Upgrade Protocol Gateway

The numbering of the handlers has been changed in the file <configroot>/api.properties:

1. If the file is unmodified, remove this file and it will be recreated with new defaults when restarting Protocol Gateway.

2. If the file has been modified, then do the following:

   1. Open the file <configroot>/api.properties for editing. 

   2. Change the numbers on all configured handlers and their related configuration so that the number corresponds to the following numbering scheme:

      Example: api.properties

      CODE

      handler.0.filter = certificates
      handler.10.filter = certificates/revoke
      handler.11.filter = certificates/reinstate
      handler.20.filter = certificates/[a-z0-9A-Z]+/details
      handler.21.filter = certificates/[a-z0-9A-Z]+/download
      handler.30.filter = certificates/pkcs10
      handler.50.filter = procedures
      

   3. Add the following lines at an appropriate place in the file:

      Example: api.properties

      CODE

      # Process PKCS10 request -> PKCS12 response
      handler.31.filter = certificates/pkcs10-to-pkcs12
      handler.31.format = api/certificates-pkcs10-to-pkcs12
      handler.31.tokenprocedure = Token Procedure Name - must be configured

   4. Save the file.

The settings in c2x.properties have changed:

• If this file exists in your environment, remove it. A new version with default values will appear when restarting Protocol Gateway.

Protocol Gateway has gained the ability to send metrics to InfluxDB.

To use this feature, do the following:

1. Open the file <configroot>/cm-gateway.properties for editing. 

2. Add the following lines after the setting for cmhost:

   Example: cm-gateway.properties

   CODE

   # CM-Connections is the maximum amount of concurrent officer connections to CF
   # to allocate to the officer pool.
   cmconnections = 20

3. Add the following lines at the end of the file:

   Example: cm-gateway.properties

   CODE

   #= Metrics reporter
   #
   # metrics.influxdb.url - If non-empty, PGW will report metrics to an
   # InfluxDB database at this URL.
   #
   #metrics.influxdb.url = http://localhost:8086
   # metrics.influxdb.user - The user name to be used when reporting metrics
   # to InfluxDB.
   #
   #metrics.influxdb.user =
   # metrics.influxdb.password - The password to be used when reporting
   # metrics to InfluxDB.
   #
   #metrics.influxdb.password =
   # metrics.influxdb.dbname - The InfluxDB database name where metrics will
   # be stored. The database must already exist in InfluxDB. Defaults to
   # "cm_metrics" if not specified.
   #
   #metrics.influxdb.dbname = cm_metrics
   # metrics.influxdb.interval - How often metrics should be sent to
   # InfluxDB (in seconds). Defaults to 30s if not specified.
   #
   #metrics.influxdb.interval = 30

4. Save the file. 

The REST API configuration has been extended with additional endpoints.

To use these features, do the following:

1. Open the file <configroot>/api.properties for editing. 

2. Add the following lines at the end of the file:

   Example: api.properties

   CODE

   # Registration Endpoints
   # HTTP GET: search
   # HTTP POST: create
   # HTTP PUT: edit
   # registrations/{procid}
   handler.60.filter = registrations/[a-z0-9A-Z\- ]+
   handler.60.format = api/registrations-list
   handler.60.getformat = api/registrations-list
   handler.60.postformat = api/registrations-create
   handler.60.putformat = api/registrations-update
   # registrations/{procid}/{protocol}
   handler.61.filter = registrations/[a-z0-9A-Z\- ]+/(?i)(est|acme|cmp|scep)
   handler.61.format = api/registrations-list-protocol
   handler.61.getformat = api/registrations-list-protocol
   handler.61.postformat = api/registrations-create-protocol
   handler.61.putformat = api/registrations-update-protocol
   # registrations/certificate/{certid}
   handler.62.filter = registrations/certificate/[0-9]+
   handler.62.format = api/registrations-get-certid
   ################
   # ACME Endpoints
   # registrations/{procid}/acme/accounts
   handler.70.filter = registrations/[a-z0-9A-Z\- ]+/acme/accounts
   handler.70.format = api/registrations-list-acme-accounts

3. Save the file.

The EST configuration has been extended with additional options.

To use these features, do the following:

1. Open the file <configroot>/est.properties for editing. 

2. Replace the description of the parameters to the following:

   Example: est.properties

   CODE

   #- Parameters
   #
   # filter - contains a filter for the handler part of the URL
   # specified as a regular expression. NOTE: If using the CoAP proxy,
   # regular expressions in the filters are not supported.
   #
   # format - contains the name of a format definition file. For regular
   # EST the format definition files with the prefix 'est-' should be used. For
   # EST over CoAPs the files with the prefix 'estcoaps-' should be used instead.
   #
   # tokenprocedure - contains the description or id of a token procedure
   # in the CM server.
   #
   # ra.keyfile - is the token to sign the fullcmc responses.
   # Not required if fullcmc is disabled.
   #
   # ra.password - is the password to the keyfile. It is recommended to
   # obfuscate sensitive data with .encrypted.
   #
   # requiredRoRoles - optional, contains a space or comma separated list
   # of required Registration Officer roles. This requires client
   # authentication to be enabled in Tomcat, and verifies that the
   # client certificate is an officer. If the role "none" is entered,
   # the client certificate must be issued by CM but does not need to
   # be an officer. "/cacerts" must not be protected behind client
   # authentication, and therefore no default role should be set.
   #
   # authtype - optional, enables HTTP Basic/Digest authentication by
   # specificing the desired authentication type. May only be set
   # for filters simpleenroll and simplereenroll.
   # Example:
   # handler.<n>.authtype = Basic
   # handler.<n>.authtype = Digest
   #
   # realm - required if authtype is set, may be empty. Determines which
   # realm the login should occur on. Can only be set for filters
   # simpleenroll and simplereenroll.
   #
   # qop - optional, determines the quality of protection used with
   # Digest authentication. Valid value is 'auth'. If not specified
   # then no Quality of Protection will be required.

3. Save the file.

The REST API configuration has been extended with additional endpoints.

To use these features, do the following:

1. Open the file <configroot>/api.properties for editing. 

2. Add the following lines below the certificate endpoints:

   Example: api.properties

   CODE

   # Process PKCS10 request -> PKCS7 (secure key injection package) response
   handler.32.filter = certificates/skip
   handler.32.format = api/certificates-skip
   handler.32.tokenprocedure = Token Procedure Name - must be configured
   
   # Process X509 certificate import
   handler.33.filter = certificates/import-pki-x509
   handler.33.format = api/certificates-import-pki-x509
   handler.33.importlimit = 100
   handler.33.tokenprocedure = Token Procedure Name - must be configured

3. Save the file.

The SCEP implementation has been updated in the following ways:

• Support for a CA Certificate Only Response has been added, according to https://tools.ietf.org/html/draft-nourse-scep-23#section-5.2.1.1.1 .

• Support for dynamic challenge passwords has been added, complying to Microsoft's Network Device Enrollment Service (NDES) implementation. 

To use these features, do the following:

1. If the file <configroot>/scep.properties is unmodified, remove this file and it will be recreated with new defaults when restarting Protocol Gateway.

2. If the file has been modified, then do the following: 

   1. Open the file <configroot>/scep.properties for editing. 

   2. Add the following lines below default.racachainlength = 0:

      Example: scep.properties

      CODE

      # Changes the response format for the GetCACert call to return the RA
      # certificate in binary format if set to true.
      # Only works if racachainlength is set to 1.
      default.responseasbinary = false

   3. Add the following lines below default.ra.signature.keyusage = digitalsignature:

      Example: scep.properties

      CODE

      # SCEP INTUNE
      #
      # SCEP Intune allows for integration with Azure AD to automatically
      # enroll and manage iOS, Android, Windows and Mac devices.
      #
      # tenant - is the Tenant which is the fully qualified domain name (FQDN)
      # of the organization configured in Intune.
      #
      # azure_app_id - specifies the azure application id of the app
      # registration.
      #
      # azure_app_key - specifies the client secret of the app registration.
      #
      # certificateAuthority - specifies the name of the CA performing the
      # requests to Intune.

   4. Append the following lines at the end of the file:

      Example: scep.properties

      CODE

      # http://<pgwy-host>:<port>/pgwy/scep/ndeschallenge/
      #
      # Handler for SCEP dynamic challenge endpoint (NDES compliant)
      #
      handler.3.filter = ndeschallenge/
      handler.3.format = scep-ndes
      handler.3.ndesUsername = ndesadmin
      handler.3.ndesPassword = ndespassword
      handler.3.ndesChallengeValidity = PT15M
      # http://<pgwy-host>:<port>/pgwy/scep/ndesrequest
      #
      # Handler for SCEP request using dynamic challenge password
      (NDES compliant)
      #
      handler.4.filter = ndesrequest
      handler.4.format = scep
      handler.4.tokenprocedure = SCEP Registration and Enroll Procedure
      with NDES Challenge
      
      # http://<pgwy-host>:<port>/pgwy/scep/intune/pkiclient.exe
      #
      # Handler for requests that should be validated against a Microsoft
      # Intune server.
      handler.5.filter = intune/pkiclient.exe
      handler.5.format = scep-intune
      handler.5.tenant = tenant
      handler.5.azure_app_id = app-id
      handler.5.azure_app_key = app-key
      handler.5.certificateAuthority = CA

   5. Save the file.

Support for CMC revoke request has been added.

To use this feature, do the following:

1. If the file <configroot>/cmc.properties is unmodified, remove this file and it will be recreated with new defaults when restarting Protocol Gateway.

2. If the file has been modified, then do the following:

   1. Open the file <configroot>/cmc.properties for editing.

   2. Add the following lines below default.tokenprocedure = TLS Web Server Token:

      Example: cmc.properties

      CODE

      # ra.keyfile - is the token to sign the fullcmc responses,
      required for CMC Revoke.
      # Not required if CMC Revoke handler is disabled.
      # ra.password - is the password to the keyfile. It is recommended to
      # obfuscate sensitive data with .encrypted.

   3. Append the following lines at the end of the file:

      Example: cmc.properties

      CODE

      handler.2.filter = revoke
      handler.2.filterContentType = application/pkcs7-mime;\h*smime-type\h*=
      \h*CMC-request
      handler.2.format = cmc-revoke
      # fullcmc responses (required as response to Revocation request) require
      an RA token to be signed with
      handler.2.ra.keyfile = protocol-gateway-ra.p12
      handler.2.ra.password = abcd1234

   4. Save the file.

Support for configuring connection properties to the authorization server has been added.

To use this feature, do the following:

1. If the file <configroot>/c2x.properties is unmodified, remove this file and it will be recreated with new defaults when restarting Protocol Gateway.

2. If it has been modified, then do the following:

   1. Open the file <configroot>/c2x.properties for editing.

   2. Replace the line #default.authorizationUrl = <authorization-server-url> with the following lines:

      c2x.properties

      CODE

      # Parameters for the AccessTokenVerifier modifier.
      #
      # default.authorizationUrl = <authorization-server-url>
      # default.authKeyCacheLifeSpan = P365D
      # default.authKeyCacheRefreshTime = P1D
      #
      # Timeout values in ms.
      # default.authKeyConnectTimeout = 1000
      # default.authKeyReadTimeout = 1000

   3. Save the file.

The EST configuration has been extended with additional options.

To use these features, do the following updates in <configroot>/est.properties:

• Add the new parameter and description to the simplereenroll handler, default handler 2:

  Example: est.properties

  CODE

  # Controls if the client TLS certificate must match the latest issued certificate
  # for the requested subject. Set to false as default.
  # handler.2.allowRenewalWithOldCertificates = false

This is only relevant if you are upgrading from 8.4.0. This is not needed if you update from 8.4.1 or later. 

The ACME configuration has been extended with additional options.

To use these features, do the following updates in <configroot>/acme.properties:

1. Add the new parameter description to the end of the Parameters section:

   Example: acme.properties

   CODE

   # addAccountContactEmail - If true, adds the contact email address from the
   # requesting account to the Rfc822 name field to the SAN extension in the
   # certificate request.

2. Append the following to the list of default values in the Parameters section:

   Example: acme.properties

   CODE

   #default.addAccountContactEmail = false

This is only relevant if you are upgrading from 8.4.0. This is not needed if you update from 8.4.1 or later. 

The WinEP configuration has been extended with additional options.

To use these features, do the following updates in <configroot>/winep.properties:

• Add the following new parameter descriptions to the Define handlers section: 

  Example: winep.properties

  CODE

  # enrollmentAgent.certs.x - a list of file paths of the X.509 Enrollment Agent certificates.
  
  # enrollmentAgent.allowedGroups - optional, a comma separated list of AD groups
  # that this enrollment agent is able to issue certificates for. If the EOBO
  # target user is in any of the defined groups then the request will pass.
  # If not set then all groups are allowed.
  # Group names are case insensitive.
  
  # enrollmentAgent.blockedGroups - optional, a comma separated list of AD groups
  # that this enrollment agent is blocked from issuing certificates for. If the
  # EOBO target user is in any of the defined groups then the request will be denied.
  # If not set then no groups are blocked.
  # Group names are case insensitive.
  # Blocked groups have a higher precedence than allowed groups. That is, if a user
  # belongs to both an allowed and a blocked group, issuing of certificates will be
  # blocked for that user.

Upgrade from 8.4.0

Do the following updates in <configroot>/api.properties:

• Update the V2x Endpoints to reflect the following:

  Example: api.properties

  CODE

  # V2x Endpoints
  # /registrations/v2x/{vin}
  handler.80.filter = registrations/v2x/[a-z0-9A-Z\- ]+
  handler.80.deleteformat = api/v2x-vin-delete
  handler.80.requiredroroles = dataretention.manage

Upgrade from 8.4.x (later than 8.4.0)

Do the following updates in <configroot>/api.properties:

• Add the certificates Endpoint to reflect the following: 

  Example: api.properties

  CODE

  # List of issuer certificates
   handler.1.filter = certificates/issuers
   handler.1.format = api/issuers-list

This is only relevant if you are upgrading from 8.4.0. This is not needed if you update from 8.4.1 or later. 

If the file itss.properties is unmodified, then remove the file and it will reappear when restarting PGW.

If it has been modified, then do the following updates in <configroot>/itss.properties:

Remove the following endpoint handler configuration:

Example: itss.properties

handler.2.filter = auth-pop
handler.2.tokenprocedure = Token Procedure Name - must be configured

It is now possible in Protocol Gateway to specify CM Host in the protocol handler level. Also added is SNI support, which allows obtaining the correct server certificate by the CM SDK client during TLS handshake.

To use these features, do the following updates in <configroot>/cm-gateway.properties:

1. Replace the description of CM HOST with the following: 

   Example: cm-gateway.properties

   CODE

    # CM Host
    #
    # Note: a CM Host can, if necessary, also be specified in the properties
    # file for a protocol service, with the same parameter as below.
    #
    # CM-Host must be set to the network id of the machine that hosts the CF that
    # should be used by the Protocol Gateway services. 

2. Add the following lines after TLS parameters section:

   Example 2: cm-gateway.properties

   CODE

    # ssl.servernameindication - Holds the SNI (server name indication) host name
    # of CM to be sent in the TLS client hello packet to indicate the name of the
    # CM server to communicate with. This is useful for cases where CM is behind a
    # proxy or load balancer, and the proxy having a different host
    # name hosting a different server certificate by default.
    # Leave commented to disable SNI.
    #ssl.servernameindication = localhost

The SCEP configuration has been extended with additional options.

To use these features, do the following updates in <configroot>/scep.properties:

• Add the following new parameter description at the end of the SCEP INTUNE section: 

  Example: scep.properties

  CODE

   #
   # issuerName - optional, specifies the ca configuration name of the issuing CA,
   #              used to filter requests when polling for revoked certificates.
   #
   # issuerFilter - optional, specifies the distinguished name of the issuing CA,
   # 				used to filter revocations to process after polling and fetching 	
  				the revoked certificates.
   #
   # revocationTaskPeriod - optional, the duration between polling attempts towards
   #                        Intune to fetch revocation data, specified in
   #                        ISO 8601 format.
   #                        Default: PT10M
   #
   # revocationRequestSize - optional, the batch size of fetched revocation
   #                         data, must be set between 1 and 500.
   #                         Default: 100
   #
   # revocationReason - optional, the revocation reason to apply to revocation
   #                    requests received from Intune.
   #                    Possible values are:
   #                    Key compromised: 1
   #                    Affiliation Changed: 3
   #                    Superseded: 4
   #                    Cessation of Operation: 5
   #                    Privilege Withdrawn: 9
   #                    Default: 4
   # intuneProxyHost - optional, if the server hosting PGW does not have the
   #                   internet access required to successfully verify incoming
   #                   requests against intune, you can instead configure a proxy
   #                   to direct the intune requests through.
   #
   # intuneProxyPort - optional, intune proxy port. Must be set if
   #                   'intuneProxyHost' is set.
   #
   # intuneProxyUser - optional, intune proxy user
   #
   # intuneProxyPass - optional, intune proxy password. Must be set if
   #                   'intuneProxyUser' is set.

The REST API has been extended.

To use the latest endpoint, do the following updates in <configroot>/api.properties:

• Add the following lines under Certificate endpoints: 

  Example: api.properties

  CODE

  # Process PKCS10 request -> Attribute Certificate
   handler.34.filter = certificates/[a-z0-9A-Z]+/pkcs10-to-attr-cert
   handler.34.format = api/certificates-pkcs10-to-attr-certificate
   handler.34.tokenprocedure = Token Procedure Name - must be configured

The SCEP configuration has been extended with additional options.

To use these features, do the following updates in <configroot>/scep.properties:

1. Replace the following parameter description in the SCEP INTUNE section: 

   Replace this in scep.properties

   CODE

   # issuerName - optional, specifies the distinguished name of the issuing CA,
   # used to filter requests when polling for revoked certificates.

   with this:

   Replace the previous with this:

   CODE

   # issuerName - optional, specifies the ca configuration name of the issuing CA,
   # used to filter requests when polling for revoked certificates.

2. Add the following new parameter description after the issuerName parameter description in the
   SCEP INTUNE section:

   Add this in scep.properties

   CODE

   # issuerFilter - optional, specifies the distinguished name of the issuing CA,
   # used to filter revocations to process after polling and fetching the revoked 
   # certificates.

The C2X configuration has been extended with additional options.

The cache related settings in c2x.properties have changed.

• If the file is unmodified, remove this file and it will be recreated with new defaults when restarting PGW.

• If it has been modified, then do the following changes:

1. Replace this: 

   Replace this:

   CODE

   default.ectlCilProcedure = <your ECTL CIL procedure >
   default.ectlCache = PT10M

   with this:

   Replace the previous with this:

   CODE

   # The Composite CTL and ECTL procedures are used in initialization
   # and must be specified as default values.
   default.cctlCilProcedure = <your CCTL CIL procedure>
   default.ectlCilProcedure = <your ECTL CIL procedure>
   # default.ectlFile =
   default.cache = PT10M

2. Replace this:

   Replace this:

   CODE

   handler.1.filter = truststore/v1/?
   handler.1.format = c2x_initialization
   handler.1.stsfCilProcedure = <your TSF CIL procedure>
   handler.1.stfsCache = <your cache timeout>

   with this:

   Replace the previous with this:

   CODE

   handler.1.filter = truststore/v1/?
   handler.1.format = c2x_initialization
   handler.1.cilProcedure = <your TSF CIL procedure>

3. Remember to also update the configuration values after these steps are performed.

The following two new parameters must be added to winep.properties after default.requiredRoRoles = cert.issue :

Example: winep.properties

# - allowNullPkcs10Signature, controls whether Null Signature (MS-WCCE v20211006)
# is allowed on the PKCS10 in the received requests. Default: true
# default.allowNullPkcs10Signature = true

# - allowNoSignature, controls whether No-Signature Signature is allowed on the
# received requests. Default: true
# default.allowNoSignature = true

The CM-Gateway configuration has been extended with additional options. To ease use of the latest features, the following steps should be taken on the file <configroot>/cmgateway. properties:

• Add the following new parameters after the cmconnections parameter in the CM Host section:

# cmclientretries - How many times sending a request should be retried
# if the connection to CM is unexpectedly closed. Default value is 0.
#cmclientretries = 0
# cmnopinterval - The number of seconds between each no-operation request to
# the server. This counter is unique for each connection and will only trigger
# if the connection has been idle for longer than the given interval.
# cmnopinterval = 60

A new configuration parameter for Access Token Scope Whitelisting and new V2X V2 endpoints have been added to c2x.properties. If the file is unmodified, remove this file and it will be recreated with new defaults when restarting PGW. If it has been modified, then perform the following changes:

• Add the following new parameters after the default.authKeyReadTimeout parameter in the default parameters section:

# Access Token Scope Whitelist.
# If this parameter is not used all scopes will be accepted.
# Each scope should be separated by a comma sign, like the example below:
# default.whitelistedScopes = scope_1, scope_2
# default.whitelistedScopes =

• Add the following new parameters to the end of the file:

handler.10.filter = truststore/v2/?
handler.10.format = c2x_initialization_v2
handler.10.cilProcedure = V2X VW initialization message
handler.10.tokenprocedure = V2X ECA Enroll enabling registration
handler.11.filter = enrollment/v2/?
handler.11.format = c2x_enrollment_v2
handler.11.tokenprocedure = V2X Enrollment Token V2
handler.12.filter = pseudonym-certificate-batch/v2/?
handler.12.format = c2x_registration_v2
handler.12.tokenprocedure = V2X Registration Request Token V2
# "Registration" endpoint can be configured to save all registration requests
# to a local directory, for debugging purposes. This directory is relative to
# <cm-gateway>. If left empty, the registrations will not be debug dumped.
#handler.12.relativePathToRequestsFolder = c2xRegistrationsv2
handler.13.filter = pseudonym-certificate-batch/v2/(.+)
handler.13.format = c2x_download_v2
# "Download" endpoint requires that the cert zips are pre-produced, and
# available in a local directory or in S3 object storage.
# This directory is relative to <cm-gateway>.
handler.13.relativePathToFilesFolder = c2xCerts
handler.14.filter = crl/v2/?
handler.14.format = c2x_crl_download_v2
handler.14.crlProcedure = V2X VW composite CRL
handler.15.filter = ctl/v2/?
handler.15.format = c2x_ctl_download_v2

• Remove the parameter below from all handlers:

crlCache

The following two new parameters need to be added to winep.properties after default.requiredRoRoles = cert.issue :

# - allowNullPkcs10Signature, controls whether Null Signature (MS-WCCE v20211006)
# is allowed on the PKCS10 in the received requests. Default: true
# default.allowNullPkcs10Signature = true

# - allowNoSignature, controls whether No-Signature Signature is allowed on the
# received requests. Default: true
# default.allowNoSignature = true

With the release of version 8.9.0 of Protocol Gateway the version of Apache Tomcat must be upgraded to Tomcat 10.1. To upgrade from a previous version of Tomcat, first close any running instances of Tomcat and then install Tomcat 10.1.

For more information, see Install Protocol Gateway. 

Make sure 64-bit Java SE 17 is installed and used by Tomcat.

The REST API has been extended. To use the latest endpoint, the following steps should be taken on the file <configroot>/api.properties:

Add the following lines under the Certificate endpoints to enable the procedure details endpoint:

handler.51.filter = procedures/[a-z0-9A-Z\- ]+/details
handler.51.format = api/procedures-details

Add the following lines under the Certificate endpoints to enable downloading multiple certificates in a zip file:

handler.22.filter = certificates/download
handler.22.format = api/certificates-downloads

Add the following lines under the Certificate endpoints to enable the statistics endpoints:

################
# Statistics Endpoints
# /statistics/{StatisticsType}
handler.90.filter = statistics/[a-z0-9A-Z\- ]+
handler.90.format = api/statistics

To prevent unnecessary logging in PGW when running the CM Web UI and Auth servlet the following steps should be taken on the file <configroot>/logging.properties:

Add the following line under org.apache.tomcat.util.net.level:

com.id2tech.net.jsse.level = INFO

Add the following lines under com.nexussafe.cm.pgwy.scep.subject = cn to set the logging level for hazelcast:

# hazelcast logger
com.hazelcast.level = WARNING
com.hazelcast.cp.level = SEVERE

The SCEP configuration has been extended with an additional option. To ease use of the latest features the following steps should be taken on the file <configroot>/scep.properties:

Add the following new parameter after the handler.3.ndesChallengeValidity parameter:

handler.3.ndesChallengeEncoding = UTF-8

The CMP configuration has been extended with additional options. To ease use of the latest features, the following steps should be taken on the file <configroot>/cmp.properties:

Add the following parameter descriptions before the # Define handlers section:

# CMP MODE
#
# CMP is allowed to be in client or RA mode. Client mode requires that all
# incoming requests contain a valid Proof-Of-Possession signature. RA mode
# allows for the raVerified Proof-Of-Possession, where a RA has signed the
# request on behalf of an end-entity.
#
# mode - specifies the mode to run in. Default mode is client. Possible values
# are client, ra, and ra-strict. ra mode allows both client and ra
# requests. ra-strict enforces raVerified Proof-Of-Possession.
#
# CMP RA Mode
#
# When a handler is in RA mode it requires some additional parameters. See
# handler.4.* for example configuration. Using officer validation is the
# recommended way to validate the RA. Either certificate pinning or officer
# validation is required. Both is also possible but not necessary.
#

# ramode.certs.x - a list of file paths of the X.509 RA certificates to validate
# the PKIMessage against. Paths are relative to the location of this file.
#
# ramode.officervalidation - specifies a requirement that the RA signer
# should be forwarded to CF for officer validation. Default: true
#

Add the following example handler after #handler.3.:

# RA mode
#
# handler.4.filter = ra
# handler.4.mode = ra-strict
# handler.4.ramode.certs.1 = cmp-ra-signer-one.cer
# handler.4.ramode.certs.2 = cmp-ra-signer-two.cer
# handler.4.ramode.officervalidation = true

The SCEP configuration has been extended with an additional option. To ease use of the latest features the following steps should be taken on the file <configroot>/scep.properties:

Add the following new parameter description to the end of the SCEP INTUNE section:

# intuneResourceUrl - optional, intune resource url. Must have trailing slash.
# Do not modify unless required.
# Default: https://api.manage.microsoft.com/
#
# intuneGraphUrl - optional, intune graph resource url. Must have trailing slash.
# Do not modify unless required.
# Default: https://graph.windows.net/
#
# intuneMsGraphUrl - optional, intune ms graph resource url. Must have trailing
# slash. Do not modify unless required.
# Default: https://graph.microsoft.com/
#
# intuneAuthUrl - optional, intune auth authority url. Must have trailing slash.
# Do not modify unless required.
# Default: https://login.microsoftonline.com/

To ease log level configuration for REST API servlet and Auth servlet in PGW the following steps should be taken on the file <configroot>/logging.properties:

Add the following lines under section # per protocol level:

com.nexussafe.cm.pgwy.auth.level = FINE
com.nexussafe.cm.pgwy.api.level = FINE

The REST API has been extended. To be able to use the latest endpoints, the following steps should be taken on the file <configroot>/api.properties:

Add the following lines under the /registrations/v2x/{vin} to enable the new v2x endpoints:

handler.81.filter = registrations/v2x/delete
handler.81.postformat = api/v2x-vin-delete-post
handler.81.requiredroroles = dataretention.manage
handler.82.filter = registrations/v2x/reset
handler.82.postformat = api/v2x-vin-reset
handler.82.requiredroroles = dataretention.manage

Add the following lines under handler 34 to enable the new signature endpoint:

handler.40.filter = signatures/[a-z0-9A-Z\- ]+
handler.40.format = api/generate-signature

The new signature endpoint requires the following officer role: Signing Authority Requests

Add the following lines under handler 90 to enable the new officers endpoint:

handler.100.filter = officers
handler.100.format = api/officers-details

Replace the Protocol Gateway .war file: 

• Replace pgwy.war in the webapps folder with the new version.