- Created by Josefin Klang on Mar 20, 2023
This article describes how to upgrade Protocol Gateway.
Prerequisites
The following prerequisites apply:
- Protocol Gateway is installed. See Install Protocol Gateway.
Step-by-step instruction
1. Stop the Tomcat service
2. Back up Protocol Gateway folder
Back up the Protocol Gateway folder:
- Navigate to the Tomcat /webapps folder.
- Make a backup of the existing /pgwy folder for reference and delete the original.
3. Upgrade from a specific version
Sequential upgrade process
To upgrade from older versions to newer versions, you must upgrade each version step-by-step.
Example: Starting from 8.5.0, you must upgrade to 8.6.x and thereafter to 8.7.0.
The following configurations are done in configuration files in <configroot>.
<configroot> corresponds to the following paths:
%ALLUSERSPROFILE%/Nexus/cm-gateway/
/var/cm-gateway/
The numbering of the handlers has been changed in the file <configroot>/api.properties:
- If the file is unmodified, remove this file and it will be recreated with new defaults when restarting Protocol Gateway.
- If the file has been modified, then do the following:
- Open the file <configroot>/api.properties for editing.
Change the numbers on all configured handlers and their related configuration so that the number corresponds to the following numbering scheme:
Example: api.propertieshandler.0.filter = certificates handler.10.filter = certificates/revoke handler.11.filter = certificates/reinstate handler.20.filter = certificates/[a-z0-9A-Z]+/details handler.21.filter = certificates/[a-z0-9A-Z]+/download handler.30.filter = certificates/pkcs10 handler.50.filter = procedures
Add the following lines at an appropriate place in the file:
Example: api.properties# Process PKCS10 request -> PKCS12 response handler.31.filter = certificates/pkcs10-to-pkcs12 handler.31.format = api/certificates-pkcs10-to-pkcs12 handler.31.tokenprocedure = Token Procedure Name - must be configured
Save the file.
The settings in c2x.properties have changed:
- If this file exists in your environment, remove it. A new version with default values will appear when restarting Protocol Gateway.
Protocol Gateway has gained the ability to send metrics to InfluxDB.
To use this feature, do the following:
- Open the file <configroot>/cm-gateway.properties for editing.
Add the following lines after the setting for
cmhost:Example: cm-gateway.properties# CM-Connections is the maximum amount of concurrent officer connections to CF # to allocate to the officer pool. cmconnections = 20
Add the following lines at the end of the file:
Example: cm-gateway.properties#= Metrics reporter # # metrics.influxdb.url - If non-empty, PGW will report metrics to an # InfluxDB database at this URL. # #metrics.influxdb.url = http://localhost:8086 # metrics.influxdb.user - The user name to be used when reporting metrics # to InfluxDB. # #metrics.influxdb.user = # metrics.influxdb.password - The password to be used when reporting # metrics to InfluxDB. # #metrics.influxdb.password = # metrics.influxdb.dbname - The InfluxDB database name where metrics will # be stored. The database must already exist in InfluxDB. Defaults to # "cm_metrics" if not specified. # #metrics.influxdb.dbname = cm_metrics # metrics.influxdb.interval - How often metrics should be sent to # InfluxDB (in seconds). Defaults to 30s if not specified. # #metrics.influxdb.interval = 30
- Save the file.
The REST API configuration has been extended with additional endpoints.
To use these features, do the following:
- Open the file <configroot>/api.properties for editing.
Add the following lines at the end of the file:
Example: api.properties# Registration Endpoints # HTTP GET: search # HTTP POST: create # HTTP PUT: edit # registrations/{procid} handler.60.filter = registrations/[a-z0-9A-Z\- ]+ handler.60.format = api/registrations-list handler.60.getformat = api/registrations-list handler.60.postformat = api/registrations-create handler.60.putformat = api/registrations-update # registrations/{procid}/{protocol} handler.61.filter = registrations/[a-z0-9A-Z\- ]+/(?i)(est|acme|cmp|scep) handler.61.format = api/registrations-list-protocol handler.61.getformat = api/registrations-list-protocol handler.61.postformat = api/registrations-create-protocol handler.61.putformat = api/registrations-update-protocol # registrations/certificate/{certid} handler.62.filter = registrations/certificate/[0-9]+ handler.62.format = api/registrations-get-certid ################ # ACME Endpoints # registrations/{procid}/acme/accounts handler.70.filter = registrations/[a-z0-9A-Z\- ]+/acme/accounts handler.70.format = api/registrations-list-acme-accountsSave the file.
The EST configuration has been extended with additional options.
To use these features, do the following:
- Open the file <configroot>/est.properties for editing.
Replace the description of the parameters to the following:
Example: est.properties#- Parameters # # filter - contains a filter for the handler part of the URL # specified as a regular expression. NOTE: If using the CoAP proxy, # regular expressions in the filters are not supported. # # format - contains the name of a format definition file. For regular # EST the format definition files with the prefix 'est-' should be used. For # EST over CoAPs the files with the prefix 'estcoaps-' should be used instead. # # tokenprocedure - contains the description or id of a token procedure # in the CM server. # # ra.keyfile - is the token to sign the fullcmc responses. # Not required if fullcmc is disabled. # # ra.password - is the password to the keyfile. It is recommended to # obfuscate sensitive data with .encrypted. # # requiredRoRoles - optional, contains a space or comma separated list # of required Registration Officer roles. This requires client # authentication to be enabled in Tomcat, and verifies that the # client certificate is an officer. If the role "none" is entered, # the client certificate must be issued by CM but does not need to # be an officer. "/cacerts" must not be protected behind client # authentication, and therefore no default role should be set. # # authtype - optional, enables HTTP Basic/Digest authentication by # specificing the desired authentication type. May only be set # for filters simpleenroll and simplereenroll. # Example: # handler.<n>.authtype = Basic # handler.<n>.authtype = Digest # # realm - required if authtype is set, may be empty. Determines which # realm the login should occur on. Can only be set for filters # simpleenroll and simplereenroll. # # qop - optional, determines the quality of protection used with # Digest authentication. Valid value is 'auth'. If not specified # then no Quality of Protection will be required.
Save the file.
The REST API configuration has been extended with additional endpoints.
To use these features, do the following:
- Open the file <configroot>/api.properties for editing.
Add the following lines below the certificate endpoints:
Example: api.properties# Process PKCS10 request -> PKCS7 (secure key injection package) response handler.32.filter = certificates/skip handler.32.format = api/certificates-skip handler.32.tokenprocedure = Token Procedure Name - must be configured # Process X509 certificate import handler.33.filter = certificates/import-pki-x509 handler.33.format = api/certificates-import-pki-x509 handler.33.importlimit = 100 handler.33.tokenprocedure = Token Procedure Name - must be configured
- Save the file.
The SCEP implementation has been updated in the following ways:
- Support for a CA Certificate Only Response has been added, according to https://tools.ietf.org/html/draft-nourse-scep-23#section-5.2.1.1.1.
- Support for dynamic challenge passwords has been added, complying to Microsoft's Network Device Enrollment Service (NDES) implementation.
To use these features, do the following:
- If the file <configroot>/scep.properties is unmodified, remove this file and it will be recreated with new defaults when restarting Protocol Gateway.
- If the file has been modified, then do the following:
- Open the file <configroot>/scep.properties for editing.
Add the following lines below
default.racachainlength = 0:Example: scep.properties# Changes the response format for the GetCACert call to return the RA # certificate in binary format if set to true. # Only works if racachainlength is set to 1. default.responseasbinary = false
Add the following lines below
default.ra.signature.keyusage = digitalsignature:Example: scep.properties# SCEP INTUNE # # SCEP Intune allows for integration with Azure AD to automatically # enroll and manage iOS, Android, Windows and Mac devices. # # tenant - is the Tenant which is the fully qualified domain name (FQDN) # of the organization configured in Intune. # # azure_app_id - specifies the azure application id of the app # registration. # # azure_app_key - specifies the client secret of the app registration. # # certificateAuthority - specifies the name of the CA performing the # requests to Intune.
Append the following lines at the end of the file:
Example: scep.properties# http://<pgwy-host>:<port>/pgwy/scep/ndeschallenge/ # # Handler for SCEP dynamic challenge endpoint (NDES compliant) # handler.3.filter = ndeschallenge/ handler.3.format = scep-ndes handler.3.ndesUsername = ndesadmin handler.3.ndesPassword = ndespassword handler.3.ndesChallengeValidity = PT15M # http://<pgwy-host>:<port>/pgwy/scep/ndesrequest # # Handler for SCEP request using dynamic challenge password (NDES compliant) # handler.4.filter = ndesrequest handler.4.format = scep handler.4.tokenprocedure = SCEP Registration and Enroll Procedure with NDES Challenge # http://<pgwy-host>:<port>/pgwy/scep/intune/pkiclient.exe # # Handler for requests that should be validated against a Microsoft # Intune server. handler.5.filter = intune/pkiclient.exe handler.5.format = scep-intune handler.5.tenant = tenant handler.5.azure_app_id = app-id handler.5.azure_app_key = app-key handler.5.certificateAuthority = CA
Save the file.
Support for CMC revoke request has been added.
To use this feature, do the following:
- If the file <configroot>/cmc.properties is unmodified, remove this file and it will be recreated with new defaults when restarting Protocol Gateway.
- If the file has been modified, then do the following:
- Open the file <configroot>/cmc.properties for editing.
Add the following lines below
default.tokenprocedure = TLS Web Server Token:Example: cmc.properties# ra.keyfile - is the token to sign the fullcmc responses, required for CMC Revoke. # Not required if CMC Revoke handler is disabled. # ra.password - is the password to the keyfile. It is recommended to # obfuscate sensitive data with .encrypted.
Append the following lines at the end of the file:
Example: cmc.propertieshandler.2.filter = revoke handler.2.filterContentType = application/pkcs7-mime;\h*smime-type\h*= \h*CMC-request handler.2.format = cmc-revoke # fullcmc responses (required as response to Revocation request) require an RA token to be signed with handler.2.ra.keyfile = protocol-gateway-ra.p12 handler.2.ra.password = abcd1234
- Save the file.
Support for configuring connection properties to the authorization server has been added.
To use this feature, do the following:
- If the file <configroot>/c2x.properties is unmodified, remove this file and it will be recreated with new defaults when restarting Protocol Gateway.
- If it has been modified, then do the following:
- Open the file <configroot>/c2x.properties for editing.
Replace the line
#default.authorizationUrl = <authorization-server-url>with the following lines:c2x.properties# Parameters for the AccessTokenVerifier modifier. # # default.authorizationUrl = <authorization-server-url> # default.authKeyCacheLifeSpan = P365D # default.authKeyCacheRefreshTime = P1D # # Timeout values in ms. # default.authKeyConnectTimeout = 1000 # default.authKeyReadTimeout = 1000
Save the file.
The EST configuration has been extended with additional options.
To use these features, do the following updates in <configroot>/est.properties:
Add the new parameter and description to the simplereenroll handler, default handler 2:
Example: est.properties# Controls if the client TLS certificate must match the latest issued certificate # for the requested subject. Set to false as default. # handler.2.allowRenewalWithOldCertificates = false
Only relevant if upgrading from 8.4.0. Not needed if you update from 8.4.1 or later.
The ACME configuration has been extended with additional options.
To use these features, do the following updates in <configroot>/acme.properties:
Add the new parameter description to the end of the Parameters section:
Example: acme.properties# addAccountContactEmail - If true, adds the contact email address from the # requesting account to the Rfc822 name field to the SAN extension in the # certificate request.
Append the following to the list of default values in the Parameters section:
Example: acme.properties#default.addAccountContactEmail = false
Only relevant if upgrading from 8.4.0. Not needed if you update from 8.4.1 or later.
The WinEP configuration has been extended with additional options.
To use these features, do the following updates in <configroot>/winep.properties:
Add the following new parameter descriptions to the Define handlers section:
Example: winep.properties# enrollmentAgent.certs.x - a list of file paths of the X.509 Enrollment Agent certificates. # enrollmentAgent.allowedGroups - optional, a comma separated list of AD groups # that this enrollment agent is able to issue certificates for. If the EOBO # target user is in any of the defined groups then the request will pass. # If not set then all groups are allowed. # Group names are case insensitive. # enrollmentAgent.blockedGroups - optional, a comma separated list of AD groups # that this enrollment agent is blocked from issuing certificates for. If the # EOBO target user is in any of the defined groups then the request will be denied. # If not set then no groups are blocked. # Group names are case insensitive. # Blocked groups have a higher precedence than allowed groups. That is, if a user # belongs to both an allowed and a blocked group, issuing of certificates will be # blocked for that user.
Upgrade from 8.4.0
Do the following updates in <configroot>/api.properties:
Update the V2x Endpoints to reflect the following:
Example: api.properties# V2x Endpoints # /registrations/v2x/{vin} handler.80.filter = registrations/v2x/[a-z0-9A-Z\- ]+ handler.80.deleteformat = api/v2x-vin-delete handler.80.requiredroroles = dataretention.manage
Upgrade from 8.4.x (later than 8.4.0)
Do the following updates in <configroot>/api.properties:
Add the certificates Endpoint to reflect the following:
Example: api.properties# List of issuer certificates handler.1.filter = certificates/issuers handler.1.format = api/issuers-list
Only relevant if upgrading from 8.4.0. Not needed if you update from 8.4.1 or later.
If the file itss.properties is unmodified, then remove the file and it will reappear when restarting PGW.
- If it has been modified, then do the following updates in <configroot>/itss.properties:
Remove the following endpoint handler configuration:
Example: itss.propertieshandler.2.filter = auth-pop handler.2.tokenprocedure = Token Procedure Name - must be configured
It is now possible in Protocol Gateway to specify CM Host in the protocol handler level. Also added is SNI support, which allows obtaining the correct server certificate by the CM SDK client during TLS handshake.
To use these features, do the following updates in <configroot>/cm-gateway.properties:
Replace the description of CM HOST with the following:
Example: cm-gateway.properties# CM Host # # Note: a CM Host can, if necessary, also be specified in the properties # file for a protocol service, with the same parameter as below. # # CM-Host must be set to the network id of the machine that hosts the CF that # should be used by the Protocol Gateway services.
Add the following lines after TLS parameters section:
Example 2: cm-gateway.properties# ssl.servernameindication - Holds the SNI (server name indication) host name # of CM to be sent in the TLS client hello packet to indicate the name of the # CM server to communicate with. This is useful for cases where CM is behind a # proxy or load balancer, and the proxy having a different host # name hosting a different server certificate by default. # Leave commented to disable SNI. #ssl.servernameindication = localhost
The SCEP configuration has been extended with additional options.
To use these features, do the following updates in <configroot>/scep.properties:
Add the following new parameter description at the end of the SCEP INTUNE section:
Example: scep.properties# # issuerName - optional, specifies the ca configuration name of the issuing CA, # used to filter requests when polling for revoked certificates. # # issuerFilter - optional, specifies the distinguished name of the issuing CA, # used to filter revocations to process after polling and fetching the revoked certificates. # # revocationTaskPeriod - optional, the duration between polling attempts towards # Intune to fetch revocation data, specified in # ISO 8601 format. # Default: PT10M # # revocationRequestSize - optional, the batch size of fetched revocation # data, must be set between 1 and 500. # Default: 100 # # revocationReason - optional, the revocation reason to apply to revocation # requests received from Intune. # Possible values are: # Key compromised: 1 # Affiliation Changed: 3 # Superseded: 4 # Cessation of Operation: 5 # Privilege Withdrawn: 9 # Default: 4 # intuneProxyHost - optional, if the server hosting PGW does not have the # internet access required to successfully verify incoming # requests against intune, you can instead configure a proxy # to direct the intune requests through. # # intuneProxyPort - optional, intune proxy port. Must be set if # 'intuneProxyHost' is set. # # intuneProxyUser - optional, intune proxy user # # intuneProxyPass - optional, intune proxy password. Must be set if # 'intuneProxyUser' is set.
The REST API has been extended.
To use the latest endpoint, do the following updates in <configroot>/api.properties:
Add the following lines under Certificate endpoints:
Example: api.properties# Process PKCS10 request -> Attribute Certificate handler.34.filter = certificates/[a-z0-9A-Z]+/pkcs10-to-attr-cert handler.34.format = api/certificates-pkcs10-to-attr-certificate handler.34.tokenprocedure = Token Procedure Name - must be configured
The SCEP configuration has been extended with additional options.
To use these features, do the following updates in <configroot>/scep.properties:
Replace the following parameter description in the SCEP INTUNE section:
Replace this in scep.properties# issuerName - optional, specifies the distinguished name of the issuing CA, # used to filter requests when polling for revoked certificates.
with this:
Replace the previous with this:# issuerName - optional, specifies the ca configuration name of the issuing CA, # used to filter requests when polling for revoked certificates.
Add the following new parameter description after the
issuerNameparameter description in the
SCEP INTUNE section:Add this in scep.properties# issuerFilter - optional, specifies the distinguished name of the issuing CA, # used to filter revocations to process after polling and fetching the revoked # certificates.
The C2X configuration has been extended with additional options.
The cache related settings in c2x.properties have changed.
- If the file is unmodified, remove this file and it will be recreated with new defaults when restarting PGW.
- If it has been modified, then do the following changes:
Replace this:
Replace this:default.ectlCilProcedure = <your ECTL CIL procedure > default.ectlCache = PT10M
with this:
Replace the previous with this:# The Composite CTL and ECTL procedures are used in initialization # and must be specified as default values. default.cctlCilProcedure = <your CCTL CIL procedure> default.ectlCilProcedure = <your ECTL CIL procedure> # default.ectlFile = default.cache = PT10M
Replace this:
Replace this:handler.1.filter = truststore/v1/? handler.1.format = c2x_initialization handler.1.stsfCilProcedure = <your TSF CIL procedure> handler.1.stfsCache = <your cache timeout>
with this:
Replace the previous with this:handler.1.filter = truststore/v1/? handler.1.format = c2x_initialization handler.1.cilProcedure = <your TSF CIL procedure>
- Remember to also update the configuration values after these steps are performed.
4. Replace .war file
Replace the Protocol Gateway .war file:
- Replace pgwy.war in the webapps folder with the new version.
5. Restart the Tomcat service
- No labels