The year 2023 is ending, and it's time to publish X-Road 7.4.0! The previous version, 7.3.0, was released in June, and it provided a new Central Server UI and management REST API. Version 7.4.0 includes several improvements for the Central Server, but the Security Server hasn’t been forgotten either.

The beta version is already out, and the official release version will be published in December 2023. The release notes are available here. Please note that the beta version doesn’t include all the changes mentioned in the release notes.

Let’s see what the highlights of the version 7.4.0 are!

Publishing global configuration over HTTPS

Until now, the Central Server and Configuration Proxy have only supported publishing global configuration over HTTP. Since the global configuration is signed, its integrity and authenticity are guaranteed despite lacking HTTPS support. Nevertheless, securing the global configuration download with HTTPS helps to maintain the privacy of the global configuration data.

A new private key and a self-signed TLS certificate are created automatically when installing a new Central Server or upgrading an existing installation from an older version. After the installation or upgrade, the Central Server Administrator must manually apply for a TLS certificate from a trusted Certificate Authority (CA) and then configure the certificate. This step is required because the Security Server does not trust the new automatically generated self-signed certificate by default. The Security Server supports disabling certificate verification, but disabling it in production environments is not recommended.

Starting from version 7.4.0, the global configuration will be available on the Central Server and Configuration Proxy ports 80 and 443. The old HTTP endpoint on port 80 guarantees that older Security Servers not supporting downloading global configuration over HTTPS continue to work normally. Also, the new Security Servers that support downloading global configuration over HTTPS will fall back to HTTP if the TLS certificate of the new HTTPS endpoint is not configured correctly.

Changes in the global configuration download ports may cause changes to firewall configuration on the Central Server, Configuration Proxy and Security Server. Inbound traffic from the Security Servers to port 443 must be allowed on the Central Server and Configuration Proxy. Similarly, outbound traffic to the Central Server and Configuration Proxy port 443 must be allowed on the Security Servers.

When upgrading the Central Server from version < 7.4.0 to version >= 7.4.0, the configuration anchor must be re-generated, distributed to all the Security Server administrators through an external channel (e.g., email) and imported to each Security Server to enable downloading global configuration over HTTPS. Without the new configuration anchor Security Servers will continue to download global configuration over HTTP.

Enforcing new key creation when generating CSR on the Security Server

A good security practice is creating a new key pair when applying for a new authentication or a sign certificate on the Security Server. Starting from version 7.4.0, the Security Server supports enforcing new key creation when generating a certificate sign request (CSR) on the Security Server. The feature is enabled by default, which means that it's not possible to generate a new CSR for a key that already has an existing certificate. The feature can be disabled by setting the “proxy-ui-api.allow-csr-for-key-with-certificate” system property to true on the Security Server.

Configuring a minimum required client Security Server version

From version 7.4.0, service providers can configure a minimum required X-Road software version for client Security Servers. It means that client Security Servers older than the configured version cannot access services anymore.

Service providers can configure the required minimum version using the “proxy.server-min-supported-client-version” system property. The property has no value by default, meaning a minimum version hasn't been set. Instead, when the value is set, all the minor and patch versions starting from the configured version are approved.

X-Road Operators may set this value in the country-specific meta packages, e.g., Estonia and Finland are setting the value to the three latest versions, which means that requests that are originating from client Security Servers older than version 7.2.0 are not accepted anymore in the Estonian and Finnish X-Road ecosystems. The value is rolling, meaning it changes for every X-Road minor version, e.g., when version 7.5.0 is released, the minimum supported version is 7.3.0.

Changes in default client information system communications ports

The default client information system inbound communication ports are changed from 80 to 8080 and from 443 to 8443 on Ubuntu-based Security Servers. In this way, the default ports are consistent regardless of the hosting operating system.

The change is only applied to new installations, and existing ones are unaffected by it. Also, if custom ports have been configured locally by the Security Server administrator, they are unaffected.

X-Road Operators may set the default port values in the country-specific meta packages. The Estonian ecosystem uses ports 80 and 443 by default for new installations after the change. In other words, the Estonian X-Road users organisations are unaffected by the change.

LDAP group mapping support

The Central Server and Security Server administrator user permissions are managed using X-Road-specific Linux groups mapped to X-Road user roles. An administrator must be a member of the X-Road-specific groups to access the management UI.

Starting from version 7.4.0, it’s possible to map additional Linux groups to X-Road user roles using the “proxy-ui-api.complementary-user-role-mappings” and “admin-service.complementary-user-role-mappings” system properties. It enables granting administrators permissions to the management UI using existing Linux groups instead of adding administrators to the X-Road-specific groups. In this way, existing Linux groups can be mapped to the X-Road user roles, and there's no need to change users' groups.

Rotating global configuration sign keys

The Central Server global configuration sign keys are included in the configuration anchor imported to the Security Server. Using the information in the anchor, the Security Server can verify the global configuration signature. Suppose the sign keys are rotated. In that case, a new configuration anchor must be generated on the Central Server, distributed to all the Security Server administrators through an external channel (e.g., email) and imported to each Security Server. Only after that, the changes are applied by each Security Server.

Starting from version 7.4.0, the Central Server global configuration sign keys are included in the global configuration. Thanks to this, rotating the sign keys is possible without importing a new version of the configuration anchor to each Security Server. Instead, the Security Server gets the updated configuration information from the global configuration directly and applies it immediately.

Importing the configuration anchor to the Security Server manually is also possible. It's required when the Security Server is initialised for the first time and when a Security Server has been offline or turned off when the global configuration sign key has been rotated.

Disabling a subsystem temporarily

Disabling a subsystem temporarily enables the Security Server administrator to disable a subsystem so that all the services added under the subsystem cannot receive requests. If the same subsystem is registered on multiple Security Servers, disabling the subsystem on one Security Server doesn’t affect the others. When a subsystem is disabled, the association between the subsystem and the Security Server where the subsystem is disabled is not visible to other Security Servers in the ecosystem. This applies to the local and federated ecosystems.

Instead, disabling a subsystem doesn't change any configuration items regarding the subsystem or its services. It makes the association between the Security Server and subsystem invisible to other Security Servers so that they cannot send requests to it. Similarly, a disabled subsystem cannot be used as a service client either. 

Disabling and enabling a subsystem has a delay of a couple of minutes when the default configuration is used. During the delay, the subsystem may still receive service requests. However, the requests are not forwarded to the service provider information systems by the Security Server. Instead, all received requests will fail and an error message is returned to the service consumer. This is because the subsystem state is maintained on the Central Server, and updating it requires the Security Server to communicate with the Central Server. The length of the delay depends on the global configuration generation interval on the Central Server and the global configuration download interval on the Security Server. Other Security Servers become aware of a change in a subsystem’s state only after they download an updated version of the global configuration. Therefore, they may try to contact services under a disabled subsystem during the delay period.

Changing the Security Server address

The Security Server address is added to the Central Server when the authentication certificate is registered. Before version 7.4.0, updating the address afterwards required the Security Server administrator to contact the Central Server administrator over some external channel, e.g., email. Instead, starting from version 7.4.0, updating the address using the Security Server administrator UI or management REST API is possible.

The Security Server administrator can update the Security Server address by using the Security Server administrator UI and management REST API. The change is approved automatically by the Central Server and doesn't require manual approval from the Central Server administrator. By default, the change becomes visible to all the Security Servers in the ecosystem within a couple of minutes. However, the length of the delay depends on the global configuration generation interval on the Central Server and the global configuration download interval on the Security Server.

Migrate from Akka to gRPC

In September 2022, Lightbend announced that Akka, one of the third-party open-source libraries that X-Road heavily depends on, would change its licensing model. The new licensing model is commercial, but open-source projects meeting specific criteria may apply for an exception. However, the conditions of the license granted to open-source projects differ from the Apache 2.0 open-source license that Akka used before the change. From X-Road's perspective, the new license includes some unfavourable conditions, so Akka has been replaced with gRPC in X-Road.

Because of the change, any Akka-related system properties are not supported anymore starting from version 7.4.0, e.g., “<component>.akka.remote.artery.advanced.maximum-frame-size”. If Akka-related system properties have been used to override Akka’s default configuration values, they should be manually removed from the configuration.

Technical changes and upgrades

Besides functional changes and new features, several more technical changes have also taken place under the hood. The UI framework has been upgraded from Vue 2 to Vue 3, and the Spring Boot backend framework has been upgraded from version 2 to 3.

Also, the supported Java version has been upgraded from Java 11 to Java 17. The new Java version is installed automatically on other supported platforms except Red Hat Enterprise Linux 7 (RHEL7). On RHEL7, the Security Server administrator must manually configure a new package repository. More information about the upgrade process will be available in the release notes.

Other improvements and updates 

Besides the already-mentioned features, version 7.4.0 includes many other minor improvements and updates. For example, a new command line tool to verify message log archive hash chains, remove deprecated rate limiting parameters on the Security Server, improve the Central Server UI, publish REST services using OpenAPI 3.1, replace the SHA-1 hashing algorithm with SHA-256, and much more. To fully understand all the changes, please review the release notes document.

What’s next?

Initially, support for automated certificate management through the Automatic Certificate Management Environment (ACME) protocol was scheduled for version 7.4.0. Unfortunately, support for ACME didn't make it to version 7.4.0, but it will be included in version 7.5.0 instead. Other changes that will be introduced in version 7.5.0 include but are not limited to, support for Ubuntu 24.04 LTS and support for Red Hat Enterprise Linux (RHEL) 9. Version 7.5.0 will be released during Q2 in 2024.

At the same time, when developing X-Road 7, NIIS is already working on the next X-Road major version – X-Road 8. If you’re interested in hearing more about the topic, please check out the talk that I delivered at the X-Road Community Event 2023 in September. More news regarding X-Road 8 will be published soon. Stay tuned!

Data spaces are a hot topic right now in the field of data exchange and interoperability. However, it's not a new concept since its roots date back to 2005. The original definition was somewhat technical, but over the years, the term has expanded to cover all four layers of interoperability defined by the European Interoperability Framework (EIF).

Today, the term data space has several different definitions depending on whom you ask. Multiple international initiatives are working on data spaces to create common governance models, specifications, reference implementations, etc. Let's look at the definitions created by some of those initiatives.

”An infrastructure that enables data transactions between different data ecosystem parties based on the governance framework of that data space. Data space should be generic enough to support the implementation of multiple use cases.”

Source: Data Spaces Support Centre - DSSC Glossary - Version 1.0

”Decentralised, governed and standard-based structure to enable trustworthy data sharing between the data space participants on a voluntary basis. Data spaces may be purpose- or sector-specific, or cross-sectoral. Common European data spaces are a subset of data spaces within the scope of EU policies.”

Source: Gaia-X Glossary

”A Dataspace is a set of technical services that facilitate interoperable asset sharing between entities.”

Source: IDS Dataspace Protocol v0.8

”A data space is a federated data ecosystem within a certain application domain and based on shared policies and rules.”

Source: Sitra Rulebook for a Fair Data Economy

”A common European data space brings together relevant data infrastructures and governance frameworks in order to facilitate data pooling and sharing.”

Source: Commission Staff Working Document on Common European Data Spaces

When looking at the definitions, it’s clear that they are defining the same subject even though they’re approaching it from different angles. Also, it’s evident that data spaces are more than a technology since governance and policies play a significant role in the definitions.

The first version of X-Road was released in Estonia in 2001 – four years before the term data space appeared in an article for the first time. The technical implementation of X-Road has evolved and changed over the years, but the main concept has remained the same since the beginning. Also, X-Road is not only about technology; it also has an organisational model and trust framework. When comparing X-Road to the data space definitions, it’s easy to find many common factors and similarities. In fact, the definitions could very well be used to describe X-Road on a high level. But does that make X-Road a data space technology?

To answer the question, digging deeper into data spaces is necessary. Let's look at more detailed documentation and specifications to see how well X-Road is aligned with them.

The International Data Spaces Association

The International Data Spaces Association (IDSA) is a not-for-profit organisation aiming to create a global standard for international data spaces (IDS) and foster the global data spaces community. IDSA provides several data spaces related assets, for example:

• IDS Rulebook

• IDS Reference Architecture Model (IDS-RAM)

• IDS G

• IDS Dataspace Protocol.

Let’s study some of the assets provided by the IDSA and see how well X-Road is aligned with them. However, this will not be a complete comparison between the IDSA assets and X-Road. Instead, only selected parts of specific assets will be reviewed to highlight similarities and differences. Studying the source materials is recommended if you're interested in the topic in more detail.

Data space fundamentals

The IDS Rulebook defines foundational concepts of data space that seem to apply to X-Road on a high level:

• Establishing trust

• Data discoverability

• Data contract negotiation

• Data sharing & usage

• Observability

• Vocabularies and semantic models.

The IDS Rulebook and X-Road have the same vision of enabling data sovereignty and creating a trusted data-sharing ecosystem. They’re both based on the idea that trust is rooted in one or more trust anchors, trusted participants must meet specific policies that can vary between different ecosystems, and data sharing consists of peer-to-peer interactions between the participants.

Policies play an essential role in any data ecosystem. The IDS Rulebook defines multiple policy groups and the relationships between them. The same policy groups apply to X-Road, too, with the difference that X-Road doesn't define the structure and relationship of the policies or offer tools to express them. For example, the IDS specifications cover defining usage and contract policies and negotiating them as a part of the data exchange process. In X-Road, it’s up to the data exchange parties to agree on those policies using some external channel, e.g., email or service catalogue. Also, X-Road supports managing access to services. Still, the access policies are not technically associated with any other policies since the other policies are created and maintained outside of X-Road.

Operating models

The IDS Rulebook defines three different operating models for data spaces:

• Centralised data space authority

• Federated / distributed data space authority

• Decentralised data space authority.

 In the context of X-Road, the data space authority is equal to the X-Road Governing Authority. X-Road supports centralised and federated authority. Centralised authority is the most typical alternative for X-Road, and it's the model that a single X-Road ecosystem uses. Instead, when two X-Road ecosystems are federated, the responsibility can be considered distributed between the authorities of the federated ecosystems. However, even in a federated setup, the authorities only have control over their ecosystem.

Conceptual model

The conceptual model defined by the IDS Dataspace Protocol is very similar to X-Road’s conceptual model. Doing a mapping between the models is straightforward:

•  Dataspace – X-Road Ecosystem

• Dataspace Authority – X-Road Governing Authority

• Participant – Member

• Participant Agent – Security Server

• Identity Provider – Certificate Authority

• Credential Issuer – N/A

• Dataspace Registry – Central Server, Service Catalogue

The descriptions of the organisational entities (Dataspace Authority, Participant, Identity Provider) are pretty well aligned. Instead, there are differences in the descriptions of the technical entities (Participant Agent, Dataspace Registry). The technical differences are covered in the Components section.

Components

Comparing the components provides a good overview of the similarities and differences between the IDS-RAM and X-Road from a technical perspective. The IDS Identity Provider is not actively involved in the data exchange process, so it's omitted from the illustration.

IDS Identity Provider

The IDS Identity Provider consists of three complementary components:

• Certificate Authorities (CAs) issue and manage technical identity claims.

• The Dynamic Attribute Provisioning Service (DAPS) issues short-lived tokens providing information about Connectors.

• The Participant Information Service (ParIS) provides business-related details on Participants.

The IDS Identity Provider combines X-Road's Certificate Authority and Central Server. In X-Road, the roles of the CA and DAPS are combined since Member and Security Server-related information is included in the certificates. At the same time, the IDS Identity Provider decouples the certificate and the associated information. In that way, it's possible to alter the attributes of a certificate, e.g., attach new attributes to a certificate, without reissuing the certificate.

In X-Road, the Central Server stores some business-related information about Members. In addition, the Service Catalogue is a complementary X-Road component that may provide additional information about Members. Therefore, the Central Server and Service Catalogue are equal to the ParIS.

IDS Metadata Broker

The IDS Metadata Broker is basically a registry of IDS Connectors, their capabilities, characteristics, and metadata of the data they offer. The IDS Metadata Broker provides endpoints for registering, publishing, maintaining, and querying the metadata. The X-Road Central Server has a similar role as a registry of Members and Security Servers, with the difference that the Central Server doesn't store any information about the data or services offered by Security Servers. Instead, the Service Catalogue is an optional X-Road component that provides information about the data and services.

IDS Connector

The IDS Connector is the point of access to a data space, providing standardised data exchange between Participants. The IDS Connector is connected to all the other data space components since it provides data and metadata to them. For example, the IDS Connector provides technical interface description, authentication mechanism, and associated data usage policies to the Metadata Broker and usage contracts to the Clearing House. Also, several other IDS components (App Sore, Metadata Broker, and Clearing House) are based on the IDS Connector architecture.

In X-Road, the component that provides access to an X-Road ecosystem is the Security Server. Like the IDS Connector, the Security Server provides secure and standardised data exchange between Members. The Security Server communicates with all the other components of an X-Road instance – either directly or indirectly.

IDS Clearing House

The IDS Clearing House provides a logging service that records relevant information for clearing, billing and usage control. For example, the information is used to provide a settlement service based on usage contracts which can help to automate payments between the data exchange parties. In addition, the logged usage control data can be used to validate access to resources. Technically, the IDS Clearing House consists of an IDS Connector.

X-Road doesn’t have a component that would be a direct match with the IDS Clearing House. However, the optional X-Road Metrics component provides some similar capabilities, e.g., collecting service usage statistics that can be used to automate payments, collecting service statistics. In addition, the Security Server provides a digitally signed and timestamped log record of each data exchange transaction that can be used to validate the transaction afterwards. However, the data exchange parties store the log records locally, and no third parties have access to them.

IDS App Store

The IDS App Store is a platform to distribute IDS Apps for IDS Connectors. Currently, X-Road doesn’t have a similar component.

IDS Vocabulary Hub

The IDS Vocabulary Hub is a vocabulary management platform for IDS use cases. It’s a platform to host, maintain, publish, and document vocabularies. It gives access to the vocabulary terms and their descriptions. The IDS Information Model is the lowest common denominator and can be extended with additional vocabularies. The IDS Vocabulary Hub communicates with IDS Connectors and infrastructure components.

The X-Road architecture doesn’t include a vocabulary component, but it goes without saying that interoperable data exchange requires semantic interoperability. Therefore, it’s up to the X-Road Governing Authority and data exchange parties to agree on where and how vocabularies are managed and stored. For example, the Finnish Digital Agency has developed an Interoperability Platform that can be used to maintain and publish common terminologies.

Conclusions 

After comparing data spaces and X-Road from various aspects, they have a lot in common on a high level. However, looking into the details shows that they also have many differences.

For example, the IDS specifications cover various aspects of data exchange, e.g., usage conditions and policies, contract negotiation, and data transfer process. They do not set restrictions to the data transfer protocol or wire protocol – the protocol used to transfer the data. In other words, any existing transfer protocol can be used, which enables using existing solutions and supporting many different transfer protocols. This is a big difference compared to X-Road, which has its own transfer protocol. Also, X-Road doesn’t technically cover the before-mentioned aspects (usage conditions and policies, contract negotiation) covered by the IDS specifications.

Let's return to the original question – can X-Road be considered a data space technology? The answer is no if X-Road is strictly compared to the IDS specifications, despite the similarities. The IDSA has a certification scheme for the IDS components, and X-Road would not meet the certification requirements. The IDS Testbed is a platform that can be used to conduct evaluations that ensure that an IDS component is implemented securely and conform to the relevant specifications. Components that pass the evaluation receive certification and are approved in the IDS ecosystems.

On the other hand, the European Commission considers data exchange ecosystems to be data spaces even if they are not based on technologies conforming to the IDS specifications, for example, the Once-Only Technical System (OOTS) and European Health Data Space (EHDS). Those ecosystems align with the common definition and characteristics for data spaces, but the technologies they use in the implementation do not conform to the IDS specifications. With the same logic, an X-Road ecosystem could also be considered a data space.

Multiple organisations and initiatives are developing specifications and standards for data spaces, e.g., International Data Spaces Association (IDSA), Gaia-X, and Fiware. The initiatives work together, aiming to keep the specifications and standards aligned and not create multiple overlapping or competing specifications. However, the work is currently in progress, and not everything is fully ready and aligned yet. Therefore, it might be too early to define what is a data space and what’s not based on the deliverables of a single actor. Nevertheless, in the long-run, common standards and specifications are the only way to achieve interoperability within and between data spaces.