException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException { + public static RpcServer newServer(int port, Consumer> configFunc) throws IOException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException { var serverCredentials = createServerCredentials(); log.info("Initializing grpc with {} credentials..", serverCredentials.getClass().getSimpleName()); - final RpcServer server = new RpcServer(port, serverCredentials); - server.start(configFunc); - log.info("Grpc is running.."); + + return new RpcServer(port, serverCredentials, configFunc); } diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/CertificationServiceDiagnostics.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/CertificationServiceDiagnostics.java index df74350637..eac76a3153 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/CertificationServiceDiagnostics.java +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/CertificationServiceDiagnostics.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -37,9 +37,18 @@ public class CertificationServiceDiagnostics implements Serializable { @Getter - private final Map certificationServiceStatusMap; + private Map certificationServiceStatusMap; public CertificationServiceDiagnostics() { certificationServiceStatusMap = new HashMap<>(); } + + /** + * Updates existing map with a provided one + * + * @param certificationServiceStatusMap new map + */ + public void update(Map certificationServiceStatusMap) { + this.certificationServiceStatusMap = certificationServiceStatusMap; + } } 
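Review bot: `shutdown()` logs "Success!" right after `server.shutdown()`, but that call only starts an orderly shutdown and returns without waiting, so requests still in flight can be cut off when the Spring context closes and the JVM exits. Waiting with a bounded `awaitTermination` and falling back to `shutdownNow()` would make the log line accurate and let pending signer calls finish. The grace period is for the project to choose, and `TimeUnit` would need importing. The `server != null` guard is dead code now that the field is `final` and assigned in the constructor.

```java
public void shutdown() {
    log.info("Shutting down gRPC server..");
    server.shutdown();
    try {
        // SHUTDOWN_TIMEOUT_SECONDS: grace period to be chosen by the project
        if (!server.awaitTermination(SHUTDOWN_TIMEOUT_SECONDS, TimeUnit.SECONDS)) {
            server.shutdownNow();
        }
    } catch (InterruptedException e) {
        Thread.currentThread().interrupt();
        server.shutdownNow();
    }
    log.info("Shutting down gRPC server.. Success!");
}
```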
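Review bot: `update()` stores the caller's map by reference in a field that is no longer `final`, so the shared diagnostics object and the producer of the map alias the same mutable instance, and a reader on another thread has no visibility guarantee for the new reference. Copying on the way in, `this.certificationServiceStatusMap = new HashMap<>(certificationServiceStatusMap);`, and declaring the field `volatile` would keep the object safe to serialise while an update happens. Whether the admin port serves requests on more than one thread is not visible in this hunk, so the visibility part is a precaution. The Javadoc could also state that the previous contents are replaced, not merged.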
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerAdminPortConfig.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerAdminPortConfig.java new file mode 100644 index 0000000000..0c028e4df7 --- /dev/null +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerAdminPortConfig.java 
@@ -0,0 +1,135 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ +package ee.ria.xroad.signer; + +import ee.ria.xroad.common.CertificationServiceDiagnostics; +import ee.ria.xroad.common.SystemProperties; +import ee.ria.xroad.common.util.AdminPort; +import ee.ria.xroad.common.util.JsonUtils; +import ee.ria.xroad.signer.certmanager.OcspClientWorker; +import ee.ria.xroad.signer.job.OcspClientExecuteScheduler; + +import lombok.extern.slf4j.Slf4j; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; + +import javax.annotation.PostConstruct; +import javax.annotation.PreDestroy; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import java.io.IOException; +import java.util.Optional; + +@Slf4j +@Configuration +public class SignerAdminPortConfig { + + @Bean + CertificationServiceDiagnostics certificationServiceDiagnostics() { + return new CertificationServiceDiagnostics(); + } + @Bean + AdminPort createAdminPort(final CertificationServiceDiagnostics diagnosticsDefault, + final OcspClientWorker ocspClientWorker, + final Optional ocspClientExecuteScheduler) { + AdminPort port = new SpringManagerAdminPort(SystemProperties.getSignerAdminPort()); + + port.addHandler("/execute", new AdminPort.SynchronousCallback() { + @Override + public void handle(HttpServletRequest request, HttpServletResponse response) { + try { + if (ocspClientExecuteScheduler.isPresent()) { + ocspClientExecuteScheduler.get().execute(); + } else { + ocspClientWorker.execute(null); + } + } catch (Exception ex) { + log.error("error occurred in execute handler", ex); + } + } + }); + + port.addHandler("/status", new AdminPort.SynchronousCallback() { + @Override + public void handle(HttpServletRequest request, HttpServletResponse response) { + log.info("handler /status"); + CertificationServiceDiagnostics diagnostics = null; + try { + diagnostics = ocspClientWorker.getDiagnostics(); + if (diagnostics != null) { + 
diagnosticsDefault.update(diagnostics.getCertificationServiceStatusMap()); + } + } catch (Exception e) { + log.error("Error getting diagnostics status", e); + } + if (diagnostics == null) { + diagnostics = diagnosticsDefault; + } + try { + response.setCharacterEncoding("UTF8"); + JsonUtils.getObjectWriter() + .writeValue(response.getWriter(), diagnostics); + } catch (IOException e) { + log.error("Error writing response", e); + } + } + }); + + return port; + } + + public static class SpringManagerAdminPort extends AdminPort { + + /** + * Constructs an AdminPort instance that listens for commands on the given port number. + * + * @param portNumber the port number AdminPort will listen on + */ + public SpringManagerAdminPort(int portNumber) { + super(portNumber); + } + + @PostConstruct + public void init() throws Exception { + start(); + } + + @PreDestroy + public void destroy() { + log.info("Signer shutting down..."); + + try { + stop(); + join(); + + } catch (Exception e) { + log.error("Error stopping admin port", e); + } + } + } + +} diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java index 9b22fcfc10..3bdc9e3887 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerConfig.java 
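Review bot: The `/execute` handler catches every exception from the OCSP refresh and only logs it, so the caller always gets the default success status and cannot tell that certificate status information was not refreshed. Adding `response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);` in that catch block would let monitoring notice a failed run. Neither handler authenticates the caller or checks the request method, and `AdminPort`'s bind address is defined outside this file, so it is worth confirming that the port stays loopback-only. A short class Javadoc saying that the admin port lifecycle is now tied to the Spring context through `@PostConstruct`/`@PreDestroy` would help the next reader.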
@@ -39,20 +39,25 @@ import org.springframework.context.annotation.ConditionContext; import org.springframework.context.annotation.Conditional; import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Import; +import org.springframework.core.Ordered; +import org.springframework.core.annotation.Order; import org.springframework.core.type.AnnotatedTypeMetadata; import org.springframework.scheduling.TaskScheduler; import org.springframework.scheduling.annotation.EnableScheduling; import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler; @Slf4j +@EnableScheduling +@Import({SignerAdminPortConfig.class, SignerRpcConfig.class}) @ComponentScan({"ee.ria.xroad.signer.protocol", "ee.ria.xroad.signer.job"}) @Configuration -@EnableScheduling public class SignerConfig { private static final String MODULE_MANAGER_IMPL_CLASS = SystemProperties.PREFIX + "signer.moduleManagerImpl"; + static final int OCSP_SCHEDULER_BEAN_ORDER = Ordered.LOWEST_PRECEDENCE - 100; @Bean("moduleManager") - public AbstractModuleManager moduleManager() { + AbstractModuleManager moduleManager() { final String moduleManagerImplClassName = System.getProperty(MODULE_MANAGER_IMPL_CLASS, DefaultModuleManagerImpl.class.getName()); log.debug("Using module manager implementation: {}", moduleManagerImplClassName); @@ -64,7 +69,6 @@ public AbstractModuleManager moduleManager() { } } - @Bean OcspResponseManager ocspResponseManager() { OcspResponseManager ocspResponseManager = new OcspResponseManager(); @@ -82,6 +86,7 @@ TaskScheduler taskScheduler() { return new ThreadPoolTaskScheduler(); } + @Order(OCSP_SCHEDULER_BEAN_ORDER) @Bean(name = "ocspClientExecuteScheduler") @Conditional(IsOcspClientJobsActive.class) OcspClientExecuteScheduler ocspClientExecuteScheduler(OcspClientWorker ocspClientWorker, TaskScheduler taskScheduler) { 
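Review bot: `@Order(OCSP_SCHEDULER_BEAN_ORDER)` on the `ocspClientExecuteScheduler` bean method only affects the bean's position when it is injected into an ordered collection; it does not change when Spring creates or destroys the singleton. If the intent of this commit is for the scheduler to start after, or stop before, other signer beans, that needs `@DependsOn` or a `SmartLifecycle` phase instead. If the order is consumed somewhere outside this hunk, a comment on `OCSP_SCHEDULER_BEAN_ORDER` naming that place would make the constant's purpose clear. The method body continues outside the hunk.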
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java index 94c0f4b2d4..a1abdcf0e4 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerMain.java @@ -25,25 +25,16 @@ */ package ee.ria.xroad.signer; -import ee.ria.xroad.common.CertificationServiceDiagnostics; import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.SystemPropertiesLoader; import ee.ria.xroad.common.Version; -import ee.ria.xroad.common.util.AdminPort; -import ee.ria.xroad.common.util.JsonUtils; -import ee.ria.xroad.signer.certmanager.OcspClientWorker; -import ee.ria.xroad.signer.job.OcspClientExecuteScheduler; +import lombok.AccessLevel; +import lombok.NoArgsConstructor; import lombok.extern.slf4j.Slf4j; -import org.niis.xroad.signer.grpc.RpcServer; import org.springframework.context.annotation.AnnotationConfigApplicationContext; import org.springframework.context.support.GenericApplicationContext; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import java.io.IOException; - import static ee.ria.xroad.common.SystemProperties.CONF_FILE_CENTER; import static ee.ria.xroad.common.SystemProperties.CONF_FILE_CONFPROXY; import static ee.ria.xroad.common.SystemProperties.CONF_FILE_NODE; @@ -54,6 +45,7 @@ * Signer main program. */ @Slf4j +@NoArgsConstructor(access = AccessLevel.PRIVATE) public final class SignerMain { private static final String APP_NAME = "xroad-signer"; 
@@ -65,24 +57,16 @@ public final class SignerMain { .withAtLeastOneOf(CONF_FILE_CENTER, CONF_FILE_PROXY, CONF_FILE_CONFPROXY) .with(CONF_FILE_SIGNER) .load(); - diagnosticsDefault = new CertificationServiceDiagnostics(); } private static GenericApplicationContext springCtx; - private static AdminPort adminPort; - private static CertificationServiceDiagnostics diagnosticsDefault; - - private SignerMain() { - } - /** * Entry point to Signer. * * @param args the arguments - * @throws Exception if an error occurs */ - public static void main(String[] args) throws Exception { + public static void main(String[] args) { try { startup(); } catch (Exception fatal) { @@ -91,7 +75,7 @@ public static void main(String[] args) throws Exception { } } - private static void startup() throws Exception { + private static void startup() { long start = System.currentTimeMillis(); Version.outputVersionInfo(APP_NAME); int signerPort = SystemProperties.getSignerPort(); 
@@ -100,97 +84,7 @@ private static void startup() throws Exception { springCtx = new AnnotationConfigApplicationContext(SignerConfig.class); springCtx.registerShutdownHook(); - - - OcspClientExecuteScheduler ocspClientExecuteScheduler = null; - if (springCtx.containsBean("ocspClientExecuteScheduler")) { - ocspClientExecuteScheduler = springCtx.getBean(OcspClientExecuteScheduler.class); - } - - //TODO - adminPort = createAdminPort(SystemProperties.getSignerAdminPort(), - springCtx.getBean(OcspClientWorker.class), - ocspClientExecuteScheduler); - - - adminPort.start(); - - initGrpc(); log.info("Signer has been initialized in {} ms.", System.currentTimeMillis() - start); } - private static void initGrpc() throws Exception { - int port = SystemProperties.getGrpcSignerPort(); - log.info("Initializing GRPC server on port {}.. ", port); - - RpcServer.init(port, builder -> - springCtx.getBeansOfType(io.grpc.BindableService.class).forEach((s, bindableService) -> { - log.info("Registering {} gRPC service.", bindableService.getClass().getSimpleName()); - builder.addService(bindableService); - })); - } - - //TODO: shutdown was tied to akka. 
- private static void shutdown() { - log.info("Signer shutting down..."); - - try { - if (adminPort != null) { - adminPort.stop(); - adminPort.join(); - } - } catch (Exception e) { - log.error("Error stopping admin port", e); - } - - } - - private static AdminPort createAdminPort(int signerPort, OcspClientWorker ocspClientWorker, - OcspClientExecuteScheduler ocspClientExecuteScheduler) { - AdminPort port = new AdminPort(signerPort); - - port.addHandler("/execute", new AdminPort.SynchronousCallback() { - @Override - public void handle(HttpServletRequest request, HttpServletResponse response) { - try { - if (ocspClientExecuteScheduler != null) { - ocspClientExecuteScheduler.execute(); - } else { - ocspClientWorker.execute(null); - } - } catch (Exception ex) { - log.error("error occurred in execute handler", ex); - } - } - }); - - port.addHandler("/status", new AdminPort.SynchronousCallback() { - @Override - public void handle(HttpServletRequest request, HttpServletResponse response) { - log.info("handler /status"); - CertificationServiceDiagnostics diagnostics = null; - try { - diagnostics = ocspClientWorker.getDiagnostics(); - if (diagnostics != null) { - diagnosticsDefault = diagnostics; - } - } catch (Exception e) { - log.error("Error getting diagnostics status {}", e); - } - if (diagnostics == null) { - diagnostics = diagnosticsDefault; - } - try { - response.setCharacterEncoding("UTF8"); - JsonUtils.getObjectWriter() - .writeValue(response.getWriter(), diagnostics); - } catch (IOException e) { - log.error("Error writing response {}", e); - } - } - }); - - return port; - } - } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerRpcConfig.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerRpcConfig.java new file mode 100644 index 0000000000..b762bab960 --- /dev/null +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerRpcConfig.java 
@@ -0,0 +1,53 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ +package ee.ria.xroad.signer; + +import ee.ria.xroad.common.SystemProperties; + +import io.grpc.BindableService; +import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.signer.grpc.RpcServer; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; + +import java.util.List; + +@Slf4j +@Configuration +public class SignerRpcConfig { + + @Bean(initMethod = "start", destroyMethod = "shutdown") + RpcServer rpcServer(final List bindableServices) throws Exception { + int port = SystemProperties.getGrpcSignerPort(); + log.info("Initializing RPC server on port {}.. ", port); + + return RpcServer.newServer(port, builder -> + bindableServices.forEach(bindableService -> { + log.info("Registering {} gRPC service.", bindableService.getClass().getSimpleName()); + builder.addService(bindableService); + })); + } +} From 4172ae59d3c5f7c9cee0441d16cf6231a5cf45af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Wed, 13 Sep 2023 14:51:41 +0300 Subject: [PATCH 067/127] chore: checkstyle fixes Refs: XRDDEV-2468 --- .../handler/AbstractGenerateCertReq.java | 2 +- .../handler/GetAuthKeyReqHandler.java | 5 ++-- .../handler/ImportCertReqHandler.java | 8 ++++-- .../handler/RegenerateCertReqReqHandler.java | 3 +-- .../signer/tokenmanager/TokenManager.java | 13 ++-------- .../module/AbstractModuleWorker.java | 3 ++- .../token/SoftwareTokenWorker.java | 26 ++++++++++++++++--- .../signer/certmanager/OcspClientTest.java | 2 +- 8 files changed, 38 insertions(+), 24 deletions(-) diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertReq.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertReq.java index a50591025b..a1fbf715bb 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertReq.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/AbstractGenerateCertReq.java 
@@ -65,6 +65,7 @@ * @param response type */ @Slf4j +@SuppressWarnings("squid:S119") public abstract class AbstractGenerateCertReq extends AbstractRpcHandler { @@ -108,7 +109,6 @@ private static byte[] toPem(PKCS10CertificationRequest req) throws Exception { return out.toByteArray(); } - //TODO:grpc this should be refactored.. private static class TokenContentSigner implements ContentSigner { private final ByteArrayOutputStream out = new ByteArrayOutputStream(); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyReqHandler.java index 1346a85784..71f4556e73 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyReqHandler.java @@ -171,9 +171,8 @@ private boolean authCertValid(CertificateInfo certInfo, log.trace("Ignoring authentication certificate {} because it does " + "not belong to security server {} " - + "(server id from global conf: {})", new Object[]{ - CertUtils.identify(cert), - securityServer, serverIdFromConf}); + + "(server id from global conf: {})", CertUtils.identify(cert), + securityServer, serverIdFromConf); return false; } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java index 8e935bd76a..9958a60a92 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java 
@@ -34,7 +34,11 @@ import ee.ria.xroad.signer.certmanager.OcspResponseManager; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; import ee.ria.xroad.signer.protocol.ClientIdMapper; -import ee.ria.xroad.signer.protocol.dto.*; +import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; +import ee.ria.xroad.signer.protocol.dto.CertificateInfo; +import ee.ria.xroad.signer.protocol.dto.KeyInfo; +import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; +import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.util.SignerUtil; @@ -238,7 +242,7 @@ private void deleteCertRequest(String keyId, ClientId memberId) throws Exception private static KeyUsageInfo getKeyUsage(KeyInfo keyInfo, boolean sign) { KeyUsageInfo keyUsage = keyInfo.getUsage(); - if (keyUsage == null) {//TODO:grpc to we need to support nulls? + if (keyUsage == null) { return sign ? KeyUsageInfo.SIGNING : KeyUsageInfo.AUTHENTICATION; } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertReqReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertReqReqHandler.java index 36ce572782..d9881ec6d6 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertReqReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertReqReqHandler.java @@ -25,8 +25,6 @@ */ package ee.ria.xroad.signer.protocol.handler; -import com.google.protobuf.ByteString; - import ee.ria.xroad.common.CodedException; import ee.ria.xroad.signer.protocol.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; 
@@ -37,6 +35,7 @@ import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenType; import ee.ria.xroad.signer.util.TokenAndKey; +import com.google.protobuf.ByteString; import lombok.extern.slf4j.Slf4j; import org.bouncycastle.pkcs.PKCS10CertificationRequest; import org.niis.xroad.signer.proto.RegenerateCertRequestReq; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/TokenManager.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/TokenManager.java index 8e009fc4bd..4868f146c9 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/TokenManager.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/TokenManager.java @@ -729,20 +729,11 @@ public static synchronized void addCert(String keyId, byte[] certBytes) { key.addCert(cert); } - public static synchronized void addCert(String keyId, - CertificateInfo certInfo) { - //TODO check if needed - - } /** * Adds a certificate to a key. Throws exception, if key cannot be found. - * - * @param keyId the key id - * @param certInfo the certificate info */ - public static synchronized void addCert(String keyId, - ClientId.Conf memberId, boolean active,boolean savedToConfiguration, - String initialStatus,String id,byte[] certificate) { + public static synchronized void addCert(String keyId, ClientId.Conf memberId, boolean active, boolean savedToConfiguration, + String initialStatus, String id, byte[] certificate) { log.trace("addCert({})", keyId); Key key = findKey(keyId); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java index 05d5f551db..57b156431e 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java 
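Review bot: The Javadoc of the remaining `addCert` overload in `TokenManager` lost its `@param` tags instead of having them corrected, which leaves seven positional parameters undocumented. Two adjacent booleans (`active`, `savedToConfiguration`) and two adjacent strings (`initialStatus`, `id`) are easy to transpose at a call site. I would restore one `@param` line per argument, for example `@param savedToConfiguration whether the certificate is already saved to configuration`, with the wording confirmed against the callers. The method body continues outside the hunk.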
@@ -70,7 +70,8 @@ public void reload() { try { loadTokens(true); } catch (Exception e) { - log.error("Error during module {} reload. It will be repeated on next scheduled module refresh..", getClass().getSimpleName(), e); + log.error("Error during module {} reload. It will be repeated on next scheduled module refresh..", + getClass().getSimpleName(), e); throw translateException(e); } } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenWorker.java index 84fb901877..6ee92475c7 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenWorker.java @@ -47,12 +47,20 @@ import org.niis.xroad.signer.proto.ActivateTokenReq; import org.niis.xroad.signer.proto.GenerateKeyReq; -import java.io.*; +import java.io.File; +import java.io.FileNotFoundException; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.OutputStream; import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; import java.nio.file.StandardOpenOption; -import java.security.*; +import java.security.KeyPair; +import java.security.KeyStore; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.Signature; import java.security.cert.CertPath; import java.security.cert.Certificate; import java.security.cert.CertificateFactory; 
@@ -76,7 +84,19 @@ import static ee.ria.xroad.signer.tokenmanager.TokenManager.setTokenActive; import static ee.ria.xroad.signer.tokenmanager.TokenManager.setTokenAvailable; import static ee.ria.xroad.signer.tokenmanager.TokenManager.setTokenStatus; -import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.*; +import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.P12; +import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.PIN_ALIAS; +import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.PIN_FILE; +import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.createKeyStore; +import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.createTempKeyDir; +import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.generateKeyPair; +import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.getBackupKeyDir; +import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.getBackupKeyDirForDateNow; +import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.getKeyDir; +import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.getKeyStoreFileName; +import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.isTokenInitialized; +import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.listKeysOnDisk; +import static ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenUtil.loadCertificate; import static ee.ria.xroad.signer.util.ExceptionHelper.keyNotFound; import static ee.ria.xroad.signer.util.ExceptionHelper.loginFailed; import static ee.ria.xroad.signer.util.ExceptionHelper.pinIncorrect; diff --git a/src/signer/src/test/java/ee/ria/xroad/signer/certmanager/OcspClientTest.java b/src/signer/src/test/java/ee/ria/xroad/signer/certmanager/OcspClientTest.java index bf9d2418e8..50d0a4d966 100644 --- a/src/signer/src/test/java/ee/ria/xroad/signer/certmanager/OcspClientTest.java 
+++ b/src/signer/src/test/java/ee/ria/xroad/signer/certmanager/OcspClientTest.java @@ -332,7 +332,7 @@ private OCSPResp getOcspResponse(X509Certificate subject) throws Exception { } private static class TestOcspClient extends OcspClientWorker { - public TestOcspClient(OcspResponseManager ocspResponseManager) { + TestOcspClient(OcspResponseManager ocspResponseManager) { super(ocspResponseManager); } From 21908984f6092d8bc68b6bbd8e6b4af96078a18c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Wed, 13 Sep 2023 15:28:29 +0300 Subject: [PATCH 068/127] chore: add rpc server host configuration Refs: XRDDEV-2468 --- src/common/common-rpc/build.gradle | 2 +- .../org/niis/xroad/signer/grpc/RpcServer.java | 25 +++++++++---------- .../grpc/ServerCredentialsConfigurer.java | 6 +++-- src/gradle.properties | 2 +- .../signer/test/container/ContainerSetup.java | 2 +- .../ee/ria/xroad/signer/SignerRpcConfig.java | 11 ++++---- 6 files changed, 24 insertions(+), 24 deletions(-) diff --git a/src/common/common-rpc/build.gradle b/src/common/common-rpc/build.gradle index bdbe08934b..12e6ed492b 100644 --- a/src/common/common-rpc/build.gradle +++ b/src/common/common-rpc/build.gradle @@ -8,7 +8,7 @@ dependencies { api "io.grpc:grpc-protobuf:${grpcVersion}" api "io.grpc:grpc-stub:${grpcVersion}" + api "io.grpc:grpc-netty-shaded:${grpcVersion}" api "jakarta.annotation:jakarta.annotation-api:1.3.5" - runtimeOnly "io.grpc:grpc-netty-shaded:${grpcVersion}" } diff --git a/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java b/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java index 1944bb3ec4..25f2b2c9db 100644 --- a/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java +++ b/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java 
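Review bot: In `src/common/common-rpc/build.gradle`, moving `grpc-netty-shaded` from `runtimeOnly` to `api` puts the shaded Netty classes on the compile classpath of every module that depends on `common-rpc`. In the hunks of this commit `NettyServerBuilder` is used only inside the `RpcServer` constructor and no shaded type appears in a public signature, so `implementation "io.grpc:grpc-netty-shaded:${grpcVersion}"` looks sufficient and keeps the transport an internal detail. The dependencies block continues outside the hunk.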
@@ -26,13 +26,14 @@ */ package org.niis.xroad.signer.grpc; -import io.grpc.Grpc; import io.grpc.Server; import io.grpc.ServerBuilder; import io.grpc.ServerCredentials; +import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder; import lombok.extern.slf4j.Slf4j; import java.io.IOException; +import java.net.InetSocketAddress; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.UnrecoverableKeyException; @@ -47,12 +48,8 @@ public class RpcServer { private final Server server; - private final int port; - - public RpcServer(int port, ServerCredentials creds, Consumer> configFunc) { - this.port = port; - - ServerBuilder builder = Grpc.newServerBuilderForPort(port, creds); + public RpcServer(final String host, final int port, final ServerCredentials creds, final Consumer> configFunc) { + ServerBuilder builder = NettyServerBuilder.forAddress(new InetSocketAddress(host, port), creds); configFunc.accept(builder); server = builder.build(); 
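Review bot: The `RpcServer` constructor passes `host` straight into `new InetSocketAddress(host, port)`, which resolves a host name at construction time and quietly yields an unresolved address when the lookup fails, so a typo in the configured host only surfaces later as a bind error in `start()`. Holding the address in a local variable and checking it up front, `if (address.isUnresolved()) { throw new IllegalArgumentException("Cannot resolve RPC host " + host); }`, gives a clear startup failure. The value comes from `SystemProperties.getGrpcSignerHost()`, which this commit does not touch; the integration test now sets `-Dxroad.grpc.signer.host=0.0.0.0` explicitly, which suggests a narrower default, but it is worth confirming that the default is a loopback address. A constructor Javadoc naming `host` as the bind address would document that choice.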
@@ -60,22 +57,24 @@ public RpcServer(int port, ServerCredentials creds, Consumer> c public void start() throws IOException { server.start(); - log.info("Server started, listening on {}", port); + + log.info("RPC server has started, listening on {}", server.getListenSockets()); } public void shutdown() { if (server != null) { - log.info("Shutting down gRPC server.."); + log.info("Shutting down RPC server.."); server.shutdown(); - log.info("Shutting down gRPC server.. Success!"); + log.info("Shutting down RPC server.. Success!"); } } - public static RpcServer newServer(int port, Consumer> configFunc) throws IOException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException { + public static RpcServer newServer(String host, int port, Consumer> configFunc) + throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException { var serverCredentials = createServerCredentials(); - log.info("Initializing grpc with {} credentials..", serverCredentials.getClass().getSimpleName()); + log.info("Initializing RPC server with {} credentials..", serverCredentials.getClass().getSimpleName()); - return new RpcServer(port, serverCredentials, configFunc); + return new RpcServer(host, port, serverCredentials, configFunc); } diff --git a/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/ServerCredentialsConfigurer.java b/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/ServerCredentialsConfigurer.java index bb4e4cc16e..760127d602 100644 --- a/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/ServerCredentialsConfigurer.java +++ b/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/ServerCredentialsConfigurer.java 
@@ -56,7 +56,8 @@ @NoArgsConstructor(access = AccessLevel.PRIVATE) public class ServerCredentialsConfigurer { - public static ServerCredentials createServerCredentials() throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException { + public static ServerCredentials createServerCredentials() throws UnrecoverableKeyException, NoSuchAlgorithmException, + KeyStoreException { TlsServerCredentials.Builder tlsBuilder = TlsServerCredentials.newBuilder() .keyManager(getKeyManagers()) .trustManager(getTrustManagers()) @@ -65,7 +66,8 @@ public static ServerCredentials createServerCredentials() throws UnrecoverableKe return tlsBuilder.build(); } - public static ChannelCredentials createClientCredentials() throws NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException { + public static ChannelCredentials createClientCredentials() throws NoSuchAlgorithmException, KeyStoreException, + UnrecoverableKeyException { TlsChannelCredentials.Builder tlsBuilder = TlsChannelCredentials.newBuilder() .keyManager(getKeyManagers()) .trustManager(getTrustManagers()); diff --git a/src/gradle.properties b/src/gradle.properties index 8373e621cf..84f6589af3 100644 --- a/src/gradle.properties +++ b/src/gradle.properties @@ -62,4 +62,4 @@ assertj.version=${assertjVersion} swaggerAnnotationsVersion=2.2.8 protocVersion=3.24.0 protobufGradleVersion=0.9.4 -grpcVersion=1.57.1 +grpcVersion=1.58.0 diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java index c8672bc4c9..c0c90e402f 100644 --- a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java +++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java 
@@ -99,10 +99,10 @@ public void beforeStart(@NotNull GenericContainer genericContainer) { genericContainer .waitingFor(Wait.forLogMessage(".*Signer has been initialized in.*", 1)); genericContainer -// .withCreateContainerCmdModifier(cmd -> cmd.withPlatform("linux/amd64")) .withCommand("java", "-Dlogback.configurationFile=/etc/xroad/signer/signer-logback.xml", "-Dxroad.internal.passwordstore-provider=file", + "-Dxroad.grpc.signer.host=0.0.0.0", "-Dxroad.grpc.internal.keystore=/etc/xroad/transport-keystore/grpc-internal-keystore.jks", "-Dxroad.grpc.internal.keystore-password=111111", "-Dxroad.grpc.internal.truststore=/etc/xroad/transport-keystore/grpc-internal-keystore.jks", diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerRpcConfig.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerRpcConfig.java index b762bab960..5e3a1349b0 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/SignerRpcConfig.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerRpcConfig.java @@ -41,12 +41,11 @@ public class SignerRpcConfig { @Bean(initMethod = "start", destroyMethod = "shutdown") RpcServer rpcServer(final List bindableServices) throws Exception { - int port = SystemProperties.getGrpcSignerPort(); - log.info("Initializing RPC server on port {}.. ", port); - - return RpcServer.newServer(port, builder -> - bindableServices.forEach(bindableService -> { - log.info("Registering {} gRPC service.", bindableService.getClass().getSimpleName()); + return RpcServer.newServer( + SystemProperties.getGrpcSignerHost(), + SystemProperties.getGrpcSignerPort(), + builder -> bindableServices.forEach(bindableService -> { + log.info("Registering {} RPC service.", bindableService.getClass().getSimpleName()); builder.addService(bindableService); })); } From 877e7bab76745ce2f58d9bbcfa119ff1b0fd6536 Mon Sep 17 00:00:00 2001 
From: Justas Samuolis Date: Wed, 13 Sep 2023 15:40:49 +0300 Subject: [PATCH 069/127] chore: signer grpc client timeout Refs: XRDDEV-2468 --- .../src/main/resources/application.conf | 13 ------- .../signer/test/glue/BaseSignerStepDefs.java | 27 +++++++++++++ .../test/glue/SignerParallelStepDefs.java | 27 +++++++++++++ .../signer/test/glue/SignerStepDefs.java | 23 +++++++++++ .../signer/test/hook/SignerProxyInitHook.java | 27 +++++++++++++ .../behavior/0050-signer-general.feature | 6 +++ .../java/ee/ria/xroad/signer/SignerProxy.java | 2 +- .../xroad/signer/protocol/ClientIdMapper.java | 2 +- .../signer/protocol/RpcSignerClient.java | 38 +++++++++++-------- 9 files changed, 135 insertions(+), 30 deletions(-) delete mode 100644 src/signer-console/src/main/resources/application.conf create mode 100644 src/signer-protocol/src/intTest/resources/behavior/0050-signer-general.feature diff --git a/src/signer-console/src/main/resources/application.conf b/src/signer-console/src/main/resources/application.conf deleted file mode 100644 index be86a088a5..0000000000 --- a/src/signer-console/src/main/resources/application.conf +++ /dev/null @@ -1,13 +0,0 @@ -signer-console { - include "akka-global.conf" - akka { - actor { - provider = remote - } - - coordinated-shutdown { - exit-jvm = on - phases.actor-system-terminate.timeout = 3s - } - } -} diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/BaseSignerStepDefs.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/BaseSignerStepDefs.java index 0f0058b4aa..cd5edd294f 100644 --- a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/BaseSignerStepDefs.java +++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/BaseSignerStepDefs.java 
@@ -1,3 +1,30 @@ +/* + * The MIT License + * + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + package org.niis.xroad.signer.test.glue; import ee.ria.xroad.signer.SignerProxy; diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerParallelStepDefs.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerParallelStepDefs.java index 150f70ceab..cd26745e09 100644 --- a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerParallelStepDefs.java 
+++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerParallelStepDefs.java @@ -1,3 +1,30 @@ +/* + * The MIT License + * + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + package org.niis.xroad.signer.test.glue; import ee.ria.xroad.signer.SignerProxy; diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java index 6fedb1a65e..74e162a4ec 100644 --- a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java 
+++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java @@ -34,6 +34,7 @@ import ee.ria.xroad.common.identifier.SecurityServerId; import ee.ria.xroad.common.util.CryptoUtils; import ee.ria.xroad.signer.SignerProxy; +import ee.ria.xroad.signer.protocol.RpcSignerClient; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; @@ -67,6 +68,8 @@ import java.util.UUID; import java.util.stream.Collectors; +import static ee.ria.xroad.common.SystemProperties.getGrpcSignerHost; +import static ee.ria.xroad.common.SystemProperties.getGrpcSignerPort; import static ee.ria.xroad.common.util.CryptoUtils.SHA256WITHRSA_ID; import static ee.ria.xroad.common.util.CryptoUtils.SHA256_ID; import static ee.ria.xroad.common.util.CryptoUtils.SHA512WITHRSA_ID; @@ -78,6 +81,7 @@ import static java.time.temporal.ChronoUnit.DAYS; import static java.util.UUID.randomUUID; import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; import static org.assertj.core.api.Assertions.fail; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertTrue; 
@@ -615,5 +619,24 @@ public void emptyOcspResponseIsReturnedForUnknownCertificate() throws Exception assertThat(ocspResponses[0]).isNull(); } + @Step("signer client initialized with default settings") + public void signerClientInitializedWithDefaultSettings() throws Exception { + RpcSignerClient.shutdown(); + RpcSignerClient.init(); + } + + @Step("signer client initialized with timeout {int} milliseconds") + public void signerClientReinitializedWithTimeoutMilliseconds(int timeoutMillis) throws Exception { + RpcSignerClient.shutdown(); + RpcSignerClient.init(getGrpcSignerHost(), getGrpcSignerPort(), timeoutMillis); + } + + @Step("getTokens fails with timeout exception") + public void signerGetTokensFailsWithTimeoutException() { + assertThatThrownBy(SignerProxy::getTokens) + .isInstanceOf(CodedException.class) + .hasMessage("Signer: Signer client timed out"); + } + } diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/hook/SignerProxyInitHook.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/hook/SignerProxyInitHook.java index ce4e9a6711..e7735344e8 100644 --- a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/hook/SignerProxyInitHook.java +++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/hook/SignerProxyInitHook.java 
@@ -1,3 +1,30 @@ +/* + * The MIT License + * + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + package org.niis.xroad.signer.test.hook; import ee.ria.xroad.common.SystemProperties; diff --git a/src/signer-protocol/src/intTest/resources/behavior/0050-signer-general.feature b/src/signer-protocol/src/intTest/resources/behavior/0050-signer-general.feature new file mode 100644 index 0000000000..7e8b2c5da3 --- /dev/null +++ b/src/signer-protocol/src/intTest/resources/behavior/0050-signer-general.feature 
@@ -0,0 +1,6 @@
+Feature: 0050 - Signer: general
+
+ Scenario: Signer client timeout works
+ Given signer client initialized with timeout 10 milliseconds
+ Then getTokens fails with timeout exception
+ And signer client initialized with default settings
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java
index 83c18fad99..25fc8bfe17 100644
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java
+++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java
@@ -172,7 +172,7 @@ public static void updateTokenPin(String tokenId, char[] oldPin, char[] newPin)
 RpcSignerClient.execute(ctx -> ctx.blockingTokenService
 .updateSoftwareTokenPin(UpdateSoftwareTokenPinReq.newBuilder()
 .setTokenId(tokenId)
- .setOldPin(new String(oldPin))//TODO:grpc its not great that we're doing this transformation
+ .setOldPin(new String(oldPin))//TODO grpc its not great that we're doing this transformation
 .setNewPin(new String(newPin))
 .build()));
 }
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java
index 9e5e19d4c5..3364da81c6 100644
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java
+++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java
@@ -48,7 +48,7 @@ public static ClientId.Conf fromDto(ClientIdProto clientIdProto) {
 }
 }
- //TODO:grpc move to a separate place.
+ //TODO grpc move to a separate place.
 public static ClientIdProto toDto(ClientId input) {
 var builder = ClientIdProto.newBuilder()
 .setMemberClass(input.getMemberClass())
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java
index c156934d7d..8a4177b18e 100644
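Review bot: The reset to default settings in the new feature file is an ordinary `And` step, so a Cucumber-style runner skips it when the preceding `Then` fails, and the static RpcSignerClient then keeps the 10 ms timeout for every later scenario in the run. Moving the reset into an after-scenario hook, or a try/finally inside the step definition, keeps one failure here from cascading into unrelated signer tests. The scenario also never checks that a call made after the timeout window has passed still succeeds, which is the case that would expose a deadline fixed once at client creation.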
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java @@ -26,7 +26,6 @@ package ee.ria.xroad.signer.protocol; import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.signer.protocol.dto.CodedExceptionProto; import com.google.protobuf.Any; @@ -34,6 +33,7 @@ import io.grpc.Channel; import io.grpc.Grpc; import io.grpc.ManagedChannel; +import io.grpc.Status; import io.grpc.StatusRuntimeException; import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.proto.CertificateServiceGrpc; @@ -42,6 +42,10 @@ import org.niis.xroad.signer.proto.TokenServiceGrpc; import static ee.ria.xroad.common.ErrorCodes.SIGNER_X; +import static ee.ria.xroad.common.SystemProperties.getGrpcSignerHost; +import static ee.ria.xroad.common.SystemProperties.getGrpcSignerPort; +import static ee.ria.xroad.common.SystemProperties.getSignerClientTimeout; +import static java.util.concurrent.TimeUnit.MILLISECONDS; import static org.niis.xroad.signer.grpc.ServerCredentialsConfigurer.createClientCredentials; @Slf4j @@ -54,9 +58,9 @@ public final class RpcSignerClient { /** * Construct client for accessing Signer services using the provided channel. */ - private RpcSignerClient(final ManagedChannel channel) { + private RpcSignerClient(final ManagedChannel channel, int clientTimeoutMillis) { this.channel = channel; - this.executionContext = new ExecutionContext(channel); + this.executionContext = new ExecutionContext(channel, clientTimeoutMillis); } /** 
@@ -65,16 +69,16 @@ private RpcSignerClient(final ManagedChannel channel) { * @throws Exception */ public static void init() throws Exception { - init(SystemProperties.getGrpcSignerHost(), SystemProperties.getGrpcSignerPort()); + init(getGrpcSignerHost(), getGrpcSignerPort(), getSignerClientTimeout()); } - public static void init(String host, int port) throws Exception { + public static void init(String host, int port, int clientTimeoutMillis) throws Exception { var credentials = createClientCredentials(); log.info("Starting grpc client with {} credentials..", credentials.getClass().getSimpleName()); ManagedChannel channel = Grpc.newChannelBuilderForAddress(host, port, credentials) .build(); - instance = new RpcSignerClient(channel); + instance = new RpcSignerClient(channel, clientTimeoutMillis); } public static void shutdown() { 
@@ -84,20 +88,20 @@ public static void shutdown() { } public static class ExecutionContext { - public final TokenServiceGrpc.TokenServiceStub tokenService; - public final TokenServiceGrpc.TokenServiceBlockingStub blockingTokenService; public final CertificateServiceGrpc.CertificateServiceBlockingStub blockingCertificateService; public final KeyServiceGrpc.KeyServiceBlockingStub blockingKeyService; public final OcspServiceGrpc.OcspServiceBlockingStub blockingOcspService; - public ExecutionContext(final Channel channel) { - tokenService = TokenServiceGrpc.newStub(channel); - - blockingTokenService = TokenServiceGrpc.newBlockingStub(channel); - blockingCertificateService = CertificateServiceGrpc.newBlockingStub(channel); - blockingKeyService = KeyServiceGrpc.newBlockingStub(channel); - blockingOcspService = OcspServiceGrpc.newBlockingStub(channel); + public ExecutionContext(final Channel channel, int clientTimeoutMillis) { + blockingTokenService = TokenServiceGrpc.newBlockingStub(channel) + .withDeadlineAfter(clientTimeoutMillis, MILLISECONDS); + blockingCertificateService = CertificateServiceGrpc.newBlockingStub(channel) + .withDeadlineAfter(clientTimeoutMillis, MILLISECONDS); + blockingKeyService = KeyServiceGrpc.newBlockingStub(channel) + .withDeadlineAfter(clientTimeoutMillis, MILLISECONDS); + blockingOcspService = OcspServiceGrpc.newBlockingStub(channel) + .withDeadlineAfter(clientTimeoutMillis, MILLISECONDS); } } @@ -105,6 +109,10 @@ public static V execute(RpcExecution grpcCall) throws Exception { try { return grpcCall.exec(getInstance().executionContext); } catch (StatusRuntimeException error) { + if (error.getStatus().getCode() == Status.Code.DEADLINE_EXCEEDED) { + throw CodedException.tr(SIGNER_X, "signer_client_timeout", "Signer client timed out") + .withPrefix(SIGNER_X); + } com.google.rpc.Status status = io.grpc.protobuf.StatusProto.fromThrowable(error); if (status != null) { for (Any any : status.getDetailsList()) { 
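Review bot: The deadline set in the ExecutionContext constructor is absolute, not per call: `withDeadlineAfter(clientTimeoutMillis, MILLISECONDS)` fixes the expiry at the moment the stub is built, and the stubs are kept in final fields for the life of the client. Once `clientTimeoutMillis` has elapsed after `init`, every call through these stubs fails with DEADLINE_EXCEEDED and is reported as "Signer client timed out", so signing stays unavailable until the client is re-initialised. The follow-up hunk in PATCH 070/127, which shares one `Deadline.after(...)` across the four stubs, has the same effect. Computing the deadline per call, for example with a client interceptor attached to each stub, fixes this and keeps the public fields used by SignerProxy unchanged.

```java
public ExecutionContext(final Channel channel, int clientTimeoutMillis) {
    // Evaluated on every call, so each RPC gets its own timeout window.
    final ClientInterceptor perCallDeadline = new ClientInterceptor() {
        @Override
        public <ReqT, RespT> ClientCall<ReqT, RespT> interceptCall(
                MethodDescriptor<ReqT, RespT> method, CallOptions callOptions, Channel next) {
            return next.newCall(method, callOptions.withDeadlineAfter(clientTimeoutMillis, MILLISECONDS));
        }
    };
    blockingTokenService = TokenServiceGrpc.newBlockingStub(channel).withInterceptors(perCallDeadline);
    blockingCertificateService = CertificateServiceGrpc.newBlockingStub(channel).withInterceptors(perCallDeadline);
    blockingKeyService = KeyServiceGrpc.newBlockingStub(channel).withInterceptors(perCallDeadline);
    blockingOcspService = OcspServiceGrpc.newBlockingStub(channel).withInterceptors(perCallDeadline);
}
```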
From ba17656747d67100c04939846aba35cea9e49ad9 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Wed, 13 Sep 2023 15:49:10 +0300 Subject: [PATCH 070/127] chore: signer grpc client timeout Refs: XRDDEV-2468
---
 .../ee/ria/xroad/signer/protocol/RpcSignerClient.java | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java
index 8a4177b18e..d94ba74f06 100644
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java
+++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java
@@ -31,6 +31,7 @@
 import com.google.protobuf.Any;
 import com.google.protobuf.InvalidProtocolBufferException;
 import io.grpc.Channel;
+import io.grpc.Deadline;
 import io.grpc.Grpc;
 import io.grpc.ManagedChannel;
 import io.grpc.Status;
@@ -94,14 +95,15 @@ public static class ExecutionContext {
 public final OcspServiceGrpc.OcspServiceBlockingStub blockingOcspService;
 public ExecutionContext(final Channel channel, int clientTimeoutMillis) {
+ final Deadline deadline = Deadline.after(clientTimeoutMillis, MILLISECONDS);
 blockingTokenService = TokenServiceGrpc.newBlockingStub(channel)
- .withDeadlineAfter(clientTimeoutMillis, MILLISECONDS);
+ .withDeadline(deadline);
 blockingCertificateService = CertificateServiceGrpc.newBlockingStub(channel)
- .withDeadlineAfter(clientTimeoutMillis, MILLISECONDS);
+ .withDeadline(deadline);
 blockingKeyService = KeyServiceGrpc.newBlockingStub(channel)
- .withDeadlineAfter(clientTimeoutMillis, MILLISECONDS);
+ .withDeadline(deadline);
 blockingOcspService = OcspServiceGrpc.newBlockingStub(channel)
- .withDeadlineAfter(clientTimeoutMillis, MILLISECONDS);
+ .withDeadline(deadline);
 }
 }
From 200c65be6e2dbad78755e3cbba2b14d08e85ea01 Mon Sep 17 00:00:00 2001
From: Justas Samuolis Date: Wed, 13 Sep 2023 16:34:19 +0300 Subject: [PATCH 071/127] chore: fix proxy intTest Refs: XRDDEV-2468
---
 .../java/org/niis/xroad/proxy/test/container/ContainerSetup.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/container/ContainerSetup.java b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/container/ContainerSetup.java
index 49afcfe370..f2d801a3de 100644
--- a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/container/ContainerSetup.java
+++ b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/container/ContainerSetup.java
@@ -104,6 +104,7 @@ public void beforeStart(@NotNull GenericContainer genericContainer) {
 "-Dxroad.grpc.internal.keystore-password=111111",
 "-Dxroad.grpc.internal.truststore=/etc/xroad/transport-keystore/grpc-internal-keystore.jks",
 "-Dxroad.grpc.internal.truststore-password=111111",
+ "-Dxroad.grpc.signer.host=0.0.0.0",
 "-cp",
 "/root/app.jar",
 "ee.ria.xroad.signer.SignerMain");
From b880a5cd33048b29c62ed0d0e8424a9ba6430815 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Wed, 13 Sep 2023 18:17:37 +0300 Subject: [PATCH 072/127] chore: add rpc server host configuration Refs: XRDDEV-2468 --- Docker/securityserver/files/ss-entrypoint.sh | 5 +++ .../base/etc/xroad/services/global.conf | 4 +- .../usr/share/xroad/scripts/xroad-base.sh | 42 ++++++++---------- .../signer/test/container/ContainerSetup.java | 4 +- .../signer/test/hook/SignerProxyInitHook.java | 4 +- .../etc/xroad/transport-keystore/gen-cert.sh | 8 ++-- .../grpc-internal-keystore.jks | Bin 2614 -> 0 bytes .../grpc-internal-keystore.p12 | Bin 0 -> 1074 bytes 8 files changed, 35 insertions(+), 32 deletions(-) delete mode 100644 src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.jks create mode 100644 src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.p12 diff --git a/Docker/securityserver/files/ss-entrypoint.sh b/Docker/securityserver/files/ss-entrypoint.sh index 9907d129d0..c50069108a 100755 --- a/Docker/securityserver/files/ss-entrypoint.sh +++ b/Docker/securityserver/files/ss-entrypoint.sh @@ -32,4 +32,9 @@ then unset XROAD_TOKEN_PIN fi +#initialize transport keys +mkdir -p -m0750 /var/run/xroad +chown xroad:xroad /var/run/xroad +su - xroad -c sh -c /usr/share/xroad/scripts/xroad-base.sh + exec /usr/bin/supervisord -n -c /etc/supervisor/supervisord.conf diff --git a/src/packages/src/xroad/common/base/etc/xroad/services/global.conf b/src/packages/src/xroad/common/base/etc/xroad/services/global.conf index 44125930ea..794ed8660f 100644 --- a/src/packages/src/xroad/common/base/etc/xroad/services/global.conf +++ b/src/packages/src/xroad/common/base/etc/xroad/services/global.conf 
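Review bot: In the block added to ss-entrypoint.sh, `su - xroad -c sh -c /usr/share/xroad/scripts/xroad-base.sh` passes `-c` twice, which leaves it to su's option parsing to decide what actually runs. Its exit status is also ignored, so supervisord is started even when the transport keystore was not created (unless the script enables `set -e` outside this hunk). I would write it as `su - xroad -c /usr/share/xroad/scripts/xroad-base.sh || exit 1`. Note also that `mkdir -p -m0750` applies the mode only when it creates the directory, so a pre-existing `/var/run/xroad` keeps whatever permissions it had; an explicit `chmod 0750 /var/run/xroad` after the `chown` closes that gap.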
@@ -7,9 +7,9 @@ ADDON_PATH="/usr/share/xroad/jlib/addon" umask 0027 -if [ -f /var/run/xroad/xroad-akka-env.properties ]; then +if [ -f /var/run/xroad/xroad-grpc-internal-env.properties ]; then set -a - . /var/run/xroad/xroad-akka-env.properties + . /var/run/xroad/xroad-grpc-internal-env.properties set +a fi diff --git a/src/packages/src/xroad/common/base/usr/share/xroad/scripts/xroad-base.sh b/src/packages/src/xroad/common/base/usr/share/xroad/scripts/xroad-base.sh index b815aa1cf4..3058545b8e 100755 --- a/src/packages/src/xroad/common/base/usr/share/xroad/scripts/xroad-base.sh +++ b/src/packages/src/xroad/common/base/usr/share/xroad/scripts/xroad-base.sh 
@@ -7,29 +7,26 @@ gen_pw() { head -c 24 /dev/urandom | base64 | tr "/+" "_-" } -get_prop() { - crudini --get "$1" "$2" "$3" 2>/dev/null || echo "$4" -} - -use_secure_akka_transport() { - local value="true" - for f in "$XROAD_CONF_PATH/conf.d/common.ini" "$XROAD_CONF_PATH"/conf.d/override-*.ini "$XROAD_CONF_PATH/conf.d/local.ini"; do - value=$(get_prop "$f" common akka-use-secure-remote-transport "$value") - done - [[ $value == "true" ]] -} - -# generate EC keypair and self-signed certificate for akka remoting -gen_akka_keypair() { +# generate EC keypair and self-signed certificate for internal transport +gen_grpc_internal_keypair() { umask 077 local keystore_pw="$(gen_pw)" - local keystore=/var/run/xroad/xroad-akka-keystore.p12 - local env_file=/var/run/xroad/xroad-akka-env.properties + local keystore=/var/run/xroad/xroad-grpc-internal-keystore.p12 + local env_file=/var/run/xroad/xroad-grpc-internal-env.properties if [[ ! -f "$keystore" && ! -f "$env_file" ]]; then - if use_secure_akka_transport; then - PW="$keystore_pw" keytool -genkeypair -alias akka -keyalg EC -keysize 256 -sigalg SHA256withECDSA -validity 3650 \ - -dname "cn=xroad-akka" -keystore "$keystore" -deststoretype pkcs12 -storepass:env PW -keypass:env PW + PW="$keystore_pw" \ + keytool -genkeypair -alias grpc-internal \ + -storetype PKCS12 \ + -keyalg EC -groupname secp256r1 \ + -sigalg SHA256withECDSA \ + -keystore "$keystore" \ + -dname "CN=127.0.0.1" \ + -ext "SAN:c=DNS:localhost,IP:127.0.0.1" \ + -validity 3650 \ + -storepass:env PW \ + -keypass:env PW + chown xroad:xroad "$keystore" cat <"$env_file" 
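Review bot: The guard `[[ ! -f "$keystore" && ! -f "$env_file" ]]` in `gen_grpc_internal_keypair` regenerates only when both files are missing. If exactly one survives (an interrupted first run, a manual cleanup), the function does nothing and the services are left with a keystore whose password is lost, or with a password file that points at no keystore. Treating either missing file as the trigger and removing the stale partner first makes the state self-healing: `if [[ ! -f "$keystore" || ! -f "$env_file" ]]; then rm -f "$keystore" "$env_file"`. The function body continues in the next hunk.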
@@ -38,13 +35,12 @@ XROAD_COMMON_AKKA_KEYSTORE="$keystore"
 XROAD_COMMON_AKKA_KEYSTORE_PASSWORD="$keystore_pw"
 XROAD_COMMON_AKKA_TRUSTSTORE="$keystore"
 XROAD_COMMON_AKKA_TRUSTSTORE_PASSWORD="$keystore_pw"
+xroad.grpc.internal.keystore-password="$keystore_pw"
+xroad.grpc.internal.truststore-password="$keystore_pw"
 EOF
- else
- echo "XROAD_COMMON_AKKA_REMOTE_TRANSPORT=tcp" >"$env_file"
- fi
 chown xroad:xroad "$env_file"
 fi
 }
-gen_akka_keypair
+gen_grpc_internal_keypair
diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java
index c0c90e402f..498b42c30b 100644
--- a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java
+++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java
@@ -103,9 +103,9 @@ public void beforeStart(@NotNull GenericContainer genericContainer) {
 "-Dlogback.configurationFile=/etc/xroad/signer/signer-logback.xml",
 "-Dxroad.internal.passwordstore-provider=file",
 "-Dxroad.grpc.signer.host=0.0.0.0",
- "-Dxroad.grpc.internal.keystore=/etc/xroad/transport-keystore/grpc-internal-keystore.jks",
+ "-Dxroad.grpc.internal.keystore=/etc/xroad/transport-keystore/grpc-internal-keystore.p12",
 "-Dxroad.grpc.internal.keystore-password=111111",
- "-Dxroad.grpc.internal.truststore=/etc/xroad/transport-keystore/grpc-internal-keystore.jks",
+ "-Dxroad.grpc.internal.truststore=/etc/xroad/transport-keystore/grpc-internal-keystore.p12",
 "-Dxroad.grpc.internal.truststore-password=111111",
 "-Dxroad.signer.moduleManagerImpl=ee.ria.xroad.signer.tokenmanager.module.HardwareModuleManagerImpl",
 "-cp",
diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/hook/SignerProxyInitHook.java b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/hook/SignerProxyInitHook.java
index e7735344e8..4bfbf32184 100644
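Review bot: The two lines added to the heredoc in xroad-base.sh, `xroad.grpc.internal.keystore-password="$keystore_pw"` and `xroad.grpc.internal.truststore-password="$keystore_pw"`, are not valid shell assignments, yet the hunk that replaces `. /var/run/xroad/xroad-akka-env.properties` reads this same file with `. /var/run/xroad/xroad-grpc-internal-env.properties` under `set -a`. A name containing dots and a hyphen makes the shell treat the whole word as a command, so sourcing fails with a command-not-found message that includes the keystore password, and that message can end up in the service log or journal. If a Java properties reader also consumes the file (not visible here), the double quotes would become part of the value. I would keep the file shell-only with names in the style of the neighbouring lines, for example `XROAD_GRPC_INTERNAL_KEYSTORE_PASSWORD="$keystore_pw"` (suggested name), and map them to the system properties where the JVM is started.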
--- a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/hook/SignerProxyInitHook.java
+++ b/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/hook/SignerProxyInitHook.java
@@ -63,10 +63,10 @@ public void beforeSuite() {
 System.setProperty(GRPC_SIGNER_HOST, host);
 System.setProperty(GRPC_INTERNAL_KEYSTORE,
- "src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.jks");
+ "src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.p12");
 System.setProperty(GRPC_INTERNAL_KEYSTORE_PASSWORD, "111111");
 System.setProperty(GRPC_INTERNAL_TRUSTSTORE,
- "src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.jks");
+ "src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.p12");
 System.setProperty(GRPC_INTERNAL_TRUSTSTORE_PASSWORD, "111111");
 System.setProperty("xroad.internal.passwordstore-provider", "file");
diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/gen-cert.sh b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/gen-cert.sh
index 9bb951f5dc..1dee917cf9 100644
--- a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/gen-cert.sh
+++ b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/gen-cert.sh
@@ -10,11 +10,13 @@ then
 fi
 echo "Generating keystore for grpc-internal.........."
-${KEYTOOL} -genkey -alias grpc-internal -keyalg RSA -keysize 2048 \
+${KEYTOOL} -genkeypair -alias grpc-internal \
 -storetype PKCS12 \
- -keystore grpc-internal-keystore.jks \
+ -keyalg EC -groupname secp256r1 \
+ -sigalg SHA256withECDSA \
+ -keystore grpc-internal-keystore.p12 \
 -dname "CN=127.0.0.1" \
 -ext "SAN:c=DNS:localhost,IP:127.0.0.1" \
- -validity 9999 \
+ -validity 3650 \
 -storepass 111111 \
 -keypass 111111
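Review bot: gen-cert.sh passes the store and key password on the command line as `-storepass 111111` and `-keypass 111111`, and the keystore it produces is committed next to it with its private key, but nothing in the script says this is acceptable only for the integration-test fixture. The keytool call now mirrors the one in xroad-base.sh except that the packaged script uses `-storepass:env PW`, so a short header comment would stop the fixture variant from being copied into packaging: `# Test fixture only: fixed password and committed private key, never use for a real installation.` The start of the script is outside the hunk.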
diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.jks b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.jks deleted file mode 100644 index f0368a6f6d5b1d177b04d27dd51b73af376498ce..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2614 zcma)8c{CJ?8lQcPE!inM*UngG=vr?WToQ$`6$WDsA!|%VmdQG}mh2>SjU|(0XG9Ab zvZOMygz;|HtcBM*@15>>f4%p|cfRxemhZpscRnPMRUHHbBZ-KQFoZ&qS<*fS5DqLS zB1RxY#LFM>b0iVk`Ck;20wF@{e!$f~sshIL9~V0-5L8Zt8vX!vk@%kuC zAYAD5B&Lg@5O?%)IEp)9<|~82GWOk@N=5eecq%^en?XB>I&U=2T4P-Yr#4MPqlXV-f4C0~B6 zzlc8cWwN<^>k|TCNf~$4s!(TD*wIo^-g1QO=QE>D3RMa67MJCH!k@%WDnc>4P85=s zZbxuO*+XT17Eh5j(X`aY?6o}=Tp7ihGcuIgQepi zWGJ}F>kMNo7`2S=VjgN_n5Ku5=`eY+N|t;CNhXi;G@zF6ERO4R%o&y?v!T=%5~iuv z!@ah|Gp35)k!gP5tOXw`M-{f{JD!Y08+BCiOG zr6_LaE0s#Zf?wO^9=sQ?@Lo?u;VlC1Cxcg0)-*+K0HmdHo5<95Pj+KzavXq$l z2T)g#UR8JSg1|A2`GLl#U&{FW(J`d5z1zQ_(NH?0+oR3LCg}1%iib_(ZTA*Y$4Wut z`R+t2+AZvGsUUg(xlJQALu{HO#!YMEftr9!9VTt!o5-oQ_sL@k<$o76Cc6}k&i-!6J7zGycE@?3Pr#KWdJA&$qEvHjz> zJs#8x)zSG)#l+et9<~qEZ7xf}LNnejm|QClQ#5No_8!uGE*&9JqG1mtz0y@!$MdAU zl;nuC@-d9IGbv&4?OML6y){pI)8ZwZfw1VFb(Iz5o{Mm$4e@A9JbD(*xqox6rk6-N zrcL_Oi!hsfr&0aEo|y%mtJ!npR}euxBR8%l^sc|li^&GglMg6ae^l|_WWs6OUoVUn ztRKc$BGt+S7CUFnvluUtr^d?to@98fNot$*{evQ!%g~#!)WLAKmvgKclfwQrspt8x z*-Gq8i4O^;_By^BH}W;^x0Y7<&;`Uj#$zh@^W>0cMtX6j6;Q$fDvZt4W=N*=Yy|d2 zzyZKiJ3K{haA6=ywGRVha%TJg6|PIIIbbz&17Za1E4T0ld`xjV|8@9=$lk)0CzmI2 z?tiwgCR${?j=lVbqDFiBrT7FsZ>qSEMz_#dTSN8W=_gi4SWQRmP_)!I2&N55y!Bh6 zniW$1XIvt9)y|6w1H1ttfM9?JKpEf*2n2)yynf7q0CzwDQsQqZpBgWO+t&Anm$(}G zf;w75T^)^9M`|O95a3S{99B*QZzGA|br2BnqpkeS0RLBL=USY91vppWbpLBalszGa zMNB0w^ZyBL%lJ2>uFehi#dLue`oa4rcZlF%%{W74=8l`{GR?tK}?NjJuC8hgsm%xkNG|(r+Ji zc=zJ8;%NN>h()dtDCuL@+H*)vPM-DGmBoT z{Y2+7Tk0%bkLfT-7(64Uf_K2u#(1a^8s9}vfpWp3Q5m_7(;EU?K0>(iYURCE!{n+M zSoXB)eYH!Utn0Jg>#tKbaji)IOCs)&B?h5{Mo}huX>cSV@Az9n^^NZAh8UcQ~U!PH>x{eT$Y%an$S97#66sK6hU2sGe`1QE#w{ 
z>9I}OHpq1E-cKre7uF>sW5syK8}_K-yv57|EFmd8N%g)S54RW%{bX=1hm9ChJ_@Nlqbm?Qcgyk=#qy zG)4XPoc@8Iea}%$HWw>8UJGYoS#-@6_pwWa3W>%B7f`@g@z}|eb4KTfGqLen-1<(Z zLBGqi89eCz{p``eqA&?`vbjakDIWw<$P$sH>e1(d;SO=Wl3}^1REm?K&-I13o^Qr% z2T;0JCWF6}$*73Zv^7dv#qM&3dJvk2?7qv(9|-26Kgq-AzqII}Ii@Bg06lxWWs8O& z=#^wfvG2klGY8nG6?%@Ob$a+&I*LW|ZYL-nF%E)$k5tmFfd?HTrpl06 zw~i5yiwt#gKo*66I&&n*Q7@!mDdy%HNR8}(kU9BC3=-Q(t=tEvv&gLm;pKCly}qwx zVJU`AUyk34;fIr{{^E2{kGb>BH3M1Id*C3j&57bwLEn+iZ@Q?dD^dw-1tFlXZCM@^(hI-;F2H_{Q~HN=x=H0pPE zm8Brz9!q+*azmtx${D}DYKpLDF?_fBv&}tMqczo?GR2XLHn<6PYhDS2$5AYK{bTL> zcy~{q2$}(xp{G$cGI~-jZDO%a7-^7G5*g3$L3-T!s+{{*O{qUitt 
diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.p12 b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.p12 new file mode 100644 index 0000000000000000000000000000000000000000..9e33a1ef62962afb9ebd386413e1d12fd06fc07c GIT binary patch literal 1074 zcmXqLV$ow_WHxAGzQM++)#lOmotKfFaX}OFNtPz&qd?(<22G3>C{m1?EKQ86Kw(87 zmSy9H>f+&IWLnU;*PwBiK^j~=E3ZMM0YW<~kAXIeh}w}!lPxp%P1@SjYdZO}^O@@^ zve%fH)CHIr6%2UTI3VURak4TP$g*)Jw0SV5GP5vhu?R@%a1}U77p-Rr-`7$luc*Tk zpj%wTWHT!_RDk3L-iLmq^b)%#vm1|8h#mnZhWyWrltRnsB#siWthsNin1|6fqPq zBs1tTWHRJ2lrW?M`FRY93^@jh2&JNiA}m57nYpP7hGv!~W`@S5CWa>F<_1knjc`Tm zYzvy0ihx3SOpFXbDjgxiNGQlG*lllxSg{6v=k<+TE%_mYSzT@-F+nEs+o$o%b)5zJ zNmff@Xa3*W(8TzmX0Awkn)IzhzNh^X&n!4HU-oH8+q#awXItt&%n$JU^hiru)t0^K zWl@>NyhXi_-%4?w^H}lkv%OKwjEb!(YnqvBF0HXT6}f@W;!k3BaNmMAlYd37JA3G9 z45wsX|KT4o7ZPv&?!D<9Z}@@#(e*l(upO4p{1e|;w2C{wU#V#M&^grU_K^~uPw~u2 zmz;HKC-4Pd`83ft!675*smhGNfS3)xCMYgtJftu!(1=TNu7yGPTz>CJbDwIXUeAia z&A+zpNd3RZ>GBnc<1;dj>^^pTkJ7Vm2)&*K!3Fn0u+5`<={T&tPf9WNvv- zn}4xL@!ne{A1kKZ5xI5X*87iU>W(EJdOKqzjs^Ps{$$7*+IHOG=i9xDnZ#hPeyz_r0F7$OZ5BPp8qQ&mplPo5c zNxELk!Yw7dZeIVo)R(oV#3U5B z&!wpA7s+ro3h&#S(DFk^!QE$5PQaJ2C+8MvMCu6&#qKuG-f6m^y*FHZfq3<`{1+z0 z52e0_d+nR0V$ySU+2K#lJP)F56H=2G4@v2b|d<}dJ3=MeUIf;ppm4QX!P)1ojW7F=JF0)#c4_prodg)SbSod%0 o&Fzo=yg#pW;w71tfCo(O&yGPV*1t`e@0OfM0EdT%j literal 0 HcmV?d00001 From 125648ef657c24ef18c0864160b93b35c3158ac5 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Thu, 14 Sep 2023 08:58:33 +0300 Subject: [PATCH 073/127] chore: license Refs: XRDDEV-2468 --- .../xroad/common/test/glue/BaseStepDefs.java | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/glue/BaseStepDefs.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/glue/BaseStepDefs.java index ce0448de78..b78087856f 100644 
--- a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/glue/BaseStepDefs.java +++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/glue/BaseStepDefs.java @@ -1,3 +1,29 @@ +/* + * The MIT License + * + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ package org.niis.xroad.common.test.glue; import com.nortal.test.core.report.TestReportService; From 23cfb0186e4ba380ac4e482930dd389f1faa0a87 Mon Sep 17 00:00:00 2001 
From: Justas Samuolis Date: Thu, 14 Sep 2023 10:13:36 +0300 Subject: [PATCH 074/127] chore: build and checkstyle fixes Refs: XRDDEV-2468 --- .../cs/admin/core/converter/TokenInfoMapper.java | 2 +- .../cs/admin/core/facade/SignerProxyFacadeImpl.java | 2 +- .../common/CertificationServiceDiagnostics.java | 6 +++--- .../java/ee/ria/xroad/common/SystemProperties.java | 4 +++- .../xroad/common/util/FilePasswordStoreProvider.java | 3 ++- .../java/ee/ria/xroad/common/util/PasswordStore.java | 12 ++++++------ .../main/java/ee/ria/xroad/monitor/MonitorMain.java | 8 +++----- 7 files changed, 19 insertions(+), 18 deletions(-) diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/converter/TokenInfoMapper.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/converter/TokenInfoMapper.java index de326551f7..c9aa39ac11 100644 --- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/converter/TokenInfoMapper.java +++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/converter/TokenInfoMapper.java @@ -69,7 +69,7 @@ public TokenInfo toTarget(ee.ria.xroad.signer.protocol.dto.TokenInfo tokenInfo) private TokenStatus mapStatus(TokenStatusInfo status) { switch (status) { - case TOKEN_STATUS_UNKNOWN: + case TOKEN_STATUS_UNSPECIFIED: return null; case OK: return TokenStatus.OK; diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java index 38f135c174..f361cd4d44 100644 --- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java +++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java 
@@ -70,7 +70,7 @@ public SignerProxyFacadeImpl(@Qualifier("signer-ip") String signerIp) { void init() throws Exception { Config config = ConfigFactory.load().getConfig("admin-service").withFallback(ConfigFactory.load()); actorSystem = ActorSystem.create("SignerService", config); - RpcSignerClient.init(signerIp, SystemProperties.getGrpcSignerPort()); + RpcSignerClient.init(signerIp, SystemProperties.getGrpcSignerPort(), SystemProperties.getSignerClientTimeout()); log.info("SignerService actorSystem initialized with admin-service config"); } diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/CertificationServiceDiagnostics.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/CertificationServiceDiagnostics.java index eac76a3153..25854834b9 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/CertificationServiceDiagnostics.java +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/CertificationServiceDiagnostics.java @@ -46,9 +46,9 @@ public CertificationServiceDiagnostics() { /** * Updates existing map with a provided one * - * @param certificationServiceStatusMap new map + * @param certificationServiceStatusMapParam new map */ - public void update(Map certificationServiceStatusMap) { - this.certificationServiceStatusMap = certificationServiceStatusMap; + public void update(Map certificationServiceStatusMapParam) { + this.certificationServiceStatusMap = certificationServiceStatusMapParam; } } diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java index 518202a6e0..d11455ecc7 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java 
@@ -340,6 +340,8 @@ private SystemProperties() {
 private static final String DEFAULT_ENFORCE_CLIENT_IS_CERT_VALIDITY_PERIOD_CHECK = "false";
+ private static final int DEFAULT_GRPC_SIGNER_PORT = 5560;
+
 /**
 * The default value of the on/off switch for a group of settings that affect whether or not pooled connections
 * for the ClientProxy can be actually reused
@@ -1709,7 +1711,7 @@ public static String getGrpcSignerHost() {
 * @return gRPC signer host.
 */
 public static int getGrpcSignerPort() {
- return Integer.parseInt(System.getProperty(GRPC_SIGNER_PORT, String.valueOf(5560)));
+ return Integer.parseInt(System.getProperty(GRPC_SIGNER_PORT, String.valueOf(DEFAULT_GRPC_SIGNER_PORT)));
 }
 /**
diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java
index ad0245b0a3..0a0eb504a3 100644
--- a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java
+++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java
@@ -36,7 +36,8 @@ import static java.lang.String.format;
 /**
- * A simplified password store implementation which uses files as storage medium. This implementation is designed purely for testing purposes.
+ * A simplified password store implementation which uses files as storage medium.
+ * This implementation is designed purely for testing purposes.
 */
 @Slf4j
 public class FilePasswordStoreProvider implements PasswordStore.PasswordStoreProvider {
diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/PasswordStore.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/PasswordStore.java
index 332e7cd4ee..a04cf98ade 100644
--- a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/PasswordStore.java
+++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/PasswordStore.java
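Review bot: The Javadoc shown directly above `getGrpcSignerPort()` in SystemProperties still reads `@return gRPC signer host.`, apparently copied from `getGrpcSignerHost()`; while this method is being touched it should become `@return gRPC signer port.` The method also hands the raw property value to `Integer.parseInt`, so a non-numeric setting surfaces as a bare NumberFormatException, and an out-of-range number would presumably only fail later at bind or connect time. Adding `@throws NumberFormatException if the configured port is not a number` to the Javadoc, or validating the 1-65535 range here, would make a misconfigured signer port easier to diagnose. The Javadoc block starts above the hunk.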
@@ -49,14 +49,14 @@ public final class PasswordStore { private static final String CFG_PASSWORD_STORE_FILE = "file"; private static final int PERMISSIONS = 0600; - private static final PasswordStoreProvider passwordStoreProvider; + private static final PasswordStoreProvider PASSWORD_STORE_PROVIDER; static { if (isFilePasswordStoreEnabled()) { log.warn("WARNING: FilePasswordStoreProvider is enabled. This provider is not production ready."); - passwordStoreProvider = new FilePasswordStoreProvider(); + PASSWORD_STORE_PROVIDER = new FilePasswordStoreProvider(); } else { - passwordStoreProvider = new MemoryPasswordStoreProvider(); + PASSWORD_STORE_PROVIDER = new MemoryPasswordStoreProvider(); } } @@ -72,7 +72,7 @@ private static boolean isFilePasswordStoreEnabled() { * @throws Exception in case of any errors */ public static char[] getPassword(String id) throws Exception { - byte[] raw = passwordStoreProvider.read(getPathnameForFtok(), id); + byte[] raw = PASSWORD_STORE_PROVIDER.read(getPathnameForFtok(), id); return raw == null ? null : byteToChar(raw); } @@ -87,7 +87,7 @@ public static char[] getPassword(String id) throws Exception { public static void storePassword(String id, char[] password) throws Exception { byte[] raw = charToByte(password); - passwordStoreProvider.write(getPathnameForFtok(), id, raw, PERMISSIONS); + PASSWORD_STORE_PROVIDER.write(getPathnameForFtok(), id, raw, PERMISSIONS); } /** @@ -96,7 +96,7 @@ public static void storePassword(String id, char[] password) * @throws Exception in case of any errors */ public static void clearStore() throws Exception { - passwordStoreProvider.clear(getPathnameForFtok(), PERMISSIONS); + PASSWORD_STORE_PROVIDER.clear(getPathnameForFtok(), PERMISSIONS); } private static byte[] charToByte(char[] buffer) throws IOException { diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/MonitorMain.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/MonitorMain.java index 273b71a324..c99cc56a4d 100644 
--- a/src/monitor/src/main/java/ee/ria/xroad/monitor/MonitorMain.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/MonitorMain.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -29,6 +29,7 @@ import ee.ria.xroad.common.SystemPropertiesLoader; import ee.ria.xroad.common.Version; import ee.ria.xroad.monitor.common.SystemMetricNames; +import ee.ria.xroad.signer.protocol.RpcSignerClient; import akka.actor.ActorRef; import akka.actor.ActorSystem; @@ -39,9 +40,6 @@ import com.typesafe.config.Config; import com.typesafe.config.ConfigFactory; import com.typesafe.config.ConfigValueFactory; - -import ee.ria.xroad.signer.protocol.RpcSignerClient; - import lombok.extern.slf4j.Slf4j; import scala.concurrent.Await; import scala.concurrent.duration.Duration; @@ -120,7 +118,7 @@ private static void stopReporter() { private static void initAkka() throws Exception { actorSystem = ActorSystem.create(APP_NAME, loadAkkaConfiguration()); - RpcSignerClient.init(); //TODO:grpc probably needs params. + RpcSignerClient.init(); //TODO grpc probably needs params. ActorRef unhandled = actorSystem.actorOf(Props.create(UnhandledListenerActor.class), "UnhandledListenerActor"); actorSystem.eventStream().subscribe(unhandled, UnhandledMessage.class); From 4fcb3ba71352c4372da6bc930f5aaa9876e9e1a9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Thu, 14 Sep 2023 14:56:37 +0300 Subject: [PATCH 075/127] chore: improve signer int tests Refs: XRDDEV-2468 --- src/common/common-int-test/build.gradle | 3 + .../xroad/common/test/glue/BaseStepDefs.java | 25 +++++ .../container/BaseTestSignerSetup.java} | 24 ++-- .../signer}/hook/SignerProxyInitHook.java | 29 ++--- .../signer-container-files}/Dockerfile | 0 .../etc/xroad/conf.d/signer.ini | 0 .../globalconf/CS/fetchinterval-params.xml | 0 .../xroad/globalconf/CS/private-params.xml | 0 .../globalconf/CS/private-params.xml.metadata | 0 .../etc/xroad/globalconf/CS/shared-params.xml | 0 .../globalconf/CS/shared-params.xml.metadata | 0 .../etc/xroad/globalconf/instance-identifier | 0 .../etc/xroad/signer/devices.ini | 0 .../etc/xroad/signer/keyconf.xml | 0 .../etc/xroad/signer/signer-logback.xml | 0 .../etc/xroad/signer/softtoken/.gitkeep | 0 .../etc/xroad/transport-keystore/gen-cert.sh | 0 .../grpc-internal-keystore.p12 | Bin .../var/cache/xroad/.gitkeep | 0 src/proxy/build.gradle | 8 ++ .../proxy/test/container/ContainerSetup.java | 94 +--------------- .../proxy/test/hook/BatchSignerInitHook.java | 61 ++++++++++ .../proxy/test/hook/SignerProxyInitHook.java | 85 -------------- .../resources/application-override.yml | 3 +- .../resources/container-files/Dockerfile | 21 ---- .../globalconf/CS/fetchinterval-params.xml | 3 - .../etc/xroad/signer/devices.ini | 0 .../etc/xroad/signer/signer-logback.xml | 21 ---- .../grpc-internal-keystore.jks | Bin 2614 -> 0 bytes src/signer-protocol/build.gradle | 28 ----- .../etc/xroad/conf.d/signer.ini | 0 .../xroad/globalconf/CS/private-params.xml | 15 --- .../globalconf/CS/private-params.xml.metadata | 1 - .../etc/xroad/globalconf/CS/shared-params.xml | 106 ------------------ .../globalconf/CS/shared-params.xml.metadata | 1 - .../etc/xroad/globalconf/instance-identifier | 1 - .../etc/xroad/signer/keyconf.xml | 2 - .../etc/xroad/signer/softtoken/.gitkeep | 0 
.../container-files/var/cache/xroad/.gitkeep | 0 src/signer/build.gradle | 32 ++++++ .../niis/xroad/signer/test/SignerIntTest.java | 0 .../signer/test/container/ContainerSetup.java | 51 +++++++++ .../signer/test/glue/BaseSignerStepDefs.java | 0 .../test/glue/SignerParallelStepDefs.java | 0 .../signer/test/glue/SignerStepDefs.java | 36 +++--- .../resources/application-override.yml | 5 +- .../behavior/0050-signer-general.feature | 0 .../0100-signer-software-token.feature | 0 .../0200-signer-hardware-token.feature | 0 .../0300-signer-parallel-actions.feature | 0 .../src/intTest/resources/cert-01.pem | 0 51 files changed, 228 insertions(+), 427 deletions(-) rename src/{signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java => common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java} (91%) rename src/{signer-protocol/src/intTest/java/org/niis/xroad/signer/test => common/common-int-test/src/main/java/org/niis/xroad/common/test/signer}/hook/SignerProxyInitHook.java (68%) rename src/{signer-protocol/src/intTest/resources/container-files => common/common-int-test/src/main/resources/signer-container-files}/Dockerfile (100%) rename src/{proxy/src/intTest/resources/container-files => common/common-int-test/src/main/resources/signer-container-files}/etc/xroad/conf.d/signer.ini (100%) rename src/{signer-protocol/src/intTest/resources/container-files => common/common-int-test/src/main/resources/signer-container-files}/etc/xroad/globalconf/CS/fetchinterval-params.xml (100%) rename src/{proxy/src/intTest/resources/container-files => common/common-int-test/src/main/resources/signer-container-files}/etc/xroad/globalconf/CS/private-params.xml (100%) rename src/{proxy/src/intTest/resources/container-files => common/common-int-test/src/main/resources/signer-container-files}/etc/xroad/globalconf/CS/private-params.xml.metadata (100%) rename src/{proxy/src/intTest/resources/container-files => 
common/common-int-test/src/main/resources/signer-container-files}/etc/xroad/globalconf/CS/shared-params.xml (100%) rename src/{proxy/src/intTest/resources/container-files => common/common-int-test/src/main/resources/signer-container-files}/etc/xroad/globalconf/CS/shared-params.xml.metadata (100%) rename src/{proxy/src/intTest/resources/container-files => common/common-int-test/src/main/resources/signer-container-files}/etc/xroad/globalconf/instance-identifier (100%) rename src/{signer-protocol/src/intTest/resources/container-files => common/common-int-test/src/main/resources/signer-container-files}/etc/xroad/signer/devices.ini (100%) rename src/{proxy/src/intTest/resources/container-files => common/common-int-test/src/main/resources/signer-container-files}/etc/xroad/signer/keyconf.xml (100%) rename src/{signer-protocol/src/intTest/resources/container-files => common/common-int-test/src/main/resources/signer-container-files}/etc/xroad/signer/signer-logback.xml (100%) rename src/{proxy/src/intTest/resources/container-files => common/common-int-test/src/main/resources/signer-container-files}/etc/xroad/signer/softtoken/.gitkeep (100%) rename src/{signer-protocol/src/intTest/resources/container-files => common/common-int-test/src/main/resources/signer-container-files}/etc/xroad/transport-keystore/gen-cert.sh (100%) rename src/{signer-protocol/src/intTest/resources/container-files => common/common-int-test/src/main/resources/signer-container-files}/etc/xroad/transport-keystore/grpc-internal-keystore.p12 (100%) rename src/{proxy/src/intTest/resources/container-files => common/common-int-test/src/main/resources/signer-container-files}/var/cache/xroad/.gitkeep (100%) create mode 100644 src/proxy/src/intTest/java/org/niis/xroad/proxy/test/hook/BatchSignerInitHook.java delete mode 100644 src/proxy/src/intTest/java/org/niis/xroad/proxy/test/hook/SignerProxyInitHook.java delete mode 100644 src/proxy/src/intTest/resources/container-files/Dockerfile delete mode 100644 
src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/fetchinterval-params.xml delete mode 100644 src/proxy/src/intTest/resources/container-files/etc/xroad/signer/devices.ini delete mode 100644 src/proxy/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml delete mode 100644 src/proxy/src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.jks delete mode 100644 src/signer-protocol/src/intTest/resources/container-files/etc/xroad/conf.d/signer.ini delete mode 100644 src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml delete mode 100644 src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml.metadata delete mode 100644 src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml delete mode 100644 src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml.metadata delete mode 100644 src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/instance-identifier delete mode 100644 src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/keyconf.xml delete mode 100644 src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/softtoken/.gitkeep delete mode 100644 src/signer-protocol/src/intTest/resources/container-files/var/cache/xroad/.gitkeep rename src/{signer-protocol => signer}/src/intTest/java/org/niis/xroad/signer/test/SignerIntTest.java (100%) create mode 100644 src/signer/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java rename src/{signer-protocol => signer}/src/intTest/java/org/niis/xroad/signer/test/glue/BaseSignerStepDefs.java (100%) rename src/{signer-protocol => signer}/src/intTest/java/org/niis/xroad/signer/test/glue/SignerParallelStepDefs.java (100%) rename src/{signer-protocol => 
signer}/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java (96%) rename src/{signer-protocol => signer}/src/intTest/resources/application-override.yml (89%) rename src/{signer-protocol => signer}/src/intTest/resources/behavior/0050-signer-general.feature (100%) rename src/{signer-protocol => signer}/src/intTest/resources/behavior/0100-signer-software-token.feature (100%) rename src/{signer-protocol => signer}/src/intTest/resources/behavior/0200-signer-hardware-token.feature (100%) rename src/{signer-protocol => signer}/src/intTest/resources/behavior/0300-signer-parallel-actions.feature (100%) rename src/{signer-protocol => signer}/src/intTest/resources/cert-01.pem (100%) diff --git a/src/common/common-int-test/build.gradle b/src/common/common-int-test/build.gradle index 2dd5783173..01270698ec 100644 --- a/src/common/common-int-test/build.gradle +++ b/src/common/common-int-test/build.gradle @@ -3,6 +3,9 @@ plugins { } dependencies { + api project(':common:common-util') + api project(':signer-protocol') + api("com.nortal.test:test-automation-core:${testAutomationFrameworkVersion}") api("com.nortal.test:test-automation-allure:${testAutomationFrameworkVersion}") api("com.nortal.test:test-automation-containers:${testAutomationFrameworkVersion}") diff --git a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/glue/BaseStepDefs.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/glue/BaseStepDefs.java index ce0448de78..90eed103dc 100644 --- a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/glue/BaseStepDefs.java +++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/glue/BaseStepDefs.java 
@@ -1,3 +1,28 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ package org.niis.xroad.common.test.glue; import com.nortal.test.core.report.TestReportService; 
diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java similarity index 91% rename from src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java rename to src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java index 498b42c30b..25da5a90b6 100644 --- a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java +++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java @@ -23,7 +23,7 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ -package org.niis.xroad.signer.test.container; +package org.niis.xroad.common.test.signer.container; import com.nortal.test.testcontainers.configuration.TestableContainerProperties; import com.nortal.test.testcontainers.configurator.TestContainerConfigurator; @@ -31,11 +31,8 @@ import com.nortal.test.testcontainers.images.builder.ReusableImageFromDockerfile; import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; -import okio.Path; import org.apache.commons.io.FileUtils; import org.jetbrains.annotations.NotNull; -import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.Configuration; import org.testcontainers.containers.GenericContainer; import org.testcontainers.containers.wait.strategy.Wait; 
@@ -46,16 +43,14 @@ import java.util.Map; @Slf4j -@Configuration @SuppressWarnings("checkstyle:MagicNumber") -public class ContainerSetup { +public abstract class BaseTestSignerSetup { static { //This is to set docker api version in testcontainers. By default it uses 1.32, which does not support platform setting. System.setProperty("api.version", "1.41"); } - @Bean public TestContainerConfigurator testContainerConfigurator( TestableContainerProperties testableContainerProperties) { return new TestContainerConfigurator() { @@ -66,7 +61,7 @@ public ImageFromDockerfile imageDefinition() { var hwTokenJarPath = Paths.get("../addons/hwtoken/build/libs/hwtoken-1.0.jar"); log.info("Will use {} jar for container creation", appJarPath); - File filesToAdd = Paths.get("src/intTest/resources/container-files/").toFile(); + File filesToAdd = Paths.get("build/resources/intTest/signer-container-files/").toFile(); return new ReusableImageFromDockerfile("signer-int-test", !testableContainerProperties.getReuseBetweenRuns(), @@ -90,12 +85,15 @@ public List exposedPorts() { }; } - @Bean - public TestContainerConfigurator.TestContainerInitListener testContainerInitListener() { + public TestContainerConfigurator.TestContainerInitListener testContainerInitListener(boolean enableHwModule) { return new TestContainerConfigurator.TestContainerInitListener() { @Override public void beforeStart(@NotNull GenericContainer genericContainer) { + var modulemanager = enableHwModule + ? "-Dxroad.signer.moduleManagerImpl=ee.ria.xroad.signer.tokenmanager.module.HardwareModuleManagerImpl" + : ""; + genericContainer .waitingFor(Wait.forLogMessage(".*Signer has been initialized in.*", 1)); genericContainer 
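Review bot: When `enableHwModule` is false, `modulemanager` is `""`, and the following hunk (`@@ -107,7 +105,7 @@`) still passes it to `withCommand(...)` as its own argv element ahead of `-cp`. An empty argument is not a `-` option, so the java launcher would most likely take it as the main class and the signer container would fail to start. The only caller visible in this patch passes `true`, so the false path looks untested here. Building the argument list and adding the `-Dxroad.signer.moduleManagerImpl=...` entry only when the flag is set avoids the empty element; the sketch below needs `java.util.ArrayList`, which the hunk does not show imported. `beforeStart` begins and ends outside this hunk.
```java
var command = new ArrayList<String>();
command.add("java");
// … unchanged: the logback, passwordstore and grpc keystore/truststore -D options, added in the same order …
if (enableHwModule) {
    command.add("-Dxroad.signer.moduleManagerImpl=ee.ria.xroad.signer.tokenmanager.module.HardwareModuleManagerImpl");
}
command.addAll(List.of("-cp", "/root/lib/hwtoken.jar:/root/app.jar", "ee.ria.xroad.signer.SignerMain"));
genericContainer.withCommand(command.toArray(new String[0]));
```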
@@ -107,7 +105,7 @@ public void beforeStart(@NotNull GenericContainer genericContainer) { "-Dxroad.grpc.internal.keystore-password=111111", "-Dxroad.grpc.internal.truststore=/etc/xroad/transport-keystore/grpc-internal-keystore.p12", "-Dxroad.grpc.internal.truststore-password=111111", - "-Dxroad.signer.moduleManagerImpl=ee.ria.xroad.signer.tokenmanager.module.HardwareModuleManagerImpl", + modulemanager, "-cp", "/root/lib/hwtoken.jar:/root/app.jar", "ee.ria.xroad.signer.SignerMain"); @@ -128,7 +126,7 @@ private void prepareSignerDirs() { @SneakyThrows private void deleteIfPresent(String path) { - var dir = Path.get(path); + var dir = Paths.get(path); if (dir.toFile().exists()) { log.info("Temporary test-signer sync dir {} found. Deleting..", dir); FileUtils.cleanDirectory(dir.toFile()); @@ -136,6 +134,4 @@ private void deleteIfPresent(String path) { } }; } - - } diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/hook/SignerProxyInitHook.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyInitHook.java similarity index 68% rename from src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/hook/SignerProxyInitHook.java rename to src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyInitHook.java index 4bfbf32184..fc048bf431 100644 --- a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/hook/SignerProxyInitHook.java +++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyInitHook.java @@ -25,7 +25,7 @@ * THE SOFTWARE. */ -package org.niis.xroad.signer.test.hook; +package org.niis.xroad.common.test.signer.hook; import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.signer.protocol.RpcSignerClient; 
@@ -35,17 +35,12 @@ import lombok.RequiredArgsConstructor; import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Component; -import static ee.ria.xroad.common.SystemProperties.GRPC_INTERNAL_KEYSTORE; -import static ee.ria.xroad.common.SystemProperties.GRPC_INTERNAL_KEYSTORE_PASSWORD; -import static ee.ria.xroad.common.SystemProperties.GRPC_INTERNAL_TRUSTSTORE; -import static ee.ria.xroad.common.SystemProperties.GRPC_INTERNAL_TRUSTSTORE_PASSWORD; -import static ee.ria.xroad.common.SystemProperties.GRPC_SIGNER_HOST; -import static ee.ria.xroad.common.SystemProperties.GRPC_SIGNER_PORT; - @Slf4j @Component +@ConditionalOnProperty(value = "test-automation.custom.signer-container-enabled", havingValue = "true") @RequiredArgsConstructor public class SignerProxyInitHook implements BeforeSuiteHook { private final TestableApplicationInfoProvider testableApplicationInfoProvider; 
@@ -57,17 +52,17 @@ public void beforeSuite() { var port = testableApplicationInfoProvider.getMappedPort(SystemProperties.getGrpcSignerPort()); log.info("Will use {}:{} for signer RPC connection..", host, port); - System.setProperty(GRPC_SIGNER_HOST, host); - System.setProperty(GRPC_SIGNER_PORT, String.valueOf(port)); + System.setProperty(SystemProperties.GRPC_SIGNER_HOST, host); + System.setProperty(SystemProperties.GRPC_SIGNER_PORT, String.valueOf(port)); - System.setProperty(GRPC_SIGNER_HOST, host); + System.setProperty(SystemProperties.GRPC_SIGNER_HOST, host); - System.setProperty(GRPC_INTERNAL_KEYSTORE, - "src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.p12"); - System.setProperty(GRPC_INTERNAL_KEYSTORE_PASSWORD, "111111"); - System.setProperty(GRPC_INTERNAL_TRUSTSTORE, - "src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.p12"); - System.setProperty(GRPC_INTERNAL_TRUSTSTORE_PASSWORD, "111111"); + System.setProperty(SystemProperties.GRPC_INTERNAL_KEYSTORE, + "build/resources/intTest/signer-container-files/etc/xroad/transport-keystore/grpc-internal-keystore.p12"); + System.setProperty(SystemProperties.GRPC_INTERNAL_KEYSTORE_PASSWORD, "111111"); + System.setProperty(SystemProperties.GRPC_INTERNAL_TRUSTSTORE, + "build/resources/intTest/signer-container-files/etc/xroad/transport-keystore/grpc-internal-keystore.p12"); + System.setProperty(SystemProperties.GRPC_INTERNAL_TRUSTSTORE_PASSWORD, "111111"); System.setProperty("xroad.internal.passwordstore-provider", "file"); System.setProperty("xroad.internal.passwordstore-file-path", "build/container-passwordstore/"); 
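Review bot: The rewritten block in `beforeSuite()` keeps the duplicated `System.setProperty(SystemProperties.GRPC_SIGNER_HOST, host);`, so the second call can be dropped. The same `.p12` path literal is written twice, for keystore and truststore. A single constant such as `private static final String GRPC_KEYSTORE_PATH = "build/resources/intTest/signer-container-files/etc/xroad/transport-keystore/grpc-internal-keystore.p12";` would keep the two in step. Because the path now points into a build output directory, a missing or stale copy would presumably only surface later as a TLS handshake failure. A check like `if (!Files.exists(Paths.get(GRPC_KEYSTORE_PATH))) throw new IllegalStateException("test keystore not found: " + GRPC_KEYSTORE_PATH);` gives a clearer error. I would also add `// test-only fixture: committed keystore with a well-known password, never reuse outside integration tests` above the password lines. The method continues outside the hunk.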
diff --git a/src/signer-protocol/src/intTest/resources/container-files/Dockerfile b/src/common/common-int-test/src/main/resources/signer-container-files/Dockerfile similarity index 100% rename from src/signer-protocol/src/intTest/resources/container-files/Dockerfile rename to src/common/common-int-test/src/main/resources/signer-container-files/Dockerfile diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/conf.d/signer.ini b/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/conf.d/signer.ini similarity index 100% rename from src/proxy/src/intTest/resources/container-files/etc/xroad/conf.d/signer.ini rename to src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/conf.d/signer.ini diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/fetchinterval-params.xml b/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/globalconf/CS/fetchinterval-params.xml similarity index 100% rename from src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/fetchinterval-params.xml rename to src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/globalconf/CS/fetchinterval-params.xml diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml b/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/globalconf/CS/private-params.xml similarity index 100% rename from src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml rename to src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/globalconf/CS/private-params.xml 
diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml.metadata b/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/globalconf/CS/private-params.xml.metadata similarity index 100% rename from src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml.metadata rename to src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/globalconf/CS/private-params.xml.metadata diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml b/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/globalconf/CS/shared-params.xml similarity index 100% rename from src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml rename to src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/globalconf/CS/shared-params.xml diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml.metadata b/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/globalconf/CS/shared-params.xml.metadata similarity index 100% rename from src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml.metadata rename to src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/globalconf/CS/shared-params.xml.metadata diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/instance-identifier b/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/globalconf/instance-identifier similarity index 100% rename from src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/instance-identifier rename to src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/globalconf/instance-identifier 
diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/devices.ini b/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/signer/devices.ini similarity index 100% rename from src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/devices.ini rename to src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/signer/devices.ini diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/signer/keyconf.xml b/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/signer/keyconf.xml similarity index 100% rename from src/proxy/src/intTest/resources/container-files/etc/xroad/signer/keyconf.xml rename to src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/signer/keyconf.xml diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml b/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/signer/signer-logback.xml similarity index 100% rename from src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml rename to src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/signer/signer-logback.xml diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/signer/softtoken/.gitkeep b/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/signer/softtoken/.gitkeep similarity index 100% rename from src/proxy/src/intTest/resources/container-files/etc/xroad/signer/softtoken/.gitkeep rename to src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/signer/softtoken/.gitkeep 
diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/gen-cert.sh b/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/transport-keystore/gen-cert.sh similarity index 100% rename from src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/gen-cert.sh rename to src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/transport-keystore/gen-cert.sh diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.p12 b/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/transport-keystore/grpc-internal-keystore.p12 similarity index 100% rename from src/signer-protocol/src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.p12 rename to src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/transport-keystore/grpc-internal-keystore.p12 diff --git a/src/proxy/src/intTest/resources/container-files/var/cache/xroad/.gitkeep b/src/common/common-int-test/src/main/resources/signer-container-files/var/cache/xroad/.gitkeep similarity index 100% rename from src/proxy/src/intTest/resources/container-files/var/cache/xroad/.gitkeep rename to src/common/common-int-test/src/main/resources/signer-container-files/var/cache/xroad/.gitkeep diff --git a/src/proxy/build.gradle b/src/proxy/build.gradle index f46c488b5b..2dd4b0e9d6 100644 --- a/src/proxy/build.gradle +++ b/src/proxy/build.gradle @@ -4,6 +4,14 @@ plugins { id 'com.github.johnrengelman.shadow' } +sourceSets { + intTest { + resources { + srcDir '../common/common-int-test/src/main/resources/' + } + } +} + dependencies { implementation project(':common:common-util') implementation project(':common:common-verifier') 
diff --git a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/container/ContainerSetup.java b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/container/ContainerSetup.java index f2d801a3de..cc3f2c9bdb 100644 --- a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/container/ContainerSetup.java +++ b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/container/ContainerSetup.java 
@@ -27,111 +27,25 @@ import com.nortal.test.testcontainers.configuration.TestableContainerProperties; import com.nortal.test.testcontainers.configurator.TestContainerConfigurator; -import com.nortal.test.testcontainers.images.builder.ImageFromDockerfile; -import com.nortal.test.testcontainers.images.builder.ReusableImageFromDockerfile; -import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; -import okio.Path; -import org.apache.commons.io.FileUtils; -import org.jetbrains.annotations.NotNull; +import org.niis.xroad.common.test.signer.container.BaseTestSignerSetup; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.testcontainers.containers.GenericContainer; -import org.testcontainers.containers.wait.strategy.Wait; - -import java.io.File; -import java.nio.file.Paths; -import java.util.HashMap; -import java.util.List; -import java.util.Map; @Slf4j @Configuration @SuppressWarnings("checkstyle:MagicNumber") -public class ContainerSetup { - - static { - //This is to set docker api version in testcontainers. By default it uses 1.32, which does not support platform setting. 
- System.setProperty("api.version", "1.41"); - } +public class ContainerSetup extends BaseTestSignerSetup { @Bean public TestContainerConfigurator testContainerConfigurator( TestableContainerProperties testableContainerProperties) { - return new TestContainerConfigurator() { - @NotNull - @Override - public ImageFromDockerfile imageDefinition() { - var appJarPath = Paths.get("../signer/build/libs/signer-1.0.jar"); - log.info("Will use {} jar for container creation", appJarPath); - - File filesToAdd = Paths.get("src/intTest/resources/container-files/").toFile(); - - return new ReusableImageFromDockerfile("proxy-int-test", - !testableContainerProperties.getReuseBetweenRuns(), - testableContainerProperties.getReuseBetweenRuns()) - .withFileFromFile(".", filesToAdd) - .withFileFromPath("files/app.jar", appJarPath); - } - - @NotNull - @Override - public Map environmentalVariables() { - return new HashMap<>(); - } - - @NotNull - @Override - public List exposedPorts() { - return List.of(5558, 5560); - } - }; + return super.testContainerConfigurator(testableContainerProperties); } @Bean public TestContainerConfigurator.TestContainerInitListener testContainerInitListener() { - return new TestContainerConfigurator.TestContainerInitListener() { - - @Override - public void beforeStart(@NotNull GenericContainer genericContainer) { - genericContainer - .waitingFor(Wait.forLogMessage(".*Signer has been initialized in.*", 1)); - genericContainer - .withCommand("java", - "-Dlogback.configurationFile=/etc/xroad/signer/signer-logback.xml", - "-Dxroad.internal.passwordstore-provider=file", - "-Dxroad.grpc.internal.keystore=/etc/xroad/transport-keystore/grpc-internal-keystore.jks", - "-Dxroad.grpc.internal.keystore-password=111111", - "-Dxroad.grpc.internal.truststore=/etc/xroad/transport-keystore/grpc-internal-keystore.jks", - "-Dxroad.grpc.internal.truststore-password=111111", - "-Dxroad.grpc.signer.host=0.0.0.0", - "-cp", - "/root/app.jar", - "ee.ria.xroad.signer.SignerMain"); - - 
prepareSignerDirs(); - } - - @Override - public void afterStart(@NotNull GenericContainer genericContainer) { - //do nothing - } - - @SneakyThrows - private void prepareSignerDirs() { - deleteIfPresent("build/resources/intTest/container-files/etc/xroad/signer/softtoken/"); - deleteIfPresent("build/container-passwordstore/"); - } - - @SneakyThrows - private void deleteIfPresent(String path) { - var dir = Path.get(path); - if (dir.toFile().exists()) { - log.info("Temporary test-signer sync dir {} found. Deleting..", dir); - FileUtils.cleanDirectory(dir.toFile()); - } - } - }; + return super.testContainerInitListener(true); } diff --git a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/hook/BatchSignerInitHook.java b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/hook/BatchSignerInitHook.java new file mode 100644 index 0000000000..31b3f3fce0 --- /dev/null +++ b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/hook/BatchSignerInitHook.java 
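Review bot: `super.testContainerInitListener(true)` switches the proxy integration tests to a signer started with `HardwareModuleManagerImpl`, but the bare literal gives no reason. The removed proxy-specific command line did not set `xroad.signer.moduleManagerImpl` and used only `/root/app.jar` on the classpath, so this is a behaviour change for these tests. I would add a comment such as `// proxy tests run against the shared signer image with the hardware token module enabled` or pass a named constant instead. `@Slf4j` and `@SuppressWarnings("checkstyle:MagicNumber")` also remain on the class although the new body has no log call and no numeric literal, so both can go.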
@@ -0,0 +1,61 @@ +/* + * The MIT License + * + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ + +package org.niis.xroad.proxy.test.hook; + +import ee.ria.xroad.common.TestSecurityUtil; +import ee.ria.xroad.common.signature.BatchSigner; + +import com.nortal.test.core.services.hooks.BeforeSuiteHook; +import lombok.RequiredArgsConstructor; +import lombok.SneakyThrows; +import lombok.extern.slf4j.Slf4j; +import org.springframework.stereotype.Component; + +import static java.lang.String.format; + +@Slf4j +@Component +@RequiredArgsConstructor +public class BatchSignerInitHook implements BeforeSuiteHook { + private static final String CONTAINER_FILES_PATH = "build/resources/intTest/signer-container-files/%s"; + + @Override + @SneakyThrows + public void beforeSuite() { + System.setProperty("xroad.common.configuration-path", format(CONTAINER_FILES_PATH, "etc/xroad/globalconf")); + System.setProperty("xroad.signer.key-configuration-file", format(CONTAINER_FILES_PATH, "etc/xroad/signer/keyconf.xml")); + + TestSecurityUtil.initSecurity(); + BatchSigner.init(); + } + + @Override + public int beforeSuiteOrder() { + return DEFAULT_ORDER + 100; + } +} diff --git a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/hook/SignerProxyInitHook.java b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/hook/SignerProxyInitHook.java deleted file mode 100644 index 81e7c5694b..0000000000 --- a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/hook/SignerProxyInitHook.java +++ /dev/null 
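Review bot: `beforeSuiteOrder()` returns `DEFAULT_ORDER + 100` without saying what this hook must run after. The deleted proxy hook called `TestSecurityUtil.initSecurity()`, then `RpcSignerClient.init()`, then `BatchSigner.init()` in one method. If the shared `SignerProxyInitHook` runs at the default order, `initSecurity()` now runs after the RPC client is initialised rather than before; whether the shared hook initialises security itself is not visible in this patch. A comment such as `// must run after SignerProxyInitHook: BatchSigner needs the signer RPC client and its system properties` would make the dependency explicit. Unlike the shared hook, this one is not guarded by `test-automation.custom.signer-container-enabled`, so it would still run when the signer container is switched off. `@Slf4j` and `@RequiredArgsConstructor` are unused here, since the class has no log call and no final fields.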
@@ -1,85 +0,0 @@ -/* - * The MIT License - * - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ - -package org.niis.xroad.proxy.test.hook; - -import ee.ria.xroad.common.SystemProperties; -import ee.ria.xroad.common.TestSecurityUtil; -import ee.ria.xroad.common.signature.BatchSigner; -import ee.ria.xroad.signer.protocol.RpcSignerClient; - -import com.nortal.test.core.services.TestableApplicationInfoProvider; -import com.nortal.test.core.services.hooks.BeforeSuiteHook; -import lombok.RequiredArgsConstructor; -import lombok.SneakyThrows; -import lombok.extern.slf4j.Slf4j; -import org.springframework.stereotype.Component; - -import static ee.ria.xroad.common.SystemProperties.GRPC_INTERNAL_KEYSTORE; -import static ee.ria.xroad.common.SystemProperties.GRPC_INTERNAL_KEYSTORE_PASSWORD; -import static ee.ria.xroad.common.SystemProperties.GRPC_INTERNAL_TRUSTSTORE; -import static ee.ria.xroad.common.SystemProperties.GRPC_INTERNAL_TRUSTSTORE_PASSWORD; -import static ee.ria.xroad.common.SystemProperties.GRPC_SIGNER_HOST; -import static ee.ria.xroad.common.SystemProperties.GRPC_SIGNER_PORT; - -@Slf4j -@Component -@RequiredArgsConstructor -public class SignerProxyInitHook implements BeforeSuiteHook { - private final TestableApplicationInfoProvider testableApplicationInfoProvider; - - @Override - @SneakyThrows - public void beforeSuite() { - var host = testableApplicationInfoProvider.getHost(); - var port = testableApplicationInfoProvider.getMappedPort(SystemProperties.getGrpcSignerPort()); - log.info("Will use {}:{} for signer RPC connection..", host, port); - - System.setProperty(GRPC_SIGNER_HOST, host); - System.setProperty(GRPC_SIGNER_PORT, String.valueOf(port)); - - System.setProperty(GRPC_SIGNER_HOST, host); - - System.setProperty(GRPC_INTERNAL_KEYSTORE, - "src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.jks"); - System.setProperty(GRPC_INTERNAL_KEYSTORE_PASSWORD, "111111"); - System.setProperty(GRPC_INTERNAL_TRUSTSTORE, - "src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.jks"); - 
System.setProperty(GRPC_INTERNAL_TRUSTSTORE_PASSWORD, "111111"); - - System.setProperty("xroad.internal.passwordstore-provider", "file"); - System.setProperty("xroad.internal.passwordstore-file-path", "build/container-passwordstore/"); - - System.setProperty("xroad.common.configuration-path", "build/resources/intTest/container-files/etc/xroad/globalconf"); - System.setProperty("xroad.signer.key-configuration-file", "build/resources/intTest/container-files/etc/xroad/signer/keyconf.xml"); - - TestSecurityUtil.initSecurity(); - RpcSignerClient.init(); - BatchSigner.init(); - } - -} diff --git a/src/proxy/src/intTest/resources/application-override.yml b/src/proxy/src/intTest/resources/application-override.yml index ec6e599b37..45f0e64ddb 100755 --- a/src/proxy/src/intTest/resources/application-override.yml +++ b/src/proxy/src/intTest/resources/application-override.yml @@ -29,7 +29,8 @@ test-automation: ca-server: enabled: true reuse-between-runs: ${reuse-between-runs} - + custom: + signer-container-enabled: true # toggle for reusable containers. This allows quicker test development as containers are not destroyed between runs. # WARNING: this leaves containers running indefinitely. They have to be stopped manually. # Note: this required testcontainers.reuse.enable=true property to be defined in your ~/.testcontainers.properties file diff --git a/src/proxy/src/intTest/resources/container-files/Dockerfile b/src/proxy/src/intTest/resources/container-files/Dockerfile deleted file mode 100644 index a614817706..0000000000 --- a/src/proxy/src/intTest/resources/container-files/Dockerfile +++ /dev/null 
@@ -1,21 +0,0 @@ -# Explicitly defining linux/amd64 ubuntu:22.04 image -FROM ubuntu@sha256:56887c5194fddd8db7e36ced1c16b3569d89f74c801dc8a5adbf48236fb34564 -RUN apt-get clean && apt-get -y update && apt-get install -y locales && locale-gen en_US.UTF-8 -ENV LANG en_US.UTF-8 -ENV LANGUAGE en_US:en -ENV LC_ALL en_US.UTF-8 - -ENV DEBIAN_FRONTEND=noninteractive - -RUN apt-get -qq update \ - && apt-get -qq upgrade \ - && apt-get -qq install curl software-properties-common gawk \ - openjdk-11-jdk-headless build-essential git unzip debhelper \ - && apt-get -qq autoremove \ - && apt-get -qq clean - -COPY --chown=root:root files/app.jar /root/app.jar -COPY --chown=root:root etc /etc -COPY --chown=root:root var /var - -EXPOSE 5558 5559 5560 diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/fetchinterval-params.xml b/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/fetchinterval-params.xml deleted file mode 100644 index 7cd5010c07..0000000000 --- a/src/proxy/src/intTest/resources/container-files/etc/xroad/globalconf/CS/fetchinterval-params.xml +++ /dev/null @@ -1,3 +0,0 @@ - - 10 - diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/signer/devices.ini b/src/proxy/src/intTest/resources/container-files/etc/xroad/signer/devices.ini deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml b/src/proxy/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml deleted file mode 100644 index 3f685520c2..0000000000 --- a/src/proxy/src/intTest/resources/container-files/etc/xroad/signer/signer-logback.xml +++ /dev/null @@ -1,21 +0,0 @@ - - - - - - %d{"yyyy-MM-dd'T'HH:mm:ss.SSSXXX"} %level [xroad-signer] [%thread] %logger{36} - %msg%n - - - - - - - - - - - - - - - 
diff --git a/src/proxy/src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.jks b/src/proxy/src/intTest/resources/container-files/etc/xroad/transport-keystore/grpc-internal-keystore.jks deleted file mode 100644 index f0368a6f6d5b1d177b04d27dd51b73af376498ce..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2614 zcma)8c{CJ?8lQcPE!inM*UngG=vr?WToQ$`6$WDsA!|%VmdQG}mh2>SjU|(0XG9Ab zvZOMygz;|HtcBM*@15>>f4%p|cfRxemhZpscRnPMRUHHbBZ-KQFoZ&qS<*fS5DqLS zB1RxY#LFM>b0iVk`Ck;20wF@{e!$f~sshIL9~V0-5L8Zt8vX!vk@%kuC zAYAD5B&Lg@5O?%)IEp)9<|~82GWOk@N=5eecq%^en?XB>I&U=2T4P-Yr#4MPqlXV-f4C0~B6 zzlc8cWwN<^>k|TCNf~$4s!(TD*wIo^-g1QO=QE>D3RMa67MJCH!k@%WDnc>4P85=s zZbxuO*+XT17Eh5j(X`aY?6o}=Tp7ihGcuIgQepi zWGJ}F>kMNo7`2S=VjgN_n5Ku5=`eY+N|t;CNhXi;G@zF6ERO4R%o&y?v!T=%5~iuv z!@ah|Gp35)k!gP5tOXw`M-{f{JD!Y08+BCiOG zr6_LaE0s#Zf?wO^9=sQ?@Lo?u;VlC1Cxcg0)-*+K0HmdHo5<95Pj+KzavXq$l z2T)g#UR8JSg1|A2`GLl#U&{FW(J`d5z1zQ_(NH?0+oR3LCg}1%iib_(ZTA*Y$4Wut z`R+t2+AZvGsUUg(xlJQALu{HO#!YMEftr9!9VTt!o5-oQ_sL@k<$o76Cc6}k&i-!6J7zGycE@?3Pr#KWdJA&$qEvHjz> zJs#8x)zSG)#l+et9<~qEZ7xf}LNnejm|QClQ#5No_8!uGE*&9JqG1mtz0y@!$MdAU zl;nuC@-d9IGbv&4?OML6y){pI)8ZwZfw1VFb(Iz5o{Mm$4e@A9JbD(*xqox6rk6-N zrcL_Oi!hsfr&0aEo|y%mtJ!npR}euxBR8%l^sc|li^&GglMg6ae^l|_WWs6OUoVUn ztRKc$BGt+S7CUFnvluUtr^d?to@98fNot$*{evQ!%g~#!)WLAKmvgKclfwQrspt8x z*-Gq8i4O^;_By^BH}W;^x0Y7<&;`Uj#$zh@^W>0cMtX6j6;Q$fDvZt4W=N*=Yy|d2 zzyZKiJ3K{haA6=ywGRVha%TJg6|PIIIbbz&17Za1E4T0ld`xjV|8@9=$lk)0CzmI2 z?tiwgCR${?j=lVbqDFiBrT7FsZ>qSEMz_#dTSN8W=_gi4SWQRmP_)!I2&N55y!Bh6 zniW$1XIvt9)y|6w1H1ttfM9?JKpEf*2n2)yynf7q0CzwDQsQqZpBgWO+t&Anm$(}G zf;w75T^)^9M`|O95a3S{99B*QZzGA|br2BnqpkeS0RLBL=USY91vppWbpLBalszGa zMNB0w^ZyBL%lJ2>uFehi#dLue`oa4rcZlF%%{W74=8l`{GR?tK}?NjJuC8hgsm%xkNG|(r+Ji zc=zJ8;%NN>h()dtDCuL@+H*)vPM-DGmBoT z{Y2+7Tk0%bkLfT-7(64Uf_K2u#(1a^8s9}vfpWp3Q5m_7(;EU?K0>(iYURCE!{n+M zSoXB)eYH!Utn0Jg>#tKbaji)IOCs)&B?h5{Mo}huX>cSV@Az9n^^NZAh8UcQ~U!PH>x{eT$Y%an$S97#66sK6hU2sGe`1QE#w{ 
z>9I}OHpq1E-cKre7uF>sW5syK8}_K-yv57|EFmd8N%g)S54RW%{bX=1hm9ChJ_@Nlqbm?Qcgyk=#qy zG)4XPoc@8Iea}%$HWw>8UJGYoS#-@6_pwWa3W>%B7f`@g@z}|eb4KTfGqLen-1<(Z zLBGqi89eCz{p``eqA&?`vbjakDIWw<$P$sH>e1(d;SO=Wl3}^1REm?K&-I13o^Qr% z2T;0JCWF6}$*73Zv^7dv#qM&3dJvk2?7qv(9|-26Kgq-AzqII}Ii@Bg06lxWWs8O& z=#^wfvG2klGY8nG6?%@Ob$a+&I*LW|ZYL-nF%E)$k5tmFfd?HTrpl06 zw~i5yiwt#gKo*66I&&n*Q7@!mDdy%HNR8}(kU9BC3=-Q(t=tEvv&gLm;pKCly}qwx zVJU`AUyk34;fIr{{^E2{kGb>BH3M1Id*C3j&57bwLEn+iZ@Q?dD^dw-1tFlXZCM@^(hI-;F2H_{Q~HN=x=H0pPE zm8Brz9!q+*azmtx${D}DYKpLDF?_fBv&}tMqczo?GR2XLHn<6PYhDS2$5AYK{bTL> zcy~{q2$}(xp{G$cGI~-jZDO%a7-^7G5*g3$L3-T!s+{{*O{qUitt diff --git a/src/signer-protocol/build.gradle b/src/signer-protocol/build.gradle index 2378f7d711..0a4a5827ea 100644 --- a/src/signer-protocol/build.gradle +++ b/src/signer-protocol/build.gradle @@ -16,13 +16,6 @@ sourceSets { dependencies { implementation project(':common:common-util') api project(':common:common-rpc') - - intTestRuntimeOnly project(':signer') - intTestRuntimeOnly project(':addons:hwtoken') - intTestRuntimeOnly project(':common:common-util') - - intTestImplementation project(":common:common-test") - intTestImplementation project(":common:common-int-test") } protobuf { @@ -40,24 +33,3 @@ compileJava.dependsOn generateProto test { useJUnitPlatform() } - -tasks.register('intTest', Test) { - useJUnitPlatform() - - setDescription("Runs integration tests.") - group = 'verification' - - testClassesDirs = sourceSets.intTest.output.classesDirs - classpath = sourceSets.intTest.runtimeClasspath - - testLogging { - showStackTraces(true) - showExceptions(true) - showCauses(true) - showStandardStreams(true) - } -} - -tasks.named('check') { - dependsOn tasks.named('intTest') -} diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/conf.d/signer.ini b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/conf.d/signer.ini deleted file mode 100644 index e69de29bb2..0000000000 
diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml deleted file mode 100644 index b3d36ed74b..0000000000 --- a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml +++ /dev/null @@ -1,15 +0,0 @@ - - - CS - - https://cs:4001/managementservice/ - MIIDJTCCAg2gAwIBAgIUWITgfJuBX9pZlmadswBIhphOga0wDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIzMDUxMjEzMDg0OVoXDTQzMDUwNzEzMDg0OVowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw/tBnTkRPxhlzUyvIFhjxN+qfs/SYq8Aa2ot+SHH9fiqAaA2hhnTC5hE5EnJ11N7PNpBCrqYcBJtDALZR/ADBMcQ7AtidFUCLOZ8PR4JARWvmsD+s3KF/py2yxz5dSd46qHFYfTELLN9oDtmN6ELZLkFVcM1XaXw0TsxKUTI8QMNcj0Ajx7KdI96N7CJhC3pKYdFZQMYxFhD+COXVWuL/F0v6eX26UfygWde0LksHDiEfFQZM/y8EW5qU9NhT7+vUXg7a8J/f8rBi7OrviyNxJ3HMhEwfTqQ0xeMGFFHa9dR3+g50OUdq3tACw2kwKjdfhE44p9YBDFdicOEuhjjnQIDAQABo28wbTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwIC5DArBgNVHREEJDAihwSsEQAEgglsb2NhbGhvc3SCD2J1aWxka2l0c2FuZGJveDAdBgNVHQ4EFgQUDYs5YPb/R43FVL9tRqCCpkDbmwIwDQYJKoZIhvcNAQELBQADggEBACkHsE9UtVs++GnDvo49ihjj4WzX9Zbjk6n46+wp5K0hj86wHed5lfS6MNbSbA5LyzQronDGBo2xPtfpEqrY6h9+kudxCPTf0/aOJfjRVWorQMaWGqVQHf7bgXaRGR9qcAqA/Btcwlj7uShhQlYiRLRifsdUktKSYJEC2+qFHi9E4Y4QlOpRKelU/rEZSKpWK23MgPYVrVZPB3kk+FEz0F7LSDwTxM5yixAT4WkpKrpFS2eWomN8/8eycRdmLuPx/dTVBfMQb1aQnWC5KvybR01O5mJp5sGS7w5C8aW30qA0QQlK0puS7Ct5rNzzZpLMtd8GReZC8uKP2m3JXOfgSwI= - - CS - ORG - 2908758-4 - Management - - - 10 - diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml.metadata b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml.metadata deleted file mode 100644 index e4102000b5..0000000000 
--- a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/private-params.xml.metadata +++ /dev/null @@ -1 +0,0 @@ -{"contentIdentifier":"PRIVATE-PARAMETERS","instanceIdentifier":"cs","expirationDate":"2124-05-20T17:42:55Z"} diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml deleted file mode 100644 index 3a8d0fa041..0000000000 --- a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml +++ /dev/null 
@@ -1,106 +0,0 @@ - - - CS - - X-Road Test CA CN - - MIIFpzCCA4+gAwIBAgIUEbcXVQkWWEC88FwTg2ctua926BQwDQYJKoZIhvcNAQELBQAwWzELMAkGA1UEBhMCRkkxFDASBgNVBAoMC1gtUm9hZCBUZXN0MRowGAYDVQQLDBFYLVJvYWQgVGVzdCBDQSBPVTEaMBgGA1UEAwwRWC1Sb2FkIFRlc3QgQ0EgQ04wHhcNMjEwMzEwMDczNTU2WhcNNDEwMzA1MDczNTU2WjBbMQswCQYDVQQGEwJGSTEUMBIGA1UECgwLWC1Sb2FkIFRlc3QxGjAYBgNVBAsMEVgtUm9hZCBUZXN0IENBIE9VMRowGAYDVQQDDBFYLVJvYWQgVGVzdCBDQSBDTjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJJiNMU5G5Ufv6+N1iMkrlaD3PI3k11THgE/SJ2NcTJUD79CjIFYJtJrWLQS536FadtKgJ7ym3eYR0+PlU/mX6lxt1MIspLdTYTC1TRR/Cg533aJ+hJnG2IsE6or6Bl3hPstFH4caKyjpyBg0xPyQnKhEA89VY/bUdIQOJK0zgH3gsckxNlT/udyJ732CS2vZHyrWx6dZ6UAamyD0hwj6e8quU3vMrtTeHF3LqzlKxatlayWorkSj1uA4q6qfMiCZ3yKiFUU4MULV6h1x39YAoGIyj0+aMIbENWnIRY7E0KqGvVotMCpEQO8DUhJbixzzFVPuL6b+NVzLJu4tqtAao3s7SUElhQjmiPmTNCfs16NMnMpUkr9Pz6nnybqnNy7fA0g2l8tguQoec6AABodgtNDRvLX4j/OOmSutVYIS/FDCO+YG8/Xp8MbAV2o24X7rDhBFGM9yf0/i77yQ4BC/SFrNXlBCXP8E1v3O/w99SjVQvD6uQ4fsxWQFmGUQK+959pJ0R2YzSB4qRkpX1/yK1rt5LO+8pHQ1WM28W5BJNsisN2OarplszAleoGjBQAyAPO+8nO/5n5xcs0Dzw1NshWyH2kFDBS4xmp6N9KFhW7MQTmHlzCSQ0YTNmEnOi7W7n+gsxZVfiV8aA5lsABsFRQ+uL9z49FQyuidtfsyVB23AgMBAAGjYzBhMB0GA1UdDgQWBBTOdbt9k88MTU+r8w/+KsgVICpQnDAfBgNVHSMEGDAWgBTOdbt9k88MTU+r8w/+KsgVICpQnDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAUA07frwkTioAToWsW1LQWxGZ3s3uK06OmiAV13RFZf3YeIg+AF/sRpu6mfaPwZat0FQKz55NUk70HnJmlWjtkbtNemZFZhedyqbtEzce6e7uqkakaKUZUCnu4tDivUa6zOboYvFhjGNQ2A/C69SRztH5sYDALycUv/BB1o6sURknNqgbvoJmySHrONEQiEYWnnmHcIFOa+muvTrDwHfRB+if2zT2duLHCuy1aiBZM9koz7R00M/8/wXCIzliQFq1iUnckocWc2Lcrh+gJCjuMURAfWwH00Lk+n2lTBY66yRbCt0QEHYxSjXmf+6ACU9zg9m1Sg+xBMqZ8E2u9SumIUmcDHyWfFAbEb8bcl3drnxxE1LiZea9TsyamtGAUegg4PcjbSjtULWnX6h6ruva3s6+brnoJCrBf3nmmggFVWCkDF4RsVPw3PZS342gRsHMy2V7B4Qo2pglB0AiMu5iWHs6tw6iFojeYEBDysQxaLcJtKew7BPxR8ZQjLP1FYQkOPwsphPYHUC2f6z6k2bVf/N4QUqeFCqJSr+NeFUX35ZdZv5NK+oQTbEKftNEb2N/Kv3Gflkyc7DLEwhYJ7B9c+zsVT6fBlm14UlWoUiy63BrsSYwnq7j5HaFnAh6DocQ+7XMFy7UMTueK9MTHsaXlWg4909fZFN975Y+qJXFfBo= - - 
http://ca:8888 - 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 - - - ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider - - - X-Road Test TSA CN - http://ca:8899 - 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 - - - - ORG - Non-profit organisations - - 2908758-4 - TestOrg - - Management - - - - - COM - Private companies - - 1710128-9 - TestCom - - TestClient - - - - - GOV - Governmental organisations - - 0245437-2 - TestGov - - TestSaved - - - TestService - - - test-consumer - - - - id0 - SS0 -
ss0
- 5+C5Gr24Dh912x5haKGOyZuK2KI= - id1 - id7 -
- - id4 - SS1 -
ss1
- 03SfHhv+L5OJrJaod/sOZn6vp1c= - id5 - id6 - id3 - id1 -
- - security-server-owners - Security server owners - - CS - ORG - 2908758-4 - - - CS - GOV - 0245437-2 - - - - - COM - Private companies - - - GOV - Governmental organisations - - - ORG - Non-profit organisations - - 3600 - -
diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml.metadata b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml.metadata deleted file mode 100644 index 20014b1e9e..0000000000 --- a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/CS/shared-params.xml.metadata +++ /dev/null @@ -1 +0,0 @@ -{"contentIdentifier":"SHARED-PARAMETERS","instanceIdentifier":"cs","expirationDate":"2124-05-20T17:42:55Z"} diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/instance-identifier b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/instance-identifier deleted file mode 100644 index 3faedb7f9c..0000000000 --- a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/globalconf/instance-identifier +++ /dev/null @@ -1 +0,0 @@ -CS diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/keyconf.xml b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/keyconf.xml deleted file mode 100644 index ebe6f5804c..0000000000 --- a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/keyconf.xml +++ /dev/null @@ -1,2 +0,0 @@ - - diff --git a/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/softtoken/.gitkeep b/src/signer-protocol/src/intTest/resources/container-files/etc/xroad/signer/softtoken/.gitkeep deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/src/signer-protocol/src/intTest/resources/container-files/var/cache/xroad/.gitkeep b/src/signer-protocol/src/intTest/resources/container-files/var/cache/xroad/.gitkeep deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/src/signer/build.gradle b/src/signer/build.gradle index ad56097942..54afd20612 100644 --- a/src/signer/build.gradle +++ b/src/signer/build.gradle 
@@ -14,6 +14,11 @@ sourceSets { main { java.srcDirs = ['src/main/java', "${buildDir}/generated-sources"] } + intTest { + resources { + srcDir '../common/common-int-test/src/main/resources/' + } + } } dependencies { @@ -32,6 +37,12 @@ dependencies { testImplementation 'com.github.stefanbirkner:system-rules:1.19.0' testImplementation "org.mockito:mockito-core:$mockitoVersion" + + intTestRuntimeOnly project(':addons:hwtoken') + intTestRuntimeOnly project(':common:common-util') + intTestImplementation project(":common:common-test") + intTestImplementation project(":common:common-int-test") + xjc "org.glassfish.jaxb:jaxb-xjc:$jaxbVersion" xjc "org.glassfish.jaxb:jaxb-runtime:$jaxbVersion" } @@ -120,3 +131,24 @@ licenseMain.enabled = false licenseFormat.dependsOn licenseFormatJava licenseTest.dependsOn licenseTestJava + +tasks.register('intTest', Test) { + useJUnitPlatform() + + setDescription("Runs integration tests.") + group = 'verification' + + testClassesDirs = sourceSets.intTest.output.classesDirs + classpath = sourceSets.intTest.runtimeClasspath + + testLogging { + showStackTraces(true) + showExceptions(true) + showCauses(true) + showStandardStreams(true) + } +} + +tasks.named('check') { + dependsOn tasks.named('intTest') +} diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/SignerIntTest.java b/src/signer/src/intTest/java/org/niis/xroad/signer/test/SignerIntTest.java similarity index 100% rename from src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/SignerIntTest.java rename to src/signer/src/intTest/java/org/niis/xroad/signer/test/SignerIntTest.java diff --git a/src/signer/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java b/src/signer/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java new file mode 100644 index 0000000000..cee83314e2 --- /dev/null +++ b/src/signer/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java 
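Review bot: The new `intTest` task is made a dependency of `check` without any ordering against the unit tests, so a plain `check` may start the container-based suite before `test` has had a chance to fail fast. Adding `shouldRunAfter tasks.named('test')` inside the `tasks.register('intTest', Test)` block fixes the order without changing what runs. Separately, `showStandardStreams(true)` copies everything the tests and containers print into the build log; because this suite exercises signer token and key operations, confirm that nothing sensitive is printed before leaving it on in CI.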
@@ -0,0 +1,51 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ +package org.niis.xroad.signer.test.container; + +import com.nortal.test.testcontainers.configuration.TestableContainerProperties; +import com.nortal.test.testcontainers.configurator.TestContainerConfigurator; +import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.common.test.signer.container.BaseTestSignerSetup; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; + +@Slf4j +@Configuration +public class ContainerSetup extends BaseTestSignerSetup { + + @Bean + public TestContainerConfigurator testContainerConfigurator( + TestableContainerProperties testableContainerProperties) { + return super.testContainerConfigurator(testableContainerProperties); + } + + @Bean + public TestContainerConfigurator.TestContainerInitListener testContainerInitListener() { + return super.testContainerInitListener(true); + } + + +} diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/BaseSignerStepDefs.java b/src/signer/src/intTest/java/org/niis/xroad/signer/test/glue/BaseSignerStepDefs.java similarity index 100% rename from src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/BaseSignerStepDefs.java rename to src/signer/src/intTest/java/org/niis/xroad/signer/test/glue/BaseSignerStepDefs.java diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerParallelStepDefs.java b/src/signer/src/intTest/java/org/niis/xroad/signer/test/glue/SignerParallelStepDefs.java similarity index 100% rename from src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerParallelStepDefs.java rename to src/signer/src/intTest/java/org/niis/xroad/signer/test/glue/SignerParallelStepDefs.java 
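Review bot: `testContainerInitListener()` passes a bare `true` to `super.testContainerInitListener(...)`, and nothing in the class says what that flag turns on; `BaseTestSignerSetup` is not part of this hunk, so a reader cannot tell from here. A one-line comment above the call, e.g. `// true = <what the flag enables in BaseTestSignerSetup>`, or a named constant would make the bean self-explanatory. `@Slf4j` is declared but no `log` call appears in the class, so the annotation can be dropped. If `testContainerConfigurator(TestableContainerProperties)` overrides the parent method, as the `super` call suggests, it should carry `@Override`.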
diff --git a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java b/src/signer/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java similarity index 96% rename from src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java rename to src/signer/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java index 74e162a4ec..506b456b24 100644 --- a/src/signer-protocol/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java +++ b/src/signer/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java @@ -80,11 +80,9 @@ import static java.time.Instant.now; import static java.time.temporal.ChronoUnit.DAYS; import static java.util.UUID.randomUUID; -import static org.assertj.core.api.Assertions.assertThat; -import static org.assertj.core.api.Assertions.assertThatThrownBy; -import static org.assertj.core.api.Assertions.fail; -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.junit.jupiter.api.Assertions.assertTrue; +import static org.assertj.core.api.AssertionsForClassTypes.assertThatThrownBy; +import static org.assertj.core.api.AssertionsForInterfaceTypes.assertThat; + @Slf4j @SuppressWarnings("checkstyle:MagicNumber") @@ -456,7 +454,7 @@ public void getAuthKey(String securityServerId) throws Exception { public void getAuthKeyFail(String securityServerId) throws Exception { try { SignerProxy.getAuthKey(getSecurityServerId(securityServerId)); - fail("Exception expected"); + Assertions.fail("Exception expected"); } catch (CodedException codedException) { var errorServerId = securityServerId.replace(":", "/"); assertException("Signer.KeyNotFound", "auth_key_not_found_for_server", 
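Review bot: `getAuthKeyFail` keeps the try / `Assertions.fail("Exception expected")` / catch shape even though this same change statically imports `assertThatThrownBy`, which states the expectation in one statement and cannot pass silently if the `fail` line is ever dropped. The pattern recurs in the later hunks of this file (`setTokenNameFail`, `failOnDeleteCert`, `retrievingTokenInfoCanByNotExistingKeyFails`, `deletingCertRequestFails`, `signKeyFail`, `signAlgorithmFail`, `getKeyIdByHashFail`, `notExistingCertActivateFail`, `getMemberSigningInfoFail`). A possible form is `assertThatThrownBy(() -> SignerProxy.getAuthKey(getSecurityServerId(securityServerId))).isInstanceOf(CodedException.class)`, with the fault and translation codes checked in a following `satisfies(...)`. The import that resolves the class-qualified `Assertions` is not visible in the import hunk, and the method body continues past the end of this hunk.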
@@ -470,7 +468,7 @@ public void setTokenNameFail() throws Exception { String tokenId = randomUUID().toString(); try { SignerProxy.setTokenFriendlyName(tokenId, randomUUID().toString()); - fail("Exception expected"); + Assertions.fail("Exception expected"); } catch (CodedException codedException) { assertException("Signer.TokenNotFound", "token_not_found", "Signer.TokenNotFound: Token '" + tokenId + "' not found", codedException); @@ -482,7 +480,7 @@ public void failOnDeleteCert() throws Exception { String cerId = randomUUID().toString(); try { SignerProxy.deleteCert(cerId); - fail("Exception expected"); + Assertions.fail("Exception expected"); } catch (CodedException codedException) { assertException("Signer.CertNotFound", "cert_with_id_not_found", "Signer.CertNotFound: Certificate with id '" + cerId + "' not found", codedException); @@ -494,7 +492,7 @@ public void retrievingTokenInfoCanByNotExistingKeyFails() throws Exception { String keyId = randomUUID().toString(); try { SignerProxy.getTokenForKeyId(keyId); - fail("Exception expected"); + Assertions.fail("Exception expected"); } catch (CodedException codedException) { assertException("Signer.KeyNotFound", "key_not_found", "Signer.KeyNotFound: Key '" + keyId + "' not found", codedException); @@ -506,7 +504,7 @@ public void deletingCertRequestFails() throws Exception { String csrId = randomUUID().toString(); try { SignerProxy.deleteCertRequest(csrId); - fail("Exception expected"); + Assertions.fail("Exception expected"); } catch (CodedException codedException) { assertException("Signer.CsrNotFound", "csr_not_found", "Signer.CsrNotFound: Certificate request '" + csrId + "' not found", codedException); 
@@ -518,7 +516,7 @@ public void signKeyFail() throws Exception { String keyId = randomUUID().toString(); try { SignerProxy.sign(keyId, randomUUID().toString(), new byte[0]); - fail("Exception expected"); + Assertions.fail("Exception expected"); } catch (CodedException codedException) { assertException("Signer.KeyNotFound", "key_not_found", "Signer.KeyNotFound: Key '" + keyId + "' not found", codedException); @@ -531,7 +529,7 @@ public void signAlgorithmFail(String keyName, String friendlyName) throws Except final KeyInfo key = findKeyInToken(friendlyName, keyName); SignerProxy.sign(key.getId(), "NOT-ALGORITHM-ID", calculateDigest(SHA256_ID, "digest".getBytes(UTF_8))); - fail("Exception expected"); + Assertions.fail("Exception expected"); } catch (CodedException codedException) { assertException("Signer.CannotSign.InternalError", "", "Signer.CannotSign.InternalError: Unknown sign algorithm id: NOT-ALGORITHM-ID", codedException); @@ -543,7 +541,7 @@ public void getKeyIdByHashFail() throws Exception { String hash = randomUUID().toString(); try { SignerProxy.getKeyIdForCertHash(hash); - fail("Exception expected"); + Assertions.fail("Exception expected"); } catch (CodedException codedException) { assertException("Signer.CertNotFound", "certificate_with_hash_not_found", "Signer.CertNotFound: Certificate with hash '" + hash + "' not found", codedException); @@ -555,7 +553,7 @@ public void notExistingCertActivateFail() throws Exception { String certId = randomUUID().toString(); try { SignerProxy.activateCert(certId); - fail("Exception expected"); + Assertions.fail("Exception expected"); } catch (CodedException codedException) { assertException("Signer.CertNotFound", "cert_with_id_not_found", "Signer.CertNotFound: Certificate with id '" + certId + "' not found", codedException); 
@@ -566,7 +564,7 @@ public void notExistingCertActivateFail() throws Exception { public void getMemberSigningInfoFail(String client) throws Exception { try { SignerProxy.getMemberSigningInfo(getClientId(client)); - fail("Exception expected"); + Assertions.fail("Exception expected"); } catch (CodedException codedException) { assertException("Signer.InternalError", "member_has_no_suitable_certs", "Signer.InternalError: Member 'MEMBER:CS/test/member-1' has no suitable certificates", codedException); @@ -581,13 +579,13 @@ public void getMemberSigningInfo(String client) throws Exception { @Step("HSM is operational") public void hsmIsNotOperational() throws Exception { - assertTrue(SignerProxy.isHSMOperational()); + Assertions.assertTrue(SignerProxy.isHSMOperational()); } private void assertException(String faultCode, String translationCode, String message, CodedException codedException) { - assertEquals(faultCode, codedException.getFaultCode()); - assertEquals(translationCode, codedException.getTranslationCode()); - assertEquals(message, codedException.getMessage()); + Assertions.assertEquals(faultCode, codedException.getFaultCode()); + Assertions.assertEquals(translationCode, codedException.getTranslationCode()); + Assertions.assertEquals(message, codedException.getMessage()); } diff --git a/src/signer-protocol/src/intTest/resources/application-override.yml b/src/signer/src/intTest/resources/application-override.yml similarity index 89% rename from src/signer-protocol/src/intTest/resources/application-override.yml rename to src/signer/src/intTest/resources/application-override.yml index 648b79fe5f..c2baed7bad 100755 --- a/src/signer-protocol/src/intTest/resources/application-override.yml +++ b/src/signer/src/intTest/resources/application-override.yml 
@@ -24,12 +24,13 @@ test-automation: reuse-between-runs: ${reuse-between-runs} directory-mounts: - "/tmp/xroad/passwordstore/:build/container-passwordstore/" - - "/etc/xroad/signer/:build/resources/intTest/container-files/etc/xroad/signer/" + - "/etc/xroad/signer/:build/resources/intTest/signer-container-files/etc/xroad/signer/" context-containers: ca-server: enabled: true reuse-between-runs: ${reuse-between-runs} - + custom: + signer-container-enabled: true # toggle for reusable containers. This allows quicker test development as containers are not destroyed between runs. # WARNING: this leaves containers running indefinitely. They have to be stopped manually. # Note: this required testcontainers.reuse.enable=true property to be defined in your ~/.testcontainers.properties file diff --git a/src/signer-protocol/src/intTest/resources/behavior/0050-signer-general.feature b/src/signer/src/intTest/resources/behavior/0050-signer-general.feature similarity index 100% rename from src/signer-protocol/src/intTest/resources/behavior/0050-signer-general.feature rename to src/signer/src/intTest/resources/behavior/0050-signer-general.feature diff --git a/src/signer-protocol/src/intTest/resources/behavior/0100-signer-software-token.feature b/src/signer/src/intTest/resources/behavior/0100-signer-software-token.feature similarity index 100% rename from src/signer-protocol/src/intTest/resources/behavior/0100-signer-software-token.feature rename to src/signer/src/intTest/resources/behavior/0100-signer-software-token.feature diff --git a/src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature b/src/signer/src/intTest/resources/behavior/0200-signer-hardware-token.feature similarity index 100% rename from src/signer-protocol/src/intTest/resources/behavior/0200-signer-hardware-token.feature rename to src/signer/src/intTest/resources/behavior/0200-signer-hardware-token.feature 
diff --git a/src/signer-protocol/src/intTest/resources/behavior/0300-signer-parallel-actions.feature b/src/signer/src/intTest/resources/behavior/0300-signer-parallel-actions.feature similarity index 100% rename from src/signer-protocol/src/intTest/resources/behavior/0300-signer-parallel-actions.feature rename to src/signer/src/intTest/resources/behavior/0300-signer-parallel-actions.feature diff --git a/src/signer-protocol/src/intTest/resources/cert-01.pem b/src/signer/src/intTest/resources/cert-01.pem similarity index 100% rename from src/signer-protocol/src/intTest/resources/cert-01.pem rename to src/signer/src/intTest/resources/cert-01.pem From 7d596e7990b16db7b1becd0678a78458f2a3339f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Thu, 14 Sep 2023 15:25:07 +0300 Subject: [PATCH 076/127] chore: fix grpc todos Refs: XRDDEV-2468 --- .../restapi/util/CertificateTestUtils.java | 2 +- .../java/ee/ria/xroad/signer/SignerProxy.java | 6 +++--- .../signer/protocol/dto/CertRequestInfo.java | 2 +- .../signer/protocol/dto/CertificateInfo.java | 2 +- .../protocol/{ => mapper}/ClientIdMapper.java | 5 ++--- .../{ => mapper}/SecurityServerIdMapper.java | 17 ++++++++++------- .../java/ee/ria/xroad/signer/model/Cert.java | 2 +- .../ee/ria/xroad/signer/model/CertRequest.java | 2 +- .../handler/GenerateCertReqReqHandler.java | 2 +- .../GenerateSelfSignedCertReqHandler.java | 2 +- .../protocol/handler/GetAuthKeyReqHandler.java | 5 ++--- .../handler/GetMemberCertsReqHandler.java | 2 +- .../handler/GetMemberSigningInfoReqHandler.java | 2 +- .../protocol/handler/ImportCertReqHandler.java | 2 +- .../handler/RegenerateCertReqReqHandler.java | 2 +- 15 files changed, 28 insertions(+), 27 deletions(-) rename src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/{ => mapper}/ClientIdMapper.java (96%) rename src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/{ => mapper}/SecurityServerIdMapper.java (81%) 
diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/CertificateTestUtils.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/CertificateTestUtils.java index 0ca9655b14..54a357cf85 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/CertificateTestUtils.java +++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/CertificateTestUtils.java @@ -29,7 +29,7 @@ import ee.ria.xroad.common.TestCertUtil; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.util.CryptoUtils; -import ee.ria.xroad.signer.protocol.ClientIdMapper; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; import ee.ria.xroad.signer.protocol.dto.CertRequestInfoProto; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java index 25fc8bfe17..cb49e43d6f 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java @@ -28,9 +28,9 @@ import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.identifier.SecurityServerId; import ee.ria.xroad.common.util.PasswordStore; -import ee.ria.xroad.signer.protocol.ClientIdMapper; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.protocol.RpcSignerClient; -import ee.ria.xroad.signer.protocol.SecurityServerIdMapper; +import ee.ria.xroad.signer.protocol.mapper.SecurityServerIdMapper; import ee.ria.xroad.signer.protocol.dto.AuthKeyInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; 
@@ -172,7 +172,7 @@ public static void updateTokenPin(String tokenId, char[] oldPin, char[] newPin) RpcSignerClient.execute(ctx -> ctx.blockingTokenService .updateSoftwareTokenPin(UpdateSoftwareTokenPinReq.newBuilder() .setTokenId(tokenId) - .setOldPin(new String(oldPin))//TODO grpc its not great that we're doing this transformation + .setOldPin(new String(oldPin)) .setNewPin(new String(newPin)) .build())); } diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java index 3921e62b69..aeeb47bb7d 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java @@ -26,7 +26,7 @@ package ee.ria.xroad.signer.protocol.dto; import ee.ria.xroad.common.identifier.ClientId; -import ee.ria.xroad.signer.protocol.ClientIdMapper; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import com.fasterxml.jackson.annotation.JsonIgnore; import lombok.ToString; diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java index c041d2251f..62bfbe9e50 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java @@ -26,7 +26,7 @@ package ee.ria.xroad.signer.protocol.dto; import ee.ria.xroad.common.identifier.ClientId; -import ee.ria.xroad.signer.protocol.ClientIdMapper; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import com.fasterxml.jackson.annotation.JsonIgnore; import lombok.ToString; 
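Review bot: `updateTokenPin` still copies both PINs into immutable `String` objects through `new String(oldPin)` and `new String(newPin)`, and this hunk deletes the only comment that recorded the concern without changing the code. A `String` cannot be cleared after use, so taking `char[]` parameters no longer gives the caller any control over how long the PIN stays in heap memory. Unless the request message is changed to carry the PIN in a form that can be wiped, keep a note in place of the removed TODO, for example `// PIN is copied into immutable Strings for the RPC message and cannot be zeroed afterwards`. The method signature appears only in the hunk header, so anything between it and the first shown statement is outside this hunk.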
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/mapper/ClientIdMapper.java similarity index 96% rename from src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java rename to src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/mapper/ClientIdMapper.java index 3364da81c6..0e32aab4c8 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ClientIdMapper.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/mapper/ClientIdMapper.java @@ -23,7 +23,7 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ -package ee.ria.xroad.signer.protocol; +package ee.ria.xroad.signer.protocol.mapper; import ee.ria.xroad.common.identifier.ClientId; @@ -33,7 +33,7 @@ import org.niis.xroad.signer.protocol.dto.XRoadObjectType; @NoArgsConstructor(access = AccessLevel.PRIVATE) -public class ClientIdMapper { +public final class ClientIdMapper { public static ClientId.Conf fromDto(ClientIdProto clientIdProto) { if (clientIdProto.hasSubsystemCode()) { @@ -48,7 +48,6 @@ public static ClientId.Conf fromDto(ClientIdProto clientIdProto) { } } - //TODO grpc move to a separate place. public static ClientIdProto toDto(ClientId input) { var builder = ClientIdProto.newBuilder() .setMemberClass(input.getMemberClass()) diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SecurityServerIdMapper.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/mapper/SecurityServerIdMapper.java similarity index 81% rename from src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SecurityServerIdMapper.java rename to src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/mapper/SecurityServerIdMapper.java index e966b7881e..c1d36099e4 100644 
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/SecurityServerIdMapper.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/mapper/SecurityServerIdMapper.java @@ -23,24 +23,27 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ -package ee.ria.xroad.signer.protocol; +package ee.ria.xroad.signer.protocol.mapper; import ee.ria.xroad.common.identifier.SecurityServerId; +import lombok.AccessLevel; +import lombok.NoArgsConstructor; import org.niis.xroad.signer.protocol.dto.SecurityServerIdProto; import org.niis.xroad.signer.protocol.dto.XRoadObjectType; +@NoArgsConstructor(access = AccessLevel.PRIVATE) public final class SecurityServerIdMapper { - private SecurityServerIdMapper() { - } - - public static SecurityServerId.Conf fromDto(SecurityServerIdProto input) { - return SecurityServerId.Conf.create(input.getXroadInstance(), input.getMemberClass(), input.getMemberCode(), + public static SecurityServerId.Conf fromDto(final SecurityServerIdProto input) { + return SecurityServerId.Conf.create( + input.getXroadInstance(), + input.getMemberClass(), + input.getMemberCode(), input.getServerCode()); } - public static SecurityServerIdProto toDto(SecurityServerId input) { + public static SecurityServerIdProto toDto(final SecurityServerId input) { return SecurityServerIdProto.newBuilder() .setMemberClass(input.getMemberClass()) .setMemberCode(input.getMemberCode()) diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java b/src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java index c599adf207..513be17539 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java 
@@ -26,7 +26,7 @@ package ee.ria.xroad.signer.model; import ee.ria.xroad.common.identifier.ClientId; -import ee.ria.xroad.signer.protocol.ClientIdMapper; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfoProto; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/model/CertRequest.java b/src/signer/src/main/java/ee/ria/xroad/signer/model/CertRequest.java index 09a3521420..768c3620fc 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/model/CertRequest.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/model/CertRequest.java @@ -26,7 +26,7 @@ package ee.ria.xroad.signer.model; import ee.ria.xroad.common.identifier.ClientId; -import ee.ria.xroad.signer.protocol.ClientIdMapper; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; import ee.ria.xroad.signer.protocol.dto.CertRequestInfoProto; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertReqReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertReqReqHandler.java index c56ce58ac9..afb04e6ac7 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertReqReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertReqReqHandler.java @@ -26,7 +26,7 @@ package ee.ria.xroad.signer.protocol.handler; import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.protocol.ClientIdMapper; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenType; 
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java index abd0256dbc..0b064d7dd3 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java @@ -28,7 +28,7 @@ import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.util.CryptoUtils; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; -import ee.ria.xroad.signer.protocol.ClientIdMapper; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.tokenmanager.TokenManager; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyReqHandler.java index 71f4556e73..7926e220a9 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyReqHandler.java @@ -34,7 +34,7 @@ import ee.ria.xroad.common.util.CertUtils; import ee.ria.xroad.common.util.PasswordStore; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; -import ee.ria.xroad.signer.protocol.SecurityServerIdMapper; +import ee.ria.xroad.signer.protocol.mapper.SecurityServerIdMapper; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; 
@@ -69,8 +69,7 @@ public class GetAuthKeyReqHandler @Override protected AuthKeyInfoProto handle(GetAuthKeyReq request) throws Exception { var securityServer = SecurityServerIdMapper.fromDto(request.getSecurityServer()); - log.trace("Selecting authentication key for security server {}", - securityServer); + log.trace("Selecting authentication key for security server {}", securityServer); validateToken(); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsReqHandler.java index fd5141f1f0..f3b5cf5914 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsReqHandler.java @@ -27,7 +27,7 @@ import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; -import ee.ria.xroad.signer.protocol.ClientIdMapper; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfoProto; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoReqHandler.java index 85aea0d72e..c663fad5cb 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoReqHandler.java 
@@ -32,7 +32,7 @@ import ee.ria.xroad.common.ocsp.OcspVerifier; import ee.ria.xroad.common.ocsp.OcspVerifierOptions; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; -import ee.ria.xroad.signer.protocol.ClientIdMapper; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.tokenmanager.TokenManager; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java index 9958a60a92..29cd27242f 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java @@ -33,7 +33,7 @@ import ee.ria.xroad.common.util.CertUtils; import ee.ria.xroad.signer.certmanager.OcspResponseManager; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; -import ee.ria.xroad.signer.protocol.ClientIdMapper; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertReqReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertReqReqHandler.java index d9881ec6d6..ce1c1c0e85 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertReqReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertReqReqHandler.java 
@@ -26,7 +26,7 @@ package ee.ria.xroad.signer.protocol.handler; import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.protocol.ClientIdMapper; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; From 82d4aeb9f67ae8ad68a40cb003c074b62ddbbeff Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Fri, 15 Sep 2023 08:31:43 +0300 Subject: [PATCH 077/127] chore: checkstyle fixes Refs: XRDDEV-2468 --- src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java | 2 +- .../src/main/java/ee/ria/xroad/signer/model/CertRequest.java | 2 +- .../signer/protocol/handler/GenerateCertReqReqHandler.java | 2 +- .../protocol/handler/GenerateSelfSignedCertReqHandler.java | 2 +- .../ria/xroad/signer/protocol/handler/GetAuthKeyReqHandler.java | 2 +- .../xroad/signer/protocol/handler/GetMemberCertsReqHandler.java | 2 +- .../signer/protocol/handler/GetMemberSigningInfoReqHandler.java | 2 +- .../ria/xroad/signer/protocol/handler/ImportCertReqHandler.java | 2 +- .../signer/protocol/handler/RegenerateCertReqReqHandler.java | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java b/src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java index 513be17539..18be05ae67 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/model/Cert.java @@ -26,9 +26,9 @@ package ee.ria.xroad.signer.model; import ee.ria.xroad.common.identifier.ClientId; -import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfoProto; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import com.google.protobuf.ByteString; import lombok.AccessLevel; 
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/model/CertRequest.java b/src/signer/src/main/java/ee/ria/xroad/signer/model/CertRequest.java index 768c3620fc..c956d5e596 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/model/CertRequest.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/model/CertRequest.java @@ -26,9 +26,9 @@ package ee.ria.xroad.signer.model; import ee.ria.xroad.common.identifier.ClientId; -import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; import ee.ria.xroad.signer.protocol.dto.CertRequestInfoProto; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import lombok.Value; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertReqReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertReqReqHandler.java index afb04e6ac7..8ace492aab 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertReqReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertReqReqHandler.java @@ -26,8 +26,8 @@ package ee.ria.xroad.signer.protocol.handler; import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenType; import ee.ria.xroad.signer.util.TokenAndKey; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java index 0b064d7dd3..dfc5812eef 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java 
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java @@ -28,9 +28,9 @@ import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.util.CryptoUtils; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; -import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.util.TokenAndKey; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyReqHandler.java index 7926e220a9..b6c807a04e 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyReqHandler.java @@ -34,10 +34,10 @@ import ee.ria.xroad.common.util.CertUtils; import ee.ria.xroad.common.util.PasswordStore; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; -import ee.ria.xroad.signer.protocol.mapper.SecurityServerIdMapper; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; +import ee.ria.xroad.signer.protocol.mapper.SecurityServerIdMapper; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.tokenmanager.module.SoftwareModuleType; import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenType; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsReqHandler.java index f3b5cf5914..a0d823e170 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsReqHandler.java 
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberCertsReqHandler.java @@ -27,10 +27,10 @@ import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; -import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfoProto; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.tokenmanager.TokenManager; import org.niis.xroad.signer.proto.GetMemberCertsReq; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoReqHandler.java index c663fad5cb..38be9baf1e 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetMemberSigningInfoReqHandler.java @@ -32,9 +32,9 @@ import ee.ria.xroad.common.ocsp.OcspVerifier; import ee.ria.xroad.common.ocsp.OcspVerifierOptions; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; -import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.tokenmanager.TokenManager; import lombok.Data; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java index 29cd27242f..0767ac47ce 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java 
@@ -33,12 +33,12 @@ import ee.ria.xroad.common.util.CertUtils; import ee.ria.xroad.signer.certmanager.OcspResponseManager; import ee.ria.xroad.signer.protocol.AbstractRpcHandler; -import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.util.SignerUtil; diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertReqReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertReqReqHandler.java index ce1c1c0e85..f0b950d2ec 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertReqReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertReqReqHandler.java @@ -26,11 +26,11 @@ package ee.ria.xroad.signer.protocol.handler; import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyId; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.tokenmanager.TokenManager; import ee.ria.xroad.signer.tokenmanager.token.SoftwareTokenType; import ee.ria.xroad.signer.util.TokenAndKey; From b91c52fcb9044a8c55294ad0fd1afe0d84164971 Mon Sep 17 00:00:00 2001 
From: Justas Samuolis Date: Fri, 15 Sep 2023 09:27:52 +0300 Subject: [PATCH 078/127] chore: grpc env env variables Refs: XRDDEV-2468 --- .../ee/ria/xroad/common/SystemProperties.java | 12 ++++-- .../usr/share/xroad/scripts/xroad-base.sh | 4 +- .../ui/CsAdminServiceTestConfiguration.java | 37 ------------------- 3 files changed, 10 insertions(+), 43 deletions(-) delete mode 100644 src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/CsAdminServiceTestConfiguration.java diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java index d11455ecc7..fe7da00058 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java @@ -645,6 +645,8 @@ public enum AllowedFederationMode { ALL, NONE, CUSTOM } */ public static final String GRPC_INTERNAL_KEYSTORE_PASSWORD = PREFIX + "grpc.internal.keystore-password"; + public static final String GRPC_INTERNAL_KEYSTORE_PASSWORD_ENV = + GRPC_INTERNAL_KEYSTORE_PASSWORD.toUpperCase().replaceAll("[.-]", "_"); /** * Property name for gRPC internal truststore location. @@ -657,6 +659,8 @@ public enum AllowedFederationMode { ALL, NONE, CUSTOM } */ public static final String GRPC_INTERNAL_TRUSTSTORE_PASSWORD = PREFIX + "grpc.internal.truststore-password"; + public static final String GRPC_INTERNAL_TRUSTSTORE_PASSWORD_ENV = + GRPC_INTERNAL_TRUSTSTORE_PASSWORD.toUpperCase().replaceAll("[.-]", "_"); // Cluster node configuration ------------------------------------------ // /** 
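Review bot: `GRPC_INTERNAL_KEYSTORE_PASSWORD.toUpperCase()` in SystemProperties.java uses the JVM default locale, so under a Turkish locale the `i` in `internal` upper-cases to a dotted `İ` and the derived name no longer matches the `XROAD_GRPC_INTERNAL_KEYSTORE_PASSWORD` that xroad-base.sh writes. The lookup would then find no password without any error pointing at the cause. The truststore constant in the following hunk has the same call; both should use `toUpperCase(Locale.ROOT)`, which needs `java.util.Locale` in the import block outside these hunks. The two new constants also lack the Javadoc their neighbours have; `/** Environment variable consulted when the system property is not set. */` would fit the file's style.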
@@ -1718,27 +1722,27 @@ public static int getGrpcSignerPort() { * @return gRPC internal key store path. Uses JKS format. */ public static String getGrpcInternalKeyStore() { - return System.getProperty(GRPC_INTERNAL_KEYSTORE, "var/run/xroad/xroad-grpc-internal-keystore.jks"); + return System.getProperty(GRPC_INTERNAL_KEYSTORE, "/var/run/xroad/xroad-grpc-internal-keystore.p12"); } /** * @return gRPC internal key store password. */ public static String getGrpcInternalKeyStorePassword() { - return System.getProperty(GRPC_INTERNAL_KEYSTORE_PASSWORD, ""); + return System.getProperty(GRPC_INTERNAL_KEYSTORE_PASSWORD, System.getenv().get(GRPC_INTERNAL_KEYSTORE_PASSWORD_ENV)); } /** * @return gRPC internal trust store path. Uses JKS format. */ public static String getGrpcInternalTrustStore() { - return System.getProperty(GRPC_INTERNAL_TRUSTSTORE, "var/run/xroad/xroad-grpc-internal-truststore.jks"); + return System.getProperty(GRPC_INTERNAL_TRUSTSTORE, "/var/run/xroad/xroad-grpc-internal-keystore.p12"); } /** * @return gRPC internal trust store path password. */ public static String getGrpcInternalTruststorePassword() { - return System.getProperty(GRPC_INTERNAL_TRUSTSTORE_PASSWORD, ""); + return System.getProperty(GRPC_INTERNAL_TRUSTSTORE_PASSWORD, System.getenv().get(GRPC_INTERNAL_TRUSTSTORE_PASSWORD_ENV)); } } diff --git a/src/packages/src/xroad/common/base/usr/share/xroad/scripts/xroad-base.sh b/src/packages/src/xroad/common/base/usr/share/xroad/scripts/xroad-base.sh index 3058545b8e..1c4efa5deb 100755 --- a/src/packages/src/xroad/common/base/usr/share/xroad/scripts/xroad-base.sh +++ b/src/packages/src/xroad/common/base/usr/share/xroad/scripts/xroad-base.sh 
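Review bot: `getGrpcInternalKeyStorePassword()` and `getGrpcInternalTruststorePassword()` now return `null` instead of `""` when neither the system property nor the environment variable is set, because `System.getenv().get(...)` is passed straight through as the default. The callers are outside this hunk; any that call `toCharArray()` on the result would fail with a NullPointerException instead of a clear configuration error, so fail explicitly, e.g. `Objects.requireNonNull(password, "gRPC internal keystore password is not configured")`. The Javadoc still says "Uses JKS format" although both defaults now end in `.p12`. `getGrpcInternalTrustStore()` also defaults to the keystore file name; if sharing one PKCS#12 file is intended, the Javadoc should say so.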
@@ -35,8 +35,8 @@ XROAD_COMMON_AKKA_KEYSTORE="$keystore" XROAD_COMMON_AKKA_KEYSTORE_PASSWORD="$keystore_pw" XROAD_COMMON_AKKA_TRUSTSTORE="$keystore" XROAD_COMMON_AKKA_TRUSTSTORE_PASSWORD="$keystore_pw" -xroad.grpc.internal.keystore-password="$keystore_pw" -xroad.grpc.internal.truststore-password="$keystore_pw" +XROAD_GRPC_INTERNAL_KEYSTORE_PASSWORD="$keystore_pw" +XROAD_GRPC_INTERNAL_TRUSTSTORE_PASSWORD="$keystore_pw" EOF chown xroad:xroad "$env_file" diff --git a/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/CsAdminServiceTestConfiguration.java b/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/CsAdminServiceTestConfiguration.java deleted file mode 100644 index fa1b85da23..0000000000 --- a/src/security-server/admin-service/ui-system-test/src/intTest/java/org/niis/xroad/ss/test/ui/CsAdminServiceTestConfiguration.java +++ /dev/null 
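Review bot: The heredoc in xroad-base.sh writes the keystore password in clear text into `$env_file`, and the only protection visible in this hunk is `chown xroad:xroad "$env_file"`. If the file mode is not already restricted where the file is created (outside the hunk), add a mode that excludes other users, e.g. `chmod 0640 "$env_file"`. The two new names must stay identical to what SystemProperties derives for its `_ENV` constants, so a comment above the heredoc such as `# variable names must match SystemProperties.GRPC_INTERNAL_*_PASSWORD_ENV` would keep the coupling visible.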
@@ -1,37 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package org.niis.xroad.ss.test.ui; - -import org.springframework.cloud.openfeign.EnableFeignClients; -import org.springframework.context.annotation.Configuration; - -@Configuration -@EnableFeignClients(basePackages = { - "org.niis.xroad.common.test", - "org.niis.xroad.ss.test.ui.api" -}) -public class CsAdminServiceTestConfiguration { -} From b95fe554a7cd1f480c4e48f5b84672ebc8e0437b Mon Sep 17 00:00:00 2001 
From: Justas Samuolis Date: Mon, 18 Sep 2023 09:39:47 +0300 Subject: [PATCH 079/127] chore: handling null member_id field Refs: XRDDEV-2468 --- .../java/ee/ria/xroad/signer/SignerProxy.java | 36 +++++++++++-------- .../signer/protocol/dto/AuthKeyInfo.java | 2 +- .../signer/protocol/dto/CertRequestInfo.java | 13 ++++--- .../src/main/proto/certificate_service.proto | 6 ++-- .../src/main/proto/tokens.proto | 2 +- .../ria/xroad/signer/model/CertRequest.java | 10 +++--- .../handler/GenerateCertReqReqHandler.java | 2 +- .../handler/ImportCertReqHandler.java | 4 +-- .../handler/RegenerateCertReqReqHandler.java | 9 ++--- 9 files changed, 48 insertions(+), 36 deletions(-) diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java index cb49e43d6f..11cd983494 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java @@ -28,15 +28,15 @@ import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.identifier.SecurityServerId; import ee.ria.xroad.common.util.PasswordStore; -import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.protocol.RpcSignerClient; -import ee.ria.xroad.signer.protocol.mapper.SecurityServerIdMapper; import ee.ria.xroad.signer.protocol.dto.AuthKeyInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyId; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; +import ee.ria.xroad.signer.protocol.mapper.SecurityServerIdMapper; import com.google.protobuf.ByteString; import lombok.AccessLevel; 
@@ -86,6 +86,7 @@ import java.util.stream.Collectors; import static java.util.Arrays.asList; +import static java.util.Optional.ofNullable; /** * Responsible for managing cryptographic tokens (smartcards, HSMs, etc.) through the signer. @@ -298,12 +299,13 @@ public static byte[] generateSelfSignedCert(String keyId, ClientId.Conf memberId public static String importCert(byte[] certBytes, String initialStatus, ClientId.Conf clientId) throws Exception { log.trace("Importing cert from file with length of '{}' bytes", certBytes.length); + final ImportCertReq.Builder builder = ImportCertReq.newBuilder() + .setCertData(ByteString.copyFrom(certBytes)) + .setInitialStatus(initialStatus); + ofNullable(clientId).map(ClientIdMapper::toDto).ifPresent(builder::setMemberId); + var response = RpcSignerClient.execute(ctx -> ctx.blockingCertificateService - .importCert(ImportCertReq.newBuilder() - .setCertData(ByteString.copyFrom(certBytes)) - .setInitialStatus(initialStatus) - .setMemberId(ClientIdMapper.toDto(clientId)) - .build())); + .importCert(builder.build())); log.trace("Cert imported successfully, keyId received: {}", response.getKeyId()); @@ -357,14 +359,18 @@ public static GeneratedCertRequestInfo generateCertRequest(String keyId, ClientI KeyUsageInfo keyUsage, String subjectName, CertificateRequestFormat format) throws Exception { + var reqBuilder = GenerateCertRequestReq.newBuilder() + .setKeyId(keyId) + .setKeyUsage(keyUsage) + .setSubjectName(subjectName) + .setFormat(format); + + ofNullable(memberId) + .map(ClientIdMapper::toDto) + .ifPresent(reqBuilder::setMemberId); + var response = RpcSignerClient.execute(ctx -> ctx.blockingCertificateService - .generateCertRequest(GenerateCertRequestReq.newBuilder() - .setKeyId(keyId) - .setMemberId(ClientIdMapper.toDto(memberId)) - .setKeyUsage(keyUsage) - .setSubjectName(subjectName) - .setFormat(format) - .build())); + .generateCertRequest(reqBuilder.build())); byte[] certRequestBytes = response.getCertRequest().toByteArray(); 
@@ -401,7 +407,7 @@ public static GeneratedCertRequestInfo regenerateCertRequest(String certRequestI response.getCertReqId(), response.getCertRequest().toByteArray(), response.getFormat(), - ClientIdMapper.fromDto(response.getMemberId()), + response.hasMemberId() ? ClientIdMapper.fromDto(response.getMemberId()) : null, response.getKeyUsage()); } diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/AuthKeyInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/AuthKeyInfo.java index 0faf6ab448..f0d9cf8147 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/AuthKeyInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/AuthKeyInfo.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java index aeeb47bb7d..60b2dbcbf7 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertRequestInfo.java @@ -1,20 +1,20 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

+ * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - *

+ * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - *

+ * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE @@ -51,7 +51,10 @@ public String getId() { @ToString.Include public ClientId getMemberId() { - return ClientIdMapper.fromDto(message.getMemberId()); + if (message.hasMemberId()) { + return ClientIdMapper.fromDto(message.getMemberId()); + } + return null; } @ToString.Include diff --git a/src/signer-protocol/src/main/proto/certificate_service.proto b/src/signer-protocol/src/main/proto/certificate_service.proto index 1e1592e7fa..979df04706 100644 --- a/src/signer-protocol/src/main/proto/certificate_service.proto +++ b/src/signer-protocol/src/main/proto/certificate_service.proto @@ -90,7 +90,7 @@ message RegenerateCertRequestResp { string cert_req_id = 1; bytes cert_request = 2; CertificateRequestFormat format = 3; - ClientIdProto member_id = 4; + optional ClientIdProto member_id = 4; KeyUsageInfo key_usage = 5; } @@ -112,7 +112,7 @@ message DeleteCertRequestReq { message ImportCertReq { bytes cert_data = 1; string initial_status = 2; - ClientIdProto member_id = 3; + optional ClientIdProto member_id = 3; } message ImportCertResp { @@ -134,7 +134,7 @@ message GenerateSelfSignedCertResp { message GenerateCertRequestReq { string key_id = 1; - ClientIdProto member_id = 2; + optional ClientIdProto member_id = 2; KeyUsageInfo key_usage = 3; string subject_name = 4; CertificateRequestFormat format = 5; diff --git a/src/signer-protocol/src/main/proto/tokens.proto b/src/signer-protocol/src/main/proto/tokens.proto index 3747f2c7a7..805df7ad43 100644 --- a/src/signer-protocol/src/main/proto/tokens.proto +++ b/src/signer-protocol/src/main/proto/tokens.proto 
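Review bot: `CertRequestInfo.getMemberId()` now returns `null` when the message has no `member_id`, but nothing on the method tells callers that. The callers are outside this hunk, so whether they dereference the result cannot be checked here. Add Javadoc on the getter, e.g. `/** @return the member id, or {@code null} when the request is not bound to a member */`. If the project uses a `@Nullable` annotation, put it on the return type as well.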
@@ -76,7 +76,7 @@ message CertificateInfoProto { message CertRequestInfoProto { string id = 1; - ClientIdProto member_id = 2; + optional ClientIdProto member_id = 2; string subject_name = 3; // Add other fields as needed } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/model/CertRequest.java b/src/signer/src/main/java/ee/ria/xroad/signer/model/CertRequest.java index c956d5e596..c01b4e6969 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/model/CertRequest.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/model/CertRequest.java @@ -32,6 +32,8 @@ import lombok.Value; +import static java.util.Optional.ofNullable; + /** * Model object representing the certificate request. */ @@ -50,11 +52,11 @@ public class CertRequest { * @return the value object */ public CertRequestInfoProto toProtoDTO() { - return CertRequestInfoProto.newBuilder() + final CertRequestInfoProto.Builder builder = CertRequestInfoProto.newBuilder() .setId(id) - .setMemberId(ClientIdMapper.toDto(memberId)) - .setSubjectName(subjectName) - .build(); + .setSubjectName(subjectName); + ofNullable(memberId).map(ClientIdMapper::toDto).ifPresent(builder::setMemberId); + return builder.build(); } /** diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertReqReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertReqReqHandler.java index 8ace492aab..500bc5c9b2 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertReqReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateCertReqReqHandler.java 
@@ -67,7 +67,7 @@ protected GenerateCertRequestResp handle(GenerateCertRequestReq request) throws PKCS10CertificationRequest generatedRequest = buildSignedCertRequest(tokenAndKey, request.getSubjectName()); String certReqId = TokenManager.addCertRequest(tokenAndKey.getKeyId(), - ClientIdMapper.fromDto(request.getMemberId()), + request.hasMemberId() ? ClientIdMapper.fromDto(request.getMemberId()) : null, request.getSubjectName(), request.getKeyUsage()); return GenerateCertRequestResp.newBuilder() diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java index 0767ac47ce..2f021ab5bd 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/ImportCertReqHandler.java @@ -83,7 +83,7 @@ protected ImportCertResp handle(ImportCertReq request) throws Exception { } String keyId = importCertificate(cert, request.getInitialStatus(), - ClientIdMapper.fromDto(request.getMemberId())); + request.hasMemberId() ? ClientIdMapper.fromDto(request.getMemberId()) : null); return ImportCertResp.newBuilder() .setKeyId(keyId) @@ -91,7 +91,7 @@ protected ImportCertResp handle(ImportCertReq request) throws Exception { } public String importCertificate(X509Certificate cert, - String initialStatus, ClientId.Conf memberId) throws Exception { + String initialStatus, ClientId.Conf memberId) throws Exception { String publicKey = encodeBase64(cert.getPublicKey().getEncoded()); // Find the key based on the public key of the cert diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertReqReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertReqReqHandler.java index f0b950d2ec..25a4bf585f 100644 
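Review bot: With `member_id` optional, `handle()` in GenerateCertReqReqHandler passes `null` to `TokenManager.addCertRequest` for any key usage whenever the client omits the field. If a member is required for signing keys (not visible here), reject that combination before storing the request: `if (request.getKeyUsage() == KeyUsageInfo.SIGNING && !request.hasMemberId())` followed by a `CodedException` with the project's invalid-request code. The same question applies to `ImportCertReqHandler.handle()` in the next file section. The body of `importCertificate` lies outside that hunk and may already perform this check.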
--- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertReqReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/RegenerateCertReqReqHandler.java @@ -45,6 +45,7 @@ import static ee.ria.xroad.common.ErrorCodes.X_CSR_NOT_FOUND; import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; import static ee.ria.xroad.signer.util.ExceptionHelper.keyNotAvailable; +import static java.util.Optional.ofNullable; /** * Handles certificate request re-generations. @@ -79,13 +80,13 @@ protected RegenerateCertRequestResp handle(RegenerateCertRequestReq message) thr PKCS10CertificationRequest generatedRequest = buildSignedCertRequest(tokenAndKey, subjectName); - return RegenerateCertRequestResp.newBuilder() + final RegenerateCertRequestResp.Builder builder = RegenerateCertRequestResp.newBuilder() .setCertReqId(message.getCertRequestId()) .setCertRequest(ByteString.copyFrom(convert(generatedRequest, message.getFormat()))) .setFormat(message.getFormat()) - .setMemberId(ClientIdMapper.toDto(certRequestInfo.getMemberId())) - .setKeyUsage(tokenAndKey.getKey().getUsage()) - .build(); + .setKeyUsage(tokenAndKey.getKey().getUsage()); + ofNullable(certRequestInfo.getMemberId()).map(ClientIdMapper::toDto).ifPresent(builder::setMemberId); + return builder.build(); } private TokenAndKey findTokenAndKeyForCsrId(String certRequestId) { From 728fd75e939add4b21c87afb0d123b01c54d4a32 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Mon, 18 Sep 2023 13:17:08 +0300 Subject: [PATCH 080/127] chore: using grpc client interceptor for timeout Refs: XRDDEV-2468 --- .../java/ee/ria/xroad/signer/SignerProxy.java | 68 +++++++++---------- .../signer/protocol/RpcSignerClient.java | 44 +++++++----- 2 files changed, 60 insertions(+), 52 deletions(-) diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java index 11cd983494..fe9492fbba 100644 
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java @@ -105,7 +105,7 @@ public final class SignerProxy { public static void initSoftwareToken(char[] password) throws Exception { log.trace("Initializing software token"); - RpcSignerClient.execute(ctx -> ctx.blockingTokenService + RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService() .initSoftwareToken(InitSoftwareTokenReq.newBuilder() .setPin(new String(password)) .build())); @@ -119,7 +119,7 @@ public static void initSoftwareToken(char[] password) throws Exception { */ public static List getTokens() throws Exception { ListTokensResp response = RpcSignerClient.execute(ctx -> - ctx.blockingTokenService.listTokens(Empty.newBuilder().build())); + ctx.getBlockingTokenService().listTokens(Empty.newBuilder().build())); return response.getTokensList().stream() .map(TokenInfo::new) @@ -134,7 +134,7 @@ public static List getTokens() throws Exception { * @throws Exception if any errors occur */ public static TokenInfo getToken(String tokenId) throws Exception { - return RpcSignerClient.execute(ctx -> new TokenInfo(ctx.blockingTokenService + return RpcSignerClient.execute(ctx -> new TokenInfo(ctx.getBlockingTokenService() .getTokenById(GetTokenByIdReq.newBuilder() .setTokenId(tokenId) .build()))); @@ -152,7 +152,7 @@ public static void activateToken(String tokenId, char[] password) throws Excepti log.trace("Activating token '{}'", tokenId); - RpcSignerClient.execute(ctx -> ctx.blockingTokenService + RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService() .activateToken(ActivateTokenReq.newBuilder() .setTokenId(tokenId) .setActivate(true) 
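Review bot: `initSoftwareToken` still copies the PIN into an immutable `String` with `.setPin(new String(password))`, so the secret cannot be wiped after the call and the `char[]` parameter gives no real protection. `updateTokenPin` in a later hunk does the same with `.setOldPin(new String(oldPin))`. The proto field type is outside these hunks; if it has to stay a string, record the limitation next to the call, e.g. `// PIN is copied into a String for the proto message and cannot be cleared afterwards`. Request messages carrying the PIN should also be kept out of trace logging.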
@@ -170,7 +170,7 @@ public static void activateToken(String tokenId, char[] password) throws Excepti public static void updateTokenPin(String tokenId, char[] oldPin, char[] newPin) throws Exception { log.trace("Updating token pin '{}'", tokenId); - RpcSignerClient.execute(ctx -> ctx.blockingTokenService + RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService() .updateSoftwareTokenPin(UpdateSoftwareTokenPinReq.newBuilder() .setTokenId(tokenId) .setOldPin(new String(oldPin)) @@ -189,7 +189,7 @@ public static void deactivateToken(String tokenId) throws Exception { log.trace("Deactivating token '{}'", tokenId); - RpcSignerClient.execute(ctx -> ctx.blockingTokenService + RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService() .activateToken(ActivateTokenReq.newBuilder() .setTokenId(tokenId) .setActivate(false) @@ -206,7 +206,7 @@ public static void deactivateToken(String tokenId) throws Exception { public static void setTokenFriendlyName(String tokenId, String friendlyName) throws Exception { log.trace("Setting friendly name '{}' for token '{}'", friendlyName, tokenId); - RpcSignerClient.execute(ctx -> ctx.blockingTokenService + RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService() .setTokenFriendlyName(SetTokenFriendlyNameReq.newBuilder() .setTokenId(tokenId) .setFriendlyName(friendlyName) @@ -223,7 +223,7 @@ public static void setTokenFriendlyName(String tokenId, String friendlyName) thr public static void setKeyFriendlyName(String keyId, String friendlyName) throws Exception { log.trace("Setting friendly name '{}' for key '{}'", friendlyName, keyId); - RpcSignerClient.execute(ctx -> ctx.blockingKeyService + RpcSignerClient.execute(ctx -> ctx.getBlockingKeyService() .setKeyFriendlyName(SetKeyFriendlyNameReq.newBuilder() .setKeyId(keyId) .setFriendlyName(friendlyName) 
@@ -241,7 +241,7 @@ public static void setKeyFriendlyName(String keyId, String friendlyName) throws public static KeyInfo generateKey(String tokenId, String keyLabel) throws Exception { log.trace("Generating key for token '{}'", tokenId); - var response = RpcSignerClient.execute(ctx -> ctx.blockingKeyService + var response = RpcSignerClient.execute(ctx -> ctx.getBlockingKeyService() .generateKey(GenerateKeyReq.newBuilder() .setTokenId(tokenId) .setKeyLabel(keyLabel) @@ -270,7 +270,7 @@ public static byte[] generateSelfSignedCert(String keyId, ClientId.Conf memberId String commonName, Date notBefore, Date notAfter) throws Exception { log.trace("Generate self-signed cert for key '{}'", keyId); - var response = RpcSignerClient.execute(ctx -> ctx.blockingCertificateService + var response = RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService() .generateSelfSignedCert(GenerateSelfSignedCertReq.newBuilder() .setKeyId(keyId) .setCommonName(commonName) @@ -304,7 +304,7 @@ public static String importCert(byte[] certBytes, String initialStatus, ClientId .setInitialStatus(initialStatus); ofNullable(clientId).map(ClientIdMapper::toDto).ifPresent(builder::setMemberId); - var response = RpcSignerClient.execute(ctx -> ctx.blockingCertificateService + var response = RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService() .importCert(builder.build())); log.trace("Cert imported successfully, keyId received: {}", response.getKeyId()); @@ -321,7 +321,7 @@ public static String importCert(byte[] certBytes, String initialStatus, ClientId public static void activateCert(String certId) throws Exception { log.trace("Activating cert '{}'", certId); - RpcSignerClient.execute(ctx -> ctx.blockingCertificateService + RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService() .activateCert(ActivateCertReq.newBuilder() .setCertIdOrHash(certId) .setActive(true) 
@@ -337,7 +337,7 @@ public static void activateCert(String certId) throws Exception { public static void deactivateCert(String certId) throws Exception { log.trace("Deactivating cert '{}'", certId); - RpcSignerClient.execute(ctx -> ctx.blockingCertificateService + RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService() .activateCert(ActivateCertReq.newBuilder() .setCertIdOrHash(certId) .setActive(false) @@ -369,7 +369,7 @@ public static GeneratedCertRequestInfo generateCertRequest(String keyId, ClientI .map(ClientIdMapper::toDto) .ifPresent(reqBuilder::setMemberId); - var response = RpcSignerClient.execute(ctx -> ctx.blockingCertificateService + var response = RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService() .generateCertRequest(reqBuilder.build())); byte[] certRequestBytes = response.getCertRequest().toByteArray(); @@ -395,7 +395,7 @@ public static GeneratedCertRequestInfo generateCertRequest(String keyId, ClientI public static GeneratedCertRequestInfo regenerateCertRequest(String certRequestId, CertificateRequestFormat format) throws Exception { - var response = RpcSignerClient.execute(ctx -> ctx.blockingCertificateService + var response = RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService() .regenerateCertRequest(RegenerateCertRequestReq.newBuilder() .setCertRequestId(certRequestId) .setFormat(format) @@ -432,7 +432,7 @@ public static class GeneratedCertRequestInfo { public static void deleteCertRequest(String certRequestId) throws Exception { log.trace("Deleting cert request '{}'", certRequestId); - RpcSignerClient.execute(ctx -> ctx.blockingCertificateService + RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService() .deleteCertRequest(DeleteCertRequestReq.newBuilder() .setCertRequestId(certRequestId) .build())); 
@@ -447,7 +447,7 @@ public static void deleteCertRequest(String certRequestId) throws Exception { public static void deleteCert(String certId) throws Exception { log.trace("Deleting cert '{}'", certId); - RpcSignerClient.execute(ctx -> ctx.blockingCertificateService + RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService() .deleteCert(DeleteCertReq.newBuilder() .setCertId(certId) .build())); @@ -464,7 +464,7 @@ public static void deleteCert(String certId) throws Exception { public static void deleteKey(String keyId, boolean deleteFromToken) throws Exception { log.trace("Deleting key '{}', from token = {}", keyId, deleteFromToken); - RpcSignerClient.execute(ctx -> ctx.blockingKeyService + RpcSignerClient.execute(ctx -> ctx.getBlockingKeyService() .deleteKey(DeleteKeyReq.newBuilder() .setKeyId(keyId) .setDeleteFromDevice(deleteFromToken) @@ -481,7 +481,7 @@ public static void deleteKey(String keyId, boolean deleteFromToken) throws Excep public static void setCertStatus(String certId, String status) throws Exception { log.trace("Setting cert ('{}') status to '{}'", certId, status); - RpcSignerClient.execute(ctx -> ctx.blockingCertificateService + RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService() .setCertStatus(SetCertStatusReq.newBuilder() .setCertId(certId) .setStatus(status) @@ -499,7 +499,7 @@ public static CertificateInfo getCertForHash(String hash) throws Exception { final String finalHash = hash.toLowerCase(); log.trace("Getting cert by hash '{}'", hash); - var response = RpcSignerClient.execute(ctx -> ctx.blockingCertificateService + var response = RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService() .getCertificateInfoForHash(GetCertificateInfoForHashReq.newBuilder() .setCertHash(finalHash) .build())); 
@@ -520,7 +520,7 @@ public static KeyIdInfo getKeyIdForCertHash(String hash) throws Exception { final String finalHash = hash.toLowerCase(); log.trace("Getting cert by hash '{}'", finalHash); - var response = RpcSignerClient.execute(ctx -> ctx.blockingKeyService + var response = RpcSignerClient.execute(ctx -> ctx.getBlockingKeyService() .getKeyIdForCertHash(GetKeyIdForCertHashReq.newBuilder() .setCertHash(finalHash) .build())); @@ -541,7 +541,7 @@ public static TokenInfoAndKeyId getTokenAndKeyIdForCertHash(String hash) throws String hashLowercase = hash.toLowerCase(); log.trace("Getting token and key id by cert hash '{}'", hashLowercase); - var response = RpcSignerClient.execute(ctx -> ctx.blockingTokenService + var response = RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService() .getTokenAndKeyIdByCertHash(GetTokenByCertHashReq.newBuilder() .setCertHash(hashLowercase) .build())); @@ -560,7 +560,7 @@ public static TokenInfoAndKeyId getTokenAndKeyIdForCertHash(String hash) throws */ public static String[] getOcspResponses(String[] certHashes) throws Exception { - var response = RpcSignerClient.execute(ctx -> ctx.blockingOcspService + var response = RpcSignerClient.execute(ctx -> ctx.getBlockingOcspService() .getOcspResponses(GetOcspResponsesReq.newBuilder() .addAllCertHash(toLowerCase(certHashes)) .build())); @@ -577,7 +577,7 @@ public static String[] getOcspResponses(String[] certHashes) throws Exception { } public static void setOcspResponses(String[] certHashes, String[] base64EncodedResponses) throws Exception { - RpcSignerClient.execute(ctx -> ctx.blockingOcspService + RpcSignerClient.execute(ctx -> ctx.getBlockingOcspService() .setOcspResponses(SetOcspResponsesReq.newBuilder() .addAllCertHashes(asList(certHashes)) .addAllBase64EncodedResponses(asList(base64EncodedResponses)) 
@@ -598,7 +598,7 @@ private static List toLowerCase(String[] certHashes) { * @throws Exception */ public static AuthKeyInfo getAuthKey(SecurityServerId serverId) throws Exception { - var response = RpcSignerClient.execute(ctx -> ctx.blockingKeyService + var response = RpcSignerClient.execute(ctx -> ctx.getBlockingKeyService() .getAuthKey(GetAuthKeyReq.newBuilder() .setSecurityServer(SecurityServerIdMapper.toDto(serverId)) .build())); @@ -619,7 +619,7 @@ public static AuthKeyInfo getAuthKey(SecurityServerId serverId) throws Exception public static TokenInfoAndKeyId getTokenAndKeyIdForCertRequestId(String certRequestId) throws Exception { log.trace("Getting token and key id by cert request id '{}'", certRequestId); - var response = RpcSignerClient.execute(ctx -> ctx.blockingTokenService + var response = RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService() .getTokenAndKeyIdByCertRequestId(GetTokenByCertRequestIdReq.newBuilder() .setCertRequestId(certRequestId) .build())); @@ -637,14 +637,14 @@ public static TokenInfoAndKeyId getTokenAndKeyIdForCertRequestId(String certRequ * @throws Exception if any errors occur */ public static TokenInfo getTokenForKeyId(String keyId) throws Exception { - var response = RpcSignerClient.execute(ctx -> ctx.blockingTokenService + var response = RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService() .getTokenByKey(GetTokenByKeyIdReq.newBuilder().setKeyId(keyId).build())); return new TokenInfo(response); } public static String getSignMechanism(String keyId) throws Exception { - GetSignMechanismResp response = RpcSignerClient.execute(ctx -> ctx.blockingKeyService + GetSignMechanismResp response = RpcSignerClient.execute(ctx -> ctx.getBlockingKeyService() .getSignMechanism(GetSignMechanismReq.newBuilder() .setKeyId(keyId) .build())); 
@@ -653,7 +653,7 @@ public static String getSignMechanism(String keyId) throws Exception { } public static byte[] sign(String keyId, String signatureAlgorithmId, byte[] digest) throws Exception { - var response = RpcSignerClient.execute(ctx -> ctx.blockingKeyService + var response = RpcSignerClient.execute(ctx -> ctx.getBlockingKeyService() .sign(SignReq.newBuilder() .setKeyId(keyId) .setSignatureAlgorithmId(signatureAlgorithmId) @@ -664,7 +664,7 @@ public static byte[] sign(String keyId, String signatureAlgorithmId, byte[] dige } public static Boolean isTokenBatchSigningEnabled(String keyId) throws Exception { - var response = RpcSignerClient.execute(ctx -> ctx.blockingTokenService + var response = RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService() .getTokenBatchSigningEnabled(GetTokenBatchSigningEnabledReq.newBuilder() .setKeyId(keyId) .build())); @@ -673,7 +673,7 @@ public static Boolean isTokenBatchSigningEnabled(String keyId) throws Exception } public static MemberSigningInfoDto getMemberSigningInfo(ClientId clientId) throws Exception { - var response = RpcSignerClient.execute(ctx -> ctx.blockingTokenService + var response = RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService() .getMemberSigningInfo(GetMemberSigningInfoReq.newBuilder() .setMemberId(ClientIdMapper.toDto(clientId)) .build())); @@ -682,7 +682,7 @@ public static MemberSigningInfoDto getMemberSigningInfo(ClientId clientId) throw } public static List getMemberCerts(ClientId memberId) throws Exception { - var response = RpcSignerClient.execute(ctx -> ctx.blockingCertificateService + var response = RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService() .getMemberCerts(GetMemberCertsReq.newBuilder() .setMemberId(ClientIdMapper.toDto(memberId)) .build())); 
@@ -693,7 +693,7 @@ public static List getMemberCerts(ClientId memberId) throws Exc } public static boolean isHSMOperational() throws Exception { - var response = RpcSignerClient.execute(ctx -> ctx.blockingTokenService + var response = RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService() .getHSMOperationalInfo(Empty.getDefaultInstance())); return response.getOperational(); @@ -701,7 +701,7 @@ public static boolean isHSMOperational() throws Exception { public static byte[] signCertificate(String keyId, String signatureAlgorithmId, String subjectName, PublicKey publicKey) throws Exception { - var response = RpcSignerClient.execute(ctx -> ctx.blockingKeyService + var response = RpcSignerClient.execute(ctx -> ctx.getBlockingKeyService() .signCertificate(SignCertificateReq.newBuilder() .setKeyId(keyId) .setSignatureAlgorithmId(signatureAlgorithmId) diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java index d94ba74f06..f07f6b85e0 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java @@ -30,12 +30,16 @@ import com.google.protobuf.Any; import com.google.protobuf.InvalidProtocolBufferException; +import io.grpc.CallOptions; import io.grpc.Channel; -import io.grpc.Deadline; +import io.grpc.ClientCall; +import io.grpc.ClientInterceptor; import io.grpc.Grpc; import io.grpc.ManagedChannel; +import io.grpc.MethodDescriptor; import io.grpc.Status; import io.grpc.StatusRuntimeException; +import lombok.Getter; import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.proto.CertificateServiceGrpc; import org.niis.xroad.signer.proto.KeyServiceGrpc; 
@@ -59,9 +63,9 @@ public final class RpcSignerClient { /** * Construct client for accessing Signer services using the provided channel. */ - private RpcSignerClient(final ManagedChannel channel, int clientTimeoutMillis) { + private RpcSignerClient(final ManagedChannel channel) { this.channel = channel; - this.executionContext = new ExecutionContext(channel, clientTimeoutMillis); + this.executionContext = new ExecutionContext(channel); } /** @@ -76,10 +80,18 @@ public static void init() throws Exception { public static void init(String host, int port, int clientTimeoutMillis) throws Exception { var credentials = createClientCredentials(); log.info("Starting grpc client with {} credentials..", credentials.getClass().getSimpleName()); + final ClientInterceptor timeoutInterceptor = new ClientInterceptor() { + @Override + public ClientCall interceptCall( + MethodDescriptor method, CallOptions callOptions, Channel next) { + return next.newCall(method, callOptions.withDeadlineAfter(clientTimeoutMillis, MILLISECONDS)); + } + }; ManagedChannel channel = Grpc.newChannelBuilderForAddress(host, port, credentials) + .intercept(timeoutInterceptor) .build(); - instance = new RpcSignerClient(channel, clientTimeoutMillis); + instance = new RpcSignerClient(channel); } public static void shutdown() { 
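Review bot: The interceptor added in `init(String host, int port, int clientTimeoutMillis)` replaces whatever deadline is already on `callOptions`, so a call site that sets a shorter per-call deadline on a stub would silently get `clientTimeoutMillis` instead. Applying the default only when none is set keeps both behaviours: `var opts = callOptions.getDeadline() == null ? callOptions.withDeadlineAfter(clientTimeoutMillis, MILLISECONDS) : callOptions;` followed by `return next.newCall(method, opts);`. `clientTimeoutMillis` is also used unchecked, and a zero or negative value would make every Signer call fail immediately with DEADLINE_EXCEEDED, so rejecting it at the top of `init` would surface the misconfiguration at startup. A one-line comment that the deadline is now computed per call, unlike the removed `Deadline.after(...)` in the `ExecutionContext` constructor which was fixed once at construction, would record why the interceptor exists.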
@@ -88,22 +100,18 @@ public static void shutdown() { } } + @Getter public static class ExecutionContext { - public final TokenServiceGrpc.TokenServiceBlockingStub blockingTokenService; - public final CertificateServiceGrpc.CertificateServiceBlockingStub blockingCertificateService; - public final KeyServiceGrpc.KeyServiceBlockingStub blockingKeyService; - public final OcspServiceGrpc.OcspServiceBlockingStub blockingOcspService; + private final TokenServiceGrpc.TokenServiceBlockingStub blockingTokenService; + private final CertificateServiceGrpc.CertificateServiceBlockingStub blockingCertificateService; + private final KeyServiceGrpc.KeyServiceBlockingStub blockingKeyService; + private final OcspServiceGrpc.OcspServiceBlockingStub blockingOcspService; - public ExecutionContext(final Channel channel, int clientTimeoutMillis) { - final Deadline deadline = Deadline.after(clientTimeoutMillis, MILLISECONDS); - blockingTokenService = TokenServiceGrpc.newBlockingStub(channel) - .withDeadline(deadline); - blockingCertificateService = CertificateServiceGrpc.newBlockingStub(channel) - .withDeadline(deadline); - blockingKeyService = KeyServiceGrpc.newBlockingStub(channel) - .withDeadline(deadline); - blockingOcspService = OcspServiceGrpc.newBlockingStub(channel) - .withDeadline(deadline); + public ExecutionContext(final Channel channel) { + blockingTokenService = TokenServiceGrpc.newBlockingStub(channel); + blockingCertificateService = CertificateServiceGrpc.newBlockingStub(channel); + blockingKeyService = KeyServiceGrpc.newBlockingStub(channel); + blockingOcspService = OcspServiceGrpc.newBlockingStub(channel); } } From c4e76a825f6b85d42863383d31059a8c73e7eaaf Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Mon, 18 Sep 2023 14:14:59 +0300 Subject: [PATCH 081/127] chore: unit test fix Refs: XRDDEV-2468 --- src/configuration-proxy/build.gradle | 1 + .../ee/ria/xroad/confproxy/ConfProxyTest.java | 28 +++++++++---------- 2 files changed, 15 insertions(+), 14 deletions(-) 
diff --git a/src/configuration-proxy/build.gradle b/src/configuration-proxy/build.gradle index 3ddbd9f35c..f482c7b98f 100644 --- a/src/configuration-proxy/build.gradle +++ b/src/configuration-proxy/build.gradle @@ -9,6 +9,7 @@ dependencies { implementation 'commons-cli:commons-cli:1.4' testImplementation project(':common:common-test') + testImplementation "org.mockito:mockito-inline:$mockitoVersion" } ext { diff --git a/src/configuration-proxy/src/test/java/ee/ria/xroad/confproxy/ConfProxyTest.java b/src/configuration-proxy/src/test/java/ee/ria/xroad/confproxy/ConfProxyTest.java index 1fbdb71788..36c2ab5b15 100644 --- a/src/configuration-proxy/src/test/java/ee/ria/xroad/confproxy/ConfProxyTest.java +++ b/src/configuration-proxy/src/test/java/ee/ria/xroad/confproxy/ConfProxyTest.java @@ -30,12 +30,12 @@ import ee.ria.xroad.common.conf.globalconf.ConfigurationDirectoryV2; import ee.ria.xroad.confproxy.util.ConfProxyHelper; import ee.ria.xroad.confproxy.util.OutputBuilder; -import ee.ria.xroad.signer.protocol.RpcSignerClient; +import ee.ria.xroad.signer.SignerProxy; import lombok.extern.slf4j.Slf4j; -import org.junit.After; import org.junit.Before; import org.junit.Test; +import org.mockito.MockedStatic; import java.nio.file.Files; import java.nio.file.Paths; @@ -46,6 +46,8 @@ import static ee.ria.xroad.common.SystemProperties.TEMP_FILES_PATH; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertThrows; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.Mockito.mockStatic; /** * Test program for the configuration proxy, 
@@ -55,8 +57,7 @@ public class ConfProxyTest { @Before - public void setUp() throws Exception { - RpcSignerClient.init(); + public void setUp() { System.setProperty(CONFIGURATION_PROXY_CONF_PATH, "src/test/resources/conf-proxy-conf"); System.setProperty(CONFIGURATION_PROXY_GENERATED_CONF_PATH, "build/tmp/test/generated-conf"); System.setProperty(CONFIGURATION_PATH, "src/test/resources/test-conf-simple"); @@ -70,17 +71,16 @@ public void cleanupTempDirectoriesWhenBuildingSignedDirectoryFails() throws Exce ConfigurationDirectoryV2 confDir = new ConfigurationDirectoryV2( conf.getConfigurationDownloadPath(SystemProperties.CURRENT_GLOBAL_CONFIGURATION_VERSION)); - try (OutputBuilder output = new OutputBuilder(confDir, conf, - SystemProperties.CURRENT_GLOBAL_CONFIGURATION_VERSION)) { - CodedException exception = assertThrows(CodedException.class, output::buildSignedDirectory); - assertEquals("InternalError: Signer is unreachable", exception.getMessage()); + try (MockedStatic signerProxyMock = mockStatic(SignerProxy.class)) { + signerProxyMock.when(() -> SignerProxy.getSignMechanism(any())) + .thenThrow(new CodedException("InternalError", "Signer is unreachable")); + try (OutputBuilder output = new OutputBuilder(confDir, conf, + SystemProperties.CURRENT_GLOBAL_CONFIGURATION_VERSION)) { + CodedException exception = assertThrows(CodedException.class, output::buildSignedDirectory); + assertEquals("InternalError: Signer is unreachable", exception.getMessage()); + } + assertEquals(0, Files.list(Paths.get("build/tmp/test/PROXY1")).count()); } - assertEquals(0, Files.list(Paths.get("build/tmp/test/PROXY1")).count()); - } - - @After - public void tearDown() { - RpcSignerClient.shutdown(); } } From b3d99e00e8455fbbda87fdbd5750a92ea28a02f3 Mon Sep 17 00:00:00 2001 
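Review bot: `Files.list(Paths.get("build/tmp/test/PROXY1"))` in the final assertion of `cleanupTempDirectoriesWhenBuildingSignedDirectoryFails` returns a stream that keeps the directory open until it is closed, and the test never closes it. Wrapping it keeps the check the same: `try (var entries = Files.list(Paths.get("build/tmp/test/PROXY1"))) { assertEquals(0, entries.count()); }`. Since the static mock now supplies the failure, a short comment that only `SignerProxy.getSignMechanism` is stubbed, and that the test assumes this is the Signer call `buildSignedDirectory` fails on, would help the next reader.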
From: Justas Samuolis Date: Wed, 20 Sep 2023 09:24:46 +0300 Subject: [PATCH 082/127] chore: enable remote debug in test signer container Refs: XRDDEV-2468 --- .../common/test/signer/container/BaseTestSignerSetup.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java index 25da5a90b6..5a3c709ff7 100644 --- a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java +++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java @@ -80,7 +80,7 @@ public Map environmentalVariables() { @NotNull @Override public List exposedPorts() { - return List.of(5558, 5560); + return List.of(5558, 5560, 5005); } }; } @@ -105,6 +105,7 @@ public void beforeStart(@NotNull GenericContainer genericContainer) { "-Dxroad.grpc.internal.keystore-password=111111", "-Dxroad.grpc.internal.truststore=/etc/xroad/transport-keystore/grpc-internal-keystore.p12", "-Dxroad.grpc.internal.truststore-password=111111", + "-agentlib:jdwp=transport=dt_socket,address=*:5005,server=y,suspend=n", modulemanager, "-cp", "/root/lib/hwtoken.jar:/root/app.jar", From c4e65787c2d384e724b940bd52d7c933f23a90bb Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Wed, 20 Sep 2023 09:36:03 +0300 Subject: [PATCH 083/127] chore: minor changes in pkcs11Exception handling Refs: XRDDEV-2468 --- .../tokenmanager/token/HardwareTokenWorker.java | 14 ++++++-------- .../tokenmanager/module/AbstractModuleWorker.java | 2 +- .../tokenmanager/token/BlockingTokenWorker.java | 11 ----------- .../tokenmanager/token/WorkerWithLifecycle.java | 4 ++-- 4 files changed, 9 insertions(+), 22 deletions(-) 
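Review bot: The added `-agentlib:jdwp=transport=dt_socket,address=*:5005,server=y,suspend=n` argument in `beforeStart`, together with 5005 in `exposedPorts()`, turns on an unauthenticated debug listener on every interface of the test signer container for every run, not only when someone is actually debugging. JDWP gives any client that can reach the port control over the JVM, and this container is also started with the gRPC keystore and truststore settings on the lines just above. Making it opt-in keeps the convenience: add the jdwp argument and the extra port only when a test-only switch (name to be chosen by the project) is set, and leave both out by default so CI runs and shared build hosts do not publish the port. Both methods continue outside these hunks.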
diff --git a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java index a1245b15d1..eb9ed9d804 100644 --- a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java +++ b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java @@ -186,6 +186,7 @@ private static Mechanism createRsaPkcsPssMechanism(long hashMechanism) { @Override public void start() { + log.trace("start()"); try { initialize(); setTokenAvailable(tokenId, true); @@ -221,17 +222,13 @@ public void reload() { } @Override - public void refresh() { + public void refresh() throws Exception { log.trace("refresh()"); if (isTokenAvailable(tokenId) && activeSession != null) { - try { - findKeysNotInConf(); - findPublicKeysForPrivateKeys(); - findCertificatesNotInConf(); - } catch (Exception e) { - throw translateException(e); - } + findKeysNotInConf(); + findPublicKeysForPrivateKeys(); + findCertificatesNotInConf(); } } @@ -654,6 +651,7 @@ private void pinVerificationPerSigningLogout() { } private void createSession() throws Exception { + log.trace("createSession()"); closeActiveSession(); if (getToken() != null) { diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java index 57b156431e..60877bf0d7 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java 
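Review bot: `refresh()` now lets every exception from `findKeysNotInConf()`, `findPublicKeysForPrivateKeys()` and `findCertificatesNotInConf()` escape unchanged, where it previously rethrew them through `translateException(e)`. The callers are outside this hunk, so it cannot be confirmed here that each of them handles a checked `Exception`, including PKCS#11 errors coming from the token. Please record the new contract where it is declared, for example `@throws Exception if the token cannot be queried; the caller decides whether to retry or reload` on `WorkerWithLifecycle.refresh()`, which this commit changes to `throws Exception` without touching its Javadoc.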
@@ -104,7 +104,7 @@ private void loadTokens(boolean reload) throws Exception { BlockingTokenWorker tokenWorker = tokenWorkers.get(tokenType.getId()); if (tokenWorker == null) { log.debug("Adding new token '{}#{}'", tokenType.getModuleType(), tokenType.getId()); - tokenWorker = new BlockingTokenWorker(this, createWorker(getTokenInfo(tokenType), tokenType)); + tokenWorker = new BlockingTokenWorker(createWorker(getTokenInfo(tokenType), tokenType)); tokenWorker.getInternalTokenWorker().start(); } else if (reload) { tokenWorker.getInternalTokenWorker().reload(); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/BlockingTokenWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/BlockingTokenWorker.java index c0705cfac2..d0e6750459 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/BlockingTokenWorker.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/BlockingTokenWorker.java @@ -26,9 +26,7 @@ package ee.ria.xroad.signer.tokenmanager.token; import ee.ria.xroad.signer.protocol.dto.KeyInfo; -import ee.ria.xroad.signer.tokenmanager.module.AbstractModuleWorker; -import iaik.pkcs.pkcs11.wrapper.PKCS11Exception; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.proto.ActivateTokenReq; @@ -44,7 +42,6 @@ @Slf4j @RequiredArgsConstructor public class BlockingTokenWorker implements TokenWorker { - private final AbstractModuleWorker moduleWorker; private final AbstractTokenWorker tokenWorker; @Override @@ -115,10 +112,6 @@ public interface ThrowingRunnable { private synchronized T synchronizedAction(ThrowingSupplier action) { try { return action.get(); - } catch (PKCS11Exception pkcs11Exception) { - log.warn("PKCS11Exception was thrown. Reloading underlying module and token workers."); - moduleWorker.reload(); - throw translateException(pkcs11Exception); } catch (Exception e) { throw translateException(e); } finally { 
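Review bot: With the `PKCS11Exception` branch removed from `synchronizedAction` (this hunk and the `ThrowingRunnable` overload in the following one), a PKCS#11 failure is only translated and rethrown, and nothing in the visible code reloads the module or token worker afterwards. If no other component takes over that recovery, a hardware token whose session was lost could keep failing every request until the signer is restarted. A comment on `synchronizedAction` stating where recovery from PKCS#11 errors now happens, e.g. `// PKCS#11 errors are no longer handled here; module reload is triggered by <owner to be named>`, would make the intended behaviour reviewable. The method bodies continue outside the hunks.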
@@ -130,10 +123,6 @@ private synchronized T synchronizedAction(ThrowingSupplier act private synchronized void synchronizedAction(ThrowingRunnable action) { try { action.run(); - } catch (PKCS11Exception pkcs11Exception) { - log.warn("PKCS11Exception was thrown. Reloading underlying module and token workers."); - moduleWorker.reload(); - throw translateException(pkcs11Exception); } catch (Exception e) { throw translateException(e); } finally { diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/WorkerWithLifecycle.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/WorkerWithLifecycle.java index 2a540b75ed..36f447b95d 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/WorkerWithLifecycle.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/WorkerWithLifecycle.java @@ -44,14 +44,14 @@ default void start() { /** * Reloads the worker. Reloaded instance should be similar to newly initialized worker. */ - default void reload() throws Exception { + default void reload() { //NO-OP } /** * Refreshes underlying worker. */ - default void refresh() { + default void refresh() throws Exception { //NO-OP } } From 76bab3609206b11240b0e87c5738775fd54f7db8 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Wed, 20 Sep 2023 12:58:29 +0300 Subject: [PATCH 084/127] chore: checkstyle Refs: XRDDEV-2468 --- .../securityserver/restapi/util/CertificateTestUtils.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/CertificateTestUtils.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/CertificateTestUtils.java index 54a357cf85..36e343f167 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/CertificateTestUtils.java 
+++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/CertificateTestUtils.java @@ -29,11 +29,11 @@ import ee.ria.xroad.common.TestCertUtil; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.util.CryptoUtils; -import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import ee.ria.xroad.signer.protocol.dto.CertRequestInfo; import ee.ria.xroad.signer.protocol.dto.CertRequestInfoProto; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfoProto; +import ee.ria.xroad.signer.protocol.mapper.ClientIdMapper; import com.google.protobuf.ByteString; import org.bouncycastle.cert.ocsp.CertificateStatus; @@ -512,7 +512,7 @@ public CertificateInfo build() { List ocsp = generateOcspResponses( Arrays.asList(certificate), ocspStatus); - ocspBytes = ocsp.iterator().next().getEncoded(); + ocspBytes = ocsp.iterator().next().getEncoded(); } return createCertificateInfo( clientId, From 6d743cfac8fdec8c1a4d42ea58a89972a64c271d Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Wed, 20 Sep 2023 17:17:20 +0300 Subject: [PATCH 085/127] chore: minor fixes Refs: XRDDEV-2468 --- src/common/common-int-test/build.gradle | 1 + .../java/org/niis/xroad/proxy/test/container/ContainerSetup.java | 1 - src/signer/build.gradle | 1 - 3 files changed, 1 insertion(+), 2 deletions(-) diff --git a/src/common/common-int-test/build.gradle b/src/common/common-int-test/build.gradle index 01270698ec..0e18bcf086 100644 --- a/src/common/common-int-test/build.gradle +++ b/src/common/common-int-test/build.gradle @@ -5,6 +5,7 @@ plugins { dependencies { api project(':common:common-util') api project(':signer-protocol') + api project(':addons:hwtoken') api("com.nortal.test:test-automation-core:${testAutomationFrameworkVersion}") api("com.nortal.test:test-automation-allure:${testAutomationFrameworkVersion}") 
diff --git a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/container/ContainerSetup.java b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/container/ContainerSetup.java index cc3f2c9bdb..6a930d4ea7 100644 --- a/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/container/ContainerSetup.java +++ b/src/proxy/src/intTest/java/org/niis/xroad/proxy/test/container/ContainerSetup.java @@ -34,7 +34,6 @@ @Slf4j @Configuration -@SuppressWarnings("checkstyle:MagicNumber") public class ContainerSetup extends BaseTestSignerSetup { @Bean diff --git a/src/signer/build.gradle b/src/signer/build.gradle index 54afd20612..061cd6abce 100644 --- a/src/signer/build.gradle +++ b/src/signer/build.gradle @@ -62,7 +62,6 @@ bootJar { shadowJar { archiveClassifier = '' exclude('**/module-info.class') - append('reference.conf') from rootProject.file("LICENSE.txt") } From c0d6857e872580ff01ff3f7297659ac076e16ba3 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Wed, 20 Sep 2023 18:45:58 +0300 Subject: [PATCH 086/127] chore: minor fixes Refs: XRDDEV-2468 --- .../securityserver/restapi/config/StartStopListener.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/config/StartStopListener.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/config/StartStopListener.java index 4a33e4877c..0366b8cd88 100644 --- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/config/StartStopListener.java +++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/config/StartStopListener.java 
@@ -26,7 +26,6 @@ package org.niis.xroad.securityserver.restapi.config; import ee.ria.xroad.commonui.UIServices; -import ee.ria.xroad.signer.protocol.RpcSignerClient; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; @@ -56,7 +55,7 @@ private synchronized void stop() throws Exception { uiApiActorSystem = null; } - RpcSignerClient.shutdown(); +// RpcSignerClient.shutdown(); } @Autowired @@ -73,7 +72,7 @@ private synchronized void start() throws Exception { if (uiApiActorSystem == null) { uiApiActorSystem = new UIServices("ProxyUIApi", "proxyuiapi"); } - RpcSignerClient.init(); +// RpcSignerClient.init(); } From 56748b6239ca4f9aa79fdd6f565210c401894bf0 Mon Sep 17 00:00:00 2001 From: Justas Samuolis Date: Thu, 21 Sep 2023 11:22:55 +0300 Subject: [PATCH 087/127] chore: signer intTest file permissions fix Refs: XRDDEV-2468 --- .../hook/SignerProxyAfterSuiteHook.java | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyAfterSuiteHook.java diff --git a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyAfterSuiteHook.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyAfterSuiteHook.java new file mode 100644 index 0000000000..dc4e04d1fd --- /dev/null +++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyAfterSuiteHook.java 
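Review bot: The `RpcSignerClient.shutdown()` and `RpcSignerClient.init()` calls in `stop()` and `start()` are commented out rather than removed, which leaves dead code and no record of why the admin service no longer manages the signer client. If the client lifecycle now lives elsewhere, delete both lines; if this is temporary, replace each with an explanatory comment such as `// TODO(XRDDEV-2468): signer RPC client is initialised in <component>; remove once verified`. Both method bodies start outside these hunks, so whether anything else initialises the client before its first use cannot be confirmed from here.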
@@ -0,0 +1,54 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package org.niis.xroad.common.test.signer.hook;
+
+import com.nortal.test.core.services.hooks.AfterSuiteHook;
+import com.nortal.test.testcontainers.TestableApplicationContainerProvider;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.stereotype.Component;
+
+@Slf4j
+@Component
+@ConditionalOnProperty(value = "test-automation.custom.signer-container-enabled", havingValue = "true")
+@RequiredArgsConstructor
+public class SignerProxyAfterSuiteHook implements AfterSuiteHook {
+
+ private final TestableApplicationContainerProvider containerProvider;
+
+ @Override
+ public void afterSuite() {
+ log.info("Setting permissions for signer files so they could be deleted");
+ try {
+ containerProvider.getContainer().execInContainer("chmod", "-R", "777", "/etc/xroad/signer/");
+ } catch (Exception e) {
+ log.error("Failed to change file permissions", e);
+ }
+ }
+
+}
From 6e67668be558ba00d7fdeec7ae64f39098a3d48c Mon Sep 17 00:00:00 2001
From: Justas Samuolis
Date: Thu, 21 Sep 2023 14:03:47 +0300
Subject: [PATCH 088/127] chore: signer, not throwing exception if second reload() after pkcs11Exc succeeds Refs: XRDDEV-2468
---
 .../xroad/signer/tokenmanager/module/AbstractModuleWorker.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java
index 60877bf0d7..85cfcea316 100644
--- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java
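Review bot: `afterSuite()` throws away the value returned by `execInContainer`, so a `chmod` that exits non-zero is treated as success and the later cleanup fails with nothing in the log; assuming the provider hands back a Testcontainers container, keep the result and log the exit code and stderr when it is not 0. The broad `catch (Exception e)` also absorbs `InterruptedException` without restoring the interrupt flag. Mode `777` makes everything under `/etc/xroad/signer/` world-writable, which is wider than deletion needs; changing ownership to the build user would be tighter, and at minimum the call deserves a comment like `// throw-away test container only: never apply this mode to a real signer directory`.

```java
try {
    var result = containerProvider.getContainer()
            .execInContainer("chmod", "-R", "777", "/etc/xroad/signer/");
    if (result.getExitCode() != 0) {
        log.error("chmod on signer files exited with code {}: {}", result.getExitCode(), result.getStderr());
    }
} catch (InterruptedException e) {
    Thread.currentThread().interrupt();
    log.error("Interrupted while changing file permissions", e);
} catch (Exception e) {
    // … unchanged: log.error("Failed to change file permissions", e) …
}
```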
@@ -81,9 +81,8 @@ public void refresh() {
 try {
 loadTokens(false);
 } catch (PKCS11Exception pkcs11Exception) {
- log.warn("PKCS11Exception was thrown. Reloading underlying module and token workers.");
+ log.warn("PKCS11Exception was thrown. Reloading underlying module and token workers.", pkcs11Exception);
 reload();
- throw translateException(pkcs11Exception);
 } catch (Exception e) {
 log.error("Error during update of module " + getClass().getSimpleName(), e);
 throw translateException(e);
From 7105091eb153965b7c51d2a678453f6443407bc9 Mon Sep 17 00:00:00 2001
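Review bot: An exception thrown by `reload()` inside the `PKCS11Exception` branch is not seen by the sibling `catch (Exception e)`, so it leaves `refresh()` without the `log.error` and `translateException` handling that every other failure gets. Now that this branch no longer rethrows, that is the only way the caller learns the module is still broken, so it should be translated as well, e.g. `try { reload(); } catch (Exception e) { throw translateException(e); }`. A short comment stating that a successful `reload()` is treated as full recovery would also help, since what `reload()` restores is not visible here. The body of `refresh()` continues past the end of the hunk.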
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Wed, 20 Sep 2023 17:35:16 +0300 Subject: [PATCH 089/127] chore: migrate monitor/proxymonitor to grpc Refs: XRDDEV-2468 --- .../proxymonitor/metaservice/build.gradle | 2 +- .../ProxyMonitorServiceHandlerImpl.java | 2 +- .../proxy/serverproxy/StdinValidator.java | 2 +- .../ria/xroad/proxymonitor/ProxyMonitor.java | 40 ++-- .../xroad/proxymonitor/util/MetricTypes.java | 63 +++--- .../proxymonitor/util/MonitorClient.java | 62 ++--- ...torAgent.java => ProxyMonitorService.java} | 51 +++-- .../serverproxy/MetricsQueryBuilder.java | 2 +- ...ProxyMonitorServiceHandlerMetricsTest.java | 2 +- .../ProxyMonitorServiceHandlerTest.java | 2 +- .../SecurityServerMetricsMessage.java | 89 ++++---- .../src/test/resources/application.conf | 14 -- .../test/signer/hook/SignerProxyInitHook.java | 4 +- src/common/common-rpc/build.gradle | 23 ++ .../InsecureRpcCredentialsConfigurer.java} | 34 +-- .../rpc/RpcCredentialsConfigurer.java} | 4 +- .../xroad/common/rpc/client/RpcClient.java | 156 +++++++++++++ .../grpc => common/rpc/server}/RpcServer.java | 24 +- .../src/main/proto/error_handling.proto | 2 +- src/common/common-test/build.gradle | 25 ++- .../ee/ria/xroad/common/TestPortUtils.java | 16 ++ .../java/ee/ria/xroad/common/PortNumbers.java | 12 +- .../ee/ria/xroad/common/SystemProperties.java | 33 ++- src/gradle.properties | 2 +- src/monitor-common/build.gradle | 32 ++- .../xroad/monitor/common/StatsRequest.java | 34 --- .../xroad/monitor/common/StatsResponse.java | 49 ---- .../monitor/common/SystemMetricNames.java | 2 +- .../monitor/common/SystemMetricsRequest.java | 51 ----- .../monitor/common/SystemMetricsResponse.java | 45 ---- .../monitor/common/dto/HistogramDto.java | 82 ------- .../xroad/monitor/common/dto/MetricDto.java | 44 ---- .../monitor/common/dto/MetricSetDto.java | 79 ------- .../monitor/common/dto/SimpleMetricDto.java | 52 ----- .../src/main/proto/monitor_service.proto | 106 +++++++++ src/monitor-test/LICENSE.txt 
| 23 -- src/monitor-test/build.gradle | 19 -- .../ria/xroad/monitor/test/ClientActor.java | 64 ------ .../ria/xroad/monitor/test/MonitorTest.java | 80 ------- .../src/main/resources/application.conf | 14 -- src/monitor/build.gradle | 56 +++-- .../ee/ria/xroad/monitor/AbstractSensor.java | 22 +- .../xroad/monitor/CertificateInfoSensor.java | 39 ++-- .../monitor/CertificateMonitoringInfo.java | 2 +- .../ee/ria/xroad/monitor/DiskSpaceSensor.java | 38 ++-- .../ria/xroad/monitor/ExecListingSensor.java | 30 ++- .../ria/xroad/monitor/JmxStringifiedData.java | 2 +- .../xroad/monitor/MetricRegistryHolder.java | 2 +- ...viderActor.java => MetricsRpcService.java} | 194 ++++++++-------- .../ee/ria/xroad/monitor/MonitorMain.java | 76 +------ .../ee/ria/xroad/monitor/SensorException.java | 2 +- .../ee/ria/xroad/monitor/SimpleSensor.java | 2 +- .../xroad/monitor/SystemMetricsSensor.java | 95 ++++---- .../monitor/configuration/MonitorConfig.java | 94 ++++++++ .../executablelister/AbstractExecLister.java | 2 +- .../ExecListingFailedException.java | 2 +- .../executablelister/OsInfoLister.java | 2 +- .../monitor/executablelister/PackageInfo.java | 2 +- .../executablelister/PackageLister.java | 2 +- .../monitor/executablelister/ProcessInfo.java | 2 +- .../executablelister/ProcessLister.java | 2 +- .../executablelister/XroadProcessLister.java | 2 +- .../src/main/resources/application.conf | 17 -- .../monitor/CertificateInfoSensorTest.java | 78 +++---- .../ee/ria/xroad/monitor/EmptyServerConf.java | 2 +- .../monitor/MetricRegistryHolderTest.java | 25 +-- .../monitor/MetricsProviderActorTest.java | 212 ------------------ .../xroad/monitor/MetricsRpcServiceTest.java | 198 ++++++++++++++++ .../monitor/SystemMetricsSensorTest.java | 121 +++++++--- .../executablelister/PackageListerTest.java | 25 +-- .../executablelister/ProcessListerTest.java | 27 +-- .../java/ee/ria/xroad/proxy/ProxyMain.java | 36 ++- .../java/ee/ria/xroad/proxy/addon/AddOn.java | 31 ++- 
src/proxy/src/main/resources/application.conf | 2 +- .../proxy/AbstractProxyIntegrationTest.java | 5 +- .../xroad/proxy/testsuite/ProxyTestSuite.java | 25 ++- src/settings.gradle | 1 - .../signer/protocol/RpcSignerClient.java | 87 ++----- .../signer/test/glue/SignerStepDefs.java | 4 +- .../ee/ria/xroad/signer/SignerRpcConfig.java | 6 +- .../signer/protocol/AbstractRpcHandler.java | 2 +- 81 files changed, 1382 insertions(+), 1634 deletions(-) rename src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/{ProxyMonitorAgent.java => ProxyMonitorService.java} (56%) delete mode 100644 src/addons/proxymonitor/metaservice/src/test/resources/application.conf rename src/{monitor/src/main/java/ee/ria/xroad/monitor/UnhandledListenerActor.java => common/common-rpc/src/main/java/org/niis/xroad/common/rpc/InsecureRpcCredentialsConfigurer.java} (71%) rename src/common/common-rpc/src/main/java/org/niis/xroad/{signer/grpc/ServerCredentialsConfigurer.java => common/rpc/RpcCredentialsConfigurer.java} (98%) create mode 100644 src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java rename src/common/common-rpc/src/main/java/org/niis/xroad/{signer/grpc => common/rpc/server}/RpcServer.java (81%) rename src/{signer-protocol => common/common-rpc}/src/main/proto/error_handling.proto (96%) create mode 100644 src/common/common-test/src/main/java/ee/ria/xroad/common/TestPortUtils.java delete mode 100644 src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/StatsRequest.java delete mode 100644 src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/StatsResponse.java delete mode 100644 src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/SystemMetricsRequest.java delete mode 100644 src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/SystemMetricsResponse.java delete mode 100644 src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/dto/HistogramDto.java delete mode 100644 
src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/dto/MetricDto.java delete mode 100644 src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/dto/MetricSetDto.java delete mode 100644 src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/dto/SimpleMetricDto.java create mode 100644 src/monitor-common/src/main/proto/monitor_service.proto delete mode 100644 src/monitor-test/LICENSE.txt delete mode 100644 src/monitor-test/build.gradle delete mode 100644 src/monitor-test/src/main/java/ee/ria/xroad/monitor/test/ClientActor.java delete mode 100644 src/monitor-test/src/main/java/ee/ria/xroad/monitor/test/MonitorTest.java delete mode 100644 src/monitor-test/src/main/resources/application.conf rename src/monitor/src/main/java/ee/ria/xroad/monitor/{MetricsProviderActor.java => MetricsRpcService.java} (52%) create mode 100644 src/monitor/src/main/java/ee/ria/xroad/monitor/configuration/MonitorConfig.java delete mode 100644 src/monitor/src/main/resources/application.conf delete mode 100644 src/monitor/src/test/java/ee/ria/xroad/monitor/MetricsProviderActorTest.java create mode 100644 src/monitor/src/test/java/ee/ria/xroad/monitor/MetricsRpcServiceTest.java diff --git a/src/addons/proxymonitor/metaservice/build.gradle b/src/addons/proxymonitor/metaservice/build.gradle index 37ab176328..5f17b87909 100644 --- a/src/addons/proxymonitor/metaservice/build.gradle +++ b/src/addons/proxymonitor/metaservice/build.gradle @@ -90,7 +90,7 @@ task runProxymonitorMetaserviceTest(type: JavaExec) { '-Dxroad.proxy.client-httpclient-so-linger=-1', '-Dxroad.proxy.server-connector-so-linger=-1', '-Dxroad.proxy.serverServiceHandlers=ee.ria.xroad.proxy.serverproxy.ProxyMonitorServiceHandlerImpl', - '-Dproxy.akka.remote.artery.canonical.port=0' + '-Dxroad.grpc.internal.tls-enabled=false' mainClass = 'ee.ria.xroad.proxy.testsuite.ProxyTestSuite' classpath = sourceSets.test.runtimeClasspath 
diff --git a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxy/serverproxy/ProxyMonitorServiceHandlerImpl.java b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxy/serverproxy/ProxyMonitorServiceHandlerImpl.java index 570bba59ce..ac7f367964 100644 --- a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxy/serverproxy/ProxyMonitorServiceHandlerImpl.java +++ b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxy/serverproxy/ProxyMonitorServiceHandlerImpl.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxy/serverproxy/StdinValidator.java b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxy/serverproxy/StdinValidator.java index 3b0bfa4a94..4052155e08 100644 --- a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxy/serverproxy/StdinValidator.java +++ b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxy/serverproxy/StdinValidator.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/ProxyMonitor.java b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/ProxyMonitor.java index 6facb7562f..6883f6253b 100644 --- a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/ProxyMonitor.java +++ b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/ProxyMonitor.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
@@ -27,28 +27,34 @@ import ee.ria.xroad.proxy.addon.AddOn; import ee.ria.xroad.proxymonitor.util.MonitorClient; -import ee.ria.xroad.proxymonitor.util.ProxyMonitorAgent; +import ee.ria.xroad.proxymonitor.util.ProxyMonitorService; -import akka.actor.ActorSystem; -import akka.actor.Props; import lombok.extern.slf4j.Slf4j; /** - * ProxyMonitor initialization + * ProxyMonitor initialization */ @Slf4j public class ProxyMonitor implements AddOn { - private static final String CONFIG_PROPERTY_PORT = "xroad.monitor.port"; - private static final int DEFAULT_PORT = 2552; - private static volatile MonitorClient monitorClient; @Override - public void init(final ActorSystem system) { - monitorClient = new MonitorClient( - system.actorSelection(getMonitorAddress() + "/user/MetricsProviderActor")); - system.actorOf(Props.create(ProxyMonitorAgent.class), "ProxyMonitorAgent"); + public void init(final BindableServiceRegistry bindableServiceRegistry) { + try { + bindableServiceRegistry.register(new ProxyMonitorService()); + //TODO grpc, client might require delayed init due to missing rpc service + monitorClient = new MonitorClient(); + } catch (Exception e) { + log.error("ProxyMonitor addon has failed to start. Monitor data will not be available!", e); + } + } + + @Override + public void shutdown() { + if (monitorClient != null) { + monitorClient.shutdown(); + } } public static MonitorClient getClient() { @@ -59,14 +65,4 @@ static void setTestClient(MonitorClient testMonitorClient) { ProxyMonitor.monitorClient = testMonitorClient; } - private String getMonitorAddress() { - int port = DEFAULT_PORT; - try { - port = Integer.parseUnsignedInt(System.getProperty(CONFIG_PROPERTY_PORT)); - } catch (NumberFormatException e) { - log.warn(String.format("Could not load configuration property %s - using the default port", - CONFIG_PROPERTY_PORT)); - } - return String.format("akka://xroad-monitor@127.0.0.1:%d", port); - } } 
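Review bot: In `init`, the `catch (Exception e)` only logs, so when `new MonitorClient()` throws, the static `monitorClient` stays null although `ProxyMonitorService` has already been registered. `getClient()` (body outside this hunk) then presumably returns that null to the metrics handler, which turns a start-up failure into a later `NullPointerException` on the first request. Either let the add-on fail to start, or make the state explicit where the client is handed out, e.g. `if (monitorClient == null) throw new IllegalStateException("ProxyMonitor client is not initialised");`. The `//TODO grpc` line about delayed init should name the tracking ticket so it is not lost.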
diff --git a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/MetricTypes.java b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/MetricTypes.java index d5c5e7cfd1..8aba74a8a8 100644 --- a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/MetricTypes.java +++ b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/MetricTypes.java @@ -4,17 +4,17 @@ * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * + *

* Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - * + *

* The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - * + *

* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 
@@ -25,73 +25,79 @@ */ package ee.ria.xroad.proxymonitor.util; -import ee.ria.xroad.monitor.common.dto.HistogramDto; -import ee.ria.xroad.monitor.common.dto.MetricDto; -import ee.ria.xroad.monitor.common.dto.MetricSetDto; -import ee.ria.xroad.monitor.common.dto.SimpleMetricDto; import ee.ria.xroad.proxymonitor.message.HistogramMetricType; import ee.ria.xroad.proxymonitor.message.MetricSetType; import ee.ria.xroad.proxymonitor.message.MetricType; import ee.ria.xroad.proxymonitor.message.NumericMetricType; import ee.ria.xroad.proxymonitor.message.StringMetricType; +import com.google.protobuf.util.Timestamps; +import org.apache.commons.lang3.math.NumberUtils; +import org.niis.xroad.monitor.common.HistogramMetrics; +import org.niis.xroad.monitor.common.Metrics; +import org.niis.xroad.monitor.common.MetricsGroup; +import org.niis.xroad.monitor.common.SingleMetrics; + import javax.xml.datatype.DatatypeConfigurationException; import javax.xml.datatype.DatatypeFactory; import java.math.BigDecimal; +import java.time.Instant; import java.time.ZoneId; import java.time.ZonedDateTime; import java.util.GregorianCalendar; +import java.util.Optional; /** * Created by hyoty on 25.9.2015. 
*/ public final class MetricTypes { - private MetricTypes() { } + private MetricTypes() { + } /** * MetricSetType factory */ - public static MetricSetType of(MetricSetDto metrics) { + public static MetricSetType of(MetricsGroup metrics) { final MetricSetType metricSet = new MetricSetType(); metricSet.setName(metrics.getName()); - for (MetricDto metricDto : metrics.getMetrics()) { - if (metricDto instanceof MetricSetDto) { - metricSet.getMetrics().add(of((MetricSetDto) metricDto)); - } else if (metricDto instanceof HistogramDto) { - metricSet.getMetrics().add(toMetricType((HistogramDto) metricDto)); - } else if (metricDto instanceof SimpleMetricDto) { - metricSet.getMetrics().add(toMetricType((SimpleMetricDto) metricDto)); + for (Metrics metricDto : metrics.getMetricsList()) { + if (metricDto.hasMetricsGroup()) { + metricSet.getMetrics().add(of(metricDto.getMetricsGroup())); + } else if (metricDto.hasSingleHistogram()) { + metricSet.getMetrics().add(toMetricType(metricDto.getSingleHistogram())); + } else if (metricDto.hasSingleMetrics()) { + metricSet.getMetrics().add(toMetricType(metricDto.getSingleMetrics())); } } return metricSet; } - private static BigDecimal toBigDecimal(Number n) { - if (n instanceof BigDecimal) return (BigDecimal)n; - if (n instanceof Integer || n instanceof Long) return BigDecimal.valueOf(n.longValue()); - return BigDecimal.valueOf(n.doubleValue()); - } + private static MetricType toMetricType(SingleMetrics metricDto) { + Optional optValue = Optional.ofNullable(metricDto.hasValue() ? 
metricDto.getValue() : null); - private static MetricType toMetricType(SimpleMetricDto metricDto) { - Object value = metricDto.getValue(); - if (value instanceof Number) { + if (optValue.isPresent() && NumberUtils.isCreatable(optValue.get())) { final NumericMetricType metric = new NumericMetricType(); metric.setName(metricDto.getName()); - metric.setValue(toBigDecimal((Number) value)); + metric.setValue(new BigDecimal(optValue.get())); return metric; } + final StringMetricType metric = new StringMetricType(); metric.setName(metricDto.getName()); - metric.setValue((metricDto.getValue() == null ? null : metricDto.getValue().toString())); + optValue.ifPresent(metric::setValue); + return metric; } - private static MetricType toMetricType(HistogramDto metricDto) { + private static MetricType toMetricType(HistogramMetrics metricDto) { final HistogramMetricType metric = new HistogramMetricType(); + + var dateUpdated = Instant.ofEpochMilli(Timestamps.toMillis(metricDto.getUpdateDateTime())); + final GregorianCalendar cal = - GregorianCalendar.from(ZonedDateTime.ofInstant(metricDto.getUpdateDateTime(), ZoneId.of("UTC"))); + GregorianCalendar.from(ZonedDateTime.ofInstant(dateUpdated, ZoneId.of("UTC"))); metric.setUpdated(DATATYPE_FACTORY.newXMLGregorianCalendar(cal)); metric.setName(metricDto.getName()); metric.setMax(BigDecimal.valueOf(metricDto.getMax())); @@ -103,6 +109,7 @@ private static MetricType toMetricType(HistogramDto metricDto) { } private static final DatatypeFactory DATATYPE_FACTORY; + static { try { DATATYPE_FACTORY = DatatypeFactory.newInstance(); diff --git a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/MonitorClient.java b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/MonitorClient.java index 0985fdcd2b..59101bb928 100644 --- a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/MonitorClient.java 
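Review bot: `toMetricType(SingleMetrics)` guards `new BigDecimal(optValue.get())` with `NumberUtils.isCreatable`, but that check also accepts hex (`0x1F`) and type-suffixed literals (`10L`, `1.5f`) which `BigDecimal` rejects, so such a value throws `NumberFormatException` and aborts the whole metric-set conversion. Because the value is now a string on the wire, string metrics that merely look numeric are also reported as `NumericMetricType`, which the old `instanceof Number` test never did; please confirm consumers accept that. Parsing once and falling back to the string metric on failure avoids the mismatch, as sketched below.

```java
private static MetricType toMetricType(SingleMetrics metricDto) {
    // … unchanged: optValue lookup …
    if (optValue.isPresent()) {
        try {
            final NumericMetricType metric = new NumericMetricType();
            metric.setName(metricDto.getName());
            metric.setValue(new BigDecimal(optValue.get()));
            return metric;
        } catch (NumberFormatException notDecimal) {
            // not a plain decimal literal: fall through and report it as a string metric
        }
    }
    // … unchanged: StringMetricType construction …
```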
+++ b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/MonitorClient.java @@ -4,17 +4,17 @@ * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * + *

* Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - * + *

* The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - * + *

* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE @@ -27,34 +27,30 @@ import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.ErrorCodes; -import ee.ria.xroad.monitor.common.SystemMetricsRequest; -import ee.ria.xroad.monitor.common.SystemMetricsResponse; +import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.proxymonitor.message.MetricSetType; -import akka.actor.ActorSelection; -import akka.pattern.Patterns; -import akka.util.Timeout; +import io.grpc.Channel; +import lombok.Getter; import lombok.extern.slf4j.Slf4j; -import scala.concurrent.Await; -import scala.concurrent.Future; -import scala.concurrent.duration.Duration; +import org.niis.xroad.common.rpc.client.RpcClient; +import org.niis.xroad.monitor.common.MetricsServiceGrpc; +import org.niis.xroad.monitor.common.SystemMetricsReq; import java.util.List; -import java.util.concurrent.TimeUnit; /** * Created by hyoty on 25.9.2015. */ @Slf4j public class MonitorClient { + private static final int TIMEOUT_AWAIT = 10 * 1000; - public static final int TIMEOUT_AWAIT = 10; - public static final int TIMEOUT_REQUEST = 5; + private final RpcClient metricsRpcClient; - private final ActorSelection metricsProvider; - - public MonitorClient(ActorSelection metricsProvider) { - this.metricsProvider = metricsProvider; + public MonitorClient() throws Exception { + this.metricsRpcClient = RpcClient.newClient(SystemProperties.getGrpcInternalHost(), + SystemProperties.getEnvMonitorPort(), TIMEOUT_AWAIT, MetricsRpcExecutionContext::new); } /** 
@@ -62,21 +58,31 @@ public MonitorClient(ActorSelection metricsProvider) { */ public MetricSetType getMetrics(List metricNames, boolean isOwner) { try { - final Future response = Patterns.ask(metricsProvider, - new SystemMetricsRequest(metricNames, isOwner), - Timeout.apply(TIMEOUT_REQUEST, TimeUnit.SECONDS)); - Object obj = Await.result(response, Duration.apply(TIMEOUT_AWAIT, TimeUnit.SECONDS)); - if (obj instanceof SystemMetricsResponse) { - final SystemMetricsResponse result = (SystemMetricsResponse) obj; - return MetricTypes.of(result.getMetrics()); - } else { - throw new CodedException(ErrorCodes.X_INTERNAL_ERROR, "Unexpected response"); - } + var response = metricsRpcClient.execute(ctx -> ctx.getMetricsServiceBlockingStub().getMetrics(SystemMetricsReq.newBuilder() + .setIsClientOwner(isOwner) + .addAllMetricNames(metricNames) + .build())); + //TODO grpc REQUEST timeout is missing? it was 5secs + + return MetricTypes.of(response.getMetrics()); } catch (Exception e) { log.warn("Unable to read metrics", e); throw new CodedException(ErrorCodes.X_INTERNAL_ERROR, "Unable to read metrics"); } } + public void shutdown() { + metricsRpcClient.shutdown(); + } + + @Getter + private static class MetricsRpcExecutionContext implements RpcClient.ExecutionContext { + private final MetricsServiceGrpc.MetricsServiceBlockingStub metricsServiceBlockingStub; + + MetricsRpcExecutionContext(Channel channel) { + metricsServiceBlockingStub = MetricsServiceGrpc.newBlockingStub(channel); + } + } + } 
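Review bot: `getMetrics` calls the blocking stub without a per-call deadline, and the `//TODO grpc` line records that the former 5-second request timeout was dropped. Unless `RpcClient.execute` applies a deadline itself (not visible here), a stalled monitor process will block the proxy thread serving the request. Set it on the stub, e.g. `ctx.getMetricsServiceBlockingStub().withDeadlineAfter(TIMEOUT_REQUEST_MS, TimeUnit.MILLISECONDS).getMetrics(...)`, where `TIMEOUT_REQUEST_MS` is a constant name constructed for this note. `TIMEOUT_AWAIT` also changed from `10` to `10 * 1000` with no unit in its name, so a `// milliseconds` comment or an `_MS` suffix would stop it being read as seconds.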
diff --git a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/ProxyMonitorAgent.java b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/ProxyMonitorService.java similarity index 56% rename from src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/ProxyMonitorAgent.java rename to src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/ProxyMonitorService.java index 74898a1390..5bf03a052d 100644 --- a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/ProxyMonitorAgent.java +++ b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/ProxyMonitorService.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
@@ -26,50 +26,55 @@ package ee.ria.xroad.proxymonitor.util; import ee.ria.xroad.common.util.SystemMetrics; -import ee.ria.xroad.monitor.common.StatsRequest; -import ee.ria.xroad.monitor.common.StatsResponse; -import akka.actor.UntypedAbstractActor; import com.sun.management.UnixOperatingSystemMXBean; +import io.grpc.stub.StreamObserver; import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.monitor.common.MonitorServiceGrpc; +import org.niis.xroad.monitor.common.StatsReq; +import org.niis.xroad.monitor.common.StatsResp; /** * Proxy monitoring agent */ @Slf4j -public class ProxyMonitorAgent extends UntypedAbstractActor { +public class ProxyMonitorService extends MonitorServiceGrpc.MonitorServiceImplBase { private boolean failureState = false; @Override - public void onReceive(Object o) throws Throwable { - if (o instanceof StatsRequest) { - handleStatsRequest(); + public void getStats(StatsReq request, StreamObserver responseObserver) { + try { + responseObserver.onNext(handleStatsRequest()); + } catch (Exception e) { + responseObserver.onError(e); } + responseObserver.onCompleted(); } - private void handleStatsRequest() { + private StatsResp handleStatsRequest() throws InternalError { final UnixOperatingSystemMXBean stats = SystemMetrics.getStats(); try { - final StatsResponse response = new StatsResponse( - stats.getOpenFileDescriptorCount(), - stats.getMaxFileDescriptorCount(), - Math.max(stats.getSystemCpuLoad(), 0d), - stats.getCommittedVirtualMemorySize(), - stats.getFreePhysicalMemorySize(), - stats.getTotalPhysicalMemorySize(), - stats.getFreeSwapSpaceSize(), - stats.getTotalSwapSpaceSize()); + final StatsResp response = StatsResp.newBuilder() + .setOpenFileDescriptorCount(stats.getOpenFileDescriptorCount()) + .setMaxFileDescriptorCount(stats.getMaxFileDescriptorCount()) + .setSystemCpuLoad(Math.max(stats.getSystemCpuLoad(), 0d)) + .setCommittedVirtualMemorySize(stats.getCommittedVirtualMemorySize()) + 
.setFreePhysicalMemorySize(stats.getFreePhysicalMemorySize()) + .setTotalPhysicalMemorySize(stats.getTotalPhysicalMemorySize()) + .setFreeSwapSpaceSize(stats.getFreeSwapSpaceSize()) + .setTotalSwapSpaceSize(stats.getTotalSwapSpaceSize()) + .build(); + failureState = false; - sender().tell(response, self()); - } catch (InternalError ignored) { - // Querying stats fails with an java.lang.InternalError if all file descriptors are in use - // An uncaught InternalError (by default) stops the actorsystem and Akka forces the JVM to exit. + return response; + } catch (InternalError internalError) { if (!failureState) { //Avoid logging periodically during failure. - log.error("Failed to retrieve OS stats", ignored); + log.error("Failed to retrieve OS stats", internalError); failureState = true; } + throw internalError; } } } diff --git a/src/addons/proxymonitor/metaservice/src/test/java/ee/ria/xroad/proxy/serverproxy/MetricsQueryBuilder.java b/src/addons/proxymonitor/metaservice/src/test/java/ee/ria/xroad/proxy/serverproxy/MetricsQueryBuilder.java index 9c8f25d8f4..c82d41c613 100644 --- a/src/addons/proxymonitor/metaservice/src/test/java/ee/ria/xroad/proxy/serverproxy/MetricsQueryBuilder.java +++ b/src/addons/proxymonitor/metaservice/src/test/java/ee/ria/xroad/proxy/serverproxy/MetricsQueryBuilder.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/addons/proxymonitor/metaservice/src/test/java/ee/ria/xroad/proxy/serverproxy/ProxyMonitorServiceHandlerMetricsTest.java b/src/addons/proxymonitor/metaservice/src/test/java/ee/ria/xroad/proxy/serverproxy/ProxyMonitorServiceHandlerMetricsTest.java index 846116bf4d..9315c972ce 100644 --- a/src/addons/proxymonitor/metaservice/src/test/java/ee/ria/xroad/proxy/serverproxy/ProxyMonitorServiceHandlerMetricsTest.java 
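Review bot: `getStats` calls `responseObserver.onCompleted()` unconditionally, so after a failure it runs straight after `onError`, although a `StreamObserver` allows only one terminal call. The `catch (Exception e)` also cannot catch the `InternalError` that `handleStatsRequest()` rethrows, because it is an `Error`; the file-descriptor exhaustion case this method was written for therefore escapes `getStats` without any `onError`. Complete only on success and map both failure kinds to a gRPC status as below (this needs `io.grpc.Status`). `failureState` is now touched by gRPC worker threads instead of a single actor, so it probably wants to be `volatile`.

```java
@Override
public void getStats(StatsReq request, StreamObserver<StatsResp> responseObserver) {
    try {
        responseObserver.onNext(handleStatsRequest());
        responseObserver.onCompleted();
    } catch (Exception | InternalError e) {
        // InternalError is raised when all file descriptors are in use; report it instead of letting it escape
        responseObserver.onError(Status.INTERNAL
                .withDescription("Failed to retrieve OS stats")
                .withCause(e)
                .asRuntimeException());
    }
}
// … unchanged: handleStatsRequest() …
```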
+++ b/src/addons/proxymonitor/metaservice/src/test/java/ee/ria/xroad/proxy/serverproxy/ProxyMonitorServiceHandlerMetricsTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/addons/proxymonitor/metaservice/src/test/java/ee/ria/xroad/proxy/serverproxy/ProxyMonitorServiceHandlerTest.java b/src/addons/proxymonitor/metaservice/src/test/java/ee/ria/xroad/proxy/serverproxy/ProxyMonitorServiceHandlerTest.java index 8930aea8f4..94e329ead7 100644 --- a/src/addons/proxymonitor/metaservice/src/test/java/ee/ria/xroad/proxy/serverproxy/ProxyMonitorServiceHandlerTest.java +++ b/src/addons/proxymonitor/metaservice/src/test/java/ee/ria/xroad/proxy/serverproxy/ProxyMonitorServiceHandlerTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/addons/proxymonitor/metaservice/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/SecurityServerMetricsMessage.java b/src/addons/proxymonitor/metaservice/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/SecurityServerMetricsMessage.java index 79acfc6227..679b5adc14 100644 --- a/src/addons/proxymonitor/metaservice/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/SecurityServerMetricsMessage.java +++ b/src/addons/proxymonitor/metaservice/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/SecurityServerMetricsMessage.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
@@ -25,15 +25,12 @@ */ package ee.ria.xroad.proxy.testsuite.testcases; +import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.conf.globalconf.GlobalConf; import ee.ria.xroad.common.conf.serverconf.ServerConf; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.identifier.SecurityServerId; import ee.ria.xroad.common.message.SoapMessageImpl; -import ee.ria.xroad.monitor.common.SystemMetricsRequest; -import ee.ria.xroad.monitor.common.SystemMetricsResponse; -import ee.ria.xroad.monitor.common.dto.HistogramDto; -import ee.ria.xroad.monitor.common.dto.MetricSetDto; import ee.ria.xroad.proxy.conf.KeyConf; import ee.ria.xroad.proxy.testsuite.Message; import ee.ria.xroad.proxy.testsuite.MessageTestCase; 
@@ -46,29 +43,30 @@ import ee.ria.xroad.proxymonitor.message.MetricSetType; import ee.ria.xroad.proxymonitor.message.MetricType; -import akka.actor.ActorSystem; -import akka.actor.Props; -import akka.actor.UntypedAbstractActor; -import com.typesafe.config.Config; -import com.typesafe.config.ConfigFactory; +import com.google.protobuf.util.Timestamps; +import io.grpc.stub.StreamObserver; import lombok.extern.slf4j.Slf4j; -import scala.concurrent.Await; -import scala.concurrent.duration.Duration; +import org.niis.xroad.common.rpc.server.RpcServer; +import org.niis.xroad.monitor.common.HistogramMetrics; +import org.niis.xroad.monitor.common.Metrics; +import org.niis.xroad.monitor.common.MetricsGroup; +import org.niis.xroad.monitor.common.MetricsServiceGrpc; +import org.niis.xroad.monitor.common.SystemMetricsReq; +import org.niis.xroad.monitor.common.SystemMetricsResp; import javax.xml.bind.JAXBContext; import javax.xml.bind.Unmarshaller; import javax.xml.soap.SOAPBody; import java.math.BigDecimal; -import java.nio.file.Paths; import java.util.List; import static ee.ria.xroad.proxy.util.MetaserviceTestUtil.verifyAndGetSingleBodyElementOfType; +import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.instanceOf; import static org.hamcrest.Matchers.isIn; import static org.hamcrest.core.Is.is; -import static org.junit.Assert.assertThat; /** * Test member list retrieval 
@@ -76,16 +74,12 @@ */ @Slf4j public class SecurityServerMetricsMessage extends MessageTestCase { - private static final String EXPECTED_XR_INSTANCE = "EE"; private static final ClientId.Conf DEFAULT_OWNER_CLIENT = ClientId.Conf.create(EXPECTED_XR_INSTANCE, "BUSINESS", "producer"); private static final SecurityServerId.Conf DEFAULT_OWNER_SERVER = SecurityServerId.Conf.create(DEFAULT_OWNER_CLIENT, "ownerServer"); - private static final ActorSystem ACTOR_SYSTEM - = ActorSystem.create("xroad-monitor", loadAkkaConfiguration()); - private static final String EXPECTED_METRIC_SET_NAME = "someMetricSet"; private static final double MIN_VALUE = 0.125; private static final BigDecimal EXPECTED_RESPONSE_MIN_VALUE = BigDecimal.valueOf(MIN_VALUE); @@ -94,6 +88,7 @@ public class SecurityServerMetricsMessage extends MessageTestCase { private static Unmarshaller unmarshaller; + private static RpcServer monitorRpcServer; /** * Constructs the test case. @@ -102,8 +97,6 @@ public SecurityServerMetricsMessage() { this.requestFileName = "getMetrics.query"; } - - @Override protected void validateNormalResponse(Message receivedResponse) throws Exception { @@ -147,6 +140,12 @@ protected void validateNormalResponse(Message receivedResponse) protected void startUp() throws Exception { super.startUp(); + monitorRpcServer = RpcServer.newServer( + SystemProperties.getGrpcInternalHost(), + SystemProperties.getEnvMonitorPort(), + builder -> builder.addService(new MockMetricsProvider())); + monitorRpcServer.start(); + GlobalConf.reload(new TestSuiteGlobalConf() { @Override public String getInstanceIdentifier() { 
@@ -162,44 +161,44 @@ public SecurityServerId.Conf getIdentifier() { }); unmarshaller = JAXBContext.newInstance(GetSecurityServerMetricsResponse.class).createUnmarshaller(); - - ACTOR_SYSTEM.actorOf(Props.create(MockMetricsProvider.class), "MetricsProviderActor"); } @Override protected void closeDown() throws Exception { - Await.ready(ACTOR_SYSTEM.terminate(), Duration.Inf()); + monitorRpcServer.stop(); } - private static SystemMetricsResponse createMetricsResponse() { - HistogramDto histogramDto = new HistogramDto("exampleHistogram", - 75, 95, 98, 99, - 99.9, MAX_VALUE, 50, 51, MIN_VALUE, 2); - MetricSetDto.Builder builder = new MetricSetDto.Builder(EXPECTED_METRIC_SET_NAME); - builder.withMetric(histogramDto); - return new SystemMetricsResponse(builder.build()); - } - - - private static Config loadAkkaConfiguration() { - Config config = ConfigFactory.parseFile(Paths.get("src/test/resources/application.conf").toFile()); - return ConfigFactory.load(config); + private static SystemMetricsResp createMetricsResponse() { + var histogram = HistogramMetrics.newBuilder() + .setName("exampleHistogram") + .setUpdateDateTime(Timestamps.now()) + .setDistribution75ThPercentile(75) + .setDistribution95ThPercentile(95) + .setDistribution98ThPercentile(98) + .setDistribution99ThPercentile(99) + .setDistribution999ThPercentile(99.9) + .setMax(MAX_VALUE) + .setMean(50) + .setMedian(51) + .setMin(MIN_VALUE) + .setStdDev(2); + + return SystemMetricsResp.newBuilder() + .setMetrics(MetricsGroup.newBuilder() + .setName(EXPECTED_METRIC_SET_NAME) + .addMetrics(Metrics.newBuilder().setSingleHistogram(histogram))) + .build(); } /** * Mock provider for metrics data */ - public static class MockMetricsProvider extends UntypedAbstractActor { + public static class MockMetricsProvider extends MetricsServiceGrpc.MetricsServiceImplBase { @Override - public void onReceive(Object message) throws Throwable { - if (message instanceof SystemMetricsRequest) { - getSender().tell(createMetricsResponse(), 
getSelf()); - - } else { - unhandled(message); - } - + public void getMetrics(SystemMetricsReq request, StreamObserver responseObserver) { + responseObserver.onNext(createMetricsResponse()); + responseObserver.onCompleted(); } } } diff --git a/src/addons/proxymonitor/metaservice/src/test/resources/application.conf b/src/addons/proxymonitor/metaservice/src/test/resources/application.conf deleted file mode 100644 index aec602b7dd..0000000000 --- a/src/addons/proxymonitor/metaservice/src/test/resources/application.conf +++ /dev/null @@ -1,14 +0,0 @@ -akka { - actor { - provider = remote - allow-java-serialization = true - } - remote { - artery { - canonical { - hostname = "127.0.0.1" - port = 2552 - } - } - } -} diff --git a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyInitHook.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyInitHook.java index fc048bf431..f92381ada3 100644 --- a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyInitHook.java +++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyInitHook.java @@ -52,10 +52,10 @@ public void beforeSuite() { var port = testableApplicationInfoProvider.getMappedPort(SystemProperties.getGrpcSignerPort()); log.info("Will use {}:{} for signer RPC connection..", host, port); - System.setProperty(SystemProperties.GRPC_SIGNER_HOST, host); + System.setProperty(SystemProperties.GRPC_INTERNAL_HOST, host); System.setProperty(SystemProperties.GRPC_SIGNER_PORT, String.valueOf(port)); - System.setProperty(SystemProperties.GRPC_SIGNER_HOST, host); + System.setProperty(SystemProperties.GRPC_INTERNAL_HOST, host); System.setProperty(SystemProperties.GRPC_INTERNAL_KEYSTORE, "build/resources/intTest/signer-container-files/etc/xroad/transport-keystore/grpc-internal-keystore.p12"); 
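Review bot: In `beforeSuite`, `System.setProperty(SystemProperties.GRPC_INTERNAL_HOST, host);` is now set twice, once before and once after the `GRPC_SIGNER_PORT` line; the rename carried over a duplicate that already existed for `GRPC_SIGNER_HOST`. The second call has no effect and can be dropped. The hook goes on to configure `GRPC_INTERNAL_KEYSTORE`, so the suite presumably expects internal TLS to be on; setting `SystemProperties.GRPC_INTERNAL_TLS_ENABLED` to `true` explicitly here would keep that from depending on the default. The body of `beforeSuite` starts and ends outside the hunk.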
diff --git a/src/common/common-rpc/build.gradle b/src/common/common-rpc/build.gradle index 12e6ed492b..e6169fe329 100644 --- a/src/common/common-rpc/build.gradle +++ b/src/common/common-rpc/build.gradle @@ -1,5 +1,16 @@ plugins { id 'java-library' + id 'com.google.protobuf' +} + +sourceSets { + main { + java.srcDirs = [ + 'src/main/java' + , 'build/generated-sources' + , 'build/generated/source/proto/main/grpc' + , 'build/generated/source/proto/main/java'] + } } dependencies { @@ -9,6 +20,18 @@ dependencies { api "io.grpc:grpc-protobuf:${grpcVersion}" api "io.grpc:grpc-stub:${grpcVersion}" api "io.grpc:grpc-netty-shaded:${grpcVersion}" + api "com.google.protobuf:protobuf-java-util:${protocVersion}" api "jakarta.annotation:jakarta.annotation-api:1.3.5" +} +protobuf { + protoc { artifact = "com.google.protobuf:protoc:$protocVersion" } + plugins { + grpc { artifact = "io.grpc:protoc-gen-grpc-java:$grpcVersion" } + } + generateProtoTasks { + all()*.plugins { grpc {} } + } } + +compileJava.dependsOn generateProto diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/UnhandledListenerActor.java b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/InsecureRpcCredentialsConfigurer.java similarity index 71% rename from src/monitor/src/main/java/ee/ria/xroad/monitor/UnhandledListenerActor.java rename to src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/InsecureRpcCredentialsConfigurer.java index 9a6d7d5e85..73ee67b435 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/UnhandledListenerActor.java +++ b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/InsecureRpcCredentialsConfigurer.java @@ -1,5 +1,6 @@ -/** +/* * The MIT License + * * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) 
@@ -23,23 +24,26 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ -package ee.ria.xroad.monitor; +package org.niis.xroad.common.rpc; -import akka.actor.UnhandledMessage; -import akka.actor.UntypedAbstractActor; +import io.grpc.ChannelCredentials; +import io.grpc.InsecureChannelCredentials; +import io.grpc.InsecureServerCredentials; +import io.grpc.ServerCredentials; +import lombok.AccessLevel; +import lombok.NoArgsConstructor; import lombok.extern.slf4j.Slf4j; -/** - * Created by janne on 17.5.2017. - */ @Slf4j -public class UnhandledListenerActor extends UntypedAbstractActor { - @Override - public void onReceive(Object o) throws Exception { - if (o instanceof UnhandledMessage) { - log.error("Unhandled message {}", o); - } else { - unhandled(o); - } +@NoArgsConstructor(access = AccessLevel.PRIVATE) +public class InsecureRpcCredentialsConfigurer { + + public static ServerCredentials createServerCredentials() { + return InsecureServerCredentials.create(); + } + + public static ChannelCredentials createClientCredentials() { + return InsecureChannelCredentials.create(); + } } diff --git a/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/ServerCredentialsConfigurer.java b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/RpcCredentialsConfigurer.java similarity index 98% rename from src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/ServerCredentialsConfigurer.java rename to src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/RpcCredentialsConfigurer.java index 760127d602..f0959452ba 100644 --- a/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/ServerCredentialsConfigurer.java +++ b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/RpcCredentialsConfigurer.java 
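Review bot: `InsecureRpcCredentialsConfigurer` has no Javadoc, and nothing in the class tells a reader that the credentials it returns give neither transport encryption nor peer authentication. A class comment such as `/** Plaintext gRPC credentials: no encryption, no peer authentication. Meant only for the case where SystemProperties.isGrpcInternalTlsEnabled() is false. */` would make the trade-off visible at the call sites. `@Slf4j` is unused in the class as shown and can be removed.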
@@ -24,7 +24,7 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ -package org.niis.xroad.signer.grpc; +package org.niis.xroad.common.rpc; import ee.ria.xroad.common.SystemProperties; @@ -54,7 +54,7 @@ @Slf4j @NoArgsConstructor(access = AccessLevel.PRIVATE) -public class ServerCredentialsConfigurer { +public class RpcCredentialsConfigurer { public static ServerCredentials createServerCredentials() throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException { diff --git a/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java new file mode 100644 index 0000000000..6a776684b5 --- /dev/null +++ b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java 
@@ -0,0 +1,156 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package org.niis.xroad.common.rpc.client;
+
+import ee.ria.xroad.common.CodedException;
+import ee.ria.xroad.common.SystemProperties;
+
+import com.google.protobuf.Any;
+import com.google.protobuf.InvalidProtocolBufferException;
+import io.grpc.CallOptions;
+import io.grpc.Channel;
+import io.grpc.ClientCall;
+import io.grpc.ClientInterceptor;
+import io.grpc.Grpc;
+import io.grpc.ManagedChannel;
+import io.grpc.MethodDescriptor;
+import io.grpc.Status;
+import io.grpc.StatusRuntimeException;
+import lombok.extern.slf4j.Slf4j;
+import org.niis.xroad.common.rpc.InsecureRpcCredentialsConfigurer;
+import org.niis.xroad.common.rpc.RpcCredentialsConfigurer;
+import org.niis.xroad.rpc.error.CodedExceptionProto;
+
+import static ee.ria.xroad.common.ErrorCodes.SIGNER_X;
+import static java.util.concurrent.TimeUnit.MILLISECONDS;
+
+@Slf4j
+public final class RpcClient {
+ private static final int DEFAULT_DEADLINE_MILIS = 60000;
+
+ private final ManagedChannel channel;
+
+ private final C executionContext;
+
+ /**
+ * Construct client for accessing Signer services using the provided channel.
+ */
+ private RpcClient(final ManagedChannel channel, final C executionContext) {
+ this.channel = channel;
+ this.executionContext = executionContext;
+ }
+
+ public static RpcClient newClient(
+ String host, int port, ExecutionContextFactory contextFactory) throws Exception {
+ return newClient(host, port, DEFAULT_DEADLINE_MILIS, contextFactory);
+ }
+
+ public static RpcClient newClient(
+ String host, int port, int clientTimeoutMillis, ExecutionContextFactory contextFactory) throws Exception {
+ var credentials = SystemProperties.isGrpcInternalTlsEnabled()
+ ?
RpcCredentialsConfigurer.createClientCredentials() : InsecureRpcCredentialsConfigurer.createClientCredentials();
+
+ log.info("Starting grpc client with {} credentials..", credentials.getClass().getSimpleName());
+
+ final ClientInterceptor timeoutInterceptor = new ClientInterceptor() {
+ @Override
+ public ClientCall interceptCall(
+ MethodDescriptor method, CallOptions callOptions, Channel next) {
+ return next.newCall(method, callOptions.withDeadlineAfter(clientTimeoutMillis, MILLISECONDS));
+ }
+ };
+
+ ManagedChannel channel = Grpc.newChannelBuilderForAddress(host, port, credentials)
+ .intercept(timeoutInterceptor)
+ .build();
+
+ var executionContext = contextFactory.createContext(channel);
+ return new RpcClient<>(channel, executionContext);
+ }
+
+ public void shutdown() {
+ if (channel.isShutdown()) {
+ log.warn("gRPC client is already shutdown!");
+ } else {
+ channel.shutdown();
+ }
+ }
+
+ public void executeAsync(AsyncRpcExecution grpcCall) {
+ grpcCall.exec(executionContext);
+ }
+
+ public V execute(RpcExecution grpcCall) throws Exception {
+ try {
+ return grpcCall.exec(executionContext);
+ } catch (StatusRuntimeException error) {
+ if (error.getStatus().getCode() == Status.Code.DEADLINE_EXCEEDED) {
+ throw CodedException.tr(SIGNER_X, "signer_client_timeout", "Signer client timed out")
+ .withPrefix(SIGNER_X);
+ }
+ com.google.rpc.Status status = io.grpc.protobuf.StatusProto.fromThrowable(error);
+ if (status != null) {
+ for (Any any : status.getDetailsList()) {
+ if (any.is(CodedExceptionProto.class)) {
+ try {
+ final CodedExceptionProto ce = any.unpack(CodedExceptionProto.class);
+ throw CodedException.tr(ce.getFaultCode(), ce.getTranslationCode(), ce.getFaultString())
+ .withPrefix(SIGNER_X);
+ } catch (InvalidProtocolBufferException e) {
+ throw new RuntimeException("Failed to parse grpc message", e);
+ }
+ }
+ }
+ }
+ throw error;
+ }
+ }
+
+ @FunctionalInterface
+ public interface RpcExecution {
+ /**
+ * Computes a result, or throws an
exception if unable to do so. + * + * @return computed result + */ + V exec(C ctx) throws Exception; + } + + @FunctionalInterface + public interface AsyncRpcExecution { + /** + * Computes a result, or throws an exception if unable to do so. + */ + void exec(C ctx); + } + + public interface ExecutionContextFactory { + C createContext(Channel channel); + } + + public interface ExecutionContext { + } +} diff --git a/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/server/RpcServer.java similarity index 81% rename from src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java rename to src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/server/RpcServer.java index 25f2b2c9db..3c7ab11192 100644 --- a/src/common/common-rpc/src/main/java/org/niis/xroad/signer/grpc/RpcServer.java +++ b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/server/RpcServer.java @@ -24,13 +24,18 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ -package org.niis.xroad.signer.grpc; +package org.niis.xroad.common.rpc.server; + +import ee.ria.xroad.common.SystemProperties; +import ee.ria.xroad.common.util.StartStop; import io.grpc.Server; import io.grpc.ServerBuilder; import io.grpc.ServerCredentials; import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder; import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.common.rpc.InsecureRpcCredentialsConfigurer; +import org.niis.xroad.common.rpc.RpcCredentialsConfigurer; import java.io.IOException; import java.net.InetSocketAddress; 
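Review bot: `newClient` falls back to `InsecureRpcCredentialsConfigurer.createClientCredentials()` whenever `SystemProperties.isGrpcInternalTlsEnabled()` is false, and the only trace is an info line carrying the credentials class name. With that setting the channel is unencrypted and the peer is not authenticated, so the downgrade should be logged at warn, e.g. `if (!SystemProperties.isGrpcInternalTlsEnabled()) { log.warn("gRPC internal TLS is disabled, connecting to {}:{} in plaintext", host, port); }`. `RpcServer.newServer` in the same commit makes the same choice on the listening side and needs the same warning; there it is also worth rejecting a non-loopback `host` while TLS is off, since the server would otherwise accept unauthenticated calls from the network.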
@@ -39,13 +44,11 @@ import java.security.UnrecoverableKeyException; import java.util.function.Consumer; -import static org.niis.xroad.signer.grpc.ServerCredentialsConfigurer.createServerCredentials; - /** * Server that manages startup/shutdown of RPC server. */ @Slf4j -public class RpcServer { +public class RpcServer implements StartStop { private final Server server; public RpcServer(final String host, final int port, final ServerCredentials creds, final Consumer> configFunc) { @@ -55,13 +58,15 @@ public RpcServer(final String host, final int port, final ServerCredentials cred server = builder.build(); } + @Override public void start() throws IOException { server.start(); log.info("RPC server has started, listening on {}", server.getListenSockets()); } - public void shutdown() { + @Override + public void stop() throws Exception { if (server != null) { log.info("Shutting down RPC server.."); server.shutdown(); @@ -69,9 +74,16 @@ public void shutdown() { } } + @Override + public void join() throws InterruptedException { + //NO-OP + } + + public static RpcServer newServer(String host, int port, Consumer> configFunc) throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException { - var serverCredentials = createServerCredentials(); + var serverCredentials = SystemProperties.isGrpcInternalTlsEnabled() + ? RpcCredentialsConfigurer.createServerCredentials() : InsecureRpcCredentialsConfigurer.createServerCredentials(); log.info("Initializing RPC server with {} credentials..", serverCredentials.getClass().getSimpleName()); return new RpcServer(host, port, serverCredentials, configFunc); diff --git a/src/signer-protocol/src/main/proto/error_handling.proto b/src/common/common-rpc/src/main/proto/error_handling.proto similarity index 96% rename from src/signer-protocol/src/main/proto/error_handling.proto rename to src/common/common-rpc/src/main/proto/error_handling.proto index 9c0841af2a..a5fd0e4468 100644 
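Review bot: `join()` is implemented as a no-op, so a caller that relies on the `StartStop` contract to wait for the server returns at once, while the visible part of `stop()` has only called `server.shutdown()` and in-flight calls may still be running. Assuming `StartStop.join()` is meant to block until the component has finished, `server.awaitTermination();` in place of `//NO-OP` does that. `stop()` continues outside the hunk, so whether it already waits for termination cannot be seen here.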
--- a/src/signer-protocol/src/main/proto/error_handling.proto +++ b/src/common/common-rpc/src/main/proto/error_handling.proto @@ -26,7 +26,7 @@ syntax = "proto3"; option java_multiple_files = true; -option java_package = "ee.ria.xroad.signer.protocol.dto"; +option java_package = "org.niis.xroad.rpc.error"; // todo rename the exception and the fields. should not be using soap fault naming inside signer. message CodedExceptionProto { diff --git a/src/common/common-test/build.gradle b/src/common/common-test/build.gradle index 04d104fac7..636579a36c 100644 --- a/src/common/common-test/build.gradle +++ b/src/common/common-test/build.gradle @@ -1,22 +1,23 @@ plugins { - id 'java-library' + id 'java-library' } dependencies { - implementation project(':common:common-util') - implementation project(':common:common-verifier') - implementation 'org.antlr:ST4:4.0.7' - // JUnit is needed for ExpectedCodedException - implementation "junit:junit:$junitVersion" - api "org.mockito:mockito-core:$mockitoVersion" + implementation project(':common:common-util') + implementation project(':common:common-verifier') + implementation 'org.antlr:ST4:4.0.7' + // JUnit is needed for ExpectedCodedException + implementation "junit:junit:$junitVersion" + api "org.mockito:mockito-core:$mockitoVersion" + api("org.awaitility:awaitility:$awaitilityVersion") - implementation "io.vavr:vavr:$vavrVersion" + implementation "io.vavr:vavr:$vavrVersion" } sourceSets { - main { - resources { - srcDir 'src/test/certs' - } + main { + resources { + srcDir 'src/test/certs' } + } } diff --git a/src/common/common-test/src/main/java/ee/ria/xroad/common/TestPortUtils.java b/src/common/common-test/src/main/java/ee/ria/xroad/common/TestPortUtils.java new file mode 100644 index 0000000000..e1ae8b89e2 --- /dev/null +++ b/src/common/common-test/src/main/java/ee/ria/xroad/common/TestPortUtils.java 
@@ -0,0 +1,16 @@ +package ee.ria.xroad.common; + +import lombok.experimental.UtilityClass; + +import java.io.IOException; +import java.net.ServerSocket; + +@UtilityClass +public class TestPortUtils { + + public static Integer findRandomPort() throws IOException { + try (ServerSocket socket = new ServerSocket(0)) { + return socket.getLocalPort(); + } + } +} diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/PortNumbers.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/PortNumbers.java index 8633344ef7..87cc1f6e27 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/PortNumbers.java +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/PortNumbers.java @@ -69,8 +69,16 @@ public final class PortNumbers { /** Port of the operational monitoring daemon. */ public static final int OP_MONITOR_DAEMON_PORT = 2080; - /** Proxy actorsystem port */ - public static final int PROXY_ACTORSYSTEM_PORT = 5567; + /** + * Proxy actorsystem port + */ + @Deprecated + public static final int PROXY_ACTORSYSTEM_PORT = 5568; + + /** + * Proxy grpc port + */ + public static final int PROXY_GRPC_PORT = 5567; private PortNumbers() { } diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java index fe7da00058..91e912c673 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java @@ -277,8 +277,6 @@ private SystemProperties() { private static final String PROXY_HEALTH_CHECK_PORT = PREFIX + "proxy.health-check-port"; - private static final String PROXY_ACTORSYSTEM_PORT = PREFIX + "proxy.actorsystem-port"; - private static final String ENFORCE_CLIENT_IS_CERT_VALIDITY_PERIOD_CHECK = PREFIX + "proxy.enforce-client-is-cert-validity-period-check"; 
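Review bot: `findRandomPort` closes the probing `ServerSocket` before it returns, so the port is free again by the time the caller binds it and another process or a parallel test can take it in between. That is acceptable for a test helper but should be stated, e.g. `/** Returns a port that was free at the time of the call; the port is not reserved, so the caller must tolerate a bind failure. */`. Returning `int` instead of `Integer` avoids needless boxing, and the new file lacks the MIT license header that the other new source files in this commit carry.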
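Review bot: `PROXY_ACTORSYSTEM_PORT` is marked `@Deprecated`, but its value also changes from 5567 to 5568 while the new `PROXY_GRPC_PORT` takes over 5567, and the Javadoc says nothing about either. Any code, documentation or firewall rule still tied to the old constant or port number now refers to a different listener. Add a Javadoc tag naming the replacement, e.g. `@deprecated the Akka actor system is replaced by gRPC, use {@link #PROXY_GRPC_PORT}`, or remove the constant if nothing reads it any more (the `SystemProperties` hunk in this commit deletes `getProxyActorSystemPort`).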
@@ -623,10 +621,16 @@ public enum AllowedFederationMode { ALL, NONE, CUSTOM } // gRPC internal cross-component transport configuration -------------------------- // /** - * Property name for gRPC signer host. + * Property name for gRPC host. */ - public static final String GRPC_SIGNER_HOST = - PREFIX + "grpc.signer.host"; + public static final String GRPC_INTERNAL_HOST = + PREFIX + "grpc.internal.host"; + + /** + * Property name for gRPC host. + */ + public static final String GRPC_INTERNAL_TLS_ENABLED = + PREFIX + "grpc.internal.tls-enabled"; /** * Property name for gRPC signer port. @@ -634,6 +638,8 @@ public enum AllowedFederationMode { ALL, NONE, CUSTOM } public static final String GRPC_SIGNER_PORT = PREFIX + "grpc.signer.port"; + public static final String PROXY_GRPC_PORT = PREFIX + "grpc.proxy.port"; + /** * Property name for gRPC internal keystore location. */ @@ -1259,10 +1265,10 @@ public static int getProxyParamsCollectingInterval() { } /** - * @return proxy actorsystem port, {@link PortNumbers#PROXY_ACTORSYSTEM_PORT} by default. + * @return proxy grpc port, {@link PortNumbers#PROXY_GRPC_PORT} by default. */ - public static int getProxyActorSystemPort() { - return Integer.getInteger(PROXY_ACTORSYSTEM_PORT, PortNumbers.PROXY_ACTORSYSTEM_PORT); + public static int getProxyGrpcPort() { + return Integer.getInteger(PROXY_GRPC_PORT, PortNumbers.PROXY_GRPC_PORT); } /** @@ -1707,8 +1713,15 @@ public static boolean isHSMHealthCheckEnabled() { /** * @return gRPC signer host. */ - public static String getGrpcSignerHost() { - return System.getProperty(GRPC_SIGNER_HOST, "127.0.0.1"); + public static String getGrpcInternalHost() { + return System.getProperty(GRPC_INTERNAL_HOST, "127.0.0.1"); + } + + /** + * @return gRPC signer host. + */ + public static boolean isGrpcInternalTlsEnabled() { + return Boolean.parseBoolean(System.getProperty(GRPC_INTERNAL_TLS_ENABLED, Boolean.TRUE.toString())); } /** 
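Review bot: `isGrpcInternalTlsEnabled()` uses `Boolean.parseBoolean`, which returns false for every value other than "true", so a typo or a value such as `1` or `yes` in the property silently switches internal gRPC to plaintext. The check should fail closed and disable TLS only on an explicit "false": `return !"false".equalsIgnoreCase(System.getProperty(GRPC_INTERNAL_TLS_ENABLED, "true"));`. The Javadoc is also copied from the host property: the constant `GRPC_INTERNAL_TLS_ENABLED` is described as "Property name for gRPC host." and the getter as "@return gRPC signer host."; they should read, for example, `Property name for enabling TLS on internal gRPC connections.` and `@return true if internal gRPC connections use TLS.`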
diff --git a/src/gradle.properties b/src/gradle.properties index 028d6cbcd2..71c12645b6 100644 --- a/src/gradle.properties +++ b/src/gradle.properties @@ -65,6 +65,6 @@ bucket4jVersion=7.4.0 assertjVersion=3.24.1 assertj.version=${assertjVersion} swaggerAnnotationsVersion=2.2.8 -protocVersion=3.24.0 +protocVersion=3.24.3 protobufGradleVersion=0.9.4 grpcVersion=1.58.0 diff --git a/src/monitor-common/build.gradle b/src/monitor-common/build.gradle index b982bfb35b..bfca70b037 100644 --- a/src/monitor-common/build.gradle +++ b/src/monitor-common/build.gradle @@ -1,14 +1,34 @@ -apply plugin: 'java' +plugins { + id 'java-library' + id 'com.google.protobuf' +} -repositories { - mavenCentral() +sourceSets { + main { + java.srcDirs = [ + 'src/main/java' + , 'build/generated-sources' + , 'build/generated/source/proto/main/grpc' + , 'build/generated/source/proto/main/java'] + } } dependencies { + api project(':common:common-rpc') + implementation "com.google.guava:guava:$guavaVersion" + implementation "org.slf4j:slf4j-api:$slf4jVersion" - implementation "com.google.guava:guava:$guavaVersion" - implementation "org.slf4j:slf4j-api:${slf4jVersion}" + testImplementation "junit:junit:$junitVersion" +} - testImplementation "junit:junit:$junitVersion" +protobuf { + protoc { artifact = "com.google.protobuf:protoc:$protocVersion" } + plugins { + grpc { artifact = "io.grpc:protoc-gen-grpc-java:$grpcVersion" } + } + generateProtoTasks { + all()*.plugins { grpc {} } + } } +compileJava.dependsOn generateProto diff --git a/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/StatsRequest.java b/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/StatsRequest.java deleted file mode 100644 index 79b6e0dfd8..0000000000 --- a/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/StatsRequest.java +++ /dev/null 
@@ -1,34 +0,0 @@
-/**
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.monitor.common;
-
-import java.io.Serializable;
-
-/**
- * Request for system stats
- */
-public class StatsRequest implements Serializable {
-}
diff --git a/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/StatsResponse.java b/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/StatsResponse.java
deleted file mode 100644
index dca46289dc..0000000000
--- a/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/StatsResponse.java
+++ /dev/null
@@ -1,49 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.monitor.common; - -import lombok.Getter; -import lombok.RequiredArgsConstructor; - -import java.io.Serializable; - -/** - * System statistics response - * - * @see com.sun.management.UnixOperatingSystemMXBean - */ -@Getter -@RequiredArgsConstructor -public final class StatsResponse implements Serializable { - private final long openFileDescriptorCount; - private final long maxFileDescriptorCount; - private final double systemCpuLoad; - private final long committedVirtualMemorySize; - private final long freePhysicalMemorySize; - private final long totalPhysicalMemorySize; - private final long freeSwapSpaceSize; - private final long totalSwapSpaceSize; -} diff --git a/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/SystemMetricNames.java b/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/SystemMetricNames.java index f3cda92ca7..c4f3a87ef0 100644 --- a/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/SystemMetricNames.java +++ b/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/SystemMetricNames.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/SystemMetricsRequest.java b/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/SystemMetricsRequest.java deleted file mode 100644 index 01cd17ae4f..0000000000 --- a/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/SystemMetricsRequest.java +++ /dev/null 
@@ -1,51 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.monitor.common; - -import lombok.Data; - -import java.io.Serializable; -import java.util.List; - -/** - * Message for requesting system metrics data - */ -@Data -public class SystemMetricsRequest implements Serializable { - - // Can be set to null/empty to request all metrics - private List metricNames; - - private boolean isClientOwner; - - public SystemMetricsRequest() { - } - - public SystemMetricsRequest(List metricNames, boolean isClientOwner) { - this.metricNames = metricNames; - this.isClientOwner = isClientOwner; - } -} diff --git a/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/SystemMetricsResponse.java b/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/SystemMetricsResponse.java deleted file mode 100644 index 174c144e2e..0000000000 --- a/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/SystemMetricsResponse.java +++ /dev/null 
@@ -1,45 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.monitor.common; - -import ee.ria.xroad.monitor.common.dto.MetricSetDto; - -import lombok.Getter; - -import java.io.Serializable; - -/** - * Message for returning system metrics data - */ -@Getter -public class SystemMetricsResponse implements Serializable { - - private final MetricSetDto metrics; - - public SystemMetricsResponse(MetricSetDto metrics) { - this.metrics = metrics; - } -} 
diff --git a/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/dto/HistogramDto.java b/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/dto/HistogramDto.java deleted file mode 100644 index e68875c064..0000000000 --- a/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/dto/HistogramDto.java +++ /dev/null 
@@ -1,82 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.monitor.common.dto; - -import lombok.EqualsAndHashCode; -import lombok.Getter; - -import java.time.Instant; - -/** - * Created by hyoty on 24.9.2015. 
- */ - -@Getter -@EqualsAndHashCode(callSuper = true) -public class HistogramDto extends MetricDto { - /** - * The date/time when data was last updated - */ - private final Instant updateDateTime; - private final double distribution75thPercentile; - private final double distribution95thPercentile; - private final double distribution98thPercentile; - private final double distribution99thPercentile; - private final double distribution999thPercentile; - private final double max; - private final double mean; - private final double median; - private final double min; - private final double stdDev; - - /** - * Constructor - */ - public HistogramDto(String name, - double distribution75thPercentile, - double distribution95thPercentile, - double distribution98thPercentile, - double distribution99thPercentile, - double distribution999thPercentile, - double max, - double mean, - double median, - double min, - double stdDev) { - super(name); - updateDateTime = Instant.now(); - this.distribution75thPercentile = distribution75thPercentile; - this.distribution95thPercentile = distribution95thPercentile; - this.distribution98thPercentile = distribution98thPercentile; - this.distribution99thPercentile = distribution99thPercentile; - this.distribution999thPercentile = distribution999thPercentile; - this.min = min; - this.max = max; - this.mean = mean; - this.median = median; - this.stdDev = stdDev; - } -} diff --git a/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/dto/MetricDto.java b/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/dto/MetricDto.java deleted file mode 100644 index 91c30e9658..0000000000 --- a/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/dto/MetricDto.java +++ /dev/null 
@@ -1,44 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.monitor.common.dto; - -import lombok.EqualsAndHashCode; -import lombok.Getter; - -import java.io.Serializable; - -/** - * Created by hyoty on 24.9.2015. - */ -@Getter -@EqualsAndHashCode -public abstract class MetricDto implements Serializable { - private final String name; - - public MetricDto(String name) { - this.name = name; - } -} 
diff --git a/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/dto/MetricSetDto.java b/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/dto/MetricSetDto.java deleted file mode 100644 index fa9e3ada90..0000000000 --- a/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/dto/MetricSetDto.java +++ /dev/null 
@@ -1,79 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.monitor.common.dto; - -import lombok.EqualsAndHashCode; -import lombok.Getter; -import lombok.ToString; - -import java.io.Serializable; -import java.util.LinkedHashSet; -import java.util.Set; - -/** - * Created by hyoty on 24.9.2015. 
- */ -@Getter -@EqualsAndHashCode(callSuper = true) -@ToString -public final class MetricSetDto extends MetricDto { - private final Set metrics; - - private MetricSetDto(String name, Set metrics) { - super(name); - this.metrics = metrics; - } - - /** - * Builder for {@link MetricSetDto} - */ - public static class Builder { - private Set metrics = new LinkedHashSet<>(); - private String name; - - public Builder(String name) { - this.name = name; - } - public Builder withMetric(MetricDto metric) { - metrics.add(metric); - return this; - } - - public Builder withSimpleMetric(String metricName, T value) { - metrics.add(new SimpleMetricDto<>(metricName, value)); - return this; - } - - /** - * Build instance - */ - public MetricSetDto build() { - Set tmp = metrics; - metrics = null; - return new MetricSetDto(name, tmp); - } - } -} diff --git a/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/dto/SimpleMetricDto.java b/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/dto/SimpleMetricDto.java deleted file mode 100644 index 2626d41b10..0000000000 --- a/src/monitor-common/src/main/java/ee/ria/xroad/monitor/common/dto/SimpleMetricDto.java +++ /dev/null 
@@ -1,52 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.monitor.common.dto; - -import lombok.EqualsAndHashCode; -import lombok.Getter; -import lombok.ToString; - -import java.io.Serializable; - -/** - * Created by hyoty on 24.9.2015. - */ - -/** - * SimpleMetricDto - * @param value type - */ -@Getter -@EqualsAndHashCode(callSuper = true) -@ToString -public class SimpleMetricDto extends MetricDto { - private final T value; - - public SimpleMetricDto(String name, T value) { - super(name); - this.value = value; - } -} 
diff --git a/src/monitor-common/src/main/proto/monitor_service.proto b/src/monitor-common/src/main/proto/monitor_service.proto
new file mode 100644
index 0000000000..f33ba74bed
--- /dev/null
+++ b/src/monitor-common/src/main/proto/monitor_service.proto
@@ -0,0 +1,106 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+syntax = "proto3";
+
+import "google/protobuf/timestamp.proto";
+
+package org.niis.xroad.monitor.common;
+
+option java_multiple_files = true;
+
+service MonitorService {
+ rpc GetStats(StatsReq) returns (StatsResp) {}
+}
+
+service MetricsService {
+ rpc GetMetrics(SystemMetricsReq) returns (SystemMetricsResp) {}
+}
+
+/*
+ * Request for system stats
+ */
+message StatsReq {
+ //currently empty
+}
+
+/*
+ * System statistics response
+ *
+ * see com.sun.management.UnixOperatingSystemMXBean
+ */
+message StatsResp{
+ int64 open_file_descriptor_count = 1;
+ int64 max_file_descriptor_count = 2;
+ double system_cpu_load = 3;
+ int64 committed_virtual_memory_size = 4;
+ int64 free_physical_memory_size = 5;
+ int64 total_physical_memory_size = 6;
+ int64 free_swap_space_size = 7;
+ int64 total_swap_space_size = 8;
+}
+
+message SystemMetricsReq {
+ repeated string metric_names = 1;
+ bool is_client_owner = 2;
+}
+
+message SystemMetricsResp {
+ MetricsGroup metrics = 1;
+}
+
+message Metrics {
+ oneof value {
+ MetricsGroup metricsGroup = 1;
+ SingleMetrics singleMetrics = 2;
+ HistogramMetrics singleHistogram = 3;
+ }
+}
+
+message MetricsGroup {
+ string name = 1;
+ repeated Metrics metrics = 2;
+}
+
+message SingleMetrics {
+ string name = 1;
+ optional string value = 2;
+}
+
+message HistogramMetrics {
+ string name = 1;
+ // The date/time when data was last updated
+ google.protobuf.Timestamp update_date_time = 2;
+ double distribution_75th_percentile = 3;
+ double distribution_95th_percentile = 4;
+ double distribution_98th_percentile = 5;
+ double distribution_99th_percentile = 6;
+ double distribution_999th_percentile = 7;
+ double max = 8;
+ double mean = 9;
+ double median = 10;
+ double min = 11;
+ double std_dev = 12;
+}
diff --git a/src/monitor-test/LICENSE.txt b/src/monitor-test/LICENSE.txt
deleted file mode 100644
index 8f1d2d5442..0000000000
--- a/src/monitor-test/LICENSE.txt
+++ /dev/null
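Review bot: `SystemMetricsReq` in `monitor_service.proto` has no field comments, although the removed `SystemMetricsRequest` class carried `// Can be set to null/empty to request all metrics`. A proto3 `repeated` field cannot be null, so the contract should be restated on `metric_names`, for example `// Empty list requests all metrics.`. `is_client_owner` also needs a comment because the caller asserts it. If the server uses it to decide how much is returned, which this hunk does not show, the endpoint must accept only authenticated, trusted peers and must not treat the flag as an authorization decision. The `oneof` members `metricsGroup`, `singleMetrics` and `singleHistogram` are camelCase while every other field is lower_snake_case; `metrics_group`, `single_metrics` and `single_histogram` would match the rest of the file.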
@@ -1,23 +0,0 @@ -The MIT License -Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) -Copyright (c) 2018 Estonian Information System Authority (RIA), -Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) -Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. diff --git a/src/monitor-test/build.gradle b/src/monitor-test/build.gradle deleted file mode 100644 index 85b94c6d55..0000000000 --- a/src/monitor-test/build.gradle +++ /dev/null 
@@ -1,19 +0,0 @@ -apply plugin: 'java' -apply plugin: 'application' - -mainClassName = "ee.ria.xroad.monitor.test.MonitorTest" -distZip.enabled = false -distTar.enabled = false - -repositories { - mavenCentral() -} - -dependencies { - - implementation project(':common:common-util') - implementation project(':monitor-common') - implementation "org.slf4j:slf4j-api:${slf4jVersion}" - - testImplementation "junit:junit:$junitVersion" -} diff --git a/src/monitor-test/src/main/java/ee/ria/xroad/monitor/test/ClientActor.java b/src/monitor-test/src/main/java/ee/ria/xroad/monitor/test/ClientActor.java deleted file mode 100644 index ad59955df2..0000000000 --- a/src/monitor-test/src/main/java/ee/ria/xroad/monitor/test/ClientActor.java +++ /dev/null 
@@ -1,64 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.monitor.test; - -import ee.ria.xroad.monitor.common.SystemMetricsRequest; -import ee.ria.xroad.monitor.common.SystemMetricsResponse; - -import akka.actor.ActorSelection; -import akka.actor.UntypedAbstractActor; -import akka.event.Logging; -import akka.event.LoggingAdapter; - -/** - * Test caller for monitoring service - */ -public class ClientActor extends UntypedAbstractActor { - - private LoggingAdapter log = Logging.getLogger(getContext().system(), this); - - private ActorSelection selection = - getContext().actorSelection("akka://xroad-monitor@127.0.0.1:2552/user/MetricsProviderActor"); - - @Override - public void preStart() throws Exception { - log.info("ActorSelection={}", selection); - super.preStart(); - } - - @Override - public void onReceive(Object o) throws Exception { - if (o.equals("Start")) { - selection.tell(new SystemMetricsRequest(null, true), getSelf()); - log.info("ClientActor sent SystemMetricsRequest"); - } else if (o instanceof SystemMetricsResponse) { - SystemMetricsResponse response = (SystemMetricsResponse) o; - log.info("ClientActor received SystemMetricsResponse"); - } else { - unhandled(o); - } - } -} diff --git a/src/monitor-test/src/main/java/ee/ria/xroad/monitor/test/MonitorTest.java b/src/monitor-test/src/main/java/ee/ria/xroad/monitor/test/MonitorTest.java deleted file mode 100644 index e9ceb30050..0000000000 --- a/src/monitor-test/src/main/java/ee/ria/xroad/monitor/test/MonitorTest.java +++ /dev/null 
@@ -1,80 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.monitor.test; - -import akka.actor.ActorRef; -import akka.actor.ActorSystem; -import akka.actor.Props; -import com.typesafe.config.ConfigFactory; -import lombok.extern.slf4j.Slf4j; -import scala.concurrent.Await; -import scala.concurrent.duration.Duration; - -import java.util.concurrent.TimeoutException; - -/** - * Test client for monitoring - */ -@Slf4j -public final class MonitorTest { - - public static final int TIMES = 100; - public static final int WAIT_SECONDS = 10; - public static final int MS_IN_SECOND = 1000; - - /** - * Program entry point - */ - public static void main(String args[]) { - - ActorSystem actorSystem = ActorSystem.create("AkkaRemoteClient", ConfigFactory.load()); - ActorRef client = actorSystem.actorOf(Props.create(ClientActor.class)); - - for (int i = 0; i < TIMES; i++) { - client.tell("Start", ActorRef.noSender()); - } - waitXSeconds(WAIT_SECONDS); - - try { - Await.ready(actorSystem.terminate(), Duration.Inf()); - } catch (TimeoutException e) { - log.error("Timed out while waiting for akka to terminate"); - } catch (InterruptedException e) { - log.error("Interrupted while waiting for akka to terminate"); - } - } - - private MonitorTest() { - } - - private static void waitXSeconds(long x) { - try { - Thread.sleep(x * MS_IN_SECOND); - } catch (InterruptedException e) { - System.out.println("InterruptedException occurred while thread was sleeping"); - } - } -} diff --git a/src/monitor-test/src/main/resources/application.conf b/src/monitor-test/src/main/resources/application.conf deleted file mode 100644 index af7693f714..0000000000 --- a/src/monitor-test/src/main/resources/application.conf +++ /dev/null @@ -1,14 +0,0 @@ -include "akka-global.conf" -akka { - actor { - provider = remote - } - remote { - artery { - canonical.hostname = "127.0.0.1" - canonical.port = 0 - } - log-dead-letters = 1 - log-dead-letters-during-shutdown = off - } -} 
diff --git a/src/monitor/build.gradle b/src/monitor/build.gradle index 89af789cc5..3859e29c09 100644 --- a/src/monitor/build.gradle +++ b/src/monitor/build.gradle @@ -1,6 +1,7 @@ plugins { - id 'java' - id 'com.github.johnrengelman.shadow' + id 'io.spring.dependency-management' + id 'org.springframework.boot' + id 'com.github.johnrengelman.shadow' } ext { 
@@ -13,37 +14,34 @@ jar { } } -repositories { - mavenCentral() -} - dependencies { - - implementation project(':common:common-util') - implementation project(':monitor-common') - implementation project(':signer-protocol') - implementation project(':serverconf') - - implementation "org.slf4j:slf4j-api:${slf4jVersion}" - implementation "io.dropwizard.metrics:metrics-core:$metricsVersion" - implementation "io.dropwizard.metrics:metrics-jmx:$metricsVersion" - - testImplementation project(':common:common-test') - testImplementation "junit:junit:$junitVersion" - testImplementation "com.typesafe.akka:akka-testkit_$akkaVersion" - testImplementation 'com.github.stefanbirkner:system-rules:1.19.0' - testImplementation "org.mockito:mockito-core:$mockitoVersion" + implementation project(':common:common-util') + implementation project(':monitor-common') + implementation project(':signer-protocol') + implementation project(':serverconf') + + implementation('org.springframework:spring-context') + implementation "org.slf4j:slf4j-api:${slf4jVersion}" + implementation "io.dropwizard.metrics:metrics-core:$metricsVersion" + implementation "io.dropwizard.metrics:metrics-jmx:$metricsVersion" + + testImplementation project(':common:common-test') + testImplementation("org.springframework.boot:spring-boot-starter-test") + testImplementation "org.mockito:mockito-core:$mockitoVersion" } -jar { - enabled = false -} +bootJar.enabled = false +bootJarMainClassName.enabled = false shadowJar { - append('reference.conf') - exclude('**/module-info.class') - archiveBaseName = "monitor" - archiveClassifier = '' + append('reference.conf') + exclude('**/module-info.class') + archiveBaseName = "monitor" + archiveClassifier = '' } -build.dependsOn shadowJar +jar.finalizedBy shadowJar + +test { + useJUnitPlatform() +} diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/AbstractSensor.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/AbstractSensor.java index 0cd862fbe9..601bd3dcfc 100644 
--- a/src/monitor/src/main/java/ee/ria/xroad/monitor/AbstractSensor.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/AbstractSensor.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -25,18 +25,24 @@ */ package ee.ria.xroad.monitor; -import akka.actor.UntypedAbstractActor; -import scala.concurrent.duration.FiniteDuration; +import lombok.RequiredArgsConstructor; +import org.springframework.scheduling.TaskScheduler; + +import java.time.Duration; /** * Base class for sensors */ -public abstract class AbstractSensor extends UntypedAbstractActor { +@RequiredArgsConstructor +public abstract class AbstractSensor { + private final TaskScheduler taskScheduler; - protected void scheduleSingleMeasurement(FiniteDuration duration, Object msg) { - context().system().scheduler().scheduleOnce(duration, - self(), msg, context().system().dispatcher(), null); + protected void scheduleSingleMeasurement(Duration delay) { + taskScheduler.schedule(this::measure, taskScheduler.getClock().instant().plus(delay)); } - protected abstract FiniteDuration getInterval(); + protected abstract Duration getInterval(); + + protected abstract void measure(); + } diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/CertificateInfoSensor.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/CertificateInfoSensor.java index fb49aab9d5..ca7b59791c 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/CertificateInfoSensor.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/CertificateInfoSensor.java 
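Review bot: The new abstract `measure()` in `AbstractSensor` has no Javadoc, although the measurement loop only continues if each implementation re-arms the timer itself, because `scheduleSingleMeasurement` schedules exactly one run. I would state that contract on the method, for example `/** Runs one measurement; implementations must call scheduleSingleMeasurement(getInterval()) to schedule the next run. */`. A matching one-line comment on `scheduleSingleMeasurement` saying that the delay is counted from the scheduler's clock would also help.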
@@ -34,15 +34,14 @@ import ee.ria.xroad.signer.protocol.dto.TokenInfo; import lombok.extern.slf4j.Slf4j; -import scala.concurrent.duration.Duration; -import scala.concurrent.duration.FiniteDuration; +import org.springframework.scheduling.TaskScheduler; import java.security.cert.X509Certificate; +import java.time.Duration; import java.time.format.DateTimeFormatter; import java.util.ArrayList; import java.util.List; import java.util.Set; -import java.util.concurrent.TimeUnit; import java.util.stream.Collectors; import java.util.stream.Stream; @@ -55,7 +54,7 @@ public class CertificateInfoSensor extends AbstractSensor { // give signer some time to become available - private static final FiniteDuration INITIAL_DELAY = Duration.create(10, TimeUnit.SECONDS); + private static final Duration INITIAL_DELAY = Duration.ofSeconds(10); private static final String JMX_HEADER = "SHA1HASH\t\t\t\t\t\t\tCERT TYPE\t\tNOT BEFORE\t\tNOT AFTER\t\tACTIVE"; private CertificateInfoCollector certificateInfoCollector; @@ -69,7 +68,8 @@ public void setCertificateInfoCollector(CertificateInfoCollector collector) { /** * Create new CertificateInfoSensor */ - public CertificateInfoSensor() { + public CertificateInfoSensor(TaskScheduler taskScheduler) { + super(taskScheduler); log.info("Creating sensor, measurement interval: {}", getInterval()); certificateInfoCollector = new CertificateInfoCollector() @@ -77,7 +77,7 @@ public CertificateInfoSensor() { .addExtractor(new InternalTlsExtractor()) .addExtractor(new TokenExtractor()); - scheduleSingleMeasurement(INITIAL_DELAY, new CertificateInfoMeasure()); + scheduleSingleMeasurement(INITIAL_DELAY); } /** @@ -211,7 +211,7 @@ public Stream getCertificates() { static class CertificateInfoCollector { - private List extractors = new ArrayList<>(); + private final List extractors = new ArrayList<>(); CertificateInfoCollector() { } 
@@ -223,7 +223,7 @@ CertificateInfoCollector addExtractor(CertificateInfoExtractor extractor) { Set extractToSet() { return extractors.stream() - .flatMap(entry -> entry.getCertificates()) + .flatMap(CertificateInfoExtractor::getCertificates) .collect(Collectors.toSet()); } @@ -253,26 +253,15 @@ private void addWithTab(String s, StringBuilder b) { } @Override - public void onReceive(Object o) throws Exception { - if (o instanceof CertificateInfoMeasure) { - log.info("Updating CertificateInfo metrics"); - updateOrRegisterData(list()); - scheduleSingleMeasurement(getInterval(), new CertificateInfoMeasure()); - } else { - log.error("received unhandled message {}", o); - unhandled(o); - } + public void measure() { + log.info("Updating CertificateInfo metrics"); + updateOrRegisterData(list()); + scheduleSingleMeasurement(getInterval()); } @Override - protected FiniteDuration getInterval() { - return Duration.create(SystemProperties.getEnvMonitorCertificateInfoSensorInterval(), TimeUnit.SECONDS); - } - - /** - * Akka message - */ - public static class CertificateInfoMeasure { + protected Duration getInterval() { + return Duration.ofSeconds(SystemProperties.getEnvMonitorCertificateInfoSensorInterval()); } } diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/CertificateMonitoringInfo.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/CertificateMonitoringInfo.java index 878ef8cd93..9cd54f7520 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/CertificateMonitoringInfo.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/CertificateMonitoringInfo.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/DiskSpaceSensor.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/DiskSpaceSensor.java index cd0caf1151..b6f294ed25 100644 
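Review bot: `measure()` re-arms the timer only as its last statement, so an exception thrown by `list()` or `updateOrRegisterData()` ends certificate monitoring until the process is restarted, and the published certificate data goes stale without notice. The comment above `INITIAL_DELAY` suggests the data comes from the signer, which may be unavailable at times. Under the removed actor code a failure would presumably have been handled by actor supervision, whereas a one-shot scheduled task is simply not run again. Wrapping the update as `try { updateOrRegisterData(list()); } finally { scheduleSingleMeasurement(getInterval()); }` keeps the loop alive. The same pattern appears in `DiskSpaceSensor.measure()` and `ExecListingSensor.measure()` later in this patch.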
--- a/src/monitor/src/main/java/ee/ria/xroad/monitor/DiskSpaceSensor.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/DiskSpaceSensor.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -28,14 +28,11 @@ import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.monitor.common.SystemMetricNames; -import lombok.AllArgsConstructor; -import lombok.Getter; import lombok.extern.slf4j.Slf4j; -import scala.concurrent.duration.Duration; -import scala.concurrent.duration.FiniteDuration; +import org.springframework.scheduling.TaskScheduler; import java.io.File; -import java.util.concurrent.TimeUnit; +import java.time.Duration; /** * Collects disk space information @@ -46,17 +43,18 @@ public class DiskSpaceSensor extends AbstractSensor { /** * Constructor */ - public DiskSpaceSensor() { + public DiskSpaceSensor(TaskScheduler taskScheduler) { + super(taskScheduler); log.info("Creating sensor, measurement interval: {}", getInterval()); updateMetrics(); - scheduleSingleMeasurement(getInterval(), new DiskSpaceMeasure()); + scheduleSingleMeasurement(getInterval()); } private void updateMetrics() { File[] roots = File.listRoots(); if (roots != null && roots.length > 0) { final MetricRegistryHolder registryHolder = MetricRegistryHolder.getInstance(); - for (File drive: roots) { + for (File drive : roots) { SimpleSensor total = registryHolder.getOrCreateSimpleSensor( String.format("%s_%s", SystemMetricNames.DISK_SPACE_TOTAL, drive)); 
@@ -70,25 +68,15 @@ private void updateMetrics() { } @Override - public void onReceive(Object o) throws Exception { - if (o instanceof DiskSpaceMeasure) { - log.debug("Updating metrics"); - updateMetrics(); - scheduleSingleMeasurement(getInterval(), new DiskSpaceMeasure()); - } + protected void measure() { + log.debug("Updating metrics"); + updateMetrics(); + scheduleSingleMeasurement(getInterval()); } @Override - protected FiniteDuration getInterval() { - return Duration.create(SystemProperties.getEnvMonitorDiskSpaceSensorInterval(), TimeUnit.SECONDS); + protected Duration getInterval() { + return Duration.ofSeconds(SystemProperties.getEnvMonitorDiskSpaceSensorInterval()); } - private static class DiskSpaceMeasure { } - - @AllArgsConstructor - @Getter - private static class SensorPair { - private final SimpleSensor total; - private final SimpleSensor free; - } } diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/ExecListingSensor.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/ExecListingSensor.java index f81a2f63d6..fdb2e835e1 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/ExecListingSensor.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/ExecListingSensor.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -34,11 +34,10 @@ import com.codahale.metrics.Metric; import lombok.extern.slf4j.Slf4j; -import scala.concurrent.duration.Duration; -import scala.concurrent.duration.FiniteDuration; +import org.springframework.scheduling.TaskScheduler; +import java.time.Duration; import java.util.ArrayList; -import java.util.concurrent.TimeUnit; /** * Sensor which collects data by running external commands and 
@@ -48,13 +47,15 @@ public class ExecListingSensor extends AbstractSensor { private MetricRegistryHolder registryHolder; + /** * Constructor */ - public ExecListingSensor() { + public ExecListingSensor(TaskScheduler taskScheduler) { + super(taskScheduler); log.info("Creating sensor, measurement interval: {}", getInterval()); updateMetrics(); - scheduleSingleMeasurement(getInterval(), new ProcessMeasure()); + scheduleSingleMeasurement(getInterval()); } private void createOrUpdateMetricPair(String parsedName, String jmxName, JmxStringifiedData data) { @@ -103,19 +104,16 @@ private void updateMetrics() { } @Override - public void onReceive(Object o) throws Exception { - if (o instanceof ProcessMeasure) { - log.debug("Updating metrics"); - updateMetrics(); - scheduleSingleMeasurement(getInterval(), new ProcessMeasure()); - } + public void measure() { + log.debug("Updating metrics"); + updateMetrics(); + scheduleSingleMeasurement(getInterval()); + } @Override - protected FiniteDuration getInterval() { - return Duration.create(SystemProperties.getEnvMonitorExecListingSensorInterval(), TimeUnit.SECONDS); + protected Duration getInterval() { + return Duration.ofSeconds(SystemProperties.getEnvMonitorExecListingSensorInterval()); } - private static class ProcessMeasure { } - } diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/JmxStringifiedData.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/JmxStringifiedData.java index 7ea65632d8..39af314890 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/JmxStringifiedData.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/JmxStringifiedData.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/MetricRegistryHolder.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/MetricRegistryHolder.java index 93953f8e6b..b77700e3f9 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/MetricRegistryHolder.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/MetricRegistryHolder.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/MetricsProviderActor.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/MetricsRpcService.java similarity index 52% rename from src/monitor/src/main/java/ee/ria/xroad/monitor/MetricsProviderActor.java rename to src/monitor/src/main/java/ee/ria/xroad/monitor/MetricsRpcService.java index adb6084a9d..491f5ae96c 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/MetricsProviderActor.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/MetricsRpcService.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
@@ -27,18 +27,9 @@ import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.monitor.common.SystemMetricNames; -import ee.ria.xroad.monitor.common.SystemMetricsRequest; -import ee.ria.xroad.monitor.common.SystemMetricsResponse; -import ee.ria.xroad.monitor.common.dto.HistogramDto; -import ee.ria.xroad.monitor.common.dto.MetricDto; -import ee.ria.xroad.monitor.common.dto.MetricSetDto; -import ee.ria.xroad.monitor.common.dto.SimpleMetricDto; import ee.ria.xroad.monitor.executablelister.PackageInfo; import ee.ria.xroad.monitor.executablelister.ProcessInfo; -import akka.actor.UntypedAbstractActor; -import akka.event.Logging; -import akka.event.LoggingAdapter; import com.codahale.metrics.Gauge; import com.codahale.metrics.Histogram; import com.codahale.metrics.Metric; @@ -46,17 +37,25 @@ import com.codahale.metrics.MetricRegistry; import com.codahale.metrics.Snapshot; import com.google.common.collect.Lists; +import com.google.protobuf.util.Timestamps; +import io.grpc.stub.StreamObserver; +import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.monitor.common.HistogramMetrics; +import org.niis.xroad.monitor.common.Metrics; +import org.niis.xroad.monitor.common.MetricsGroup; +import org.niis.xroad.monitor.common.MetricsServiceGrpc; +import org.niis.xroad.monitor.common.SingleMetrics; +import org.niis.xroad.monitor.common.SystemMetricsReq; +import org.niis.xroad.monitor.common.SystemMetricsResp; -import java.io.Serializable; import java.util.List; import java.util.Map; /** * Actor for providing system metrics data */ -public class MetricsProviderActor extends UntypedAbstractActor { - - private LoggingAdapter log = Logging.getLogger(getContext().system(), this); +@Slf4j +public class MetricsRpcService extends MetricsServiceGrpc.MetricsServiceImplBase { private static final List PACKAGE_OR_CERTIFICATE_METRIC_NAMES = Lists.newArrayList( SystemMetricNames.PROCESSES, SystemMetricNames.PROCESS_STRINGS, 
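Review bot: The Javadoc kept above the renamed class still reads `Actor for providing system metrics data`, but `MetricsRpcService` now extends `MetricsServiceGrpc.MetricsServiceImplBase` and no actor is left. I would change the comment to `gRPC service that provides system metrics data`.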
@@ -72,7 +71,7 @@ public class MetricsProviderActor extends UntypedAbstractActor { * Two phase filter for checking user requested metric names and additional chained filter for * application defined metric names (histogram/process/certificate/package/etc). */ - public class SystemMetricsFilter implements MetricFilter { + public static class SystemMetricsFilter implements MetricFilter { private final List metricNames; private final MetricFilter chainedFilter; 
@@ -110,37 +109,28 @@ private boolean isMatchByChainedFilter(String name, Metric metric) { } @Override - public void onReceive(Object o) throws Exception { - - if (o instanceof SystemMetricsRequest) { - - final SystemMetricsRequest req = (SystemMetricsRequest) o; - log.info("Received SystemMetricsRequest: " + req); - - if (req.getMetricNames() != null && req.getMetricNames().size() > 0) { - log.info("Specified metrics requested: " + req.getMetricNames()); - log.info("Is owner of security server: " + req.isClientOwner()); - } - - MetricRegistry metrics = MetricRegistryHolder.getInstance().getMetrics(); - final MetricSetDto.Builder builder = new MetricSetDto.Builder("systemMetrics"); - - collectMetrics(builder, metrics, req.getMetricNames(), req.isClientOwner()); + public void getMetrics(SystemMetricsReq req, StreamObserver responseObserver) { + log.info("Received SystemMetricsRequest: " + req); + if (!req.getMetricNamesList().isEmpty()) { + log.info("Specified metrics requested: " + req.getMetricNamesList()); + log.info("Is owner of security server: " + req.getIsClientOwner()); + } - if (req.isClientOwner() || !SystemProperties.getEnvMonitorLimitRemoteDataSet()) { - collectOwnerMetrics(builder, metrics, req.getMetricNames()); - } + MetricRegistry metrics = MetricRegistryHolder.getInstance().getMetrics(); + var responseBuilder = SystemMetricsResp.newBuilder(); + responseBuilder.getMetricsBuilder().setName("systemMetrics"); - MetricSetDto metricSet = builder.build(); - final SystemMetricsResponse response = new SystemMetricsResponse(metricSet); - getSender().tell(response, getSelf()); + collectMetrics(responseBuilder, metrics, req.getMetricNamesList(), req.getIsClientOwner()); - } else { - unhandled(o); + if (req.getIsClientOwner() || !SystemProperties.getEnvMonitorLimitRemoteDataSet()) { + collectOwnerMetrics(responseBuilder, metrics, req.getMetricNamesList()); } + + responseObserver.onNext(responseBuilder.build()); + responseObserver.onCompleted(); } - private void 
collectMetrics(MetricSetDto.Builder builder, MetricRegistry metrics, List metricNames, + private void collectMetrics(SystemMetricsResp.Builder builder, MetricRegistry metrics, List metricNames, boolean clientOwner) { SystemMetricsFilter certificateMetricFilter = new SystemMetricsFilter(metricNames, (name, metric) -> SystemMetricNames.CERTIFICATES.equals(name)); @@ -149,15 +139,15 @@ private void collectMetrics(MetricSetDto.Builder builder, MetricRegistry metrics (name, metric) -> filterPackageOrCertifates(clientOwner, name)); for (Map.Entry e : metrics.getGauges(certificateMetricFilter).entrySet()) { - builder.withMetric(toCertificateMetricSetDTO(e.getKey(), e.getValue())); + builder.getMetricsBuilder().addMetrics(toCertificateMetricSetDTO(e.getKey(), e.getValue())); } for (Map.Entry e : metrics.getGauges(simpleMetricFilter).entrySet()) { - builder.withMetric(toSimpleMetricDto(e.getKey(), e.getValue())); + builder.getMetricsBuilder().addMetrics(toSimpleMetricDto(e.getKey(), e.getValue())); } } - private void collectOwnerMetrics(MetricSetDto.Builder builder, MetricRegistry metrics, List metricNames) { + private void collectOwnerMetrics(SystemMetricsResp.Builder builder, MetricRegistry metrics, List metricNames) { SystemMetricsFilter histogramMetricFilter = new SystemMetricsFilter(metricNames, null); 
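Review bot: `getMetrics` releases the owner-only set (histograms, process and package listings) when `req.getIsClientOwner()` is true, and that flag is a field of the request the caller sends. The removed actor code trusted the same field, but the service is now a gRPC endpoint, so the decision is only as strong as the server's restriction on who may call it; that configuration is not part of this hunk. I would record the assumption next to the check, for example `// isClientOwner is set by the calling proxy and is not verified here; the RPC server must accept only that authenticated peer`.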
@@ -169,19 +159,19 @@ private void collectOwnerMetrics(MetricSetDto.Builder builder, MetricRegistry me (name, metric) -> SystemMetricNames.PACKAGES.equals(name)); for (Map.Entry e : metrics.getHistograms(histogramMetricFilter).entrySet()) { - builder.withMetric(toHistogramDto(e.getKey(), e.getValue().getSnapshot())); + builder.getMetricsBuilder().addMetrics(toHistogramDto(e.getKey(), e.getValue().getSnapshot())); } // dont handle processes, packages and certificates gauges normally, // they have have special conversions to dto // *_STRINGS gauges are only for JMX reporting for (Map.Entry e : metrics.getGauges(processMetricFilter).entrySet()) { - builder.withMetric(toProcessMetricSetDto(e.getKey(), e.getValue())); + builder.getMetricsBuilder().addMetrics(toProcessMetricSetDto(e.getKey(), e.getValue())); } for (Map.Entry e : metrics.getGauges(packageMetricFilter).entrySet()) { - builder.withMetric(toPackageMetricSetDto(e.getKey(), e.getValue())); + builder.getMetricsBuilder().addMetrics(toPackageMetricSetDto(e.getKey(), e.getValue())); } } 
@@ -193,71 +183,97 @@ private boolean filterPackageOrCertifates(boolean isOwner, String name) { } } - private MetricSetDto toProcessMetricSetDto(String name, - Gauge> processSensor) { + private Metrics toProcessMetricSetDto(String name, + Gauge> processSensor) { JmxStringifiedData p = processSensor.getValue(); - MetricSetDto.Builder mainBuilder = new MetricSetDto.Builder(name); + + var metricsGroup = MetricsGroup.newBuilder() + .setName(name); for (ProcessInfo process : p.getDtoData()) { - MetricSetDto.Builder processBuilder = new MetricSetDto.Builder(process.getProcessId()); - mainBuilder.withMetric(processBuilder - .withSimpleMetric("processId", process.getProcessId()) - .withSimpleMetric("command", process.getCommand()) - .withSimpleMetric("cpuLoad", process.getCpuLoad()) - .withSimpleMetric("memUsed", process.getMemUsed()) - .withSimpleMetric("startTime", process.getStartTime()) - .withSimpleMetric("userId", process.getUserId()) + var processMetrics = MetricsGroup.newBuilder() + .setName(process.getProcessId()) + .addMetrics(toSingleMetrics("processId", process.getProcessId())) + .addMetrics(toSingleMetrics("command", process.getCommand())) + .addMetrics(toSingleMetrics("cpuLoad", process.getCpuLoad())) + .addMetrics(toSingleMetrics("memUsed", process.getMemUsed())) + .addMetrics(toSingleMetrics("startTime", process.getStartTime())) + .addMetrics(toSingleMetrics("userId", process.getUserId())); + + metricsGroup.addMetrics(Metrics.newBuilder() + .setMetricsGroup(processMetrics) .build()); } - return mainBuilder.build(); + return Metrics.newBuilder() + .setMetricsGroup(metricsGroup) + .build(); } - private MetricSetDto toCertificateMetricSetDTO( + private Metrics toCertificateMetricSetDTO( String name, Gauge> certificateSensor) { JmxStringifiedData c = certificateSensor.getValue(); - MetricSetDto.Builder mainBuilder = new MetricSetDto.Builder(name); + + var metricsGroup = MetricsGroup.newBuilder() + .setName(name); for (CertificateMonitoringInfo cert : 
c.getDtoData()) { - MetricSetDto.Builder certBuilder = new MetricSetDto.Builder("certificate-" + cert.getSha1hash()); - mainBuilder.withMetric(certBuilder - .withSimpleMetric("sha1Hash", cert.getSha1hash()) - .withSimpleMetric("notBefore", cert.getNotBefore()) - .withSimpleMetric("notAfter", cert.getNotAfter()) - .withSimpleMetric("certificateType", cert.getType().name()) - .withSimpleMetric("active", cert.isActive()) + var certMetrics = MetricsGroup.newBuilder() + .setName("certificate-" + cert.getSha1hash()) + .addMetrics(toSingleMetrics("sha1Hash", cert.getSha1hash())) + .addMetrics(toSingleMetrics("notBefore", cert.getNotBefore())) + .addMetrics(toSingleMetrics("notAfter", cert.getNotAfter())) + .addMetrics(toSingleMetrics("certificateType", cert.getType().name())) + .addMetrics(toSingleMetrics("active", String.valueOf(cert.isActive()))); + + metricsGroup.addMetrics(Metrics.newBuilder() + .setMetricsGroup(certMetrics) .build()); } - return mainBuilder.build(); + + return Metrics.newBuilder() + .setMetricsGroup(metricsGroup) + .build(); } - private MetricSetDto toPackageMetricSetDto(String name, - Gauge> packageSensor) { + private Metrics.Builder toPackageMetricSetDto(String name, + Gauge> packageSensor) { JmxStringifiedData p = packageSensor.getValue(); - MetricSetDto.Builder mainBuilder = new MetricSetDto.Builder(name); + + var packageMetrics = MetricsGroup.newBuilder() + .setName(name); for (PackageInfo pac : p.getDtoData()) { - mainBuilder.withSimpleMetric(pac.getName(), pac.getVersion()); + packageMetrics.addMetrics(toSingleMetrics(pac.getName(), pac.getVersion())); } - return mainBuilder.build(); + + return Metrics.newBuilder().setMetricsGroup(packageMetrics); + } + + private Metrics.Builder toSimpleMetricDto(String key, Gauge value) { + return toSingleMetrics(key, String.valueOf(value.getValue())); } - private SimpleMetricDto toSimpleMetricDto(String key, Gauge value) { - return new SimpleMetricDto<>(key, value.getValue()); + private Metrics.Builder 
toSingleMetrics(String key, String value) { + return Metrics.newBuilder().setSingleMetrics(SingleMetrics.newBuilder() + .setName(key) + .setValue(value)); } - private MetricDto toHistogramDto(String name, Snapshot snapshot) { - return new HistogramDto( - name, - snapshot.get75thPercentile(), - snapshot.get95thPercentile(), - snapshot.get98thPercentile(), - snapshot.get99thPercentile(), - snapshot.get999thPercentile(), - snapshot.getMax(), - snapshot.getMean(), - snapshot.getMedian(), - snapshot.getMin(), - snapshot.getStdDev() - ); + private Metrics.Builder toHistogramDto(String name, Snapshot snapshot) { + var histogram = HistogramMetrics.newBuilder() + .setName(name) + .setUpdateDateTime(Timestamps.now()) + .setDistribution75ThPercentile(snapshot.get75thPercentile()) + .setDistribution95ThPercentile(snapshot.get95thPercentile()) + .setDistribution98ThPercentile(snapshot.get98thPercentile()) + .setDistribution99ThPercentile(snapshot.get99thPercentile()) + .setDistribution999ThPercentile(snapshot.get999thPercentile()) + .setMax(snapshot.getMax()) + .setMean(snapshot.getMean()) + .setMedian(snapshot.getMedian()) + .setMin(snapshot.getMin()) + .setStdDev(snapshot.getStdDev()); + + return Metrics.newBuilder().setSingleHistogram(histogram); } } diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/MonitorMain.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/MonitorMain.java index c99cc56a4d..65e4f236a4 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/MonitorMain.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/MonitorMain.java 
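Review bot: `toSingleMetrics` passes `value` straight to `SingleMetrics.Builder.setValue`, and protobuf's generated Java setters throw `NullPointerException` on null, so a single process, certificate or package entry with a missing field would fail the whole `getMetrics` response. The removed `withSimpleMetric` calls took the raw getter results; whether `getCommand()`, `getNotBefore()` or `getVersion()` can return null is not visible here. A guard in the helper, `.setValue(value == null ? "" : value)`, would return a partial result instead. Gauge values and `cert.isActive()` are now sent as strings, so consumers that expected typed values need checking.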
@@ -25,27 +25,21 @@ */ package ee.ria.xroad.monitor; -import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.SystemPropertiesLoader; import ee.ria.xroad.common.Version; import ee.ria.xroad.monitor.common.SystemMetricNames; +import ee.ria.xroad.monitor.configuration.MonitorConfig; import ee.ria.xroad.signer.protocol.RpcSignerClient; -import akka.actor.ActorRef; -import akka.actor.ActorSystem; -import akka.actor.Props; -import akka.actor.UnhandledMessage; import com.codahale.metrics.jmx.JmxReporter; import com.google.common.collect.Lists; -import com.typesafe.config.Config; -import com.typesafe.config.ConfigFactory; -import com.typesafe.config.ConfigValueFactory; +import lombok.AccessLevel; +import lombok.NoArgsConstructor; import lombok.extern.slf4j.Slf4j; -import scala.concurrent.Await; -import scala.concurrent.duration.Duration; +import org.springframework.context.annotation.AnnotationConfigApplicationContext; +import org.springframework.context.support.GenericApplicationContext; import java.util.concurrent.TimeUnit; -import java.util.concurrent.TimeoutException; import static ee.ria.xroad.common.SystemProperties.CONF_FILE_ENV_MONITOR; @@ -53,6 +47,7 @@ * Main class for monitor application */ @Slf4j +@NoArgsConstructor(access = AccessLevel.PRIVATE) public final class MonitorMain { private static final String APP_NAME = "xroad-monitor"; @@ -64,9 +59,7 @@ public final class MonitorMain { .load(); } - private static final String AKKA_PORT = "akka.remote.artery.canonical.port"; - - private static ActorSystem actorSystem; + private static GenericApplicationContext springCtx; private static JmxReporter jmxReporter; /** 
@@ -78,34 +71,13 @@ public static void main(String args[]) throws Exception { log.info("Starting X-Road Environmental Monitoring"); Version.outputVersionInfo(APP_NAME); - registerShutdownHook(); - initAkka(); - startReporters(); - } + RpcSignerClient.init(); - private MonitorMain() { - } + springCtx = new AnnotationConfigApplicationContext(MonitorConfig.class); + springCtx.registerShutdownHook(); - private static void registerShutdownHook() { - Runtime.getRuntime().addShutdownHook(new Thread(() -> { - shutdownAkka(); - stopReporter(); - })); - } - - private static void shutdownAkka() { - log.trace("shutdownAkka()"); - - if (actorSystem != null) { - try { - Await.ready(actorSystem.terminate(), Duration.Inf()); - } catch (TimeoutException e) { - log.error("Timed out while waiting for akka to terminate"); - } catch (InterruptedException e) { - log.error("Interrupted while waiting for akka to terminate"); - } - actorSystem = null; - } + Runtime.getRuntime().addShutdownHook(new Thread(MonitorMain::stopReporter)); + startReporters(); } private static void stopReporter() { 
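Review bot: Shutdown is now split over two JVM hooks, `springCtx.registerShutdownHook()` and the `Thread` running `stopReporter`, and the JVM starts shutdown hooks concurrently and in no defined order. The removed hook stopped the actor system first and the reporter second; if that ordering matters, a single hook keeps it: `Runtime.getRuntime().addShutdownHook(new Thread(() -> { springCtx.close(); stopReporter(); }));`. The start of `main` is outside this hunk.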
@@ -116,30 +88,6 @@ private static void stopReporter() { } } - private static void initAkka() throws Exception { - actorSystem = ActorSystem.create(APP_NAME, loadAkkaConfiguration()); - RpcSignerClient.init(); //TODO grpc probably needs params. - - ActorRef unhandled = actorSystem.actorOf(Props.create(UnhandledListenerActor.class), "UnhandledListenerActor"); - actorSystem.eventStream().subscribe(unhandled, UnhandledMessage.class); - - actorSystem.actorOf(Props.create(MetricsProviderActor.class), "MetricsProviderActor"); - actorSystem.actorOf(Props.create(SystemMetricsSensor.class), "SystemMetricsSensor"); - actorSystem.actorOf(Props.create(DiskSpaceSensor.class), "DiskSpaceSensor"); - actorSystem.actorOf(Props.create(ExecListingSensor.class), "ExecListingSensor"); - actorSystem.actorOf(Props.create(CertificateInfoSensor.class), "CertificateInfoSensor"); - - log.info("akka init complete"); - } - - private static Config loadAkkaConfiguration() { - log.info("loadAkkaConfiguration"); - - final int port = SystemProperties.getEnvMonitorPort(); - - return ConfigFactory.load().withValue(AKKA_PORT, ConfigValueFactory.fromAnyRef(port)); - } - private static void startReporters() { jmxReporter = JmxReporter.forRegistry(MetricRegistryHolder.getInstance().getMetrics()) .convertRatesTo(TimeUnit.SECONDS) diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/SensorException.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/SensorException.java index a463fb7e22..0fcfb3fc5f 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/SensorException.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/SensorException.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/SimpleSensor.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/SimpleSensor.java index 279c625685..a29571edc7 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/SimpleSensor.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/SimpleSensor.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/SystemMetricsSensor.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/SystemMetricsSensor.java index a67851001e..16c6c7ec75 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/SystemMetricsSensor.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/SystemMetricsSensor.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -24,17 +24,21 @@ * THE SOFTWARE. */ package ee.ria.xroad.monitor; + import ee.ria.xroad.common.SystemProperties; -import ee.ria.xroad.monitor.common.StatsRequest; -import ee.ria.xroad.monitor.common.StatsResponse; import ee.ria.xroad.monitor.common.SystemMetricNames; -import akka.actor.ActorSelection; +import io.grpc.Channel; +import io.grpc.stub.StreamObserver; +import lombok.Getter; import lombok.extern.slf4j.Slf4j; -import scala.concurrent.duration.Duration; -import scala.concurrent.duration.FiniteDuration; +import org.niis.xroad.common.rpc.client.RpcClient; +import org.niis.xroad.monitor.common.MonitorServiceGrpc; +import org.niis.xroad.monitor.common.StatsReq; +import org.niis.xroad.monitor.common.StatsResp; +import org.springframework.scheduling.TaskScheduler; -import java.util.concurrent.TimeUnit; +import java.time.Duration; /** * System metrics sensor collects information such as 
@@ -42,44 +46,31 @@ */ @Slf4j public class SystemMetricsSensor extends AbstractSensor { - private static final int SYSTEM_CPU_LOAD_MULTIPLIER = 100; - private static final Object MEASURE_MESSAGE = new Object(); - private static final StatsRequest STATS_REQUEST = new StatsRequest(); - private final FiniteDuration interval - = Duration.create(SystemProperties.getEnvMonitorSystemMetricsSensorInterval(), TimeUnit.SECONDS); + private final RpcClient proxyRpcClient; - private static final String DEFAULT_AGENT_PATH = - "akka://Proxy@127.0.0.1:" + SystemProperties.getProxyActorSystemPort() + "/user/ProxyMonitorAgent"; + private final Duration interval = Duration.ofSeconds(SystemProperties.getEnvMonitorSystemMetricsSensorInterval()); - private final ActorSelection agent; - /** - * Create new Sensor with a default agent path. - */ - public SystemMetricsSensor() { - this(DEFAULT_AGENT_PATH); - } - - /** - * Create new Sensor with a custom agent path - * @param agentPath - */ - public SystemMetricsSensor(String agentPath) { + public SystemMetricsSensor(TaskScheduler taskScheduler) throws Exception { + super(taskScheduler); log.info("Creating sensor, measurement interval: {}", getInterval()); - this.agent = context().actorSelection(agentPath); - scheduleSingleMeasurement(getInterval(), MEASURE_MESSAGE); + + this.proxyRpcClient = RpcClient.newClient(SystemProperties.getGrpcInternalHost(), + SystemProperties.getProxyGrpcPort(), ProxyRpcExecutionContext::new); + + scheduleSingleMeasurement(getInterval()); } /** * Update sensor metrics */ - private void updateMetrics(StatsResponse stats) { + private void updateMetrics(StatsResp stats) { MetricRegistryHolder registryHolder = MetricRegistryHolder.getInstance(); registryHolder .getOrCreateHistogram(SystemMetricNames.SYSTEM_CPU_LOAD) - .update((long)(stats.getSystemCpuLoad() * SYSTEM_CPU_LOAD_MULTIPLIER)); + .update((long) (stats.getSystemCpuLoad() * SYSTEM_CPU_LOAD_MULTIPLIER)); registryHolder 
.getOrCreateHistogram(SystemMetricNames.FREE_PHYSICAL_MEMORY) .update(stats.getFreePhysicalMemorySize()); @@ -104,20 +95,40 @@ private void updateMetrics(StatsResponse stats) { } @Override - public void onReceive(final Object message) { - log.trace("onReceive({})", message); - if (MEASURE_MESSAGE == message) { - agent.tell(STATS_REQUEST, self()); - scheduleSingleMeasurement(getInterval(), MEASURE_MESSAGE); - } else if (message instanceof StatsResponse) { - updateMetrics((StatsResponse) message); - } else { - unhandled(message); - } + public void measure() { + proxyRpcClient.executeAsync(ctx -> ctx.getMonitorServiceStub().getStats(StatsReq.getDefaultInstance(), new StreamObserver<>() { + + @Override + public void onNext(StatsResp value) { + updateMetrics(value); + scheduleSingleMeasurement(getInterval()); + } + + @Override + public void onError(Throwable t) { + log.error("Failed to update system metrics stats. Rescheduling..", t); + } + + @Override + public void onCompleted() { + //NO-OP + } + })); } + @Override - protected FiniteDuration getInterval() { + protected Duration getInterval() { return interval; } + + @Getter + private static class ProxyRpcExecutionContext implements RpcClient.ExecutionContext { + private final MonitorServiceGrpc.MonitorServiceStub monitorServiceStub; + + ProxyRpcExecutionContext(Channel channel) { + monitorServiceStub = MonitorServiceGrpc.newStub(channel); + } + } + } diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/configuration/MonitorConfig.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/configuration/MonitorConfig.java new file mode 100644 index 0000000000..d16d1f957f --- /dev/null +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/configuration/MonitorConfig.java 
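Review bot: The `RpcClient` built in the new `SystemMetricsSensor(TaskScheduler)` constructor is kept in `proxyRpcClient`, but nothing in this hunk releases it, so the channel to the proxy presumably stays open until the JVM exits. If `RpcClient` offers a shutdown or close operation (its API is not visible here), the sensor should call it from a destroy hook so the Spring context can tear the channel down on stop. At minimum I would record the obligation on the field: `// Channel to the proxy's monitor service; must be shut down when the sensor bean is destroyed.` The class body continues outside this hunk.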
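Review bot: `onError` in the new `measure()` logs "Rescheduling.." but never calls `scheduleSingleMeasurement(getInterval())`, so the first failed `getStats` call (for example when the proxy is not yet listening) stops system-metrics collection until the monitor is restarted. The removed `onReceive` rescheduled as soon as the request was sent, so this is a behaviour change, and a silently stalled sensor leaves operators with stale CPU and memory figures. Add the reschedule to the error path, `scheduleSingleMeasurement(getInterval());`, right after the `log.error(...)` line. If `executeAsync` can throw synchronously (its signature is not visible here), that path needs the same treatment.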
@@ -0,0 +1,94 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ +package ee.ria.xroad.monitor.configuration; + +import ee.ria.xroad.common.SystemProperties; +import ee.ria.xroad.monitor.CertificateInfoSensor; +import ee.ria.xroad.monitor.DiskSpaceSensor; +import ee.ria.xroad.monitor.ExecListingSensor; +import ee.ria.xroad.monitor.MetricsRpcService; +import ee.ria.xroad.monitor.SystemMetricsSensor; + +import io.grpc.BindableService; +import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.common.rpc.server.RpcServer; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.scheduling.TaskScheduler; +import org.springframework.scheduling.annotation.EnableScheduling; +import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler; + +import java.util.List; + +@Slf4j +@EnableScheduling +@Configuration +public class MonitorConfig { + private static final int TASK_EXECUTOR_POOL_SIZE = 5; + + @Bean(initMethod = "start", destroyMethod = "stop") + RpcServer rpcServer(final List bindableServices) throws Exception { + return RpcServer.newServer( + SystemProperties.getGrpcInternalHost(), + SystemProperties.getEnvMonitorPort(), + builder -> bindableServices.forEach(bindableService -> { + log.info("Registering {} RPC service.", bindableService.getClass().getSimpleName()); + builder.addService(bindableService); + })); + } + + @Bean + TaskScheduler taskScheduler() { + var taskScheduler = new ThreadPoolTaskScheduler(); + taskScheduler.setPoolSize(TASK_EXECUTOR_POOL_SIZE); + return taskScheduler; + } + + @Bean + MetricsRpcService metricsRpcService() { + return new MetricsRpcService(); + } + + @Bean + SystemMetricsSensor systemMetricsSensor(TaskScheduler taskScheduler) throws Exception { + return new SystemMetricsSensor(taskScheduler); + } + + @Bean + DiskSpaceSensor diskSpaceSensor(TaskScheduler taskScheduler) { + return new DiskSpaceSensor(taskScheduler); + } + + @Bean + ExecListingSensor execListingSensor(TaskScheduler taskScheduler) { + 
return new ExecListingSensor(taskScheduler); + } + + @Bean + CertificateInfoSensor certificateInfoSensor(TaskScheduler taskScheduler) { + return new CertificateInfoSensor(taskScheduler); + } +} diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/AbstractExecLister.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/AbstractExecLister.java index 19c8551e86..43d2154886 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/AbstractExecLister.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/AbstractExecLister.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/ExecListingFailedException.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/ExecListingFailedException.java index 8d21cc1472..e4698bcc02 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/ExecListingFailedException.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/ExecListingFailedException.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/OsInfoLister.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/OsInfoLister.java index 6523c5a3a8..f6a7170ffd 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/OsInfoLister.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/OsInfoLister.java 
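Review bot: `rpcServer` binds to whatever `SystemProperties.getGrpcInternalHost()` returns, whereas the `application.conf` removed in this patch pinned the listener to `127.0.0.1`. The monitor's exposure therefore now depends on a property value and on the credentials set up inside `RpcServer`, neither of which is visible here. The bean also registers every `BindableService` found in the context, so a service added later is published on this port without any decision being made in this class. I would state the contract on the bean, e.g. `// Internal-only endpoint: keep the host on loopback unless internal gRPC TLS is enabled; every BindableService bean is exposed here.` With the host and port held in locals, I would also log the bind address at startup: `log.info("Monitor RPC server listening on {}:{}", host, port);`.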
@@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/PackageInfo.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/PackageInfo.java index 50d2e3f864..1d08928fb5 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/PackageInfo.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/PackageInfo.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/PackageLister.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/PackageLister.java index 8c9f478d22..e2f8c6b35b 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/PackageLister.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/PackageLister.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/ProcessInfo.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/ProcessInfo.java index 1a96e4ddc0..ec72e38cde 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/ProcessInfo.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/ProcessInfo.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/ProcessLister.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/ProcessLister.java index c37c4555c5..f740225904 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/ProcessLister.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/ProcessLister.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/XroadProcessLister.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/XroadProcessLister.java index d7a0810fba..38fb3730cd 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/XroadProcessLister.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/executablelister/XroadProcessLister.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), diff --git a/src/monitor/src/main/resources/application.conf b/src/monitor/src/main/resources/application.conf deleted file mode 100644 index 01bf7c23be..0000000000 --- a/src/monitor/src/main/resources/application.conf +++ /dev/null @@ -1,17 +0,0 @@ -include "akka-global.conf" - -akka { - actor { - provider = remote - } - remote { - artery { - canonical { - hostname = "127.0.0.1" - port = 2552 - } - } - log-dead-letters = 1 - log-dead-letters-during-shutdown = off - } -} diff --git a/src/monitor/src/test/java/ee/ria/xroad/monitor/CertificateInfoSensorTest.java b/src/monitor/src/test/java/ee/ria/xroad/monitor/CertificateInfoSensorTest.java index 3f99d0c1c4..e471db1983 100644 --- a/src/monitor/src/test/java/ee/ria/xroad/monitor/CertificateInfoSensorTest.java 
+++ b/src/monitor/src/test/java/ee/ria/xroad/monitor/CertificateInfoSensorTest.java @@ -39,22 +39,18 @@ import ee.ria.xroad.signer.protocol.dto.TokenInfoProto; import ee.ria.xroad.signer.protocol.dto.TokenStatusInfo; -import akka.actor.ActorSystem; -import akka.actor.Props; -import akka.testkit.TestActorRef; import com.codahale.metrics.Metric; import com.codahale.metrics.MetricRegistry; import com.google.protobuf.ByteString; -import com.typesafe.config.ConfigFactory; -import lombok.extern.slf4j.Slf4j; -import org.junit.After; -import org.junit.Before; -import org.junit.Test; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; import org.mockito.Mockito; -import scala.concurrent.Await; -import scala.concurrent.duration.Duration; +import org.mockito.junit.jupiter.MockitoExtension; +import org.springframework.scheduling.TaskScheduler; import java.security.cert.X509Certificate; +import java.time.Clock; import java.util.ArrayList; import java.util.Arrays; import java.util.List; @@ -62,17 +58,17 @@ import java.util.stream.Stream; import static ee.ria.xroad.monitor.CertificateInfoSensor.CERT_HEX_DELIMITER; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.spy; import static org.mockito.Mockito.when; /** * CertificateInfoSensorTest */ -@Slf4j -public class CertificateInfoSensorTest { - private static ActorSystem actorSystem; +@ExtendWith(MockitoExtension.class) +class CertificateInfoSensorTest { private MetricRegistry metrics; private TokenInfo caTokenInfo; private TokenInfo tspTokenInfo; 
@@ -84,12 +80,10 @@ public class CertificateInfoSensorTest { private static final String TSP_NOT_BEFORE = "2012-11-29T11:53:06Z"; private static final String TSP_NOT_AFTER = "2014-11-29T11:53:06Z"; - /** - * Before test handler - */ - @Before - public void init() throws Exception { - actorSystem = ActorSystem.create("AkkaRemoteServer", ConfigFactory.load()); + private CertificateInfoSensor certificateInfoSensor; + + @BeforeEach + void init() throws Exception { metrics = new MetricRegistry(); MetricRegistryHolder.getInstance().setMetrics(metrics); @@ -110,14 +104,10 @@ public void init() throws Exception { ServerConf.reload(new EmptyServerConf()); - } + var taskScheduler = spy(TaskScheduler.class); + when(taskScheduler.getClock()).thenReturn(Clock.systemDefaultZone()); - /** - * Shut down actor system and wait for clean up, so that other tests are not disturbed - */ - @After - public void tearDown() throws Exception { - Await.result(actorSystem.terminate(), Duration.Inf()); + certificateInfoSensor = new CertificateInfoSensor(taskScheduler); } private TokenInfo createTestTokenInfo(KeyInfo... keyInfoParams) { @@ -142,7 +132,7 @@ private TokenInfo createTestTokenInfo(KeyInfo... keyInfoParams) { } private KeyInfo createTestKeyInfo(CertificateInfo caInfo) { - KeyInfo keyInfo = new KeyInfo(KeyInfoProto.newBuilder() + return new KeyInfo(KeyInfoProto.newBuilder() .setAvailable(true) .setFriendlyName("friendlyName") .setId("id") @@ -151,8 +141,6 @@ private KeyInfo createTestKeyInfo(CertificateInfo caInfo) { .addCerts(caInfo.getMessage()) .setSignMechanismName("mechanismName") .build()); - - return keyInfo; } private CertificateInfo createTestCertificateInfo(X509Certificate cert) 
@@ -167,21 +155,13 @@ private CertificateInfo createTestCertificateInfo(X509Certificate cert) } @Test - public void testSystemMetricsRequest() throws Exception { - - log.info("testing"); - final Props props = Props.create(CertificateInfoSensor.class); - final TestActorRef ref = TestActorRef.create(actorSystem, props, - "testActorRef"); - - CertificateInfoSensor sensor = ref.underlyingActor(); - + void testSystemMetricsRequest() { CertificateInfoCollector collector = new CertificateInfoCollector() .addExtractor(new TokenExtractor(() -> Arrays.asList(caTokenInfo, tspTokenInfo))); - sensor.setCertificateInfoCollector(collector); + certificateInfoSensor.setCertificateInfoCollector(collector); + certificateInfoSensor.measure(); - sensor.onReceive(new CertificateInfoSensor.CertificateInfoMeasure()); Map result = metrics.getMetrics(); assertEquals(2, result.entrySet().size()); // certs & jmx certs SimpleSensor> certificates = 
@@ -199,22 +179,14 @@ public void testSystemMetricsRequest() throws Exception { CertificateMonitoringInfo tspInfo = getCertificateInfo(certificates.getValue().getDtoData(), tspCertId); assertEquals(TSP_NOT_AFTER, tspInfo.getNotAfter()); assertEquals(TSP_NOT_BEFORE, tspInfo.getNotBefore()); - log.info("testing done"); } @Test - public void testFailingCertExtractionSystemMetricsRequest() throws Exception { - - final Props props = Props.create(CertificateInfoSensor.class); - final TestActorRef ref = TestActorRef.create(actorSystem, props, - "testActorRef"); - + void testFailingCertExtractionSystemMetricsRequest() throws Exception { X509Certificate mockCert = mock(X509Certificate.class, Mockito.RETURNS_DEEP_STUBS); when(mockCert.getEncoded()).thenThrow(new IllegalStateException("some random exception")); when(mockCert.getIssuerDN().getName()).thenReturn("DN"); - CertificateInfoSensor sensor = ref.underlyingActor(); - CertificateInfoCollector collector = new CertificateInfoCollector() .addExtractor(new CertificateInfoSensor.CertificateInfoExtractor() { @Override @@ -226,9 +198,9 @@ Stream getCertificates() { } }); - sensor.setCertificateInfoCollector(collector); + certificateInfoSensor.setCertificateInfoCollector(collector); + certificateInfoSensor.measure(); - sensor.onReceive(new CertificateInfoSensor.CertificateInfoMeasure()); Map result = metrics.getMetrics(); assertEquals(2, result.entrySet().size()); // certs & jmx certs SimpleSensor> certificates = diff --git a/src/monitor/src/test/java/ee/ria/xroad/monitor/EmptyServerConf.java b/src/monitor/src/test/java/ee/ria/xroad/monitor/EmptyServerConf.java index 3d0c443fcb..8dca6e1c45 100644 --- a/src/monitor/src/test/java/ee/ria/xroad/monitor/EmptyServerConf.java +++ b/src/monitor/src/test/java/ee/ria/xroad/monitor/EmptyServerConf.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
diff --git a/src/monitor/src/test/java/ee/ria/xroad/monitor/MetricRegistryHolderTest.java b/src/monitor/src/test/java/ee/ria/xroad/monitor/MetricRegistryHolderTest.java index 10f8683c67..cc8534afda 100644 --- a/src/monitor/src/test/java/ee/ria/xroad/monitor/MetricRegistryHolderTest.java +++ b/src/monitor/src/test/java/ee/ria/xroad/monitor/MetricRegistryHolderTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -26,20 +26,20 @@ package ee.ria.xroad.monitor; import lombok.extern.slf4j.Slf4j; -import org.junit.Test; +import org.junit.jupiter.api.Test; -import static junit.framework.TestCase.assertEquals; -import static junit.framework.TestCase.fail; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.fail; /** * MetricsRegistryHolderTest */ @Slf4j -public class MetricRegistryHolderTest { +class MetricRegistryHolderTest { @Test - public void testGetOrCreateSimpleSensor() { - + void testGetOrCreateSimpleSensor() { try { MetricRegistryHolder holder = MetricRegistryHolder.getInstance(); assertEquals(holder.getOrCreateSimpleSensor("Sensor"), @@ -47,12 +47,10 @@ public void testGetOrCreateSimpleSensor() { } catch (Exception e) { fail("Exception should not have been thrwon!"); } - } @Test - public void testGetOrCreateHistogram() { - + void testGetOrCreateHistogram() { try { MetricRegistryHolder holder = MetricRegistryHolder.getInstance(); assertEquals(holder.getOrCreateHistogram("Histogram"), 
@@ -60,13 +58,12 @@ public void testGetOrCreateHistogram() { } catch (Exception e) { fail("Exception should not have been thrown!"); } - } - @Test(expected = IllegalArgumentException.class) - public void testTypeConflict() { + @Test + void testTypeConflict() { final MetricRegistryHolder holder = MetricRegistryHolder.getInstance(); holder.getMetrics().gauge("test", () -> () -> 42L); - holder.getOrCreateSimpleSensor("test"); + assertThrows(IllegalArgumentException.class, () -> holder.getOrCreateSimpleSensor("test")); } } diff --git a/src/monitor/src/test/java/ee/ria/xroad/monitor/MetricsProviderActorTest.java b/src/monitor/src/test/java/ee/ria/xroad/monitor/MetricsProviderActorTest.java deleted file mode 100644 index 1107082979..0000000000 --- a/src/monitor/src/test/java/ee/ria/xroad/monitor/MetricsProviderActorTest.java +++ /dev/null 
@@ -1,212 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.monitor; - -import ee.ria.xroad.common.SystemProperties; -import ee.ria.xroad.monitor.common.SystemMetricsRequest; -import ee.ria.xroad.monitor.common.SystemMetricsResponse; -import ee.ria.xroad.monitor.common.dto.HistogramDto; -import ee.ria.xroad.monitor.common.dto.MetricDto; -import ee.ria.xroad.monitor.common.dto.MetricSetDto; - -import akka.actor.ActorSystem; -import akka.actor.Props; -import akka.pattern.Patterns; -import akka.testkit.TestActorRef; -import akka.util.Timeout; -import com.codahale.metrics.Gauge; -import com.codahale.metrics.Histogram; -import com.codahale.metrics.MetricRegistry; -import com.typesafe.config.ConfigFactory; -import lombok.extern.slf4j.Slf4j; -import org.junit.After; -import org.junit.Assert; -import org.junit.Before; -import org.junit.Rule; -import org.junit.Test; -import org.junit.contrib.java.lang.system.ProvideSystemProperty; -import scala.concurrent.Await; -import scala.concurrent.Future; -import scala.concurrent.duration.Duration; - -import java.util.Arrays; -import java.util.Set; -import java.util.concurrent.TimeUnit; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; - -/** - * MetricsProviderActorTest - */ -@Slf4j -public class MetricsProviderActorTest { - - private static ActorSystem actorSystem; - private MetricRegistry metricsRegistry; - - private static final String HISTOGRAM_NAME = "TestHistogram"; - private static final String GAUGE_NAME = "TestGauge"; - - @Rule - public final ProvideSystemProperty p = new ProvideSystemProperty( - SystemProperties.ENV_MONITOR_LIMIT_REMOTE_DATA_SET, - "true"); - - /** - * Before test handler - */ - @Before - public void init() { - - - actorSystem = ActorSystem.create("AkkaRemoteServer", ConfigFactory.load()); - metricsRegistry = new MetricRegistry(); - - Histogram testHistogram = metricsRegistry.histogram(HISTOGRAM_NAME); - testHistogram.update(100); - testHistogram.update(10); - - //MetricRegistry.MetricSupplier x; - 
Gauge g = metricsRegistry.gauge(GAUGE_NAME, () -> new SimpleSensor("Test gauge String value.")); - - MetricRegistryHolder.getInstance().setMetrics(metricsRegistry); - } - - /** - * Shut down actor system and wait for clean up, so that other tests are not disturbed - */ - @After - public void tearDown() throws Exception { - Await.ready(actorSystem.terminate(), Duration.Inf()); - } - - @Test - public void testAllSystemMetricsRequest() throws Exception { - final Props props = Props.create(MetricsProviderActor.class); - final TestActorRef ref = TestActorRef.create(actorSystem, props, "testActorRef"); - Future future = Patterns.ask(ref, new SystemMetricsRequest(null, true), - Timeout.apply(1, TimeUnit.MINUTES)); - Object result = Await.result(future, Duration.apply(1, TimeUnit.MINUTES)); - assertTrue(future.isCompleted()); - assertTrue(result instanceof SystemMetricsResponse); - SystemMetricsResponse response = (SystemMetricsResponse) result; - MetricSetDto metricSetDto = response.getMetrics(); - Set dtoSet = metricSetDto.getMetrics(); - - log.info("metricSetDto: " + metricSetDto); - assertEquals(2, dtoSet.stream().count()); - - for (MetricDto metricDto : dtoSet) { - - // Order of entries is undefined -> Must handle by name - switch (metricDto.getName()) { - case HISTOGRAM_NAME: - log.info("metricDto: " + metricDto); - assertEquals(HISTOGRAM_NAME, metricDto.getName()); - assertTrue(metricDto instanceof HistogramDto); - HistogramDto h = (HistogramDto) metricDto; - assertEquals(100L, (long) h.getMax()); - assertEquals(10L, (long) h.getMin()); - assertEquals(55L, (long) h.getMean()); - break; - case GAUGE_NAME: - log.info("metricDto: " + metricDto); - assertEquals(GAUGE_NAME, metricDto.getName()); - break; - default: - Assert.fail("Unknown metric found in response."); - - } - } - - - } - - @Test - public void testLimitedSystemMetricsRequest() throws Exception { - - final Props props = Props.create(MetricsProviderActor.class); - final TestActorRef ref = 
TestActorRef.create(actorSystem, props, "testActorRef"); - Future future = Patterns.ask(ref, new SystemMetricsRequest(null, false), - Timeout.apply(1, TimeUnit.MINUTES)); - Object result = Await.result(future, Duration.apply(1, TimeUnit.MINUTES)); - assertTrue(future.isCompleted()); - assertTrue(result instanceof SystemMetricsResponse); - SystemMetricsResponse response = (SystemMetricsResponse) result; - MetricSetDto metricSetDto = response.getMetrics(); - Set dtoSet = metricSetDto.getMetrics(); - - log.info("metricSetDto: " + metricSetDto); - //assertEquals(2, dtoSet.stream().count()); - - for (MetricDto metricDto : dtoSet) { - - // Order of entries is undefined -> Must handle by name - switch (metricDto.getName()) { - case HISTOGRAM_NAME: - Assert.fail("Should not have histrogram."); - break; - case GAUGE_NAME: - Assert.fail("Should not have histrogram gauge."); - break; - default: - Assert.fail("Unknown metric found in response."); - break; - } - } - } - - @Test - public void testParametrizedSystemMetricsRequest() throws Exception { - final Props props = Props.create(MetricsProviderActor.class); - final TestActorRef ref = TestActorRef.create(actorSystem, props, "testActorRef"); - - Future future = Patterns.ask( - ref, - new SystemMetricsRequest(Arrays.asList(HISTOGRAM_NAME), true), - Timeout.apply(1, TimeUnit.MINUTES)); - - Object result = Await.result(future, Duration.apply(1, TimeUnit.MINUTES)); - assertTrue(future.isCompleted()); - assertTrue(result instanceof SystemMetricsResponse); - SystemMetricsResponse response = (SystemMetricsResponse) result; - MetricSetDto metricSetDto = response.getMetrics(); - Set dtoSet = metricSetDto.getMetrics(); - - log.info("metricSetDto: " + metricSetDto); - assertEquals(1, dtoSet.stream().count()); - - // Note: findFirst() works only because of single result - MetricDto metricDto = dtoSet.stream().findFirst().get(); - assertEquals(HISTOGRAM_NAME, metricDto.getName()); - assertTrue(metricDto instanceof HistogramDto); - 
HistogramDto h = (HistogramDto) metricDto; - assertEquals(100L, (long) h.getMax()); - assertEquals(10L, (long) h.getMin()); - assertEquals(55L, (long) h.getMean()); - } -} diff --git a/src/monitor/src/test/java/ee/ria/xroad/monitor/MetricsRpcServiceTest.java b/src/monitor/src/test/java/ee/ria/xroad/monitor/MetricsRpcServiceTest.java new file mode 100644 index 0000000000..4c25c84801 --- /dev/null +++ b/src/monitor/src/test/java/ee/ria/xroad/monitor/MetricsRpcServiceTest.java 
@@ -0,0 +1,198 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package ee.ria.xroad.monitor;
+
+import ee.ria.xroad.common.SystemProperties;
+import ee.ria.xroad.common.TestPortUtils;
+
+import com.codahale.metrics.Histogram;
+import com.codahale.metrics.MetricRegistry;
+import io.grpc.Channel;
+import lombok.Getter;
+import lombok.extern.slf4j.Slf4j;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.niis.xroad.common.rpc.client.RpcClient;
+import org.niis.xroad.common.rpc.server.RpcServer;
+import org.niis.xroad.monitor.common.Metrics;
+import org.niis.xroad.monitor.common.MetricsGroup;
+import org.niis.xroad.monitor.common.MetricsServiceGrpc;
+import org.niis.xroad.monitor.common.SystemMetricsReq;
+
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
+
+/**
+ * MetricsProviderActorTest
+ */
+@Slf4j
+class MetricsRpcServiceTest {
+ private static final String HISTOGRAM_NAME = "TestHistogram";
+ private static final String GAUGE_NAME = "TestGauge";
+
+ private RpcServer rpcServer;
+ private RpcClient rpcClient;
+
+ @Getter
+ private static class TestMetricsExecutionContext implements RpcClient.ExecutionContext {
+ private final MetricsServiceGrpc.MetricsServiceBlockingStub metricsServiceBlockingStub;
+
+ TestMetricsExecutionContext(Channel channel) {
+ metricsServiceBlockingStub = MetricsServiceGrpc.newBlockingStub(channel);
+ }
+ }
+
+ /**
+ * Before test handler
+ */
+ @BeforeEach
+ public void init() throws Exception {
+ System.setProperty(SystemProperties.ENV_MONITOR_LIMIT_REMOTE_DATA_SET, Boolean.TRUE.toString());
+ System.setProperty(SystemProperties.GRPC_INTERNAL_TLS_ENABLED, Boolean.FALSE.toString());
+
+ int port = TestPortUtils.findRandomPort();
+ rpcServer = RpcServer.newServer("localhost", port, serverBuilder ->
serverBuilder.addService(new MetricsRpcService())); + rpcServer.start(); + rpcClient = RpcClient.newClient("localhost", port, TestMetricsExecutionContext::new); + + MetricRegistry metricsRegistry = new MetricRegistry(); + Histogram testHistogram = metricsRegistry.histogram(HISTOGRAM_NAME); + testHistogram.update(100); + testHistogram.update(10); + + //MetricRegistry.MetricSupplier x; + metricsRegistry.gauge(GAUGE_NAME, () -> new SimpleSensor<>("Test gauge String value.")); + + MetricRegistryHolder.getInstance().setMetrics(metricsRegistry); + } + + /** + * Shut down actor system and wait for clean up, so that other tests are not disturbed + */ + @AfterEach + public void tearDown() throws Exception { + rpcClient.shutdown(); + rpcServer.stop(); + } + + @Test + void testAllSystemMetricsRequest() throws Exception { + var request = SystemMetricsReq.newBuilder().setIsClientOwner(true).build(); + var response = rpcClient.execute(ctx -> ctx.getMetricsServiceBlockingStub().getMetrics(request)); + + assertNotNull(response); + + MetricsGroup metricSetDto = response.getMetrics(); + List dtoSet = metricSetDto.getMetricsList(); + + log.info("metricSetDto: {}", metricSetDto); + assertEquals(2, dtoSet.size()); + + for (Metrics metricDto : dtoSet) { + if (metricDto.hasSingleHistogram()) { + var histogram = metricDto.getSingleHistogram(); + log.info("metricDto: {}", histogram); + assertEquals(HISTOGRAM_NAME, histogram.getName()); + assertEquals(100L, (long) histogram.getMax()); + assertEquals(10L, (long) histogram.getMin()); + assertEquals(55L, (long) histogram.getMean()); + } else if (metricDto.hasSingleMetrics()) { + var singleMetrics = metricDto.getSingleMetrics(); + log.info("metricDto: {}", singleMetrics); + assertEquals(GAUGE_NAME, singleMetrics.getName()); + } else { + fail("Unknown metric found in response."); + } + } + } + + @Test + void testLimitedSystemMetricsRequest() throws Exception { + var request = SystemMetricsReq.newBuilder().setIsClientOwner(false).build(); + var 
response = rpcClient.execute(ctx -> ctx.getMetricsServiceBlockingStub().getMetrics(request)); + + MetricsGroup metricSetDto = response.getMetrics(); + List dtoSet = metricSetDto.getMetricsList(); + + log.info("metricSetDto: {}", metricSetDto); + + for (Metrics metricDto : dtoSet) { + String name = getMetricsName(metricDto); + switch (name) { + case HISTOGRAM_NAME: + fail("Should not have histrogram."); + break; + case GAUGE_NAME: + fail("Should not have histrogram gauge."); + break; + default: + fail("Unknown metric found in response."); + break; + } + } + } + + private String getMetricsName(Metrics metrics) { + if (metrics.hasSingleMetrics()) { + return metrics.getSingleMetrics().getName(); + } else if (metrics.hasSingleHistogram()) { + return metrics.getSingleHistogram().getName(); + } + return fail("Unknown metric found in response."); + } + + @Test + void testParametrizedSystemMetricsRequest() throws Exception { + var request = SystemMetricsReq.newBuilder() + .addMetricNames(HISTOGRAM_NAME) + .setIsClientOwner(true) + .build(); + + var response = rpcClient.execute(ctx -> ctx.getMetricsServiceBlockingStub().getMetrics(request)); + + MetricsGroup metricSetDto = response.getMetrics(); + List dtoSet = metricSetDto.getMetricsList(); + + log.info("metricSetDto: {}", metricSetDto); + assertEquals(1, dtoSet.size()); + + // Note: findFirst() works only because of single result + Metrics metricDto = dtoSet.stream().findFirst().get(); + assertTrue(metricDto.hasSingleHistogram()); + var histogram = metricDto.getSingleHistogram(); + assertEquals(HISTOGRAM_NAME, histogram.getName()); + + assertEquals(100L, (long) histogram.getMax()); + assertEquals(10L, (long) histogram.getMin()); + assertEquals(55L, (long) histogram.getMean()); + } + +} diff --git a/src/monitor/src/test/java/ee/ria/xroad/monitor/SystemMetricsSensorTest.java b/src/monitor/src/test/java/ee/ria/xroad/monitor/SystemMetricsSensorTest.java index 95e7be69e7..d2f9da6879 100644 
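Review bot: `init()` sets `SystemProperties.GRPC_INTERNAL_TLS_ENABLED` to false (and `ENV_MONITOR_LIMIT_REMOTE_DATA_SET` to true) as JVM-wide system properties, and `tearDown()` only stops the client and server, so the plaintext setting stays in effect for whatever test class runs next in the same JVM. Restore it in `tearDown()`, e.g. `System.clearProperty(SystemProperties.GRPC_INTERNAL_TLS_ENABLED);`, so a later test cannot pass only because TLS was switched off here. The static initializer in SystemMetricsSensorTest sets the same property and its `@AfterAll` does not clear it either. The class Javadoc (`MetricsProviderActorTest`) and the `tearDown()` comment about shutting down the actor system are left over from the Akka test and should name the RPC service and server instead.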
--- a/src/monitor/src/test/java/ee/ria/xroad/monitor/SystemMetricsSensorTest.java +++ b/src/monitor/src/test/java/ee/ria/xroad/monitor/SystemMetricsSensorTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
@@ -26,62 +26,117 @@ package ee.ria.xroad.monitor; import ee.ria.xroad.common.SystemProperties; -import ee.ria.xroad.monitor.common.StatsRequest; -import ee.ria.xroad.monitor.common.StatsResponse; +import ee.ria.xroad.common.TestPortUtils; import ee.ria.xroad.monitor.common.SystemMetricNames; -import akka.actor.ActorRef; -import akka.actor.ActorSystem; -import akka.actor.Props; -import akka.testkit.TestActorRef; -import akka.testkit.javadsl.TestKit; import com.codahale.metrics.Histogram; import com.codahale.metrics.MetricRegistry; -import com.typesafe.config.ConfigFactory; -import org.junit.AfterClass; -import org.junit.Assert; -import org.junit.BeforeClass; -import org.junit.Test; +import io.grpc.stub.StreamObserver; +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.Spy; +import org.mockito.junit.jupiter.MockitoExtension; +import org.niis.xroad.common.rpc.server.RpcServer; +import org.niis.xroad.monitor.common.MonitorServiceGrpc; +import org.niis.xroad.monitor.common.StatsReq; +import org.niis.xroad.monitor.common.StatsResp; +import org.springframework.scheduling.TaskScheduler; +import java.io.IOException; +import java.time.Clock; +import java.time.Duration; import java.util.Map; +import java.util.concurrent.TimeUnit; + +import static org.awaitility.Awaitility.await; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.eq; +import static org.mockito.Mockito.spy; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; /** * Test for SystemMetricsSensor */ -public class SystemMetricsSensorTest { +@ExtendWith(MockitoExtension.class) +class SystemMetricsSensorTest { + private static final int PORT; + + private static RpcServer rpcServer; + private static 
StatsResp response; - private static ActorSystem actorSystem; + @Spy + private MetricRegistry metricRegistry = new MetricRegistry(); + + static { + try { + PORT = TestPortUtils.findRandomPort(); + } catch (IOException e) { + throw new RuntimeException(e); + } - @BeforeClass - public static void init() { System.setProperty(SystemProperties.ENV_MONITOR_SYSTEM_METRICS_SENSOR_INTERVAL, "1"); - actorSystem = ActorSystem.create("AkkaTestServer", ConfigFactory.load()); + System.setProperty(SystemProperties.PROXY_GRPC_PORT, String.valueOf(PORT)); + System.setProperty(SystemProperties.GRPC_INTERNAL_TLS_ENABLED, Boolean.FALSE.toString()); + } + + @BeforeAll + public static void init() throws Exception { + rpcServer = RpcServer.newServer(SystemProperties.getGrpcInternalHost(), PORT, serverBuilder -> + serverBuilder.addService(new MonitorServiceGrpc.MonitorServiceImplBase() { + @Override + public void getStats(StatsReq request, StreamObserver responseObserver) { + responseObserver.onNext(response); + responseObserver.onCompleted(); + } + })); + rpcServer.start(); } - @AfterClass - public static void tearDown() { - TestKit.shutdownActorSystem(actorSystem); + @AfterAll + public static void tearDown() throws Exception { + rpcServer.stop(); } @Test - public void testSystemMetricsSensor() { - final MetricRegistry registry = new MetricRegistry(); - MetricRegistryHolder.getInstance().setMetrics(registry); + void testSystemMetricsSensor() throws Exception { + MetricRegistryHolder.getInstance().setMetrics(metricRegistry); + + var taskScheduler = spy(TaskScheduler.class); + when(taskScheduler.getClock()).thenReturn(Clock.systemDefaultZone()); + + SystemMetricsSensor systemMetricsSensor = new SystemMetricsSensor(taskScheduler); - final TestKit agent = new TestKit(actorSystem); - final ActorRef sensor = TestActorRef.create(actorSystem, Props.create(SystemMetricsSensor.class, - agent.getRef().path().toString())); - agent.expectMsgClass(StatsRequest.class); - sensor.tell(new 
StatsResponse(0, 0, 1.0, 0, 0, 0, 0, 0), agent.getRef()); + response = StatsResp.newBuilder() + .setOpenFileDescriptorCount(0) + .setMaxFileDescriptorCount(0) + .setSystemCpuLoad(1.0d) + .setCommittedVirtualMemorySize(0) + .setFreePhysicalMemorySize(0) + .setTotalPhysicalMemorySize(0) + .setFreeSwapSpaceSize(0) + .setTotalSwapSpaceSize(0) + .build(); - for (Map.Entry e : registry.getHistograms().entrySet()) { + systemMetricsSensor.measure(); + + await() + .atMost(Duration.ofSeconds(30)) + .pollDelay(500, TimeUnit.MILLISECONDS) + .untilAsserted(() -> verify(metricRegistry, times(1)) + .gauge(eq(SystemMetricNames.TOTAL_PHYSICAL_MEMORY), any())); + + for (Map.Entry e : metricRegistry.getHistograms().entrySet()) { if (SystemMetricNames.SYSTEM_CPU_LOAD.equalsIgnoreCase(e.getKey())) { - Assert.assertEquals(100, e.getValue().getSnapshot().getValues()[0]); + assertEquals(100, e.getValue().getSnapshot().getValues()[0]); } else { - Assert.assertEquals(0, e.getValue().getSnapshot().getValues()[0]); + assertEquals(0, e.getValue().getSnapshot().getValues()[0]); } } - } } diff --git a/src/monitor/src/test/java/ee/ria/xroad/monitor/executablelister/PackageListerTest.java b/src/monitor/src/test/java/ee/ria/xroad/monitor/executablelister/PackageListerTest.java index 619e4b37a1..b8a2a0899b 100644 --- a/src/monitor/src/test/java/ee/ria/xroad/monitor/executablelister/PackageListerTest.java +++ b/src/monitor/src/test/java/ee/ria/xroad/monitor/executablelister/PackageListerTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
@@ -30,25 +30,21 @@ import lombok.extern.slf4j.Slf4j; import org.apache.commons.io.FileUtils; import org.apache.commons.lang3.SystemUtils; -import org.junit.Assume; -import org.junit.Before; -import org.junit.Test; +import org.junit.jupiter.api.Assumptions; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; import java.io.File; import java.io.IOException; import java.nio.charset.StandardCharsets; -import static org.junit.Assert.assertEquals; - -/** - * Created by janne on 6.11.2015. - */ +import static org.junit.jupiter.api.Assertions.assertEquals; /** * Tests for package lister */ @Slf4j -public class PackageListerTest { +class PackageListerTest { // FIXME: there should be a better way to do this with gradle. Seems to be the norm though elsewhere as well. private static final String RESOURCE_PATH = "src/test/resources/"; @@ -58,8 +54,8 @@ public class PackageListerTest { /** * Before test handler */ - @Before - public void setup() throws Exception { + @BeforeEach + void setup() throws Exception { packageOutputString = FileUtils.readFileToString(new File(RESOURCE_PATH + "ubuntu-packagelist.txt"), StandardCharsets.UTF_8.toString()); @@ -68,9 +64,8 @@ public void setup() throws Exception { } @Test - public void testProcessList() throws Exception { - Assume.assumeTrue("AbstractExecListener does not support other operating systems.", - SystemUtils.IS_OS_LINUX); + void testProcessList() { + Assumptions.assumeTrue(SystemUtils.IS_OS_LINUX, "AbstractExecListener does not support other operating systems."); PackageLister testPackageLister = new PackageLister() { @Override diff --git a/src/monitor/src/test/java/ee/ria/xroad/monitor/executablelister/ProcessListerTest.java b/src/monitor/src/test/java/ee/ria/xroad/monitor/executablelister/ProcessListerTest.java index e2867265b5..86e941b838 100644 --- a/src/monitor/src/test/java/ee/ria/xroad/monitor/executablelister/ProcessListerTest.java 
+++ b/src/monitor/src/test/java/ee/ria/xroad/monitor/executablelister/ProcessListerTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -30,21 +30,20 @@ import lombok.extern.slf4j.Slf4j; import org.apache.commons.io.FileUtils; import org.apache.commons.lang3.SystemUtils; -import org.junit.Assume; -import org.junit.Before; -import org.junit.Test; +import org.junit.jupiter.api.Assumptions; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; import java.io.File; -import java.io.IOException; import java.nio.charset.StandardCharsets; -import static org.junit.Assert.assertEquals; +import static org.junit.jupiter.api.Assertions.assertEquals; /** * Created by janne on 6.11.2015. */ @Slf4j -public class ProcessListerTest { +class ProcessListerTest { // FIXME: there should be a better way to do this with gradle. Seems to be the norm though elsewhere as well. private static final String RESOURCE_PATH = "src/test/resources/"; @@ -54,8 +53,8 @@ public class ProcessListerTest { /** * Before test handler */ - @Before - public void setup() throws Exception { + @BeforeEach + void setup() throws Exception { processOutputString = FileUtils.readFileToString(new File(RESOURCE_PATH + "processlist.txt"), StandardCharsets.UTF_8.toString()); 
@@ -64,20 +63,18 @@ public void setup() throws Exception { } @Test - public void testProcessList() throws Exception { - Assume.assumeTrue("AbstractExecListener does not support other operating systems.", - SystemUtils.IS_OS_LINUX); + void testProcessList() { + Assumptions.assumeTrue(SystemUtils.IS_OS_LINUX, "AbstractExecListener does not support other operating systems."); ProcessLister testProcessLister = new ProcessLister() { - - @Override - ProcessOutputs executeProcess() throws IOException, InterruptedException { + ProcessOutputs executeProcess() { ProcessOutputs fakeOutputs = new ProcessOutputs(); fakeOutputs.setOut(processOutputString); return fakeOutputs; } }; + JmxStringifiedData data = testProcessLister.list(); assertEquals(11, data.getDtoData().size()); // no header row assertEquals(12, data.getJmxStringData().size()); // header row included diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java index f838db3e0c..c3ade93237 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java @@ -66,8 +66,10 @@ import akka.util.Timeout; import com.typesafe.config.ConfigFactory; import com.typesafe.config.ConfigValueFactory; +import io.grpc.BindableService; import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; +import org.niis.xroad.common.rpc.server.RpcServer; import scala.concurrent.Await; import scala.concurrent.duration.Duration; @@ -117,6 +119,8 @@ public final class ProxyMain { private static final List SERVICES = new ArrayList<>(); + private static RpcServer rpcServer; + private static ActorSystem actorSystem; private static ServiceLoader addOns = ServiceLoader.load(AddOn.class); @@ -136,6 +140,7 @@ private ProxyMain() { /** * Main program entry point. + * * @param args command-line arguments * @throws Exception in case of any errors */ 
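Review bot: The anonymous `ProcessLister` subclass in `testProcessList()` loses its `@Override` on `executeProcess()` in this hunk, while the equivalent stub in PackageListerTest keeps it. Without the annotation, a later rename or signature change in `ProcessLister` would turn this method into an unrelated overload without any compiler error, and `list()` would presumably execute the real command instead of returning the canned output. Keep `@Override` on the line above `ProcessOutputs executeProcess() {`.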
@@ -198,6 +203,7 @@ private static void shutdown() throws Exception { Await.ready(actorSystem.terminate(), Duration.Inf()); BatchSigner.shutdown(); + rpcServer.stop(); RpcSignerClient.shutdown(); } @@ -210,9 +216,12 @@ private static void createServices() throws Exception { boolean messageLogEnabled = MessageLog.init(actorSystem, jobManager); OpMonitoring.init(actorSystem); + AddOn.BindableServiceRegistry bindableServiceRegistry = new AddOn.BindableServiceRegistry(); for (AddOn addOn : addOns) { - addOn.init(actorSystem); + addOn.init(bindableServiceRegistry); } + rpcServer = createRpcServer(bindableServiceRegistry.getRegisteredServices()); + rpcServer.start(); SERVICES.add(jobManager); SERVICES.add(new ClientProxy()); @@ -243,6 +252,17 @@ private static void createServices() throws Exception { getMessageLogArchiveEncryptionMembers(getMembers())); } + //TODO grpc. this is a god class that must be split. + public static RpcServer createRpcServer(final List bindableServices) throws Exception { + return RpcServer.newServer( + SystemProperties.getGrpcInternalHost(), + SystemProperties.getProxyGrpcPort(), + builder -> bindableServices.forEach(bindableService -> { + log.info("Registering {} RPC service.", bindableService.getClass().getSimpleName()); + builder.addService(bindableService); + })); + } + private static List getMembers() { try { return new ArrayList<>(ServerConf.getMembers()); @@ -388,7 +408,7 @@ public void handle(HttpServletRequest request, HttpServletResponse response) { Timeout timeout = new Timeout(DIAGNOSTICS_CONNECTION_TIMEOUT_MS, TimeUnit.MILLISECONDS); try { Map statusesFromLogManager = - (Map)Await.result( + (Map) Await.result( Patterns.ask(logManagerSelection, CommonMessages.TIMESTAMP_STATUS, timeout), timeout.duration()); 
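Review bot: `rpcServer.stop()` in `shutdown()` is called unguarded, but the static `rpcServer` field is assigned only inside `createServices()`, after the add-on loop has run. If startup fails before that assignment and `shutdown()` still runs (its call sites are outside this hunk), the call throws a NullPointerException and `RpcSignerClient.shutdown()` on the next line is skipped. Guard it with `if (rpcServer != null) { rpcServer.stop(); }`. The `AddOn.shutdown()` hook this commit adds is also not invoked in the visible part of `shutdown()`, whose body starts outside the hunk.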
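Review bot: `createRpcServer` is a new `public static` entry point whose only comment is a TODO, and it binds every service handed over by the add-ons to the listener with no documented restriction. Add a Javadoc stating that the bind address comes from `SystemProperties.getGrpcInternalHost()` and `SystemProperties.getProxyGrpcPort()`, and that transport security and caller authentication are whatever `RpcServer.newServer` applies, which is not visible in this hunk. That gives the reviewer of a new add-on a single place to check what protects the service it registers.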
@@ -422,13 +442,14 @@ public void handle(HttpServletRequest request, HttpServletResponse response) { /** * Logic that determines correct DiagnosticsStatus based on simple connection check and LogManager status - * @param timestamperUrl url of timestamper + * + * @param timestamperUrl url of timestamper * @param statusFromSimpleConnectionCheck status from simple connection check - * @param statusFromLogManager (possible) status from LogManager + * @param statusFromLogManager (possible) status from LogManager * @return */ private static DiagnosticsStatus determineDiagnosticsStatus(String timestamperUrl, - DiagnosticsStatus statusFromSimpleConnectionCheck, DiagnosticsStatus statusFromLogManager) { + DiagnosticsStatus statusFromSimpleConnectionCheck, DiagnosticsStatus statusFromLogManager) { DiagnosticsStatus status = statusFromSimpleConnectionCheck; @@ -497,7 +518,7 @@ private static Map checkConnectionToTimestampUrl() { log.info("Checking timestamp server status for url {}", url); - HttpURLConnection con = (HttpURLConnection)url.openConnection(); + HttpURLConnection con = (HttpURLConnection) url.openConnection(); con.setConnectTimeout(DIAGNOSTICS_CONNECTION_TIMEOUT_MS); con.setReadTimeout(DIAGNOSTICS_READ_TIMEOUT_MS); con.setDoOutput(true); @@ -546,13 +567,14 @@ private static List getMessageLogArchiveEncry private static List getBackupEncryptionKeyIds() { return Arrays.stream(StringUtils.split( - SystemProperties.getBackupEncryptionKeyIds(), ',')) + SystemProperties.getBackupEncryptionKeyIds(), ',')) .map(String::trim) .collect(Collectors.toList()); } /** * Return X-Road software version + * * @return version string e.g. 6.19.0 */ public static String readProxyVersion() { diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/addon/AddOn.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/addon/AddOn.java index 44bbc4f69f..9700e3a59d 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/addon/AddOn.java 
+++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/addon/AddOn.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -25,7 +25,11 @@ */ package ee.ria.xroad.proxy.addon; -import akka.actor.ActorSystem; +import com.google.common.collect.ImmutableList; +import io.grpc.BindableService; + +import java.util.ArrayList; +import java.util.List; /** * Interface for proxy addons @@ -35,8 +39,27 @@ public interface AddOn { /** * Initialization hook called during proxy startup * - * @param system proxy actorsystem + * @param bindableServiceRegistry proxy gRPC service registry */ - void init(ActorSystem system); + void init(BindableServiceRegistry bindableServiceRegistry); + + + void shutdown(); + + class BindableServiceRegistry { + private final List bindableServices = new ArrayList<>(); + + /** + * Register gRPC bindable service to already present server. + * + * @param bindableService + */ + public void register(BindableService bindableService) { + bindableServices.add(bindableService); + } + public List getRegisteredServices() { + return ImmutableList.copyOf(bindableServices); + } + } } diff --git a/src/proxy/src/main/resources/application.conf b/src/proxy/src/main/resources/application.conf index 0d6a402e6d..404f283e99 100644 --- a/src/proxy/src/main/resources/application.conf +++ b/src/proxy/src/main/resources/application.conf @@ -9,7 +9,7 @@ proxy { artery { canonical { hostname = "127.0.0.1" - port = 5567 + port = 5568 #TODO this is temporary change until akka is migrated } } } diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/AbstractProxyIntegrationTest.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/AbstractProxyIntegrationTest.java index 96fa5f4c25..f9859ac42a 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/AbstractProxyIntegrationTest.java 
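Review bot: `BindableServiceRegistry.register` stores whatever it is given, so a null passed by a misbehaving add-on is only detected later, when `builder.addService` runs in ProxyMain, far from the add-on that caused it. Reject it at the source with `bindableServices.add(Objects.requireNonNull(bindableService, "bindableService"));` (this needs `java.util.Objects` imported). The Javadoc of `register` has an empty `@param bindableService`, and the new `void shutdown();` has no Javadoc at all; it should state when the proxy calls it and whether it may throw. Since `shutdown()` has no default body, every existing `AddOn` implementation has to add one, which is worth stating in the interface comment.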
+++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/AbstractProxyIntegrationTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -136,8 +136,9 @@ public static void setup() throws Exception { MessageLog.init(actorSystem, jobManager); OpMonitoring.init(actorSystem); + AddOn.BindableServiceRegistry serviceRegistry = new AddOn.BindableServiceRegistry(); for (AddOn addon : ServiceLoader.load(AddOn.class)) { - addon.init(actorSystem); + addon.init(serviceRegistry); } clientProxy = new ClientProxy(); diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java index 8178817c15..4b524d11b7 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java @@ -4,17 +4,17 @@ * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * + *

* Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - * + *

* The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - * + *

* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE @@ -30,6 +30,7 @@ import ee.ria.xroad.common.conf.serverconf.ServerConf; import ee.ria.xroad.common.util.JobManager; import ee.ria.xroad.common.util.StartStop; +import ee.ria.xroad.proxy.ProxyMain; import ee.ria.xroad.proxy.addon.AddOn; import ee.ria.xroad.proxy.clientproxy.ClientProxy; import ee.ria.xroad.proxy.conf.KeyConf; @@ -41,6 +42,7 @@ import akka.actor.ActorSystem; import com.typesafe.config.ConfigFactory; import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.common.rpc.server.RpcServer; import scala.concurrent.Await; import scala.concurrent.duration.Duration; @@ -68,6 +70,7 @@ public final class ProxyTestSuite { private static JobManager jobManager; private static ActorSystem actorSystem; + private static RpcServer proxyRpcServer; private ProxyTestSuite() { } @@ -169,10 +172,11 @@ private static void setUp() throws Exception { jobManager.start(); actorSystem = ActorSystem.create("Proxy", ConfigFactory.load().getConfig("proxy")); - - for (AddOn addon :ServiceLoader.load(AddOn.class)) { - addon.init(actorSystem); + AddOn.BindableServiceRegistry serviceRegistry = new AddOn.BindableServiceRegistry(); + for (AddOn addon : ServiceLoader.load(AddOn.class)) { + addon.init(serviceRegistry); } + proxyRpcServer = ProxyMain.createRpcServer(serviceRegistry.getRegisteredServices()); } private static void runNormalTestCases(List tc) throws Exception { 
@@ -229,9 +233,13 @@ private static void runIsolatedSslTestCases(List tc) throws Exc private static void runTestSuite(List services, List tc) throws Exception { for (StartStop s : services) { - s.start(); + try { + s.start(); - log.info(s.getClass().getSimpleName() + " started"); + log.info(s.getClass().getSimpleName() + " started"); + } catch (Exception e) { + log.error("Failed to start service", e); + } } try { @@ -290,6 +298,7 @@ private static List getDefaultServices() throws Exception { return new ArrayList<>(// need mutable list Arrays.asList(clientProxy, serverProxy, new CertHashBasedOcspResponder("127.0.0.1"), + proxyRpcServer, new DummyService(), new DummyServerProxy())); } diff --git a/src/settings.gradle b/src/settings.gradle index 19353b4234..8240b02176 100644 --- a/src/settings.gradle +++ b/src/settings.gradle @@ -33,7 +33,6 @@ include "asicverifier" include "asic-util" include "monitor" include "monitor-common" -include "monitor-test" include "op-monitor-daemon" include "shared-ui" diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java index f07f6b85e0..1e46ffc6a0 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java 
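Review bot: The new `catch (Exception e)` around `s.start()` in `runTestSuite` logs and continues, so the test cases then run against a service set in which one member (for example the newly added `proxyRpcServer`) never started, and later failures or false passes no longer point at the startup error. The log line also omits which service failed. Rethrow after logging, `log.error("Failed to start {}", s.getClass().getSimpleName(), e); throw e;`, or drop the try/catch and keep the previous fail-fast behaviour. The method body continues outside the hunk.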
@@ -25,47 +25,30 @@ */ package ee.ria.xroad.signer.protocol; -import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.protocol.dto.CodedExceptionProto; - -import com.google.protobuf.Any; -import com.google.protobuf.InvalidProtocolBufferException; -import io.grpc.CallOptions; import io.grpc.Channel; -import io.grpc.ClientCall; -import io.grpc.ClientInterceptor; -import io.grpc.Grpc; -import io.grpc.ManagedChannel; -import io.grpc.MethodDescriptor; -import io.grpc.Status; -import io.grpc.StatusRuntimeException; import lombok.Getter; import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.common.rpc.client.RpcClient; import org.niis.xroad.signer.proto.CertificateServiceGrpc; import org.niis.xroad.signer.proto.KeyServiceGrpc; import org.niis.xroad.signer.proto.OcspServiceGrpc; import org.niis.xroad.signer.proto.TokenServiceGrpc; -import static ee.ria.xroad.common.ErrorCodes.SIGNER_X; -import static ee.ria.xroad.common.SystemProperties.getGrpcSignerHost; +import static ee.ria.xroad.common.SystemProperties.getGrpcInternalHost; import static ee.ria.xroad.common.SystemProperties.getGrpcSignerPort; import static ee.ria.xroad.common.SystemProperties.getSignerClientTimeout; -import static java.util.concurrent.TimeUnit.MILLISECONDS; -import static org.niis.xroad.signer.grpc.ServerCredentialsConfigurer.createClientCredentials; @Slf4j public final class RpcSignerClient { private static RpcSignerClient instance; - private final ManagedChannel channel; - private final ExecutionContext executionContext; + private final RpcClient client; /** * Construct client for accessing Signer services using the provided channel. */ - private RpcSignerClient(final ManagedChannel channel) { - this.channel = channel; - this.executionContext = new ExecutionContext(channel); + private RpcSignerClient(final RpcClient client) { + this.client = client; } /** 
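Review bot: The constructor comment still reads "using the provided channel" although the parameter is now an `RpcClient`; change it to `Construct client for accessing Signer services using the provided RPC client.` This hunk also drops the static import of `createClientCredentials`, so the channel credentials are no longer chosen in this class. Whether `RpcClient.newClient` applies the same TLS client credentials is not visible here and should be confirmed and stated in the class Javadoc, since this client carries the token, key and certificate service calls to the signer.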
@@ -74,40 +57,28 @@ private RpcSignerClient(final ManagedChannel channel) { * @throws Exception */ public static void init() throws Exception { - init(getGrpcSignerHost(), getGrpcSignerPort(), getSignerClientTimeout()); + init(getGrpcInternalHost(), getGrpcSignerPort(), getSignerClientTimeout()); } public static void init(String host, int port, int clientTimeoutMillis) throws Exception { - var credentials = createClientCredentials(); - log.info("Starting grpc client with {} credentials..", credentials.getClass().getSimpleName()); - final ClientInterceptor timeoutInterceptor = new ClientInterceptor() { - @Override - public ClientCall interceptCall( - MethodDescriptor method, CallOptions callOptions, Channel next) { - return next.newCall(method, callOptions.withDeadlineAfter(clientTimeoutMillis, MILLISECONDS)); - } - }; - ManagedChannel channel = Grpc.newChannelBuilderForAddress(host, port, credentials) - .intercept(timeoutInterceptor) - .build(); - - instance = new RpcSignerClient(channel); + var client = RpcClient.newClient(host, port, clientTimeoutMillis, SignerRpcExecutionContext::new); + instance = new RpcSignerClient(client); } public static void shutdown() { if (instance != null) { - instance.channel.shutdown(); + instance.client.shutdown(); } } @Getter - public static class ExecutionContext { + public static class SignerRpcExecutionContext implements RpcClient.ExecutionContext { private final TokenServiceGrpc.TokenServiceBlockingStub blockingTokenService; private final CertificateServiceGrpc.CertificateServiceBlockingStub blockingCertificateService; private final KeyServiceGrpc.KeyServiceBlockingStub blockingKeyService; private final OcspServiceGrpc.OcspServiceBlockingStub blockingOcspService; - public ExecutionContext(final Channel channel) { + public SignerRpcExecutionContext(Channel channel) { blockingTokenService = TokenServiceGrpc.newBlockingStub(channel); blockingCertificateService = CertificateServiceGrpc.newBlockingStub(channel); blockingKeyService = 
KeyServiceGrpc.newBlockingStub(channel); @@ -115,42 +86,10 @@ public ExecutionContext(final Channel channel) { } } - public static V execute(RpcExecution grpcCall) throws Exception { - try { - return grpcCall.exec(getInstance().executionContext); - } catch (StatusRuntimeException error) { - if (error.getStatus().getCode() == Status.Code.DEADLINE_EXCEEDED) { - throw CodedException.tr(SIGNER_X, "signer_client_timeout", "Signer client timed out") - .withPrefix(SIGNER_X); - } - com.google.rpc.Status status = io.grpc.protobuf.StatusProto.fromThrowable(error); - if (status != null) { - for (Any any : status.getDetailsList()) { - if (any.is(CodedExceptionProto.class)) { - try { - final CodedExceptionProto ce = any.unpack(CodedExceptionProto.class); - throw CodedException.tr(ce.getFaultCode(), ce.getTranslationCode(), ce.getFaultString()) - .withPrefix(SIGNER_X); - } catch (InvalidProtocolBufferException e) { - throw new RuntimeException("Failed to parse grpc message", e); - } - } - } - } - throw error; - } + public static V execute(RpcClient.RpcExecution grpcCall) throws Exception { + return getInstance().client.execute(grpcCall); } - @FunctionalInterface - public interface RpcExecution { - /** - * Computes a result, or throws an exception if unable to do so. - * - * @return computed result - * @throws Exception if unable to compute a result - */ - V exec(ExecutionContext ctx) throws Exception; - } public static RpcSignerClient getInstance() { if (instance == null) { diff --git a/src/signer/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java b/src/signer/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java index 506b456b24..6749cabb5a 100644 --- a/src/signer/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java +++ b/src/signer/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java 
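Review bot: `init(String host, int port, int clientTimeoutMillis)` assigns a new `RpcSignerClient` to the static `instance` without stopping the one it replaces, so a second call leaves the earlier client open; the SignerStepDefs step in this patch avoids that only by calling `shutdown()` first. `shutdown()` in turn leaves `instance` set, so a later `execute` would be sent to a stopped client instead of reaching the null check in `getInstance()`. Suggest calling `shutdown();` at the top of `init` and ending `shutdown()` with `instance = null;`. Because `instance` is a plain static field read by `execute`, declaring it `volatile` or making `init` and `shutdown` `synchronized` would also make the hand-over visible across threads.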
@@ -68,7 +68,7 @@ import java.util.UUID; import java.util.stream.Collectors; -import static ee.ria.xroad.common.SystemProperties.getGrpcSignerHost; +import static ee.ria.xroad.common.SystemProperties.getGrpcInternalHost; import static ee.ria.xroad.common.SystemProperties.getGrpcSignerPort; import static ee.ria.xroad.common.util.CryptoUtils.SHA256WITHRSA_ID; import static ee.ria.xroad.common.util.CryptoUtils.SHA256_ID; @@ -626,7 +626,7 @@ public void signerClientInitializedWithDefaultSettings() throws Exception { @Step("signer client initialized with timeout {int} milliseconds") public void signerClientReinitializedWithTimeoutMilliseconds(int timeoutMillis) throws Exception { RpcSignerClient.shutdown(); - RpcSignerClient.init(getGrpcSignerHost(), getGrpcSignerPort(), timeoutMillis); + RpcSignerClient.init(getGrpcInternalHost(), getGrpcSignerPort(), timeoutMillis); } @Step("getTokens fails with timeout exception") diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerRpcConfig.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerRpcConfig.java index 5e3a1349b0..8d6c05e70a 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/SignerRpcConfig.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerRpcConfig.java @@ -29,7 +29,7 @@ import io.grpc.BindableService; import lombok.extern.slf4j.Slf4j; -import org.niis.xroad.signer.grpc.RpcServer; +import org.niis.xroad.common.rpc.server.RpcServer; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; 
@@ -39,10 +39,10 @@ @Configuration public class SignerRpcConfig { - @Bean(initMethod = "start", destroyMethod = "shutdown") + @Bean(initMethod = "start", destroyMethod = "stop") RpcServer rpcServer(final List bindableServices) throws Exception { return RpcServer.newServer( - SystemProperties.getGrpcSignerHost(), + SystemProperties.getGrpcInternalHost(), SystemProperties.getGrpcSignerPort(), builder -> bindableServices.forEach(bindableService -> { log.info("Registering {} RPC service.", bindableService.getClass().getSimpleName()); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRpcHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRpcHandler.java index ee54fb6233..fdce6f1505 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRpcHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/AbstractRpcHandler.java @@ -27,7 +27,6 @@ package ee.ria.xroad.signer.protocol; import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.signer.protocol.dto.CodedExceptionProto; import ee.ria.xroad.signer.tokenmanager.token.TokenWorker; import ee.ria.xroad.signer.tokenmanager.token.TokenWorkerProvider; @@ -36,6 +35,7 @@ import io.grpc.protobuf.StatusProto; import io.grpc.stub.StreamObserver; import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.rpc.error.CodedExceptionProto; import org.springframework.beans.factory.annotation.Autowired; import static com.google.protobuf.Any.pack; From eb88683d2fb68c7ab9c6c47fbca7cf2e306dea71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Thu, 21 Sep 2023 16:49:45 +0300 Subject: [PATCH 090/127] chore: remove unused libs Refs: XRDDEV-2468 --- src/addons/proxymonitor/metaservice/build.gradle | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/addons/proxymonitor/metaservice/build.gradle b/src/addons/proxymonitor/metaservice/build.gradle index 5f17b87909..dcfa04d533 100644 
--- a/src/addons/proxymonitor/metaservice/build.gradle +++ b/src/addons/proxymonitor/metaservice/build.gradle @@ -30,8 +30,6 @@ dependencies { testImplementation project(':common:common-test') testImplementation 'org.hamcrest:hamcrest:2.2' testImplementation 'com.github.stefanbirkner:system-rules:1.19.0' - testImplementation "com.typesafe.akka:akka-testkit_$akkaVersion" - testImplementation "org.mockito:mockito-core:$mockitoVersion" } task createDirs() { From 3ddbba3a36d294727f3e2a53746b97ef7548a398 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Fri, 22 Sep 2023 12:31:36 +0300 Subject: [PATCH 091/127] chore: test fixes Refs: XRDDEV-2468 --- .../signer/container/BaseTestSignerSetup.java | 2 +- .../test/signer/hook/SignerProxyInitHook.java | 4 ++- .../ee/ria/xroad/common/TestPortUtils.java | 28 +++++++++++++++++++ .../java/ee/ria/xroad/common/PortNumbers.java | 8 +++++- .../ee/ria/xroad/common/SystemProperties.java | 4 +-- .../java/ee/ria/xroad/proxy/ProxyMain.java | 3 +- .../xroad/proxy/testsuite/ProxyTestSuite.java | 3 +- 7 files changed, 44 insertions(+), 8 deletions(-) diff --git a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java index 5a3c709ff7..0d6a999e1b 100644 --- a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java +++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java 
@@ -100,7 +100,7 @@ public void beforeStart(@NotNull GenericContainer genericContainer) { .withCommand("java", "-Dlogback.configurationFile=/etc/xroad/signer/signer-logback.xml", "-Dxroad.internal.passwordstore-provider=file", - "-Dxroad.grpc.signer.host=0.0.0.0", + "-Dxroad.grpc.internal.host=0.0.0.0", "-Dxroad.grpc.internal.keystore=/etc/xroad/transport-keystore/grpc-internal-keystore.p12", "-Dxroad.grpc.internal.keystore-password=111111", "-Dxroad.grpc.internal.truststore=/etc/xroad/transport-keystore/grpc-internal-keystore.p12", diff --git a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyInitHook.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyInitHook.java index f92381ada3..4d1fd4efe8 100644 --- a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyInitHook.java +++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyInitHook.java @@ -38,6 +38,8 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Component; +import static ee.ria.xroad.common.PortNumbers.SIGNER_GRPC_PORT; + @Slf4j @Component @ConditionalOnProperty(value = "test-automation.custom.signer-container-enabled", havingValue = "true") @@ -49,7 +51,7 @@ public class SignerProxyInitHook implements BeforeSuiteHook { @SneakyThrows public void beforeSuite() { var host = testableApplicationInfoProvider.getHost(); - var port = testableApplicationInfoProvider.getMappedPort(SystemProperties.getGrpcSignerPort()); + var port = testableApplicationInfoProvider.getMappedPort(SIGNER_GRPC_PORT); log.info("Will use {}:{} for signer RPC connection..", host, port); System.setProperty(SystemProperties.GRPC_INTERNAL_HOST, host); 
diff --git a/src/common/common-test/src/main/java/ee/ria/xroad/common/TestPortUtils.java b/src/common/common-test/src/main/java/ee/ria/xroad/common/TestPortUtils.java index e1ae8b89e2..eb4b987579 100644 --- a/src/common/common-test/src/main/java/ee/ria/xroad/common/TestPortUtils.java +++ b/src/common/common-test/src/main/java/ee/ria/xroad/common/TestPortUtils.java @@ -1,3 +1,28 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + *

+ * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + *

+ * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + *

+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ package ee.ria.xroad.common; import lombok.experimental.UtilityClass; @@ -8,6 +33,9 @@ @UtilityClass public class TestPortUtils { + /** + * Get random available port for use. + */ public static Integer findRandomPort() throws IOException { try (ServerSocket socket = new ServerSocket(0)) { return socket.getLocalPort(); diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/PortNumbers.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/PortNumbers.java index 87cc1f6e27..66bd8f4b72 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/PortNumbers.java +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/PortNumbers.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -51,6 +51,11 @@ public final class PortNumbers { /** Signer Admin port. */ public static final int SIGNER_ADMIN_PORT = 5559; + /** + * Signer grpc service port. + */ + public static final int SIGNER_GRPC_PORT = 5560; + /** Center-Service HTTP port. */ public static final int CENTER_SERVICE_HTTP_PORT = 3333; @@ -75,6 +80,7 @@ public final class PortNumbers { @Deprecated public static final int PROXY_ACTORSYSTEM_PORT = 5568; + /** * Proxy grpc port */ 
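Review bot: The Javadoc added to `findRandomPort()` in TestPortUtils promises a "random available port for use", but the probe `ServerSocket` is closed by the try-with-resources before the number is returned, so another process can bind the port before the caller does. The comment should state that limit, for example `Returns a port that was free when probed; the probe socket is closed before returning, so callers must handle a bind failure.` The method body continues outside the hunk.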
diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java index 91e912c673..efb5e4d991 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java @@ -338,8 +338,6 @@ private SystemProperties() { private static final String DEFAULT_ENFORCE_CLIENT_IS_CERT_VALIDITY_PERIOD_CHECK = "false"; - private static final int DEFAULT_GRPC_SIGNER_PORT = 5560; - /** * The default value of the on/off switch for a group of settings that affect whether or not pooled connections * for the ClientProxy can be actually reused @@ -1728,7 +1726,7 @@ public static boolean isGrpcInternalTlsEnabled() { * @return gRPC signer host. */ public static int getGrpcSignerPort() { - return Integer.parseInt(System.getProperty(GRPC_SIGNER_PORT, String.valueOf(DEFAULT_GRPC_SIGNER_PORT))); + return Integer.parseInt(System.getProperty(GRPC_SIGNER_PORT, String.valueOf(PortNumbers.SIGNER_GRPC_PORT))); } /** diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java index c3ade93237..8d62fff37a 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java @@ -449,7 +449,8 @@ public void handle(HttpServletRequest request, HttpServletResponse response) { * @return */ private static DiagnosticsStatus determineDiagnosticsStatus(String timestamperUrl, - DiagnosticsStatus statusFromSimpleConnectionCheck, DiagnosticsStatus statusFromLogManager) { + DiagnosticsStatus statusFromSimpleConnectionCheck, + DiagnosticsStatus statusFromLogManager) { DiagnosticsStatus status = statusFromSimpleConnectionCheck; 
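Review bot: The Javadoc directly above `getGrpcSignerPort()` still reads `@return gRPC signer host.` although the method returns the port, which now defaults to `PortNumbers.SIGNER_GRPC_PORT`; it should read `@return gRPC signer port.`. `Integer.parseInt` on the raw property value also throws a bare `NumberFormatException` when the value is malformed, so an error message naming the `GRPC_SIGNER_PORT` property would make a misconfiguration easier to trace. The Javadoc block starts outside the hunk.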
diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java index 4b524d11b7..48b1bd381b 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java @@ -176,7 +176,8 @@ private static void setUp() throws Exception { for (AddOn addon : ServiceLoader.load(AddOn.class)) { addon.init(serviceRegistry); } - proxyRpcServer = ProxyMain.createRpcServer(serviceRegistry.getRegisteredServices()); + + proxyRpcServer = ProxyMain.createRpcServer(serviceRegistry.getRegisteredServices()); } private static void runNormalTestCases(List tc) throws Exception { From 1950fb701e7005cb191a269cbd5b974d7f51987b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Fri, 22 Sep 2023 15:48:59 +0300 Subject: [PATCH 092/127] chore: fix missing system test logs Refs: XRDDEV-2468 --- .../admin-service/ui-system-test/build.gradle | 88 +++++++++---------- src/security-server/system-test/build.gradle | 6 +- 2 files changed, 48 insertions(+), 46 deletions(-) diff --git a/src/central-server/admin-service/ui-system-test/build.gradle b/src/central-server/admin-service/ui-system-test/build.gradle index 59cc176d53..65b70366ce 100644 --- a/src/central-server/admin-service/ui-system-test/build.gradle +++ b/src/central-server/admin-service/ui-system-test/build.gradle 
@@ -1,49 +1,49 @@ - - dependencies { - intTestImplementation project(":central-server:openapi-model") - intTestImplementation("com.nortal.test:test-automation-core:${testAutomationFrameworkVersion}") - intTestImplementation("com.nortal.test:test-automation-selenide:${testAutomationFrameworkVersion}") - intTestImplementation("com.nortal.test:test-automation-allure:${testAutomationFrameworkVersion}") - intTestImplementation("com.nortal.test:test-automation-containers:${testAutomationFrameworkVersion}") - intTestImplementation("com.nortal.test:test-automation-feign:$testAutomationFrameworkVersion") - intTestImplementation("org.bouncycastle:bcpkix-jdk15on:${bouncyCastleVersion}") - intTestImplementation( "org.awaitility:awaitility:${awaitilityVersion}") + intTestImplementation project(":central-server:openapi-model") + intTestImplementation("com.nortal.test:test-automation-core:${testAutomationFrameworkVersion}") + intTestImplementation("com.nortal.test:test-automation-selenide:${testAutomationFrameworkVersion}") { + exclude group: "org.slf4j", module: "*" + } + intTestImplementation("com.nortal.test:test-automation-allure:${testAutomationFrameworkVersion}") + intTestImplementation("com.nortal.test:test-automation-containers:${testAutomationFrameworkVersion}") + intTestImplementation("com.nortal.test:test-automation-feign:$testAutomationFrameworkVersion") + intTestImplementation("org.bouncycastle:bcpkix-jdk15on:${bouncyCastleVersion}") + intTestImplementation("org.awaitility:awaitility:${awaitilityVersion}") } task systemTest(type: Test) { - useJUnitPlatform() - - setDescription("Runs integration tests.") - group = 'verification' - - testClassesDirs = sourceSets.intTest.output.classesDirs - classpath = sourceSets.intTest.runtimeClasspath - - def systemTestArgs = [] - if (project.hasProperty('systemTestTags')) { - systemTestArgs += "-Dtest-automation.cucumber.filter.tags=" + project.getProperty('systemTestTags') - } - if (project.hasProperty('systemTestServeReport')) { 
- systemTestArgs += "-Dtest-automation.report.allure.serve-report.enabled=" + project.getProperty('systemTestServeReport') - } - if (project.hasProperty('systemTestCentralServerUrl')) { - systemTestArgs += "-Dtest-automation.custom.central-server-url-override=" + project.getProperty('systemTestCentralServerUrl') - } - if (project.hasProperty('systemTestCsPackageHost')) { - systemTestArgs += "-Dtest-automation.custom.package-host=" + project.getProperty('systemTestCsPackageHost') - } - if (project.hasProperty('systemTestCsDockerRoot')) { - systemTestArgs += "-Dtest-automation.custom.docker-root=" + project.getProperty('systemTestCsDockerRoot') - } - jvmArgs systemTestArgs - - testLogging { - showStackTraces(true) - showExceptions(true) - showCauses(true) - showStandardStreams(true) - } - - shouldRunAfter test + useJUnitPlatform() + + setDescription("Runs integration tests.") + group = 'verification' + + testClassesDirs = sourceSets.intTest.output.classesDirs + classpath = sourceSets.intTest.runtimeClasspath + + def systemTestArgs = [] + if (project.hasProperty('systemTestTags')) { + systemTestArgs += "-Dtest-automation.cucumber.filter.tags=" + project.getProperty('systemTestTags') + } + if (project.hasProperty('systemTestServeReport')) { + systemTestArgs += "-Dtest-automation.report.allure.serve-report.enabled=" + project.getProperty('systemTestServeReport') + } + if (project.hasProperty('systemTestCentralServerUrl')) { + systemTestArgs += "-Dtest-automation.custom.central-server-url-override=" + project.getProperty('systemTestCentralServerUrl') + } + if (project.hasProperty('systemTestCsPackageHost')) { + systemTestArgs += "-Dtest-automation.custom.package-host=" + project.getProperty('systemTestCsPackageHost') + } + if (project.hasProperty('systemTestCsDockerRoot')) { + systemTestArgs += "-Dtest-automation.custom.docker-root=" + project.getProperty('systemTestCsDockerRoot') + } + jvmArgs systemTestArgs + + testLogging { + showStackTraces(true) + 
showExceptions(true) + showCauses(true) + showStandardStreams(true) + } + + shouldRunAfter test } diff --git a/src/security-server/system-test/build.gradle b/src/security-server/system-test/build.gradle index d225f2bbb8..6d59011c6e 100644 --- a/src/security-server/system-test/build.gradle +++ b/src/security-server/system-test/build.gradle @@ -4,8 +4,10 @@ dependencies { intTestImplementation project(":common:common-int-test") intTestImplementation("com.nortal.test:test-automation-assert:$testAutomationFrameworkVersion") - intTestImplementation("com.nortal.test:test-automation-selenide:${testAutomationFrameworkVersion}") - intTestImplementation ("io.github.openfeign:feign-hc5:$openFeignVersion") + intTestImplementation("com.nortal.test:test-automation-selenide:${testAutomationFrameworkVersion}") { + exclude group: "org.slf4j", module: "*" + } + intTestImplementation("io.github.openfeign:feign-hc5:$openFeignVersion") } task systemTest(type: Test) { From b163e751f87c63f1ffd3381e6f89ef47d7e2fb8d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Fri, 22 Sep 2023 17:30:34 +0300 Subject: [PATCH 093/127] chore: fix proxui ui signer client initialization Refs: XRDDEV-2468 --- .../restapi/config/StartStopListener.java | 3 --- .../restapi/facade/SignerProxyFacade.java | 17 +++++++++++++++++ .../restapi/ApplicationIpRateLimitTest.java | 2 +- .../xroad/ss/test/container/ContainerSetup.java | 4 +++- 4 files changed, 21 insertions(+), 5 deletions(-) diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/config/StartStopListener.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/config/StartStopListener.java index 0366b8cd88..6676cddde2 100644 --- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/config/StartStopListener.java 
+++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/config/StartStopListener.java @@ -54,8 +54,6 @@ private synchronized void stop() throws Exception { uiApiActorSystem.stop(); uiApiActorSystem = null; } - -// RpcSignerClient.shutdown(); } @Autowired @@ -72,7 +70,6 @@ private synchronized void start() throws Exception { if (uiApiActorSystem == null) { uiApiActorSystem = new UIServices("ProxyUIApi", "proxyuiapi"); } -// RpcSignerClient.init(); } diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/facade/SignerProxyFacade.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/facade/SignerProxyFacade.java index 89aed66689..9dae4d7116 100644 --- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/facade/SignerProxyFacade.java +++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/facade/SignerProxyFacade.java @@ -30,6 +30,7 @@ import ee.ria.xroad.signer.SignerProxy; import ee.ria.xroad.signer.SignerProxy.GeneratedCertRequestInfo; import ee.ria.xroad.signer.SignerProxy.KeyIdInfo; +import ee.ria.xroad.signer.protocol.RpcSignerClient; import ee.ria.xroad.signer.protocol.dto.AuthKeyInfo; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; @@ -39,8 +40,12 @@ import lombok.extern.slf4j.Slf4j; import org.niis.xroad.signer.proto.CertificateRequestFormat; +import org.springframework.context.annotation.Profile; import org.springframework.stereotype.Component; +import javax.annotation.PostConstruct; +import javax.annotation.PreDestroy; + import java.util.List; /** 
@@ -49,8 +54,20 @@ * Exists to make testing easier by offering non-static methods. */ @Slf4j +@Profile("!test") @Component public class SignerProxyFacade { + + @PostConstruct + public void init() throws Exception { + RpcSignerClient.init(); + } + + @PreDestroy + public void shutdown() { + RpcSignerClient.shutdown(); + } + /** * {@link SignerProxy#initSoftwareToken(char[])} */ diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/ApplicationIpRateLimitTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/ApplicationIpRateLimitTest.java index 57f4e0cdcc..0c96d85e25 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/ApplicationIpRateLimitTest.java +++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/ApplicationIpRateLimitTest.java @@ -63,7 +63,7 @@ properties = { "xroad.proxy-ui-api.rate-limit-requests-per-minute=10", "xroad.proxy-ui-api.rate-limit-requests-per-second=5"}) -@ActiveProfiles({"nontest"}) +@ActiveProfiles({"nontest", "test"}) @AutoConfigureMockMvc(print = MockMvcPrint.NONE) class ApplicationIpRateLimitTest { private static final int RUNS_PER_MINUTE = 11; diff --git a/src/security-server/admin-service/int-test/src/intTest/java/org/niis/xroad/ss/test/container/ContainerSetup.java b/src/security-server/admin-service/int-test/src/intTest/java/org/niis/xroad/ss/test/container/ContainerSetup.java index b04fd25cdb..cbd2ff6d3b 100644 --- a/src/security-server/admin-service/int-test/src/intTest/java/org/niis/xroad/ss/test/container/ContainerSetup.java +++ b/src/security-server/admin-service/int-test/src/intTest/java/org/niis/xroad/ss/test/container/ContainerSetup.java 
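Review bot: `@Profile("!test")` is placed on the whole `SignerProxyFacade` class, so under the `test` profile the bean does not exist at all and every test context that injects it has to supply a replacement. The `ApplicationIpRateLimitTest` change in this commit, which adds `"test"` next to `"nontest"`, looks like a consequence of that. Since this is easy to miss, a class comment would help, for example `// Not created under the "test" profile: RpcSignerClient is initialised here, so tests must provide their own SignerProxyFacade bean.` Moving `init()` and `shutdown()` into a small, separately profiled lifecycle component would keep the facade itself available to tests. The class body continues outside the hunk.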
@@ -68,7 +68,9 @@ public void customizeDockerFileBuilder(@NotNull DockerfileBuilder dockerfileBuil @NotNull @Override public List customizeCommandParts() { - return List.of("-Dxroad.signer.enforce-token-pin-policy=true"); + return List.of( + "-Dxroad.signer.enforce-token-pin-policy=true", + "-Dxroad.grpc.internal.tls-enabled=false"); } @NotNull From 97dcd115e77eb544045e340cca77c14b05cf2460 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Tue, 26 Sep 2023 12:59:30 +0300 Subject: [PATCH 094/127] chore: fix missing grpc META-INF service locators Refs: XRDDEV-2468 --- .../messagelog/messagelog-archiver/build.gradle | 11 ++++++----- src/addons/proxymonitor/metaservice/build.gradle | 15 ++++++++------- src/configuration-client/build.gradle | 5 +++-- src/configuration-proxy/build.gradle | 9 +++++---- src/monitor/build.gradle | 1 + src/op-monitor-daemon/build.gradle | 13 +++++++------ src/proxy/build.gradle | 9 +++++---- src/signer-console/build.gradle | 11 ++++++----- src/signer/build.gradle | 7 ++++--- 9 files changed, 45 insertions(+), 36 deletions(-) diff --git a/src/addons/messagelog/messagelog-archiver/build.gradle b/src/addons/messagelog/messagelog-archiver/build.gradle index bf025c0e22..14734a694a 100644 --- a/src/addons/messagelog/messagelog-archiver/build.gradle +++ b/src/addons/messagelog/messagelog-archiver/build.gradle @@ -22,11 +22,12 @@ jar { } shadowJar { - archiveVersion = '' - archiveClassifier = '' - exclude('**/module-info.class') - append('reference.conf') - from rootProject.file("LICENSE.txt") + archiveVersion = '' + archiveClassifier = '' + exclude('**/module-info.class') + append('reference.conf') + from rootProject.file("LICENSE.txt") + mergeServiceFiles() } assemble.dependsOn shadowJar diff --git a/src/addons/proxymonitor/metaservice/build.gradle b/src/addons/proxymonitor/metaservice/build.gradle index dcfa04d533..cdff3ba63e 100644 --- a/src/addons/proxymonitor/metaservice/build.gradle 
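Review bot: `customizeCommandParts()` in ContainerSetup now starts the container with `-Dxroad.grpc.internal.tls-enabled=false`, so these integration tests no longer exercise the keystore and truststore path that `BaseTestSignerSetup` configures for the internal gRPC channel. A TLS misconfiguration there would therefore go unnoticed by this suite. If that is an accepted trade-off, a comment next to the flag should say so, for example `// Test container only: internal gRPC runs without TLS here; do not copy this flag into a deployment configuration.`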
+++ b/src/addons/proxymonitor/metaservice/build.gradle @@ -58,13 +58,14 @@ jar { } shadowJar { - archiveClassifier = '' - exclude('**/module-info.class') - dependencies { - include(project(':addons:proxymonitor-common')) - include(project(':monitor-common')) - include(project(':monitoring-conf')) - } + archiveClassifier = '' + exclude('**/module-info.class') + dependencies { + include(project(':addons:proxymonitor-common')) + include(project(':monitor-common')) + include(project(':monitoring-conf')) + } + mergeServiceFiles() } build.dependsOn shadowJar diff --git a/src/configuration-client/build.gradle b/src/configuration-client/build.gradle index 792c12a66b..5ff7915843 100644 --- a/src/configuration-client/build.gradle +++ b/src/configuration-client/build.gradle @@ -23,8 +23,9 @@ jar { } shadowJar { - exclude('**/module-info.class') - classifier = '' + exclude('**/module-info.class') + classifier = '' + mergeServiceFiles() } jar.enabled = false diff --git a/src/configuration-proxy/build.gradle b/src/configuration-proxy/build.gradle index f482c7b98f..b15c6d1e92 100644 --- a/src/configuration-proxy/build.gradle +++ b/src/configuration-proxy/build.gradle @@ -23,10 +23,11 @@ jar { } shadowJar { - classifier = '' - exclude('**/module-info.class') - append('reference.conf') - from rootProject.file("LICENSE.txt") + classifier = '' + exclude('**/module-info.class') + append('reference.conf') + from rootProject.file("LICENSE.txt") + mergeServiceFiles() } jar.enabled = false diff --git a/src/monitor/build.gradle b/src/monitor/build.gradle index 3859e29c09..e03f44e4c3 100644 --- a/src/monitor/build.gradle +++ b/src/monitor/build.gradle @@ -38,6 +38,7 @@ shadowJar { exclude('**/module-info.class') archiveBaseName = "monitor" archiveClassifier = '' + mergeServiceFiles() } jar.finalizedBy shadowJar diff --git a/src/op-monitor-daemon/build.gradle b/src/op-monitor-daemon/build.gradle index 0fbc82482c..a07ac8b0c1 100644 --- a/src/op-monitor-daemon/build.gradle 
+++ b/src/op-monitor-daemon/build.gradle @@ -60,12 +60,13 @@ task xjc() { } shadowJar { - append('reference.conf') - archiveClassifier = '' - exclude('**/module-info.class') - manifest { - attributes 'Main-Class': 'ee.ria.xroad.opmonitordaemon.OpMonitorDaemonMain' - } + append('reference.conf') + archiveClassifier = '' + exclude('**/module-info.class') + manifest { + attributes 'Main-Class': 'ee.ria.xroad.opmonitordaemon.OpMonitorDaemonMain' + } + mergeServiceFiles() } task testsJar(type: Jar, dependsOn: testClasses) { diff --git a/src/proxy/build.gradle b/src/proxy/build.gradle index 2dd4b0e9d6..d5281a2241 100644 --- a/src/proxy/build.gradle +++ b/src/proxy/build.gradle @@ -49,10 +49,11 @@ jar { } shadowJar { - archiveClassifier = '' - append('reference.conf') - exclude('**/module-info.class') - from rootProject.file("LICENSE.txt") + archiveClassifier = '' + append('reference.conf') + exclude('**/module-info.class') + from rootProject.file("LICENSE.txt") + mergeServiceFiles() } testJar.enabled = true diff --git a/src/signer-console/build.gradle b/src/signer-console/build.gradle index 6319c4a609..d962751b04 100644 --- a/src/signer-console/build.gradle +++ b/src/signer-console/build.gradle @@ -21,11 +21,12 @@ jar { } shadowJar { - archiveClassifier = '' - exclude('**/module-info.class') - exclude 'asg/cliche/example/**' - append('reference.conf') - from rootProject.file("LICENSE.txt") + archiveClassifier = '' + exclude('**/module-info.class') + exclude 'asg/cliche/example/**' + append('reference.conf') + from rootProject.file("LICENSE.txt") + mergeServiceFiles() } jar.enabled = false diff --git a/src/signer/build.gradle b/src/signer/build.gradle index 061cd6abce..7e6a0223dd 100644 --- a/src/signer/build.gradle +++ b/src/signer/build.gradle 
@@ -60,9 +60,10 @@ bootJar { } shadowJar { - archiveClassifier = '' - exclude('**/module-info.class') - from rootProject.file("LICENSE.txt") + archiveClassifier = '' + exclude('**/module-info.class') + from rootProject.file("LICENSE.txt") + mergeServiceFiles() } jar.finalizedBy shadowJar From 4194b40f4c5eb6b6a0a3b8ef5c36bd10d1746b38 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ri=C4=8Dardas?= Date: Thu, 28 Sep 2023 16:41:13 +0300 Subject: [PATCH 095/127] feat: op-monitor akka removal (#1803) * chore: migrate op-monitor from akka to native java Refs: XRDDEV-2487 * chore: limit spring bom to required modules Refs: XRDDEV-2487 * chore: remove unused akka references Refs: XRDDEV-2498 * chore: improve OpMonitoringBuffer Refs: XRDDEV-2487 --- src/addons/op-monitoring/build.gradle | 15 ++- .../opmonitoring/OpMonitoringBuffer.java | 93 ++++++++++++------- .../OpMonitoringDaemonSender.java | 57 +++++++----- .../opmonitoring/OpMonitoringBufferTest.java | 19 +--- .../config/SignerIpAddressConfiguration.java | 56 ----------- .../core/facade/SignerProxyFacadeImpl.java | 22 +---- .../resources/application-override.yml | 2 +- .../AbstractOpMonitoringBuffer.java | 50 ++-------- .../ee/ria/xroad/commonui/UIServices.java | 79 ---------------- .../xroad/common/util/MessageSendingJob.java | 14 --- src/monitor/build.gradle | 7 +- src/op-monitor-daemon/build.gradle | 1 - .../opmonitordaemon/OpMonitorDaemonMain.java | 36 +++---- .../OperationalDataRecordCleaner.java | 75 +++++++-------- .../src/main/resources/application.conf | 17 ---- .../java/ee/ria/xroad/proxy/ProxyMain.java | 15 +-- .../opmonitoring/NullOpMonitoringBuffer.java | 19 ++-- .../proxy/opmonitoring/OpMonitoring.java | 42 ++++----- .../proxy/AbstractProxyIntegrationTest.java | 4 +- .../xroad/proxy/testsuite/ProxyTestSuite.java | 3 +- .../config/SignerIpAddressConfiguration.java | 55 ----------- .../restapi/config/StartStopListener.java | 93 ------------------- src/signer/build.gradle | 8 +- 23 files changed, 195 insertions(+), 587 deletions(-) delete mode 100644 src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/config/SignerIpAddressConfiguration.java delete mode 100644 src/common/common-ui/src/main/java/ee/ria/xroad/commonui/UIServices.java delete mode 100644 src/op-monitor-daemon/src/main/resources/application.conf delete mode 100644 
src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/config/SignerIpAddressConfiguration.java delete mode 100644 src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/config/StartStopListener.java diff --git a/src/addons/op-monitoring/build.gradle b/src/addons/op-monitoring/build.gradle index 95d2c6929d..075c2e834a 100644 --- a/src/addons/op-monitoring/build.gradle +++ b/src/addons/op-monitoring/build.gradle @@ -1,15 +1,14 @@ dependencies { - implementation project(':common:common-op-monitoring') + implementation project(':common:common-op-monitoring') - implementation project(':proxy') - implementation project(':common:common-util') - implementation project(':serverconf') + implementation project(':proxy') + implementation project(':common:common-util') + implementation project(':serverconf') - testImplementation "com.typesafe.akka:akka-testkit_$akkaVersion" - testImplementation 'commons-cli:commons-cli:1.4' + testImplementation 'commons-cli:commons-cli:1.4' } task runOpMonitoringBufferMemoryUsage(type: JavaExec) { - mainClass = 'ee.ria.xroad.proxy.opmonitoring.OpMonitoringBufferMemoryUsage' - classpath = sourceSets.test.runtimeClasspath + mainClass = 'ee.ria.xroad.proxy.opmonitoring.OpMonitoringBufferMemoryUsage' + classpath = sourceSets.test.runtimeClasspath } diff --git a/src/addons/op-monitoring/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringBuffer.java b/src/addons/op-monitoring/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringBuffer.java index 88004b0eb2..c236e61490 100644 --- a/src/addons/op-monitoring/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringBuffer.java +++ b/src/addons/op-monitoring/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringBuffer.java 
@@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -34,22 +34,21 @@ import ee.ria.xroad.common.util.JsonUtils; import ee.ria.xroad.common.util.TimeUtils; -import akka.actor.ActorRef; -import akka.actor.Cancellable; -import akka.actor.Props; import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectWriter; import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; import org.apache.commons.io.IOUtils; import org.apache.http.impl.client.CloseableHttpClient; -import scala.concurrent.duration.FiniteDuration; import java.net.NetworkInterface; import java.util.HashSet; import java.util.LinkedHashMap; import java.util.Map; import java.util.Set; +import java.util.concurrent.ExecutorService; +import java.util.concurrent.Executors; +import java.util.concurrent.ScheduledExecutorService; import java.util.concurrent.TimeUnit; import static java.net.NetworkInterface.getNetworkInterfaces; @@ -62,8 +61,6 @@ */ @Slf4j public class OpMonitoringBuffer extends AbstractOpMonitoringBuffer { - public static final String OP_MONITORING_DAEMON_SENDER = "OpMonitoringDaemonSender"; - private static final String NO_ADDRESS_FOUND = "No suitable IP address is bound to the network interface "; private static final String NO_INTERFACE_FOUND = "No non-loopback network interface found"; @@ -82,10 +79,11 @@ public class OpMonitoringBuffer extends AbstractOpMonitoringBuffer { private static final ObjectWriter OBJECT_WRITER = JsonUtils.getObjectWriter(); - private Cancellable tick; + private final ExecutorService executorService; + private final ScheduledExecutorService taskScheduler; final Map buffer = - new LinkedHashMap() { + new LinkedHashMap<>() { @Override protected boolean removeEldestEntry(Map.Entry eldest) { boolean overflow = size() > MAX_BUFFER_SIZE; 
@@ -104,7 +102,7 @@ protected boolean removeEldestEntry(Map.Entry eldest) { private final CloseableHttpClient httpClient; - private final ActorRef sender; + private final OpMonitoringDaemonSender sender; private static String ipAddress; @@ -114,14 +112,20 @@ protected boolean removeEldestEntry(Map.Entry eldest) { * @throws Exception if an error occurs */ public OpMonitoringBuffer() throws Exception { + if (ignoreOpMonitoringData()) { log.info("Operational monitoring buffer is switched off, no operational monitoring data is stored"); httpClient = null; sender = null; + executorService = null; + taskScheduler = null; } else { httpClient = createHttpClient(); sender = createSender(); + + executorService = Executors.newSingleThreadExecutor(); + taskScheduler = Executors.newSingleThreadScheduledExecutor(); } } 
@@ -130,33 +134,51 @@ CloseableHttpClient createHttpClient() throws Exception { CLIENT_CONNECTION_TIMEOUT_MILLISECONDS, CLIENT_SOCKET_TIMEOUT_MILLISECONDS); } - ActorRef createSender() { - return getContext().system().actorOf(Props.create(OpMonitoringDaemonSender.class, httpClient), - OP_MONITORING_DAEMON_SENDER); + OpMonitoringDaemonSender createSender() { + return new OpMonitoringDaemonSender(this, httpClient); } @Override - protected void store(OpMonitoringData data) throws Exception { + public void store(final OpMonitoringData data) throws Exception { if (ignoreOpMonitoringData()) { return; } - data.setSecurityServerInternalIp(getIpAddress()); + executorService.execute(() -> { + try { + if (ignoreOpMonitoringData()) { + return; + } + + data.setSecurityServerInternalIp(getIpAddress()); - buffer.put(getNextBufferIndex(), data); + buffer.put(getNextBufferIndex(), data); - send(); + sendInternal(); + } catch (Exception e) { + log.error("Failed to process OpMonitoringData..", e); + } + }); } - @Override - protected void send() throws Exception { + private void send() { + executorService.execute(() -> { + try { + this.sendInternal(); + } catch (Exception e) { + log.error("Failed to send message", e); + } + }); + } + + private void sendInternal() throws Exception { if (!canSend()) { return; } String json = prepareMonitoringMessage(); - sender.tell(json, getSelf()); + sender.sendMessage(json); } private boolean canSend() { @@ -180,8 +202,7 @@ private String prepareMonitoringMessage() throws JsonProcessingException { return OBJECT_WRITER.writeValueAsString(request); } - @Override - protected void sendingSuccess() throws Exception { + void sendingSuccess() { processedBufferIndices.forEach(buffer::remove); processedBufferIndices.clear(); 
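Review bot: `store()` now submits through `executorService.execute(...)`, so once `stop()` has called `executorService.shutdown()` a late record makes `execute` throw `RejectedExecutionException` on the caller's thread. The try/catch inside the lambda does not cover this, because it only wraps the task body. Catching the rejection around the submit and logging it, e.g. `catch (RejectedExecutionException e) { log.debug("Buffer stopped, dropping record"); }`, keeps shutdown from turning into an error on the thread that called `store()`. The private `send()` has the same shape and would benefit from the same guard.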
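Review bot: `sendingSuccess()` (and `sendingFailure()` in the next hunk) are now plain methods that `OpMonitoringDaemonSender` calls from its own executor thread, while `store()` and `sendInternal()` touch the same `buffer` and `processedBufferIndices` on this class's `executorService` thread. Under Akka both ran on the actor's mailbox; here `processedBufferIndices.forEach(buffer::remove)` can overlap with `buffer.put(...)` on a `LinkedHashMap` that is not thread-safe. Routing the callbacks back onto the buffer's executor keeps all state on one thread, for example `void sendingFailure() { executorService.execute(processedBufferIndices::clear); }`, with the body of `sendingSuccess()` wrapped the same way. The rest of `sendingSuccess()` lies outside this hunk, so check that whatever it calls after `clear()` also stays on that thread.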
@@ -190,10 +211,8 @@ protected void sendingSuccess() throws Exception { } } - @Override - protected void sendingFailure() throws Exception { + void sendingFailure() { processedBufferIndices.clear(); - // Do not worry, scheduled sending retries.. } @@ -204,14 +223,11 @@ long getNextBufferIndex() { } private void scheduleSendMonitoringData() { - FiniteDuration interval = FiniteDuration.create(SENDING_INTERVAL_SECONDS, TimeUnit.SECONDS); - - tick = getContext().system().scheduler().schedule(interval, interval, getSelf(), SEND_MONITORING_DATA, - getContext().dispatcher(), ActorRef.noSender()); + taskScheduler.scheduleWithFixedDelay(this::send, SENDING_INTERVAL_SECONDS, SENDING_INTERVAL_SECONDS, TimeUnit.SECONDS); } @Override - public void preStart() throws Exception { + public void start() { if (ignoreOpMonitoringData()) { return; } @@ -220,14 +236,20 @@ public void preStart() throws Exception { } @Override - public void postStop() throws Exception { - if (tick != null) { - tick.cancel(); - } - + public void stop() { if (httpClient != null) { IOUtils.closeQuietly(httpClient); } + if (executorService != null) { + executorService.shutdown(); + } + if (taskScheduler != null) { + taskScheduler.shutdown(); + } + + if (sender != null) { + sender.stop(); + } } private boolean ignoreOpMonitoringData() { @@ -267,4 +289,5 @@ private static String getIpAddress() { private static boolean isNonLoopback(NetworkInterface ni) { return !ni.isLoopback() && ni.isUp(); } + } diff --git a/src/addons/op-monitoring/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringDaemonSender.java b/src/addons/op-monitoring/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringDaemonSender.java index d869d8f3d3..5fdd2d28ee 100644 --- a/src/addons/op-monitoring/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringDaemonSender.java +++ b/src/addons/op-monitoring/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringDaemonSender.java 
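Review bot: In the `stop()` hunk the HTTP client is closed first and the two executors and the sender are shut down afterwards, so a send that is queued or in flight can still run against a closed `httpClient`. Reversing the order avoids that: `taskScheduler.shutdown()`, then `executorService.shutdown()`, then `sender.stop()`, and `IOUtils.closeQuietly(httpClient)` last. `shutdown()` does not wait for queued tasks, so a bounded `awaitTermination` before closing the client would be needed if buffered records are meant to be flushed on exit. A one-line comment on `stop()` stating whether unsent records are intentionally dropped would make that choice explicit.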
@@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -25,7 +25,6 @@ */ package ee.ria.xroad.proxy.opmonitoring; -import ee.ria.xroad.common.opmonitoring.AbstractOpMonitoringBuffer; import ee.ria.xroad.common.opmonitoring.OpMonitoringDaemonEndpoints; import ee.ria.xroad.common.opmonitoring.OpMonitoringSystemProperties; import ee.ria.xroad.common.opmonitoring.StoreOpMonitoringDataResponse; @@ -33,10 +32,9 @@ import ee.ria.xroad.common.util.JsonUtils; import ee.ria.xroad.common.util.MimeTypes; import ee.ria.xroad.common.util.MimeUtils; +import ee.ria.xroad.common.util.StartStop; import ee.ria.xroad.common.util.TimeUtils; -import akka.actor.ActorRef; -import akka.actor.UntypedAbstractActor; import com.fasterxml.jackson.databind.ObjectReader; import lombok.extern.slf4j.Slf4j; import org.apache.commons.io.IOUtils; @@ -45,6 +43,8 @@ import java.net.URI; import java.net.URISyntaxException; +import java.util.concurrent.ExecutorService; +import java.util.concurrent.Executors; import static ee.ria.xroad.common.opmonitoring.StoreOpMonitoringDataResponse.STATUS_ERROR; import static ee.ria.xroad.common.opmonitoring.StoreOpMonitoringDataResponse.STATUS_OK; @@ -54,7 +54,7 @@ * OpMonitoringBuffer class for periodically forwarding operational data gathered in the buffer. */ @Slf4j -public class OpMonitoringDaemonSender extends UntypedAbstractActor { +public class OpMonitoringDaemonSender implements StartStop { private static final ObjectReader OBJECT_READER = JsonUtils.getObjectReader(); 
@@ -64,39 +64,31 @@ public class OpMonitoringDaemonSender extends UntypedAbstractActor { private static final int SOCKET_TIMEOUT_MILLISECONDS = TimeUtils.secondsToMillis( OpMonitoringSystemProperties.getOpMonitorBufferSocketTimeoutSeconds()); - private CloseableHttpClient httpClient; + private final OpMonitoringBuffer opMonitoringBuffer; + private final CloseableHttpClient httpClient; + private final ExecutorService executorService = Executors.newSingleThreadExecutor(); + - OpMonitoringDaemonSender(CloseableHttpClient httpClient) { + OpMonitoringDaemonSender(OpMonitoringBuffer opMonitoringBuffer, CloseableHttpClient httpClient) { this.httpClient = httpClient; + this.opMonitoringBuffer = opMonitoringBuffer; } - @Override - public void onReceive(Object message) throws Exception { - if (message instanceof String) { - String json = (String) message; - - log.trace("onReceive: {}", json); + void sendMessage(String json) { + log.trace("onReceive: {}", json); + executorService.execute(() -> { try { send(json); - success(); + opMonitoringBuffer.sendingSuccess(); } catch (Exception e) { log.error("Sending operational monitoring data failed", e); - failure(); + opMonitoringBuffer.sendingFailure(); } - } else { - unhandled(message); - } + }); } - private void success() { - getSender().tell(AbstractOpMonitoringBuffer.SENDING_SUCCESS, ActorRef.noSender()); - } - - private void failure() { - getSender().tell(AbstractOpMonitoringBuffer.SENDING_FAILURE, ActorRef.noSender()); - } private void send(String json) throws Exception { try (HttpSender sender = new HttpSender(httpClient)) { @@ -134,4 +126,19 @@ private URI getAddress() throws URISyntaxException { OpMonitoringSystemProperties.getOpMonitorHost(), OpMonitoringSystemProperties.getOpMonitorPort(), OpMonitoringDaemonEndpoints.STORE_DATA_PATH, null, null); } + + @Override + public void start() { + //No-OP + } + + @Override + public void stop() { + executorService.shutdown(); + } + + @Override + public void join() { + //NO-OP + } } 
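Review bot: The trace line in `sendMessage` still says `onReceive`, a name that no longer exists in this class, and it writes the whole JSON batch to the log. Renaming it to match the method, `log.trace("sendMessage: {}", json);`, keeps log searches meaningful. If the payload is not needed for debugging, logging its size only avoids copying operational records into trace logs. The new class has no Javadoc on its threading model; a sentence on the class saying that sends run on a private single-thread executor and report back through `OpMonitoringBuffer.sendingSuccess()` and `sendingFailure()` would tell the next maintainer which thread those callbacks arrive on. The empty `start()` and `join()` could say why they are no-ops rather than just `//No-OP`.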
diff --git a/src/addons/op-monitoring/src/test/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringBufferTest.java b/src/addons/op-monitoring/src/test/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringBufferTest.java index c5041aca4f..3bc60a6948 100644 --- a/src/addons/op-monitoring/src/test/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringBufferTest.java +++ b/src/addons/op-monitoring/src/test/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringBufferTest.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -27,10 +27,6 @@ import ee.ria.xroad.common.opmonitoring.OpMonitoringData; -import akka.actor.ActorRef; -import akka.actor.ActorSystem; -import akka.actor.Props; -import akka.testkit.TestActorRef; import org.apache.http.impl.client.CloseableHttpClient; import org.junit.Test; @@ -40,7 +36,6 @@ * Tests operational monitoring buffer. */ public class OpMonitoringBufferTest { - private static final ActorSystem ACTOR_SYSTEM = ActorSystem.create(); private static class TestOpMonitoringBuffer extends OpMonitoringBuffer { TestOpMonitoringBuffer() throws Exception { @@ -53,12 +48,12 @@ CloseableHttpClient createHttpClient() throws Exception { } @Override - ActorRef createSender() { + OpMonitoringDaemonSender createSender() { return null; } @Override - protected void store(OpMonitoringData data) throws Exception { + public synchronized void store(OpMonitoringData data) throws Exception { buffer.put(getNextBufferIndex(), data); } } 
@@ -67,13 +62,7 @@ protected void store(OpMonitoringData data) throws Exception { public void bufferOverflow() throws Exception { System.setProperty("xroad.op-monitor-buffer.size", "2"); - final Props props = Props.create(TestOpMonitoringBuffer.class); - final TestActorRef testActorRef = - TestActorRef.create(ACTOR_SYSTEM, props, "testActorRef"); - - TestOpMonitoringBuffer opMonitoringBuffer = - testActorRef.underlyingActor(); - + final TestOpMonitoringBuffer opMonitoringBuffer = new TestOpMonitoringBuffer(); OpMonitoringData opMonitoringData = new OpMonitoringData( OpMonitoringData.SecurityServerType.CLIENT, 100); diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/config/SignerIpAddressConfiguration.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/config/SignerIpAddressConfiguration.java deleted file mode 100644 index 27a5614a8d..0000000000 --- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/config/SignerIpAddressConfiguration.java +++ /dev/null @@ -1,56 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

- * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - *

- * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - *

- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package org.niis.xroad.cs.admin.core.config; - -import org.springframework.beans.factory.annotation.Value; -import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.Configuration; -import org.springframework.context.annotation.Profile; - -/** - * Enable customization of signer IP address when development profile is active. - * Otherwise use 127.0.0.1 - */ -@Configuration -public class SignerIpAddressConfiguration { - - @Value("${custom.signer.ip:127.0.0.1}") - private String customIp; - - @SuppressWarnings("SameReturnValue") - @Bean(name = "signer-ip") - @Profile("!development") - public String defaultBean() { - return "127.0.0.1"; - } - - @Bean(name = "signer-ip") - @Profile("development") - public String customBean() { - return customIp; - } - -} diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java index f361cd4d44..868dc892a4 100644 --- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java +++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java 
@@ -25,7 +25,6 @@ */ package org.niis.xroad.cs.admin.core.facade; -import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.signer.SignerProxy; import ee.ria.xroad.signer.protocol.RpcSignerClient; @@ -33,17 +32,12 @@ import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; -import akka.actor.ActorSystem; -import com.typesafe.config.Config; -import com.typesafe.config.ConfigFactory; import lombok.extern.slf4j.Slf4j; import org.niis.xroad.cs.admin.api.facade.SignerProxyFacade; -import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.context.annotation.Profile; import org.springframework.stereotype.Component; import javax.annotation.PostConstruct; -import javax.annotation.PreDestroy; import java.security.PublicKey; import java.util.Date; @@ -59,26 +53,12 @@ @Profile("!int-test") public class SignerProxyFacadeImpl implements SignerProxyFacade { - private final String signerIp; - private ActorSystem actorSystem; - - public SignerProxyFacadeImpl(@Qualifier("signer-ip") String signerIp) { - this.signerIp = signerIp; - } - @PostConstruct void init() throws Exception { - Config config = ConfigFactory.load().getConfig("admin-service").withFallback(ConfigFactory.load()); - actorSystem = ActorSystem.create("SignerService", config); - RpcSignerClient.init(signerIp, SystemProperties.getGrpcSignerPort(), SystemProperties.getSignerClientTimeout()); + RpcSignerClient.init(); log.info("SignerService actorSystem initialized with admin-service config"); } - @PreDestroy - void cleanUp() { - actorSystem.terminate(); - } - /** * {@link SignerProxy#initSoftwareToken(char[])} */ diff --git a/src/central-server/management-service/int-test/src/intTest/resources/application-override.yml b/src/central-server/management-service/int-test/src/intTest/resources/application-override.yml index 18172dc8d5..a0fe625aef 100755 
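Review bot: In `init()` the log line `"SignerService actorSystem initialized with admin-service config"` is left unchanged although the actor system it describes is removed in this hunk. Something like `log.info("Signer RPC client initialized");` matches what the method now does. The call also changed from passing `signerIp`, the gRPC port and the client timeout explicitly to a bare `RpcSignerClient.init()`, and the non-development default of `127.0.0.1` lived in the deleted `SignerIpAddressConfiguration`. A short comment here on where the signer address and timeout now come from would help, since this hunk does not show whether the loopback default is preserved.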
--- a/src/central-server/management-service/int-test/src/intTest/resources/application-override.yml +++ b/src/central-server/management-service/int-test/src/intTest/resources/application-override.yml @@ -19,7 +19,7 @@ test-automation: tags: "not @Skip" containers: testable-container: - reuse-between-runs: true + reuse-between-runs: false spring-boot: jar-debug-enabled: true debug-port: 9000 diff --git a/src/common/common-op-monitoring/src/main/java/ee/ria/xroad/common/opmonitoring/AbstractOpMonitoringBuffer.java b/src/common/common-op-monitoring/src/main/java/ee/ria/xroad/common/opmonitoring/AbstractOpMonitoringBuffer.java index b35f8dfe35..7e4a9a9881 100644 --- a/src/common/common-op-monitoring/src/main/java/ee/ria/xroad/common/opmonitoring/AbstractOpMonitoringBuffer.java +++ b/src/common/common-op-monitoring/src/main/java/ee/ria/xroad/common/opmonitoring/AbstractOpMonitoringBuffer.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), 
@@ -25,56 +25,20 @@ */ package ee.ria.xroad.common.opmonitoring; -import akka.actor.UntypedAbstractActor; +import ee.ria.xroad.common.util.StartStop; + import lombok.extern.slf4j.Slf4j; /** * Abstract operational monitoring buffer. */ @Slf4j -public abstract class AbstractOpMonitoringBuffer extends UntypedAbstractActor { +public abstract class AbstractOpMonitoringBuffer implements StartStop { - public static final String SEND_MONITORING_DATA = "sendMonitoringData"; - public static final String SENDING_SUCCESS = "sendingSuccess"; - public static final String SENDING_FAILURE = "sendingFailure"; - - private static final String LOGGING_FORMAT = "onReceive: {}"; + public abstract void store(OpMonitoringData data) throws Exception; @Override - public void onReceive(Object message) throws Exception { - try { - if (message instanceof OpMonitoringData) { - OpMonitoringData data = (OpMonitoringData) message; - - log.trace(LOGGING_FORMAT, data); - - store(data); - } else if (message.equals(SEND_MONITORING_DATA)) { - log.trace(LOGGING_FORMAT, SEND_MONITORING_DATA); - - send(); - } else if (message.equals(SENDING_SUCCESS)) { - log.trace(LOGGING_FORMAT, SENDING_SUCCESS); - - sendingSuccess(); - } else if (message.equals(SENDING_FAILURE)) { - log.trace(LOGGING_FORMAT, SENDING_FAILURE); - - sendingFailure(); - } else { - unhandled(message); - } - } catch (Exception e) { - log.error("Operational monitoring buffer failed", e); - } + public void join() throws InterruptedException { + //No-OP } - - protected abstract void store(OpMonitoringData data) throws Exception; - - protected abstract void send() throws Exception; - - protected abstract void sendingSuccess() throws Exception; - - protected abstract void sendingFailure() throws Exception; - } diff --git a/src/common/common-ui/src/main/java/ee/ria/xroad/commonui/UIServices.java b/src/common/common-ui/src/main/java/ee/ria/xroad/commonui/UIServices.java deleted file mode 100644 index 83c6fc9ccd..0000000000 
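Review bot: `store(OpMonitoringData)` changes from a protected actor callback to the class's only public entry point, but it is added without Javadoc. Callers previously sent a message to the actor and were isolated from the implementation's thread; now they call `store` directly, so the contract needs stating. Say whether it may be called concurrently, whether it may block, and what the declared `throws Exception` means for the caller. Narrowing `throws Exception` to the exceptions implementations actually raise would also stop request-path callers from needing a catch-all. The empty `join()` could carry a comment that the buffer has no thread of its own to wait for, if that is the intent.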
--- a/src/common/common-ui/src/main/java/ee/ria/xroad/commonui/UIServices.java +++ /dev/null 
@@ -1,79 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.commonui; - -import akka.actor.ActorSystem; -import com.typesafe.config.Config; -import com.typesafe.config.ConfigFactory; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import scala.concurrent.Await; -import scala.concurrent.duration.Duration; - -/** - * Encapsulates actor system management in UI. 
- */ -public final class UIServices { - - private static final Logger LOG = LoggerFactory.getLogger(UIServices.class); - - private ActorSystem actorSystem; - - /** - * Creates the instance using the provided actor system name and - * configuration name. - * @param actorSystemName the actor system name - * @param configName the configuration name - */ - public UIServices(String actorSystemName, String configName) { - LOG.debug("Creating ActorSystem..."); - - Config config = ConfigFactory.load().getConfig(configName) - .withFallback(ConfigFactory.load()); - - LOG.debug("Akka using configuration: {}", config); - actorSystem = ActorSystem.create(actorSystemName, config); - } - - /** - * @return the actor system - */ - public ActorSystem getActorSystem() { - return actorSystem; - } - - /** - * Stops the actor system. - * @throws Exception if an error occurs - */ - public void stop() throws Exception { - LOG.info("stop()"); - - if (actorSystem != null) { - Await.ready(actorSystem.terminate(), Duration.Inf()); - } - } -} diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/MessageSendingJob.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/MessageSendingJob.java index 6d091f4061..1b2aa4d328 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/MessageSendingJob.java +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/MessageSendingJob.java 
@@ -42,20 +42,6 @@ public class MessageSendingJob implements Job { private static final String KEY_ACTOR = "actorSelection"; private static final String KEY_MESSAGE = "message"; - /** - * Create job data containing a selection of actors and a message. - * @param actor a selection of actors that should receive the message - * @param message message that needs to be sent to actors - * @return the created job data - */ - public static JobDataMap createJobData(ActorSelection actor, - Object message) { - JobDataMap data = new JobDataMap(); - data.put(KEY_ACTOR, actor); - data.put(KEY_MESSAGE, message); - return data; - } - @Override public void execute(JobExecutionContext context) throws JobExecutionException { diff --git a/src/monitor/build.gradle b/src/monitor/build.gradle index e03f44e4c3..9a5ed7440b 100644 --- a/src/monitor/build.gradle +++ b/src/monitor/build.gradle @@ -1,6 +1,4 @@ plugins { - id 'io.spring.dependency-management' - id 'org.springframework.boot' id 'com.github.johnrengelman.shadow' } @@ -15,6 +13,8 @@ jar { } dependencies { + implementation(platform("org.springframework.boot:spring-boot-dependencies:$springBootVersion")) + implementation project(':common:common-util') implementation project(':monitor-common') implementation project(':signer-protocol') @@ -30,9 +30,6 @@ dependencies { testImplementation "org.mockito:mockito-core:$mockitoVersion" } -bootJar.enabled = false -bootJarMainClassName.enabled = false - shadowJar { append('reference.conf') exclude('**/module-info.class') diff --git a/src/op-monitor-daemon/build.gradle b/src/op-monitor-daemon/build.gradle index a07ac8b0c1..4158cecfde 100644 --- a/src/op-monitor-daemon/build.gradle +++ b/src/op-monitor-daemon/build.gradle @@ -60,7 +60,6 @@ task xjc() { } shadowJar { - append('reference.conf') archiveClassifier = '' exclude('**/module-info.class') manifest { 
diff --git a/src/op-monitor-daemon/src/main/java/ee/ria/xroad/opmonitordaemon/OpMonitorDaemonMain.java b/src/op-monitor-daemon/src/main/java/ee/ria/xroad/opmonitordaemon/OpMonitorDaemonMain.java index 2fdd6ed0bf..9d727b600a 100644 --- a/src/op-monitor-daemon/src/main/java/ee/ria/xroad/opmonitordaemon/OpMonitorDaemonMain.java +++ b/src/op-monitor-daemon/src/main/java/ee/ria/xroad/opmonitordaemon/OpMonitorDaemonMain.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -35,11 +35,9 @@ import ee.ria.xroad.common.util.JobManager; import ee.ria.xroad.common.util.StartStop; -import akka.actor.ActorSystem; -import com.typesafe.config.ConfigFactory; +import lombok.AccessLevel; +import lombok.NoArgsConstructor; import lombok.extern.slf4j.Slf4j; -import scala.concurrent.Await; -import scala.concurrent.duration.Duration; import java.util.ArrayList; import java.util.List; @@ -52,30 +50,25 @@ * and providing monitoring data. */ @Slf4j +@NoArgsConstructor(access = AccessLevel.PRIVATE) public final class OpMonitorDaemonMain { - - public static final String OP_MONITOR_DAEMON_NAME = "OpMonitorDaemon"; private static final String APP_NAME = "xroad-opmonitor"; static { SystemPropertiesLoader.create().withCommonAndLocal() - .with(CONF_FILE_OP_MONITOR, "op-monitor") - .load(); + .with(CONF_FILE_OP_MONITOR, "op-monitor") + .load(); } - private static ActorSystem actorSystem; - private static final List SERVICES = new ArrayList<>(); - private OpMonitorDaemonMain() { - } - /** * Main entry point of the daemon. + * * @param args command-line arguments * @throws Exception in case of any errors */ - public static void main(String args[]) throws Exception { + public static void main(String[] args) throws Exception { try { startup(); loadConfigurations(); 
@@ -92,10 +85,6 @@ public static void main(String args[]) throws Exception { private static void startup() { log.info("Starting the operational monitoring daemon"); Version.outputVersionInfo(APP_NAME); - - actorSystem = ActorSystem.create(OP_MONITOR_DAEMON_NAME, - ConfigFactory.load().getConfig("opmonitordaemon") - .withFallback(ConfigFactory.load())); } private static void loadConfigurations() { @@ -113,7 +102,7 @@ private static void startServices() throws Exception { createServices(); - for (StartStop service: SERVICES) { + for (StartStop service : SERVICES) { String name = service.getClass().getSimpleName(); try { @@ -128,7 +117,7 @@ private static void startServices() throws Exception { } } - for (StartStop service: SERVICES) { + for (StartStop service : SERVICES) { service.join(); } } @@ -136,7 +125,7 @@ private static void startServices() throws Exception { private static void createServices() throws Exception { JobManager jobManager = new JobManager(); - OperationalDataRecordCleaner.init(jobManager, actorSystem); + OperationalDataRecordCleaner.init(jobManager); SERVICES.add(jobManager); SERVICES.add(new OpMonitorDaemon()); @@ -164,7 +153,7 @@ private static AdminPort createAdminPort() throws Exception { } private static void stopServices() throws Exception { - for (StartStop service: SERVICES) { + for (StartStop service : SERVICES) { log.debug("Stopping " + service.getClass().getSimpleName()); service.stop(); @@ -175,7 +164,6 @@ private static void stopServices() throws Exception { private static void shutdown() throws Exception { log.info("Shutting down the operational monitoring daemon"); stopServices(); - Await.ready(actorSystem.terminate(), Duration.Inf()); } } diff --git a/src/op-monitor-daemon/src/main/java/ee/ria/xroad/opmonitordaemon/OperationalDataRecordCleaner.java b/src/op-monitor-daemon/src/main/java/ee/ria/xroad/opmonitordaemon/OperationalDataRecordCleaner.java index 6174b42eb8..f1971d6c96 100644 
--- a/src/op-monitor-daemon/src/main/java/ee/ria/xroad/opmonitordaemon/OperationalDataRecordCleaner.java +++ b/src/op-monitor-daemon/src/main/java/ee/ria/xroad/opmonitordaemon/OperationalDataRecordCleaner.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -27,14 +27,14 @@ import ee.ria.xroad.common.opmonitoring.OpMonitoringSystemProperties; import ee.ria.xroad.common.util.JobManager; -import ee.ria.xroad.common.util.MessageSendingJob; -import akka.actor.ActorSelection; -import akka.actor.ActorSystem; -import akka.actor.Props; -import akka.actor.UntypedAbstractActor; +import lombok.AccessLevel; +import lombok.NoArgsConstructor; import lombok.extern.slf4j.Slf4j; +import org.quartz.DisallowConcurrentExecution; +import org.quartz.Job; import org.quartz.JobDataMap; +import org.quartz.JobExecutionContext; import org.quartz.SchedulerException; import java.time.Instant; 
@@ -47,41 +47,26 @@ * Deletes outdated operational data records from the database. */ @Slf4j -final class OperationalDataRecordCleaner extends UntypedAbstractActor { - - public static final String START_CLEANING = "doClean"; - - private static final String OPERATIONAL_DATA_RECORD_CLEANER = - OperationalDataRecordCleaner.class.getSimpleName(); +@NoArgsConstructor(access = AccessLevel.PRIVATE) +final class OperationalDataRecordCleaner { /** * Initializes the operational data recorder cleaner creating an operational - * data records cleaner actor in the given actor system and scheduling a + * data records cleaner job and scheduling a * periodic cleanup with the provided job manager. - * @param jobManager the job manager - * @param actorSystem the actor system + * + * @param jobManager the job manager */ - public static void init(JobManager jobManager, ActorSystem actorSystem) { - actorSystem.actorOf(Props.create(OperationalDataRecordCleaner.class), - OPERATIONAL_DATA_RECORD_CLEANER); - - registerCronJob(jobManager, actorSystem, START_CLEANING, - OpMonitoringSystemProperties.getOpMonitorCleanInterval()); + public static void init(JobManager jobManager) { + registerCronJob(jobManager, OpMonitoringSystemProperties.getOpMonitorCleanInterval()); } - @Override - public void onReceive(Object message) throws Exception { - log.trace("onReceive({})", message); - - if (message.equals(START_CLEANING)) { - try { - handleCleanup(); - } catch (Exception e) { - log.error("Failed to clean outdated operational data records" - + " from the database", e); - } - } else { - unhandled(message); + public static void doClean() { + try { + handleCleanup(); + } catch (Exception e) { + log.error("Failed to clean outdated operational data records" + + " from the database", e); } } 
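Review bot: The new `doClean()` in OperationalDataRecordCleaner is public but undocumented, and it catches every `Exception` from `handleCleanup()` and only logs it. The Quartz job added later in this file calls it, so that job can never report a failed cleanup run to the scheduler; that may be intended, but it should be stated. I would add `/** Runs one cleanup pass; failures are logged and not propagated to the caller. */` above the method. If nothing outside the package calls it, the method could also drop `public`, since the enclosing class is package-private.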
@@ -112,19 +97,23 @@ static int cleanRecords(Instant before) throws Exception { }); } - private static void registerCronJob(JobManager jobManager, - ActorSystem actorSystem, Object message, String cronExpression) { - ActorSelection actor = actorSystem.actorSelection( - "/user/" + OPERATIONAL_DATA_RECORD_CLEANER); - - JobDataMap jobData = MessageSendingJob.createJobData(actor, message); + private static void registerCronJob(JobManager jobManager, String cronExpression) { try { - jobManager.registerJob(MessageSendingJob.class, - OPERATIONAL_DATA_RECORD_CLEANER + "Job", cronExpression, - jobData); + jobManager.registerJob(OperationalDataRecordCleanerJob.class, + OperationalDataRecordCleanerJob.class.getSimpleName(), cronExpression, + new JobDataMap()); } catch (SchedulerException e) { log.error("Unable to schedule job", e); } } + + @DisallowConcurrentExecution + public static class OperationalDataRecordCleanerJob implements Job { + + @Override + public void execute(JobExecutionContext context) { + OperationalDataRecordCleaner.doClean(); + } + } } diff --git a/src/op-monitor-daemon/src/main/resources/application.conf b/src/op-monitor-daemon/src/main/resources/application.conf deleted file mode 100644 index 85415f0116..0000000000 --- a/src/op-monitor-daemon/src/main/resources/application.conf +++ /dev/null @@ -1,17 +0,0 @@ -opmonitordaemon { - include "akka-global.conf" - akka { - actor { - provider = remote - } - - remote { - artery { - canonical { - hostname = "127.0.0.1" - port = 0 // automatic - } - } - } - } -} diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java index 8d62fff37a..e35ec5119e 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java 
@@ -67,6 +67,8 @@ import com.typesafe.config.ConfigFactory; import com.typesafe.config.ConfigValueFactory; import io.grpc.BindableService; +import lombok.AccessLevel; +import lombok.NoArgsConstructor; import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; import org.niis.xroad.common.rpc.server.RpcServer; @@ -98,6 +100,7 @@ * Main program for the proxy server. */ @Slf4j +@NoArgsConstructor(access = AccessLevel.PRIVATE) public final class ProxyMain { private static final String APP_NAME = "xroad-proxy"; @@ -123,7 +126,7 @@ public final class ProxyMain { private static ActorSystem actorSystem; - private static ServiceLoader addOns = ServiceLoader.load(AddOn.class); + private static final ServiceLoader ADDONS = ServiceLoader.load(AddOn.class); private static final int STATS_LOG_REPEAT_INTERVAL = 60; @@ -135,16 +138,13 @@ public final class ProxyMain { private static MessageLogEncryptionStatusDiagnostics messageLogEncryptionStatusDiagnostics; - private ProxyMain() { - } - /** * Main program entry point. * * @param args command-line arguments * @throws Exception in case of any errors */ - public static void main(String args[]) throws Exception { + public static void main(String[] args) throws Exception { try { startup(); loadConfigurations(); @@ -199,6 +199,7 @@ private static void startup() throws Exception { private static void shutdown() throws Exception { log.trace("shutdown()"); + OpMonitoring.shutdown(); stopServices(); Await.ready(actorSystem.terminate(), Duration.Inf()); 
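Review bot: In `ProxyMain.shutdown()` the added `OpMonitoring.shutdown();` runs first and unguarded, so any exception from it skips `stopServices()` and the actor-system termination that follow. Stopping the buffer before the services also means requests still in flight may call `OpMonitoring.store()` on a stopped buffer; whether that drops records depends on the buffer implementation, which is not shown here. I would stop the services first and use `try { stopServices(); } finally { OpMonitoring.shutdown(); }`. The `finally` block in ProxyTestSuite has the same shape, where a throw would skip `jobManager.stop()`. The body of `shutdown()` continues outside the hunk.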
@@ -214,10 +215,10 @@ private static void createServices() throws Exception { RpcSignerClient.init(); BatchSigner.init(); boolean messageLogEnabled = MessageLog.init(actorSystem, jobManager); - OpMonitoring.init(actorSystem); + OpMonitoring.init(); AddOn.BindableServiceRegistry bindableServiceRegistry = new AddOn.BindableServiceRegistry(); - for (AddOn addOn : addOns) { + for (AddOn addOn : ADDONS) { addOn.init(bindableServiceRegistry); } rpcServer = createRpcServer(bindableServiceRegistry.getRegisteredServices()); diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/opmonitoring/NullOpMonitoringBuffer.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/opmonitoring/NullOpMonitoringBuffer.java index 8fe4c09912..71029a6833 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/opmonitoring/NullOpMonitoringBuffer.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/opmonitoring/NullOpMonitoringBuffer.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -35,22 +35,17 @@ class NullOpMonitoringBuffer extends AbstractOpMonitoringBuffer { @Override - protected void store(OpMonitoringData data) throws Exception { - // do nothing - } - - @Override - protected void send() throws Exception { - // do nothing + public void store(OpMonitoringData data) throws Exception { + //No-OP } @Override - protected void sendingSuccess() throws Exception { - // do nothing + public void start() throws Exception { + //No-OP } @Override - protected void sendingFailure() throws Exception { - // do nothing + public void stop() throws Exception { + //No-OP } } diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoring.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoring.java index a5628bcc29..b19fa0aea5 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoring.java 
+++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoring.java @@ -1,4 +1,4 @@ -/** +/* * The MIT License * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) * Copyright (c) 2018 Estonian Information System Authority (RIA), @@ -29,40 +29,37 @@ import ee.ria.xroad.common.opmonitoring.AbstractOpMonitoringBuffer; import ee.ria.xroad.common.opmonitoring.OpMonitoringData; -import akka.actor.ActorRef; -import akka.actor.ActorSystem; -import akka.actor.Props; +import lombok.AccessLevel; +import lombok.NoArgsConstructor; import lombok.extern.slf4j.Slf4j; /** * Contains method for storing operational monitoring data. */ @Slf4j +@NoArgsConstructor(access = AccessLevel.PRIVATE) public final class OpMonitoring { - public static final String OP_MONITORING_BUFFER = "OpMonitoringBuffer"; - - public static final String OP_MONITORING_BUFFER_IMPL_CLASS = + private static final String OP_MONITORING_BUFFER_IMPL_CLASS = SystemProperties.PREFIX + "proxy.opMonitoringBufferImpl"; - private static ActorRef opMonitoringBuffer; - - private OpMonitoring() { - } + private static AbstractOpMonitoringBuffer opMonitoringBuffer; /** * Initializes the operational monitoring using the provided actor system. - * @param actorSystem the actor system + * * @throws Exception if initialization fails */ - public static void init(ActorSystem actorSystem) throws Exception { - Class clazz = - getOpMonitoringManagerImpl(); + public static void init() throws Exception { + Class clazz = getOpMonitoringManagerImpl(); log.trace("Using implementation class: {}", clazz); + opMonitoringBuffer = clazz.getDeclaredConstructor().newInstance(); + opMonitoringBuffer.start(); + } - opMonitoringBuffer = actorSystem.actorOf(Props.create(clazz), - OP_MONITORING_BUFFER); + public static void shutdown() throws Exception { + opMonitoringBuffer.stop(); } /** 
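Review bot: `OpMonitoring.shutdown()` calls `opMonitoringBuffer.stop()` with no null check, so it throws a NullPointerException whenever `init()` was never called or failed before the assignment, which is the usual state on a failed startup. A guard such as `if (opMonitoringBuffer != null) { opMonitoringBuffer.stop(); }` keeps teardown paths safe. The Javadoc on `init()` still says "using the provided actor system" although the parameter is gone, and `shutdown()` has no Javadoc. I would reword the first to `Initializes operational monitoring by instantiating and starting the configured buffer implementation.` and add `Stops the operational monitoring buffer started by init().` to the second.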
@@ -72,15 +69,14 @@ public static void store(OpMonitoringData data) { log.trace("store()"); try { - tell(data); + opMonitoringBuffer.store(data); } catch (Throwable t) { log.error("Storing operational monitoring data failed", t); } } @SuppressWarnings("unchecked") - private static Class - getOpMonitoringManagerImpl() { + private static Class getOpMonitoringManagerImpl() { String opMonitoringBufferImplClassName = System.getProperty( OP_MONITORING_BUFFER_IMPL_CLASS, NullOpMonitoringBuffer.class.getName()); @@ -90,13 +86,9 @@ public static void store(OpMonitoringData data) { return (Class) clazz; } catch (ClassNotFoundException e) { - throw new RuntimeException( - "Unable to load operational monitoring buffer impl: " + throw new RuntimeException("Unable to load operational monitoring buffer impl: " + opMonitoringBufferImplClassName, e); } } - private static void tell(Object message) throws Exception { - opMonitoringBuffer.tell(message, ActorRef.noSender()); - } } diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/AbstractProxyIntegrationTest.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/AbstractProxyIntegrationTest.java index f9859ac42a..af3181884b 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/AbstractProxyIntegrationTest.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/AbstractProxyIntegrationTest.java @@ -135,7 +135,7 @@ public static void setup() throws Exception { .withValue("akka.remote.artery.canonical.port", ConfigValueFactory.fromAnyRef(getFreePort()))); MessageLog.init(actorSystem, jobManager); - OpMonitoring.init(actorSystem); + OpMonitoring.init(); AddOn.BindableServiceRegistry serviceRegistry = new AddOn.BindableServiceRegistry(); for (AddOn addon : ServiceLoader.load(AddOn.class)) { addon.init(serviceRegistry); @@ -163,6 +163,8 @@ public static void teardown() throws Exception { svc.stop(); svc.join(); } + + OpMonitoring.shutdown(); actorSystem.terminate(); RESERVED_PORTS.clear(); } 
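Review bot: In `getOpMonitoringManagerImpl()` of OpMonitoring.java the class named by the `OP_MONITORING_BUFFER_IMPL_CLASS` system property is returned through an unchecked cast, and `init()` now instantiates it directly with `getDeclaredConstructor().newInstance()`. A mistyped or unexpected class name therefore likely has its no-arg constructor run before the mismatch surfaces as a ClassCastException. Checking the type at load time, for example `Class.forName(opMonitoringBufferImplClassName).asSubclass(AbstractOpMonitoringBuffer.class)`, fails earlier with a clearer error and makes `@SuppressWarnings("unchecked")` unnecessary. The lookup line itself lies between the two hunks and is not visible, so the exact call is inferred.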
diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java index 48b1bd381b..bd07cfdd84 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java @@ -106,13 +106,14 @@ public static void main(String[] args) throws Exception { try { MessageLog.init(actorSystem, jobManager); - OpMonitoring.init(actorSystem); + OpMonitoring.init(); runNormalTestCases(normalTestCases); runSslTestCases(sslTestCases); runIsolatedSslTestCases(isolatedSslTestCases); } finally { + OpMonitoring.shutdown(); jobManager.stop(); Await.ready(actorSystem.terminate(), Duration.Inf()); diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/config/SignerIpAddressConfiguration.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/config/SignerIpAddressConfiguration.java deleted file mode 100644 index 267b167601..0000000000 --- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/config/SignerIpAddressConfiguration.java +++ /dev/null 
@@ -1,55 +0,0 @@ -/** - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package org.niis.xroad.securityserver.restapi.config; - -import org.springframework.beans.factory.annotation.Value; -import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.Configuration; -import org.springframework.context.annotation.Profile; - -/** - * Enable customization of signer IP address when development profile is active. 
- * Otherwise use 127.0.0.1 - */ -@Configuration -public class SignerIpAddressConfiguration { - - @Value("${custom.signer.ip:127.0.0.1}") - private String customIp; - - @Bean(name = "signer-ip") - @Profile("!development") - public String defaultBean() { - return "127.0.0.1"; - } - - @Bean(name = "signer-ip") - @Profile("development") - public String customBean() { - return customIp; - } - -} diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/config/StartStopListener.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/config/StartStopListener.java deleted file mode 100644 index 6676cddde2..0000000000 --- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/config/StartStopListener.java +++ /dev/null 
@@ -1,93 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package org.niis.xroad.securityserver.restapi.config; - -import ee.ria.xroad.commonui.UIServices; - -import lombok.extern.slf4j.Slf4j; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.beans.factory.annotation.Qualifier; -import org.springframework.boot.context.event.ApplicationReadyEvent; -import org.springframework.context.ApplicationEvent; -import org.springframework.context.ApplicationListener; -import org.springframework.context.event.ContextClosedEvent; -import org.springframework.stereotype.Component; - -/** - * Listener which can be used to bootstrap Akka. - * See ProxyUIServices in old proxy-ui. - * System properties bootstrapping is done with SystemPropertiesInitializer - */ -@Slf4j -@Component -public class StartStopListener implements ApplicationListener { - - private UIServices uiApiActorSystem; - - private synchronized void stop() throws Exception { - log.info("stop"); - - if (uiApiActorSystem != null) { - uiApiActorSystem.stop(); - uiApiActorSystem = null; - } - } - - @Autowired - @Qualifier("signer-ip") - private String signerIp; - - /** - * Maybe be called multiple times since ContextRefreshedEvent can happen multiple times - * - * @throws Exception - */ - private synchronized void start() throws Exception { - log.info("start"); - if (uiApiActorSystem == null) { - uiApiActorSystem = new UIServices("ProxyUIApi", "proxyuiapi"); - } - } - - - @Override - public void onApplicationEvent(ApplicationEvent event) { - try { - if (event instanceof ContextClosedEvent) { - stop(); - } else if (event instanceof ApplicationReadyEvent) { - if (signerIp != null) { - // ApplicationReadyEvent happens twice, first has not injected - // beans such as signerIp (should always have value), second has - // only start the second time - start(); - } - } - } catch (Exception e) { - throw new RuntimeException(e); - } - } -} diff --git a/src/signer/build.gradle b/src/signer/build.gradle index 7e6a0223dd..69f4bb0b3e 100644 
--- a/src/signer/build.gradle +++ b/src/signer/build.gradle @@ -1,6 +1,4 @@ plugins { - id 'io.spring.dependency-management' - id 'org.springframework.boot' id 'com.github.johnrengelman.shadow' } @@ -22,6 +20,8 @@ sourceSets { } dependencies { + implementation(platform("org.springframework.boot:spring-boot-dependencies:$springBootVersion")) + implementation project(':common:common-util') implementation project(':common:common-verifier') implementation project(':common:common-rpc') @@ -55,10 +55,6 @@ jar { } -bootJar { - enabled = false -} - shadowJar { archiveClassifier = '' exclude('**/module-info.class') From 7d7e73e1dc1e60cf73ece18ae80ac6e072812ef7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Thu, 28 Sep 2023 16:50:19 +0300 Subject: [PATCH 096/127] chore: remove unused akka references Refs: XRDDEV-2468 --- src/configuration-proxy/build.gradle | 1 - .../src/main/resources/application.conf | 13 ------------- src/monitor/build.gradle | 1 - src/signer-console/build.gradle | 1 - 4 files changed, 16 deletions(-) delete mode 100644 src/configuration-proxy/src/main/resources/application.conf diff --git a/src/configuration-proxy/build.gradle b/src/configuration-proxy/build.gradle index b15c6d1e92..34f42e8cf7 100644 --- a/src/configuration-proxy/build.gradle +++ b/src/configuration-proxy/build.gradle @@ -25,7 +25,6 @@ jar { shadowJar { classifier = '' exclude('**/module-info.class') - append('reference.conf') from rootProject.file("LICENSE.txt") mergeServiceFiles() } diff --git a/src/configuration-proxy/src/main/resources/application.conf b/src/configuration-proxy/src/main/resources/application.conf deleted file mode 100644 index 6af8380b31..0000000000 --- a/src/configuration-proxy/src/main/resources/application.conf +++ /dev/null 
@@ -1,13 +0,0 @@ -configuration-proxy { - include "akka-global.conf" - akka { - actor { - provider = remote - } - - coordinated-shutdown { - exit-jvm = on - phases.actor-system-terminate.timeout = 3s - } - } -} diff --git a/src/monitor/build.gradle b/src/monitor/build.gradle index 9a5ed7440b..b122b2ff10 100644 --- a/src/monitor/build.gradle +++ b/src/monitor/build.gradle @@ -31,7 +31,6 @@ dependencies { } shadowJar { - append('reference.conf') exclude('**/module-info.class') archiveBaseName = "monitor" archiveClassifier = '' diff --git a/src/signer-console/build.gradle b/src/signer-console/build.gradle index d962751b04..1ab4ed4870 100644 --- a/src/signer-console/build.gradle +++ b/src/signer-console/build.gradle @@ -24,7 +24,6 @@ shadowJar { archiveClassifier = '' exclude('**/module-info.class') exclude 'asg/cliche/example/**' - append('reference.conf') from rootProject.file("LICENSE.txt") mergeServiceFiles() } From 90791d337dc82f502fa3d903e0d92df011db744b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Mon, 2 Oct 2023 15:27:33 +0300 Subject: [PATCH 097/127] chore: improve base signer testcontainer config Refs: XRDDEV-2468 --- .../common/test/signer/container/BaseTestSignerSetup.java | 2 ++ .../src/main/resources/signer-container-files/Dockerfile | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java index 0d6a999e1b..0a0f7af0b8 100644 --- a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java +++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java 
@@ -98,6 +98,8 @@ public void beforeStart(@NotNull GenericContainer genericContainer) { .waitingFor(Wait.forLogMessage(".*Signer has been initialized in.*", 1)); genericContainer .withCommand("java", + "-Xmx50m", + "-XX:MaxMetaspaceSize=70m", "-Dlogback.configurationFile=/etc/xroad/signer/signer-logback.xml", "-Dxroad.internal.passwordstore-provider=file", "-Dxroad.grpc.internal.host=0.0.0.0", diff --git a/src/common/common-int-test/src/main/resources/signer-container-files/Dockerfile b/src/common/common-int-test/src/main/resources/signer-container-files/Dockerfile index 90cf8684e0..0d4ec1bc35 100644 --- a/src/common/common-int-test/src/main/resources/signer-container-files/Dockerfile +++ b/src/common/common-int-test/src/main/resources/signer-container-files/Dockerfile @@ -1,6 +1,6 @@ # Explicitly defining linux/amd64 ubuntu:22.04 image -FROM ubuntu@sha256:56887c5194fddd8db7e36ced1c16b3569d89f74c801dc8a5adbf48236fb34564 -RUN apt-get clean && apt-get -y update && apt-get install -y locales && locale-gen en_US.UTF-8 +FROM ubuntu@sha256:b492494d8e0113c4ad3fe4528a4b5ff89faa5331f7d52c5c138196f69ce176a6 +RUN apt-get clean && apt-get -y update && apt-get install -qq -y locales && locale-gen en_US.UTF-8 ENV LANG en_US.UTF-8 ENV LANGUAGE en_US:en ENV LC_ALL en_US.UTF-8 From bd89878909a9de9daba08c3506e9d6fb11453c4d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Mon, 2 Oct 2023 15:28:47 +0300 Subject: [PATCH 098/127] chore: enable withWaitForReady for all grpc client channels Refs: XRDDEV-2468 --- .../ee/ria/xroad/proxymonitor/util/MonitorClient.java | 3 +-- .../java/org/niis/xroad/common/rpc/client/RpcClient.java | 4 ++-- .../java/ee/ria/xroad/monitor/SystemMetricsSensor.java | 2 +- .../java/ee/ria/xroad/monitor/MetricsRpcServiceTest.java | 2 +- .../ee/ria/xroad/signer/protocol/RpcSignerClient.java | 8 ++++---- 5 files changed, 9 insertions(+), 10 deletions(-) 
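Review bot: The `FROM ubuntu@sha256:…` line in the signer test Dockerfile moves to a new digest, but the comment above it still only says ubuntu:22.04 linux/amd64, so a reviewer cannot tell which image build the new digest refers to or confirm it is the intended one. I would extend the comment to record where the digest came from, for example `# ubuntu:22.04 (linux/amd64), digest resolved on <DATE> from the official registry`. That keeps the pin unchanged while making later bumps auditable.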
diff --git a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/MonitorClient.java b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/MonitorClient.java index 98ba3b80ad..89fde3a37a 100644 --- a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/MonitorClient.java +++ b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/MonitorClient.java @@ -62,7 +62,6 @@ public MetricSetType getMetrics(List metricNames, boolean isOwner) { .setIsClientOwner(isOwner) .addAllMetricNames(metricNames) .build())); - //TODO grpc REQUEST timeout is missing? it was 5secs return MetricTypes.of(response.getMetrics()); } catch (Exception e) { @@ -80,7 +79,7 @@ private static class MetricsRpcExecutionContext implements RpcClient.ExecutionCo private final MetricsServiceGrpc.MetricsServiceBlockingStub metricsServiceBlockingStub; MetricsRpcExecutionContext(Channel channel) { - metricsServiceBlockingStub = MetricsServiceGrpc.newBlockingStub(channel); + metricsServiceBlockingStub = MetricsServiceGrpc.newBlockingStub(channel).withWaitForReady(); } } diff --git a/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java index 6a776684b5..427d663801 100644 --- a/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java +++ b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java @@ -49,7 +49,7 @@ @Slf4j public final class RpcClient { - private static final int DEFAULT_DEADLINE_MILIS = 60000; + private static final int DEFAULT_DEADLINE_MILLIS = 60 * 1000; private final ManagedChannel channel; 
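Review bot: `withWaitForReady()` on the blocking stub in MonitorClient makes `getMetrics` wait while the monitor is unreachable instead of failing at once, and the same file's first hunk deletes the TODO about the missing request timeout (previously 5 seconds) without adding one. Unless RpcClient applies `DEFAULT_DEADLINE_MILLIS` to every call, which this page does not show, such a call can wait indefinitely and hold a proxy request thread. A per-call deadline, e.g. `metricsServiceBlockingStub.withDeadlineAfter(<timeout>, TimeUnit.SECONDS)` at the call site, bounds that wait. It has to be set per call, because a deadline set once on a stored stub is fixed from the moment it is set. The same applies to the stubs changed in SystemMetricsSensor and RpcSignerClient.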
@@ -65,7 +65,7 @@ private RpcClient(final ManagedChannel channel, final C executionContext) { public static RpcClient newClient( String host, int port, ExecutionContextFactory contextFactory) throws Exception { - return newClient(host, port, DEFAULT_DEADLINE_MILIS, contextFactory); + return newClient(host, port, DEFAULT_DEADLINE_MILLIS, contextFactory); } public static RpcClient newClient( diff --git a/src/monitor/src/main/java/ee/ria/xroad/monitor/SystemMetricsSensor.java b/src/monitor/src/main/java/ee/ria/xroad/monitor/SystemMetricsSensor.java index 16c6c7ec75..d32ea5e718 100644 --- a/src/monitor/src/main/java/ee/ria/xroad/monitor/SystemMetricsSensor.java +++ b/src/monitor/src/main/java/ee/ria/xroad/monitor/SystemMetricsSensor.java @@ -127,7 +127,7 @@ private static class ProxyRpcExecutionContext implements RpcClient.ExecutionCont private final MonitorServiceGrpc.MonitorServiceStub monitorServiceStub; ProxyRpcExecutionContext(Channel channel) { - monitorServiceStub = MonitorServiceGrpc.newStub(channel); + monitorServiceStub = MonitorServiceGrpc.newStub(channel).withWaitForReady(); } } diff --git a/src/monitor/src/test/java/ee/ria/xroad/monitor/MetricsRpcServiceTest.java b/src/monitor/src/test/java/ee/ria/xroad/monitor/MetricsRpcServiceTest.java index 4c25c84801..81c9e73221 100644 --- a/src/monitor/src/test/java/ee/ria/xroad/monitor/MetricsRpcServiceTest.java +++ b/src/monitor/src/test/java/ee/ria/xroad/monitor/MetricsRpcServiceTest.java @@ -66,7 +66,7 @@ private static class TestMetricsExecutionContext implements RpcClient.ExecutionC private final MetricsServiceGrpc.MetricsServiceBlockingStub metricsServiceBlockingStub; TestMetricsExecutionContext(Channel channel) { - metricsServiceBlockingStub = MetricsServiceGrpc.newBlockingStub(channel); + metricsServiceBlockingStub = MetricsServiceGrpc.newBlockingStub(channel).withWaitForReady(); } } 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java index 1e46ffc6a0..8727e9044c 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/RpcSignerClient.java @@ -79,10 +79,10 @@ public static class SignerRpcExecutionContext implements RpcClient.ExecutionCont private final OcspServiceGrpc.OcspServiceBlockingStub blockingOcspService; public SignerRpcExecutionContext(Channel channel) { - blockingTokenService = TokenServiceGrpc.newBlockingStub(channel); - blockingCertificateService = CertificateServiceGrpc.newBlockingStub(channel); - blockingKeyService = KeyServiceGrpc.newBlockingStub(channel); - blockingOcspService = OcspServiceGrpc.newBlockingStub(channel); + blockingTokenService = TokenServiceGrpc.newBlockingStub(channel).withWaitForReady(); + blockingCertificateService = CertificateServiceGrpc.newBlockingStub(channel).withWaitForReady(); + blockingKeyService = KeyServiceGrpc.newBlockingStub(channel).withWaitForReady(); + blockingOcspService = OcspServiceGrpc.newBlockingStub(channel).withWaitForReady(); } } From 877581a9223b5bcfb174d88359a6a19ba94c2bd5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Mon, 2 Oct 2023 15:38:09 +0300 Subject: [PATCH 099/127] chore: fix ss admin service startup Refs: XRDDEV-2468 --- .../application/src/main/resources/META-INF/spring.factories | 1 - 1 file changed, 1 deletion(-) diff --git a/src/security-server/admin-service/application/src/main/resources/META-INF/spring.factories b/src/security-server/admin-service/application/src/main/resources/META-INF/spring.factories index e861793a4a..4ed281e878 100644 --- a/src/security-server/admin-service/application/src/main/resources/META-INF/spring.factories 
+++ b/src/security-server/admin-service/application/src/main/resources/META-INF/spring.factories @@ -1,2 +1 @@ -org.springframework.context.ApplicationListener=org.niis.xroad.securityserver.restapi.config.StartStopListener org.springframework.boot.env.EnvironmentPostProcessor=org.niis.xroad.securityserver.restapi.config.DatabasePropertiesEnvironmentPostProcessor,org.niis.xroad.securityserver.restapi.config.SslPropertiesEnvironmentPostProcessor,org.niis.xroad.securityserver.restapi.config.CommonPropertyEnvironmentPostProcessor From fafee7c8fa4a7a717db449f246eceb7002cfe13d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Mon, 2 Oct 2023 16:27:51 +0300 Subject: [PATCH 100/127] chore: add test case to check for signer connection recovery Refs: XRDDEV-2468 --- .../xroad/ss/test/ui/glue/SignerStepDefs.java | 45 +++++++++++++++++++ .../0300-ss-keys-and-certificates.feature | 1 + 2 files changed, 46 insertions(+) create mode 100644 src/security-server/system-test/src/intTest/java/org/niis/xroad/ss/test/ui/glue/SignerStepDefs.java diff --git a/src/security-server/system-test/src/intTest/java/org/niis/xroad/ss/test/ui/glue/SignerStepDefs.java b/src/security-server/system-test/src/intTest/java/org/niis/xroad/ss/test/ui/glue/SignerStepDefs.java new file mode 100644 index 0000000000..1205ddf4a1 --- /dev/null +++ b/src/security-server/system-test/src/intTest/java/org/niis/xroad/ss/test/ui/glue/SignerStepDefs.java 
@@ -0,0 +1,45 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ +package org.niis.xroad.ss.test.ui.glue; + +import com.nortal.test.testcontainers.TestableApplicationContainerProvider; +import io.cucumber.java.en.Step; +import lombok.SneakyThrows; +import org.springframework.beans.factory.annotation.Autowired; + +public class SignerStepDefs extends BaseUiStepDefs { + @Autowired + private TestableApplicationContainerProvider containerProvider; + + @SneakyThrows + @Step("signer service is restarted") + public void signerServiceIsRestarted() { + var execResult = containerProvider.getContainer() + .execInContainer("supervisorctl", "restart", "xroad-signer"); + + testReportService.attachJson("supervisorctl restart xroad-signer", execResult); + } +} diff --git a/src/security-server/system-test/src/intTest/resources/behavior/01-ui/0300-ss-keys-and-certificates.feature b/src/security-server/system-test/src/intTest/resources/behavior/01-ui/0300-ss-keys-and-certificates.feature index 0436cac76d..7c8e5fab01 100644 --- a/src/security-server/system-test/src/intTest/resources/behavior/01-ui/0300-ss-keys-and-certificates.feature +++ b/src/security-server/system-test/src/intTest/resources/behavior/01-ui/0300-ss-keys-and-certificates.feature @@ -6,6 +6,7 @@ Feature: 0300 - SS: Keys and certificates Given SecurityServer login page is open And Page is prepared to be tested And User xrd logs in to SecurityServer with password secret + And signer service is restarted Scenario Outline: <$label> key is added and imported Given Keys and certificates tab is selected From 102d58aea7b6b685d35a3f4a8b518127d96abc06 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Mon, 2 Oct 2023 16:32:24 +0300 Subject: [PATCH 101/127] chore: remove non relevant todos Refs: XRDDEV-2468 --- .../src/main/java/ee/ria/xroad/proxymonitor/ProxyMonitor.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
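Review bot: `signerServiceIsRestarted()` attaches the result of `execInContainer` to the report but never checks it, so the step passes even when `supervisorctl restart xroad-signer` fails, and the scenario then does not exercise connection recovery at all. Check the outcome before continuing, for example `if (execResult.getExitCode() != 0) throw new IllegalStateException("xroad-signer restart failed: " + execResult.getStderr());` (assuming `execResult` is the Testcontainers `ExecResult`). `@SneakyThrows` could also give way to a declared `throws Exception` so that interruption and I/O failures show in the signature.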
diff --git a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/ProxyMonitor.java b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/ProxyMonitor.java index 6883f6253b..d960fee3ba 100644 --- a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/ProxyMonitor.java +++ b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/ProxyMonitor.java @@ -43,7 +43,7 @@ public class ProxyMonitor implements AddOn { public void init(final BindableServiceRegistry bindableServiceRegistry) { try { bindableServiceRegistry.register(new ProxyMonitorService()); - //TODO grpc, client might require delayed init due to missing rpc service + monitorClient = new MonitorClient(); } catch (Exception e) { log.error("ProxyMonitor addon has failed to start. Monitor data will not be available!", e); From b0e7ec6cf2261c3c350399614d6172fc67091f94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Tue, 3 Oct 2023 11:25:30 +0300 Subject: [PATCH 102/127] chore: improve proxy suite test cases These changes enable macos native execution if loopback interface is aliased for sudo ifconfig lo0 alias 127.0.0.* up (ranging 2 to 7) Refs: XRDDEV-2468 --- src/addons/metaservice/build.gradle | 3 ++- src/proxy/build.gradle | 3 ++- .../ria/xroad/proxy/testsuite/DummyServerProxy.java | 5 ++++- .../ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java | 12 ++++++++++-- .../testcases/InvalidContentTypeFromClientProxy.java | 3 ++- .../testcases/NoSignatureToServerProxy.java | 3 ++- .../testsuite/testcases/NoSoapToServerProxy.java | 3 ++- .../testcases/ServerProxyProcessingError.java | 3 ++- .../testcases/SslClientCertVerificationError.java | 5 ----- .../testcases/UnsignedMessageFromClientProxy.java | 3 ++- .../testcases/WrongHttpMethodServerProxy.java | 3 ++- 11 files changed, 30 insertions(+), 16 deletions(-) 
diff --git a/src/addons/metaservice/build.gradle b/src/addons/metaservice/build.gradle index bebffc7ab9..4b481619c3 100644 --- a/src/addons/metaservice/build.gradle +++ b/src/addons/metaservice/build.gradle @@ -42,7 +42,8 @@ task runMetaserviceTest(type: JavaExec) { '-Dxroad.proxy.server-connector-so-linger=-1', '-Dxroad.proxy.serverServiceHandlers=ee.ria.xroad.proxy.serverproxy.MetadataServiceHandlerImpl', '-Dxroad.proxy.clientHandlers=ee.ria.xroad.proxy.clientproxy.MetadataHandler', - '-Dproxy.akka.remote.artery.canonical.port=0' + '-Dproxy.akka.remote.artery.canonical.port=0', + '-Dxroad.grpc.internal.tls-enabled=false' mainClass = 'ee.ria.xroad.proxy.testsuite.ProxyTestSuite' classpath = sourceSets.test.runtimeClasspath diff --git a/src/proxy/build.gradle b/src/proxy/build.gradle index d5281a2241..7f66fafc36 100644 --- a/src/proxy/build.gradle +++ b/src/proxy/build.gradle @@ -129,7 +129,8 @@ task runProxyTest(type: JavaExec) { '-Dxroad.proxy.server-connector-so-linger=-1', '-Dlogback.configurationFile=src/test/logback-proxytest.xml', '-Dproxy.akka.loglevel=DEBUG', - '-Dproxy.akka.remote.artery.canonical.port=0' + '-Dproxy.akka.remote.artery.canonical.port=0', + '-Dxroad.grpc.internal.tls-enabled=false' // '-Djava.security.properties==src/main/resources/java.security' mainClass = 'ee.ria.xroad.proxy.testsuite.ProxyTestSuite' diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/DummyServerProxy.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/DummyServerProxy.java index 2f7696378a..9b4902c90c 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/DummyServerProxy.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/DummyServerProxy.java @@ -26,6 +26,7 @@ package ee.ria.xroad.proxy.testsuite; import ee.ria.xroad.common.PortNumbers; +import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.util.StartStop; import lombok.extern.slf4j.Slf4j; 
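Review bot: `-Dxroad.grpc.internal.tls-enabled=false` is added to `runMetaserviceTest` (and again to `runProxyTest` in `src/proxy/build.gradle`) with no comment saying why, and judging by its name it switches TLS off for the internal gRPC channel. A comment above the argument would keep the setting from being copied into a non-test launch configuration, e.g. `// test suite only: internal gRPC runs without TLS here; never set this outside tests`, with the actual reason filled in. Both task definitions start above their hunks.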
@@ -56,7 +57,9 @@ class DummyServerProxy extends Server implements StartStop { connector.setName("ClientConnector"); connector.setHost("127.0.0.2"); - connector.setPort(PortNumbers.PROXY_PORT); + + final var port = System.getProperty(SystemProperties.PROXY_SERVER_PORT, String.valueOf(PortNumbers.PROXY_PORT)); + connector.setPort(Integer.parseInt(port)); addConnector(connector); setHandler(new ServiceHandler()); diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java index aacef0e075..9af1c9f551 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java @@ -26,6 +26,7 @@ package ee.ria.xroad.proxy.testsuite; import ee.ria.xroad.common.SystemProperties; +import ee.ria.xroad.common.TestPortUtils; import ee.ria.xroad.common.conf.globalconf.GlobalConf; import ee.ria.xroad.common.conf.serverconf.ServerConf; import ee.ria.xroad.common.util.JobManager; @@ -41,6 +42,7 @@ import akka.actor.ActorSystem; import com.typesafe.config.ConfigFactory; +import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; import org.niis.xroad.common.rpc.server.RpcServer; import scala.concurrent.Await; @@ -55,6 +57,8 @@ import java.util.Timer; import java.util.TimerTask; +import static java.lang.String.valueOf; + /** * Proxy test suite program. */ 
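Review bot: The port lookup `System.getProperty(SystemProperties.PROXY_SERVER_PORT, String.valueOf(PortNumbers.PROXY_PORT))` introduced in the `DummyServerProxy` constructor is repeated verbatim in six test cases of this commit (InvalidContentTypeFromClientProxy, NoSignatureToServerProxy, NoSoapToServerProxy, ServerProxyProcessingError, UnsignedMessageFromClientProxy, WrongHttpMethodServerProxy). One shared test helper that returns the port as an `int` would keep the fallback in a single place. It would also let a malformed property value fail with a message naming the property, rather than a bare `NumberFormatException` from `Integer.parseInt(port)`. The constructor starts above the hunk.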
@@ -139,12 +143,16 @@ public static void main(String[] args) throws Exception { } } + @SneakyThrows private static void setPropsIfNotSet() { PropsSolver solver = new PropsSolver(); - solver.setIfNotSet(SystemProperties.PROXY_CLIENT_HTTP_PORT, "8080"); - solver.setIfNotSet(SystemProperties.PROXY_CLIENT_HTTPS_PORT, "8443"); + solver.setIfNotSet(SystemProperties.PROXY_CLIENT_HTTP_PORT, valueOf(TestPortUtils.findRandomPort())); + solver.setIfNotSet(SystemProperties.PROXY_CLIENT_HTTPS_PORT, valueOf(TestPortUtils.findRandomPort())); + final var proxyPort = valueOf(TestPortUtils.findRandomPort()); + solver.setIfNotSet(SystemProperties.PROXY_SERVER_LISTEN_PORT, proxyPort); + solver.setIfNotSet(SystemProperties.PROXY_SERVER_PORT, proxyPort); solver.setIfNotSet(SystemProperties.JETTY_CLIENTPROXY_CONFIGURATION_FILE, "src/test/clientproxy.xml"); solver.setIfNotSet(SystemProperties.JETTY_SERVERPROXY_CONFIGURATION_FILE, "src/test/serverproxy.xml"); solver.setIfNotSet(SystemProperties.JETTY_OCSP_RESPONDER_CONFIGURATION_FILE, "src/test/ocsp-responder.xml"); diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/InvalidContentTypeFromClientProxy.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/InvalidContentTypeFromClientProxy.java index 9b50e1b321..542910cd12 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/InvalidContentTypeFromClientProxy.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/InvalidContentTypeFromClientProxy.java @@ -26,6 +26,7 @@ package ee.ria.xroad.proxy.testsuite.testcases; import ee.ria.xroad.common.PortNumbers; +import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.proxy.testsuite.Message; import ee.ria.xroad.proxy.testsuite.MessageTestCase; 
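Review bot: In `setPropsIfNotSet()` the listen port and the connect port are written by two independent `setIfNotSet` calls, so when only one of `PROXY_SERVER_LISTEN_PORT` / `PROXY_SERVER_PORT` is preset from the command line, the other receives the fresh random value and the test cases connect to a port nobody listens on. Resolving the value once from an existing setting avoids the split, e.g. `final var proxyPort = System.getProperty(SystemProperties.PROXY_SERVER_PORT, valueOf(TestPortUtils.findRandomPort()));` (assuming `PropsSolver` writes system properties). `TestPortUtils.findRandomPort()` is not shown; if it only probes for a free port, the three calls may return the same number or one that is taken before the connector binds, which deserves a comment here. The method body continues below the hunk.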
@@ -49,7 +50,7 @@ public class InvalidContentTypeFromClientProxy extends MessageTestCase { public InvalidContentTypeFromClientProxy() { requestFileName = "getstate.query"; - url = "http://127.0.0.1:" + PortNumbers.PROXY_PORT; + url = "http://127.0.0.1:" + System.getProperty(SystemProperties.PROXY_SERVER_PORT, String.valueOf(PortNumbers.PROXY_PORT)); } @Override diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/NoSignatureToServerProxy.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/NoSignatureToServerProxy.java index d021befa85..4f4d36be4b 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/NoSignatureToServerProxy.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/NoSignatureToServerProxy.java @@ -26,6 +26,7 @@ package ee.ria.xroad.proxy.testsuite.testcases; import ee.ria.xroad.common.PortNumbers; +import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.proxy.testsuite.Message; import ee.ria.xroad.proxy.testsuite.MessageTestCase; @@ -49,7 +50,7 @@ public NoSignatureToServerProxy() { requestContentType = "multipart/mixed; " + "boundary=jetty42534330h7vzfqv2;charset=ISO-8859-1"; - url = "http://127.0.0.1:" + PortNumbers.PROXY_PORT; + url = "http://127.0.0.1:" + System.getProperty(SystemProperties.PROXY_SERVER_PORT, String.valueOf(PortNumbers.PROXY_PORT)); } @Override diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/NoSoapToServerProxy.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/NoSoapToServerProxy.java index 537922e7f6..763f4c52de 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/NoSoapToServerProxy.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/NoSoapToServerProxy.java 
@@ -26,6 +26,7 @@ package ee.ria.xroad.proxy.testsuite.testcases; import ee.ria.xroad.common.PortNumbers; +import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.proxy.testsuite.Message; import ee.ria.xroad.proxy.testsuite.MessageTestCase; @@ -50,7 +51,7 @@ public NoSoapToServerProxy() { requestContentType = "multipart/mixed; charset=UTF-8; " + "boundary=jetty771207119h3h10dty"; - url = "http://127.0.0.1:" + PortNumbers.PROXY_PORT; + url = "http://127.0.0.1:" + System.getProperty(SystemProperties.PROXY_SERVER_PORT, String.valueOf(PortNumbers.PROXY_PORT)); } @Override diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/ServerProxyProcessingError.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/ServerProxyProcessingError.java index b6ca45bea9..df0b6e27e5 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/ServerProxyProcessingError.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/ServerProxyProcessingError.java @@ -26,6 +26,7 @@ package ee.ria.xroad.proxy.testsuite.testcases; import ee.ria.xroad.common.PortNumbers; +import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.proxy.testsuite.Message; import ee.ria.xroad.proxy.testsuite.MessageTestCase; @@ -47,7 +48,7 @@ public ServerProxyProcessingError() { requestFileName = "getstate.query"; requestContentType = "multipart/mixed; boundary=foobar"; - url = "http://127.0.0.1:" + PortNumbers.PROXY_PORT; + url = "http://127.0.0.1:" + System.getProperty(SystemProperties.PROXY_SERVER_PORT, String.valueOf(PortNumbers.PROXY_PORT)); } @Override diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/SslClientCertVerificationError.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/SslClientCertVerificationError.java index 1ab53f40b5..2c03092f17 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/SslClientCertVerificationError.java 
+++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/SslClientCertVerificationError.java @@ -50,11 +50,6 @@ public SslClientCertVerificationError() { requestFileName = "getstate.query"; } - @Override - public String getProviderAddress(String providerName) { - return "127.0.0.5"; - } - @Override protected void startUp() throws Exception { ServerConf.reload(new TestSuiteServerConf()); diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/UnsignedMessageFromClientProxy.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/UnsignedMessageFromClientProxy.java index 4cfc4d1551..d3008f01ee 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/UnsignedMessageFromClientProxy.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/UnsignedMessageFromClientProxy.java @@ -26,6 +26,7 @@ package ee.ria.xroad.proxy.testsuite.testcases; import ee.ria.xroad.common.PortNumbers; +import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.proxy.testsuite.Message; import ee.ria.xroad.proxy.testsuite.MessageTestCase; @@ -48,7 +49,7 @@ public UnsignedMessageFromClientProxy() { + "boundary=jetty771207119h3h10dty"; // Connect directly to serverproxy - url = "http://127.0.0.1:" + PortNumbers.PROXY_PORT; + url = "http://127.0.0.1:" + System.getProperty(SystemProperties.PROXY_SERVER_PORT, String.valueOf(PortNumbers.PROXY_PORT)); } @Override diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/WrongHttpMethodServerProxy.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/WrongHttpMethodServerProxy.java index 11c31a1fde..72376ff1ef 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/WrongHttpMethodServerProxy.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/WrongHttpMethodServerProxy.java 
@@ -26,6 +26,7 @@ package ee.ria.xroad.proxy.testsuite.testcases; import ee.ria.xroad.common.PortNumbers; +import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.proxy.testsuite.Message; import ee.ria.xroad.proxy.testsuite.MessageTestCase; @@ -44,7 +45,7 @@ public class WrongHttpMethodServerProxy extends MessageTestCase { public WrongHttpMethodServerProxy() { requestFileName = "getstate.query"; httpMethod = "GET"; - url = "http://127.0.0.1:" + PortNumbers.PROXY_PORT; + url = "http://127.0.0.1:" + System.getProperty(SystemProperties.PROXY_SERVER_PORT, String.valueOf(PortNumbers.PROXY_PORT)); } @Override From 4d5c9ebccd0050b346d41aafe697df770d29eb6e Mon Sep 17 00:00:00 2001 
From: justasnortal <113103740+justasnortal@users.noreply.github.com> Date: Wed, 4 Oct 2023 09:26:28 +0300 Subject: [PATCH 103/127] XRDDEV-2498 Akka removal from messagelog-addon (#1809) feat: removing akka from messagelog-addon Refs: XRDDEV-2498 --- .../messagelog/messagelog-addon/build.gradle | 1 - .../xroad/proxy/messagelog/LogManager.java | 226 ++++++++---------- .../SetTimestampingStatusMessage.java | 7 +- .../ria/xroad/proxy/messagelog/TaskQueue.java | 48 ++-- .../xroad/proxy/messagelog/Timestamper.java | 41 ++-- .../proxy/messagelog/TimestamperWorker.java | 36 +-- .../messagelog/AbstractMessageLogTest.java | 104 ++------ .../proxy/messagelog/LogManagerTest.java | 155 ------------ .../messagelog/MessageLogIntegrationTest.java | 2 - .../messagelog/MessageLogPerformanceTest.java | 2 - .../proxy/messagelog/MessageLogTest.java | 41 ++-- .../MessageRecordingLogManager.java | 103 -------- .../proxy/messagelog/TestLogArchiver.java | 5 - .../proxy/messagelog/TestLogManager.java | 17 +- .../xroad/proxy/messagelog/TestTaskQueue.java | 9 +- .../proxy/messagelog/TestTimestamper.java | 7 +- .../messagelog-archiver/build.gradle | 5 - .../messagelog/archiver/LogArchiver.java | 39 ++- .../messagelog/archiver/LogArchiverMain.java | 50 +--- .../xroad/messagelog/archiver/LogCleaner.java | 32 +-- .../src/main/resources/application.conf | 3 - .../common/messagelog/AbstractLogManager.java | 49 +--- .../common/messagelog/FindByQueryId.java | 42 ---- .../common/messagelog/TimestampMessage.java | 38 --- .../ee/ria/xroad/common/CommonMessages.java | 37 --- .../ee/ria/xroad/common/util/JobManager.java | 6 +- .../addons/messagelog-archiver-logback.xml | 1 - .../default-configuration/signer-logback.xml | 1 - .../java/ee/ria/xroad/proxy/ProxyMain.java | 20 +- .../xroad/proxy/messagelog/MessageLog.java | 91 +++---- .../proxy/messagelog/NullLogManager.java | 17 +- .../proxy/AbstractProxyIntegrationTest.java | 5 +- .../xroad/proxy/testsuite/ProxyTestSuite.java | 3 +- 33 files changed, 301 
insertions(+), 942 deletions(-) delete mode 100644 src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/LogManagerTest.java delete mode 100644 src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/MessageRecordingLogManager.java delete mode 100644 src/addons/messagelog/messagelog-archiver/src/main/resources/application.conf delete mode 100644 src/common/common-messagelog/src/main/java/ee/ria/xroad/common/messagelog/FindByQueryId.java delete mode 100644 src/common/common-messagelog/src/main/java/ee/ria/xroad/common/messagelog/TimestampMessage.java delete mode 100644 src/common/common-util/src/main/java/ee/ria/xroad/common/CommonMessages.java diff --git a/src/addons/messagelog/messagelog-addon/build.gradle b/src/addons/messagelog/messagelog-addon/build.gradle index 1b39e72431..1207733799 100644 --- a/src/addons/messagelog/messagelog-addon/build.gradle +++ b/src/addons/messagelog/messagelog-addon/build.gradle @@ -11,7 +11,6 @@ dependencies { testImplementation project(':common:common-test') testImplementation project(':addons:messagelog:messagelog-archiver') testImplementation "org.hsqldb:hsqldb:$hsqldbVersion" - testImplementation "com.typesafe.akka:akka-testkit_$akkaVersion" testImplementation "org.bouncycastle:bcpg-jdk15on:${bouncyCastleVersion}" } diff --git a/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/LogManager.java b/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/LogManager.java index 668e107d7f..ed55e41026 100644 --- a/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/LogManager.java +++ b/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/LogManager.java 
@@ -26,7 +26,6 @@ package ee.ria.xroad.proxy.messagelog; import ee.ria.xroad.common.CodedException; -import ee.ria.xroad.common.CommonMessages; import ee.ria.xroad.common.DiagnosticsErrorCodes; import ee.ria.xroad.common.DiagnosticsStatus; import ee.ria.xroad.common.DiagnosticsUtils; @@ -34,7 +33,6 @@ import ee.ria.xroad.common.conf.serverconf.ServerConf; import ee.ria.xroad.common.messagelog.AbstractLogManager; import ee.ria.xroad.common.messagelog.LogMessage; -import ee.ria.xroad.common.messagelog.LogRecord; import ee.ria.xroad.common.messagelog.MessageLogProperties; import ee.ria.xroad.common.messagelog.MessageRecord; import ee.ria.xroad.common.messagelog.RestLogMessage; @@ -42,22 +40,18 @@ import ee.ria.xroad.common.messagelog.TimestampRecord; import ee.ria.xroad.common.util.JobManager; -import akka.actor.ActorRef; -import akka.actor.Cancellable; -import akka.actor.Props; -import akka.actor.UntypedAbstractActor; -import akka.pattern.Patterns; -import akka.util.Timeout; import lombok.extern.slf4j.Slf4j; import org.apache.commons.io.input.BoundedInputStream; -import scala.concurrent.Await; -import scala.concurrent.duration.Duration; -import scala.concurrent.duration.FiniteDuration; +import java.time.Duration; import java.time.Instant; import java.time.OffsetDateTime; +import java.time.temporal.ChronoUnit; import java.util.Date; -import java.util.concurrent.TimeUnit; +import java.util.Map; +import java.util.concurrent.Executors; +import java.util.concurrent.ScheduledExecutorService; +import java.util.concurrent.ScheduledFuture; import static ee.ria.xroad.common.ErrorCodes.X_LOGGING_FAILED_X; import static ee.ria.xroad.common.ErrorCodes.X_MLOG_TIMESTAMPER_FAILED; 
@@ -67,9 +61,8 @@ import static ee.ria.xroad.common.messagelog.MessageLogProperties.shouldTimestampImmediately; import static ee.ria.xroad.common.util.CryptoUtils.calculateDigest; import static ee.ria.xroad.common.util.CryptoUtils.encodeBase64; -import static ee.ria.xroad.proxy.messagelog.TaskQueue.START_TIMESTAMPING; -import static ee.ria.xroad.proxy.messagelog.TaskQueue.START_TIMESTAMPING_RETRY_MODE; import static java.nio.charset.StandardCharsets.UTF_8; +import static java.util.concurrent.TimeUnit.SECONDS; /** * Message log manager. Sets up the whole logging system components. 
@@ -78,67 +71,58 @@ @Slf4j public class LogManager extends AbstractLogManager { - private static final Timeout TIMESTAMP_TIMEOUT = new Timeout(Duration.create(30, TimeUnit.SECONDS)); - public static final String FAILED = "Failed"; - public static final String SUCCESS = "Success"; - - // Actor names of message log components - static final String TASK_QUEUE_NAME = "RequestLogTaskQueue"; - static final String TIMESTAMPER_NAME = "RequestLogTimestamper"; - static final long MAX_LOGGABLE_BODY_SIZE = MessageLogProperties.getMaxLoggableBodySize(); static final boolean TRUNCATED_BODY_ALLOWED = MessageLogProperties.isTruncatedBodyAllowed(); // Date at which a time-stamping first failed. private Instant timestampFailed; - private final ActorRef timestamper; - private final ActorRef timestamperJob; + private final Timestamper timestamper; + private final TimestamperJob timestamperJob; // package private for testing - final ActorRef taskQueueRef; + final TaskQueue taskQueue; LogManager(JobManager jobManager) { super(jobManager); - taskQueueRef = createTaskQueue(); - timestamper = createTimestamper(); - timestamperJob = createTimestamperJob(); - } - - private ActorRef createTaskQueue() { - return getContext().actorOf(getTaskQueueImpl(), TASK_QUEUE_NAME); + timestamper = getTimestamperImpl(); + taskQueue = getTaskQueueImpl(timestamper); + timestamperJob = createTimestamperJob(taskQueue); } - private ActorRef createTimestamper() { - return getContext().actorOf(getTimestamperImpl(), TIMESTAMPER_NAME); + @Override + public void shutdown() { + timestamperJob.shutdown(); + super.shutdown(); } - private ActorRef createTimestamperJob() { - return getContext().actorOf(Props.create(TimestamperJob.class, getTimestamperJobInitialDelay())); + private TimestamperJob createTimestamperJob(TaskQueue taskQueueParam) { + return new TimestamperJob(getTimestamperJobInitialDelay(), taskQueueParam); } /** * Can be overwritten in test classes if we want to make sure that timestamping does not start 
prematurely. + * * @return timestamper job initial delay. */ - protected FiniteDuration getTimestamperJobInitialDelay() { - return Duration.create(1, TimeUnit.SECONDS); + protected Duration getTimestamperJobInitialDelay() { + return Duration.of(1, ChronoUnit.SECONDS); } // ------------------------------------------------------------------------ @Override - protected void log(LogMessage message) throws Exception { + public void log(LogMessage message) throws Exception { boolean shouldTimestampImmediately = shouldTimestampImmediately(); verifyCanLogMessage(shouldTimestampImmediately); MessageRecord logRecord; if (message instanceof SoapLogMessage) { - logRecord = createMessageRecord((SoapLogMessage)message); + logRecord = createMessageRecord((SoapLogMessage) message); } else { - logRecord = createMessageRecord((RestLogMessage)message); + logRecord = createMessageRecord((RestLogMessage) message); } logRecord = saveMessageRecord(logRecord); @@ -148,10 +132,10 @@ protected void log(LogMessage message) throws Exception { } @Override - protected TimestampRecord timestamp(Long messageRecordId) throws Exception { + public TimestampRecord timestamp(Long messageRecordId) throws Exception { log.trace("timestamp({})", messageRecordId); - MessageRecord record = (MessageRecord)LogRecordManager.get(messageRecordId); + MessageRecord record = (MessageRecord) LogRecordManager.get(messageRecordId); if (record.getTimestampRecord() != null) { return record.getTimestampRecord(); 
@@ -167,49 +151,29 @@ protected TimestampRecord timestamp(Long messageRecordId) throws Exception { } @Override - protected LogRecord findByQueryId(String queryId, Date startTime, Date endTime) throws Exception { - log.trace("findByQueryId({}, {}, {})", queryId, startTime, endTime); - - return LogRecordManager.getByQueryId(queryId, startTime, endTime); - } - - @Override - public void onReceive(Object message) throws Exception { - log.trace("onReceive({})", message); - - try { - if (CommonMessages.TIMESTAMP_STATUS.equals(message)) { - getSender().tell(statusMap, getSelf()); - } else if (message instanceof SetTimestampingStatusMessage) { - setTimestampingStatus((SetTimestampingStatusMessage)message); - } else { - super.onReceive(message); - } - } catch (Exception e) { - getSender().tell(e, getSelf()); - } + public Map getDiagnosticStatus() { + return statusMap; } // ------------------------------------------------------------------------ - protected Props getTaskQueueImpl() { - return Props.create(TaskQueue.class); + protected TaskQueue getTaskQueueImpl(Timestamper timestamperParam) { + return new TaskQueue(timestamperParam, this); } - protected Props getTimestamperImpl() { - return Props.create(Timestamper.class); + protected Timestamper getTimestamperImpl() { + return new Timestamper(); } private TimestampRecord timestampImmediately(MessageRecord logRecord) throws Exception { log.trace("timestampImmediately({})", logRecord); - Object result = Await.result(Patterns.ask(timestamper, new Timestamper.TimestampTask(logRecord), - TIMESTAMP_TIMEOUT), TIMESTAMP_TIMEOUT.duration()); + Timestamper.TimestampResult result = timestamper.handleTimestampTask(new Timestamper.TimestampTask(logRecord)); if (result instanceof Timestamper.TimestampSucceeded) { - return saveTimestampRecord((Timestamper.TimestampSucceeded)result); + return saveTimestampRecord((Timestamper.TimestampSucceeded) result); } else if (result instanceof Timestamper.TimestampFailed) { - Exception e = 
((Timestamper.TimestampFailed)result).getCause(); + Exception e = ((Timestamper.TimestampFailed) result).getCause(); log.error("Timestamping failed", e); @@ -298,6 +262,7 @@ static TimestampRecord saveTimestampRecord(Timestamper.TimestampSucceeded messag /** * Put success state into statusMap (used for diagnostics) for a given TSA url + * * @param url url of timestamper which stamped successfully */ static void putStatusMapSuccess(String url) { @@ -308,6 +273,7 @@ static void putStatusMapSuccess(String url) { * Put failure state into statusMap (used for diagnostics). * Timestamping ({@link AbstractTimestampRequest} attempts to use all TSAs, and failure means that * all were tried and failed, so all TSAs will be marked with failed status + * * @param e exception which is used to determine diagnostics error code */ static void putStatusMapFailures(Exception e) { @@ -346,14 +312,14 @@ void setTimestampingStatus(SetTimestampingStatusMessage statusMessage) { void setTimestampSucceeded() { if (timestampFailed != null) { timestampFailed = null; - this.timestamperJob.tell(SUCCESS, ActorRef.noSender()); + this.timestamperJob.onSuccess(); } } void setTimestampFailed(Instant atTime) { if (timestampFailed == null) { timestampFailed = atTime; - this.timestamperJob.tell(FAILED, ActorRef.noSender()); + this.timestamperJob.onFailure(); } } 
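Review bot: `timestampImmediately` used to bound its wait with the 30-second `TIMESTAMP_TIMEOUT`; the direct call `timestamper.handleTimestampTask(...)` has no limit in this hunk, so a timestamping service that stops responding now holds the calling thread for as long as the request takes. `Timestamper` is not shown here; if its request does not already enforce connect and read timeouts, restore a bound, for instance by submitting the task to an executor and waiting with `Future.get(30, TimeUnit.SECONDS)`. The hunk also adds `getDiagnosticStatus()`, which hands out `statusMap` itself rather than a copy; a Javadoc line saying so would tell callers not to modify it.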
@@ -389,75 +355,79 @@ private static byte[] getInputHash(String str) throws Exception { /** * Timestamper job is responsible for firing up the timestamping periodically. */ - public static class TimestamperJob extends UntypedAbstractActor { + public static class TimestamperJob { private static final int MIN_INTERVAL_SECONDS = 60; private static final int MAX_INTERVAL_SECONDS = 60 * 60 * 24; private static final int TIMESTAMP_RETRY_DELAY_SECONDS = getTimestampRetryDelay(); - private final FiniteDuration initialDelay; - private Cancellable tick; // Flag for indicating backoff retry state private boolean retryMode = false; - public TimestamperJob(FiniteDuration initialDelay) { - this.initialDelay = initialDelay; + private final ScheduledExecutorService taskScheduler; + private final TaskQueue taskQueue; + private ScheduledFuture scheduledTask; + + public TimestamperJob(Duration initialDelay, TaskQueue taskQueue) { + log.trace("Initializing TimestamperJob"); + this.taskQueue = taskQueue; + this.taskScheduler = Executors.newSingleThreadScheduledExecutor(); + schedule(initialDelay, this::handleStartTimestamping); } - @Override - public void onReceive(Object message) { - log.trace("onReceive({})", message); - - if (START_TIMESTAMPING.equals(message)) { - handle(message); - schedule(getNextDelay()); - } else if (START_TIMESTAMPING_RETRY_MODE.equals(message)) { - handle(message); - schedule(getNextDelay(), message); - } else if (SUCCESS.equals(message)) { - log.info("Batch time-stamping refresh cycle successfully completed, continuing with normal scheduling"); - // Move back into normal state. - // Cancel next tick, run a batch immediately and schedule next one. 
- cancelNextTick(); - retryMode = false; - handle(START_TIMESTAMPING); - schedule(getNextDelay()); - } else if (FAILED.equals(message)) { - log.info("Batch time-stamping failed, switching to retry backoff schedule"); - log.info("Time-stamping retry delay value is: {}s", TIMESTAMP_RETRY_DELAY_SECONDS); - // Move into recover-from-failed state. - // Cancel next tick and start backoff schedule. - cancelNextTick(); - retryMode = true; - schedule(getNextDelay(), START_TIMESTAMPING_RETRY_MODE); - } else { - unhandled(message); - } + void onSuccess() { + log.info("Batch time-stamping refresh cycle successfully completed, continuing with normal scheduling"); + // Move back into normal state. + // Cancel next tick, run a batch immediately and schedule next one. + retryMode = false; + this.taskQueue.handleStartTimestamping(); } - private void handle(Object message) { - getContext().actorSelection("../" + TASK_QUEUE_NAME).tell(message, getSelf()); + void onFailure() { + log.info("Batch time-stamping failed, switching to retry backoff schedule"); + log.info("Time-stamping retry delay value is: {}s", TIMESTAMP_RETRY_DELAY_SECONDS); + // Move into recover-from-failed state. + // Cancel next tick and start backoff schedule. 
+ retryMode = true; + } + + private void handleStartTimestamping() { + log.trace("handleStartTimestamping()"); + try { + this.taskQueue.handleStartTimestamping(); + } finally { + scheduleNext(); + } } - @Override - public void preStart() { - schedule(initialDelay); + private void handleStartTimestampingRetryMode() { + log.trace("handleStartTimestamping()"); + try { + this.taskQueue.handleStartTimestampingRetryMode(); + } finally { + scheduleNext(); + } } - @Override - public void postStop() { - cancelNextTick(); + private void scheduleNext() { + if (retryMode) { + schedule(getNextDelay(), this::handleStartTimestampingRetryMode); + } else { + schedule(getNextDelay(), this::handleStartTimestamping); + } } - private void schedule(FiniteDuration delay) { - schedule(delay, START_TIMESTAMPING); + public void shutdown() { + log.trace("shutdown()"); + cancelNext(); + taskScheduler.shutdown(); } - private void schedule(FiniteDuration delay, Object message) { - tick = getContext().system().scheduler().scheduleOnce(delay, getSelf(), message, - getContext().dispatcher(), ActorRef.noSender()); + private void schedule(Duration delay, Runnable runnable) { + cancelNext(); + this.scheduledTask = taskScheduler.schedule(runnable, delay.getSeconds(), SECONDS); } - private FiniteDuration getNextDelay() { + private Duration getNextDelay() { int actualInterval = MIN_INTERVAL_SECONDS; log.debug("Use batch time-stamping retry backoff schedule: {}", retryMode); 
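Review bot: `TimestamperJob.onFailure()` and `onSuccess()` keep the old comments ("Cancel next tick and start backoff schedule", "…schedule next one") but no longer cancel or reschedule anything, so after a failure the first retry waits out the previously scheduled normal interval instead of starting the backoff. `retryMode` is now written by the thread calling `onSuccess()`/`onFailure()` and read on the scheduler thread without synchronisation, which the actor mailbox used to serialise. Declaring it `private volatile boolean retryMode = false;`, ending `onFailure()` with `scheduleNext();` and making `schedule(...)` `synchronized` would restore the previous behaviour. The trace message in `handleStartTimestampingRetryMode()` still reads `"handleStartTimestamping()"`. The class continues in the next hunk.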
@@ -475,14 +445,14 @@ private FiniteDuration getNextDelay() { int intervalSeconds = Math.min(Math.max(actualInterval, MIN_INTERVAL_SECONDS), MAX_INTERVAL_SECONDS); log.debug("Time-stamping interval is: {}s", intervalSeconds); - return Duration.create(intervalSeconds, TimeUnit.SECONDS); + return Duration.of(intervalSeconds, ChronoUnit.SECONDS); } - protected void cancelNextTick() { - if (tick != null) { - if (!tick.isCancelled()) { - boolean result = tick.cancel(); - log.info("cancelNextTick called, cancel() return value: {}", result); + protected void cancelNext() { + if (scheduledTask != null) { + if (!scheduledTask.isCancelled()) { + boolean result = scheduledTask.cancel(false); + log.trace("cancelNext called, cancel() return value: {}", result); } } } diff --git a/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/SetTimestampingStatusMessage.java b/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/SetTimestampingStatusMessage.java index 7fefe09018..70c46cc2fd 100644 --- a/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/SetTimestampingStatusMessage.java +++ b/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/SetTimestampingStatusMessage.java @@ -25,7 +25,6 @@ */ package ee.ria.xroad.proxy.messagelog; -import akka.dispatch.ControlMessage; import lombok.Data; import lombok.RequiredArgsConstructor; @@ -33,14 +32,15 @@ @Data @RequiredArgsConstructor -class SetTimestampingStatusMessage implements ControlMessage { +class SetTimestampingStatusMessage { /** * Status */ public enum Status { SUCCESS, - FAILURE; + FAILURE } + private final Status status; /** * Time when the status was achieved @@ -49,6 +49,7 @@ public enum Status { /** * Constructor that sets status change timestamp to current time. + * * @param status */ SetTimestampingStatusMessage(Status status) { 
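Review bot: `cancelNext()` cancels with `scheduledTask.cancel(false)`, so a batch that is already running when `shutdown()` is called keeps going. The `finally { scheduleNext(); }` in the two handlers (in the preceding hunk, which starts outside this view) then calls `taskScheduler.schedule(...)` after `taskScheduler.shutdown()`. If `taskScheduler` is a `ScheduledExecutorService` (its declaration is not visible here), that call is rejected with `RejectedExecutionException` from inside the finally block. Consider returning early from `schedule()` once shutdown has begun, e.g. `if (taskScheduler.isShutdown()) { return; }`. If `scheduledTask` is read by both the scheduler thread and the caller of `shutdown()`, declaring it `volatile` would make the cancellation see the latest future.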
diff --git a/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/TaskQueue.java b/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/TaskQueue.java index 9de5b9bb7d..e3c3e767fb 100644 --- a/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/TaskQueue.java +++ b/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/TaskQueue.java @@ -30,9 +30,6 @@ import ee.ria.xroad.proxy.messagelog.Timestamper.TimestampSucceeded; import ee.ria.xroad.proxy.messagelog.Timestamper.TimestampTask; -import akka.actor.ActorRef; -import akka.actor.ActorSelection; -import akka.actor.UntypedAbstractActor; import lombok.AccessLevel; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; @@ -41,7 +38,6 @@ import java.util.Arrays; import java.util.List; -import static ee.ria.xroad.proxy.messagelog.LogManager.TIMESTAMPER_NAME; import static ee.ria.xroad.proxy.messagelog.MessageLogDatabaseCtx.doInTransaction; /** 
@@ -49,29 +45,13 @@ */ @Slf4j @RequiredArgsConstructor(access = AccessLevel.PACKAGE) -public class TaskQueue extends UntypedAbstractActor { +public class TaskQueue { - static final String START_TIMESTAMPING = "StartTimestamping"; - static final String START_TIMESTAMPING_RETRY_MODE = "StartTimestampingRetryMode"; static final double TIMESTAMPED_RECORDS_RATIO_THRESHOLD = 0.7; static final int TIMESTAMP_RECORDS_LIMIT_RETRY_MODE = 1; - @Override - public void onReceive(Object message) throws Exception { - log.trace("onReceive({})", message); - - if (message.equals(START_TIMESTAMPING)) { - handleStartTimestamping(); - } else if (message.equals(START_TIMESTAMPING_RETRY_MODE)) { - handleStartTimestamping(TIMESTAMP_RECORDS_LIMIT_RETRY_MODE); - } else if (message instanceof Timestamper.TimestampSucceeded) { - handleTimestampSucceeded((Timestamper.TimestampSucceeded) message); - } else if (message instanceof Timestamper.TimestampFailed) { - handleTimestampFailed((Timestamper.TimestampFailed) message); - } else { - unhandled(message); - } - } + private final Timestamper timestamper; + private final LogManager logManager; protected void handleTimestampSucceeded(TimestampSucceeded message) { log.trace("handleTimestampSucceeded"); @@ -133,10 +113,11 @@ private void indicateFailure(Exception cause) { /** * Sends timestamping status message to LogManager. + * * @param status timestamping status message. */ private void sendTimestampingStatusToLogManager(SetTimestampingStatusMessage.Status status) { - getContext().parent().tell(new SetTimestampingStatusMessage(status), ActorRef.noSender()); + logManager.setTimestampingStatus(new SetTimestampingStatusMessage(status)); } protected void handleTimestampFailed(TimestampFailed message) { 
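Review bot: With `onReceive` removed, `TaskQueue` loses the actor mailbox that serialised `handleStartTimestamping()` against itself, and nothing in this hunk replaces that guarantee. The method is now reachable from the scheduler handlers and from `onSuccess()` in the job class, and the test calls it directly through `logManager.taskQueue`. If those callers can run on different threads (not determinable from this view), two runs could read the same pending records and request time-stamps for them twice. Either state the contract in the class Javadoc, e.g. `Not thread-safe: handleStartTimestamping() must only be invoked from the time-stamping scheduler thread.`, or guard both entry points, e.g. `protected synchronized void handleStartTimestamping()` and the retry-mode variant.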
@@ -149,7 +130,11 @@ protected void handleStartTimestamping() { handleStartTimestamping(MessageLogProperties.getTimestampRecordsLimit()); } - protected void handleStartTimestamping(int timestampRecordsLimit) { + protected void handleStartTimestampingRetryMode() { + handleStartTimestamping(TIMESTAMP_RECORDS_LIMIT_RETRY_MODE); + } + + private void handleStartTimestamping(int timestampRecordsLimit) { List timestampTasks; try { @@ -176,12 +161,14 @@ protected void handleStartTimestamping(int timestampRecordsLimit) { TIMESTAMPED_RECORDS_RATIO_THRESHOLD * 100); } - sendToTimestamper(createTimestampTask(timestampTasks)); - } + final Timestamper.TimestampResult timestampResult = timestamper + .handleTimestampTask(createTimestampTask(timestampTasks)); + if (timestampResult instanceof TimestampSucceeded) { + handleTimestampSucceeded((TimestampSucceeded) timestampResult); + } else if (timestampResult instanceof TimestampFailed) { + handleTimestampFailed((TimestampFailed) timestampResult); + } - private void sendToTimestamper(TimestampTask timestampTask) { - ActorSelection timestamper = getContext().actorSelection("../" + TIMESTAMPER_NAME); - timestamper.tell(timestampTask, getSelf()); } private TimestampTask createTimestampTask(List timestampTasks) { @@ -211,7 +198,6 @@ private List getTimestampTasks(Session session, int timestampRecordsLimit) return session.createQuery(getTaskQueueQuery()).setMaxResults(timestampRecordsLimit).list(); } - @SuppressWarnings("unchecked") private static Long getTasksQueueSize(Session session) { return (Long) session.createQuery(getTaskQueueSizeQuery()).uniqueResult(); } diff --git a/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/Timestamper.java b/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/Timestamper.java index f0d2faea9d..04f383f43e 100644 --- a/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/Timestamper.java 
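Review bot: The `instanceof` chain added after `timestamper.handleTimestampTask(...)` in the `@@ -176,12 +161,14 @@` hunk has no final `else`. A `null` or any other `TimestampResult` is therefore dropped without a log line or a status update, and the selected records stay un-time-stamped with nothing reported to `LogManager`. Route the unexpected case through the failure path, e.g. `} else { indicateFailure(new IllegalStateException("Unexpected timestamp result: " + timestampResult)); }`, assuming `indicateFailure` is what `handleTimestampFailed` uses to report status. The call is now synchronous, so the invoking thread blocks for the whole TSP round trip; a short comment saying so would help, since the body of `handleStartTimestamping(int)` starts outside this hunk.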
+++ b/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/Timestamper.java @@ -25,13 +25,11 @@ */ package ee.ria.xroad.proxy.messagelog; +import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.conf.globalconf.GlobalConf; import ee.ria.xroad.common.conf.serverconf.ServerConf; import ee.ria.xroad.common.messagelog.MessageRecord; -import akka.actor.ActorRef; -import akka.actor.Props; -import akka.actor.UntypedAbstractActor; import lombok.Data; import lombok.RequiredArgsConstructor; import lombok.ToString; @@ -39,11 +37,13 @@ import java.io.Serializable; +import static ee.ria.xroad.common.ErrorCodes.X_OUTDATED_GLOBALCONF; + /** * Timestamper is responsible for routing timestamping tasks to the timestamp worker. */ @Slf4j -public class Timestamper extends UntypedAbstractActor { +public class Timestamper { @Data @RequiredArgsConstructor @@ -53,15 +53,16 @@ static final class TimestampTask implements Serializable { private final String[] signatureHashes; TimestampTask(MessageRecord messageRecord) { - this.messageRecords = new Long[] {messageRecord.getId()}; - this.signatureHashes = new String[] {messageRecord.getSignatureHash()}; + this.messageRecords = new Long[]{messageRecord.getId()}; + this.signatureHashes = new String[]{messageRecord.getSignatureHash()}; } } - interface TimestampResult { } + interface TimestampResult { + } @Data - @ToString(exclude = { "timestampDer", "hashChains" }) + @ToString(exclude = {"timestampDer", "hashChains"}) static final class TimestampSucceeded implements TimestampResult, Serializable { private final Long[] messageRecords; private final byte[] timestampDer; 
@@ -76,28 +77,16 @@ static final class TimestampFailed implements TimestampResult, Serializable { private final Exception cause; } - @Override - public void onReceive(Object message) throws Exception { - log.trace("onReceive({})", message.getClass()); - - if (message instanceof TimestampTask) { - handleTimestampTask((TimestampTask) message); - } else { - unhandled(message); - } - } - - protected Class getWorkerImpl() { - return TimestamperWorker.class; + protected TimestamperWorker getWorkerImpl() { + return new TimestamperWorker(ServerConf.getTspUrl()); } - private void handleTimestampTask(TimestampTask message) { + public TimestampResult handleTimestampTask(TimestampTask message) { if (!GlobalConf.isValid()) { - return; + return new TimestampFailed(message.getMessageRecords(), + new CodedException(X_OUTDATED_GLOBALCONF, "Global configuration is not valid")); } - // Spawn a new temporary child actor that will do the actual time stamping, which is probably lengthy process. - ActorRef worker = getContext().actorOf(Props.create(getWorkerImpl(), ServerConf.getTspUrl())); - worker.tell(message, getSender()); + return getWorkerImpl().timestamp(message); } } diff --git a/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/TimestamperWorker.java b/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/TimestamperWorker.java index 8b7bd6bb05..76841755c2 100644 --- a/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/TimestamperWorker.java +++ b/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/TimestamperWorker.java @@ -27,8 +27,6 @@ import ee.ria.xroad.proxy.messagelog.Timestamper.TimestampTask; -import akka.actor.ActorRef; -import akka.actor.UntypedAbstractActor; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; 
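Review bot: `handleTimestampTask` now reports an invalid global configuration as a `TimestampFailed`, but `getWorkerImpl()` evaluates `ServerConf.getTspUrl()` outside any try/catch. If reading the server configuration throws, the caller gets an exception instead of a `TimestampResult`, whereas `TimestamperWorker.timestamp` already maps its own exceptions to `TimestampFailed`. Keeping a single failure path for `TaskQueue` takes a small wrapper: `try { return getWorkerImpl().timestamp(message); } catch (Exception e) { return new TimestampFailed(message.getMessageRecords(), e); }`. `getWorkerImpl` also no longer returns an implementation class but a new instance, so a name such as `createWorker` would describe it better; any test subclass that overrides it would need the same rename.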
@@ -40,39 +38,29 @@ */ @Slf4j @RequiredArgsConstructor -public class TimestamperWorker extends UntypedAbstractActor { +public class TimestamperWorker { private final List tspUrls; - @Override - public void onReceive(Object message) throws Exception { - log.trace("onReceive({})", message.getClass()); - - if (message instanceof TimestampTask) { - try { - handleTimestampTask((TimestampTask) message); - } catch (Exception e) { - handleFailure((TimestampTask) message, e); - } finally { - getContext().stop(getSelf()); - } - } else { - unhandled(message); + public Timestamper.TimestampResult timestamp(TimestampTask message) { + log.trace("timestamp({})", message.getClass()); + try { + return handleTimestampTask(message); + } catch (Exception e) { + return handleFailure(message, e); } } - private void handleFailure(TimestampTask message, Exception e) { + private Timestamper.TimestampResult handleFailure(TimestampTask message, Exception e) { log.error("Timestamper failed for message records {}: {}", Arrays.toString(message.getMessageRecords()), e.getMessage()); - getSender().tell(new Timestamper.TimestampFailed( - message.getMessageRecords(), e), ActorRef.noSender()); + return new Timestamper.TimestampFailed(message.getMessageRecords(), e); } - private void handleTimestampTask(TimestampTask message) throws Exception { + private Timestamper.TimestampResult handleTimestampTask(TimestampTask message) throws Exception { if (tspUrls.isEmpty()) { - throw new RuntimeException( - "Cannot time-stamp, no TSP URLs configured"); + throw new RuntimeException("Cannot time-stamp, no TSP URLs configured"); } Long[] logRecords = message.getMessageRecords(); @@ -99,7 +87,7 @@ private void handleTimestampTask(TimestampTask message) throws Exception { message.getMessageRecords().length, (System.currentTimeMillis() - start)); - getSender().tell(result, ActorRef.noSender()); + return result; } private AbstractTimestampRequest createTimestampRequest(Long[] logRecords, 
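Review bot: `handleFailure` logs only `e.getMessage()`, which can be null and drops the stack trace, so a failed time-stamping attempt is hard to diagnose from the proxy log alone. Pass the exception as the final argument so the logger prints the trace: `log.error("Timestamper failed for message records {}: {}", Arrays.toString(message.getMessageRecords()), e.getMessage(), e);`. The new `log.trace("timestamp({})", message.getClass())` always prints the same class now that the parameter is typed `TimestampTask`; logging `message.getMessageRecords().length` would say more.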
diff --git a/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/AbstractMessageLogTest.java b/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/AbstractMessageLogTest.java index ec7df7963b..f8d8773ca8 100644 --- a/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/AbstractMessageLogTest.java +++ b/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/AbstractMessageLogTest.java 
@@ -40,128 +40,62 @@ import ee.ria.xroad.messagelog.archiver.LogArchiver; import ee.ria.xroad.messagelog.archiver.LogCleaner; -import akka.actor.ActorRef; -import akka.actor.ActorSystem; -import akka.actor.DeadLetter; -import akka.actor.Props; -import akka.actor.UntypedAbstractActor; -import akka.testkit.TestActorRef; -import com.typesafe.config.ConfigFactory; -import com.typesafe.config.ConfigRenderOptions; -import com.typesafe.config.ConfigValueFactory; -import lombok.Getter; import lombok.extern.slf4j.Slf4j; import org.apache.commons.io.FileUtils; -import scala.concurrent.Await; -import scala.concurrent.duration.Duration; +import org.quartz.JobExecutionContext; import java.io.ByteArrayInputStream; import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; -import java.util.ArrayList; -import java.util.List; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertTrue; +import static org.mockito.Mockito.mock; @Slf4j abstract class AbstractMessageLogTest { JobManager jobManager; - ActorSystem actorSystem; LogManager logManager; - protected final Path archivesPath = Paths.get("build/archive"); + protected final String archivesDir = "build/archive"; + protected final Path archivesPath = Paths.get(archivesDir); - @Getter - private TestActorRef logManagerRef; - private TestActorRef logArchiverRef; - private TestActorRef logCleanerRef; + private LogArchiver logArchiverRef; + private LogCleaner logCleanerRef; void testSetUp() throws Exception { testSetUp(false); } - private List deadLetters = new ArrayList<>(); - - List getDeadLetters() { - return deadLetters; - } - - private void clearDeadLetters() { - deadLetters = new ArrayList<>(); - } - - synchronized void addDeadLetter(DeadLetter d) { - deadLetters.add(d); - } - - public static class DeadLetterActor extends UntypedAbstractActor { - - private final AbstractMessageLogTest test; - - DeadLetterActor(AbstractMessageLogTest 
test) { - this.test = test; - } - - public void onReceive(Object message) { - if (message instanceof DeadLetter) { - log.info("dead letter: " + message); - - test.addDeadLetter((DeadLetter) message); - } - } - } - protected void testSetUp(boolean timestampImmediately) throws Exception { System.setProperty(SystemProperties.TEMP_FILES_PATH, "build/tmp"); + System.setProperty(MessageLogProperties.ARCHIVE_PATH, archivesDir); jobManager = new JobManager(); - clearDeadLetters(); - - actorSystem = ActorSystem.create("Proxy", ConfigFactory.load() - .getConfig("proxy") - .withValue("akka.actor.provider", ConfigValueFactory.fromAnyRef("local"))); //remoting is not needed - - actorSystem.eventStream().subscribe(actorSystem.actorOf(Props.create(DeadLetterActor.class, this)), - DeadLetter.class); System.setProperty(MessageLogProperties.TIMESTAMP_IMMEDIATELY, timestampImmediately ? "true" : "false"); System.setProperty(MessageLogProperties.MESSAGE_BODY_LOGGING_ENABLED, "true"); - logManagerRef = TestActorRef.create(actorSystem, Props.create(getLogManagerImpl(), jobManager), - MessageLog.LOG_MANAGER); + logManager = (LogManager) getLogManagerImpl().getDeclaredConstructor(JobManager.class).newInstance(jobManager); if (!Files.exists(archivesPath)) { Files.createDirectory(archivesPath); } - logArchiverRef = TestActorRef.create(actorSystem, Props.create(TestLogArchiver.class, archivesPath)); - logCleanerRef = TestActorRef.create(actorSystem, Props.create(TestLogCleaner.class)); - - logManager = logManagerRef.underlyingActor(); - } - - // Use this to print Akka configuration out to log. May be useful when solving problems. 
- protected void logAkkaConfiguration() { - ConfigRenderOptions renderOpts = ConfigRenderOptions.defaults() - .setOriginComments(false) - .setComments(false) - .setJson(false); - String configString = ConfigFactory.load().root().render(renderOpts); - - log.info("akka configuration: {}", configString); + logArchiverRef = new TestLogArchiver(); + logCleanerRef = new TestLogCleaner(); } void testTearDown() throws Exception { + logManager.shutdown(); jobManager.stop(); - Await.ready(actorSystem.terminate(), Duration.Inf()); FileUtils.deleteDirectory(archivesPath.toFile()); } - protected Class getLogManagerImpl() throws Exception { + protected Class getLogManagerImpl() { return LogManager.class; } @@ -171,10 +105,11 @@ void initLogManager() { /** * Sends time stamping status message to LogManager + * * @param status status message */ private void signalTimestampingStatus(SetTimestampingStatusMessage.Status status) { - logManagerRef.tell(new SetTimestampingStatusMessage(status), ActorRef.noSender()); + logManager.setTimestampingStatus(new SetTimestampingStatusMessage(status)); } protected void log(SoapMessageImpl message, SignatureData signature) throws Exception { @@ -201,19 +136,15 @@ TimestampRecord timestamp(MessageRecord record) throws Exception { } void startTimestamping() { - logManager.taskQueueRef.tell(TaskQueue.START_TIMESTAMPING, ActorRef.noSender()); + logManager.taskQueue.handleStartTimestamping(); } void startArchiving() { - logArchiverRef.tell(LogArchiver.START_ARCHIVING, ActorRef.noSender()); + logArchiverRef.execute(mock(JobExecutionContext.class)); } void startCleaning() { - logCleanerRef.tell(LogCleaner.START_CLEANING, ActorRef.noSender()); - } - - void awaitTermination() throws Exception { - Await.result(actorSystem.whenTerminated(), Duration.Inf()); + logCleanerRef.execute(mock(JobExecutionContext.class)); } static void assertMessageRecord(Object o, String queryId) { 
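Review bot: `testTearDown()` now calls `logManager.shutdown()` first and unguarded. If `testSetUp` fails before `logManager` is assigned (for example the reflective `getDeclaredConstructor(JobManager.class).newInstance(jobManager)` throws) and tear-down still runs, it raises a `NullPointerException` that hides the original failure and skips `jobManager.stop()` and the archive directory cleanup. Guard it with `if (logManager != null) { logManager.shutdown(); }` and run the remaining steps in a `finally`. The `MessageLogProperties.ARCHIVE_PATH` system property set in `testSetUp` is never cleared, so it stays set for later tests in the same JVM.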
@@ -240,5 +171,4 @@ static Timestamper.TimestampSucceeded waitForTimestampSuccessful() throws Except return (Timestamper.TimestampSucceeded) result; } - } diff --git a/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/LogManagerTest.java b/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/LogManagerTest.java deleted file mode 100644 index c359c3b0fb..0000000000 --- a/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/LogManagerTest.java +++ /dev/null 
@@ -1,155 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.proxy.messagelog; - -import ee.ria.xroad.common.messagelog.FindByQueryId; -import ee.ria.xroad.common.messagelog.SoapLogMessage; -import ee.ria.xroad.common.util.JobManager; - -import akka.actor.ActorRef; -import akka.actor.ActorSystem; -import akka.actor.Props; -import akka.pattern.Patterns; -import akka.testkit.javadsl.TestKit; -import com.typesafe.config.ConfigFactory; -import com.typesafe.config.ConfigValueFactory; -import lombok.extern.slf4j.Slf4j; -import org.junit.AfterClass; -import org.junit.BeforeClass; -import org.junit.Test; -import scala.concurrent.Await; -import scala.concurrent.Future; -import scala.concurrent.duration.FiniteDuration; - -import java.time.Duration; -import java.util.ArrayList; -import java.util.List; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; - -/** - * Tests logmanager messaging - */ -@Slf4j -public class LogManagerTest { - - private static ActorSystem system; - private static JobManager jobManager; - - @BeforeClass - public static void setup() throws Exception { - system = ActorSystem.create("Proxy", ConfigFactory.load().getConfig("proxy") - .withValue("akka.remote.artery.canonical.port", ConfigValueFactory.fromAnyRef(0))); - jobManager = new JobManager(); - } - - @AfterClass - public static void teardown() throws Exception { - jobManager.stop(); - TestKit.shutdownActorSystem(system); - system = null; - } - - @Test - public void testControlMessageOvertakesOthers() throws Exception { - new TestKit(system) { - { - final Props props = Props.create(MessageRecordingLogManager.class, jobManager) - .withDispatcher("akka.control-aware-dispatcher"); - final ActorRef subject = system.actorOf(props); - - // request direct access to logmanager instance - subject.tell(MessageRecordingLogManager.GET_INSTANCE_MESSAGE, getRef()); - // wait for response with handle to logmanager - final int timeout = 5000; - final Duration timeoutDuration = Duration.ofMillis(timeout); - 
MessageRecordingLogManager logManager = - expectMsgClass(timeoutDuration, MessageRecordingLogManager.class); - - // stop processing messages - log.debug("stopping processing"); - - logManager.stopProcessingMessages(); - // send bunch of messages. first one will be received and - // then processing stops. once processing is freed, the - // next one (2nd overall) should be the control message - List> replies = new ArrayList<>(); - - log.debug("asking first message"); - - replies.add(Patterns.ask(subject, "dummy first message guaranteed to be processed as first item", - timeout)); - // wait until the first message has arrived - // (this is needed for predictable results, otherwise 2nd message may overtake the first - // on the way to mailbox) - log.debug("waiting for first message"); - - logManager.waitForFirstMessageToArrive(); - - // then the rest of the messages - these are the actual test targets - log.debug("asking the rest of messages"); - - replies.add(Patterns.ask(subject, "another-foostring", timeout)); - replies.add(Patterns.ask(subject, new SoapLogMessage(null, null, false), timeout)); - replies.add(Patterns.ask(subject, new FindByQueryId(null, null, null), timeout)); - replies.add(Patterns.ask(subject, new SetTimestampingStatusMessage( - SetTimestampingStatusMessage.Status.SUCCESS), timeout)); - // enable processing - logManager.resumeProcessingMessages(); - - // wait for all processed - for (Future f : replies) { - Await.ready(f, FiniteDuration.fromNanos(timeoutDuration.toNanos())); - } - - List messages = MessageRecordingLogManager.getMessages(); - - log.debug("logManager mailbox contents: " + dumpMailbox(messages)); - - assertEquals(5, messages.size()); - // check that item #2 is the control message - - assertTrue("message should have been SetTimestampingStatusMessage, was " - + messages.get(1), messages.get(1) instanceof SetTimestampingStatusMessage); - } - }; - } - - private String dumpMailbox(List messages) { - StringBuilder buf = new 
StringBuilder(); - int number = 1; - - for (Object o : messages) { - buf.append(number++); - buf.append("."); - buf.append(o); - buf.append(" "); - } - - return buf.toString(); - } -} diff --git a/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/MessageLogIntegrationTest.java b/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/MessageLogIntegrationTest.java index cbdff2f627..1294fd28d7 100644 --- a/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/MessageLogIntegrationTest.java +++ b/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/MessageLogIntegrationTest.java @@ -60,8 +60,6 @@ void run() throws Exception { //timestampSynchronously(); startArchiving(); - - awaitTermination(); } finally { testTearDown(); } diff --git a/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/MessageLogPerformanceTest.java b/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/MessageLogPerformanceTest.java index 654d4142cf..048cc6c987 100644 --- a/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/MessageLogPerformanceTest.java +++ b/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/MessageLogPerformanceTest.java @@ -69,8 +69,6 @@ void run() throws Exception { try { timestampAsynchronously(); //timestampSynchronously(); - - awaitTermination(); } finally { testTearDown(); } diff --git a/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/MessageLogTest.java b/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/MessageLogTest.java index 3d901bbd01..7a0a6dddec 100644 --- a/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/MessageLogTest.java 
+++ b/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/MessageLogTest.java @@ -74,6 +74,7 @@ import java.time.Instant; import java.util.Date; import java.util.HashMap; +import java.util.List; import java.util.Map; import java.util.UUID; import java.util.zip.ZipEntry; @@ -105,10 +106,10 @@ public class MessageLogTest extends AbstractMessageLogTest { @Parameterized.Parameters(name = "encrypted = {0}") public static Object[] params() { - return new Object[] {Boolean.FALSE, Boolean.TRUE}; + return new Object[]{Boolean.FALSE, Boolean.TRUE}; } - @Parameterized.Parameter(0) + @Parameterized.Parameter() public boolean encrypted; static Date logRecordTime; @@ -118,6 +119,7 @@ public static Object[] params() { /** * Logs a message and timestamps it explicitly. + * * @throws Exception in case of any unexpected errors */ @Test @@ -142,6 +144,7 @@ record = (MessageRecord) findByQueryId("forced", "02-04-2014 12:34:50.100", "02- /** * Logs a message and calls explicit timestamping on it twice. The returned timestamps must match. + * * @throws Exception in case of any unexpected errors */ @Test @@ -167,6 +170,7 @@ public void timestampingDouble() throws Exception { /** * Logs 3 messages (message and signature is same) and time-stamps them. Expects 1 time-stamp record and 3 message * records that refer to the time-stamp record. The time-stamp record must have hash chains. + * * @throws Exception in case of any unexpected errors */ @Test @@ -190,10 +194,6 @@ public void logThreeMessagesAndTimestamp() throws Exception { assertEquals(3, timestamp.getHashChains().length); assertTaskQueueSize(0); - - assertEquals(0, getDeadLetters().size()); - - log.info("dead letters: " + getDeadLetters()); } /** 
@@ -228,6 +228,7 @@ public void testTimestampRecordsLimit() throws Exception { log.trace("testTimestampRecordsLimit()"); int orig = MessageLogProperties.getTimestampRecordsLimit(); try { + TestTaskQueue.successfulMessageSizes.clear(); System.setProperty(MessageLogProperties.TIMESTAMP_RECORDS_LIMIT, "2"); log(createMessage(), createSignature()); log(createMessage(), createSignature()); @@ -238,10 +239,7 @@ public void testTimestampRecordsLimit() throws Exception { startTimestamping(); - TimestampSucceeded timestamp = waitForTimestampSuccessful(); - assertTrue(TestTaskQueue.waitForTimestampSaved()); - - assertEquals(2, timestamp.getMessageRecords().length); + assertEquals(List.of(2, 2, 1), TestTaskQueue.successfulMessageSizes); } finally { System.setProperty(MessageLogProperties.TIMESTAMP_RECORDS_LIMIT, String.valueOf(orig)); } @@ -249,6 +247,7 @@ public void testTimestampRecordsLimit() throws Exception { /** * Timestamps message immediately. No messages are expected to be in the task queue. + * * @throws Exception in case of any unexpected errors */ @Test @@ -263,6 +262,7 @@ public void timestampImmediately() throws Exception { /** * Timestamps message immediately, but time-stamping fails. + * * @throws Exception in case of any unexpected errors */ @Test @@ -284,11 +284,12 @@ public void timestampImmediatelyFail() throws Exception { /** * Logs messages, time-stamps them. Then archives the messages and cleans the database. - * @throws Exception in case of any unexpected errors * - * FUTURE As this test is quite expensive in terms of time and usable resources (in addition - * depends on external - * utilities), consider moving this test apart from unit tests. + * @throws Exception in case of any unexpected errors + *

+ * FUTURE As this test is quite expensive in terms of time and usable resources (in addition + * depends on external + * utilities), consider moving this test apart from unit tests. */ @Test public void logTimestampArchiveAndClean() throws Exception { @@ -323,6 +324,7 @@ public void logTimestampArchiveAndClean() throws Exception { /** * Logs 3 messages, time-stamping fails. Task queue must have 3 tasks. Logs 1 more message, task queue must * have 4 tasks. + * * @throws Exception in case of any unexpected errors */ @Test @@ -347,6 +349,7 @@ public void timestampingFailed() throws Exception { /** * Logs messages, time-stamping failed. After acceptable period no more messages are accepted. + * * @throws Exception in case of any unexpected errors */ @Test @@ -373,6 +376,7 @@ public void timestampingFailedStopLogging() throws Exception { /** * Saving timestamp to database fails. + * * @throws Exception in case of any unexpected errors */ @Test @@ -411,6 +415,7 @@ public void failedToSaveTimestampToDatabase() throws Exception { /** * Get message by query id. + * * @throws Exception in case of any unexpected errors */ @Test @@ -436,6 +441,7 @@ public void findByQueryId() throws Exception { /** * Wants to time-stamp, but no TSP urls configured. + * * @throws Exception in case of any unexpected errors */ @Test @@ -450,11 +456,11 @@ public void timestampNoTspUrls() throws Exception { } - // ------------------------------------------------------------------------ /** * Set up configuration. + * * @throws Exception in case of any unexpected errors */ @Before @@ -503,6 +509,7 @@ private void initLastHashStep() throws Exception { /** * Cleanup test environment for other tests. + * * @throws Exception in case of any unexpected errors */ @After 
@@ -549,11 +556,11 @@ protected void log(Instant instant, RestRequest message, SignatureData signature } protected LogRecord findByQueryId(String queryId, String startTime, String endTime) throws Exception { - return logManager.findByQueryId(queryId, getDate(startTime), getDate(endTime)); + return LogRecordManager.getByQueryId(queryId, getDate(startTime), getDate(endTime)); } protected LogRecord findByQueryId(String queryId, Instant startTime, Instant endTime) throws Exception { - return logManager.findByQueryId(queryId, Date.from(startTime), Date.from(endTime)); + return LogRecordManager.getByQueryId(queryId, Date.from(startTime), Date.from(endTime)); } private String getLastEntryDeleteQuery() { diff --git a/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/MessageRecordingLogManager.java b/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/MessageRecordingLogManager.java deleted file mode 100644 index 7cb2521047..0000000000 --- a/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/MessageRecordingLogManager.java +++ /dev/null 
@@ -1,103 +0,0 @@
-/*
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.proxy.messagelog;
-
-import ee.ria.xroad.common.util.JobManager;
-
-import lombok.Getter;
-import lombok.extern.slf4j.Slf4j;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-import java.util.concurrent.CountDownLatch;
-import java.util.concurrent.locks.Lock;
-import java.util.concurrent.locks.ReentrantLock;
-
-/**
- * Log manager which just records messages, to test that control mailbox
- * works properly.
Can be controlled from outside to start / stop processing
- * messages.
- */
-@Slf4j
-public class MessageRecordingLogManager extends LogManager {
- MessageRecordingLogManager(JobManager jobManager) throws Exception {
- super(jobManager);
- }
-
- @Getter
- private static List messages = Collections.synchronizedList(new ArrayList<>());
-
- // continue processing messages when 1) first message has been sent 2) test signals that it
- // is ready to continue (it has sent the first message)
- private static CountDownLatch continueWhenFirstMessageHasArrivedLatch = new CountDownLatch(2);
-
- // locked from outside when stopProcessingMessages() is called
- // (if stopProcessingMessages is used, it has to be called before sending ay messages to this actor)
- private static Lock messageProcessingStoppedLock = new ReentrantLock();
-
- public static final String GET_INSTANCE_MESSAGE = "getInstance";
-
- @Override
- public void onReceive(Object message) throws Exception {
- log.info("onReceive {}", message);
- if (message instanceof String && GET_INSTANCE_MESSAGE.equals(message)) {
- // send "this" back to caller
- getSender().tell(this, getSelf());
- } else {
- continueWhenFirstMessageHasArrivedLatch.countDown();
- log.debug("(2) first message latch = " + continueWhenFirstMessageHasArrivedLatch.getCount());
- continueWhenFirstMessageHasArrivedLatch.await();
- try {
- messageProcessingStoppedLock.lock();
- messages.add(message);
- getSender().tell("done", getSelf());
- } finally {
- messageProcessingStoppedLock.unlock();
- }
- }
-
- }
-
- public void stopProcessingMessages() {
- messageProcessingStoppedLock.lock();
- }
-
- public void resumeProcessingMessages() {
- messageProcessingStoppedLock.unlock();
- }
-
- /**
- * Continue when first actual message (not GET_INSTANCE) has arrived in onReceive
- *
- * @throws InterruptedException
- */
- public void waitForFirstMessageToArrive() throws InterruptedException {
- continueWhenFirstMessageHasArrivedLatch.countDown();
-
log.debug("(1) waiting for message latch = " + continueWhenFirstMessageHasArrivedLatch.getCount()); - continueWhenFirstMessageHasArrivedLatch.await(); - } -} diff --git a/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/TestLogArchiver.java b/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/TestLogArchiver.java index 4431918895..3121d9295f 100644 --- a/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/TestLogArchiver.java +++ b/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/TestLogArchiver.java @@ -27,7 +27,6 @@ import ee.ria.xroad.messagelog.archiver.LogArchiver; -import java.nio.file.Path; import java.util.concurrent.CountDownLatch; import java.util.concurrent.TimeUnit; @@ -35,10 +34,6 @@ class TestLogArchiver extends LogArchiver { private static CountDownLatch gate = new CountDownLatch(1); - TestLogArchiver(Path archivePath) { - super(archivePath); - } - public static void waitForArchiveSuccessful() throws Exception { try { gate.await(5, TimeUnit.SECONDS); diff --git a/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/TestLogManager.java b/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/TestLogManager.java index 71b1029cda..4771e4cf51 100644 --- a/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/TestLogManager.java +++ b/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/TestLogManager.java 
@@ -29,11 +29,10 @@ import ee.ria.xroad.common.messagelog.MessageRecord; import ee.ria.xroad.common.util.JobManager; -import akka.actor.Props; import lombok.extern.slf4j.Slf4j; -import scala.concurrent.duration.Duration; -import scala.concurrent.duration.FiniteDuration; +import java.time.Duration; +import java.time.temporal.ChronoUnit; import java.util.concurrent.CountDownLatch; import java.util.concurrent.TimeUnit; @@ -71,13 +70,13 @@ static void initSetTimestampingStatusLatch() { * To avoid this problem, tests have "long enough" initial delay for TimestamperJob. */ @Override - protected FiniteDuration getTimestamperJobInitialDelay() { - return Duration.create(1, TimeUnit.MINUTES); + protected Duration getTimestamperJobInitialDelay() { + return Duration.of(1, ChronoUnit.MINUTES); } @Override - protected Props getTaskQueueImpl() { - return Props.create(TestTaskQueue.class); + protected TestTaskQueue getTaskQueueImpl(Timestamper timestamper) { + return new TestTaskQueue(timestamper, this); } /** @@ -89,8 +88,8 @@ synchronized void setTimestampSucceeded() { } @Override - protected Props getTimestamperImpl() { - return Props.create(TestTimestamper.class); + protected TestTimestamper getTimestamperImpl() { + return new TestTimestamper(); } @Override diff --git a/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/TestTaskQueue.java b/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/TestTaskQueue.java index ef525a275a..3f2caf9f3c 100644 --- a/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/TestTaskQueue.java +++ b/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/TestTaskQueue.java 
@@ -30,12 +30,16 @@ import lombok.extern.slf4j.Slf4j; +import java.util.ArrayList; +import java.util.List; import java.util.concurrent.CountDownLatch; import java.util.concurrent.TimeUnit; @Slf4j class TestTaskQueue extends TaskQueue { + static List successfulMessageSizes = new ArrayList<>(); + private static CountDownLatch gate = new CountDownLatch(1); private static Object lastMessage; @@ -44,8 +48,8 @@ class TestTaskQueue extends TaskQueue { static Exception throwWhenSavingTimestamp; - TestTaskQueue() { - super(); + TestTaskQueue(Timestamper timestamper, LogManager logManager) { + super(timestamper, logManager); } static void initGateLatch() { @@ -96,6 +100,7 @@ protected void saveTimestampRecord(TimestampSucceeded message) throws Exception throw throwWhenSavingTimestamp; } + successfulMessageSizes.add(message.getMessageRecords().length); super.saveTimestampRecord(message); } finally { timestampSavedLatch.countDown(); diff --git a/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/TestTimestamper.java b/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/TestTimestamper.java index e619966c36..ce522ec6cb 100644 --- a/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/TestTimestamper.java +++ b/src/addons/messagelog/messagelog-addon/src/test/java/ee/ria/xroad/proxy/messagelog/TestTimestamper.java @@ -25,10 +25,13 @@ */ package ee.ria.xroad.proxy.messagelog; +import ee.ria.xroad.common.conf.serverconf.ServerConf; + class TestTimestamper extends Timestamper { @Override - protected Class getWorkerImpl() { - return TestTimestamperWorker.class; + protected TimestamperWorker getWorkerImpl() { + return new TestTimestamperWorker(ServerConf.getTspUrl()); } + } diff --git a/src/addons/messagelog/messagelog-archiver/build.gradle b/src/addons/messagelog/messagelog-archiver/build.gradle index 14734a694a..0a62f69ddc 100644 --- a/src/addons/messagelog/messagelog-archiver/build.gradle 
+++ b/src/addons/messagelog/messagelog-archiver/build.gradle @@ -9,10 +9,6 @@ dependencies { implementation(project(':common:common-messagelog')) implementation(project(':addons:messagelog:messagelog-db')) implementation(project(':asic-util')) - - testImplementation project(':common:common-test') - testImplementation "org.hsqldb:hsqldb:$hsqldbVersion" - testImplementation "com.typesafe.akka:akka-testkit_$akkaVersion" } jar { @@ -25,7 +21,6 @@ shadowJar { archiveVersion = '' archiveClassifier = '' exclude('**/module-info.class') - append('reference.conf') from rootProject.file("LICENSE.txt") mergeServiceFiles() } diff --git a/src/addons/messagelog/messagelog-archiver/src/main/java/ee/ria/xroad/messagelog/archiver/LogArchiver.java b/src/addons/messagelog/messagelog-archiver/src/main/java/ee/ria/xroad/messagelog/archiver/LogArchiver.java index c5d5c5c9e7..411ce23ac4 100644 --- a/src/addons/messagelog/messagelog-archiver/src/main/java/ee/ria/xroad/messagelog/archiver/LogArchiver.java +++ b/src/addons/messagelog/messagelog-archiver/src/main/java/ee/ria/xroad/messagelog/archiver/LogArchiver.java @@ -28,6 +28,7 @@ import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.ErrorCodes; import ee.ria.xroad.common.messagelog.LogRecord; +import ee.ria.xroad.common.messagelog.MessageLogProperties; import ee.ria.xroad.common.messagelog.MessageRecord; import ee.ria.xroad.common.messagelog.archive.ArchiveDigest; import ee.ria.xroad.common.messagelog.archive.DigestEntry; @@ -35,11 +36,11 @@ import ee.ria.xroad.common.messagelog.archive.LogArchiveWriter; import ee.ria.xroad.messagelog.database.MessageRecordEncryption; -import akka.actor.UntypedAbstractActor; -import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; import org.apache.commons.io.IOUtils; import org.hibernate.Session; +import org.quartz.Job; +import org.quartz.JobExecutionContext; import javax.persistence.criteria.CriteriaBuilder; import javax.persistence.criteria.CriteriaQuery; 
@@ -68,34 +69,26 @@ * to archive file and marks the records as archived. */ @Slf4j -@RequiredArgsConstructor -public class LogArchiver extends UntypedAbstractActor { +public class LogArchiver implements Job { private static final String PROPERTY_NAME_ARCHIVED = "archived"; - public static final String START_ARCHIVING = "doArchive"; public static final int FETCH_SIZE = 10; - private final Path archivePath; + private final Path archivePath = Paths.get(MessageLogProperties.getArchivePath()); @Override - public void onReceive(Object message) { - log.trace("onReceive({})", message); - - if (START_ARCHIVING.equals(message)) { - try { - Long maxRecordId = doInTransaction(this::getMaxRecordId); - if (maxRecordId != null) { - while (handleArchive(maxRecordId)) { - // body intentionally empty - } + public void execute(JobExecutionContext context) { + try { + Long maxRecordId = doInTransaction(this::getMaxRecordId); + if (maxRecordId != null) { + while (handleArchive(maxRecordId)) { + // body intentionally empty } - onArchivingDone(); - } catch (Exception ex) { - log.error("Failed to archive log records", ex); } - } else { - unhandled(message); + onArchivingDone(); + } catch (Exception ex) { + log.error("Failed to archive log records", ex); } } @@ -118,7 +111,7 @@ private boolean handleArchive(long maxRecordId) throws Exception { try (LogArchiveWriter archiveWriter = createLogArchiveWriter(session)) { List recordIds = new ArrayList<>(100); try (Stream records = getNonArchivedMessageRecords(session, maxRecordId, limit)) { - for (Iterator it = records.iterator(); it.hasNext();) { + for (Iterator it = records.iterator(); it.hasNext(); ) { MessageRecord messageRecord = it.next(); recordIds.add(messageRecord.getId()); messageRecordEncryption.prepareDecryption(messageRecord); 
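Review bot: `LogArchiver.execute()` is now invoked directly by Quartz, and nothing in this hunk stops a second run from starting while an earlier `handleArchive` loop is still in progress; the removed actor handled `START_ARCHIVING` messages one at a time. Unless `JobManager.registerJob` already enforces single execution (its body is not visible here), annotate the class with `@DisallowConcurrentExecution` (from `org.quartz`) so two overlapping runs cannot archive the same records twice. The same applies to `LogCleaner.execute()` in the LogCleaner.java hunk. A one-line class comment saying that Quartz creates the job through the no-argument constructor, which is why `archivePath` is now read from `MessageLogProperties` in the field initialiser, would also help the next reader.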
@@ -236,7 +229,7 @@ private static void runTransferCommand(String transferCommand) { log.info("Transferring archives with shell command: \t{}", transferCommand); Process process = null; try { - String[] command = new String[] {"/bin/bash", "-c", transferCommand}; + String[] command = new String[]{"/bin/bash", "-c", transferCommand}; String standardError = null; process = new ProcessBuilder(command).redirectOutput(Paths.get("/dev/null").toFile()).start(); diff --git a/src/addons/messagelog/messagelog-archiver/src/main/java/ee/ria/xroad/messagelog/archiver/LogArchiverMain.java b/src/addons/messagelog/messagelog-archiver/src/main/java/ee/ria/xroad/messagelog/archiver/LogArchiverMain.java index 2261923cd6..d050a8b6ef 100644 --- a/src/addons/messagelog/messagelog-archiver/src/main/java/ee/ria/xroad/messagelog/archiver/LogArchiverMain.java +++ b/src/addons/messagelog/messagelog-archiver/src/main/java/ee/ria/xroad/messagelog/archiver/LogArchiverMain.java @@ -31,18 +31,8 @@ import ee.ria.xroad.common.messagelog.MessageLogProperties; import ee.ria.xroad.common.util.JobManager; -import akka.actor.ActorRef; -import akka.actor.ActorSystem; -import akka.actor.CoordinatedShutdown; -import akka.actor.Props; -import com.typesafe.config.ConfigFactory; -import lombok.Setter; import lombok.extern.slf4j.Slf4j; -import org.quartz.Job; import org.quartz.JobDataMap; -import org.quartz.JobExecutionContext; - -import java.nio.file.Paths; import static ee.ria.xroad.common.SystemProperties.CONF_FILE_MESSAGE_LOG; import static ee.ria.xroad.common.SystemProperties.CONF_FILE_NODE; @@ -50,7 +40,6 @@ @Slf4j public final class LogArchiverMain { - private static ActorSystem actorSystem; private static JobManager jobManager; private LogArchiverMain() { 
@@ -67,14 +56,8 @@ public static void main(String[] args) { .load(); jobManager = new JobManager(); - actorSystem = ActorSystem.create("MessageLogArchiver", ConfigFactory.load().getConfig("messagelog-archiver") - .withFallback(ConfigFactory.load())); - - final ActorRef archiver = actorSystem.actorOf( - Props.create(LogArchiver.class, Paths.get(MessageLogProperties.getArchivePath()))); - final ActorRef cleaner = actorSystem.actorOf(Props.create(LogCleaner.class)); - CoordinatedShutdown.get(actorSystem).addJvmShutdownHook(() -> { + Runtime.getRuntime().addShutdownHook(new Thread(() -> { log.info("MessageLogArchiver shutting down..."); try { if (jobManager != null) { @@ -84,14 +67,13 @@ public static void main(String[] args) { } catch (Exception e) { log.warn("JobManager failed to stop", e); } - }); - + })); - jobManager.registerJob(ArchiverJob.class, "ArchiverJob", MessageLogProperties.getArchiveInterval(), - jobData(archiver, LogArchiver.START_ARCHIVING)); + jobManager.registerJob(LogArchiver.class, "ArchiverJob", MessageLogProperties.getArchiveInterval(), + new JobDataMap()); - jobManager.registerJob(ArchiverJob.class, "CleanerJob", MessageLogProperties.getCleanInterval(), - jobData(cleaner, LogCleaner.START_CLEANING)); + jobManager.registerJob(LogCleaner.class, "CleanerJob", MessageLogProperties.getCleanInterval(), + new JobDataMap()); jobManager.start(); 
@@ -101,24 +83,4 @@ public static void main(String[] args) { } } - private static JobDataMap jobData(ActorRef actor, Object message) { - final JobDataMap dataMap = new JobDataMap(); - dataMap.put(ArchiverJob.ACTOR_PROPERTY, actor); - dataMap.put(ArchiverJob.MESSAGE_PROPERTY, message); - return dataMap; - } - - @Setter - public static class ArchiverJob implements Job { - private static final String ACTOR_PROPERTY = "actor"; - private static final String MESSAGE_PROPERTY = "message"; - - private ActorRef actor; - private Object message; - - @Override - public void execute(JobExecutionContext context) { - actor.tell(message, ActorRef.noSender()); - } - } } diff --git a/src/addons/messagelog/messagelog-archiver/src/main/java/ee/ria/xroad/messagelog/archiver/LogCleaner.java b/src/addons/messagelog/messagelog-archiver/src/main/java/ee/ria/xroad/messagelog/archiver/LogCleaner.java index cfb17541f8..f410eab00f 100644 --- a/src/addons/messagelog/messagelog-archiver/src/main/java/ee/ria/xroad/messagelog/archiver/LogCleaner.java +++ b/src/addons/messagelog/messagelog-archiver/src/main/java/ee/ria/xroad/messagelog/archiver/LogCleaner.java @@ -28,9 +28,10 @@ import ee.ria.xroad.common.messagelog.MessageLogProperties; import ee.ria.xroad.messagelog.database.MessageLogDatabaseCtx; -import akka.actor.UntypedAbstractActor; import lombok.extern.slf4j.Slf4j; import org.hibernate.query.Query; +import org.quartz.Job; +import org.quartz.JobExecutionContext; import java.time.Instant; import java.time.temporal.ChronoUnit; 
@@ -39,29 +40,22 @@ * Deletes all archived log records from the database. */ @Slf4j -public class LogCleaner extends UntypedAbstractActor { +public class LogCleaner implements Job { - public static final String START_CLEANING = "doClean"; public static final int CLEAN_BATCH_LIMIT = MessageLogProperties.getCleanTransactionBatchSize(); @Override - public void onReceive(Object message) { - log.trace("onReceive({})", message); - - if (message.equals(START_CLEANING)) { - try { - log.info("Removing archived records from database..."); - final long removed = handleClean(); - if (removed == 0) { - log.info("No archived records to remove from database"); - } else { - log.info("Removed {} archived records from database", removed); - } - } catch (Exception e) { - log.error("Error when cleaning archived records from database", e); + public void execute(JobExecutionContext context) { + try { + log.info("Removing archived records from database..."); + final long removed = handleClean(); + if (removed == 0) { + log.info("No archived records to remove from database"); + } else { + log.info("Removed {} archived records from database", removed); } - } else { - unhandled(message); + } catch (Exception e) { + log.error("Error when cleaning archived records from database", e); } } diff --git a/src/addons/messagelog/messagelog-archiver/src/main/resources/application.conf b/src/addons/messagelog/messagelog-archiver/src/main/resources/application.conf deleted file mode 100644 index 7be677130e..0000000000 --- a/src/addons/messagelog/messagelog-archiver/src/main/resources/application.conf +++ /dev/null @@ -1,3 +0,0 @@ -messagelog-archiver { - include "akka-global.conf" -} diff --git a/src/common/common-messagelog/src/main/java/ee/ria/xroad/common/messagelog/AbstractLogManager.java b/src/common/common-messagelog/src/main/java/ee/ria/xroad/common/messagelog/AbstractLogManager.java index 5cfdc47d31..d68a914697 100644 
--- a/src/common/common-messagelog/src/main/java/ee/ria/xroad/common/messagelog/AbstractLogManager.java +++ b/src/common/common-messagelog/src/main/java/ee/ria/xroad/common/messagelog/AbstractLogManager.java @@ -28,22 +28,18 @@ import ee.ria.xroad.common.DiagnosticsStatus; import ee.ria.xroad.common.util.JobManager; -import akka.actor.UntypedAbstractActor; -import lombok.Getter; import lombok.extern.slf4j.Slf4j; -import java.util.Date; -import java.util.HashMap; import java.util.Map; +import java.util.concurrent.ConcurrentHashMap; /** * Base class for log manager actors. */ @Slf4j -public abstract class AbstractLogManager extends UntypedAbstractActor { +public abstract class AbstractLogManager { - @Getter - protected static Map statusMap = new HashMap<>(); + protected static Map statusMap = new ConcurrentHashMap<>(); protected AbstractLogManager(JobManager jobManager) { if (jobManager == null) { 
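Review bot: `statusMap` becomes a `ConcurrentHashMap` but remains a reassignable `protected static` field, so a subclass can still replace the map while other threads read it; declare it `protected static final`. `ConcurrentHashMap` also rejects null keys and values where `HashMap` accepted them, so any writer that can store a null status (writers are not visible in this hunk) will now throw. The class comment `Base class for log manager actors.` is stale now that the class no longer extends `UntypedAbstractActor`; `Base class for log managers.` would match the code. The constructor body continues outside the hunk.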
@@ -51,43 +47,14 @@ protected AbstractLogManager(JobManager jobManager) { } } - @Override - public void onReceive(Object message) throws Exception { - try { - if (message instanceof LogMessage) { - LogMessage m = (LogMessage) message; - log(m); - getSender().tell(new Object(), getSelf()); - } else if (message instanceof FindByQueryId) { - FindByQueryId f = (FindByQueryId) message; - LogRecord result = findByQueryId(f.getQueryId(), f.getStartTime(), f.getEndTime()); + public abstract void log(LogMessage message) throws Exception; - getSender().tell(result, getSelf()); - } else if (message instanceof TimestampMessage) { - try { - TimestampMessage m = (TimestampMessage) message; - TimestampRecord result = timestamp(m.getMessageRecordId()); + public abstract TimestampRecord timestamp(Long messageRecordId) throws Exception; - log.info("message: {}, result: {}", message, result); + public abstract Map getDiagnosticStatus(); - getSender().tell(result, getSelf()); - } catch (Exception e) { - log.info("Timestamp failed: {}", e); - - getSender().tell(e, getSelf()); - } - - } else { - unhandled(message); - } - } catch (Exception e) { - getSender().tell(e, getSelf()); - } + public void shutdown() { + // NO-OP } - protected abstract void log(LogMessage message) throws Exception; - - protected abstract LogRecord findByQueryId(String queryId, Date startTime, Date endTime) throws Exception; - - protected abstract TimestampRecord timestamp(Long messageRecordId) throws Exception; } diff --git a/src/common/common-messagelog/src/main/java/ee/ria/xroad/common/messagelog/FindByQueryId.java b/src/common/common-messagelog/src/main/java/ee/ria/xroad/common/messagelog/FindByQueryId.java deleted file mode 100644 index 3ebe3f188a..0000000000 --- a/src/common/common-messagelog/src/main/java/ee/ria/xroad/common/messagelog/FindByQueryId.java +++ /dev/null 
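Review bot: `log(LogMessage)` and `timestamp(Long)` are now public and called directly, without the actor mailbox that used to hand messages to `onReceive` one at a time, yet the new declarations carry no Javadoc saying whether implementations must tolerate concurrent callers. I would document the contract on each, for example `/** Implementations must be thread-safe; callers invoke this directly. */`, adjusted to what the callers actually do (they are outside this hunk). `shutdown()` would read better with `/** Releases resources held by the log manager; the default does nothing. */` in place of the bare `// NO-OP`.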
@@ -1,42 +0,0 @@
-/*
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.common.messagelog;
-
-import lombok.Value;
-
-import java.io.Serializable;
-import java.util.Date;
-
-/**
- * Message for finding a log record for a given message Query Id, start and end time.
- */
-@Value
-public class FindByQueryId implements Serializable {
-
- private final String queryId;
- private final Date startTime;
- private final Date endTime;
-}
diff --git a/src/common/common-messagelog/src/main/java/ee/ria/xroad/common/messagelog/TimestampMessage.java b/src/common/common-messagelog/src/main/java/ee/ria/xroad/common/messagelog/TimestampMessage.java
deleted file mode 100644
index b2169e611c..0000000000
--- a/src/common/common-messagelog/src/main/java/ee/ria/xroad/common/messagelog/TimestampMessage.java
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.common.messagelog;
-
-import lombok.Value;
-
-import java.io.Serializable;
-
-/**
- * Message for timestamping an existing message record.
- */
-@Value
-public class TimestampMessage implements Serializable {
- private final Long messageRecordId;
-}
diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/CommonMessages.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/CommonMessages.java
deleted file mode 100644
index ad148e5b08..0000000000
--- a/src/common/common-util/src/main/java/ee/ria/xroad/common/CommonMessages.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.common;
-
-/**
- * Created by sjk on 12/11/15.
- */
-public final class CommonMessages {
-
- private CommonMessages() {
- }
-
- public static final String TIMESTAMP_STATUS = "TimestampStatus";
-}
diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/JobManager.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/JobManager.java index decc620ce0..710cb9efb6 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/JobManager.java +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/JobManager.java @@ -4,17 +4,17 @@ * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

+ * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - *

+ * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - *

+ * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE diff --git a/src/packages/src/xroad/default-configuration/addons/messagelog-archiver-logback.xml b/src/packages/src/xroad/default-configuration/addons/messagelog-archiver-logback.xml index 2fc56058c3..99a7c002bb 100644 --- a/src/packages/src/xroad/default-configuration/addons/messagelog-archiver-logback.xml +++ b/src/packages/src/xroad/default-configuration/addons/messagelog-archiver-logback.xml @@ -16,7 +16,6 @@ - diff --git a/src/packages/src/xroad/default-configuration/signer-logback.xml b/src/packages/src/xroad/default-configuration/signer-logback.xml index 188f4d58d4..14606049a0 100644 --- a/src/packages/src/xroad/default-configuration/signer-logback.xml +++ b/src/packages/src/xroad/default-configuration/signer-logback.xml @@ -30,7 +30,6 @@ - diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java index e35ec5119e..ec35fb0efd 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java @@ -27,7 +27,6 @@ import ee.ria.xroad.common.AddOnStatusDiagnostics; import ee.ria.xroad.common.BackupEncryptionStatusDiagnostics; -import ee.ria.xroad.common.CommonMessages; import ee.ria.xroad.common.DiagnosticsErrorCodes; import ee.ria.xroad.common.DiagnosticsStatus; import ee.ria.xroad.common.DiagnosticsUtils; @@ -60,10 +59,7 @@ import ee.ria.xroad.proxy.util.ServerConfStatsLogger; import ee.ria.xroad.signer.protocol.RpcSignerClient; -import akka.actor.ActorSelection; import akka.actor.ActorSystem; -import akka.pattern.Patterns; -import akka.util.Timeout; import com.typesafe.config.ConfigFactory; import com.typesafe.config.ConfigValueFactory; import io.grpc.BindableService; 
@@ -89,7 +85,6 @@ import java.util.List; import java.util.Map; import java.util.ServiceLoader; -import java.util.concurrent.TimeUnit; import java.util.stream.Collectors; import static ee.ria.xroad.common.SystemProperties.CONF_FILE_NODE; @@ -187,7 +182,7 @@ private static void stopServices() throws Exception { } } - private static void startup() throws Exception { + private static void startup() { log.trace("startup()"); Version.outputVersionInfo(APP_NAME); actorSystem = ActorSystem.create("Proxy", ConfigFactory.load().getConfig("proxy") @@ -199,6 +194,7 @@ private static void startup() throws Exception { private static void shutdown() throws Exception { log.trace("shutdown()"); + MessageLog.shutdown(); OpMonitoring.shutdown(); stopServices(); Await.ready(actorSystem.terminate(), Duration.Inf()); @@ -214,7 +210,7 @@ private static void createServices() throws Exception { MonitorAgent.init(actorSystem); RpcSignerClient.init(); BatchSigner.init(); - boolean messageLogEnabled = MessageLog.init(actorSystem, jobManager); + boolean messageLogEnabled = MessageLog.init(jobManager); OpMonitoring.init(); AddOn.BindableServiceRegistry bindableServiceRegistry = new AddOn.BindableServiceRegistry(); @@ -285,7 +281,7 @@ private static void loadConfigurations() { } } - private static AdminPort createAdminPort() throws Exception { + private static AdminPort createAdminPort() { AdminPort adminPort = new AdminPort(PortNumbers.ADMIN_PORT); addShutdownHook(adminPort); 
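Review bot: In the `shutdown()` hunk, `MessageLog.shutdown()` is placed first and unguarded, so if it throws, `OpMonitoring.shutdown()`, `stopServices()` and the actor-system termination below it never run. The `createServices()` hunk shows `MessageLog.init(jobManager)` returning a `messageLogEnabled` flag, so it is worth confirming that `MessageLog.shutdown()` is safe to call when the message log was not enabled (its body is not visible here). Wrapping the call, e.g. `try { MessageLog.shutdown(); } catch (Exception e) { log.warn("MessageLog shutdown failed", e); }`, keeps the rest of the shutdown sequence running. `shutdown()` continues past the end of the hunk.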
@@ -404,14 +400,8 @@ public void handle(HttpServletRequest request, HttpServletResponse response) { log.info("simple connection check result {}", statusesFromSimpleConnectionCheck); - ActorSelection logManagerSelection = actorSystem.actorSelection("/user/LogManager"); - - Timeout timeout = new Timeout(DIAGNOSTICS_CONNECTION_TIMEOUT_MS, TimeUnit.MILLISECONDS); try { - Map statusesFromLogManager = - (Map) Await.result( - Patterns.ask(logManagerSelection, CommonMessages.TIMESTAMP_STATUS, timeout), - timeout.duration()); + Map statusesFromLogManager = MessageLog.getDiagnosticStatus(); log.info("statusesFromLogManager {}", statusesFromLogManager.toString()); diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/messagelog/MessageLog.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/messagelog/MessageLog.java index 048f89ecdd..28617aa4f8 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/messagelog/MessageLog.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/messagelog/MessageLog.java 
@@ -25,36 +25,26 @@ */ package ee.ria.xroad.proxy.messagelog; +import ee.ria.xroad.common.DiagnosticsStatus; import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.message.RestRequest; import ee.ria.xroad.common.message.RestResponse; import ee.ria.xroad.common.message.SoapMessageImpl; import ee.ria.xroad.common.messagelog.AbstractLogManager; -import ee.ria.xroad.common.messagelog.FindByQueryId; import ee.ria.xroad.common.messagelog.MessageRecord; import ee.ria.xroad.common.messagelog.RestLogMessage; import ee.ria.xroad.common.messagelog.SoapLogMessage; -import ee.ria.xroad.common.messagelog.TimestampMessage; import ee.ria.xroad.common.messagelog.TimestampRecord; import ee.ria.xroad.common.signature.SignatureData; import ee.ria.xroad.common.util.CacheInputStream; import ee.ria.xroad.common.util.JobManager; -import akka.actor.ActorRef; -import akka.actor.ActorSystem; -import akka.actor.Props; -import akka.pattern.Patterns; -import akka.util.Timeout; import lombok.extern.slf4j.Slf4j; -import scala.concurrent.Await; -import java.util.Date; -import java.util.concurrent.TimeUnit; -import java.util.logging.LogRecord; +import java.util.Map; import static ee.ria.xroad.common.ErrorCodes.X_LOGGING_FAILED_X; import static ee.ria.xroad.common.ErrorCodes.X_TIMESTAMPING_FAILED_X; -import static ee.ria.xroad.common.ErrorCodes.translateException; import static ee.ria.xroad.common.ErrorCodes.translateWithPrefix; /** @@ -62,15 +52,8 @@ */ @Slf4j public final class MessageLog { - - private static final int ASK_TIMEOUT = 120; - - public static final String LOG_MANAGER = "LogManager"; - private static final String LOG_MANAGER_IMPL_CLASS = SystemProperties.PREFIX + "proxy.messageLogManagerImpl"; - public static final String CONTROL_AWARE_DISPATCHER = "akka.control-aware-dispatcher"; - - private static ActorRef logManager; + private static AbstractLogManager logManager; private MessageLog() { } 
@@ -78,22 +61,28 @@ private MessageLog() { /** * Initializes the message log using the provided actor system. Use control aware mailbox. * - * @param actorSystem the actor system - * @param jobManager the job manager + * @param jobManager the job manager * @return false if NullLogManager was initialized, true otherwise - * @throws Exception if initialization fails */ - public static boolean init(ActorSystem actorSystem, JobManager jobManager) { + public static boolean init(JobManager jobManager) { Class clazz = getLogManagerImpl(); log.trace("Using implementation class: {}", clazz); - logManager = actorSystem.actorOf(Props.create(clazz, jobManager).withDispatcher(CONTROL_AWARE_DISPATCHER), - LOG_MANAGER); + try { + logManager = clazz.getDeclaredConstructor(JobManager.class).newInstance(jobManager); + } catch (Exception e) { + throw new RuntimeException("Failed to initialize LogManager", e); + } return NullLogManager.class != clazz; } + public static void shutdown() { + logManager.shutdown(); + } + + /** * Save the message and signature to message log. Attachments are not logged. * @@ -103,9 +92,10 @@ public static boolean init(ActorSystem actorSystem, JobManager jobManager) { * @param xRequestId (optional) additional request if to distinguish request/response pairs */ public static void log(SoapMessageImpl message, SignatureData signature, boolean clientSide, - String xRequestId) { + String xRequestId) { try { - ask(new SoapLogMessage(message, signature, clientSide, xRequestId)); + assertInitialized(); + logManager.log(new SoapLogMessage(message, signature, clientSide, xRequestId)); } catch (Exception e) { throw translateWithPrefix(X_LOGGING_FAILED_X, e); } 
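Review bot: The new `shutdown()` dereferences `logManager` with neither `assertInitialized()` nor a null check, unlike `log`, `timestamp` and `getDiagnosticStatus` in this patch, so it throws a NullPointerException when `init` was never called or failed inside the reflective constructor call. Because it is reached from shutdown paths, a tolerant guard fits better than an assertion: `if (logManager != null) { logManager.shutdown(); }`. The Javadoc kept above `init` still says the message log is initialized "using the provided actor system" with a control-aware mailbox, which no longer matches the code; it should read something like `Initializes the message log by instantiating the configured log manager implementation.` and carry a `@throws RuntimeException` line for the wrapped construction failure. `shutdown()` itself has no Javadoc.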
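Review bot: `logManager.log(...)` now runs directly on the calling thread, which drops two properties the removed Akka `ask` provided: the 120-second `ASK_TIMEOUT` bound and one-message-at-a-time delivery to the log manager. Whether the `AbstractLogManager` implementations tolerate concurrent `log`/`timestamp` calls and bound their own database and time-stamping waits is not visible in this patch, so that needs confirming before request threads call in directly. At minimum the contract belongs next to the field, e.g. `// called concurrently from request threads; implementations must be thread-safe and bound their own waits`. The same applies to the two REST `log` overloads and to `timestamp(MessageRecord)` in the following hunks.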
@@ -115,9 +105,10 @@ public static void log(SoapMessageImpl message, SignatureData signature, boolean * Save the message and signature to message log. The message body is saved from an input stream. */ public static void log(RestRequest message, SignatureData signature, CacheInputStream body, boolean clientside, - String xRequestId) { + String xRequestId) { try { - ask(new RestLogMessage(message.getQueryId(), message.getClientId(), message.getServiceId(), + assertInitialized(); + logManager.log(new RestLogMessage(message.getQueryId(), message.getClientId(), message.getServiceId(), message, signature, body, clientside, xRequestId)); } catch (Exception e) { throw translateWithPrefix(X_LOGGING_FAILED_X, e); @@ -128,9 +119,10 @@ public static void log(RestRequest message, SignatureData signature, CacheInputS * Save the message and signature to message log. The message body is saved from an input stream. */ public static void log(RestRequest request, RestResponse message, - SignatureData signature, CacheInputStream body, boolean clientside, String xRequestId) { + SignatureData signature, CacheInputStream body, boolean clientside, String xRequestId) { try { - ask(new RestLogMessage(request.getQueryId(), request.getClientId(), request.getServiceId(), + assertInitialized(); + logManager.log(new RestLogMessage(request.getQueryId(), request.getClientId(), request.getServiceId(), message, signature, body, clientside, xRequestId)); } catch (Exception e) { throw translateWithPrefix(X_LOGGING_FAILED_X, e); 
@@ -150,24 +142,12 @@ public static void log(RestRequest request, RestResponse message, log(request, message, signature, body, clientside, null); } - /** - * Returns a log record for a given message Query Id, start and end time. - * - * @param queryId the message query id - * @param startTime the start time - * @param endTime the end time - * @return the log record or null, if log record is not found in database. - */ - public static LogRecord findByQueryId(String queryId, Date startTime, Date endTime) { - try { - assertInitialized(); - log.trace("findByQueryId({}, {}, {})", queryId, startTime, endTime); - return (LogRecord) ask(new FindByQueryId(queryId, startTime, endTime)); - } catch (Exception e) { - throw translateException(e); - } + public static Map getDiagnosticStatus() { + assertInitialized(); + return logManager.getDiagnosticStatus(); } + /** * Returns a time-stamp record for a given message record. * @@ -177,7 +157,8 @@ public static LogRecord findByQueryId(String queryId, Date startTime, Date endTi public static TimestampRecord timestamp(MessageRecord record) { try { log.trace("timestamp()"); - return (TimestampRecord) ask(new TimestampMessage(record.getId())); + assertInitialized(); + return logManager.timestamp(record.getId()); } catch (Exception e) { throw translateWithPrefix(X_TIMESTAMPING_FAILED_X, e); } @@ -202,16 +183,4 @@ private static void assertInitialized() { } } - private static Object ask(Object message) throws Exception { - assertInitialized(); - - Timeout timeout = new Timeout(ASK_TIMEOUT, TimeUnit.SECONDS); - Object result = Await.result(Patterns.ask(logManager, message, timeout), timeout.duration()); - - if (result instanceof Exception) { - throw (Exception) result; - } else { - return result; - } - } } diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/messagelog/NullLogManager.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/messagelog/NullLogManager.java index b669be3b64..c9a0d0ae88 100644 
--- a/src/proxy/src/main/java/ee/ria/xroad/proxy/messagelog/NullLogManager.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/messagelog/NullLogManager.java @@ -25,13 +25,13 @@ */ package ee.ria.xroad.proxy.messagelog; +import ee.ria.xroad.common.DiagnosticsStatus; import ee.ria.xroad.common.messagelog.AbstractLogManager; import ee.ria.xroad.common.messagelog.LogMessage; -import ee.ria.xroad.common.messagelog.LogRecord; import ee.ria.xroad.common.messagelog.TimestampRecord; import ee.ria.xroad.common.util.JobManager; -import java.util.Date; +import java.util.Map; /** * A dummy implementation of message log that does nothing. @@ -39,24 +39,23 @@ */ public class NullLogManager extends AbstractLogManager { - NullLogManager(JobManager jobManager) throws Exception { + NullLogManager(JobManager jobManager) { super(jobManager); } @Override - protected void log(LogMessage message) throws Exception { + public void log(LogMessage message) { // do nothing } - @Override - protected LogRecord findByQueryId(String queryId, Date startTime, - Date endTime) throws Exception { + @Override + public TimestampRecord timestamp(Long messageRecordId) { return null; } @Override - protected TimestampRecord timestamp(Long messageRecordId) throws Exception { - return null; + public Map getDiagnosticStatus() { + throw new RuntimeException("Status not available while using NullLogManager"); } } diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/AbstractProxyIntegrationTest.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/AbstractProxyIntegrationTest.java index af3181884b..641d12b589 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/AbstractProxyIntegrationTest.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/AbstractProxyIntegrationTest.java 
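Review bot: `getDiagnosticStatus()` throws a bare `RuntimeException` for what is a normal configuration (message logging disabled), so the diagnostics handler in `ProxyMain` presumably lands in its failure branch every time it is queried with this manager; the `catch` there is outside the visible hunk. A standard type states the intent without changing what callers can catch: `throw new UnsupportedOperationException("Status not available while using NullLogManager");`. `timestamp` returning `null` deserves a one-line comment such as `// no time-stamping without a message log; callers receive null`, since `MessageLog.timestamp` hands that value straight to its caller.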
@@ -64,7 +64,7 @@ /** * Base class for proxy integration tests - * Starts and stops an test proxy instance and a service simulator. + * Starts and stops the test proxy instance and a service simulator. */ @Category(IntegrationTest.class) public abstract class AbstractProxyIntegrationTest { @@ -134,7 +134,7 @@ public static void setup() throws Exception { actorSystem = ActorSystem.create("Proxy", ConfigFactory.load().getConfig("proxy") .withValue("akka.remote.artery.canonical.port", ConfigValueFactory.fromAnyRef(getFreePort()))); - MessageLog.init(actorSystem, jobManager); + MessageLog.init(jobManager); OpMonitoring.init(); AddOn.BindableServiceRegistry serviceRegistry = new AddOn.BindableServiceRegistry(); for (AddOn addon : ServiceLoader.load(AddOn.class)) { @@ -165,6 +165,7 @@ public static void teardown() throws Exception { } OpMonitoring.shutdown(); + MessageLog.shutdown(); actorSystem.terminate(); RESERVED_PORTS.clear(); } diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java index 9af1c9f551..f64aa7aafd 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java @@ -109,7 +109,7 @@ public static void main(String[] args) throws Exception { startWatchdog(); try { - MessageLog.init(actorSystem, jobManager); + MessageLog.init(jobManager); OpMonitoring.init(); runNormalTestCases(normalTestCases); @@ -117,6 +117,7 @@ public static void main(String[] args) throws Exception { runIsolatedSslTestCases(isolatedSslTestCases); } finally { + MessageLog.shutdown(); OpMonitoring.shutdown(); jobManager.stop(); Await.ready(actorSystem.terminate(), Duration.Inf()); From 05a832458b28e5ef76e9a96d0e07a8b75ce7c006 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Wed, 4 Oct 2023 11:00:11 +0300 Subject: [PATCH 104/127] chore: sonarqube fixes Refs: XRDDEV-2468 --- .../xroad/common/test/signer/container/BaseTestSignerSetup.java | 1 + .../java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java | 1 + .../src/main/java/ee/ria/xroad/common/util/PasswordStore.java | 1 + 3 files changed, 3 insertions(+) diff --git a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java index 0a0f7af0b8..2d3cba5bd0 100644 --- a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java +++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java @@ -89,6 +89,7 @@ public TestContainerConfigurator.TestContainerInitListener testContainerInitList return new TestContainerConfigurator.TestContainerInitListener() { @Override + @SuppressWarnings("squid:S2068") public void beforeStart(@NotNull GenericContainer genericContainer) { var modulemanager = enableHwModule ? "-Dxroad.signer.moduleManagerImpl=ee.ria.xroad.signer.tokenmanager.module.HardwareModuleManagerImpl" diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java index 0a0eb504a3..cb37fccc4b 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/FilePasswordStoreProvider.java 
@@ -40,6 +40,7 @@ * This implementation is designed purely for testing purposes. */ @Slf4j +@SuppressWarnings("squid:S2068") public class FilePasswordStoreProvider implements PasswordStore.PasswordStoreProvider { private static final String CFG_FILE_PASSWORD_STORE_PATH = SystemProperties.PREFIX + "internal.passwordstore-file-path"; diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/PasswordStore.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/PasswordStore.java index a04cf98ade..2242336c53 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/PasswordStore.java +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/PasswordStore.java @@ -43,6 +43,7 @@ * Manages passwords that are shared across different JVMs. */ @Slf4j +@SuppressWarnings("squid:S2068") @NoArgsConstructor(access = AccessLevel.PRIVATE) public final class PasswordStore { private static final String CFG_PASSWORD_STORE_PROVIDER = SystemProperties.PREFIX + "internal.passwordstore-provider"; From 63e80750a95220c519ec3b859303d8717f323f4f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Wed, 4 Oct 2023 11:49:33 +0300 Subject: [PATCH 105/127] chore: remove akka references from documentation --- ...-ss_x-road_security_server_architecture.md | 7 ++-- .../arc-tec_x-road_technologies.md | 37 +++++++++--------- .../Monitoring-architecture.md | 31 ++++++++------- .../img/monitoring.graphml | 2 +- .../img/monitoring.png | Bin 39195 -> 71535 bytes .../ug-syspar_x-road_v6_system_parameters.md | 12 +++--- .../xroad/default-configuration/common.ini | 3 -- 7 files changed, 46 insertions(+), 46 deletions(-) diff --git a/doc/Architecture/arc-ss_x-road_security_server_architecture.md b/doc/Architecture/arc-ss_x-road_security_server_architecture.md index e08d9be759..17ca7eb3d4 100644 --- a/doc/Architecture/arc-ss_x-road_security_server_architecture.md 
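Review bot: `@SuppressWarnings("squid:S2068")` is placed on the whole `FilePasswordStoreProvider` class, and on the whole `PasswordStore` class in the next hunk, which switches off the hard-coded-credential rule for anything later added to classes whose job is handling passwords. The finding is presumably triggered by the property-name constants (`CFG_FILE_PASSWORD_STORE_PATH`, `CFG_PASSWORD_STORE_PROVIDER`), so the annotation can sit on those fields with the reason stated: `@SuppressWarnings("squid:S2068") // property key, not a credential`. The `BaseTestSignerSetup` hunk in the same commit already limits the suppression to a single method. Both class bodies continue outside the hunks.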
+++ b/doc/Architecture/arc-ss_x-road_security_server_architecture.md @@ -2,7 +2,7 @@ **Technical Specification** -Version: 1.15 +Version: 1.16 01.06.2023 Doc. ID: ARC-SS @@ -35,6 +35,7 @@ Doc. ID: ARC-SS | 03.05.2022 | 1.13 | Update `xroad-addon-messagelog` process section | Petteri Kivimäki | | 01.06.2023 | 1.14 | Update references | Petteri Kivimäki | | 20.06.2023 | 1.15 | Fixed Security Server Admin API OpenAPI specification link | Madis Loitmaa | +| 03.10.2023 | 1.16 | Remove Akka references | Ričardas Bučiūnas | ## Table of Contents @@ -332,13 +333,13 @@ The SSCD needs to be a PKCS \#11 (see \[[PKCS11](#Ref_PKCS11)\]) compliant hardw ### 2.13 Environmental Monitoring Service -Provides methods that can be used by X-Road participants to get environmental data of the security server. It requests the data from the local monitoring service via Akka interface and translates it to a SOAP XML response. +Provides methods that can be used by X-Road participants to get environmental data of the security server. It requests the data from the local monitoring service via gRPC interface and translates it to a SOAP XML response. The component is a proxy addon. ### 2.14 Monitor -Monitor component collects environmental monitoring information such as running processes, available disk space, installed packages etc. The monitoring data is published via Akka and (optional) JMX interfaces. +Monitor component collects environmental monitoring information such as running processes, available disk space, installed packages etc. The monitoring data is published via gRPC and (optional) JMX interfaces. The component is a separate daemon process. diff --git a/doc/Architecture/arc-tec_x-road_technologies.md b/doc/Architecture/arc-tec_x-road_technologies.md index 94e8e90d02..873e0669dd 100644 --- a/doc/Architecture/arc-tec_x-road_technologies.md +++ b/doc/Architecture/arc-tec_x-road_technologies.md @@ -2,7 +2,7 @@ **Technical Specification** -Version: 1.9
+Version: 1.10 08.06.2023 Doc. ID: ARC-TEC @@ -11,18 +11,19 @@ Doc. ID: ARC-TEC ## Version history -| Date | Version | Description | Author | -|------------|---------|--------------------------------------------------------|------------------| -| 02.02.2018 | 1.0 | Initial version | Antti Luoma | -| 02.03.2018 | 1.1 | Added uniform terms and conditions reference | Tatu Repo | -| 17.04.2019 | 1.2 | Added RHEL7, Ubuntu 18.04, systemd and Postgres 10 | Petteri Kivimäki | -| 11.09.2019 | 1.3 | Remove Ubuntu 14.04 support | Jarkko Hyöty | -| 12.05.2020 | 1.4 | Add link to X-Road core tech radar | Petteri Kivimäki | -| 15.09.2020 | 1.5 | Updated to match Security Server REST API architecture | Janne Mattila | -| 02.06.2021 | 1.6 | Backup encryption related updates | Andres Allkivi | -| 07.09.2021 | 1.7 | Update technologies | Ilkka Seppälä | -| 26.09.2022 | 1.8 | Remove Ubuntu 18.04 support | Andres Rosenthal | -| 08.06.2023 | 1.9 | Central Server technologies update | Justas Samuolis | +| Date | Version | Description | Author | +|------------|---------|--------------------------------------------------------|-------------------| +| 02.02.2018 | 1.0 | Initial version | Antti Luoma | +| 02.03.2018 | 1.1 | Added uniform terms and conditions reference | Tatu Repo | +| 17.04.2019 | 1.2 | Added RHEL7, Ubuntu 18.04, systemd and Postgres 10 | Petteri Kivimäki | +| 11.09.2019 | 1.3 | Remove Ubuntu 14.04 support | Jarkko Hyöty | +| 12.05.2020 | 1.4 | Add link to X-Road core tech radar | Petteri Kivimäki | +| 15.09.2020 | 1.5 | Updated to match Security Server REST API architecture | Janne Mattila | +| 02.06.2021 | 1.6 | Backup encryption related updates | Andres Allkivi | +| 07.09.2021 | 1.7 | Update technologies | Ilkka Seppälä | +| 26.09.2022 | 1.8 | Remove Ubuntu 18.04 support | Andres Rosenthal | +| 08.06.2023 | 1.9 | Central Server technologies update | Justas Samuolis | +| 04.10.2023 | 1.10 | Remove Akka references | Ričardas Bučiūnas | ## Table of Contents 
@@ -80,7 +81,7 @@ Table 1. Technology matrix of the X-Road | Java 11 | X | X | X | X | | C | X | X | | | | Logback | X | X | X | X | -| Akka 2 | X | X | X | X | +| gRPC | X | X | X | X | | Jetty 9 | X\[[3](#Ref_3)\] | X\[[4](#Ref_4)\] | | | | Ubuntu 20.04 | X | X | X | X | | Ubuntu 22.04 | X | X | X | X | @@ -128,7 +129,7 @@ Table 2. Technology matrix of the Central Server | Java 11 | X | | X | | | X | | X | | C | | X | | | | | | | | Logback | X | | X | | | X | | X | -| Akka 2 | X | | | | | X | | | +| gRPC | X | | | | | X | | | | Embedded Jetty 9 | | | X | | | | | | | Embedded Tomcat 9 | | | | | | X | | | | Spring Boot 2 | | | X | | | X | | | @@ -164,7 +165,7 @@ Table 3. Technology matrix of the configuration proxy |--------------------------|:--------------:|:---------------------------:|:----------:|:------------------------:| | Java 11 | | X | X | X | | Logback | | X | X | X | -| Akka 2 | | X | X | | +| gRPC | | X | X | | | nginx | X | | | | | systemd | X | X | X | X | | PKCS \#11\[[2](#Ref_2)\] | | | X | | @@ -186,7 +187,7 @@ Table 4. Technology matrix of the Security Server | Java 11 | X | X | | X | X | | X | | X | X | X | X | X | | C | | | X | | | | | | | | | | | | Logback | X | X | | X | X | | X | | X | | X | X | X | -| Akka 2 | X | X | | X | | | | | X | X | X | X | | +| gRPC | X | X | | X | | | | | X | X | X | X | | | Embedded Jetty 9 | | X | | | | | | | | | | | | | Javascript | | | | | | | | X | | | | | | | PostgreSQL 9+\[[3](#Ref_3)\] | | | | | | X | | | X | | | | | @@ -224,7 +225,7 @@ Table 5. Technology matrix of the operational monitoring daemon |:-----------------------------|:------------------------:|:---------------------:|:--------------------:|:------------------------:| | Java 11 | X | X | X | X | | Logback | X | X | X | X | -| Akka 2 | X | X | | | +| gRPC | X | X | | | | PostgreSQL 9+\[[1](#Ref_1)\] | X | X | | | | Liquibase 3 | X | X | | | | Dropwizard Metrics 4 | X | X | | | 
diff --git a/doc/EnvironmentalMonitoring/Monitoring-architecture.md b/doc/EnvironmentalMonitoring/Monitoring-architecture.md index a623b3321f..6f99aeafbd 100644 --- a/doc/EnvironmentalMonitoring/Monitoring-architecture.md +++ b/doc/EnvironmentalMonitoring/Monitoring-architecture.md 
@@ -1,20 +1,21 @@ # X-Road: Environmental Monitoring Architecture -Version: 1.9 +Version: 1.10 Doc. ID: ARC-ENVMON -| Date | Version | Description | Author | -|------------|---------|-----------------------------------------------------------------------------------------------------------------|--------------------| -| 15.12.2015 | 1.0 | Initial version | Ilkka Seppälä | -| 04.01.2017 | 1.1 | Fix documentation links | Ilkka Seppälä | -| 20.01.2017 | 1.2 | Added license text, table of contents and version history | Sami Kallio | -| 23.2.2017 | 1.3 | Added reference to the Security Server targeting extension and moved the modified X-Road protocol details there | Olli Lindgren | -| 18.8.2017 | 1.4 | Added details about the security server certificates monitoring data | Olli Lindgren | -| 18.10.2017 | 1.5 | | Joni Laurila | -| 02.03.2018 | 1.6 | Added numbering, terms document references, removed unnecessary anchors | Tatu Repo -| 20.01.2020 | 1.7 | Update XroadProcessLister description | Jarkko Hyöty -| 25.06.2020 | 1.8 | Add chapter [2.2.1 JMX interface](#221-jmx-interface) | Petteri Kivimäki -| 01.06.2023 | 1.9 | Update references | Petteri Kivimäki | +| Date | Version | Description | Author | +|------------|---------|-----------------------------------------------------------------------------------------------------------------|-------------------| +| 15.12.2015 | 1.0 | Initial version | Ilkka Seppälä | +| 04.01.2017 | 1.1 | Fix documentation links | Ilkka Seppälä | +| 20.01.2017 | 1.2 | Added license text, table of contents and version history | Sami Kallio | +| 23.2.2017 | 1.3 | Added reference to the Security Server targeting extension and moved the modified X-Road protocol details there | Olli Lindgren | +| 18.8.2017 | 1.4 | Added details about the security server certificates monitoring data | Olli Lindgren | +| 18.10.2017 | 1.5 | | Joni Laurila | +| 02.03.2018 | 1.6 | Added numbering, terms document references, removed unnecessary anchors | Tatu Repo | +| 
20.01.2020 | 1.7 | Update XroadProcessLister description | Jarkko Hyöty | +| 25.06.2020 | 1.8 | Add chapter [2.2.1 JMX interface](#221-jmx-interface) | Petteri Kivimäki | +| 01.06.2023 | 1.9 | Update references | Petteri Kivimäki | +| 04.10.2023 | 1.10 | Remove Akka references | Ričardas Bučiūnas | # Table of Contents @@ -73,7 +74,7 @@ See X-Road terms and abbreviations documentation \[[TA-TERMS](#Ref_TERMS)\]. ### 2.1 Monitoring metaservice (proxymonitor add-on) -Monitoring metaservice responds to queries for monitoring data from security server's serverproxy interface. This metaservice requests the current monitoring data from local monitoring service, using [Akka](http://akka.io/). Monitoring metaservice translates the monitoring data to a SOAP XML response. +Monitoring metaservice responds to queries for monitoring data from security server's serverproxy interface. This metaservice requests the current monitoring data from local monitoring service, using [gRPC](https://grpc.io/). Monitoring metaservice translates the monitoring data to a SOAP XML response. Monitoring service handles authorization of the requests, see [Access control](#33-access-control). It reads monitoring configuration from distributed global monitoring configuration (see [UC-GCONF, PR-GCONF](#12-references)). 
@@ -81,7 +82,7 @@ Monitoring metaservice is installed as a proxy add-on, with name `xroad-addon-pr ### 2.2 Monitoring service (xroad-monitor) -Monitoring service is responsible for collecting the monitoring data from one security server instance. It distributes the collected data to monitoring clients (normally the local monitoring metaservice) when requested through an Akka interface. +Monitoring service is responsible for collecting the monitoring data from one security server instance. It distributes the collected data to monitoring clients (normally the local monitoring metaservice) when requested through an gRPC interface. Monitoring service uses several _sensors_ to collect the data. Sensors and related functionalities are build on top of [Dropwizard Metrics](https://github.com/dropwizard/metrics). diff --git a/doc/EnvironmentalMonitoring/img/monitoring.graphml b/doc/EnvironmentalMonitoring/img/monitoring.graphml index bb0c74c366..839a4ef88f 100644 --- a/doc/EnvironmentalMonitoring/img/monitoring.graphml +++ b/doc/EnvironmentalMonitoring/img/monitoring.graphml @@ -366,7 +366,7 @@ - <<akka>> + <<gRPC>> 
diff --git a/doc/EnvironmentalMonitoring/img/monitoring.png b/doc/EnvironmentalMonitoring/img/monitoring.png index 0761b786c9a076402acead2673a3ce6a0fc7448a..3507f777329eea5515311b263e18023b1aecf45c 100644 GIT binary patch literal 71535 zcmeFZcTiN@_BBeBAju|4klfH@MFl}JEuo1`MiE3n1O+7LoNO{pHz*((2_jKMvLYD) zMUWtZB#|UJr*E~MbM)N%`{%u?_v-szy(;fLRj}E6ues)0Ys@jm+$bF_6-shuay&dd zN;OruE*>5M5)Y3kk@OV!$@S>FH^6`JU366x@k)AG=kf43@YLW6`krP>Pe?Fy*M`DH zB@2nj&~RcRcy=%cnutg(n9BrR08_|@DI9h}h{%FrYVt&CXa(nZ7#DbaQ`S4gTy3hdjy|FDCh)JH+EbBV7WCRR8|R zN|Onf3~W>X=Lf2RkXA`~0-nGBQIYCov&v6H|M>xrJZg&dpSR?|Cn16%sWR6fzuzho z?nL$bfq{hJrAgjJ0Zmg7$8QH=YPqSqs z6*Vtg;rH{VL0`|T7AwM=7=_Fmr9ESmZ&@KQ)@nNpu;XtQCeD(qxQiahzpfOR9O=bR zm=YbJl5cxJ21QV}mpz;k);Z)Qi^7!A;%0(IoCuLD^8BTze5P?iepzqJVp?hzr#6ZlT*44IKW$|PchCIF)HBbI4;*T&e(t+Kz zX{@x&&X|j`B<_j$kcV1$TwCqz0jfF5F{JHLcu+*2Yv#|Hi{wXT%QI{C{@m-6A%uYwI9bH0TR*IXqHS{1=zI)C!{zp=RIu=(i4qpKGq{i3Joob8e&TBZq zw*dFsIfYBn9HfRS-L||1tyg>OxtQ1|F+WqXlt}h?*K+>T^VHJ(8-8q1gtj+7()$W? z%x%SNkkTp6xYPmLRuOV-s&$%g8$Q6t==7CPK{|~VY_~Ry;zlX)uos;I`okLd?qJ`0 zO+pYsbq>w$zZ>L}14GKbW0=4Nu8qIAFB=}_<~=M4rsX`>YiPrb&RgK!a&v!<6;S{s z&**yVZ1zOTEjl*!*Sj@={TKran0wdIn-8DQwS_T2yJ$Sc)qiGqBA>Ql#`~zvq2@A3 zp3Q=8_U402%wZ5~Iyqdt9-P5P&O1buhFBE&7tYp8xnTYjXJEpy~Glo(NZ57@e1 z#e(AplIPN|o9)_vi7pCaO)8xV7UhF;;K5MDTyEZfy)g!c!1SuAqx#i8>Ifk)oU8Z6 zZxK8*e2zA2@GiWv>&V7KLmLEvB1n&2e~d}qk_Xr8zfSBB1S#=*2<=4D>!D3`uJc^2 zQH(|sYPdhbf0sD;%t*a2U1rdi4E_`sv?mi_m-#)Ab7x*tmiz9l<4;hWyWAUPs*Q(L zf0uPFib0b3G#JM0-Knuzu0JEFYYV({lc{CHmrVEPI?vonYepDQD?VMu?ia-VdqKZ5$n2JC(r z$TheenNId0(RS0v=@wMZ@#43h)Lw#Bfop*f>o@RBxJf*`JL2m~Os_L5Yq~PQF}ai= zvKVfg<_{isUK1q1W3E1TKd3xv9ZT1@ksR1`03L?R#^Huun?GkH13bo8xs~<^Y{u)f z!zWsE&gmB&K9quN`e*z7K?t@V>UhscZt!j@!=aGbXcn+0tIHx4QRL5D%Pw93;Kk`W z5m^3R5*7JcPtbx!C8|>`D5!N81_PTYYxQOjM3!@rpU}dPlNmXxE1Xb)ejEAKHf>bo zdECMWbc^jS@atp;TJ@#ggz#yyx=rP6 zBwO{pl&Nr-lp3k`tW1;hGrL}OA1a($ed&>!hqxxn*=F2f@iMe4nCH4I5dt$yCVoX4 zF(ABqnn5I9eED-nP7NFO`m&u`I+vGkZvr1r=(r<;l&4Hsf_g^Jb?72RC!P2kQH2|Bw!g88V7;`Lqpg!bqGw(~? 
zGHW|3_cT9}!73GEtpE{bCxCXX6S1(G<*Mr+P>*(3V7qhMC1hr@BG}2V&^E0c->m)g zL!eYY;970Ku*_G_mn681us~pl)n53LVqo30_aAsB2qFFUcM=LOKJAKcRpOaHQme9_ z94Oc8FESPMI_Rm+GuSX3ofqytYVBoy$dK`V zDa2N7{OP$F;|uXIHgFtmQ$&*fE70|-m;wv#@XmK(7xN}Oj)Justsf_?-+3#MhYV3x zaO{qu)X5%uRCU+y>953>M^#9_ITgW(f?zLtXxUz^e=cpXP?(u$F5^+9u_TEUFP&iB zd^t7@@-fCF2mDP{2QvXwpkn=8*9YYk_;b@5-IQuuk?HDaYNl^S>;VQcBZr0g!J_t@ zESRU^Fl35+3dLIlMs5H8XGW0n=CCzZJ|Zs7Y$^8zSpIZIl0;q8yhMp$a!E()1|#&^ z0^Rz`Yyi|hco!n-UvE6^JG!mcnIIM6`eQ)ylMDAUNGD>Z{C~f?EySSS)v54fVXU;? z52lPl$LlZEWS3V9c@St-XT~n!d*4bEx*0{gS6kl>()L24EF+^d{xceiWt zdje*y>px~K1)k>zd#jM(L9)NOvEs7c@6)F2(U z2`_e{T9)Kl7N|;`*gj@htVwVOSr;6w_pjuQ;z89qO^5TS#>G5=hRZMY zf9DsPhy2lWTZ|w}iM>w1fpdNQ4`TismBsZEn=?1--xeH7zANRMmBsUiIH9 z>`|3MfndMv6{@3 z^RXqKwh>hwx7k2ol?{9&KkURb>PkC0*$!45EfYy`&?1)61mEy}_zGsb@vpz6qQw3gQ3tM)+>!=+<1js3P6% z!3qUFIh!TcJ&RH53eWMW%<9>;Q!u2%yX!Ax|08GMs1$MgluhRM>W!u+*6%xqdi0D= z?XU=mHtybj|Jm7+5CfCA69XRjiR&IIrl6zC1E#`)f)F=~>U%4!OJ}GoynM!TY0R=N z4*T{qb@#i%iy@!FKNIR@kEJV|vG|Xj16y#j&Ry-8V9)w{bJn_kVg3u7Tg!)4{mWGj z6>i;zooHy(_U=ofT(JDq{@Ng4str88Xfrcb=QqUzDy#cT!^(Z{=hv$+6j{&XuhR*7Rni<-;Q9}JlXU`reK5o8dy@ZC2g?5Ya`g$CHuBs|o9 z<}dF*MpqW<&v7DPVi?DHg5<>70#9 zo*m9;w_17GP~rQ{d8E;y4)aV$Yux_01S4{DG|Bc%g_BOUVz`tiB{Dm>Jt<*}=D{;~ zR*GJxJigb~pphftWJ6j+Q7^9CgHKL4&AfZ8x9k=SS14Hj*7K}L<*QDPGNspiUh+)U zkXfB(w$5y`*Gl6-Ns)3Ec^E>k$^U33L4^&e9sx#YaN@VUWMWV?`pPM%=)vTK48f-? zC6c|li~t^|sg@#9KCQI)caJZ2?{6(y&-dpQEfCvQ&St_}(>mpjca=EwpA9`vx_Q;3 z&~5?SZN%e*Zb8c`d5=_CCa1~yn00#WZ#Fi(8%~nUabf*8(*A0QYSv}h7Ia%4HHe|l zXnyNF_Jya&ZmXs zyUO-pdl`NC-Y1wsbCabPwE^G#2LUHXJ2?W#? 
zFV%!BZ9LEdlu_EvVN*2}d8&RHw+AQgZTgMC-K^g|x=`eO(R=gmmZ`W*f{rC}%i zIztN^|57Cw5VnXXt2s31{zygtDPSpp=vXP{w7w~0XF^jtrXnF+pGV}#Y<&5+TVd6TS z&3v2puX=AS^5}a6WD*|_Z$GJfa5w~NaeLkCw9`^I>*+C zc+?J9ff7}zB38Bn5k<)fyi!J*Ht5Vm29DR|IJb?}YzHB_dT_zNg46|?+) zmhsYnp7@7&SY*UE%sFgsP4wdk6rkIV->WT5gKV+ui_Gnvf8%>44A4Zm59Goi^gozx zpVU7?8oRH}Jyr3>Rp@*MFx>riJZPZ^2_)ef40$TEQmvh+tXL(%IXaFp@}XYP&oVoJ z5R}lgmucc4)_78>6b}Pca%n;h3IlbN2U^pilkz-iKG_bMOd@mhd!MrYtT5y8ipXSq zwxhj8bOBT2cN~g+%j@;Hn^ZpKL9toGb?Fnz`R%Pl&kK~vI6h;~9#Db*@DPTl@%#EI z9MI`3c}cG+ro0K*OqwTZc~XB~83RbOf38dd43FDSTINY&5+pD2X_hetru210=qJ0W z14?8mKH)#BA?xy1lDOz3@b^=lFRo8O;Q zPqju}WzfSdslMn#_V!c>$MFHC_;N*U4qYfYK^TjEX4B(vSY!?9xN#8qmzLEf2|||uD%@Z)_8^~YFa^V; zHD4DKc#*G6!00=PA6qbf0Rlxt=R|7x&M<8Ij@U9hkRL~JRbqdwqy!#hy$Mr_Rg%Qw z%$=o}(A$o8g0Gypg&XDE{a<{dA&(lJqhUDjSe#vA_TkYF#rlk#&yE|-d(SfY&db7s8C5P9f~~nIt>HrHeYi}pdM;{hnMXW zjp?vtK!8XYq!n)% z7|MbZ`5QEO14jx&#ZlL5obxnN#55bt>y5Qo<#?GYtP-s{*)dm~raNa(+sy2mH+5GD zCg*t;&gB`#*y&0zNCE~}Q-XyWf}bxovsueQ$vxGq3x<@28xlC&UWFN8>eL2`SMI3y z$sWyQT(rr%RU?I796_M@ea6oo`0o!}jMVs-FB$JWXB|DNeBtm}OZNMF@irHJaI*Qk zE7ShGv6SYQ*xmEsT-N&|R*;+7V6E_JrdGvkrdF$twB4MUcdj~ISXrqP?_MYKn;9!t z5?iR`)O~UH!{?HG_+D5dUtMUR9+R{86ZNuCKM8(huPz+r+!h1Li@0HYZ7r!F+1%g6 z%)csjMrb`)-*!(;{>W6$qgZ3UjKZ3-}6?xGSh}XI9)7^yz)m_1bCr{ z)7MXtUHp|U7UI4tUlaxpz=B1K+>}xoT72~ogpdo`#Uuez$H9WWl^bdM(I$yJ=BiqG za;oj}1iR16u6U2Gj$9ONu5(@_2KL;QNywD+3YIf}D6IPx;e2~X0=G4&B0%v$L;r1k zwi|uLX-Zyk-%l9Yw`;IfY@i(2Zg`QB;>6{a8)edhr!E|7_f``gQc=Kgzm^_%_bViwIr zUJHf!R-iHwvm1ah$#}mQC_pOd%)Yt!MQ2vhZ2_~ta=SHBEmhp!>Qk{vf1w_q*K*Ym z(aPcHTDNButXFiNT(#}zVUlt!sNbE6TK`eEf&iuL;KtWe)NDdqi$lpy(`{;ik+_${Y?P@YFGj6(w91YL3H=uUI3%kmJgtuP976^wmh1{(bic(l`{o#*?Zty$nbA);o|Q00*d z>!^JX{XiZ1{jVX^177iIHtAl^j1`H6$))G0CyNwC61`E7CjEpJG~&4y zNw<*9u8&zAhIBx9PSFdKp5<8pC1gUSO`kxyQY%@r%jS3F{CGoMk@VKmh+ZdzXEjQ+ zG2XH1$gnMrogIplJK9Vvy7cAwL=5xgT6E2f*GJM^W#(;U-{<@&Ds@> z={_}kN8L8?N|JUe7IVzL1Mp~gx2G~05IP@HSdo?Lt|!5S+7(`uy^A0m8kru{J~0-`I8W+n0`u`P(+?|v|ue<=Hze#k^Vp?l!Cq#6l?`As~smw 
zicB6xL1l%8vIJ)1;NbNDUqc1$`Yv=*>I5WR_-d7?_Z7RCsWbdUN8fYeewaK)By%Rd zU@q6~x9VDOVRsmNC1Rt^hNZI=>u9Y!QSB$u-S-vNTGEq$+7iqeS0 z%UOQ{UY;(!Ed^^*>^c1?4p}gf@voew$-nsm&cu~;6fl&dPBaX_iNI}&_h`rs@dS6Yz?wG8sb+yGY zTHv#l zeU|vWoOMDnMFY~*22R9E(@EnfBXOZxlF(!6&G$;qGaYAe)YE|S4?tOHF$iDJ-DaDV z(tlR=fwdj%^Mma758Ln+LR`Um(O#eH6BVsr4gUJ3{_Zr`UyM>emUA8fb}Ttb_yz)? zvH{(5NoyRk!X#O|5pI$#G}kXu`QhcW$|@Cvj7RT>~5yE+8bHeeWCV7 z!2s$_lH19k3P!QZHJT?|64veHFCQ*fo5vijSOMgOD}l7WjeIG&z>5?#ET*Y>adSrZ zt~h)#l%dP`WXQ3$c=*A3EU(}1O zn>DG!gv1G>$8QO|)<+ogY*#wbGmSH{=5e%~7FQX3MY@xP))#B#wYPU7tTUI__B*&} z1W?UyFP9TV93h4~Vumiydk^#aONPNMP$FK=Cyk|FQtbZYXah1^je^IRK5k29_eq5Y$dli+ITy|IHc&&}e| zVd<}yxd&yP#g~R=DmF0<-aZqN(w!$i^cIsv(-YyS z#LmZwDg$rDk7UF}9>MC8W0QF)7uHd;$Ia7w7Mg(&`cLyU_vQc?SZ|B4m-@RtxSsu$ zHp+aK|3-mOe0?sgMFr(oWj`zEdZ~=Ii z1p;7&snWY}9{^AVBL0JBmu@}26BUkL>eI@)Ny&DLjUHochjIl%- zYIJN4DD8K=8jsGimbVP^Ew#6FN3;8FBAfPoj}P~Z*@YI2Tf>kSSUBV7w$HnY6*58l&wH4F`*t378kH|e?q{T64j7jl$Ud($NOkqTMwGI_}! z#ls$wn&tI_T`O>gV5LpT?TS8$ER$)q!_BQJ%YbyJFhAZRghmhRfuM>_DjjsNR$wttCUKQ)_nf?pHYsK(A#hAHQ zD0$$KQD38Ez7!9L>{C4Qo(qzpyx!1nZ80nh(6&ie`E9#_0#3jEO{Yyn%A+<#0N#P1 z{SSDbJLf|$(7==HigXl)0?PMpIptsVcA{Y*t=OAq~Brt%L1M z;EveGEM_T1;Hr5XFbOin@sTo$GZF0m@wOkIs{N%TI3Mmh&A-nIIRx7}La{75?4*6s zY_gI1c+D@etGS&e!G9TcmbG#KUj3*iacmS)B zeDF2!5I_UOYd|yP_8uG`tjvP{B?}l772E>|lmmyQ?@u(|G{|0c{7&mHeoGoFU{K3_ zoa)$EC>B0Q^3EC?C!No$%Xvg2Uj-(Py*ZIBiAu z`Sr^<&{%(Re4zWxP`HYbO#OC-|9+uWN4&y&58rbtlg(k)!(|o=)~&lQM2RSa4FF|H zPtqOX*szs^=6&G=Fd4soLA;bB@Ol&>h`g?X5+GMCQ90dniVSK6f^6WV9Lvh@v%Q22 zcAsn}hTiqmW*Fz@k+wPRh&tC4F0`;k%67qLJT@NLXQ{Huc=Lzbv zRNV#>3I2~|i8+nOFYbrG+bhn|f39mF%ObY=@+<~+5`X(+ncRW$VN`FW+Zoa-IF8pa zu*UJomqUR%^GrY=XcGF^QzuQ%vxqH6AXz2jkmcT8z@FofyS;Mz#aTAbulP7o14A?^ zPfvCmKP!l5(z+!+g;z6$)Zg%h{bxga@^-!;WI}V0aeCmHR?(pMhi>{iuk))LvQ>oH9d$B#wvGj*-l^ynKNfx{{68Yr8 zw|7i#ADbaP0N|8tH^R*o-#|!;sB%=|44Z1Es}DUU{EQ6Fwna1LBwb?`zYp8nm@|^l z9xDTdLB2zF!P!jbpyZKk^m+FsV}qVY7c9fCFPH$GX}^UrDWoiV+K7gDBcb)Gqgz^Yo$P#^}kYoN`eW>K7HGqm0x84vK)RfJF_{$uwzFqH; 
znCPhNll6&!Tl8@XbdN*A@}%{hSF5?D$*;hUyp>GQyl<>fYo@t zmq7mR4%id~J8>FO_O>M_L(+1#I^8$&Z#Qe4X9w0f#mjuu>5>RIl^!u(5izST_-3uK zrkAUl_3g9Y&X@coR(7AI^1ys*5NE|d;;aFgo&UNp_{{qILs9EbFC2M{-q=9(N}AD9 z8`I9_k(VG6X3{mTKVGEmE(WrG*-2a)er38oBgo;{^uc&xs5D^cf^N32x?HX;P(l%A z94fDZT3@tG?ma(;B^mGX zmugz$T*v|wpaFKb=}+phe2Cn{B_q*YoT zi?0Ga%7Z;D_LIs7zzwR3qsK!ggDVw*k#qHyrKEE-VK6~L&^tw)wG$xE)ByFySKgEJ zrLlujNtwpZyNi7VMeh^1RrIUKeUi#hEL?pw`V$ogX}AXwihkTp?Yeg6&D-9)J+PWRY;t?{){++%Pz1MXiHW9IKrnd$V%@C_Ba5 zia`?2##MF(RmI^A$YH&(8oV_vKtZ6lfEn+ZjK(9Dc-x1J-`IFgL!zzWq%yr>(U!K9 zd%n{#5(8%ZFHns^5p#i8a)ODo+FYKO+2gs;1-z%)kMLI-b`s{1@%B|^rSd(uala#; z^ZHY8Y%?kU&elj#NM7YzV4b^ro6H(iZv6#FZUg$)d<9)e!anT~atDVGP;z?W`)qAJ z&j91H@GUGgzdCeMIg*8|$j~DZre7_4uyhfs3f3G{b}43UDF+xHVrw6l-l*34g5gwu zg_=Go$2=sI@D!p|{H8D2@F`UfQQdqKXKP zH6Dvyv%l0V0Im>P=6l8uH621N8xQ!*XVz!*-OGfgB+GomsY!3;NKpBPp7TlOFf?v_ zQ|VP!O|0%%aQ9Y*Mi+)3dr9FzS#EG?0FWH*Y|rm|(TM4%mT81QSxFg2-^!j7x@bXo zHJADz7qDK%aPkA=vK{h_sfy+EoXA@b?aokX(|3xOj8BubB@P09<_^Vg6ad6I!}*5` z6iGT|Rv|1TvN1D~zBd)$RK0qWtvKU%i+|ayTP_|ZG-Qz|Dog2BN~nH*HcIIH z_ddwk!EvU~RQeP3J9&Fjvia+?_k7bm90`U+9}+f2?>eu3@v4R)vwa^6muI{kYHaC+ zE%jx>!~7x@KPfz9WYZ3W%IQbDp2JzhSt5{6njz-*eeSwev2Z=qY(hB~?teN(Km)5cYwyfo&yF*X zh#q-;N#F8yAD-{YK`mp~N70{p2kT#YN3I&(dA(c;P4TFdEmDjYQ@&~#5Jl)=o3THO zJoUexfr88m>v{@QH#NmDBj{5p2?^5kBwUF%lsztg|33B8uk{2G-6>PF8w3ErVZXzMbgu8HhUs8Yk5Ep zO6zHPgtPVnQP?n79Yb=}zhjD|Bp+c7J9l4PgUquC8#ESpbdGs0x2ffaH2dBj8kHdjQ1`UY2y8i3cLgft!prFaEiog73MF4%(1E zB;R6lqF8o05kMfme3vSr%^+&_E<$_%S{&aZmpo7f=Tp=lg3g(Ll;cm11Tx;6@c>Ke zWgqgkpLYFa#P5NE0vdhF5*YEDt25_?Z@g3mWyK7r4Eigq)%O-lo2+_LE`#z)1=pjH zcGW{`;nQ*B`4zM7 z;yF6lVI;i?n0bTyYza!gItV_S{Ei00`2Rs)E%R7gIs;i=WRFK6fWWa~S_%7I56*9egKJB#bD z^_bPVs-=4`@Z$=%qJE%ADaMo-KEIAg0;7P&Nv}UF(p5+SW8(ojg3e%uq|3LCiGY*m zE#GlfT?h$v5qUp&RTxfc*_{9Q3_;^yHs0;UulE$=f3#od?mXA~eC9MH%x)0OHwN!A z&>%X&Z0F^wCU7B_r_>g8-^?QamVHKEvgK zQgidC+8HGRx&W3T2gTSDKpz0EuVebRW;$MRr~Fd*Y^k)@dI!iqs6sFi5)#%$lhp2i zv}MGvlNor)wjUl2SV&;ZOJururvoIj!DVunwa<=CSWv4NsL>VOFg|{J5+YBl}C 
z-8BPWRse+Rffw$FI4Zb)a*;;3-je}Bd_j?zoCHqA^}?o)4T>y?v>2heO~l`V=AhDl z4*YE;$39?ki@d{TRrK>$C#1PRV*sw(q)qRit_cu&MKlLJ4WCff*8E2m0Lso8*ak~m zccQPw3|EFmq@I}}QTL%ae|U9UD27#1*WeikvS9z#9!2+q;r!4eP0((ns~-AFd_M?5 zSEO9<(4usZgx#0pMzsUBJ6UuBiE3u!?_f$=)k>Ex9KG@CK^8{HL>DLj7(8w^6M1oj zvwW!t;Pe?8vq|7yw2RYk4kZ)r;)<9$jcbAFO7@yslmymqwXiiWOu>1r*weM)4G3e0 zw`MtDZFS#pY{>Jb#BUCFkxqH7=LOthBPF2TEm|O)Y}OgumZ4{7NWGR%s#MJae`7OvM5xc zw(Q+Q%4uWS7PDe-dw!&ndD&Qmwe%)EiPf3D;^qoyTnA{2!?pfw{kFfczv;Q1BOz|5 zWD2y2X^^i5^qfmUwVrF)Xx1g4=AaW5`tJY^*bzz<8C^J+E`u!a;RGV9iJ6v1M{vA?j>Y-5B4LQs>jkM6;@J87n9UUzb2*>z^9bR68v?tH{ap? z)sqH1YG`tG$v&B#v=8N#KReP^v3Rm>k$L9QV%+`IKw@D6Rw2+eM@I_@v%v@TP5K}# z=kd=@!(*DSy5j*aK$qLQw7Lw?+4R?C_&Lm2NtZiYJhp7OengsHqO#}+>PuzhZi2vn zC4=)j;MlLHJds@1mzM9R0aK9*fpJ@iJQjE>+Xa{8fN;&%4z6U4QNF;Bq~p&i{P{ev z1If2iJcQ)U-H7<>7EtmK^YYta-X8>$wqK2meRsWuYk}kfY9RC0K9}^HbahV;Eiy0) zN7`Q_4h?~O;dxpu;0$>uGkc$59JmfQnlnVJq=c-yET#Ox(vz(t(lF$k6hchFtprMo zu?J{aU)kEc3~PFm(!&tV1Uxc03_tEXGVOK-UNOA2w8|0Zq3)=_Nn%BzwB>*KWs zJ(}Coeq*nklo*7JIdH7nJ-OAAD-Zj?nKB@W6LEMnQ}lrYFYma?;F;k%*!4O=-9fyD zz`!`cmW&1q69K5vJg`_7Sf%fgwS!kA5=Hd_J_n~(L*)DqKaaKzZLds-_Q@XHR~;@p zbAs#9vSIj0|L-sr5aFo42JbC2V1+s*CVaVpu~l#RCfIH60R9jMBmf7}0q6~p#i7#V z&P2XvaXa~dHv`9oFlg<>0Q%$EA}5kj)C@yFOkTiv0VjvI+I@T)1LSWbHM&@ETohHG z0p5L0oJSexj&awUH)Mg{U3|L_pcyhlaOUSE?UXG=EPMiVYpzlRRZ%eg(SD|)<*G4w z>D$+4K9Yexv-4p)YM6r6UTPl|0xi<7Oe!?F)9rEU8M1!*Tcjl0yb9qsSGU*t403J; z^qV658+WHp;1A{Zsp2jd2>%KC6Zt*No zv$0AAeTrV&%NFP!e+&2+-1u)ia~0&J0NjS9z*WG`%7k2zV%SLrKtM0<4QU%V$n;U*&f zNN#IDZ-Le`oiL;JEjL-&9N7W3%!vFTz04{ibsk4eiw7%t)>E5q3|qz(@&zcpm%ads zTcaxYP7AGe!Anke08taF$Gz3jeA*(w%!UDEqo9|R&vx;G5zym*3zoY ze5HaQv$RiFWl<3N@jZ(bRSq2jV>_j-`9y75WW|hRnH)Jwr`-N`Zm0qc_k9uVRPpEg zJnTiryECSsy>;iV@_19BD;E!!YZNw=&!wYO zVpmD1*;>`pyjsAQ7V>QFfWP>s8M-lq z7kyhGf$~{XEs^0q`GNVtuRt^T4iy)v3}|ts*8lUNNsvtWkwoLjfhRS?z_e3l3=1Y8gR4y_n|i?Mo_G1 zlB82QS;oA@P5};WFW^A@^VhFF+-8c4J6|SL&b6SIwCmNW`3?BRQ-A~MCJ$vBIAlZn zo<8S(ohQAh>-{7`c$;04euHi4)GClBU9}k9>>p@d2ce;hL%+J@e_8%-z(MmDQfx(x&M?~;+_w8a 
zZVR!#iHI@E1_z-a=;y!!WTqlw-dMb!c*W^9?kvE$D%M{UQlAa#1tDMhSLi@7T>*Q1 zN)QPQZ;6_64hf)@qifG)j>oI$68g%>5k$hDYw#J%&@r}~v9I&7UON;ZK3sE;*M4Cz z8q_lJP>>TOm;YQNQD7+uA)ex+YQ49Le4DHa?~m83Rao^vsqc7d=;r!=PuJ;7lNR7R zk>ZHhUcnp^r=y*%Gm_ybhfc%u01~p*{tvInnN$G$=N)M^8$6o(5m3GDL-ctkNYgE| z24|Dw;W~rZbFw&4fi{(N*>`Jb;sZ1Qlwo7Bn-^6laaqlR5^~9xiO^L z&CoMwdB&9ujP=t0kT)Sh$PGpz^z=zuVzE~SrNE1cm!-*=9cYpOR?yBKAYBr^|KUw( zpyYi)%$M%QOB4h0l`+^9ci>wV&GyNB;j*nr&!}spl*d?yf|%Ess#lh-o9$3l>Hbd7qLF&4 zgk87Fk!+%_s6JZu=I74tDwa-Kuha0G)s}B}bSs80qV+x|zT-zWzDpYJ0}|#x^zyJm zG7afVxPmXR2nqoUwSM**sE-jp#%l5aPVcX@(H?0EXu_%L0D}9v_2TM$P&{CPlzwfr z+VQ79YiYP#iL49Ae|(;U9iTqPYV-ixBMuvnRN5r3O}BS{|By2~Xk^|HbC`1Zp8i$h z(+rr|?&N1LS5K~ZfSDA#^X{xcE8tC%0oGDs^IcUKY4E8A6dAnL7GPJLsEu=z0=RB; zq}VzS=(r@%+@}|l4@wW`^%*tL28d!_1VqAY-AZF3xa^q|C4dURCB_TrxkQ`;(#aUm z5Yh+tAIQyq!#`61$Jr5Hu1La0Ht6eOmZLkTt){+Ph*@^t*;+A=VaEA;(S_!IoEx8( z;z`i?@c^i*t@J*h?Qe}**J;z}FHz4ZI7{=a@6>iY#M%sl7`)eA3GE(d2$&FEgwEwK z;V7o-jj1r?_4Df%sov*PV!&?So$>s$62~xvSQluvdh2+$R|1afqt9J6#9x|dYQmXH z0Y+DWa^l!EfQjTPkDK4yj@yFhQGu_A;w3j2h0e3f4g)5g9}k9QVND zDqEwJ%^?PipjaFmc*USdA9?$t%QuZdSt5I&59?+r5<`*1U>x-Vy>-}7O(6RKKDL;L%<|EBi{Q~@ET1-8)d0zeH^|qYt)xx%6{#6%@1W6~HpCOusG>Mqh9f^J;Xp6;8v&4Q$W1F0p{GvLwmf zsE&|_@sPjZVDii(A?naG*~QVcpxP`F2qB~|0tKN4B1wqfv&<6ENVq=6g%i%JG>;v= z)OLbJI13U3*U5_W1lKZjdjV$C&^~h^gd6aNh*(?!3b;xvXyxO_4|Y`;*XdNG=+FhI z-vCQ)uGCt1_d~Wbz@PJ@RnK^Uv0=G7SjhfMt-%(Pp9+09H}b~I`w6(t(N3l!<9K=2 z0@*CFu*kEy)Xh(yRZJ}kQRKm~&-69F^`&v?@%i(AY?|OX*)en3^W42MKV1Le9Hh!) 
z$el^NtnU6unW6BBLOoyu?hKB3nf6|6H@ne|f!V{DV9jKqh-{8CIH{ga&`{&fyGL0C zD#LHcYDd%qqFrj>fmZzGjPmcjHe!qx(21wRK zSyIF(KtZQd0E4zcyqHa|(C|UXJscMg2revG{{=-DIY`(7U6KH@p&5T|L;o{q@Y}iG zo4P&-dtC9AP6kcaG56*Fl7KH7lU_wG+kJq%cGlAFs@i({t+wtkNjAC>j(2Gp#PDqoAV3 z;!*z6partOO-a_b*=^7 zQYevf{hoPydKcLJv1hZ608d~hJPW#SHJ0mw$F_caxdB=xGR0#om9Dn@c;Ydh&~$Qq zgN%;nG(lLSCA$&eaP;#i6~nA$@B5bmtpjrTA#EE4>aDD3S|adY#cQJFp#uBdRMHv6 zK8?Qgg@a#(w@|fJf{n>>bydmWOitW6aSS|kS;#FmmIkNn2hN2xVt&26q?b>8_-n4e zyc@g8enBBpdZ(UM>Xo^@>_oYJ)Tq^X$vt+pty|0{)ekBz`89Of?@Fg6Q8J zDlto_+TiQHx>En#o}c>MH|O;97ym{fKQZmNHB5?!JZnza7{+&8!(p<)K>5Ged+(^I zmga2~#zBT8!;mGz07DQI5kZ24A;%#o2$G`#NeU>E(~!XdM3FEE5>y0HQ4x?JNkI^d zh=?Q=B}x{*+Ir6KJ?FjOch|ai-9PVI{KcN#ySuu(y1MGAr=%6Fi!Je{1e+@Bfww!r zJ~aF1ZH)`A7tj%*Gr+6r2*n6XL}aE3&YL%!9Q=#e_e!hgh}3G38(pxz}Z6E zUXMFu4)n2(C*lj%k5QJJ_ea(Alfm4&Y4tC2>u=-z`O^nK_yz-O12_nB6)z6*W83~V zqx-#*y92etr1pwS7b)rnpOdEJGgdWQ|C zWeAln0{zXu?*6OcEzizCR4gYorB%z1SADx9qIDhwlilyto10|uCM33kKZ9s89NQpa|+m# z3^|i?`!8={`~GO$>BD7cChgcy0KTMLD-1tk_!bPGs+?Z{im1eYfk-w5BKzfw!n$xp%mw$d zAxLAqUth>(fS&i=ZLjpC!*$-I`+gsz*WV%`CrB@R@a+MFcq0R&&<+6aD3t_~!hepZ z$kpn$r|Erwh11zoK&(K90kPR|64tS|su_mLp%KTUDlRRt1hV#!7esJKxa|F>9P{8l zci)OLZD?OW=eCY90D=5J})GO9~*#ns49u`N%S#}N>f1BWFW|pw6Ds%2F<$=cew(<9{%G~O>TzhT8Xr> z=_N%HXAy#m3Z>1p;AFH$;x?z9#B+oC%vh%GXszXZVv9(&e6J94Pn@hAf?u_y4vySt`8C5aWVd=|ittz0JEiGF<&F#CX|4oqNnfgrtt z`9UCT5d|%0^=+cB(20SslGHzud?5-wtc}Ri>fiDNJ6;cH0px!pR7-*Ers|QYZBpw8 zTS1*{`g3_n98%O}q80^w5arT(ulr&>?g3MlwoRI_f$d$Lp>hzu0`SG$nPNP5{Z?JV zv3^(xvXF0(eckSMPj6O1tI7xKX4=|8};& zBmowlPJ09Z+^w@`+PR&qU+KJceUQc;{l8z-fYNtlumWKJkPttFbgVfgtxMJDbKbz+ zK?I?3S-%FcsES2D=e{g?dRHK>u>?rLwPm|vMkM0+PEOZhreB-x>Fr+(lFpyy472dS z6&3wZDXu&3UdG2Zpm3^CQr|D^wB8kHAk2?M3EboUoK~;#_He5HxU8nsu^=2}AZh_Q zi%6Qn+Y$g3s2N0}zney`FrVKGv5@rA8iUPvgrGQqfmW?s*s&qRWq|KY47%kq&0+ba z32;89m-ZVJ49H58$_?h>{6PMqE+Vm%XG}&EjT}9(&_=2Ht6qvMNE|;B;?|KY?{CdRK_JHm`WTF={=I=#zs)3nuF`nB@!Gmnney1?&L^9SWs!o3-m*Z~{x^FG}`dEn%fl?KlRi%Yy+9?=Kb=3$mt9IFc1O2`-N2 
zs53xL{N{>NS{iy&)K5ONRyW@jHCAEq-n5)x6>cg9B(rRwwmJ7yOllgAj-bCE%C501 za23_wv1tYb^Z8{noUg|(z3F578w;@K z*^3PuHM6Ob{j`nC61UcxtHi)4l2%ykC2bf8-<1sB;F&DArgc?Y#O7rDuUDylmHE@o z-qLymnR5?HrIb7=m9H`LU-81)~7P((u)XQ42Q#5urx!c=qd6ZEVWr!%LTc z7EPKwltcBu`7&HIn;8-@+5djBWFqov^+LhwQ2VFnOI}w5s^{Wo92=z6K zYB=%gHa^j85?88Y)k$vDa9@ z?S*+En_)9QG^Mh9LL~+I^W3m6RSN5~;E{;E_xh@I#uv&xo&||%W4+CTlIxrPmY)}O z^MeenPKb>^M7xQ#RbOb{g=~`8La!SVBkBfZg7#dLh=*UW?iOP+%dhzs+FU?Pl1iy0*ukN-| z?zReg;=3`za8IRW3$Z0V4r{3F6vEW6kzcG-nziGtMvOzvmOrmXUbq&*R)2V6*3r0Q z)!Hkr<-3+)W`Oz4*Dpq4H__$Fmn85;O{dGv1xJvSSvqnbNmI(7dpOT{%4A3{cW2-*nE?( zZ%<&cb6ek(2i#Hn15;EoUPZ+U>%LT?jY?Ns&RjQ6zH{N?wq(!*(uas@k8hys&0BBe zxi!5viTn`k+bg*7T^{DPsV$`OIA-p&T>7KL0?%%W8YAyq{HW8uLu8*P-QurJ%Ta&JYTuUcs0!|1b>x=Fy<`yFaj8%lW zaq#~*L$}|&yEG(vaSr1H{+{Vl1Y`&SO7<=YTsUUX~Sr)Vx6 z<8X@pHbAU>7YtyEvGH3;G*uRdN-xCJL`JTR5PWyv6E5a&If`SaOXZI!R0AVh+ z#4StDL=INmtvFCVIVJ)8uygUkQFHia^PYGw$JbTOaL}Q=Ix#NV%^URla#>pNQZw5b z5;3_;$}A_~OSSuMvnk2>I;Y->4XnQ@+ALjDHPGI>t_6w4^s)sz8_}ye2f_kd3o>a| zbp3a{hE?uy+*9m?!$=R^1QXes!0$q%?100#!Hn-V+wqVK3u;btHN?LjJNjhEuM54Q zh1vtRY=T#OD)e2+b6?AowhsYfvLE?x%0Sl~@|4aT_#^mNAmaNPar~NS?5O0DsBjmX zGSSEyE%E-YNTAhyM3tNXvhLbFRs8HwL!|i!GwBdzsFWRJ$p`ys>S(Jl>-+4xrNDP!DNs7elk7A`rY!`#x#XmLw`8tP` z)}aUU$alMY4+*M+I3S7E>l^_zY?_grpD+di=pC6j&M3osCp#&GcM9F}uc1zfhua|) z38;4x`4t&Rq4o}86j)gQ>bMp4#GjrRQBv(DE+XgZO~CR6{OL&Z?2CUjy~*9F3pVJt$ z0@(yie@|g#JGx$|du%+w8(EIGqG@uOt{aHayNJ++pE`2UdWTdJbnU`pM%1u_ukKD2 zOb^CSs;@RSKsgv;RJXK+)#vfA|3l-nstj}c9aR^*N%t?)EG28AFw6TRvq zY4+zn6gHf3C9;jmE3svNPZW?9mv*%}^{RO-+Uns#SATtBB%C$oQo#`#D$y5VNXmP! 
zi!`4ny}X*W%^yS~%@MCqe!qvl?fZr1qcDxi`{1$Z^}ik;Dt0K)JoDi%lKM73NqF;P zfylBv4z@ifgWV*LIh8Dh(ML1){M|+4`SL|NoC)}(r5Ua!WI>7+nENzYV zyy8}dyrBKp2OtTag|%Wj(piy3PYC;~DIUTTDz& zv$zG0TUxC!w0QRB$rzo;!U3iohxNp1PoW$ROob%|!LBzbq~%KgaIQoqmq*r2F~KvI zCU-u?*{j4w57wn8gG=xd+of+jPC|-xgEgx^~LWAfhDuy}w@VOV~z)ius z+c`4m>q}GQYK;I$wc{Ay-}wms0Asko#k{O>?qEIAag^g?Hi26_`6!Dt=q8JKg%D-z zDC_2PcM;%eQGh&PpTX&0Z&ca+E>|k0HBCzCOo~_$-4iXJ)K7*=D7P0?Q*_-ySVHZZs8kSgnlQc{O+LmHI~ThdaFo zZj_vy1HVBTTnz`{I(*_Y<^7L$13s*Wk`9`w@hAqp;X-8)>~B#m_p>!KHSX>;2{$a4ygP_mTZDjU3@cPc5h7=bcAWTvWTlJg&39))h zNZt`0{7~(5&};km7l-CL$mZM9UG#-%$StvRbhHhl?}R2JiTeP(*=e0FsO}9|8_1}U zUSE1)?gP#MMc-lNw~gl?uC75e@iV~vv?Br2U;^3Z+@dzXnEN1fQNr}%ZiIr62*E84 zAcVTaCFfuO=t(wI`-08GGbh&}jNaDA$SIBAQiW{Zx%F>CHBI)-eET;AB2u zG-e2}6!VJ^lO_Q@IUqd9kIVpeS)8u1ZV>hea?8PwccD`e$&-@(1{7AQ5Fi)(;#mPV=Dbyv zCZ;)PgR>_FRv1^$*;5Vk+mR|aGgS~%v>j67W8AKs1;QJNe%o~I#u0I|% z8?g>9$hNXYK$kG_eoFle*+Q6S`6^bFsb|xh`^I`w!z#aaqG$J1!cy<^@*8H%I9 z8|50f^2aj>^Lg-aGDb(bpjJP%?Uv>kOoT@z&aQ+f3@{POG88ne7#dbOn-QUekJfsmjHSFrd9kY>RBK`b9>xWM zFlYafZL|`RERz@M!-b2iso}O;v@A1OE3{L1y3J-jx1fv7JriWK1~cmM*01mcochd}Q&kHtwFo=F~%pzvVu-D@gy;O~C{0XkwU ztlkpP+6O)`Fzpgl3&{W|s4=qKISHdTK1oJ9)y=Pka7E9?+Y6I?6Qd~_&W7fUde&o> zs7~S={)>CPdY^-r+6451gvQHaKuq1O>qHRmO2GJ%Nm&Q)q6z4qBA}D*2asz(in{32ka7I=R@ zFu^h6=jj9fW9S=BO$8c1m#n%Aem1e+0HW_;NV#AE)`_?yb>3RAoe``{KTuj213&mx zaJnZJnii<#2}W%CUs4H_KrlIja15!h&$Y5jfff;!8GLa1c)y_h$N5*8dr9CgEd}g; z(gAROngU-P`=cK(?FWIq@Yvfrsrjt8kVt4y7_p^dbJHOYI7f(xW}g7}yFO@v;{78b zF+f9M4%G8S0E`cfWx!azU#7Z2`$PD~jn!~C_z?)X>r)_4 zoxe(Skuv|8oJ0}Sq+WFnG8TW$J&|KjBvgxtf@c`QF4F+0V8gYGwzXvKpZ#_4j6~vz zZ*T9kFYx8MX&rlcJuia-RB{85!l@s}#9by?5E4E4G*1U~-!-U0fOz~7-a{%&@AkO3 zxPHjD@P;7D5`gmuAW?(YLqZxD{*WX2K=`II0*vc?1Fv}l@J>4euo*<4mk{q|KK*?d z=jcb#9I}e7dK^}n7%( z$(Xt1D#2(RTI(drF+@+cM2{4B&Ud7$JCLf*q8hWxf#xC6bO7QaRA`F?h5e@Cz!G(9 zv%}|Hg;Yoj2+PDO`rn7Fy(HNeZt3b03U-BI3k(o4$OVEpA~5M;E!#zdASE}Gu98#| zkCn(_yEz5Xfi!=W^w|lMAwULsgEb+l+GbZwB;&~I^*6yCo}Aa>bbHjV30O)D`qUPg 
zA=NPfgvqN#rOH6)YTu>ZE~qQuXLr98!s`b)g08%~pYMohf`nJ?)dmTYZMW60Xwe(= z83Z4~dkZ$D+=n8J(=h_*FmV#IAJ{mq3^xFL)Mgw8i;mN-6p|lFVEudssN+Xm`#$$wdh*GStHqdH9YNglG3(R z+u;x&U!bX{Kye2VQ>XJkvTX-GCGT|wj&8uFq-2#irC>|VJc=~$;IakXCA`K+B@HHIk6l3|!>@j9L>j`MOUU~7!&yS^gT%~Z-lWY9SQa4(R3!b(g zN7!qA$P)(6(vY*_2X=9OTzRo8Q}duZZZ4JR?}=pbh(2u1%K^2ZF0Yrv zVJ=dA&-!bg?>C^(d4F%DyWI0$KxnCVC+!CV%04x=*|DEiveL5h4aNELj@!qtTfnw& zpFG9IIl|h`9q}x>bvEhKvv>KAlEUb67L~uY|F|XFerDdW42&((+d7}tnnzlY1ps#FGIgx1};0 z%4?55H^g`OwIVsr^jt7?J4lgi&gmj6Hf{B>+=C)+U;7ZTzn5*46dul9suSFEg z__1>n&tCdpEZqNz>tr?ZOAcJ=QO!NV?$q7%OCph`RqJh*DQH}&ou&xsEgi?UXrjxG zX)T&lg)ha@*z{=019IiIy)Wdh@?diochd(6M{;`!PLcDSA{$aDfo@`WlZ2Y3FvHJmh5)${CUN z$c+EIEXrQ$!jVZHP%q~Z>V<#LX@JGD;P1+u&O?E@JTqoh*HkRo-dbDRaV>cKFqhyZa$vy zN7?o+f?4og18?*&!&TF^w-p(HhJa%N!Bxe)m7vFi!yBz&HUh&siEDemA4%OQ-+Lr( z@v-yojzGhRJQPS5w;jMXKMen?Cwp2lGWNVwZ`tA(QXp-mJUmnqPxRq5bEhgYOR_TH zN`0KqYseZ<`XnReS|iR6M2PXeGt4Eeh43TtU0oIU-RN&2i(ofVsln4eSR2F)**t}L z{Kj=lZtHo!bVH*cvjVAcN0UZOhh>yT4To41e8b{|^egFn9uq8L-NbOAqk%{gTdidP zvPRE0iD**m7$vuFLj;{llf$H#Ou!peMY`TUTIJ`uI|C6X1DGf!z*fR&Sg1fyAo{*UmOeB;$_AgUAFzi%6C$m9Hj}XE=Us0&PzldT&b>b4dt3H z&z?jcj4*rL=VAd`_Yy^n6y7LC*j36rS=bf32Ny|niT2hP4p3s0ym)SRTLyu3`!3hq znA;Yc?D>}8*D_pbklCAKqUCS=Ja3>wRTI>7FIE%MWNyaNx>K25v_-%fGx9vibW$)` z7~kzitHag(f>vj07g$bqdI@~*&4d>MP&q$_1#617w5Vzv*ApHl9duR`&e zC45mwJqC~OxkT%kJ>%*gVFc;`6Rwmaf{^MaZ%tV8t9}K`v4LyP(kqUr&dX0lEc-vX z9g?}rMu$(z)y(dqu!Wm#z%14fP3SMNL%YS}-f&kYyD+ ziy?|zI=+v=SecBr;CFru68kt`uVQ^69s>(%5c0qyA@B1%>w&*mWIu z)D1r7@lDDD|l`^=GT)T-FpsR zc-z-o^bI&kkRuq~356Tx0K@!!8K zVy!34mM&f>-(zgHUBWbKt5ey9ALsD_pJJq^eV*R^MBq@RMZ3he*T399sA)YLfm`gt zp@!%7^bBZ0d}iMa`6g2oGpBqN+9`AI;m4M3d8M5T?m>xX+);jQQKa?B?l+Ip2}*g4 zOG*z^js*$6-81zxljwu>Z(F*zGnv(#oDCl`S_-|?yCkJ^AfQg z`C;7UcJuoW92POxGc3;kfC!PxKjknZt!invluObMB5dUH9@89`fB+s>`zty5ayNbXk zIB03Hi8+z)r}%U~_?=`t-bmiQW8)Iw+@~rr?RfLo8{>d%-z)5_3S#}1*iVBADU7_} zCBSe*?kTZd!d$^DWo66cF-Ei53HH@i(tbTAR1QPilE|}KjcdCa0_8HxFSe04zQnsR z$}9N8&kSP_$kQw@i35vm#T_8tW2A?lY38qCL2Kd}}3U 
zR56atH*sZceRkvCENIPUI(SD8gL*)NI>3erQ(jCuIjPT?k>fD0M|u^!^1L}%-|CX0 z5A`}>!3(!D`)X&l)}^N%48h9OdK|+FN5$B7z0i zqX9*}B}FSbaz7?^*5mD-B#o^v^4%Lj+obK4zOeU*F|nb$`1a_@YiUYCqgSY82$spA zwTEqQGHp-U1|xb8Bl@1kdX^rw1&+7{ui-t%uyZ`nYzHd-dvv5cY=kg2Pi7pt!3@^V z4-EB}FdT*klr&QNMNLgrX!M(Q5^YrEc4%iOnoWm>_9slkQu-b}3~EFST6BE++zmS? z002pC`gm)AS4=uMQhSX=D6(u+0%y1Ts z5}reja|t?_v<>LbFgN=W2Hu8qnFb|1N(+5pMKc^l(_-P(K$?HQI$B^d2rzVZ4`pD; z1HVhb?T_F8#sXxQAoZMqSzyJ2cauMC_rb8ajXk$H;`V(Y!o4qPZfE3&h|R4}D<9~a zesLB20{^)+HN;4PBx~T};==k!Qz42baT?EbFk&~US@IY|2YAfGgU)4zzYa(v7;4Sy z+l*?5?IWL3j3A0NCRS%p@u?z-WIx48vb2@kZ^SC@q@%^|HlyhYePUOP$E;qYVWJon zT4a&OLKd52ezh#k^EW?-6)y_svx^zXDI^j+MGG{1L2TeW;{=IHFL-mqaM85lIL_CK zH;;*3WY8cmqJ)dUfn!8>x{d)=AU4`Fp*9q=JS?k~pw)Z|WE!5V`~n(`p$M`PrE=tw6l<}59? z(~*(O(BRtyo^2rf-JoDRcJlht&>qCil@k4n{LLsr*HoV{qqf78Ge>Lhf#$N&loPUt zRh;Ws{ylRRq9kQWMs`-Trm!A-#{>(%-G&akpMUM_^X+5NqOiTCp%ui@BRtBBsywf4 zC&4&H4E0Q-mI#lkfh-oE_KRXdGGHaeXzApF*iOJGYI%28($lKL7?u*n^k`AS!WTd? z5~hQ6sJEakefW+rGlKvX;C+vvdN%YXu{jslPWwcK6n<%vM+S2d_Jjfhb2~I=jkTz) zacI}H$^1Zy z5E?2|L$nlI93wos{eL=t-(|g+Re01A#+$o+`+F2^FuZ+VMzC?#)LB~rvlZb0qelLq zel`GQ*?uuOz!D5%=D~OG8T2Mdpz?Y76}_>-Fn2H~k(vf*R3A>#oe{@rS?(8Djt)V^ zgU{t~YlJCUB7Dw?tN3or1`Gr?*%BTba+@bzZZ+M1E8?MUH;fsXt#zle(HSev0%5Z+ zpP~hkHY0Nx&s~Ay-Fotmq{j) z%-#R`)|En4Bc+^&Dz6``m`-(FKR2^mOgGoa}TZ%?fooK5q__YHRp!+Y8WMk-RNk`INHP0(@cCLv(da$SR1(+%kY#qKk^JTEM_6(1l@3X+?>)aBRKqRpCrDvGNo7Hn1SXpXFKr#o`dwebXor5^ zAc~yDC*51V40(&brR88DA!@f-U$8A*=tHKC^0%<>!t5T4M6Dle46vPkcJ9PYbdAWNGUmbB{>dR^;bHrJH<&@p zJ@L|h`LsDl$Dh#LQCGH4xt)K}{vwMW*bOOJN%!-!OgMrWrilOSW(pGikUKZHECdFo zXN(={fdS=>e~(k|n`wKdmh1J5$^0by$UC75^=E99CfrYNX4j;jI5Uvl#-uBD2A4kKZ#vbLmEVIdNV^ z4~dyT&iuubEr%yWNR5p5s_2=>0jEP8UV*goGmte4!XOzU<(0g<2E^;m{5`2PgEF7C}Jf}^-cY~lMEN$euC<9}~o zoGeLw~&ozG{9 z1LqcGPtUy0Jo{r>7YQIet^f9gfbW*8Eq^5o^I-?xIaYEOd&Hml6&EI{ERJ7|CF2H+ z)g7rjcOB>X{%hpqIiHdG&^oUk!JX=^ibK^-ALbq%;EE-F=CL`I#(#S%l+ zqt};&aHZz5S9r*BxCwOC#kUp`q)Phl9m`X_myMz7GF8NhrMUJ^PkhSgm(nW5Tc0(% 
zuk6}ydRbxD_YQTx>9;am>`o4=gBEX98epqAGA9(cl33^do&NU+A<&zMJPO}`7()&S4B8w5zkAb|z!z^3QZX*f zuj%)3n#HaucBf(ZqsN2nRj$)~$Ir7`pZGRodoN~P@rw@qiqKUE#y&aZaJf*2TE|cd zzGm`57)C$@dyNp$>DfM6A%^CT3SJ3#cQixg1f=enD5cWX^THZ5W8RR4a%+vh3q?PRN{JL(7y= zv3PN+m%XWI<6|^&O{9B-M-1Q1=O17!51U1l7W8R<&5@Rt7NR}GzS;FT+k)OVgkG?` zYM^DDwySvXvz6*VM!|XezUoyE zhR|7|vo(-RJ-BqOnYjy`|&<&jU>SNP`grH2qwGiD`X$oXZb-(I+ zLf8t;L(u2=Gf0$y$=S ztZ$sXGabhzZ?U#M!NL-@*!^tqzLD4Z%(cF9=lSTdf``H12Rd(xRh+r}meOP!uJeNu zQ3sCMkc*br&UiBPTUriU2%Ilo+}F*LPhXP8Mp zIVIns&7p_YzW1`PMDX{zrSGrU3FaTwYDRjptYv-o92=_QJk9%3{N=(PPH($9@n;v6 zVwA1QHs~Pk(K5m-gzr|Z3D7Zz^+N?U+?*-? zBmX3+^I7z1T`2!l?`VCiEvEGT>zm!Y(pK$HI4h>;)!k%ve(H02x+1#E?p7?+{^-j1 zGT-tngCI}r5;`ACTodc9)nkB3!Qnh2-Rg-qjv78P->l{^r>6as370BS}g>1+xuu2i4@%1%1i z<35POTp3Uy`DT?nMvDII%Ap52#Rs@d?THcBw_+xrUUDmMc*UeeZ4lHtzs^b?kjyblA##%gqHRo05-t#i zw(Wn>Xpff`wy5c{ay|h8>JknqtLF{p7YRSzK0jm5le_Ye80`C@xGrzt(t~QRZv}(P z?RN*E7NONj=$+m8?yAfe)gLklKV6SaCBo8~2K`!ng?(Z>xwd=ej#)LSA!xq*ebJc! zPZQ=l{A)ikcVynA^XdBlZ1?02$Nacuo&D{1&y{I-1;wCFe=KS$>@l-~Ht| z^v77-IQOb<0yk;Fy6eUvx9P^>Z}FCm*Vnw~iXO*zf3<+%pbp0mo^5!ebmas47(q7< zbSsb?RV9u1{YR<6Q+W&#xvw5R&*SqdpBjIjCYM<8%=E)a>c?u9YcUamS0R$0_qpI2 z7$~p_ZyW##N$1~X-HsEd--FDrycabj1i%DTZC%EG<5Q1_`;NTYz1uZVSFYfZ!MCJ) zCH-Q0R;}Avp1q%$AIKo2(_55$*MX2z*)|<8H=~$gwfBF;wd)MmdN5_nSzXfG#iLt# zoT9Y*n42zg%D=A)x|ZZ2vwn|pzH&{Ty~SVA zkw2Q+L4q_afSj3;p2ydq++(@`53**;+c!uqRR(IhPk7U}NHD05LhO_d>8nSwE z>L}ib<EZ}nnh;pl!B4BmgCq0eE8|Lqw+>rh5sf zrv@P7c6xJd5i!HNFYS{-U^*0~lSdAOF5m&!pm63Cbo-I5_?uUuT4Kb96y6Cp)KXmUdAZJOK8#R3Ryjigr zG<{E}&g+xlTQIA{QwlQZ*Ev6q zo--K){A_!8Ib?)eK$)HjfK({@j}d{(M-X9bGO&Vd?$40is+}|v@`**n4d5JD*EZ21 zfIz`ro10VK(V^2k8qJV6CB=lG2r2*w1_|K`V|N8Z$Juu7^-L*G)|CZ<^E$VV9U^YP z0ZRoE)@5&mwPDN1+r(b;V9kBP5$xB(NA41xn4Ea`z$L_DiEMd!C}=zW@-airgd z+Lp;e6y1Bv{WEUerIoer+=}l3|0VR%jj5gD1{Wg-JPhm}g_Y$((9Dcv zm?18JX(a97SJnhtv8xEysO-S$FZfy~Sv@G9wBwhC*BwiMd_iq9wh6$TnL<{$8d6;n z^TNtpU0lIxQ{K;C?*ss*sHYs9#^*!MJL(`R*=qw#>{k2#T)I#~0<94r>G9ns1PHV8 zt}$YOiZD$-;l%D0yy!7vIvfs 
z-0T2u=7WZ}mAQ5~PJXI_`e>qo?LFj%w!<~9y0FIh=Ur}hT{x)ho->iQ*9HiBIE+Jq z%d7vGG?<%=*S^Jo^3p<-7iqki|HV+cxk8ltSq>9rwx*m5dc1PN1Zc9hwgi^=c|O zzibCgceWu*wod@}z3c7A_0tc8Ne6UaY}LTkYIi)5cN9Zbpy|4%yD3cKKQf}Y1^C=# z!eaa^fab}mqd?HZ#Va`?(;nTz_aL+yHybf#!kNtKRTL7VEI$i=9TWF-@Ukq`AANXIj(yY;Yz})_ls;0pga?K|b{X;@yR3dKG^|R(q zvV3T$xV%@t=IERW-JY08p@IpGbJ`Mp1~HO7bONZoJXG z#J8$~aPBpN|KVX;Aaxx5{KPH@>gL!!op@%z;pGt0x5LZOPuDc^gG~ot+nP5zN7{~C zo?+qPN{A5WDcM)wT8818vz)HaO|Av%++Ba!1sVz@Pw%xVS-g>B!`hXw26V?pc1VN` zK3 z;kCL%J2Io}qgy5}G55_SQ`=l_YtG-d&j=t}oVNsLkXexkX}hvEkgqKGu*u-)G8aC( zXR6IaYSyGI;`Yd4cSGpgBmU5m$3K2nh2xa9d@VNdqKm!dmWYK&b1S%(@kYHw2z?Bn z{_CWCTtK+p<|-$YMAYSy+Ij$N6rIwYESX$)<`+)Qg?(hTdZIdChq+O!1YWV{|9dsK6PKr(yI_uYrxA;R2MRPN`t z2GrecQ_i7qQ419@I<`(QrVcI%B989W?8x6fAGO^vfC$E9QRTF$98vnW!5t?8hD2Pf z{HCWkIDMb>%O3cB*Oy`?FPLB7V~KrEhOw9_{$sob6eL9=Cb9z@BI9W6f0k|(aZPcK zM+p;>kGw+je|*J)O!R*RQHgwTkkCyL^TfFVL&1|$fVdd}{SBTPxDTGv%_CL_*5@r} zf`QZH1OopPaejadmV6aQ9y@^nhbp_~pC!PfKnfriBmTqvh77#^ao%YT6v*jT zhon2Kolrur^B!FWdEw;r9zX1yBHR!2=d`HIez8Q}$nh7V8HB>^g00(W(;+C=#Q-oG z8hrx_t%1faxN7^1?m2;-Q$}8)fyMFv^c66IzaRLkv!m}r5kHzBPCQrg*fxj=#KX)? zfKSYxgt#(%%g(z~pFUqWY=<}rQv0JJs0((q=s%oNc?6k3Y7_mx8h}lfpC>PJC)&i? 
zV70E17gu^ZWREiTc@8oY-iSZyb=hxm=lx!WaLV+s-$6oyu%5*e_9BA?AQ7_Y|6k0m zD*hNSUTT!`zP;rX@-gnYbcWx4S4mo`r%k}pT5-LL`V*zeNN6zocBk{ZP9iUQqSf_~I3sG}sr$zS&f7WJ0BlfU-~Zm;KgK|d zI{s7v!m)qp0WFE&&T#w8^5y_`1&aVTwxcI$Ga2^$%3MKC60IPI%>ao?sltMaWCJvnRdZQ*~at@iSaxPb7M*oEfk z%>zR62kQtr-){s&6Ya#g=QWU);kJ+wcBJk4Z(nXkoaJ6S?NDbCrcw#daBrKT<0#Nx zGnW5X?R83zsvVlx^X<;T<4kc81UuP?fhXmuIE#Jvz`IhC|4sUu33X;?hQJR|b`N?R z^)HHIq)yNB)KCJhRNB5Mhv!HzD8_Dv?&UkhzkRIdX;W`_x>H@n+`ms{5CR*lbMH#) z9GbOKcdVNYM^$ds4~Qdi!r_A*40(VAFeGt{kdm71PrR&TwtLj)y5IkDIs^-}nUwI- zis5O)EaU+6ZArc;VyNIxS(Cr905T^Id31g`KSGTesf6e@W9otb{`J3pF)B_*@(GYw z78Jb{kCOK2rcl(+oq?PqyOimfVLcSta?f$oy9^LMeyZOtLK%kU=g#r z#1ah)>_GR<_#saAwQFklZu^?wqFCe-SUN;Ud(UVvnvTi4bB+}Bag6iq16Q}RwIMd$ znN7Bo#I3jYu7rQs6!_+#o@=R=MOk0|qLsQ+2_p}nYZp&grF=y@%LjV9P85ZHO9BiZ zr)8Cb`wxv%{aUANuzr_`SJcntIDUSey}Y%ontkd`Zb8NCPL3R>mti``8+nY($HVi> z!j%hHMi9(S4jP@Mcp6Vam40y9=2fbG<@R z!U%d8PeSq@_8l8YDY!8lTX|1tCvJ7NtkLw~t^%{brb~ukGsO|(h{~vIq zLc=E6G7b*PR<>hg9}Xd-M3UmR_o|FTW(OG=$CeUWMpX75X~@hbl93Veyua%A|K0!p z^<3BUT-SYH_jM=de7>LWXS~O2C{A%HKs@hv0MV z?C{rTnBlr0Yt4w{QecxE%{B+Cmx=nP$f|bp55C^xhJ2)*5H7FdP&?K%YUIU_OS@D5 znE!6P?wkL^sBZ&Pv`zsBu@3X!)3}=V1|(x^ke?et9yJR%e|OM~+Gm?MkJNChWe6Gz zE)&{Ogh>n;;}UH z5O%`_umomgJLewZI@zKO4_g4DMOd(Yz`RCy6wBVP7NEXR1iD{HQVq#bzv}Mv>UHi| zFr;+i>J~#5VQt*`dz8=kv&@N}i(ApP4=N(8SnQWLB#!JlE942djY)cPNIvqBDd{wyywis$aE6IT{p3)4Ib>rjmASaHcWD?N< z6nq{CbUj2oOt>^5Gs{;9_+|nxa?u140fh>O+A7B!2={i zgw{!20TERn7-=?an4w=if$}vric$EkoC_OtRq_!z>i%sg1H4Dd2aw{??^by(rp}%} z%JHfGB5-Lq=A}oOeEh-KiPERd6j{5WLsxKF@+2Qv%KiJ0EK<_AHBys;uwsGMNS`9Wc&1Cm zWw&Os$+`lyys^312I5kAGZ}s{O|cyMaN=cyzPrZVMvmXl&7FdLHFH{f}~G$O6Cr!MQ(2lq8Y%=kCU%>%;4#MT{@UBTk;#-tj-R53G`?TvQG=OKm(sE^ z=$?&-zXh2loeMaf-DyuQY?+=iJ%nzF!1@?f68t#kA!weReVX3u@m`Xrzj#vMm#l6x ztkyb4mR1-a%}K{glYh-vmKU2IFh5XH(6SD!m^)zMa{_%-ZH@r2 zL2Y2EW#ax>kCJPIk`ex#?m|^((qbNvkv7J?bdvvddBP)-NipO~3lvK8gl6=OirrJ@ zekDc`*7i6^u0Ff{B=3G7So6-pKKFOO_epd={OQ+au_aEHdub6(HNBU5U?DXsoVHSN z?8~K)UuijQQ@;r{3pJ>58f&*}g>Vi7Ga39>B1>qUsqJOQU+bi|jz`a;ZJ`#zwEf(3;WO8XzKQ60cwda; 
zO#vwi0ac%sy8MXVm2qm(doHpHl@G*ifsD(j9TUIZ=~u%YtFJy;(iZn&+jfoFV^&uw z5#uuLv$9q?+o}KZ2Knh*vn?aH=%oYw=Ov~u)o-}Hz3}ke^|i6U@mK|B zP|QQX6*tHJ-Ukm8P>fl?1dsHZXmoENY5xG`OakD+5+>!mQavVfztP5aeSCtEv^^9E z%90-EH|{sne7=0+#c2Miqk=b$!%9Z%pJ%@6RwTn+pkI<5TA4AsarTE>{Zqe--C94- z)#-O%bk>tD-Bab*aMH2lLyP+>GNp@`$V;NFO>0<8oASQ!6YPkaUndf~d!WklVBYuR z*Si>(7X?s&8<#m?#$+GltEK+}* z>azLXwP!!8&H8Ibn{id&+ub+Tg(EZ1#DCqc92*yKelKn|{yrRlX4;N;?C zGFm%PYtc_mFEPusr?+Y44w@Fbq2B4ovv1xWVmgxzFXgBLp*8@Sfv&jo}aGmzx54ogSrh0 zcne@SV3hfCG|!8PU5aeE|7*b7&(G3D?>{>WIMr<0TyVaz#N^Nr2?~K1#8f^0$>tKB zE@&L}=e^~4`)k-O!9pG4%~P?$A8cg18B5G@K;|_$`50N^HEKs*8!N*SUmkGQO?#dt z!tq;)*=;h~WA^3m*LnetGr6o=QTU+njho=g@Fn$J;pz}xRU+S#;+)sId�tUN9}v zJ(61yEwvx}RX5-H^;%yk52KqdmpE>ZR!ST^c7|+a^xH)N?6|G_*3Rho zQ{9SBeflHW{V(-F;R8pGb6tuml;bI%7ysBc{)-(;kP6o^zNB`+kP6c#)uKjR5L5$FQII~Y=wS50J8}RDSC*6cUHR%4?>eM@_j}dC$Nn_WSbQ5L@IXg^C>|EKkn)B40yPC#Udqf zE2}@yJQeHXBd2bi-4BZlwxhOxB4N>{8+w%EY-(+4 z-Gg%hn|FlYD9#!ro!I>?B)`$|zE80THn4WfqzNUY^F{?<(&GvnqnM(o=%*Ks*~f4C zCj(c~2x`Q0k4kH4Ib_n$Tv1sLd5c6r@GoV<&e^jyGhARAI-UVlNdw?UB7q?iOZI{a z=>=#A(6xhK$x;EtKYc)%#5dE6TFHS@dmY9SD##3(rCy+Qu)KU`ho}f$0T z8do_4OlScGaf2p1WPAO++??W2d_%-VNB7BowHs$Q-+l`(ah!gWj5<4*8EXK%F=N^%Y6A&JTCwvD4m-CSNGcDS+KAwW7K#|7aw#SXU1Sv1 zL95l+zPM6<7~~?T*<@Ysf=h@xNROU_BQFMES$w$=^FYL>QjT17Jom&cz@aAx%Fw+) z^Huv8HB|`ih5glD&g0!n69Ky52T>Bo`=s=5i-YU@&Ug#Q1##~mmy50IYU2bMrIWa7 zok5>eg}7<&AM~-rtZ^4CO^G0KtB6yKI%$oLMBha8JA~=O0-g2`m_j4eq$8Og9^7BMChO5ni6$-;mQ%}=-aO*0A1s)?e5*o&1eZN=E+&$o8f)`~Jf?mPg zmF)2<2q<{P)X<7`yX!12`QKh|jGR`GMoa+_`#6NV9?dRqZX4`<;W5Z`yd1@dPs~qP!LS+@-gyIthJ`uZ&IdDOvbxtQ~$Cb2+`UqaLZ0$ z_1%8LrBxtoLUg@gVmHX>B2e9_OWR28yUwDS8E`Io-h)}W+oa61cyoPeriV!7+o#=` z`u+ipDyEN&me(Z`a$NiwU6Z_3TPeJXmJ2-Z6h1Um+%TRuk~d5`>@ZJcg*^HU($z@G z0R5C7F)UX3S81+8eDmRn<)xdSr}L_yixXj|!dL*te+iWID5apC}h$5-POBO+8*b z9>id1w42aV5Q_i;r#s45M!YRWH-@e|8nUSfpL${d*r<$q*#?4$F#!}6$fvxSE1_*- z6Sz_{r6btx3o5e>9EZ_AhnTv8A@#e6mS1hY^E6mLRRRwupfcoc)a`?Eq8_h?_^=&o z@I(ddueXiT@3zivRk6*cL`EOW{%zMO{mkd9hWpGH5T&|##`v+h@sRz05W=^vOOY|C 
zKt=299>Gh6C{ypY@cHcWo1-==w6nS>4zPg1Y9HI3r4k$?@$ zWu@^v>7-m3FBSqyM0!^xaFeUmj0m)9e7Fd7SzL#MNe)JgQg*ig18n>(nEFUBij_eA zq@pq1xtfKS&ZD*D1AIxsBSOaD2;)0nR8R;4)L@*fxEv$jr4sPt?GdUE-Bh^RNJe2n z_9l{$qaN4xBZJT{)i{Z;5_XUIS%&wHC?l`;clzZZ);PK+DS=sT=~?pU^ju?tRO4WxdqpU;c`U z?HnNxv?RDz(3)}=L9|8{a^pN`mqmVEO%Ux?WjvQ8o)jdK(>|q+r+oTQ){!wl#_rVO z@Tw34+A3abDj=y(J}E6BPe&Ky5|O;n#jdCnw6`U`I8c+iGTpAfXnjlLvAIMnHFS9< z2jK8O){pV<)VoGE+>>8ON83o+SYFS3sO!XX-zod(&Fptn;(=NJOb4soITU&bU)S7z z87+a<-QgS$=MjCr%;)r5*1l}>N|Ux9lsXty8mO$h z37;EpJUXsXWGJsy={A*X(@jrPD$Y7sDDnrw4*?)lj>O+qqM`K#b-5atT!}4FPpjgI zdm$-N;u2w2U3jS{B_@p`u$e|RTuG6?PXHr#UMP71FO+;eB8x;I?S0+rOg zmg6Zcg0iSAM2dfz^=y&|IU32nyt;qV^O=;liD_GTULE)irJhjEiZ#shn)W_AG>!1c6`Q3HB5VTpoF8#0#v3D5HL3wkqiju6dpR@X9*E zjemGZ|PfNsaKhOEd*j5jmBR5;`fw&E& z192nG**81m4#0BneyS|-T^olK8 zA@_LYXRdP0*He-%_;PA-LTl*V z)T4JMJdq@={!h0lU$wsd^49EUeK!v&y%!gWbO#rV7@y5U_dgJ3#`B}RS6+yoBfJ#E zlEja9*G#;;d%A+lONvbDw%cRR1;wLsWR-ypdQJ=OPoncigzHwJ$2q@6)FI-ihIF=D zFe%wnrRCY0xM19mqe4NYaLxR_jdFR$B6X9RW#gdh)tPF}gDw+Nq>G%Mw0DXw7>CHV zu8KXSzd2JQ5qX@}j)3c!`ok}wlM_NZ;t2Y`C9d#t%J?3YX7EtPuNuQ012qYrF4kjMqm5(I%GnOg(pp@;?)qF)G-Nqz9&S#U$A zPIw0TSken3}I3!y` zIzQn44rjaqtzmQK)TbA>E`f+2T{PSIB&&d*#=RpD@*!T1jABhwX3r4l5Ex2kQmY0& z$cJvprfQAC^vCzNB z1D&TwkmO3(cd>Gv3xS9{o8;hOa+0IyN*Bfm4pYzpQa|sxK<#mO9V2Z1Op_esB447w z2t?%u)ZfJsQ039&b4ds=wGS#8e81kVK-UM<$XB}?`>sIb+h}M#HUox|jM|>*vMhl3 zdo=^^oN)H4I@eXv*K4$|x4&2aIz)Rq5}4vzU1ZpQ@BKfJ8D#GpdEBbWoP(9e*zR7# z!_@NoM*^#T%58CMy7G9QLedi?Jt`j!*m&5Y0$cL}dUaVLCm2%}=Q5lgFKGHSt3};q z{RR{`sE(&4FOk0c3B8&KyE^a$kAq&&ssZ0T7?Y@!dsDsuIG8~v4J_M&19e{G0M6)lR*Flb=lY^?A0)KGR|HVgTdb@e%L$%n(?PpK6 zYGVQ<_XcRy8dj5HoWSxPvzTobl0eu=bkW1LZn%(WV|K;CcePVmEolb2Nlfjx(9$*T zO|*@DNIS#j8HxQPZwFycDUwtY{P?=JvoRodL$eSw(TGc&2N_JwC!@z})>?kL=0{ar zs`>gbsB2upu8kh*8A;b;o8!@DVqE&rMWvr|*@{Khc1Pkq7x76_L&(r2l>IcO>hN-xNAT}msHGb7$V%PAjCG?IM zJj!btL6z+b5j6B(e%5c)4g}K~T4rgB->3f^rBof3wnRB<9yQC!sW|ADMNZLMaB|)` z;CyB#KnEH>j01vJZTEeaX(-Yw$E9Rc86LK@-lX%WjC}*|2C5tPpv`#2Z)Ra0Ux6J`bq$Wh!;*GPx7}_41e5}mR9(J>RxWKGQ2oZqt 
zCWNRWw{H?+@5E*UT8doeVW^E<9EydHq6=S6QXC=(Y}mu8pI(r=O?8XbmuI}-YI>ve zW|fSTv@yK$Tv@i<0iBtdm;@cdr)!`BWfk=x_4mpMs!K~bxBrL6BS3ET(i!j?c-j+j z%@+Gib&o5bwnRxiaC?rjXI^f_HGm{-b+-2GL125wQUG}scawXjqTZW|aGx2)FNSa^ zLt3MC2uE&DmWv#=jqHvc4+2(*ml;(r8{nucDOk^Y>Kuzc6scH%O_Wn6-b}rMU=*Gr z7=>*A-~*yd%ZmF%_A&Ypr56{}J_;0{{ZdIvgocLj%-4v61%VH_UtHZM(>?>~0)*vy z4Pg+2Vr0zD-gX%B&38rqval0iVY-?k{eiDgYNu88K}f0ak2gYqtk-!XiO9~pVGfFBLn(BL~DM8Xbr*&NORr>Y0j(A{2gHg0`^;Z zW^gO!TKGYL7#y4WGYTb;e|XUWkTGG?yY22YBrJ$y?X`0kXsNf2rjW!La(k zLB5Fn*?*Iu+8Et210t;?BU2i6Tf*E`7L1N+v*eMmD3)+ zgkY36Y~{~5IfHcw!fx;aj+&?@e%WFQ$v%-qjc~PtgG=`(a*+-&N)Or)pweCLzrRC` zNS7RcPdbAcIPgI!5$X~LJGY;ZuTDDxsJ)h@dhm$FUv~FkHU4)<@C?N)u&EQ^E#6Z? z-lEaqsFJVjCeb6V(e+n{~A8taA30-|8hsVBLQffR}jFI70Jf&Pi-RUbcre5p$?=EC6{ z#B)Hl#yed%CM4e`)%G?&-qC#LO8mQol34x&VIqltCNxBc5K?sePo7HqS=$X%J2Po} z+&&juKlqs&iQNLewU+DT>vd8%h~!8licgrKqHi-hpjy-srJoKn_&OGEU{L=Xy#tVk z@VL-EkrEpvYFqh>Y*gf{7as(zh>{UCY5Gy3TA^CA9V_}g_D{0mH-B>zG zvQElVZ~9Gy)b6tsDW@S#0i%K(i4=~4XDQ_fJ|>6lN1j{3>`u{X_k}S9!8Lc9VqCTy z@S-utIq4p&5OvG!BM4RYwNXb+Z{CGy!nu;hTAu=o#i5AU4XHZ!X$Y`6-^T z3mA9Mia+EW`O~B?}Wa*su{cJWugWZ)9Zhx$reW|+ zT9vqv`z@x53;R9dpzqgPq@MC#4e7y4C176pbNDPB?jI7Q06}^0_$bFK?Y=(gv*AtQsLlNwL3uQfm z3Er?Yxpk6F4&hxLF82uQ!!!&~i=@-p9mE|pZcFVzS|^XUT`CsM3g5)VERE_?%vl#( zm&Sx(&ly3Ee9S)a@gLQjD(bkOLoTPO0H!8=JEBOx1tYIB^GJ3T<4~ka$>o{Sr~$YWx_Zi zW`gRK26SjXL`M8+1y9G7w94Jw{729vn}kD?>qzBbr%dRP>UPLK6d8_E~cAkwO6%h7A*;*zjX`bMh+Gp2-2{;l9oUyL=;a3kwovT`7#YA7KQ3={v z7xK6@7|~`@q9<&{)GR0VD3eGol=pibjCWGSiySzWZRuL^<=j4UPPNHc`W+_mlllLu|8;&IsBTj?psY{ z(b#;Ox$S9G-DEuX$Sw_~{c%AepiL%K%7sVLaS;EdZbZ6fVXgJ5!}?k)u2Nmz*X_-j z<=yuMfOBK?D8vm!j{B|J2WSD_FYlM`rSMU&u}_(^t<4n%kYHM#b*$mR?qqj^YH)M{ zOVm3^0uVGvjN2}v(|^RU?$`XIn3uP5l{E>VpMDS=USR!aaQ#JZ(%_fBrV3pw^}DXv zAEFqTBXwM;cW5b)sAE>%%fz9d1^x^@L!$Y8eH$sQM4A9s-Sp%+)1U}tUzaZ_s4r;*!(2aG8lpF2l zZ$sK1YacH;_X6m84!V4FQ?z_KnqZ_@fS>{)%Rl|kuZ4>4>-~k;{$gVxgxDtkv)^cZ z4`ikWcW}lEXfnHAU=-2x2_kgL=0arwBU8p<&W5>BUiIfZb zVrM?fFcUd*PRRT{a~^a6FD*~^l9yqv%@rE+7%ie!;v)>(rH>2)g-NBJd1|ZI41OI; 
znN1sb4|J#}H-~zDO9ZXkOW1Gmwe6TT*j3lXe&??Wi~$bOWt)a|hUb@vuV&J@05ta~ zt^hE=6h$@^pa6XsXzfNVhG5@a2v9*4BIMvIAV)3&C8t?1B7WO#o{l1w!G7i3FCa{Sv@2i!@@{ZDgN-@x>bGd1K$+J``HG zoKXyEvJv#)Lw_unI~M3Y#P~3tNh*iL$q+#x%7Cu4Mn9;EvmuJ+h}4Ywy_3o{4UoO5 zxrm(XevWkX@wB`cMbm!MnslH;>BXy`KSvk0JcN&ly^(3~f)9Y5B84o$GpEf z;MP|ddyQJLf%Ma;235~4G=Ab^c_Nz?0(ZRUM_!+YTm7{E5&|woL1x(xRuu6mtx$}C zI4}ySEFrwBK9{W(J8XuvEmWn@AOsE%QQfY`X3 zPIEQHZ#u>PZedx&Kh-tN52qs3M1E9v&^Dw9bYYfv(-VsUbMVUjxzlj!tEKd}l$tpB zwj$`-uK{r3sEf^&$w$!KwqZq^q7#O^3Pd#t?;CnEV)moz;xDY7CyvlE#Ge#B{@A=a zgpyE5YsWXAW~>;cJ5iI~OqbsA;jCdrmwsb2r9 zEg_rM(o5Cq{mw1k#pcylyjhy5zUSpGI~gvfN_K|zB&~o}?yCt9f6f64sv!^n)%YSy zFXJg~AFVHqiYEQ=E)s@zGt!wqbZ5lb@xbyU7k;;cJxUo5VhtGq~eP0r_ulIhjM!6*9_E#DQw53Z{dwa24*Yxg; zysowxh%J2^P~96QIof;A`4hHkjk$5-#P<=E%8ERuc0;FEfLcL3bQg|{PgR4UO_=im zs;=oXQA}3e%INIpHwO}s01VOE*)H^srEjNcr?B_%rjrKo=Kx(fCht;12pJLQ6~bwa zhHiyPuTCTmBd677)@E2T8}FdCCn6>sVz%k=Hf7Ux%3Zj!&3}@FOo`szCQxI%i*`{o zn>B6mz7UsuKz6XfFW)ZKSg_~x&O?Zkddq7S;1y*G#QNSgwB47ZZEu%w_@WQ!y;16I}dJ~q2yZg_2 zlMw5Vgws)fli8BiovC{%1PNWKwm8Y;>$~fZFS#%Mme(S*WE^B!8md+M#uRh`FgG+y z2i)rIUSd+%PTQ0DIMW45=$$z|65N&64boS1U$<-Q0U#~b<$z$Zy)UwfR;RpvVqM4n zb=Wg~&erE^=Z|9ede9#UU?Xqw{f=o=`7cL6ARh1g;In8=&~)-Jq15zHg^X~bqK`Mn zaCKlv>Z@7Rh+#f#(wp)8lh6-2qpZZ~4syCZ%<6?CwENMxt?spvEIFG=lpwBLkXJvk z2}4!FFkI_N@}b1ac%j+_sLQU}JPY4|&#UmFa6l1>apLg56d^;avSv@Y?=u|6;js7i z^x9;_)Gan@`|Kx{GRn8ipFexfRsqT_&`YxdqTGf}7<+YWaL0_^WG~PKAftHT4D!G1 zec>Fs*=qxSn>Pc}UldUoq4DV%qC39-ERqUJc%>hjtbHbi{=*scd6_BmNt zD5X(RAA(WSzt@c#cMFKDHMnn>zqOe?jGobNUEw&!tTtzy`JeP<-~l=B)AlLG3Y6LU>(ASWHe`J%=1f!Ry7m-MzG zYnA3WjxMqme7h*x``c2n@2Z)Y(L?j^^q`Q4j|{N#eoe;H_KgO!Hw;B0URlb&1s^D- zZ1sNwK*{@@IdP+pa%!k6<2-!6>shn-JAT*qzCXr^l*lED827F1>WzTjM8b>I7o6A| zuX2oE|L^LMp1v*d9^J%2wu?{9bq8PG%3IKvQ*#iXA<`FJwHn{v_@(Inee%jVpG_~V zWCb?kC#E4{wsCcJZJVfjiO~0&n4B^MDH08;0I#FSRBQfET}k#8%f%-a*^l=em*n2$ zqWYS5vr*F#TW2yN=H#&SWEQt+DsIbW6+Y;pYdA3P8bKk4J$CX;NDxnY;RE?Z4(0gE za#I}{_FXB*wu5R@7Y9-XQXXaud@p+P{bgqOkz(Y@bDbUzRe8xCMdWp@f#=ETK z^+;HG+q`3Iq>!X|0ao-;~JuioW^2CMO!6(z_0Yw0|eHc 
zE$!CFSBKHV(coxf{q|aXA?3ULqR+HSMA8$FZ@Hm8WHfO_4GCCwd}L61eBoyE1DY^> zU}ZfxOUrPkhqm~rn^!njPYy~u@Vk#xBn0C1dm?wUFv^W|pDBWlK0^@(5*-M>G zj)X_>a(+79{f2Lm?s;t0Wyr>P)nvFQ$;RNoi+j7@?IO(iK z$d$7G^9aZ^9zv#(*1TbzPA2=aDu1h>l8L+BdlaQceCH>v{IP= zBLyb0igEuoG21a*rYSN89#`3JWbRs#xl{L9>hyu8#hVCJNO7^?dvT03k%V}uj0<@l zt$#lcedqx)&I2KLsmWIZnqTOf4$#^8_2hM362s=v=E%X1NXV5q)nM+u`CzgR3TIcH z;di4L&O+_~i07`-gQfE?0-)>`dqIbw9kT>ArSg{cb8aUNvVW;;P^EO@p}_0P8(B7bgA`mfb;JW>Vu zk&?>(QXAwixru%$KWjK6oKk3r$FlE_nNx{RkRS`>?AsqM=3V)%KKAG!{q6nf!O;Aj zo>q*HW9}3GW&V^xjQl7wdVdzc99suqWodTCcDls2`Nw%_aVYIE2gdymP2XQbD*xxP z;t*v8=oj&U-%2P5K2vjtoEi0^txUH^W}o5j>=X4bH?w&WpzYcgL34T%44w!aK|5H_ zFAfE>Ug_*AZ_bix;@*&`5=jr6t9V?|o2IQ&#)7Ep56GO`rqi5725(kGFF>T~`t}f$ zCb;R9Y($+<;&dW==RaDuNN2K+8DMuWq9f?Q2>}c5GWjtUDV^G1^Flt`i!Z0bSe)Ya zc4ic(#}sx4fYBxbsOG9;918mq9$V1Y0A2NVNPWLVQZ){uI`Zsv&`)=LxpVs78YcDy!X2?EzjS{O(w!h~|{w%Uk*%a;B z!)jaxgg21<*)=j;Byg#QJ+ONTTvTgl<~#5}0~%ZY_ApC}$)#Jo6V0*GHi(&2iqx&t zg{So=T%oUiiusFcyRcnf?gjXVPIf%v^yK&Ir6j;Le`)En-urb?_Q#upQ;|YX&KTyn z=B5-{z4m4P+Q+Mq_^NJicWJJ+_`n>yU}BEG;w}!X7llC9<{pi(B|ENlFmQWOcURCD za?NmI1R5a#3N`JY2 z`ZN{_2=|3weCF0B;;!S$*KYI@)vWMHXA>e;lP;NwW3p2Oqk9Y9$!&?(NE2H~ zCG$@fQuA;HC!SN-L7*zx%{=r<0Q?u%S@3?| zwS@K2prF$VRhWVSG=tRe>AavvrVja9?K`WPdj!dkru9Qlc8vz!?_zz6`|@8ttJdvH}3*w1qg4{vzRu}i4zkE?zD%}O&kUssv7q8dk65g)s2|tFWy#bRq4j9K##&k21kTKZkZ_6Yk2c((}!|9~)eHE?}hp+6I7zkeab4w`IPzTX}?8P)jxMi8o%2r|J!Y5v&V1|XLqZuhHbdT350^82Eyt;=Lp@ZolI4T4Qy6lIkQ7kxd`%Y6YyF2bqB)`r9;N9 zpMX(2AZ>}^fBJo)Ek93cHl_jHl&qZk%~i{F#PL;F!huu?h&C-wv;S?7O^ z2S&%GL1ZPTwYCgI1^3xDu4 z3IC0W#&sb1;jFU#{}>PG+bgxiqmJChF#U;gT*znzu&3<0@LEF__HX_U#+2r1dD)QU zZCj#6)XClbD2{~uuKt@yjEf#_GbHan(=tTypU4pRCo=pyU7KY4i-LXz6RKEwo#gLx z+mphK^}V-hDRq?^zMSqSNY%)_>uMa%Ch{-!$vR~WT2KcEyZz5|4`e<%w*^{U=}El1 z(X0;T98A6j%%s0gf$*!KVaHzE(*g!^G9>hkw2k=LAW8QD?swH_-e_umDr1d|V16Up zTy74*bL1huWH29mYOK6%eiKSrtPg_S&$^SQ#(!YCnn9JFlTSiUrUjouZ!eSBh$Ysb zak{#?GChS1q$g-vEWS+3el-}Iy)jO~V@Q;khjy0p_xqvc%^68K+QBz*?pIa2IjN12 
z)u_Rso*mdIK$lpVk~I3tG7Y~btwU-h75N%_#W3HAydf%>0a)}^k0^5{D{&{U-h@NWVb+(gtzE&#{_AY{p}Jei=Z>N>$sm@bC3c*g zz`TJxpdDF8cKKzlA1_Q(&}%a$e$^9lqW!V1=5mdYww&{+^)#65P`h0e$66g0bQ?GU z2l%^QHAk2U$61Gyq;{~++TNKAq**{`Gqpv2<1oH>VJKVjC7jAmjZq^iuoEtyc!k2I zhV}_U^6=VP^erVjOuu#7M+1I7@H79jy1r+hl9G|hEG*=_{XMO8Gj??Pfrd&)cP zc!(H<>42%#HS5R2)8>3y$;*^%)?mJsrY^B?0Az@bD5RGRCY*ZtSnaSu-kg8{-UBEg0D|UuTJu zumvU8B#woYlf#mzxu>b>yl&TfY>w|DPx0qKlo*yvm%2FmIE+y$+m@5MkemdPbOvU# z;Al>4=#_bA5)105x}1g9Epe#9_}l>US89LG1eyD}hAF5ejC-=)L#l9@=jx%s{Hwn# z<9(+BhvP>Bxv_y4uqQ}+Iscxyl4~Ni#2v9)9T}*l#W&X4 z4_iwsA%G_`1r%1uHv^WAI^w|0rX2YuR_82LVGSZRisSxW?)cMVoj(mRl=w)ClXKK$ zr+DB+oKa3dV*{r;LeBIxlF|Oa6!$Q>&TuOeX=N^)EPsz|!FS2F_>~H?;Sg&08+0h% z`yid}O+4eykL;})ySyxgBv#MK`+`{8>~|Sv{niwudA2!mg<6=qQk>Krq>v6(hKUx@ zsxh`bPtgiGO7p`lwQeK|b2c0jWJB`(vtN)G^SkX==c%n>Q>XK4^UnQ*+rf&Yftehd z1jP)(Z6zG}=fKi(J}j#X^#c9cHs9Ba#GQ{!3#h{5q+h9jY^y|JLhCclxu_XQ>be)7 ze$gQM$LWr{veQmowJ~U5CJnT{9*?qD(bC|$4AbKj9(okNqRfb2A;EJ~N1P$46Md$M zyL(6T6K7m_@aT-E>5n)RhiyF6Hc+G?VMip^D@e>#d<+5QZ|%SKC|i~11h zM;<}SI~#+*X#TT2;7zEBi>y(SKA{5zd-&a*XUp4s%6x*}>-{GKkePs1K8Ln1d58}D z&)^ko1t0RaZffr8@$d+me(#??437?a-qGHD+T`B*1K|$CY;k^j=bAB!hfPi{qh_P= zW@+^xKGJfQ*`R}BeqE|LNfM6wWp$u&Z!tk(FG)5jg3;MG3*Cl6FXZ zKR-WTQx9EAwY265%>($zt2kylvW361WHly#Ayv#y>$Ohi#)B76hrq`WOZqvSsC5?eeuO-o2VLb8^9T>{{!vk`KwKvqALLRz5wNeT+j|$ zd0DsH*)R|3miVniUtx<^J&|NdU-Vg~c58dMu~J0UG-^~P@)%pf68`+iWJl5F)vqM! 
z8t2NTs1R3heuL2EILy_7|o71kBZap_{rIqyhZczz9=BcjpOE+~c+W3`@GMV!TzAy?7X(a5= zVLh_7e)1Im8qe`3#8}0HjA+|l=P#?@&L63+F?Vm<+9qsZ9P($1A3aHc3`^g{%Ezt} za@Z*-UBr2OG}Gu(-1B$%P@JffA!ml@XtphZY)CSlz8v<~`l4goqmq)crc*0W1!;#W zMc=!;-cMDMX^6CK8-J$1O}S1ut7}BjQdu)QUFQu4^>6uUPGTPP38=)E+M=)fpJm@V z!6MZ`{t?jX!c+>IStYN=Bl+AuLj40OA_0@(9D#A~_0H=eNg#CM;*qM4!mruWbDzs{ z1l&L>tKHITn75hL?cR{@x5q0`u4upU=rQAK3Ko^v9ppW5y(!Ql2Zx&_xAP?;khQe< z(oW?R(y7U%Xq97L1ES*E+yb6IBMu+~rY{Drv7E*_*KXzCW0mbA*9UrR9$;8p`!4XO zydMLQx8;CS_2RwHH*1!gu5I1QiIz$L&{7+q7#_y#0#BvU0Wkg3txL(f?yaIm#44{Pr*%D_W=uz>qBUZcUZJzu zDLwjN9rwmv7F(eanzV`wT+`h}su3HA`ZV7oNdOI;w)QRRnadn>u9FwW&ZN7=piQ4D zLHSC-NS*heyhM`(DB5vikF$QuE{QArT+@G+njCi*Vk+0g^ukCCQ3XN{fgWh;iuv6m zG=melh-2yN7iQ<)^U4hKOFH!N%zb>E=413>7n6$b(}~qGGB!?ZHJEc99l)mM^!oOz8G}6 zf61v*O(H69aaQ3G)Un#pZ1XF_SPeG2b*Z9shcwVHy-iaB#?@)R=lDE^rSsZ71#hO> z4f?NkM!Wl@O$$jZmPiBM(wBVp0GSHc*hVFr)3ixPnKSZ zp!IZmx!ot#UG^tK>tIu|k zJKamIZrHI`$gXute$uhO2QD@C3c>}MRenI3z9&=kW0r3X_%dH?LE(B4eqG$`>@er= zHwURsx*&e*@jSbg-yeeJbH>&-6mg|yG>UeL=;!kKas!OtzNb1~XzIY>QJUD6-Io0Q z;R>d!`eJixZu^qsiIhT~PRgcJNB*4k40y_@o0xA?PdgXh%ql0RhPKIFb%1JKAEF&^ zpvX1z@OWOk>qx;sjacf3UbJy-M@(B{q|S7n;(Pthxwol-qPzXWfZ@nAw%C5O+a~u? 
zup-EOvwEpkJiu|JrgAjj=2F)Za=8u)ym@1zwSUxnJ&nB*AAS8bdPYs+jJpu-&kb!* zuQWwXzJEoJ9sgt!feBTUBL3vY(i}fFOqmFA3LM@2XAES?NcoZ1;a#tZGu6zo6s2WY z-0Z3T2O=TZDeu1OKc*&++CSVEFSTOkE~lU47exPJoQGYcRB+)N+5W-zQB~~-=NLV* zq3H8YdNAT6v1gbgogt=n#?eC!K#TKFs(F|EkOe(dfl(i1l_6y3)^VpLhMKf$L*sNfo^yYaxs-|TxLJCA;|n7WhdG79 zBp?%V<76Q#X~=%KQS`U3Sf1pz}#QRDy)0ZKqKb0%JS>p1r5)Q%Qm@&9S>%)_B< z-~S(JPsvgd60%Gpdt+DjeHdhIVTeLu2q7(xMzW4I+1If>Mv=W$nXzPS*$YGVCu_F+ z&Y_;q_xSz({T;{mIKIcXe`JoCao^W{-`90s=lk_OPaOMHZr<5(hJ{6qVhDS7qyA2c zTS$2O(}wTLTFri(yGy+ku}%xkN9SG@4S~7fJB=L3vBM~`9@%xD|EqcWizWg6#CQ{` zJa&TB{#fn-dN#pS4>o{GVg%CgD+z6T>DCCG%rkb!#Gmh|ulkA*} zroBhd;04FQAY-DD7W!Oc-Y$A=-YXb8pQs(0E(KXS_@$GPA(pJ;;V0>{_On9sHv|Ua zem(lFRNR#QTX%jEi*SGZq@zbsO>3(JgRzAxo6v@eS_vPcyHAN=2s;DpX|{7M{fWG9 zmddPgbG~VA2FZHkEwFjIKh5(}HC2xu5He}{tT>VhG6kWYPI}nl!u0o_9ru^)=j>gV zaFEp4C|}OTI7+?PA0$VQ&_^s%KSi4#VEzz#|DF{LX!#KJuG@nsp)u8SJNAyiE>-+2 z&)1`{qb$6G9JJymtuRU4V}f+pskd3qdmpMm@_`OvdQ<@3C(mOPzk~V1)IInfT2hIZ zCRw7kZy4A$;7{C6k7IhgpAM3t84^GFmv+*In7#Brw+nu2M=j(ReHgcuqyQ;7Bp?*b z-x9y`OwkIvB6ImQQ%a7(MwyN8{V>zxqjbGWS7B?2M0pADGGl_}3oHM<#klGCLn@3= zuwhZZ-4<^LC-;$F!PLDxh>Gz$*-qb6Gi8;1iiB)| zyT}z!*&kb{f~B3x^8cO+Ep_z2SLMIu1|wLv$6(WLfbh=fl?l)Mz%aC`AXr1WC1&QB z&#xtK?!{|wCu0&?_kWe)C;VWNq-tTle-JjI#2AnxGHT?e&KjH4)nKHhDP=aA^D0lx zQ_GTmNqcvOuF7^iZoKQ`yE?|TToheUWFz-1#c$}*&6tyR{Diw+ef#K6FfecF$1?O> zF*1?46y9(9qPZJNs7PfpYz25jTKP*1ca$irWO|a+AQB5Z#L40#5iFD?& zVY&o)a+=*ehFH|j<>8R6Mqc;p)EylwZu03~pNg^U<~a9{j)hMaTd4IZvtL7DYAeHP z!h6*o{mFC-$(u0Y=04htjU5ovi-Z77r)r6d`u550#1p286ZYBKI(EbnA&g=L5l>7L z7;iKwQuEm?&d)EqJH0bG0;6MI`P8yPV$l&_XZL+D79U~v;Z&OxtKVoye&5HlO~`)Ap`?V$gQpFuzdm=tbRaj@pm6zeQxId9C4m)_YRjLO*uW$Oqf0OSCM_mT?&?V47Fe8C;Y9(SeToARg zZ0zHgI1wmUtg;fC!9-kAp+@I;DnH9q9$223inDK@mi=_2^m0_E--|fO=4mlIO-9Xh z_w1d_Y&qug_4NNmVtHh#lFkvE8_XR*VtwWGMS9d)KvDEcix*dxe(w?`+htF8hD-3& z)4pA?gX<)-ZokYB5tdpRd2HXCn)1VvnkRG5kIO8ywM>dtO}7r%r$^+jdeGsB%ROpj zCZXWpdGI8a4^(b`!c`o{T8p55(86C+iR~4-r49t6rgMRlSr*X_ zX8g*EpAPLWEz(+PQqtY`j0aP62z9zwRDYE^B<1H5oFmTa*4KPulCV* 
zLK?sGvta2}eo~5Bhqk8gq_@jof+n#NhuRu1*^=du3X^SK$Y8f@V-4hDXJ?AfTOSQ$ zg!e_?eqzQ^lE+VnAVn)J)`VR9T6&3zSD+OP9c_Iaz6a-gDZO6rPP$CSNQ0i&Uk!$% z4ZS|e8^V=(NP>JbkB6PlD7|eNC)FbMjC(TrS8-%suU!`T!SD>1Xj_i{)1RS*HVkv81Y#ID{z52UD-5o7QNuq~RHTg>-gy@-B?EaZRI1^6XIC zQRj8XWMf5w{M-&4FN^8GnZ4esJLnS_02C5rSc3C?blUkf)tvPGN1owW){E0?2mG51 zJz@u|qsB26Jts$IdyO^oO4zb*G<3V0_O`5UbOksME|}aMo^3N6i^P$V zjsVtNBLe}XHUC!RO&UO}rgKE)I(lW(%0XcaW%5Zt-?{Onn)X`#S= zm%}S7IVUmG*v@GGL+8;wGp45jcfhaBa-ZUJt2O8;o8=F5t*BY)uAD3s%SrO7EvTGu z#%i9t<81y`d)$H&SF5}j-ZfVJP>q@ZO}c8j1T6njLH=Gcs0;|vW!UIDrgI;Us}e-` z4SU0|ECtU{5)j4K%dT8mlfU+mE&N4g7z5{i1iSa#-lH8pYzQ1l-Fp$@%Ym|rgX}WK zhZG8eMJ%c>RZevqH_rxUc`DDe7t9lku}4?%mkk1m{O5*Q0xL`I4sFOr<46gIw9wYJ z$7tuP|h0sb|mF4nEXC+A~81 zIaSfR?>7?`m*R*N(iz>!*d{9BDqmLbRYm*J1z~sFVs440l01P2F;#cty^BqK_xPnz zKepTEHU>;2=i-*(`IA2pAtYa{3-Pr(#L3jC;aVbGVn*F||HF#Oo4NNI`SuVExLcH1 zC2RW3t8ym3T$I-~?b?~;?INJ#p*=qkplfhG{fWZ4Z|vPpas8O`=|pmKV80FcPDEyF z=VLkjDC`usuhL3~HVS%8V*HCtgKEs+k`5Z-eDCS8GMjdi_sXjBNC2kx=^-yWmuh;5 zHoiQ`ynHFfAFcW>*s{}~OPBE68b_&eY>ww0OYX7Z-ss|VDp@hpNZ)<upLg7f%+q3839A{Bn|hX&maBfoyl zXmlR{gVV@na-ikv^0=^fXaL%4u=Ih5RV8|<@3tMg=Y|Vq`tJ-35Gw9hg1PL&z5K|F zd^0T(x#+q{e|^19?eRy=`8wTJqi-_;pr0H;`PlDkO=nJ%3}+Ap=NC@UrkWXc`HD_6 z;xAI^8+j||YD>wuZtjHh8bus;(r$KMJJ5YK$AN1L+R*a__nv+?sUyA`*3rDDD35_Nq=?S$ak`e@(pqc3N5>5 zLqjGVt0k0d;*?kj4#etp~Gy4)3d&=n0ZxjI;6hc^ z3?2JXW@Ut*IqSrUhM0W0C-b$l=TBeWMMYRm45+2g82~o^|1L;ZaTHmjewL1Gm*C2$ zUmlI*dRd6fUunj_XN}8P4fb%bPoDdP8koZxjARuMWx^bvo5#GAMVPKrJi=lxR!*Pk z=;**SWxN7m_=7Yt^h^;vOs_O#(uXgk@845z=drXaF22}a8*|^7j9rZDcJ4o|nP|)r zBX>#xTW8+v@m%h-j$*8dl4h8@?86*HV|f?C<#KmIUecUf<8!ClnJkkWM8!;EKChha zG!{BLz_tp;n2w*o>D*@`13%AK2F00^rOgk=&ac@BJc$#L{m2r3&}3Ac4tb((a_Jm~ zY&z3QzgSnF)tpF_O?1>X@0YMC!%%-ITvo2>YgKKZVC{iL*tO*p>vTxW&qDkp`;j$X&v-g5HbBx) zAR6tKaL(_6uUs+u!l<_L?VLDL)Gxmn2YpN@xh?DB#~KV2?}07JejfyL06%GS{y`M5 z5RZY+xL2;Z1BXbd(TTBr5-SqT-j?04FmBScx%^oXz3N?chspD|jdM>^PF58%Iqn$|Z;L>YH1u+WPoZzUa@-SV<7nTRqO6 zLm7Ii7E}L(!lWg)4f!l(b1}0i_+bcL?Rmm^b80tMUpOstJVTwa{owm;AIcTU#$O|q 
zkM}vH`{D7bA17=paK@09__`5#q;aAvi(EmBS+x2!Knkzq<~>%#TZd>os2m>Vn33<2OV{8pUVC_llfISr3h>Do0AfhZYHI&K zP9=&T1r>{8z@gCqNqXC(!%+CwqSM0hIdO(6APa}&TL08m5a^K8I`1Hf=q2DE#XoWX zfM|qcvX91q->f1kEfF@dp3^-Y$9@*quIkA2dzvIjIYrS_!`hh!^Y6-=E8(0V-w>gB z1sOD<`A!q(!4T{yu(>gS5nfjM`E@4}klDsBF+nMl{{>_gRQ_ORz8j=oEp{e`3#VxV znah_xw|gJIcKWZ4*+BB(gshUeK40- zMB2q*nu6v+DyW_#jgARE_l(N@e!VJiwJl`?z9I@#LbPbzx;r}v0u5KFoqhqC*{;}%yRu~BaO1GhT@Y9Le7E#YVVUcH6f;UGYsFIIbcQhDG- z{zk>dQg4$)PMF~u!LFDb~rujZp+Gp7{P;dR&}ED&@)o!*J5!XdxOcFHklgTUUop0?}BznBexR+@^=)1 zm_7$4;HVCSA+xPwDogdfuZuBhmRd_&cYXMMCN_`d3 zQXY~hx9T5%(Xiy~T2zKc!|oF|uhi#U%i5Uzoc7?zXW)9(1@z*t05@?y?|uFFh4dj- z{rV^d`ZE8wmI45GPU+3&>f%LDL$SGLExdyT8jTjB;nefxwc|HpHK-R)y0xZ1O1kxS zpN6~V;m;uE-6U!t4B&~(Rsa*Z1@mHf;QG7AAEDzGwR*l;(jpDOdTm;XG`?er8?CyV z#mv#dsD#DIy7DjA4pczv#HYFA(oj*_(+GRA9fZ>x4@EtYhHHgU5F3`iJUAb4OJni zIMwS)Vi7LB!liJeeG7)m#w*|K9ghZgAppCwa{f!@I81Nn0I5}_FM`un-%^7O(5dK3 zw8OeqJ3MG&h}lY%^`jxU-ZIOzaJ(ALI*~$bhivBBvdTbxy|~oxJy>8!H(~tT!3$lF zcJ>UUd?~SOGtS+B2BMYS`I*erMg7Tks$7f++b1|1jI7PuYT&O&Xs!fkjoI+nNc3=% z8Py^Eg`$ldTD9t*w+E;oA;-36Xgs8MyFwuejccZq^;;pmCXBccD>Zh* zKA0nKhu?Z%e++}8x%%yAYnEd{pKP*E^h9c_YsXD3Fm3=JAnWJp$vz_%xbmdi%@gkQ z1VvOOr#HMgky;G}s^h6jHc@RGI+Y*C6K@oWlg*$gb+0X5$i;t{aIpt*8Hnve=1P;?w1w!#0(9HdO6W3xvpxf|9>1yxOuVIt#5% zq_rwuUX2&!^Y!+6y%$3$Ybib5|x<$Ejdf=C{a) z!N9?DMoz{!il6CQPp1;7Fp%!z%w;(UlD^YwHaXH)K~3D?$g_c`Gl!Tvu0KTY2nqoJ z4-xXLJ{@e(YMQdKleR*2T@bLVDf?%W@B5BtJK4z1|C%l5E>3cATVPy{w+j>3y@og& zt}yqQ2HKAksyzq`dj>2_d$Jvh&1|ry(b^R1`@UMIdhHK-aYtYF>6|IVcPMfNlTtzw zyjQ4^#Re{hrRJ3%ogw1S4y?okiv7eKA#v1|6$IaiT1Je5%ez_4NBg zC|5;a`ylSX&rmF$4@ojzJ~y82D(by2SIc+q`;5?cBzTI1X-uWL^Q{-rDLdR)-!z2+ zThnBpAQ66QZ;_WXfuAnmO)kGn&wUkzZSspK?{kUxH#wy}9@vc9r6A`N4!@>=mf54?ey*ohBr{a(W=ldU`|M-d#iQ;#tT z#eggZ#-%+MUXwMPFptqZT6ynL^vNnt%Znz@XuzsGXd>R%*s78pYJGT&OAd(bL|l07 z_oJh31#^F#o^E^jJ}Xnx%ql$lRPFG?_TppT?yGR_8zHgKvwakj%+93c2%T;r1rc&4 z*6JibzJ_Tw3AX3wTchib{3BtI@bde5r{R!z%ZZP%Ri`4*v~dw+D?2c3mPV0%cGvB^ z=t7Fph1BD8hVceDrrV3x__L2dJFz^X{CU|PaLD*0e|}R*JqUR!_Rp_&ZPUmAS@WP8w~1;RiEgx; 
zwwH7VDpbPZK>2T|num#fi;i_z@Z6^3Y4G@e((FSr+r0A*1}I&>l^$vWBGoV?Es%GR? zfRLd=>j?4gw2Oz3YBP140SVwvxeJ}dCBO&i)LT}#KJ6A54S<&xEL3L_&RxA93XBeL z2fVZxW&NLbhuy(UMr%Dmg)fY<3qxwS)-0N>z+6U!WibY7J0z^q@F$vU3-Bd2B18sX zUX=E_RyCZCvoiQAIZAt=DuCcYogUp~jep z_R)%+YCK*KHT~!bQzD60k)LLFqB%IBd}*|j>2YNSUPGQp<}B2=q})#}`f|rj=t~`2 zVu20%__!X}tE&&yH~oQeOQc<+uZ^TD)+aGxf)lLjtE5`+V z7CX$Fh7o6Jo|JGgtFp#*cBFgekz6R^!oiLl&y3!$gV*VUN$HFx7ZzV(h!MGbnbwHH z+y)!tWWLK47$v+*S+|DL=DNpLjB;?|6)ha*yVY};O{&hWqs9_KE#`ictYJlPdD+SB zJbo0se5^G2^udI}BHW@`ET0v%p@e6wUAUr*|NMi)O4sd&p^5uZH|dYs)ngj989IT$lag-X(#00P<(zUKt>y}zWLo4YhECiBTP`u=T4!*1~Dr@@sAbMzS zkqUsB3o1qOu-8*ev(Z8oFl}CE*+%*`{d7Ld?|rEIH7%H1!tc41?hA-Q6E^e^ zW{D*zRBK~1E!xaU_9axW&yly>QX+U!ESK;1Gy#^ZZVt8rsDML;F!$<`Uf!K?+bptZ zRij8A6eex3FM3f6k?;v^<22*(hHA8BQT3b-YK1~fbRu=d(V7IrvDB<#1JPjaY9f9E zmt|u(HYJYRE!92SuW&sK3;w_ClcaYitX@T?dVvqAeV^RStKr7c+ZzcXZK`{?_yv=0-9K`q|8=46P4B+j!41rX5b09D15q08 zL^E`e{VFey!=o(AoVkWu2zM0SGugAP#DKM^ZnHF*_0SHhx7IfbU!EVmm$RRNlLpQ+ z3svs>J$I|TfQh^{WKT`dwx3Al^^q;75aXB{QsUycz?KmQ9u^;3e$GJTxBUm!zRB$y zv_i?{JJi>OiCyKj()Paj#m3)lJO51N9J>FmE_OMGmVXaJ$^Xra8Z;Naixv zH`PyE`@`P_ue_Om&=uVNjG;KZo8eC2*Nr!Rfu9r7=HJv~)YESs#LH~?b+&xQ5fJY3 zI2j-N^S5y@B&P-153>GV+Jbl>q*SG3f@zKR{v8a=7vX62a@n_y)$pP!9PRx~ZJR%< zBmZAJm}BCNB#r)j;y$q0yR@S#{|uMbL4an&(;QO&e1bt6$d4!iEa(_pFGU=O<@MTy zCY3*jxi<>(!ua>h}*5gD(931QS1erB-75u0I#@8eB-+KIxsm{YEN0 zTJV(-Qh5jdoYs3lG?-bOcklo6iT|+!u^x!{`K)cYL?&ei{L@x9P%FA{<^KNxTc#F6 literal 39195 zcmb4r2UJsC*Cq&xh=PKM3W7iaQUXequ1E`^NQcm*N^er6qo7Ea0HOEZ1wwBYRC+Jc z5h>Co^gbt`-~2P{pII~OUF!|Gx%b?2_Sxmx&)&y?rwYxn`Dp+`P-`?CRp|#`<4167Zvx)Lbw2yJRnZ$$0yM~WKm4j0wjfUR2 z@I=~NR3ariS=&b$=%NqK3DqWdag%i|FSiS|9jtnZZ6vzRC-PB(i6}gw&I2FaA%na_n*Pucaxt9?-6duRA`Rx=g*&^2=wmmE(Txs=j?2`-A{3I z(bE?o9axw{Zay#^tFr$dM#ss@nkK&adf2M7wKa~*q;=|(?~)O2t!B2E3^Ir!IkOVk zzGOQ@fZ}XE)fYuYMNznmP$8kwwl)&*HgLBNp}9-v_`;D@5)Z@Q8$;1Kgf33Sog%pYpG){>kE8-+IQ{Jr!UsqKT$JGX@2)6_KYsk!%ljg5crK=}p)hAxhzFCC`rIbCXTL(Mt{2-l9VBNhXJ`E)DauvtRxv6agQR9(Oml?J?Vt$&1Xn3qA`zF>vWqq5GiCB$x+K 
zEyjzz>4;xgNPI#r7`(c=`b><3X1VLZG$IaO-G@wqaCwAy^zPo?>7D=^$doD_su~&{ z5~}AJr$?e%cI@?a6I!3(1VbM3I~a+jUZG03x_pnhDPr!&}2=iopGLx@o+@<*An09r5aPeID>t~sABnB z7H6sRC;rgR=+>geDa027{BfFd4%7c^(61JO2jejcKGhtUpc{&WOqwNP?KF096dep6Wjs>!wsN?av<%)+ZF*k{_&} zipd9k8(#2Wux+UA)tBijxA^?7HJyqDTa&(3fYhTg+Di_ig zi*o~odi6-@^&4Q?-6d#+L_uE5LH5{|_I6e7DK{iJLmK1in!^b&fGdmm>k7Yx#@!sb zZ(iOHtOVNdDzw~j^LGys?aN1|mo8ljmNN3KxN`Ag%C)UD=+CvR#uJatu6obbSI zqM~{g$_NhK8VF~P@{6k!RKNH~ih(f9H?j)3i@4{g2i_H7T^h|BZ!Tq?=iJ&@-HDu3 z=}oEm?Sk9q-c$PdYKKhyMlS&Y0p)^aglFgb_gAw8(|^k% zm7A}99GNPo$W~nbHT*rj-v7`SyTh#O-CK>AFX;+(I<}|5Nt3EaSx09q=7CXvorAIy ztVPg}u{@Np80;wc^KKNxJfD(^3Q>`9xxd0%`&w{&kdd+8gfdC7ZY>iDR1tW+zTUem zvL>nwsXjhFLwfGk<26oLE?!=zsgJKLc=zy>&mkQ;LF_)&RZ=4mJNdL^aPO&i+rpmU zm$bbiAnMm1T++6LyKDUJPJQC#)xf?yR$VsUFRk9()~2%Y#Gf>3S>C;EXh>rQ;=hOz zv$sC;C`HAYA3l7D<$gX`1l5|~n@_H+Rgg#aUWUkUL1H7en5G4m67wjHnV6ZSg(0_4 z?KzcvRzL3BP6)%3&@k<{XH%NmN6IQHuJvVy3Ep8&6}x}`Lk*gXn;WXFJXhtofU2o5 z)<7`aESEU`Ufi%RtNTDXuyg{#$oOQ`Tvj&ldQs6ccwS^e0{cPKEhnU+^GLbn&?jG_ zWFZ&QGlTxPRi0r5A#Mc%etU&_duvEvV+i%ZwBxp|?OLu%wk#jTty|_Ah}V(ahE4Ba z+7-U;Mx}-1azPQzFh_0jWPXH4FbSv)*_~OvI709X(*p}0b93`ouU?_N7BJWT zx=)zEd8P;!Vc{`)H(;ZSaW_u=0S-Q$J?RkkE=w@=mBNGgjx%3ABM5*5jhI)0TQ}$M z@UWhq-rwsC>{_M9KwbNNy=iAN_t@DF7Zkl&O;HIgR(vV|M!7J%q8=`U zOVj2mN?$&EQEx;nj1;04Dw(a}TkwhdZcov;3ek12`&e;@=N#sBxzzt6vG!=bEG zoOJpf;HCfd^RGAlhe-Z^eirOgHZb^!f+9RTJVtyb{$R1lD!Ww7UDyPQHvp$|7E-X5 zHM^#F*M5Bq5%M~Gsibs`=(FHwE57F@Ch|aRf2KZd@l(JiHsd4^W-XK>wFL#sm5oO$ z`RdJr#S`*RpFVA~gonmK#jnLUhBT=N^k#q6E?@$Jb_m}_7rU=yUz?tuM(QB|Fmvda z6Yk|b+ak=%paBS2B}easMv+c6fcKUTy}!c5IBuzd@tiwiX{a6&L04pgDmCTPpqLrK z6*0ms^b7MXuJ#O4)tp=4=?Q58LU^ zmRh;L{P-XA>=>9}iZI{gOy2VN!T-$Yb44(hk`k%7`)WVuWGZ!I$)wvz;2n0ARKt=&}U*OwW=@GLq;CnZ^m zf5ri|xaRiu1YS#=DL$RtZfHd8s2#|M*rDQ#wIB4&eGma+MCqOe&-8XeLP8*R!tw{+ z$A=Xw$Fqrv<{*BfxyOexzsHsVT!@rJkne!(26*c$7oHd!8^hrN6@U73RRRJ6u%$UU zG831`$TT?n`ub*J<*w@L>QYit9v*d8X=t4qM|gdI;CQ8NGP{`DW=`b$#Kc1NG8UE5 z+(Wfw2@y_Na~1)C;V)kp`S=E{_%tR5=lXEUlXdy#)U4QZdy2#i-RHM?+R0##^UdJm 
zt~;ya&pYBMuU&iKb+`-sAL|?8?H@*12Ve?@uj!w>Wk+J}F)@9coYW_6mXMs7n0WK% z4bawwp<;anh0X+l7wW}&g_kZ96NmR^_=$S%*KLnjDqEc#A0>MqyK2$jyO;A~zH?6K zM`W%uYkZC(m;JN^i^>gJ;g^425z$^P0p3|b*w{sTNihiBjf!XRw-s@7w^879dWSY% z-1zfr^z%*%)XWtIm$MzMD10b2C&|sFucK3NL$B6Z{)VjH^!$9biFg`OOHR`Re0+Sv zM5m>}7HofiKL}!ZPEw&XuA8K&Ng1V5iFSIV@>-w~WUE9w%Zh=U6|T(JYnnmBB44QQ zIm##8;=KQSBKpeX+=iKuh%YY6 zTpSI|!JMv^1oi&?-N|O8`n`Mievc28Js$tG#O<{7tA1+S#EjU&_Iv4TwMx!6Uiycb z1m(te`k;I7+gnDif`A<_@FJ_@5{}XzP6kuwceWnqMNb;lpO;;;&T%xNJQd(O2oz7cl1Pcg_ zSYcNOknMNuPWELhCO3)}DRk_fSlF-m`^&{u8jc*^RZRY=7@VYZuy0Gqyn8s>m=4V; zyJM?=B7@1uIysosn4R4*RiRLv?ug^H{1$wRd=(hh7PmW_dcoC6xkN!VE{H3FbOf_H zQue${ukK|@ocC;$2Dnk>XzZC2m|mGPtR>jklu;^J27$*`?m8Wv{)u!8#7~y z+~>%iHjNCDA3f%AnESyu*w;oe@`flx)Z1b!VSa>}c5+WkU3H}|!CY)&|9Hu%C`(>> z4)JSryy12aO@zm>DQj#ll)3Ou+ofYwuk8SAv6l^7b|cYP%?%BtLwb)c?QMU^103Gy z_$~LxtOZ(be9Py#Rs0e4n2F%^5ryNVt~ky4&4K4)i2bPsg80=vj~!pF1COr6o7(eC z9s4cT(^L_(%u5%J1XDXsmP;lF+w^TWeuZw~5@6u8Yz-r+DsNrBFwjN=OU)b{LP6`B zlg(mv?r9^BYo)D9GbM|6glLW|7BUmJ+R^=vQyV*97$=bX+bSsGl@s;9$b7sQMmOkWol7)?PFZzkucp6HgOG6%6m7;zVO|;<8Xgfzn;G2ZQOG}}x-1IR zPz50=DXClI7=Ds39Y*VY_=_&zg@OuEUtbcM^pfO@vXIM4HQ#!vTlK=mG|_>Wp!del z5%+14Z9h8X>l*iI-AjcSrHQ7}AWIw14c9H3=`E{uL^OxU;h!(qO8eyRC10}DrKz*a zlh}q%yg{&rD;{oFHr^3&bJWq%F~7n;@b>Lng;?DkPXzbmF!mRb+vUT`Y)|Q3mwk9; zi)}$3$W!h6Oo6u7-)ZDLR<_#o-s2o=DE)O{%gIynb-pXP_}h)#7sdl96zazhO)XSH zLIGNnEZGfYFU`%(A3oe47|>oH(9plN`e!y;e^B+^*1degyG!eO1Bgs0FJJz3wYK?d z0DWh@9RjpNOC}~VK3@Ca5>{nFWlf2eFFShh#qT;B&pPkMKX*V#>)w{Ow$UGZRvlE4 z@q-?A{E>j{U7)P@O{Vg!aJ8@aU;N4RKRkOZC)eH_&Nz@$F!CpN`tq>x*FehBl@A7A z`dJ=72w}fm>)Q@u-Va!lTjT&h*DbUIMB0@$<7~xsX*NjImCPR>KYm;pt!(qZPBsja zedw~PGgPFDb7h|_5l##X{dHn1&dV_`eUC#Ptba6E(M;x*lt~nHQr;*JE4WQX#oVLc zX4|hm;`0autC1C1fY5<^DUEa8U&tQ#oRC1HHEcsaX!JSIFUbQ7FMr+MtSyTuO?8eg z^0=vGQ+e-Ad%gh^07VX*uv;PDRz(g3?KFkEzQ0`=`+9M@I}Ir-BXd*u<%g`y5&sWM z1NqS>Wbb5bChE*Z6cT6HQ0tpZLyD*<0QFfk0+Nk4hRdGQ2{>eIc4|5gkd)jCFLvKq zWoWCb6Xu=B??qXe^{s!hQCcj##we9z0K+Yk6Gohrlyo9$os^zb$>Uh1ucdVh`5N7i 
zBJ>0~%Dx#3JG)$4G7k^z>$h*DcLY@f=t1gj4!56erG&@t@2t^XyJk>%H9p>T(rpR$ zAmQ*TnnO3w9L|TKjaU1i9ckG7p5DTa5qRJ+1;oaD*NHdqWK%>f^4@~h^Bf|bUSIpn zQ!~pUow(f36B8L5%Q75LqrKgmiC9F2@_8(7uZ;3q%XIR9P#$}Y%-l^AWJJ5)Z0Pxr zD5t~2LkXD0Z_Uii%}qyZt3eQvKn6Ynlcmp!Ji$?sF8wHrwFB?o*?NL3DIxO#FO{LB zB%#ahs<8kSDI;DRBNo@^ok9z0Kt`se6%xwI67HsPC3%1SJDtnggeP{U1+a$!VPVk@ zgN54B5fO}QvU3nLc}I*KQ|%j7x_vVM)<-CrtP|8r!Xuex$*B33mx>#U7B=1$VGhY~ z5q_ZeMVH7>ZSnl{JBpCDh?;GzPJ=_aIur8sjX@OQ&g9`7{}y}S>hBz&yR7lKUTKO> z={fc9zpd2oqkMeumfCU17cAp2BsA1(>J>-vg$uknL`@{GQpFZV7}>|3>7ETGBdL5V z>i$AvK>>S9f))EafNz8>;B)d!ecWBa+qA!_t5%+R?!Oijo@w!RZ!O-xq6{RUiO6)R z2^h*=irZj3c~e7l%HFENb#xM%bDz^Gp2Ti=)lTe68+pm(X$eETHCFhKIA*%bI60Sx zyWD?7c>NT*!WVYKkq*Xt)OjMvUqbugE>I5j3a`pde|iGr7uFZc!N$Oh-utcw2M6!& zzFa!u`~5(CznA>AG_Zb?@{ISIH)v>ttw%ORkAy`=Dx;l*g-67Gl%_x8!k&XEZ+At(WhHqzQN5g2~U0_{(JqZa(u}*bw zv3_Gh0)UHiW*RKw;^K>9&+eV2D%A?^wg1M;aUF2iFl%=z)*>vKGlZ~MfZ;L-UIXTAVtHt1x3(d8x#i(WZ z{{v5PO6F7bqn@lD7Qdi~jXu#ROo)nt29|p911f@=>n4l` zCZD+cnub4ahtYZB>=%Q{@mAh$|)l{x;!XhIrp^j z<>4|aPQ8LTeb-q^>tzdIx))Wz2-S0NVcgSgOmTk3oUCi+-E)KQ9w%m4K0Fg`Dzsi% zWY~i6j9>uBrd#(uSodk>Hlq_Gm-Xk*pRC%BXZLg1G{MztxC#g^2|xYdD1_D$2>XWK zkM97PCTyY!m;457+epFo&Zvf$8J4AGW%YG+X6rZd;b2Z?Yo`6ZAkF?3LM;uFT$L<2 zEl{3;O&FeL*(>A0NY=lcgS~8MO8I=nE4|K#Ej{%Tz0$O<8OOT!&DOJqa0xNSh1&xD zl||q+n$DQIn;NhgwheoxPioKiPRkdZy=iWM{1IE)_aqz{(KGQch5euG!oQ4F90AH~ zz+S=h{!#~^fb&l}c;G5n>uYtuTG{nxz~lLCvsh0T4=gbm1o4(=gNZs<)$?Z$JSG6h zFeoHMO;Pz|F~8V&!kCNl`t|1a>KF4fwh9WNbx|=fH)&}bo_8gIjW!=`^#DOmQ}ahp zx->7fB(M?j;lU!bY71aKO9QO#xewhyt`+Umu6QYEeK+H=*o$RvZ*4s-If40R7;$lN zjZ|3IS`Bjr>=F=>(g-@{3|rmcmr(&(R~ew-7|6W6y~)VJK%m)L8Y%{_Y^5;_0yunY zZPFWXm8IC$D7K)Wp!)iHA*V$iSM1CKqi;V3P^`mUU26;3$zHoZ{Y{QRnC7dE7|2`e zS)ET1^KM|jp5Ma6aGzxc)S3QCZWD*8Ayr*557Ldkhw6LnWjbH7`SHPE8V@dQ>;*DK zi|T^C!;P-CI%8pwou~x5VOy9%CIp3}cui8-AKbj`T%I9&V<`s$m!-(pT2nv|VZJXW ztL(8uAQE#X)n=%OmuK&qx%7@aV+DBj=P)w3ys_8%^jEIr_wQ3C76JbVVdGL!RmD8} z^cui&+0PKIP69IF53U=gF#VE-3dmPcPoh|*Hp%-)bJULJS`k`A{UqTvL=Stb={YJB 
zL?Ms{pYC_B2;g6)qYhSUZFm3t97HO+Dn5PszTGm~4zeFaY;3yFn^`Ih*ylqY!={Tp zy|{3fm>}pR+o$~UbWLX+UHdrbD4I^U2=4L`NA2bD@K?1*J?Y{wif{*)&) zxi6P|H@Bk);N&|Kh1$g7QO5GIu{`D|hp6j0TuE`5>sPP-neruTZ3p{Ia_N$l z^K+LlXR+*U&Su2;IOE^pyCDG9XQ1Z{z z{u*Xn0dytpJRZ_QQdU+LjF(o=R$()4!4-Sazz2;?45H$E>*sehs~c5Yxs!ZyIN#hX zBYra_Q++-?OjOWq^B!=?)$Z<-HBL*uWTIEO;hn0<4WIGMT7J&2;))0gBOvKIq&+Jp z$G{z!_TcP9cJ%$fDQoURAYi_X98(aSn@Aaagnw52KBdk;iQ8o!>=tL^VX1t|2d#5w zzhSQC=H`N|p@jH4AL6VO?(^-rSmW_lv5}#n1yWN-hlZNE)^dpB8Y%?s@ZtsFatg~c z(5jQN?*ao+T$#p8cZPK@o(jiKsI{$4lG@A5>-hM%rKN=z#?Hn@egE0VJhl8LIsmCB zOHG2Zp!O|{VZx~B=xlSiwz4OiT0VHLK_Jras-H@2G|HdVk1;> z9dmwuguI+1F?`l>y}h$-(ViY23dy3n>tEo)OVEMJ(uo65x-j7^mj?%V|KK^Ra%U^aqiUXj`6=hVVFckCsscv3b{0F_984&*M`<5)N=P zQwMql-216cU&t8>3w`0zA+MzsOXApvE6b<6!AL-#cAe_jT^;4Fe=}RWb*e3X2yoNs z)cd(l@yuPFGnwPTl>XlP6W0p?VyGWtG4}M`cXeKG^uOp4I}S&=jeQVu7=Jqz#dd=6 z*uzqS%z4C#`txOX@~|wOM*E1r_lqO?H=>_6?mzQ4SgDyJV=$a1%YpVtux?2u<-Sj@Cca@T9w2mf5e(4*Zq8iZ9LYhBc>~K=! zJibqmoLtoS9<$JAB(PSfo9wYn_-_~=x6T%UGUxHP8NrQwpWzlL>#uU(x#QxvaXaaQ z9;?SqXt3alg-()j1b3mA?MhVs&?ywdN51|xRA!(dG4tI&?l)vbun%obhg%2$B7`9Y z^J8OUQ}U_F&-Lv9v59Paz{9T%P4;Yv7>accX`G*MBk)}>Qp>sI!K z%ge8TOz%ac2QWhbR$JS(ZR=+-TZcW;bYGdXwDMV9Zu8xNA zTO7B?as##x-JP72#6c1f5n*Bgu&R~S^6Gf)07BB4Fw zD0J8i9_9M;^LeeGAVHPYRW`M;DMF_1>-95XHKJJ9%#gAO#KxaL_iu-on3xPymhT0>aRXb#=m zbf8vzxO<-DMl(~X-A5n%eD%V>z`)z09#sWQBnVkqx6R+{6YgsPl2ReJP12z(Www(I z#f`@`Rt%#JyVF6SLF3b>Pdk&|-otnD)+DX5*f!2KrY<1pvFaBlspLuT3UzCpr|D}) zk>1DZx$|O$$joog3gHODl%aV}x0OoU{8{{0Z71AQcU(2JH$dBs!3_6tL{{Twt9QrH z4cS;6#RYfD79cE;D*(td_+qgR_L}12 zuaP%Fx!ih$r+f~?`~mUU;v#5^t<881bi<^A)%rrkJ z9p(dx(7|D7-uwl6^@`EwpOAbzHF-j3`||^jo(^vhZ1gYI2b9%o>Ty z`&&!-@~Eb|^>5S`I1p}lyVkwrzmV=-ldM~Hd9=f*nxyMAH_EtI-_>*)7iM1k^}POI zYmI-3euaTz_*5=ZNDz>zdCa;&EM?`UbaBxHYyOVltj{Q9seYFsE0wOqqpqx+hN8@b zF7cAliLygMC)&@cJH}bgu;FopNV%$~cKMEa!Mr@Z+7P-*E7vEgH#U0s~q+-3U}g+-YFo;HU~ zms6u4Tdt1Xzjnq?BBDMS3?fnHa|!y2?&}&z4ygCZ2h*S(#<1Mc_{bVsw|n-=^R?%cM4EVH_xbnw< zg8cVe#Nr-sc)+;5MfWPDgjhi6d%VQYGrNiNFnDGGZbj2zn+>xVzn}D03AbR!vignW 
zPpEJ%^AV!|g<2=Zd1WMw41%MZqz_Po7tRL^{Ea^6h=yJ$DfIxq`GntA)M43s@p|uZ zmx9f3g@~}nbBbc-|E#y%etTIfyzlMQ)bFY=vP@%|JqC@C->lvdT*q#A1-MPuj;E$V z7$9&|T<_Xx%LM2(ax3Ee`t>WbLc+U{knt+}Um&rJ=G5o#=C}HBm6FowaCcoQ?APCp zC%U>$&tfFu9}TYOVoyau{mbNx-B{QN_sqw#03$jx(yNiOD*2oD=5A?ahx zu7LpCGlA!1#24>>g_;TAr`&>q;7j&*m6K7-0TCBSY3}`f*(1*m$fO8yqV>m~m+tPI zI#u206L8=Q5ASSaqGzTH{K zMMp=gP@c8iVnkzOV}E@Q)94Z+BPDeXAxb@WI-_ofnb}!D|E`W!DkAI~_U5S5dtyMI ztapQostsZNrY)KiA(}BE2xu?Rn^LS-&&pjY41>wHp-JgP$11ExV`5@J%@go(Qrah= zDP(K1TpbJAVE~@AzLaZjvUih*?es+{Lo-=`YXISCzfVz2#9>B8%i;KN4`}##Lc-wN zycW1p+w5#+W8=vmq2^15x7!qdkI0B}$_bDSK<|U@)xh?;Kc7iJ zMR;ptLxmg#1;M{)zQ`m%y%cO|QviiYKr;JD~C-D@#7vJTx`#G8q-kN)--8rKk>}lzXW3J?IfUFgP*Si(lWatiNx6 zHvuZ3L|1OBp6IqUU{Fw~1t=$IX=#D1KP*gfg{`mP6dC*Kv2b!m?}{2XzXuWuy(6TK zuG?SC-vQ&diQNbM2|mFEO+7HBCX2YMv&pNYD}$xd zjjce;&+{~ii#l5Y8+aMW>$qObwcj$|1kE6zuLx|-Co4Yvx|d4iaoycd;VKZS@T#@7 zHBORWzkZo?0Ajwaf=i_qZOo=s<$2&NCML!rtz5LfHd4bA>wUB}^i^;AzN?1bU<20~ zUapw|zN6lK$7?!(8RWoxplG6{j6|~bGy)LZv=^`|BO zp5u|p1jChXV{sxyAR=6cb#!U+PKvDMBI4p$H&70_9hUmH&J_EOin_Y#i|p_Y@>;fj ztpckw^;)~1ug&C^8i!JJ`8Oj7&g`YU1mwN;y+ND}GHN&zN`=~?t%7C$TEO4Naojft z_6xp`k9UYEnEnh9;msQZdY?QCqL~Vh0SjbEGKlBYeD%=I@2!evlrPd-s~pzlI?#Vq!-sZ6`0_eQdc3t9~2Nt!&ge2PoCh zPP~t+Ln)N!ar@xN1n4&Y&d9`o)fdq9u59{2_$%N0Q>~D@v}N~ zs?oINKD0|S>~4W&NOVt5@+!Hs!S&8UgbSJO(Ua0(Sfi7vOI%2T-;-^J(5k zkp&o8WxZ{+l6U+%(ZyD}p>!RL!#}skPwB6yUJzE;!GLg9CG=FicAN|KmK8F3@O>{I zoiAN!Go*XG!qpZ>RixEhTp--m(Bx5CTRB-QuT)w)qeA)SB*hcwwd}~i3K^ia43LS2 z5aZMsqe=U=Ey%jMt81CZg_6!(kD$dFqkdzSy_*c;dl;P8d)1aD{mp2bH$`R9+GHVO=Sj4`ZsrSs$S|ApL7n`vNNxPrh=nm zAu#8$pn|$uDFaOk>xH(db2F43;B!mdSAC04CPk$4 zjwg3^YIjdafSeu^?5?^a^ibaGMGIpl2(slHLXDW67cRoZCZ6Av*$21;BTYrT2ORJ@ z8Fz{nR2wqKp%IKu1Q&sV)DjKaagU?zh@YHCr4;tFK)_HPo0~VD znP^`;ca_de{%**$T_A$pWtaA$f%$5b`)xjn{htxRVqgk!S9${cZU*p{hw&iiA@Rjw zYL)FZgQR*0-NZ~95)YF{&ojhW|n-0 zou!%(1~wT;Yik)z{}9i!3PP^o@TR7>dXqvLfHMK7L?#!f+@5>;k#L^2azpt=yBN7wf2p`P# z@?a!JbCV$eH<$1Z!(EYW58-cRGrO@DkjzKDvdh9yvifNW^25Ag2Ce+KHg-W%;f|&3 
z_*-v_?2)fhC@Wr-3D+&^pg^l{I}sU|03r;z9z7NXffI&5>^;||^8Sd)6v=`3ApzgJ zPhMf6tRUktYr)*v>v*FSnLOu{gfmQ zbSL>>nSz2R@yv!f6lEHX_GmJ8f2t7|#rCErr1-E`v#u~L;-kVWH)1U(+>L8ri=I6k$eXClke!;5xKnuB5*Q!SVSUn7jw=ekGnB7k5_QMX z1NSs#wNve4!8;DAbo}nO8_yo;;a>kf;YC#ApMh{1_t&ELY4Z$0q0gtb1mTV z5}qLAiQ#NC-^0+;_m{uleCH*fA_O9eLle>7HflN@OjX%TBP@DlX8wwsp(nflX_1nl zC41Ek&F7={<3$EG-<>u2^zk5T~GYU|gtC67AdboHm z3NT%${HJ<)uHz5wYG+e1c!J_f!IfJStOQ`G8b7CTiwfDL*nV_+%K^VUv>rAMK}4wDS$Y4FZZGEXUo169}*?Dd>Ev9;rHc2-ztxgzbQ$p*^$hZ;P}%b$vHD8g#?pG zBAom}3zJiz-E0A|QIivjjVW9>;ZtHB#4KR(YMv~8U^J(|X#_*}W17vjz>8A1q`*eZ z;sk9#*OtolNO7!2cW)pn;Je0Yx35_jp0M5PRy>h#ji-A9y4C(?a_dgg{E}||Sl?q` za#n+%DfaB@Lzh@-0w0cW+k*W?(^;j{m0z7is~=ZPUP3BY>g$K>{Tz|HbQ1~$nhJ2NNNaY0!seW2m;L# z*C)J^YiBtJofaVpx2jiDn`jU9O62jt4Wlk*}V7QT3{mAMm~@l5ar++<;Mb+ z>5^2bH?ILB6Ca7qQ4}-2D-_1@L0afg&k-GMV+y1cBG$C9{vYsoj2GGlu?pWf=WxE`$6HpaADYIS231RVC6Q-w-h8DKKqlIzB=?rMy1# zD9Vo*dDD98S?siO4%s7w-8`m&Z~BQI{uVy0W1=g+6Y}B$SvUC@CDqGw5mL&^y&=@W zZT;k$lSNH2i~t^d1|}6E{ww~IHOKX zp%GJ1?g%nj&}XuD@YA2}+qZ9MG*a9YiH!62_wO+SwJkP~XT<{6rA@p%bz}w**&sP` z<}d!RDN<|6wsda1tYVfeTZBNaArRm>*1&c(GJ@Gl5m}j_uNU~1DohF0UCtpcr8>xf>*~D4~|C2B|NkT$4Z^~shEeYGAVyoAjxO6 zvm3lnRou5hNc@l@LjB&a1&Ls|95vgF(7MNM$OyMFHU)=(rYT`?P)v{LRR)!9P)#53 z*y_l)1w+i4xp4MCfzUKRG<=SHK?+l|fLBWhe3L>5IWPYnuie?DyGjl6s%8s7onva+&@BR;>egn+P?^48B>(yx|TZmXxaNVitcV_h=-%8HGlh`uLVDHIonCqKp* zvl4WZ|1o~$W|<2(U#<Qf4?~00Z>?_iguRWx}Gx@mcWwnsx zT;7APA>VVz%+8l$SsPzr)#{w$PqjaUg|ql#XnycTt}j)w-N?x=l-Hsrzs#ug6XD{o zoU*!_H_`s%$82d%^;#4i9pkv+*yfAXMSe~rD7NqmTPicvCchm9o!-Cdzoi*_EufzW zBdR35a4isc1!^PD{ZM8SA8xx4ogu~Bro0Ik z9lZ<8a?=7O!RXs*P!lGmafP8y$(6l(7A_c*nmENbJg)m3{$|tnI3{yw2K0^{2q=(w z+6eCN6~m3M0s6TrwYV zoS(r5xoxu7Cs$z%;cAnq(X6eW*I~EnY78+<039@xe}Q58Gc%}!FoTdvcD%9!OI*i; z2{4a5k{Htn0-R<~65;J=ao{}XP1fdTHbGY7lRv4tZI4>`%nSBefU{a(WBenq4jpt; zdu#Ik!9nh2%uK(>j^_aV_3@@26dO2olr0xq3aEqm!)M??USa8uiO_;e5ZdueoEZlv zaO=~6-v`xC*Iyz0G-}W6?EdU;E#2Ar)Q!19S(dSLgy-BW3}px+ma0T3hpI16Xa| ze?00%a60|&emp~u_!dUD_Vechlh*5sid}%WYPm!{{gr~?!e!h6u!2KSh-t9^FEr=HsZ 
zM-bHnp)Bv}#z1Y~4N>8?{*?;)E4;bL<32cd2F$c27y?H&odD7+-x40hp7#`vx(-#( z?^~v;# z_=(#h5Al{WF*S1NsWPEL*N z1@$7GJ zcMPo!<@SCa{1Q02!5(Q>EPeud*4G+OytEi{Q3bgP^p>o;@Sm(ICHa|^6K?sSX2r#A z+5&19cGW+?tKQ z3@*Of&~UZ6g6w?&fVKYAXYbQHU#sjzH7>rB0H}UJ6EV+$Lv}i^gU4F+o%)r|E($y0 zPPX9=q2c}w330?TMa0+y4#ndmEj)jNbKSVV92nFk001N`dNW9|c60==XfNHOshv%> zBw|WXr|R3EpP*Z6j3fVWn``$f^4w5rbNjPsGk9hB!IzuRHfJ2<*Led7zmF?XjVrbY zfRQtpF%M*$w|dB{u8&akZCnE4$Y8#iP6&HtNgkoIH>!ZsIH*W?j23|Hw?G?$V8X+; zi0mE|M^DnT*cZ4wX-fS1aXPm02w?B;p5VYc$;cOUk=GOOm>mq`PA;%0fpGgd+M8$d za&{JkxpPB?Yx5un!v%iWg6}fjzR=CzYXE?4RlTfVT!nW2N`>lPb;4i~@gQ>ogGgd* zrVpFJ8@oB!AKaz|13*~vvC<7paok&GEyFEGHQ1#Z2QrXKeU#i=J;?h>`+L_1osb|R z&Dxls?DZHohAwGBj^H_{fjB~;4Mbc5e|>;_!Sw|{^A=JmkS=zHI)4^8P5Y)6GmJHk zr@kucz@-oh?`GCVteqXZ9wVmqL6V*DNu_bGLrP&b6`K8on$2>rC{Vi+h>_6d;~Psg z=2f!f4AE}Xi%i)OgT4|P5XD}NzW2z(MxPuMqTLtpVFJWpLg4h_N8RClcvNhszEj7^ z`t(-d2Lej{xNg)PfZQFDeKOiA+Y)9ODUZ`x!@633@du(mcD&EYNQB|YCDX32e%IH( za9@ktX{{D5cLapvmuoBb%$@gX)m*DHC+}#8;KQnULDsOy$zdw!GE8~Qvd0N|(rZ{0 zCqCWNt7|6mq5R+nQp9M&r4IXr(54cXe|(e=FA(RBm?-AmQR3X`A&C6LbPQQlj&Y^Pu(7%CFqf3y3kID&wE|{A6&%C3d1PEtMsb0&%c6ext zWvSAXGr~;Bd*Jw1HZb@B<2x8t`)tHJbX-DfanFr|&`Bpf)jSb~o=>{Ju$&`FJWPsU zASb)&0_*3n0JERT$aAtJ;NL!=F_BL8G9cFE)2%Njog~+^Jb?@wBV6dL%}R6o`ZO9# z9B-E7?tLIYHxSF$%|W2jW4fgn(sThlFp5JMI>NObHr$*Kd zn^nuI>PnKgO-$PE$!rOaGHR)oO=2=AU|KE}ks~?T7gQy+G+=Cf$(7)s+&N_1*v zD`batT9<)s_~d}9lTbC_w+wG)AnIw!W=Er*s&z@^RW*^{%hVixN{Swm7!6O}fttABKntDqs*E~1C%^aK2lCcmrtLXvgb7u?9hRY5)^o8v5 zI`y8vloJfih#w(RjEcOBsxw>mX{l->nm7egNcWo!x#G<|3!v;H1KL~S#z%^cAN=aF z61e-_5@+=tRbVYYU!&b*YkBs`!)ac;lUX(`8R_wjv=te)Hq(-a%o{T50$m>5Q8CPt zq#ii9%VUCi#3VgQq@Y>UF0^Rq%h#m9t*7T;2!nH*+h|sQ#~;5jbCsTPNIBMtHc>Ts z=H1L6c+DsnVlJa@%;AWMt*h4sLHbHVdSqf4*#~(H>SXdWc!!#yvlr4$Ykpgc++Fy( zWRsC;i+~Nik1Nj~oux*<`0$_wy`;#iB|AaxpJ~j$O9*IqJb(Jv*KX-lnF`pNatCQw4SjW(T_Ywz5iz{yvXvG|gE_ybv#8ERZ|=rxKYkIk(Tx)WvkbC?qsUht zAT3aS7eL5(NX0U&W`La2RYsr^-#Hf6LJHocJO>BV@t#9DGFkPQO{yc&pj=Q?zQ9Q3 z6zQ&t51!#SAj(T~mPq@>;e|;;+e8oFD&_mlh=PEBCduv5>#FitNSx4|Ye8XZCPP`~ 
zMrDUc9<~%pCxefxCk6Uhtq{K)Ig*q2T+}78fQMAAAA5}osY%MTWIwbd0(+S}lTf=P z8|=56lP>?V;^~GZ++!oN1xue#R{DYIHa!S}-C|#%E+QLG-P!e|Y`zo=@W!KOB69F& zmnSmV1yr0xvzNijs;*KM4NuIbUq}v-!Ccl=nl!jZlLsbbG6a--Q|E(FMc<-K+tXJy zFEd0yg~{wP`E+{dh|9-)%{J|6;%k~AuJAq##8taf06}JJpV~oCRFECz&R*moM|TBq zz*C1~HP-fDOpQVe-?Phd#r#o(xfHg>O{0Q_VB^q+Mr0)#IP20Z8R(8>8^v4FWX%64 z?z`iu?*G5FuC`DbW^oRoL)m1c>|<|7D9JchMhT&9B{?{R|-JosGWlXW0Guj=6_wd)l@Zt_Tyjd1IUryS6XeSKq*QbMGu!nxk$TNya za{&~4fbGYtJCWDZoo2KQ;z?pBy~ltu;6mwXfuh&~-L`uc1k9-3jaW1~Ffh{ud#@8? zmlIOZRmb<2U!d={wlPT0z~Kv*`pT&H z>ue6R-wR7;M8u@O1G$;ajqUQ0yQ$~A`#XZq@W5Xc?C%`Dt-hy}v)wkL$m`$bJLQ~( zu#=6(*Vos3O_vrOe0`WBWu5tq@3zZNyr$l8i;Ew}jCQJIV7S$uze_yY&TuyeDa5l; z*^YzIjILck{Oy9+5?v1!PKDc7ol~w=9?+Jx*?aeMYf?Ky8)OY%pikzBh;K{!vID_e0wI$WVk`RFLqq|# z3=-poHw(?4FOdJH0KdSA{w~qjKZlJ^0qlx8ei($w1kT_vd2sk-u@sg3%q9S=dgNvZ zKM4#j!WU4_K-Z2l$38Sge(|>tKAraF&*5msJTO9GD;NEr9&NFuG25g_W_2PTU;t;_ zWfy$TVy3@yCXt3{vMW>7W1g}|aL8VQYmggN`uh6*!+GZTaWa#B$YVeOOQOk^Q&FjU zwEtLAa&nPF=kN^#qMCw5c!1tGXo1~{@{fXwP^j>`d|nRQ0*I}kK^2>TmwU3mfM+G< z&@mVr8oUa;5J7oBf+i*foH_6I)(uyMH05m0 z|6E|}Ixu+fsPe8ch+GGNLWZ)W+dI9+^B`gLuCJuiKsc}+{ ze@JvwzjdoHGV+)+J4V8^u(AM6Y2JfTseRq^=Dd3o0g&CdP*cfhWT6~uAnf10U95rd zrHJ#-=pf4g84Bv?{T?x7T8%04n#cl0XeAWGn=bz@R)V0$qpd-LKM@@B(f@E;H4ITR z4~YAdNa7MULpZ!_Mw&-;cW<$)d3;GORWh$D3**uRfCOQSTMgpoIuL@k5#F%)B_LHQ zomLxH$mLku(^X0yZq5okvs}_kkrh9+G$dwDbXR)H^v1ew3+e|>RPz&@=U{^p+k*G) zYkz-yl6L@@HFQT3>)%)WwOKQ54X}0Uo53g|qmQ=$kp1Llf%iMFZ3w-Zr`WIVDe2;I zX$Rz`>j^u$F0YnavS5jJ> zohay~l+$bIgxT|1H9CFW8YzP>#MgzE4}fN^HQD5U(5!v$fO(TDKfWF$_Mpc;DU33% zCOfx!f;ttjl<+9Ue?vn{i;nt4msMa>4blM2sCAeY>OKJD0$62H zJ}I&FHzLk4>oe=JIddrqS!aFzzD->`uL(pZB1rs} zN+6Bt8Qu+mw&N@;_TE-?O`T0Z(bj!#$DO}w4n^md9?;ys2sCIvq}5727pV(zTRTA` z2jd;7>nxOUJ$3B~qd>6Tc~^U82TzZSC5L)eKP>BJ4s{zQ%zZAUOiYVy>NSPmS(Eh@ zDY%5;`xcj?){YHY521|$(WQRh1rw%cI>|TU$p9!rNUL-W^;tD<9CW~WSNl)!`)-EH z<`GAo5)P>at*K0oe~XLlV|QChu_)TFi7XBiJ2Ho_MW!WI5aU^DKHIZ-rj(NZ)!ue9 zO{jP82)1x=ww(}NCLkFAi~r3lB8o{=w&L-@rW{OxQ||^T(o7P{kk@nnLky=L^0;QU 
zrXv?KKhYg#M-}mj=vC<%sO+El{{1_jVa~U#v$iWKl2F6H+Mll(?9ICzV>v$?tnYOD z&}@z=wm;kX@JHlD?h@S^59caS^o)!~Mn@%}ECUKj^rx9}z8x=i?s#ikV8>G`>^-~| z#l|WXe|%p42Y*~b`~pRNR?pk>W?v@gWQZuJVfnp#b%Jb00r?5koCUc}FSOYjRU7e| z1PVF9T~^TpWGH_s=`qQ`5*utaI1)OXR%{#_^27Sy)L47Rvv<~^dtACdxT|6Z`kyS6m|AM5O zrU5mBd_qFH8w?$A$wpnxx2>Oy3sRV-8{UU_u6p{h>?3QM|2(Bh>rp+;6KAIBat;HW z2)}?72G~#lx__|a?8%d$v>}XciKTUX`|b6&&}5~B*$EMc9?H#+H$UFFmLZ`JCD1?- z8T86ZAhx@$WID`8Qk(88_1QlWr-UC05gCQ1RgRfq_0&NPJCVar#7y^OA z_c~v@f$Fm&DJdySk^J_op4z%P!|Cc_e8AvUpyBCYBVCx+QP$LqbZ@!y9|j&0m4U}B z34IdGB*HZ&&HG=9zuyc?)g0U6bbE{TWuI98{%!BIww>7x-Qu+TP`LFGs1LU9*a5h- zo-|GNS3!-9KuI=~i@OT-hx?D7@ec?9!2RG@OJ+o|!~7Dg+%>xd+u_02?&qon2VqKXc}-%aAH0 zeq3B!Qq&3rPN7hh?O#trW*L+?t6f!geH;;hhydSA9*zjJr=a-!gDEJ8%4(=$IZml~ zTAF1WU%q^%op6ikC4|}gk4GJ={k#SN*uiN?wpj)Ys({$SF`V+Pime#|qHQNmoPpc6C)1{UMddD50_JgUq5eF=Cojik#o(%9}?- zz|yb&8co*tr1I;~fdiBV9V@F;OKdd@RB<%sVD#GvdlXGLHirT8PU2?@NXlxf`~10n z;W;dxN11#^1YR^Z_ZOe*igB%Bae&Oe3Dg6S7r6xQ%+f_Qg3=CJTX0rs!ypUUe|rfa z+73nR-%v{nW$|emalGwnmX;}|Ks$3p5Mus-_AjvfcM*7#CqiD+p1!?BA(@1Y#IJvW z0CDN<84HokYQ9{X$TC3QJtk6ZEK+gk#NcpkjJmPhRbZP_K=XuGdoh`QPf-br&8C)v zV@~LN2CE_lU-jzSpknZ)yqtIME~u2p&iNvoW+#3d8+Q| z)wllj>+u!?T>wBjgX9VyLP{BkiK#Xj)mk)Vg9qLIyQKS{&);?>xLCm>>PY1j%?r}L zDQcAk_$^|2p}$R4w-~DFk65%@MlOItsg}u>9ZK~Dk;Mld(x?{pS0&;R&|pN8Vuu@b z#t}wZnh|yEL2NdRF%_-vSqsJrVzONJ`+ zDgqi<;vC-X6A;LS5mOx!KK)B8%CV&@ClQT2_E!>mnf2+v$$|Ty8Nih1=jElUMG4;i z`F+KYm$xZ9y7M}PYEkXQh!hbA>&^Z?eUHqA(yNkllQv8h?9O;oMSZ|%1u83@jiyva zz{G?-+|@Hj?Rv33;K1QINmdPn<^yRlc-c};eZ9H}vRV<|5wSgVTx|oc45srYAy=Z- z62WWz=ANTZt7oVUCNiZVueDWp|F3ZZTQ@}vBXXvIgE|RtQls7PNknuOVoFowW0M5` zT=XB`qW?&QimR9(5e!_>#}A)+IeI2+^sq|y@Uah=OLZ(x3@ks{9AwOVFlf4ES)-#% z&=gByCSMu6Tb)mjY=Yood28kRVo%pIy}5;~eaj{I^3mY$53SAaWGOJhxtz9^{*9Cu(y6yYPzX=fsVWgUliD1jz$3EmVCQB!FtDT66+)wp!q z9Ho1@ZzeTpG`gg+Z>DsHbQA)sM3r{|${9)h0$XOFzyEQlfdf9f2w67JQyy=e2NWCL zJv(*jCn4 z2+tee&5b(Q&9_-}M~*bVakZXfwGY%E&)i~@(+ZS?We-#UCxti)K@0~3R;skfhRp9) z#MaN^JXfL`>dG0L<+*L!qI?>Y1z;+sGSPcSKp`={|NIsx>ZoYMLUf 
z-1S0`*IDhtg}X-9|B$C{_Vz?wP;ed!>J<7Yw>zrxb>(Y0y5zsQlAKv8jwdwG?PPqQ z)@7mAZ&}mt`sAay%*UnrQ@p&6mChfe|9X7(FIL7QjPwct>FGOzAG{aI3F(`e9vH2t z+T<2%9d{F}7w)eAvKS{BI|e*R`i8wL-fJ0-hVEl289?peWG(>|c6K@(vve3TDd~iY zw_1$4x_U%8uS%nRO0DwwMx4UxwbvEE+h&X<)UVz;U=&Kq41P1$wI z=Z_TQnP3BRlQuo9)#9fcehm!GdBlx@p?jNegg+Q)5Joi<(w1*cO})lhpxAJEMZ^O; zic#zYi4#oMq3{cCDVT9m2xfLm72_L#f&GItK?>}{OjS&jD41dv0mPcAkkHF;GxlloSC z(=Lh!gNe}Nk(M^4oDv$#iyuk!m>Y&vY$+tHBXEKatuM=rF#-2@JJ=zIFn@~nsG>Th zQdrxZ@omxBbRrB26f6v~F@T7KgoM-= zcVpyCz5VN!SIdh|zEZ8-SuUMlo8SFdB28j07z{s{!+G7WUBF+yxefr`v z6SRUo#F!b$mp|`)@nh}gkCy84isrZ1nID66eJo`Zf;tBkQjzu_=lhSqc8K_iJ#=XP zKx;L3F1N{()i1a&(-@VQ@?SPvltqYIf?XgYE1}>7Lx2~4m|w~BUmM1IRofTcCO;PtW41A9WfLk+Q(w z21tUoEaPNF`~5((79xPKKvOnTOz;Y7s!iSGmgm(A7kaP2;6C)GGaXtaS}Dzy0#cEP!*@`~>B=hU1n$hh z9iEF*(l^JNf%j|?2*i%s)@kV1nMUY?A7j}KtS(?p$*Xaq?W#kgKv6dxb(8h290LrC zr7J%7DF5Z9;TR{pIWTaM+5uybiz`sQr6XloSO9`v#Hoh`Bj@1b&+h$8+b$?!_9X|_ zx-WSyy2#dd)cg@`G{za?bnTj04iq52M9i1N^r3qKdc}_CX%Aq z(vM5wVKYOKyL~8KAL}Z;Qm;2tiEsTp%m< zW(r^Mnjf2AU+j%>P`^w<`@&S}V*iHvx`yJoy0_sMGvkh|-@F>sDwC`5#Lex`4rS=- z_1*N|&le+eQs3)VM$VlBMcV8AF1$|fUDVn{co7yFqA0Y$xQ^Ki^2CB`90@X1s<>{f zL}ha@_aatq26`sYQi%7e3m)88l!IX2N!Xwi$ZyD&hs1u0WP2XA}4aQbvNr2m$Q;L){qM{lzwhbus8 z?!ZaCnMM}6KRlnMhL=57ds$b=O<&rk;-?BbqKM1OuN%oNjyN+n-uH}xDIj$KQ@FJ? 
za1fkuEW(wS4>93%P+VMrvABZyy-X4_4-~3g2?811#nrtdx%)R=+o#?;Y1lzs#>Iqp z^Wy{ao~5;%%$E>H%PfJ@8Oy#zzbnZDvE#|>I-|}xCKtfKk?eNYv%je8w%q> zlqw$QF|)B9OmJ-BIxX(@{{Hc*%!y;|)ce|0l^M-`e^Q+gtv&QWwD~R5ErIAzkM_W; zyQ;z;g%bv!zkY3HD{}t%UCuU}LebMfmpo*&ol z(8GM@sH&itKez*ENvp517HzoJhh12~4QsH@-hn9kct3pq~CVtr%nD zFT-kSBi_!ih&QNagkT{WqhVBDU%1al*+Yk0OtdXLZg1eitWgID% z0}V%DmUuSC%Qx&GHc^=zcwFYr62-RZOjgZ%x6Bam5i8-*2-j>!f#eD?uy^V%i}n7D zTzUPRb5k7qYz%N`LyLnF&mHHTOP&xjA|cwGi1xBm*#+M-*ZAytpD&#gv`T zc8?8kne_KC;PQfqU6w3IE_DC>?0+PT5T_VP$x+u2k|nYij{cJ{@)`8nIu4j4=Jr3n zvZbwzLc?R_inG-w-2yNHg|TGfN82DXWsyoy4LX?!v$?-VbxF; z9f5~BdkCySf(w!gh$-1Zz)PGxi_nPF$*gA8q@||f@+9(CB|s?f096|=$5~rT(4U_X z>^H23*j0|6wdFbVYbAO4+n%2BP?TJ<(Fzf_h&W|M4uQxs#z{w2hT6=1O$Fm2r<*aD z3Y{^4I9rfYh0q-C5)~2>A_liK&PpbrY*n+Ys*qQnh4kSUOS5W)u;)84?M7Q0kgP$6 z{_Kd<%4@L^qSGV6#1D_;;o%t@I;<&mYPouSbrE7*Oh=BO_J&zXsKXZa=Zl^l|6x6C$fi`-H3>+$|Sg5*geBv@Ys6rwEJxDN*l9k?< zXxS7pNHk+))OeI*2p7>@T-CfC-aI$Nfc1GR3{e%z!_QB0!Kra_@e^J#PBO- zzUwztRGY6$E^GDN9yl09ub+~dS{-PypZvzDSBB@#k2rU*U3z>s*8}M*#5+U0{!|cOINE!U9bJK z1Oer(y#eh37KvvD0cnfZyMJ+by0<*{I_B|-=T}8^F+4j|>{>c5EBNn`mX@Ae$;|p4 zi^>VGwa`0^1VQJ=xeqETC^*~y3A-4(@?n_`%v`}mOeuiE@EceD`~@QNJE)pIs)f+! 
zy&r&U+~GvxEEu#8iEIqVju{#m`4efzh~UQq?OO9zIyr*}2n@gFUEdE?(I$m3S1^J_ zkk5m}vYH2oCJ23hP$LK#3tm2s+4gOrBMwrtDU5supQ}DoC5Vq;*r1w=LCvkdnsxWm zTz(9+vZU11jxH70fN~C|Z*rhAlp0|}^7GVmAz%qw890%KJRoZfDAxoqEeJ(F!(FVB zC?x11WcbdO>SR$f)f1kLTcIi>>PN+X{PRi04=gnNKfPAf49N9RF*Z6ntwR%cLDfUR zc<|(5j`!+R%O-=2Xy!|oE@{S!CpL|W2Rj6r<<o|DYWkjG*0b!M@02f&b4W7nGjQhDmAA;Z*Q2|_@T349!aA0~mVU*qW z(@}xoAd@#MApNP|{=Ru53?tF&7a18T<||iIn0w2R2UTI)DXSwJQ}kW=7VRqrKvZ2T ztSm*J_r49WxpP5Br=`N}-T;SKf?r*Y$;;F0Kea8;z#yOoO6h%-j8s+FQGQ%3aXp(6 zlGs^%R+27Rv@TrKK?SFn2h&~d>no>L!=E{eN{$`P_t>A)yLQhAQk*akc^eg-z_D_y z$_o!fVlqvEb%uxewz|<7_}qrnJ2o;~+%4lX7qH|s5FmQzdkGn?sU);wfBQm3n4ayY zvgATYWuISQH{V$1r9Rkc%uFfz$I?$Ar96gtn%#Qi1~wH2t#_%9`gY<^i5YDzRm8Ee ziZ5Tk_N-hdBx;LtO`HE*wu+*SU)e~!BGbDzG)11GCPwtXHLt; zHJM^%{wxyODH-L;lnZ73wAhp@UsCXn3f-68aa+JNGQHZ+ak+R|S95djvqzMshIFxK zx1z;$=s5rZ#)*bm$TdN*k2DNLE`KA-v$H3NI5tsXQfS}alf0a2*e8tfxGg+UFLBb@ zsgPH*N_?Pg=FMNgl;-(n;Y)W?Qk-91YTS~>kphbW!w&c7!vaPlZm$HPGtn%wNCGT{ zm>9kWSwQ^n1L8)KR$5cQXF$!QnDN30l5Ri-n&Xtd%iM4+KzNj|LTMYA3NgSVuVW1x zvf8ZC3jB+VE5(cjfouA;s=L&&VD$kl3S=KWOUsfN3)Yp8%orir_jW@=!`O)|Mq8Bw zzorIHOy600#hW1Py}-`p&4De5X7^dMEsuQQ_w@McFgv&1qeiRdSP6|ZphN-s5l}xM z?|%#o=xS-5{QKwPBD)}%&>#ZV!Hosg$c08fdiW4&eqa!K(cIiz;tABSjdzz6>G5GO z4()kEVEo9R0!0lfpVAIRXzsnr2^d~)-n7BGCd zdzZy&dL8;N|3#CW%P8El@di}r z=;-JnHeW?W1qnfn@rHWj;|OcRkUbR?K%${8WFB%zd-i8uLC*fri)fTOw(%*&pkeC7 zlq?lga~Wl#vlwR4W^bPGJY!1e1m5=A?1pGh-R;#|^^SrPPK7BW?fGeg($N=D0orpA zhZbhJUZ1X=43$lMVJeaw?fSsi`1laJqY(zeidC1a6p5TdkHun90n0$1+I$BL4tY_l zB8%67(PAw+3Vit05P&JPW5Gnq@ACuiERS+cR(dy}edc}|t7C1s%bF;^+VhqSFII4V z)OgOC->8MvQJPI*WG>eci)y~T`$uUJ48$D1#BCI6Osu1pXMS8e+L~huHHAjmsla=N zhnt83#@*+(cve_%gw)6U_Hn_f-FjAOtB^wbpqc{zgLu zkEj=YE(1J{>JW}$hd#v%L3%`(#@Ul|WZq6pOb9TPHyt^(%^L3+`yWoOj=n_N^?u1>${pa*ycrIW8)!-IASG7$CdG!flqbOB418t zDM8wJycNU2aZ!+0WJ)710qG>>=eK*;F5tse9)iTF>Q@va5CB1H*2ENfBs7izRkZ)W z0V$ug+e3UvCOH_zJ-#K(2}CfoOz<3fPivf?D5hvZ{gp!Z{K!s^BYa3P$ry?Ri2TI^2%7~6@NvzbkL@%aO%4kmUgCZ zXm~g2@h;rNZ-VM&lZ^I9L5yfBIaT6M37D!D!r5YF1UIc-FM@Uu* 
zfjDgCNB$__w}W`=&@^<|L(21jD7h*Vd2$2-*U`lAia{Li3F>mo22rItC6%g(xxv@* zDv}8CU3o+;^0QL?NMuaDQ?@+ut?|hzJq9)&GDV2ZXMw(vPW2}Lm@b3;uXNIyoEJKn zOU;ly9o4G<=F5S-d-jMs_wW3dEp<0cQM3%~Sp0mj-{Z$F3mq}^oQgHi&pjBRnW97P ztrHB!-6*t)KuCv6&FXCJO$MK-LarMrD`vsd?sX}TMcL-K`n8YcpNEyqQMw9JT0Z@L8~Mhn#ia2NL>9N z^A=8O(YSjYaF$57VX*SHGSS=rTnv}tMK$N4&23&1tCuZ#N)GP#d)S}@u@%*Mfs-=g zXb_M4p4|=blp(DW5fR~hnwllwd9x0-;oTHCrSUc&wBCTB|O4e2LxrFbHnOUp|dqLY7v-8kjbD4Al&5(UJ?|A znwiBLl&7bsC#f?#biZteOASNHQ$$Dmx{NN&3Q#*ZyEK8=2L0s@o-!1lmjJ32L^rh9 zX)gEOg!B#i6c6-Fo-%zJ?r%?Ns;;O&7%%%7c}|Gm_zt|9A5;Wop%vlsd0;qGc@9OP zr2vnBb82d9MM`XW&UF-D&7XCF&KWvNgQ!Q)c_~6~_?iM12_W6e&jT7T$ee>I;4cJ{ z8G2WOpVidZC@aAHR@&}oO>&NH8*#%fngyCP*Pz{4PAK(NTdP{DO8vwQkK#4H$vKvbS z18mMyT@pM%3@mb)#DS5%{qtQG5s7AJ0sUGY?4hIj6zXeaC5iAwT-S!ioR;=rdi?9c z@KTT{77UAwQr4|l-DHha)G$Ug{ zgnp(05Ui`7C%EWSMqwL+9IeP^7Ug>jBHL~T$pHw zX9N1L5jV-b>yQ!zI%wcZCG69IMhqMRAGQ&?){JDfCqdAs|9C|1^Oi=iR!DN1nwlas zi4fc~FckCS?VxlJ`&xt5!a_q&3805`1o(0f*pO5A(jk%7=2M=fJwIa<6$SWs$#2!k zxh*`rybQs%1B)53PQ{Ejg(smlIE6L|`{vT(#y7Ik!;ZYMZ^0j~(e_(OA8HMJDJ9e4MiY?yfE z0$u+4sYAefb$NDZzB)8^RF{UvT5%RdPuNL;?g7lG3kN*XFA0eNT!@Y4?i?pB55c>1 zo7V<~g#0ka(A>bIp0=!YumaMBMrkL=g1cUbpF~5WWxCV@yk_DKc!fgfHvW~G)S;o- z+O*W2|GN)4^>r?E+x>qzOUD#xEC+-Pn%nSq-4emzqWkhrT^C9om;r}A3kB(IJJQb~ zP65af`hA~?_8#8#-4v9D&Nj5LaQNn8A{Ri01BfXCA1W*98s0H7KpLsJs^EMCH-vQ> zcO?!hD|u$IVZ}$uwhTppiK5)5Pt27x>lwpXh^K8o)f|=|H4YX9&)5*?7sUrZIjiB>{Po8|icA?Z0 zqKD8%N%P8;D*zb>s$w@uR`2H8hVglzFNT&NBR!>FXe;0X zmPGaoi#k?^Un9xxKD`B36+oO}Yv^_202=U2Dj;XCA^=TRk>1s?DaeHdsG!%kcBhWa zuc&_Iq51&r+Sp&%bjMxAjb|GflI`j?ucL=6{1g}m#Vj!=)rJi6eF0ZDXgwXjvvw~dpN`()?9t;7_%*f1!XmbluBhFXMj-*+++Kn`AIl}Xita}Gn5)v=%2a`S_^?IhE+*b7(^i3AEL z7CH_-+}K!O)oqpbWHk_qYsD7*R5rXOLNGNF=r%%F;_Vg$Q(=Q{x1#Gw;{l{S$G zz72x?v5pMaBz($4A99{PtsG-W0D}kei`tJsgG0aP$SBB&E2ru-=s-RHEt`XZ%JPhj z_MpD>s$g&{`TChTF;zGVPR!`c?5tpCc;O+&0^@QY@2bJq{=0#rI%8F6a5K)CB2{%g zj|4$$`~zBuSr%aNgk0qgU_NdF71CGX$BeI<&Nfc15%x_78Jzt@CNFAGkVNI7^^=zzh&L5Q6P9@jIo zNI~agMZoiYA!1X!S5A<*s^|#?Wf#mQ-C@(K7Sp(pNDyscxT~9Lph1L{TM|kn4o^?# 
z4g;(q`|lNSZ3|uq7&ia_IGh2sVo1^Bq#?U2!HAbPAH}^70Sul@Im^u?7^` zG$aA`HeHhNP`^36!w=z_ZANalhAeX(M&+YPZR5fF^!Y6w8q~t@f;V_GBA38`Z51?0 zpL~FJNZQ(Mj<6HKx}+9gZGCEW;`$FD&01-){GTl}!WIOfw;;`fWOZPRTGtZy$6%ZvQ%|Q#04lbfW;Om_8}%VfC2Zu!|B@ZfT_98b`|r(= zI=htBO3+9fIDL=avy=^UF9s1Rd$WR0LJ|a+Jifzm2(f_>g^DkGM92*#CML3=5mF9% zkgFH47YZ#)iLaF`On3797qh<4#Wm%S@^7>L*FoSRNC12JeFG(>28Bf*XxWi&SXWmE zOdPfm;#*kBg%*bTpb@=y#v!0zYyvcP-G$E!0!g~tnxDdRZXMf__jmW)CxY5pI7p9Z z4~l%+_8YDC0e3I%l*59uD2bm3wL$#`d|uqWOOo+MYcl8|99-)KqK~MzabkyYq?4;> z_@k4y(eK1GkZC5EIS>tpJOLt@w>{dr)Gg`p22gFtH$cTbq}}Jn`#nqP_w6qrI`dcq z`EGuX49xSX`!CRc^yc=h`+gIXe}2)!IW0uppDAx#C-b9O=jMja5cAbR_jK+R%|$>^_i9R4?ffoA5_ zC$_LlNL#vP6CFdHl< zBpIRTi#~-`Sxqg=`o5($a^xAtI2RyT^m18>xoxXUOUEUlr7P|JxP4t5+bllspszd! zUCy5-5^_e{3T3%=LBn@A4P!lK_g!CUm|-w$8B zFkD~X@wU{vdC?LK@7A0+_qt=Aiw7sTn=&8xt@#Xo^Pjb?9KZIruPkl@-}L>|)pG9{ zcl=oE`f}mq+v}zwj}LZwc*%CYx>g=(#w2uW0;r=!oqEoggikh-X+9GV;9Z@nOga6R zE-*v`5EYV_lbx#`qK*^eoigHSlo2onDvhOTBUb;)4p&0t#5bOXbs6L?fS~p6nU0sF-gr`!|Zjw zY{|*1KlLrP3Gd*HoSpdAWFF8r!y! 
z9qXnY`%4)c9TrX$=8n_XSW&^cYi@R_2ztBrX=uE6h|;*TdP6eam+$;$YhM?i`IM9( zw^hseY2U$Kl3$wjKu&itFm4rF9(@E>4ov>%I)LB;mhgo5NW?eB%&(?zeTEEd8?rYs zD}BD@n|;2)vA=SaGbkY&v+vo*oDjDU!fch@;TLt1=&efd|D3Vg{E?#LOla35Cw+0Z(joo5iH&%|-@6{pYg$jSyt6#T&3z(8 zRY@2V_r_zXrZ(H$y4YwFDF`_usVQDIl}yrzOE~{LB9o$LDXOm%IekEf6dmHWRIWGL znLtui)Tmy06UMN}GCkOP5X$cDk=^hvn{wnZb6a8d;yc6pkv?Ujo941oE;_7F+|If# z=Um2)O7toT1We1Gra)j*m-9z5n#ORC42aBUfl$rf=x#Wr`00#ypIAAN)7{~JG42(X z%D-u{R#wq_$7}gk+!Hr(x4e;{@S4r1#v&Ubx@#p1_P_Y*XydkXd9y^gjC3V7iGgL< zc^$C~#W1#YMnwJ)jWqo@q zG_ckuBqpTMOUKPB39E-iEFOfp|G{EyG$*Tux7SVgl~<&M+=PW6?d9zAR=vIRzJ&v> z*_{w;wmJQga3adHtUk>>;X;&|4;p1(X%qFB%yT(aTkv4SXo2<)bJmV=F@fslIWYm5 zWA&x_X4aLOvQAbKI3Daq$9+Bg{OCy} ztNMKwmuHbuF_YgrT_>48{W%H~P$Fip8EV^}fpNXoKg@4*sws9CUy^0?X49|UIm62A zRhRi;RzdWH)Y{FJswZKQ81~T{OEm{E`jWTDB&nC|zzMn$cED{gtfDFrh}>HWxTH~41X1)(<- z$mLKX%R&^bA}4EjSfeHwEQ?6ydC&}(_d(gOuFdxZcT=%I5sEZy_Bva_wmo_hztWjH zm~5TfVwnQ< zb7NoEbc?dzt}g=#j@_+ep|nG|;zD-BmAG*X({d%{0mW4~SDAVA<>)k7Q`BKW85;>- zkJ1h@yJP#Tg_Bh;gR;p?y$h+pGAxw#P=Q-2eEp~T`)t4ErZ;|z_k5U_*zc|Hp1<8! 
zMBts2yxjpe;njyo;8Z#&&&6gP_4v^jwkpAHpJm+FkIj!KEG;C)E?CA(L$kIX&L5j= zz573?jeZg^7K3-PWrrd8j<~e@s86GLi6V{fS@N>p{L7?GF zHrwdWv-;Ka7*ho-4K1@K7%!DvIF}J?$u%kc;y}bsg=QuivCCh#`Ii3emhwO~f}!av z;x+E%XO`pAh#i@pE|;BSR$86k*AzzeMj@P z#;z=S^PbXRY?V?fPxL#|%cnJ|yoNe6doU9s zbGo_I>ES5~ux~HuhXirUmOHrM}g(|MNff#1!EU$K5l0CMhx)T~B~D6pY@Ksx~aQa2Kh0h0=- zPrj`72MHid1rVY;z#8P?qF2YfDITB+*%+i0NC2$Gg zZTKB}i9JOP=@>O^*?dS8ri{!8Rvr?(`QJod;((}|UJk79G>~i5Q-M(e3EsSzDyTeh z@jpSK?QKCP!6S#3i-yo=Ep99(4_qq9!0xa)i0gL@5Rf+!JZZ?X@znT z0KOHhq^j?Q;Ctgm;7Nt#w6-d0mFqm$qi7-!?wvvF=<1*C+Lo-qG&^OP3v`c(Bss+r zyaCqbM#@E1)xdVeGj|5Som$!Hf9jAUqa5mOb?PUG%t0y*a%Q zhV+t6MOp~QHCm$qMm%8+o~$kB(K2UhAWlbw-^3JQqRfpv;lWcCSo8TydirSy7VE2D zo?qy6%B*I%L6Se3ZC-A+zn2jGxdy@yyf`dLUeUStB^l~&$&6Sm7QK14nb4YAsNBe9 zE0_1|kj&Bx_*0&8=e8#3*rm+CiSc*m>(IZ10T{R{tLv!~)R?qKo_tMqgabE!RZQ_r>u z$DH8TIW_}fcPLhOZa27cDFe`x_Th*6BCVDaZ0YYhjT%z5*fo2!Q1k=;`U9 z6;YlIBsJ8dg&TgIJb$J5b2>ellMzMEurw@)f*`)LrHV>Gb8n$T%~#ik_fe`+!4vi$px%*?8h-W!TuO%3Jn=e%fq3ep*lKM%*|Go*)Lw4Y`H3m${FnH_)i;jz_5r%6jFjV55ks2Vn$gZnM}vg7Z&oyzG3;)coGLlDbf17sWxB=Mkq2}CtP z7Shn%rQ)^zFLD8J4h*I#M2Wz+6z?qbSosBk#=S^1H3n)NjC3%ZoXN203%h@9!E8P# z(b$YCDfZtB0{j`IW&mVENJz+4MIw`7VE~MQF7afElK_|5P!%Dc$y81}Gyn7Fv*@;5 z^GFhbfs~ep^?+`E&Fzq5`IgRr0TyXntOP)7g-c8ev|F-{E1P8?xDRas5sdNd(Hckk zcUSwou-{Xammod32;2#9rCxv??CsZSgr-57GRr6)9x{{#jvaea$(QE_DiyFT%v%7J zKXJ}y^}gTVZ3BGtsY{P5KYSRS_XNQ*GGasK!C(WR6wE%QK|NkCQI0TB(t6bD_~CV_Xr3c}?;(2+h2&303GnkJb<`Iuo5=Hj3; zlXB<5{k```k1qduua006?{Vhen#3jF+o974UhFd^|KpHVJXo4k%Zw*Ow`bgbLY#6S z7$Cm`pD`_jZ`dc$jx7_Cf$$Xd6Ss7Abq~e>!Uu{#8z6Z{x_;?AZt196(Vp-1NSObf zG)zPVge8Ji6+_q@^s-ekwpeJt2v9s8rf17w4+K(DUb|1nqt2C;mBGLYb>}qT*nQVt z?QsHx7lQ9-COmR_?-q1t1r`m)nu>ojt%6YYDT>+;cV``>pU+S Date: Thu, 5 Oct 2023 15:06:45 +0300 Subject: [PATCH 106/127] chore: add xroad-base restart during installation This solves an issue where grpc keystore is missing as xroad-base was not reinitialized Refs: XRDDEV-2468 --- src/packages/src/xroad/redhat/SPECS/xroad-base.spec | 4 ++++ 
src/packages/src/xroad/ubuntu/generic/xroad-base.postinst | 3 +++ 2 files changed, 7 insertions(+) diff --git a/src/packages/src/xroad/redhat/SPECS/xroad-base.spec b/src/packages/src/xroad/redhat/SPECS/xroad-base.spec index 14e67f46ed..7308fe45cd 100644 --- a/src/packages/src/xroad/redhat/SPECS/xroad-base.spec +++ b/src/packages/src/xroad/redhat/SPECS/xroad-base.spec @@ -192,4 +192,8 @@ if [ $1 -gt 1 ] ; then fi fi +# restart is required to trigger any changes within xroad-base.sh +%postun +%systemd_postun_with_restart xroad-base.service + %changelog diff --git a/src/packages/src/xroad/ubuntu/generic/xroad-base.postinst b/src/packages/src/xroad/ubuntu/generic/xroad-base.postinst index 8abb4fd95a..2e635604c9 100644 --- a/src/packages/src/xroad/ubuntu/generic/xroad-base.postinst +++ b/src/packages/src/xroad/ubuntu/generic/xroad-base.postinst @@ -63,6 +63,9 @@ if [ "$1" = configure ]; then test -d /etc/xroad/backup.d || mkdir -p /etc/xroad/backup.d chmod 0750 /etc/xroad/backup.d chown -R xroad:xroad /etc/xroad/backup.d + + # restart is required to trigger any changes within xroad-base.sh + invoke-rc.d --quiet xroad-base try-restart || true fi if [ "$1" = triggered ]; then From 23d72eec13f4c107f0c09f2f271b23f12d208f73 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Fri, 6 Oct 2023 11:53:13 +0300 Subject: [PATCH 107/127] chore: enable ForkJoinPool executors for grpc client/server Refs: XRDDEV-2468 --- .../java/org/niis/xroad/common/rpc/client/RpcClient.java | 5 ++++- .../java/org/niis/xroad/common/rpc/server/RpcServer.java | 6 ++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java index 427d663801..18998ddb56 100644 --- a/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java 
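Review bot: `try-restart` in the added postinst line only restarts a unit that is already running, so on a host where xroad-base is stopped or failed at configure time the re-initialisation this commit relies on would not happen, and `--quiet` together with `|| true` hides that outcome. Since the commit message ties the restart to a missing gRPC keystore, I would at least report the failure, e.g. `invoke-rc.d --quiet xroad-base try-restart || echo "xroad-base restart failed; gRPC keystore may not be initialised" >&2`. Whether a plain `restart` is safe depends on the unit definition, which is not visible here. The RPM hunk's `%systemd_postun_with_restart` has the same try-restart semantics and runs only on upgrade.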
+++ b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java @@ -44,6 +44,8 @@ import org.niis.xroad.common.rpc.RpcCredentialsConfigurer; import org.niis.xroad.rpc.error.CodedExceptionProto; +import java.util.concurrent.ForkJoinPool; + import static ee.ria.xroad.common.ErrorCodes.SIGNER_X; import static java.util.concurrent.TimeUnit.MILLISECONDS; @@ -83,8 +85,9 @@ public ClientCall interceptCall( } }; - ManagedChannel channel = Grpc.newChannelBuilderForAddress(host, port, credentials) + final ManagedChannel channel = Grpc.newChannelBuilderForAddress(host, port, credentials) .intercept(timeoutInterceptor) + .executor(ForkJoinPool.commonPool()) .build(); var executionContext = contextFactory.createContext(channel); diff --git a/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/server/RpcServer.java b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/server/RpcServer.java index 3c7ab11192..c0fd6278c0 100644 --- a/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/server/RpcServer.java +++ b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/server/RpcServer.java @@ -42,6 +42,7 @@ import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.UnrecoverableKeyException; +import java.util.concurrent.ForkJoinPool; import java.util.function.Consumer; /** @@ -52,9 +53,10 @@ public class RpcServer implements StartStop { private final Server server; public RpcServer(final String host, final int port, final ServerCredentials creds, final Consumer> configFunc) { - ServerBuilder builder = NettyServerBuilder.forAddress(new InetSocketAddress(host, port), creds); - configFunc.accept(builder); + ServerBuilder builder = NettyServerBuilder.forAddress(new InetSocketAddress(host, port), creds) + .executor(ForkJoinPool.commonPool()); + configFunc.accept(builder); server = builder.build(); } From bde5f5162457ab7ddbccb6deb48a0a78ac5f6230 Mon Sep 17 00:00:00 2001 
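Review bot: `.executor(ForkJoinPool.commonPool())` on the RpcClient channel builder hands gRPC callbacks to the JVM-wide common pool, whose parallelism is derived from the CPU count and which is shared with parallel streams and default `CompletableFuture` work. If any handler blocks (signer calls presumably do), a few slow requests can stall every other RPC and unrelated code in the same process; the RpcServer constructor hunk in this patch has the same exposure. A dedicated, bounded, named executor owned by the class and shut down in its stop path would isolate this, e.g. `Executors.newFixedThreadPool(n, threadFactory)` with `n` taken from configuration. Both enclosing methods start outside the hunks.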
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Mon, 9 Oct 2023 10:10:21 +0300 Subject: [PATCH 108/127] chore: disable rpc server epoll and enable nio implementation epoll has huge performance issues in some aws instances, it is requires detailed investigation, but in general NIO performance is sufficient for our use cases. Refs: XRDDEV-2468 --- .../org/niis/xroad/common/rpc/server/RpcServer.java | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/server/RpcServer.java b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/server/RpcServer.java index c0fd6278c0..13bc2d45ab 100644 --- a/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/server/RpcServer.java +++ b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/server/RpcServer.java @@ -33,6 +33,9 @@ import io.grpc.ServerBuilder; import io.grpc.ServerCredentials; import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder; +import io.grpc.netty.shaded.io.netty.channel.nio.NioEventLoopGroup; +import io.grpc.netty.shaded.io.netty.channel.socket.nio.NioServerSocketChannel; +import io.grpc.netty.shaded.io.netty.util.concurrent.DefaultThreadFactory; import lombok.extern.slf4j.Slf4j; import org.niis.xroad.common.rpc.InsecureRpcCredentialsConfigurer; import org.niis.xroad.common.rpc.RpcCredentialsConfigurer; 
@@ -53,7 +56,14 @@ public class RpcServer implements StartStop { private final Server server; public RpcServer(final String host, final int port, final ServerCredentials creds, final Consumer> configFunc) { + final var bossGroupThreadFactory = new DefaultThreadFactory("rpc-server-nio-boss-ELG", true); + final var workerGroupThreadFactory = new DefaultThreadFactory("rpc-server-nio-worker-ELG", true); + ServerBuilder builder = NettyServerBuilder.forAddress(new InetSocketAddress(host, port), creds) + .channelType(NioServerSocketChannel.class) + .channelFactory(NioServerSocketChannel::new) + .bossEventLoopGroup(new NioEventLoopGroup(1, bossGroupThreadFactory)) + .workerEventLoopGroup(new NioEventLoopGroup(0, workerGroupThreadFactory)) .executor(ForkJoinPool.commonPool()); configFunc.accept(builder); From c2d50edaba776381361005975c126fa93945138a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Sat, 14 Oct 2023 10:55:32 +0300 Subject: [PATCH 109/127] chore: use junit-vintage-engine globally to replace junit4.x --- src/addons/op-monitoring/build.gradle | 1 + src/build.gradle | 8 +++++++- src/central-server/registration-service/build.gradle | 4 ---- src/common/common-test/build.gradle | 4 ++-- src/gradle.properties | 4 ++-- src/monitor-common/build.gradle | 2 -- src/security-server/admin-service/ui/package-lock.json | 4 ++-- 7 files changed, 14 insertions(+), 13 deletions(-) diff --git a/src/addons/op-monitoring/build.gradle b/src/addons/op-monitoring/build.gradle index 075c2e834a..9ac51e2337 100644 --- a/src/addons/op-monitoring/build.gradle +++ b/src/addons/op-monitoring/build.gradle @@ -5,6 +5,7 @@ dependencies { implementation project(':common:common-util') implementation project(':serverconf') + testImplementation project(':common:common-test') testImplementation 'commons-cli:commons-cli:1.4' } diff --git a/src/build.gradle b/src/build.gradle index 04e2e9cf6a..6e760fcb31 100644 --- a/src/build.gradle +++ b/src/build.gradle 
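Review bot: The two `NioEventLoopGroup` instances are created inline in the RpcServer constructor and no reference is kept, so nothing can shut them down when the server stops; gRPC does not take ownership of groups supplied through `bossEventLoopGroup`/`workerEventLoopGroup`. The daemon flag on the thread factories keeps them from blocking JVM exit, but every RpcServer that is created and stopped in-process (tests, restarts) leaves its selector threads behind. I would keep both groups in fields and call `bossGroup.shutdownGracefully(); workerGroup.shutdownGracefully();` from `stop()`, which is outside this hunk. Setting `channelType` and then `channelFactory` also looks redundant, since the second call replaces what the first configured.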
@@ -188,7 +188,9 @@ configure(subprojects.findAll { !["frontend", "shared-ui", "shared-ui-3", "ui"]. testImplementation 'org.hamcrest:hamcrest:2.2' testImplementation 'org.hamcrest:hamcrest-library:2.2' - testImplementation "junit:junit:$junitVersion" + + testImplementation("org.junit.jupiter:junit-jupiter-engine:$junitVersion") + testImplementation("org.junit.vintage:junit-vintage-engine:$junitVersion") compileOnly "org.projectlombok:lombok:${lombokVersion}" annotationProcessor "org.projectlombok:lombok:${lombokVersion}" @@ -200,6 +202,10 @@ configure(subprojects.findAll { !["frontend", "shared-ui", "shared-ui-3", "ui"]. intTestAnnotationProcessor "org.projectlombok:lombok:${lombokVersion}" } + test { + useJUnitPlatform() + } + task testJar(type: Jar) { classifier 'test' from sourceSets.test.output diff --git a/src/central-server/registration-service/build.gradle b/src/central-server/registration-service/build.gradle index 76d70a057a..42823ee2b5 100644 --- a/src/central-server/registration-service/build.gradle +++ b/src/central-server/registration-service/build.gradle @@ -57,7 +57,3 @@ dependencies { testImplementation('com.github.tomakehurst:wiremock-jre8:2.33.1') } -test { - useJUnitPlatform() -} - diff --git a/src/common/common-test/build.gradle b/src/common/common-test/build.gradle index 636579a36c..8f0254b739 100644 --- a/src/common/common-test/build.gradle +++ b/src/common/common-test/build.gradle @@ -7,8 +7,8 @@ dependencies { implementation project(':common:common-verifier') implementation 'org.antlr:ST4:4.0.7' // JUnit is needed for ExpectedCodedException - implementation "junit:junit:$junitVersion" - api "org.mockito:mockito-core:$mockitoVersion" + implementation "org.junit.vintage:junit-vintage-engine:$junitVersion" + api "org.mockito:mockito-junit-jupiter:$mockitoVersion" api("org.awaitility:awaitility:$awaitilityVersion") implementation "io.vavr:vavr:$vavrVersion" 
diff --git a/src/gradle.properties b/src/gradle.properties index 9ddefed848..126f321cf4 100644 --- a/src/gradle.properties +++ b/src/gradle.properties @@ -32,11 +32,11 @@ mockito.version=${mockitoVersion} cxfVersion=3.4.10 xercesVersion=2.12.2 woodstoxVersion=6.4.0 -springBootVersion=2.7.12 +springBootVersion=2.7.16 springDependenciesVersion=1.1.0 springCloudVersion=2021.0.5 openFeignVersion=11.10 -junitVersion=4.13.2 +junitVersion=5.8.2 guavaVersion=32.0.1-jre guava.version=${guavaVersion} vavrVersion=0.10.4 diff --git a/src/monitor-common/build.gradle b/src/monitor-common/build.gradle index bfca70b037..e97a2b8fab 100644 --- a/src/monitor-common/build.gradle +++ b/src/monitor-common/build.gradle @@ -17,8 +17,6 @@ dependencies { api project(':common:common-rpc') implementation "com.google.guava:guava:$guavaVersion" implementation "org.slf4j:slf4j-api:$slf4jVersion" - - testImplementation "junit:junit:$junitVersion" } protobuf { diff --git a/src/security-server/admin-service/ui/package-lock.json b/src/security-server/admin-service/ui/package-lock.json index d3f9c1471c..a29961bf89 100644 --- a/src/security-server/admin-service/ui/package-lock.json +++ b/src/security-server/admin-service/ui/package-lock.json @@ -2782,7 +2782,7 @@ "node_modules/@niis/shared-ui": { "version": "0.1.0", "resolved": "file:../../../shared-ui/niis-shared-ui-0.1.0.tgz", - "integrity": "sha512-IFTTqGFNLYhv9hh7EoY/VJfuxy3HyJZMaaH5MHjG04MTXO7uYPxOMevvkwM8cHyjV0eTKn+dFU8PF0ggZT19qQ==", + "integrity": "sha512-sFAe/6NXrcZI2CXc2r4syDYqopdDvKfufAETrS7BPruDdq4R6odL3WCW63q7g8iMGa5RsURY2zAVezhO+KR3xg==", "dependencies": { "@fontsource/open-sans": "~4.5.0", "@mdi/font": "~6.5.95", 
@@ -27980,7 +27980,7 @@ }, "@niis/shared-ui": { "version": "file:../../../shared-ui/niis-shared-ui-0.1.0.tgz", - "integrity": "sha512-IFTTqGFNLYhv9hh7EoY/VJfuxy3HyJZMaaH5MHjG04MTXO7uYPxOMevvkwM8cHyjV0eTKn+dFU8PF0ggZT19qQ==", + "integrity": "sha512-sFAe/6NXrcZI2CXc2r4syDYqopdDvKfufAETrS7BPruDdq4R6odL3WCW63q7g8iMGa5RsURY2zAVezhO+KR3xg==", "requires": { "@fontsource/open-sans": "~4.5.0", "@mdi/font": "~6.5.95", From 6481d83cdbb814e29aed5b805f04e7591617ec36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Sat, 14 Oct 2023 11:10:27 +0300 Subject: [PATCH 110/127] chore: refactor OpMonitoring buffer Making implementation more readable and predictable. Refs: XRDDEV-2468 --- .../opmonitoring/OpMonitoringBuffer.java | 195 +++++------------- .../OpMonitoringDaemonSender.java | 41 +++- .../OpMonitoringDataProcessor.java | 95 +++++++++ .../opmonitoring/OpMonitoringBufferTest.java | 163 +++++++++++++-- .../src/test/resources/logback.xml | 16 ++ 5 files changed, 334 insertions(+), 176 deletions(-) create mode 100644 src/addons/op-monitoring/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringDataProcessor.java create mode 100644 src/addons/op-monitoring/src/test/resources/logback.xml diff --git a/src/addons/op-monitoring/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringBuffer.java b/src/addons/op-monitoring/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringBuffer.java index c236e61490..bd4328dc17 100644 --- a/src/addons/op-monitoring/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringBuffer.java +++ b/src/addons/op-monitoring/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringBuffer.java 
@@ -25,35 +25,21 @@ */ package ee.ria.xroad.proxy.opmonitoring; -import ee.ria.xroad.common.conf.serverconf.ServerConf; import ee.ria.xroad.common.opmonitoring.AbstractOpMonitoringBuffer; -import ee.ria.xroad.common.opmonitoring.OpMonitoringDaemonHttpClient; import ee.ria.xroad.common.opmonitoring.OpMonitoringData; import ee.ria.xroad.common.opmonitoring.OpMonitoringSystemProperties; -import ee.ria.xroad.common.opmonitoring.StoreOpMonitoringDataRequest; -import ee.ria.xroad.common.util.JsonUtils; -import ee.ria.xroad.common.util.TimeUtils; -import com.fasterxml.jackson.core.JsonProcessingException; -import com.fasterxml.jackson.databind.ObjectWriter; -import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; -import org.apache.commons.io.IOUtils; -import org.apache.http.impl.client.CloseableHttpClient; -import java.net.NetworkInterface; -import java.util.HashSet; -import java.util.LinkedHashMap; -import java.util.Map; -import java.util.Set; +import java.util.ArrayList; +import java.util.List; +import java.util.concurrent.BlockingDeque; import java.util.concurrent.ExecutorService; import java.util.concurrent.Executors; +import java.util.concurrent.LinkedBlockingDeque; import java.util.concurrent.ScheduledExecutorService; import java.util.concurrent.TimeUnit; -import static java.net.NetworkInterface.getNetworkInterfaces; -import static java.util.Collections.list; - /** * Operational monitoring buffer. This buffer is used for gathering * operational data and for periodically sending the data to the operational 
@@ -61,50 +47,15 @@ */ @Slf4j public class OpMonitoringBuffer extends AbstractOpMonitoringBuffer { - private static final String NO_ADDRESS_FOUND = "No suitable IP address is bound to the network interface "; - private static final String NO_INTERFACE_FOUND = "No non-loopback network interface found"; - - private static final long MAX_BUFFER_SIZE = OpMonitoringSystemProperties.getOpMonitorBufferSize(); - - private static final int MAX_RECORDS_IN_MESSAGE = - OpMonitoringSystemProperties.getOpMonitorBufferMaxRecordsInMessage(); - private static final long SENDING_INTERVAL_SECONDS = - OpMonitoringSystemProperties.getOpMonitorBufferSendingIntervalSeconds(); - - private static final int CLIENT_CONNECTION_TIMEOUT_MILLISECONDS = TimeUtils.secondsToMillis( - OpMonitoringSystemProperties.getOpMonitorBufferConnectionTimeoutSeconds()); - - private static final int CLIENT_SOCKET_TIMEOUT_MILLISECONDS = TimeUtils.secondsToMillis( - OpMonitoringSystemProperties.getOpMonitorBufferSocketTimeoutSeconds()); - - private static final ObjectWriter OBJECT_WRITER = JsonUtils.getObjectWriter(); + private final int maxBufferSize = OpMonitoringSystemProperties.getOpMonitorBufferSize(); + private final int maxRecordsInMessage = OpMonitoringSystemProperties.getOpMonitorBufferMaxRecordsInMessage(); private final ExecutorService executorService; private final ScheduledExecutorService taskScheduler; - - final Map buffer = - new LinkedHashMap<>() { - @Override - protected boolean removeEldestEntry(Map.Entry eldest) { - boolean overflow = size() > MAX_BUFFER_SIZE; - - if (overflow) { - log.warn("Operational monitoring buffer overflow, removing eldest record: {}", eldest.getKey()); - } - - return overflow; - } - }; - - private long bufferIndex = 0; - - private final Set processedBufferIndices = new HashSet<>(); - - private final CloseableHttpClient httpClient; - + private final OpMonitoringDataProcessor opMonitoringDataProcessor; private final OpMonitoringDaemonSender sender; - private static String 
ipAddress; + final BlockingDeque buffer = new LinkedBlockingDeque<>(); /** * Constructor. 
@@ -112,48 +63,48 @@ protected boolean removeEldestEntry(Map.Entry eldest) { * @throws Exception if an error occurs */ public OpMonitoringBuffer() throws Exception { - if (ignoreOpMonitoringData()) { log.info("Operational monitoring buffer is switched off, no operational monitoring data is stored"); - httpClient = null; sender = null; executorService = null; taskScheduler = null; + opMonitoringDataProcessor = null; } else { - httpClient = createHttpClient(); sender = createSender(); - executorService = Executors.newSingleThreadExecutor(); taskScheduler = Executors.newSingleThreadScheduledExecutor(); + opMonitoringDataProcessor = createDataProcessor(); } } - CloseableHttpClient createHttpClient() throws Exception { - return OpMonitoringDaemonHttpClient.createHttpClient(ServerConf.getSSLKey(), 1, 1, - CLIENT_CONNECTION_TIMEOUT_MILLISECONDS, CLIENT_SOCKET_TIMEOUT_MILLISECONDS); + OpMonitoringDataProcessor createDataProcessor() { + return new OpMonitoringDataProcessor(); } - OpMonitoringDaemonSender createSender() { - return new OpMonitoringDaemonSender(this, httpClient); + OpMonitoringDaemonSender createSender() throws Exception { + return new OpMonitoringDaemonSender(this); } @Override - public void store(final OpMonitoringData data) throws Exception { + public void store(final OpMonitoringData data) { if (ignoreOpMonitoringData()) { return; } - executorService.execute(() -> { try { - if (ignoreOpMonitoringData()) { - return; + data.setSecurityServerInternalIp(opMonitoringDataProcessor.getIpAddress()); + + buffer.addLast(data); + if (buffer.size() > maxBufferSize) { + synchronized (buffer) { + if (buffer.size() > maxBufferSize) { + buffer.removeFirst(); + log.warn("Operational monitoring buffer overflow (limit: {}), removing oldest record. 
Current size: {}", + maxBufferSize, buffer.size()); + } + } } - - data.setSecurityServerInternalIp(getIpAddress()); - - buffer.put(getNextBufferIndex(), data); - sendInternal(); } catch (Exception e) { log.error("Failed to process OpMonitoringData..", e); 
@@ -171,59 +122,36 @@ private void send() { }); } - private void sendInternal() throws Exception { + private void sendInternal() { if (!canSend()) { return; } - String json = prepareMonitoringMessage(); + final List dataToProcess = new ArrayList<>(); - sender.sendMessage(json); - } - - private boolean canSend() { - return !buffer.isEmpty() && processedBufferIndices.isEmpty(); - } - - private String prepareMonitoringMessage() throws JsonProcessingException { - StoreOpMonitoringDataRequest request = new StoreOpMonitoringDataRequest(); - - for (Map.Entry entry : buffer.entrySet()) { - processedBufferIndices.add(entry.getKey()); - request.addRecord(entry.getValue().getData()); - - if (request.getRecords().size() == MAX_RECORDS_IN_MESSAGE) { - break; - } + buffer.drainTo(dataToProcess, maxRecordsInMessage); + if (log.isDebugEnabled()) { + log.debug("Op monitoring remaining buffer records count {}", buffer.size()); } - log.debug("Op monitoring buffer records count: {}", buffer.size()); + sender.sendMessage(dataToProcess); + } - return OBJECT_WRITER.writeValueAsString(request); + private boolean canSend() { + return !buffer.isEmpty() && sender.isReady(); } - void sendingSuccess() { - processedBufferIndices.forEach(buffer::remove); - processedBufferIndices.clear(); + void sendingSuccess(int count) { + log.trace("Sent {} messages from buffer", count); if (canSend()) { send(); } } - void sendingFailure() { - processedBufferIndices.clear(); - // Do not worry, scheduled sending retries.. - } - - long getNextBufferIndex() { - bufferIndex = bufferIndex == Long.MAX_VALUE ? 0 : bufferIndex + 1; - - return bufferIndex; - } - - private void scheduleSendMonitoringData() { - taskScheduler.scheduleWithFixedDelay(this::send, SENDING_INTERVAL_SECONDS, SENDING_INTERVAL_SECONDS, TimeUnit.SECONDS); + void sendingFailure(List failedData) { + failedData.forEach(buffer::addFirst); + // Do not worry, scheduled sending retries. } @Override 
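Review bot: `failedData.forEach(buffer::addFirst)` in `sendingFailure` puts a failed batch back in reverse order and without the size check that `store()` applies, so after a failed send the deque can stay above `maxBufferSize` by up to one batch and the records are retried out of sequence. Iterating backwards keeps the original order: `for (int i = failedData.size() - 1; i >= 0; i--) { buffer.addFirst(failedData.get(i)); }`. Trimming to `maxBufferSize` here as well, with the same warning `store()` logs, would keep the configured limit in force while the monitoring daemon is unreachable.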
@@ -232,14 +160,13 @@ public void start() { return; } - scheduleSendMonitoringData(); + var sendingIntervalSeconds = OpMonitoringSystemProperties.getOpMonitorBufferSendingIntervalSeconds(); + taskScheduler.scheduleWithFixedDelay(this::send, sendingIntervalSeconds, sendingIntervalSeconds, TimeUnit.SECONDS); + } @Override public void stop() { - if (httpClient != null) { - IOUtils.closeQuietly(httpClient); - } if (executorService != null) { executorService.shutdown(); } @@ -253,41 +180,11 @@ public void stop() { } private boolean ignoreOpMonitoringData() { - return MAX_BUFFER_SIZE < 1; - } - - private static String getIpAddress() { - try { - if (ipAddress == null) { - NetworkInterface ni = list(getNetworkInterfaces()).stream() - .filter(OpMonitoringBuffer::isNonLoopback) - .findFirst() - .orElseThrow(() -> new Exception(NO_INTERFACE_FOUND)); - - Exception addressNotFound = new Exception(NO_ADDRESS_FOUND + ni.getDisplayName()); - - ipAddress = list(ni.getInetAddresses()).stream() - .filter(addr -> !addr.isLinkLocalAddress()) - .findFirst() - .orElseThrow(() -> addressNotFound) - .getHostAddress(); - - if (ipAddress == null) { - throw addressNotFound; - } - } - - return ipAddress; - } catch (Exception e) { - log.error("Cannot get IP address of a non-loopback network interface", e); - - return "0.0.0.0"; - } + return maxBufferSize < 1; } - @SneakyThrows - private static boolean isNonLoopback(NetworkInterface ni) { - return !ni.isLoopback() && ni.isUp(); + int getCurrentBufferSize() { + return buffer.size(); } } diff --git a/src/addons/op-monitoring/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringDaemonSender.java b/src/addons/op-monitoring/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringDaemonSender.java index 5fdd2d28ee..cb57ad808b 100644 --- a/src/addons/op-monitoring/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringDaemonSender.java +++ b/src/addons/op-monitoring/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringDaemonSender.java 
@@ -25,7 +25,10 @@ */ package ee.ria.xroad.proxy.opmonitoring; +import ee.ria.xroad.common.conf.serverconf.ServerConf; import ee.ria.xroad.common.opmonitoring.OpMonitoringDaemonEndpoints; +import ee.ria.xroad.common.opmonitoring.OpMonitoringDaemonHttpClient; +import ee.ria.xroad.common.opmonitoring.OpMonitoringData; import ee.ria.xroad.common.opmonitoring.OpMonitoringSystemProperties; import ee.ria.xroad.common.opmonitoring.StoreOpMonitoringDataResponse; import ee.ria.xroad.common.util.HttpSender; @@ -43,8 +46,10 @@ import java.net.URI; import java.net.URISyntaxException; +import java.util.List; import java.util.concurrent.ExecutorService; import java.util.concurrent.Executors; +import java.util.concurrent.atomic.AtomicBoolean; import static ee.ria.xroad.common.opmonitoring.StoreOpMonitoringDataResponse.STATUS_ERROR; import static ee.ria.xroad.common.opmonitoring.StoreOpMonitoringDataResponse.STATUS_OK; 
@@ -64,31 +69,40 @@ public class OpMonitoringDaemonSender implements StartStop { private static final int SOCKET_TIMEOUT_MILLISECONDS = TimeUtils.secondsToMillis( OpMonitoringSystemProperties.getOpMonitorBufferSocketTimeoutSeconds()); + private final OpMonitoringDataProcessor opMonitoringDataProcessor = new OpMonitoringDataProcessor(); private final OpMonitoringBuffer opMonitoringBuffer; private final CloseableHttpClient httpClient; private final ExecutorService executorService = Executors.newSingleThreadExecutor(); + private final AtomicBoolean processing = new AtomicBoolean(false); - OpMonitoringDaemonSender(OpMonitoringBuffer opMonitoringBuffer, CloseableHttpClient httpClient) { - this.httpClient = httpClient; + OpMonitoringDaemonSender(OpMonitoringBuffer opMonitoringBuffer) throws Exception { + this.httpClient = createHttpClient(); this.opMonitoringBuffer = opMonitoringBuffer; } - void sendMessage(String json) { - log.trace("onReceive: {}", json); - + void sendMessage(final List dataToProcess) { executorService.execute(() -> { try { + processing.set(true); + var json = opMonitoringDataProcessor.prepareMonitoringMessage(dataToProcess); + log.trace("onReceive: {}", json); + send(json); - opMonitoringBuffer.sendingSuccess(); + + processing.set(false); + opMonitoringBuffer.sendingSuccess(dataToProcess.size()); } catch (Exception e) { log.error("Sending operational monitoring data failed", e); - - opMonitoringBuffer.sendingFailure(); + processing.set(false); + opMonitoringBuffer.sendingFailure(dataToProcess); } }); } + public boolean isReady() { + return Boolean.FALSE.equals(processing.get()); + } private void send(String json) throws Exception { try (HttpSender sender = new HttpSender(httpClient)) { 
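Review bot: `processing.set(true)` runs inside the task submitted by `sendMessage`, so `isReady()` still returns true between submission and the moment the single sender thread picks the task up; in that window `OpMonitoringBuffer.canSend()` can pass again and a further batch is drained and queued behind the first. Setting the flag before `executorService.execute(...)` closes the window, and the reset ahead of the `sendingSuccess`/`sendingFailure` callbacks can stay as it is. `isReady()` can then simply be `return !processing.get();`.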
@@ -127,6 +141,13 @@ private URI getAddress() throws URISyntaxException { OpMonitoringDaemonEndpoints.STORE_DATA_PATH, null, null); } + CloseableHttpClient createHttpClient() throws Exception { + return OpMonitoringDaemonHttpClient.createHttpClient(ServerConf.getSSLKey(), + 1, 1, + TimeUtils.secondsToMillis(OpMonitoringSystemProperties.getOpMonitorBufferConnectionTimeoutSeconds()), + TimeUtils.secondsToMillis(OpMonitoringSystemProperties.getOpMonitorBufferSocketTimeoutSeconds())); + } + @Override public void start() { //No-OP @@ -135,6 +156,10 @@ public void start() { @Override public void stop() { executorService.shutdown(); + + if (httpClient != null) { + IOUtils.closeQuietly(httpClient); + } } @Override diff --git a/src/addons/op-monitoring/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringDataProcessor.java b/src/addons/op-monitoring/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringDataProcessor.java new file mode 100644 index 0000000000..ab037ac575 --- /dev/null +++ b/src/addons/op-monitoring/src/main/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringDataProcessor.java 
@@ -0,0 +1,95 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ +package ee.ria.xroad.proxy.opmonitoring; + +import ee.ria.xroad.common.opmonitoring.OpMonitoringData; +import ee.ria.xroad.common.opmonitoring.StoreOpMonitoringDataRequest; +import ee.ria.xroad.common.util.JsonUtils; + +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.ObjectWriter; +import lombok.SneakyThrows; +import lombok.extern.slf4j.Slf4j; + +import java.net.NetworkInterface; +import java.util.List; + +import static java.net.NetworkInterface.getNetworkInterfaces; +import static java.util.Collections.list; + +@Slf4j +public class OpMonitoringDataProcessor { + private static final ObjectWriter OBJECT_WRITER = JsonUtils.getObjectWriter(); + + private static final String NO_ADDRESS_FOUND = "No suitable IP address is bound to the network interface "; + private static final String NO_INTERFACE_FOUND = "No non-loopback network interface found"; + + private String ipAddress; + + String prepareMonitoringMessage(List dataToProcess) throws JsonProcessingException { + StoreOpMonitoringDataRequest request = new StoreOpMonitoringDataRequest(); + + for (OpMonitoringData data : dataToProcess) { + request.addRecord(data.getData()); + } + + return OBJECT_WRITER.writeValueAsString(request); + } + + String getIpAddress() { + try { + if (ipAddress == null) { + NetworkInterface ni = list(getNetworkInterfaces()).stream() + .filter(OpMonitoringDataProcessor::isNonLoopback) + .findFirst() + .orElseThrow(() -> new Exception(NO_INTERFACE_FOUND)); + + Exception addressNotFound = new Exception(NO_ADDRESS_FOUND + ni.getDisplayName()); + + ipAddress = list(ni.getInetAddresses()).stream() + .filter(addr -> !addr.isLinkLocalAddress()) + .findFirst() + .orElseThrow(() -> addressNotFound) + .getHostAddress(); + + if (ipAddress == null) { + throw addressNotFound; + } + } + + return ipAddress; + } catch (Exception e) { + log.error("Cannot get IP address of a non-loopback network interface", e); + + return "0.0.0.0"; + } + } + + @SneakyThrows 
+ private static boolean isNonLoopback(NetworkInterface ni) { + return !ni.isLoopback() && ni.isUp(); + } +} diff --git a/src/addons/op-monitoring/src/test/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringBufferTest.java b/src/addons/op-monitoring/src/test/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringBufferTest.java index 3bc60a6948..a52cb5cd26 100644 --- a/src/addons/op-monitoring/src/test/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringBufferTest.java +++ b/src/addons/op-monitoring/src/test/java/ee/ria/xroad/proxy/opmonitoring/OpMonitoringBufferTest.java 
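Review bot: `getIpAddress()` caches only a successful lookup: when no suitable interface or address is found, the catch block returns `"0.0.0.0"` without assigning `ipAddress`, so every later call enumerates the interfaces again and logs an error with a stack trace. `OpMonitoringBuffer.store()` calls it once per record, so on a host in that state each proxied message pays the lookup and adds another error entry to the log. Remembering the failure for a retry interval, or assigning the fallback in the catch block (`ipAddress = "0.0.0.0";`) if a later recovery is not needed, would bound both.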
@@ -26,52 +26,177 @@ package ee.ria.xroad.proxy.opmonitoring; import ee.ria.xroad.common.opmonitoring.OpMonitoringData; +import ee.ria.xroad.common.opmonitoring.StoreOpMonitoringDataResponse; +import com.fasterxml.jackson.databind.ObjectMapper; +import lombok.SneakyThrows; +import lombok.extern.slf4j.Slf4j; +import org.apache.commons.io.IOUtils; +import org.apache.commons.lang3.RandomUtils; +import org.apache.http.Header; +import org.apache.http.client.methods.CloseableHttpResponse; +import org.apache.http.client.methods.HttpRequestBase; import org.apache.http.impl.client.CloseableHttpClient; -import org.junit.Test; +import org.apache.http.protocol.HttpContext; +import org.awaitility.Awaitility; +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.Mock; +import org.mockito.junit.jupiter.MockitoExtension; -import static org.junit.Assert.assertEquals; +import java.time.Duration; +import java.util.concurrent.ExecutorService; +import java.util.concurrent.Executors; +import java.util.concurrent.atomic.AtomicInteger; +import java.util.stream.IntStream; + +import static java.nio.charset.StandardCharsets.UTF_8; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.Mockito.RETURNS_DEEP_STUBS; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; /** * Tests operational monitoring buffer. 
*/ -public class OpMonitoringBufferTest { +@Slf4j +@ExtendWith(MockitoExtension.class) +class OpMonitoringBufferTest { + private final ObjectMapper objectMapper = new ObjectMapper(); + + @Mock + private CloseableHttpClient httpClient; - private static class TestOpMonitoringBuffer extends OpMonitoringBuffer { + private class TestOpMonitoringBuffer extends OpMonitoringBuffer { TestOpMonitoringBuffer() throws Exception { super(); } @Override - CloseableHttpClient createHttpClient() throws Exception { - return null; + OpMonitoringDaemonSender createSender() throws Exception { + return new OpMonitoringDaemonSender(this) { + @Override + CloseableHttpClient createHttpClient() { + return httpClient; + } + }; } @Override - OpMonitoringDaemonSender createSender() { - return null; + OpMonitoringDataProcessor createDataProcessor() { + return new TestOpMonitoringDataProcessor(); } + } + private static class TestOpMonitoringDataProcessor extends OpMonitoringDataProcessor { @Override - public synchronized void store(OpMonitoringData data) throws Exception { - buffer.put(getNextBufferIndex(), data); + String getIpAddress() { + return "127.0.0.1"; } } + @AfterEach + void cleanUp() { + System.clearProperty("xroad.op-monitor-buffer.size"); + } + @Test - public void bufferOverflow() throws Exception { - System.setProperty("xroad.op-monitor-buffer.size", "2"); + void bufferSaturatesUnderLoad() throws Exception { + final ExecutorService executorService = Executors.newFixedThreadPool(80); + + when(httpClient.execute(any(HttpRequestBase.class), any(HttpContext.class))).thenAnswer(invocation -> { + doSleep(20, 80); + + CloseableHttpResponse response = mock(CloseableHttpResponse.class, RETURNS_DEEP_STUBS); + when(response.getStatusLine().getStatusCode()).thenReturn(200); + when(response.getAllHeaders()).thenReturn(new Header[0]); + + when(response.getEntity().getContent()) + .thenReturn(IOUtils.toInputStream(objectMapper.writeValueAsString(new StoreOpMonitoringDataResponse()), UTF_8)); + 
return response; + }); + System.setProperty("xroad.op-monitor-buffer.size", "10000"); final TestOpMonitoringBuffer opMonitoringBuffer = new TestOpMonitoringBuffer(); - OpMonitoringData opMonitoringData = new OpMonitoringData( + int requestCount = 30_000; + AtomicInteger processedCounter = new AtomicInteger(); + try { + IntStream.range(0, requestCount).forEach(index -> { + executorService.execute(() -> { + doSleep(0, 50); + OpMonitoringData opMonitoringData = new OpMonitoringData( + OpMonitoringData.SecurityServerType.CLIENT, RandomUtils.nextLong()); + + try { + opMonitoringBuffer.store(opMonitoringData); + processedCounter.incrementAndGet(); + } catch (Exception e) { + throw new RuntimeException(e); + } + + if (index % 10000 == 0) { + log.info("Current execution {}+", index); + } + }); + + }); + + Awaitility.await() + .atMost(Duration.ofSeconds(120)) + .pollDelay(Duration.ofSeconds(1)) + .untilAsserted(() -> { + assertEquals(requestCount, processedCounter.get()); + assertEquals(0, opMonitoringBuffer.getCurrentBufferSize()); + }); + } finally { + executorService.shutdownNow(); + } + } + + @Test + void bufferOverflow() throws Exception { + + System.setProperty("xroad.op-monitor-buffer.size", "2"); + + final TestOpMonitoringBuffer opMonitoringBuffer = new TestOpMonitoringBuffer() { + @Override + OpMonitoringDaemonSender createSender() throws Exception { + var mockedSender = mock(OpMonitoringDaemonSender.class); + when(mockedSender.isReady()).thenReturn(false); + return mockedSender; + } + }; + OpMonitoringData opMonitoringData1 = new OpMonitoringData( OpMonitoringData.SecurityServerType.CLIENT, 100); + OpMonitoringData opMonitoringData2 = new OpMonitoringData( + OpMonitoringData.SecurityServerType.CLIENT, 200); + OpMonitoringData opMonitoringData3 = new OpMonitoringData( + OpMonitoringData.SecurityServerType.CLIENT, 300); + + opMonitoringBuffer.store(opMonitoringData1); + opMonitoringBuffer.store(opMonitoringData2); + opMonitoringBuffer.store(opMonitoringData3); - 
opMonitoringBuffer.store(opMonitoringData); - opMonitoringBuffer.store(opMonitoringData); - opMonitoringBuffer.store(opMonitoringData); + Awaitility.await() + .atMost(Duration.ofSeconds(20)) + .pollDelay(Duration.ofSeconds(1)) + .untilAsserted(() -> { + assertEquals(2, opMonitoringBuffer.buffer.size()); + assertFalse(opMonitoringBuffer.buffer.contains(opMonitoringData1)); + assertTrue(opMonitoringBuffer.buffer.contains(opMonitoringData2)); + assertTrue(opMonitoringBuffer.buffer.contains(opMonitoringData3)); + }); + +// + } - assertEquals(2, opMonitoringBuffer.buffer.size()); - assertEquals(true, opMonitoringBuffer.buffer.containsKey(2L)); - assertEquals(true, opMonitoringBuffer.buffer.containsKey(3L)); + @SneakyThrows + private void doSleep(long min, long max) { + var sleep = RandomUtils.nextLong(min, max); + Thread.sleep(sleep); } } diff --git a/src/addons/op-monitoring/src/test/resources/logback.xml b/src/addons/op-monitoring/src/test/resources/logback.xml new file mode 100644 index 0000000000..68f8202838 --- /dev/null +++ b/src/addons/op-monitoring/src/test/resources/logback.xml @@ -0,0 +1,16 @@ + + + + + + %d{"yyyy-MM-dd'T'HH:mm:ss.SSSXXX", UTC} %-5level [%thread] %logger{36} - %msg%n + UTF-8 + + + + + + + + + From d113c9896b2fb7ee6c5c0b27705cf761666ad570 Mon Sep 17 00:00:00 2001 
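Review bot: In `bufferSaturatesUnderLoad`, an exception from `opMonitoringBuffer.store(...)` is rethrown as a `RuntimeException` inside a task handed to `executorService.execute`, so it only reaches the worker thread's uncaught-exception handler. The test then fails up to 120 seconds later with a counter mismatch that hides the cause. Record the first failure instead, for example `failure.compareAndSet(null, e);` on an `AtomicReference<Throwable> failure`, and check it alongside the counters so a failed run reports the real error. With 30 000 tasks that each sleep up to 50 ms and a mocked HTTP delay of 20–80 ms, the test is also slow and timing-dependent for a unit suite, so a smaller request count would be worth considering. The empty `//` line left at the end of `bufferOverflow` can be removed.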
From: Ovidijus Narkevicius Date: Fri, 6 Oct 2023 16:51:05 +0300 Subject: [PATCH 111/127] refactor: from akka to gRPC, environmental monitoring Closes XRDDEV-2486 --- .../AsicContainerClientRequestProcessor.java | 2 +- .../MetadataClientRequestProcessor.java | 2 +- .../monitoring/DefaultMonitorAgentImpl.java | 79 ---------- .../xroad/common/monitoring/FaultInfo.java | 41 ------ .../common/monitoring/SuccessfulMessage.java | 42 ------ src/proxy/build.gradle | 21 +++ .../java/ee/ria/xroad/proxy/ProxyMain.java | 17 +-- .../AbstractClientProxyHandler.java | 4 +- .../clientproxy/ClientMessageProcessor.java | 6 +- .../ClientRestMessageProcessor.java | 4 +- .../proxy/messagelog/NullLogManager.java | 2 +- .../monotoring/DefaultMonitorAgentImpl.java | 111 ++++++++++++++ .../xroad/proxy/monotoring}/MessageInfo.java | 2 +- .../xroad/proxy/monotoring/MessageMapper.java | 135 ++++++++++++++++++ .../xroad/proxy/monotoring}/MonitorAgent.java | 40 +++--- .../monotoring}/MonitorAgentProvider.java | 2 +- .../xroad/proxy/monotoring/Shutdownable.java} | 15 +- .../serverproxy/ServerMessageProcessor.java | 6 +- .../proxy/serverproxy/ServerProxyHandler.java | 4 +- .../ServerRestMessageProcessor.java | 6 +- .../proxy/util/MessageProcessorBase.java | 2 +- .../src/main/proto/monitor_service.proto | 98 +++++++++++++ .../MonitorAgentMessageTestCase.java | 5 +- .../testsuite/TestSuiteMonitorAgent.java | 4 +- .../MonitorAgentServerProxyFailed.java | 4 +- .../testcases/ServiceConnectionRefused.java | 4 +- ...100-ss-jmx.feature => 2000-ss-jmx.feature} | 2 +- 27 files changed, 425 insertions(+), 235 deletions(-) delete mode 100644 src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/DefaultMonitorAgentImpl.java delete mode 100644 src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/FaultInfo.java delete mode 100644 src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/SuccessfulMessage.java create mode 100644 
src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/DefaultMonitorAgentImpl.java rename src/{common/common-util/src/main/java/ee/ria/xroad/common/monitoring => proxy/src/main/java/ee/ria/xroad/proxy/monotoring}/MessageInfo.java (98%) create mode 100644 src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MessageMapper.java rename src/{common/common-util/src/main/java/ee/ria/xroad/common/monitoring => proxy/src/main/java/ee/ria/xroad/proxy/monotoring}/MonitorAgent.java (77%) rename src/{common/common-util/src/main/java/ee/ria/xroad/common/monitoring => proxy/src/main/java/ee/ria/xroad/proxy/monotoring}/MonitorAgentProvider.java (98%) rename src/{common/common-util/src/main/java/ee/ria/xroad/common/monitoring/ServerProxyFailed.java => proxy/src/main/java/ee/ria/xroad/proxy/monotoring/Shutdownable.java} (84%) create mode 100644 src/proxy/src/main/proto/monitor_service.proto rename src/security-server/system-test/src/intTest/resources/behavior/02-addons/{1100-ss-jmx.feature => 2000-ss-jmx.feature} (94%) diff --git a/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/clientproxy/AsicContainerClientRequestProcessor.java b/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/clientproxy/AsicContainerClientRequestProcessor.java index ec6feea241..bc2031d4db 100644 --- a/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/clientproxy/AsicContainerClientRequestProcessor.java +++ b/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/clientproxy/AsicContainerClientRequestProcessor.java 
@@ -45,12 +45,12 @@ import ee.ria.xroad.common.messagelog.archive.EncryptionConfigProvider; import ee.ria.xroad.common.messagelog.archive.GPGOutputStream; import ee.ria.xroad.common.messagelog.archive.GroupingStrategy; -import ee.ria.xroad.common.monitoring.MessageInfo; import ee.ria.xroad.common.util.HttpHeaders; import ee.ria.xroad.common.util.MimeTypes; import ee.ria.xroad.messagelog.database.MessageRecordEncryption; import ee.ria.xroad.proxy.messagelog.LogRecordManager; import ee.ria.xroad.proxy.messagelog.MessageLog; +import ee.ria.xroad.proxy.monotoring.MessageInfo; import ee.ria.xroad.proxy.util.MessageProcessorBase; import lombok.extern.slf4j.Slf4j; diff --git a/src/addons/metaservice/src/main/java/ee/ria/xroad/proxy/clientproxy/MetadataClientRequestProcessor.java b/src/addons/metaservice/src/main/java/ee/ria/xroad/proxy/clientproxy/MetadataClientRequestProcessor.java index ed5deb5061..8e67e49d4e 100644 --- a/src/addons/metaservice/src/main/java/ee/ria/xroad/proxy/clientproxy/MetadataClientRequestProcessor.java +++ b/src/addons/metaservice/src/main/java/ee/ria/xroad/proxy/clientproxy/MetadataClientRequestProcessor.java @@ -29,9 +29,9 @@ import ee.ria.xroad.common.metadata.ClientListType; import ee.ria.xroad.common.metadata.ClientType; import ee.ria.xroad.common.metadata.ObjectFactory; -import ee.ria.xroad.common.monitoring.MessageInfo; import ee.ria.xroad.common.util.MimeTypes; import ee.ria.xroad.common.util.MimeUtils; +import ee.ria.xroad.proxy.monotoring.MessageInfo; import ee.ria.xroad.proxy.util.MessageProcessorBase; import com.fasterxml.jackson.annotation.JsonInclude; diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/DefaultMonitorAgentImpl.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/DefaultMonitorAgentImpl.java deleted file mode 100644 index bffaea22c6..0000000000 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/DefaultMonitorAgentImpl.java +++ /dev/null 
@@ -1,79 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.common.monitoring; - -import ee.ria.xroad.common.SystemProperties; - -import akka.actor.ActorRef; -import akka.actor.ActorSelection; -import akka.actor.ActorSystem; - -import java.util.Date; - -/** - * Default implementation of the monitor agent interface. - */ -public class DefaultMonitorAgentImpl implements MonitorAgentProvider { - - private final ActorSelection actor; - - /** - * Constructs a monitor agent that uses the given actor system. 
- * @param actorSystem actor system to be used by this monitor agent - */ - public DefaultMonitorAgentImpl(ActorSystem actorSystem) { - String actorName = getActorName(); - actor = actorName != null - ? actorSystem.actorSelection(actorName) - : null; - } - - @Override - public void success(MessageInfo messageInfo, Date startTime, Date endTime) { - tell(new SuccessfulMessage(messageInfo, startTime, endTime)); - } - - @Override - public void serverProxyFailed(MessageInfo messageInfo) { - tell(new ServerProxyFailed(messageInfo)); - } - - @Override - public void failure(MessageInfo messageInfo, String faultCode, - String faultMessage) { - tell(new FaultInfo(messageInfo, faultCode, faultMessage)); - } - - private void tell(Object message) { - if (actor != null) { - actor.tell(message, ActorRef.noSender()); - } - } - - private static String getActorName() { - return System.getProperty(SystemProperties.MONITORING_AGENT_URI); - } -} diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/FaultInfo.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/FaultInfo.java deleted file mode 100644 index bd1b73d8da..0000000000 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/FaultInfo.java +++ /dev/null 
@@ -1,41 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.common.monitoring; - -import lombok.Data; - -import java.io.Serializable; - -/** - * Information about fault in proxy. - */ -@Data -public final class FaultInfo implements Serializable { - - private final MessageInfo message; - private final String faultCode; - private final String faultMessage; -} 
diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/SuccessfulMessage.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/SuccessfulMessage.java deleted file mode 100644 index 9a87170c0b..0000000000 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/SuccessfulMessage.java +++ /dev/null 
@@ -1,42 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.common.monitoring; - -import lombok.Data; - -import java.io.Serializable; -import java.util.Date; - -/** - * Serizalizable message denoting successful message exchange. - */ -@Data -public class SuccessfulMessage implements Serializable { - - private final MessageInfo message; - private final Date startTime; - private final Date endTime; -} diff --git a/src/proxy/build.gradle b/src/proxy/build.gradle index 7f66fafc36..9f5d32f4da 100644 --- a/src/proxy/build.gradle 
+++ b/src/proxy/build.gradle @@ -2,9 +2,17 @@ import nl.javadude.gradle.plugins.license.License plugins { id 'com.github.johnrengelman.shadow' + id 'com.google.protobuf' } sourceSets { + main { + java.srcDirs = [ + 'src/main/java' + , 'build/generated-sources' + , 'build/generated/source/proto/main/grpc' + , 'build/generated/source/proto/main/java'] + } intTest { resources { srcDir '../common/common-int-test/src/main/resources/' @@ -19,6 +27,7 @@ dependencies { implementation project(':signer-protocol') implementation project(':common:common-messagelog') implementation project(':common:common-op-monitoring') + implementation project(':common:common-rpc') implementation "org.eclipse.jetty:jetty-xml:$jettyVersion" implementation "xerces:xercesImpl:$xercesVersion" @@ -56,6 +65,18 @@ shadowJar { mergeServiceFiles() } +protobuf { + protoc { artifact = "com.google.protobuf:protoc:$protocVersion" } + plugins { + grpc { artifact = "io.grpc:protoc-gen-grpc-java:$grpcVersion" } + } + generateProtoTasks { + all()*.plugins { grpc {} } + } +} + +compileJava.dependsOn generateProto + testJar.enabled = true assemble.finalizedBy shadowJar diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java index ec35fb0efd..9433829493 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java @@ -43,7 +43,6 @@ import ee.ria.xroad.common.messagelog.MessageLogProperties; import ee.ria.xroad.common.messagelog.archive.EncryptionConfigProvider; import ee.ria.xroad.common.messagelog.archive.GroupingStrategy; -import ee.ria.xroad.common.monitoring.MonitorAgent; import ee.ria.xroad.common.signature.BatchSigner; import ee.ria.xroad.common.util.AdminPort; import ee.ria.xroad.common.util.JobManager; 
@@ -53,23 +52,19 @@ import ee.ria.xroad.proxy.addon.AddOn; import ee.ria.xroad.proxy.clientproxy.ClientProxy; import ee.ria.xroad.proxy.messagelog.MessageLog; +import ee.ria.xroad.proxy.monotoring.MonitorAgent; import ee.ria.xroad.proxy.opmonitoring.OpMonitoring; import ee.ria.xroad.proxy.serverproxy.ServerProxy; import ee.ria.xroad.proxy.util.CertHashBasedOcspResponder; import ee.ria.xroad.proxy.util.ServerConfStatsLogger; import ee.ria.xroad.signer.protocol.RpcSignerClient; -import akka.actor.ActorSystem; -import com.typesafe.config.ConfigFactory; -import com.typesafe.config.ConfigValueFactory; import io.grpc.BindableService; import lombok.AccessLevel; import lombok.NoArgsConstructor; import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; import org.niis.xroad.common.rpc.server.RpcServer; -import scala.concurrent.Await; -import scala.concurrent.duration.Duration; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -119,7 +114,7 @@ public final class ProxyMain { private static RpcServer rpcServer; - private static ActorSystem actorSystem; + //private static ActorSystem actorSystem; private static final ServiceLoader ADDONS = ServiceLoader.load(AddOn.class); @@ -185,10 +180,6 @@ private static void stopServices() throws Exception { private static void startup() { log.trace("startup()"); Version.outputVersionInfo(APP_NAME); - actorSystem = ActorSystem.create("Proxy", ConfigFactory.load().getConfig("proxy") - .withFallback(ConfigFactory.load()) - .withValue("akka.remote.artery.canonical.port", - ConfigValueFactory.fromAnyRef(PortNumbers.PROXY_ACTORSYSTEM_PORT))); log.info("Starting proxy ({})...", readProxyVersion()); } 
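Review bot: The `@@ -119,7 +114,7 @@` hunk leaves `//private static ActorSystem actorSystem;` behind as commented-out code. The Akka imports and the `ActorSystem.create(...)` call in `startup()` are removed in the same commit, so nothing can refer to the field any more. Delete the line rather than commenting it out; version control keeps the history.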
@@ -197,17 +188,17 @@ private static void shutdown() throws Exception { MessageLog.shutdown(); OpMonitoring.shutdown(); stopServices(); - Await.ready(actorSystem.terminate(), Duration.Inf()); BatchSigner.shutdown(); rpcServer.stop(); + MonitorAgent.shutdown(); RpcSignerClient.shutdown(); } private static void createServices() throws Exception { JobManager jobManager = new JobManager(); - MonitorAgent.init(actorSystem); + MonitorAgent.init(); RpcSignerClient.init(); BatchSigner.init(); boolean messageLogEnabled = MessageLog.init(jobManager); diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/AbstractClientProxyHandler.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/AbstractClientProxyHandler.java index 41ef75326c..ae59c4a8c4 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/AbstractClientProxyHandler.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/AbstractClientProxyHandler.java @@ -29,11 +29,11 @@ import ee.ria.xroad.common.CodedExceptionWithHttpStatus; import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.conf.serverconf.IsAuthenticationData; -import ee.ria.xroad.common.monitoring.MessageInfo; -import ee.ria.xroad.common.monitoring.MonitorAgent; import ee.ria.xroad.common.opmonitoring.OpMonitoringData; import ee.ria.xroad.common.util.HandlerBase; import ee.ria.xroad.common.util.PerformanceLogger; +import ee.ria.xroad.proxy.monotoring.MessageInfo; +import ee.ria.xroad.proxy.monotoring.MonitorAgent; import ee.ria.xroad.proxy.opmonitoring.OpMonitoring; import ee.ria.xroad.proxy.util.MessageProcessorBase; diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/ClientMessageProcessor.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/ClientMessageProcessor.java index d9d5f5f71d..b48039a388 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/ClientMessageProcessor.java 
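Review bot: In `shutdown()`, the new `MonitorAgent.shutdown()` call sits in a straight sequence after `stopServices()`, `BatchSigner.shutdown()` and `rpcServer.stop()`, so an exception from any of those skips it and `RpcSignerClient.shutdown()` as well. Whether those calls actually throw is not visible in this hunk, but the method is declared `throws Exception`, so the monitor agent's RPC client may be left open on a failed shutdown. Consider guarding the client shutdowns, e.g. `try { rpcServer.stop(); } finally { MonitorAgent.shutdown(); }`, or catching and logging per step so every resource gets its turn. The start of `shutdown()` and the rest of `createServices()` lie outside the hunk.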
+++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/ClientMessageProcessor.java @@ -37,14 +37,14 @@ import ee.ria.xroad.common.message.SoapMessageDecoder; import ee.ria.xroad.common.message.SoapMessageImpl; import ee.ria.xroad.common.message.SoapUtils; -import ee.ria.xroad.common.monitoring.MessageInfo; -import ee.ria.xroad.common.monitoring.MessageInfo.Origin; -import ee.ria.xroad.common.monitoring.MonitorAgent; import ee.ria.xroad.common.opmonitoring.OpMonitoringData; import ee.ria.xroad.common.util.HttpSender; import ee.ria.xroad.common.util.MimeUtils; import ee.ria.xroad.proxy.conf.KeyConf; import ee.ria.xroad.proxy.messagelog.MessageLog; +import ee.ria.xroad.proxy.monotoring.MessageInfo; +import ee.ria.xroad.proxy.monotoring.MessageInfo.Origin; +import ee.ria.xroad.proxy.monotoring.MonitorAgent; import ee.ria.xroad.proxy.protocol.ProxyMessage; import ee.ria.xroad.proxy.protocol.ProxyMessageDecoder; import ee.ria.xroad.proxy.protocol.ProxyMessageEncoder; diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/ClientRestMessageProcessor.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/ClientRestMessageProcessor.java index 45961e455f..61310fd933 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/ClientRestMessageProcessor.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/ClientRestMessageProcessor.java @@ -33,8 +33,6 @@ import ee.ria.xroad.common.identifier.ServiceId; import ee.ria.xroad.common.message.RestRequest; import ee.ria.xroad.common.message.RestResponse; -import ee.ria.xroad.common.monitoring.MessageInfo; -import ee.ria.xroad.common.monitoring.MonitorAgent; import ee.ria.xroad.common.opmonitoring.OpMonitoringData; import ee.ria.xroad.common.util.CachingStream; import ee.ria.xroad.common.util.CryptoUtils; 
@@ -42,6 +40,8 @@ import ee.ria.xroad.common.util.MimeUtils; import ee.ria.xroad.proxy.conf.KeyConf; import ee.ria.xroad.proxy.messagelog.MessageLog; +import ee.ria.xroad.proxy.monotoring.MessageInfo; +import ee.ria.xroad.proxy.monotoring.MonitorAgent; import ee.ria.xroad.proxy.protocol.ProxyMessage; import ee.ria.xroad.proxy.protocol.ProxyMessageDecoder; import ee.ria.xroad.proxy.protocol.ProxyMessageEncoder; diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/messagelog/NullLogManager.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/messagelog/NullLogManager.java index c9a0d0ae88..aec4b58f8d 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/messagelog/NullLogManager.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/messagelog/NullLogManager.java @@ -48,7 +48,7 @@ public void log(LogMessage message) { // do nothing } - @Override + @Override public TimestampRecord timestamp(Long messageRecordId) { return null; } diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/DefaultMonitorAgentImpl.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/DefaultMonitorAgentImpl.java new file mode 100644 index 0000000000..a8851f2737 --- /dev/null +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/DefaultMonitorAgentImpl.java 
@@ -0,0 +1,111 @@ +/* + * The MIT License + * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ +package ee.ria.xroad.proxy.monotoring; + +import ee.ria.xroad.proxy.monitoring.MonitorServiceGrpc; +import ee.ria.xroad.proxy.monitoring.Void; + +import io.grpc.Channel; +import io.grpc.stub.StreamObserver; +import lombok.Getter; +import org.niis.xroad.common.rpc.client.RpcClient; + +import java.util.Date; + +/** + * Default implementation of the monitor agent interface. 
+ */ +public class DefaultMonitorAgentImpl implements MonitorAgentProvider, Shutdownable { + + private static final StreamObserver NOOP_OBSERVER = new StreamObserver<>() { + @Override + public void onNext(Void value) { + } + + @Override + public void onError(Throwable t) { + } + + @Override + public void onCompleted() { + } + }; + + private final RpcClient rpcClient; + + /** + * Construct agent for accessing monitoring agent using the provided channel. + */ + public DefaultMonitorAgentImpl(final RpcClient client) { + this.rpcClient = client; + } + + @Override + public void success(MessageInfo messageInfo, Date startTime, Date endTime) { + call(ctx -> ctx.getMonitorServiceStub().success( + MessageMapper.successfulMessage(messageInfo, startTime, endTime), + NOOP_OBSERVER)); + } + + @Override + public void serverProxyFailed(MessageInfo messageInfo) { + call(ctx -> ctx.getMonitorServiceStub().serverProxyFailed( + MessageMapper.serverProxyFailed(messageInfo), + NOOP_OBSERVER + )); + } + + @Override + public void failure(MessageInfo messageInfo, String faultCode, String faultMessage) { + call(ctx -> ctx.getMonitorServiceStub().failure( + MessageMapper.faultInfo(messageInfo, faultCode, faultMessage), + NOOP_OBSERVER + )); + } + + private void call(final RpcClient.AsyncRpcExecution grpcCall) { + if (rpcClient != null) { + rpcClient.executeAsync(grpcCall); + } + } + + + @Override + public void shutdown() { + if (rpcClient != null) { + rpcClient.shutdown(); + } + } + + @Getter + public static class RpcMonitorAgentContext implements RpcClient.ExecutionContext { + private final MonitorServiceGrpc.MonitorServiceStub monitorServiceStub; + + RpcMonitorAgentContext(Channel channel) { + monitorServiceStub = MonitorServiceGrpc.newStub(channel).withWaitForReady(); + } + } +} 
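Review bot: `NOOP_OBSERVER.onError` discards every RPC failure, so when the monitor service is down or rejects calls, the `success`, `serverProxyFailed` and `failure` events are lost with no trace in the proxy log. That leaves a gap exactly when fault reporting matters; add `@Slf4j` to the class and log in the callback, e.g. `log.warn("Monitor agent call failed", t);`. The stub in `RpcMonitorAgentContext` is also built with `withWaitForReady()` and no deadline is visible here, so each fire-and-forget call may stay queued while the service is unreachable. Unless `RpcClient` already applies one, set a per-call deadline such as `ctx.getMonitorServiceStub().withDeadlineAfter(...)`. The constructor Javadoc still says "using the provided channel" although the parameter is an `RpcClient`, and the package name `monotoring` looks like a misspelling of `monitoring`.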
diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/MessageInfo.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MessageInfo.java similarity index 98% rename from src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/MessageInfo.java rename to src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MessageInfo.java index 99f29ac3a8..8a119a195f 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/MessageInfo.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MessageInfo.java @@ -23,7 +23,7 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ -package ee.ria.xroad.common.monitoring; +package ee.ria.xroad.proxy.monotoring; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.identifier.ServiceId; diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MessageMapper.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MessageMapper.java new file mode 100644 index 0000000000..14bb0bdeac --- /dev/null +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MessageMapper.java 
@@ -0,0 +1,135 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package ee.ria.xroad.proxy.monotoring;
+
+import ee.ria.xroad.common.identifier.ClientId;
+import ee.ria.xroad.common.identifier.ServiceId;
+import ee.ria.xroad.proxy.monitoring.ClientIdProto;
+import ee.ria.xroad.proxy.monitoring.FaultInfo;
+import ee.ria.xroad.proxy.monitoring.MessageInfoProto;
+import ee.ria.xroad.proxy.monitoring.Origin;
+import ee.ria.xroad.proxy.monitoring.ServerProxyFailed;
+import ee.ria.xroad.proxy.monitoring.ServiceIdProto;
+import ee.ria.xroad.proxy.monitoring.SuccessfulMessage;
+import ee.ria.xroad.proxy.monitoring.XRoadObjectType;
+
+import org.apache.commons.lang3.StringUtils;
+
+import java.util.Date;
+
+public final class MessageMapper {
+
+ private MessageMapper() {
+ }
+
+ public static SuccessfulMessage successfulMessage(MessageInfo messageInfo, Date startTime, Date endTime) {
+ var builder = SuccessfulMessage.newBuilder()
+ .setDateStartTime(startTime.getTime())
+ .setDateEndTime(endTime.getTime());
+
+ if (messageInfo != null) {
+ builder = builder.setMessage(mapMessage(messageInfo));
+ }
+ return builder
+ .build();
+ }
+
+ public static FaultInfo faultInfo(MessageInfo messageInfo, String faultCode, String faultMessage) {
+ var builder = FaultInfo.newBuilder();
+
+ if (messageInfo != null) {
+ builder = builder.setMessage(mapMessage(messageInfo));
+ }
+ if (faultCode != null) {
+ builder = builder.setFaultCode(faultCode);
+ }
+ if (faultMessage != null) {
+ builder = builder.setFaultMessage(faultMessage);
+ }
+ return builder
+ .build();
+ }
+
+ public static ServerProxyFailed serverProxyFailed(MessageInfo messageInfo) {
+ var builder = ServerProxyFailed.newBuilder();
+
+ if (messageInfo != null) {
+ builder = builder.setMessage(mapMessage(messageInfo));
+ }
+ return builder
+ .build();
+ }
+
+ private static MessageInfoProto mapMessage(MessageInfo messageInfo) {
+ var builder = MessageInfoProto.newBuilder()
+ .setOrigin(Origin.valueOf(messageInfo.getOrigin().name()))
+ .setService(mapServiceId(messageInfo.getService()))
+ .setClient(mapClientId(messageInfo.getClient()));
+
+
+ if (StringUtils.isNotEmpty(messageInfo.getUserId())) {
+ builder = builder.setUserId(messageInfo.getUserId());
+ }
+
+ if (StringUtils.isNotEmpty(messageInfo.getQueryId())) {
+ builder = builder.setQueryId(messageInfo.getQueryId());
+ }
+
+ return builder.build();
+ }
+
+ private static ClientIdProto mapClientId(ClientId clientId) {
+ var builder = ClientIdProto.newBuilder()
+ .setXroadInstance(clientId.getXRoadInstance())
+ .setMemberClass(clientId.getMemberClass())
+ .setMemberCode(clientId.getMemberCode())
+ .setObjectType(XRoadObjectType.valueOf(clientId.getObjectType().name()));
+
+ if (StringUtils.isNotEmpty(clientId.getSubsystemCode())) {
+ builder = builder.setSubsystemCode(clientId.getSubsystemCode());
+ }
+
+ return builder.build();
+ }
+
+ private static ServiceIdProto mapServiceId(ServiceId serviceId) {
+ var builder = ServiceIdProto.newBuilder()
+ .setXroadInstance(serviceId.getXRoadInstance())
+ .setMemberClass(serviceId.getMemberClass())
+ .setMemberCode(serviceId.getMemberCode())
+ .setServiceCode(serviceId.getServiceCode());
+
+ if (serviceId.getSubsystemCode() != null) {
+ builder = builder.setSubsystemCode(serviceId.getSubsystemCode());
+ }
+
+ if (serviceId.getServiceVersion() != null) {
+ builder = builder.setServiceVersion(serviceId.getServiceVersion());
+ }
+
+ return builder.build();
+ }
+}
diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/MonitorAgent.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MonitorAgent.java
similarity index 77%
rename from src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/MonitorAgent.java
rename to src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MonitorAgent.java
index 7d884aff91..cca988e9aa 100644
--- a/src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/MonitorAgent.java
+++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MonitorAgent.java
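Review bot: `mapMessage` passes `messageInfo.getService()` and `messageInfo.getClient()` straight into `mapServiceId`/`mapClientId`, which dereference them, while `userId`, `queryId` and the top-level `messageInfo` are all guarded. `MessageInfo` itself is not shown in this patch, so whether a partially parsed request can yield one with a null client or service is an assumption to confirm, but `faultInfo` is called on failure paths where that seems plausible. A null there (or an origin/object-type name the generated enum lacks, via `valueOf`) would throw inside the monitoring call instead of reporting the fault. I would guard both the same way as the optional fields, e.g. `if (messageInfo.getService() != null) { builder.setService(mapServiceId(messageInfo.getService())); }`, and add a short Javadoc on the class stating which fields may be absent.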
@@ -23,13 +23,17 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ -package ee.ria.xroad.common.monitoring; +package ee.ria.xroad.proxy.monotoring; -import akka.actor.ActorSystem; import lombok.extern.slf4j.Slf4j; +import org.niis.xroad.common.rpc.client.RpcClient; import java.util.Date; +import static ee.ria.xroad.common.SystemProperties.getGrpcInternalHost; +import static ee.ria.xroad.common.SystemProperties.getProxyGrpcPort; +import static ee.ria.xroad.common.SystemProperties.getSignerClientTimeout; + /** * This class encapsulates monitoring agent that can receive * monitoring information. 
@@ -42,22 +46,24 @@ public final class MonitorAgent { private MonitorAgent() { } - /** - * Initialize the MonitorAgent with given ActorSystem. - * This method must be called before any other methods in this class. - * @param actorSystem actor system to be used by this monitoring agent - */ - public static void init(ActorSystem actorSystem) { - monitorAgentImpl = new DefaultMonitorAgentImpl(actorSystem); + public static void init() throws Exception { + init(getGrpcInternalHost(), getProxyGrpcPort(), getSignerClientTimeout()); } - /** - * Initialize the MonitorAgent with given implementation. - * This method must be called before any other methods in this class. - * @param implementation monitor agent implementation to be used by this monitoring agent - */ - public static void init(MonitorAgentProvider implementation) { - MonitorAgent.monitorAgentImpl = implementation; + public static void init(String host, int port, int clientTimeoutMillis) throws Exception { + var client = RpcClient.newClient(host, port, clientTimeoutMillis, DefaultMonitorAgentImpl.RpcMonitorAgentContext::new); + init(new DefaultMonitorAgentImpl(client)); + } + + public static void init(final MonitorAgentProvider monitorAgent) throws Exception { + monitorAgentImpl = monitorAgent; + } + + + public static void shutdown() { + if (monitorAgentImpl instanceof Shutdownable) { + ((Shutdownable) monitorAgentImpl).shutdown(); + } } /** @@ -67,7 +73,7 @@ public static void init(MonitorAgentProvider implementation) { * @param endTime Time of end of the processing. */ public static void success(MessageInfo messageInfo, Date startTime, - Date endTime) { + Date endTime) { try { if (monitorAgentImpl != null) { monitorAgentImpl.success(messageInfo, startTime, endTime); 
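Review bot: The new `shutdown()` calls the provider's `shutdown()` but leaves the static `monitorAgentImpl` assigned, so `success`/`failure` calls arriving afterwards are still forwarded to a client that has been shut down, and a provider that is not `Shutdownable` is never detached at all. The test change in MonitorAgentMessageTestCase (`MonitorAgent.shutdown(); // deinitialize`) relies on the null-reset that the removed `init(null)` call used to give. Adding `monitorAgentImpl = null;` as the last statement of `shutdown()` restores it. The three `init` overloads also lost their Javadoc and replace an existing provider without shutting it down; a one-line comment on each saying it must be called once before any other method would help. The class body continues outside these hunks.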
diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/MonitorAgentProvider.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MonitorAgentProvider.java similarity index 98% rename from src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/MonitorAgentProvider.java rename to src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MonitorAgentProvider.java index c025ab2f5e..5d86dbffe8 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/MonitorAgentProvider.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MonitorAgentProvider.java @@ -23,7 +23,7 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ -package ee.ria.xroad.common.monitoring; +package ee.ria.xroad.proxy.monotoring; import java.util.Date; diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/ServerProxyFailed.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/Shutdownable.java similarity index 84% rename from src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/ServerProxyFailed.java rename to src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/Shutdownable.java index 2af0882b60..d90728416e 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/monitoring/ServerProxyFailed.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/Shutdownable.java @@ -23,17 +23,8 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ -package ee.ria.xroad.common.monitoring; +package ee.ria.xroad.proxy.monotoring; -import lombok.Data; - -import java.io.Serializable; - -/** - * Serializable message denoting server proxy failure. - */ -@Data -public class ServerProxyFailed implements Serializable { - - private final MessageInfo message; +public interface Shutdownable { + void shutdown(); } 
diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerMessageProcessor.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerMessageProcessor.java index 412d808f21..e06bbc6085 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerMessageProcessor.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerMessageProcessor.java @@ -43,15 +43,15 @@ import ee.ria.xroad.common.message.SoapMessageDecoder; import ee.ria.xroad.common.message.SoapMessageImpl; import ee.ria.xroad.common.message.SoapUtils; -import ee.ria.xroad.common.monitoring.MessageInfo; -import ee.ria.xroad.common.monitoring.MessageInfo.Origin; -import ee.ria.xroad.common.monitoring.MonitorAgent; import ee.ria.xroad.common.opmonitoring.OpMonitoringData; import ee.ria.xroad.common.util.HttpSender; import ee.ria.xroad.common.util.TimeUtils; import ee.ria.xroad.proxy.conf.KeyConf; import ee.ria.xroad.proxy.conf.SigningCtx; import ee.ria.xroad.proxy.messagelog.MessageLog; +import ee.ria.xroad.proxy.monotoring.MessageInfo; +import ee.ria.xroad.proxy.monotoring.MessageInfo.Origin; +import ee.ria.xroad.proxy.monotoring.MonitorAgent; import ee.ria.xroad.proxy.protocol.ProxyMessage; import ee.ria.xroad.proxy.protocol.ProxyMessageDecoder; import ee.ria.xroad.proxy.protocol.ProxyMessageEncoder; diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerProxyHandler.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerProxyHandler.java index b92f70855c..2e51688bf8 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerProxyHandler.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerProxyHandler.java 
@@ -28,11 +28,11 @@ import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.conf.globalconf.GlobalConf; -import ee.ria.xroad.common.monitoring.MessageInfo; -import ee.ria.xroad.common.monitoring.MonitorAgent; import ee.ria.xroad.common.opmonitoring.OpMonitoringData; import ee.ria.xroad.common.util.HandlerBase; import ee.ria.xroad.common.util.PerformanceLogger; +import ee.ria.xroad.proxy.monotoring.MessageInfo; +import ee.ria.xroad.proxy.monotoring.MonitorAgent; import ee.ria.xroad.proxy.opmonitoring.OpMonitoring; import ee.ria.xroad.proxy.util.MessageProcessorBase; diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerRestMessageProcessor.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerRestMessageProcessor.java index 09b709fdde..a9980b57b1 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerRestMessageProcessor.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerRestMessageProcessor.java @@ -39,9 +39,6 @@ import ee.ria.xroad.common.message.RestResponse; import ee.ria.xroad.common.message.SoapFault; import ee.ria.xroad.common.message.SoapUtils; -import ee.ria.xroad.common.monitoring.MessageInfo; -import ee.ria.xroad.common.monitoring.MessageInfo.Origin; -import ee.ria.xroad.common.monitoring.MonitorAgent; import ee.ria.xroad.common.opmonitoring.OpMonitoringData; import ee.ria.xroad.common.util.CachingStream; import ee.ria.xroad.common.util.CryptoUtils; @@ -49,6 +46,9 @@ import ee.ria.xroad.proxy.conf.KeyConf; import ee.ria.xroad.proxy.conf.SigningCtx; import ee.ria.xroad.proxy.messagelog.MessageLog; +import ee.ria.xroad.proxy.monotoring.MessageInfo; +import ee.ria.xroad.proxy.monotoring.MessageInfo.Origin; +import ee.ria.xroad.proxy.monotoring.MonitorAgent; import ee.ria.xroad.proxy.protocol.ProxyMessage; import ee.ria.xroad.proxy.protocol.ProxyMessageDecoder; import ee.ria.xroad.proxy.protocol.ProxyMessageEncoder; 
diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/util/MessageProcessorBase.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/util/MessageProcessorBase.java index ca7e305b12..a37f04ca3e 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/util/MessageProcessorBase.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/util/MessageProcessorBase.java @@ -32,10 +32,10 @@ import ee.ria.xroad.common.identifier.XRoadId; import ee.ria.xroad.common.message.RestRequest; import ee.ria.xroad.common.message.SoapMessageImpl; -import ee.ria.xroad.common.monitoring.MessageInfo; import ee.ria.xroad.common.opmonitoring.OpMonitoringData; import ee.ria.xroad.common.util.HttpSender; import ee.ria.xroad.common.util.MimeUtils; +import ee.ria.xroad.proxy.monotoring.MessageInfo; import lombok.extern.slf4j.Slf4j; import org.apache.http.client.HttpClient; diff --git a/src/proxy/src/main/proto/monitor_service.proto b/src/proxy/src/main/proto/monitor_service.proto new file mode 100644 index 0000000000..d69cda9e35 --- /dev/null +++ b/src/proxy/src/main/proto/monitor_service.proto 
@@ -0,0 +1,98 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+syntax = "proto3";
+
+import "google/protobuf/timestamp.proto";
+
+package ee.ria.xroad.proxy.monitoring;
+
+option java_multiple_files = true;
+
+service MonitorService {
+ rpc success(SuccessfulMessage) returns (Void) {}
+ rpc failure(FaultInfo) returns (Void) {}
+ rpc serverProxyFailed(ServerProxyFailed) returns (Void) {}
+}
+
+message Void {
+}
+
+message SuccessfulMessage {
+ optional MessageInfoProto message = 1;
+ int64 date_start_time = 2;
+ int64 date_end_time = 3;
+}
+
+message FaultInfo {
+ optional MessageInfoProto message = 1;
+ optional string faultCode = 2;
+ optional string faultMessage = 3;
+}
+
+message ServerProxyFailed {
+ optional MessageInfoProto message = 1;
+}
+
+message MessageInfoProto {
+ Origin origin = 1;
+ ClientIdProto client = 2;
+ ServiceIdProto service = 3;
+ optional string user_id = 4;
+ optional string query_id = 5;
+}
+
+enum Origin {
+ CLIENT_PROXY = 0;
+ SERVER_PROXY = 1;
+}
+
+message ServiceIdProto {
+ string member_class = 1;
+ string member_code = 2;
+ optional string subsystem_code = 3;
+ string service_code = 4;
+ optional string service_version = 5;
+
+ string xroad_instance = 6;
+}
+
+message ClientIdProto {
+ string member_class = 1;
+ string member_code = 2;
+ optional string subsystem_code = 3;
+ string xroad_instance = 4;
+ XRoadObjectType object_type = 5;
+}
+
+enum XRoadObjectType {
+ XROAD_OBJECT_TYPE_UNSPECIFIED = 0;
+ SERVER = 1;
+ SERVICE = 2;
+ MEMBER = 3;
+ SUBSYSTEM = 4;
+ GLOBALGROUP = 5;
+ LOCALGROUP = 6 [deprecated = true]; // Deprecated
+}
diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/MonitorAgentMessageTestCase.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/MonitorAgentMessageTestCase.java
index 9a09110734..4b88609001 100644
--- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/MonitorAgentMessageTestCase.java
+++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/MonitorAgentMessageTestCase.java
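Review bot: `Origin` uses `CLIENT_PROXY = 0` as its zero value, so in proto3 a `MessageInfoProto` whose origin was never set decodes as a client-proxy message; `XRoadObjectType` in the same file already reserves `XROAD_OBJECT_TYPE_UNSPECIFIED = 0` for that case. If the schema has not shipped yet, I would add `ORIGIN_UNSPECIFIED = 0;` and renumber `CLIENT_PROXY`/`SERVER_PROXY` to 1 and 2. Two smaller points in the same hunk: `import "google/protobuf/timestamp.proto";` is unused because the times are plain `int64` fields, and `faultCode`/`faultMessage` are camelCase where every other field is snake_case (`fault_code`, `fault_message`).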
@@ -25,8 +25,7 @@ */ package ee.ria.xroad.proxy.testsuite; -import ee.ria.xroad.common.monitoring.MonitorAgent; -import ee.ria.xroad.common.monitoring.MonitorAgentProvider; +import ee.ria.xroad.proxy.monotoring.MonitorAgent; /** * Monitor agent message test case. @@ -44,7 +43,7 @@ public void execute() throws Exception { monitorAgent.verifyAPICalls(); - MonitorAgent.init((MonitorAgentProvider) null); // deinitialize + MonitorAgent.shutdown(); // deinitialize } } diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/TestSuiteMonitorAgent.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/TestSuiteMonitorAgent.java index 98788c7663..7dba3d72c0 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/TestSuiteMonitorAgent.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/TestSuiteMonitorAgent.java @@ -25,8 +25,8 @@ */ package ee.ria.xroad.proxy.testsuite; -import ee.ria.xroad.common.monitoring.MessageInfo; -import ee.ria.xroad.common.monitoring.MonitorAgentProvider; +import ee.ria.xroad.proxy.monotoring.MessageInfo; +import ee.ria.xroad.proxy.monotoring.MonitorAgentProvider; import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.builder.EqualsBuilder; diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/MonitorAgentServerProxyFailed.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/MonitorAgentServerProxyFailed.java index e1abecd795..38ed1b7bc4 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/MonitorAgentServerProxyFailed.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/MonitorAgentServerProxyFailed.java 
@@ -27,8 +27,8 @@ import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.identifier.ServiceId; -import ee.ria.xroad.common.monitoring.MessageInfo; -import ee.ria.xroad.common.monitoring.MessageInfo.Origin; +import ee.ria.xroad.proxy.monotoring.MessageInfo; +import ee.ria.xroad.proxy.monotoring.MessageInfo.Origin; import ee.ria.xroad.proxy.testsuite.Message; import ee.ria.xroad.proxy.testsuite.MonitorAgentMessageTestCase; diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/ServiceConnectionRefused.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/ServiceConnectionRefused.java index 6a20f76963..2e6f588a74 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/ServiceConnectionRefused.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/ServiceConnectionRefused.java @@ -27,8 +27,8 @@ import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.identifier.ServiceId; -import ee.ria.xroad.common.monitoring.MessageInfo; -import ee.ria.xroad.common.monitoring.MessageInfo.Origin; +import ee.ria.xroad.proxy.monotoring.MessageInfo; +import ee.ria.xroad.proxy.monotoring.MessageInfo.Origin; import ee.ria.xroad.proxy.testsuite.Message; import ee.ria.xroad.proxy.testsuite.MonitorAgentMessageTestCase; diff --git a/src/security-server/system-test/src/intTest/resources/behavior/02-addons/1100-ss-jmx.feature b/src/security-server/system-test/src/intTest/resources/behavior/02-addons/2000-ss-jmx.feature similarity index 94% rename from src/security-server/system-test/src/intTest/resources/behavior/02-addons/1100-ss-jmx.feature rename to src/security-server/system-test/src/intTest/resources/behavior/02-addons/2000-ss-jmx.feature index 64f8acec16..2000cf9fbe 100644 --- a/src/security-server/system-test/src/intTest/resources/behavior/02-addons/1100-ss-jmx.feature +++ b/src/security-server/system-test/src/intTest/resources/behavior/02-addons/2000-ss-jmx.feature 
@@ -1,6 +1,6 @@ @SecurityServer @Addon -Feature: 0110 - SS: JMX monitor +Feature: 2000 - SS: JMX monitor Background: Given SecurityServer login page is open From 6a3aaaa00632698c968c39dd0adadaf4761cc65b Mon Sep 17 00:00:00 2001 From: Ovidijus Narkevicius Date: Mon, 9 Oct 2023 10:44:01 +0300 Subject: [PATCH 112/127] refactor: from akka to gRPC, environmental monitoring Sonar fixes Closes XRDDEV-2486 --- .../ee/ria/xroad/proxy/monotoring/DefaultMonitorAgentImpl.java | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/DefaultMonitorAgentImpl.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/DefaultMonitorAgentImpl.java index a8851f2737..50eb59797d 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/DefaultMonitorAgentImpl.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/DefaultMonitorAgentImpl.java @@ -43,14 +43,17 @@ public class DefaultMonitorAgentImpl implements MonitorAgentProvider, Shutdownab private static final StreamObserver NOOP_OBSERVER = new StreamObserver<>() { @Override public void onNext(Void value) { + //Noop impl, ignore item } @Override public void onError(Throwable t) { + //Noop impl, ignore error } @Override public void onCompleted() { + //Noop impl, ignore completion } }; From 2db369f5cc4f0f4d29dd1d177fdafcb466990a5c Mon Sep 17 00:00:00 2001 
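Review bot: `onError` in `NOOP_OBSERVER` still discards the `Throwable`; the added `//Noop impl, ignore error` comment documents that, but every failed monitoring RPC (server unreachable, deadline exceeded) stays invisible to operators. A low-volume log line keeps the fire-and-forget behaviour while leaving a trace, e.g. `log.debug("Monitor RPC failed", t);`, assuming the class gets a logger (none is visible in this hunk). The comment would then read `// best-effort reporting: failures are logged, never propagated`. The class body continues outside the hunk.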
From: Ovidijus Narkevicius Date: Fri, 13 Oct 2023 15:15:41 +0300 Subject: [PATCH 113/127] refactor: Remove MonitorAgent and related code Closes XRDDEV-2486 --- .../AsicContainerClientRequestProcessor.java | 6 - .../MetadataClientRequestProcessor.java | 6 - src/proxy/build.gradle | 18 -- .../java/ee/ria/xroad/proxy/ProxyMain.java | 15 +- .../AbstractClientProxyHandler.java | 13 - .../clientproxy/ClientMessageProcessor.java | 28 +-- .../ClientRestMessageProcessor.java | 28 +-- .../monotoring/DefaultMonitorAgentImpl.java | 114 --------- .../xroad/proxy/monotoring/MessageInfo.java | 52 ---- .../xroad/proxy/monotoring/MessageMapper.java | 135 ---------- .../xroad/proxy/monotoring/MonitorAgent.java | 119 --------- .../monotoring/MonitorAgentProvider.java | 59 ----- .../xroad/proxy/monotoring/Shutdownable.java | 30 --- .../serverproxy/ServerMessageProcessor.java | 32 --- .../proxy/serverproxy/ServerProxyHandler.java | 11 - .../ServerRestMessageProcessor.java | 28 --- .../proxy/util/MessageProcessorBase.java | 6 - .../src/main/proto/monitor_service.proto | 98 -------- .../MonitorAgentMessageTestCase.java | 49 ---- .../testsuite/TestSuiteMonitorAgent.java | 233 ------------------ .../testsuite/testcases/FaultyHeader.java | 14 +- .../testsuite/testcases/FaultyHeader2.java | 51 ---- .../testcases/MonitorAgentNormalMessage.java | 52 ---- .../MonitorAgentServerProxyFailed.java | 75 ------ .../testcases/ServiceConnectionRefused.java | 74 ------ 25 files changed, 25 insertions(+), 1321 deletions(-) delete mode 100644 src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/DefaultMonitorAgentImpl.java delete mode 100644 src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MessageInfo.java delete mode 100644 src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MessageMapper.java delete mode 100644 src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MonitorAgent.java delete mode 100644 src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MonitorAgentProvider.java delete mode 
100644 src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/Shutdownable.java delete mode 100644 src/proxy/src/main/proto/monitor_service.proto delete mode 100644 src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/MonitorAgentMessageTestCase.java delete mode 100644 src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/TestSuiteMonitorAgent.java delete mode 100644 src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/FaultyHeader2.java delete mode 100644 src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/MonitorAgentNormalMessage.java delete mode 100644 src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/MonitorAgentServerProxyFailed.java delete mode 100644 src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/ServiceConnectionRefused.java diff --git a/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/clientproxy/AsicContainerClientRequestProcessor.java b/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/clientproxy/AsicContainerClientRequestProcessor.java index bc2031d4db..049105edb6 100644 --- a/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/clientproxy/AsicContainerClientRequestProcessor.java +++ b/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/clientproxy/AsicContainerClientRequestProcessor.java @@ -50,7 +50,6 @@ import ee.ria.xroad.messagelog.database.MessageRecordEncryption; import ee.ria.xroad.proxy.messagelog.LogRecordManager; import ee.ria.xroad.proxy.messagelog.MessageLog; -import ee.ria.xroad.proxy.monotoring.MessageInfo; import ee.ria.xroad.proxy.util.MessageProcessorBase; import lombok.extern.slf4j.Slf4j; 
@@ -429,11 +428,6 @@ private String getParameter(String param, boolean optional) { return paramValue; } - @Override - public MessageInfo createRequestMessageInfo() { - return null; // nothing to return - } - private static class VerificationConfWriter implements FileConsumer, Closeable { private static final String PREFIX = "verificationconf/"; diff --git a/src/addons/metaservice/src/main/java/ee/ria/xroad/proxy/clientproxy/MetadataClientRequestProcessor.java b/src/addons/metaservice/src/main/java/ee/ria/xroad/proxy/clientproxy/MetadataClientRequestProcessor.java index 8e67e49d4e..d0f742f4f1 100644 --- a/src/addons/metaservice/src/main/java/ee/ria/xroad/proxy/clientproxy/MetadataClientRequestProcessor.java +++ b/src/addons/metaservice/src/main/java/ee/ria/xroad/proxy/clientproxy/MetadataClientRequestProcessor.java @@ -31,7 +31,6 @@ import ee.ria.xroad.common.metadata.ObjectFactory; import ee.ria.xroad.common.util.MimeTypes; import ee.ria.xroad.common.util.MimeUtils; -import ee.ria.xroad.proxy.monotoring.MessageInfo; import ee.ria.xroad.proxy.util.MessageProcessorBase; import com.fasterxml.jackson.annotation.JsonInclude; @@ -106,11 +105,6 @@ public void process() throws Exception { } } - @Override - public MessageInfo createRequestMessageInfo() { - return null; // nothing to return - } - private void handleListClients() throws Exception { log.trace("handleListClients()"); diff --git a/src/proxy/build.gradle b/src/proxy/build.gradle index 9f5d32f4da..3d14e924df 100644 --- a/src/proxy/build.gradle +++ b/src/proxy/build.gradle @@ -6,13 +6,6 @@ plugins { } sourceSets { - main { - java.srcDirs = [ - 'src/main/java' - , 'build/generated-sources' - , 'build/generated/source/proto/main/grpc' - , 'build/generated/source/proto/main/java'] - } intTest { resources { srcDir '../common/common-int-test/src/main/resources/' 
@@ -27,7 +20,6 @@ dependencies { implementation project(':signer-protocol') implementation project(':common:common-messagelog') implementation project(':common:common-op-monitoring') - implementation project(':common:common-rpc') implementation "org.eclipse.jetty:jetty-xml:$jettyVersion" implementation "xerces:xercesImpl:$xercesVersion" @@ -65,16 +57,6 @@ shadowJar { mergeServiceFiles() } -protobuf { - protoc { artifact = "com.google.protobuf:protoc:$protocVersion" } - plugins { - grpc { artifact = "io.grpc:protoc-gen-grpc-java:$grpcVersion" } - } - generateProtoTasks { - all()*.plugins { grpc {} } - } -} - compileJava.dependsOn generateProto testJar.enabled = true diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java index 9433829493..dfd5c2eece 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java @@ -52,19 +52,23 @@ import ee.ria.xroad.proxy.addon.AddOn; import ee.ria.xroad.proxy.clientproxy.ClientProxy; import ee.ria.xroad.proxy.messagelog.MessageLog; -import ee.ria.xroad.proxy.monotoring.MonitorAgent; import ee.ria.xroad.proxy.opmonitoring.OpMonitoring; import ee.ria.xroad.proxy.serverproxy.ServerProxy; import ee.ria.xroad.proxy.util.CertHashBasedOcspResponder; import ee.ria.xroad.proxy.util.ServerConfStatsLogger; import ee.ria.xroad.signer.protocol.RpcSignerClient; +import akka.actor.ActorSystem; +import com.typesafe.config.ConfigFactory; +import com.typesafe.config.ConfigValueFactory; import io.grpc.BindableService; import lombok.AccessLevel; import lombok.NoArgsConstructor; import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; import org.niis.xroad.common.rpc.server.RpcServer; +import scala.concurrent.Await; +import scala.concurrent.duration.Duration; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; 
@@ -114,7 +118,7 @@ public final class ProxyMain { private static RpcServer rpcServer; - //private static ActorSystem actorSystem; + private static ActorSystem actorSystem; private static final ServiceLoader ADDONS = ServiceLoader.load(AddOn.class); @@ -180,6 +184,10 @@ private static void stopServices() throws Exception { private static void startup() { log.trace("startup()"); Version.outputVersionInfo(APP_NAME); + actorSystem = ActorSystem.create("Proxy", ConfigFactory.load().getConfig("proxy") + .withFallback(ConfigFactory.load()) + .withValue("akka.remote.artery.canonical.port", + ConfigValueFactory.fromAnyRef(PortNumbers.PROXY_ACTORSYSTEM_PORT))); log.info("Starting proxy ({})...", readProxyVersion()); } @@ -188,17 +196,16 @@ private static void shutdown() throws Exception { MessageLog.shutdown(); OpMonitoring.shutdown(); stopServices(); + Await.ready(actorSystem.terminate(), Duration.Inf()); BatchSigner.shutdown(); rpcServer.stop(); - MonitorAgent.shutdown(); RpcSignerClient.shutdown(); } private static void createServices() throws Exception { JobManager jobManager = new JobManager(); - MonitorAgent.init(); RpcSignerClient.init(); BatchSigner.init(); boolean messageLogEnabled = MessageLog.init(jobManager); diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/AbstractClientProxyHandler.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/AbstractClientProxyHandler.java index ae59c4a8c4..e290a0c580 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/AbstractClientProxyHandler.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/AbstractClientProxyHandler.java 
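Review bot: `Await.ready(actorSystem.terminate(), Duration.Inf())` in `shutdown()` waits without a bound and runs before `BatchSigner.shutdown()`, `rpcServer.stop()` and `RpcSignerClient.shutdown()`, so a termination that hangs or throws leaves the batch signer, gRPC server and signer client running. A bounded wait such as `Await.ready(actorSystem.terminate(), Duration.create(<timeout>, TimeUnit.SECONDS));` (value to be chosen), placed after the other shutdown calls or wrapped in try/finally, avoids that. Separately, `startup()` brings back an Akka actor system with `akka.remote.artery.canonical.port` set, in a commit titled as a MonitorAgent removal; the bind address comes from the `proxy` config block, which is not part of this patch, so it is worth confirming that the remoting listener stays on the loopback interface and stating in the commit message why the actor system is still needed.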
@@ -32,8 +32,6 @@ import ee.ria.xroad.common.opmonitoring.OpMonitoringData; import ee.ria.xroad.common.util.HandlerBase; import ee.ria.xroad.common.util.PerformanceLogger; -import ee.ria.xroad.proxy.monotoring.MessageInfo; -import ee.ria.xroad.proxy.monotoring.MonitorAgent; import ee.ria.xroad.proxy.opmonitoring.OpMonitoring; import ee.ria.xroad.proxy.util.MessageProcessorBase; @@ -48,7 +46,6 @@ import java.io.IOException; import java.security.cert.X509Certificate; -import java.util.Date; import static ee.ria.xroad.common.ErrorCodes.SERVER_CLIENTPROXY_X; import static ee.ria.xroad.common.ErrorCodes.translateWithPrefix; @@ -153,21 +150,12 @@ public void handle(String target, Request baseRequest, HttpServletRequest reques private static void success(MessageProcessorBase processor, long start, OpMonitoringData opMonitoringData) { final boolean success = processor.verifyMessageExchangeSucceeded(); - final MessageInfo messageInfo = processor.createRequestMessageInfo(); updateOpMonitoringSucceeded(opMonitoringData, success); - if (success) { - MonitorAgent.success(messageInfo, new Date(start), new Date()); - } else { - MonitorAgent.failure(messageInfo, null, null); - } } protected void failure(MessageProcessorBase processor, HttpServletRequest request, HttpServletResponse response, CodedException e, OpMonitoringData opMonitoringData) throws IOException { - MessageInfo info = processor != null ? processor.createRequestMessageInfo() : null; - - MonitorAgent.failure(info, e.getFaultCode(), e.getFaultString()); updateOpMonitoringResponseOutTs(opMonitoringData); @@ -176,7 +164,6 @@ protected void failure(MessageProcessorBase processor, HttpServletRequest reques protected void failure(HttpServletResponse response, CodedExceptionWithHttpStatus e, OpMonitoringData opMonitoringData) throws IOException { - MonitorAgent.failure(null, e.withPrefix(SERVER_CLIENTPROXY_X).getFaultCode(), e.getFaultString()); updateOpMonitoringResponseOutTs(opMonitoringData); 
diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/ClientMessageProcessor.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/ClientMessageProcessor.java index b48039a388..553ba9219f 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/ClientMessageProcessor.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/ClientMessageProcessor.java @@ -42,9 +42,6 @@ import ee.ria.xroad.common.util.MimeUtils; import ee.ria.xroad.proxy.conf.KeyConf; import ee.ria.xroad.proxy.messagelog.MessageLog; -import ee.ria.xroad.proxy.monotoring.MessageInfo; -import ee.ria.xroad.proxy.monotoring.MessageInfo.Origin; -import ee.ria.xroad.proxy.monotoring.MonitorAgent; import ee.ria.xroad.proxy.protocol.ProxyMessage; import ee.ria.xroad.proxy.protocol.ProxyMessageDecoder; import ee.ria.xroad.proxy.protocol.ProxyMessageEncoder; @@ -251,17 +248,10 @@ private void sendRequest(HttpSender httpSender) throws Exception { // Add unique id to distinguish request/response pairs httpSender.addHeader(HEADER_REQUEST_ID, xRequestId); - try { - opMonitoringData.setRequestOutTs(getEpochMillisecond()); - httpSender.doPost(getServiceAddress(addresses), reqIns, CHUNKED_LENGTH, outputContentType); - opMonitoringData.setResponseInTs(getEpochMillisecond()); - } catch (Exception e) { - // Failed to connect to server proxy - MonitorAgent.serverProxyFailed(createRequestMessageInfo()); - - // Rethrow - throw e; - } + opMonitoringData.setRequestOutTs(getEpochMillisecond()); + httpSender.doPost(getServiceAddress(addresses), reqIns, CHUNKED_LENGTH, outputContentType); + opMonitoringData.setResponseInTs(getEpochMillisecond()); + } finally { if (reqIns != null) { reqIns.close(); 
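Review bot: With the `catch` removed from `sendRequest`, a failed `httpSender.doPost(...)` leaves this method without any record that the server proxy could not be reached, and the `sendRequest` hunk in ClientRestMessageProcessor.java loses the same signal. Unless a caller outside these hunks already logs the exception together with the request id, I would keep a catch that logs and rethrows, for example `} catch (Exception e) { log.warn("Request {} to server proxy failed", xRequestId, e); throw e; } finally {` (this assumes the class has a `log` field, which the hunk does not show). The empty added line left in front of `} finally {` can be dropped too. The enclosing `try` opens above the hunk.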
@@ -431,16 +421,6 @@ private void setError(Throwable ex) { } } - @Override - public MessageInfo createRequestMessageInfo() { - if (requestSoap == null) { - return null; - } - - return new MessageInfo(Origin.CLIENT_PROXY, requestSoap.getClient(), requestServiceId, requestSoap.getUserId(), - requestSoap.getQueryId()); - } - public void handleSoap() { try (SoapMessageHandler handler = new SoapMessageHandler()) { SoapMessageDecoder soapMessageDecoder = new SoapMessageDecoder(servletRequest.getContentType(), diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/ClientRestMessageProcessor.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/ClientRestMessageProcessor.java index 61310fd933..ad99b167d8 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/ClientRestMessageProcessor.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/clientproxy/ClientRestMessageProcessor.java @@ -40,8 +40,6 @@ import ee.ria.xroad.common.util.MimeUtils; import ee.ria.xroad.proxy.conf.KeyConf; import ee.ria.xroad.proxy.messagelog.MessageLog; -import ee.ria.xroad.proxy.monotoring.MessageInfo; -import ee.ria.xroad.proxy.monotoring.MonitorAgent; import ee.ria.xroad.proxy.protocol.ProxyMessage; import ee.ria.xroad.proxy.protocol.ProxyMessageDecoder; import ee.ria.xroad.proxy.protocol.ProxyMessageEncoder; 
@@ -187,15 +185,10 @@ private void sendRequest(HttpSender httpSender) throws Exception { // Add unique id to distinguish request/response pairs httpSender.addHeader(HEADER_REQUEST_ID, xRequestId); - try { - final String contentType = MimeUtils.mpMixedContentType("xtop" + RandomStringUtils.randomAlphabetic(30)); - opMonitoringData.setRequestOutTs(getEpochMillisecond()); - httpSender.doPost(getServiceAddress(addresses), new ProxyMessageEntity(contentType)); - opMonitoringData.setResponseInTs(getEpochMillisecond()); - } catch (Exception e) { - MonitorAgent.serverProxyFailed(createRequestMessageInfo()); - throw e; - } + final String contentType = MimeUtils.mpMixedContentType("xtop" + RandomStringUtils.randomAlphabetic(30)); + opMonitoringData.setRequestOutTs(getEpochMillisecond()); + httpSender.doPost(getServiceAddress(addresses), new ProxyMessageEntity(contentType)); + opMonitoringData.setResponseInTs(getEpochMillisecond()); } private void parseResponse(HttpSender httpSender) throws Exception { @@ -292,19 +285,6 @@ private void sendResponse() throws Exception { } } - @Override - public MessageInfo createRequestMessageInfo() { - if (restRequest == null) { - return null; - } - - return new MessageInfo(MessageInfo.Origin.CLIENT_PROXY, - restRequest.getClientId(), - requestServiceId, - null, - null); - } - class ProxyMessageEntity extends AbstractHttpEntity { ProxyMessageEntity(String contentType) { diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/DefaultMonitorAgentImpl.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/DefaultMonitorAgentImpl.java deleted file mode 100644 index 50eb59797d..0000000000 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/DefaultMonitorAgentImpl.java +++ /dev/null 
@@ -1,114 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.proxy.monotoring; - -import ee.ria.xroad.proxy.monitoring.MonitorServiceGrpc; -import ee.ria.xroad.proxy.monitoring.Void; - -import io.grpc.Channel; -import io.grpc.stub.StreamObserver; -import lombok.Getter; -import org.niis.xroad.common.rpc.client.RpcClient; - -import java.util.Date; - -/** - * Default implementation of the monitor agent interface. 
- */ -public class DefaultMonitorAgentImpl implements MonitorAgentProvider, Shutdownable { - - private static final StreamObserver NOOP_OBSERVER = new StreamObserver<>() { - @Override - public void onNext(Void value) { - //Noop impl, ignore item - } - - @Override - public void onError(Throwable t) { - //Noop impl, ignore error - } - - @Override - public void onCompleted() { - //Noop impl, ignore completion - } - }; - - private final RpcClient rpcClient; - - /** - * Construct agent for accessing monitoring agent using the provided channel. - */ - public DefaultMonitorAgentImpl(final RpcClient client) { - this.rpcClient = client; - } - - @Override - public void success(MessageInfo messageInfo, Date startTime, Date endTime) { - call(ctx -> ctx.getMonitorServiceStub().success( - MessageMapper.successfulMessage(messageInfo, startTime, endTime), - NOOP_OBSERVER)); - } - - @Override - public void serverProxyFailed(MessageInfo messageInfo) { - call(ctx -> ctx.getMonitorServiceStub().serverProxyFailed( - MessageMapper.serverProxyFailed(messageInfo), - NOOP_OBSERVER - )); - } - - @Override - public void failure(MessageInfo messageInfo, String faultCode, String faultMessage) { - call(ctx -> ctx.getMonitorServiceStub().failure( - MessageMapper.faultInfo(messageInfo, faultCode, faultMessage), - NOOP_OBSERVER - )); - } - - private void call(final RpcClient.AsyncRpcExecution grpcCall) { - if (rpcClient != null) { - rpcClient.executeAsync(grpcCall); - } - } - - - @Override - public void shutdown() { - if (rpcClient != null) { - rpcClient.shutdown(); - } - } - - @Getter - public static class RpcMonitorAgentContext implements RpcClient.ExecutionContext { - private final MonitorServiceGrpc.MonitorServiceStub monitorServiceStub; - - RpcMonitorAgentContext(Channel channel) { - monitorServiceStub = MonitorServiceGrpc.newStub(channel).withWaitForReady(); - } - } -} 
diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MessageInfo.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MessageInfo.java deleted file mode 100644 index 8a119a195f..0000000000 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MessageInfo.java +++ /dev/null 
@@ -1,52 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.proxy.monotoring; - -import ee.ria.xroad.common.identifier.ClientId; -import ee.ria.xroad.common.identifier.ServiceId; - -import lombok.Data; - -import java.io.Serializable; - -/** - * Monitoring info about a message processed by the proxy. - */ -@Data -public final class MessageInfo implements Serializable { - - /** Where does the message originate from? 
*/ - public enum Origin { - CLIENT_PROXY, - SERVER_PROXY - } - - private final Origin origin; - private final ClientId client; - private final ServiceId service; - private final String userId; - private final String queryId; -} diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MessageMapper.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MessageMapper.java deleted file mode 100644 index 14bb0bdeac..0000000000 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MessageMapper.java +++ /dev/null 
@@ -1,135 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.proxy.monotoring; - -import ee.ria.xroad.common.identifier.ClientId; -import ee.ria.xroad.common.identifier.ServiceId; -import ee.ria.xroad.proxy.monitoring.ClientIdProto; -import ee.ria.xroad.proxy.monitoring.FaultInfo; -import ee.ria.xroad.proxy.monitoring.MessageInfoProto; -import ee.ria.xroad.proxy.monitoring.Origin; -import ee.ria.xroad.proxy.monitoring.ServerProxyFailed; -import ee.ria.xroad.proxy.monitoring.ServiceIdProto; -import ee.ria.xroad.proxy.monitoring.SuccessfulMessage; -import ee.ria.xroad.proxy.monitoring.XRoadObjectType; - -import org.apache.commons.lang3.StringUtils; - -import java.util.Date; - -public final class MessageMapper { - - private MessageMapper() { - } - - public static SuccessfulMessage successfulMessage(MessageInfo messageInfo, Date startTime, Date endTime) { - var builder = SuccessfulMessage.newBuilder() - .setDateStartTime(startTime.getTime()) - .setDateEndTime(endTime.getTime()); - - if (messageInfo != null) { - builder = builder.setMessage(mapMessage(messageInfo)); - } - return builder - .build(); - } - - public static FaultInfo faultInfo(MessageInfo messageInfo, String faultCode, String faultMessage) { - var builder = FaultInfo.newBuilder(); - - if (messageInfo != null) { - builder = builder.setMessage(mapMessage(messageInfo)); - } - if (faultCode != null) { - builder = builder.setFaultCode(faultCode); - } - if (faultMessage != null) { - builder = builder.setFaultMessage(faultMessage); - } - return builder - .build(); - } - - public static ServerProxyFailed serverProxyFailed(MessageInfo messageInfo) { - var builder = ServerProxyFailed.newBuilder(); - - if (messageInfo != null) { - builder = builder.setMessage(mapMessage(messageInfo)); - } - return builder - .build(); - } - - private static MessageInfoProto mapMessage(MessageInfo messageInfo) { - var builder = MessageInfoProto.newBuilder() - .setOrigin(Origin.valueOf(messageInfo.getOrigin().name())) - .setService(mapServiceId(messageInfo.getService())) 
- .setClient(mapClientId(messageInfo.getClient())); - - - if (StringUtils.isNotEmpty(messageInfo.getUserId())) { - builder = builder.setUserId(messageInfo.getUserId()); - } - - if (StringUtils.isNotEmpty(messageInfo.getQueryId())) { - builder = builder.setQueryId(messageInfo.getQueryId()); - } - - return builder.build(); - } - - private static ClientIdProto mapClientId(ClientId clientId) { - var builder = ClientIdProto.newBuilder() - .setXroadInstance(clientId.getXRoadInstance()) - .setMemberClass(clientId.getMemberClass()) - .setMemberCode(clientId.getMemberCode()) - .setObjectType(XRoadObjectType.valueOf(clientId.getObjectType().name())); - - if (StringUtils.isNotEmpty(clientId.getSubsystemCode())) { - builder = builder.setSubsystemCode(clientId.getSubsystemCode()); - } - - return builder.build(); - } - - private static ServiceIdProto mapServiceId(ServiceId serviceId) { - var builder = ServiceIdProto.newBuilder() - .setXroadInstance(serviceId.getXRoadInstance()) - .setMemberClass(serviceId.getMemberClass()) - .setMemberCode(serviceId.getMemberCode()) - .setServiceCode(serviceId.getServiceCode()); - - if (serviceId.getSubsystemCode() != null) { - builder = builder.setSubsystemCode(serviceId.getSubsystemCode()); - } - - if (serviceId.getServiceVersion() != null) { - builder = builder.setServiceVersion(serviceId.getServiceVersion()); - } - - return builder.build(); - } -} diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MonitorAgent.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MonitorAgent.java deleted file mode 100644 index cca988e9aa..0000000000 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MonitorAgent.java +++ /dev/null 
@@ -1,119 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.proxy.monotoring; - -import lombok.extern.slf4j.Slf4j; -import org.niis.xroad.common.rpc.client.RpcClient; - -import java.util.Date; - -import static ee.ria.xroad.common.SystemProperties.getGrpcInternalHost; -import static ee.ria.xroad.common.SystemProperties.getProxyGrpcPort; -import static ee.ria.xroad.common.SystemProperties.getSignerClientTimeout; - -/** - * This class encapsulates monitoring agent that can receive - * monitoring information. 
- */ -@Slf4j -public final class MonitorAgent { - - private static MonitorAgentProvider monitorAgentImpl; - - private MonitorAgent() { - } - - public static void init() throws Exception { - init(getGrpcInternalHost(), getProxyGrpcPort(), getSignerClientTimeout()); - } - - public static void init(String host, int port, int clientTimeoutMillis) throws Exception { - var client = RpcClient.newClient(host, port, clientTimeoutMillis, DefaultMonitorAgentImpl.RpcMonitorAgentContext::new); - init(new DefaultMonitorAgentImpl(client)); - } - - public static void init(final MonitorAgentProvider monitorAgent) throws Exception { - monitorAgentImpl = monitorAgent; - } - - - public static void shutdown() { - if (monitorAgentImpl instanceof Shutdownable) { - ((Shutdownable) monitorAgentImpl).shutdown(); - } - } - - /** - * Message was processed successfully by the proxy. - * @param messageInfo Successfully processed message. - * @param startTime Time of start of the processing. - * @param endTime Time of end of the processing. - */ - public static void success(MessageInfo messageInfo, Date startTime, - Date endTime) { - try { - if (monitorAgentImpl != null) { - monitorAgentImpl.success(messageInfo, startTime, endTime); - } - } catch (RuntimeException re) { - log.error("MonitorAgent::success() failed", re); - } - } - - /** - * Client proxy failed to make connection to server proxy. - * @param messageInfo information about the message that could not be sent - */ - public static void serverProxyFailed(MessageInfo messageInfo) { - try { - if (monitorAgentImpl != null) { - monitorAgentImpl.serverProxyFailed(messageInfo); - } - } catch (RuntimeException re) { - log.error("MonitorAgent::serverProxyFailed() failed", re); - } - } - - /** - * Processing of a given message failed for various reasons. - * Parameter messageInfo can be null if the message is not available - * at the point of the failure. 
- * @param messageInfo information about the message that could not be processed - * @param faultCode fault code of the failure - * @param faultMessage fault message of the failure - */ - public static void failure(MessageInfo messageInfo, String faultCode, - String faultMessage) { - try { - if (monitorAgentImpl != null) { - monitorAgentImpl.failure(messageInfo, faultCode, faultMessage); - } - } catch (RuntimeException re) { - log.error("MonitorAgent::failure() failed", re); - } - } - -} diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MonitorAgentProvider.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MonitorAgentProvider.java deleted file mode 100644 index 5d86dbffe8..0000000000 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/MonitorAgentProvider.java +++ /dev/null 
@@ -1,59 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.proxy.monotoring; - -import java.util.Date; - -/** - * Interface describing monitor agent functionality. - */ -public interface MonitorAgentProvider { - - /** - * Message was processed successfully by the proxy. - * @param messageInfo Successfully processed message. - * @param startTime Time of start of the processing. - * @param endTime Time of end of the processing. 
- */ - void success(MessageInfo messageInfo, Date startTime, Date endTime); - - /** - * Client proxy failed to make connection to server proxy. - * @param messageInfo information about the message that could not be sent - */ - void serverProxyFailed(MessageInfo messageInfo); - - /** - * Processing of a given message failed for various reasons. - * Parameter messageInfo can be null if the message is not available - * at the point of the failure. - * @param messageInfo information about the message that could not be processed - * @param faultCode fault code of the failure - * @param faultMessage fault message of the failure - */ - void failure(MessageInfo messageInfo, String faultCode, - String faultMessage); -} diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/Shutdownable.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/Shutdownable.java deleted file mode 100644 index d90728416e..0000000000 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/monotoring/Shutdownable.java +++ /dev/null 
@@ -1,30 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.proxy.monotoring; - -public interface Shutdownable { - void shutdown(); -} diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerMessageProcessor.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerMessageProcessor.java index e06bbc6085..3911a07a7e 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerMessageProcessor.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerMessageProcessor.java 
@@ -49,9 +49,6 @@ import ee.ria.xroad.proxy.conf.KeyConf; import ee.ria.xroad.proxy.conf.SigningCtx; import ee.ria.xroad.proxy.messagelog.MessageLog; -import ee.ria.xroad.proxy.monotoring.MessageInfo; -import ee.ria.xroad.proxy.monotoring.MessageInfo.Origin; -import ee.ria.xroad.proxy.monotoring.MonitorAgent; import ee.ria.xroad.proxy.protocol.ProxyMessage; import ee.ria.xroad.proxy.protocol.ProxyMessageDecoder; import ee.ria.xroad.proxy.protocol.ProxyMessageEncoder; @@ -511,8 +508,6 @@ private void handleException(Exception ex) throws Exception { exception = translateWithPrefix(SERVER_SERVERPROXY_X, ex); } - monitorAgentNotifyFailure(exception); - opMonitoringData.setFaultCodeAndString(exception); opMonitoringData.setResponseOutTs(getEpochMillisecond(), false); @@ -523,33 +518,6 @@ private void handleException(Exception ex) throws Exception { } } - private void monitorAgentNotifyFailure(CodedException ex) { - MessageInfo info = null; - - boolean requestIsComplete = requestMessage != null && requestMessage.getSoap() != null - && requestMessage.getSignature() != null; - - // Include the request message only if the error was caused while - // exchanging information with the adapter server. - if (requestIsComplete && ex.getFaultCode().startsWith(SERVER_SERVERPROXY_X + "." + X_SERVICE_FAILED_X)) { - info = createRequestMessageInfo(); - } - - MonitorAgent.failure(info, ex.getFaultCode(), ex.getFaultString()); - } - - @Override - public MessageInfo createRequestMessageInfo() { - if (requestMessage == null) { - return null; - } - - SoapMessageImpl soap = requestMessage.getSoap(); - - return new MessageInfo(Origin.SERVER_PROXY, soap.getClient(), requestServiceId, soap.getUserId(), - soap.getQueryId()); - } - private X509Certificate getClientAuthCert() { return clientSslCerts != null ? clientSslCerts[0] : null; } 
diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerProxyHandler.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerProxyHandler.java index 2e51688bf8..1a17e3e209 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerProxyHandler.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerProxyHandler.java @@ -31,8 +31,6 @@ import ee.ria.xroad.common.opmonitoring.OpMonitoringData; import ee.ria.xroad.common.util.HandlerBase; import ee.ria.xroad.common.util.PerformanceLogger; -import ee.ria.xroad.proxy.monotoring.MessageInfo; -import ee.ria.xroad.proxy.monotoring.MonitorAgent; import ee.ria.xroad.proxy.opmonitoring.OpMonitoring; import ee.ria.xroad.proxy.util.MessageProcessorBase; @@ -46,7 +44,6 @@ import java.io.IOException; import java.security.cert.X509Certificate; -import java.util.Date; import static ee.ria.xroad.common.ErrorCodes.SERVER_SERVERPROXY_X; import static ee.ria.xroad.common.ErrorCodes.X_INVALID_HTTP_METHOD; @@ -92,13 +89,6 @@ public void handle(String target, Request baseRequest, final HttpServletRequest baseRequest.getHttpChannel().setIdleTimeout(idleTimeout); final MessageProcessorBase processor = createRequestProcessor(request, response, opMonitoringData); processor.process(); - - final MessageInfo messageInfo = processor.createRequestMessageInfo(); - if (processor.verifyMessageExchangeSucceeded()) { - MonitorAgent.success(messageInfo, new Date(start), new Date()); - } else { - MonitorAgent.failure(messageInfo, null, null); - } } catch (Throwable e) { // We want to catch serious errors as well CodedException cex = translateWithPrefix(SERVER_SERVERPROXY_X, e); 
@@ -133,7 +123,6 @@ private MessageProcessorBase createRequestProcessor(HttpServletRequest request, @Override protected void failure(HttpServletRequest request, HttpServletResponse response, CodedException e) throws IOException { - MonitorAgent.failure(null, e.getFaultCode(), e.getFaultString()); sendErrorResponse(request, response, e); } diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerRestMessageProcessor.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerRestMessageProcessor.java index a9980b57b1..1f49944cd1 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerRestMessageProcessor.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerRestMessageProcessor.java @@ -46,9 +46,6 @@ import ee.ria.xroad.proxy.conf.KeyConf; import ee.ria.xroad.proxy.conf.SigningCtx; import ee.ria.xroad.proxy.messagelog.MessageLog; -import ee.ria.xroad.proxy.monotoring.MessageInfo; -import ee.ria.xroad.proxy.monotoring.MessageInfo.Origin; -import ee.ria.xroad.proxy.monotoring.MonitorAgent; import ee.ria.xroad.proxy.protocol.ProxyMessage; import ee.ria.xroad.proxy.protocol.ProxyMessageDecoder; import ee.ria.xroad.proxy.protocol.ProxyMessageEncoder; @@ -418,7 +415,6 @@ private void handleException(Exception ex) throws Exception { exception = translateWithPrefix(SERVER_SERVERPROXY_X, ex); } opMonitoringData.setFaultCodeAndString(exception); - monitorAgentNotifyFailure(exception); encoder.fault(SoapFault.createFaultXml(exception)); encoder.close(); } else { 
@@ -426,30 +422,6 @@ private void handleException(Exception ex) throws Exception { } } - private void monitorAgentNotifyFailure(CodedException ex) { - MessageInfo info = null; - - boolean requestIsComplete = requestMessage != null && requestMessage.getRest() != null - && requestMessage.getSignature() != null; - - // Include the request message only if the error was caused while - // exchanging information with the adapter server. - if (requestIsComplete && ex.getFaultCode().startsWith(SERVER_SERVERPROXY_X + "." + X_SERVICE_FAILED_X)) { - info = createRequestMessageInfo(); - } - - MonitorAgent.failure(info, ex.getFaultCode(), ex.getFaultString()); - } - - @Override - public MessageInfo createRequestMessageInfo() { - if (requestMessage == null) { - return null; - } - final RestRequest rest = requestMessage.getRest(); - return new MessageInfo(Origin.SERVER_PROXY, rest.getClientId(), requestServiceId, null, rest.getQueryId()); - } - private X509Certificate getClientAuthCert() { return clientSslCerts != null ? clientSslCerts[0] : null; } diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/util/MessageProcessorBase.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/util/MessageProcessorBase.java index a37f04ca3e..695279853e 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/util/MessageProcessorBase.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/util/MessageProcessorBase.java @@ -35,7 +35,6 @@ import ee.ria.xroad.common.opmonitoring.OpMonitoringData; import ee.ria.xroad.common.util.HttpSender; import ee.ria.xroad.common.util.MimeUtils; -import ee.ria.xroad.proxy.monotoring.MessageInfo; import lombok.extern.slf4j.Slf4j; import org.apache.http.client.HttpClient; 
@@ -98,11 +97,6 @@ protected void postprocess() throws Exception { */ public abstract void process() throws Exception; - /** - * @return MessageInfo object for the request message being processed - */ - public abstract MessageInfo createRequestMessageInfo(); - /** * Update operational monitoring data with SOAP message header data and * the size of the message. diff --git a/src/proxy/src/main/proto/monitor_service.proto b/src/proxy/src/main/proto/monitor_service.proto deleted file mode 100644 index d69cda9e35..0000000000 --- a/src/proxy/src/main/proto/monitor_service.proto +++ /dev/null 
@@ -1,98 +0,0 @@
-/*
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-syntax = "proto3";
-
-import "google/protobuf/timestamp.proto";
-
-package ee.ria.xroad.proxy.monitoring;
-
-option java_multiple_files = true;
-
-service MonitorService {
- rpc success(SuccessfulMessage) returns (Void) {}
- rpc failure(FaultInfo) returns (Void) {}
- rpc serverProxyFailed(ServerProxyFailed) returns (Void) {}
-}
-
-message Void {
-}
-
-message SuccessfulMessage {
- optional MessageInfoProto message = 1;
- int64 date_start_time = 2;
- int64 date_end_time = 3;
-}
-
-message FaultInfo {
- optional MessageInfoProto message = 1;
- optional string faultCode = 2;
- optional string faultMessage = 3;
-}
-
-message ServerProxyFailed {
- optional MessageInfoProto message = 1;
-}
-
-message MessageInfoProto {
- Origin origin = 1;
- ClientIdProto client = 2;
- ServiceIdProto service = 3;
- optional string user_id = 4;
- optional string query_id = 5;
-}
-
-enum Origin {
- CLIENT_PROXY = 0;
- SERVER_PROXY = 1;
-}
-
-message ServiceIdProto {
- string member_class = 1;
- string member_code = 2;
- optional string subsystem_code = 3;
- string service_code = 4;
- optional string service_version = 5;
-
- string xroad_instance = 6;
-}
-
-message ClientIdProto {
- string member_class = 1;
- string member_code = 2;
- optional string subsystem_code = 3;
- string xroad_instance = 4;
- XRoadObjectType object_type = 5;
-}
-
-enum XRoadObjectType {
- XROAD_OBJECT_TYPE_UNSPECIFIED = 0;
- SERVER = 1;
- SERVICE = 2;
- MEMBER = 3;
- SUBSYSTEM = 4;
- GLOBALGROUP = 5;
- LOCALGROUP = 6 [deprecated = true]; // Deprecated
-}
diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/MonitorAgentMessageTestCase.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/MonitorAgentMessageTestCase.java
deleted file mode 100644
index 4b88609001..0000000000
--- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/MonitorAgentMessageTestCase.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.proxy.testsuite;
-
-import ee.ria.xroad.proxy.monotoring.MonitorAgent;
-
-/**
- * Monitor agent message test case.
- */
-public class MonitorAgentMessageTestCase extends MessageTestCase {
-
- protected final TestSuiteMonitorAgent monitorAgent =
- new TestSuiteMonitorAgent();
-
- @Override
- public void execute() throws Exception {
- MonitorAgent.init(monitorAgent);
-
- super.execute();
-
- monitorAgent.verifyAPICalls();
-
- MonitorAgent.shutdown(); // deinitialize
- }
-
-}
diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/TestSuiteMonitorAgent.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/TestSuiteMonitorAgent.java
deleted file mode 100644
index 7dba3d72c0..0000000000
--- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/TestSuiteMonitorAgent.java
+++ /dev/null
@@ -1,233 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.proxy.testsuite; - -import ee.ria.xroad.proxy.monotoring.MessageInfo; -import ee.ria.xroad.proxy.monotoring.MonitorAgentProvider; - -import lombok.extern.slf4j.Slf4j; -import org.apache.commons.lang3.builder.EqualsBuilder; -import org.apache.commons.lang3.builder.HashCodeBuilder; -import org.apache.commons.lang3.builder.ToStringBuilder; - -import java.util.ArrayList; -import java.util.Date; -import java.util.List; - -/** - * Monitor agent implementation for the testsuite. 
- */ -@Slf4j -public class TestSuiteMonitorAgent implements MonitorAgentProvider { - - private static final String FAILURE = "failure"; - private static final String SERVER_PROXY_FAILED = "serverProxyFailed"; - private static final String SUCCESS = "success"; - - private class ApiCall { - final String name; - final Object[] params; - - ApiCall(String name) { - this(name, (Object[]) null); - } - - ApiCall(String name, Object[] params) { - this.name = name; - this.params = params; - } - - @Override - public boolean equals(Object obj) { - if (obj instanceof ApiCall - && (((ApiCall) obj).params == null || params == null)) { - return ((ApiCall) obj).name.equals(name); - } - - return EqualsBuilder.reflectionEquals(this, obj); - } - - @Override - public int hashCode() { - return HashCodeBuilder.reflectionHashCode(this); - } - - @Override - public String toString() { - return ToStringBuilder.reflectionToString(this); - } - } - - private final List expectedApiCalls = new ArrayList<>(); - - private boolean apiCalled; - - /** - * Expect a success. - */ - public void expectSuccess() { - expectedApiCalls.add(new ApiCall(SUCCESS)); - } - - /** - * Expect a success with the given message info. - * @param messageInfo the message info - */ - public void expectSuccess(MessageInfo messageInfo) { - expectedApiCalls.add(new ApiCall(SUCCESS, - new Object[] {messageInfo.getOrigin(), messageInfo.getClient(), - messageInfo.getService()})); - } - - /** - * Expect a server proxy failure. - */ - public void expectServerProxyFailed() { - expectedApiCalls.add(new ApiCall(SERVER_PROXY_FAILED)); - } - - /** - * Expect a server proxy failure with the given message info. - * @param messageInfo the message info - */ - public void expectServerProxyFailed(MessageInfo messageInfo) { - expectedApiCalls.add(new ApiCall(SERVER_PROXY_FAILED, - new Object[] {messageInfo.getOrigin(), messageInfo.getClient(), - messageInfo.getService()})); - } - - /** - * Expect a failure. 
- */ - public void expectFailure() { - expectedApiCalls.add(new ApiCall(FAILURE)); - } - - /** - * Expect a failure with the given message info and fault code. - * @param messageInfo the message info - * @param faultCode the fault code - */ - public void expectFailure(MessageInfo messageInfo, String faultCode) { - if (messageInfo == null) { - expectedApiCalls.add(new ApiCall(FAILURE, - new Object[] {faultCode})); - } else { - expectedApiCalls.add(new ApiCall(FAILURE, new Object[] { - messageInfo.getOrigin(), messageInfo.getClient(), - messageInfo.getService(), faultCode})); - } - } - - /** - * Verify that the monitor agent API calls were made. - */ - public void verifyAPICalls() { - if (!apiCalled) { - throw new RuntimeException("MonitorAgent expected API calls"); - } - } - - @Override - public void success(MessageInfo messageInfo, Date startTime, Date endTime) { - log.info("success({}, {}, {})", - new Object[] {messageInfo, startTime, endTime}); - - if (messageInfo == null) { - assertApiCall(new ApiCall(SUCCESS)); - } else { - assertApiCall(new ApiCall(SUCCESS, new Object[] { - messageInfo.getOrigin(), messageInfo.getClient(), - messageInfo.getService()})); - } - } - - @Override - public void serverProxyFailed(MessageInfo messageInfo) { - log.info("serverProxyFailed({})", messageInfo); - - if (messageInfo == null) { - assertApiCall(new ApiCall(SERVER_PROXY_FAILED)); - } else { - assertApiCall(new ApiCall(SERVER_PROXY_FAILED, new Object[] { - messageInfo.getOrigin(), messageInfo.getClient(), - messageInfo.getService()})); - } - } - - @Override - public void failure(MessageInfo messageInfo, String faultCode, - String faultMessage) { - log.info("failure({}, {}, {})", - new Object[] {messageInfo, faultCode, faultMessage}); - - if (messageInfo == null) { - assertApiCall(new ApiCall(FAILURE, new Object[] {faultCode})); - } else { - assertApiCall(new ApiCall(FAILURE, new Object[] { - messageInfo.getOrigin(), messageInfo.getClient(), - messageInfo.getService(), faultCode 
})); - } - } - - private void assertApiCall(ApiCall actual) { - apiCalled = true; - - if (!expectedApiCalls.contains(actual)) { - throw new RuntimeException( - "MonitorAgent got unexpected API call " + actual); - } - } - -/* - public static void main(String... args) { - TestSuiteMonitorAgent a = new TestSuiteMonitorAgent(); - a.expectFailure(); - a.failure(null, "", ""); - - a = new TestSuiteMonitorAgent(); - a.expectFailure(messageInfo("client", "service", "foo", "query1"), - "code"); - a.failure(messageInfo("client", "service", "foo", "query1"), - "code", "message"); - - a = new TestSuiteMonitorAgent(); - a.expectSuccess(); - a.success(messageInfo("aa", "bb", "cc", "dd"), new Date(), new Date()); - a.success(null, null, null); - - System.out.println("OK"); - } - - private static MessageInfo messageInfo(String client, String service, - String userId, String queryId) { - return new MessageInfo(Origin.SERVER_PROXY, - ClientId.create("EE", "BB", client), - ServiceId.create("EE", "XX", "foobar", null, service), - userId, queryId); - } -*/ -} diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/FaultyHeader.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/FaultyHeader.java index 7f3a543e8f..aa76d09ba0 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/FaultyHeader.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/FaultyHeader.java 
@@ -26,28 +26,26 @@ package ee.ria.xroad.proxy.testsuite.testcases; import ee.ria.xroad.proxy.testsuite.Message; -import ee.ria.xroad.proxy.testsuite.MonitorAgentMessageTestCase; +import ee.ria.xroad.proxy.testsuite.MessageTestCase; import static ee.ria.xroad.common.ErrorCodes.CLIENT_X; -import static ee.ria.xroad.common.ErrorCodes.X_MISSING_HEADER_FIELD; +import static ee.ria.xroad.common.ErrorCodes.X_DUPLICATE_HEADER_FIELD; /** - * Client sends request with faulty SOAP header (missing field). + * Client sends request with faulty SOAP header (duplicate field). * Result: Client.* error. */ -public class FaultyHeader extends MonitorAgentMessageTestCase { +public class FaultyHeader extends MessageTestCase { /** * Constructs the test case. */ public FaultyHeader() { - requestFileName = "faulty-header.query"; - - monitorAgent.expectFailure(); + requestFileName = "faulty-header2.query"; } @Override protected void validateFaultResponse(Message receivedResponse) { - assertErrorCode(CLIENT_X, X_MISSING_HEADER_FIELD); + assertErrorCode(CLIENT_X, X_DUPLICATE_HEADER_FIELD); } } diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/FaultyHeader2.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/FaultyHeader2.java deleted file mode 100644 index 2b83f76920..0000000000 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/FaultyHeader2.java +++ /dev/null 
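Review bot: Repointing `FaultyHeader` at `faulty-header2.query` and asserting `X_DUPLICATE_HEADER_FIELD` drops the only visible check that a request with a missing SOAP header field is rejected with `X_MISSING_HEADER_FIELD`; the same patch deletes `FaultyHeader2`, so the net result is one duplicate-field test under the old name. Removing the monitor agent only required changing the superclass to `MessageTestCase` and deleting `monitorAgent.expectFailure();`. I would keep `requestFileName = "faulty-header.query";` and `assertErrorCode(CLIENT_X, X_MISSING_HEADER_FIELD);` here and leave `FaultyHeader2` in place, so both malformed-header rejections stay covered. If the missing-field case is exercised elsewhere, that is not visible in this patch.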
@@ -1,51 +0,0 @@
-/*
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.proxy.testsuite.testcases;
-
-import ee.ria.xroad.proxy.testsuite.Message;
-import ee.ria.xroad.proxy.testsuite.MessageTestCase;
-
-import static ee.ria.xroad.common.ErrorCodes.CLIENT_X;
-import static ee.ria.xroad.common.ErrorCodes.X_DUPLICATE_HEADER_FIELD;
-
-/**
- * Client sends request with faulty SOAP header (duplicate field).
- * Result: Client.* error.
- */
-public class FaultyHeader2 extends MessageTestCase {
-
- /**
- * Constructs the test case.
- */
- public FaultyHeader2() {
- requestFileName = "faulty-header2.query";
- }
-
- @Override
- protected void validateFaultResponse(Message receivedResponse) {
- assertErrorCode(CLIENT_X, X_DUPLICATE_HEADER_FIELD);
- }
-}
diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/MonitorAgentNormalMessage.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/MonitorAgentNormalMessage.java
deleted file mode 100644
index 33056332c3..0000000000
--- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/MonitorAgentNormalMessage.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.proxy.testsuite.testcases;
-
-import ee.ria.xroad.proxy.testsuite.Message;
-import ee.ria.xroad.proxy.testsuite.MonitorAgentMessageTestCase;
-
-/**
- * The simplest case -- normal message and normal response.
- * Result: client receives message.
- */
-public class MonitorAgentNormalMessage extends MonitorAgentMessageTestCase {
-
- /**
- * Constructs the test case.
- */
- public MonitorAgentNormalMessage() {
- requestFileName = "getstate.query";
- responseFile = "getstate.answer";
-
- monitorAgent.expectSuccess();
- }
-
- @Override
- protected void validateNormalResponse(Message receivedResponse)
- throws Exception {
- // Normal response, nothing more to check here.
- }
-}
diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/MonitorAgentServerProxyFailed.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/MonitorAgentServerProxyFailed.java
deleted file mode 100644
index 38ed1b7bc4..0000000000
--- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/MonitorAgentServerProxyFailed.java
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.proxy.testsuite.testcases;
-
-import ee.ria.xroad.common.identifier.ClientId;
-import ee.ria.xroad.common.identifier.ServiceId;
-import ee.ria.xroad.proxy.monotoring.MessageInfo;
-import ee.ria.xroad.proxy.monotoring.MessageInfo.Origin;
-import ee.ria.xroad.proxy.testsuite.Message;
-import ee.ria.xroad.proxy.testsuite.MonitorAgentMessageTestCase;
-
-import static ee.ria.xroad.common.ErrorCodes.SERVER_CLIENTPROXY_X;
-import static ee.ria.xroad.common.ErrorCodes.X_NETWORK_ERROR;
-
-/**
- * Client sends normal message. The CP gets connection refused error
- * when connecting to SP.
- * Result: CP responds with error
- */
-public class MonitorAgentServerProxyFailed extends MonitorAgentMessageTestCase {
-
- /**
- * Constructs the test case.
- */
- public MonitorAgentServerProxyFailed() {
- requestFileName = "getstate.query";
-
- monitorAgent.expectServerProxyFailed(
- new MessageInfo(Origin.CLIENT_PROXY,
- ClientId.Conf.create("EE", "BUSINESS", "consumer"),
- ServiceId.Conf.create("EE", "BUSINESS", "producer", null,
- "getState"), null, null));
-
- monitorAgent.expectFailure(
- new MessageInfo(Origin.CLIENT_PROXY,
- ClientId.Conf.create("EE", "BUSINESS", "consumer"),
- ServiceId.Conf.create("EE", "BUSINESS", "producer", null,
- "getState"), null, null),
- errorCode(SERVER_CLIENTPROXY_X, X_NETWORK_ERROR));
- }
-
- @Override
- public String getProviderAddress(String providerName) {
- // Nobody listens to port 5555 on this address.
- return "127.0.0.3";
- }
-
- @Override
- protected void validateFaultResponse(Message receivedResponse) {
- assertErrorCode(SERVER_CLIENTPROXY_X, X_NETWORK_ERROR);
- }
-}
diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/ServiceConnectionRefused.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/ServiceConnectionRefused.java
deleted file mode 100644
index 2e6f588a74..0000000000
--- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/testcases/ServiceConnectionRefused.java
+++ /dev/null
@@ -1,74 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.proxy.testsuite.testcases; - -import ee.ria.xroad.common.identifier.ClientId; -import ee.ria.xroad.common.identifier.ServiceId; -import ee.ria.xroad.proxy.monotoring.MessageInfo; -import ee.ria.xroad.proxy.monotoring.MessageInfo.Origin; -import ee.ria.xroad.proxy.testsuite.Message; -import ee.ria.xroad.proxy.testsuite.MonitorAgentMessageTestCase; - -import static ee.ria.xroad.common.ErrorCodes.SERVER_SERVERPROXY_X; -import static ee.ria.xroad.common.ErrorCodes.X_NETWORK_ERROR; -import static ee.ria.xroad.common.ErrorCodes.X_SERVICE_FAILED_X; - -/** - * Client sends normal request, SP receives connection refused when - * connecting to service. - * Result: SP responds with ServiceFailed. - */ -public class ServiceConnectionRefused extends MonitorAgentMessageTestCase { - - private final String expectedErrorCode = - errorCode(SERVER_SERVERPROXY_X, X_SERVICE_FAILED_X, - X_NETWORK_ERROR); - - /** - * Constructs the test case. - */ - public ServiceConnectionRefused() { - requestFileName = "getstate.query"; - - monitorAgent.expectFailure(null, expectedErrorCode); - monitorAgent.expectFailure( - new MessageInfo(Origin.CLIENT_PROXY, - ClientId.Conf.create("EE", "BUSINESS", "consumer"), - ServiceId.Conf.create("EE", "BUSINESS", "producer", null, - "getState"), null, null), expectedErrorCode); - } - - @Override - public String getServiceAddress(ServiceId service) { - return "http://127.0.0.5:8989/"; - } - - @Override - protected void validateFaultResponse(Message receivedResponse) { - assertErrorCode(expectedErrorCode); - } - -} From 90d5581e614a569b5762b58b00c853b683bfa864 Mon Sep 17 00:00:00 2001 From: Ovidijus Narkevicius Date: Sat, 14 Oct 2023 12:38:41 +0300 Subject: [PATCH 114/127] refactor: remove MonitorAgent clean some gRpc leftovers --- src/proxy/build.gradle | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/proxy/build.gradle b/src/proxy/build.gradle index 3d14e924df..7f66fafc36 100644 --- a/src/proxy/build.gradle 
+++ b/src/proxy/build.gradle @@ -2,7 +2,6 @@ import nl.javadude.gradle.plugins.license.License plugins { id 'com.github.johnrengelman.shadow' - id 'com.google.protobuf' } sourceSets { @@ -57,8 +56,6 @@ shadowJar { mergeServiceFiles() } -compileJava.dependsOn generateProto - testJar.enabled = true assemble.finalizedBy shadowJar From c3e85d7297ed647beb119ec9da8f216a8be063a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Mon, 16 Oct 2023 12:33:07 +0300 Subject: [PATCH 115/127] chore: switch grpc client to nio as well Refs: XRDDEV-2468 --- .../xroad/common/rpc/client/RpcClient.java | 29 ++++++++++--------- .../xroad/common/rpc/server/RpcServer.java | 4 +-- 2 files changed, 17 insertions(+), 16 deletions(-) diff --git a/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java index 18998ddb56..076bb6199c 100644 --- a/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java +++ b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java 
@@ -25,20 +25,17 @@ */ package org.niis.xroad.common.rpc.client; +import com.google.protobuf.Any; +import com.google.protobuf.InvalidProtocolBufferException; + import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.SystemProperties; -import com.google.protobuf.Any; -import com.google.protobuf.InvalidProtocolBufferException; -import io.grpc.CallOptions; -import io.grpc.Channel; -import io.grpc.ClientCall; -import io.grpc.ClientInterceptor; -import io.grpc.Grpc; -import io.grpc.ManagedChannel; -import io.grpc.MethodDescriptor; -import io.grpc.Status; -import io.grpc.StatusRuntimeException; +import io.grpc.*; +import io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder; +import io.grpc.netty.shaded.io.netty.channel.nio.NioEventLoopGroup; +import io.grpc.netty.shaded.io.netty.channel.socket.nio.NioSocketChannel; +import io.grpc.netty.shaded.io.netty.util.concurrent.DefaultThreadFactory; import lombok.extern.slf4j.Slf4j; import org.niis.xroad.common.rpc.InsecureRpcCredentialsConfigurer; import org.niis.xroad.common.rpc.RpcCredentialsConfigurer; @@ -75,7 +72,7 @@ public static RpcClient newClient( var credentials = SystemProperties.isGrpcInternalTlsEnabled() ? RpcCredentialsConfigurer.createClientCredentials() : InsecureRpcCredentialsConfigurer.createClientCredentials(); - log.info("Starting grpc client with {} credentials..", credentials.getClass().getSimpleName()); + log.info("Starting grpc client to {}:{} with {} credentials..", host, port, credentials.getClass().getSimpleName()); final ClientInterceptor timeoutInterceptor = new ClientInterceptor() { @Override 
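Review bot: The non-TLS fallback in `newClient` is still reported only at info level: when `SystemProperties.isGrpcInternalTlsEnabled()` is false, the reworded `log.info("Starting grpc client to {}:{} with {} credentials..", ...)` shows nothing but the credentials class name. Now that the message names the target, I would make the unprotected case stand out, e.g. `if (!SystemProperties.isGrpcInternalTlsEnabled()) { log.warn("gRPC client to {}:{} is running without TLS", host, port); }`, so a misconfigured deployment is visible in logs and alerting. That `InsecureRpcCredentialsConfigurer` yields a plaintext channel is inferred from its name, since its body is not in this hunk. `newClient` itself starts and ends outside the hunk.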
@@ -85,9 +82,13 @@ public ClientCall interceptCall( } }; - final ManagedChannel channel = Grpc.newChannelBuilderForAddress(host, port, credentials) - .intercept(timeoutInterceptor) + final var workerGroupThreadFactory = new DefaultThreadFactory("rpc-client-" + port + "-nio-worker", true); + final ManagedChannel channel = NettyChannelBuilder.forAddress(host, port, credentials) .executor(ForkJoinPool.commonPool()) + .channelType(NioSocketChannel.class) + .channelFactory(NioSocketChannel::new) + .eventLoopGroup(new NioEventLoopGroup(0, workerGroupThreadFactory)) + .intercept(timeoutInterceptor) .build(); var executionContext = contextFactory.createContext(channel); diff --git a/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/server/RpcServer.java b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/server/RpcServer.java index 13bc2d45ab..cdd4455327 100644 --- a/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/server/RpcServer.java +++ b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/server/RpcServer.java @@ -56,8 +56,8 @@ public class RpcServer implements StartStop { private final Server server; public RpcServer(final String host, final int port, final ServerCredentials creds, final Consumer> configFunc) { - final var bossGroupThreadFactory = new DefaultThreadFactory("rpc-server-nio-boss-ELG", true); - final var workerGroupThreadFactory = new DefaultThreadFactory("rpc-server-nio-worker-ELG", true); + final var bossGroupThreadFactory = new DefaultThreadFactory("rpc-server-nio-boss", true); + final var workerGroupThreadFactory = new DefaultThreadFactory("rpc-server-" + port + "-nio-worker", true); ServerBuilder builder = NettyServerBuilder.forAddress(new InetSocketAddress(host, port), creds) .channelType(NioServerSocketChannel.class) From 8129864e071d099154b6b1cdad87fd1794a5ad0a Mon Sep 17 00:00:00 2001 
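Review bot: The `NioEventLoopGroup` created inline in `.eventLoopGroup(new NioEventLoopGroup(0, workerGroupThreadFactory))` has no owner. grpc-netty does not take ownership of a caller-supplied event loop group, so shutting down the channel leaves its worker threads and selectors alive. They are daemon threads and will not block JVM exit, but every `newClient` call adds another default-sized pool. Keep the group in a field next to the channel and call `shutdownGracefully()` wherever the channel is shut down; that path is outside this hunk. Separately, `.channelType(NioSocketChannel.class)` and `.channelFactory(NioSocketChannel::new)` configure the same setting twice, so one of them can be dropped.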
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Mon, 16 Oct 2023 12:47:38 +0300 Subject: [PATCH 116/127] chore: checkstyle fix Refs: XRDDEV-2468 --- .../niis/xroad/common/rpc/client/RpcClient.java | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java index 076bb6199c..98a8a59c0a 100644 --- a/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java +++ b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java @@ -25,13 +25,19 @@ */ package org.niis.xroad.common.rpc.client; -import com.google.protobuf.Any; -import com.google.protobuf.InvalidProtocolBufferException; - import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.SystemProperties; -import io.grpc.*; +import com.google.protobuf.Any; +import com.google.protobuf.InvalidProtocolBufferException; +import io.grpc.CallOptions; +import io.grpc.Channel; +import io.grpc.ClientCall; +import io.grpc.ClientInterceptor; +import io.grpc.ManagedChannel; +import io.grpc.MethodDescriptor; +import io.grpc.Status; +import io.grpc.StatusRuntimeException; import io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder; import io.grpc.netty.shaded.io.netty.channel.nio.NioEventLoopGroup; import io.grpc.netty.shaded.io.netty.channel.socket.nio.NioSocketChannel; From ecbbb1de952fcd8de54cb3a48dc20b36c38a5ed1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Mon, 16 Oct 2023 13:10:11 +0300 Subject: [PATCH 117/127] chore: remove remaining akka references Refs: XRDDEV-2468 --- .../addons/messagelog-archiver-logback.xml | 1 - sidecar/files/addons/monitor-logback.xml | 1 - sidecar/files/confclient-logback.xml | 1 - sidecar/files/op-monitor-logback.xml | 1 - sidecar/files/proxy-logback.xml | 1 - sidecar/files/proxy-ui-api-logback.xml | 1 - sidecar/files/signer-logback.xml | 1 - src/addons/metaservice/build.gradle | 1 - src/asicverifier/build.gradle | 4 +- src/build.gradle | 14 +--- .../src/main/resources/application.conf | 8 -- ...ntralserver-admin-service-test-logback.xml | 1 - ...ntralserver-admin-service-test-logback.xml | 1 - .../centralserver-admin-service-logback.xml | 1 - .../management-service/core-api/build.gradle | 1 - .../registration-service/build.gradle | 1 - src/common/common-util/build.gradle | 5 -- .../xroad/common/util/MessageSendingJob.java | 79 ------------------- .../src/main/resources/akka-global.conf | 68 ---------------- src/gradle.properties | 2 - .../usr/share/xroad/scripts/xroad-base.sh | 5 -- .../addons/monitor-logback.xml | 1 - .../centralserver-admin-service-logback.xml | 1 - .../confclient-logback.xml | 1 - .../confproxy-logback.xml | 1 - .../op-monitor-logback.xml | 1 - .../default-configuration/proxy-logback.xml | 1 - .../proxy-ui-api-logback.xml | 1 - src/proxy/build.gradle | 3 - .../java/ee/ria/xroad/proxy/ProxyMain.java | 12 --- src/proxy/src/main/resources/application.conf | 21 ----- .../proxy/AbstractProxyIntegrationTest.java | 7 -- .../xroad/proxy/testsuite/ProxyTestSuite.java | 8 +- .../src/main/resources/application.conf | 8 -- .../AbstractFacadeMockingTestContext.java | 2 +- .../etc/xroad/conf.d/proxy-ui-api-logback.xml | 1 - 36 files changed, 7 insertions(+), 260 deletions(-) delete mode 100644 src/central-server/admin-service/application/src/main/resources/application.conf delete mode 100644 
src/common/common-util/src/main/java/ee/ria/xroad/common/util/MessageSendingJob.java delete mode 100644 src/common/common-util/src/main/resources/akka-global.conf delete mode 100644 src/proxy/src/main/resources/application.conf delete mode 100644 src/security-server/admin-service/application/src/main/resources/application.conf diff --git a/sidecar/files/addons/messagelog-archiver-logback.xml b/sidecar/files/addons/messagelog-archiver-logback.xml index 0bf619fd96..8f04aebc7a 100644 --- a/sidecar/files/addons/messagelog-archiver-logback.xml +++ b/sidecar/files/addons/messagelog-archiver-logback.xml @@ -8,7 +8,6 @@ - diff --git a/sidecar/files/addons/monitor-logback.xml b/sidecar/files/addons/monitor-logback.xml index cd4935972b..b5e1ae9de3 100644 --- a/sidecar/files/addons/monitor-logback.xml +++ b/sidecar/files/addons/monitor-logback.xml @@ -8,7 +8,6 @@ - diff --git a/sidecar/files/confclient-logback.xml b/sidecar/files/confclient-logback.xml index eb5c2a93e6..72ee81029e 100644 --- a/sidecar/files/confclient-logback.xml +++ b/sidecar/files/confclient-logback.xml @@ -8,7 +8,6 @@ - diff --git a/sidecar/files/op-monitor-logback.xml b/sidecar/files/op-monitor-logback.xml index 7b937810b3..cc6759d2d5 100644 --- a/sidecar/files/op-monitor-logback.xml +++ b/sidecar/files/op-monitor-logback.xml @@ -8,7 +8,6 @@ - diff --git a/sidecar/files/proxy-logback.xml b/sidecar/files/proxy-logback.xml index 30225a5490..6c2bb1e1da 100644 --- a/sidecar/files/proxy-logback.xml +++ b/sidecar/files/proxy-logback.xml @@ -8,7 +8,6 @@ - diff --git a/sidecar/files/proxy-ui-api-logback.xml b/sidecar/files/proxy-ui-api-logback.xml index a8a026e1dd..e0ceb98cd3 100644 --- a/sidecar/files/proxy-ui-api-logback.xml +++ b/sidecar/files/proxy-ui-api-logback.xml @@ -8,7 +8,6 @@ - diff --git a/sidecar/files/signer-logback.xml b/sidecar/files/signer-logback.xml index f1e44cc597..2551cfaf7d 100644 --- a/sidecar/files/signer-logback.xml +++ b/sidecar/files/signer-logback.xml @@ -8,7 +8,6 @@ - 
diff --git a/src/addons/metaservice/build.gradle b/src/addons/metaservice/build.gradle index 4b481619c3..21d1ded4a7 100644 --- a/src/addons/metaservice/build.gradle +++ b/src/addons/metaservice/build.gradle @@ -42,7 +42,6 @@ task runMetaserviceTest(type: JavaExec) { '-Dxroad.proxy.server-connector-so-linger=-1', '-Dxroad.proxy.serverServiceHandlers=ee.ria.xroad.proxy.serverproxy.MetadataServiceHandlerImpl', '-Dxroad.proxy.clientHandlers=ee.ria.xroad.proxy.clientproxy.MetadataHandler', - '-Dproxy.akka.remote.artery.canonical.port=0', '-Dxroad.grpc.internal.tls-enabled=false' mainClass = 'ee.ria.xroad.proxy.testsuite.ProxyTestSuite' diff --git a/src/asicverifier/build.gradle b/src/asicverifier/build.gradle index 527cc59795..ee44168102 100644 --- a/src/asicverifier/build.gradle +++ b/src/asicverifier/build.gradle @@ -6,9 +6,7 @@ dependencies { implementation project(':common:common-verifier'), project(':asic-util') - implementation(project(':common:common-util')) { - exclude group: 'com.typesafe.akka' - } + implementation(project(':common:common-util')) testImplementation project(':common:common-test') } diff --git a/src/build.gradle b/src/build.gradle index 6e760fcb31..3aad62deaa 100644 --- a/src/build.gradle +++ b/src/build.gradle @@ -167,16 +167,10 @@ configure(subprojects.findAll { !["frontend", "shared-ui", "shared-ui-3", "ui"]. } } add('implementation', 'org.apache.commons:commons-text') { - because("Vulnerability fix regarding CVE-2022-42889") - version { - require("$commonsTextVersion") - } - } - add('implementation', 'org.scala-lang:scala-library') { - because("Vulnerability fix regarding CVE-2022-36944") - version { - require("$scalaLibraryVersion") - } + because("Vulnerability fix regarding CVE-2022-42889") + version { + require("$commonsTextVersion") + } } add('implementation', 'com.fasterxml.woodstox:woodstox-core') { because("Vulnerability fix regarding CVE-2022-40152") 
diff --git a/src/central-server/admin-service/application/src/main/resources/application.conf b/src/central-server/admin-service/application/src/main/resources/application.conf deleted file mode 100644 index 67276e6765..0000000000 --- a/src/central-server/admin-service/application/src/main/resources/application.conf +++ /dev/null @@ -1,8 +0,0 @@ -admin-service { - include "akka-global.conf" - akka { - actor { - provider = remote - } - } -} diff --git a/src/central-server/admin-service/application/src/test/resources/centralserver-admin-service-test-logback.xml b/src/central-server/admin-service/application/src/test/resources/centralserver-admin-service-test-logback.xml index 7f0e634f2e..a0c3abf5bf 100644 --- a/src/central-server/admin-service/application/src/test/resources/centralserver-admin-service-test-logback.xml +++ b/src/central-server/admin-service/application/src/test/resources/centralserver-admin-service-test-logback.xml @@ -9,7 +9,6 @@ - diff --git a/src/central-server/admin-service/core/src/test/resources/centralserver-admin-service-test-logback.xml b/src/central-server/admin-service/core/src/test/resources/centralserver-admin-service-test-logback.xml index 7f0e634f2e..a0c3abf5bf 100644 --- a/src/central-server/admin-service/core/src/test/resources/centralserver-admin-service-test-logback.xml +++ b/src/central-server/admin-service/core/src/test/resources/centralserver-admin-service-test-logback.xml @@ -9,7 +9,6 @@ - diff --git a/src/central-server/admin-service/int-test/src/intTest/resources/container-files/etc/xroad/conf.d/centralserver-admin-service-logback.xml b/src/central-server/admin-service/int-test/src/intTest/resources/container-files/etc/xroad/conf.d/centralserver-admin-service-logback.xml index 6068192735..f8ec3b6821 100644 --- a/src/central-server/admin-service/int-test/src/intTest/resources/container-files/etc/xroad/conf.d/centralserver-admin-service-logback.xml 
+++ b/src/central-server/admin-service/int-test/src/intTest/resources/container-files/etc/xroad/conf.d/centralserver-admin-service-logback.xml @@ -9,7 +9,6 @@ - diff --git a/src/central-server/management-service/core-api/build.gradle b/src/central-server/management-service/core-api/build.gradle index 86b416636a..a719666d60 100644 --- a/src/central-server/management-service/core-api/build.gradle +++ b/src/central-server/management-service/core-api/build.gradle @@ -5,7 +5,6 @@ plugins { dependencies { api project(':common:common-management-request') api(project(':common:common-util')) { - exclude group: 'com.typesafe.akka' exclude group: 'org.eclipse.jetty' exclude group: 'org.quartz-scheduler' } diff --git a/src/central-server/registration-service/build.gradle b/src/central-server/registration-service/build.gradle index 42823ee2b5..f56d882384 100644 --- a/src/central-server/registration-service/build.gradle +++ b/src/central-server/registration-service/build.gradle @@ -28,7 +28,6 @@ dependencies { implementation(project(":central-server:admin-service:api-client")) implementation(project(':central-server:openapi-model')) implementation(project(':common:common-util')) { - exclude group: 'com.typesafe.akka' exclude group: 'org.eclipse.jetty' exclude group: 'org.quartz-scheduler' } diff --git a/src/common/common-util/build.gradle b/src/common/common-util/build.gradle index dd8588d615..759c9f95e1 100644 --- a/src/common/common-util/build.gradle +++ b/src/common/common-util/build.gradle 
@@ -32,11 +32,6 @@ dependencies { api 'org.apache.httpcomponents:httpclient:4.5.13' api 'org.apache.httpcomponents:httpasyncclient:4.1.4' - api "org.scala-lang:scala-library:$scalaLibraryVersion" - api "com.typesafe.akka:akka-actor_$akkaVersion" - api "com.typesafe.akka:akka-remote_$akkaVersion" - api "com.typesafe.akka:akka-slf4j_$akkaVersion" - api platform("com.fasterxml.jackson:jackson-bom:$jacksonBomVersion") api "com.fasterxml.jackson.core:jackson-databind" api "com.fasterxml.jackson.datatype:jackson-datatype-jsr310" diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/MessageSendingJob.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/MessageSendingJob.java deleted file mode 100644 index 628612a00d..0000000000 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/MessageSendingJob.java +++ /dev/null 
@@ -1,79 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.common.util; - -import akka.actor.ActorRef; -import akka.actor.ActorSelection; -import lombok.extern.slf4j.Slf4j; -import org.quartz.Job; -import org.quartz.JobDataMap; -import org.quartz.JobExecutionContext; -import org.quartz.JobExecutionException; - -/** - * Job that sends messages to actors. 
- */ -@Slf4j -public class MessageSendingJob implements Job { - - private static final String KEY_ACTOR = "actorSelection"; - private static final String KEY_MESSAGE = "message"; - - @Override - public void execute(JobExecutionContext context) - throws JobExecutionException { - ActorSelection actor = getActor(context); - if (actor == null) { - log.error("Cannot execute job, no actor specified"); - return; - } - - Object message = getMessage(context); - if (message == null) { - log.error("Cannot execute job, no message specified"); - return; - } - - actor.tell(message, ActorRef.noSender()); - } - - private Object getMessage(JobExecutionContext context) { - JobDataMap data = context.getJobDetail().getJobDataMap(); - return data.get(KEY_MESSAGE); - } - - private ActorSelection getActor(JobExecutionContext context) { - JobDataMap data = context.getJobDetail().getJobDataMap(); - - Object actor = data.get(KEY_ACTOR); - if (actor != null && actor instanceof ActorSelection) { - return (ActorSelection) actor; - } - - return null; - } - -} diff --git a/src/common/common-util/src/main/resources/akka-global.conf b/src/common/common-util/src/main/resources/akka-global.conf deleted file mode 100644 index 5d109888cf..0000000000 --- a/src/common/common-util/src/main/resources/akka-global.conf +++ /dev/null 
@@ -1,68 +0,0 @@ -akka { - stdout-loglevel = "OFF" - loggers = ["akka.event.slf4j.Slf4jLogger"] - loglevel = "DEBUG" - logging-filter = "akka.event.slf4j.Slf4jLoggingFilter" - - actor { - # for now, using java serialization - allow-java-serialization = true - warn-about-java-serializer-usage = false - } - - remote { - artery { - transport = ${?XROAD_COMMON_AKKA_REMOTE_TRANSPORT} - - canonical { - port = 0 - hostname = "127.0.0.1" - } - - ssl.config-ssl-engine { - trust-store=${?XROAD_COMMON_AKKA_TRUSTSTORE} - trust-store-password=${?XROAD_COMMON_AKKA_TRUSTSTORE_PASSWORD} - - key-password=${?XROAD_COMMON_AKKA_KEYSTORE_PASSWORD} - key-store=${?XROAD_COMMON_AKKA_KEYSTORE} - key-store-password=${?XROAD_COMMON_AKKA_KEYSTORE_PASSWORD} - - protocol = "TLSv1.2" - enabled-algorithms = [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] - } - - advanced { - # Maximum serialized message size, including header data. - maximum-frame-size = 256 KiB - - # Disable compression: - # Most actors are temporary (often used only once), but - # the compression cache seems to keep mappings also to those - # and use lot of memory. - # All communications are over the loopback interface, compression - # effect on performance is small. - compression { - actor-refs { - max = "off" - } - manifests { - max = "off" - } - } - - # see https://github.com/akka/akka/issues/29828 - # make the problem less probable - remove-quarantined-association-after = 2 h - } - } - - # for now, using remoting directly instead of a cluster - warn-about-direct-use = off - - # but disable remote deployment - deployment { - enable-whitelist = on - whitelist = [] - } - } -} diff --git a/src/gradle.properties b/src/gradle.properties index 126f321cf4..069070223f 100644 --- a/src/gradle.properties +++ b/src/gradle.properties 
@@ -9,8 +9,6 @@ sonarqubeProjectKey=xroad sonarqubeOrganization= # common dependency versions -akkaVersion=2.13:2.6.20 -scalaLibraryVersion=2.13.10 metricsVersion=4.1.26 jettyVersion=9.4.51.v20230217 jetty.version=${jettyVersion} diff --git a/src/packages/src/xroad/common/base/usr/share/xroad/scripts/xroad-base.sh b/src/packages/src/xroad/common/base/usr/share/xroad/scripts/xroad-base.sh index 1c4efa5deb..fe859dadf1 100755 --- a/src/packages/src/xroad/common/base/usr/share/xroad/scripts/xroad-base.sh +++ b/src/packages/src/xroad/common/base/usr/share/xroad/scripts/xroad-base.sh @@ -30,11 +30,6 @@ gen_grpc_internal_keypair() { chown xroad:xroad "$keystore" cat <"$env_file" -XROAD_COMMON_AKKA_REMOTE_TRANSPORT=tls-tcp -XROAD_COMMON_AKKA_KEYSTORE="$keystore" -XROAD_COMMON_AKKA_KEYSTORE_PASSWORD="$keystore_pw" -XROAD_COMMON_AKKA_TRUSTSTORE="$keystore" -XROAD_COMMON_AKKA_TRUSTSTORE_PASSWORD="$keystore_pw" XROAD_GRPC_INTERNAL_KEYSTORE_PASSWORD="$keystore_pw" XROAD_GRPC_INTERNAL_TRUSTSTORE_PASSWORD="$keystore_pw" EOF diff --git a/src/packages/src/xroad/default-configuration/addons/monitor-logback.xml b/src/packages/src/xroad/default-configuration/addons/monitor-logback.xml index 1bd94ee719..3840695f6c 100644 --- a/src/packages/src/xroad/default-configuration/addons/monitor-logback.xml +++ b/src/packages/src/xroad/default-configuration/addons/monitor-logback.xml @@ -16,7 +16,6 @@ - diff --git a/src/packages/src/xroad/default-configuration/centralserver-admin-service-logback.xml b/src/packages/src/xroad/default-configuration/centralserver-admin-service-logback.xml index 8f4898cb48..dfaef704ff 100644 --- a/src/packages/src/xroad/default-configuration/centralserver-admin-service-logback.xml +++ b/src/packages/src/xroad/default-configuration/centralserver-admin-service-logback.xml @@ -31,7 +31,6 @@ correlation-id:[%X{traceId:-}] %-5level [%contextName] %d{"yyyy-MM-dd'T'HH:mm:ss.SSSXXX"} - %msg - 
diff --git a/src/packages/src/xroad/default-configuration/confclient-logback.xml b/src/packages/src/xroad/default-configuration/confclient-logback.xml index 4716815139..091511596b 100644 --- a/src/packages/src/xroad/default-configuration/confclient-logback.xml +++ b/src/packages/src/xroad/default-configuration/confclient-logback.xml @@ -23,7 +23,6 @@ - diff --git a/src/packages/src/xroad/default-configuration/confproxy-logback.xml b/src/packages/src/xroad/default-configuration/confproxy-logback.xml index f04e790f54..283edfdf10 100644 --- a/src/packages/src/xroad/default-configuration/confproxy-logback.xml +++ b/src/packages/src/xroad/default-configuration/confproxy-logback.xml @@ -16,7 +16,6 @@ - diff --git a/src/packages/src/xroad/default-configuration/op-monitor-logback.xml b/src/packages/src/xroad/default-configuration/op-monitor-logback.xml index 5b41fe2f3a..93ec087a36 100644 --- a/src/packages/src/xroad/default-configuration/op-monitor-logback.xml +++ b/src/packages/src/xroad/default-configuration/op-monitor-logback.xml @@ -16,7 +16,6 @@ - diff --git a/src/packages/src/xroad/default-configuration/proxy-logback.xml b/src/packages/src/xroad/default-configuration/proxy-logback.xml index d3b7f99e92..db86e5aed7 100644 --- a/src/packages/src/xroad/default-configuration/proxy-logback.xml +++ b/src/packages/src/xroad/default-configuration/proxy-logback.xml @@ -48,7 +48,6 @@ - diff --git a/src/packages/src/xroad/default-configuration/proxy-ui-api-logback.xml b/src/packages/src/xroad/default-configuration/proxy-ui-api-logback.xml index 7faecd9584..40bb2420c0 100644 --- a/src/packages/src/xroad/default-configuration/proxy-ui-api-logback.xml +++ b/src/packages/src/xroad/default-configuration/proxy-ui-api-logback.xml @@ -31,7 +31,6 @@ correlation-id:[%X{traceId:-}] %-5level [%contextName] %d{"yyyy-MM-dd'T'HH:mm:ss.SSSXXX"} - %msg - diff --git a/src/proxy/build.gradle b/src/proxy/build.gradle index 7f66fafc36..16ba3b8d16 100644 --- a/src/proxy/build.gradle 
+++ b/src/proxy/build.gradle @@ -31,7 +31,6 @@ dependencies { testImplementation project(path: ':common:common-util', configuration: 'testArtifacts') testImplementation "org.hsqldb:hsqldb:$hsqldbVersion" - testImplementation "com.typesafe.akka:akka-testkit_$akkaVersion" testImplementation 'io.rest-assured:rest-assured:4.4.0' testImplementation 'wsdl4j:wsdl4j:1.6.3' testImplementation "org.mockito:mockito-inline:$mockitoVersion" @@ -128,8 +127,6 @@ task runProxyTest(type: JavaExec) { '-Dxroad.proxy.client-httpclient-so-linger=-1', '-Dxroad.proxy.server-connector-so-linger=-1', '-Dlogback.configurationFile=src/test/logback-proxytest.xml', - '-Dproxy.akka.loglevel=DEBUG', - '-Dproxy.akka.remote.artery.canonical.port=0', '-Dxroad.grpc.internal.tls-enabled=false' // '-Djava.security.properties==src/main/resources/java.security' diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java index dfd5c2eece..20b544c651 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/ProxyMain.java @@ -58,17 +58,12 @@ import ee.ria.xroad.proxy.util.ServerConfStatsLogger; import ee.ria.xroad.signer.protocol.RpcSignerClient; -import akka.actor.ActorSystem; -import com.typesafe.config.ConfigFactory; -import com.typesafe.config.ConfigValueFactory; import io.grpc.BindableService; import lombok.AccessLevel; import lombok.NoArgsConstructor; import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; import org.niis.xroad.common.rpc.server.RpcServer; -import scala.concurrent.Await; -import scala.concurrent.duration.Duration; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; 
@@ -118,8 +113,6 @@ public final class ProxyMain { private static RpcServer rpcServer; - private static ActorSystem actorSystem; - private static final ServiceLoader ADDONS = ServiceLoader.load(AddOn.class); private static final int STATS_LOG_REPEAT_INTERVAL = 60; @@ -184,10 +177,6 @@ private static void stopServices() throws Exception { private static void startup() { log.trace("startup()"); Version.outputVersionInfo(APP_NAME); - actorSystem = ActorSystem.create("Proxy", ConfigFactory.load().getConfig("proxy") - .withFallback(ConfigFactory.load()) - .withValue("akka.remote.artery.canonical.port", - ConfigValueFactory.fromAnyRef(PortNumbers.PROXY_ACTORSYSTEM_PORT))); log.info("Starting proxy ({})...", readProxyVersion()); } @@ -196,7 +185,6 @@ private static void shutdown() throws Exception { MessageLog.shutdown(); OpMonitoring.shutdown(); stopServices(); - Await.ready(actorSystem.terminate(), Duration.Inf()); BatchSigner.shutdown(); rpcServer.stop(); diff --git a/src/proxy/src/main/resources/application.conf b/src/proxy/src/main/resources/application.conf deleted file mode 100644 index 404f283e99..0000000000 --- a/src/proxy/src/main/resources/application.conf +++ /dev/null @@ -1,21 +0,0 @@ -proxy { - include "akka-global.conf" - - akka { - actor { - provider = remote - } - remote { - artery { - canonical { - hostname = "127.0.0.1" - port = 5568 #TODO this is temporary change until akka is migrated - } - } - } - - control-aware-dispatcher { - mailbox-type = "akka.dispatch.UnboundedControlAwareMailbox" - } - } -} diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/AbstractProxyIntegrationTest.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/AbstractProxyIntegrationTest.java index 641d12b589..e8611b720d 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/AbstractProxyIntegrationTest.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/AbstractProxyIntegrationTest.java 
@@ -43,9 +43,6 @@ import ee.ria.xroad.proxy.testutil.TestService; import ee.ria.xroad.proxy.util.CertHashBasedOcspResponder; -import akka.actor.ActorSystem; -import com.typesafe.config.ConfigFactory; -import com.typesafe.config.ConfigValueFactory; import org.junit.After; import org.junit.AfterClass; import org.junit.BeforeClass; @@ -71,7 +68,6 @@ public abstract class AbstractProxyIntegrationTest { private static final Set RESERVED_PORTS = new HashSet<>(); - private static ActorSystem actorSystem; private static JobManager jobManager; private static ClientProxy clientProxy; private static ServerProxy serverProxy; @@ -131,8 +127,6 @@ public static void setup() throws Exception { System.setProperty(SystemProperties.DATABASE_PROPERTIES, "src/test/resources/hibernate.properties"); jobManager = new JobManager(); - actorSystem = ActorSystem.create("Proxy", ConfigFactory.load().getConfig("proxy") - .withValue("akka.remote.artery.canonical.port", ConfigValueFactory.fromAnyRef(getFreePort()))); MessageLog.init(jobManager); OpMonitoring.init(); @@ -166,7 +160,6 @@ public static void teardown() throws Exception { OpMonitoring.shutdown(); MessageLog.shutdown(); - actorSystem.terminate(); RESERVED_PORTS.clear(); } diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java index f64aa7aafd..1c77d4ccfa 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java 
@@ -40,13 +40,9 @@ import ee.ria.xroad.proxy.serverproxy.ServerProxy; import ee.ria.xroad.proxy.util.CertHashBasedOcspResponder; -import akka.actor.ActorSystem; -import com.typesafe.config.ConfigFactory; import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; import org.niis.xroad.common.rpc.server.RpcServer; -import scala.concurrent.Await; -import scala.concurrent.duration.Duration; import java.util.ArrayList; import java.util.Arrays; @@ -73,7 +69,6 @@ public final class ProxyTestSuite { private static ServerProxy serverProxy; private static JobManager jobManager; - private static ActorSystem actorSystem; private static RpcServer proxyRpcServer; private ProxyTestSuite() { @@ -81,6 +76,7 @@ private ProxyTestSuite() { /** * Main program entry point. + * * @param args command-line arguments * @throws Exception in case of any errors */ @@ -120,7 +116,6 @@ public static void main(String[] args) throws Exception { MessageLog.shutdown(); OpMonitoring.shutdown(); jobManager.stop(); - Await.ready(actorSystem.terminate(), Duration.Inf()); List failed = getFailedTestcases(testCasesToRun); @@ -181,7 +176,6 @@ private static void setUp() throws Exception { jobManager = new JobManager(); jobManager.start(); - actorSystem = ActorSystem.create("Proxy", ConfigFactory.load().getConfig("proxy")); AddOn.BindableServiceRegistry serviceRegistry = new AddOn.BindableServiceRegistry(); for (AddOn addon : ServiceLoader.load(AddOn.class)) { addon.init(serviceRegistry); diff --git a/src/security-server/admin-service/application/src/main/resources/application.conf b/src/security-server/admin-service/application/src/main/resources/application.conf deleted file mode 100644 index 89145478f0..0000000000 --- a/src/security-server/admin-service/application/src/main/resources/application.conf +++ /dev/null @@ -1,8 +0,0 @@ -proxyuiapi { - include "akka-global.conf" - akka { - actor { - provider = remote - } - } -} 
diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/config/AbstractFacadeMockingTestContext.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/config/AbstractFacadeMockingTestContext.java index e84fd94fe3..288515c16a 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/config/AbstractFacadeMockingTestContext.java +++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/config/AbstractFacadeMockingTestContext.java @@ -39,7 +39,7 @@ /** * Base for all tests that mock GlobalConfFacade, ManagementRequestSenderService, and SignerProxyFacade. * Tests usually always want to do this, since they want to make sure they do not (accidentally) attempt to - * read global configuration from filesystem, send actual management requests, or send Akka requests to signer. + * read global configuration from filesystem, send actual management requests, or send rpc requests to signer. * * Extending this base class also helps in keeping mock injections standard, and reduce number of different * application contexts built for testing. diff --git a/src/security-server/admin-service/int-test/src/intTest/resources/container-files/etc/xroad/conf.d/proxy-ui-api-logback.xml b/src/security-server/admin-service/int-test/src/intTest/resources/container-files/etc/xroad/conf.d/proxy-ui-api-logback.xml index 519c586cca..0372395cb7 100644 --- a/src/security-server/admin-service/int-test/src/intTest/resources/container-files/etc/xroad/conf.d/proxy-ui-api-logback.xml +++ b/src/security-server/admin-service/int-test/src/intTest/resources/container-files/etc/xroad/conf.d/proxy-ui-api-logback.xml @@ -10,7 +10,6 @@ - From f568c5305fba581b1efa2df04cdd9473b910c9a6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Mon, 16 Oct 2023 15:41:01 +0300 Subject: [PATCH 118/127] chore: fix an issue where cpuLoad returns NaN which leads to AntiDos protection being triggerred. This behavior was noted in JDK17 on MacOS. --- .../antidos/AntiDosConnectionManager.java | 21 +++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/antidos/AntiDosConnectionManager.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/antidos/AntiDosConnectionManager.java index ed1e6868b0..3ba32da01f 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/antidos/AntiDosConnectionManager.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/antidos/AntiDosConnectionManager.java @@ -67,6 +67,9 @@ private class HostData { // Used to determine if should sync the database when conf changed. private Set previousKnownOrganizations = new HashSet<>(); + // Fallback cpu load value in cases where OS fails to properly respond. + private double previousCpuLoad = 0d; + AntiDosConnectionManager(AntiDosConfiguration configuration) { if (configuration == null) { throw new IllegalArgumentException("configuration cannot be null"); @@ -169,7 +172,13 @@ protected long getFreeFileDescriptorCount() { protected double getCpuLoad() { try { - return SystemMetrics.getStats().getSystemCpuLoad(); + final double cpuLoad = SystemMetrics.getStats().getCpuLoad(); + if (Double.isNaN(cpuLoad)) { + return previousCpuLoad; + } else { + previousCpuLoad = cpuLoad; + return cpuLoad; + } } catch (InternalError err) { log.error("Error getting cpu load", err); 
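Review bot: The NaN fallback in `getCpuLoad()` makes the CPU criterion fail open without any log. `previousCpuLoad` starts at `0d`, so on a platform that keeps reporting NaN the `cpuLoad < maxCpuLoad` test in `hasSufficientResources()` always passes. If `SystemMetrics.getStats().getCpuLoad()` delegates to the JDK `OperatingSystemMXBean` (not visible here), an unavailable reading can also be negative, and that value would be stored as the new fallback. Treat both as invalid and record it, e.g. `if (Double.isNaN(cpuLoad) || cpuLoad < 0) { log.debug("cpu load unavailable, using previous value {}", previousCpuLoad); return previousCpuLoad; }`. `previousCpuLoad` is a plain field, so it should be `volatile` if `getCpuLoad()` can run on more than one thread; the `catch` block of the method continues outside the hunk.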
@@ -227,11 +236,11 @@ private boolean hasSufficientResources() { double maxHeapUsage = configuration.getMaxHeapUsage(); log.trace("Resource usage when considering connection:\n" - + "freeFileDescriptorCount: {} ( >= {})\n" - + "cpuLoad: {} ( < {})\n" - + "heapUsage: {} ( < {})", - new Object[] {freeFileDescriptorCount, minFreeFileHandles, - cpuLoad, maxCpuLoad, heapUsage, maxHeapUsage}); + + "freeFileDescriptorCount: {} ( >= {})\n" + + "cpuLoad: {} ( < {})\n" + + "heapUsage: {} ( < {})", + freeFileDescriptorCount, minFreeFileHandles, + cpuLoad, maxCpuLoad, heapUsage, maxHeapUsage); return freeFileDescriptorCount >= minFreeFileHandles && cpuLoad < maxCpuLoad From 84c8f127f8aba9f0d3ff7226f2c2053843366e4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Mon, 16 Oct 2023 16:13:41 +0300 Subject: [PATCH 119/127] chore: checkstyle fix Refs: XRDDEV-2468 --- .../src/main/java/ee/ria/xroad/proxy/messagelog/LogManager.java | 1 - 1 file changed, 1 deletion(-) diff --git a/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/LogManager.java b/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/LogManager.java index db1ad73284..0537879727 100644 --- a/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/LogManager.java +++ b/src/addons/messagelog/messagelog-addon/src/main/java/ee/ria/xroad/proxy/messagelog/LogManager.java @@ -46,7 +46,6 @@ import java.time.Duration; import java.time.Instant; -import java.time.OffsetDateTime; import java.time.temporal.ChronoUnit; import java.util.Date; import java.util.Map; From b686a0b38190b8823c0490bbec1255e414f32f19 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Wed, 18 Oct 2023 09:51:52 +0300 Subject: [PATCH 120/127] chore: align grpc properties with already existing patterns Refs: XRDDEV-2468 --- .../ug-syspar_x-road_v6_system_parameters.md | 120 ++++++++++-------- src/addons/metaservice/build.gradle | 2 +- .../proxymonitor/metaservice/build.gradle | 2 +- .../core/facade/SignerProxyFacadeImpl.java | 2 +- .../signer/container/BaseTestSignerSetup.java | 10 +- .../java/ee/ria/xroad/common/PortNumbers.java | 19 +-- .../ee/ria/xroad/common/SystemProperties.java | 20 +-- src/proxy/build.gradle | 3 +- .../ss/test/container/ContainerSetup.java | 2 +- 9 files changed, 89 insertions(+), 91 deletions(-) diff --git a/doc/Manuals/ug-syspar_x-road_v6_system_parameters.md b/doc/Manuals/ug-syspar_x-road_v6_system_parameters.md index f8daa071ef..3d0c775d2b 100644 --- a/doc/Manuals/ug-syspar_x-road_v6_system_parameters.md +++ b/doc/Manuals/ug-syspar_x-road_v6_system_parameters.md @@ -1,6 +1,6 @@ # X-Road: System Parameters User Guide -Version: 2.78 +Version: 2.79 Doc. ID: UG-SYSPAR @@ -89,6 +89,7 @@ Doc. ID: UG-SYSPAR | 24.08.2023 | 2.76 | Added new *server-min-supported-client-version* parameter | Eneli Reimets | | 02.10.2023 | 2.77 | Remove the separate section about changing the global configuration interval on the Central Server. | Petteri Kivimäki | | 02.10.2023 | 2.78 | Remove Akka references | Ričardas Bučiūnas | +| 18.10.2023 | 2.79 | Add gRPC properties | Ričardas Bučiūnas | ## Table of Contents 
@@ -223,64 +224,70 @@ This chapter describes the system parameters used by the components of the X-Roa ### 3.1 Common parameters : `[common]` -| **Parameter** | **Default value** | **Description** | -|--------------------|------------------------|----------------------------------------------------------------------| -| configuration-path | /etc/xroad/globalconf/ | Absolute path to the directory where global configuration is stored. | -| temp-files-path | /var/tmp/xroad/ | Absolute path to the directory where temporary files are stored. | +| **Parameter** | **Default value** | **Description** | +|-----------------------------------|-------------------------------------------------|----------------------------------------------------------------------| +| configuration-path | /etc/xroad/globalconf/ | Absolute path to the directory where global configuration is stored. | +| temp-files-path | /var/tmp/xroad/ | Absolute path to the directory where temporary files are stored. | +| grpc-internal-host 127.0.0.1 | | Bind gRPC servers to a specific host. | +| grpc-internal-tls-enabled | true | Enables mTLS for gRPC services | +| grpc-internal-keystore | /var/run/xroad/xroad-grpc-internal-keystore.p12 | gRPC keystore for mTLS configuration. | +| grpc-internal-keystore-password | | gRPC keystore password. | +| grpc-internal-truststore | /var/run/xroad/xroad-grpc-internal-keystore.p12 | gRPC truststore for mTLS configuration. | +| grpc-internal-truststore-password | | gRPC truststore password. | ### 3.2 Proxy parameters: `[proxy]` -| **Parameter** | **Default value** | **FI-package value** | **EE-package value** | **Description** | -|--------------------------------------------------|--------------------------------------------|----------------------|----------------------|-----------------| -| client-http-port | 80
8080 (RHEL) | | | TCP port on which the service client's security server listens for HTTP requests from client applications. | -| client-https-port | 443
8443 (RHEL) | | | TCP port on which the service client's security server listens for HTTPS requests from client applications. | -| client-timeout | 30000 | | | Defines the time period (in milliseconds), for which the service client's security server tries to connect to the service provider's security server. When the timeout is reached, the service client's security server informs the service client's information system that a service timeout has occurred. | -| configuration-anchor-file | /etc/xroad/configuration-anchor.xml | | | Absolute file name of the configuration anchor that is used to download global configuration. | -| connector-host | 0.0.0.0 | | 127.0.0.1 | IP address on which the service client's security server listens for connections from client applications. The value 0.0.0.0 allows listening on all IPv4 interfaces. The value 127.0.0.1 allows listening on localhost only. | -| database-properties | /etc/xroad/db.properties | | | Absolute file name of the properties file for the configuration of the security server database. | -| ocsp-responder-listen-address | 0.0.0.0 | | | IP address on which the service provider's security server listens for requests for OCSP responses from the service client's security server. The service client's security server downloads OCSP responses from the service provider's security server while establishing a secure connection between the security servers. The value 0.0.0.0 allows listening on all IPv4 interfaces. Must match the value of proxy.server-listen-address. | -| ocsp-responder-port | 5577 | | | TCP port on which the service provider's security server listens for requests for OCSP responses from the service client's security server. The service client's security server downloads OCSP responses from the service provider's security server while establishing a secure connection between the security servers. 
| -| ocsp-responder-client-connect-timeout | 20000 | | | Connect timeout (in milliseconds) of the OCSP responder client. The service client's security server downloads OCSP responses from the service provider's security server while establishing a secure connection between the security servers. | -| ocsp-responder-client-read-timeout | 30000 | | | Read timeout (in milliseconds) of the OCSP responder client. The service client's security server downloads OCSP responses from the service provider's security server while establishing a secure connection between the security servers. | -| server-listen-address | 0.0.0.0 | | | IP address on which the service provider's security server listens for connections from the service client's security servers. The value 0.0.0.0 allows listening on all IPv4 interfaces. | -| server-listen-port | 5500 | | | TCP port on which the service provider's security server listens for connections from the service client's security server. | -| server-port | 5500 | | | Destination TCP port for outgoing queries in the service client's security server. | -| jetty-clientproxy-configuration-file | /etc/xroad/jetty/clientproxy.xml | | | Absolute filename of the Jetty configuration file for the service client's security server. For more information about configuring Jetty server, see https://www.eclipse.org/jetty/documentation/jetty-9/index.html. | -| jetty-serverproxy-configuration-file | /etc/xroad/jetty/serverproxy.xml | | | Absolute filename of the Jetty configuration file for the service provider's security server. For more information about configuring Jetty server, see https://www.eclipse.org/jetty/documentation/jetty-9/index.html. | -| jetty-ocsp-responder-configuration-file | /etc/xroad/jetty/ocsp-responder.xml | | | Absolute filename of the Jetty configuration file for the OCSP responder of the service provider's security server. 
For more information about configuring Jetty server, see https://www.eclipse.org/jetty/documentation/jetty-9/index.html. | -| ssl-enabled | true | | | If true, TLS is used for connections between the service client's and service provider's security servers. | -| client-tls-ciphers | See [1](#Ref_note1) | | | TLS ciphers (comma-separated list) enabled on the client-side interfaces (for both incoming and outgoing requests). (since version 6.7) | -| xroad-tls-ciphers | See [2](#Ref_note2) | | | TLS ciphers (comma-separated list in preferred order) accepted on requests between security servers, and between operational monitoring daemon and client. (since version 6.20) | -| client-tls-protocols | TLSv1.2 | | | TLS protocols (comma-separated list) enabled on the client-side interfaces (for both incoming and outgoing requests). For backward compatibility TLSv1.1 is still supported on the client-side interfaces for outgoing requests (since version 6.7) | -| server-connector-initial-idle-time | 30000 | | | The initial idle time (in milliseconds) that unauthenticated connections are allowed to be idle before the provider security server starts closing them. Value of 0 means that an infinite idle time is allowed. | -| server-connector-max-idle-time | 0 | 120000 | | The maximum time (in milliseconds) that connections from a service consuming security server to a service providing security server are allowed to be idle before the provider security server starts closing them. Value of 0 means that an infinite idle time is allowed. A non-zero value should allow some time for a pooled connection to be idle, if pooled connections are to be supported.| -| server-connector-so-linger | -1 | | | The SO_LINGER time (in seconds) at the service providing security server end for connections between security servers.
A value larger than 0 means that upon closing a connection, the system will allow SO_LINGER seconds for the transmission and acknowledgement of all data written to the peer, at which point the socket is closed gracefully. Upon reaching the linger timeout, the socket is closed forcefully, with a TCP RST. Enabling the option with a timeout of zero does a forceful close immediately.
Value of -1 disables the forceful close.| -| server-support-clients-pooled-connections | false | true | | Whether this service providing security server supports pooled connections from the service consumer side. If set to *false*, connections are to be closed immediately after each message. This may be a wanted approached for security servers behind load balancers. | -| client-connector-initial-idle-time | 30000 | | | The initial idle time (in milliseconds) that client connections are allowed to be idle before the security server starts closing them. Value of 0 means that an infinite idle time is allowed. | -| client-connector-max-idle-time | 0 | | | The maximum time (in milliseconds) that connections from a service consumer to the service consumer's security server are allowed to be idle before the security server starts closing them. Value of 0 means that an infinite idle time is allowed.| -| client-connector-so-linger | -1 | | | The SO_LINGER time (in seconds) at the service consuming security server end for connections between a consumer and a security server.
A value larger than 0 means that upon closing a connection, the system will allow SO_LINGER seconds for the transmission and acknowledgement of all data written to the peer, at which point the socket is closed gracefully. Upon reaching the linger timeout, the socket is closed forcefully, with a TCP RST. Enabling the option with a timeout of zero does a forceful close immediately.
Value of -1 disables the forceful close.| -| client-httpclient-timeout | 0 | | | The maximum time (SO_TIMEOUT, in milliseconds) that connections from a service consuming security server to a service providing security server are allowed to wait for a response before the consumer end httpclient gives up. Value of 0 means that an infinite wait time is allowed. This does not affect idle connections.| -| client-httpclient-so-linger | -1 | | | The SO_LINGER time (in seconds) at the service consuming security server end for connections between security servers.
A value larger than 0 means that upon closing a connection, the system will allow SO_LINGER seconds for the transmission and acknowledgement of all data written to the peer, at which point the socket is closed gracefully. Upon reaching the linger timeout, the socket is closed forcefully, with a TCP RST. Enabling the option with a timeout of zero does a forceful close immediately.
Value of -1 disables the forceful close.| -| client-use-idle-connection-monitor | true | | | Should the idle connection monitor be used to clean up idle and expired connections from the connection pool. | -| client-idle-connection-monitor-interval | 30000 | | | How often (in milliseconds) should the connection monitor go through the pooled connections to see if it can clean up any idle or expired connections. This option requires the connection monitor to be enabled to have any effect.| -| client-idle-connection-monitor-timeout | 60000 | | | The minimum time (in milliseconds) that a pooled connection must be unused (idle) before it can be removed from the pool. Note that removal from the pool also depends on how often the connection monitor runs. This option requires the connection monitor to be enabled to have any effect. | -| pool-total-max-connections | 10000 | | | The total maximum number of connections that are allowed in the pool. | -| pool-total-default-max-connections-per-route | 2500 | | | The default route specific connection maximum that is set unless a route specific connection limit is set. Due to the current implementation, this is actually the total maximum limit of connections, indepedent of what the above setting is.| -| pool-validate-connections-after-inactivity-of-millis | 2000 | | | When reusing a pooled connection to a service providing security server, check that the connection (the socket) is not half-closed if it has been idle for at least this many milliseconds. This method cannot detect half-open connections. Value of -1 disables the check. | -| pool-enable-connection-reuse | false | true | | Allow pooled connections between security servers to be used more than once on the client side. 
The service provider end of the connections has to have the setting `server-support-clients-pooled-connections=true` for the pooling to work between a provider and consumer security servers.| -| client-use-fastest-connecting-ssl-socket-autoclose | true | | | On TLS connections between security servers, should the underlying TCP-layer connection (socket) be closed on the service consumer end when the TLS layer connection is terminated.| -| client-fastest-connecting-ssl-uri-cache-period | 3600 | | | When a service consumer's security server finds the fastest responding service providing security server, how long the result should be kept in the TLS session cache? 0 to disable. | -| health-check-port | 0 (disabled) | | | The TCP port where the health check service listens to requests. Setting the port to 0 disables the health check service completely.| -| health-check-interface | 0.0.0.0 | | | The network interface where the health check service listens to requests. Default is all available interfaces.| -| actorsystem-port | 5567 | |  | The (localhost) port where the proxy actorsystem binds to. Used for communicating with xroad-signer and xroad-monitor. | -| server-conf-cache-period | 60 | | | Number of seconds to keep selected serverconf configuration items in memory | -| server-conf-client-cache-size | 100 | | | Maximum number of local clients to keep cached | -| server-conf-service-cache-size | 1000 | | | Maximum number of services to keep cached | -| server-conf-acl-cache-size | 100000 | | | Maximum number of access rights to keep cached in memory. | -| enforce-client-is-cert-validity-period-check | false | | | Whether to reject a request when client information system certificate is expired or not yet valid. | -| backup-encryption-enabled | false | | | Whether to encrypt security server backup files using server's OpenPGP key. | -| backup-encryption-keyids | | | | Comma-separated list of additional recipient OpenPGP key identifiers. 
| -| server-min-supported-client-version | | | | Minimum version of the client Security Server that is allowed to access a service. This property must be configured on the service provider Security Server. | +| **Parameter** | **Default value** | **FI-package value** |  **EE-package value** | **Description** | +|------------------------------------------------------|-------------------------------------|----------------------|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| client-http-port | 80
8080 (RHEL) | | | TCP port on which the service client's security server listens for HTTP requests from client applications. | +| client-https-port | 443
8443 (RHEL) | | | TCP port on which the service client's security server listens for HTTPS requests from client applications. | +| client-timeout | 30000 | | | Defines the time period (in milliseconds), for which the service client's security server tries to connect to the service provider's security server. When the timeout is reached, the service client's security server informs the service client's information system that a service timeout has occurred. | +| configuration-anchor-file | /etc/xroad/configuration-anchor.xml | | | Absolute file name of the configuration anchor that is used to download global configuration. | +| connector-host | 0.0.0.0 | | 127.0.0.1 | IP address on which the service client's security server listens for connections from client applications. The value 0.0.0.0 allows listening on all IPv4 interfaces. The value 127.0.0.1 allows listening on localhost only. | +| database-properties | /etc/xroad/db.properties | | | Absolute file name of the properties file for the configuration of the security server database. | +| ocsp-responder-listen-address | 0.0.0.0 | | | IP address on which the service provider's security server listens for requests for OCSP responses from the service client's security server. The service client's security server downloads OCSP responses from the service provider's security server while establishing a secure connection between the security servers. The value 0.0.0.0 allows listening on all IPv4 interfaces. Must match the value of proxy.server-listen-address. | +| ocsp-responder-port | 5577 | | | TCP port on which the service provider's security server listens for requests for OCSP responses from the service client's security server. The service client's security server downloads OCSP responses from the service provider's security server while establishing a secure connection between the security servers. 
| +| ocsp-responder-client-connect-timeout | 20000 | | | Connect timeout (in milliseconds) of the OCSP responder client. The service client's security server downloads OCSP responses from the service provider's security server while establishing a secure connection between the security servers. | +| ocsp-responder-client-read-timeout | 30000 | | | Read timeout (in milliseconds) of the OCSP responder client. The service client's security server downloads OCSP responses from the service provider's security server while establishing a secure connection between the security servers. | +| server-listen-address | 0.0.0.0 | | | IP address on which the service provider's security server listens for connections from the service client's security servers. The value 0.0.0.0 allows listening on all IPv4 interfaces. | +| server-listen-port | 5500 | | | TCP port on which the service provider's security server listens for connections from the service client's security server. | +| server-port | 5500 | | | Destination TCP port for outgoing queries in the service client's security server. | +| jetty-clientproxy-configuration-file | /etc/xroad/jetty/clientproxy.xml | | | Absolute filename of the Jetty configuration file for the service client's security server. For more information about configuring Jetty server, see https://www.eclipse.org/jetty/documentation/jetty-9/index.html. | +| jetty-serverproxy-configuration-file | /etc/xroad/jetty/serverproxy.xml | | | Absolute filename of the Jetty configuration file for the service provider's security server. For more information about configuring Jetty server, see https://www.eclipse.org/jetty/documentation/jetty-9/index.html. | +| jetty-ocsp-responder-configuration-file | /etc/xroad/jetty/ocsp-responder.xml | | | Absolute filename of the Jetty configuration file for the OCSP responder of the service provider's security server. 
For more information about configuring Jetty server, see https://www.eclipse.org/jetty/documentation/jetty-9/index.html. | +| ssl-enabled | true | | | If true, TLS is used for connections between the service client's and service provider's security servers. | +| client-tls-ciphers | See [1](#Ref_note1) | | | TLS ciphers (comma-separated list) enabled on the client-side interfaces (for both incoming and outgoing requests). (since version 6.7) | +| xroad-tls-ciphers | See [2](#Ref_note2) | | | TLS ciphers (comma-separated list in preferred order) accepted on requests between security servers, and between operational monitoring daemon and client. (since version 6.20) | +| client-tls-protocols | TLSv1.2 | | | TLS protocols (comma-separated list) enabled on the client-side interfaces (for both incoming and outgoing requests). For backward compatibility TLSv1.1 is still supported on the client-side interfaces for outgoing requests (since version 6.7) | +| server-connector-initial-idle-time | 30000 | | | The initial idle time (in milliseconds) that unauthenticated connections are allowed to be idle before the provider security server starts closing them. Value of 0 means that an infinite idle time is allowed. | +| server-connector-max-idle-time | 0 | 120000 | | The maximum time (in milliseconds) that connections from a service consuming security server to a service providing security server are allowed to be idle before the provider security server starts closing them. Value of 0 means that an infinite idle time is allowed. A non-zero value should allow some time for a pooled connection to be idle, if pooled connections are to be supported. | +| server-connector-so-linger | -1 | | | The SO_LINGER time (in seconds) at the service providing security server end for connections between security servers.
A value larger than 0 means that upon closing a connection, the system will allow SO_LINGER seconds for the transmission and acknowledgement of all data written to the peer, at which point the socket is closed gracefully. Upon reaching the linger timeout, the socket is closed forcefully, with a TCP RST. Enabling the option with a timeout of zero does a forceful close immediately.
Value of -1 disables the forceful close. | +| server-support-clients-pooled-connections | false | true | | Whether this service providing security server supports pooled connections from the service consumer side. If set to *false*, connections are to be closed immediately after each message. This may be a wanted approached for security servers behind load balancers. | +| client-connector-initial-idle-time | 30000 | | | The initial idle time (in milliseconds) that client connections are allowed to be idle before the security server starts closing them. Value of 0 means that an infinite idle time is allowed. | +| client-connector-max-idle-time | 0 | | | The maximum time (in milliseconds) that connections from a service consumer to the service consumer's security server are allowed to be idle before the security server starts closing them. Value of 0 means that an infinite idle time is allowed. | +| client-connector-so-linger | -1 | | | The SO_LINGER time (in seconds) at the service consuming security server end for connections between a consumer and a security server.
A value larger than 0 means that upon closing a connection, the system will allow SO_LINGER seconds for the transmission and acknowledgement of all data written to the peer, at which point the socket is closed gracefully. Upon reaching the linger timeout, the socket is closed forcefully, with a TCP RST. Enabling the option with a timeout of zero does a forceful close immediately.
Value of -1 disables the forceful close. | +| client-httpclient-timeout | 0 | | | The maximum time (SO_TIMEOUT, in milliseconds) that connections from a service consuming security server to a service providing security server are allowed to wait for a response before the consumer end httpclient gives up. Value of 0 means that an infinite wait time is allowed. This does not affect idle connections. | +| client-httpclient-so-linger | -1 | | | The SO_LINGER time (in seconds) at the service consuming security server end for connections between security servers.
A value larger than 0 means that upon closing a connection, the system will allow SO_LINGER seconds for the transmission and acknowledgement of all data written to the peer, at which point the socket is closed gracefully. Upon reaching the linger timeout, the socket is closed forcefully, with a TCP RST. Enabling the option with a timeout of zero does a forceful close immediately.
Value of -1 disables the forceful close. | +| client-use-idle-connection-monitor | true | | | Should the idle connection monitor be used to clean up idle and expired connections from the connection pool. | +| client-idle-connection-monitor-interval | 30000 | | | How often (in milliseconds) should the connection monitor go through the pooled connections to see if it can clean up any idle or expired connections. This option requires the connection monitor to be enabled to have any effect. | +| client-idle-connection-monitor-timeout | 60000 | | | The minimum time (in milliseconds) that a pooled connection must be unused (idle) before it can be removed from the pool. Note that removal from the pool also depends on how often the connection monitor runs. This option requires the connection monitor to be enabled to have any effect. | +| pool-total-max-connections | 10000 | | | The total maximum number of connections that are allowed in the pool. | +| pool-total-default-max-connections-per-route | 2500 | | | The default route specific connection maximum that is set unless a route specific connection limit is set. Due to the current implementation, this is actually the total maximum limit of connections, indepedent of what the above setting is. | +| pool-validate-connections-after-inactivity-of-millis | 2000 | | | When reusing a pooled connection to a service providing security server, check that the connection (the socket) is not half-closed if it has been idle for at least this many milliseconds. This method cannot detect half-open connections. Value of -1 disables the check. | +| pool-enable-connection-reuse | false | true | | Allow pooled connections between security servers to be used more than once on the client side. The service provider end of the connections has to have the setting `server-support-clients-pooled-connections=true` for the pooling to work between a provider and consumer security servers. 
| +| client-use-fastest-connecting-ssl-socket-autoclose | true | | | On TLS connections between security servers, should the underlying TCP-layer connection (socket) be closed on the service consumer end when the TLS layer connection is terminated. | +| client-fastest-connecting-ssl-uri-cache-period | 3600 | | | When a service consumer's security server finds the fastest responding service providing security server, how long the result should be kept in the TLS session cache? 0 to disable. | +| health-check-port | 0 (disabled) | | | The TCP port where the health check service listens to requests. Setting the port to 0 disables the health check service completely. | +| health-check-interface | 0.0.0.0 | | | The network interface where the health check service listens to requests. Default is all available interfaces. | +| grpc-port | 5567 | |   | The (localhost) port where the proxy gRPC server binds to. Used for communicating with xroad-signer and xroad-monitor. | +| server-conf-cache-period | 60 | | | Number of seconds to keep selected serverconf configuration items in memory | +| server-conf-client-cache-size | 100 | | | Maximum number of local clients to keep cached | +| server-conf-service-cache-size | 1000 | | | Maximum number of services to keep cached | +| server-conf-acl-cache-size | 100000 | | | Maximum number of access rights to keep cached in memory. | +| enforce-client-is-cert-validity-period-check | false | | | Whether to reject a request when client information system certificate is expired or not yet valid. | +| backup-encryption-enabled | false | | | Whether to encrypt security server backup files using server's OpenPGP key. | +| backup-encryption-keyids | | | | Comma-separated list of additional recipient OpenPGP key identifiers. | +| server-min-supported-client-version | | | | Minimum version of the client Security Server that is allowed to access a service. This property must be configured on the service provider Security Server. 
| Note about `database-properties` file: Management REST API module uses the same database-properties file, but limits the configuration parameters usage: @@ -307,6 +314,7 @@ Proxy-ui has been removed in version 6.24 and it's parameters are not used anymo | device-configuration-file | /etc/xroad/signer/devices.ini | | | | Absolute filename of the configuration file of the signature creation devices. | | key-configuration-file | /etc/xroad/signer/keyconf.xml | | | | Absolute filename of the configuration file containing signature and authentication keys and certificates. | | port | 5556 | | | | TCP port on which the signer process listens. | +| grpc-port | 5560 | | | | TCP port on which the signer gRPC services listens. | | key-length | 2048 | 3072 | 3072 | | Key length for generating authentication and signing keys (since version 6.7) | | csr-signature-digest-algorithm | SHA-256 | | | | Certificate Signing Request signature digest algorithm.
Possible values are
- SHA-256,
- SHA-384,
- SHA-512. | | ocsp-retry-delay | 60 | | | | OCSP retry delay for signer when fetching OCSP responses fail. After failing to fetch OCSP responses signer waits for the time period defined by "ocsp-retry-delay" before trying again. This is repeated until fetching OCSP responses succeeds. After successfully fetching OCSP responses signer returns to normal OCSP refresh schedule defined by "ocspFetchInterval". If the value of "ocsp-retry-delay" is higher than "ocspFetchInterval", the value of "ocspFetchInterval" is used as OCSP retry delay. | diff --git a/src/addons/metaservice/build.gradle b/src/addons/metaservice/build.gradle index 21d1ded4a7..0d9204634d 100644 --- a/src/addons/metaservice/build.gradle +++ b/src/addons/metaservice/build.gradle @@ -42,7 +42,7 @@ task runMetaserviceTest(type: JavaExec) { '-Dxroad.proxy.server-connector-so-linger=-1', '-Dxroad.proxy.serverServiceHandlers=ee.ria.xroad.proxy.serverproxy.MetadataServiceHandlerImpl', '-Dxroad.proxy.clientHandlers=ee.ria.xroad.proxy.clientproxy.MetadataHandler', - '-Dxroad.grpc.internal.tls-enabled=false' + '-Dxroad.common.grpc-internal-tls-enabled=false' mainClass = 'ee.ria.xroad.proxy.testsuite.ProxyTestSuite' classpath = sourceSets.test.runtimeClasspath diff --git a/src/addons/proxymonitor/metaservice/build.gradle b/src/addons/proxymonitor/metaservice/build.gradle index cdff3ba63e..f0da760dd3 100644 --- a/src/addons/proxymonitor/metaservice/build.gradle +++ b/src/addons/proxymonitor/metaservice/build.gradle @@ -89,7 +89,7 @@ task runProxymonitorMetaserviceTest(type: JavaExec) { '-Dxroad.proxy.client-httpclient-so-linger=-1', '-Dxroad.proxy.server-connector-so-linger=-1', '-Dxroad.proxy.serverServiceHandlers=ee.ria.xroad.proxy.serverproxy.ProxyMonitorServiceHandlerImpl', - '-Dxroad.grpc.internal.tls-enabled=false' + '-Dxroad.common.grpc-internal-tls-enabled=false' mainClass = 'ee.ria.xroad.proxy.testsuite.ProxyTestSuite' classpath = sourceSets.test.runtimeClasspath 
diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java index 868dc892a4..7e740b564f 100644 --- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java +++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java @@ -56,7 +56,7 @@ public class SignerProxyFacadeImpl implements SignerProxyFacade { @PostConstruct void init() throws Exception { RpcSignerClient.init(); - log.info("SignerService actorSystem initialized with admin-service config"); + log.info("SignerService rpcClient initialized with admin-service config"); } /** diff --git a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java index 2d3cba5bd0..d87608559d 100644 --- a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java +++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java 
@@ -103,11 +103,11 @@ public void beforeStart(@NotNull GenericContainer genericContainer) { "-XX:MaxMetaspaceSize=70m", "-Dlogback.configurationFile=/etc/xroad/signer/signer-logback.xml", "-Dxroad.internal.passwordstore-provider=file", - "-Dxroad.grpc.internal.host=0.0.0.0", - "-Dxroad.grpc.internal.keystore=/etc/xroad/transport-keystore/grpc-internal-keystore.p12", - "-Dxroad.grpc.internal.keystore-password=111111", - "-Dxroad.grpc.internal.truststore=/etc/xroad/transport-keystore/grpc-internal-keystore.p12", - "-Dxroad.grpc.internal.truststore-password=111111", + "-Dxroad.common.grpc-internal-host=0.0.0.0", + "-Dxroad.common.grpc-internal-keystore=/etc/xroad/transport-keystore/grpc-internal-keystore.p12", + "-Dxroad.common.grpc-internal-keystore-password=111111", + "-Dxroad.common.grpc-internal-truststore=/etc/xroad/transport-keystore/grpc-internal-keystore.p12", + "-Dxroad.common.grpc-internal-truststore-password=111111", "-agentlib:jdwp=transport=dt_socket,address=*:5005,server=y,suspend=n", modulemanager, "-cp", diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/PortNumbers.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/PortNumbers.java index 66bd8f4b72..5e1cb08251 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/PortNumbers.java +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/PortNumbers.java @@ -25,10 +25,14 @@ */ package ee.ria.xroad.common; +import lombok.AccessLevel; +import lombok.NoArgsConstructor; + /** * This interface contains global constants, such as port numbers * and configuration locations. */ +@NoArgsConstructor(access = AccessLevel.PRIVATE) public final class PortNumbers { /** Client proxy listens for HTTP queries. */ public static final int CLIENT_HTTP_PORT = 80; 
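Review bot: The renamed arguments in `beforeStart` still pass the keystore and truststore passwords as `-Dxroad.common.grpc-internal-keystore-password=111111` style flags, so they show up in the container's process listing. The unchanged `-agentlib:jdwp=...address=*:5005` line also keeps a debugger listening on every interface, next to a gRPC host of `0.0.0.0`. That is acceptable only while the keystore is throwaway test material and port 5005 is never published, and neither is visible in this hunk. I would add a comment above the argument list, `// Test-only credentials and debug agent: never reuse this keystore or these flags outside the int-test container`, and consider passing the passwords through the environment variables that SystemProperties derives from these property names, which appear intended for that. The method body starts and ends outside the hunk.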
@@ -56,12 +60,6 @@ public final class PortNumbers { */ public static final int SIGNER_GRPC_PORT = 5560; - /** Center-Service HTTP port. */ - public static final int CENTER_SERVICE_HTTP_PORT = 3333; - - /** Center-Service HTTPS port. */ - public static final int CENTER_SERVICE_HTTPS_PORT = 3443; - /** Port for Distributed Files Client. */ public static final int CONFIGURATION_CLIENT_PORT = 5665; @@ -74,18 +72,9 @@ public final class PortNumbers { /** Port of the operational monitoring daemon. */ public static final int OP_MONITOR_DAEMON_PORT = 2080; - /** - * Proxy actorsystem port - */ - @Deprecated - public static final int PROXY_ACTORSYSTEM_PORT = 5568; - - /** * Proxy grpc port */ public static final int PROXY_GRPC_PORT = 5567; - private PortNumbers() { - } } diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java index efb5e4d991..48b09a60c4 100644 --- a/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java +++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java 
@@ -622,33 +622,35 @@ public enum AllowedFederationMode { ALL, NONE, CUSTOM } * Property name for gRPC host. */ public static final String GRPC_INTERNAL_HOST = - PREFIX + "grpc.internal.host"; + PREFIX + "common.grpc-internal-host"; /** * Property name for gRPC host. */ public static final String GRPC_INTERNAL_TLS_ENABLED = - PREFIX + "grpc.internal.tls-enabled"; + PREFIX + "common.grpc-internal-tls-enabled"; /** * Property name for gRPC signer port. */ - public static final String GRPC_SIGNER_PORT = - PREFIX + "grpc.signer.port"; + public static final String GRPC_SIGNER_PORT = PREFIX + "signer.grpc-port"; - public static final String PROXY_GRPC_PORT = PREFIX + "grpc.proxy.port"; + /** + * Property name for gRPC proxy port. + */ + public static final String PROXY_GRPC_PORT = PREFIX + "proxy.grpc-port"; /** * Property name for gRPC internal keystore location. */ public static final String GRPC_INTERNAL_KEYSTORE = - PREFIX + "grpc.internal.keystore"; + PREFIX + "common.grpc-internal-keystore"; /** * Property name for gRPC internal keystore password. */ public static final String GRPC_INTERNAL_KEYSTORE_PASSWORD = - PREFIX + "grpc.internal.keystore-password"; + PREFIX + "common.grpc-internal-keystore-password"; public static final String GRPC_INTERNAL_KEYSTORE_PASSWORD_ENV = GRPC_INTERNAL_KEYSTORE_PASSWORD.toUpperCase().replaceAll("[.-]", "_"); 
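Review bot: Renaming the keys in place means a deployment that still sets the old `grpc.internal.*` names is ignored without warning, and because `GRPC_INTERNAL_KEYSTORE_PASSWORD_ENV` (and `GRPC_INTERNAL_TRUSTSTORE_PASSWORD_ENV` in the next hunk) are derived from the property names, the expected environment variable names change with them. For TLS enablement and key material that is a silent change of security configuration; whether a fallback or migration exists elsewhere is not visible here, so I would at least log a warning when an old key is present. The derivation also calls `toUpperCase()` with the default locale, which mangles the `i` in `grpc-internal` under a Turkish locale; `toUpperCase(Locale.ROOT)` avoids that. Separately, the Javadoc on `GRPC_INTERNAL_TLS_ENABLED` still reads "Property name for gRPC host." and should say `Property name for enabling TLS on the internal gRPC channel.`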
@@ -656,13 +658,13 @@ public enum AllowedFederationMode { ALL, NONE, CUSTOM } * Property name for gRPC internal truststore location. */ public static final String GRPC_INTERNAL_TRUSTSTORE = - PREFIX + "grpc.internal.truststore"; + PREFIX + "common.grpc-internal-truststore"; /** * Property name for gRPC internal truststore password. */ public static final String GRPC_INTERNAL_TRUSTSTORE_PASSWORD = - PREFIX + "grpc.internal.truststore-password"; + PREFIX + "common.grpc-internal-truststore-password"; public static final String GRPC_INTERNAL_TRUSTSTORE_PASSWORD_ENV = GRPC_INTERNAL_TRUSTSTORE_PASSWORD.toUpperCase().replaceAll("[.-]", "_"); // Cluster node configuration ------------------------------------------ // diff --git a/src/proxy/build.gradle b/src/proxy/build.gradle index 16ba3b8d16..25d54f5b53 100644 --- a/src/proxy/build.gradle +++ b/src/proxy/build.gradle @@ -49,7 +49,6 @@ jar { shadowJar { archiveClassifier = '' - append('reference.conf') exclude('**/module-info.class') from rootProject.file("LICENSE.txt") mergeServiceFiles() @@ -127,7 +126,7 @@ task runProxyTest(type: JavaExec) { '-Dxroad.proxy.client-httpclient-so-linger=-1', '-Dxroad.proxy.server-connector-so-linger=-1', '-Dlogback.configurationFile=src/test/logback-proxytest.xml', - '-Dxroad.grpc.internal.tls-enabled=false' + '-Dxroad.common.grpc-internal-tls-enabled=false' // '-Djava.security.properties==src/main/resources/java.security' mainClass = 'ee.ria.xroad.proxy.testsuite.ProxyTestSuite' diff --git a/src/security-server/admin-service/int-test/src/intTest/java/org/niis/xroad/ss/test/container/ContainerSetup.java b/src/security-server/admin-service/int-test/src/intTest/java/org/niis/xroad/ss/test/container/ContainerSetup.java index cbd2ff6d3b..d374592715 100644 --- a/src/security-server/admin-service/int-test/src/intTest/java/org/niis/xroad/ss/test/container/ContainerSetup.java +++ b/src/security-server/admin-service/int-test/src/intTest/java/org/niis/xroad/ss/test/container/ContainerSetup.java 
@@ -70,7 +70,7 @@ public void customizeDockerFileBuilder(@NotNull DockerfileBuilder dockerfileBuil public List customizeCommandParts() { return List.of( "-Dxroad.signer.enforce-token-pin-policy=true", - "-Dxroad.grpc.internal.tls-enabled=false"); + "-Dxroad.common.grpc-internal-tls-enabled=false"); } @NotNull From 85b775f918151f48867fc1e1b7f3706fbd8289c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Wed, 18 Oct 2023 10:27:20 +0300 Subject: [PATCH 121/127] chore: sonarqube fixes Refs: XRDDEV-2468 --- .../org/niis/xroad/common/test/glue/TestCaStepDefs.java | 1 + .../common/test/signer/hook/SignerProxyAfterSuiteHook.java | 6 +++++- .../java/ee/ria/xroad/common/signature/BatchSigner.java | 1 + .../java/ee/ria/xroad/signer/SignerAdminPortConfig.java | 4 ++++ 4 files changed, 11 insertions(+), 1 deletion(-) diff --git a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/glue/TestCaStepDefs.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/glue/TestCaStepDefs.java index 4bd1709c6f..9707ae5064 100644 --- a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/glue/TestCaStepDefs.java +++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/glue/TestCaStepDefs.java @@ -63,6 +63,7 @@ public void csrIsBeingProcessed() { } @SneakyThrows + @SuppressWarnings("squid:S5443") private void csrIsBeingProcessed(TestCaFeignApi.CsrType csrType) { Optional csrFileOpt = getStepData(StepDataKey.DOWNLOADED_FILE); File csrFile = csrFileOpt.orElseThrow(); diff --git a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyAfterSuiteHook.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyAfterSuiteHook.java index dc4e04d1fd..d48b474a5e 100644 --- a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyAfterSuiteHook.java 
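Review bot: `@SuppressWarnings("squid:S5443")` on `csrIsBeingProcessed` silences Sonar's publicly-writable-directory hotspot without saying why it is safe here. The part of the method that handles the file lies outside the hunk, so it is not visible whether the CSR ends up in a shared temp directory. If it does, creating it with `Files.createTempFile` (owner-only permissions on POSIX) would remove the need for the suppression. Otherwise add a one-line justification beside the annotation stating where the file lives and that the code is test-only, once that has been confirmed.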
+++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyAfterSuiteHook.java @@ -33,6 +33,8 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Component; +import java.io.IOException; + @Slf4j @Component @ConditionalOnProperty(value = "test-automation.custom.signer-container-enabled", havingValue = "true") @@ -46,8 +48,10 @@ public void afterSuite() { log.info("Setting permissions for signer files so they could be deleted"); try { containerProvider.getContainer().execInContainer("chmod", "-R", "777", "/etc/xroad/signer/"); - } catch (Exception e) { + } catch (IOException e) { log.error("Failed to change file permissions", e); + } catch (InterruptedException e) { + Thread.currentThread().interrupt(); } } diff --git a/src/proxy/src/main/java/ee/ria/xroad/common/signature/BatchSigner.java b/src/proxy/src/main/java/ee/ria/xroad/common/signature/BatchSigner.java index 0b3d9a5406..8358f16b46 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/common/signature/BatchSigner.java +++ b/src/proxy/src/main/java/ee/ria/xroad/common/signature/BatchSigner.java @@ -209,6 +209,7 @@ private synchronized void process() { } } catch (InterruptedException interruptedException) { log.trace("queue polling interrupted"); + Thread.currentThread().interrupt(); } } log.trace("Worker thread stopped"); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/SignerAdminPortConfig.java b/src/signer/src/main/java/ee/ria/xroad/signer/SignerAdminPortConfig.java index 0c028e4df7..1d155e76e0 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/SignerAdminPortConfig.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/SignerAdminPortConfig.java 
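Review bot: In `afterSuite` the result of `execInContainer("chmod", "-R", "777", "/etc/xroad/signer/")` is discarded, so a non-zero exit from chmod passes silently, and the new `InterruptedException` branch restores the flag without logging anything. Capturing the result and adding `if (result.getExitCode() != 0) log.error("chmod failed: {}", result.getStderr());` would surface the failure. Narrowing the catch also lets runtime exceptions from `getContainer()` propagate out of the hook, which may be intended but is worth confirming. Mode 777 makes the signer directory, including the soft token files, world-writable; if that path is a bind mount the permissions land on the host files, so something narrower is preferable if cleanup allows it.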
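Review bot: Restoring the interrupt flag inside the polling loop of `process()` in BatchSigner can turn the worker into a busy loop. If the enclosing loop condition, which is outside this hunk, does not test the interrupt status, the next blocking poll throws `InterruptedException` immediately and the loop spins while logging at trace level. I would leave the loop after re-interrupting, e.g. `Thread.currentThread().interrupt(); break;`, or confirm that the loop condition already covers interruption.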
@@ -52,6 +52,7 @@ public class SignerAdminPortConfig { CertificationServiceDiagnostics certificationServiceDiagnostics() { return new CertificationServiceDiagnostics(); } + @Bean AdminPort createAdminPort(final CertificationServiceDiagnostics diagnosticsDefault, final OcspClientWorker ocspClientWorker, @@ -128,6 +129,9 @@ public void destroy() { } catch (Exception e) { log.error("Error stopping admin port", e); + if (e instanceof InterruptedException) { + Thread.currentThread().interrupt(); + } } } } From e7c7ea696a6cf245d400fabda2f69e10cfbf8f98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Wed, 18 Oct 2023 14:46:34 +0300 Subject: [PATCH 122/127] chore: fix signer test issues in jenkins Refs: XRDDEV-2468 --- .../signer/container/BaseTestSignerSetup.java | 2 +- .../test/signer/hook/SignerProxyInitHook.java | 8 ++++++-- .../etc/xroad/transport-keystore/gen-cert.sh | 2 +- .../grpc-internal-keystore.p12 | Bin 1074 -> 1090 bytes .../xroad/common/rpc/client/RpcClient.java | 9 ++++++--- src/proxy/build.gradle | 6 ++++++ .../src/intTest/resources/application-ci.yml | 3 +++ src/signer/build.gradle | 7 +++++++ .../signer/test/glue/SignerStepDefs.java | 2 +- .../src/intTest/resources/application-ci.yml | 3 +++ 10 files changed, 34 insertions(+), 8 deletions(-) create mode 100644 src/proxy/src/intTest/resources/application-ci.yml create mode 100644 src/signer/src/intTest/resources/application-ci.yml diff --git a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java index d87608559d..db96140e8b 100644 --- a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java +++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/container/BaseTestSignerSetup.java 
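Review bot: In `destroy()` the interrupt is restored through `if (e instanceof InterruptedException)` inside `catch (Exception e)`, which hides the intent in the general error path. A dedicated `catch (InterruptedException e) { Thread.currentThread().interrupt(); }` placed before the general catch states it directly and matches how SignerProxyAfterSuiteHook handles it in the same commit. The try block is outside the hunk, so this assumes the stop call is declared to throw a checked exception that covers InterruptedException.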
@@ -124,7 +124,7 @@ public void afterStart(@NotNull GenericContainer genericContainer) { @SneakyThrows private void prepareSignerDirs() { - deleteIfPresent("build/resources/intTest/container-files/etc/xroad/signer/softtoken/"); + deleteIfPresent("build/resources/intTest/signer-container-files/etc/xroad/signer/softtoken/"); deleteIfPresent("build/container-passwordstore/"); } diff --git a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyInitHook.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyInitHook.java index 4d1fd4efe8..341e2d29fb 100644 --- a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyInitHook.java +++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyInitHook.java @@ -35,6 +35,7 @@ import lombok.RequiredArgsConstructor; import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; +import org.springframework.beans.factory.annotation.Value; import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Component; 
@@ -47,12 +48,15 @@ public class SignerProxyInitHook implements BeforeSuiteHook { private final TestableApplicationInfoProvider testableApplicationInfoProvider; + @Value("${test-automation.custom.grpc-client-host-override:#{null}}") + private String grpcHostOverride; + @Override @SneakyThrows public void beforeSuite() { - var host = testableApplicationInfoProvider.getHost(); + var host = grpcHostOverride != null ? grpcHostOverride : testableApplicationInfoProvider.getHost(); var port = testableApplicationInfoProvider.getMappedPort(SIGNER_GRPC_PORT); - log.info("Will use {}:{} for signer RPC connection..", host, port); + log.info("Will use {}:{} (original port {}) for signer RPC connection..", host, port, SIGNER_GRPC_PORT); System.setProperty(SystemProperties.GRPC_INTERNAL_HOST, host); System.setProperty(SystemProperties.GRPC_SIGNER_PORT, String.valueOf(port)); diff --git a/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/transport-keystore/gen-cert.sh b/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/transport-keystore/gen-cert.sh index 1dee917cf9..7dfc0ac55e 100644 --- a/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/transport-keystore/gen-cert.sh +++ b/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/transport-keystore/gen-cert.sh @@ -16,7 +16,7 @@ ${KEYTOOL} -genkeypair -alias grpc-internal \ -sigalg SHA256withECDSA \ -keystore grpc-internal-keystore.p12 \ -dname "CN=127.0.0.1" \ - -ext "SAN:c=DNS:localhost,IP:127.0.0.1" \ + -ext "SAN:c=DNS:localhost,IP:127.0.0.1,DNS:host.docker.internal" \ -validity 3650 \ -storepass 111111 \ -keypass 111111 
diff --git a/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/transport-keystore/grpc-internal-keystore.p12 b/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/transport-keystore/grpc-internal-keystore.p12 index 9e33a1ef62962afb9ebd386413e1d12fd06fc07c..c4b514f77ca5f83a6eaff36b21081eb35260dc6b 100644 GIT binary patch delta 856 zcmV-e1E>752*L;=FoFa=0s#Xsf&=IV2`Yw2hW8Bt2LYgh1K9+E1Jy8s1JRKpQWW1B z9$^{XO@BDMNrPZ_H=17k_N|k<0VHDJLt-+4aY!TO?Xp|nI&e}1P<@b1x$MA;Q6DK( zo0Al?TuUDY8LlB+Za|`te0+!q;Jj&LNQU%8f`?Ay8$GBUaL@#&I2?QcG5Z1 zD;09^fPw-5PO1FuVAN$|*0KA}nJiMc!P#29CMgCce)W$7nLynr-2O&JWED2)z5Ic8 zN3?!6h4EFYMFB(Uu2vS6Ki>UJh&cT@o?b>g;T^=9ZTzzMFvaWGyfn)K{@IBop*Hwx7l<{4ni4#ziU0t0 zzh}5zs45dAAx5#PnC*Wtej>lSYRo9PBO&1Vf=NyXb#g2G74_@aCK@tTX$J(?kQ8{> zW!yI$FBgK@7~%wfS=znTzIr1Zt!x)tCOHNw z<2=YNe{EbDMdrvRE)DWr5$8M4R5Z>jYRxHAHyXgLz=?d z{r8^!HAT9AdF>8RX;Jixhp1e;4jbY@I^*D@Y(j+crMp{51Wh>m*y?j7vUBvw&Z48E z)LGBbaSG~M?f#oDNzOX^#hmv?DKlU99_SstgVQGqLmt(vdn}!*=KByqUO9%5m-_tz zl5q8uOXqy-B_57%&Jb{pxbqeMSndG14#kdu+J1j$Gt4jbNFpdX!dOzE*(^sV)}mom zU+SPsFikKqFbxI?V1`HmWdj5P0R;dAAX2^*1#gwpG--j$pDM;Pr@99T6q7RUPBvd# iy8viq)dUo-QmEHg&#w(1(+MK@nO%Q>tKmAo&d7p2@yTVtv={Mg-@VijNv@RhqN1jFV%QgB#^ z5u_WR!vtzJPwA9Y%yC*qrjrf&LNQU8U{_{UFT$p&ZWUPY&eA28s%2}`uIQ(I2Q;wkQllob%&BEne2^nsW!}wg# zVcGkQ*-KwB@DJjD*M0<6xH&@)k?c5y7enu5QBYj4`j8=|0m2}bQ8Ee{oj5R8oexV{H%xmnjY)V>v--8TW&gZF)6^Kp zm}tbi#@nJiy?udDdHEJRgvqT6QgAm)B+mO|2tNQhG6FY$Il(IrqZD(!+H~=Fl-v~B zz}oNeHYY)J@QsOF7{*ad`|>dfRffkv`R%=QgF&SFz0>khj`9MK@6Q##n?t_T*{;B$6%cy`5@xi8s9BEfcM>TF#dd zk&@+kyvmDz?@pTB&g{#mMr2oho{z3&>3zx;7$6JIWG63j90`FFzP(_C_$(ktOtNfH z^j74~q9|D|5fWXyH*2{ypofiD7oZn=)^F%EbKx5GS4zH`Bs7fGro-|>4B%QlU}a;X zZBQk7U%pl+*h#e#k { private static final int DEFAULT_DEADLINE_MILLIS = 60 * 1000; + private final long rpcDeadlineMillis; private final ManagedChannel channel; private final C executionContext; 
@@ -63,8 +64,9 @@ public final class RpcClient { /** * Construct client for accessing Signer services using the provided channel. */ - private RpcClient(final ManagedChannel channel, final C executionContext) { + private RpcClient(final ManagedChannel channel, final long rpcDeadlineMillis, final C executionContext) { this.channel = channel; + this.rpcDeadlineMillis = rpcDeadlineMillis; this.executionContext = executionContext; } @@ -98,7 +100,7 @@ public ClientCall interceptCall( .build(); var executionContext = contextFactory.createContext(channel); - return new RpcClient<>(channel, executionContext); + return new RpcClient<>(channel, clientTimeoutMillis, executionContext); } public void shutdown() { @@ -118,7 +120,8 @@ public V execute(RpcExecution grpcCall) throws Exception { return grpcCall.exec(executionContext); } catch (StatusRuntimeException error) { if (error.getStatus().getCode() == Status.Code.DEADLINE_EXCEEDED) { - throw CodedException.tr(SIGNER_X, "signer_client_timeout", "Signer client timed out") + throw CodedException.tr(SIGNER_X, "signer_client_timeout", + "Signer client timed out. Deadline: " + rpcDeadlineMillis + " ms") .withPrefix(SIGNER_X); } com.google.rpc.Status status = io.grpc.protobuf.StatusProto.fromThrowable(error); diff --git a/src/proxy/build.gradle b/src/proxy/build.gradle index 25d54f5b53..c5d2699d56 100644 --- a/src/proxy/build.gradle +++ b/src/proxy/build.gradle @@ -155,6 +155,12 @@ tasks.register('intTest', Test) { testClassesDirs = sourceSets.intTest.output.classesDirs classpath = sourceSets.intTest.runtimeClasspath + def intTestArgs = [] + if (project.hasProperty('intTestProfilesInclude')) { + intTestArgs += "-Dspring.profiles.include=" + project.getProperty('intTestProfilesInclude') + } + + jvmArgs intTestArgs testLogging { showStackTraces(true) showExceptions(true) 
diff --git a/src/proxy/src/intTest/resources/application-ci.yml b/src/proxy/src/intTest/resources/application-ci.yml new file mode 100644 index 0000000000..b4d61eb116 --- /dev/null +++ b/src/proxy/src/intTest/resources/application-ci.yml @@ -0,0 +1,3 @@ +test-automation: + custom: + grpc-client-host-override: "host.docker.internal" diff --git a/src/signer/build.gradle b/src/signer/build.gradle index 69f4bb0b3e..177c309618 100644 --- a/src/signer/build.gradle +++ b/src/signer/build.gradle @@ -137,6 +137,13 @@ tasks.register('intTest', Test) { testClassesDirs = sourceSets.intTest.output.classesDirs classpath = sourceSets.intTest.runtimeClasspath + def intTestArgs = [] + if (project.hasProperty('intTestProfilesInclude')) { + intTestArgs += "-Dspring.profiles.include=" + project.getProperty('intTestProfilesInclude') + } + + jvmArgs intTestArgs + testLogging { showStackTraces(true) showExceptions(true) diff --git a/src/signer/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java b/src/signer/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java index 6749cabb5a..9f9938723d 100644 --- a/src/signer/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java +++ b/src/signer/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java @@ -633,7 +633,7 @@ public void signerClientReinitializedWithTimeoutMilliseconds(int timeoutMillis) public void signerGetTokensFailsWithTimeoutException() { assertThatThrownBy(SignerProxy::getTokens) .isInstanceOf(CodedException.class) - .hasMessage("Signer: Signer client timed out"); + .hasMessageContaining("Signer: Signer client timed out."); } diff --git a/src/signer/src/intTest/resources/application-ci.yml b/src/signer/src/intTest/resources/application-ci.yml new file mode 100644 index 0000000000..b4d61eb116 --- /dev/null +++ b/src/signer/src/intTest/resources/application-ci.yml @@ -0,0 +1,3 @@ +test-automation: + custom: + grpc-client-host-override: "host.docker.internal" 
From 07502a581f0242e1e65d47b5951c06a76967f332 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Wed, 18 Oct 2023 17:14:26 +0300 Subject: [PATCH 123/127] chore: sonarqube fixes Refs: XRDDEV-2468 --- .../ria/xroad/proxymonitor/ProxyMonitor.java | 8 +++--- .../RestoreMonitorClientAfterTest.java | 2 +- .../xroad/common/rpc/client/RpcClient.java | 26 +++++++++++-------- .../java/ee/ria/xroad/proxy/addon/AddOn.java | 1 - .../signer/certmanager/OcspClientWorker.java | 1 + .../handler/GetAuthKeyReqHandler.java | 5 ++-- 6 files changed, 24 insertions(+), 19 deletions(-) diff --git a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/ProxyMonitor.java b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/ProxyMonitor.java index d960fee3ba..4f45db3181 100644 --- a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/ProxyMonitor.java +++ b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/ProxyMonitor.java @@ -37,14 +37,14 @@ @Slf4j public class ProxyMonitor implements AddOn { - private static volatile MonitorClient monitorClient; + private static MonitorClient monitorClient; @Override public void init(final BindableServiceRegistry bindableServiceRegistry) { try { bindableServiceRegistry.register(new ProxyMonitorService()); - monitorClient = new MonitorClient(); + setMonitorClient(new MonitorClient()); } catch (Exception e) { log.error("ProxyMonitor addon has failed to start. Monitor data will not be available!", e); } @@ -61,8 +61,8 @@ public static MonitorClient getClient() { return monitorClient; } - static void setTestClient(MonitorClient testMonitorClient) { - ProxyMonitor.monitorClient = testMonitorClient; + static void setMonitorClient(MonitorClient monitorClient) { + ProxyMonitor.monitorClient = monitorClient; } } 
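Review bot: Dropping `volatile` from the static `monitorClient` field in ProxyMonitor removes the visibility guarantee between the thread that runs `init()` and whichever threads later call `getClient()`; if those differ (the callers are not in this hunk), a reader may see a stale `null`. Routing the write through `setMonitorClient` adds no synchronization of its own. I would keep `private static volatile MonitorClient monitorClient;` or hold the client in an `AtomicReference`, and give `setMonitorClient` a comment that it exists for `init()` and for tests.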
diff --git a/src/addons/proxymonitor/metaservice/src/test/java/ee/ria/xroad/proxymonitor/RestoreMonitorClientAfterTest.java b/src/addons/proxymonitor/metaservice/src/test/java/ee/ria/xroad/proxymonitor/RestoreMonitorClientAfterTest.java index 9adf05f9ea..69d801d521 100644 --- a/src/addons/proxymonitor/metaservice/src/test/java/ee/ria/xroad/proxymonitor/RestoreMonitorClientAfterTest.java +++ b/src/addons/proxymonitor/metaservice/src/test/java/ee/ria/xroad/proxymonitor/RestoreMonitorClientAfterTest.java @@ -48,6 +48,6 @@ protected void after() { * @param monitorClient */ public static void setMonitorClient(MonitorClient monitorClient) { - ProxyMonitor.setTestClient(monitorClient); + ProxyMonitor.setMonitorClient(monitorClient); } } diff --git a/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java index 4af52f76cf..6f37ac8a31 100644 --- a/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java +++ b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java 
@@ -126,22 +126,26 @@ public V execute(RpcExecution grpcCall) throws Exception { } com.google.rpc.Status status = io.grpc.protobuf.StatusProto.fromThrowable(error); if (status != null) { - for (Any any : status.getDetailsList()) { - if (any.is(CodedExceptionProto.class)) { - try { - final CodedExceptionProto ce = any.unpack(CodedExceptionProto.class); - throw CodedException.tr(ce.getFaultCode(), ce.getTranslationCode(), ce.getFaultString()) - .withPrefix(SIGNER_X); - } catch (InvalidProtocolBufferException e) { - throw new RuntimeException("Failed to parse grpc message", e); - } - } - } + handleGenericStatusRuntimeException(status); } throw error; } } + private void handleGenericStatusRuntimeException(com.google.rpc.Status status) { + for (Any any : status.getDetailsList()) { + if (any.is(CodedExceptionProto.class)) { + try { + final CodedExceptionProto ce = any.unpack(CodedExceptionProto.class); + throw CodedException.tr(ce.getFaultCode(), ce.getTranslationCode(), ce.getFaultString()) + .withPrefix(SIGNER_X); + } catch (InvalidProtocolBufferException e) { + throw new RuntimeException("Failed to parse grpc message", e); + } + } + } + } + @FunctionalInterface public interface RpcExecution { /** diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/addon/AddOn.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/addon/AddOn.java index 9700e3a59d..268fd409b8 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/addon/AddOn.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/addon/AddOn.java @@ -43,7 +43,6 @@ public interface AddOn { */ void init(BindableServiceRegistry bindableServiceRegistry); - void shutdown(); class BindableServiceRegistry { diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspClientWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspClientWorker.java index 55bb1ee23e..62eb118f23 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspClientWorker.java 
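Review bot: `handleGenericStatusRuntimeException` returns nothing and communicates only by throwing, so at the call site in `execute` it is not obvious that `throw error;` is reached only when the status carries no `CodedExceptionProto` detail. A Javadoc line such as `/** Throws the first CodedExceptionProto detail as a CodedException; returns normally if the status carries none. */`, or a name like `throwIfCodedException`, would make that contract explicit. The unpack failure is still wrapped in a bare `RuntimeException`, which drops the original gRPC status from what the caller sees; raising it the same way as the other error paths in this class would keep handling uniform.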
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/certmanager/OcspClientWorker.java @@ -144,6 +144,7 @@ public void reload(OcspClientExecuteScheduler ocspClientExecuteScheduler) { } } + @SuppressWarnings("squid:S3776") public void execute(OcspClientExecuteScheduler ocspClientExecuteScheduler) { log.trace("execute()"); log.info("OCSP-response refresh cycle started"); diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyReqHandler.java index b6c807a04e..8ac7f98400 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GetAuthKeyReqHandler.java @@ -67,6 +67,7 @@ public class GetAuthKeyReqHandler extends AbstractRpcHandler { @Override + @SuppressWarnings("squid:S3776") protected AuthKeyInfoProto handle(GetAuthKeyReq request) throws Exception { var securityServer = SecurityServerIdMapper.fromDto(request.getSecurityServer()); log.trace("Selecting authentication key for security server {}", securityServer); @@ -169,8 +170,8 @@ private boolean authCertValid(CertificateInfo certInfo, } log.trace("Ignoring authentication certificate {} because it does " - + "not belong to security server {} " - + "(server id from global conf: {})", CertUtils.identify(cert), + + "not belong to security server {} " + + "(server id from global conf: {})", CertUtils.identify(cert), securityServer, serverIdFromConf); return false; From 6f862c2077dac56f4be9abd7fb43814997b41a71 Mon Sep 17 00:00:00 2001 
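Review bot: `@SuppressWarnings("squid:S3776")` on `OcspClientWorker.execute` and on `GetAuthKeyReqHandler.handle` hides the complexity warning instead of reducing it, and neither annotation says why. `handle` selects the authentication key and certificate for a security server, which is the kind of logic where long nested branches make a wrong accept or reject path hard to spot in review. I would extract the per-key and per-certificate checks into private helpers, as `authCertValid` already does, or at minimum add a comment beside each suppression stating that the refactor is deferred and where it is tracked. Both method bodies continue outside their hunks.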
From: Justas Samuolis Date: Wed, 18 Oct 2023 17:58:36 +0300 Subject: [PATCH 124/127] chore: minor styling fixes Refs: XRDDEV-2468 --- .../xroad/proxymonitor/util/MetricTypes.java | 6 +-- .../proxymonitor/util/MonitorClient.java | 6 +-- .../test/signer/hook/SignerProxyInitHook.java | 2 - .../ee/ria/xroad/common/TestPortUtils.java | 6 +-- .../src/main/proto/monitor_service.proto | 6 +-- .../xroad/proxy/testsuite/ProxyTestSuite.java | 6 +-- .../xroad/signer/protocol/ComponentNames.java | 45 ------------------- .../signer/protocol/dto/AuthKeyInfo.java | 1 - .../signer/protocol/dto/CertificateInfo.java | 6 +-- .../src/main/proto/token_status_info.proto | 7 --- .../signer/test/container/ContainerSetup.java | 1 - .../job/OcspClientExecuteScheduler.java | 4 -- .../module/AbstractModuleManager.java | 4 +- 13 files changed, 20 insertions(+), 80 deletions(-) delete mode 100644 src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ComponentNames.java diff --git a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/MetricTypes.java b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/MetricTypes.java index 3d09b32f50..742bc23410 100644 --- a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/MetricTypes.java +++ b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/MetricTypes.java @@ -4,17 +4,17 @@ * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

+ * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - *

+ * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - *

+ * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE diff --git a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/MonitorClient.java b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/MonitorClient.java index 89fde3a37a..101ed97450 100644 --- a/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/MonitorClient.java +++ b/src/addons/proxymonitor/metaservice/src/main/java/ee/ria/xroad/proxymonitor/util/MonitorClient.java @@ -4,17 +4,17 @@ * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

+ * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - *

+ * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - *

+ * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE diff --git a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyInitHook.java b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyInitHook.java index 341e2d29fb..f3cffb8be1 100644 --- a/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyInitHook.java +++ b/src/common/common-int-test/src/main/java/org/niis/xroad/common/test/signer/hook/SignerProxyInitHook.java @@ -61,8 +61,6 @@ public void beforeSuite() { System.setProperty(SystemProperties.GRPC_INTERNAL_HOST, host); System.setProperty(SystemProperties.GRPC_SIGNER_PORT, String.valueOf(port)); - System.setProperty(SystemProperties.GRPC_INTERNAL_HOST, host); - System.setProperty(SystemProperties.GRPC_INTERNAL_KEYSTORE, "build/resources/intTest/signer-container-files/etc/xroad/transport-keystore/grpc-internal-keystore.p12"); System.setProperty(SystemProperties.GRPC_INTERNAL_KEYSTORE_PASSWORD, "111111"); diff --git a/src/common/common-test/src/main/java/ee/ria/xroad/common/TestPortUtils.java b/src/common/common-test/src/main/java/ee/ria/xroad/common/TestPortUtils.java index eb4b987579..4cc4e5c4d8 100644 --- a/src/common/common-test/src/main/java/ee/ria/xroad/common/TestPortUtils.java +++ b/src/common/common-test/src/main/java/ee/ria/xroad/common/TestPortUtils.java @@ -4,17 +4,17 @@ * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

+ * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - *

+ * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - *

+ * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE diff --git a/src/monitor-common/src/main/proto/monitor_service.proto b/src/monitor-common/src/main/proto/monitor_service.proto index f33ba74bed..a1378c6057 100644 --- a/src/monitor-common/src/main/proto/monitor_service.proto +++ b/src/monitor-common/src/main/proto/monitor_service.proto @@ -73,9 +73,9 @@ message SystemMetricsResp { message Metrics { oneof value { - MetricsGroup metricsGroup = 1; - SingleMetrics singleMetrics = 2; - HistogramMetrics singleHistogram = 3; + MetricsGroup metrics_group = 1; + SingleMetrics single_metrics = 2; + HistogramMetrics single_histogram = 3; } } diff --git a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java index 1c77d4ccfa..66c2344a33 100644 --- a/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java +++ b/src/proxy/src/test/java/ee/ria/xroad/proxy/testsuite/ProxyTestSuite.java @@ -4,17 +4,17 @@ * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

+ * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - *

+ * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - *

+ * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ComponentNames.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ComponentNames.java deleted file mode 100644 index a4f8f926a9..0000000000 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/ComponentNames.java +++ /dev/null 
@@ -1,45 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -package ee.ria.xroad.signer.protocol; - -/** - * Holds the names of actors in signer. - */ -public final class ComponentNames { - - public static final String SIGNER = "Signer"; - - public static final String TOKEN_SIGNER = "TokenSigner"; - - public static final String TOKEN_WORKER = "TokenWorker"; - - public static final String OCSP_RESPONSE_MANAGER = "OcspResponseManager"; - - public static final String MODULE_MANAGER = "ModuleManager"; - - private ComponentNames() { - } -} 
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/AuthKeyInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/AuthKeyInfo.java index f0d9cf8147..521d11b11d 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/AuthKeyInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/AuthKeyInfo.java @@ -34,7 +34,6 @@ * Authentication key info DTO. */ @Value -@Deprecated @ToString(exclude = { "password" }) public class AuthKeyInfo implements Serializable { diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java index d31c91c655..4a43f26f46 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/dto/CertificateInfo.java @@ -4,17 +4,17 @@ * Copyright (c) 2018 Estonian Information System Authority (RIA), * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

+ * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - *

+ * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - *

+ * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE diff --git a/src/signer-protocol/src/main/proto/token_status_info.proto b/src/signer-protocol/src/main/proto/token_status_info.proto index 08b7dd713d..96104c57b3 100644 --- a/src/signer-protocol/src/main/proto/token_status_info.proto +++ b/src/signer-protocol/src/main/proto/token_status_info.proto @@ -25,16 +25,9 @@ */ syntax = "proto3"; -//package protocol; - option java_multiple_files = true; option java_package = "ee.ria.xroad.signer.protocol.dto"; -//option java_outer_classname = "TokenStatusInfo"; -//option objc_class_prefix = "HLW"; - -//import "google/protobuf/empty.proto"; - /* Token status info DTO. */ enum TokenStatusInfo { TOKEN_STATUS_UNSPECIFIED = 0; diff --git a/src/signer/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java b/src/signer/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java index cee83314e2..a5785ba0e4 100644 --- a/src/signer/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java +++ b/src/signer/src/intTest/java/org/niis/xroad/signer/test/container/ContainerSetup.java @@ -47,5 +47,4 @@ public TestContainerConfigurator.TestContainerInitListener testContainerInitList return super.testContainerInitListener(true); } - } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/job/OcspClientExecuteScheduler.java b/src/signer/src/main/java/ee/ria/xroad/signer/job/OcspClientExecuteScheduler.java index 1f7c545ac8..9212726268 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/job/OcspClientExecuteScheduler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/job/OcspClientExecuteScheduler.java 
@@ -63,13 +63,11 @@ private Duration getNextDelay() { } public void success() { - log.debug("received message OcspClientJob.SUCCESS"); log.info("OCSP-response refresh cycle successfully completed, continuing with normal scheduling"); retryMode = false; } public void failure() { - log.debug("received message OcspClientJob.FAILED"); if (!retryMode) { log.info("OCSP-response refresh cycle failed, switching to retry backoff schedule"); retryMode = true; @@ -80,7 +78,6 @@ public void failure() { } public void globalConfInvalidated() { - log.debug("received message OcspClientWorker.GLOBAL_CONF_INVALIDATED"); log.info("OCSP-response refresh cycle failed due to invalid global configuration, " + "switching to global configuration recovery schedule"); // attempted to execute OCSP refresh, but global conf was @@ -102,7 +99,6 @@ private void runJob() { } public void reschedule() { - log.debug("received message OcspClientWorker.RESCHEDULE"); log.info("OCSP-response refresh cycle rescheduling"); this.reschedule(getNextDelay()); } diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java index 04b1e9b89e..561b44c705 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java @@ -102,7 +102,7 @@ public void stop() { try { TokenManager.saveToConf(); } catch (Exception e) { - throw new RuntimeException(e); //TODO + throw new RuntimeException(e); } } @@ -234,7 +234,7 @@ private Map loadModules(Collection mod newModules.put(moduleWorker.getModuleType().getType(), moduleWorker); } catch (Exception e) { - throw new RuntimeException(e); //TODO + throw new RuntimeException(e); } }); return newModules; From 6f8502a204bc26701d3182d8c6ec6ebc12756c4b Mon Sep 17 00:00:00 2001 
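Review bot: Removing the `//TODO` markers in `stop()` and in the `loadModules` lambda leaves both catch blocks rethrowing a bare `RuntimeException(e)` with no message. A failed `TokenManager.saveToConf()` on shutdown and a failed module load therefore surface as the same anonymous wrapper, which makes a lost token configuration hard to spot in the signer log. I would give each rethrow its own context, for example `throw new RuntimeException("Failed to save token configuration on stop", e);` and `throw new RuntimeException("Failed to load signer module", e);`. Both methods start and end outside these hunks, so whether a caller already logs the cause is not visible here.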
From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Thu, 19 Oct 2023 09:27:42 +0300 Subject: [PATCH 125/127] chore: fix cs ui system tests Refs: XRDDEV-2468 --- Docker/centralserver/files/cs-entrypoint.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Docker/centralserver/files/cs-entrypoint.sh b/Docker/centralserver/files/cs-entrypoint.sh index 0641f4a5fd..185b0ef65f 100755 --- a/Docker/centralserver/files/cs-entrypoint.sh +++ b/Docker/centralserver/files/cs-entrypoint.sh @@ -76,4 +76,10 @@ log "Making sure that token pin policy is enforced by default" if ! crudini --get /etc/xroad/conf.d/local.ini signer enforce-token-pin-policy &>/dev/null; then crudini --set /etc/xroad/conf.d/local.ini signer enforce-token-pin-policy "true" fi + +#initialize transport keys +mkdir -p -m0750 /var/run/xroad +chown xroad:xroad /var/run/xroad +su - xroad -c sh -c /usr/share/xroad/scripts/xroad-base.sh + exec /usr/bin/supervisord -n -c /etc/supervisor/supervisord.conf From 74afa5d1ff1d17b9896d28b11a80a416e0f043e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ri=C4=8Dardas=20Bu=C4=8Di=C5=ABnas?= Date: Thu, 19 Oct 2023 10:04:37 +0300 Subject: [PATCH 126/127] chore: fix grpc keystore env props Refs: XRDDEV-2468 --- .../xroad/common/base/usr/share/xroad/scripts/xroad-base.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/packages/src/xroad/common/base/usr/share/xroad/scripts/xroad-base.sh b/src/packages/src/xroad/common/base/usr/share/xroad/scripts/xroad-base.sh index fe859dadf1..868363ac3f 100755 --- a/src/packages/src/xroad/common/base/usr/share/xroad/scripts/xroad-base.sh +++ b/src/packages/src/xroad/common/base/usr/share/xroad/scripts/xroad-base.sh 
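Review bot: The result of the added `su - xroad -c sh -c /usr/share/xroad/scripts/xroad-base.sh` line is never checked, so if transport key generation fails the entrypoint still reaches `exec /usr/bin/supervisord` and starts the services without the gRPC keystore, unless the script enables `set -e` above the hunk. The doubled `-c` also depends on how the installed `su` treats a repeated option. A single command with an explicit failure path is easier to reason about: `su - xroad -c /usr/share/xroad/scripts/xroad-base.sh || { log "Transport key initialisation failed"; exit 1; }`. A short comment on why `/var/run/xroad` has to be created here with mode 0750 would also help the next reader.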
@@ -30,8 +30,8 @@ gen_grpc_internal_keypair() { chown xroad:xroad "$keystore" cat <"$env_file" -XROAD_GRPC_INTERNAL_KEYSTORE_PASSWORD="$keystore_pw" -XROAD_GRPC_INTERNAL_TRUSTSTORE_PASSWORD="$keystore_pw" +XROAD_COMMON_GRPC_INTERNAL_KEYSTORE_PASSWORD="$keystore_pw" +XROAD_COMMON_GRPC_INTERNAL_TRUSTSTORE_PASSWORD="$keystore_pw" EOF chown xroad:xroad "$env_file" From 32aa8ff421e4644a9a60187784633ee2ade8fc92 Mon Sep 17 00:00:00 2001 From: Eneli Reimets Date: Thu, 19 Oct 2023 16:21:32 +0300 Subject: [PATCH 127/127] fix: signing key uses Refs: XRDDEV-2468 --- .../protocol/handler/GenerateSelfSignedCertReqHandler.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java index 15c227c2e5..dfc5812eef 100644 --- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java +++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java @@ -123,7 +123,7 @@ X509Certificate build(TokenAndKey tokenAndKey, GenerateSelfSignedCertReq message fromUnixTimestamp(message.getDateNotAfter()), subject, publicKey); if (message.getKeyUsage() == KeyUsageInfo.SIGNING) { - KeyUsage keyUsage = new KeyUsage(KeyUsage.nonRepudiation); + KeyUsage keyUsage = new KeyUsage(KeyUsage.nonRepudiation | KeyUsage.keyCertSign); builder.addExtension(X509Extension.keyUsage, true, keyUsage); builder.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(true));
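Review bot: The env file that receives `XROAD_COMMON_GRPC_INTERNAL_KEYSTORE_PASSWORD` and `XROAD_COMMON_GRPC_INTERNAL_TRUSTSTORE_PASSWORD` is written by the heredoc and then only gets `chown xroad:xroad "$env_file"` in the visible lines, with no mode set. Unless `gen_grpc_internal_keypair` sets a restrictive umask or calls chmod outside this hunk, the file takes the default umask and the keystore password may be readable by other local users. I would restrict it explicitly, for example `umask 077` before the heredoc or `chmod 0600 "$env_file"` right after the `chown`, relaxing the mode only if a group really needs to read it. The function starts and ends outside the hunk, so this needs checking against the full body.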
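Review bot: The changed `new KeyUsage(KeyUsage.nonRepudiation | KeyUsage.keyCertSign)` line has no comment explaining why a signing certificate now asserts `keyCertSign`. The bit matters for security: together with the critical `BasicConstraints(true)` added two lines later, it marks this self-signed certificate as a CA whose key may sign other certificates. Presumably it is needed so that validators accept the certificate's own self-signature; if so, record it, e.g. `// keyCertSign: self-signed with cA=true, validators check the signer's key usage (confirm)`. It is also worth considering `new BasicConstraints(0)` so the certificate cannot anchor a longer chain if it is ever trusted. `build` starts and ends outside the hunk, so the non-signing branch is not covered by this note.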