mendelson AS4 server 2024
What is new
- Added a new dialog to automatically find out the mail server configuration by just knowing the replyto mail address for the notification mail setup
- Added a notification badge for configuration problems in the status bar and set up UI scaling for the list of configuration issues (Client UI)
- Added support for the client credentials authorization grant (RFC 6749 section 4.4) in the OAuth2 plugin for the mail notification (available as plugin in the professional edition and higher), added related documentation
- Added the usage profile EU-ICS2-TI AS4 Profile V3.x and all its presets and requirements
- Added the possibility to set the used signature binary security token type per partner to either "#X509PKIPathv1" or "#X509v3" - "#X509v3" is always the default. This is a requirement for the AS4 profiles ICS2, BDEW and ENTSOG 4.0
- Added the possibility to use the sender's AS4 id in the outbound agreement ref by replacing ${senderid} in the agreement ref with the sender's AS4 id - this can be defined directly in the PMode and is processed during the message preparation process
- Added support for HSM (Hardware Security Modules) via plugin, available in the professional edition or higher
- Reworked the import/export functions of the certificate manager
- New Icons in the certificate manager
- Certificate manager: It is no longer possible to collapse parts of the trust path tree by double clicking it
- Added support for ENTSOG 4.0, which currently exists only as a draft - this uses ECDH-ES
- Added a new profile ENTSOG v4.0 to the product, allows presets
- Added the signature algorithm eddsa-ed25519, required for the AS4 profile ENTSOG 4.0
- Added the possibility to perform the key agreement using X25519 keys (static DH (ECDH-ES)). It is now also possible to work with ephemeral keys that are either on the X25519 (ENTSOG 4.0) or Brainpool (BDEW 1.0) curve
- Added the possibility to generate Ed25519 keys in the certificate manager, this is required for the ENTSOG 4.0 profile
- Added the possibility to perform the ephemeral key encryption/wrapping kw-aes128 using XDH. This is required for the AS4 profiles BDEW 1.0 and ENTSOG 4.0
- Added HA (high availability via cluster) support to the mendelson AS4, available via plugin in the professional edition and higher
- The internal client-server communication has been reduced by adding an additional compression layer
- Added additional information to the usage profiles regarding the supported TLS protocols, whether TLS is mandatory, and the supported MEPs
- Added the additional usage profile information to the documentation
- There are warnings now in the user interface if the user tries to perform MEPs for partners that use a usage profile that does not support them - nonetheless it is still possible to perform the operations and configuration
- Depending on the usage profile of a partner, the outbound TLS protocol list is now passed to the TLS engine. This is because several AS4 profiles require only specific TLS protocol versions
- There is a warning now in the log if a partner's usage profile defines TLS as mandatory and the connection is an unsecured connection. Several AS4 profiles do not allow the use of unsecured connections.
- Added the possibility to define separate Security Providers for several purposes in the Java API: SSLContext, KeystoreManagerFactory, TLS Keystore, TrustStoreManagerFactory
- Added the name of the used PMode set (in- and outbound) as variable ${pmode} for the message postprocessing
- Added inbound X509SKI support: In the receipt process of ECDH-ES messages, the identification of the receiver's key information using the X509SKI tag (subject key identifier) was not supported (AS4 profiles ENTSOG 4, BDEW)
- The RecipientKeyInfo tag for the BDEW AS4 profile has been extended (outbound) by the X509SKI tag - but only if the extension with the OID 2.5.29.14 (subject key identifier) is defined in the certificate
- Added support for the BDEW Transmission path change request message and the BDEW Transmission path change confirm switch message
- Added support for AS4 messages that contain no payload - this is required because the BDEW profile defines special test messages that do not match the common AS4 definition
- Added support to create user defined error signals from inbound AS4 messages (Java API: available via plugin in the professional edition or higher)
- Added additional error details for missing or misspelled attributes and node values in inbound SOAP data
- Added the possibility to generate a subject key identifier (SKI) extension in the key generator of the certificate manager. This is required because it is possible to work with X509SKI tag certificate identification in the AS4 profiles BDEW 1.0 and ENTSOG 4.0
- Added a fallback to the MIME single part processing for AS4 responses in the Java API
- Added the possibility that the trust chain is sent with the root certificate first or the root certificate last (signature verification, compatibility issue)
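The following is an added illustration of the point above, not mendelson code: a receiver that accepts both chain orders should rebuild the path from the subject/issuer links instead of trusting the position of the certificates in the received message. Certificates are modelled here as plain dicts with only a subject and an issuer name (constructed sample data); the structure is what matters, not the DER details.

```python
# Added example (not from the mendelson product): order a received trust
# chain leaf-first, whatever order the sender used, and reject chains that
# are not a single path. Certificates are constructed dicts with "subject"
# and "issuer" names only; a real implementation would use the X.509 names.

def order_chain(certs):
    """Return the chain ordered end-entity -> ... -> root.

    Raises ValueError if the list is empty, contains duplicate subjects,
    does not contain exactly one end-entity certificate, or contains
    certificates that are not on the path from the end-entity upwards.
    """
    if not certs:
        raise ValueError("empty chain")
    by_subject = {c["subject"]: c for c in certs}
    if len(by_subject) != len(certs):
        raise ValueError("duplicate subject in chain")
    # Names that issued some *other* certificate in the chain; a self-signed
    # root issues itself, which must not disqualify it as a leaf candidate
    # when it is the only certificate.
    issued_names = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    leaves = [c for c in certs if c["subject"] not in issued_names]
    if len(leaves) != 1:
        raise ValueError("chain must contain exactly one end-entity certificate")
    ordered = [leaves[0]]
    # Walk upwards via the issuer name until a self-signed certificate or a
    # missing issuer (anchor expected in the local trust store) is reached.
    while ordered[-1]["issuer"] != ordered[-1]["subject"]:
        parent = by_subject.get(ordered[-1]["issuer"])
        if parent is None:
            break
        if parent in ordered:
            raise ValueError("cycle in chain")
        ordered.append(parent)
    if len(ordered) != len(certs):
        raise ValueError("chain contains certificates that are not on the path")
    return ordered


def chain_is_complete(ordered):
    """True if the ordered chain ends in a self-signed (root) certificate."""
    last = ordered[-1]
    return last["subject"] == last["issuer"]


# Constructed sample chain: partner leaf, one intermediate, self-signed root.
LEAF = {"subject": "CN=partner", "issuer": "CN=intermediate"}
INTER = {"subject": "CN=intermediate", "issuer": "CN=root"}
ROOT = {"subject": "CN=root", "issuer": "CN=root"}

if __name__ == "__main__":
    for received in ([ROOT, INTER, LEAF], [LEAF, INTER, ROOT]):
        path = order_chain(received)
        print([c["subject"] for c in path], "complete:", chain_is_complete(path))
```

Both the root-first and the root-last order give the same path, and a chain with a gap (end-entity plus root, intermediate missing) is rejected because two certificates then look like an end-entity; the signature verification should run on the reordered path, never on the received order.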
- Certificate manager: Display the sign algorithm and the name of the EC curve in the overview
- Added support for SHA-2 512, SHA-2 512 PSSRSA, SHA-3 512 and SHA-3 512 PSSRSA signed keys (key generation)
- Added a description of how to set up a TLS proxy for inbound TLS connections to the documentation. This might be required because some security providers still cannot handle TLS with EC keys - in this case the connection security can be handled by an external proxy.
- The formerly file based key/certificate management has been moved to the database. This results in less file I/O and more stable operations in cluster mode. Read-only and access problems with keystore files are no longer an issue during operations.
- Added the possibility to export a full keystore file from the certificate manager
- Added the possibility to import a full keystore file to the system at server start
- Removed several filesystem based configuration checks regarding keystore files
- Removed several keystore file related server settings and configuration interfaces
- If you use PostgreSQL (available via plugin in the professional edition or higher) and the database was not reachable, there was just a NullPointerException - now there is a proper error message
- Reworked all AS4 profile presets - for some AS4 profiles settings were missing
Resolved problems
- The wrong MGF algorithms have been used for the outbound message encryption - the used algorithms were for the signature and not the encryption
- Fixed the problem "Comparison method violates its general contract" that happened very seldom on internal certificate access
- There were missing constants in the Java API for the BDEW support
- Inbound conversation IDs were not ignored for the AS4 profile ICS2, please see section "4.2.3.4" of the ICS2 Interface Control Document for further information
- Inbound PULL signals on non-empty MPCs sometimes created an OS path error
- The field RefToMessageId was set in outbound user messages even if the message was pulled - this has to be empty for PULL messages
- There was an issue in the Java API: the message send function tried to get data from a running AS4 server instance (which does not exist if you are just using the library functionality)
- There was an issue in the Java API during the parse process of inbound AS4 messages
- Certificate Manager: It was not possible to export private keys into an external PKCS#12 keystore if their algorithm was EC or EdDSA - this is an important point for the usage profiles BDEW 1.0 and ENTSOG 4.0
- The PModes of a single partner are now sorted alphabetically in the client UI
- Fixed inbound SOAP parsing problems - sometimes BDEW path change messages were not detected correctly
- In ECDH-ES (BDEW 1.0, ENTSOG 4.0) a SecurityTokenReference did not point to the right element in the XML metadata structure. For most partners this was no problem, but some systems had issues with this
- Fixed a problem in the MIME parsing process for the content type "multipart/mixed"
- Importing a private key into the certificate manager did not check for an existing alias - if the alias already existed, the import was just skipped without any error message
- Fixed the very seldom issue that the outbound connection entity was not repeatable. The error message was "[NonRepeatableRequestException] Cannot retry request with a non-repeatable request entity"
Updated software packages
- Update to BouncyCastle v176 (crypto API)
- Update to Lucene 9.8.0 (indexing of system events)
- Update to MINA 2.2.3 (client-server interface)
- Update to HSQLDB 2.72 (embedded database)
- Update to wss4j 3.0.1 (web service security for Java)
- Update to Jetty 10.0.18 (embedded HTTP server)