
SMP v3.0 RC2


This page collects the resources for Service Metadata Publisher version 3.0-RC2, released in May 2017.


Download SMP v3.0 RC2

Access source code (select RC2 tag from dropdown)

Description

We are happy to announce the second release candidate of the sample implementation of the eDelivery Service Metadata Publisher (SMP).

This release conforms to the e-SENS SMP profile, which is based on the OASIS Service Metadata Publishing (BDX SMP) specification. It is a candidate version that is expected to become the final release unless significant bugs emerge from the tests executed by future clients of the service before the final version is released.

All functionality needed to make the SMP fully operational is available, i.e. all operations required to manage Service Groups (structures that represent the set of services associated with a specific Participant identifier) and their Service Metadata (structures that describe a specific electronic service):

  • Creation, update and deletion of Service Groups.
  • Creation, update and deletion of Service Metadata.
  • SML integration.
  • Security, including:
    • HTTPS support for simple users (via the BlueCoat reverse proxy);
    • mutual TLS authentication for administrators of metadata;
    • authorisation of administrators' service operations;
    • user management;
    • data validation;
    • data integrity validation;
    • passwords stored as hashes;
    • protection against XXE attacks;
  • Logging;
  • Welcome page.

Migration from 3.0-RC1 to 3.0-RC2

  1. Hash passwords in the database

SMP administrators must store users' passwords as BCrypt hashes. Existing plain-text passwords must be migrated to their hashes for that purpose; BCrypt is a salted, deliberately slow one-way hash, so the stored value cannot be turned back into the password.

A BCrypt hashing tool is bundled in the SMP WAR file. To calculate the hashes, apply the following steps:

    1. Download the SMP WAR file (see above).

    2. Explode the WAR file using the following command:
      $ jar -xvf cipa-smp-full-webapp.war
    3. Multiple hashes can be calculated at once by passing several passwords to the tool; it prints one hash per password, in the same order:
      $ java -cp "WEB-INF/lib/*" eu.europa.ec.cipa.smp.server.security.BCryptPasswordHash password_to_be_hashed_1 password_to_be_hashed_2
      $2a$10$6nYTSUSh2BQfbOLIyCXn8eUViBcnn.WcjUrWOtJlMNDOdAtI85zMa
      $2a$10$7zNzSeZpxiHeqY2BRKkHE.HknfIe3aiu6XzU.qHHnnPbUHKtfcmDG

Each hash embeds a freshly generated random salt, so re-running the tool on the same passwords yields different, but equally valid, hashes. Note that passwords passed as command-line arguments are recorded in the shell history and are visible to other local users in the process list; run the tool on a trusted machine and clear the history afterwards.

 

2. Authentication with BlueCoat reverse-proxy

To allow BlueCoat authentication, the following property was introduced:

authentication.blueCoat.enabled=true

Be careful when switching this property to 'true': do so only if you know what you are doing.

When activated, BlueCoat authentication causes every HTTP request that carries a 'Client-Cert' header to be authenticated as the username placed in that header. The SMP itself does not verify the header, so the reverse proxy must set it from the client certificate it has validated and must discard any 'Client-Cert' header supplied by the caller; otherwise anyone who can reach the SMP directly can impersonate any user by sending the header themselves.

WARNING: The SMP must never be exposed to the web without the reverse proxy having first been properly configured and BlueCoat authentication activated.


3. The pattern of the user's certificate stored in the DB for BlueCoat authentication has changed.

The e-mail address was removed from the SMP_USER.USERNAME column of the database.

All usernames must be migrated manually.

Example of the format used in previous versions:

CN=SMP/emailAddress\=CEF-EDELIVERY-SUPPORT@ec.europa.eu,O=European Commission,C=BE:0000000000001234

Usernames have to be migrated manually to the format corresponding to this example:

CN=SMP,O=European Commission,C=BE:0000000000001234
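With many users the manual rewrite is error-prone, and a username that is not rewritten exactly will no longer match the identity derived from the certificate. The helper below, an added example rather than SMP project code, produces the RC2 form from the RC1 form. It assumes the stored value is "<certificate subject>:<certificate serial>" as in the two examples above, that the e-mail is glued to the CN as "/emailAddress\=<address>" with an escaped "=", and (going beyond what the page shows) that a standalone "emailAddress=<address>" RDN should be dropped as well. It is idempotent, so running it over already-migrated rows changes nothing. The sample rows are constructed.

```python
"""Rewrite SMP_USER.USERNAME values from the RC1 pattern to the RC2 pattern.

Added example, not part of the SMP project. Assumes the stored username is
"<certificate subject>:<certificate serial>" and that the only change is
dropping the emailAddress attribute, whether glued to the CN as
"/emailAddress\\=<address>" (the RC1 form shown on the page) or present as a
standalone RDN (an assumption of this example). Sample rows are constructed.
"""
import re

# "/emailAddress\=user@example.org" appended to another attribute's value.
_GLUED_EMAIL = re.compile(r"/emailAddress\\?=[^,/]*")


def split_rdns(dn: str) -> list:
    """Split a DN on commas that are not backslash-escaped, keeping escapes."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def migrate_username(old: str) -> str:
    """Return the RC2 form of a username; already-migrated values are unchanged."""
    subject, sep, serial = old.rpartition(":")
    if not sep or not serial or "=" in serial:
        raise ValueError(f"username is not '<subject>:<serial>': {old!r}")
    kept = []
    for rdn in split_rdns(subject):
        attr, _, _ = rdn.partition("=")
        if attr.strip().lower() == "emailaddress":
            continue  # standalone e-mail RDN (assumed form), drop it
        kept.append(_GLUED_EMAIL.sub("", rdn))
    if not kept:
        raise ValueError(f"no subject attributes left after migration: {old!r}")
    return ",".join(kept) + ":" + serial


def migrate_rows(rows) -> list:
    """rows: iterable of (row_id, username). Returns (row_id, old, new) for rows that change."""
    changes = []
    for row_id, username in rows:
        new = migrate_username(username)
        if new != username:
            changes.append((row_id, username, new))
    return changes


if __name__ == "__main__":
    SAMPLE_ROWS = [  # constructed: one RC1-style row, one already in RC2 form
        (1, "CN=SMP/emailAddress\\=CEF-EDELIVERY-SUPPORT@ec.europa.eu,"
            "O=European Commission,C=BE:0000000000001234"),
        (2, "CN=SMP,O=European Commission,C=BE:0000000000001234"),
    ]
    for row_id, old, new in migrate_rows(SAMPLE_ROWS):
        print(f"row {row_id}: {old} -> {new}")
```

Export the row key and username, run the script, and apply the printed pairs with parameterised UPDATE statements (never by interpolating the strings into SQL). Verify afterwards that an administrator can still authenticate through the proxy before the old values are discarded.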


4. Comparison of Participant and Document Identifiers is still CASE-INSENSITIVE by default. The configuration now allows CASE-SENSITIVE comparison to be applied.

Leaving the configuration as it was in the previous version keeps the case-insensitive comparison behaviour.

Two new properties were introduced to allow case-sensitive comparison as well:

identifiersBehaviour.caseSensitive.ParticipantIdentifierSchemes=case-sensitive-participant-scheme-1|case-sensitive-participant-scheme-2

identifiersBehaviour.caseSensitive.DocumentIdentifierSchemes=case-sensitive-doc-scheme-1|case-sensitive-doc-scheme-2

These properties list the schemes of participant and document identifiers that must be treated as CASE-SENSITIVE; identifiers of every other scheme keep the default case-insensitive comparison. The items of these lists are delimited by pipe characters "|".


5. Allow slash characters ("/") in URLs

Slash characters ("/") are usually forbidden in URL path parameters, even when percent-encoded as "%2F".

The OASIS specification allows them, however, which required the addition of a configuration parameter to the SMP configuration file (shown here with its default value):

encodedSlashesAllowedInUrl=false

To accept identifiers containing encoded slashes, set the property to true. WebLogic allows encoded slashes in URLs by default, but on Tomcat the container itself must additionally be configured to accept them, as described below.

Tomcat

Tomcat requires the following change in the configuration to allow this:

<TOMCAT>/conf/catalina.properties:

org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

Weblogic

WebLogic allows encoded slashes by default, so no changes are required for this type of application server.
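Sections 4 and 5 both concern how an identifier received in a URL is turned back into a scheme and value and then matched against stored data. The following example, added here and not SMP project code, reads the two pipe-delimited properties from section 4, compares identifiers case-insensitively unless their scheme is listed, and encodes an identifier for a path segment so that a "/" in the value becomes "%2F", which is the form the Tomcat and encodedSlashesAllowedInUrl settings exist to admit. The "scheme::value" layout follows the OASIS BDX SMP URL form; applying the scheme's mode to both scheme and value, and matching listed scheme names exactly, are assumptions of this example. The property values and the identifiers are constructed.

```python
"""Identifier comparison and URL encoding as configured in RC2.

Added example, not SMP project code. Reads the pipe-delimited
identifiersBehaviour.caseSensitive.* properties, treats every scheme not
listed as case-insensitive, and shows why encodedSlashesAllowedInUrl matters:
a "scheme::value" identifier travels in the URL path percent-encoded, so a
"/" in the value arrives as "%2F". Applying the scheme's mode to both scheme
and value, and matching listed scheme names exactly, are assumptions here.
The property values and identifiers below are constructed.
"""
from dataclasses import dataclass
from urllib.parse import quote, unquote

# Constructed properties, using the placeholder scheme names from the page.
SMP_CONFIG = {
    "identifiersBehaviour.caseSensitive.ParticipantIdentifierSchemes":
        "case-sensitive-participant-scheme-1|case-sensitive-participant-scheme-2",
    "identifiersBehaviour.caseSensitive.DocumentIdentifierSchemes":
        "case-sensitive-doc-scheme-1|case-sensitive-doc-scheme-2",
}


def parse_scheme_list(raw: str) -> frozenset:
    """Split a pipe-delimited property value into a set of scheme names."""
    return frozenset(s.strip() for s in raw.split("|") if s.strip())


@dataclass(frozen=True)
class Identifier:
    scheme: str
    value: str

    @classmethod
    def from_path_segment(cls, segment: str) -> "Identifier":
        """Decode one percent-encoded path segment into scheme and value."""
        scheme, sep, value = unquote(segment).partition("::")
        if not sep or not scheme or not value:
            raise ValueError(f"not a 'scheme::value' identifier: {segment!r}")
        return cls(scheme, value)

    def to_path_segment(self) -> str:
        """Percent-encode for use as a single path segment; '/' becomes '%2F'."""
        return quote(f"{self.scheme}::{self.value}", safe="")


def identifiers_equal(a: Identifier, b: Identifier, case_sensitive_schemes) -> bool:
    """Compare two identifiers under the configured per-scheme rule."""
    if a.scheme in case_sensitive_schemes or b.scheme in case_sensitive_schemes:
        return (a.scheme, a.value) == (b.scheme, b.value)
    return (a.scheme.lower(), a.value.lower()) == (b.scheme.lower(), b.value.lower())


def find_service_group(store, requested: Identifier, case_sensitive_schemes):
    """Look up a participant among stored identifiers the way a case-aware
    SMP must: by the configured comparison, not by exact dictionary key."""
    for stored in store:
        if identifiers_equal(stored, requested, case_sensitive_schemes):
            return stored
    return None


if __name__ == "__main__":
    schemes = parse_scheme_list(
        SMP_CONFIG["identifiersBehaviour.caseSensitive.ParticipantIdentifierSchemes"])
    pid = Identifier("iso6523-actorid-upis", "0088:12/34")  # constructed sample
    segment = pid.to_path_segment()
    print(segment)  # the "%2F" inside is what Tomcat rejects by default
    print(Identifier.from_path_segment(segment) == pid)
    print(identifiers_equal(pid, Identifier("ISO6523-ACTORID-UPIS", "0088:12/34"), schemes))
```

A practical consequence of the lookup logic: if a scheme is switched from the default to case-sensitive after data has been stored, two records that previously collided as the same participant may now both match or neither; review the affected rows before changing the property on a live instance.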


6. Database migration

SQL migration scripts can be found here:

https://ec.europa.eu/digital-building-blocks/code/projects/EDELIVERY/repos/smp/browse/smp-server-library/database

MySQL

Migration of MySQL databases from SMP version 3.0-RC1 to 3.0-RC2 requires the following script to be applied:

upgrade-MYSQL_06.sql

This script adds the schema support needed for the new case-sensitive handling of Participant and Document identifiers.

Oracle

Oracle databases do not need any migration.





Documentation

The purpose of this document is to exhaustively specify the interface of the Service Metadata Provider.
License
European Union Public Licence




Release note

Please find below the list of the improvements and limitations.

Improvements and new features

  • [EDELIVERY-1744] User password hashing in the DB
  • [DELIVERY-1949] Added SoapUI integration tests compliant with the 3.0 spec
  • [EDELIVERY-1898] Added JUnit tests for the ServiceMetadata signing algorithm
  • [EDELIVERY-1947] Updated welcome page; added detailed version and build timestamp
  • [EDELIVERY-1977] Reimplemented BlueCoat authentication to make it work with HTTPS
  • [EDELIVERY-1952] Enabled HTTPS SMP access for the Commission's internal network
  • [DELIVERY-364] Allowed the encoded slash character as a URL parameter
  • [EDELIVERY-2101] Made SMP work on Tomcat; migrated Jersey from version 1 to 2
  • [EDELIVERY-2112] Made the build process work for anonymous users outside the Commission's network (Oracle OJDBC driver issue)
  • [EDELIVERY-1759] Added 2-way SSL authentication without a reverse proxy (truststore configured in the J2EE container)

Fixed bugs

Known issues and limitations

  • [EDELIVERY-1900] PUT ServiceGroup returns the wrong error code when the ServiceGroup owner's certificate is not registered
  • [EDELIVERY-1817] ServiceGroup - Bad Request
  • [EDELIVERY-1927] Resolve discrepancies between the validation rules applied to Participant Identifier schemes by the SMP and by the SML