Release Notes

This page provides the latest information about the ActivID Validation Authority.

What's New

  • Empty CRLs Management

    ActivID Validation Authority now supports managing empty CRLs. This will help validate the certificate status when the CRL is empty.

  • Notification for Maximum Proof list entries

    ActivID Validation Authority now can be configured to get an email notification whenever the proof list entries in the proof file reaches 90% of the configured “Maximum proof list entries” value.

  • HSM Product name Changes

    HSM product names in the keystore configuration page are changed to align with the HSM vendor name changes.

    • Gemalto SafeNet Luna is changed to Thales Luna

    • Thales nShield is changed to Entrust nShield

  • Platform and Software Upgrades

    ActivID Validation Authority now supports the following:

    • OpenJDK 11.0.2/15.0.2/17.0.2 (from OpenJDK.org)

    • Oracle JDK 11.0.12/15.0.2/17.0.2

    • Microsoft® Windows Server 2022

    • Microsoft Windows Server 2019 Certificate Authority

    • PostgreSQL 15 Database

    • Tomcat minor version upgrade

    • Log4j2 version upgrade

  • Advanced Logging

    ActivID Validation Authority now provides advance logging capabilities through Log4j2. Now users can configure log retention periods and log files can be configured to, labeled, zipped and stored at different locations automatically.

  • Include Issuer's SKI

    ActivID Validation Authority now provides configurable option to include issuer's SKI in each of proof file name regardless of issuer holds single certificate or multiple certificates.

  • Status Page for Direct OCSP

    ActivID Validation Authority now allows you to view the status reports of Direct OCSP requests served by the Validation Authority. It provides information about total number of OCSP requests with its request resolution (success/error), recent OCSP requests, and generated proof files.

  • Enable Printable String for DN

    ActivID Validation Authority now provides configurable option to generate CSR with encoding of DN as PrintableString format rather than the default UTF8String format.

  • ECDSA Algorithm for SSL Key

    ActivID Validation Authority now supports EC and DSA algorithm for SSL key with Oracle Keystore.

  • RESTful APIs

    In order to support eIDAS requirements OCSP responses can only answer with a valid response if the certificate information exists in the database. ActivID Validation Authority can now allow certificate import, update existing certificate status and request current status through REST APIs.

  • PKI Logon

    ActivID Validation Authority now supports PKI logon to support Homeland Security Presidential Directive HSPD-12 to implement two-factor authentication.

  • Automatic Key Renewal

    ActivID Validation Authority now supports automatic replacement of Asymmetric Signature Key which is used for signing OCSP responses.

  • nextUpdate field for Expiring Certificates

    ActivID Validation Authority now supports the "nextUpdate" field set to "99991231235959Z" as it referred in EN 319 411-1 (section 6.3.10: CSS-6.3.10-11).

    To enable this feature, enter the positive integer value in the Issuer Certificate Expiry duration field, the entered value specifies the number of days prior to the certificate expiry, from which the nextUpdate field will change in the OCSP response.

  • Archive Cutoff Date

    ActivID Validation Authority now allows to add archive cutoff date in the OCSP responses as referred in the IETF RFC6960[i.9]. To enable archiveCutOff date field in OCSP response, a positive integer value in the Retention Period field. System will subtract produced at time from the entered value and show archiveCutoff date. If the desired behavior is to have archiveCutoff date as same as issuer's valid from date then select the Issuer's notBefore check box.

  • Latest Environment Support

    ActivID Validation Authority now supports Microsoft SQL Server 2019, Postgre SQL 9 and 12, Oracle 12c R1, R2 and 19c. It also leverages the latest Apache Tomcat® 9.

Hotfix Information

Tomcat upgraded through the hotfixes (FIXS2312000 and FIXS2405000) to fix the vulnerabilities. For details on the Tomcat upgrade and how to install these hotfixes, refer to the readme file that comes with the hotfix zip package.

Important:

  • If you have freshly installed Validation Authority 7.4, then apply the latest hotfix FIXS2405000.

  • If you have already installed Validation Authority 7.4 and applied the hotfix FIXS2312000, then apply the latest hotfix FIXS2405000.

  • If you have already installed Validation Authority 7.4 and not yet applied the hotfix FIXS2312000, then you can directly apply the latest hotfix FIXS2405000.

List of Tested Configuration

For this release, HID Global has tested the following configurations on the listed operating systems. For details, see the environment information listed in the Configuration Requirements section.

Operating System Java Version Database HSM
Windows 10 OpenJDK 11.0.2 PostgreSQL 15 Entrust nShield (formerly Thales nShield) Connect XC (FIPS mode, firmware version 12.72.1) with client software version 12.70.4 (x64)
Windows Server 2016 OpenJDK 11.0.2/15.0.2/17.0.2

PostgreSQL 12

SQL Server 2016

 Oracle SunJCE keystore (Soft HSM)
Windows Server 2019 OpenJDK 11.0.2/15.0.2/17.0.2 SQL Server 2019 Thales Luna HSM (formerly Gemalto SafeNet Luna) Network HSM A 700 (Firmware version 7.2.0-220) with client software vtl version: 10.1.0-32 (x64)
Windows Server 2022 OpenJDK 11.0.2/15.0.2/17.0.2

PostgreSQL 15

Oracle 19c

 Oracle SunJCE keystore (Soft HSM)
RHEL 7 OpenJDK 11.0.2/15.0.2 PostgreSQL 12 Thales Luna HSM (formerly Gemalto SafeNet Luna) Network HSM A 700 (Firmware version 7.2.0-220) with client software vtl version: 10.1.0-32 (x64)
RHEL 8 OpenJDK 11.0.2

SQL Server 2019

Oracle 19c

 Oracle SunJCE keystore (Soft HSM)

Special Notes for HSM Users

For HSM-specific client configuration, please carefully read the appropriate section corresponding to your HSM type in the Installation and Configuration guide provided with the release.

  • Thales Luna (formerly Gemalto SafeNet Luna)

    Tested client software version: 10.1.0-32 (firmware version 7.2.0-220):

    Using firmware version 7.2.0-220, SSL handshakes do not work. Use the Oracle SunJCE keystore (software-only keystore) for SSL keys.

  • Entrust nShield (formerly Thales nShield)

    Tested client software version:

    • Connect XC: 12.70.4 (firmware version 12.72.1)

    • Thales technical support has informed HID Global that Java 8 support is available starting with client version 12.70.

SSL Ciphers

Validation Authority is configured by default with the following list of ciphers – used with TLS 1.2 protocol.

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES128-SHA256

  • SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • SSL_DHE_RSA_WITH_AES_256_CBC_SHA256

  • SSL_DHE_DSS_WITH_AES_256_CBC_SHA256

  • SSL_DHE_RSA_WITH_AES_128_CBC_SHA256

  • SSL_DHE_DSS_WITH_AES_128_CBC_SHA256

  • SSL_DHE_RSA_WITH_AES_256_GCM_SHA384

  • SSL_DHE_DSS_WITH_AES_256_GCM_SHA384

  • SSL_DHE_RSA_WITH_AES_128_GCM_SHA256

  • SSL_DHE_DSS_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305

  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

HID Global has tested the following browsers using Entrust nShield (formerly Thales nShield) Connect XC HSM:

  • Google® Chrome

  • Firefox®

  • Microsoft Edge®

Read carefully the previous “Special Notes for HSM Users” section, as each HSM provider has issues in implementing SSL ciphers.

Consider using the Oracle SunJCE keystore (software-only key store) for SSL keys if the HSM of your choice does not support ciphers of your interest.

Note: You might need to adjust the cipher list during the configuration to make sure SSL handshake negotiations end up with the cipher of your choice.

Known Problems and Limitations

  • ActivID Validation Authority does not support EC algorithm for SSL key with HSMs.

  • Logging configuration from Validation Authority 7.3 are not retained. It is required to configure the logging again in Validation Authority 7.4 as mentioned in the Configure System Settings - Logging section.