diff --git a/.classpath b/.classpath
index 91de5ef62a8..3944f690d77 100644
--- a/.classpath
+++ b/.classpath
@@ -1,15 +1,13 @@
+
-
-
-
@@ -25,14 +23,14 @@
+
+
+
+
-
-
-
-
@@ -43,7 +41,6 @@
-
@@ -56,31 +53,30 @@
-
-
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
+
+
+
@@ -90,9 +86,11 @@
+
+
-
+
@@ -107,55 +105,68 @@
-
-
-
-
-
-
-
-
+
+
+
+
+
-
-
-
-
-
-
-
-
-
+
+
-
-
+
+
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -166,66 +177,84 @@
-
-
-
-
-
+
-
-
-
-
-
+
+
+
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
-
+
+
+
+
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/.github/ISSUE_TEMPLATE/bug-report.md b/.github/ISSUE_TEMPLATE/bug-report.md
new file mode 100644
index 00000000000..2033d4c107f
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug-report.md
@@ -0,0 +1,45 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[BUG]"
+labels: bug
+assignees: ''
+
+---
+
+**Describe the Bug**
+
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected Behavior**
+
+A clear and concise description of what you expected to happen.
+
+**Screenshots and Logs**
+
+If applicable, add screenshots and logs to help explain your problem.
+
+**Product Deployment**
+
+Please complete the following information:
+ - Deployment format: [e.g. software, container]
+ - Version [e.g. 8.0.0]
+
+**Desktop**
+
+Please complete the following information:
+ - OS: [e.g. iOS]
+ - Browser [e.g. chrome, safari]
+ - Version [e.g. 22]
+
+**Additional Context**
+
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
new file mode 100644
index 00000000000..ee92520c230
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,5 @@
+blank_issues_enabled: true
+contact_links:
+ - name: GitHub Discussions
+ url: https://github.com/Keyfactor/ejbca-ce/discussions
+ about: Join in-depth discussions or ask questions
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 00000000000..05a453e5e89
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,25 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem or specific use case? Please describe.**
+A clear and concise description of the problem or use case.
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Product deployment**
+Please complete the following information:
+ - Deployment format: [e.g. software, container]
+ - Version [e.g. 8.0.0]
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
diff --git a/.github/images/community-ejbca-icon.png b/.github/images/community-ejbca-icon.png
new file mode 100644
index 00000000000..25ceb5a23e2
Binary files /dev/null and b/.github/images/community-ejbca-icon.png differ
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 00000000000..1866168aa32
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,16 @@
+## Describe your changes
+
+
+
+## How has this been tested?
+
+
+
+## Checklist before requesting a review
+
+
+- [ ] I have performed a self-review of my code
+- [ ] I have kept the patch limited to only change the parts related to the patch
+- [ ] This change requires a documentation update
+
+See also [Contributing Guidelines](../../CONTRIBUTING.md).
diff --git a/.gitignore b/.gitignore
index 9e693901c7a..1fdf0f909d4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,9 +1,21 @@
out/
/p12/
dist/
-build*/
+build/
+build-*/
tmp/
conf/*.properties
velocity.log
src/java/jndi.properties
validationtool.log
+reports/
+modules/ra-gui/resources/js/jquery.min.js
+/.DS_Store
+.vscode/
+/.tern-project
+*.iml
+.project
+/.idea
+/.metadata
+/.project
+.gradle
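Review bot: The new `.project` and `/.project` entries will have no effect on the repository's own `.project`, because that file is tracked — it is modified in this very diff — and ignore rules only apply to untracked paths; they will also only ever match untracked copies in subdirectories. Either the file should be removed from tracking (git rm --cached) if the intent is to stop versioning IDE metadata, or the two rules should be dropped to avoid a misleading ignore list; in any case one of `.project` and `/.project` is redundant since the unanchored form already covers the root. Separately, ignoring `modules/ra-gui/resources/js/jquery.min.js` suggests that artifact is produced or fetched at build time; if it is downloaded, it is worth confirming that the build pins its version and verifies a checksum, since an untracked file cannot be reviewed through this repository.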
diff --git a/.project b/.project
index cd9815eee5b..911d12d89f4 100644
--- a/.project
+++ b/.project
@@ -33,4 +33,15 @@
org.eclipse.wst.common.project.facet.core.natureorg.eclipse.wst.jsdt.core.jsNature
+
+
+ 1628709532251
+
+ 30
+
+ org.eclipse.core.resources.regexFilterMatcher
+ node_modules|.git|__CREATED_BY_JAVA_LANGUAGE_SERVER__
+
+
+
diff --git a/.settings/.gitignore b/.settings/.gitignore
new file mode 100644
index 00000000000..4f150efdd36
--- /dev/null
+++ b/.settings/.gitignore
@@ -0,0 +1 @@
+/org.eclipse.jdt.launching.prefs
diff --git a/.settings/.jsdtscope b/.settings/.jsdtscope
index b143148d8b7..70f7895c96d 100644
--- a/.settings/.jsdtscope
+++ b/.settings/.jsdtscope
@@ -3,7 +3,6 @@
-
diff --git a/.settings/org.eclipse.core.resources.prefs b/.settings/org.eclipse.core.resources.prefs
index 3442432c7ab..29554c11346 100644
--- a/.settings/org.eclipse.core.resources.prefs
+++ b/.settings/org.eclipse.core.resources.prefs
@@ -1,5 +1,4 @@
eclipse.preferences.version=1
-encoding//doc/xdocs/site/complementary.xml=UTF-8
encoding//modules/admin-gui/resources/languages/languagefile.bs.properties=UTF-8
encoding//modules/admin-gui/resources/languages/languagefile.cs.properties=UTF-8
encoding//modules/admin-gui/resources/languages/languagefile.de.properties=UTF-8
diff --git a/.settings/org.eclipse.jdt.core.prefs b/.settings/org.eclipse.jdt.core.prefs
index 4c32edae97b..d8371db4aa8 100644
--- a/.settings/org.eclipse.jdt.core.prefs
+++ b/.settings/org.eclipse.jdt.core.prefs
@@ -1,15 +1,18 @@
eclipse.preferences.version=1
org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
org.eclipse.jdt.core.compiler.codegen.methodParameters=do not generate
-org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.8
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=11
org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve
-org.eclipse.jdt.core.compiler.compliance=1.8
+org.eclipse.jdt.core.compiler.compliance=11
org.eclipse.jdt.core.compiler.debug.lineNumber=generate
org.eclipse.jdt.core.compiler.debug.localVariable=generate
org.eclipse.jdt.core.compiler.debug.sourceFile=generate
org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
+org.eclipse.jdt.core.compiler.problem.enablePreviewFeatures=disabled
org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
-org.eclipse.jdt.core.compiler.source=1.8
+org.eclipse.jdt.core.compiler.problem.reportPreviewFeatures=warning
+org.eclipse.jdt.core.compiler.release=disabled
+org.eclipse.jdt.core.compiler.source=11
org.eclipse.jdt.core.formatter.align_type_members_on_columns=false
org.eclipse.jdt.core.formatter.alignment_for_arguments_in_allocation_expression=16
org.eclipse.jdt.core.formatter.alignment_for_arguments_in_annotation=0
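Review bot: `org.eclipse.jdt.core.compiler.release=disabled` combined with the new `compliance=11`/`source=11`/`targetPlatform=11` means the IDE checks library API usage against whichever JRE the workspace binds to the project, not against the Java 11 API, so on a newer workspace JDK a call to a post-11 library method compiles cleanly in Eclipse and only fails in a Java 11 build. If Java 11 is the intended runtime, `org.eclipse.jdt.core.compiler.release=enabled` gives the IDE the equivalent of `javac --release 11`. Whether the actual build enforces the API level is not visible in this diff, so this is a consistency point for the IDE configuration rather than a build defect.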
@@ -277,7 +280,7 @@ org.eclipse.jdt.core.formatter.number_of_empty_lines_to_preserve=1
org.eclipse.jdt.core.formatter.put_empty_statement_on_new_line=true
org.eclipse.jdt.core.formatter.tabulation.char=space
org.eclipse.jdt.core.formatter.tabulation.size=4
-org.eclipse.jdt.core.formatter.use_on_off_tags=false
+org.eclipse.jdt.core.formatter.use_on_off_tags=true
org.eclipse.jdt.core.formatter.use_tabs_only_for_leading_indentations=false
org.eclipse.jdt.core.formatter.wrap_before_binary_operator=true
org.eclipse.jdt.core.formatter.wrap_outer_expressions_when_nested=true
diff --git a/.settings/org.eclipse.jdt.ui.prefs b/.settings/org.eclipse.jdt.ui.prefs
index cf6eac520f5..c93e1a010f7 100644
--- a/.settings/org.eclipse.jdt.ui.prefs
+++ b/.settings/org.eclipse.jdt.ui.prefs
@@ -1,4 +1,3 @@
-#Mon Oct 03 16:16:16 CEST 2011
cleanup.add_default_serial_version_id=true
cleanup.add_generated_serial_version_id=false
cleanup.add_missing_annotations=true
@@ -56,4 +55,4 @@ eclipse.preferences.version=1
formatter_profile=_ejbca
formatter_settings_version=11
org.eclipse.jdt.ui.javadoc=false
-org.eclipse.jdt.ui.text.custom_code_templates=/**\n * @return the ${bare_field_name}\n *//**\n * @param ${param} the ${bare_field_name} to set\n *//**\n * ${tags}\n *//*************************************************************************\n * *\n * EJBCA\: The OpenSource Certificate Authority *\n * *\n * This software is free software; you can redistribute it and/or *\n * modify it under the terms of the GNU Lesser General Public *\n * License as published by the Free Software Foundation; either *\n * version 2.1 of the License, or any later version. *\n * *\n * See terms of license at gnu.org. *\n * *\n *************************************************************************//**\n * @version $$Id$$\n *\n *//**\n * ${tags}\n *//* (non-Javadoc)\n * ${see_to_overridden}\n *//**\n * ${tags}\n * ${see_to_target}\n */${filecomment}\n${package_declaration}\n\n${typecomment}\n${type_declaration}\n\n\n\n// ${todo} Auto-generated catch block\n${exception_var}.printStackTrace();// ${todo} Auto-generated method stub\n${body_statement}${body_statement}\n// ${todo} Auto-generated constructor stubreturn ${field};${field} \= ${param};
+org.eclipse.jdt.ui.text.custom_code_templates=/**\n * @return the ${bare_field_name}\n *//**\n * @param ${param} the ${bare_field_name} to set\n *//**\n * ${tags}\n *//*************************************************************************\n * *\n * EJBCA\: The OpenSource Certificate Authority *\n * *\n * This software is free software; you can redistribute it and/or *\n * modify it under the terms of the GNU Lesser General Public *\n * License as published by the Free Software Foundation; either *\n * version 2.1 of the License, or any later version. *\n * *\n * See terms of license at gnu.org. *\n * *\n *************************************************************************//**\n *\n *//**\n * ${tags}\n *//**\n * ${tags}\n * ${see_to_target}\n */${filecomment}\n${package_declaration}\n\n${typecomment}\n${type_declaration}\n\n\n\n// ${todo} Auto-generated catch block\nthrow new IllegalStateException(${exception_var});// ${todo} Auto-generated method stub\n${body_statement}${body_statement}\n// ${todo} Auto-generated constructor stubreturn ${field};${field} \= ${param};
diff --git a/.settings/org.eclipse.wst.common.project.facet.core.xml b/.settings/org.eclipse.wst.common.project.facet.core.xml
index 60072bc6447..ca303555435 100644
--- a/.settings/org.eclipse.wst.common.project.facet.core.xml
+++ b/.settings/org.eclipse.wst.common.project.facet.core.xml
@@ -4,5 +4,5 @@
-
+
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 00000000000..a31719f5654
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,42 @@
+# EJBCA Contributing Guidelines
+
+Thank you for contributing to EJBCA!
+
+In this guide, you get an overview of the contribution workflow from starting a discussion or opening an issue, to creating, reviewing, and merging a pull request.
+
+For an overview of the project, see [README](README.md).
+
+### Start a discussion
+If you have a question or problem, you can [search in discussions](../../discussions), if someone has already found a solution to your problem.
+
+Or you can [start a new discussion](../../discussions/new/choose) and ask your question.
+
+### Create an issue
+
+If you find a problem with EJBCA, [search if an issue already exists](../../issues).
+
+If a related discussion or issue doesn't exist, you can [open a new issue](../../issues/new/choose). An issue can be converted into a discussion if regarded as one.
+
+### Contribute to the code
+
+#### Create a pull request
+
+You are welcome to send patches, under the LGPLv2.1+ license, as pull requests. For more information, see [Creating a pull request](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request). For minor updates, you can instead choose to create an issue with short snippets of code. See above.
+
+* Create a JUnit test case for your change, it may be a simple addition to an existing test. If you do not know how to do this, ask us and we will help you.
+* If you run into any merge issues, check out this [git tutorial](https://github.com/skills/resolve-merge-conflicts) to help you resolve merge conflicts and other issues.
+
+For more information, refer to the EJBCA documentation on [Getting Started With EJBCA Development](https://docs.keyfactor.com/ejbca/latest/getting-started-with-ejbca-development).
+
+#### Self-review
+
+Don't forget to self-review. Please follow these simple guidelines:
+* Keep the patch limited, only change the parts related to your patch.
+* Do not change other lines, such as whitespace, adding line breaks to Java doc, etc. It will make it very hard for us to review the patch.
+
+
+#### Your pull request is merged
+
+For acceptance, pull requests need to meet specific quality criteria, including tests for anything substantial. Someone on the EJBCA core team will review the pull request when there is time, and let you know if something is missing or suggest improvements. If it is a useful and generic feature it will be integrated in EJBCA to be available in a later release.
+
+For substantial, non-trivial contributions, you will be asked to sign a contributor assignment agreement. Optionally, you can also have your name and contact information listed on the [Contributors](https://www.ejbca.org/contributors/) page.
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 00000000000..5ab7695ab8c
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,504 @@
+ GNU LESSER GENERAL PUBLIC LICENSE
+ Version 2.1, February 1999
+
+ Copyright (C) 1991, 1999 Free Software Foundation, Inc.
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+[This is the first released version of the Lesser GPL. It also counts
+ as the successor of the GNU Library Public License, version 2, hence
+ the version number 2.1.]
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+Licenses are intended to guarantee your freedom to share and change
+free software--to make sure the software is free for all its users.
+
+ This license, the Lesser General Public License, applies to some
+specially designated software packages--typically libraries--of the
+Free Software Foundation and other authors who decide to use it. You
+can use it too, but we suggest you first think carefully about whether
+this license or the ordinary General Public License is the better
+strategy to use in any particular case, based on the explanations below.
+
+ When we speak of free software, we are referring to freedom of use,
+not price. Our General Public Licenses are designed to make sure that
+you have the freedom to distribute copies of free software (and charge
+for this service if you wish); that you receive source code or can get
+it if you want it; that you can change the software and use pieces of
+it in new free programs; and that you are informed that you can do
+these things.
+
+ To protect your rights, we need to make restrictions that forbid
+distributors to deny you these rights or to ask you to surrender these
+rights. These restrictions translate to certain responsibilities for
+you if you distribute copies of the library or if you modify it.
+
+ For example, if you distribute copies of the library, whether gratis
+or for a fee, you must give the recipients all the rights that we gave
+you. You must make sure that they, too, receive or can get the source
+code. If you link other code with the library, you must provide
+complete object files to the recipients, so that they can relink them
+with the library after making changes to the library and recompiling
+it. And you must show them these terms so they know their rights.
+
+ We protect your rights with a two-step method: (1) we copyright the
+library, and (2) we offer you this license, which gives you legal
+permission to copy, distribute and/or modify the library.
+
+ To protect each distributor, we want to make it very clear that
+there is no warranty for the free library. Also, if the library is
+modified by someone else and passed on, the recipients should know
+that what they have is not the original version, so that the original
+author's reputation will not be affected by problems that might be
+introduced by others.
+
+ Finally, software patents pose a constant threat to the existence of
+any free program. We wish to make sure that a company cannot
+effectively restrict the users of a free program by obtaining a
+restrictive license from a patent holder. Therefore, we insist that
+any patent license obtained for a version of the library must be
+consistent with the full freedom of use specified in this license.
+
+ Most GNU software, including some libraries, is covered by the
+ordinary GNU General Public License. This license, the GNU Lesser
+General Public License, applies to certain designated libraries, and
+is quite different from the ordinary General Public License. We use
+this license for certain libraries in order to permit linking those
+libraries into non-free programs.
+
+ When a program is linked with a library, whether statically or using
+a shared library, the combination of the two is legally speaking a
+combined work, a derivative of the original library. The ordinary
+General Public License therefore permits such linking only if the
+entire combination fits its criteria of freedom. The Lesser General
+Public License permits more lax criteria for linking other code with
+the library.
+
+ We call this license the "Lesser" General Public License because it
+does Less to protect the user's freedom than the ordinary General
+Public License. It also provides other free software developers Less
+of an advantage over competing non-free programs. These disadvantages
+are the reason we use the ordinary General Public License for many
+libraries. However, the Lesser license provides advantages in certain
+special circumstances.
+
+ For example, on rare occasions, there may be a special need to
+encourage the widest possible use of a certain library, so that it becomes
+a de-facto standard. To achieve this, non-free programs must be
+allowed to use the library. A more frequent case is that a free
+library does the same job as widely used non-free libraries. In this
+case, there is little to gain by limiting the free library to free
+software only, so we use the Lesser General Public License.
+
+ In other cases, permission to use a particular library in non-free
+programs enables a greater number of people to use a large body of
+free software. For example, permission to use the GNU C Library in
+non-free programs enables many more people to use the whole GNU
+operating system, as well as its variant, the GNU/Linux operating
+system.
+
+ Although the Lesser General Public License is Less protective of the
+users' freedom, it does ensure that the user of a program that is
+linked with the Library has the freedom and the wherewithal to run
+that program using a modified version of the Library.
+
+ The precise terms and conditions for copying, distribution and
+modification follow. Pay close attention to the difference between a
+"work based on the library" and a "work that uses the library". The
+former contains code derived from the library, whereas the latter must
+be combined with the library in order to run.
+
+ GNU LESSER GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License Agreement applies to any software library or other
+program which contains a notice placed by the copyright holder or
+other authorized party saying it may be distributed under the terms of
+this Lesser General Public License (also called "this License").
+Each licensee is addressed as "you".
+
+ A "library" means a collection of software functions and/or data
+prepared so as to be conveniently linked with application programs
+(which use some of those functions and data) to form executables.
+
+ The "Library", below, refers to any such software library or work
+which has been distributed under these terms. A "work based on the
+Library" means either the Library or any derivative work under
+copyright law: that is to say, a work containing the Library or a
+portion of it, either verbatim or with modifications and/or translated
+straightforwardly into another language. (Hereinafter, translation is
+included without limitation in the term "modification".)
+
+ "Source code" for a work means the preferred form of the work for
+making modifications to it. For a library, complete source code means
+all the source code for all modules it contains, plus any associated
+interface definition files, plus the scripts used to control compilation
+and installation of the library.
+
+ Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running a program using the Library is not restricted, and output from
+such a program is covered only if its contents constitute a work based
+on the Library (independent of the use of the Library in a tool for
+writing it). Whether that is true depends on what the Library does
+and what the program that uses the Library does.
+
+ 1. You may copy and distribute verbatim copies of the Library's
+complete source code as you receive it, in any medium, provided that
+you conspicuously and appropriately publish on each copy an
+appropriate copyright notice and disclaimer of warranty; keep intact
+all the notices that refer to this License and to the absence of any
+warranty; and distribute a copy of this License along with the
+Library.
+
+ You may charge a fee for the physical act of transferring a copy,
+and you may at your option offer warranty protection in exchange for a
+fee.
+
+ 2. You may modify your copy or copies of the Library or any portion
+of it, thus forming a work based on the Library, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) The modified work must itself be a software library.
+
+ b) You must cause the files modified to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ c) You must cause the whole of the work to be licensed at no
+ charge to all third parties under the terms of this License.
+
+ d) If a facility in the modified Library refers to a function or a
+ table of data to be supplied by an application program that uses
+ the facility, other than as an argument passed when the facility
+ is invoked, then you must make a good faith effort to ensure that,
+ in the event an application does not supply such function or
+ table, the facility still operates, and performs whatever part of
+ its purpose remains meaningful.
+
+ (For example, a function in a library to compute square roots has
+ a purpose that is entirely well-defined independent of the
+ application. Therefore, Subsection 2d requires that any
+ application-supplied function or table used by this function must
+ be optional: if the application does not supply it, the square
+ root function must still compute square roots.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Library,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Library, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote
+it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Library.
+
+In addition, mere aggregation of another work not based on the Library
+with the Library (or with a work based on the Library) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may opt to apply the terms of the ordinary GNU General Public
+License instead of this License to a given copy of the Library. To do
+this, you must alter all the notices that refer to this License, so
+that they refer to the ordinary GNU General Public License, version 2,
+instead of to this License. (If a newer version than version 2 of the
+ordinary GNU General Public License has appeared, then you can specify
+that version instead if you wish.) Do not make any other change in
+these notices.
+
+ Once this change is made in a given copy, it is irreversible for
+that copy, so the ordinary GNU General Public License applies to all
+subsequent copies and derivative works made from that copy.
+
+ This option is useful when you wish to copy part of the code of
+the Library into a program that is not a library.
+
+ 4. You may copy and distribute the Library (or a portion or
+derivative of it, under Section 2) in object code or executable form
+under the terms of Sections 1 and 2 above provided that you accompany
+it with the complete corresponding machine-readable source code, which
+must be distributed under the terms of Sections 1 and 2 above on a
+medium customarily used for software interchange.
+
+ If distribution of object code is made by offering access to copy
+from a designated place, then offering equivalent access to copy the
+source code from the same place satisfies the requirement to
+distribute the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 5. A program that contains no derivative of any portion of the
+Library, but is designed to work with the Library by being compiled or
+linked with it, is called a "work that uses the Library". Such a
+work, in isolation, is not a derivative work of the Library, and
+therefore falls outside the scope of this License.
+
+ However, linking a "work that uses the Library" with the Library
+creates an executable that is a derivative of the Library (because it
+contains portions of the Library), rather than a "work that uses the
+library". The executable is therefore covered by this License.
+Section 6 states terms for distribution of such executables.
+
+ When a "work that uses the Library" uses material from a header file
+that is part of the Library, the object code for the work may be a
+derivative work of the Library even though the source code is not.
+Whether this is true is especially significant if the work can be
+linked without the Library, or if the work is itself a library. The
+threshold for this to be true is not precisely defined by law.
+
+ If such an object file uses only numerical parameters, data
+structure layouts and accessors, and small macros and small inline
+functions (ten lines or less in length), then the use of the object
+file is unrestricted, regardless of whether it is legally a derivative
+work. (Executables containing this object code plus portions of the
+Library will still fall under Section 6.)
+
+ Otherwise, if the work is a derivative of the Library, you may
+distribute the object code for the work under the terms of Section 6.
+Any executables containing that work also fall under Section 6,
+whether or not they are linked directly with the Library itself.
+
+ 6. As an exception to the Sections above, you may also combine or
+link a "work that uses the Library" with the Library to produce a
+work containing portions of the Library, and distribute that work
+under terms of your choice, provided that the terms permit
+modification of the work for the customer's own use and reverse
+engineering for debugging such modifications.
+
+ You must give prominent notice with each copy of the work that the
+Library is used in it and that the Library and its use are covered by
+this License. You must supply a copy of this License. If the work
+during execution displays copyright notices, you must include the
+copyright notice for the Library among them, as well as a reference
+directing the user to the copy of this License. Also, you must do one
+of these things:
+
+ a) Accompany the work with the complete corresponding
+ machine-readable source code for the Library including whatever
+ changes were used in the work (which must be distributed under
+ Sections 1 and 2 above); and, if the work is an executable linked
+ with the Library, with the complete machine-readable "work that
+ uses the Library", as object code and/or source code, so that the
+ user can modify the Library and then relink to produce a modified
+ executable containing the modified Library. (It is understood
+ that the user who changes the contents of definitions files in the
+ Library will not necessarily be able to recompile the application
+ to use the modified definitions.)
+
+ b) Use a suitable shared library mechanism for linking with the
+ Library. A suitable mechanism is one that (1) uses at run time a
+ copy of the library already present on the user's computer system,
+ rather than copying library functions into the executable, and (2)
+ will operate properly with a modified version of the library, if
+ the user installs one, as long as the modified version is
+ interface-compatible with the version that the work was made with.
+
+ c) Accompany the work with a written offer, valid for at
+ least three years, to give the same user the materials
+ specified in Subsection 6a, above, for a charge no more
+ than the cost of performing this distribution.
+
+ d) If distribution of the work is made by offering access to copy
+ from a designated place, offer equivalent access to copy the above
+ specified materials from the same place.
+
+ e) Verify that the user has already received a copy of these
+ materials or that you have already sent this user a copy.
+
+ For an executable, the required form of the "work that uses the
+Library" must include any data and utility programs needed for
+reproducing the executable from it. However, as a special exception,
+the materials to be distributed need not include anything that is
+normally distributed (in either source or binary form) with the major
+components (compiler, kernel, and so on) of the operating system on
+which the executable runs, unless that component itself accompanies
+the executable.
+
+ It may happen that this requirement contradicts the license
+restrictions of other proprietary libraries that do not normally
+accompany the operating system. Such a contradiction means you cannot
+use both them and the Library together in an executable that you
+distribute.
+
+ 7. You may place library facilities that are a work based on the
+Library side-by-side in a single library together with other library
+facilities not covered by this License, and distribute such a combined
+library, provided that the separate distribution of the work based on
+the Library and of the other library facilities is otherwise
+permitted, and provided that you do these two things:
+
+ a) Accompany the combined library with a copy of the same work
+ based on the Library, uncombined with any other library
+ facilities. This must be distributed under the terms of the
+ Sections above.
+
+ b) Give prominent notice with the combined library of the fact
+ that part of it is a work based on the Library, and explaining
+ where to find the accompanying uncombined form of the same work.
+
+ 8. You may not copy, modify, sublicense, link with, or distribute
+the Library except as expressly provided under this License. Any
+attempt otherwise to copy, modify, sublicense, link with, or
+distribute the Library is void, and will automatically terminate your
+rights under this License. However, parties who have received copies,
+or rights, from you under this License will not have their licenses
+terminated so long as such parties remain in full compliance.
+
+ 9. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Library or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Library (or any work based on the
+Library), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Library or works based on it.
+
+ 10. Each time you redistribute the Library (or any work based on the
+Library), the recipient automatically receives a license from the
+original licensor to copy, distribute, link with or modify the Library
+subject to these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties with
+this License.
+
+ 11. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Library at all. For example, if a patent
+license would not permit royalty-free redistribution of the Library by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Library.
+
+If any portion of this section is held invalid or unenforceable under any
+particular circumstance, the balance of the section is intended to apply,
+and the section as a whole is intended to apply in other circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 12. If the distribution and/or use of the Library is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Library under this License may add
+an explicit geographical distribution limitation excluding those countries,
+so that distribution is permitted only in or among countries not thus
+excluded. In such case, this License incorporates the limitation as if
+written in the body of this License.
+
+ 13. The Free Software Foundation may publish revised and/or new
+versions of the Lesser General Public License from time to time.
+Such new versions will be similar in spirit to the present version,
+but may differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Library
+specifies a version number of this License which applies to it and
+"any later version", you have the option of following the terms and
+conditions either of that version or of any later version published by
+the Free Software Foundation. If the Library does not specify a
+license version number, you may choose any version ever published by
+the Free Software Foundation.
+
+ 14. If you wish to incorporate parts of the Library into other free
+programs whose distribution conditions are incompatible with these,
+write to the author to ask for permission. For software which is
+copyrighted by the Free Software Foundation, write to the Free
+Software Foundation; we sometimes make exceptions for this. Our
+decision will be guided by the two goals of preserving the free status
+of all derivatives of our free software and of promoting the sharing
+and reuse of software generally.
+
+ NO WARRANTY
+
+ 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
+WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
+EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
+OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
+KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
+LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
+THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+ 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
+WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
+AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
+FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
+CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
+LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
+RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
+FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
+SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Libraries
+
+ If you develop a new library, and you want it to be of the greatest
+possible use to the public, we recommend making it free software that
+everyone can redistribute and change. You can do so by permitting
+redistribution under these terms (or, alternatively, under the terms of the
+ordinary General Public License).
+
+ To apply these terms, attach the following notices to the library. It is
+safest to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least the
+"copyright" line and a pointer to where the full notice is found.
+
+
+ Copyright (C)
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+Also add information on how to contact you by electronic and paper mail.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the library, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the
+ library `Frob' (a library for tweaking knobs) written by James Random Hacker.
+
+ , 1 April 1990
+ Ty Coon, President of Vice
+
+That's all there is to it!
+
+
diff --git a/README b/README
deleted file mode 100644
index cdc9b1bcf4d..00000000000
--- a/README
+++ /dev/null
@@ -1,4 +0,0 @@
-See doc/README for general documentation.
-
-See doc/licences/LICENSE for license conditions of EJBCA and others
-files for 3rd party tools.
diff --git a/README.md b/README.md
new file mode 100644
index 00000000000..5d3e774b369
--- /dev/null
+++ b/README.md
@@ -0,0 +1,70 @@
+
+
+
+[](https://github.com/Keyfactor/ejbca-ce/discussions)
+[](https://www.bestpractices.dev/projects/9419)
+
+The open-source public key infrastructure (PKI) and certificate authority (CA) software **EJBCA** is one of the longest-running CA software projects. EJBCA is platform-independent and covers all your needs – from certificate enrollment, via certificate management, to certificate validation.
+
+EJBCA is developed in Java and runs on a JVM such as OpenJDK, available on most platforms, such as Linux and Windows. There are two versions of EJBCA:
+* **[EJBCA Community](https://www.ejbca.org/)** (EJBCA CE) - free and open source, OSI Certified Open Source Software, LGPL-licensed subset of EJBCA Enterprise
+* **[EJBCA Enterprise](https://www.keyfactor.com/products/ejbca-enterprise/)** (EJBCA EE) - commercial and Common Criteria certified
+
+OSI Certified is a certification mark of the Open Source Initiative.
+
+## Get started
+
+To get started with **EJBCA Community**, clone **[ejbca-ce](https://github.com/Keyfactor/ejbca-ce)** and install it, see **[EJBCA Installation](https://docs.keyfactor.com/ejbca/latest/ejbca-installation)**.
+
+You can also easily run EJBCA as a container from **[Dockerhub](https://hub.docker.com/r/keyfactor/ejbca-ce)**.
+
+## Community Support
+
+The Community software is open source and community supported, there is no support SLA, but a helpful best-effort Community.
+
+* To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab.
+* If you want to contribute to the project, see our **[Contributing guidelines](CONTRIBUTING.md)**.
+* If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
+* Ask the community for ideas: **[EJBCA Discussions](https://github.com/Keyfactor/ejbca-ce/discussions)**.
+* Read more in our documentation: **[EJBCA Documentation](https://docs.keyfactor.com/ejbca/)**.
+* See release information: **[EJBCA Release information](https://docs.keyfactor.com/ejbca/latest/ejbca-release-information)**.
+* Read more on the open source project website: **[EJBCA website](https://www.ejbca.org/)**.
+* Check out the download options: **[Download EJBCA](https://www.ejbca.org/download)**.
+* View differences between Community and Enterprise: **[EJBCA Community vs Enterprise](https://www.ejbca.org/community-vs-enterprise/)**.
+
+## Commercial Support
+Commercial support is available for **[EJBCA Enterprise](https://www.keyfactor.com/products/ejbca-enterprise/)**.
+
+## License
+EJBCA Community is licensed under the LGPL license, please see **[LICENSE](LICENSE)**.
+
+## Related projects
+* [Keyfactor/ejbca-tools](https://github.com/Keyfactor/ejbca-tools)
+* [Keyfactor/keyfactorcommunity](https://github.com/Keyfactor/keyfactorcommunity)
+* [Keyfactor/ejbca-cert-cvc](https://github.com/Keyfactor/ejbca-cert-cvc)
+* [Keyfactor/signserver-ce](https://github.com/Keyfactor/signserver-ce)
+
+### Integrations
+* [Vault PKI Engine](https://github.com/Keyfactor/ejbca-vault-pki-engine)
+* [Cert-manager issuer](https://github.com/Keyfactor/ejbca-cert-manager-issuer)
+* [K8s CSR Signer](https://github.com/Keyfactor/ejbca-k8s-csr-signer)
+
+### Automation and Containers
+* [Ansible Playbooks](https://github.com/Keyfactor/ansible-ejbca-signserver-playbooks)
+* [Community Helm Chart](https://github.com/Keyfactor/ejbca-community-helm)
+
+### Clients and Client SDKs
+* [Java Easy Rest Client](https://github.com/Keyfactor/ejbca-easy-rest-client)
+* [Go Client](https://github.com/Keyfactor/ejbca-go-client)
+* [Go Client SDK](https://github.com/Keyfactor/ejbca-go-client-sdk)
+* [Python Client SDK](https://github.com/Keyfactor/ejbca-python-client-sdk)
+* [Java Client SDK](https://github.com/Keyfactor/ejbca-java-client-sdk)
+* [C# Client SDK](https://github.com/Keyfactor/ejbca-csharp-client-sdk)
+
+### All EJBCA repos
+* [All Keyfactor EJBCA repositories](https://github.com/orgs/Keyfactor/repositories?q=ejbca+sort%3Astars)
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000000..1eda3fa7b7e
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,14 @@
+# Security Policy
+
+## Reporting a Vulnerability
+If you think that you have found a security vulnerability, please report it to this email address: [security@primekey.com](mailto:security@primekey.com)
+
+Describe the issue including all details, for example:
+* Short summary of the problem
+* Steps to reproduce
+* Affected product versions
+* Logs if available
+
+The Keyfactor team will send a response indicating the next steps in handling your report. You may be asked to provide additional information or guidance.
+
+If the issue is confirmed as a vulnerability, we will open a Security Advisory and acknowledge your contributions as part of it. Optionally, you can have your name and contact information listed on the [Contributors](https://www.ejbca.org/contributors/) page.
diff --git a/bin/batchenrollmentgui.cmd b/bin/batchenrollmentgui.cmd
deleted file mode 100644
index b320aa7cebf..00000000000
--- a/bin/batchenrollmentgui.cmd
+++ /dev/null
@@ -1,44 +0,0 @@
-@echo off
-
-rem Check that JAVA_HOME is set
-if "%JAVA_HOME%" == "" (
- echo You must set JAVA_HOME before running the EJBCA batch enrollment gui.
- goto end
-)
-
-set EJBCA_HOME=..
-rem It must work to call both as bin\ejbca.cmd or from within bin
-if not exist ejbca.cmd set EJBCA_HOME=.
-
-rem check that we have built the JAR
-if not exist %EJBCA_HOME%\modules\batchenrollment-gui\dist\batchenrollment-gui.jar (
- echo You must build EJBCA before using the cli, use 'ant'.
- goto end
-)
-
-
-rem Fixup arguments, we have to do this since windows normally only
-rem supports %1-%9 as command line arguments
-set a=%1
-set b=%2
-set c=%3
-set d=%4
-set e=%5
-set f=%6
-set g=%7
-set h=%8
-set i=%9
-shift
-set j=%9
-shift
-set k=%9
-shift
-set l=%9
-shift
-set m=%9
-rem echo %a% %b% %c% %d% %e% %f% %g% %h% %i% %j% %k% %l% %m%
-
-cd "%EJBCA_HOME%\modules\batchenrollment-gui"
-"%JAVA_HOME%\bin\java" -jar "dist\batchenrollment-gui.jar" %a% %b% %c% %d% %e% %f% %g% %h% %i% %j% %k% %l% %m%
-
-:end
\ No newline at end of file
diff --git a/bin/batchenrollmentgui.sh b/bin/batchenrollmentgui.sh
deleted file mode 100755
index 9dfb618efec..00000000000
--- a/bin/batchenrollmentgui.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/usr/bin/env bash
-
-JAVACMD=`which java`
-# Check that JAVA_HOME is set
-if [ ! -n "$JAVA_HOME" ]; then
- if [ ! -n "$JAVACMD" ]
- then
- echo "You must set JAVA_HOME before running the EJBCA Batch Enrollment GUI." 1>&2
- exit 1
- fi
-else
- JAVACMD=$JAVA_HOME/bin/java
-fi
-
-if [ -z "$EJBCA_HOME" ] ; then
- EJBCA_FILE="$0"
- EJBCA_HOME=`echo $(dirname $EJBCA_FILE)`
- cd $EJBCA_HOME
- cd ..
- EJBCA_HOME=`pwd`
-fi
-
-OLD_PWD=`pwd`
-cd "$EJBCA_HOME/modules/batchenrollment-gui"
-exec "$JAVACMD" -jar $EJBCA_HOME/modules/batchenrollment-gui/dist/batchenrollment-gui.jar "$@"
-cd "$OLD_PWD"
-
diff --git a/bin/cli.xml b/bin/cli.xml
index 61c8e7c76ee..b7001aba83f 100644
--- a/bin/cli.xml
+++ b/bin/cli.xml
@@ -42,7 +42,7 @@
-
+
@@ -65,6 +65,7 @@ ca.policy : ${ca.policy}
ca.tokenproperties : ${ca.tokenproperties}
httpsserver.hostname : ${httpsserver.hostname}
httpsserver.dn : ${httpsserver.dn}
+httpsserver.tokentype : ${httpsserver.tokentype}
superadmin.cn : ${superadmin.cn}
superadmin.dn : ${superadmin.dn}
superadmin.batch : ${superadmin.batch}
@@ -77,7 +78,7 @@ appserver.home : ${appserver.home}
-
+ Adding to or creating keystore: ${trust.keystore}
@@ -109,371 +110,85 @@ appserver.home : ${appserver.home}
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
-
-
-
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
-
-
+
+
+
+
-
-
+
+
+
+
+
+
+
-
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- You still should configure SSL manually for Glassfish
-
-
-
- Undeploying any existing EJBCA application.
-
-
-
- Deploying EJBCA application.
-
-
-
-
-
-
-
-
- You still have to configure DataSources manually for Glassfish
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/bin/jboss.xml b/bin/jboss.xml
index 7add73993cf..7c97669fe4f 100644
--- a/bin/jboss.xml
+++ b/bin/jboss.xml
@@ -24,7 +24,6 @@
-
@@ -40,8 +39,18 @@
-
-
+
+
+
+
+
+
+
+
+
+
+
+
@@ -65,20 +74,20 @@
-
-
+
+
-
+
-
-
+
+
-
+
@@ -97,9 +106,4 @@
-
-
-
-
-
diff --git a/bin/log4j-cli.properties b/bin/log4j-cli.properties
new file mode 100755
index 00000000000..14054d51f7f
--- /dev/null
+++ b/bin/log4j-cli.properties
@@ -0,0 +1,20 @@
+# Set root logger level to DEBUG for debug output.
+log4j.rootLogger=INFO, A1
+
+# A1 is set to be a ConsoleAppender.
+log4j.appender.A1=org.apache.log4j.ConsoleAppender
+
+# A1 uses PatternLayout.
+log4j.appender.A1.layout=org.apache.log4j.PatternLayout
+# Don't use any timestamp in CLI outputs. The output may be consumed by scripts, and should not be prefixed
+log4j.appender.A1.layout.ConversionPattern=%m%n
+log4j.logger.org.apache.commons.beanutils=ERROR
+log4j.logger.org.jboss=WARN
+log4j.logger.org.wildfly=WARN
+log4j.logger.org.xnio=WARN
+log4j.logger.com.keyfactor=INFO
+log4j.logger.org.cesecore=INFO
+# Suppress "Allow external re-configuration: ..." message
+log4j.logger.org.cesecore.config.ConfigurationHolder=WARN
+log4j.logger.org.ejbca.config.EjbcaConfigurationHolder=WARN
+log4j.logger.org.ejbca=INFO
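Review bot: With the `%m%n` ConversionPattern and ConsoleAppender's default target, any WARN/ERROR events the org.jboss, org.wildfly and org.xnio loggers still emit are written to the same stdout stream as the CLI's own output with no level marker, so a script consuming that output (the stated reason for dropping the timestamp) cannot separate diagnostics from results. One option is a second appender for warnings only, `log4j.appender.A2=org.apache.log4j.ConsoleAppender`, `log4j.appender.A2.Target=System.err`, `log4j.appender.A2.Threshold=WARN`, listed alongside A1 on `log4j.rootLogger`; WARN+ events would then still also reach A1 unless A1 is range-filtered, which may be why a single appender was kept. At minimum the trade-off should be recorded next to the pattern, e.g. `# Note: WARN/ERROR events from server libraries share stdout with the CLI output and carry no level prefix`.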
diff --git a/bin/log4j.properties b/bin/log4j.properties
deleted file mode 100644
index 64bc561db25..00000000000
--- a/bin/log4j.properties
+++ /dev/null
@@ -1,9 +0,0 @@
-# Set root logger level to DEBUG for debug output.
-log4j.rootLogger=INFO, A1
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-
-# A1 uses PatternLayout.
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=%-4r [%t] %-5p %c %x - %m%n
diff --git a/bin/nCipherHSM.cmd b/bin/nCipherHSM.cmd
deleted file mode 100755
index 455bc2acdb0..00000000000
--- a/bin/nCipherHSM.cmd
+++ /dev/null
@@ -1,38 +0,0 @@
-@echo off
-
-rem
-rem Bruno Bonfils,
-rem January 2007
-rem
-rem Create a key via a netHSM device
-rem Example:
-rem
-if "%JAVA_HOME%" == "" (
- echo You must set JAVA_HOME before running the nCipher cli.
- goto end
-)
-
-if "%EJBCA_HOME%" == "" (
- echo You must set EJBCA_HOME before running the nCipher cli.
- goto end
-)
-
-if "%NFAST_HOME%" == "" (
- echo Warning: NFAST_HOME not set, using default to /opt/nfast
- set NFAST_HOME=\opt\nfast
-)
-
-set NFAST_JARS=%NFAST_HOME%\java\classes
-
-rem Add nfast's JARs to classpath
-set CLASSES=%NFAST_JARS%\rsaprivenc.jar;%NFAST_JARS%\nfjava.jar;%NFAST_JARS%\kmjava.jar;%NFAST_JARS%\kmcsp.jar;%NFAST_JARS%\jutils.jar
-
-if exist "%EJBCA_HOME%\dist\clientToolBox\clientToolBox.jar" goto exists
- echo You have to build the ClientToolBox before running this command.
- goto end
-:exists
-
-@echo on
-"%JAVA_HOME%\bin\java" -cp %CLASSES% -jar "%EJBCA_HOME%\dist\clientToolBox\clientToolBox.jar" NCipherHSMKeyTool %1 %2 %3 %4 %5 %6
-
-:end
diff --git a/bin/nCipherHSM.sh b/bin/nCipherHSM.sh
deleted file mode 100755
index 7f5c1facdfd..00000000000
--- a/bin/nCipherHSM.sh
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/bin/bash
-
-#
-# Bruno Bonfils,
-# January 2007
-#
-# Create a key via a netHSM device #
-# Example:
-#
-
-if [ -z "$EJBCA_HOME" ] ; then
- EJBCA_FILE="$0"
- EJBCA_HOME=`echo $(dirname $(dirname $EJBCA_FILE))`
-fi
-
-JAVACMD=`which java`
-# Check that JAVA_HOME is set
-if [ ! -n "$JAVA_HOME" ]; then
- if [ ! -n "$JAVACMD" ]
- then
- echo "You must set JAVA_HOME before running the nCipherHSM cli."
- exit 1
- fi
-else
- JAVACMD=$JAVA_HOME/bin/java
-fi
-
-if [ -z $NFAST_HOME ]; then
- echo "Warning: NFAST_HOME not set, using default to /opt/nfast"
- NFAST_HOME=/opt/nfast
-fi
-
-NFAST_JARS=$NFAST_HOME/java/classes
-
-# Add nfast's JARs to classpath
-for jar in rsaprivenc.jar nfjava.jar kmjava.jar kmcsp.jar jutils.jar
-do
- CLASSES="$CLASSES:$NFAST_JARS/$jar"
-done
-
-if [ ! -f $EJBCA_HOME/dist/clientToolBox/clientToolBox.jar ] ; then
- echo "You have to build the ClientToolBox before running this command."
- exit 1
-fi
-
-# Finally run java
-#set -x
-$JAVACMD -cp $CLASSES -jar $EJBCA_HOME/dist/clientToolBox/clientToolBox.jar NCipherHSMKeyTool "${@}"
-
diff --git a/bin/nCipherJboss.cmd b/bin/nCipherJboss.cmd
deleted file mode 100755
index 72c1e7784d5..00000000000
--- a/bin/nCipherJboss.cmd
+++ /dev/null
@@ -1,48 +0,0 @@
-@echo off
-
-rem
-rem JBoss Control Script
-rem
-
-rem make java is on your path
-set JAVAPTH=%APPSRV_HOME%\bin
-
-rem define the classpath for the shutdown class
-set JBOSSCP=%APPSRV_HOME%\bin\shutdown.jar:%APPSRV_HOME%\client\jnet.jar
-
-rem define the script to use to start jboss
-rem JBOSSSH=${JBOSSSH:-"$APPSRV_HOME/bin/run.sh -c all"}
-
-if "%1" == "-np" (
- set JBOSSSH=%APPSRV_HOME%\bin\run.bat
-) else (
- set JBOSSSH=%NFAST_HOME%\bin\preload %APPSRV_HOME%\bin\run.bat
-)
-
-set CMD_START=%JBOSSSH%
-set CMD_STOP=java -classpath %JBOSSCP% org.jboss.Shutdown --shutdown
-
-set NFAST_JAR=%NFAST_HOME%\java\classes
-set JBOSS_CLASSPATH=%NFAST_JAR%\kmcsp.jar;%NFAST_JAR%\kmjava.jar;%NFAST_JAR%\nfjava.jar;%NFAST_JAR%\rsaprivenc.jar
-rem export JAVA_OPTS="-server -Xms128m -Xmx512m -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -DCKNFAST_LOADSHARING=0 -DJCECSP_DEBUG=229 -DJCECSP_DEBUGFILE=jceLog"
-
-set PATH=%PATH%;%JAVAPTH%
-
-echo CMD_START = %CMD_START%
-
-if "%1" == "start" (
- %CMD_START% %2 %3 %4 %5 %6 %7 %8
-)
-
-if "%1" == "-np" (
- %CMD_START% %3 %4 %5 %6 %7 %8 %9
-)
-
-if "%1" == "stop" (
- %CMD_STOP%
-)
-
-if "%1" == "" (
- echo "usage: %0% ([-np] start|stop|help)"
- echo " -np Run without pre-load"
-)
diff --git a/bin/nCipherJboss.sh b/bin/nCipherJboss.sh
deleted file mode 100755
index 7005c969f13..00000000000
--- a/bin/nCipherJboss.sh
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/bin/bash
-#
-# JBoss Control Script
-#
-
-#make java is on your path
-JAVAPTH=${JAVAPTH:-"$JBOSS_HOME/bin"}
-
-#define the classpath for the shutdown class
-JBOSSCP=${JBOSSCP:-"$JBOSS_HOME/bin/shutdown.jar:$JBOSS_HOME/client/jnet.jar"}
-
-#define the script to use to start jboss
-#JBOSSSH=${JBOSSSH:-"$JBOSS_HOME/bin/run.sh -c all"}
-if [ "$1" != "-np" ]; then
- JBOSSSH=${JBOSSSH:-"/opt/nfast/bin/preload $JBOSS_HOME/bin/run.sh"}
-else
- shift
- JBOSSSH=${JBOSSSH:-"$JBOSS_HOME/bin/run.sh"}
-fi
-CMD_START="$JBOSSSH"
-CMD_STOP="java -classpath $JBOSSCP org.jboss.Shutdown --shutdown"
-
-NFAST_JAR="/opt/nfast/java/classes"
-export JBOSS_CLASSPATH="$NFAST_JAR/kmcsp.jar:$NFAST_JAR/kmjava.jar:$NFAST_JAR/nfjava.jar:$NFAST_JAR/rsaprivenc.jar"
-#export JAVA_OPTS="-server -Xms128m -Xmx512m -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -DCKNFAST_LOADSHARING=0 -DJCECSP_DEBUG=229 -DJCECSP_DEBUGFILE=jceLog"
-
-if [ -z "`echo $PATH | grep $JAVAPTH`" ]; then
- export PATH=$PATH:$JAVAPTH
-fi
-
-if [ ! -d "$JBOSS_HOME" ]; then
- echo JBOSS_HOME does not exist as a valid directory : $JBOSS_HOME
- exit 1
-fi
-
-
-echo CMD_START = $CMD_START
-
-
-case "$1" in
-start)
- shift
- $CMD_START "$@"
- ;;
-stop)
- $CMD_STOP
- ;;
-*)
- echo "usage: $0 ([-np] start|stop|help)"
- echo " -np Run without pre-load"
-esac
diff --git a/bin/pkcs11HSM.cmd b/bin/pkcs11HSM.cmd
deleted file mode 100755
index 074e65b261a..00000000000
--- a/bin/pkcs11HSM.cmd
+++ /dev/null
@@ -1,25 +0,0 @@
-@echo off
-
-rem Create a key via a PKCS11 device
-rem Example:
-rem
-
-if "%JAVA_HOME%" == "" (
- echo You must set JAVA_HOME before running the PKCS#11 cli.
- goto end
-)
-
-if "%EJBCA_HOME%" == "" (
- echo You must set EJBCA_HOME before running the PKCS#11 cli.
- goto end
-)
-
-if exist "%EJBCA_HOME%\dist\clientToolBox\clientToolBox.jar" goto exists
- echo You have to build the ClientToolBox before running this command.
- goto end
-:exists
-
-@echo on
-"%JAVA_HOME%\bin\java" -jar "%EJBCA_HOME%\dist\clientToolBox\clientToolBox.jar" PKCS11HSMKeyTool %1 %2 %3 %4 %5 %6
-
-:end
diff --git a/bin/pkcs11HSM.sh b/bin/pkcs11HSM.sh
deleted file mode 100755
index a40d76829a5..00000000000
--- a/bin/pkcs11HSM.sh
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/bin/bash
-
-#
-# Create a key via a PKCS#11 device #
-# Example:
-#
-
-if [ -z "$EJBCA_HOME" ] ; then
- EJBCA_FILE="$0"
- EJBCA_HOME=`echo $(dirname $(dirname $EJBCA_FILE))`
-fi
-
-JAVACMD=`which java`
-# Check that JAVA_HOME is set
-if [ ! -n "$JAVA_HOME" ]; then
- if [ ! -n "$JAVACMD" ]
- then
- echo "You must set JAVA_HOME before running the EJBCA cli."
- exit 1
- fi
-else
- JAVACMD=$JAVA_HOME/bin/java
-fi
-
-#CLASSES=$CLASSES:$APPSRV_HOME/server/default/lib/iaik_jce.jar
-#CLASSES=$CLASSES:$APPSRV_HOME/server/default/lib/iaikPkcs11Provider.jar
-#CLASSES=$CLASSES:$APPSRV_HOME/server/default/lib/iaikPkcs11Wrapper.jar
-#CLASSES=$CLASSES:$EJBCA_HOME/tmp/bin/clientToolBox-classes
-# use this instead if you want build from eclipse
-#CLASSES=$CLASSES:$EJBCA_HOME/out/classes
-
-if [ ! -f $EJBCA_HOME/dist/clientToolBox/clientToolBox.jar ] ; then
- echo "You have to build the ClientToolBox before running this command."
- exit 1
-fi
-
-# Finally run java
-#set -x
-# -cp $CLASSES
-$JAVACMD -jar $EJBCA_HOME/dist/clientToolBox/clientToolBox.jar PKCS11HSMKeyTool "${@}"
diff --git a/build.gradle.kts b/build.gradle.kts
new file mode 100644
index 00000000000..73f891fd945
--- /dev/null
+++ b/build.gradle.kts
@@ -0,0 +1,245 @@
+import java.util.Properties
+
+val props: Properties = Properties().apply {
+ load(file("conf/ejbca.properties").inputStream())
+}
+
+// Specify what edition you want to build by passing -Pedition=ee or =ce (default: ee)
+val editionProp = providers.gradleProperty("edition").getOrElse("ee")
+val eeModuleExists = file("modules/edition-specific-ee").exists()
+val edition = if (editionProp == "ce" || !eeModuleExists) "ce" else "ee"
+
+allprojects {
+ repositories {
+ flatDir {
+ dirs(rootProject.projectDir.resolve("lib"))
+ dirs(rootProject.projectDir.resolve("lib/jee"))
+ dirs(rootProject.projectDir.resolve("lib/ext"))
+ dirs(rootProject.projectDir.resolve("lib/hibernate"))
+ dirs(rootProject.projectDir.resolve("lib/xstream"))
+ dirs(rootProject.projectDir.resolve("lib/jee/soapclient"))
+ dirs(rootProject.projectDir.resolve("lib/ext/jackson2"))
+ dirs(rootProject.projectDir.resolve("lib/swagger"))
+ dirs(rootProject.projectDir.resolve("lib/ext/swagger"))
+ dirs(rootProject.projectDir.resolve("lib/primefaces"))
+ dirs(rootProject.projectDir.resolve("lib/ct"))
+ }
+ }
+ extra["edition"] = edition
+}
+
+plugins {
+ ear
+}
+
+configurations {
+ // Custom configuration for jar files that are both modules and lib
+ create("earlibanddeploy")
+}
+
+
+dependencies {
+ "earlibanddeploy"(project(path = ":modules:ejbca-ejb", configuration = "archives"))
+ deploy(project(path = ":modules:cesecore-ejb", configuration = "archives"))
+ deploy(project(path = ":modules:ejbca-ws", configuration = "archives"))
+ deploy(project(path = ":modules:admin-gui", configuration = "archives"))
+ deploy(project(path = ":modules:ejbca-cmp-war", configuration = "archives"))
+ deploy(project(path = ":modules:ejbca-scep-war", configuration = "archives"))
+ deploy(project(path = ":modules:healthcheck-war", configuration = "archives"))
+ deploy(project(path = ":modules:clearcache-war", configuration = "archives"))
+ deploy(project(path = ":modules:ejbca-webdist-war", configuration = "archives"))
+ deploy(project(path = ":modules:va", configuration = "archives"))
+ deploy(project(path = ":modules:certificatestore", configuration = "archives"))
+ deploy(project(path = ":modules:crlstore", configuration = "archives"))
+ deploy(project(path = ":modules:ra-gui", configuration = "archives"))
+ if (edition == "ee") {
+ "earlibanddeploy"(project(path = ":modules:edition-specific-ee", configuration = "archives"))
+ deploy(project(path = ":modules:statedump:ejb", configuration = "archives"))
+ deploy(project(path = ":modules:configdump:ejb", configuration = "archives"))
+ deploy(project(path = ":modules:peerconnector:rar", configuration = "archives"))
+ deploy(project(path = ":modules:peerconnector:war", configuration = "archives"))
+ deploy(project(path = ":modules:peerconnector:ejb", configuration = "archives"))
+ deploy(project(path = ":modules:acme", configuration = "archives"))
+ deploy(project(path = ":modules:ssh:war", configuration = "archives"))
+ deploy(project(path = ":modules:msae", configuration = "archives"))
+ deploy(project(path = ":modules:cits", configuration = "archives"))
+ deploy(project(path = ":modules:est", configuration = "archives"))
+ deploy(project(path = ":modules:ejbca-rest-api", configuration = "archives"))
+ earlib(project(path = ":modules:statedump:common", configuration = "archives"))
+ earlib(project(path = ":modules:configdump:common", configuration = "archives"))
+ earlib(project(path = ":modules:peerconnector:ra", configuration = "archives"))
+ earlib(project(path = ":modules:peerconnector:publ", configuration = "archives"))
+ earlib(project(path = ":modules:peerconnector:interface", configuration = "archives"))
+ earlib(project(path = ":modules:peerconnector:common", configuration = "archives"))
+ earlib(project(path = ":modules:plugins-ee", configuration = "archives"))
+ }
+ if (edition == "ce") {
+ // When edition is CE we use :modules:edition-specific:ejb as a replacement for :modules:edition-specific-ee
+ "earlibanddeploy"(project(path = ":modules:edition-specific:ejb", configuration="archives"))
+ }
+ if (edition == "ee" && !props.getProperty("ejbca.productionmode", "true").toBoolean()) {
+ deploy(":swagger-ui@war")
+ }
+ if (!props.getProperty("ejbca.productionmode", "true").toBoolean()) {
+ deploy(project(":modules:systemtests:ejb"))
+ }
+ // External libraries
+ earlib(libs.bcpkix)
+ earlib(libs.bcprov)
+ earlib(libs.bctls)
+ earlib(libs.bcutil)
+ earlib(libs.cert.cvc)
+ earlib(libs.jldap)
+ earlib(libs.adsddl)
+ earlib(libs.commons.beanutils)
+ earlib(libs.commons.codec)
+ earlib(libs.commons.collections4)
+ earlib(libs.commons.configuration2)
+ earlib(libs.commons.fileupload)
+ earlib(libs.commons.io)
+ earlib(libs.commons.lang)
+ earlib(libs.commons.lang3)
+ earlib(libs.commons.logging)
+ earlib(libs.commons.text)
+ earlib(libs.nimbus.jose.jwt)
+ earlib(libs.httpclient)
+ earlib(libs.httpcore)
+ earlib(libs.httpmime)
+ earlib(libs.json.simple)
+ earlib(libs.jcip.annotations)
+ earlib(libs.snakeyaml)
+ earlib(libs.guava)
+ earlib(libs.caffeine)
+ earlib(libs.jsch)
+ earlib(libs.jna)
+ earlib(libs.kerb4j.server.common)
+ earlib(libs.kerb.core)
+ earlib(libs.kerby.asn1)
+ earlib(libs.kerb.crypto)
+ earlib(libs.x509.common.util)
+ earlib(libs.cryptotokens.api)
+ earlib(libs.cryptotokens.impl)
+ earlib(libs.jacknji11)
+ earlib(libs.log4j.v12.api)
+ earlib(libs.log4j.api)
+ earlib(libs.log4j.core)
+ // Jackson
+ earlib(libs.jackson.annotations)
+ earlib(libs.jackson.core)
+ earlib(libs.jackson.databind)
+ earlib(libs.jackson.dataformat.yaml)
+ // Xstream
+ earlib(libs.xmlpull)
+ earlib(libs.xpp3.min)
+ earlib(libs.xstream)
+ // Internally generated WS files
+ earlib(libs.ejbca.ws.client.gen)
+ // EE Only external libraries
+ if (edition == "ee") {
+ earlib(libs.ctlog)
+ earlib(libs.dnsjava)
+ earlib(libs.protobuf.java)
+ earlib(libs.p11ng)
+ }
+ // Internal modules packaged as libraries
+ earlib(project(path = ":modules:cesecore-common", configuration = "archives"))
+ earlib(project(path = ":modules:cesecore-entity", configuration = "archives"))
+ earlib(project(path = ":modules:cesecore-ejb-interface", configuration = "archives"))
+ earlib(project(path = ":modules:cesecore-x509ca", configuration = "archives"))
+ earlib(project(path = ":modules:ejbca-common", configuration = "archives"))
+ earlib(project(path = ":modules:ejbca-common-web", configuration = "archives"))
+ earlib(project(path = ":modules:ejbca-ejb-interface", configuration = "archives"))
+ earlib(project(path = ":modules:ejbca-entity", configuration = "archives"))
+ earlib(project(path = ":modules:ejbca-ws:common", configuration = "archives"))
+ earlib(project(path = ":modules:va:extensions", configuration = "archives"))
+ earlib(project(path = ":modules:ejbca-properties", configuration = "archives"))
+ earlib(project(path = ":modules:edition-specific:interface", configuration = "archives"))
+ earlib(project(path = ":modules:plugins", configuration = "archives"))
+ earlib(project(path = ":modules:ejbca-ws-cli", configuration = "archives"))
+ if (edition == "ee") {
+ earlib(project(path = ":modules:cesecore-cvcca", configuration = "archives"))
+ earlib(project(path = ":modules:acme:common", configuration = "archives"))
+ earlib(project(path = ":modules:ssh:common", configuration = "archives"))
+ earlib(project(path = ":modules:cits:common", configuration = "archives"))
+ earlib(project(path = ":modules:proxy-ca", configuration = "archives"))
+ earlib(project(path = ":modules:caa", configuration = "archives"))
+ earlib(project(path = ":modules:ct", configuration = "archives"))
+ }
+ if (!props.getProperty("ejbca.productionmode", "true").toBoolean()) {
+ "earlibanddeploy"(project(":modules:systemtests:common"))
+ earlib(project(":modules:systemtests:interface"))
+ }
+}
+
+tasks.ear {
+ generateDeploymentDescriptor = false
+ from("src/deploy/ear/META-INF") {
+ include("application.xml")
+ filter { line: String ->
+ line.replace("", "status.war/ejbca/publicweb/status")
+ .replace("", "certstore.war/ejbca/publicweb/certificates")
+ .replace("", "crlstore.war/ejbca/publicweb/crls")
+ .replace("", "ejbca-ws-ejb.jar")
+ .replace("", "ra-gui.war/ejbca/ra")
+ }
+ if (edition == "ee") {
+ filter { line: String ->
+ line.replace("", "status.war/ejbca/publicweb/status")
+ .replace("", "statedump-ejb.jar")
+ .replace("", "configdump-ejb.jar")
+ .replace("", "peerconnector-ejb.jar")
+ .replace("", "peerconnector.rar")
+ .replace("", "peerconnector.war/ejbca/peer")
+ .replace("", "ejbca-rest-api.war/ejbca/ejbca-rest-api")
+ .replace("", "acme.war/ejbca/acme")
+ .replace("", "msae.war/ejbca/msae")
+ .replace("", "est.war/.well-known/est")
+ .replace("", "ssh.war/ejbca/ssh")
+ .replace("", "swagger-ui.war/ejbca/swagger-ui")
+ .replace("", "cits.war/ejbca/its")
+ }
+ }
+ if (!props.getProperty("ejbca.productionmode", "true").toBoolean()) {
+ filter { line: String ->
+ line.replace("", "systemtests-ejb.jar")
+ }
+ }
+ include("jboss-deployment-structure.xml")
+ include("services/*")
+ into("META-INF")
+ }
+ from(configurations["earlibanddeploy"]) {
+ into("lib")
+ }
+ from(configurations["earlibanddeploy"]) {
+ into("/")
+ }
+}
+
+task("deployear") {
+ dependsOn("ear")
+ val appServerHome = System.getenv("APPSRV_HOME")
+ doFirst {
+ if (appServerHome == null) {
+ throw GradleException("APPSRV_HOME environment variable is not set.")
+ }
+ }
+ from(layout.buildDirectory.file("libs/ejbca.ear"))
+ into("$appServerHome/standalone/deployments")
+ doLast {
+ println("Deployed EAR to application server at $appServerHome")
+ }
+}
+
+// Import all Ant targets from build.xml and make them available as Gradle tasks.
+// NOTE: This is a migration convenience that should gradually be phased out in favor of native Gradle tasks.
+ant.importBuild("$projectDir/build.xml") { antTargetName ->
+ // append "-ant" to Ant targets whoese names match existing Gradle tasks
+ val overlapingTargetNames = arrayOf("build", "clean", "deployear")
+ if (antTargetName in overlapingTargetNames) {
+ antTargetName + "-ant"
+ } else {
+ // Gradle doesn't allow task names to contain the ":" character, so let's remap Ant tasks that contain it.
+ antTargetName.replace(":", "-")
+ }
+}
\ No newline at end of file
diff --git a/build.xml b/build.xml
index b935dba54fc..27ff5564624 100644
--- a/build.xml
+++ b/build.xml
@@ -11,8 +11,6 @@
-
-
"
- replacement-file="${eardd.src}/META-INF/application.xml"
- replacement-enabled="${web.renewalenabled}"
- replacement-web-uri="renew.war"
- replacement-context-root="/ejbca/renew"
- />
-
+
+
+
-
-
-
-
-
-
-
+
-
-
@@ -559,25 +553,36 @@
-
-
-
+
+
+
+
-
-
-
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
@@ -594,14 +599,7 @@
-
-
-
-
-
-
-
@@ -610,7 +608,6 @@
-
@@ -619,8 +616,6 @@
-
-
@@ -633,6 +628,8 @@
+
+
@@ -640,7 +637,6 @@
-
@@ -652,8 +648,7 @@
-
-
+
@@ -666,22 +661,22 @@
+
-
-
-
+
+
-
-
+
+
-
-
-
-
-
-
-
@@ -745,7 +733,7 @@
-
@@ -753,7 +741,6 @@
-
@@ -767,14 +754,14 @@
-
-
+
+
@@ -887,7 +874,9 @@
-
+
+
+
@@ -904,7 +893,7 @@
-
+
@@ -916,24 +905,9 @@
-
-
-
-
+
-
-
-
-
@@ -946,20 +920,17 @@
-
-
-
+
+
+
-
+
-
-
-
-
+
@@ -973,17 +944,40 @@
-
-
-
+
+
+
-
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -996,7 +990,6 @@
-
@@ -1011,7 +1004,16 @@
-
+
+
+
+
+
+
+
+
+
+
@@ -1020,79 +1022,19 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
@@ -1102,13 +1044,12 @@
-
-
-
+
+
+
-
@@ -1122,15 +1063,18 @@
+
+
+
+
+
+
-
-
-
-
-
-
-
+
+
+
+
@@ -1363,12 +1307,17 @@ SHA-256 checksum: ${cesecorebinSHA256}
-
+
+
+
+
+
+
@@ -1379,7 +1328,7 @@ SHA-256 checksum: ${cesecorebinSHA256}
replace='\1${Revision}' />
Updated "git.revision" to: ${Revision}
-
+
@@ -1391,7 +1340,7 @@ SHA-256 checksum: ${cesecorebinSHA256}
replace='\1${app.edition}' />
Updated "app.edition.verbose" to: ${app.edition}
-
+
-
-
-
-
-
-
-
-
-
-
-
diff --git a/conf/catoken.properties.sample b/conf/catoken.properties.sample
index e6a4ed9d4f9..9ba0336add4 100644
--- a/conf/catoken.properties.sample
+++ b/conf/catoken.properties.sample
@@ -26,3 +26,4 @@ defaultKey defaultRoot
certSignKey signRoot
crlSignKey signRoot
testKey testRoot
+alternativeCertSignKey alternativeSignRoot
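Review bot: The new `alternativeCertSignKey alternativeSignRoot` alias is added to the sample with no comment on when EJBCA uses it, and because this file is copied verbatim into real token configurations an unexplained alias is likely to be carried along without the operator knowing whether a key must exist under it. A one-line comment above it would do, e.g. `# Alias of a second CA signing key; presumably only consulted when the CA is configured with an alternative signing algorithm — confirm against the CA token documentation.` The diff does not show which code reads the alias, so the wording needs checking before it is committed.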
diff --git a/conf/cesecore.properties.sample b/conf/cesecore.properties.sample
index 709908651f9..604d34a5c56 100644
--- a/conf/cesecore.properties.sample
+++ b/conf/cesecore.properties.sample
@@ -18,13 +18,11 @@
# -------------- NOTE for Upgrades --------------
# When upgrading, the important options are:
-# - ca.keystorepass
# - password.encryption.key
-# - ca.cmskeystorepass (in ejbca.properties)
# -------------- General security --------------
-# The following key (strictly speaking, PBE input password) allows for encrypting passwords used in EJBCA (e.g. End Entity and Crypto Token
-# passwords stored in database).
+# The following key (strictly speaking, PBE input password) allows for encrypting passwords used in EJBCA (e.g. End Entity, Crypto Token,
+# CMP Alias, SCEP Alias, etc, passwords stored in database).
# This property should be set before initial EJBCA installation and it should't be changed later, because there could exist
# passwords encrypted with the key about to be changed and EJBCA would be unable to decrypt them (note that the current implementation
# is capable to try decryption with the default key, i.e. qhrnf.f8743;12%#75, but it won't be able to decrypt passwords encrypted
@@ -44,16 +42,7 @@
#password.encryption.count=100
# ------------ Basic CA configuration ---------------------
-# This password is used internally to protect CA keystores in database unless a password has been set manually.
-# CA keystores are the CAs private key, where a password can be defined manually instead when creating the Crypto Token,
-# and Extended CA Services, such as the 'CMS Service', where a manual password can not be defined..
-# Default value is foo123, which is needed to keep compatibility with default installations of EJBCA 3.0, please change this if possible.
-# This value is not very important if you don't use the CMS Service (which most do not), if you define your own
-# Crypto Token Authentication Codes, which is recommended.
-# Note! If changing this value AFTER installation of EJBCA you must do 'ant clean; ant bootstrap' in order to activate changes.
-#ca.keystorepass=foo123
-#ca.keystorepass=!secret!
-
+#
# Default Random Number Generator algorithm for certificate serial number generation.
# Available algorithms are: BCSP800Hybrid, SHA1PRNG, default, defaultstrong
# From Java 11 and onwards, DRBG is also available
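Review bot: Dropping `ca.keystorepass` from the sample leaves no guidance for installations that set a custom value before upgrading, and this commit also removes it from the "NOTE for Upgrades" list at the top of the file. If the runtime still reads the property to open legacy CA keystores in CAData during migration, the upgrade note should say so explicitly; if it is no longer read at all, a line such as `# ca.keystorepass is no longer used; CA keystore protection is configured per Crypto Token` would prevent a silent misconfiguration on upgrade. The lone `#` added at the end of the removed block looks like a leftover rather than an intended separator. Which of the two cases applies is not visible in this diff.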
@@ -63,6 +52,11 @@
# separate thread to gather seed material and a core DRBG to satisfy any requests for seed material while it waits.
# There is no noticeable performance difference using this algorithm, so it could be used instead of the default to prove a FIPS compliant method in use.
#
+# You can set to PKCS11 to make the call to SecureRandom.getInstance("PKCS11") use the random number generator from a HSM
+# that has been configured to be available from Java.
+# The PKCS11 provider must have been loaded (but it does not need to have a logged in session). That means that either there must have
+# been an attempt to activate a PKCS11 Crypto Token (successful or not) or database protection with a PKCS11 token must be used (or both).
+#
# Using the value "default" (or an empty value which is hard to set here) uses the OS:es default implementation,
# which may vary. See the documentation of Java's SecureRandom for more information. On Linux this uses /dev/(u)random.
# Using the value "defaultstrong" is only available in JDK 8 and later and will use the SecureRandom.getInstanceStrong(), to get
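Review bot: The new PKCS11 paragraph documents the precondition (a PKCS#11 provider must already be loaded) but not the failure mode, and certificate serial numbers depend on this generator, so an operator needs to know whether `SecureRandom.getInstance("PKCS11")` failing stops startup or silently falls back to a software RNG. Suggest appending one line of the form `# If no PKCS11 provider is registered when the generator is first needed, <startup fails | the default algorithm is used instead>.` with the correct alternative filled in. The actual behaviour is not visible in this diff, so it must be confirmed against the code before wording it.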
@@ -75,6 +69,7 @@
#ca.rngalgorithm=default
#ca.rngalgorithm=DRBG
#ca.rngalgorithm=BCSP800Hybrid
+#ca.rngalgorithm=PKCS11
# The default length in octets of certificate serial numbers configured when creating new CAs.
# Note: since EJBCA 7.0.1 this only affects the default value of this field, which is editable in the CA configuration
@@ -149,6 +144,16 @@ certificate.validityoffset=-10m
# Default: 500000
#database.crlgenfetchsize=500000
+# Whether EJBCA should request ordered fetching of revoked certificates when generating CRLs.
+# EJBCA relies on Hibernate to return data in batches (see the database.crlgenfetchsize setting
+# above, to control the read batch size). However, Microsoft SQL Server 2016 is known to return
+# duplicates and/or missing entries when multiple batches are read. The setting below is a
+# workaround for this problem.
+#
+# Default: off (false)
+#database.crlgenfetchordered=true
+
+
# ------------- Core language configuration -------------
# The language that should be used internally for logging, exceptions and approval notifications.
# The languagefile is stored in 'src/intresources/ejbcaresources.xx.properties' and 'intresources.xx.properties'.
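Review bot: The description of `database.crlgenfetchordered` calls the SQL Server batching problem a "workaround" without stating its consequence: a missing entry in the fetch of revoked certificates means a revoked certificate is left out of the generated CRL, which is a revocation failure rather than a cosmetic issue. Suggest adding `# Missing entries result in revoked certificates being omitted from the generated CRL, so this should be enabled when running on Microsoft SQL Server.` It would also help to say whether ordered fetching has a noticeable cost on other databases, since the default stays off.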
@@ -204,19 +209,6 @@ securityeventsaudit.exporter.1=org.cesecore.audit.impl.AuditExporterXml
# Default: not set
#cluster.nodeid=
-#------------------- ECDSA implicitlyCA settings -------------
-# Sets pre-defined EC curve parameters for the implicitlyCA facility.
-# See the User's Guide for more information about the implicitlyCA facility.
-# Setting these parameters are not necessary when using regular named curves.
-# if you don't know what this means, you can safely ignore these settings.
-#
-# Default values that you can experiment with:
-# ecdsa.implicitlyca.q=883423532389192164791648750360308885314476597252960362792450860609699839
-# ecdsa.implicitlyca.a=7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc
-# ecdsa.implicitlyca.b=6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a
-# ecdsa.implicitlyca.g=020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf
-# ecdsa.implicitlyca.n=883423532389192164791648750360308884807550341691627752275345424702807307
-
#------------------- PKCS#11 -------------------------------------
# Configuration of PKCS#11 tokens.
#
@@ -230,16 +222,6 @@ securityeventsaudit.exporter.1=org.cesecore.audit.impl.AuditExporterXml
# Default: true
#cryptotoken.keystorecache=true
-# Setting the PKCS#11 attribute CKA_MODIFYABLE to FALSE after a key is generated.
-#
-# This is only done if the file '$EJBCA_HOME/dist/ext/cesecore-p11.jar' has been
-# deployed to the 'java.ext.dirs' classpath (https://docs.oracle.com/javase/tutorial/ext/basics/install.html).
-# If true and if the jar is not deployed then a warning will be written to the
-# log each time a key (all key types even none p11) is generated.
-# If the key is not a PKCS#11 key then nothing is done.
-# Default: false
-#pkcs11.makeKeyUnmodifiableAfterGeneration=true
-
# ------------------- Authentication Key Binding settings -------------------
# Configuration of available cipher suites for outgoing SSL/TLS connections
# that can be selected for an Authentication Key Binding.
@@ -267,7 +249,9 @@ securityeventsaudit.exporter.1=org.cesecore.audit.impl.AuditExporterXml
#authkeybind.ciphersuite.7=TLSv1;TLS_DHE_RSA_WITH_AES_256_CBC_SHA
#authkeybind.ciphersuite.8=TLSv1;TLS_RSA_WITH_AES_256_CBC_SHA
#authkeybind.ciphersuite.9=TLSv1;TLS_RSA_WITH_AES_128_CBC_SHA
-
+#authkeybind.ciphersuite.10=TLSv1.3;TLS_AES_128_GCM_SHA256
+#authkeybind.ciphersuite.11=TLSv1.3;TLS_AES_256_GCM_SHA384
+#authkeybind.ciphersuite.12=TLSv1.3;TLS_CHACHA20_POLY1305_SHA256
# ------------------- Certificate Transparency settings -------------------
# If your EJBCA has support for CT in it, you may configure caching of SCTs
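Review bot: The three TLS 1.3 suites are appended as indices 10–12 after the legacy TLSv1 CBC entries (7–9); if the numeric index is the order in which suites are offered or listed for an Authentication Key Binding, the AEAD TLS 1.3 suites should precede them, and the TLSv1 lines should at least carry a comment that they are kept for compatibility with old peers only. The blank line that separated the list from the `Certificate Transparency settings` header was also dropped. Whether the index expresses a preference order is not visible in this diff.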
@@ -315,20 +299,14 @@ securityeventsaudit.exporter.1=org.cesecore.audit.impl.AuditExporterXml
# we need some configuration option to force old behavior in new versions, until we have upgrade
# all nodes and can set the system to use new (improved) behavior.
-# When upgrading a 100% up-time cluster, all nodes should be deployed with db.keepjbossserialization=true.
-# For upgrades from EJBCA version 4.0 to later versions.
-# Once all nodes are running > 4.0, set to false to increase efficiency and portability.
-# Default: false
-#db.keepjbossserialization=true
-
# Option if we should keep internal CA keystores in the CAData table to be compatible with CeSecore 1.1/EJBCA 5.0.
-# Default to true. Set to false when all nodes in a cluster have been upgraded to CeSecore 1.2/EJBCA 5.1 or later,
+# Default to false in defaultvalues.properties, true if no value is present there. Set to false when all nodes in a cluster have been upgraded to CeSecore 1.2/EJBCA 5.1 or later,
# then internal keystore in CAData will be replaced with a foreign key in to the migrated entry in CryptotokenData.
#
# When upgrading a 100% up-time cluster, all nodes should initially be deployed with db.keepinternalcakeystores=true.
# Once all nodes are running > EJBCA 5.0, set to false again to increase efficiency and portability.
# For upgrades from EJBCA version 5.0 to later versions.
-# Default: true
+# Default: false (from defaultvalues.properties)
#db.keepinternalcakeystores=true
# When upgrading a 100% up-time cluster, all nodes should be deployed with ca.keepocspextendedservice=true.
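Review bot: The rewritten default description for `db.keepinternalcakeystores` is contradictory as read by an operator — `Default to false in defaultvalues.properties, true if no value is present there` followed by `Default: false (from defaultvalues.properties)` — while the upgrade paragraph in between still instructs deploying with `true` first. Suggest one consistent statement: `# Default: false (set in defaultvalues.properties; the built-in fallback is true only if that file has no entry). Installations upgrading from EJBCA 5.0 must set this to true explicitly until every node is upgraded.` The removal of `db.keepjbossserialization` needs no note since it only concerned upgrades from 4.0.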
@@ -342,3 +320,8 @@ securityeventsaudit.exporter.1=org.cesecore.audit.impl.AuditExporterXml
# declared here, separated by commas
#custom.class.whitelist=org.widget.Bar,org.widget.Foo
+# Use Legacy PKCS#12 Keystore
+#
+# Set to true to keep the implementation used by EJBCA <7.5 and encrypt certificates in PKCS#12 keystores using
+# pbeWithSHA1And40BitRC2-CBC instead of pbeWithSHA1And3-KeyTripleDES-CBC. Default is false.
+#keystore.use_legacy_pkcs12 = true
\ No newline at end of file
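Review bot: The `keystore.use_legacy_pkcs12` comment names the legacy algorithm, pbeWithSHA1And40BitRC2-CBC, but does not say that 40-bit RC2 provides essentially no confidentiality, so an operator reading the sample may enable it without understanding the trade-off. Suggest adding `# WARNING: 40-bit RC2 is cryptographically weak. Enable this only for clients that cannot open keystores whose entries are protected with 3DES, and prefer fixing the client.` Since the comment says the setting affects how certificates are encrypted, it is worth stating explicitly whether the private-key protection is unaffected. The added last line also lacks a trailing newline, which the diff flags.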
diff --git a/conf/cmptcp.properties.sample b/conf/cmptcp.properties.sample
deleted file mode 100644
index 0d20f98d82b..00000000000
--- a/conf/cmptcp.properties.sample
+++ /dev/null
@@ -1,45 +0,0 @@
-#
-# $Id: cmptcp.properties.sample$
-#
-# This is a sample file to override properties used
-# during deployment of EJBCA
-#
-# You should copy and rename this file to cmptcp.properties
-# and customize at will.
-#
-# Developers: If you add fields in this file, make arrangements in CmpServlet, CmpTcpService, cmptcp-service.xml and cmptcp.xml
-
-# ---------- Settings for the CMP TCP listener ----------
-#
-# The TCP listener is not enabled by default, because it is an MBean, which
-# requires special things. If possible you should stick to the HTTP transport
-# protocol for CMP, it is much better.
-
-# Enabled or disabled
-#
-# Default: false
-#cmp.tcp.enabled=false
-
-# The port number to listen to for TCP connections, if TCP transport is enabled.
-# Please not that the default port number, below 1024, requires the application server to be run with root privileges.
-# It may be more convenient to use a high port number (like 5587) and forward port 829 from the os/firewall level instead.
-#
-# Default: 829
-#cmp.tcp.portno=829
-
-# The directory where TCP log files are stores, if TCP transport is enabled
-#
-# Default: ./log
-#cmp.tcp.logdir=./log
-
-# An optional TCP configuration file, if TCP transport is enabled.
-# This is a configuration file for QuickServer.
-#
-# Default:
-#cmp.tcp.conffile=
-
-# The TCP bind adress, if TCP transport is enabled.
-#
-# Default: 0.0.0.0
-#cmp.tcp.bindadress=0.0.0.0
-
diff --git a/conf/database.properties.sample b/conf/database.properties.sample
index 7fe2dad6bb8..ccd0fd5a41b 100644
--- a/conf/database.properties.sample
+++ b/conf/database.properties.sample
@@ -29,9 +29,19 @@
#database.name=db2
#database.name=ingres
+# The encoded certificate may be stored in the table Base64CertData instead of
+# in a column in the CertificateData table. Using a separate table for the
+# certificate data may speed up searching for certificates if there are lots of
+# them (>100Million).
+# Default: false
+#database.useSeparateCertificateTable=true
+
#
# The below settings are needed to build and run tools the interact directly with the database
# For example ejbca-db-cli
+# NOTE: Do not set these properties for the deployment build of ejbca.ear, it does not need database
+# information as that is configured in the application server, including possible usage
+# of a Vault for the password
#
# Database connection URL.
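Review bot: The new NOTE tells readers not to set the connection properties for the ear build but does not say why it matters; if a `database.password` set here would end up in build output, that is a credential-exposure concern worth stating outright rather than as "does not need". Suggest `# NOTE: Leave the properties below unset when building ejbca.ear. The ear takes its datasource from the application server (where the password can come from a vault); a password set here would otherwise end up in the build output.` Whether the values are actually copied into the ear is not visible in this diff, so confirm before wording it as a fact.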
@@ -72,10 +82,3 @@
# Database password.
# Default: sa (works with H2 on JBoss 7)
#database.password=ejbca
-
-# The encoded certificate may be stored in the table Base64CertData instead of
-# in a column in the CertificateData table. Using a separate table for the
-# certificate data may speed up searching for certificates if there are lots of
-# them (>100Million).
-# Default: false
-#database.useSeparateCertificateTable=true
diff --git a/conf/ejbca.properties.sample b/conf/ejbca.properties.sample
index 24ac8d7395a..a694d7ca931 100644
--- a/conf/ejbca.properties.sample
+++ b/conf/ejbca.properties.sample
@@ -11,20 +11,17 @@
# -------------- NOTE for Upgrades --------------
# When upgrading, the important options are:
-# - ca.keystorepass (in cesecore.properties)
# - password.encryption.key (in cesecore.properties)
-# - ca.cmskeystorepass
# Application server home directory used during development. The path can not end with a slash or backslash.
# On windows use / instead of \
# Default: $APPSRV_HOME
-#appserver.home=/opt/jboss-as-7.1.1.Final
-#appserver.home=/opt/glassfish3/glassfish
-#appserver.home=/Program Files/wildfly-10.1.0Final
+#appserver.home=/opt/jboss-as-7.4.0.Final
+#appserver.home=/Program Files/wildfly-24.0.1Final
#appserver.home=${env.APPSRV_HOME}
# Which application server is used? Normally this is auto-detected from 'appserver.home' and should not be configured.
-# Possible values: jboss, glassfish
+# Possible values: jboss
# Default:
#appserver.type=jboss
@@ -36,6 +33,12 @@
#ejbca.productionmode=true
#ejbca.productionmode=false
+# Enable time limited builds by specifying an expiration date. EJBCA will check the expiration date during startup
+# and stop the deployment if the the build has expired according to the local system clock.
+# The date should be on the format 'yyyy-MM-dd'.
+# Default: Disable
+#ejbca.expireafter=1941-12-07
+
# In order to allow upgrades of EJBCA with a minimum of fuss, EJBCA supports keeping configurations, key stores and custom modifications in an external
# directory which will be shared between versions. This technique can also be used easily when performing several identical installations across
# several instances to share settings.
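Review bot: The `ejbca.expireafter` comment contains a doubled word (`if the the build has expired`) and `Default: Disable` reads like a value; `Default: not set (no expiration)` would match the other defaults in this file. It would also help to say what an operator sees when a build has expired — the comment says the deployment is stopped but not whether that is logged or how to recover (rebuild with a later date). Since the check is against the local system clock, the comment should present this as a build-lifecycle convenience rather than a security control.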
@@ -54,16 +57,6 @@
# Default: false
#allow.external-dynamic.configuration=false
-# ------------ Basic CA configuration ---------------------
-# Most CA options are configured in cesecore.properties, but some EJBCA-
-# specific ones are configured here. When upgrading, the important options are:
-# - ca.keystorepass (in cesecore.properties)
-# - ca.cmskeystorepass
-
-# Password used to protect CMS keystores in the database (CAs CMS signer/enc certificate).
-# The default value is the same for convenience.
-#ca.cmskeystorepass=foo123
-
# ------------- Approval configuration ------------------------
# Settings working as default values in the approval functionality
#
diff --git a/conf/externalra-gui.properties.sample b/conf/externalra-gui.properties.sample
deleted file mode 100644
index 8b38edcec35..00000000000
--- a/conf/externalra-gui.properties.sample
+++ /dev/null
@@ -1,85 +0,0 @@
-#
-# This is the configuration file for the External RA client GUI.
-#
-# Note that External RA is only included in the Enterprise Edition of EJBCA.
-#
-# Rename this file 'externalra-gui.properties' before building and deploying the External RA GUI.
-#
-
-#
-# Application server configuration.
-#
-
-# Application server home directory. Currently only JBoss is supported.
-# Default: $APPSRV_HOME
-#appserver.home=/opt/jboss-as-7.1.1.Final
-#appserver.home=${env.APPSRV_HOME}
-
-#
-# General application behavior
-#
-
-# Define where the user is redirected when clicking the "Help" link.
-# Default: No help available
-#externalra-gui.helpurl=http://...
-
-# Specification of the key we would prefer that browsers generate. Since the
-# keys are generated by client code this key specification should be enforced
-# in the certificate profile for the enrolling user. Only the RSA algorithm is
-# available at the moment and this only affects FireFox and Internet Explorer.
-# Default: 2048
-#externalra-gui.keyspec=2048
-
-# Suggest to the client that generated keys should not be exportable. Since the
-# key generation is executed entirely in the client there is no way of knowing
-# if this is enforced. This option is only available using Internet Explorer.
-# Default: true
-#externalra-gui.exportable=true
-
-#
-# Configuration for the External RA API based client implementation.
-#
-
-# Database configuration. Only MySQL has been properly tested, but Postgres and
-# Hypersonic should work. The JDBC URL is used to connect to the database and
-# determine the database type.
-# Default: jdbc:mysql://127.0.0.1/messages
-#externalra-gui.datasource.jdbc-url=jdbc:mysql://127.0.0.1/messages
-
-# JDBC driver classname.
-# The JEE server needs to be configured with the appropriate JDBC driver for the selected database
-# Default: com.mysql.jdbc.Driver
-#externalra-database.driver=org.mariadb.jdbc.Driver
-#externalra-database.driver=com.mysql.jdbc.Driver
-#externalra-database.driver=org.postgresql.Driver
-#externalra-database.driver=org.hsqldb.jdbcDriver
-#externalra-database.driver=oracle.jdbc.driver.OracleDriver
-#externalra-database.driver=com.ibm.db2.jcc.DB2Driver
-
-# Username for database connection.
-# Default: ejbca
-#externalra-gui.datasource.username=ejbca
-
-# Password for database connection.
-# Default: ejbca
-#externalra-gui.datasource.password=ejbca
-
-# Time to wait for a response from the CA in seconds before giving up.
-# Default: 30
-#externalra-gui.timeout=30
-
-# The path to the certificate of the CA's External RA API service keystore.
-# Default: /home/jboss/extra-keys/externalra-caservice.pem
-#externalra-gui.caservicecert=/home/jboss/extra-keys/externalra-caservice.pem
-
-# The path to the External RA GUI keystore.
-# Default: /home/jboss/extra-keys/externalra-gui.p12
-#externalra-gui.keystore=/home/jboss/extra-keys/externalra-gui.p12
-
-# The password for the External RA GUI keystore.
-# Default: foo123
-#externalra-gui.keystorepassword=foo123
-
-# The path to the CA certificate chain PEM for the CA that has issued the client and service keystores.
-# Default: /home/jboss/extra-keys/externalra-gui.issuer.pem
-#externalra-gui.issuerchain=/home/jboss/extra-keys/externalra-gui.issuer.pem
diff --git a/conf/externalra.properties.sample b/conf/externalra.properties.sample
deleted file mode 100644
index 0654c827dd0..00000000000
--- a/conf/externalra.properties.sample
+++ /dev/null
@@ -1,39 +0,0 @@
-#
-# EJBCA's external RA service can be used to only allow outgoing network traffic from the CA installation.
-# This file is used for configuring the service that polls the external database.
-#
-# Note that External RA is only included in the Enterprise Edition of EJBCA.
-#
-# Properties should be configured in the EJBCA Admin GUI for each worker. For example:
-#
-# Select Worker: Custom Worker
-# Custom Worker Class Path: org.ejbca.extra.caservice.ExtRACAServiceWorker
-# Custom Worker Properties: externalra-caservice.persistenceunit=RAMessage1DS
-# externalra-caservice.raissuer=ManagementCA
-# externalra-caservice.encryption.required=false
-# externalra-caservice.signature.required=false
-# externalra-caservice.keystore.path=/home/ejbca/externalra-caservice.p12
-# externalra-caservice.keystore.pwd=foo123
-# externalra-caservice.whitelist=
-# Select Interval: Periodical Interval
-# Period: 5 seconds
-# Select Action: No Action
-# Active: Checked
-#
-
-# Enable External RA service
-# Default: false
-#externalra.enabled=true
-
-# Specify DataSources that should be available to the External RA service.
-# The SQL dialect and JDBC driver class is derived from the JDBC URL.
-# The DataSources (and JPA persistence units) configured below will be named 'RAMessage1DS', 'RAMessage2DS' etc.
-# This must be configured to build in the persistence unit into EJBCA, even is you configure the Data Source yourself.
-
-#externalra.source-1.jdbc-url=jdbc:mysql://127.0.0.1/messages
-#externalra.source-1.username=ejbca
-#externalra.source-1.password=ejbca
-
-#externalra.source-2.jdbc-url=jdbc:postgresql://127.0.0.1/messages
-#externalra.source-2.username=ejbca
-#externalra.source-2.password=ejbca
diff --git a/conf/install.properties.sample b/conf/install.properties.sample
index 8ed9298f389..b730aa65e0d 100644
--- a/conf/install.properties.sample
+++ b/conf/install.properties.sample
@@ -50,15 +50,15 @@ ca.tokenpassword=null
# On windows use / instead of \
#ca.tokenproperties=/home/ejbca/ejbca/conf/catoken.properties
+# The keytype for the Management CA, can be RSA, ECDSA or DSA
+# For the key to be generated in soft keystore.
+ca.keytype=RSA
+
# The keyspec for the administrative CAs key, to be generated in soft keystore.
# Keyspec for RSA keys is size of RSA keys (1024, 2048, 4096, 8192).
# Keyspec for ECDSA keys is name of curve or 'implicitlyCA', see docs.
ca.keyspec=2048
-# The keytype for the Management CA, can be RSA, ECDSA or DSA
-# For the key to be generated in soft keystore.
-ca.keytype=RSA
-
# Default signing algorithm for the Management CA.
# Available algorithms are:
# SHA1WithRSA, SHA1withECDSA, SHA256WithRSA, SHA256withECDSA.
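Review bot: The relocated `ca.keytype` comment still advertises `DSA`, and the adjacent `ca.keyspec` comment still names `implicitlyCA`, while this same commit deletes the implicitlyCA parameters from cesecore.properties.sample and drops DSA from the OCSP signature-algorithm defaults. If DSA and implicitlyCA are no longer supported for the Management CA, the lines should be trimmed to `# The keytype for the Management CA, can be RSA or ECDSA` and `# Keyspec for ECDSA keys is the name of a named curve.` The keyspec line also still lists 1024 as an RSA size, which should not be offered as an option for a Management CA in a sample. Whether DSA is still accepted by the installer is not visible in this diff.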
diff --git a/conf/jndi.properties.glassfish b/conf/jndi.properties.glassfish
deleted file mode 100644
index b50460f0584..00000000000
--- a/conf/jndi.properties.glassfish
+++ /dev/null
@@ -1 +0,0 @@
-# JNDI configuration is not required on Glassfish
diff --git a/conf/jndi.properties.jbosseap6 b/conf/jndi.properties.jbosseap6
deleted file mode 100644
index 06f8a865ba1..00000000000
--- a/conf/jndi.properties.jbosseap6
+++ /dev/null
@@ -1,3 +0,0 @@
-# JBoss 7
-java.naming.factory.url.pkgs=org.jboss.ejb.client.naming
-# To run remote EJB you also need jboss-ejb-client.properties in your classpath
\ No newline at end of file
diff --git a/conf/log4j-glassfish.xml.sample b/conf/log4j-glassfish.xml.sample
deleted file mode 100644
index a22a5091740..00000000000
--- a/conf/log4j-glassfish.xml.sample
+++ /dev/null
@@ -1,115 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/conf/log4j-jboss6.xml.sample b/conf/log4j-jboss6.xml.sample
deleted file mode 100644
index 62589072ac7..00000000000
--- a/conf/log4j-jboss6.xml.sample
+++ /dev/null
@@ -1,135 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/conf/log4j-jbosseap6.xml.sample b/conf/log4j-jbosseap6.xml.sample
deleted file mode 100644
index 1119cb10323..00000000000
--- a/conf/log4j-jbosseap6.xml.sample
+++ /dev/null
@@ -1,111 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/conf/logdevices/log4j.properties.sample b/conf/logdevices/log4j.properties.sample
index e943b479b30..c4b309cda0b 100644
--- a/conf/logdevices/log4j.properties.sample
+++ b/conf/logdevices/log4j.properties.sample
@@ -1,5 +1,5 @@
#
-# $Id$
+# $Id: log4j.properties.sample 11950 2011-05-11 11:20:17Z jeklund $
#
# This is a sample file to override properties specific for the Log4j Log Device used
# during development (or deployment) of EJBCA
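Review bot: Replacing the bare `$Id$` keyword with an expanded 2011 SVN revision string looks like an accidental revert rather than an intended change; git does not expand keywords, so the line becomes stale metadata that will never update. Either keep `# $Id$` or drop the line entirely.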
diff --git a/conf/ocsp.properties.sample b/conf/ocsp.properties.sample
index da6a6596f5d..e347c973878 100644
--- a/conf/ocsp.properties.sample
+++ b/conf/ocsp.properties.sample
@@ -12,18 +12,6 @@
# Default is '/${app.name}/publicweb/status'
#ocsp.contextroot=/status
-# DEPRECATED VALUE
-# Deprecated since 6.2.4. The current value will be used to perform upgrade at first startup, and may be removed afterwards.
-#
-# Specifies the subject of a certificate which is used to identify the
-# responder which will generate responses when no real CA can be found from the request.
-# This is used to generate 'unknown' responses when a request is received for a certificate
-# that is not signed by any CA on this server. Recommended to use same as ca.dn.
-#
-# For the internal OCSP responder this is the subject DN of the CA to use for signing
-# For an external OCSP responder this is the issuer DN of the OCSP responders certificate to use for signing, i.e. the CAs subject DN.
-ocsp.defaultresponder=CN=ManagementCA,O=EJBCA Sample,C=SE
-
# If set to false the OCSP responses will only contain the signature certificate (if ocsp.includesignercertinresponse is set to 'true'),
# and not the whole certificate chain of the OCSP responder.
# Default true.
@@ -35,11 +23,10 @@ ocsp.defaultresponder=CN=ManagementCA,O=EJBCA Sample,C=SE
# Specifies which signature algorithms can be used in OCSP responses. You can specify several algorithm
# separated by ';'. If RSA keys are used in the OCSP signing certificate, the algorithm with RSA will be used, and
-# if ECDSA keys are used in the OCSP signing certificate, the algorithm with ECDSA will be used and if
-# DSA keys are used in the OCSP signing certificate, the algorithm with DSA will be used.
+# if ECDSA keys are used in the OCSP signing certificate, the algorithm with ECDSA will be used.
#
-# Default: SHA256WithRSA;SHA256withRSAandMGF1;SHA384WithRSA;SHA512WithRSA;SHA224withECDSA;SHA256withECDSA;SHA384withECDSA;SHA512withECDSA;SHA1WithDSA
-#ocsp.signaturealgorithm=SHA256WithRSA;SHA256withRSAandMGF1;SHA384WithRSA;SHA512WithRSA;SHA224withECDSA;SHA256withECDSA;SHA384withECDSA;SHA512withECDSA;SHA1WithDSA
+# Default: SHA256WithRSA;SHA256withRSAandMGF1;SHA384WithRSA;SHA512WithRSA;SHA224withECDSA;SHA256withECDSA;SHA384withECDSA;SHA512withECDSA;Ed25519;Ed448
+#ocsp.signaturealgorithm=SHA256WithRSA;SHA256withRSAandMGF1;SHA384WithRSA;SHA512WithRSA;SHA224withECDSA;SHA256withECDSA;SHA384withECDSA;SHA512withECDSA;Ed25519;Ed448
# The interval on which the the OCSP signing certificates are updated in seconds.
# If set to 0 or negative these certificate are never updated.
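Review bot: The explanatory sentence above the algorithm list was updated to remove DSA but not to cover the newly added `Ed25519;Ed448` entries, so it no longer describes how an EdDSA OCSP signing key selects its algorithm. Suggest `# if ECDSA keys are used in the OCSP signing certificate, the algorithm with ECDSA will be used, and if Ed25519 or Ed448 keys are used, the matching EdDSA algorithm will be used.` The default list also still carries SHA224withECDSA, which is weaker than everything else in it; consider whether it still belongs in the default now that the list is being revised.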
@@ -103,23 +90,15 @@ ocsp.defaultresponder=CN=ManagementCA,O=EJBCA Sample,C=SE
#ocsp.nonexistingisrevoked.uri.1=.*\\?thisEndingIsRevoked$
#ocsp.nonexistingisrevoked.uri.2=^http://revoked.myhost.nu:8080/.*
-# For HTTP get requests according to RFC5019 we can set HTTP headers in the response to allow caching proxies to cache responses.
-# untilNextUpdate is the number of seconds a response will be valid. 0 = disable.
-# Default: 0
-#ocsp.untilNextUpdate = 0
-
# You can also specify different nextUpdate values depending on which certificate profiles the certificate was issued by.
# This only works when you have published using EJBCA 3.9.0 or later, where the certificateProfileId column in the CertificateData table is populated.
# You can find the certificateProfileId (999 in the example below) in the CA UI.
# If no specific certificateProfileId is specified the default value from ocsp.untilNextUpdate is used.
+#
+# NOTE: This function has been deprecated in EJBCA 8.3.0 and will be removed in the following release
+#
#ocsp.999.untilNextUpdate = 50
-# For HTTP get requests according to RFC5019 we can set HTTP headers in the response to allow caching proxies to cache responses.
-# untilNextUpdate is the number of seconds a response will be valid. 0 = disable.
-# If this configuration is set, its value will override the global value in case of certificate with a revoked status..
-# Default: 0
-#ocsp.revoked.untilNextUpdate = 0
-
# You can also specify different nextUpdate values depending on which certificate profiles the certificate was issued by.
# This only works when you have published using EJBCA 3.9.0 or later, where the certificateProfileId column in the CertificateData table is populated.
# You can find the certificateProfileId (999 in the example below) in the CA UI.
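Review bot: The kept comment "If no specific certificateProfileId is specified the default value from ocsp.untilNextUpdate is used" still points at `ocsp.untilNextUpdate`, but this hunk deletes the only description of that property from the sample, so the per-profile override now references a setting the file no longer documents. The same dangling reference to `ocsp.maxAge` remains twice in the following hunk. Suggest replacing the sentence with one naming where the global value now lives, e.g. `# If no specific certificateProfileId is specified, the nextUpdate value configured for the OCSP Key Binding is used.` — the Key Binding location is an inference, so verify it. Since the global properties are gone, the new deprecation note would also be more useful if it stated what replaces the per-profile values, so operators know whether response cache lifetimes change on upgrade.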
@@ -127,41 +106,25 @@ ocsp.defaultresponder=CN=ManagementCA,O=EJBCA Sample,C=SE
# If this configuration is set, its value will override the global value in case of certificate with a revoked status..
#ocsp.999.revoked.untilNextUpdate = 50
-# For HTTP get requests according to RFC5019 we can set HTTP headers in the response to allow caching proxies to cache responses.
-# maxAge is how long a response will be cached, in seconds. Should be less than untilNextUpdate.
-# Ignored if untilNextUpdate is disabled. 0 = disable.
-# Note that for responses of certificates with unknown status, the HTTP response header "Cache-control" will not contain the max age, but
-# "no-cache, must-revalidate" instead. That is to prevent caching of unknown status.
-# Default: 30
-#ocsp.maxAge = 30
-
# You can also specify different maxAge values depending on which certificate profiles the certificate was issued by.
# This only works when you have published using EJBCA 3.9.0 or later, where the certificateProfileId column in the CertificateData table is populated.
# You can find the certificateProfileId (999 in the example below) in the CA UI.
# If no specific certificateProfileId is specified the default value from ocsp.maxAge is used.
+#
+# NOTE: This function has been deprecated in EJBCA 8.3.0 and will be removed in the following release
+#
#ocsp.999.maxAge = 100
-# For HTTP get requests according to RFC5019 we can set HTTP headers in the response to allow caching proxies to cache responses.
-# maxAge is how long a response will be cached, in seconds. Should be less than untilNextUpdate.
-# Ignored if untilNextUpdate is disabled. 0 = disable.
-# Note that for responses of certificates with unknown status, the HTTP response header "Cache-control" will not contain the max age, but
-# "no-cache, must-revalidate" instead. That is to prevent caching of unknown status.
-# If this configuration is set, its value will override the global value in case of certificate with a revoked status.
-# Default: 30
-#ocsp.revoked.maxAge = 30
-
# You can also specify different maxAge values depending on which certificate profiles the certificate was issued by.
# This only works when you have published using EJBCA 3.9.0 or later, where the certificateProfileId column in the CertificateData table is populated.
# You can find the certificateProfileId (999 in the example below) in the CA UI.
# If no specific certificateProfileId is specified the default value from ocsp.maxAge is used.
# If this configuration is set, its value will override the global value in case of certificate with a revoked status.
+#
+# NOTE: This function has been deprecated in EJBCA 8.3.0 and will be removed in the following release
+#
#ocsp.999.revoked.maxAge = 100
-# Specifies OCSP extension by OID that will result in a call to an extension class.
-# Intended for debugging post EJBCA 6.12.0.
-# All other extension configuration may be selected in the CA UI for each Ocsp Key Binding.
-#ocsp.alwayssendcustomextension=1.3.36.8.3.13
-
# Setting this to true will enable unidfnr extension in EJBCA.
# Default is false since it is not normally used by many customers.
# Prior to setting this to true the appropriate data source must be set in JBoss.
@@ -182,86 +145,4 @@ ocsp.defaultresponder=CN=ManagementCA,O=EJBCA Sample,C=SE
# database.
#
# Default: 30000ms
-#ocspconfigurationcache.cachetime=30000
-
-#------------------- Re-keying used by external OCSP responder------------------------------
-# When this feature is enabled a new signing key will automatically be generated a specified time before the certificate of the used key expires.
-# A certificate for the new key will be fetched by WS from EJBCA.
-# You also need to configure an AuthenticationKeyBinding as client SSL credential. (It will be created for you
-# during upgrade to EJBCA 6.0.0 where a client SSL keystore existed previously.)
-
-# Password for rekeying via the servlet.
-# Default: null
-#ocsp.rekeying.trigging.password=
-
-# URL to webservice from which the certificate for a newly generated OCSP responder key should be fetched.
-# The automatic re-keying feature is disabled if this property is not defined.
-# Default: null
-#ocsp.rekeying.wsurl = https://milton:8443/ejbca/ejbcaws/ejbcaws
-
-# Specifies how often the signing certificates should be checked. Default value is 3600 seconds, but consider lowering this value if signing certificates are expected
-# to be valid less than 24h
-#ocsp.rekeying.update.time.in.seconds=
-
-# Specifies how much safety margin a certificate should have before it's updated, i.e when it should be considered a candidate for renewal. The effective
-# validity time for a signing certificate is it's actual validity minus this value. Timer will output warnings if this value is less than the update time.
-#
-# The default for this value is 24h
-#ocsp.rekeying.safety.margin.in.seconds=
-
-# Limits what hosts may request a manual rekeying via web service. Multiple hosts may be separated with a semicolon.
-# Default: 127.0.0.1
-#ocsp.rekeying.trigging.hosts=
-
-#------------------- OCSP Logging settings -------------
-# Transaction logging logs summary lines for all OCSP request/responses, which can be used for charging clients if you are running a commercial OCSP service.
-# Specifies if transaction logging should be performed from the OCSP responder and formats how that information should be logged yyyy-MM-dd:HH:mm:ss
-# Change below to true if you want transaction information to be logged
-#
-# See the OCSP installation guide for more details on the transaction and audit logging.
-#
-# Default: false
-#ocsp.trx-log = true
-
-# Configure how time of logging in auditlog will be output
-# Default: yyyy-MM-dd:HH:mm:ss:z
-#
-# Almost standard example, but the time offset ':z' (e.g. ':CET') is not standard compliant:
-#ocsp.log-date = yyyy-MM-dd HH:mm:ss.SSS:z
-#
-# Reference: RFC 3339 - Date and Time on the Internet: Timestamps
-# Standard compliant example, the final 'Z' means that the time zone is GMT, i.e. time UTC+00:
-#ocsp.log-date = yyyy-MM-dd HH:mm:ss.SSSZ
-
-# Configure which time zone will be used for logging
-# Note: GMT is the time zone for the time UTC+00, and without daylight saving time. It's the best choice for logs.
-# Default: GMT
-#ocsp.log-timezone = GMT
-
-# A pattern for use with ocsp.trx-log-order to replace constants with values during logging
-# Default: \\$\\{(.+?)\\}
-#ocsp.trx-log-pattern = \\$\\{(.+?)\\}
-
-# Use ocsp.trx-log-order to specify what information should be logged and in what order. You can also configure what characters you want in between
-# See OCSP Installation guide for documentation of all parameters.
-# Default: ${SESSION_ID};${LOG_ID};${STATUS};${REQ_NAME}"${CLIENT_IP}";"${SIGN_ISSUER_NAME_DN}";"${SIGN_SUBJECT_NAME}";${SIGN_SERIAL_NO};"${LOG_TIME}";${REPLY_TIME};${NUM_CERT_ID};0;0;0;0;0;0;0;"${ISSUER_NAME_DN}";${ISSUER_NAME_HASH};${ISSUER_KEY};${DIGEST_ALGOR};${SERIAL_NOHEX};${CERT_STATUS};${CERT_PROFILE_ID};${FORWARDED_FOR}
-#ocsp.trx-log-order = ${SESSION_ID};${LOG_ID};${STATUS};${REQ_NAME}"${CLIENT_IP}";"${SIGN_ISSUER_NAME_DN}";"${SIGN_SUBJECT_NAME}";${SIGN_SERIAL_NO};"${LOG_TIME}";${REPLY_TIME};${PROCESS_TIME};${NUM_CERT_ID};0;0;0;0;0;0;0;"${ISSUER_NAME_DN}";${ISSUER_NAME_HASH};${ISSUER_KEY};${DIGEST_ALGOR};${SERIAL_NOHEX};${CERT_STATUS};${CERT_PROFILE_ID};${FORWARDED_FOR}
-
-# Audit logging logs the complete requests and responses, which can be used to trace complete transaction afterwards.
-# change ocsp.audit-log to true of you want audit logging turned on
-# Default: false
-#ocsp.audit-log = true
-
-# A pattern for use with ocsp.audit-order to replace constants with values during logging
-# Default: \\$\\{(.+?)\\}
-#ocsp.audit-log-pattern = \\$\\{(.+?)\\}
-
-# Use ocsp.audit-log-order to specify what information should be logged and in what order. You can also configure what characters you want in between
-# See OCSP Installation guide for documentation of all parameters.
-# Default: ocsp.audit-log-order = SESSION_ID:${SESSION_ID};LOG ID:${LOG_ID};"${LOG_TIME}";TIME TO PROCESS:${REPLY_TIME};\nOCSP REQUEST:\n"${OCSPREQUEST}";\nOCSP RESPONSE:\n"${OCSPRESPONSE}";\nSTATUS:${STATUS}
-#ocsp.audit-log-order = SESSION_ID:${SESSION_ID};LOG ID:${LOG_ID};"${LOG_TIME}";REPLY TIME:${REPLY_TIME};\nTIME TO PROCESS:${PROCESS_TIME};\nOCSP REQUEST:\n"${OCSPREQUEST}";\nOCSP RESPONSE:\n"${OCSPRESPONSE}";\nSTATUS:${STATUS}
-
-# Set to true if you want transactions to be aborted when logging fails
-# This option needs other configuration changes as well, see "Safer Log4j Logging" in the OCSP install guide for more information
-# Default: false
-#ocsp.log-safer = true
+#ocspconfigurationcache.cachetime=30000
\ No newline at end of file
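Review bot: The one surviving line of this hunk, `#ocspconfigurationcache.cachetime=30000`, is re-added without a trailing newline (`\ No newline at end of file`), a gratuitous change from the original line that will show up as a diff again the next time someone appends to the sample; restore the newline. Separately, removing the `ocsp.trx-log`, `ocsp.audit-log` and `ocsp.rekeying.*` settings leaves no pointer in the sample to where OCSP transaction and audit logging are now configured; if they moved to another file or to the UI, a one-line comment such as `# OCSP transaction and audit logging are configured in <new location>` would spare operators who depend on that logging for monitoring. Whether these settings moved or were dropped outright is not visible in this hunk.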
diff --git a/conf/plugins/.gitignore b/conf/plugins/.gitignore
new file mode 100644
index 00000000000..c3448038371
--- /dev/null
+++ b/conf/plugins/.gitignore
@@ -0,0 +1 @@
+/plugin.properties
diff --git a/conf/scepra.properties.sample b/conf/scepra.properties.sample
deleted file mode 100644
index 3b4aeff92b1..00000000000
--- a/conf/scepra.properties.sample
+++ /dev/null
@@ -1,137 +0,0 @@
-#####
-# Configuration file for default values for the External RA SCEP RA Server.
-# Configure as you please, but all values must be set to something.
-#
-# Default values (that you enter here) is built into the application and deployed
-# as default values.
-#
-# 'datasource.jndi-name-prefix' (see conf/database.properties.sample) and 'appserver.home'
-# (see conf/ejbca.properties.sample) also has to be configured.
-#####
-
-# Allow dynamic re-configuration.
-#
-# By setting this property to true, you can also dynamically re-configure
-# the RA by changing values in properties files in the file system.
-#
-# You can put a scepra.properties file in your "app server runtime home"/conf directory
-# to override these values. To find out which this directory is, it is logged during startup as for example:
-# [ExtraConfiguration] Added file to configuration source: /opt/jboss-4.2.2.GA/bin/conf/scepra.properties
-# This file is re-read if changed so changes can be made in runtime.
-#
-# You can put a /etc/ejbca/conf/extra/scepra.properties file to override these values.
-# This file is re-read if changed so changes can be made in runtime.
-#
-# Finally you can override anything by setting system properties for your appserver, for example:
-# java -Dscep.ra.authpwd=mysecret
-allow.external-dynamic.configuration=false
-
-
-#
-# Settings for the Stand-alone SCEP RA Server.
-# The stand-alone SCEP RA sevrer is deployed as an using External RA.
-# See admin guide for more information about the External RA.
-#
-
-# Path to RA keystore. Should be a full pathname.
-scep.ra.keyStorePath.1=/opt/jboss-4.2.2.GA/bin/conf/keystore/sceprakeystore.p12
-
-# Password to the RA keystore configured above
-scep.ra.keyStorePassword.1=foo123
-
-# Advanced users: In theory it is possible to have several SCEP RAs configured with different keystores.
-# In that case add more keystores with .2 etc. And configure new Servlets and mappings in src/WEB-INF/web.xml
-# with these keystoreNumber.
-
-# Set to another value than none if the Scep RA should require
-# a specific password in the SCEP request.
-# This should be used with createOrEditUser=true and will in this case be a set password
-# required in the SCEP Request message. If this password is correct, the request will be automatically granted.
-#
-# Leave as 'none' to not require any password, i.e. allow anything.
-# If createOrEditUser=false this will require the user to be pre-registered and the password in the request will
-# be used to authenticate this user with the pre-registered password.
-#
-# If createOrEdit=false and authPwd=none you can also use Approvals in EJBCA to require an administrator to
-# approve the request in the CA Admin-GUI before a certificate is issued.
-scep.ra.authPwd=none
-
-# Which generation scheme should be used, RANDOM, DN or USERNAME for base username. FIXED to have a fixed username.
-# Random will generate a 12 character long random username.
-# DN will take a part of the request DN, which part is defined by cmp.ra.namegenerationparameters, and use as the username.
-# USERNAME will use the request DN as username.
-# If the same username is constructed (for example UID) as an already existing user, the existing user will be modified with
-# new values for profile etc, and a new certificate will be issued for that user.
-#
-# Default: DN
-scep.ra.namegenerationscheme=DN
-
-# Parameters for name generation, for DN it can be for example CN, UID or SN.
-# Either the CN or the UID from the request can be used.
-# You can add several in order to have fall-back in case the first does not exist in the DN, for example UID;SN;CN. First try UID,
-#if it does not exist try SN (SerialNumber) etc.
-# For FIXED namegenerationscheme the username will be the value specified here.
-#
-# Default: CN
-scep.ra.namegenerationparameters=CN
-
-# Prefix to generated name, a string that can contain the markup ${RANDOM} to insert 10 random chars.
-# Example: 'MyPrefix - ${RANDOM}-' using RANDOM password generation will create a username like 'MyPrefix - DGR89NN54QW-GDHR473NH87Q
-#
-# Default: empty
-#scep.ra.namegenerationprefix=
-
-# Postfix to generated name, a string that can contain the markup ${RANDOM} to insert 10 random chars.
-# Example: MyPostfix - ${RANDOM}
-#
-# Default: empty
-#scep.ra.namegenerationpostfix=
-
-# Defines if a request to the RA will create a new user, or edit an existing in EJBCA. If false users must be
-# pre-registered in EJBCA with a pwd.
-# Note that even when the SCEP request is sent to the RA specific URL, if this option is set to 'false', no users will be added or edited
-#
-# Default: false
-scep.ra.createOrEditUser=true
-
-# The Certificate profile used to register new SCEP users, if createOrEditUser=true.
-scep.ra.certificateProfile=ENDUSER
-
-# The End entity profile used to register new SCEP users, if createOrEditUser=true.
-scep.ra.entityProfile=EMPTY
-
-# The default CA used to register new SCEP users, if createOrEditUser=true.
-scep.ra.defaultCA=ScepCA
-
-# Mapping a CAs issuer DN (as from the Admin-GUI->Edit CAs), which will be
-# received from the client to a CA name.
-# This is used to find a CA from the request. If no CA can be found with a mapping, the defaultCA is used.
-# You can create several mappings for different CAs like this.
-# This is only used by the External RA SCEP Server, i.e. because there is no database with CAs to look in.
-# In the SCEP server in the CA the CAName is looked up in the CA database, but in the External RA server there is no other
-# information about CAs.
-# Note that all =, : or whitespace must be escaped with a \. See example below.
-CN\=Scep\ CA,O\=EJBCA\ Sample,C\=SE=ScepCA
-
-# Database connection information. The right JDBC driver has to be installed manually in the application server.
-# SQL dialect is derived from the JDBC URL.
-# Default: jdbc:mysql://127.0.0.1/messages
-#scep.ra.datasource.jdbc-url=jdbc:mysql://127.0.0.1/messages
-
-# JDBC driver classname.
-# The JEE server needs to be configured with the appropriate JDBC driver for the selected database
-# Default: com.mysql.jdbc.Driver
-#externalra-database.driver=org.mariadb.jdbc.Driver
-#externalra-database.driver=com.mysql.jdbc.Driver
-#externalra-database.driver=org.postgresql.Driver
-#externalra-database.driver=org.hsqldb.jdbcDriver
-#externalra-database.driver=oracle.jdbc.driver.OracleDriver
-#externalra-database.driver=com.ibm.db2.jcc.DB2Driver
-
-# Username for database connection.
-# Default: ejbca
-#scep.ra.datasource.username=ejbca
-
-# Password for database connection.
-# Default: ejbca
-#scep.ra.datasource.password=ejbca
diff --git a/conf/systemtests.properties.sample b/conf/systemtests.properties.sample
index 6288602c020..49db3c8f778 100644
--- a/conf/systemtests.properties.sample
+++ b/conf/systemtests.properties.sample
@@ -59,3 +59,8 @@
#pkcs11.token2_number=2
#pkcs11.token2_label=TEST1
#pkcs11.token2_index=i1
+
+# Uncomment the following line to redact logs generated during test runs. The default value is false.
+#enable.log.redact=true
+# Absolute file name of the server log file. Default value is "/opt/wildfly/standalone/log/server.log". This is only relevant for testing PII redaction in server logs.
+#server.log.path=
diff --git a/conf/web.properties.sample b/conf/web.properties.sample
index 16d71a7626f..574555c9370 100644
--- a/conf/web.properties.sample
+++ b/conf/web.properties.sample
@@ -31,7 +31,7 @@ superadmin.dn=CN=${superadmin.cn}
# Choose a good password here.
superadmin.password=ejbca
-# Set this to false if you want to fetch the certificate from the EJBCA public web pages, instead of
+# Set this to false if you want to enroll the certificate from the EJBCA RA GUI pages, instead of
# importing the P12-keystore. This can be used to put the initial superadmin-certificate on a smart card.
superadmin.batch=true
@@ -56,6 +56,9 @@ httpsserver.dn=CN=${httpsserver.hostname},O=EJBCA Sample,C=SE
# Default: set automatically, so no need to change this property unless you want something specific.
#httpsserver.an=dnsName=${httpsserver.hostname}
+# Desired token type for the SSL server certificate: P12, JKS. default value is P12
+httpsserver.tokentype=P12
+
# END: Installation settings.
# The public port JBoss will listen to http on
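Review bot: `httpsserver.tokentype=P12` is added as an active setting even though its value is the documented default, while `#httpsserver.an` directly above is commented out; if the sample's intent is to show the default, `#httpsserver.tokentype=P12` is the more consistent form. The comment should also be precise about what the value selects and use a consistent register, e.g. `# Keystore type for the TLS server certificate: P12 or JKS. Default: P12`; noting that JKS is a legacy Java keystore format would help readers choose.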
@@ -115,34 +118,12 @@ httpsserver.dn=CN=${httpsserver.hostname},O=EJBCA Sample,C=SE
# Default: true
#web.reqcertindb=true
-# Enforce secure authentication by client TLS certificate to access the Admin GUI.
+# Enforce secure authentication by client TLS certificate or OAuth token to access the Admin GUI.
# WARNING: Disabling this is a really good way to get completely pwnd/hacked/compromised and render any support contract invalid.
-# Note that this is different from web.reqcertindb, which still requires a client certificate by a trusted CA.
+# NOTE: If your existing configuration uses the earlier "web.reqcert" setting, it can still be used, however it is
+# deprecated in newer versions. For new installations ONLY "web.reqauth" should be used.
# Default: true
-#(Read the warning!)web.reqcert=true
-
-# Allow users to self-register on public web, by entering their information.
-# This creates an approval request for the admin.
-# Default = false
-#web.selfreg.enabled=false
-
-# Certificate types to make available for the user
-#web.selfreg.defaultcerttype=1
-#web.selfreg.certtypes.1.description=User certificate
-#web.selfreg.certtypes.1.eeprofile=SOMEPROFILE
-#web.selfreg.certtypes.1.certprofile=ENDUSER
-
-# Optional: Instead of asking the user for a username, EJBCA can generate
-# the username from a field in the subject DN
-#web.selfreg.certtypes.1.usernamemapping=CN
-
-# Optional: Prefix to add before the username
-#web.selfreg.certtypes.1.usernameprefix=Example_
-
-# Deploy the request browser certificate renewal web application and show a
-# link to it from the EJBCA public web.
-# Default = false
-#web.renewalenabled=false
+#(Read the warning!)web.reqauth=true
# Whether it should be possible to manually specify a custom class name in
# the admin web (e.g. for a custom Publisher or Service), or if the choice
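Review bot: The replacement note says an existing `web.reqcert` setting "can still be used" but not which value wins when both `web.reqcert` and `web.reqauth` are present, and that precedence decides whether the Admin GUI is reachable without client-certificate or OAuth authentication; state it explicitly, e.g. `# If both are set, web.reqauth takes precedence.` (or the reverse, whichever the code does — not determinable from this hunk). The deleted sentence distinguishing this setting from `web.reqcertindb` was useful, since `web.reqcertindb` is still documented directly above; consider keeping it in the new text.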
@@ -189,21 +170,34 @@ httpsserver.dn=CN=${httpsserver.hostname},O=EJBCA Sample,C=SE
# Default: false
#web.log.adminforwardedip=true
+# Allows to provide an alternative Content-Security-Policy header's value
+#web.header.content_security_policy=default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; frame-src 'self'; font-src 'self'; connect-src 'self'; form-action 'self'; reflected-xss block
+
# Available PKCS#11 CryptoToken libraries and their display names
# If a library file's presence is not detected it will not show up in the Admin GUI.
# Default values (see src/java/defaultvalues.properties for most up to date values):
-#cryptotoken.p11.lib.10.name=SafeNet ProtectServer Gold Emulator
+#cryptotoken.p11.lib.10.name=Thales ProtectServer 2 Emulator
#cryptotoken.p11.lib.10.file=/opt/ETcpsdk/lib/linux-x86_64/libctsw.so
-#cryptotoken.p11.lib.11.name=SafeNet ProtectServer Gold
+#cryptotoken.p11.lib.11.name=Thales ProtectServer 2
#cryptotoken.p11.lib.11.file=/opt/ETcpsdk/lib/linux-x86_64/libcryptoki.so
-#cryptotoken.p11.lib.20.name=SafeNet Luna SA
+#cryptotoken.p11.lib.12.name=Thales ProtectServer 2 Emulator
+#cryptotoken.p11.lib.12.file=/opt/safenet/protecttoolkit5/ptk/lib/libctsw.so
+#cryptotoken.p11.lib.13.name=Thales ProtectServer 2
+#cryptotoken.p11.lib.13.file=/opt/safenet/protecttoolkit5/ptk/lib/libcryptoki.so
+#cryptotoken.p11.lib.14.name=Thales ProtectServer 3 Emulator
+#cryptotoken.p11.lib.14.file=/opt/safenet/protecttoolkit7/ptk/lib/libctsw.so
+#cryptotoken.p11.lib.15.name=Thales ProtectServer 3
+#cryptotoken.p11.lib.15.file=/opt/safenet/protecttoolkit7/ptk/lib/libcryptoki.so
+#cryptotoken.p11.lib.20.name=Thales Luna SA
#cryptotoken.p11.lib.20.file=/usr/lunasa/lib/libCryptoki2_64.so
-#cryptotoken.p11.lib.21.name=SafeNet Luna PCI
+#cryptotoken.p11.lib.21.name=Thales Luna PCI
#cryptotoken.p11.lib.21.file=/usr/lunapci/lib/libCryptoki2_64.so
-#cryptotoken.p11.lib.22.name=SafeNet Luna PCI
+#cryptotoken.p11.lib.22.name=Thales Luna PCI
#cryptotoken.p11.lib.22.file=/Program Files/LunaPCI/cryptoki.dll
-#cryptotoken.p11.lib.23.name=SafeNet Luna Client
+#cryptotoken.p11.lib.23.name=Thales Luna Client
#cryptotoken.p11.lib.23.file=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
+#cryptotoken.p11.lib.24.name=Thales DPoD
+#cryptotoken.p11.lib.24.file=/opt/thales/dpodclient/libs/64/libCryptoki2.so
#cryptotoken.p11.lib.30.name=Utimaco
#cryptotoken.p11.lib.30.file=/opt/utimaco/p11/libcs2_pkcs11.so
#cryptotoken.p11.lib.31.name=Utimaco
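Review bot: The sample Content-Security-Policy value includes `reflected-xss block`, a directive that was dropped from the CSP specification and is ignored by current browsers, and its `script-src` carries both `'unsafe-inline'` and `'unsafe-eval'`, which removes most of the protection a CSP offers against script injection in the Admin UI. The comment should say whether this string is the built-in default or only an example (not visible here), and that tightening `script-src` may break Admin UI pages that rely on inline scripts, so administrators can judge the trade-off. The comment wording itself could read `# Optional: override the value of the Content-Security-Policy response header sent by the web UIs`.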
@@ -212,7 +206,7 @@ httpsserver.dn=CN=${httpsserver.hostname},O=EJBCA Sample,C=SE
#cryptotoken.p11.lib.32.file=/etc/utimaco/libcs2_pkcs11.so
#cryptotoken.p11.lib.33.name=Utimaco
#cryptotoken.p11.lib.33.file=C:/Program Files/Utimaco/SafeGuard CryptoServer/Lib/cs2_pkcs11.dll
-#cryptotoken.p11.lib.40.name=Thales
+#cryptotoken.p11.lib.40.name=nCipher
#cryptotoken.p11.lib.40.file=/opt/nfast/toolkits/pkcs11/libcknfast.so
#cryptotoken.p11.lib.50.name=ARX CoSign
#cryptotoken.p11.lib.50.file=C:/windows/system32/sadaptor.dll
@@ -256,11 +250,32 @@ httpsserver.dn=CN=${httpsserver.hostname},O=EJBCA Sample,C=SE
#cryptotoken.p11.lib.112.file=/etc/utimaco/libcs_pkcs11_R2.so
#cryptotoken.p11.lib.113.name=Cavium Nitrox III
#cryptotoken.p11.lib.113.file=/home/liquidsec_bin/lib/libliquidsec_pkcs11.so
-#cryptotoken.p11.lib.114.name=AWS CloudHSM
-#cryptotoken.p11.lib.114.file=/opt/PrimeKey/cloudhsm/lib/libliquidsec_pkcs11.so
+#cryptotoken.p11.lib.115.name=AWS CloudHSM
+#cryptotoken.p11.lib.115.file=/opt/cloudhsm/lib/libcloudhsm_pkcs11.so
+#cryptotoken.p11.lib.116.name=Utimaco R3
+#cryptotoken.p11.lib.116.file=/opt/utimaco/lib/libcs_pkcs11_R3.so
#cryptotoken.p11.lib.120.name=YubiHSM2
#cryptotoken.p11.lib.120.file=/usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
-
+#cryptotoken.p11.lib.130.name=Trident HSM
+#cryptotoken.p11.lib.130.file=/usr/lib/x86_64-linux-gnu/libmpcm-pkcs11.so
+#cryptotoken.p11.lib.131.name=Trident HSM
+#cryptotoken.p11.lib.131.file=/usr/lib64/libmpcm-pkcs11.so
+#cryptotoken.p11.lib.132.name=Primus HSM
+#cryptotoken.p11.lib.132.file=/usr/local/primus/lib/libprimusP11.so
+#cryptotoken.p11.lib.133.name=Primus HSM
+#cryptotoken.p11.lib.133.file=/opt/primus/lib/libprimusP11.so
+#cryptotoken.p11.lib.135.name=GCP KMS P11
+#cryptotoken.p11.lib.135.file=/opt/gcp/libkmsp11-1.1-linux-amd64/libkmsp11.so
+#cryptotoken.p11.lib.140.name=IBM HPCS P11
+#cryptotoken.p11.lib.140.file=/opt/grep11/pkcs11-grep11-amd64.so
+#cryptotoken.p11.lib.145.name=IronCap ICC
+#cryptotoken.p11.lib.145.file=/opt/ironcap/lib/libsofthsm2.so
+#cryptotoken.p11.lib.150.name=FutureX
+#cryptotoken.p11.lib.150.file=/opt/fxpkcs11/x64/OpenSSL-3.x/libfxpkcs11.so
+#cryptotoken.p11.lib.155.name=Crypto4A QxHSM
+#cryptotoken.p11.lib.155.file=/usr/local/share/lib/c4a-pkcs11/libpkcs11rest.so
+#cryptotoken.p11.lib.156.name=Crypto4A QxHSM
+#cryptotoken.p11.lib.156.file=C:/Windows/System32/Pkcs11REST.dll
#
# You can add your own values with an available number, or override numbers from defaults...
@@ -278,8 +293,8 @@ httpsserver.dn=CN=${httpsserver.hostname},O=EJBCA Sample,C=SE
# If you would like to restrict the capabilities, you can use the following property:
# (for a capability that is disabled you have the chance to specify a message that may be displayed in the GUI)
# canGenerateKey can be used to disable key generation in the Web UI, if this does not work properly (typically due to limited p11 support)
-#cryptotoken.p11.lib.114.canGenerateKey=false
-#cryptotoken.p11.lib.114.canGenerateKeyMsg=ClientToolBox must be used to generate keys on AWS CloudHSM
+#cryptotoken.p11.lib.135.canGenerateKey=false
+#cryptotoken.p11.lib.135.canGenerateKeyMsg=The GCP Console must be used to generate keys on GCP Cloud KMS
# Available PKCS#11 CryptoToken attribute files and their display names
# Use if the default PKCS#11 attributes are not good for the PKCS#11 module and if needs specific attributes
@@ -289,12 +304,43 @@ httpsserver.dn=CN=${httpsserver.hostname},O=EJBCA Sample,C=SE
#cryptotoken.p11.attr.255.name=
#cryptotoken.p11.attr.255.file=
+# PQC algorithms can be enabled in the Admin UI
+# Only for testing until officially standardized
+# Default: true (enabled)
+#cryptotoken.pqc.enabled=true
+
#
# Enable usage of Azure Key Vault Crypto Token in the Admin UI
-# Default: false (not enabled)
+# Default: true (enabled)
#keyvault.cryptotoken.enabled=true
#
# Enable usage of AWS KMS Crypto Token in the Admin UI
-# Default: false (not enabled)
+# Default: true (enabled)
#awskms.cryptotoken.enabled=true
+
+#
+# Enable usage of Fortanix DSM Crypto Token in the Admin UI
+# Default: true (enabled)
+#fortanix.cryptotoken.enabled=true
+
+#
+# Enable usage of P11NG Crypto Token in the Admin UI
+# Default: true (enabled)
+#p11ng.cryptotoken.enabled=true
+
+#
+# Utimaco CP5 specific functions are disabled in the Admin UI
+
+#
+# Enable usage of SunP11 Crypto Token in the Admin UI
+# Default: true (enabled)
+#sunp11.cryptotoken.enabled=false
+
+#
+# Enable usage of legacy RA API for EST. Only needed if this is a CA that
+# accepts EST requests from an RA older than version 7.4.1.1, 7.4.3 or 7.5.0.
+# This legacy API does not check the access rules of the peer connector, i.e.
+# domain security restrictions (such as restricted CAs) of the RA peer are not enforced.
+# Default: false (not enabled)
+#raapi.legacyest.enabled=true
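Review bot: The stanza `# Utimaco CP5 specific functions are disabled in the Admin UI` has no property beneath it, unlike every other stanza in this hunk, so it reads as a truncated entry; either add the property it describes or reword it as a plain statement, e.g. `# Note: Utimaco CP5 specific functions are not available in the Admin UI.` The SunP11 entry states `Default: true (enabled)` yet its example line is `#sunp11.cryptotoken.enabled=false`, while all sibling entries show their default value; if the intent is to show how to disable it, say so, otherwise use `#sunp11.cryptotoken.enabled=true`. The `raapi.legacyest.enabled` comment is a good model because it spells out the access-control consequence of enabling the option; the PQC entry would benefit from the same, since `Only for testing until officially standardized` combined with `Default: true` leaves the operational impact of the default unstated.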
diff --git a/doc/README b/doc/README
deleted file mode 100644
index 5c16812ab31..00000000000
--- a/doc/README
+++ /dev/null
@@ -1,19 +0,0 @@
-This software is OSI Certified Open Source Software. OSI Certified is a certification mark of the Open Source Initiative.
-EJBCA is licensed under the LGPL license, please see licenses/LICENSE.
-
-Documentation
--------------
-The main documentation for EJBCA is hosted on PrimeKey's internal Confluence server, from which it is exported and distributed in the docs/dist
-directory in official releases. You can access it either from the link in the UI (deployed on the application server) or directly using
-docs/dist/index.html
-
-In addition, the docs directory contains additional material:
-- howto contains howtos for various things, such as databases, application servers, smart card login etc.
-- ldapschema contains an addition to the standard ldap schema in order to support devices with certificates.
-- licenses contains the license for EJBCA and depending projects.
-
-
-Release Notes and Upgrade Instructions
--------------------------
-In this directory you previously found release notes and upgrade instructions. These have since EJBCA 6.12 been shifted over to our main
-documentation.
diff --git a/doc/dist/EJBCA.html b/doc/dist/EJBCA.html
index e7e39e33add..66d7ed13e85 100644
--- a/doc/dist/EJBCA.html
+++ b/doc/dist/EJBCA.html
@@ -13,10 +13,14 @@
+
+
+
+
@@ -84,7 +88,7 @@
Secure mobile networks, i.e. 3GPP/LTE/4G using the CMP protocol.
-
Counterfeit prevention by signing and pairing accessories.
-
PKI for the Internet of Things (IoT PKI). Unique identities for each IoT device, certificate authentication for TLS/DTLS, Code Signing. Need hundreds of millions of certificates fast? EJBCA will handle it.
-
Mobile Device Management (MdM) and Enterprise Mobility Management (EMM).
-
Issue citizen certificates for access to government resources, used in passports etc.
-
ePassport PKI. CSCA and Document Signers, CVCAs, DVs and CV certificates (CVC) to Document Verifiers and Inspection Systems for EAC ePassports, eIDs and eDL.
-
... and many many more ...
-
-
-
- You can also use EJBCA to set up a CA independent, high performance, highly available OCSP responder service.
-
-
-
- The cert-cvc library handles CVC certificates for EU EAC ePassport PKIs and the current release is
- feature complete for EU EAC ePassports using all algorithms.
-
- The library is freely usable under the LGPL 2.1 (or later) license for all parties interesting
- in handling CVC certificates, in particular for EU EAC ePassports.
- The cert-cvc library was donated to the open source by the Swedish National Police Board.
-
-
-
-
We all agree on the need for
-security. However, there are many ways to achieve different levels of
-security. The purpose of this Web page is to outline the needs of SensorNet,
-to explain how certificates meet these needs, and to guide you through the certificate
-issuing and use process.
Why are certificates the best SensorNet security solution?
-
-
-
-
-
What are the threats?
-
-
-
-
The general threats to security
-are well known, but we reiterate them here because it is necessary to
-keep them in mind when proposing a security
-solution.
-
-
Confidentiality – Protection of information from disclosure
-to unauthorized entities
-
Integrity – Prevention of unauthorized changes to
-information
-
Availability – Ability to access a resource whenever needed
-
Non-repudiation – Confidence that a message was sent by a
-certain party or device and not an impostor
-
Authentication – Is the person (or device) who he (it)
-claims to be?
-
Authorization – Is the subject allowed to access a
-particular object or to perform a particular operation?
-
-
-
-
-
-
Because SensorNet is a vital
-component of Homeland Security, it is necessary to implement a viable
-security solution that provides strong proof of identity and contains
-the encryption tools and information necessary to provide protection
-from most of these threats. SensorNet has decided to implement a
-Public/Private Key Certificate infrastructure. Initially this will be
-done via software, but soon will be converted to hardware-based tokens.
-This Public Key Infrastructure (PKI) has several advantages:
-
-
-
-
Flexibility
-The security system should be able to protect all of our resources as
-well as implementing security policies that are more sophisticated than
-mere file-access restrictions.
-
-
-
-
User
-friendliness
-Using a system with good security should be about as easy as using one
-without security.
-
-
-
-
Scalability
-Solutions should scale well as more facilities or users are added to
-SensorNet
-
-
-
-
Uniformity
-The solutions should look the same (but may have differing properties)
-across SensorNet
-
-
-
-
Collaboration
-Things that encourage the collaboratory aspects of SensorNet should be
-encouraged.
-
-
-
-
Conformance
-to standards
-PKI is a mature tool set supported on all platforms in an
-interchangeable manner.
-
-
-
-
-
-
-
-
-
A short course on certificates
-
-
-
-
-
Identity certificates
-
-
-
-
Currently there are three
-certificates involved in each secure Web transaction.
-
-
Server certificate: Attests to the identity of the Web
-server owner.
-
Client certificate: Attests to the identity of the Web user
-(customer).
-
Certificate authority certificate: Attests to the identity
-of the certificate authority (CA) that signed the server and client
-certificates.
-
-
-
-
-
In principal, there is a root CA
-certificate that is self signed and that everyone trusts. If the root
-CA certificate is compromised, the whole certificate structure falls
-apart. It is perhaps a philosophical issue, but the original goal of a
-certificate authority hierarchy, which would allow each certificate to
-be traced up to the root CA, was never established because the notion
-of an identity does not scale well. In a small community, everyone
-knows everyone else so the binding of a name to an identity is not
-difficult. However, if your friend John Smith moved to New York City,
-it will be very difficult to know which John Smith in the telephone
-book is your friend. Fortunately, the SensorNet community is smaller
-and most users will have government-issued credentials to vouch for
-their identities, so we can be confident of identities. For SensorNet,
-less formal measures are called for. SensorNet is its own root CA and
-has self signed the SensorNetCA certificate (in the name of SensorNet).
-Due care is taken to keep the CA computer backed up and locked up in a
-secure location. This is the correct thing to do because for our
-purposes, we trust ourselves more than we trust an external CA such as
-VeriSign.
-
-
-
-
The format for identity
-certificates is spelled out in the PKI (public key infrastructure)
-specifications called X.509. Currently, the certificates we issue
-correspond to the latest, version 3 specification. These certificates
-bind an identity in the real world to a public key. For our purposes,
-our unique identity is specified by what is called a distinguished name
-(DN) which is composed of a person's real name, country, organization,
-organizational unit, city, state, and e-mail address. However, since
-certificates can also be issued to computers and other non-human
-entities, the notion of an identity is actually broader and fuzzier
-than might be ideal. An X.509v3 certificate allows a certificate holder
-to create a digital signature, to use the keys for encryption, to
-create S/MIME e-mail, and to sign trusted objects (e.g., Active-X
-controls). These privileges are actually delegated separately by
-different bits in the certificate's extensions. The contents of my
-SensorNet certificate show that I can use my certificate as an SSL
-client, for secure E-mail, and for object signing.
-
-
-
-
-
-
-
-
-
Uses of identity
-certificates
-
-
-
-
Once you have an identity
-certificate, what good is it? Here are some of the things you can do
-with your certificate:
-
-
-
-
Secure Web access
-Identity certificates allow user-friendly, secure access to a Web site
-with strong authentication. Modern Web servers (Netscape, IIS, Apache)
-can all be set up to require client certificates for site access. Out
-of the box, it is trivial to configure the server to accept only
-SensorNet certificates, so that anyone with a valid SensorNet
-certificate will be authenticated securely and can use SSL for secure
-access. No user ids and passwords are required. However, once per
-browser session, the user will have to unlock his private certificate
-key with a local password. The SensorNet CA web site is set up this way
-on a Tomcat server. To access this server, go to [link removed].
-
-
-
-
Access to a site can also be
-controlled by using "basic" authentication — user ids and passwords.
-There are several problems with this
-approach. The biggest problem is that this solution does not scale
-well. If a new user is added and we used basic authentication, we would
-have to enroll the user separately at each server. Then there is the
-problem of allowing the user to securely set his password on each of
-these machines, especially if you do not want to give the user a login
-account on the machine (an invitation to a security breach). With
-SensorNet issued certificates, new users are automatically granted
-access to all SensorNet sites requiring certificates for access.
-
-
-
-
Passwords also present several
-security problems. If the host computer gets hacked, the (hashed)
-password file may become compromised (thus allowing offline brute force
-attacks) requiring that all users get new passwords. This has proved to
-be a logistical problem. Passwords can be easily sniffed if the user's
-computer gets hacked, and
-good passwords are hard to remember and thus get written down on
-sticky notes attached to the computer for all to see. There is also
-generally no restriction to the number of times that a password-based
-Web access pop up can fail (or else there could be easy denial of
-service attacks). Therefore, access via user id and password is subject
-to password guessing attacks.
-
-
-
Digital signatures
-Client certificates allow users to sign things, solving the
-authenticity security requirement. It is very easy to spoof E-mail, so
-it is good practice to sign all electronic communications. The PGP
-community has been routinely signing all their mail for years, but I
-feel that the X.509 solution scales better and more user friendly than
-PGP.
-
-
-
-
PGP uses identity certificates
-also. However, PGP certificates are not signed by a CA. They are signed
-by your friends and acquaintances, or other people who vouch for your
-identity. This is called the "web of trust" model. X.509 certificates
-are signed by a CA that presumably you trust. There is much less
-baggage associated with X.509 because you do not have to go to key
-signing parties to get your PKI key well validated -- That is the
-function of the CA.
-
-
-
-
Cyber identity
-Your public key is your cyber identity. It can be used in other
-contexts to grant you authority to do things. The concept of authority
-certificates is the basis for the SPKI (simple public key
-infrastructure) that is currently in an IETF draft. See http://theworld.com/~cme/html/spki.html.
-Provided that you can access your private key to unlock your
-certificate (to prevent spoofing), extremely complicated security
-policies can be implemented using a collection of authorization
-certificates.
-
-
-
-
S/MIME e-mail
-S/MIME is a specification for secure electronic messaging. In 1995,
-several software vendors got together and created S/MIME to solve a
-very real problem -- interception and forgery of e-mail. Protecting
-sensitive data is a real concern, especially in a world that is becoming
-increasingly more wired. The goal of S/MIME is to make it easy to
-secure messages from prying eyes. Since its creation, S/MIME has come a
-long way. Most mail clients support S/MIME encrypted and signed e-mail.
-All of the major industry players have also agreed to support the
-S/MIME standard. Again, sending secure e-mail is like practicing
-safe sex — you need to do it. Yes, not everything you send needs to be
-encrypted. However, it is very easy to intercept e-mail and to modify
-it. A malicious entity can put damaging words into your innocent
-e-mail. In today's world, security by obscurity does not work any more.
-
-
-
-
Object signing
-To combat the threat of computer viruses, executable code is now being
-signed to prove its authenticity and integrity. Java applets and
-Active-X controls are examples of the types of things that should be
-signed. If we create code that runs on a user's machine, it should be
-signed for both the user's peace of mind and for our legal protection.
-Various PKI tools allows you to use SensorNet Client Certificates for
-code signing.
-
-
-
-
-
-
-
-
-
Certificate Authority
-enrollment
-
-
-
-
-
Certificate authorities create,
-verify, renew, revoke, and reissue certificates. We are now using the
-Enterprise Java Bean Certificate Authority (EJBCA) via a secure (https)
-SSL connection. You may access the SensorNet Certificate Server at [link removed].
-
-
-
-
Because we wish to tightly
-control who gets a SensorNet certificate, you will receive an
-invitation to get a SensorNet certificate. This will come by e-mail or
-surface mail. It is vital that you
-import your certificate on a properly secured computer.
-This means up-to date security patches, anti-virus, and anti-pest
-programs. Otherwise, your private key will be at risk, and security
-will be compromised. We strongly recommend that you use Mozilla,
-Firefox, or Netscape 7.x because they handle certificates much better
-than Internet Explorer and have many fewer security holes.
-
-
-
-
-
- Certificate
-Import for Netscape/Mozilla/Firefox
-
-
-
Open the URL in your mail
-message to see the screen in Figure 1.
-
-
-
-
- Figure 1.
-
-
-
-
-
-
-
-
Click the "for your browser" link and enter the
-username and password that were in your e-mail (Figure 2), and click OK to generate your key pair.
-
-
-
-
- Figure 2.
-
-
-
-
-
-
-
-
- Figure 3.
-
-
-
-
-
-
-
-
When the key generation is
-finished, in Mozilla/Netscape, you are done. Do not press the OK Button a second time! Mozilla
-may ask you to create a password to protect your key store. Choose a
-good password (at least 8 characters containing letters, numbers,
-special characters and no dictionary words) and remember it. You will
-have to supply this password whenever the certificate is used. Mozilla
-uses this same password to protect other sensitive information you ask
-the browser to save, such as site passwords. Now learn to manage your
-certificates in Mozilla.
-
-
-
-
-
Certificate
-Import for Internet Explorer 6
-
-
-
-
If you used Internet Explorer 6
-(IE6), the situation is different (Figure 4). Be sure to choose the
-Microsoft enhanced Cryptographic Provider v1.0 in the drop-down box.
-When you click OK, the "Creating a new RSA exchange key" pop-up will
-appear. It is essential that you
-press the "Set Security Level" button. Otherwise, your private
-key will not be protected by a password. Be sure to choose the High
-security level.
-
-
-
-
-
-
-
-
-
-
-
Figure
-4.
-
-
-
-
-
-
-
-
-
You will then be asked for a
-password to protect your certificate and then make sure that the "Creating a new Exchange key" dialog
-shows that the protection level is set to High (Figure 5). If you have XP
-Service Pack 2, several warning pop-ups may appear about allowing
-untrusted sites to install certificates. You trust us, so check OK if they appear.
-
-
-
-
-
-
-
-
- Figure 5.
-
-
-
-
-
-
-
-
The import process is now
-complete (Figure 6).
-
-
-
-
-
-
-
-
- Figure 6.
-
-
-
-
-
-
-
-
-
Certificate
-Import for Internet Explorer 7
-
-
-
The certificate import process has changed
- for Internet Explorer version 7 (IE7). Open the URL in the e-mail message
- and you will see the screen in Fig. 7.
-
-
-
-
-
Figure 7
-
-
-
-
Choose the for your browser link
- and you will see Fig. 8. Enter your user name and password (from the
- e-mail) and click OK.
-
-
-
-
-
Figure 8
-
-
-
-
You will then get numerous warnings about
- allowing Active-X controls, running add-ons, and resending the page contents
- (Fig. 9). Click OK for Active-X, Retry to redisplay the page, and click
- the yellow top panel to run the Microsoft Certificate Enrollment Control.
-
-
-
-
-
Figure 9
-
-
-
The Web page (Fig. 10) then allows you
- to select the key size in the certificate. Choose 2048 or higher if you
- can do
- so. Click OK to start the certificate generation process.
-
-
-
-
Figure 10
-
-
-
Ignore the warning about a potential scripting
- violation (Fig. 11). Click yes to accept the certificate.
-
-
-
-
-
-
Now (very
- important!) be sure to set the
- security level to high (Fig 12) by clicking the Set Security Level button.
-
-
-
-
-
Figure 12
-
-
-
-
When you set the security level to High,
- you will be asked for a password to protect your certificate (Fig. 13).
- Be sure to remember it.
-
-
-
-
-
Figure 13
-
-
-
-
You will then get a popup saying that
- the certificate was imported, and the Browser page will tell you where
- to go to see it (Fig. 14).
-
-
-
-
-
-
-
-
-
Figure 14
-
-
-
-
Navigate in the browser to look at your
- certificate. You will see your client certificate store as shown in Fig.
- 15.
-
-
-
-
-
Figure 15
-
-
-
-
Select your certificate and click the
- Advanced button. Be sure that the Client Authentication usage
- is checked as shown in Figure 16. Then export your certificate as described
- in the next section.
-
-
-
-
-
Figure 16
-
-
-
-
-
-
-
-
Managing certificates
-
-
-
-
Obtaining a certificate is just
-the first step in the process of using a digital certificate. They must
-also be managed. This means
-
-
-
-
-
-
The certificate must be backed up. In order to use certificate-enabled
- applications, your certificate must be available in a file outside
- of the context of the browser.
-
The certificate must be protected with a good password
-
The certificate must be exported from the browser on which
-the certificate was created and imported into other browsers (on other
-computers).
-
Trust must be established for the SensorNet Certificate
-Authority.
-
-
-
-
-
-
The management procedure is
-different, depending upon your platform.
-
In order to use your
-certificates to send and receive secure e-mail using S/MIME, you will
-have to attach to the SensorNet LDAP browser so that you can obtain a
-certificate for the recipients. This is much easier using the mail
-client in Mozilla/Netscape or the stand-alone Thunderbird, than it is
-with Outlook or with Outlook Express. If you are going to do
-secure e-mail, our recommendation is that you use Mozilla/Netscape. We
-provide separate instructions for each platform.
-
-
-
diff --git a/doc/xdocs/site/installations.xml b/doc/xdocs/site/installations.xml
deleted file mode 100644
index 4e97e88a037..00000000000
--- a/doc/xdocs/site/installations.xml
+++ /dev/null
@@ -1,226 +0,0 @@
-
-
-
-
- Reference installations
- View a small sample selection of use cases where EJBCA PKI is installed.
-
-
-
-
-
EJBCA is downloaded thousands of times every month, and is used in thousands of organizations around the world. Ranging from installations in small companies, to
- missions critical installations in multinational companies and governments. If you have a use case for PKI, there is a good chance someone else is already using it for just that.
-
-
-
- PrimeKey has a list of commercial business cases where PrimeKey is involved. This list is continuously growing as we produce new material.
-
-
-
-
This section lists a limited selection of sites where EJBCA have been deployed successfully.
- As any software installations things move around over time, so the number of users etc should be considered an indication, not an absolute number.
-
-
- If you would allow us to present you on the list of reference installations, please contact us.
-
Solution 1: Internal CA. Operational since 2002. Using EJBCA to authenticate users for access to internal web services and email both from internal network and from internet. Issues both smart cards (using PrimeCard) and soft tokens to users.
-
Count of Users: Less than 100
-
Solution 2: External CA. Operational since 2004. Using EJBCA for partners and demo purposes. Each partner have their own SubCA and all CAs uses smart card HSM for protection of CA private keys. Issues both smart cards (using PrimeCard or manual enrollment using different CSPs) and soft tokens to users.
-
Count of Users: Less than 100
-
-
-
-
-
-
-
-
Location: France
-
Installed by: Linagora S.A with support from PrimeKey Solutions AB
-
Trade of Industry: Defence (Public Sector)
-
Solution: Operational since april 2005. Backup PKI infrastructure. Uses nCipher HSM for CA key storage at root CA, and have several sub CAs. Issues soft tokens (pkcs12) to users using browsers and email clients.
Solution: Operational since october 2005. 3 CA and 1 sub CA. Issues soft tokens (pkcs12) for servers, issues certificates to users using browsers for authentication.
Solution: Pilot installation. Operational since dec 2004. Using EJBCA for issuing digital certificates. In combination with smart cards. Advanced setup with smart cards used for login to Active Directory infrastructure, browsers and email clients. Special use is key backup and recovery.
Solution 1: Pilot installation. Operational since 2005. Using EJBCA for issuing certificates for VPN purposes.
-
Solution 2: Production installation. Operational since 2005. Using EJBCA for issuing certificates for Microsoft Logon Certificates.
-
Count of Users: Up to 25000 users
-
-
-
-
-
-
-
-
Organization: ZhuHai Local Taxation Bureau
-
Location: ZhuHai city, GuangDong province, China
-
Trade of Industry: Govermental authority (Taxation)
-
Solution: Operational since 2003. Use EJBCA as user database for Websphere. Login to application with forms and XML-signatures created using smart cards with certificates from EJBCA.
-
Count of Users: Up to 25000 in the first phase. Another 25000 users was added in the second phase 2008.
-
-
-
-
-
-
-
-
Location: Spain
-
Trade of Industry: Health Care (Pharmaceutical area)/Public Sector
-
Solution: Are using EJBCA to generate digital certificates internally and to their customers through a B2B-portal.
Solution: Operational since feb 2003. Uses smart cards issued to employees. Advanced setup with smart cards used for login to Active Directory infrastructure, browsers and email clients. Special use is key backup and recovery.
Solution: Installation certified by ASIMELEC according to ETSI TS 101 456 since 2008-10-13.
- Used for issuing Qualified Certificates for eInvoicing throughout Europe.
-
Count of end entities: Less than 100 in the first phase.
-
-
-
-
-
-
-
-
Organization: Zurich University of Applied Sciences (http://www.zhaw.ch/)
-
Location: Winterthur, Switzerland
-
Trade of Industry: University
-
Installed by: Marc Rennhard, Alexander Horvath
-
Solution: Operational since 2007. Used as a backend for the Institute's (http://init.zhaw.ch) certificate services,
- specially for email encryption. Basically it is operated for research purposes.
-GNU Lesser Public License
-
-Version 2.1, February 1999
-
-Copyright (C) 1991, 1999 Free Software Foundation, Inc.
-59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-Everyone is permitted to copy and distribute verbatim copies
-of this license document, but changing it is not allowed.
-
-[This is the first released version of the Lesser GPL. It also counts
-as the successor of the GNU Library Public License, version 2, hence
-the version number 2.1.]
-Preamble
-
-The licenses for most software are designed to take away your freedom to share
-and change it. By contrast, the GNU General Public Licenses are intended to
-guarantee your freedom to share and change free software--to make sure the
-software is free for all its users.
-
-This license, the Lesser General Public License, applies to some specially
-designated software packages--typically libraries--of the Free Software
-Foundation and other authors who decide to use it. You can use it too, but we
-suggest you first think carefully about whether this license or the ordinary
-General Public License is the better strategy to use in any particular case,
-based on the explanations below.
-
-When we speak of free software, we are referring to freedom of use, not price.
-Our General Public Licenses are designed to make sure that you have the freedom
-to distribute copies of free software (and charge for this service if you wish);
-that you receive source code or can get it if you want it; that you can change
-the software and use pieces of it in new free programs; and that you are
-informed that you can do these things.
-
-To protect your rights, we need to make restrictions that forbid distributors to
-deny you these rights or to ask you to surrender these rights. These
-restrictions translate to certain responsibilities for you if you distribute
-copies of the library or if you modify it.
-
-For example, if you distribute copies of the library, whether gratis or for a
-fee, you must give the recipients all the rights that we gave you. You must make
-sure that they, too, receive or can get the source code. If you link other code
-with the library, you must provide complete object files to the recipients, so
-that they can relink them with the library after making changes to the library
-and recompiling it. And you must show them these terms so they know their
-rights.
-
-We protect your rights with a two-step method: (1) we copyright the library, and
-(2) we offer you this license, which gives you legal permission to copy,
-distribute and/or modify the library.
-
-To protect each distributor, we want to make it very clear that there is no
-warranty for the free library. Also, if the library is modified by someone else
-and passed on, the recipients should know that what they have is not the
-original version, so that the original author's reputation will not be affected
-by problems that might be introduced by others.
-
-Finally, software patents pose a constant threat to the existence of any free
-program. We wish to make sure that a company cannot effectively restrict the
-users of a free program by obtaining a restrictive license from a patent holder.
-Therefore, we insist that any patent license obtained for a version of the
-library must be consistent with the full freedom of use specified in this
-license.
-
-Most GNU software, including some libraries, is covered by the ordinary GNU
-General Public License. This license, the GNU Lesser General Public License,
-applies to certain designated libraries, and is quite different from the
-ordinary General Public License. We use this license for certain libraries in
-order to permit linking those libraries into non-free programs.
-
-When a program is linked with a library, whether statically or using a shared
-library, the combination of the two is legally speaking a combined work, a
-derivative of the original library. The ordinary General Public License
-therefore permits such linking only if the entire combination fits its criteria
-of freedom. The Lesser General Public License permits more lax criteria for
-linking other code with the library.
-
-We call this license the "Lesser" General Public License because it does Less to
-protect the user's freedom than the ordinary General Public License. It also
-provides other free software developers Less of an advantage over competing non-
-free programs. These disadvantages are the reason we use the ordinary General
-Public License for many libraries. However, the Lesser license provides
-advantages in certain special circumstances.
-
-For example, on rare occasions, there may be a special need to encourage the
-widest possible use of a certain library, so that it becomes a de-facto
-standard. To achieve this, non-free programs must be allowed to use the library.
-A more frequent case is that a free library does the same job as widely used
-non-free libraries. In this case, there is little to gain by limiting the free
-library to free software only, so we use the Lesser General Public License.
-
-In other cases, permission to use a particular library in non-free programs
-enables a greater number of people to use a large body of free software. For
-example, permission to use the GNU C Library in non-free programs enables many
-more people to use the whole GNU operating system, as well as its variant, the
-GNU/Linux operating system.
-
-Although the Lesser General Public License is Less protective of the users'
-freedom, it does ensure that the user of a program that is linked with the
-Library has the freedom and the wherewithal to run that program using a modified
-version of the Library.
-
-The precise terms and conditions for copying, distribution and modification
-follow. Pay close attention to the difference between a "work based on the
-library" and a "work that uses the library". The former contains code derived
-from the library, whereas the latter must be combined with the library in order
-to run.
-TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-0. This License Agreement applies to any software library or other program which
-contains a notice placed by the copyright holder or other authorized party
-saying it may be distributed under the terms of this Lesser General Public
-License (also called "this License"). Each licensee is addressed as "you".
-
-A "library" means a collection of software functions and/or data prepared so as
-to be conveniently linked with application programs (which use some of those
-functions and data) to form executables.
-
-The "Library", below, refers to any such software library or work which has been
-distributed under these terms. A "work based on the Library" means either the
-Library or any derivative work under copyright law: that is to say, a work
-containing the Library or a portion of it, either verbatim or with modifications
-and/or translated straightforwardly into another language. (Hereinafter,
-translation is included without limitation in the term "modification".)
-
-"Source code" for a work means the preferred form of the work for making
-modifications to it. For a library, complete source code means all the source
-code for all modules it contains, plus any associated interface definition
-files, plus the scripts used to control compilation and installation of the
-library.
-
-Activities other than copying, distribution and modification are not covered by
-this License; they are outside its scope. The act of running a program using the
-Library is not restricted, and output from such a program is covered only if its
-contents constitute a work based on the Library (independent of the use of the
-Library in a tool for writing it). Whether that is true depends on what the
-Library does and what the program that uses the Library does.
-
-1. You may copy and distribute verbatim copies of the Library's complete source
-code as you receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice and
-disclaimer of warranty; keep intact all the notices that refer to this License
-and to the absence of any warranty; and distribute a copy of this License along
-with the Library.
-
-You may charge a fee for the physical act of transferring a copy, and you may at
-your option offer warranty protection in exchange for a fee.
-
-2. You may modify your copy or copies of the Library or any portion of it, thus
-forming a work based on the Library, and copy and distribute such modifications
-or work under the terms of Section 1 above, provided that you also meet all of
-these conditions:
-
-a) The modified work must itself be a software library.
-
-b) You must cause the files modified to carry prominent notices stating that you
-changed the files and the date of any change.
-
-c) You must cause the whole of the work to be licensed at no charge to all third
-parties under the terms of this License.
-
-d) If a facility in the modified Library refers to a function or a table of data
-to be supplied by an application program that uses the facility, other than as
-an argument passed when the facility is invoked, then you must make a good faith
-effort to ensure that, in the event an application does not supply such function
-or table, the facility still operates, and performs whatever part of its purpose
-remains meaningful.
-
-(For example, a function in a library to compute square roots has a purpose that
-is entirely well-defined independent of the application. Therefore, Subsection
-2d requires that any application-supplied function or table used by this
-function must be optional: if the application does not supply it, the square
-root function must still compute square roots.)
-
-These requirements apply to the modified work as a whole. If identifiable
-sections of that work are not derived from the Library, and can be reasonably
-considered independent and separate works in themselves, then this License, and
-its terms, do not apply to those sections when you distribute them as separate
-works. But when you distribute the same sections as part of a whole which is a
-work based on the Library, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the entire whole,
-and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest your
-rights to work written entirely by you; rather, the intent is to exercise the
-right to control the distribution of derivative or collective works based on the
-Library.
-
-In addition, mere aggregation of another work not based on the Library with the
-Library (or with a work based on the Library) on a volume of a storage or
-distribution medium does not bring the other work under the scope of this
-License.
-
-3. You may opt to apply the terms of the ordinary GNU General Public License
-instead of this License to a given copy of the Library. To do this, you must
-alter all the notices that refer to this License, so that they refer to the
-ordinary GNU General Public License, version 2, instead of to this License. (If
-a newer version than version 2 of the ordinary GNU General Public License has
-appeared, then you can specify that version instead if you wish.) Do not make
-any other change in these notices.
-
-Once this change is made in a given copy, it is irreversible for that copy, so
-the ordinary GNU General Public License applies to all subsequent copies and
-derivative works made from that copy.
-
-This option is useful when you wish to copy part of the code of the Library into
-a program that is not a library.
-
-4. You may copy and distribute the Library (or a portion or derivative of it,
-under Section 2) in object code or executable form under the terms of Sections 1
-and 2 above provided that you accompany it with the complete corresponding
-machine-readable source code, which must be distributed under the terms of
-Sections 1 and 2 above on a medium customarily used for software interchange.
-
-If distribution of object code is made by offering access to copy from a
-designated place, then offering equivalent access to copy the source code from
-the same place satisfies the requirement to distribute the source code, even
-though third parties are not compelled to copy the source along with the object
-code.
-
-5. A program that contains no derivative of any portion of the Library, but is
-designed to work with the Library by being compiled or linked with it, is called
-a "work that uses the Library". Such a work, in isolation, is not a derivative
-work of the Library, and therefore falls outside the scope of this License.
-
-However, linking a "work that uses the Library" with the Library creates an
-executable that is a derivative of the Library (because it contains portions of
-the Library), rather than a "work that uses the library". The executable is
-therefore covered by this License. Section 6 states terms for distribution of
-such executables.
-
-When a "work that uses the Library" uses material from a header file that is
-part of the Library, the object code for the work may be a derivative work of
-the Library even though the source code is not. Whether this is true is
-especially significant if the work can be linked without the Library, or if the
-work is itself a library. The threshold for this to be true is not precisely
-defined by law.
-
-If such an object file uses only numerical parameters, data structure layouts
-and accessors, and small macros and small inline functions (ten lines or less in
-length), then the use of the object file is unrestricted, regardless of whether
-it is legally a derivative work. (Executables containing this object code plus
-portions of the Library will still fall under Section 6.)
-
-Otherwise, if the work is a derivative of the Library, you may distribute the
-object code for the work under the terms of Section 6. Any executables
-containing that work also fall under Section 6, whether or not they are linked
-directly with the Library itself.
-
-6. As an exception to the Sections above, you may also combine or link a "work
-that uses the Library" with the Library to produce a work containing portions of
-the Library, and distribute that work under terms of your choice, provided that
-the terms permit modification of the work for the customer's own use and reverse
-engineering for debugging such modifications.
-
-You must give prominent notice with each copy of the work that the Library is
-used in it and that the Library and its use are covered by this License. You
-must supply a copy of this License. If the work during execution displays
-copyright notices, you must include the copyright notice for the Library among
-them, as well as a reference directing the user to the copy of this License.
-Also, you must do one of these things:
-
-a) Accompany the work with the complete corresponding machine-readable source
-code for the Library including whatever changes were used in the work (which
-must be distributed under Sections 1 and 2 above); and, if the work is an
-executable linked with the Library, with the complete machine-readable "work
-that uses the Library", as object code and/or source code, so that the user can
-modify the Library and then relink to produce a modified executable containing
-the modified Library. (It is understood that the user who changes the contents
-of definitions files in the Library will not necessarily be able to recompile
-the application to use the modified definitions.)
-
-b) Use a suitable shared library mechanism for linking with the Library. A
-suitable mechanism is one that (1) uses at run time a copy of the library
-already present on the user's computer system, rather than copying library
-functions into the executable, and (2) will operate properly with a modified
-version of the library, if the user installs one, as long as the modified
-version is interface-compatible with the version that the work was made with.
-
-c) Accompany the work with a written offer, valid for at least three years, to
-give the same user the materials specified in Subsection 6a, above, for a charge
-no more than the cost of performing this distribution.
-
-d) If distribution of the work is made by offering access to copy from a
-designated place, offer equivalent access to copy the above specified materials
-from the same place.
-
-e) Verify that the user has already received a copy of these materials or that
-you have already sent this user a copy.
-
-For an executable, the required form of the "work that uses the Library" must
-include any data and utility programs needed for reproducing the executable from
-it. However, as a special exception, the materials to be distributed need not
-include anything that is normally distributed (in either source or binary form)
-with the major components (compiler, kernel, and so on) of the operating system
-on which the executable runs, unless that component itself accompanies the
-executable.
-
-It may happen that this requirement contradicts the license restrictions of
-other proprietary libraries that do not normally accompany the operating system.
-Such a contradiction means you cannot use both them and the Library together in
-an executable that you distribute.
-
-7. You may place library facilities that are a work based on the Library side-
-by-side in a single library together with other library facilities not covered
-by this License, and distribute such a combined library, provided that the
-separate distribution of the work based on the Library and of the other library
-facilities is otherwise permitted, and provided that you do these two things:
-
-a) Accompany the combined library with a copy of the same work based on the
-Library, uncombined with any other library facilities. This must be distributed
-under the terms of the Sections above.
-
-b) Give prominent notice with the combined library of the fact that part of it
-is a work based on the Library, and explaining where to find the accompanying
-uncombined form of the same work.
-
-8. You may not copy, modify, sublicense, link with, or distribute the Library
-except as expressly provided under this License. Any attempt otherwise to copy,
-modify, sublicense, link with, or distribute the Library is void, and will
-automatically terminate your rights under this License. However, parties who
-have received copies, or rights, from you under this License will not have their
-licenses terminated so long as such parties remain in full compliance.
-
-9. You are not required to accept this License, since you have not signed it.
-However, nothing else grants you permission to modify or distribute the Library
-or its derivative works. These actions are prohibited by law if you do not
-accept this License. Therefore, by modifying or distributing the Library (or any
-work based on the Library), you indicate your acceptance of this License to do
-so, and all its terms and conditions for copying, distributing or modifying the
-Library or works based on it.
-
-10. Each time you redistribute the Library (or any work based on the Library),
-the recipient automatically receives a license from the original licensor to
-copy, distribute, link with or modify the Library subject to these terms and
-conditions. You may not impose any further restrictions on the recipients'
-exercise of the rights granted herein. You are not responsible for enforcing
-compliance by third parties with this License.
-
-11. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues), conditions
-are imposed on you (whether by court order, agreement or otherwise) that
-contradict the conditions of this License, they do not excuse you from the
-conditions of this License. If you cannot distribute so as to satisfy
-simultaneously your obligations under this License and any other pertinent
-obligations, then as a consequence you may not distribute the Library at all.
-For example, if a patent license would not permit royalty-free redistribution of
-the Library by all those who receive copies directly or indirectly through you,
-then the only way you could satisfy both it and this License would be to refrain
-entirely from distribution of the Library.
-
-If any portion of this section is held invalid or unenforceable under any
-particular circumstance, the balance of the section is intended to apply, and
-the section as a whole is intended to apply in other circumstances.
-
-It is not the purpose of this section to induce you to infringe any patents or
-other property right claims or to contest validity of any such claims; this
-section has the sole purpose of protecting the integrity of the free software
-distribution system which is implemented by public license practices. Many
-people have made generous contributions to the wide range of software
-distributed through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing to
-distribute software through any other system and a licensee cannot impose that
-choice.
-
-This section is intended to make thoroughly clear what is believed to be a
-consequence of the rest of this License.
-
-12. If the distribution and/or use of the Library is restricted in certain
-countries either by patents or by copyrighted interfaces, the original copyright
-holder who places the Library under this License may add an explicit
-geographical distribution limitation excluding those countries, so that
-distribution is permitted only in or among countries not thus excluded. In such
-case, this License incorporates the limitation as if written in the body of this
-License.
-
-13. The Free Software Foundation may publish revised and/or new versions of the
-Lesser General Public License from time to time. Such new versions will be
-similar in spirit to the present version, but may differ in detail to address
-new problems or concerns.
-
-Each version is given a distinguishing version number. If the Library specifies
-a version number of this License which applies to it and "any later version",
-you have the option of following the terms and conditions either of that version
-or of any later version published by the Free Software Foundation. If the
-Library does not specify a license version number, you may choose any version
-ever published by the Free Software Foundation.
-
-14. If you wish to incorporate parts of the Library into other free programs
-whose distribution conditions are incompatible with these, write to the author
-to ask for permission. For software which is copyrighted by the Free Software
-Foundation, write to the Free Software Foundation; we sometimes make exceptions
-for this. Our decision will be guided by the two goals of preserving the free
-status of all derivatives of our free software and of promoting the sharing and
-reuse of software generally.
-
-NO WARRANTY
-
-15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE
-LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED
-IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS
-IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT
-NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
-PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
-LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL
-ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE
-LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL,
-SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY
-TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
-RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF
-THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER
-PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
-END OF TERMS AND CONDITIONS
-
-For Firefox to be able to verify client certificates
-the CA-certificates must have the extensions BasicConstraints and
-AuthorityKeyIdentifier. Client certificates also need AuthorityKeyIdentifier
-
-
-
-
-
-For MSIE to verify client certs, the ordering in the DN must be strictly the same in both
-client and CA certs. Possibly that it must also be in a specific order.
-
-
-There is some bug that required a "nocache" meta tag to eliminate duplicate sending of certificate request.
-This duplicate sending will result in wrong behaviour, since user status will be wrong.
-
-
-
-
-
-]]>
-
-
-Microsoft Knowledge Base documents
-
-
-
q281245 - Guidelines for Enabling Smart Card Logon with Third-Party Certification Authorities
-
q291010 - Requirements for Domain Controller Certificates from a Third-Party CA
- Release numbering is on the form x.y.z.(w) (for example 6.3.1, and 6.3.1.1) where the numbering follows these rules:
-
-
-
Major Release (x): The first number indicates a major paradigm shift. Examples are moving from one JEE standard to the next (JEE5 -> JEE6 etc) if it is noticeable for users/admins,
- or making the shift from a single CA per installation to multiple CAs, something that changes how you work with EJBCA.
- A major release probably requires major upgrade activities.
-
Feature Release (y): The second number corresponds to major enhancements in terms of functionality, or of significant upgrade of embedded component versions.
- A feature release may require database upgrades, where upgrade scripts are provided.
-
Minor Release (z): The third number corresponds to minor upgrades with regards to bugfixes and functionality enhancements.
- Minor releases should not require database upgrades, and should be plug-in upgrades.
-
Maintenance Release (w): The fourth number corresponds to a maintenance release that contains important bugfixes, or other cherry picked changes, to a stable release branch.
- Maintenance releases only occur when needed and this version component is only used when maintenance releases are actually made (i.e. we don't name a release no 6.3.1.0).
- Maintenance releases are plug-in upgrades.
-
-
- EJBCA release frequency, a normal year:
-
-
-
Major releases are very rare, usually with years in between.
-
Feature releases are not frequent and typically happens once or a couple of times per year.
-
Minor releases are frequent with several releases, in multiple branches, every year.
-
Maintenance releases happen only when needed, not on any regular schedule, and may be user specific.
-
-
- Several version branches (6.6.x, 6.5.x, etc) may be active at the same time, with new feature releases happening (6.6.0) at the same time as minor releases are made to another feature branch (6.5.3)
- and even parallel minor releases (for example 6.6.2 and 6.5.4). In addition there can also be be maintenance releases for older supported versions, for example 6.3.1.3.
-