Skip to main content
Skip table of contents

Upgrade Protocol Gateway

This article describes how to upgrade Protocol Gateway.

Prerequisites

The following prerequisites apply: 

Step-by-step instruction

1. Stop the Tomcat service

2. Back up Protocol Gateway folder

Back up files

Back up the Protocol Gateway folder: 

  1. Navigate to the Tomcat /webapps folder.
  2. Make a backup of the existing /pgwy folder for reference and delete the original.

3. Upgrade from a specific version

Sequential upgrade process

To upgrade from older versions to newer versions, you must upgrade each version step-by-step. 

Example: Starting from 8.5.0, you must upgrade to 8.6.x and thereafter to 8.7.1.  

The following configurations are done in configuration files in <configroot>

About <configroot>

<configroot> corresponds to the following paths: 

Windows <configroot>

CODE
%ALLUSERSPROFILE%/Nexus/cm-gateway/

Linux <configroot>

CODE
/var/cm-gateway/

From 7.18 to 8.0

Configure REST API

The numbering of the handlers has been changed in the file <configroot>/api.properties:

  1. If the file is unmodified, remove this file and it will be recreated with new defaults when restarting Protocol Gateway.
  2. If the file has been modified, then do the following:
    1. Open the file <configroot>/api.properties for editing. 
    2. Change the numbers on all configured handlers and their related configuration so that the number corresponds to the following numbering scheme:

      Example: api.properties

      CODE
      handler.0.filter = certificates
      handler.10.filter = certificates/revoke
      handler.11.filter = certificates/reinstate
      handler.20.filter = certificates/[a-z0-9A-Z]+/details
      handler.21.filter = certificates/[a-z0-9A-Z]+/download
      handler.30.filter = certificates/pkcs10
      handler.50.filter = procedures
      
    3. Add the following lines at an appropriate place in the file:

      Example: api.properties

      CODE
      # Process PKCS10 request -> PKCS12 response
      handler.31.filter = certificates/pkcs10-to-pkcs12
      handler.31.format = api/certificates-pkcs10-to-pkcs12
      handler.31.tokenprocedure = Token Procedure Name - must be configured
    4. Save the file.

Configure V2X API

The settings in c2x.properties have changed:

  • If this file exists in your environment, remove it. A new version with default values will appear when restarting Protocol Gateway.

From 8.0 to 8.1

Configure Protocol Gateway properties

Protocol Gateway has gained the ability to send metrics to InfluxDB.

To use this feature, do the following:

  1. Open the file <configroot>/cm-gateway.properties for editing. 
  2. Add the following lines after the setting for cmhost:

    Example: cm-gateway.properties

    CODE
    # CM-Connections is the maximum amount of concurrent officer connections to CF
    # to allocate to the officer pool.
    cmconnections = 20
  3. Add the following lines at the end of the file:

    Example: cm-gateway.properties

    CODE
    #= Metrics reporter
    #
    # metrics.influxdb.url - If non-empty, PGW will report metrics to an
    # InfluxDB database at this URL.
    #
    #metrics.influxdb.url = http://localhost:8086
    # metrics.influxdb.user - The user name to be used when reporting metrics
    # to InfluxDB.
    #
    #metrics.influxdb.user =
    # metrics.influxdb.password - The password to be used when reporting
    # metrics to InfluxDB.
    #
    #metrics.influxdb.password =
    # metrics.influxdb.dbname - The InfluxDB database name where metrics will
    # be stored. The database must already exist in InfluxDB. Defaults to
    # "cm_metrics" if not specified.
    #
    #metrics.influxdb.dbname = cm_metrics
    # metrics.influxdb.interval - How often metrics should be sent to
    # InfluxDB (in seconds). Defaults to 30s if not specified.
    #
    #metrics.influxdb.interval = 30
  4. Save the file. 
Configure REST API

The REST API configuration has been extended with additional endpoints.

To use these features, do the following:

  1. Open the file <configroot>/api.properties for editing. 
  2. Add the following lines at the end of the file:

    Example: api.properties

    CODE
    # Registration Endpoints
    # HTTP GET: search
    # HTTP POST: create
    # HTTP PUT: edit
    # registrations/{procid}
    handler.60.filter = registrations/[a-z0-9A-Z\- ]+
    handler.60.format = api/registrations-list
    handler.60.getformat = api/registrations-list
    handler.60.postformat = api/registrations-create
    handler.60.putformat = api/registrations-update
    # registrations/{procid}/{protocol}
    handler.61.filter = registrations/[a-z0-9A-Z\- ]+/(?i)(est|acme|cmp|scep)
    handler.61.format = api/registrations-list-protocol
    handler.61.getformat = api/registrations-list-protocol
    handler.61.postformat = api/registrations-create-protocol
    handler.61.putformat = api/registrations-update-protocol
    # registrations/certificate/{certid}
    handler.62.filter = registrations/certificate/[0-9]+
    handler.62.format = api/registrations-get-certid
    ################
    # ACME Endpoints
    # registrations/{procid}/acme/accounts
    handler.70.filter = registrations/[a-z0-9A-Z\- ]+/acme/accounts
    handler.70.format = api/registrations-list-acme-accounts
  3. Save the file.

Configure EST

The EST configuration has been extended with additional options.

To use these features, do the following:

  1. Open the file <configroot>/est.properties for editing. 
  2. Replace the description of the parameters to the following:

    Example: est.properties

    CODE
    #- Parameters
    #
    # filter - contains a filter for the handler part of the URL
    # specified as a regular expression. NOTE: If using the CoAP proxy,
    # regular expressions in the filters are not supported.
    #
    # format - contains the name of a format definition file. For regular
    # EST the format definition files with the prefix 'est-' should be used. For
    # EST over CoAPs the files with the prefix 'estcoaps-' should be used instead.
    #
    # tokenprocedure - contains the description or id of a token procedure
    # in the CM server.
    #
    # ra.keyfile - is the token to sign the fullcmc responses.
    # Not required if fullcmc is disabled.
    #
    # ra.password - is the password to the keyfile. It is recommended to
    # obfuscate sensitive data with .encrypted.
    #
    # requiredRoRoles - optional, contains a space or comma separated list
    # of required Registration Officer roles. This requires client
    # authentication to be enabled in Tomcat, and verifies that the
    # client certificate is an officer. If the role "none" is entered,
    # the client certificate must be issued by CM but does not need to
    # be an officer. "/cacerts" must not be protected behind client
    # authentication, and therefore no default role should be set.
    #
    # authtype - optional, enables HTTP Basic/Digest authentication by
    # specificing the desired authentication type. May only be set
    # for filters simpleenroll and simplereenroll.
    # Example:
    # handler.<n>.authtype = Basic
    # handler.<n>.authtype = Digest
    #
    # realm - required if authtype is set, may be empty. Determines which
    # realm the login should occur on. Can only be set for filters
    # simpleenroll and simplereenroll.
    #
    # qop - optional, determines the quality of protection used with
    # Digest authentication. Valid value is 'auth'. If not specified
    # then no Quality of Protection will be required.
  3. Save the file.

From 8.1 to 8.2

Configure REST API

The REST API configuration has been extended with additional endpoints.

To use these features, do the following:

  1. Open the file <configroot>/api.properties for editing. 
  2. Add the following lines below the certificate endpoints:

    Example: api.properties

    CODE
    # Process PKCS10 request -> PKCS7 (secure key injection package) response
    handler.32.filter = certificates/skip
    handler.32.format = api/certificates-skip
    handler.32.tokenprocedure = Token Procedure Name - must be configured
    
    # Process X509 certificate import
    handler.33.filter = certificates/import-pki-x509
    handler.33.format = api/certificates-import-pki-x509
    handler.33.importlimit = 100
    handler.33.tokenprocedure = Token Procedure Name - must be configured
  3. Save the file.

From 8.2 to 8.3

Configure SCEP

The SCEP implementation has been updated in the following ways:

To use these features, do the following:

  1. If the file <configroot>/scep.properties is unmodified, remove this file and it will be recreated with new defaults when restarting Protocol Gateway.
  2. If the file has been modified, then do the following: 
    1. Open the file <configroot>/scep.properties for editing. 
    2. Add the following lines below default.racachainlength = 0:

      Example: scep.properties

      CODE
      # Changes the response format for the GetCACert call to return the RA
      # certificate in binary format if set to true.
      # Only works if racachainlength is set to 1.
      default.responseasbinary = false
      
    3. Add the following lines below default.ra.signature.keyusage = digitalsignature:

      Example: scep.properties

      CODE
      # SCEP INTUNE
      #
      # SCEP Intune allows for integration with Azure AD to automatically
      # enroll and manage iOS, Android, Windows and Mac devices.
      #
      # tenant - is the Tenant which is the fully qualified domain name (FQDN)
      # of the organization configured in Intune.
      #
      # azure_app_id - specifies the azure application id of the app
      # registration.
      #
      # azure_app_key - specifies the client secret of the app registration.
      #
      # certificateAuthority - specifies the name of the CA performing the
      # requests to Intune.
      
    4. Append the following lines at the end of the file:

      Example: scep.properties

      CODE
      # http://<pgwy-host>:<port>/pgwy/scep/ndeschallenge/
      #
      # Handler for SCEP dynamic challenge endpoint (NDES compliant)
      #
      handler.3.filter = ndeschallenge/
      handler.3.format = scep-ndes
      handler.3.ndesUsername = ndesadmin
      handler.3.ndesPassword = ndespassword
      handler.3.ndesChallengeValidity = PT15M
      # http://<pgwy-host>:<port>/pgwy/scep/ndesrequest
      #
      # Handler for SCEP request using dynamic challenge password
      (NDES compliant)
      #
      handler.4.filter = ndesrequest
      handler.4.format = scep
      handler.4.tokenprocedure = SCEP Registration and Enroll Procedure
      with NDES Challenge
      
      # http://<pgwy-host>:<port>/pgwy/scep/intune/pkiclient.exe
      #
      # Handler for requests that should be validated against a Microsoft
      # Intune server.
      handler.5.filter = intune/pkiclient.exe
      handler.5.format = scep-intune
      handler.5.tenant = tenant
      handler.5.azure_app_id = app-id
      handler.5.azure_app_key = app-key
      handler.5.certificateAuthority = CA
    5. Save the file.

Configure CMC

Support for CMC revoke request has been added.

To use this feature, do the following:

  1. If the file <configroot>/cmc.properties is unmodified, remove this file and it will be recreated with new defaults when restarting Protocol Gateway.
  2. If the file has been modified, then do the following:
    1. Open the file <configroot>/cmc.properties for editing.
    2. Add the following lines below default.tokenprocedure = TLS Web Server Token:

      Example: cmc.properties

      CODE
      # ra.keyfile - is the token to sign the fullcmc responses,
      required for CMC Revoke.
      # Not required if CMC Revoke handler is disabled.
      # ra.password - is the password to the keyfile. It is recommended to
      # obfuscate sensitive data with .encrypted.
    3. Append the following lines at the end of the file:

      Example: cmc.properties

      CODE
      handler.2.filter = revoke
      handler.2.filterContentType = application/pkcs7-mime;\h*smime-type\h*=
      \h*CMC-request
      handler.2.format = cmc-revoke
      # fullcmc responses (required as response to Revocation request) require
      an RA token to be signed with
      handler.2.ra.keyfile = protocol-gateway-ra.p12
      handler.2.ra.password = abcd1234
    4. Save the file.
Configure V2X API

Support for configuring connection properties to the authorization server has been added.

To use this feature, do the following:

  1. If the file <configroot>/c2x.properties is unmodified, remove this file and it will be recreated with new defaults when restarting Protocol Gateway.
  2. If it has been modified, then do the following:
    1. Open the file <configroot>/c2x.properties for editing.
    2. Replace the line #default.authorizationUrl = <authorization-server-url> with the following lines:

      c2x.properties

      CODE
      # Parameters for the AccessTokenVerifier modifier.
      #
      # default.authorizationUrl = <authorization-server-url>
      # default.authKeyCacheLifeSpan = P365D
      # default.authKeyCacheRefreshTime = P1D
      #
      # Timeout values in ms.
      # default.authKeyConnectTimeout = 1000
      # default.authKeyReadTimeout = 1000
    3. Save the file.

From 8.3 to 8.4.x

Configure EST

The EST configuration has been extended with additional options.

To use these features, do the following updates in <configroot>/est.properties:

  • Add the new parameter and description to the simplereenroll handler, default handler 2:

    Example: est.properties

    CODE
    # Controls if the client TLS certificate must match the latest issued certificate
    # for the requested subject. Set to false as default.
    # handler.2.allowRenewalWithOldCertificates = false

From 8.4.x to 8.5.x

Configure ACME

Only relevant if upgrading from 8.4.0. Not needed if you update from 8.4.1 or later. 

The ACME configuration has been extended with additional options.

To use these features, do the following updates in <configroot>/acme.properties:

  1. Add the new parameter description to the end of the Parameters section:

    Example: acme.properties

    CODE
    # addAccountContactEmail - If true, adds the contact email address from the
    # requesting account to the Rfc822 name field to the SAN extension in the
    # certificate request.
  2. Append the following to the list of default values in the Parameters section:

    Example: acme.properties

    CODE
    #default.addAccountContactEmail = false
Configure WinEP

Only relevant if upgrading from 8.4.0. Not needed if you update from 8.4.1 or later. 

The WinEP configuration has been extended with additional options.

To use these features, do the following updates in <configroot>/winep.properties:

  • Add the following new parameter descriptions to the Define handlers section: 

    Example: winep.properties

    CODE
    # enrollmentAgent.certs.x - a list of file paths of the X.509 Enrollment Agent certificates.
    
    # enrollmentAgent.allowedGroups - optional, a comma separated list of AD groups
    # that this enrollment agent is able to issue certificates for. If the EOBO
    # target user is in any of the defined groups then the request will pass.
    # If not set then all groups are allowed.
    # Group names are case insensitive.
    
    # enrollmentAgent.blockedGroups - optional, a comma separated list of AD groups
    # that this enrollment agent is blocked from issuing certificates for. If the
    # EOBO target user is in any of the defined groups then the request will be denied.
    # If not set then no groups are blocked.
    # Group names are case insensitive.
    # Blocked groups have a higher precedence than allowed groups. That is, if a user
    # belongs to both an allowed and a blocked group, issuing of certificates will be
    # blocked for that user.
Configure REST API

Upgrade from 8.4.0

Do the following updates in <configroot>/api.properties:

  • Update the V2x Endpoints to reflect the following:

    Example: api.properties

    CODE
    # V2x Endpoints
    # /registrations/v2x/{vin}
    handler.80.filter = registrations/v2x/[a-z0-9A-Z\- ]+
    handler.80.deleteformat = api/v2x-vin-delete
    handler.80.requiredroroles = dataretention.manage

Upgrade from 8.4.x (later than 8.4.0)

Do the following updates in <configroot>/api.properties:

  • Add the certificates Endpoint to reflect the following: 

    Example: api.properties

    CODE
    # List of issuer certificates
     handler.1.filter = certificates/issuers
     handler.1.format = api/issuers-list
Configure ITSS

Only relevant if upgrading from 8.4.0. Not needed if you update from 8.4.1 or later. 

If the file itss.properties is unmodified, then remove the file and it will reappear when restarting PGW.

  • If it has been modified, then do the following updates in <configroot>/itss.properties:
    • Remove the following endpoint handler configuration:

      Example: itss.properties

      CODE
      handler.2.filter = auth-pop
      handler.2.tokenprocedure = Token Procedure Name - must be configured
Configure CM-Gateway

It is now possible in Protocol Gateway to specify CM Host in the protocol handler level. Also added is SNI support, which allows obtaining the correct server certificate by the CM SDK client during TLS handshake.

To use these features, do the following updates in <configroot>/cm-gateway.properties:

  1. Replace the description of CM HOST with the following: 

    Example: cm-gateway.properties

    CODE
     # CM Host
     #
     # Note: a CM Host can, if necessary, also be specified in the properties
     # file for a protocol service, with the same parameter as below.
     #
     # CM-Host must be set to the network id of the machine that hosts the CF that
     # should be used by the Protocol Gateway services. 
  2. Add the following lines after TLS parameters section:

    Example 2: cm-gateway.properties

    CODE
     # ssl.servernameindication - Holds the SNI (server name indication) host name
     # of CM to be sent in the TLS client hello packet to indicate the name of the
     # CM server to communicate with. This is useful for cases where CM is behind a
     # proxy or load balancer, and the proxy having a different host
     # name hosting a different server certificate by default.
     # Leave commented to disable SNI.
     #ssl.servernameindication = localhost
Configure SCEP

The SCEP configuration has been extended with additional options.

To use these features, do the following updates in <configroot>/scep.properties:

  • Add the following new parameter description at the end of the SCEP INTUNE section: 

    Example: scep.properties

    CODE
     #
     # issuerName - optional, specifies the ca configuration name of the issuing CA,
     #              used to filter requests when polling for revoked certificates.
     #
     # issuerFilter - optional, specifies the distinguished name of the issuing CA,
     # 				used to filter revocations to process after polling and fetching 	
    				the revoked certificates.
     #
     # revocationTaskPeriod - optional, the duration between polling attempts towards
     #                        Intune to fetch revocation data, specified in
     #                        ISO 8601 format.
     #                        Default: PT10M
     #
     # revocationRequestSize - optional, the batch size of fetched revocation
     #                         data, must be set between 1 and 500.
     #                         Default: 100
     #
     # revocationReason - optional, the revocation reason to apply to revocation
     #                    requests received from Intune.
     #                    Possible values are:
     #                    Key compromised: 1
     #                    Affiliation Changed: 3
     #                    Superseded: 4
     #                    Cessation of Operation: 5
     #                    Privilege Withdrawn: 9
     #                    Default: 4
     # intuneProxyHost - optional, if the server hosting PGW does not have the
     #                   internet access required to successfully verify incoming
     #                   requests against intune, you can instead configure a proxy
     #                   to direct the intune requests through.
     #
     # intuneProxyPort - optional, intune proxy port. Must be set if
     #                   'intuneProxyHost' is set.
     #
     # intuneProxyUser - optional, intune proxy user
     #
     # intuneProxyPass - optional, intune proxy password. Must be set if
     #                   'intuneProxyUser' is set.

From 8.5.x to 8.6.x

Configure REST API

The REST API has been extended.

To use the latest endpoint, do the following updates in <configroot>/api.properties:

  • Add the following lines under Certificate endpoints

    Example: api.properties

    CODE
    # Process PKCS10 request -> Attribute Certificate
     handler.34.filter = certificates/[a-z0-9A-Z]+/pkcs10-to-attr-cert
     handler.34.format = api/certificates-pkcs10-to-attr-certificate
     handler.34.tokenprocedure = Token Procedure Name - must be configured

From 8.6.x to 8.7.1

Configure SCEP

The SCEP configuration has been extended with additional options.

To use these features, do the following updates in <configroot>/scep.properties:

  1. Replace the following parameter description in the SCEP INTUNE section: 

    Replace this in scep.properties

    CODE
    # issuerName - optional, specifies the distinguished name of the issuing CA,
    # used to filter requests when polling for revoked certificates.

    with this:

    Replace the previous with this:

    CODE
    # issuerName - optional, specifies the ca configuration name of the issuing CA,
    # used to filter requests when polling for revoked certificates.
  2. Add the following new parameter description after the issuerName parameter description in the
    SCEP INTUNE section:

    Add this in scep.properties

    CODE
    # issuerFilter - optional, specifies the distinguished name of the issuing CA,
    # used to filter revocations to process after polling and fetching the revoked 
    # certificates.
Configure C2X

The C2X configuration has been extended with additional options.

The cache related settings in c2x.properties have changed.

  • If the file is unmodified, remove this file and it will be recreated with new defaults when restarting PGW.
  • If it has been modified, then do the following changes:
  1. Replace this: 

    Replace this:

    CODE
    default.ectlCilProcedure = <your ECTL CIL procedure >
    default.ectlCache = PT10M

    with this:

    Replace the previous with this:

    CODE
    # The Composite CTL and ECTL procedures are used in initialization
    # and must be specified as default values.
    default.cctlCilProcedure = <your CCTL CIL procedure>
    default.ectlCilProcedure = <your ECTL CIL procedure>
    # default.ectlFile =
    default.cache = PT10M
  2. Replace this:

    Replace this:

    CODE
    handler.1.filter = truststore/v1/?
    handler.1.format = c2x_initialization
    handler.1.stsfCilProcedure = <your TSF CIL procedure>
    handler.1.stfsCache = <your cache timeout>

    with this:

    Replace the previous with this:

    CODE
    handler.1.filter = truststore/v1/?
    handler.1.format = c2x_initialization
    handler.1.cilProcedure = <your TSF CIL procedure>
  3. Remember to also update the configuration values after these steps are performed.

From 8.7.0 to 8.7.1

Certificate Manager v8.7.0

Certificate Manager version 8.7.0 is no longer available on Nexus support portal. 

Configure WinEP

The following two new parameters must be added to winep.properties after default.requiredRoRoles = cert.issue :

Example: winep.properties

CODE
# - allowNullPkcs10Signature, controls whether Null Signature (MS-WCCE v20211006)
# is allowed on the PKCS10 in the received requests. Default: true
# default.allowNullPkcs10Signature = true

# - allowNoSignature, controls whether No-Signature Signature is allowed on the
# received requests. Default: true
# default.allowNoSignature = true

From 8.7.x to 8.8.x

CM-Gateway configuration

The CM-Gateway configuration has been extended with additional options. To ease use of the latest features, the following steps should be taken on the file <configroot>/cmgateway. properties:

  • Add the following new parameters after the cmconnections parameter in the CM Host section:
CODE
# cmclientretries - How many times sending a request should be retried
# if the connection to CM is unexpectedly closed. Default value is 0.
#cmclientretries = 0
# cmnopinterval - The number of seconds between each no-operation request to
# the server. This counter is unique for each connection and will only trigger
# if the connection has been idle for longer than the given interval.
# cmnopinterval = 60


C2X configuration

A new configuration parameter for Access Token Scope Whitelisting and new V2X V2 endpoints have been added to c2x.properties. If the file is unmodified, remove this file and it will be recreated with new defaults when restarting PGW. If it has been modified, then perform the following changes:

  • Add the following new parameters after the default.authKeyReadTimeout parameter in the default parameters section:
CODE
# Access Token Scope Whitelist.
# If this parameter is not used all scopes will be accepted.
# Each scope should be separated by a comma sign, like the example below:
# default.whitelistedScopes = scope_1, scope_2
# default.whitelistedScopes =
  • Add the following new parameters to the end of the file:
CODE
handler.10.filter = truststore/v2/?
handler.10.format = c2x_initialization_v2
handler.10.cilProcedure = V2X VW initialization message
handler.10.tokenprocedure = V2X ECA Enroll enabling registration
handler.11.filter = enrollment/v2/?
handler.11.format = c2x_enrollment_v2
handler.11.tokenprocedure = V2X Enrollment Token V2
handler.12.filter = pseudonym-certificate-batch/v2/?
handler.12.format = c2x_registration_v2
handler.12.tokenprocedure = V2X Registration Request Token V2
# "Registration" endpoint can be configured to save all registration requests
# to a local directory, for debugging purposes. This directory is relative to
# <cm-gateway>. If left empty, the registrations will not be debug dumped.
#handler.12.relativePathToRequestsFolder = c2xRegistrationsv2
handler.13.filter = pseudonym-certificate-batch/v2/(.+)
handler.13.format = c2x_download_v2
# "Download" endpoint requires that the cert zips are pre-produced, and
# available in a local directory or in S3 object storage.
# This directory is relative to <cm-gateway>.
handler.13.relativePathToFilesFolder = c2xCerts
handler.14.filter = crl/v2/?
handler.14.format = c2x_crl_download_v2
handler.14.crlProcedure = V2X VW composite CRL
handler.15.filter = ctl/v2/?
handler.15.format = c2x_ctl_download_v2
  • Remove the parameter below from all handlers:
CODE
crlCache


Configure WinEP

The following two new parameters need to be added to winep.properties after default.requiredRoRoles = cert.issue :

CODE
# - allowNullPkcs10Signature, controls whether Null Signature (MS-WCCE v20211006)
# is allowed on the PKCS10 in the received requests. Default: true
# default.allowNullPkcs10Signature = true

# - allowNoSignature, controls whether No-Signature Signature is allowed on the
# received requests. Default: true
# default.allowNoSignature = true

From 8.8.x to 8.9.x

Tomcat 10.1

With the release of version 8.9.0 of Protocol Gateway the version of Apache Tomcat must be upgraded to Tomcat 10.1. To upgrade from a previous version of Tomcat, first close any running instances of Tomcat and then install Tomcat 10.1.

For more information, see Install Protocol Gateway

Java 17

Make sure 64-bit Java SE 17 is installed and used by Tomcat.

API configuration

The REST API has been extended. To use the latest endpoint, the following steps should be taken on the file <configroot>/api.properties:

Add the following lines under the Certificate endpoints to enable the procedure details endpoint:

CODE
handler.51.filter = procedures/[a-z0-9A-Z\- ]+/details
handler.51.format = api/procedures-details

Add the following lines under the Certificate endpoints to enable downloading multiple certificates in a zip file:

CODE
handler.22.filter = certificates/download
handler.22.format = api/certificates-downloads

Add the following lines under the Certificate endpoints to enable the statistics endpoints:

CODE
################
# Statistics Endpoints
# /statistics/{StatisticsType}
handler.90.filter = statistics/[a-z0-9A-Z\- ]+
handler.90.format = api/statistics


logging.properties configuration

To prevent unnecessary logging in PGW when running the CM Web UI and Auth servlet the following steps should be taken on the file <configroot>/logging.properties:

Add the following line under org.apache.tomcat.util.net.level:

CODE
com.id2tech.net.jsse.level = INFO

Add the following lines under com.nexussafe.cm.pgwy.scep.subject = cn to set the logging level for hazelcast:

CODE
# hazelcast logger
com.hazelcast.level = WARNING
com.hazelcast.cp.level = SEVERE


SCEP configuration

The SCEP configuration has been extended with an additional option. To ease use of the latest features the following steps should be taken on the file <configroot>/scep.properties:

Add the following new parameter after the handler.3.ndesChallengeValidity parameter:

CODE
handler.3.ndesChallengeEncoding = UTF-8


CMP configuration

The CMP configuration has been extended with additional options. To ease use of the latest features, the following steps should be taken on the file <configroot>/cmp.properties:

Add the following parameter descriptions before the # Define handlers section:

CODE
# CMP MODE
#
# CMP is allowed to be in client or RA mode. Client mode requires that all
# incoming requests contain a valid Proof-Of-Possession signature. RA mode
# allows for the raVerified Proof-Of-Possession, where a RA has signed the
# request on behalf of an end-entity.
#
# mode - specifies the mode to run in. Default mode is client. Possible values
# are client, ra, and ra-strict. ra mode allows both client and ra
# requests. ra-strict enforces raVerified Proof-Of-Possession.
#
# CMP RA Mode
#
# When a handler is in RA mode it requires some additional parameters. See
# handler.4.* for example configuration. Using officer validation is the
# recommended way to validate the RA. Either certificate pinning or officer
# validation is required. Both is also possible but not necessary.
#

# ramode.certs.x - a list of file paths of the X.509 RA certificates to validate
# the PKIMessage against. Paths are relative to the location of this file.
#
# ramode.officervalidation - specifies a requirement that the RA signer
# should be forwarded to CF for officer validation. Default: true
#


Add the following example handler after #handler.3.:

CODE
# RA mode
#
# handler.4.filter = ra
# handler.4.mode = ra-strict
# handler.4.ramode.certs.1 = cmp-ra-signer-one.cer
# handler.4.ramode.certs.2 = cmp-ra-signer-two.cer
# handler.4.ramode.officervalidation = true


4. Replace .war file

Replace .war file

Replace the Protocol Gateway .war file: 

  • Replace pgwy.war in the webapps folder with the new version.

5. Restart the Tomcat service

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.