PrimeKey PKI Appliance 3.4.0 Released
PrimeKey is proud to announce the release of PKI Appliance 3.4.0 With this release, we have added support for IPv6 connectivity and new updated versions of EJBCA Enterprise and SignServer Enterprise.
IPv6 connectivity is now supported
Basic IPv6 connectivity is now supported and services running on the Appliance can now be reached over IPv6. IPv6 is configured in the management and application interface, and once configured WebConf, EJBCA, and SignServer are available via IPv6.
Please note, the following constraints apply to the Appliance IPv6 connectivity support:
* IPv6 connectivity is optional and disabled by default.
* Outgoing PeerConnectors cannot use IPv6.
* Support for cluster connections over IPv6 is not supported.
* The initial installation of the Appliance has to be performed using IPv4 since IPv6 addresses cannot be configured using the front display.
* If SSH access is enabled and IPv6 is configured on the management interface, SSH access via IPv6 is possible (even using link-local addressing).
New versions of EJBCA Enterprise and SignServer Enterprise
EJBCA Enterprise 7.2.1
Updated version of EJBCA Enterprise, please check out the EJBCA 7.2.1 Release Notes.
Updated version of SignServer Enterprise, please check out the Signserver 5.1 Release Notes.
New Features and Improvements
The following lists additional new features and other changes included in the release.
* WebConf sessions are now tracked using a cookie only and not using a URL parameter as it did before.
* The user dialogue for smart card operations (e.g. change PIN) has been improved.
Limitations and Known Issues
The following notes limitations to be aware of.
* While smart card activated slots are supported with PKCS#11 R2, "FIPS restrictions applied" mode is not.
* When using smart card activated slots with PKCS#11 R2, an issue currently limits the maximum number of users to one. The issue will be resolved in a future release. Meantime, if more users are required, the workaround is currently to install your Appliance with PKCS#11 R1 instead of R2.
* When installing updates on a PKI Appliance running 3.2.0, make sure to unplug any USB sticks before performing the update. When a single node is disconnected from the cluster, the local EJBCA instance will be temporarily unusable and the EJBCA Admin interface displays an error message. The problem remediates itself within one hour while a restart of EJBCA resolves the issue instantly. Note however, if your installation uses smart card authentication, PIN pad interactions will be required to activate slots again.
* When restoring large backups coming from EJBCA versions prior to 6.6.0, after the restore and reboot EJBCA will not be available for some time due to the database schema change and the need to re-index. For a full database of a Model M, it takes about an hour to re-index the database. Once re-indexed, an additional reboot is required.
* For cluster backups taken on PKI Appliance versions 2.4 up to 2.8 - when restoring the first backup onto the 3.4.0 version, the cluster configuration will be deleted and it is required to add the IP addresses of all the other nodes manually before proceeding with the cluster setup.
* Version 3.4.0 does not support restoring backups of versions older than 2.4.0.
* The 2nd generation hardware version offers four Ethernet ports, but only two of them are usable at the moment. Support for the disabled Ethernet ports will be added in future versions.
* Due to a firmware limitation, the PKI Appliance only becomes reachable when both management and application Ethernet ports are successfully connected to a network.
* Ethernet ports might not establish a link if the network cables have been connected after powering on the device.
* "FIPS restrictions applied" mode is currently not available on appliances of the 2nd generation hardware version since it is not available on that HSM generation. Operation in FIPS mode will be added in future releases.
* After upgrading to 3.4.0 (or later), it is not possible to downgrade to versions lower than 3.4.0. If a downgrade is required, please contact PrimeKey Support.
Please find the detailed release notes here.
the PrimeKey PKI Appliance Team