Skip to content

Latest commit

 

History

History
2246 lines (1296 loc) · 139 KB

ug-ss_x-road_6_security_server_user_guide.md

File metadata and controls

2246 lines (1296 loc) · 139 KB
Raw
European Union / European Regional Development Fund / Investing in your future

SECURITY SERVER USER GUIDE

X-ROAD 6

Version: 2.46 Doc. ID: UG-SS

Version history

Date Version Description Author
05.09.2014 0.1 Initial draft
24.09.2014 0.2 Translation to English
10.10.2014 0.3 Update
14.10.2014 0.4 Title page, header, footer added
16.10.2014 0.5 Minor corrections done
12.11.2014 0.6 Asynchronous messages section removed. Global Configuration distributors section replaced with Configuration Anchor section (10.1). Added Logback information (Chapter 16). A note added about the order of timestamping services (Section 10.2).
1.12.2014 1.0 Minor corrections done
19.01.2015 1.1 License information added
27.01.2015 1.2 Minor corrections done
30.04.2015 1.3 “sdsb” changed to “xroad”
29.05.2015 1.4 Message Log chapter added (Chapter 11)
30.06.2015 1.5 Minor corrections done
3.07.2015 1.6 Audit Log chapter added (Chapter 12)
7.09.2015 1.7 Message Log – how to use remote database (Section 11.3)
14.09.2015 1.8 Reference to the audit log events added
18.09.2015 1.9 Minor corrections done
21.09.2015 2.0 References fixed
07.10.2015 2.1 Default value of the parameter acceptable-timestamp-failure-period set to 14400
14.10.2015 2.2 Instructions for using an external database for the message log corrected
05.11.2015 2.3 Updates related to backup and restore (Chapter 13)
30.11.2015 2.4 X-Road concepts updated (Section 1.2). Security server registration updated (Chapter 3). Security server clients updated (Chapter 4); only subsystems (and not members) can be registered as security server clients and have services or access rights configured. Cross-references fixed. Editorial changes made.
09.12.2015 2.5 Security server client deletion updated (Section 4.5.2). Editorial changes made.
14.12.2015 2.6 Message log updated (Chapter 11)
14.01.2016 2.7 Logs updated (Chapter 16)
08.02.2016 2.8 Corrections in chapter 16
20.05.2016 2.9 Merged changes from xtee6-doc repo. Added Chapter 14 Diagnostics and updated content of 10.3 Changing the Internal TLS Key and Certificate.
29.11.2016 2.10 User Management updated (Chapter 2). XTE-297: Internal Servers tab is displayed to security server owner (Chapter 9).
19.12.2016 2.11 Added Chapter 15 Operational Monitoring
20.12.2016 2.12 Minor corrections in Chapter 15
22.12.2016 2.13 Corrections in Chapter 15.2.5
04.01.2016 2.14 Corrections in Chapter 15.2.5
20.02.2017 2.15 Converted to Github flavoured Markdown, added license text, adjusted tables for better output in PDF Toomas Mölder
16.03.2017 2.16 Added observer role to Chapters 2.1 and 2.2 Tatu Repo
15.06.2017 2.17 Added Chapter 17 on federation Olli Lindgren
25.09.2017 2.18 Added chapter 16 Environmental Monitoring Tomi Tolvanen
17.10.2017 2.19 Added section 16.3 Limiting environmental monitoring remote data set Joni Laurila
05.03.2018 2.20 Added terms and abbreviations reference, document links, moved concepts to terms and abbreviations. Tatu Repo 
10.04.2018 2.21 Update internal server certificate documentation. Jarkko Hyöty
25.05.2018 2.22 Update system parameters documentation. Jarkko Hyöty
15.11.2018 2.23 Minor updates for Ubuntu 18.04 Jarkko Hyöty
06.02.2019 2.24 Minor updates on security server client registration in Chapters 4.3 and 4.4. Petteri Kivimäki
15.03.2019 2.25 Update documentation to cover REST service usage in chapter [6] Jarkko Hyöty
26.03.2019 2.26 Added chapter on API keys 19 Janne Mattila
16.04.2019 2.27 Minor updates regarding REST services in chapter [6] Petteri Kivimäki
30.06.2019 2.28 Update the default connection type from HTTP to HTTPS in chapter [9] Petteri Kivimäki
01.07.2019 2.29 Changing the Security Server Owner chapter added (Chapter 3.4) Petteri Kivimäki
14.08.2019 2.30 Added automatic backups Ilkka Seppälä
29.09.2019 2.31 Added chapter 19.3 on REST API correlation id Janne Mattila
30.09.2019 2.32 Added remote database migration guide Ilkka Seppälä
15.10.2019 2.33 Updated REST services in chapter [6] Ilkka Seppälä
04.11.2019 2.34 Added information about REST API request rate and size limits Janne Mattila
07.11.2019 2.35 Add more information about service descriptions to chapter [6] Ilkka Seppälä
05.12.2019 2.36 Add information about timestamping failover capabilities in chapter 10.2 Petteri Kivimäki
24.02.2020 2.37 Updated notes about key caching after changing internal TLS key and certificate 10.3 Caro Hautamäki
26.03.2020 2.38 Added chapter on updating API keys 19.1.3 Petteri Kivimäki
30.03.2020 2.39 Added description of pre-restore backups Ilkka Seppälä
01.04.2020 2.40 Added notes about IP whitelists for APIs Janne Mattila
03.06.2020 2.41 Updated audit logging description Janne Mattila
05.06.2020 2.42 Added chapter about validation errors 19.4 Caro Hautamäki
25.06.2020 2.43 Update environmental and operational monitoring JMXMP details Petteri Kivimäki
08.07.2020 2.44 Update chapter on access rights 7 Petteri Kivimäki
30.07.2020 2.45 Added mention about proxy_ui_api.log to 17 Logs and System Services Janne Mattila
10.08.2020 2.46 Added mention about unit start rate limits to 17.1 System Services Janne Mattila

Table of Contents

License

This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/

1 Introduction

This document describes the management and maintenance of an X-Road version 6 security server.

1.1 The X-Road Security Server

The main function of a security server is to mediate requests in a way that preserves their evidential value.

The security server is connected to the public Internet from one side and to the information system within the organization's internal network from the other side. In a sense, the security server can be seen as a specialized application-level firewall that supports the SOAP protocol; hence, it should be set up in parallel with the organization's firewall, which mediates other protocols.

The security server is equipped with the functionality needed to secure the message exchange between a client and a service provider.

  • Messages transmitted over the public Internet are secured using digital signatures and encryption.

  • The service provider's security server applies access control to incoming messages, thus ensuring that only those users that have signed an appropriate agreement with the service provider can access the data.

To increase the availability of the entire system, the service user's and service provider's security servers can be set up in a redundant configuration as follows.

  • One service user can use multiple security servers in parallel to perform requests.

  • If a service provider connects multiple security servers to the network to provide the same services, the requests are load-balanced between the security servers.

  • If one of the service provider's security servers goes offline, the requests are automatically redirected to other available security servers.

The security server also depends on a central server, which provides the global configuration.

1.2 Terms and abbreviations

See X-Road terms and abbreviations documentation [TA-TERMS].

1.3 References

  1. [ASiC] ETSI TS 102 918, Electronic Signatures and Infrastructures (ESI); Associated Signature Containers (ASiC)

  2. [CRON] Quartz Scheduler CRON expression,
    http://www.quartz-scheduler.org/generated/2.2.1/html/qs-all/#page/Quartz_Scheduler_Documentation_Set%2Fco-trg_crontriggers.html

  3. [INI] INI file,
    http://en.wikipedia.org/wiki/INI_file

  4. [JDBC] Connecting to the Database,
    https://jdbc.postgresql.org/documentation/93/connect.html

  5. [JSON] Introducing JSON,
    http://json.org/

  6. [PR-MESS] Cybernetica AS. X-Road: Message Protocol v4.0. Document ID: PR-MESS

  7. [SPEC-AL] Cybernetica AS. X-Road: Audit log events. Document ID: SPEC-AL

  8. [PR-OPMON] Cybernetica AS. X-Road: Operational Monitoring Protocol. Document ID: PR-OPMON

  9. [PR-OPMONJMX] Cybernetica AS. X-Road: Operational Monitoring JMX Protocol. Document ID: PR-OPMONJMX

  10. [UG-OPMONSYSPAR] Cybernetica AS. X-Road: Operational Monitoring System Parameters. Document ID: PR-OPMONSYSPAR

  11. [IG-SS] Cybernetica AS. X-Road: Security Server Installation Guide. Document ID: IG-SS

  12. [JMX] Monitoring and Management Using JMX Technology,
    http://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html

  13. [ZABBIX-GATEWAY] Zabbix Java Gateway,
    https://www.zabbix.com/documentation/3.0/manual/concepts/java

  14. [ZABBIX-JMX] Zabbix JMX Monitoring,
    https://www.zabbix.com/documentation/3.0/manual/config/items/itemtypes/jmx_monitoring

  15. [ZABBIX-API] Zabbix API,
    https://www.zabbix.com/documentation/3.0/manual/api

  16. [ARC-ENVMON] X-Road: Environmental Monitoring Architecture. Document ID: ARC-ENVMON.

  17. [PR-ENVMONMES] X-Road: Environmental Monitoring Messages. Document ID: PR-ENVMONMES.

  18. [MONITORING_XSD] X-Road XML schema for monitoring extension. monitoring.xsd.

  19. [TA-TERMS] X-Road Terms and Abbreviations. Document ID: TA-TERMS.

  20. [PR-META] X-Road: Service Metadata Protocol. Document ID: PR-META.

  21. [PR-MREST] X-Road: Service Metadata Protocol for REST. Document ID: PR-MREST.

  22. [UG-SYSPAR] X-Road: System Parameters User Guide. Document ID: UG-SYSPAR.

2 User Management

2.1 User Roles

Security servers support the following user roles:

  • Security Officer (xroad-security-officer) is responsible for the application of the security policy and security requirements, including the management of key settings, keys, and certificates.

  • Registration Officer (xroad-registration-officer) is responsible for the registration and removal of security server clients.

  • Service Administrator (xroad-service-administrator) manages the data of and access rights to services

  • System Administrator (xroad-system-administrator) is responsible for the installation, configuration, and maintenance of the security server.

  • Security Server Observer (xroad-securityserver-observer) can view the status of the security server without having access rights to edit the configuration. This role can be used to offer users read-only access to the security server admin user interface.

One user can have multiple roles and multiple users can be in the same role. Each role has a corresponding system group, created upon the installation of the system.

Henceforth each applicable section of the guide indicates, which user role is required to perform a particular action. For example:

Access rights: Security Officer

If the logged-in user does not have a permission to carry out a particular task, the button that would initiate the action is hidden (and neither is it possible to run the task using its corresponding keyboard combinations or mouse actions). Only the permitted data and actions are visible and available to the user.

2.2 Managing the Users

User management is carried out on command line in root user permissions.

To add a new user, enter the command:

adduser username

To grant permissions to the user you created, add it to the corresponding system groups, for example:

adduser username xroad-security-officer
adduser username xroad-registration-officer
adduser username xroad-service-administrator
adduser username xroad-system-administrator
adduser username xroad-securityserver-observer

To remove a user permission, remove the user from the corresponding system group, for example:

deluser username xroad-security-officer

User permissions are applied only after restart of the xroad-jetty service (see Section 16.1).

To remove a user, enter:

deluser username

3 Security Server Registration

To use a security server for mediating (exchanging) messages, the security server and its owner must be certified by a certification service provider approved by the X-Road governing authority, and the security server has to be registered in the X-Road governing authority.

3.1 Configuring the Signing Key and Certificate for the Security Server Owner

The signing keys used by the security servers for signing X-Road messages can be stored on software or hardware based (a Hardware Security Module or a smartcard) security tokens, according to the security policy of the X-Road instance.

Depending on the certification policy, the signing keys are generated either in the security server or by the certification service provider. Sections 3.1.1 to 3.1.3 describe the actions necessary to configure the signing key and certificate in case the key is generated in the security server. Section 3.1.4 describes the importing of the signing key and certificate in case the key is generated by the certification service provider.

The background colors of the devices, keys and certificate are explained in Section 5.1.

3.1.1 Generating a Signing Key

Access rights:

To generate a signing key, follow these steps.

  1. On the Management menu, select Keys and Certificates.

  2. If you are using a hardware security token, ensure that the device is connected to the security server. The device information must be displayed in the Keys and Certificates table.

  3. To log in to the token, click Enter PIN on the token’s row in the table and enter the PIN code. Once the correct PIN is entered, the Enter PIN button changes to Logout.

  4. To generate a signing key, select the token from the table by clicking the respective row, and click Generate key. Enter the label value for the key and click OK. The generated key appears under the token’s row in the table. The label value is displayed as the name of the key.

3.1.2 Generating a Certificate Signing Request for a Signing Key

Access rights: Security Officer, Registration Officer

To generate a certificate signing request (CSR) for the signing key, follow these steps.

  1. On the Management menu, select Keys and Certificates.

  2. Select a key from the table and click Generate CSR. In the dialog that opens

    2.1 Select the certificate usage policy from the Usage drop down list (SIGN for signing certificates);

    2.2 select the X-Road member the certificate will be issued for from the Client drop-down list;

    2.3 select the issuer of the certificate from the Certification Service drop-down list;

    2.4 select the format of the certificate signing request (PEM or DER), according to the certification service provider’s requirements

    2.5 click OK;

  3. In the form that opens, review the certificate owner’s information that will be included in the CSR and fill in the empty fields, if needed.

  4. Click OK to complete the generation of the CSR and save the prompted file to the local file system.

After the generation of the CSR, a “Request” record is added under the key’s row in the table, indicating that a certificate signing request has been created for this key. The record is added even if the request file was not saved to the local file system.

To certify the signing key, transmit the certificate signing request to the approved certification service provider and accept the signing certificate created from the certificate signing request.

3.1.3 Importing a Certificate from the Local File System

Access rights: Security Officer, Registration Officer

To import the signing certificate to the security server, follow these steps.

  1. On the Management menu, select Keys and Certificates.

  2. Click Import certificate.

  3. Locate the certificate file from the local file system and click OK. After importing the certificate, the "Request" record under the signing key's row is replaced with the information from the imported certificate. By default, the signing certificate is imported in the "Registered" state.

3.1.4 Importing a Certificate from a Security Token

Access rights: Security Officer, Registration Officer

To import a certificate from a security token, follow these steps.

  1. On the Management menu, select Keys and Certificates.

  2. Make sure that a key device containing the signing key and the signing certificate is connected to the security server. The device and the keys and certificates stored on the device must be displayed in the Keys and Certificates view.

  3. To log in to the security token, click Enter PIN on the token’s row in the table and enter the PIN. Once the correct PIN is entered, the Enter PIN button changes to Logout.

  4. Click the Import button on the row of the certificate. By default, the certificate is imported in the "Registered" state.

3.2 Configuring the Authentication Key and Certificate for the Security Server

The background colors of the devices, keys and certificate are explained in Section 5.1.

3.2.1 Generating an Authentication Key

Access rights

The security server's authentication keys can only be generated on software security tokens.

  1. On the Management menu, select Keys and Certificates.

  2. To log in to the software token, click Enter PIN on the token’s row in the table and enter the token’s PIN code. Once the correct PIN is entered, the Enter PIN button changes to Logout.

  3. To generate an authentication key, select the software token from the table by clicking the respective row, and click Generate key. Enter the label value for the key and click OK. The generated key appears under the token’s row in the table. The label value is displayed as the name of the key.

3.2.2 Generating a Certificate Signing Request for an Authentication Key

Access rights: Security Officer

To generate a certificate signing request (CSR) for the authentication key, follow these steps.

  1. On the Management menu, select Keys and Certificates.

  2. Select the authentication key from the table and click Generate CSR. In the dialog that opens

    2.1 Select the certificate usage policy from the Usage drop down list (AUTH for authentication certificates);

    2.2 select the issuer of the certificate from the Certification Service drop-down list;

    2.3 select the format of the certificate signing request (PEM or DER), according to the certification service provider’s requirements

    2.4 click OK;

  3. In the form that opens, review the information that will be included in the CSR and fill in the empty fields, if needed.

  4. Click OK to complete the generation of the CSR and save the prompted file to the local file system.

After the generation of the CSR, a “Request” record is added under the key’s row in the table, indicating that a certificate signing request has been created for this key. The record is added even if the request file was not saved to the local file system.

To certify the authentication key, transmit the certificate signing request to the approved certification service provider and accept the authentication certificate created from the certificate signing request.

3.2.3 Importing an Authentication Certificate from the Local File System

Access rights: Security Officer

To import the authentication certificate to the security server, follow these steps.

  1. On the Management menu, select Keys and Certificates.

  2. Click Import certificate.

  3. Locate the certificate file from the local file system and click OK. After importing the certificate, the "Request" record under the authentication key's row is replaced with the information from the imported certificate. By default, the certificate is imported in the “Saved” (see Section 5.2.2) and “Disabled” states (see Section 5.3).

3.3 Registering the Security Server in the X-Road Governing Authority

To register the security server in the X-Road governing authority, the following actions must be completed.

  • The authentication certificate registration request must be submitted from the security server (see 3.3.1).

  • A request for registering the security server must be submitted to the X-Road governing authority according to the organizational procedures of the X-Road instance.

  • The registration request must be approved by the X-Road governing authority.

3.3.1 Registering an Authentication Certificate

Access rights: Security Officer

The security server's registration request is signed in the security server with the server owner's signing key and the server's authentication key. Therefore, ensure that the corresponding certificates are imported to the security server and are in a usable state (the tokens holding the keys are in logged in state and the OCSP status of the certificates is “good”).

To submit an authentication certificate registration request, follow these steps.

  1. On the Management menu, select Keys and Certificates.

  2. Select an authentication certificate to be registered (it must be in the "saved" state) and click Register.

  3. In the dialog that opens, enter the security server's public DNS name or its external IP address and click OK.

On submitting the request, the message "Request sent" is displayed, and the authentication certificate’s state is set to "Registration in process".

After the X-Road governing authority has accepted the registration, the registration state of the authentication certificate is set to “Registered” and the registration process is completed.

3.4 Changing the Security Server Owner

Access rights: Registration Officer

To change the security server owner, two registered Owner members must be available. If a registered member is already available, jump directly to step 3.

To add a new member and change it to Owner member, the following actions must be completed.

  1. Add a new Owner member to the security server

    1.1 On the Clients view, select Add Member.

    1.2 In the opening wizard, Select the new Owner member from the list of security server clients

    1.3 Add the selected member

    Note: Signing Key and Certificate must be configured for the new Owner member. If needed, the wizard will automatically show the dedicated steps for Key and Certificate configuration to collect the needed information.

  2. Register the new member

    2.1 On the Clients view, locate the new member in the Clients list and click Register in the corresponding row

    2.2 In the opening dialog, click Register. A registeration request is sent to the X-Road Governing Authority

    Note: Once the request is approved, the new member appears as "Registered" - it can be set as Owner member.

  3. Request a change of the security server owner

    3.1 On the Clients view, locate the new member and click its name to open the member's detail view

    3.2 In the detail view, click Make owner

    1.3 In the opening dialog, click Make owner. A owner change request is sent to the X-Road Governing Authority

Once the owner change request, the new member will be automatically shown as the security server Owner member.

  • A new member must be added to the security server (see 4.2). If needed, specify the token on which the member is configured

  • If not yet available, a Signing Key and Certificate must be configured for the new member (see 4.3).

  • The new member must be registered in the X-Road Governing Authority (see 4.3).

  • The security server owner change request must be submitted from the security server. To submit an owner change request follow these steps.

    1. In the Member Detail view click Make Owner.

    2. Click Make Owner to submit a change request.

  • The change request is sent to the X-Road governing authority according to the organizational procedures of the X-Road instance.

  • Once the change request is approved by the X-Road governing authority, the member will automatically become the Owner Member.

  • New Authentication Key and Certificate should be configured for the new security server owner (see 3.2).

4 Security Server Clients

Important: to use or provide X-Road services, a security server client needs to be certified by a certification service provider approved by the X-Road governing authority, and the association between the client and the security server used by the client must be registered at the X-Road governing authority.

This section does not address managing the owner to a security server. The owner's information has been already added to the security server upon the installation, and registered upon the security server's registration. The owner's registration status can be looked up by selecting Security Server Clients on the Configuration menu. The security server's owner is displayed in bold. Before the registration of the security server, the owner is in the "Saved" state and after the completion of the registration process, in the "Registered" state.

The registration of the security server's owner does not extend to the owner's subsystems. The subsystems must be registered as individual clients.

4.1 Security Server Client States

The security server distinguishes between the following client states.

Saved – the client's information has been entered and saved into the security server's configuration (see 4.2), but the association between the client and the security server is not registered in the X-Road governing authority. (If the association is registered in the central server prior to the entry of data, the client will move to the "Registered" state upon data entry.) From this state, the client can move to the following states:

  • “Registration in progress”, if a registration request for the client is submitted from the security server (see 4.4.1);

  • “Deleted”, if the client's information is deleted from the security server configuration (see 4.5.2).

Registration in progress – a registration request for the client is submitted from the security server to the central server, but the association between the client and the security server is not yet approved by the X-Road governing authority. From this state, the client can move to the following states:

  • "Registered", if the association between the client and the security server is approved by the X-Road governing authority (see 4.4.1);

  • "Deletion in progress", if a client deletion request is submitted from the security server (see 4.5.1).

Registered – the association between the client and the security server has been approved in the X-Road governing authority. In this state, the client can provide and use X-Road services (assuming all other prerequisites are fulfilled). From this state, the client can move to the following states:

  • "Global error", if the association between the client and the security server has been revoked by the X-Road governing authority;

  • "Deletion in progress", if a client deletion request is submitted from the security server (see 4.5.1).

Global error – the association between the client and the security server has been revoked in the central server. From this state, the client can move to the following states:

  • "Registered", if the association between the client and the security server has been restored in the central server (e.g., the association between the client and the security server was lost due to an error);

  • "Deleted", if the client's information is deleted from the security server's configuration (see 4.5.2).

Deletion in progress – a client deletion request has been submitted from the security server. From this state, the client can move to the following state:

  • "Deleted", if the client's information is deleted from the security server's configuration (see 4.5.2).

Deleted – the client's information has been deleted from the security server's configuration.

4.2 Adding a Security Server Client

Access rights: Registration Officer

Follow these steps.

  1. On the Configuration menu, select Security Server Clients.

  2. Click Add Client. In the window that opens, either enter the client's information manually or click Select Client from Global List and locate the client's information from within all X-Road members and their subsystems.

  3. Click OK once the client’s information has been entered.

The new client is added to the list of security server clients in the "Saved" state.

4.3 Configuring a Signing Key and Certificate for a Security Server Client

A signing key and certificate must be configured for the security server client to sign messages exchanged over the X-Road. In addition, a signing key and certificate are required for registering a security server client.

Certificates are not issued to subsystems; therefore, the certificate of the subsystem’s owner (that is, an X-Road member) is used for the subsystem.

All particular X-Road member’s subsystems that are registered in the same security server use the same signing certificate for signing messages. Hence, if the security server already contains the member's signing certificate, it is not necessary to configure a new signing key and/or certificate when adding a subsystem of that member.

The process of configuring the signing key and certificate for a security server client is the same as for the security server owner. The process is described in Section 3.1.

4.4 Registering a Security Server Client in the X-Road Governing Authority

To register a security server client in the X-Road governing authority, the following actions must be completed.

  • A signing key and certificate must be configured for the member that owns the subsystem to be registered as a the security server client (see 4.3).

  • The security server client registration request must be submitted from the security server (see 4.4.1).

  • A request for registering the client must be submitted to the X-Road governing authority according to the organizational procedures of the X-Road instance.

  • The registration request must be approved by the X-Road governing authority.

4.4.1 Registering a Security Server Client

Access rights: Registration Officer

To submit a client registration request follow these steps.

  1. On the Configuration menu, select Security Server Clients.

  2. Select the client in the "Saved" state from the list of security server clients.

  3. Click the Details icon and in the window that opens, click Register.

  4. Click Confirm to submit the request.

On submitting the request, the message "Request sent" is displayed, and the client’s state is set to "Registration in process".

After the X-Road governing authority has accepted the registration, the state of the client is set to “Registered” and the registration process is completed.

4.5 Deleting a Client from the Security Server

If a client is deleted from the security server, all the information related to the client is deleted from the server as well – that is, the WSDLs, services, access rights, and, if necessary, the certificates.

When one of the clients is deleted, it is not advisable to delete the signing certificate if the certificate is used by other clients registered to the security server, e.g., other subsystems belonging the same X-Road member as the deleted subsystem.

A client registered or submitted for registration in the X-Road governing authority (indicated by the "Registered" or "Registration in progress" state) must be unregistered before it can be deleted. The unregistering event sends a security server client deletion request from the security server to the central server.

4.5.1 Unregistering a Client

Access rights: Registration Officer

To unregister a client, follow these steps.

  1. On the Configuration menu, select Security Server Clients.

  2. Select the client that you wish to remove from the server and click the Details icon on the client’s row.

  3. In the window that opens, click Unregister and then click Confirm. The security server automatically sends a client deletion request to the X-Road central server, upon the receipt of which the association between the security server and the client is revoked.

  4. Next, a notification is displayed about sending a deletion request to the central server, and a confirmation is presented about deleting the client's information (except its certificates).

  • If you wish to delete the client's information immediately, click Confirm. Next, an option is presented to delete the client's certificates. To delete the certificates, click Confirm again.

  • If you wish to retain the client's information, click Cancel. In that case, the client is moved to the "Deletion in progress" state, wherein the client cannot mediate messages and cannot be registered again in the X-Road governing authority.

  1. To delete the information of a client in the "Deletion in progress" state, select the client by clicking the Details icon on its row, click Delete in the window that opens, and then click Confirm.

Note: It is possible to unregister a registered client from the central server without sending a deletion request through the security server. In this case, the security server's administrator responsible for the client must transmit a request containing information about the client to be unregistered to the central server's administrator. If the client has been deleted from the central server without a prior deletion request from the security server, the client is shown in the "Global error" state in the security server.

4.5.2 Deleting a Client

Access rights: Registration Officer

A security server client can be deleted if its state is "Saved", "Global error" or "Deletion in progress". Clients that are in states "Registered" or "Registration in progress" need to be unregistered before they can be deleted (see Section 4.5.1).

To delete a client, follow these steps.

  1. On the Configuration menu, select Security Server Clients.

  2. Select from the table a client that you wish to remove from the security server and click the Details icon on that row.

  3. In the window that opens, click Delete. Confirm the deletion by clicking Confirm.

5 Security Tokens, Keys, and Certificates

5.1 Availability States of Security Tokens, Keys, and Certificates

To display the availability of objects (that is, tokens, keys or certificates), the following background colors are used in the "Keys and Certificates" view.

  • Yellow background – the object is available to the security server, but the object's information has not been saved to the security server configuration. For example, a smartcard could be connected to the server, but the certificates on the smartcard may not have been imported to the server. Certificates on the yellow background cannot be used for mediating messages.

  • White background – the object is available to the security server and the object's information has been saved to the security server's configuration. Certificates on the white background can be used for mediating messages.

  • Gray background – the object is not available for the security server. Certificates on the gray background cannot be used for mediating messages.

Caution: The key device's and key's information is automatically saved to the configuration when a certificate associated with either of them is imported to the security server, or when a certificate signing request is generated for the key. Similarly, the key device's and key's information is deleted from the security server configuration automatically upon the deletion of the last associated certificate and/or certificate signing request.

5.2 Registration States of Certificates

Registration states indicate if and how a certificate can be used in the X-Road system. In the "Keys and Certificates" view, a certificate's registration states (except "Deleted") are displayed in the "Status" column.

5.2.1 Registration States of the Signing Certificate

A security server signing certificate can be in one of the following registration states.

  • Registered – the certificate has been imported to the security server and saved to its configuration. A signing certificate in a “Registered” state can be used for signing X-Road messages.

  • Deleted – the certificate has been deleted from the server configuration. If the certificate is in the “Deleted” state and stored on a hardware key device connected to the security server, the certificate is displayed on a yellow background.

5.2.2 Registration States of the Authentication Certificate

A security server authentication certificate can be in one of the following registration states.

Saved – the certificate has been imported to the security server and saved to its configuration, but the certificate has not been submitted for registration. From this state, the certificate can move to the following states:

  • "Registration in progress", if the authentication certificate registration request is sent from the security server to the central server (see 3.3.1);

  • "Deleted", if the authentication certificate's information is deleted from the security server configuration (see Section 5.6).

Registration in progress – an authentication certificate registration request has been created and sent to the central server, but the association between the certificate and the security server has not yet been approved. From this state, the certificate can move to the following states:

  • "Registered", if the association between the authentication certificate and the security server is approved by the X-Road governing authority (see 3.3);

  • "Deletion in progress", if the certificate deletion request has been submitted to the central server (see 5.6.1). The user can force this state transition even if the sending of the authentication certificate deletion request fails.

Registered – the association between the authentication certificate and the security server has been approved in the central server. An authentication certificate in this state can be used to establish a secure data exchange channel for exchanging X-Road messages. From this state, the certificate can move to the following states:

  • "Global error", if the association between the authentication certificate and the security server has been revoked in the central server;

  • "Deletion in progress", if the certificate deletion request has been transmitted to the central server (see 5.6.1). The user can force this state transition even if the sending of the authentication certificate deletion request fails.

Global error – the association between the authentication certificate and the security server has been revoked in the central server. From this state, the certificate can move to the following states:

  • "Registered", if the association between the authentication certificate and the security server has been restored in the central server (e.g., the association between the client and the security server was lost due to an error);

  • "Deleted", if the authentication certificate's information is deleted from the security server configuration (see 5.6).

Deletion in progress – an authentication certificate registration request has been created for the certificate and sent to the central server. From this state, the certificate can move to the following state:

  • "Deleted", if the authentication certificate's information is deleted from the security server configuration (see 5.6).

Deleted – the certificate has been deleted from the security server configuration.

5.3 Validity States of Certificates

Validity states indicate if and how a certificate can be used independent of the X-Road system. In the "Keys and Certificates" view, the certificate's validity states are displayed in the "OCSP response" column. Validity states (except "Disabled") are displayed for certificates that are in the "Registered" registration state.

A security server certificate can be in one of the following validity states.

  • Unknown (validity information missing) – the certificate does not have a valid OCSP response (the OCSP response validity period is set by the X-Road governing authority) or the last OCSP response was either “unknown” (the responder doesn't know about the certificate being requested) or an error.

  • Suspended – the last OCSP response about the certificate was "suspended".

  • Good (valid) – the last OCSP response about the certificate was "good". Only certificates in the "good" (valid) state can be used to sign messages or establish a connection between security servers.

  • Expired – the certificate's validity end date has passed. The certificate is not active and OCSP queries are not performed about it.

  • Revoked – the last OCSP response about the certificate was "revoked". The certificate is not active and OCSP queries are not performed about it.

  • Disabled – the user has marked the certificate as disabled. The certificate is not active and OCSP queries are not performed about it.

5.4 Activating and Disabling the Certificates

Access rights

Disabled certificates are not used for signing messages or for establishing secure channels between security servers (authentication). If a certificate is disabled, its status in the “OCSP response” column in the “Keys and Certificates” table is “Disabled”.

To activate or disable a certificate, follow these steps.

  1. On the Management menu, select Keys and Certificates.

  2. To activate a certificate, select an inactive certificate from the table and click Activate. To deactivate a certificate, select an active certificate from the table and click Disable.

5.5 Configuring and Registering an Authentication key and Certificate

A Security server can have multiple authentication keys and certificates (e.g., during authentication key change).

The process of configuring another authentication key and certificate is described in Section 3.2.

The process of registering an authentication certificate is described in Section 3.3.1.

5.6 Deleting a Certificate

An authentication certificate registered or submitted for registration in the X-Road governing authority (indicated by the "Registered" or "Registration in progress" state) must be unregistered before it can be deleted. The unregistering event sends an authentication certificate deletion request from the security server to the central server.

5.6.1 Unregistering an Authentication Certificate

Access rights: Security Officer

To unregister an authentication certificate, follow these steps.

  1. On the Management menu, select Keys and Certificates.

  2. Select an authentication certificate in the state "Registered" or "Registration in progress" and click Unregister.

    Next, an authentication certificate deletion request is automatically sent to the X-Road central server, upon the receipt of which the associated authentication certificate is deleted from the central server. If the request was successfully sent, the message "Request sent" is displayed and the authentication certificate is moved to the "Deletion in progress" state.

A registered authentication certificate can be deleted from the central server without sending a deletion request through the security server. In this case, the security server's administrator must transmit a request containing information about the authentication certificate to be deleted to the central server's administrator. If the authentication certificate has been deleted from the central server without a deletion request from the security server, the certificate is shown in the "Global error" state in the security server.

5.6.2 Deleting a Certificate or a certificate Signing Request notice

Access rights

An authentication certificate saved in the system configuration can be deleted if its state is "Saved", "Global error" or "Deletion in progress". The signing certificate and request notices can always be deleted from the system configuration.

If a certificate is stored on a hardware security token, then the deletion works on two levels:

  • if the certificate is saved in the server configuration, then the deletion deletes the certificate from server configuration, but not from the security token;

  • if the certificate is not saved in the server configuration (the background of the certificate is yellow), then the deletion deletes the certificate from the security token (assuming the token supports this operation).

To delete a certificate or a signing request notice, follow these steps.

  1. On the Management menu, select Keys and Certificates.

  2. Select from the table a certificate or a certificate signing request notice and click Delete. Confirm the deletion by clicking Confirm.

5.7 Deleting a Key

Warning: Deleting a key from the server configuration also deletes all certificates (and certificate signing request notices) associated with the key.

Access rights

The deletion of keys works on two levels:

  • if the key is saved in the server configuration, then the deletion deletes the key (and associated certificates) from server configuration, but not from the security token;

  • if the key is not saved in the server configuration (the background of the key is yellow), then the deletion deletes the key from the security token (assuming the token supports this operation).

To delete a key, follow these steps.

  1. On the Management menu, select Keys and Certificates.

  2. Select a key and click Delete. Confirm the deletion of the key (and its associated certificates) by clicking Confirm.

6 X-Road Services

X-Road supports both SOAP and REST services. The services are managed on two levels:

  • the addition, deletion, and deactivation of services is carried out on the WSDL / REST API / OpenAPI 3 level;

  • the service address, internal network connection method, and the service timeout values are configured at the service level for SOAP services and at the API level for REST / OpenAPI 3 services. In addition, for SOAP / WSDL, it is easy to extend the configuration of one service to all the other services.

6.1 Adding a service description

Access rights: Service Administrator

6.1.1 SOAP

When a new WSDL file is added, the security server reads service information from it and displays the information in the table of services. The service code, title and address are read from the WSDL.

To add a WSDL, follow these steps.

  1. On the Configuration menu, select Security Server Clients, select a client from the table and click the Services icon on that row.

  2. Click ADD WSDL, enter the WSDL address in the window that opens and click OK. Once the window is closed, the WSDL and the information about the services it contains are added to the table. By default, the WSDL is added in disabled state (see 6.3).

To see a list of services contained in the WSDL

  • click the “+” symbol in front of the WSDL row to expand the list.

6.1.2 REST

When a new REST service is added, the security server displays url and service code provided.

To add a REST service, follow these steps.

  1. On the Configuration menu, select Security Server Clients, select a client from the table and click the Services icon on that row.

  2. Click ADD REST. Select whether the URL type is REST API base path or OpenAPI 3 description. Enter the url and service code in the window that opens and click OK.

  3. Once the window is closed, the url and the service code are added to the table. If the added URL type was OpenAPI 3 description, the service description is parsed and endpoints are added under the service. By default, the REST service is added in disabled state (see 6.3).

To see the service details under the REST service

  • click the "+" symbol in front of the REST row to expand the service details.

6.2 Refreshing a service description

Access rights: Service Administrator

Upon refreshing, the security server reloads the service description file from the service description URL to the security server and checks the service information in the reloaded file against existing services. If the composition of services in the new service description has changed compared to the current version, a warning is displayed and you can either continue with the refresh or cancel.

To refresh the service description, follow these steps.

  1. On the Configuration menu, select Security Server Clients, select a client from the table and click the Services icon on that row.

  2. Select from the table a WSDL or REST to be refreshed and click Refresh.

  3. If the new service description contains changes compared to the current service description in the security server, a warning is displayed. To proceed with the refresh, click Continue.

When the service description is refreshed, the existing services’ settings are not overwritten.

6.3 Enabling and Disabling a service description

Access rights: Service Administrator

A disabled service description is displayed in the services’ table in red with a "Disabled" note.

Services described by a disabled service description cannot be accessed by the service clients – if an attempt is made to access the service, an error message is returned, containing the information entered by the security server's administrator when the service description was disabled.

If a service description is enabled, the services described there become accessible to users. Therefore it is necessary to ensure that before enabling the service description, the parameters of all its services are correctly configured (see 6.6).

To enable a service description, follow these steps.

  1. On the Configuration menu, select Security Server Clients, select a client from the table and click the Services icon on that row.

  2. Select a disabled service description from the table and click Enable.

To disable a service description, follow these steps.

  1. On the Configuration menu, select Security Server Clients, select a client from the table and click the Services icon on that row.

  2. To enable a service description, select an enabled service description from the table and click Disable.

  3. In the window that opens, enter an error message, which is shown to clients who try to access any of the services in the service description, and click OK.

6.4 Changing the Address of a service description

Access rights: Service Administrator

To change the service description address, follow these steps.

  1. On the Configuration menu, select Security Server Clients, select a client from the table and click the Services icon on that row.

  2. Select from the table a service description whose information you wish to change and click Edit.

  3. In the window that opens, edit the WSDL address for WSDL, URL and/or service code for REST, and click OK. The service information updates accordingly (see section 6.2).

6.5 Deleting a service description

Access rights: Service Administrator

When a service description is deleted, all information related to the services described in the service description, including access rights, are deleted.

To delete a service description, follow these steps.

  1. On the Configuration menu, select Security Server Clients, select a client from the table and click the Services icon on that row.

  2. Select from the table a service description to be deleted and click Delete.

  3. Confirm the deletion by clicking Confirm in the window that opens.

6.6 Changing the Parameters of a Service

Access rights: Service Administrator

Service parameters are

  • "Service URL" – the URL where requests targeted at the service are directed;

  • "Timeout (s)" – the maximum duration of a request to the database, in seconds;

  • "Verify TLS certificate" – toggles the verification of the certificate when a TLS connection is established. This option is used for two different scenarios:

    • Between Security Server and service endpoint.
    • Between Security Server and service description URL, when metaservices getWsdl or getOpenAPI are used for this subsystem and service. See [PR-META] and [PR-MREST].

To change service parameters, follow these steps.

  1. On the Configuration menu, select Security Server Clients, select a client from the table and click the Services icon on that row.

  2. Select a service from the table and click Edit.

  3. In the window that opens, configure the service parameters. To apply the selected parameter to all services described in the same service description, select the checkbox adjacent to this parameter in the Apply to All in WSDL column. To apply the configured parameters, click OK.

6.7 Managing REST Endpoints

Access rights: Service Administrator

REST type service descriptions can contain API endpoints. The purpose of the endpoints is more fine-grained access control. More about that in chapter 7 Access Rights.

When URL type of the REST service is an OpenAPI 3 description, endpoints are parsed from the service description automatically. These endpoints cannot be manually updated or deleted. Additionally manual endpoints can be added as needed. When URL type is REST API base path, all the endpoints need to be created manually. Manually created endpoints can also be edited and deleted as needed.

To create API endpoint manually, follow these steps

  1. On the Configuration menu, select Security Server Clients, select a client from the table and click the Services icon on that row.

  2. Select from the table a REST service description where the endpoint is going to be added and click "+" to see the service details.

  3. Select the service code item immediately under the service description level and click Add Endpoint.

  4. Select HTTP request method and Path for the endpoint and click OK.

7 Access Rights

Access rights can be granted to the following access right subjects.

  • An X-Road member's subsystem.

  • A global access rights group. Global groups are created in the X-Road governing authority. If a group is granted an access right, it extends to all group members.

  • A local access rights group. To simplify access rights management, each client in the security server can create local access rights groups (see section 8). If a group is granted an access right, it extends to all group members.

There are two options for managing access rights in a security server.

  • Service-based access rights management – if a single service needs to be opened/closed to multiple service clients (see 7.1).

  • Service client-based access rights management – if a single service client needs multiple services opened/closed (see 7.2).

It is possible to define access rights on two levels for REST services:

  • REST service level
  • endpoint level

In general, a REST service usually has multiple endpoints. When access rights are defined on the service level, they apply to all the endpoints of the REST service. Instead, defining access rights on the endpoint level gives access to specific endpoint(s) only. The service level access rights support both service-based and service client-based access rights management. The endpoint level access rights support only service based access rights management.

7.1 Changing the Access Rights of a Service

Access rights: Service Administrator

To change the access rights to a service, follow these steps.

  1. On the Configuration menu, select Security Server Clients, select a client from the table and click the Services icon on that row.

  2. Select a service or endpoint from the table and click Access Rights.

  3. In the window that opens, the access rights table displays information about all X-Road subsystems and groups that have access to the selected service.

  4. To add one or more access right subjects to the service, click Add Subjects. The subject search window appears. You can search among all subsystems and global groups registered in the X-Road governing authority and among the security server client's local groups. Select one or more subjects from the table and click Add Selected to ACL. To grant the access right to all subjects in the search results, click Add All to ACL.

  5. To remove service access rights subjects, select the respective rows in the access rights table and click Remove Selected. To clear the access rights list (that is, remove all subjects), click Remove All.

7.2 Adding a Service Client

Access rights: Service Administrator

The service client view (Configuration -> Security Server Clients -> Service Clients) displays all the service level access rights subjects of the services mediated by this security server client. In other words, if an X-Road subsystem or group has been granted a service level access right to a service of this client, then the subject is shown in this view. Subjects that have been granted an endpoint level access right to a REST service, are not shown in the view.

To add a service client, follow these steps.

  1. On the Configuration menu, select Security Server Clients.

  2. Select a client from the table and click the Service Clients icon, then click Add.

  3. In the window that opens, locate and select a subject (a subsystem, or a local or global group) to which you want to grant access rights to and click Next.

  4. Locate the service(s) whose access rights you want to grant to the selected subject. Click Add Selected to ACL to grant access rights to the selected services to this subject. Click Add All to ACL to grant access rights to all services in the filter to the subject. Note that access rights to REST API endpoints can not be added using this view, those need to be added on Services tab as described in 7.1.

The subject is added to the list of service clients, after which the service client's access rights view is displayed where the access rights can be changed.

7.3 Changing the Access Rights of a Service Client

Access rights: Service Administrator

To change the service client's access rights, follow these steps.

  1. On the Configuration menu, select Security Server Clients, select a client from the table and click the Service Clients icon on that row.

  2. In the window that opens, locate and select a subject (a subsystem, or a local or global group) whose access rights you want to change and click Access Rights.

  3. In the window that opens, a list of services opened in the security server to the selected subject is displayed.

  • To remove access rights to a service from the service client, select one or more services from the table and click Remove Selected, then click Confirm.

  • To remove all access rights from the service client, click Remove All and then click Confirm.

  • Removing service level access rights from the service client also removes all REST API endpoint level access rights to the endpoints of the service. In other words, removing access rights from the service client removes all access rights to a service and its endpoints.

  • To add access rights to a service client, start by clicking Add Service. In the window that opens, select the service(s) that you wish to grant to the subject (already granted services are displayed in gray) and click Add Selected to ACL. To add all services found by the search, click Add All to ACL. Note that access rights to REST API endpoints can not be added using this view, those need to be added on Services tab as described in 7.1.

Caution: If you refresh the page, all service clients that do not have access rights to any services are removed from the service clients’ view.

8 Local Access Right Groups

A local access rights group can be created for a security server client in order to facilitate the management of service access rights for a group of X-Road subsystems that use the same services. The access rights granted for a group apply for all the members of the group. Local groups are client-based, that is, a local group can only be used to manage the service access rights of one security server client in one security server.

8.1 Adding a Local Group

Access rights: Service Administrator

To create a local group for a security server client, follow these steps.

  1. On the Configuration menu, select Security Server Clients, select a client and click the Local Groups icon on that row. In the window that opens, a list of the client's local groups is displayed.

  2. To create a new group, click Add Group. In the window that opens, enter the code and description for the new group and click OK.

8.2 Displaying and Changing the Members of a Local Group

Access rights: Service Administrator

To view the members of a local group, follow these steps.

  1. On the Configuration menu, select Security Server Clients, select a client and click the Local Groups icon on that row.

  2. In the window that opens, select a group whose members you want to view or change, and click Details to open the detail view.

To add one or more members to a local group, follow these steps in the group’s detail view.

  1. Click Add Members.

  2. In the window that opens, locate and select the subsystems that you wish to add to the group and click Add Selected to Group. To add all subsystems found by the search function to the group, click Add All to Group.

To remove members from a local group, select the members to be deleted in the group’s detail view and click Remove Selected Members. To remove all group members from the group, click Remove All Members.

8.3 Changing the description of a Local Group

Access rights: Service Administrator

To change the description of a local group, follow these steps.

  1. On the Configuration menu, select Security Server Clients, select a client from the table and click the Local Groups icon on that row.

  2. Select a group from the local groups table and click Details.

  3. In the group detail view, click Edit to change the description.

  4. Enter the group description and click OK.

8.4 Deleting a Local Group

Access rights: Service Administrator

Warning: When a local group is deleted, all the group members' access rights, which were granted through belonging to the group, are revoked.

To delete a local group, follow these steps.

  1. On the Configuration menu, select Security Server Clients, select a client from the table and click the Local Groups icon on that row.

  2. Select a group from the local groups table and click Details.

  3. In the group detail view, click Delete Group and confirm the deletion by clicking Confirm in the window that opens.

9 Communication with the Client Information Systems

Access rights: Registration Officer, Service Administrator

A security server can use either the HTTP, HTTPS, or HTTPS NOAUTH protocol to communicate with information system servers which provide and use services.

  • The HTTP protocol should be used if the information system server and the security server communicate in a private network segment where no other computers are connected to. Furthermore, the information system server must not allow interactive log-in.

  • The HTTPS protocol (default for new clients) should be used if it is not possible to provide a separate network segment for the communication between the information system server and the security server. In that case, cryptographic methods are used to protect their communication against potential eavesdropping and interception. Before HTTPS can be used, internal TLS certificates must be created for the information system server(s) and uploaded to the security server.

  • The HTTPS NOAUTH protocol should be used if you want the security server to skip the verification of the information system TLS certificate.

Note: If the HTTP connection method is selected, but the information system connects to the security server over HTTPS, then the connection is accepted, but the client’s internal TLS certificate is not verified (same behavior as with HTTPS NOAUTH).

By default the connection type for all the security server clients is set to HTTPS to prevent unauthorised use of the clients.

It is strongly recommended to keep the connection type of the security server owner as HTTPS to prevent security server clients from making operational monitoring data requests as a security server owner.

To set the connection method for internal network servers in the service consumer role, follow these steps.

  1. On the Configuration menu, select Security Server Clients, select a security server owner or a client from the table and click the Internal Servers icon on that row.

  2. On the Connection Type drop-down, select the connection method and click Save.

Depending on the configured connection method, the request URL for information system is http://SECURITYSERVER/ or https://SECURITYSERVER/. When making the request, the address SECURITYSERVER must be replaced with the actual address of the security server.

The connection method for internal network servers in the service provider role is determined by the protocol in the URL. To change the connection method, follow these steps.

  1. On the Configuration menu, select Security Server Clients, select a client from the table and click the Services icon on that row.

  2. Select a service from the table and click Edit.

  3. Change the protocol in the service URL to HTTP or HTTPS. If the HTTPS protocol was selected, select the Verify TLS certificate checkbox if needed (see section 6.6). According to the service parameters, the connection with the internal network server is created using one the following protocols:

  • HTTP – the service/adapter URL begins with “http://...”.

  • HTTPS – the service/adapter URL begins with “https://” and the Verify TLS certificate checkbox is selected.

  • HTTPS NOAUTH – the service/adapter URL begins with "https://" and the Verify TLS certificate checkbox is not selected.

To add an internal TLS certificate for a security server owner or security server client (for HTTPS connections), follow these steps.

  1. On the Configuration menu, select Security Server Clients, select a security server owner or a client from the table and click the Internal Servers icon on that row.

  2. To add a certificate, click Add in the Internal TLS Certificates section, select a certificate file from the local file system and click OK. The certificate fingerprint appears in the “Internal TLS Certificates” table.

To display the detailed information of an internal TLS certificate, follow these steps.

  1. On the Configuration menu, select Security Server Clients, select a security server owner or a client from the table and click the Internal Servers icon on that row.

  2. Select a certificate from the “Internal TLS Certificates” table and click Details.

To delete an internal TLS certificate, follow these steps.

  1. On the Configuration menu, select Security Server Clients, select a security server owner or a client from the table and click the Internal Servers icon on that row.

  2. Select a certificate from the “Internal TLS Certificates” table and click Delete.

  3. Confirm the deletion by clicking Confirm in the window that opens.

To export the security server's internal TLS certificate, follow these steps.

  1. On the Configuration menu, select Security Server Clients, select a security server owner or a client from the table and click the Internal Servers icon on that row.

  2. Click Export and save the prompted file to the local file system.

10 System Parameters

The security server system parameters are:

  • Configuration anchor's information. The configuration anchor contains data that is used to periodically download signed configuration from the central server and to verify the signature of the downloaded configuration.

  • Timestamping service information. Timestamping is used to preserve the evidential value of messages exchanged over X-Road.

  • Approved Certificate Authorities. A read-only list of approved certificate authorities (defined in the global configuration). The security server trusts authentication and signing certificates signed by the listed authorities.

  • The internal TLS key and certificate. The internal TLS certificate is used to establish a TLS connection with the security server client's information system if the "HTTPS" connection method is chosen for the client's servers.

10.1 Managing the Configuration Anchor

Access rights

To upload the configuration anchor, follow these steps.

  1. On the Configuration menu, select System Parameters. The system parameters view is opened.

  2. In the Configuration Anchor section, click Upload.

  3. Find the anchor file from the local file system and click Upload.

  4. Ensure that the anchor file you are uploading is valid by comparing the hash value of the uploaded file with the hash value of the currently valid anchor published by the X-Road governing authority. If the hash values match, confirm the upload by clicking Confirm.

To download the configuration anchor, follow these steps.

  1. On the Configuration menu, select System Parameters. The system parameters view is opened.

  2. On the Configuration Anchor section, click Download and save the prompted file.

10.2 Managing the Timestamping Services

Access rights: Security Officer

To add a timestamping service, follow these steps.

  1. On the Configuration menu, select System Parameters. The system parameters view is opened.

  2. In the Timestamping Services section, click Add.

  3. In the window that opens, select a service and click OK.

To delete a timestamping service, follow these steps.

  1. On the Configuration menu, select System Parameters. The system parameters view is opened.

  2. In the Timestamping Services section, select the service to be deleted and click Delete.

Note: If more than one timestamping service is configured, the security server will try to get a timestamp from the topmost service in the table, moving down to the next service if the try was unsuccessful. The failover covers both connection and timestamp response verification issues. For example, security server is not able to establish a connection to a timestamping service because of a misconfigured firewall, or verification of a timestamp response fails because of the sign certificate of the timestamping service is changed.

10.3 Changing the Internal TLS Key and Certificate

Access rights: Security Officer, System Administrator

To change the security server’s internal TLS key and certificate, follow these steps.

  1. On the Configuration menu, select System Parameters. The system parameters view is opened.

  2. In the Internal TLS Certificate section, click Generate New TLS Key and in the window that opens, click Confirm.

    The security server generates a key used for communication with the client information systems, and the corresponding self-signed certificate. The security server's certificate fingerprint will also change. The security server's domain name is saved to the certificate's Common Name field, and the internal IP address to the subjectAltName extension field.

To generate a new certificate request, follow these steps.

  1. On the Configuration menu, select System Parameters. The system parameters view is opened.

  2. In the “Internal TLS Certificate” section, click Generate Certificate Request, input the Distinguished Name and save the certificate request file to the local file system.

    The security server generates a certificate request using the current key and the provided Distinguished Name.

To import a new TLS certificate, follow these steps.

  1. On the Configuration menu, select System Parameters. The system parameters view is opened.

  2. In the “Internal TLS Certificate” section, click Import Certificate and point to the file to be imported.

    The imported certificate must be in PEM-format to be accepted. Certificate chains are supported; concatenate possible intermediate certificate(s) to the server certificate before importing the file.

    Note that the Internal TLS Key and Certificate are cached by default for 60 seconds (default cache period for serverconf) so generating a new key and importing a new certificate might affect providing services from the security server for the caching period. The caching period can be changed with System Parameters [UG-SYSPAR]

To export the security server’s internal TLS certificate, follow these steps.

  1. On the Configuration menu, select System Parameters. The system parameters view is opened.

  2. In the Internal TLS Certificate section, click Export and save the prompted file to the local file system.

    Note that only the internal server certificate is exported, not the possible intermediate certificates.

To view the detailed information of the security server’s internal TLS certificate, follow these steps.

  1. On the Configuration menu, select System Parameters. The system parameters view is opened.
  2. In the Internal TLS Certificate section, click Certificate Details.

10.4 Approved Certificate Authorities

Lists approved certificate authorities. The listing contains the following information:

  • CA certificate subject distinguished name. Top-level CAs are emphasized.
  • OCSP response status (not applicable to top-level CAs, shown as N/A). See 5.3 Validity States of Certificates for explanation, with the following exceptions:
    • Disabled status is not used
    • Additional status "not available" if the OCSP response is not available at all, e.g. due to an error.
  • Certificate expiration date.

11 Message Log

The purpose of the message log is to provide means to prove the reception of a regular request or response message to a third party. Messages exchanged between security servers are signed and encrypted. For every regular request and response, the security server produces a complete signed and timestamped document (Associated Signature Container [ASiC]).

Message log data is stored to the database of the security server during message exchange. According to the configuration (see 11.1), the timestamping of the signatures of the exchanged messages is either synchronous to the message exchange process or is done asynchronously using the time period set by the X-Road governing agency.

In case of synchronous timestamping, the timestamping is an integral part of the message exchange process (one timestamp is taken for the request and another for the response). If the timestamping fails, the message exchange fails as well and the security server responds with an error message.

In case of asynchronous timestamping, all the messages (maximum limit is determined in the configuration, see 11.1) stored in the message log since the last periodical timestamping event are timestamped with a single (batch) timestamp. By default, the security server uses asynchronous timestamping for better performance and availability.

The security server periodically composes signed (and timestamped) documents from the message log data and archives them in the local file system. Archive files are ZIP containers containing one or more signed documents and a special linking information file for additional integrity verification purpose.

11.1 Changing the Configuration of the Message Log

Configuration parameters are defined in INI files [INI], where each section contains the parameters for a particular security server component. The default message log configuration is located in the file

/etc/xroad/conf.d/addons/message-log.ini

In order to override default values, create or edit the file

/etc/xroad/conf.d/local.ini

Create the [message-log] section (if not present) in the file. Below the start of the section, list the values of the parameters, one per line.

For example, to configure the parameters archive-path and archive-max-filesize, the following lines must be added to the configuration file:

[message-log]
archive-path=/my/arhcive/path/
archive-max-filesize=67108864

11.1.1 Common parameters

  1. hash-algo-id – the hash algorithm that is used for hashing in the message log. Possible choices are SHA-256, SHA-384, SHA-512. Defaults to SHA-512.

11.1.2 Timestamping parameters

  1. timestamp-immediately – if set to true, the timestamps are created synchronously with the message exchange, i.e., one timestamp is created for a request and another for a response. This is a security policy to guarantee the timestamp at the time of logging the message, but if the timestamping fails, the message exchange fails as well, and if load to the security server increases, then the load to the timestamping service increases as well. The value of this parameter defaults to false for better performance and availability. In case the value of the parameter is false then the timestamping is performed as a periodic background process (the time period is determined in the X-Road governing agency and propagated to the security servers by global configuration) and signatures stored during the time period (see parameter timestamp-records-limit) are timestamped in one batch.

  2. timestamp-records-limit – maximum number of signed messages that can be timestamped in one batch. The message exchanging load (messages per minute) and the timestamping interval of the security server must be taken into account when changing the default value of this parameter. Do not modify this parameter without a good reason. Defaults to 10000.

  3. acceptable-timestamp-failure-period – time period in seconds, for how long the asynchronous timestamping is allowed to fail before message exchange between security servers is stopped. Set to 0 to disable this check. Defaults to 14400.

11.1.3 Archiving parameters

  1. keep-records-for – time in days for which to keep timestamped and archived records in the database. Defaults to 30.

  2. archive-max-filesize – maximum size for archived files in bytes. Reaching the maximum value triggers the file rotation. Defaults to 33554432 (32 MB).

  3. archive-interval – time interval as Cron expression [CRON] for archiving timestamped records. Defaults to 0 0 0/6 1/1 * ? * (fire every 6 hours).

  4. archive-path – the directory where the timestamped log records are archived. Defaults to /var/lib/xroad/.

  5. clean-interval – time interval as Cron expression [CRON] for cleaning archived records from the database. Defaults to 0 0 0/12 1/1 * ? * (fire every 12 hours).

  6. archive-transfer-command – the command executed after the (periodic) archiving process. This enables one to configure an external script to transfer archive files automatically from the security server. Defaults to no operation.

11.2 Transferring the Archive Files from the Security Server

In order to save hard disk space, it is recommended to transfer archive files periodically from the security server (manually or automatically) to an external location.

Archive files (ZIP containers) are located in the directory specified by the configuration parameter archive-path. File names are in the format mlog-X-Y-Z.zip, where X is the timestamp (UTC time in the format YYYYMMDDHHmmss) of the first message log record, Y is the timestamp of the last message log record (records are processed in chronological order) and Z is 10 characters long alphanumeric random. An example of an archive file name is:

mlog-20150504152559-20150504152559-a7JS05XAJC.zip

The message log package provides a helper script /usr/share/xroad/scripts/archive-http-transporter.sh for transferring archive files. This script uses the HTTP/HTTPS protocol (the POST method, the form name is file) to transfer archive files to an archiving server.

Usage of the script:

Options:  
-d, --dir DIR Archive directory. Defaults to '/var/lib/xroad'
-r, --remove Remove successfully transported files form the archive directory.
-k, --key KEY Private key file name in PEM format (TLS). Defaults to '/etc/xroad/ssl/internal.key'
-c, --cert CERT Client certificate file in PEM format (TLS). Defaults to '/etc/xroad/ssl/internal.crt'
-cacert FILE CA certificate file to verify the peer (TLS). The file may contain multiple CA certificates. The certificate(s) must be in PEM format.
-h, --help This help text.

The archive file has been successfully transferred when the archiving server returns the HTTP status code 200.

Override the configuration parameter archive-transfer-command (create or edit the file etc/xroad/conf.d/local.ini) to set up a transferring script. For example:

[message-log]
archive-transfer-command=/usr/share/xroad/scripts/archive-http-transporter.sh -r http://my-archiving-server/cgi-bin/upload

The message log package contains the CGI script /usr/share/doc/xroad-addon-messagelog/archive-server/demo-upload.pl for a demo archiving server for the purpose of testing or development.

11.3 Using a Remote Database

The message log database can be located outside of the security server. The following guide describes how to configure and populate a remote database schema for the message log. It is assumed that access to the database from the security server has been configured. For detailed information about the configuration of database connections, refer to [JDBC].

  1. Create a database user at remote database host:

    postgres@db_host:~$ createuser -P messagelog_user
Enter password for new role: <messagelog_password>
Enter it again: <messagelog_password>

  2. Create a database owned by the message log user at remote database host:

    postgres@db_host:~$ createdb messagelog_dbname -O messagelog_user -E UTF-8

  3. Verify connectivity from security server to the remote database:

    user@security_server:~$ psql -h db_host -U messagelog_user messagelog_dbname
Password for user messagelog_user: <messagelog_password>
psql (9.3.9)
SSL connection (cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256)
Type "help" for help.
messagelog_dbname=>

  4. Stop xroad-proxy service for reconfiguration:

    root@security_server:~# service xroad-proxy stop

  5. Configure the database connection parameters to achieve encrypted connections, in /etc/xroad/db.properties:

    messagelog.hibernate.jdbc.use_streams_for_binary = true
messagelog.hibernate.dialect = ee.ria.xroad.common.db.CustomPostgreSQLDialect
messagelog.hibernate.connection.driver_class = org.postgresql.Driver
messagelog.hibernate.connection.url = jdbc:postgresql://db_host:5432/messagelog_dbname?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory
messagelog.hibernate.connection.username = messagelog_user
messagelog.hibernate.connection.password = messagelog_password

  6. Populate database schema by reinstalling messagelog addon package and start xroad-proxy

    Ubuntu: apt-get install --reinstall xroad-addon-messagelog
    RHEL: yum reinstall xroad-addon-messagelog

    service xroad-proxy start

12 Audit Log

The security server keeps an audit log. The audit log events are generated by the user interface when the user changes the system’s state or configuration. The user actions are logged regardless of whether the outcome was a success or a failure. The complete list of the audit log events is described in [SPEC-AL].

Actions that change the system state or configuration but are not carried out using the user interface are not logged (for example, X-Road software installation and upgrade, user creation and permission granting, and changing the configuration files).

An audit log record contains correlation-id, which can be used to link the record to other log messages about the same request.

An audit log record also contains

  • the description of the user action,

  • the date and time of the event,

  • the username of the user performing the action

  • the authentication type used for this request (Session, ApiKey or HttpBasicPam)

    • Session – session based authentication (web application)
    • ApiKey - direct API call using API key authentication
    • HttpBasicPam – HTTP basic authentication with PAM login (for api key management API operations)

  • the API url for this request, and

  • the data related to the event.

For example, registering a new client in the security server produces the following log record:

2020-06-03T11:00:51+00:00 my-security-server-host correlation-id: [24b47d04dc6e1c49] INFO [X-Road Proxy Admin REST API] 2020-06-03T11:00:51.944Z - {"event":"Register client","user":"admin1","auth":"Session","url":"/api/clients/LXD:GOV:M1:audit-test/register","data":{"clientIdentifier":{"xRoadInstance":"LXD","memberClass":"GOV","memberCode":"M1","subsystemCode":"audit-test","clientStatus":"registration in progress"}}}

The event is present in JSON [JSON] format, in order to ensure machine processability. The field event represents the description of the event, the field user represents the user name of the performer, and the field data represents data related with the event. Field auth represents the authentication type, and url represents the API url. The failed action event record contains additional fields reason for the error message, and boolean warning to document whether failure was due to an unhandled warning. For example:

2020-06-03T10:57:46+00:00 my-security-server-host correlation-id: [49458d51a0bbe9ed] INFO [X-Road Proxy Admin REST API] 2020-06-03T10:57:46.417Z - {"event":"Log in to token failed","user":"admin1","reason":"org.niis.xroad.restapi.service.TokenService$PinIncorrectException: Signer.PinIncorrect: PIN incorrect","warning":false,"auth":"Session","url":"/api/tokens/0/login","data":{"tokenId":"0","tokenSerialNumber":null,"tokenFriendlyName":"softToken-0"}}

By default, audit log is located in the file

/var/log/xroad/audit.log

12.1 Changing the Configuration of the Audit Log

The X-Road software writes the audit log to the syslog (rsyslog) using UDP interface (default port is 514). Corresponding configuration is located in the file

/etc/rsyslog.d/90-udp.conf

The audit log records are written with level INFO and facility LOCAL0. By default, log records of that level and facility are saved to the X-Road audit log file

/var/log/xroad/audit.log

The default behavior can be changed by editing the rsyslog configuration file

/etc/rsyslog.d/40-xroad.conf

Restart the rsyslog service to apply the changes made to the configuration file

service rsyslog restart

The audit log is rotated monthly by logrotate. To configure the audit log rotation, edit the logrotate configuration file

/etc/logrotate.d/xroad-proxy

12.2 Archiving the Audit Log

In order to save hard disk space and avoid loss of the audit log records during security server crash, it is recommended to archive the audit log files periodically to an external storage or a log server.

The X-Road software does not offer special tools for archiving the audit log. The rsyslog can be configured to redirect the audit log to an external location.

13 Back up and Restore

13.1 Back up and Restore in the User Interface

Access rights: System Administrator

The backup and restore view can be accessed from the Management menu by selecting Back Up and Restore.

To back up configuration, follow these steps.

  1. Click Back Up Configuration.

  2. A window opens displaying the output of the backup script; click OK to close it. The configuration backup file appears in the list of configuration backup files.

  3. To save the configuration backup file to the local file system, click Download on the configuration file’s row and save the prompted file.

To restore configuration, follow these steps.

  1. Click Restore on the appropriate row in the list of configuration backup files and click Confirm.

  2. A window opens displaying the output of the restore script; click OK to close it.

If something goes wrong while restoring the configuration it is possible to revert back to the old configuration. Security Server stores so called pre-restore configuration automatically to /var/lib/xroad/conf_prerestore_backup.tar. Either move it to /var/lib/xroad/backup/ folder and utilize the user interface to restore it or use the command line interaface described in the next chapter.

To delete a configuration backup file, click Delete on the appropriate row in the configuration backup file list and then click Confirm.

To upload a configuration backup file from the local file system to the security server, click Upload Backup File, select a file and click OK. The uploaded configuration file appears in the list of configuration files.

13.2 Restore from the Command Line

To restore configuration from the command line, the following data must be available:

  • The X-Road ID of the security server

It is expected that the restore command is run by the xroad user.

In order to restore configuration, the following command should be used:

/usr/share/xroad/scripts/restore_xroad_proxy_configuration.sh \
-s <security server ID> -f <path + filename>

For example (all on one line):

/usr/share/xroad/scripts/restore_xroad_proxy_configuration.sh \
-s AA/GOV/TS1OWNER/TS1 \
–f /var/lib/xroad/backup/conf_backup_20140703-110438.tar

If it is absolutely necessary to restore the system from a backup made on a different security server, the forced mode of the restore command can be used with the –F option. For example (all on one line):

/usr/share/xroad/scripts/restore_xroad_proxy_configuration.sh \
-F –f /var/lib/xroad/backup/conf_backup_20140703-110438.tar

13.3 Automatic Backups

By default the Security Server backs up its configuration automatically once every day. Backups older than 30 days are automatically removed from the server. If needed, the automatic backup policies can be adjusted by editing the /etc/cron.d/xroad-proxy file.

14 Diagnostics

14.1 Examine security server services status information

Access rights: System Administrator

Open the Management menu and select Diagnostics.

On this page you can examine the statuses of the following services:

Service Status Message Previous Update Next Update
Global configuration Green/yellow/red Status message The time of the global configuration client’s last run The estimated time of the global configuration client’s next run
Timestamping Green/yellow/red Status message The time of the last timestamping operation Not used
OCSP-responders Green/yellow/red Status message The time of the last contact with the OCSP-responder The latest possible time for the next OCSP-refresh

To refresh the service statuses click the Diagnostics item on the Management menu.

The status colors indicate the following:

  • Red indicator – service cannot be contacted or is not operational
  • Yellow indicator – service has been contacted but is yet to have been used to verify its status
  • Green indicator – service has been successfully contacted and used to verify it is operational

The status message offers more detailed information on the current status.

If a section of the diagnostics view appears empty, it means that there either is no configured service available or that checking the service status has failed. If sections are empty, try refreshing the diagnostics view or check the service configuration.

15 Operational Monitoring

Operational monitoring data contains data about request exchange (such as the ID-s of the client and the service, various attributes of the message read from the message header, request and response timestamps, SOAP sizes etc.) of the X-Road security server(s).

The operational monitoring daemon collects and shares operational monitoring data of the X-Road security server(s) as part of request exchange, shares this data, calculates and shares health statistics (the timestamps and number of successful/unsuccessful requests, various metrics of the duration and the SOAP message size of the requests, etc.). The data fields that are stored and shared are described in [PR-OPMON].

The security server caches operational monitoring data in the operational monitoring buffer. One operational data record is created for each request during the message exchange. Security server forwards operational data cached in the operational monitoring buffer to the operational monitoring daemon. Successfully forwarded records are removed from the operational monitoring buffer.

The operational monitoring daemon makes operational and health data available to the owner of the security server, regular clients and the central monitoring client via the security server. Local health data are available for external monitoring systems (e.g. Zabbix) over the JMXMP interface described in [PR-OPMONJMX].

The owner of the security server and the central monitoring client are able to query the records of all clients. For a regular client, only the records associated with that client are available. The internal IP of the security server is included in the response only for the owner of the security server and central monitoring client.

NOTE: All the commands in the following sections must be carried out using root permissions.

15.1 Operational Monitoring Buffer

In general, the operational monitoring buffer is an internal component of the security server and thus being not directly used by the end user.

The configuration parameters available for configuring the operational monitoring buffer have been documented in [UG-OPMONSYSPAR].

The default values of the parameters have been chosen to be sufficient under expected average load using the minimum hardware recommended.

All overrides to the default configuration values must be made in the file /etc/xroad/conf.d/local.ini, in the [op-monitor-buffer] section.

15.1.1 Stopping the Collecting of Operational Data

If, for any reason, operational data should not be collected and forwarded to the operational monitoring daemon, the parameter size can be set to 0:

[op-monitor-buffer]
size = 0

After the configuration change, the xroad-proxy service must be restarted:

service xroad-proxy restart

In addition, the operational monitoring daemon should be stopped:

service xroad-opmonitor stop

For the service to stay stopped after reboot the following command should be run:

echo manual > /etc/init/xroad-opmonitor.override

15.2 Operational Monitoring Daemon

The configuration parameters available for configuring the operational monitoring daemon have been documented in [UG-OPMONSYSPAR].

Similarly to the operational monitoring buffer, the default values of the parameters have been chosen to be sufficient under expected average load using the minimum recommended hardware.

All overrides to the default configuration values must be made in the file /etc/xroad/conf.d/local.ini, in the [op-monitor] section.

In the following sections, some parameters are described which may be required to be changed more likely.

15.2.1 Configuring the Health Statistics Period

By default, health statistics are provided for a period of 600 seconds (10 minutes). This means that if no request exchange has taken place for 10 minutes, all the statistical metrics are reset. Please refer to [PR-OPMON] for a detailed overview of the health metrics available.

To change the health statistics period, the value of the parameter health-statistics-period-seconds should be set or edited in the [op-monitor] section of the file /etc/xroad/conf.d/local.ini.

15.2.2 Configuring the Parameters Related to Database Cleanup

Depending on the load and resources of the system, it may be necessary to change the interval of the removal of old database records.

The following parameters must be placed in the [op-monitor] section of the file /etc/xroad/conf.d/local.ini.

The parameter keep-records-for-days should be edited, for instance if the disk fills up before cleanup occurs, or alternatively, if the default period of 7 days is too short. The parameter clean-interval (a Cron expression [CRON]) defines how often the system checks whether cleanup should be done. If the default period of 12 hours is too long or short it should be edited according to your needs.

15.2.3 Configuring the Parameters related to the HTTP Endpoint of the Operational Monitoring Daemon

For configuring the endpoint of the operational monitoring daemon, the following parameters are available in the [op-monitor] section of the configuration:

host – listening host of the daemon (by default the value is set to localhost).

port – listening port (by default the value is set to 2080).

scheme – connection type (by default the value is set to HTTP).

If any of these values are changed, both the proxy and the operational monitoring daemon services must be restarted:

service xroad-proxy restart
service xroad-opmonitor restart

15.2.4 Installing an External Operational Monitoring Daemon

Technically, the operational monitoring daemon can be installed on a separate host from the security server. It is possible to configure several security servers to use that external operational monitoring daemon, but this setup is correct only if the security servers are identical clones installed behind a load balancer.

NOTE: The setup of clustered security servers is not officially supported yet and has been implemented for future compatibility.

NOTE: It is strongly advised to use HTTPS for requests between a security server and the associated external operational monitoring daemon.

For running a separate operational monitoring daemon, the xroad-opmonitor package must be installed. Please refer to [IG-SS] for general instructions on obtaining X-Road packages.

As a result of installation, the following services will be running:

xroad-confclient
xroad-signer
xroad-opmonitor

15.2.5 Configuring an External Operational Monitoring Daemon and the Corresponding Security Server

To make a security server communicate with an external operational monitoring daemon, it is necessary to configure both the daemon and the security server.

By default, the operational monitoring daemon listens on localhost. To make the daemon available to security servers on other hosts, the listening address must be set to the IP address that is relevant in the particular network, as described in the previous section.

As advised, the scheme parameter should be set to “https”. For communication over HTTPS, the security server and the operational monitoring daemon must know each other’s TLS certificates to enable the security server to authenticate to the monitoring daemon successfully.

NOTE: If an external operational monitoring daemon is used, the host, scheme (and optionally, port) parameters must be changed at both hosts.

The internal TLS certificate of the security server is used for authenticating the security server to the operational monitoring daemon. This certificate has been generated beforehand, during the installation process of the security server, and is available in PEM format in the file /etc/xroad/ssl/internal.crt. Please refer to Section 10.3 for the instructions on exporting the internal TLS certificate from UI. The file must be copied to the host running the operational monitoring daemon. The system user xroad must have permissions to read this file.

In the configuration of the external daemon, the corresponding path must be set in /etc/xroad/conf.d/local.ini:

[op-monitor]
client-tls-certificate = <path/to/security/server/internal/cert>

Next, a TLS key and the corresponding certificate must be generated on the host of the external monitoring daemon as well, using the command

generate-opmonitor-certificate

The script will prompt you for standard fields for input to TLS certificates and its output (key files and the certificate) will be generated to the directory /etc/xroad/ssl.

The generated certificate, in the file opmonitor.crt, must be copied to the corresponding security server. The system user xroad must have permissions to read this file. Its path at the security server must be written to the configuration (note the name of the section, although it is the proxy service that will read the configuration):

[op-monitor]
tls-certificate = <path/to/external/daemon/tls/cert>

For the external operational daemon to be used, the proxy service at the security server must be restarted:

service xroad-proxy restart

In addition, on the host running the corresponding security server, the operational monitoring daemon must be stopped:

service xroad-opmonitor stop

For the service to stay stopped after reboot the following command should be run:

echo manual > /etc/init/xroad-opmonitor.override

The configuration anchor (renamed as configuration-anchor.xml) file must be manually copied into the directory /etc/xroad of the external monitoring daemon in order for configuration client to be able to download the global configuration (by default configuration download interval is 60 seconds). The system user xroad must have permissions to read this file.

15.2.6 Monitoring Health Data over JMXMP

The operational monitoring daemon makes health data available over the JMXMP protocol. The Zabbix monitoring software can be configured to gather that data periodically, using its built in JMX interface type.

By default, the operational monitoring daemon JMXMP is disabled. JMXMP must be enabled for external tools such as Zabbix to be able to access the data. Please refer to the documentation at [JMX] for instructions on configuring access to the JMX interface of the operational monitoring daemon.

For Zabbix to be able to gather data over JMX, the Zabbix Java gateway must be installed. See [ZABBIX-GATEWAY] for instructions.

The JMX interface must be configured to each host item in Zabbix, for which health data needs to be obtained. See [ZABBIX-JMX] for instructions.

Please refer to [PR-OPMONJMX] for a specification of the names and attributes of the JMX objects exposed by the operational monitoring daemon.

The xroad-opmonitor package comes with sample host data that can be imported to Zabbix, containing a JMX interface, applications related to sample services and health data items under these services. Also, a script is provided for importing health data related applications and items to several hosts using the Zabbix API. Please find the example files in the directory /usr/share/doc/xroad-opmonitor/examples/zabbix/. Please refer to [ZABBIX-API] for information on the Zabbix API.

16 Environmental Monitoring

Environmental monitoring provides details of the security servers such as operating system, memory, disk space, CPU load, running processes and installed packages, etc.

16.1 Usage via SOAP API

Environmental monitoring provides SOAP API via X-Road message protocol extension. SOAP messages are described in [PR-ENVMONMES].

Monitoring extension schema is defined in [MONITORING_XSD].

16.2 Usage via JMX API

Environmental monitoring provides also a standard JMX endpoint which can be accessed with any JMX client (for example Java's jconsole application). See [ARC-ENVMON] for details.

JMX is disabled on default. JMX is enabled by adding standard JMX-related options to the executable java process as in example by [ZABBIX-JMX].

16.3 Limiting environmental monitoring remote data set

It is possibility to limit what allowed non-owners can request via environmental monotiring data request by changing monitor-env limit-remote-data-set parameter. By changing flag to be true non-owners who are allowed to query environmental monitoring data will get only certificate, operating system and xroad version information. This parameters is set by default false. Security server owner will always get full data set as requested.

17 Logs and System Services

To read logs, a user must have root user's rights or belong to the xroad and/or adm system group.

17.1 System Services

The most important system services of a security server are as follows.

Service Purpose Log
xroad-confclient Client process for the global configuration distributor /var/log/xroad/configuration_client.log
xroad-jetty Application server running the user interface /var/log/xroad/jetty/
xroad-proxy Message exchanger /var/log/xroad/proxy.log
xroad-signer Manager process for key settings /var/log/xroad/signer.log
xroad-proxy-ui-api Management UI and REST API /var/log/xroad/proxy_ui_api.log and
/var/log/xroad/proxy_ui_api_access.log
nginx Web server that exchanges the services of the user interface's application server and the message exchanger /var/log/nginx/

System services are managed through the systemd facility.

To start a service, issue the following command as a root user:

service <service> start

To stop a service, enter:

service <service> stop

Services use the default unit start rate limits. An exception to this is xroad-proxy-ui-api, which uses a longer start rate limit (5 starts / 40 seconds) to prevent infinite restart-loop in some specific error situations.

17.2 Logging configuration

For logging, the Logback system is used. Logback configuration files are stored in the directory /etc/xroad/conf.d/.

Default settings for logging are the following:

  • logging level: INFO;

  • rolling policy: whenever the file size reaches 100 MB.

17.3 Fault Detail UUID

In case a security server encounters an error condition during the message exchange, the security server returns a SOAP Fault message [PR-MESS] containing a UUID (a universally unique identifier, e.g. 1328e974-4fe5-412c-a4c4-f1ac36f20b14) as the fault detail to the service client's information system. The UUID can be used to find the details of the occurred error from the xroad-proxy log.

18 Federation

Federation allows security servers of two different X-Road instances to exchange messages with each other. The instances are federated at the central server level. After this, security servers can be configured to opt-in to the federation. By default, federation is disabled and configuration data for other X-Road instances will not be downloaded.

The federation can be allowed for all X-Road instances that the central server offers, or a list of specific (comma-separated) instances. The default is to allow none. The values are case-insensitive.

To override the default value, edit the file /etc/xroad/conf.d/local.ini and add or change the value of the system parameter allowed-federations for the server component configuration-client. To restore the default, either remove the system parameter entirely or set the value to none. X-Road services xroad-confclient and xroad-proxy need to be restarted (in that order) for any setting changes to take effect.

Below are some examples for /etc/xroad/conf.d/local.ini.

To allow federation with all offered X-Road instances:

[configuration-client]
allowed-federations=all

To allow federation with specific instances xe-test and ee-test:

[configuration-client]
allowed-federations=xe-test,ee-test

To disable federation, just remove the allowed-federations system parameter entirely or use:

[configuration-client]
allowed-federations=none

Please note that if the keyword all is present in the comma-separated list, it will override the single allowed instances. The keyword none will override all other values. This means that the following setting will allow all federations:

[configuration-client]
allowed-federations=xe-test, all, ee-test

And the following will allow none:

[configuration-client]
allowed-federations=xe-test, all, none, ee-test

19 Management REST APIs

Security server has REST APIs that can be used to do all the same server configuration operations that can be done using the web UI.

Management REST APIs are protected with an API key based authentication. To execute REST calls, API keys need to be created.

All REST APIs are protected by TLS. Since server uses self signed certificate, the caller needs to accept this (for example with curl you need to use --insecure or -k option.

Request sent to REST APIs have a limit for maximum size. If a too large request is sent to REST API, it will not be processed, and http status 413 Payload too large will be returned. There is a different limit for binary file uploads, and for other requests.

Limits are

  • 10MB for file uploads
  • 50KB for other requests

REST APIs are also rate limited. Rate limits apply per each calling IP. If the number of calls from one IP address exceeds the limit, REST APIs return http status 429 Too Many Requests.

Limits are

  • 600 requests per minute
  • 20 requests per second

If the default limits are too restricting (or too loose), they can be overridden with command line arguments. Limits are set with application properties

  • request.sizelimit.regular
  • request.sizelimit.binary.upload
  • ratelimit.requests.per.second
  • ratelimit.requests.per.minute

Size limit parameters support formats from Formats from DataSize, for example 5MB.

Command line arguments can be modified using configuration file local.conf. Example from /etc/xroad/services/local.conf with modifications:

PROXY_UI_API_PARAMS=" $PROXY_UI_API_PARAMS -Dratelimit.requests.per.second=100"
PROXY_UI_API_PARAMS=" $PROXY_UI_API_PARAMS -Drequest.sizelimit.binary.upload=1MB"

19.1 API key management operations

Access rights: System Administrator

An API key is linked to a role or roles, and grants access to the operations that are allowed for that role/roles. A separate REST api exists for API key management. API key management API is authenticated to with HTTP basic authentication (username and password) or with session authentication (for admin web application). Basic authentication access is limited to localhost by default, but this can be changed using System Parameters [UG-SYSPAR].

19.1.1 Creating new API keys

A new API key is created with a POST request to /api/api-keys. Message body must contain the roles to be associated with the key. Server responds with data that contains the actual API key. After this point the key cannot be retrieved, as it is not stored in plaintext.

curl -X POST -u <user>:<password> https://localhost:4000/api/api-keys --data '["XROAD_SECURITYSERVER_OBSERVER","XROAD_REGISTRATION_OFFICER"]' --header "Content-Type: application/json" -k
{
  "roles": [
    "XROAD_REGISTRATION_OFFICER",
    "XROAD_SECURITYSERVER_OBSERVER"
  ],
  "id": 61,
  "key": "23bc57cd-b1ba-4702-9657-8d53e335c843"
}

In this example the created key was 23bc57cd-b1ba-4702-9657-8d53e335c843.

19.1.2 Listing API keys

Existing API keys can be listed with a GET request to /api/api-keys. This lists all keys, regardless of who has created them.

curl -X GET -u <user>:<password> https://localhost:4000/api/api-keys -k
[
  {
    "id": 59,
    "roles": [
      "XROAD_REGISTRATION_OFFICER",
      "XROAD_SECURITYSERVER_OBSERVER",
      "XROAD_SERVICE_ADMINISTRATOR"
    ]
  },
  {
    "id": 60,
...

19.1.3 Updating API keys

An existing API key is updated with a PUT request to /api/api-key/{id}. Message body must contain the roles to be associated with the key. Server responds with data that contains the key id and roles associated with the key.

curl -X PUT -u <user>:<password> https://localhost:4000/api/api-key/60 --data '["XROAD_SECURITYSERVER_OBSERVER","XROAD_REGISTRATION_OFFICER"]' --header "Content-Type: application/json" -k
{
  "id": 60,
  "roles": [
    "XROAD_REGISTRATION_OFFICER",
    "XROAD_SECURITYSERVER_OBSERVER"
  ]
}

19.1.4 Revoking API keys

An API key can be revoked with a DELETE request to /api/api-keys/{id}. Server responds with HTTP 200 if revocation was successful and HTTP 404 if key did not exist.

curl -X DELETE -u <user>:<password> https://localhost:4000/api/api-keys/60  -k

19.1.5 API key caching

API keys are cached in memory. In typical security server configurations this does not create problems. However, if you have configured a setup where multiple security servers share the same serverconf database, and use multiple nodes to access REST APIs and execute API key management operations, the caches of different nodes can become out of sync.

For example, you may revoke an API key from node 1 but node 2 is not aware of this, and still grants access to REST APIs with this API key.

If you operate such a configuration, you need to target all REST API operations to the same security server node, or otherwise ensure that caching will not create problems (for example, always restart REST API modules when API key operations are executed).

19.2 Executing REST calls

Access rights: Depends on the API.

Once a valid API key has been created, it is used by providing an Authorization: X-Road-ApiKey token=<api key> HTTP header in the REST calls. For example

curl --header "Authorization: X-Road-apikey token=ff6f55a8-cc63-4e83-aa4c-55f99dc77bbf" "https://localhost:4000/api/clients" -k
[
  {
    "id": "XRD2:GOV:999:foobar",
    "member_name": Foo Name,
    "member_class": "GOV",
    "member_code": "999",
    "subsystem_code": "SUBS_1",
    "status": "saved
...

The available APIs are documented in OpenAPI specification (TBD). Access rights for different APIs follow the same rules as the corresponding UI operations. Access to regular APIs is allowed from all IP addresses by default, but this can be changed using System Parameters [UG-SYSPAR].

19.3 Correlation ID HTTP header

The REST APIs return an X-Road-UI-Correlation-ID HTTP header. This header is also logged in proxy_ui_api.log, so it can be used to find the log messages related to a specific API call.

The correlation ID header is returned for all requests, both successful and failed ones.

For example, these log messages are related to an API call with correlation ID 3d5f193102435242:

2019-08-26 13:16:23,611 [https-jsse-nio-4000-exec-10] correlation-id:[3d5f193102435242] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - The HttpSession is currently null, and the HttpSessionSecurityContextRepository is prohibited from creating an HttpSession (because the allowSessionCreation property is false) - SecurityContext thus not stored for next request
2019-08-26 13:16:23,611 [https-jsse-nio-4000-exec-10] correlation-id:[3d5f193102435242] WARN  o.s.w.s.m.m.a.ExceptionHandlerExceptionResolver - Resolved [org.niis.xroad.restapi.exceptions.ConflictException: local group with code koodi6 already added]
2019-08-26 13:16:23,611 [https-jsse-nio-4000-exec-10] correlation-id:[3d5f193102435242] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally

19.4 Validation errors

An error response from the REST API can include validation errors if an unsupported parameter was provided with the request.

In addition to the validation messages declared in Java Validation API, the following validation errors are possible:

Normalized
NoColons
NoSemicolons
NoForwardslashes
NoBackslashes
NoPercents

20 Migrating to Remote Database Host

Since version 6.22.0 Security Server supports using remote databases. In case you have an already running Security Server with local database, it is possible to migrate it to use remote database host instead. The instructions for this process are listed below.

  1. Shutdown X-Road processes.

    systemctl stop "xroad*"

  2. Dump the local databases to be migrated. You can find the passwords of users serverconf, messagelog and opmonitor in /etc/xroad/db.properties. Notice that the versions of the local PostgreSQL client and remote PostgreSQL server must match. Also take into account that on a busy system the messagelog database can be quite large and therefore dump and restore can take considerable amount of time and disk space.

    pg_dump -F t -h 127.0.0.1 -p 5432 -U serverconf -f serverconf.dat serverconf
pg_dump -F t -h 127.0.0.1 -p 5432 -U messagelog -f messagelog.dat messagelog
pg_dump -F t -h 127.0.0.1 -p 5432 -U opmonitor_admin -f op-monitor.dat op-monitor

  3. Shut down and mask local postgresql so it won't start when xroad-proxy starts.

    systemctl stop postgresql
systemctl mask postgresql

  4. Connect to the remote database server as the superuser postgres and create roles, databases and access permissions as follows. Note that the line GRANT serverconf to postgres is AWS RDS specific and not necessary if the postgres user is a true super-user.

    psql -h <remote-db-url> -p <remote-db-port> -U postgres
CREATE ROLE serverconf LOGIN PASSWORD '<serverconf-password>';
GRANT serverconf to postgres;
CREATE DATABASE serverconf OWNER serverconf ENCODING 'UTF-8';
\c serverconf
CREATE EXTENSION IF NOT EXISTS hstore;
\c postgres

CREATE ROLE messagelog LOGIN PASSWORD '<messagelog-password>';
GRANT messagelog to postgres;
CREATE DATABASE messagelog OWNER messagelog ENCODING 'UTF-8';

CREATE ROLE opmonitor_admin LOGIN PASSWORD '<opmonitor_admin-password>';
CREATE ROLE opmonitor LOGIN PASSWORD '<opmonitor-password>';
GRANT opmonitor_admin to postgres;
CREATE DATABASE "op-monitor" OWNER opmonitor_admin ENCODING "UTF-8";
grant usage on schema public to opmonitor;

  5. Restore the database dumps on the remote database host.

    pg_restore -h <remote-db-url> -p <remote-db-port> -U serverconf -O -n public -1 -d serverconf serverconf.dat
pg_restore -h <remote-db-url> -p <remote-db-port> -U messagelog -O -n public -1 -d messagelog messagelog.dat
pg_restore -h <remote-db-url> -p <remote-db-port> -U opmonitor_admin -O -n public -1 -d op-monitor op-monitor.dat

  6. Create properties file /etc/xroad.properties containing the superuser password.

    sudo touch /etc/xroad.properties
sudo chown root:root /etc/xroad.properties
sudo chmod 600 /etc/xroad.properties

  7. Edit /etc/xroad.properties.

    postgres.connection.password = <postgres-password>
op-monitor.database.admin_password = <opmonitor_admin-password>
serverconf.database.initialized = true
messagelog.database.initialized = true
op-monitor.database.initialized = true

  8. Update /etc/xroad/db.properties contents with correct database host URLs and passwords.

    serverconf.hibernate.connection.url = jdbc:postgresql://<remote-db-url>:<remote-db-port>/serverconf
messagelog.hibernate.connection.url = jdbc:postgresql://<remote-db-url>:<remote-db-port>/messagelog
op-monitor.hibernate.connection.url = jdbc:postgresql://<remote-db-url>:<remote-db-port>/op-monitor
serverconf.hibernate.connection.password = <serverconf-password>
messagelog.hibernate.connection.password = <messagelog-password>
op-monitor.hibernate.connection.password = <opmonitor-password>

  9. Start again the X-Road services.

    systemctl start "xroad*"