From e1f4451868b21ec55ef090c569494d26bbd60c76 Mon Sep 17 00:00:00 2001
From: RPKI Team at RIPE NCC <rpki@ripe.net>
Date: Fri, 26 Apr 2024 10:16:45 +0000
Subject: [PATCH] RIPE NCC has merged bce9b25a6

* Clean a sonarqube nit [f2c12853c]
* Clean commandaudit in integration tests [0eec93b63]
* Fix getCAStatEvents [360db641a]
* JpaCertificateAuthorityRepository: fix class cast error [a5a732830]
* Add test cases for CaStat methods [9faca1eec]
* SecurityConfig: fix admin UI access when authorization is disabled [52ed3b2ad]
* SecurityConfig: fix provisioning config [cf384d82b]
* SecurityConfig: disable session request cache parameter [c126055eb]
* SecurityConfig: use java method naming conventions [19d678a61]
* OIDC needs to be added in the same chain that it applies to [5401517af]
* Rewrite the SecurityConfig [68edba4c6]
* SonarQube nits [98939469b]
* Fix the disabled test in UpStreamCARequestEntityTest [91937c1d8]
* Build a container with JRE 17 [1c0e6ff2e]
* Truncate instant to ms in ProvisioningCmsSigningTimeStoreTest [543a05e6d]
* Use Instant instead of Timestamp in JpaRoaConfigurationRepository [e69771564]
* Update query in JpaRoaConfigurationRepositoryTest for new types [aee572b62]
* Update shouldFindAllPerCaAndCountPrefixes for new types [9f26fcfc2]
* Two unnecessary imports [cd393d814]
* Adjust ExpireOutgoingResourceCertificateResult to use long [0c401f547]
* Use Instant in PublishedObject(Data|Entry) [1eee1854d]
* Hibernate returns Instant instead of Timestamp [cfe8b4e73]
* Result is a long with Hibernate 6 [2df77ebca]
* Store artefacts for failed builds [b8ca3ff78]
* Use lenient stubbing in UpstreamCaControllerTest [2eed0dc98]
* Use thymeleaf-spring6 and refactor admin tests to Jupiter APIs [3e27c1817]
* Fix incorrect JPQL reference to certificate ids [3edc720ab]
* Use Wiremock for integration test case [1b720adb7]
* CertificationDomainTestCase did not persist KeyPair [a9d90164d]
* Remove usage of RandomUtil [90d284304]
* Use new DefaulTransactionStatus constructor [da9d23a7f]
* Validate.notNull without explanation is deprecated [ec5593ef8]
* Use new Spring Security syntax [eb262c1a3]
* AutoConfigureMetrics is now AutoConfigureObservability [ec51a5ddb]
* Enum is now mapped as tinyint [d62fd4e14]
* Hibernate version specific dialects are deprecated [0c5b01391]
* javax.persistence -> jakarta.persistence [7b805d021]
* Switch back to DBProvider name [8a555792d]
* New jar artifact name [b84fa63c2]
* Test DBProvider 1.6-SNAPSHOT [e2117413f]
* additional .toList changes after rebase [b5371e0ad]
* Update default `JAVA_HOME` to pick java 17 [d90e2186f]
* Fix `toList` derived types [a54d1a8ce]
* Low-handing Java 17 changes [433da1eb1]
* Toolchain is needed once [2f47cb82f]
* Switch to Java 17 [de744b3b9]
* Use postgres 15 in unit tests run on Github actions [de72145a1]
* chore(deps): update plugin com.google.cloud.tools.jib to v3.4.2 [69c6cb91c]
* chore(deps): update dependency org.springdoc:springdoc-openapi-ui to v1.8.0 [59403bcb7]
* chore(deps): update dependency gradle to v8.7 [515ba2e4a]
* Remove commons-text and do not use tomcat dependency [4171caf49]
* chore(deps): update dependency commons-io:commons-io to v2.16.1 [f0512bbc8]
* chore(deps): update dependency org.postgresql:postgresql to v42.7.3 [255ed5d55]
* Remove workaround [b1c3f03b1]
* chore(deps): update dependency net.jqwik:jqwik to v1.8.4 [4eb03d2dc]
---
 .github/workflows/unit-tests.yml              |  10 +-
 .gitlab-ci.yml                                |   3 +-
 build.gradle                                  |  27 ++-
 .../rpki-ripe-ncc.build-conventions.gradle    |   5 +-
 gradle/wrapper/gradle-wrapper.jar             | Bin 43462 -> 43453 bytes
 gradle/wrapper/gradle-wrapper.properties      |   2 +-
 hsm/build.gradle                              |   3 +-
 ...illNonHostedPublisherRepositoryBeanIT.java |   2 +-
 .../impl/RestCustomerServiceClientIT.java     |   6 +-
 .../impl/RestResourceServicesClientIT.java    |   6 +-
 .../net/ripe/rpki/util/ActuatorMetricsIT.java |  10 +-
 src/main/dist/rpki-ripe-ncc.sh                |   2 +-
 .../impl/CommandAuditServiceBean.java         |  13 +-
 .../bgpris/BgpRisEntryRepositoryBean.java     |  15 +-
 .../CertificateAuthorityViewServiceImpl.java  |  42 +++--
 .../ResourceCertificateViewServiceImpl.java   |   8 +-
 .../background/BackgroundTaskRunner.java      |   5 +-
 .../services/command/CommandServiceImpl.java  |  19 +-
 .../AllResourcesCertificateAuthority.java     |   8 +-
 .../rpki/domain/CertificateAuthority.java     |  22 +--
 .../CertificateAuthorityRepository.java       |   2 +-
 .../DownStreamProvisioningCommunicator.java   |   4 +-
 .../EmbeddedInformationAccessDescriptor.java  |   6 +-
 .../domain/EmbeddedResourceExtension.java     |   6 +-
 .../rpki/domain/EmbeddedValidityPeriod.java   |   4 +-
 .../rpki/domain/GenericPublishedObject.java   |  16 +-
 .../domain/HostedCertificateAuthority.java    |   8 +-
 .../domain/IncomingResourceCertificate.java   |  10 +-
 .../IntermediateCertificateAuthority.java     |   4 +-
 .../net/ripe/rpki/domain/KeyPairEntity.java   |   4 +-
 .../rpki/domain/KeyPairStatusHistory.java     |  10 +-
 .../domain/ManagedCertificateAuthority.java   |  21 +--
 .../domain/NonHostedCertificateAuthority.java |  45 +++--
 .../domain/NonHostedPublisherRepository.java  |  16 +-
 .../domain/OutgoingResourceCertificate.java   |  24 +--
 .../ripe/rpki/domain/PersistedKeyPair.java    |   8 +-
 .../ProductionCertificateAuthority.java       |  10 +-
 .../domain/ProvisioningAuditLogEntity.java    |  18 +-
 .../net/ripe/rpki/domain/PublicKeyEntity.java |  11 +-
 .../net/ripe/rpki/domain/PublishedObject.java |   2 +-
 .../ripe/rpki/domain/PublishedObjectData.java |   5 +-
 .../rpki/domain/PublishedObjectEntry.java     |   5 +-
 .../rpki/domain/RequestedResourceSets.java    |   6 +-
 .../ripe/rpki/domain/ResourceCertificate.java |   5 +-
 .../domain/ResourceCertificateRepository.java |   8 +-
 .../domain/TrustAnchorPublishedObject.java    |   6 +-
 .../domain/alerts/RoaAlertConfiguration.java  |  30 ++--
 .../alerts/RoaAlertIgnoredAnnouncement.java   |   4 +-
 .../RoaAlertMaintenanceServiceBean.java       |   3 +-
 .../archive/KeyPairDeletionService.java       |   2 +-
 .../rpki/domain/aspa/AspaConfiguration.java   |   6 +-
 ...paConfigurationMaintenanceServiceBean.java |  10 +-
 .../net/ripe/rpki/domain/aspa/AspaEntity.java |   2 +-
 .../domain/aspa/AspaEntityServiceBean.java    |   5 +-
 .../ripe/rpki/domain/audit/CommandAudit.java  |   2 +-
 .../net/ripe/rpki/domain/crl/CrlEntity.java   |  24 +--
 .../rpki/domain/hsm/HsmCertificateChain.java  |  20 +--
 .../java/net/ripe/rpki/domain/hsm/HsmKey.java |  24 +--
 .../net/ripe/rpki/domain/hsm/HsmKeyStore.java |  20 +--
 .../rpki/domain/manifest/ManifestEntity.java  |  26 +--
 .../rpki/domain/property/PropertyEntity.java  |  14 +-
 .../rpki/domain/roa/RoaConfiguration.java     |  25 ++-
 .../domain/roa/RoaConfigurationPrefix.java    |   7 +-
 .../net/ripe/rpki/domain/roa/RoaEntity.java   |  22 +--
 .../rpki/domain/roa/RoaEntityServiceBean.java |   3 +-
 .../domain/rta/UpStreamCARequestEntity.java   |  18 +-
 ...CertificateRequestCreationServiceBean.java |   3 +-
 .../core/domain/support/AggregateRoot.java    |   4 +-
 .../core/domain/support/EntitySupport.java    |  13 +-
 .../service/TrustAnchorResponseProcessor.java |   6 +-
 ...ileSystemPublicationObjectPersistence.java |   4 +-
 .../server/FSPublicationServer.java           |   2 +-
 .../RequestEntityTooLargeException.java       |   4 +-
 .../RestExceptionControllerAdvice.java        |   4 +-
 .../rpki/rest/json/ObjectMapperProvider.java  |   4 +-
 .../rpki/rest/security/ApiKeySecurity.java    |  17 +-
 .../JsonAuthenticationEntryPoint.java         |   6 +-
 ...RequestEntitySizeLimiterServletFilter.java |  20 +--
 .../rpki/rest/security/SecurityConfig.java    |  97 ++++++-----
 .../rest/security/SpringAuthInterceptor.java  |   4 +-
 .../rest/service/AbstractCaRestService.java   |  10 +-
 .../ripe/rpki/rest/service/AlertService.java  |   5 +-
 .../rest/service/AnnouncementService.java     |   6 +-
 .../service/BackgroundExecutorService.java    |  14 +-
 .../service/CaAspaConfigurationService.java   |   4 +-
 .../service/CaRoaConfigurationService.java    |   8 +-
 .../net/ripe/rpki/rest/service/CaService.java |   4 +-
 .../ripe/rpki/rest/service/CaStatService.java |   2 +-
 .../ripe/rpki/rest/service/GdprService.java   |   2 +-
 .../rpki/rest/service/HistoryService.java     |   5 +-
 .../rest/service/ProductionCaService.java     |  17 +-
 .../service/PublisherRepositoriesService.java |   9 +-
 .../rpki/rest/service/ResourceService.java    |   2 +-
 .../ripe/rpki/rest/service/RestService.java   |   2 +-
 .../java/net/ripe/rpki/rest/service/Roas.java |   4 +-
 .../rpki/rest/service/SystemSetupService.java |   2 +-
 .../rest/service/SystemStatusService.java     |   2 +-
 .../rpki/rest/service/UpstreamCaService.java  |   4 +-
 .../net/ripe/rpki/rest/service/Utils.java     |   4 +-
 .../rest/service/monitoring/AspaService.java  |   3 +-
 .../monitoring/RoaPrefixesService.java        |  10 +-
 .../ripencc/cache/JpaResourceCacheImpl.java   |   4 +-
 .../rpki/ripencc/cache/ResourceCacheLine.java |   6 +-
 .../CertificateIssuanceProcessor.java         |   7 +-
 .../ListResourceClassProcessor.java           |  13 +-
 .../ProvisioningAuditLogServiceBean.java      |  20 +--
 .../ProvisioningCmsResponseGenerator.java     |   4 +-
 .../ProvisioningCmsSigningTimeStore.java      |  23 ++-
 ...ProvisioningCmsValidationStrategyImpl.java |   1 +
 .../ProvisioningRequestProcessorBean.java     |  12 +-
 .../provisioning/ProvisioningServlet.java     |   8 +-
 .../impl/IanaRegistryXmlParserImpl.java       |   2 +-
 ...KrillNonHostedPublisherRepositoryBean.java |  16 +-
 .../services/impl/RestAuthServiceClient.java  |  12 +-
 .../impl/RestCustomerServiceClient.java       |  12 +-
 .../impl/RestResourceServicesClient.java      |  10 +-
 .../impl/RipeNccInternalNamePresenter.java    |   2 +-
 .../impl/RipeNccResourceLookupService.java    |   2 +-
 ...1ObjectIdentifierPersistenceConverter.java |   4 +-
 .../persistence/AsnPersistenceConverter.java  |   4 +-
 .../DateTimePersistenceConverter.java         |   4 +-
 ...utableResourceSetPersistenceConverter.java |   4 +-
 .../persistence/InMemoryRepository.java       |   7 +-
 .../InstantPersistenceConverter.java          |   4 +-
 .../IpResourceSetPersistenceConverter.java    |   4 +-
 .../support/persistence/JpaRepository.java    |  22 +--
 .../PublisherRequestPersistenceConverter.java |   4 +-
 .../support/persistence/Repository.java       |   4 +-
 ...epositoryResponsePersistenceConverter.java |   4 +-
 .../persistence/UriPersistenceConverter.java  |   4 +-
 .../X500PrincipalPersistenceConverter.java    |   4 +-
 .../ui/daemon/health/HealthChecks.java        |   2 +-
 .../ui/daemon/health/HealthService.java       |   2 +-
 .../daemon/health/checks/CryptoChecker.java   |   2 +-
 ...nHostedPublisherRepositoryHealthCheck.java |   2 +-
 .../server/api/dto/AspaConfigurationData.java |   1 -
 .../rpki/server/api/dto/RoaEntityData.java    |   2 +-
 .../services/impl/ActiveNodeServiceBean.java  |   2 +-
 .../rpki/services/impl/AspaServiceBean.java   |   3 +-
 .../ProvisioningIdentityViewServiceBean.java  |   2 +-
 .../RoaAlertConfigurationViewServiceBean.java |   7 +-
 .../rpki/services/impl/RoaServiceBean.java    |  11 +-
 .../AllCaCertificateUpdateServiceBean.java    |   2 +-
 .../impl/background/BackgroundServices.java   |   4 +-
 .../impl/background/CaCleanUpServiceBean.java |   2 +-
 .../CertificateExpirationServiceBean.java     |   2 +-
 ...eyPairActivationManagementServiceBean.java |  11 +-
 ...eyPairRevocationManagementServiceBean.java |   2 +-
 ...ublicRepositoryPublicationServiceBean.java |   4 +-
 .../PublishedObjectCleanUpServiceBean.java    |   2 +-
 .../background/PublisherSyncDelegateImpl.java |   2 +-
 .../impl/background/PublisherSyncService.java |   2 +-
 .../impl/background/ReinitServiceBean.java    |   2 +-
 .../impl/background/ResourceCacheService.java |   2 +-
 ...actCertificateAuthorityCommandHandler.java |   2 +-
 ...tedCertificateAuthorityCommandHandler.java |   2 +-
 ...tedCertificateAuthorityCommandHandler.java |   2 +-
 ...AllResourcesCaResourcesCommandHandler.java |   2 +-
 ...cesCertificateAuthorityCommandHandler.java |   2 +-
 ...ateCertificateAuthorityCommandHandler.java |   2 +-
 ...ootCertificateAuthorityCommandHandler.java |   2 +-
 ...eteCertificateAuthorityCommandHandler.java |   2 +-
 ...eleteNonHostedPublisherCommandHandler.java |   4 +-
 ...flineCARepublishRequestCommandHandler.java |   2 +-
 ...aliseMyIdentityMaterialCommandHandler.java |   2 +-
 ...ueUpdatedManifestAndCrlCommandHandler.java |   2 +-
 ...mentActivatePendingKeysCommandHandler.java |   2 +-
 ...yManagementInitiateRollCommandHandler.java |   2 +-
 ...ManagementRevokeOldKeysCommandHandler.java |  10 +-
 .../LockCertificateAuthorityHandler.java      |   2 +-
 ...gResourceCertificatesInvariantHandler.java |   4 +-
 .../impl/handlers/MessageDispatcher.java      |  10 +-
 ...ityToIntermediateParentCommandHandler.java |   4 +-
 ...cessTrustAnchorResponseCommandHandler.java |   2 +-
 ...isionNonHostedPublisherCommandHandler.java |   2 +-
 ...ningCertificateIssuanceCommandHandler.java |   2 +-
 ...ngCertificateRevocationCommandHandler.java |   2 +-
 .../impl/handlers/PublicationSupport.java     |   8 +-
 .../SubscribeToRoaAlertCommandHandler.java    |   2 +-
 ...UnsubscribeFromRoaAlertCommandHandler.java |   2 +-
 ...ingResourceCertificatesCommandHandler.java |   2 +-
 ...UpdateAspaConfigurationCommandHandler.java |   6 +-
 ...tIgnoredAnnouncedRoutesCommandHandler.java |   2 +-
 .../UpdateRoaConfigurationCommandHandler.java |   5 +-
 .../impl/jpa/JpaAspaEntityRepository.java     |   2 +-
 .../JpaCertificateAuthorityRepository.java    |  96 +++++-----
 .../impl/jpa/JpaCrlEntityRepository.java      |   4 +-
 .../impl/jpa/JpaHsmKeyStoreRepository.java    |   2 +-
 .../impl/jpa/JpaManifestEntityRepository.java |   4 +-
 .../impl/jpa/JpaPropertyEntityRepository.java |   4 +-
 .../jpa/JpaPublishedObjectRepository.java     |   4 +-
 .../jpa/JpaResourceCertificateRepository.java |  13 +-
 .../JpaRoaAlertConfigurationRepository.java   |   4 +-
 .../jpa/JpaRoaConfigurationRepository.java    |  16 +-
 .../impl/jpa/JpaRoaEntityRepository.java      |   2 +-
 ...aTrustAnchorPublishedObjectRepository.java |   4 +-
 .../net/ripe/rpki/util/JdbcDBComponent.java   |   6 +-
 .../net/ripe/rpki/web/AdminController.java    |   4 +-
 .../net/ripe/rpki/web/BaseController.java     |  13 +-
 .../ripe/rpki/web/HealthCheckController.java  |   2 +-
 .../ripe/rpki/web/ProductionCaController.java |   5 +-
 .../rpki/web/ResourceCacheController.java     |   4 +-
 .../ripe/rpki/web/UpstreamCaController.java   |   2 +-
 src/main/resources/application-local.yml      |   4 +
 src/main/resources/application.yml            |   9 +-
 ...xes_hibernate6_enum_mapped_as_smallint.sql |   2 +
 .../impl/CommandAuditServiceBeanTest.java     |   2 +-
 .../bgpris/riswhois/RisWhoisFetcherTest.java  |  64 +++----
 .../ripe/rpki/config/OpenAPIConfigTest.java   |   3 +-
 ...rtificateAuthorityViewServiceImplTest.java |  21 ++-
 ...ateAuthorityViewServiceStatisticsTest.java | 164 ++++++++++++++++++
 ...esourceCertificateViewServiceImplTest.java |   4 +-
 ...uentialBackgroundQueuedTaskRunnerTest.java |   2 +-
 .../command/CommandServiceImplTest.java       |   4 +-
 .../domain/CertificationDomainTestCase.java   |  20 ++-
 .../net/ripe/rpki/domain/TestObjects.java     |  11 +-
 .../RoaAlertMaintenanceServiceBeanTest.java   |  16 +-
 ...nMemoryCertificateAuthorityRepository.java | 101 +++++++++++
 ...oaConfigurationMaintenanceServiceTest.java |  17 +-
 .../rta/UpStreamCARequestEntityTest.java      |  25 ++-
 .../rpki/hsm/db/DatabaseKeyStorageTest.java   |   2 +-
 .../TrustAnchorResponseProcessorTest.java     |   7 +-
 ...ystemPublicationObjectPersistenceTest.java |   9 +-
 .../server/ExternalPublishingServerTest.java  |  14 +-
 .../rpki/rest/service/AlertServiceTest.java   |   2 +-
 .../rest/service/AnnouncementServiceTest.java |   2 +-
 .../BackgroundExecutorServiceTest.java        |   6 +-
 .../CaAspaConfigurationServiceTest.java       |   3 +-
 .../CaRoaConfigurationServiceTest.java        |   2 +-
 .../rpki/rest/service/CaStatServiceTest.java  |   2 +-
 .../rpki/rest/service/HistoryServiceTest.java |   2 +-
 .../PublisherRepositoriesServiceTest.java     |   9 +-
 .../java/net/ripe/rpki/rest/service/Rest.java |   4 +-
 .../rest/service/UpstreamCaServiceTest.java   |   2 +-
 .../service/monitoring/AspaServiceTest.java   |   2 +-
 .../PublishedObjectsServiceTest.java          |   2 +-
 .../monitoring/RoaPrefixesServiceTest.java    |   2 +-
 .../cache/JpaResourceCacheImplTest.java       |   2 +-
 .../ProvisioningAuditLogServiceBeanTest.java  |   4 +-
 .../ProvisioningCmsSigningTimeStoreTest.java  |  35 ++--
 .../ProvisioningRequestProcessorBeanTest.java |   2 +-
 .../provisioning/ProvisioningServletTest.java |   4 +-
 ...lNonHostedPublisherRepositoryBeanTest.java |   4 +-
 .../impl/RestResourceServicesClientTest.java  |   2 +-
 .../ui/daemon/health/HealthChecksTest.java    |   2 +-
 .../services/impl/EmailSenderBeanTest.java    |   3 +-
 .../services/impl/RoaServiceBeanTest.java     |   4 +-
 ...AllCaCertificateUpdateServiceBeanTest.java |   2 +-
 .../BackgroundServiceMetricsTest.java         |   7 +-
 .../background/BackgroundServicesTest.java    |   2 +-
 ...cRepositoryPublicationServiceBeanTest.java |   2 +-
 ...ParentCertificateUpdateSagaHostedTest.java |  26 +--
 ...entCertificateUpdateSagaNonHostedTest.java |  26 +--
 ...eNonHostedPublisherCommandHandlerTest.java |   4 +-
 ...datedManifestAndCrlCommandHandlerTest.java |   4 +-
 ...ourceCertificatesInvariantHandlerTest.java |   2 +-
 ...oIntermediateParentCommandHandlerTest.java |   4 +-
 .../impl/handlers/PublicationSupportTest.java |   6 +-
 .../JpaAspaConfigurationRepositoryTest.java   |   2 +-
 .../impl/jpa/JpaAspaEntityRepositoryTest.java |   2 +-
 ...JpaCertificateAuthorityRepositoryTest.java |   2 +-
 .../jpa/JpaPublishedObjectRepositoryTest.java |   5 +-
 .../JpaResourceCertificateRepositoryTest.java |   4 +-
 ...paRoaAlertConfigurationRepositoryTest.java |   2 +-
 .../JpaRoaConfigurationRepositoryTest.java    |   4 +-
 .../impl/jpa/JpaRoaEntityRepositoryTest.java  |   2 +-
 .../ripe/rpki/util/JdbcDBComponentTest.java   |   2 +-
 .../java/net/ripe/rpki/util/StreamsTest.java  |   2 +-
 .../ripe/rpki/web/AdminControllerTest.java    |  17 +-
 .../rpki/web/HealthCheckControllerTest.java   |  18 +-
 .../rpki/web/ProductionCaControllerTest.java  |  16 +-
 .../rpki/web/SpringWebControllerTestCase.java |   7 +-
 .../rpki/web/UpstreamCaControllerTest.java    |  22 ++-
 src/test/resources/application-test.yml       |   3 +
 274 files changed, 1329 insertions(+), 1101 deletions(-)
 create mode 100644 src/main/resources/db/migration/V131__roaconfiguration_prefixes_hibernate6_enum_mapped_as_smallint.sql
 create mode 100644 src/test/java/net/ripe/rpki/core/read/services/ca/CertificateAuthorityViewServiceStatisticsTest.java
 create mode 100644 src/test/java/net/ripe/rpki/domain/inmemory/InMemoryCertificateAuthorityRepository.java

diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index 4fc1eed..241f324 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -1,4 +1,4 @@
-name: JUnit Tests 
+name: JUnit Tests
 on:
   pull_request:
   push:
@@ -9,12 +9,12 @@ jobs:
     # runs-on: gradle:7.5.1-jdk8
     services:
       postgres:
-        image: postgres:12.15
+        image: postgres:15
         env:
           POSTGRES_USER: certdb
           POSTGRES_PASSWORD: certdb
           POSTGRES_DB: certdb_test
-        ports:          
+        ports:
           - 5432:5432
         options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
 
@@ -25,6 +25,6 @@ jobs:
         uses: dorny/test-reporter@v1
         if: success() || failure()    # run this step even if previous step failed
         with:
-          name: JUnit Tests            
+          name: JUnit Tests
           path: 'build/test-results/test/TEST-*.xml'
-          reporter: java-junit
\ No newline at end of file
+          reporter: java-junit
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 74ba496..558df4b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,5 +1,5 @@
 default:
-  image: gradle:8.6-jdk11
+  image: gradle:8.7-jdk17
 
 # Explicit version of the Mergerequests-Pipelines workflow, with the main branch
 # added.
@@ -67,6 +67,7 @@ build:
     - ./gradlew -i build integrationTest
     - cat build/reports/jacoco/test/html/index.html
   artifacts:
+    when: always
     paths:
       - build
       - scripts/*
diff --git a/build.gradle b/build.gradle
index a93eb97..5fbea8d 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,9 +1,9 @@
 plugins {
     id 'rpki-ripe-ncc.build-conventions'
-    id 'org.springframework.boot' version '2.7.18'
+    id 'org.springframework.boot' version "3.2.4"
     id 'distribution'
     id 'jacoco'
-    id "com.google.cloud.tools.jib" version "3.3.2"
+    id "com.google.cloud.tools.jib" version "3.4.2"
     id "com.google.osdetector" version "1.7.3"
 }
 
@@ -41,8 +41,8 @@ dependencies {
     }
     implementation 'org.flywaydb:flyway-core'
 
-    implementation "org.thymeleaf:thymeleaf:3.1.1.RELEASE"
-    implementation "org.thymeleaf:thymeleaf-spring5:3.1.1.RELEASE"
+    implementation "org.thymeleaf:thymeleaf:3.1.2.RELEASE"
+    implementation "org.thymeleaf:thymeleaf-spring6:3.1.2.RELEASE"
 
     implementation platform('io.sentry:sentry-bom:6.34.0')
     implementation 'io.sentry:sentry-spring-boot-starter'
@@ -50,21 +50,20 @@ dependencies {
 
     implementation "net.ripe.rpki:rpki-commons:$rpki_commons_version"
 
-    implementation 'org.springdoc:springdoc-openapi-ui:1.7.0'
+    implementation 'org.springdoc:springdoc-openapi-ui:1.8.0'
 
     runtimeOnly 'io.micrometer:micrometer-registry-prometheus'
-    implementation 'org.postgresql:postgresql:42.7.2'
+    implementation 'org.postgresql:postgresql:42.7.3'
     runtimeOnly 'org.springframework.boot:spring-boot-starter-tomcat'
 
     implementation 'com.google.code.gson:gson:2.10.1'
     implementation 'com.jamesmurty.utils:java-xmlbuilder:1.3'
     implementation 'commons-codec:commons-codec:1.16.1'
-    implementation 'commons-io:commons-io:2.15.1'
+    implementation 'commons-io:commons-io:2.16.1'
     implementation 'ch.qos.logback.contrib:logback-json-classic:0.1.5'
     implementation 'ch.qos.logback.contrib:logback-jackson:0.1.5'
     implementation 'net.logstash.logback:logstash-logback-encoder:7.3'
     implementation 'commons-lang:commons-lang:2.6'
-    implementation 'org.apache.commons:commons-text:1.10.0'
 
     testImplementation('org.springframework.boot:spring-boot-starter-test') {
         exclude group: 'org.junit.vintage', module: 'junit-vintage-engine'
@@ -73,8 +72,8 @@ dependencies {
         exclude group: 'org.hamcrest', module: 'hamcrest-core'
     }
 
-    testImplementation 'com.github.tomakehurst:wiremock-jre8:2.35.0'
-    testImplementation 'net.jqwik:jqwik:1.8.3'
+    testImplementation "org.wiremock:wiremock-jetty12:3.5.2"
+    testImplementation 'net.jqwik:jqwik:1.8.4'
     testImplementation "net.ripe.rpki:rpki-commons:$rpki_commons_version:tests"
     testImplementation 'org.assertj:assertj-core'
 
@@ -87,12 +86,6 @@ dependencies {
 
 }
 
-java {
-    toolchain {
-        languageVersion = JavaLanguageVersion.of(11)
-    }
-}
-
 sourceSets {
     integration {
         java.srcDir 'src/integration/java'
@@ -151,7 +144,7 @@ distributions {
 
 jib {
     from {
-        image = "openjdk:11-jdk-slim"
+        image = "openjdk:17-jdk-slim"
     }
     to {
         image = "docker-registry.ripe.net/rpki/rpki-ripe-ncc"
diff --git a/buildSrc/src/main/groovy/rpki-ripe-ncc.build-conventions.gradle b/buildSrc/src/main/groovy/rpki-ripe-ncc.build-conventions.gradle
index dd43574..5f88a66 100644
--- a/buildSrc/src/main/groovy/rpki-ripe-ncc.build-conventions.gradle
+++ b/buildSrc/src/main/groovy/rpki-ripe-ncc.build-conventions.gradle
@@ -35,11 +35,14 @@ repositories {
     maven {
         url = uri('https://maven.nexus.ripe.net/repository/maven-third-party')
     }
+    maven {
+        url = uri('https://maven.nexus.ripe.net/repository/maven-third-party-snapshots')
+    }
 }
 
 java {
     toolchain {
-        languageVersion = JavaLanguageVersion.of(11)
+        languageVersion = JavaLanguageVersion.of(17)
     }
 }
 
diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar
index d64cd4917707c1f8861d8cb53dd15194d4248596..e6441136f3d4ba8a0da8d277868979cfbc8ad796 100644
GIT binary patch
delta 34118
zcmY(qRX`kF)3u#IAjsf0xCD212@LM;?(PI<f(@>NyAue(f;$XO2=4Cg1P$=#e%|lo
zKk1`B>Q#GH)wNd-&cJofz}3=WfYndTeo)CyX{fOHsQjGa<{e=jamMNwjda<PyWE6-
zP~B#x7leo3nD`qQ)CqpqLwL&Nv*c_uf@6ZzDxH4Kk*=_Q!1=S4w`ejm#xafRiVQ9K
zD|NMG<SxpdU<&W$m3qe4z`XCn(ZbVn07Ju^@)#`N!0VN6<~T~KDoO4tX0Wnd#9^aG
zzw_kBWvKv8AX+m002<gC-eNM-rZnBB9F6nP%6MQjX4aHBE}ky4v9DAk%X3G|ZVInC
z0sH3o9G@FVA`%%F8RyEFms&lE|8}H=IL>tD={CN3>GNchOE9OGPIqr)3v>RcKWR3Z
zF-guIMjE2UF0Wqk1)21791y#}ciBI*bAenY*B<S7Lsj7;64caBml7(9sSP$#!4bz5
zfe$Y|L&2pF$!`g2EFBw-(C>MW_)AeSuM5}vz_~`+1i!Lo?XAEq{TlK5-efNFgHr6o
zD>^vB&%3ZGEWMS>`?tu!@66|uiDvS5`?bF=gIq3rkK(j<_TybyoaDHg8;Y#`;>tXI
z=tXo~e9{U!*hqTe#nZjW4z0mP8A9UUv1}C#R*@yu9G3k;`Me0-BA2&Aw6f`{Ozan2
z8c8Cs#dA-7V)ZwcGKH}jW!Ja&VaUc@mu5a@CObzNot?b{f+~+212lwF;!QKI16FDS
zodx>XN$sk9;t;)maB^s6sr^L32EbMV(uvW%or=|0@U6cU<cnXKOZI@-_2b|FP!$}s
zAe;S8Mg2+heB}qk71p?*lsuXu#LR?_0T)ujf|bz~>kE`_!<=LHLlRGJx@gQI=B(nn
z-GEjDE}*8>3U$n(t^(b^C$q<Dz5^v_5fDC=_*60>STI;}6q&ypp?-2rGpqg7b}pyT
zOARu2x><t9J4jOACSe7Cla*>0HB{&D(d3sp`+}ka+Pca5glh|c=M)Ujn_$ly^X6&u
z%Q4Y*LtB_>i6(YR!?{Os-(^J`(70lZ&Hp1I^?t@~SFL1!m0x6j|NM!-JTDk)%Q^R<
z@e?23FD&9_W{Bgtr&CG&*Oer3Z(Bu2EbV3T9FeQ|-vo5pwzwQ%g&=zFS7b{n6T2ZQ
z*!H(=z<{D9@c`K<z${~)Mo?=i!8kgh3^kh#gZ+tgX&gTG!eX0?^?c|0?IsnpYDup`
zE@9&nF#>mHO&DbUIzpg`+r5207}4D=_P$ONIc5lsFgn)UB-oUE#{r+|uHc^hzv_df
zV`n<Uy?gf){vC8%ni$H6BLQ|&nNh_JVuc@V<M{j`fPiV3mmYOH;{D(UIYmW$_M(id
zfz>8&qry%jXQ33}Bjqcim~BY1?KZ}x453Oh7G@fA(}+m(f$)TY%7n=MeLi{jJ7LMB
zt(mE*vFnep?YpkT_&WPV9*f>uSi#n#@STJmV&SLZnlLsWYI@y+Bs=gzcqche=&<e&
zH!*BfX&4XuI(sK|M6EWNz&xj!)?<o^!;`2$ksx0>cBH2WL)dkR!a95*Ri)JH_4c*-
zl4pPLl^as5_y&6RDE@@7342DNyF&GLJez#eMJjI}#pZN{Y8io{l*D+|f_Y&RQPia@
zNDL;SBERA|B#cjlNC@V<BMj^PW+*!uB6Kia#Q_k#D<Kdw%NW0h5PShX-Ateg=^YLq
zPqOC>U{2csOvB8$HzU$01Q?y)KEfos>W46VMh>P~oQC8k=26-Ku)@C|n^zDP!hO}Y
z_tF}0@*Ds!JMt>?4y|l3?`v#5*oV-=vL7}zehMON^=s1%q+n=^^Z{^mTs7}*->#YL
z)x-~SWE{e?YCarwU$=cS>VzmUh?Q&7?#Xrcce+jeZ|%0!l|H_=D_`77hBfd4Zqk&!
zq-Dnt_?5*$Wsw8zGd@?woEtfYZ2|9L8b>TO6>oMh%`B7iBb)-aCefM~q|S2Cc0t9T
zlu-ZXmM0wd$!gd-dTtik{bqyx32%f;`XUvbUWWJmpHfk8^PQIEsByJm+@+-aj4J#D
z4#Br3pO6z1eIC>X^yKk|<Bgti^oqrbEGF$Jw^;w14UYT$*kTROuXlF!RjFMV72W^U
zoMllbg+6ow&xKMI7=%s{uAdU)(;XWPXi7!aAo)eS$$~Y>PeVwX_4B+IYJyJyc3B`4
zPrM#raacGIzVOexcVB;fcsxS=s<vwC^XKnl?x{xO@E;np^jTyr6HSfEb6qXiZr9dg
z)?Uhot!j3J`wuMIE#*geg>1e&V;Xe$tw&KQ`YaCkHTKe*Al#velxV{3wxx}`7@isG
zp6{+s)CG%HF#JBAQ_jM%zCX5X;J%-*%&jVI?6KpYyzGbq7qf;&hFprh?E5Wyo=bZ)
z8YNycvMNGp1836!-?nihm6jI`^C`EeGryoNZO1AFTQhzFJOA%Q{X(sMYlzABt!&f{
zoDENSuoJQIg5Q#@BUsNJX2h>jkdx4<+ipUymWKFr;w+s>$laIIkfP6nU}r+?J9bZg
zUIxz>RX$kX=C4m(zh-Eg$BsJ4OL&_J38PbHW&7JmR27%efAkqqdvf)Am)VF$+U3WR
z-E#I9H6^)zHLKCs7|Zs<7Bo9VCS3@CDQ;{UTczoEprCKL3ZZW!ffmZFkcWU-V|_M2
zUA9~8tE9<5`59W-UgUmDFp11YlORl3mS3*2#ZHjv{*-1#uMV_oVTy{PY(}AqZv#wF
zJVks)%N6LaHF$$<6p8S8Lqn+5&t}DmLKiC~lE{jPZ39oj{wR&fe*LX-z0m}9ZnZ{U
z>3-5Bh{KKN^n5i!M79Aw5eY=`6fG#aW1_ZG;fw7JM69qk^*(rmO{|Z6rXy?l=K=#_
zE-zd*P|(sskasO(cZ5L~_{Mz&Y@@@Q)5_8l<6vB$<SnmTz>@226O+pDvkFaK8b>%2
zfMtgJ@+cN@w>3)(_uR;s8$sGONbYvoEZ3-)zZk4!`tNzd<0lwt{RAgplo*f@Z)uO`
zzd`ljSqKfHJOLx<Pf6T=jN-Y)-G`fh^*;28D6YUz?Jn$Qe<sb8Bqa)nI_IHAx#i9Y
z$j}`a&gQX1Vaa!Ea{Z|{=AEw)&>ya4_}T`k5Ok1Mpo#MSqf~&ia3uIy{zyuaF}pV6
z)@$ZG5LYh8Gge*LqM_|GiT1*J*uKes=Oku_gMj&;FS`*sfpM+ygN&yOla-^WtIU#$
zuw(_-?DS?6DY7IbON7J)p^IM?N>7x^3)(7wR4PZJu(teex%l>zKAUSNL@~{czc}bR
z)I{Xz<Lxhu3=iQUmF>XqZBU3a;7UQ~PvAx8g-3q-9AEd}1JrlfS8NdPc+!=HJ6Bs(
zCG!0;e0z-22(Uzw>hkEmC&<fdEY_MO4!XLJs6(n80jtDO!nnCLqs#Y_I0IE~UCPp@
zM_JDqY7&S(Y&QK^-o&47T#3E|`NAlIxvHf3kny;RvvXG3GAWOcnn~MYcAb70=&uwJ
zkt37-cyED3`=cXw-}?~Jre&#~t1kA3Jz_#Bn#jD975Ham#lXmn@!Xe|z!$O^A|8Ja
zxE40Kw#qS@4?x}td&6F5(NIU<?GmP1&i-wkqanUS(~JutQ=}J2g$roe>xj?{0p|kc
zM}MMXCF%RLLa#5jG`+}{pDL3M&|%3BlwOi?dq!)KUdv5__zR>u^o|QkYiqr(m3HxF
z6J*DyN#Jpooc$ok=b7{UAVM@<lCUruKn!C)jTs?G3tF=X?02t9ti$}%_-&Apkmnno
z%fbj!k#YwEr={VibqP-VP5rAcB3fluUzRfi(z01WI?#!N!mLc);E?^+GEin57qXIO
zg8kNfR~-pWXV>nwGsr6kozSddwulf5g1{B=0#2)zv!zLXQup^BZ4sv*sEsn)+MA?t
zEL<g?Ek3W6nR6!O+b*MM+O~eGu_sDZwCnE-jqq7Mvt4JiAYMi&B_$Kb75}|i#Oq?4
z^@)_zxi_9dEszN`mdX;tu;@!Yj!NQXjGcs`B*6!}Q`Xp8$`LBVWzdw?k{MZ=kF0i6
z0u$CdmQDt$g$6JM?JyEA2oW1N)I#|wQ>)}3*R?4(J~CpeSJPM!oZ~8<cg4cY=X|VM
z=^|PC37b4k-X|34t*R-GX&L@u*U|J4q?K3(MG@qFTXx0}+s2jwB%hz+*7-k{2(QHj
zQmM#6vaQDzB)m!b_6aC`nE*p#lagJ>;8s_=@6o`IA%{aEA9!GELRvOuncE`s7sH91
zmF=+T!Q6%){?lJn3`5}oW31(^Of|$r%`~gT{eimT7R~*Mg@x+tWM3KE>=Q>nkMG$U
za7r>Yz2LEaA|PsMafvJ(Y>Xzha?=>#B!sYfVob4k5Orb$INFdL@U0(J8Hj&kgWUlO
zPm+R07E+oq^4f4#HvEPANGWLL_!uF{nkHYE&BCH%l1FL_r(Nj@M)*VOD5S42Gk-yT
z^23oAMvpA57H(fkDGMx86Z}rtQhR^L!T2iS!<mO!Z%ty;Vm%l(OCwBkU1^sK>788E
z+^${W1V}J_NwdwdxpXAW8}#6o1(Uu|vhJvubFvQIH1bDl4J4iDJ+181KuDuHwvM?`
z%1@Tnq+7>p{O&p=@QT}4wT;HCb@i)&7int<0#bj8j0sfN3s6|a(l7Bj#7$hxX@~iP
z1HF8RFH}irky&eCN4T94VyK<n?6cO6O!>qGywEGY{Gt0Xl-`|dOU&{Q;Ao;sL>C6N
zXx1y^RZSaL-pG|JN;j9ADjo^XR}gce#seM4QB1?S`L*aB&QlbBIRegMnTkTCks7JU
z<0(b+^Q?HN1&$M1l&I@>HMS;!&bb()a}hhJzsmB?I`poqTrSoO>m_JE5U4=?o;OV6
zBZjt;*%1P>%2{UL=;a4(aI>PRk|mr&F^=v6Fr&xMj8fRCXE5Z2qdre&;$_RNid5!S
zm^XiLK25G6_j4dWkFqjtU7#s;b8h?BYFxV?OE?c~&ME`n`$ix_`mb^AWr+{<eR?ie
zu^n7F<r|0}4&z!1h-oy{4Bz+F69}Q`VpCh(8k$5~F}&!BM0MdLg4qhh@bV;%4Rw1m
zzqF@FV8+w9w|_OPDgrx*NZebP^m@hq4m*)5tuF1+`%o#G^#zx@w5ZsxZaUE7jzw;N
zhD*<Wl`rn3nq7+Ag+JpPe%(D1QRTS`qM+;}+_^&I$1>M9{^^Rl;~KREplwy2q;&xe
zUR0SjHzKVYzuqQ84w$NKVPGVHL_4I)Uw<$uL2-Ml#+5r2X{LLqc*p13<F6YTV#kWf
zqG&w9QQdWL4?_d~CQnBI;?0D)Qg}{>{;w#E*Kwb*1D|v?e;(<>vl@VjnFB^^Y;;b3
z=R@(uRj6D}-h6CCOxAdqn~_SG=bN%^9(Ac?zfRkO5x2VM0+@_qk?MDXvf<z0O)%s7
zMAFU0$m3HcbC#~2Hc64da@3O%^-=j9undudUI{}zbhknzUL#akDQiL_v_tyrinjEO
zI(3QAK0&1x_y)uNn}57R#|)d${jFV)^rH-I`D9H?s`)o)uI9hKceIT0a|7|+J9G4R
z?^G4wKj6MYf*wobKriuVpvC#r;9ThcHk6^a^xn2ODvRhy6<dTeve8{i!Cu=iTXW7{
z{?H_E?=z!{hGvD8B;Y6V{)tUgB~RL}OZbPv*z!^?TUpHIl7qWjaL~c+st5S>=@q_*
z3IM@)er6-OXyE1Z4sU3{8$Y$>8NcnU-nkyWD&2ZaqX1JF_JYL8y}>@V8A5%lX#U3E
zet5PJM`z79q9u5v(OE~{by|Jzlw2<0h`hKpOefhw=fgLTY9M8h+?37k@TWpzAb2Fc
zQMf^aVf!yXlK?@5d-re}!fuAWu0t57ZKSSacwRGJ$0uC}ZgxCTw>cjRk*xCt%w&hh
zoeiIgdz__&u~8s|_TZsGvJ7sjvBW<(C@}Y%#l_ID2&C`0;Eg2Z+pk;IK}4T@W6X5H
z`s?ayU-iF+aNr5--T-^~K~p;}D<LJ~4Vm)-6?_|)BF5gW4JSY7&(G|Av&E;#AyyV$
zSunlmXPqL`WNNYmTNMzV20flD83AxG;E^Ec8R;(;vdTi$02nI6(4u&=rI7r^2x}@}
zb^h(s^Hv9AwRzcBrk1j8D%Js|d7yM)>(*GWOAYDV9JEw!w8ZYzS3;W6*_`#aZw&9J
ziXhBKU3~zd$kKzCAP-=t&cFDeQR*_e*(excIUxKuD@;-twSlP6>wWQU)$|H3Cy+`=
z-#7OW!ZlYzZxkdQpfqVDFU3V2B_-eJS)Fi{fLtRz!K{~7TR~XilNCu=Z;{GIf9KYz
zf3h=Jo+1#_s>z$lc~e)l93h&RqW1VHYN;Yjwg#Qi0yzjN^M4cuL>Ew`_-_wRhi*!f
zLK6vTpgo^Bz?8AsU%#n}^EGigkG3FXen3M;hm#C38P@Zs4{!QZPAU=m7ZV&xKI<yS
zef9C7IM#)bKApw^nm2P0xPH)?)BN&sFvRw*IK$#0AfO}b<r{uW7o8y}SN)F@&yQm%
zn~nNb7d)eJ2BHvG2FG3z@j=payQlcc`;O$D3XPT3JFukw8Xr%@g@bkhB?@#$+AOw(
z(|@nqsNM;#gS0yC1MWhDA!W&4Ru~!5ks5Q~Pml#jZyfXEak(Em<WRqk+Ush$9swq)
zmPM%H4#Ov0YvR0-8rrI^layyN^pm(_yZ9(@AnNKHRrR<^fYJvzs{G9-d<-PIeZxic
zI!fz70I#*sa*eAVT<99Vxgy-<y1w@xbY}slZ7CHAcKSW+wgZc7BMb2FfqhW}?;;BY
zP!O(w$5_aUKLF$CVvI<PnooNWjt084FOTmh7FT(=9D-a~XGZP;^5(x4>_HWNt90Ef
zxClm)ZY?S|n**2cNYy-xBlLAVZ=~+!|7y`(fh+M$#4zl&T^gV8ZaG(RBD!`3?9xcK
zp2+aD(T%QIgrLx5au&TjG1AazI;`8m{K7^!@m>uGCSR;Ut{&?t%3AsF{>0Cm(Kf)2
z?4?|J+!BUg*P~C{?m<lX{_VAm$p$7Sy5n4)MhYq@8YJpQU2G)^4Cs_N!H_NDI5wLC
zuxU!+I__)7xJYF^Pf|zP9)c{~jt|)Y(3ss;D?4|k?Aspv4X!02;`uMjy{H&7#%Q@o
z<nV(d4I5h&#m8g~O!r&@N38SW3XQ`EjZh!<u+JXC85$B2rn?)m6Y00}q3o2FWUH%+
zxkU_~@oBdV%UzT$+qN=8G&dY}bCZ=N#`=O2mzStcgw{uTG7hdoSCO(-*C<hlyRW_D
zI1Ra`6kd?oLFBA13(Fk<4zU<VtAK2o$FG2w@>wPQ#)gDMmro20YVNsVx5oWQMkzQ?
zsQ<ZZLyAH1!oNzFM}TfglR)=rWx*=M9GIjB?ZFULc>%Y>%7_wkJqnSMuZjB9lBM(o
zWut|B7w48cn}4buUBbdPBW_J@H7g=szrKEpb|aE>!4rLm+sO9K%iI75y~2HkUo^iw
zJ3se$8$|W>3}?JU@3h@M^HEFNmvCp|+$-0M?RQ8SMoZ@38%!tz8f8-Ptb@106heiJ
z^Bx!`0=I<O1KwEC{Zqa_WBh?i$W#4Fd46V<qLHAqFT^%K_=ff(6##B-Ub(l(@oz>m
z1!NUhO=9ICM*+||b3a7w*Y#5*Q}K^ar+oMMtekF0JnO>hzHqZKH0&PZ^^M(j;vwf_
z@^|VMBpcw8;4E-9J{<clOdQ-gLs}yNpT|>(u7sHSyZpQbS&N{VQ%ZCh{c1UA5;?R}
z+52*X_tkDQ(s~#-6`z4|Y}3N#a&dgP4S_^tsV=oZ<Y0d)Rr;arA(GJ}DlJV*pmcys
z*Mk;Dg{B7HD(oM1AgV$?pZ(feakO5tAV~SCs_W%F(?;(4m+NEoby{|2mc0XI>r4A1
zaSoPN1czE(UIBrC_r$0HM?RyBGe#lTBL4~JW#A`P^#0wuK)C-2$B6TvM<GJr3h=;Q
z>i@@%K@JAT_IB^T7Zfqc8?<ppV&KJMBtJ-oMFyu3aJ37qp`YqlHwSWDi``;8R3fKH
z;())3jrugRTov;`f2|96Ol0~`tdom%2YtK*BEp7dW){Z1+eUuiY^^+%IXC`kb4D<x
zHzFJB;p^zZ4`bRwAwzCEy&SFu3-$>{wHcSVG_?{(wUG%zhCm=%qP~EqeqKI$9UivF
zv+5IUOs|%@ypo6b+i=xsZ=^G1yeWe)z6IX-EC`F=(|_GCNbHbNp(CZ*lpSu5n`FRA
zhnrc4w+Vh?r>her@Ba_jv0Omp#-H7avZb=j_A~B%V0&FNi#!S8cwn0(Gg-Gi_LMI{
zCg=<XfJ{>g@m{W@u?GQ|yp^yENd;M=W2s-k7Gw2Z(tsD5fTGF{iZ%Ccgjy6O!AB4x
z%&=6jB7^}pyftW2YQpOY1w@%wZy%}-l0qJlOSKZXnN2wo3|hujU+-U~blRF!^;Tan
z0w;Srh0|Q~6*tXf!5-rCD)OYE(%S|^WTpa1KHtpHZ{!;KdcM^#g8Z^+LkbiBHt85m
z;2xv#83lWB(kplfgqv@ZNDcHizwi4-8+WHA$U-HBN<XXr0~J?$Lai#_;trL)VA8+1
zU!;TqE~}9XS7A@|JfNqKkGav_MPU#1&?e(-M~ysHg+5_(nK1v-W}9=?Zer5AMLpDA
zz5CzT^brYv;fMsP%wz!?lZWTP?W}8@vv2IuVI?tan0C9Y`-Wjik0PN~x7}xCz5j)1
zoSKG<CGs%hfuQ;WLC{xnn)TVIkPvvNhsVT7>qsZ`hKcUI3zV3d1ngJP-AMRET*A{>
zb2A>Fk|L|WYV;Eu4>{a6ESi2r3aZL7x}eRc?cf|~bP)6b7%BnsR{Sa>K^0obn?yiJ
zCVvaZ&;d_6WEk${F1SN0{_`(#TuOOH1as&#&xN~+JDzX(D-WU_nLEI}T_VaeLA=bc
zl_UZS$nu#C1yH}YV>N2^9^zye{rDrn(rS99>Fh&jtNY7PP15q%g=RGnxACdCov47=
zwf^<OLlg}xVjt0)p-rbBn7T~vS^5_Drk~dEL?fU{>9zfJaL{y`R#~tvVL#*<`=`Qe
zj_@Me$6sIK=LMFbBrJps7vdaf_HeX?eC+P^{AgSvbEn?n<}NDWiQGQG4^ZOc|GskK
z$Ve2_n8gQ-KZ=s(f`_X!+vM5)4+QmOP()2Fe#IL2toZBf+)8gTVgDSTN1CkP<}!j7
z0SEl>PBg{MnPHkj4wj$mZ?m5x!1ePVEYI(L_sb0OZ*=M%yQb?L{UL(2_*CTVbRxBe
z@{)COwTK1}!*CK0Vi4~AB;HF(MmQf|dsoy(eiQ><S&flYs}X=qI6%JhOL}c}8ReE6
z>WTKcEQlnKOri5xYsqi61Y=I4kzAjn5~{IWrz_l))|<ryzIgBfLDnKw3JSt*BE7Yk
z@<X1~%_3&{c@EWKT@&!_5{hgsv0*uWq^Ag5&!#`hO30t*Ey!ZHlK~#2TL+u093@m<
zmh@mPLF@+cbRf2&AOJqqsB1zg;bVL&+4p#cS%+M6!rPy}l*roS@+s2E+JcG2%rRTv
z2!(JA6$64oDKq`kHYO({m<UUf<`TtSFw}vw1zYukXby+c34(E)w*pi_qs3N7vw>Ls
zvq7xgQs?Xx@`N?f7+3XKLyD~6DRJw*uj*j?yvT3}a;(j_?YOe%hUFcPGWRVBXzpMJ
zM43g6DLFqS9tcTLSg=^&N-y0dXL816v&-nqC0iXdg7kV|PY+js`<tQ)jQ;9->F8dm
z2PuHw&k+8*&9SPQ6f!^5q0&AH(i+z3I7a?8O+S5`g)>}fG|BM&ZnmL;rk)|u{1!aZ
zEZHpAMmK_v$GbrrWNP|^2^s*!0waLW=-h5PZa-4jWYUt(<b#|Bsx3P3#+uA4`mmgX
z9Kz|`zO$@)@d{sIynMxFy0ta)_!*pZfTlj%)9Ee4zRt~F_6}gJArZ1%_&ds}7FnKN
zT=p-*f9G3aBCWvVUn3v-@ZXvQrHP}1zTx3P<Jhsl2HrSYxUcBQibO?|u3Wl@z}_;u
z86>Hr@EA(m3Mc3^uDxwt-me^55FMA9^>hpp26MhqjLg#^Y7OIJ5%ZLdNx&uDgIIqc
zZRZl|n6TyV)0^DDyVtw*jlWkDY&Gw4q;k!UwqSL6&sW$B*5Rc?&)dt29bDB*b6IBY
z6SY6Unsf6AOQdEf=P1inu6(6hVZ0~v-<>;LAlcQ2u?wRWj5VczBT$Op#8IhppP-1t
zfz5H59Aa~yh7EN;BXJsLyjkjqARS5iIhDVPj<=4AJb}m6M@n{xYj3qsR*Q8;h<IbJ
zd)uk&8m`?q_q1NS{$84>VxDyC4vLI;;?^eENOb5QARj#nII5l$MtBCI@5u~(ylFi$
zw6-+$<K_|-Wlyt+M0?(Bv&pcNNg0svOYzThtqKx!i*Dc5NZvH&F*N23|J~!vMN;d~
z^=H()7fOiv1)6`d`Xlx->$XQ}Ca>FWT>q{k)g{Ml(Yv=6aDfe?m<nPFf#(N8Laf1%
zeJ4>|5|kbGtWS}fKWI+})F6`x@||0oJ<?@*&=4(53;s&f1=p}VJ=CsEx0>^(g|+xi
zqlPdy5;`g*i*C=Q(aGeDw!eQg&w>UUj^{o?PrlFI=34qAU2u@BgwrBiaM8zoDTFJ<
zh7nWpv>dr?q;4ZA?}V}|7qWz4W?6#S&m>hs4IwvCBe@-C>+oohsQZ^JC*RfDRm!?y
zS4$7oxcI|##ga*y5hV>J4a%HHl^t$pjY%caL%-FlRb<$A$E!ws?8hf0@(4HdgQ!@>
zds{&g$ocr9W4I84TMa9-(&^_B*&R%^=@?Ntxi|Ejnh;z=!|uVj&3fiTngDPg=0=P2
zB)3#%HetD84ayj??qrxsd<YW&s^_fNRPJu1Lu~ooseFw$wVknfo;k}<f4``0v~+Y_
zKU_m+@|S(3^pR^^<>9nqrBem(8^_u_UY{1@R_vK-0H9N7lBX5K(^O2=0#TtUUGSz{
z%g>qU8#a$DyZ~EMa|8*@`GOhCW3%DN%xuS91T7~iXRr)SG`%=Lfu%U~Z_<B8YLfje
zenkDPv?7UMn^wh-#5zYOX60}ftn+_;r9>`1b=lSi?qpD4$vLh$?HU6t0MydaowUpb
zQr{>_${AMesCEffZo`}K0^~x>RY_ZIG{(r39MP>@=aiM@C;K)jUcfQV8#?SDvq>9D
zI{XeKM%$$XP5`7p3K0T}x;qn)VMo>2t}Ib(6zui;k}<<~KibAb%p)**e>ln<=qyWU
zrRDy|UXFi9y~PdEFIAXejLA{K)6<)Q`?;Q5!KsuEw({!#Rl8*5_F{TP?u|5(Hijv(
ztAA^I5+$A*+*e0V0R~fc{ET-RAS3suZ}TRk3r)xqj~g_hxB`qIK5z(5wxYboz%46G
zq{izIz^5xW1Vq#%lhXaZL&)FJWp0VZNO%2&ADd?+J%K$fM#T_Eke1{dQsx48dUPUY
zLS+DWMJeUSjYL453f@HpRGU6Dv)rw+-c6xB>(=p4U%}<qNSa;?l%-Qbgo6H=D;<Ac
z37*~61%G;Rk9zKyD{WraYx|9VK1aeUEagvgL(r)WImH;+hu8m^8fk3iQO!R?vp|AU
z#xX(31o5DGMHtXZ9zytcGdR#e9xm`5)!T;H26%a+**oa@WGMf=BFxg~`r&GAS7$4y
z^2|*EV<Mt4fFFPU)O>_p>z^I@Ow9`nkUG21?cMIh9}hN?R-d)*6%pr6d@mcb*ixr7
z)>Lo<&2F}~>WT1ybm^9UO{6P9;m+fU^06_$o9gBWL9_}EMZFD=rLJ~&e?fhDnJNBI
zKM=-WR6g7HY5tHf=V~6~QIQ~rakNv<yXlZw2~R->csamU8m28YE=z8+G7K=h%)l6k
zmCpiDInKL6*e#)#Pt;ANmjf`8h-nEt&d}(SBZMI_A{BI#ck-_V7nx)K9_D9K<wX2&
ztb`!H<{xu+%$XOK7#l;ig9boZT>-p@?Zh81#b@{wS?wCcJ%og)8RF*-0z+~)6f#T`
zWqF7_CBcnn=S-1QykC*F0YTsKMVG49BuKQBH%WuDkEy%E?*x&tt%0m>>5^HCOq|ux
zuvFB)JPR-<R9*qK#QvOEy<g2y->W|%$24eEC^AtG3Gp4qdK%pjRijF5Sg3X}uaKEE
z-L5p5aVR!NTM8T`4|2QA@hXiLXRcJveWZ%YeFfV%mO5q#($TJ`*U>hicS+CMj%Ip#
zivoL;dd*araeJK9EA<(tihD50FHWbITBgF9<S1F59NBB@-km2xgxh^jmVKRZHCzb@
zldh9O@Tx{jgxfxH#W4wy6M0z_-aTt2G@3|Yp>E<33A+eMr2;cgI3Gg6<-2o|_g9|>
zv5}i93<J?21Jwu60De+%9&8yD$M-==IBwP;d{BC=F44-LGWWplT_ESz4ovU#BL|G}
zcmR56^)_SYTt?AM`r&<V0_9alA|EwbVwM(BT3!TE$hsCu`Gm;Rg~8}C&9f4B^0>2(
zYf<!;V`YfO6gj*4fZkUAr?-F@aA9;z9|jbBgt=33h^ojL5J7|FUPfqa-W2^EN+IwG
zyucPVo58FAeHt$Nq*Z0Lz|^v35)f<vIMOX%n{Czoseg>TE9?4#nQhP@a|zm#9FST2
z!y+p3B;p>KkUzH!K;GkBW}bWssz)9b>Ulg^)EDca;jDl+q=243BddS$hY^fC6lbpM
z(q_bo4V8~e<Zs<b7cyyni#U}G!!KTEURDqc{bMpk?5mA1@g$Y$Wx|caEJ@!TvSwmW
zqw6$6_V9}M--vO-=^ZBsJr^(lCyvX*KI4W@0G*bBPEKAYRH$kkkjj{cPznS-d|ZUy
zJ?>VeA?0LFD6ZtKcmOH^75#q$E<Zzyhezvuj?3@d%!~X4ws-!zRzAK#UFhVU?-K@7
z2G)}Z&^k%kMrWcDJ1~9s%Y7B4b*Q5pIQJtR#E8_m=dCI`iz(ByzI1@)w#x&yV;Dmb
zBR*c4ZqzdV6%u1E<qjcp>o%a&qvE8Zsqg=$p}u^|>DSWUP5i{6)LAYF4E2DfGZuMJ
zMwxxmkxQf}Q$V3&2w|$`9_SQS^2NVbTHh;atB>=A%!}k-f4*i$X8m}Ni^ppZXk<vI
zv4b?e{$fL=4CN|)0GXH{ZZE#0qrw?r2yJZjI_c{zf+uDL9gwdN)`!v>5_oYF>Gq(&
z0wy{LjJOu}69}~#UFPc;$7ka+=gl(FZCy4xEsk);+he>Nnl>hb5Ud-lj!CNicgd^2
z_Qgr_-&S7*#nLAI7r()P$`x~fy)+y=W~6aNh_humoZr7MWGSWJPLk}$#<b0qDKzby
zfsF}6hSD25(h&SI*1V<_%OA=AVAytldFr(qeYf$b2GB9jc!!oXb+YO|A>w_1n%(@?
z3FnHf1lbxKJbQ9c&i<$(wd{tUTX6DAKs@cXIOBv~!9i{wD@*|kwfX~sjKASrNFGvN
zrFc=!0Bb^OhR2f`%hrp2ibv#KUxl)Np1aixD9{^o=)*U%n%rTHX?FSWL^UGpHpY@7
z<FJKJ-x}kSNUZ~J=(sQmm|=Hgx6NDTIwxW%&M+qtaTFkwf2nmoB#ib#d`3q#i8x4D
z8SO1)?2${?@9$aGnmIq+`mJ>74U}KoIRwxI#>)Pn4($A`nw1%-D}`sGRZD8Z#lF$6
zOeA5)+W2qvA%m^|$WluUU-O+KtMqd;Pd58?qZj})MbxYGO<{z9U&t4D{S2G>e+J9K
ztFZ?}ya>SVOLp9hpW)}G%kTrg*KXXXsLkGdgHb+R-ZXqdkdQC0_)`?6mqo8(EU#d(
zy;u&aVPe6C=YgCRPV!mJ6R6kdY*`e+VGM~`VtC>{k27!9vAZT)x2~AiX5|m1Rq}_=
z;A9LX^nd$l-9&2%4s~p5r6ad-siV`HtxKF}l&xGSYJmP=z!?Mlwmwef$EQq~7;#OE
z)U5eS6dB~~1pkj#9(}T3j!((8Uf%!W49FfUAozijoxInUE7z`~U3Y^}xc3xp){#9D
z<^Tz2xw}@o@fdUZ@hnW#dX6gDOj4R8dV}Dw`u!h@*K)-NrxT8%2`T}EvOImNF_N1S
zy?uo6_ZS>Qga4Xme3j#aX+1qdFFE{NT0Wfusa$^;eL5xGE_66!5_N8!Z~jCAH2=${
z*goHjl|z|kbmIE{cl-PloSTtD+2=CDm~ZHRgXJ8~1(g4W=1c3=2eF#3tah7ho`zm4
z05P&?nyqq$nC?iJ-nK_iBo=u5l#|Ka3H7{UZ&O`~t-=triw=SE7ynzMAE{Mv-{7E_
zViZtA(0^wD{iCCcg@c{54Ro@U5p1QZq_XlEGtdBAQ9@nT?(zLO0#)q55G8_Ug~Xnu
zR-^1~hp|cy&52iogG@o?-^AD8Jb^;@&Ea5jEicDlze6%>?u$-eE};bQ`T6@(bED0J
zKYtdc?%9*<<$2LCBzVx9CA4<AoGdF)iT9-BV}&@WMK}bKMAdQBHB9zIg~33D9XqBR
zD>YV|q-qg*-{yQ;|0=KIgI6~z0DKTtajw2Oms3<u6JfE3d!7x4=<@msnH0k~j9dW|
zZtZ80d$e)`WiYJI%5C4$o_@ZG+NLyWNO7P{Rii0d%$QNbSHy)#lwN8boUCoV3)k>L
zn{C%{P`duw!(F@*P)lFy11|Z&x`E2<=$Ln38>UR~z6~za(3r;45k<v>QK_^QTX%!s
zNzoIFFH8|Y>YVrUL5#mgA-Jh>j7)n<Zx96$&fzU>)5}iVM4%_@^GSwEIBA2g-;43*
z*)i7u*xc8jo2z8&=8t7qo|B-rsGw)b8UXnu`RgE4u!(J8yIJi(5m3~aYsADcfZ!GG
zzqa7p=sg<o&$HnFk3_PIDT7^R*l|Uy*ErkWh5p!iw%95SEqgx*(#2u}$;yHXwBY|t
z$vJDd#N!Akn_xau{*4y#!iM@tZOc&Rc)@cg)>`V_KjiqI*LA-=T;uiNRB;BZZ)~88
z`C%p8%hIev2rxS12@doqsrjgMg3{<L-IS7j<nG-26~xHYI&`%4j=)ZUR_2Nwyo&s*
zJ_0X{=sXdnBCoNzt%@LBIlEx@{+A&hsZt3nyF&Gtc)9fXv28Q&PU0uzxK5QDQ^0tT
z@ll2`vK+vydWK?7I0;u%diXOvNZ*YxV6uZ=wi~x}imLLs*Slf$SL&G~13D2Praj;n
z{D>A&N8A?%Ui5vSHh7!iC^ltF&HqG~;=16=h0{ygy^@HxixUb1XYcR36SB}}o3nxu
z_IpEmGh_CK<+sUh@2zbK9MqO!S5cao=8LSQg0Zv4?ju%ww^mvc0WU$q@!oo#2bv24
z+?c}14L2vlDn%Y0!t*z=$*a!`*|uAVu&NO!z_arim$=btpUPR5XGCG0U3YU`v>yMr
z^zmTdcEa<e${0lJ(<4$dGj^YwOU!gy-6u%trv^j}K^#M&{&D1UGEa2nS)OMS>!APX
zYF>^Q-TP11;{VgtMqC}7>B^2gN-3KYl33gS-p%f!X<_Hr?`rG8{jb9jmuQA9U;BeG
zHj6Pk(UB5c6zwX%SNi*Py*)gk^?+729$bAN-EUd*RKN7{CM4`Q65a1qF*-QWACA&m
zrT)B(M}yih{2r!Tiv5Y&O&=H_OtaHUz96Npo_k0eN|!*s2mLe!Zkuv>^E8Xa43ZwH
zO<I&Nur7C^JWb9`H||S7lnGT!zTpho2vN69_#Qs?kjYy$`Q0!HKi(a7WFX@;&MNY~
zax>I058AZznYGrRJ+`*GmZzMi6yliFmGMge6^j?|PN%ARns!Eg$ufpcLc#1Ns!1@1
zvC7N8M$mRgnixwEtX{ypBS^n`k@t2cCh#_6L6WtQb8E~*Vu+Rr)YsKZRX~hzLG*BE
zaeU#LPo?RLm(Wzltk79Jd1Y$|6<Tz#Ab3VOQL!oqnu8!3Ev#T)CDpRjo9fjjgw)N!
zErQj*AF93?w7h)pV7lh%{nq{Sh43S}4qRhV$tBKz2Q3F#YC0?apCV-cr-&g)Ta?xA
zc-})no|s-UajuvdSqa3zR2cl82_%nvGFwn23tfy0+-dPTJzZ8#!t6MWix9bj!?+yg
zn$~Be?akwbUV?z=Y{qc>aWz1)wf1K1RtqS;qyQMy@H@B805vQ%wfSJB?m&&=^m4i*
z<RSh9mC|UV(AH!)v4!3^(;(w}isKaD1$r>YVH`zTTFbFtNFkAI`Khe4e^CdGZw;O0
zqkQe2|NG_y6D%h(|EZNf&77_!NU%0y={^E=*gKGQ=)LdKPM3zUlM@otH2X07Awv8o
zY8Y7a1^&Yy%b%m{mNQ5sWNMTIq96Wtr>a(hL>Qi&F(ckgKkyvM0IH<_<ah`2Jtc4H
zzJ5Z$n<rF%>}v~Fv-GqDa<PYPnU!!je;%S69V23AFX{jR^q$cSK5eU!uzK5~_gTvx
z=xC#ygr;Z7l0l}tE!ut;$3u!G=k}WM8nnSovw+>pig=3*ZMOx!%cYY)SKzo7ECyem
z9Mj3C)tCYM?C9YIlt1?zTJXNOo&oVxu&uXKJs7i+j8p*Qvu2PAnY}b`KStdpi`trk
ztAO}T8eOC%x)mu+4ps8sYZ=vYJp16SVWEEgQyFKSfWQ@O5id6GfL`|2<}hMXLPszS
zgK><z_7D{#_0cM38i3?q!q=1kU*<f=E!5q~OGR+n-!$_a1@<av6z8(-tT0T>NWOoR
zBRyKeUPevpqKKShD|MZ`R;~#PdNMB3LWjqFKNvH9k+;(`;-pyXM55?qaji#nl~K8m
z_MifoM*W*X9CQiXAOH{cZcP0;Bn10E1)T@62Um>et2ci!J2$5-_HPy(AGif+BJpJ^
ziHWynC_%-NlrFY+(f7HyVvbDIM$5ci_i3?22ZkF>Y8RPBhgx-7k3M2>6m5R24C|~I
z&RPh9xpMGzhN4b<n_$TKj6;x$6eSY#J<6z8-<<eXD{YGtPeh(eK>ii*ryWaN^d(`0
zTOADlU)g`1p+SVMNLztd)c+;XjXox(VHQwqzu>FROvf0`s&|NEv26}(TAe;@=FpZq
zaVs6mp>W0rM3Qg*6x5f_bPJd!6dQGmh?&v0rpBNfS$DW-{4L7#_~-eA@7<2BsZV=X
zo<jFL%Bl|~iN=_%v|5Y<#Gpc-_nu`zPSa3B)eyzNRYkS_S7#Vl4Sx`|M*FHkF=-_)
z(qT@$sP8*6(;+2_2GrUtq?WVOz@%!47omewB^Cj*+)_Y7c8o#IQ%W|Wg+5PNnR*6U
zqsrE$&lE5UYNkcwa9IkWJQ`K6q;9o~nXTNNt4ypA@SdwPa*k(~yPsQD9A`rvY6hIQ
zbB3Wq3J(Ip%Spgn<@)Zq04$gB8>w){3aATmLZOQrs>uzDkXOD=IiX;Ue*B(^4RF%H
zeaZ^*MWn4tBDj(wj114r(`)P96EHq4th-;tWiHhkp2rDlrklX}I@ib-nel0slFoQO
zOeTc<hn5|jpM}{BL^>;Rh7sMIebO`1%u)=GlEj+7HU;c|Nj>2j)J-kpR)s3#+9AiB
zd$hAk6;3pu9(GCR#)#>aCGPYq%r&i02$<m+xZvsp>0L9=7Al<uiMgWi00$%C&<=p;
z&DJ&!X-+7DOQ<NGx053X=x&OTuveGw;P#7I963O-cntp%n;x3upG6$bSZdIscXKZz
zE26w-ESTe#dx<IxxgOyxd~k92x!}?e7=&}7EIUABcs@v7J^4#tE1Z2`vYo|Zfx#?M
zXxRQAUwIpnrd%x;d2(+0wHKQb5LXCF5FM|~=&cF?)N_xB4Bl|JpPd+>IGY<wi6MrB
zwuAQco(edmX)&f$!qgzbDk@I5RR!7e{<pl6;0q^D9rH)D+xQ^qUHFjiVuuZ(dNLoE
zk610d0D=8c-t>dlUO5%eH&M!ZWD&6^NBAj0Y<LF!W8hneCvn#&X!jeuMxFNL9R6gV
ziYL0E$zuPwu-dNyWbfxdM|kfI7dtb9QzzTE{}sJ=aTD#{Kb((+@c&OeMaT<*ofYbx
z;1%phK@uKkWduA*1(PK@!{WoV6$&w4_0RR0*51~cnd9Q6WRU~~+iD70xHZv5yb^q9
zSl{&Z2jJC&)zq%KFf=>9ZDcPg@r@8Y&-}e!aq0S(`}NuQ({;aigCPnq75U9cBH&Y7
ze)W0aD>muAepOKgm7uPg3Dz7G%)nEqTUm_&^^3(>+eEI;$ia`m<pPp!PnmJ$ax-Ni
zriP82FsWaes>>m0QHEkTt^<h|Kl{fGlDwG;CQ*b4lzdo-V$nC8<LA?4QJ%$e&M1jF
zj4MPd95jth&|E!zZ*d9v(}1-nH2c9uw}SWz(o)!u-C;JXs?Old?KmR?ZVapLr)~kt
z-!pxZ2T4qAqb;DH9;hiuAcN#25{6pE|B@nn@LY@;@6X}9ZRu6|3F2X?Musq<a_n+z
zJMV<b3!3d+o(r5xln5wq$mvr`E9}w25J;Qi>=cx^JsBC68#H(3zc~Z$E9I)oSrF$3
zUClHXhMBZ|^1ikm3nL$Z@v|JRhud*IhOvx!6X<(YSX(9LG#yYuZeB{=7-MyPF;?_8
zy2i3iVKG2q!=JHN>~!#Bl{cwa6-yB@b<;8LSj}`f9pw7#x3yTD>C=>1S@H)~(n_K4
z2-yr{2?|1b#lS`qG@+823j;&UE5|2+EdU4nVw5=m>o_gj#K>>(*t=xI7{R)lJhLU{
z4IO6!x@1f$aDVIE@1a0lraN9!(j~_uGlks)!&davUFRNYHflp<|ENwAxsp~4Hun$Q
z$w>@YzXp#VX~)ZP8`_b_sTg(Gt7?oXJW%^Pf0UW%YM+OGjKS}X`yO~{7WH6nX8S6Z
ztl!5AnM2Lo*_}ZLvo%?iV;D2z>#qdpMx*xY2*GGlRzmHCom`VedAoR=(A1nO)Y>;5
zCK-~a;#g5yDgf7_phlkM@)C8s!xOu)N2UnQhif-v5kL$*t=X}L9EyBRq$V(sI{90>
z=ghTPGswRVbTW@dS2H|)QYTY&I$ljbpNPTc_T|FEJkSW7MV!JM4I(ksRqQ8)V5>}v
z2Sf^Z9_v;dKSp_orZm09jb8;C(vzFFJgoYuWRc|Tt_&3k({wPKiD|*m!<X$9n>+<d
zfwbu(US!ljdxEAm@8L<A)Zh;j$1@#3i1Hba7~+=OxccBV?z(KQ^KiX-VG5F8{s<bz
zFTJ%sXJxQmw1gpd<`@dDaxW+0z@mAqX^!9bM3;Rg{vJ$y`jrFPf<taTjgOUiGo`tq
zU8^ynJ_vtmGeduy1>za$(l*!gNRo{xtmqjy1=kGzFkTH=Nc>EL@1Um0BiN1)wBO$i
z6rG={bRcT|%A3s3xh!Bw?=L&_-X+6}L9i~xRj2}-)7fsoq0|;;PS%mcn%_#oV#kAp
zGw^23c8<Fs8D%<c4(Nre;Oy43eq_*f8CVI6Y}O$7=4|A%Bh)_#+dgnF@9B?PZV+FK
z@D@b4V?}Hxb;mfT&3=fp%aQ_W<BpQFv8~7WceKD?ShRTE&*xP)Rp+|r%gOH<b#|`R
zpMk-?U*1{fo}21TS!!|lrVyo(<X*MXXY2ANSehq$FQcbg%rc;PQLx;F?K=D0V>_0~
ze}v9(p};6HM0+qF5^^>BBEI3<e#!JG>d=2<KmW5$FDhY04Ol??L%ZUPasCO+Pj|h!
zL*;#e7cVT$<F2gg5E8<=1=Y;hH6lJKfJK6P>DW&O#|(;wg}?3?uO=w+{*)+^l_-gE
zSw8GV=4_%U4*OU^hibDV38{Qb7P#Y8zh@BM9pEM_o2FuFc2LWrW2jRRB<+IE)G=Vx
zuu?cp2-`hgqlsn|$nx@I%TC!`>bX^G00_oKboOGGXLgyLKXoo$^@L7v;GWqfUFw3<
zekKMWo0LR;TaFY}T<F_}BWybmURg`OY9TP`)1kkA_VfNgEb>t4!O$3MU@pqcw!0w0
zA}SnJ6Lb597|P5W8$OsEHTku2Kw<?~p>9y4V=hx*K%iSn!#LW9W#~OiWf^dXEP$^2
zaok=UyGwy3GRp)bm6Gqr>8-4h@3=2`Eto2|JE6Sufh?%U6;ut1v1d@#EfcQP2chCt
z+mB{Bk5~()7G>wM3KYf7Xh?LGbwg1uWLotmc_}Z_o;XOUDyfU?{9atAT$={v82^w9
z(MW$gINHt4xB3{bdbhRR%T}L?M<kc`={1@bX$@c}pX`50EN?1djSoIxW|Rhd4u^_G
z>cK?!zkLK3(e>zKyei(yq%Nsijm~LV|9mll-XHavFcc$teX7v);H>=oN-+E_Q{c|!
zp<Ol>JV~-9AH}jxf6IF!PxrB9is{_9s@PYth^`pb%DkwghLdAyDREz(csf9)HcVRq
z+2Vn~>{(S&_;bq_qA{v7XbU?yR7;~JrLfo;g$Lkm#ufO1P`QW_`zWW+4+7xzQZnO$
z5&GyJs4-VGb5MEDBc5=zxZh9xEVoY(|2yRv&!T7LAlIs@tw+4n?v1T8M>;hBv}2n)
zcqi+>M*U@uY>4N3eDSAH2Rg@dsl!1py>kO39GMP#qOHipL~*cCac2_vH^6x@xmO|E
zkWeyvl@P$2Iy*mCgVF+b{&|FY*5Ygi82<omgvyGTqv|QTz=sN}TZ6>37i)9YW#Fp&
z?TJTQW+7U)xCE*`Nsx^yaiJ0KSW}}jc-ub)8Z8x(|K7G>`&l<bpFP+cS)jO`N_V-8
zyz*&criMW3Tge5_hcWP_V8=SvD0*^&JQ8c;z^ZkOK$H-b5$|gm$@;EfT;;o$;h7dL
z>{Y&~W=q#^4Gf{}aJ%6kLXsmv6cr=Hi*uB`V26;dr<aSR^xo%$9+~>4C$WrPnHO>g
zg1@A%DvIWPDtXzll39kY6#%j;aN7grYJP9AlJgs3FnC?crv$wC7S4_Z?<_s0j;MmE
z75yQGul2=bY%`l__1X3jxju2$Ws%hNv75ywfAqjgFO7wFsFDOW^)q2%VIF~WhwEW0
z45z^+r+}sJ{q+>X-w(}OiD(!*&cy4X&yM`!L0Fe+_RUfs@=J{AH#K~gArqT=#DcGE
z<spTPWq%oqdho$J0xh~6Q=^v}j=vBe*gL+|ud>!FwY(h&+&811rVCVoOuK)Z<-$EX
zp`TzcUQC256@YWZ*GkE@P_et4D@qpM92fWA6c$MV=^qTu7&g)U?O~-fUR&xFqNiY1
zRd=|zUs_rmFZhKI|H}dcKhy%Okl(#y#QuMi81zsY56Y@757xBQqDNkd+XhLQhp2BB
zBF^aJ<Yyh7pM5zBvii~t`R`{~RErSl{}-#Xjol7q<MNou@wjO9-e0+&FnPZ^6y4Ll
zv-4#qZasZI63$>__D676wLu|yYo6jNJNw^B+Ce;DYK!f$!dNs1*?D^97u^jKS++7S
z5qE%zG#HY-SMUn^_yru=T6v`)CM%K<>_Z>tPe|js`c<|y7<QPU`KuA=GRt?21}m$3
z)egm^_v+KsYdG<vt|ej|@=R$E;WS|)lq&hvDYqCWcNQVq*yoxejj)Sgjj^Yjl?NcX
zDFDlAtM@eY^eKCIx3Bn3tvI+`G-P!;moJ^4fysp(P&5s?@p7p>?qol&)C=>uLWkg5
zmzNcSAG_sL)E9or;i+O}tY^70@h7+=bG1;YDlX{<4zF_?{)K5B&?^tKZ6<$SD%@>F
zY0cl2H7)%zKeDX%Eo7`ky^mzS)s;842cP{_;dzFuyd~Npb4u!bwkkhf8-^C2e3`<?
zuCMcKb49Z{nlgrGOONk{-i&aq@>q8>MuPhgiv0VxHxvrN9_`rJv&GX0fWz-L-Jg^B
zrTsm>)-~j0F1sV=^V?UUi{L2cp%YwpvHwwLaSsCIrGI#({{QfbgDxLKsUC6w@m?y}
zg?l=7aMX-RnMxvLn_4oSB|9t;)Qf2%m-GKo_07?N1l^ahJ+W<L;$&i*6MJG?J+W=u
zwrv{|+x8@xWb=KyXLo=7Po1iIr>f8C>h5~=-o1BJzV@5HBTB-ACNpsHnGt6_ku37M
z{vIEB^tR=--4SEg{jfF=gEogtGwi&A$mwk7E+SV$$ZuU}#F3Y7t}o{!w<wD={LS;b
zZLz-;o0$Q>4LJh8v4PW%8HfUK@dta#l*z@w*9Xzz(i)r#WXi`r1D#oBPtNM7M?Hkq
zhhS1)ea5(6VY45|)tCTr*@yc$^Zc!<pn44UDZ+IBYjAJ`-ggM&;kb0pvO!s`m^2xQ
zD2Cg>zQzsNXU?aRN6mh7zVu~i=qTrX^>de+f6HYfDsW@6PBlw0CsDBcOWUmt&st>Z
zYNJEsRCP1#g0+Htb=wITvexBY@fOpAmR7<uCg}62o&UsLHP(Phe;7?`HXB?HKdlV$
z;n1V`+Y7~g)l@mcyIJ}uTJ!G<@eKpC>?szQNR~nM)?sPWIj)0)jG-EF8U@nnBaQZy
z)ImpVYQL>lBejMDjlxA$#G4%y+^_>N;}r@Zoe2|u-9-x@vvD^ZWnV>Gm=pZa7REAf
zOnomhCxBaGZgT+4kiE%aS&lH2sI1mSCM<%)Cr*Sli;#!aXcUb&@Z|H<WEuC{@x3F<
zcu=w}m*tw?_*4~yqRvV|o9ns5GNSy=_8IwkLCEw54?sk2a(<Mdh^0{u1T=9t*NInH
zFsLj&_yjHc6;)bz9kl9!kgEUg^82nn>j{VPsJyClqD%>hy`Y7<pRj7bPY9jQyVGWO
zS%<st>z(GAS<aP)Y1uSg%`b@4p69s=<%Tt{igr8{?&jG%;a(i_%-UCF>s8Mqas3!D
zSQE83*%uctlD|p%4)v`arra4y>yP5m25V*_+n)Ry1v>z_Fz!TV6t+N?x?#iH$q=m=
z8&X{uW%LVRO87dVl=$Y*>dabJVq{o|Kx`7(D2$5DVX&}XGbg|Ua(*5b=;5qzW<SoC
zzQ#?BPpCI=6I*c_i^sgOQ>9;|w>m{hIO(Tu-z(ey8H=EMluJNyK4BJmGpX~ZM2O61
zk*O7js{-MBqwq>Urf0igN+6soGGc!Y?SP6hiX<gKeOf#K(fq=b1cjQoa=0h1Uc|1x
zrs@w%$10Lm8HWHTQsEqE(JV%p5=DhOaEnmC%>uJzZ1V4WZqE*?h;PG84gvG~dd<ZH
zbY$=c6i~~+P41czFCy_EI$dg`c<Pyn!p1u1+?ktG?l^rT?wPQ2A8drLUBX$i@QPw|
zqn``t@{_q6YANM!8WD%c{DkVuIAOr;O55VmO-cSXNNJ&(*COQc4ZZm^4K%c3mN$0E
zrov1s*jjy;dRKW=-Unr5Q~DZR{;p;L#!x#C2mnbI-cg1JPiV8@_y)_H7BEWiz!+s)
z0{psz93NN}c(aYN&3g{jLeCy{0X^`+?aBhSW*V;^{S7@L=6)4l+Fy-5Vm@KCM_5?x
z(92sH+oi*?$hATGUM-)1KM)NSn*XULvnqVli`x(wEF2!vUY3O~qogY>s6~484!kPM
zMP87IP?dhdc;%|cS&LxY*Ib6P3%p|9)E3IgRmhhwtUR3eRK6iZ_6fiGW}jnL4(I|t
ze`2yLvmuY42lNwO6>I#Son3$R4NOoP*WUm1R4jl#agtSLE}fSu-Z>{+*?<Ox|0|h?
ziVAXEejmb)TNIL)WMKcfBnN%2`pTyl?}<6Yv7aXa$?4(@S45I<K83!~!85D$T^sNt
z#G2I?J>pQIn7`s3LAz<sUxT1J#To$wq)LLuvyHUwXZGnH5bA&W>F#1pSxCAo?clr9
z9PUj#REq28*ZkJnxs$aK%8^5?P<_Q!#Z?%JH0FKVF;&zH3F#J^fz|a<d2t+(J$r8k
z@gS5dPqSn!bSO@C%)Xy-d?WBwvVYS>hl$Ycs~kFij_XP;U<`Fca<h#1CHf8w@jZxi
z4E}>DYyXYPM~&jEe1Xj1n;wyRdD;lmnq&FEro=;+Z$=v-&fYM9eK*S_D&oTXFW#b0
zRY}Y7R#bLzTfg9i7{s?=P9~qjA?$-U2p5;0?gPPu`1JY|*?*8IPO!eX>oiX=O#F!A
zl`S%e5Y(csR1f)I(iKMf-;5%_rPP7h&}5Fc(<tM)r%wv3LCm#xoQU~A@B|1<`oLmM
zFJo+&#d1H1oV@`@@judX4nHzi7~-Q3%iaTZO>8byKUH1*d7?9%QC<dVX!I)~1Vf#}
zwN9HFJ-qutr_)&Ld#X9pYCw5!Ln<R5Cw|Z|F-c$v`hl=tR{-56UrGfK9_2*yyZ@fO
z8nZ1uLsgGiL>|4aADj3L8yuo6GOv#%HDgU3bN(UHw1+(99&Om%f!DY(RYSf4&Uny%
zH}*&rEXc$W5+eyeEg|I|E-HnkIO0!$1sV7Z&NXxiCZJ@`kH4eEi5}q~!Vv5qQq{MI
zi4^`GYoUN-7Q(jy^SKXL4$G4K+FQXR)B}ee=pS0RyK=YC8c2bGnMA~rrOh&jd3_AT
zxVaq37w^-;OU3+C`Kko-Z%l_2FC^maa=Ae0Fm@PEtXEg@cX*oka1Lt&h@jES<6<l#
z+$g2<Asf=9S1fdM-Zf&z(e6fWKei}lbCaFL*0(Jmb1OHeueb>?o1Oi1C9>}7+U(Ve
zQ$=8RlzcnfCd59CsJ=gG^A!2Bb_PY~K2sSau{)?Ge03G7US&qrgV!3NUi>UHWZ*lo
zS;~0--vn{ot+7UWMV{a(X3rZ8Z06Ps3$-sd|CWE(Y#l`swvcDbMjuReGsoA`rmZ`^
z=AaArdbeU0EtwnOuzq@u5P1rlZ<sl{`#t>jH#gNgh6HIhG(>dX%4m{_!&DNTQE)8=
zXD-vcpcSi|DSm3aUMnrV;DQY?svz?9*#GT$NXb~Hem=24iy>7<t7QQV*?t4jd6F$+
zoVdvlUnbR4c30FRg<e9<@PVR%rHqJUA;fJYA($o}&dnWgkF9ZP7&B+X`n^IHYt(Lf
z2F5n3wJiK|+9K0rQqBtOu&~*tu?)dBq^i>xj367(!#RjnrHtrP-Q`T2W*PEvAR-=j
ztY2|#<|JvHNVnM-tNdoS_yRSo=yFqukTZmB$|>Vclj)o=Y<JL-iyAg07VsydL3{X*
z%2mLNnQsQbJh5(AD4t{|q}=<Sep&lQi`=uoh?ZK7-3Ggm7(e$G$$!eV5RX%BIxMx_
zcZ~)&tjIxU_5Hcg)fpWZ(znGWsvo-$Kg%Yi^j*N+;M7L5ByQ~FpSX7CHVVaMYgQ$F
zLE#|7`dM0nng{OAF}Qcjup5gR2}Yw<aDD&b!H-Me0}~kt6{J6Shasi;%3^mM=_Fj;
zCJmpL_-hPyxj$4N{M|RVj$&&&ZX8z~2^&gzl4o!r2Z8|PlPVdE08_x)A!qpcu0#xY
zXnk?%F^@+%cB0BC7MsbX<)>zC9!ph8)ZOH5X=%Aq|9gNgc}^KFVLht!Lyw54v5u&D
zW%vT%z`H{Ax>Ry+bD&QjHQke_wEA;oj(&E!s4|OURButQKSc7Ar-<s}yde;WAK~$P
z^Gqnxrogbi{lG5aFCO5?K&xA8mnwDs7h<9^6YcR8q^0TexEaqnTnUG7d`^9oo$h?D
zKq5j>PzIiFa8F@ezkaY2J9&PH+VI1!G+{JgsQ7%da*_Gr!exT*<Bi+ppC%q~o7ojT
zw%-XGzS*XV$!)J(aAPAYRAt79+7J$~+w?BI2Q1s93#u0$U9&Ct=DGGT|JFamN<I30
zezX;tHfoBvUeBbp68x?km4lTPls>OgJld)b-?cd)xI+|v_C`h(Cg`N~oj0`SQPTma
z{@vc8L^D-rBXwS#00jT#@=-n1H-C3hvg61r2jx#<RRl|hqSXC@053(FHh{sXK3n-p
z<$eTP-2N28_#nt+&me>ok&cr#BV~9JdPaVihyrGq*lb>bm$H6rIoc}ifaSn6mTD9%
z$FRJxbNozOo6y}!OUci1VBv-7{TYZ4GkOM@46Y9?8%mSH9?l&lU59)T#Fjg(h%6I}
z?ib<r4n}!XkXC&NufL;-hcHF&UUVnNQHeZ=Wv<~uyVX-uR$QEL_l&SGi$i}9x_ul>
zZ(xb8Rwr+vv>@$h{WglT2lL`#V=-9tP^c)cjvnz(g|VL^h8^CPVv12dE(o}WQ@0OP
z^2-&ssBXP^#Oh`X<d4_zj?ko>5@F+~$PCB6kK-T7sFUK|>$lNDSkvAy%{y2qgq-&v
zv}^&gm`wiYztWgMS<{^qQKYNV=>CQaOeglAY~EZvr}n~tW=yg)_+fzqF%~+*V_$3h
z2hDW`e$qR;QMg?(w<b_xzz9GLD(1{PR-OZ8-*QD}x+s!v>KE>%H_6ASS@6bkOi-m-
zg6B7AzD;gBS1%OD7|47a%3BykN{w}P!Wn-nQOfpKUpx8Mk{$IO62D!%U9$kr!e%T>
zlqQih?3(U&5%r!KZFZPd<X|#ogu*zbQE07H>bwZ0laAJCj!c&pEFVzrH&_&i<N3C?
zo@%)1zi#=6wREw)wQ(6!5<Zb2Qvw`@PmV*Wp>5m68Y_*J+-Qjlnz}Q{3oAD)`d14H
zKUGmbwC|beC9Mtp>SbL~NVrlctU3WBpHz(UeIa~_{u^_4OaHs_LQt>bUwcyD`_Bbh
zC=x|1vSjL)JvVHLw|xKynEvq2m)7O-6qdmjht7pZ*z|o%NA17v$9H*(5D5(MXiNo1
z72Tv}QASqr$!mY58s_Q{hHa9MY+QZ`2zX-FT@Kd?`8pczcV^9IeOKDG4WKqiP7N|S
z+O977=VQTk8k5dafK`vd(4?_3pBdB?YG9*Z=R@y|$S+d%1sJf-Ka++I&v9hH)h#}}
zw-MjQWJ?ME<7PR(G<1#*Z-&M?%=yzhQw$Lki(R+Pq$X~Q!9BO=fP9FyCIS8zE3n04
z8ScD%XmJnIv=pMTgt6VSxBXOZucndRE@7^aU0wefJYueY(Cb%?%0rz)zWEnsNsKhQ
z+&o6d^x=R;Pt7fUa_`JVb1HPHYbXg{Jvux|atQ^bV#_|>7QZNC<m56gmQTDz)Sv34
znQxO@_?jSZ-}u2#aunxbjO?K=1UNC4B}tiiM9CZDpDyu{zkOqqjq!7q99sz6e|N}H
zPQo%$KE#d!)5wiR%<;fHk2yH4+dlwL2Rr23RY5vDJ>~P^IKUThB6{kvz2pr2*Cyxj
zy37Nri8za8J!@Iw9rbt~#^<9zOaM8LOi$kPBcAGqPq-DB^-93Qeup{9@9&=zV6KQN
zL)ic5S%n1!F(7b>MQ973$~<0|9MY-G!?wk?j-cQhMQlM2n{&7JoTBGsP;=fC6CBJn
zxlpk^%x=B16rfb-W9pYV#9IRHQL9VG4?Uh>pN>2}0-MST2AB2pQjf*rT+TLCX-+&m
z9I{ic2ogXoh=HwdI#igr(JC>>NUP|M>SA?-ux<2&>Jyx>Iko!B<3vS}{g*dKqxYW7
z0i`&U#*v)jot+keO#G&wowD!VvD(j`Z9a*-_RALKn0b(KnZ37d#Db7royLhBW~*7o
zRa`=1fo9C4dgq;;R)JpP++a9^{xd)8``^fPW9!a%MCDYJc;3yicPs8IiQM>DhUX*;
zeIrxE#JRrr|D$@bKgOm4C9D+e!_hQKj3LC`Js)|Aijx=J!rlgnpKeF>b+QlKhI^4*
zf%Of^RmkW|xU|p#Lad44Y5LvIU<E*FXDgB**mKwp2!mq`hNR)=z0QQMaupuiAd7N|
zo&AY$ODOt<Q38Y^Ii6uZyvYkO%G!LUYf+Tw(6oPEJFUo(I+rIZ?v_|(9>IR>VGH8G
zz7ZEIREG%UOy4)C!$muX6StM4@Fsh&Goa}cj10RL(#>oGtr6<bK`a)SgxmFZVL)U~
z49v!>h~7tZDDQ_J>h)VmYlKK>9ns8w4tdx6LdN5xJQ9t-A<deKX4bX$^Jb$>BtTf_
zf1dKVv!mhhQFSN=ggf(#$)FtN-okyT&o6Ms+*u72Uf$5?4)78EErTECzweDUbbU))
zc*tt+9J~Pt%!M352Y5b`Mwrjn^Orp+)L_U1ORHJ}OUsB78YPcIRh4p5jzoDB7B*fb
z4v`bouQeCAW#z9b1?4(M3dcwNn2F2plwC^RVHl#h&b-8n#5^o+Ll20OlJ^gOYiK2<
z;MQuR!t!>`i}CAOa4a+Rh5IL|@kh4EdEL*O=3oGx4asg?XCTcUOQnmHs^6nLu6WcI
zSt9q7nl*?2TIikKNb?3JZBo$cW6)b#;ZKzi+(~D-%0Ec+QW=bZZm@w|prGiThO3dy
zU#TQ;RYQ+xU~*@Zj;Rf~z~iL8Da`RT!Z)b3ILBhnIl@VX9K0PSj5owH#*FJXX3vZ=
zg_Zyn^G&l!WR6wN9GWvt)sM?g2^CA8&F#&t2z<OchUXqZRy~h=2dtIHh}9X16StjX
zE*X$O$hrKjDx*fT_Kdt~%HxH)(Q<=+n-bsLpy;hW_+>3_MiluRqvNbV{Me6yZ&X-_
zd6#Xdh%+6tCmSNTdCBusV<OLU^zAuj3oC#*62FAg&jRV{eA?56gCxRYk9nH%WWtia
z(L;^ByCp%<7za*^^B&PIjiYnY$Gom{Mk62$4uvORBiduv?$8V_-U*iYK!Is}K=K4!
zRqXL>kRwJ_A~<^Nd6~MNOvS;YDix<nmp2CFVZb7>M43`|8e_bmc*UWi7TLA})`T_F
ztk&Nd=dgFUss#Ol$LXTRzP9l1JOSvAws~^X%(`ct$?2Im?UNpXjBec_-+8YK%rq#P
zT9=h8&gCtgx?<LJXBIGvqMB)2=D#1(E#`Gft|z7B(M_Jurie!W@A&*CdPfK%1_($Q
z&41z76E^&SjZfwJd{?_|K()<UmsT?~p*FNKwP__D#d_feWy|Ge{Dz}bgKej%s3<xl
zL=(7@V%Z6Ls;(9_^N&q~-}$9{nVk@Q(D|jMzcY@#rP>=Oj$Yr2j<c`drr*4eGwnY6
zpou_hH7hY!9S)PMQgqe-l!Y{7*V&uqvM#Fq)W)d?^1IAL-DK&GVzdmu_H<-MCk_GM
zy&hTx7mWj(2fxj^o94>I3`VVuZ`lH>*N+*K11CD&>>F)?(`yr~54vHJftY*z?EorK
zm`euBK<$(!XO%6-1=m>qqp6F`S@Pe3;pK5URT$8!Dd|;`eOWdmn916Ut5;iXWQoXE
z0qtwxlH=m_NONP3EY2eW{Qwr-X1V3;5tV;g7tlL4BRilT#Y&~o_!f;*hWxWmvA;Pg
zRb^Y$#PipnVlLXQIzKCuQP9IER0Ai4jZp+STb1Xq0w(nVn<3j(<#!vuc?7eJEZC<-
zPhM7ObhgabN2`pm($tu^MaBkRLzx&jdh;>BP|^$TyD1UHt9Qvr<czlD@G+^h_RO(*
zD$4@5T5mOOg&QM%!B(9nVM{bT<4ry`1>{ZcBs^l!JI4~d-Py$P5QOYO&8eQOFe)&G
zZm+?jOJioGs7MkkQBCzJSFJV6DiCav#kmdxc@IJ9j5m#&1)dhJt`y8{T!uxpBZ>&z
zD^V~%GEaODak5qGj|@cA7HSH{#jHW;Q0KRdTp@PJO#Q1gGI=((a1o%X*{knz&_`ym
zkRLikN^fQ%Gy1|~6%h^vx>ToJ(#aJDxoD8qyOD{CPbSvR*bC>Nm+mkw>6mD0mlD0X
zGepCc<fcI8GR5U|Yh-F^k<?4h>S_x7+6X7dH;%e`aIfPr-NXSqlu&?$Br1R}3lSF2
zWOXDtG;v#EVLSQ!>4323VX-<G6zshc*}#z*<OCtlCr=7_9N%0P@aw0NW3NYMY?UTk
zv23GF46nFqpVnQb;X)T9o|+e;#c6DHFd+rvvY`*?nmy>|E#qb+x%IxzUBDI~N23x?
zXUHfTTV#_f9T$-2FPG@t)rpc9u9!@h^!4=fL<UA2Sb|t&Ay-N0cvK7#l<pL<Ge|wZ
z<{l=m(jmt{aK61fo4#z+N%`p~HEyEO)J*8(AY!addNzdFY|eI)Y^jThWjX-+2s1gI
zR-J}6pgw5eaN{`!XN-3n?FAT?R1z;uAYmO-(xK(CQ<gbE!uo-ct({xjk-*(K3=4b2
zuZ;EzSTEFKBtAl-Y8l=R*0oyp4c|8Hu<A_TRga2_IR3O)Z#Sv=f)G{j@$4)Q>^kg9
zVv%&KY3!?bU*V4X)wNT%Chr;YK()=~lc%$auOB_|oH`H)Xot@1cmk{^qdt&1C55>k
zYnIkdoiAYW41<U-q!=TqI<2ry9=m3D#)D^9-z8@sblghCY~vfX?X5t$KPF5bE#--%
zE5hxIRaHx0Xj9^l7<qXiyd@3`cU<of!XEaJ1U@*tv-q;5CI7%jj1+;qoyl(u34Kyx
zTwi$K?X7Phe&4^6RRa`$h5KJCs<~Ar*~m>zrRBfqR?9r^cpWIEqfS;|R#bIs4$cqA
zoq~$yl8h{IXTSdSdH?;`ky6i%+Oc?HvwH+IS`%_a!d#CqQob9OTNIuhUnOQsX;nl_
z;1w99qO9lAb|guQ9?p4*9TmIZ5{su!h?v-jpOuShq!{AuHUYtmZ%brpgHl$BKLK_L
z6q5vZodM$)RE^NNO>{ZWPb%Ce111V4wIX}?DHA=uzTu0$1h8zy!SID~m5t)(ov$!6
zB^@fP#vpx3enbrbX=<eanFKywoTJQhG@2(niq0oP7<R5Z?3qzMSy}E7WYo#&>vzol
zj^Bg7V$Qa53#3Lptz<6Dz=!f+FvUBVIBtYPN{(%t(EcveSuxi3DI>XQ*<e7R(p~Iw
z59+#M)uYI&a@UPC1IMUQX*f(>$HX~O{KLK5Dh{H2ir87E^!(ye{9H&2U4kFxtKHkw
zZPOTIa*29KbXx-U4hj&iH<9Z@0wh8B6+>qQJn{>F0mGnrj|0_{nwN}Vw_C!rm0!dC
z>iRlEf}<+z<vi^;1*|;$>&?Z4o3?C>QrLBhXP!MV0L#CgF{>;ydIBd5A{bd-S+VFn
zLqq4a*HD%65IqQ5BxNz~vOGU=JJv|NG{OcW%2PU~MEfy6(bl#^TfT7+az5M-I`i&l
z#g!HUfN}j#adA-21x7jbP6F;`99c8Qt|`_@u@fbhZF+Wkmr;IdVHj+F=pDb4MY?fU
znDe##Hn)<n&2RRZwLB>{D}<>vVhYL#)+6p9eAT3T$?;-~bZU%l7MpPNh_mPc(h@79
z;LPOXk>e3nmIxl9lno5cI5G@Q!pE&hQ`s{$Ae4JhTebeTsj*|!6%0;g=wH?B1-p{P
z`In#EP12q6=xXU)LiD+mLidPrYGHaKbe5%|vzApq9(PI6I5XjlGf<_uyy59iw8W;k
zdLZ|8R8RWDc`#)n2?~}@5)vvksY9UaLW`FM=2s|<qH#E;S20;V52?wL&5dX{o72+Z
z0FywvdTk{!EC;eL4ha(sv&@IG+>vyg>Remm=QGthdNL87$nR&TKB*LB%*B}|HkG64
zZ|O4=Yq?Zwl>_KgIG@<Nm24#{ff*;8vIRUT2g{<33$-hCA*Ib8=7nT4{VJ-HH4MLV
zIT25bC`h^*$P3+Yx*l|$yU`O)`Mbhv0n7XuDy|BiR*M8CJI><8i{Zw#P3q_CVT7Dt
zoMwoI)BkpQj8u(m!>1dfOwin(50}VNiLA>A2OG&TBXcP=H(3I;!Wd<ZETqW($r$}b
zQAfz<3tM=bQ%n$55j+bugZnrB#mmMWnY_~$z$Liaj`bJ38rjM<FDunrR#<^_1JENt
zu+3j^HqtsLHiNherQg9BtTZ6*`5u=2BqRzR-k~&QM}H%8Wtp~yT(x{XA+v{;Lk0T_
z8ZN}a;s?PGwtWpK@H2sUmlJ{<9{&n|P#c&W@4~v-%@c<EWQ?t#KLSmY9bDL{#7T?~
z76PxY&TkxgEcPdAIhcw*XW%cHKY+7+aX(-B-5MrXK50f+^TJP!RT6=!f<geMB`%Fd
zpZqq;(7VECXEvcw|AQDRe)aU3W}r0&1CN{y>PFe?r_e{%>bc6(Zk?6~Ew&;#ZxBJ|
zAd1(sAHqlo_*rP;nTk)kAORe3cF<p$fDY|A3iAZP$ueYIxQXJ+7w98(0U(!3@$IXC
zkArCaQGgWCTUEiE#Ljn4e2+xH8Lo+U&pRkmvSNL+lo$iGII$|wCe1zIC^v<yjtGc?
zbPEkKJ&O*&`bDbHgA@N}y7EOuEceoYIA&k#uEVgi3I3Y=_BkG)yv^|q$IgyV_I#%x
zis#68f%rr`5{z^U5Xvbb15OyZ7n3z;MKelR1ZnQZ?|9dO1LM(y5^1HBHewj8z0X6b
z5ns&>&tj>m&LsvB)`-y9#$4XU=Dd^+CzvoAz%9216#f0cS`;kERxrtjbl^7pmO;_y
zYBGOL7R1ne7%F9<i~hqkED!wXO5LBBco|+$qCFci6|!-WQ>M2~0a7Srciz=MeaMU~
zV%Y#m_KV$XReYHtsraWL<vKnB$+Zz-Psj~gMs%tLbl;djUW;H;u25)lZ~Qm%4FzzV
zfs~u@z?ywI*zMsCG+$x}k+Zt=z;A=9uoFZ0uyjL?unMSF6p`V2w|s^vq37hCdK<*M
zQG4HE?XU*W1jw^vfg9M{L@tofUxN*3g2Z~iPTJR8y3WBJ(gUv}lBzRwS|l?`_FLLt
zDW+p@*L9!&Q{&Zrmi{U_bUOaiNV1ZE_G|QIq57EotA?e^B=gl*)4mnUB{ID2*hS?K
z97*K-A4~i4U^!JB&H{YCj!coICIVY)QNpfeE&d15$&n^iL%ZPcjxr-(h$wToAxn2L
zPRdYf%644lF&Ct8opZ&DwcltfV$?3&sTTr>rdJItLtRiRo98T3J|x~(a>~)#>JHDJ
z|4j!VO^qWQfCm9-$N29SpHUqvz62%#%98;2FNIF<r)HDZh-H_}MwGugFOnYSqd%Sy
zI=YaMecE)Ud_fxgSR<n-(O`=`i9bA1ZwT6qs+cI!LFWB2FCcvPar+8o0PX}9gN%GU
z#oIy=fF~{NHiEcjJAgRPrJ{92E7!?|80I39UP!TZA$bl-0B38>*?c9hZ7GAu$q>=0
zX_igPSK8Et(fmD)V=CvbtA-V(wS?z6WV|RX2`g=w=4D)+H|F_N(^ON!jHf72<2nCJ
z^$hEygTAq7URR{Vq$)BsmFKTZ+i1i(D@SJuTGBN<J^d%g3-SsRr1Zq23^Y<XMk33u
z0YpIow(yh?q_G$W1G9T?O`wbI_&XbT=@+$4lm9L~7k=bD&%`F5G=A^k_|g(QrA7|R
zlKb%Fw^<1ppNM&?|K#tNLnJ^+TYlwL9RC;8+T<k(qy{d2CuhNoF@jMeCRv$p@)2rZ
z>3W8<ub;IgTVJz1Un@p7$E&xFXkfS;|BBLRtyYXByIi)rTxM@Bn`|z3wO{>{JpJ^J
zkF=gBTz|P;Xxo1NIypGzJq8GK^#4tl)S%8$PP6E8c|GkkQ)vZ1OiB%mH#@hO1Z%Hp
zv%2~Mlar^}7TRN-SscvQ*xVv+i1g8CwybQHCi3k;o$K@bmB%^-U8dILX)7b~#iPu@
z&D&W7YY2M3v`s(lNm2#^dCRFd;UYMUw1Rh2mto8laH1m`n0u;>okp5XmbsShOhQwo
z@EYOehg-KNab)Rieib?m&NXls+&31)MB&H-zj_WmJsGjc1sCSOz0!2Cm1vV?y@kkQ
z<1k6O$hvTQnGD*esux*aD3lEm$mUi0td0NiOtz3?7}h;Bt*vIC{tDBr@D)9rjhP^<
zY*uKu^BiuSO%)&FL>C?Ng!HYZHLy`R>`rgq+lJh<d&y2bxU%x2bp&;{EY>dXfo|df
zmkzpQf{6o9%^|7Yb<H9Djj73&=!H<l1fR%V0gHumtd=k;shCSDzmr2~L?7>5v{Tu&
zsP*Y~<#jK$S_}uEisRC;=y{zbq`4Owc@JyvB->nPzb#&vcMKi5n66PVV{Aub>*>q8
z=@u7jYA4Ziw2{fSED#t4QLD7Rt`au^y(Ggp3y(UcwIKtI(OMi@GHxs!bj$v~j(FZK
zbdcP^gExtXQqQ8^Q#rHy1&W8q!@^aL><u!}aGR8PHJwu92JD4JDlbnay+X<Ycn<ki
zD^80O2}kCVUWjex%^O<n@=mW<38)Qu_YK#S=N;)9mm7XNJJECSa=DJ$G|#yLf3~L@
z-HW4z+Cyl}+dB?P4cDZq;7|41V@~U!6UPdEGIJj(3NaGsZl6`hnAr?OX*FX_ttOXb
zsH?UN_o>g1v2R45T(KErWB)1rB@rU`#n&-?g2Ti~xXCrexrLgajgzNy=N9|A6K=RZ
zc3yk>w5sz1zsg~tO~-Ie?%Aplh#)l3`s632mi#CCl^75%i6IY;dzpuxu+2fliEjQn
z&=~U+@fV4>{Fp=kk0oQIvBdqS#yY`Z+>Z|T&K{d;v3}=JqzKx05XU3M&@D<Xziu0j
z$T_QZ!o|grC*e9F1-Dp?WgCQfrKo7wqcyX&!TI}mTs|pg4*U1gOy^7sU?zi1GJ1ue
z?TkG+pTl*xn`gl>5!uPTGydasyeZ5=1~IX-?HlM@AGB9|Mzb{{Dt@bUU8{KUPU@EX
zv0fpQNvG~nD2WiOe{Vn=hE^rQD(5m+!$rs%s{w9;yg9oxRhqi0)rwsd245)igLmv*
zJb@Xlet$+)oS1Ra#qTB@U|lix{Y4lGW-$5*4xOLY{9v9&RK<|K!fTd0wCKYZ)h&2f
zEMcTCd+bj&YVmc#>&|?F!3?br3ChoMPTA{RH@NF(jmGMB2fMyW(<0jUT=8QFYD7-%
zS0ydgp%;?W=>{V9>BOf=p$q5U511~Q0-|C!85)W0ov7eb35%XV;3mdUI@f5|x5C)R
z$t?xLFZOv}A(ZjjSbF+8&%@RChpRvo>)sy>-IO8A@>i1A+8bZd^5J#(lgNH&A=V4V
z*HUa0{zT{u-_FF$978RziwA@@*XkV{<-CE1N=Z!_!7;wq*xt3t((m+^$SZKaPim3K
zO|Gq*w5r&7iqiQ!03SY{@*LKDkzhkHe*TzQaYAkz&jNxf^&A_-40(aGs53&}$dlKz
zsel3=FvHqdeIf!UYwL&Mg3w_H?utbE_(PL9B|VAyaOo8k4qb>EvNYHrVmj^ocJQTf
zL%4vl{qgmJf#@uWL@)WiB>Lm>?ivwB%uO|)i~;#--nFx4Kr6{TruZU0N_t_zqkg`?
zwPFK|WiC4sI%o1H%$!1ANyq6_0OSPQJybh^vFriV=`S;kSsYkExZwB{68$dTODWJQ
z@N57kBhwN(y~OHW_M}rX2W13cl@*i_tjW`TMfa~Y;I}1hzApXgWqag@(*@(|EMOg-
z^qMk(s~dL#ps>>`oWZD=i1XI3(;gs7q#^Uj&L`gVu#4zn$i!BIHMoOZG!YoPO^=Gu
z5`X-(KoSsHL77c<7^Y*IM2bI!dzg5j>;I@2-EeB$LgW|;csQTM&Z|R)q>yEjk@Sw%
z6FQk*&zHWzcXalUJSoa&pgH24n`wKkg=2^ta$b1`(BBpBT2Ah9yQF&<s0t#=CvrrS
zhID}v^bURD{xYt-7G^$r)TW*tHPfwa<MygGIW`SIzn~^mpOlkddrC2QnaKRX^i|}+
ztb9<mhSg<Qxk*l=ZE}+5_uD(mzp&OPh211AXsFW}kd_5%1?CrhNsJe#*Y<ZlnvU3i
z9FSrFY?Dr^Z=A0b%B#l7!s~@FV})h2QE2dq9XU8D;k$CT$b*|~B+ozO*7MGpG-4l_
zHB>Kh+3jTaSE|=vChGz2_R^{$C;D`Ua(_=|OO11uLm;+3k%kO19EA`U065i;fRBoH
z{Hq$cgHKRFPf0#%L?$*KeS@FDD;_TfJ#dwP7zzO5F>xntH(ONK{4)#jYUDQr6N(N<
zp<gr$yEF+Bh<8VMyl!Z~38n3=ExaSY0h2rbMXGGeh?xbO6ZTOM{<7x2ScCLhXP2Ft
z)INnh8dDXY+c;~$2FxS>+fAS9l9)^c4Ss8628Zq5AzMq4zc(In_yJSXAT57Dtl}@=
zvZoD7iq0cx7*#I{{r9m{%~g6@Hdr|*njKBb_5}mobCv=&X^`D9?;x6cHwRcwnlO^h
zl;MiKr#LaoB*PEL<dy!vtQo2cB(_!Lx!l45orL*11H7TM(b>m8+8%btnC)b^E12!^
zMmVA!z>59e7n+^!P{PA?f9M^2FjKVw1%x~<`RY5FcXJE)AE}MTopGFDkyEjGiE|C6
z(ad%<3?v*?p;LJGopSEY18HPu2*}U!Nm|rfewc6(&y(&}B#j85d-5PeQ{}zg>>Rvl
zDQ3H4E%q_P&kjuAQ>!0bqgAj){vzHpnn+h(AjQ6GO9v**l0|aCsCyXVE@uh?DU;Em
zE*+7EU9tDH````D`|rM6WUlzBf1e{ht8$62#ilA6Dcw)qAzSRwu{czZJAcKv8w(Q6
zx)b$aq*=E=b5(UH-5*u)3iFlD;XQyklZrwHy}+=h6=aKtTriguHP@Inf+H@q32_LL
z2tX|+X}4dMYB;*EW9~^5bydv)_!<%q#%Ocyh=1>FwL{rtZ?#2Scp{Q55%Fd-LgLU$
zM2u#|F{%vi%+O2^<ba$kF;<;;Rt95z5<wHL5K(j+Q8k$UbpgxRp3j{Mp^w)B^HfYf
zDA0hRMhNbE2=Vj2YiL~z1)_|?;fh9jerBnuTe?P4hal2R4f7=m$Q(~VOU_C<;|0{Z
z3|u!g6zg=FOiT;#Yow7zlAZMlBeju5?i6<U#@UV0Bb~8OCe{A7Ccmu?Gyqdhjg(s#
z+lg05=w;`87GW>~uK3)?$6<Ii6i|CibK0rXDvO^#;fkTXF9V{wZfQL2cW5uAO1K21
zyr@nFcEG^iu`2#R9oGU;Lq1G%agZl2%SOI7JXztK#Z;$;)Lz*}ur422VHM7@=-v?f
zBlBe`7E*iZpFhhLUcSr4=IECR7@1F_Ml2FfW0MO&eq+fQw8MX@4v0dY1>>9cc7_}F
zWU72eFrzZ~x3ZIBH;~EMtD%51o*bnW;&QuzwWd$<Sv0&$GkytlNUOK6=cE?4aMBme
z1h#{t_Gn%>ds=O>Ev807cu%>Ac^ZK&7bCN;Ftk#eeQL4pG0p!W{Ri@tGw>nhIo`rC
zi!Z6?70nYr<u`@synlh-MYS0<B^dq282OT7OFjP<^MkKg!2Li61nIAG$0&EsmPTPr
zR)}<%a~xy;pP3@S-zf2+&bEh1;6wodY7P24J|Iev;5LQ+!5jDK@1Jw&i1XSXY*mE}
zt$!>Nf92V{Y_i(a4DG=5>RktP=?%GcHEx?aKN$@{w{uj#Cqev$bXefo?yC6KI%Rol
z%~$974WCymg;BBhd9Mv}_MeNro_8IB4!evgo*je4h?B-CAkEW-Wr-Q_V9~ef(znU&
z{f-OHnj>@lZH(EcUb2TpOkc70@1BPiY0B#++1EPY5|UU?&^Vpw|C`k4ZWiB-3oAQM
zgmG%M`2qDw5BMY|tG++34My2fE|^kvMSp(d+~P(Vk*d+RW1833i_bX^RYbg9tDtX`
zox?y^YYfs-#fX|y7i(FN7js)66jN!`p9^r7oildEU#6J1(415H3h>W*p(p9@dI|c7
z&c*Aqzksg}o`D@i+o@WIw&jjvL!(`)JglV5zwMn)praO2M05H&CDeps0Wq8(8AkuE
zPm|8MB6f0kOzg(gw}k>rzhQyo#<#sVdht~Wdk`y`=%0!jbd1&>Kxed8lS{Xq?Zw>*
zU5;dM1tt``JH+A9@>H%-9f=<q<+LVr{M#T<q^Cnc-&?xMZN&ijTkf8?0<(syaVN;&
z(C3Efq5EyyrE~N$#X}_S8c^@i6}!4ZVjtXj?-J{FtLW*bQ{65S1G|KSG!!l69P$zC
z{siN1*3l-kL=tqVq$_mWRT&v!^(EH-d>EnW)UkRJe0+e^iqm0C5Z5?iEn#lbp}Xso
ztleC}hl&*yPFcoCZ@s<vLB4vKL);?UQ8SNsN-4lT7E(h++9yfu0i+RG?zQZ`Vyu!N
z2csF4b4_|Yj8d3fGl192T|jkwza^`sMg!wyzjg4YT*3%R=hCis_KugR){yZ{69#*3
zK<)AFqpKOIQ3(`3fk3V+JNe31%APK*Q^d*1qjD!07S=F+NAlE*3L1Zbd=12fPr9W#
zjsGg@L~A0y+Dv6%JO9(Ta*Ah3uR3g(3z}G`82M)ekyTxF_;RCYSlBdkw<IaMsMQ?e
zbsMfyKpLJ)Okmnzl2(R+c-sy1Ki;aKK-sU-FR6hwy#IRr72%A4)qj-ug11pmglUA^
zU@_5Gw6!(Wdy$iHzby;~7AhGdig(Mkgk1LPjq5QFk0S4Cl+LBU^bzgEux96pNv;KN
zUR+$IJ#$~DWu^%Nz(1&3Se2cJg9EwK1ih4HlD~*P+AU9y9Gh^R$@}B0u-*gkxP!N`
zI`OEtCMx2=OXR>gvvjBA_Ew6msFml$cfLQY_(=h03WS_z+Leeh$M3#-?f9YT^Q($z
z+pgaEv$r<Ugeur|SR*p$+UFDnLL;xoN-%!T43feTdR&aK^iX*=YkAhKCcZGH6=Hc`
zK<f-)!~rlB=sV5y>Ia*9wST`WHASQio=9IaVS7l<87%;83~X*`{BX#@>>p=k`@FYo
ze!K5_h8hOc`m0mK0p}LxsguM}w=9vw6Ku8y@RNrXSRPh&S`t4UQY=e-B8~3YCt1Fc
zU$CtRW%hbcy{6K{>v0F*X<`rXVM3a{!muAeG$zBf`a(^l${EA9w3>J{<NHaZSe3Dx
zY8Dg(e$l6m2U+$Er9e(r#AcIf<kD?-fMtOH$;$Ez#?uh-p(moA2-$e?HZ?d3`gHO^
zLs#=xyRr;&%j-2s;@q4VtWbGT-(B6wwnV|+r>aPwJT?mKVN2ba+v)Mp*~gQ_+Ws6=
zy@D?85!U@VY0z9T=E9LMbe$?7_KIg)-R$tD)9NqIt84fb{B;f7C)n+B8)Cvo*F0t!
zva6LeeC}AK4gL#d#<LpOpPalt`s^?A%fPT!zdEW(FA^EFVBGD5=s#;p_o>N_HvvD&
z0;mdU3@7%d5>h(xX-NBmJAOChtb(pX-qUtR<NGf~8Y({*{Qd2}r;MLZ_vin>LF5f$
z`X<bri1=?cM=8<+71}cIK~u!^Xc=hLQi+++$ZeGh>?Kpu?ENMc88>O&ym_$Jc7LZ>
z#73|xJ|aa@l}PawS4Mpt9n)38w#q^P1w2N|rYKdcG;<tU5_YID!TW~j<gG_D0?bfZ
zAx5SYdUR0;(Qp~TWf)<@H*?|jqIg?jv>nb!_nHMZA_09L!j)pBK~e+j?tb-_A`wF8
zIyh>&%v=|n?+~h}%i1#^9UqZ?E9W!qJ0d0EHmioSt@%v7FzF`eM$X==#oaPESHBm@
zYzTXVo*y|C0~l_)|NF|F(If~YWJVkQAEMf5IbH{}#>PZpbXZU;+b^P8L<V=zh^PmD
zL`7&OcUEqxV0p9pX<02z-THUDhdvEGk97J;t-GBJ<nF(C?^w$|%4@|~DP~oZlYgIl
zuI+NRKR*sNKvHH6R=w{`+FIkv?XA>WmlmDJ%Zu)4CajvRL!g_Faph`g0hpA2)D0|h
zYy0h5+<vXcbvZ!}-Ti2$yE64n^Sfk2I--2XL&qjovG)2_V|^=LBv9V~JglT}?G{~<
z!pmh?-EZ?Hnt@nUC6p23YL!L4k^U?vrZo%<4hyajBFhPn!n$|mWN_#4En32u<1zn!
zu-nPRAo(%8b6>@4T81(s0D=crojdj|dYa{Y=<2zKp@xl&{sHO;#|!uTHtTey25f1U
z#=Nyz{rJy#@SPk3_U|aALcg%vEjwIqSO$LZI59<YMW2T5A_lwnC?F0LTE49h#h(4+
z5@#;o=aOg6Ty^S7NeNEi8BQv>^;Mu~Swb53L+>oxWiN7J{;P*(2b@ao*aU~}-_j10
z@fQiaWnb}fRrHhNKrxKmi{aC#34<Ne?5f?i(t}|X_E14g4c;<RChmG6j68+0n_%a=
z5|bnIjoCZq*qma>BRP(a#0K>-J8D+v_2!~(V-6J%M@L{s?fU5ChwFfqn)2$siOUKw
z?SmIRlbE8ot5P^z0J&G+rQ5}H=JE{FNsg`^jab7g-c}o`s{JS{-#}CRdW@hO`HfEp
z1eR0<hko%0^tlAD{Bs=wlKM5<olTH(jMXi+3-x##vBp{A3eZRJrKN8uvd%5RzMT#n
z68`b?pf9bXk0(J)&vOsl{d9K0)2Cr%Vk3VloUq}n%`ke311Pl4;%DuDh2;4Z>DsN!
zt5xmsYt{Uu;ZM`CgW)VYk=!$}N;w+Ct$Wf!*Z-7}@pA62F^1e$Ojz9O5H;TyT&rV(
zr#<BLuF>IBM8<W03YGL3%?f^4_AqtJpyj#h&p$VI3rl`I`^taW$jxAML<$(BdMwx_
zlLmr$vOaoI0IA<o)>te~-2t2;kv2xm&z%tt3pyt|s#vg2EOx1XkfsB<u=a#QAHFyw
zH^#er(Fasy7e*uyj*LRn;;cw)`8HoCa<6waLzyN|B}26Z?f#|l5{!Lo7xhOuO!}qW
zbC^9ND3VwU&(zUs<yvQCMiiM!;ElHzg2J~V^hj}-Lfwl~SrFWideTJ|+XrQuCDiS<
z)vM6eQf~V@yT)+mzn`+@eTvHTgxq*XAn*5~P%Kpv#89KZUu>*RM;D>ab$W-D6#Jdf
zJ3{yD;P4=pFNk2GL$g~+5x;f9m*U2!ovWMK^U5`mAgBRhGpu)e`?#4vsE1aofu)iT
zDm;aQIK6pNd8MMt@}h|t9c$)FT7PLDvu3e)y`otVe1SU4U=o@d!gn(DB9kC>Ac1wJ
z?`{Hq$Q!rGb9h&VL#z+BKsLciCttdLJe9EmZF)J)c1MdVCrxg~EM80<OYrqK%FS_O
zx}L#|X%K3tWqV@0vzDsnnR3Yz?SjfReMeOp#n1B7DSod$5n^}wbM_)dHEDu_nV)?R
z!c3rf)Of{=$5uKL#I@V1Ws|Z5fZ4NpoMn{Vt{-gR^QY-}n)k?MJLe+(H*DLi@ubuD
zJ>_b3k{ur=jVjrVhDK1GTjd3&t#ORvC0Q_&m|n>&TF1C_>k^8&ylR7oz#rG?mE%V|
zepj0BlD|o?p8~LK_to`GINhGyW{{jZ{xqaO*SPvH)BYy1eH22DL_Kkn28N!0z3fzj
z_+xZ3{ph_Tgkd)D$OjREak$O{F~mODA_D`5VsoobVnpxI<L#y)dT{XZ@6C1AwZkx=
z#&n}Q%H5?TjCQfym&hus3U5BHHIrCx1lCD^^tf!XhezUxy8nw6bXYs))PhzY)EbV~
z3_uarYiYvr3Pwc2$wF1I24aXT5%LN$)?(Q8ezWWgqA6SimfTwJTLp0QrC{lEbrWx)
zJ;3xJ%h9biZ#RRkBdua)Y&WiYHVQr56z{shOIS=w&x(H=87V2*HYE2h0gb!qf{Jvq
z^Y==~Gp_|z$%Yc`0s9OhhH~H)!fwAop3O+L?QQ&)<5x(4oOcNSU`gIBbPz$19h8Vi
z=x{Sq{n8pR)3(2lByb(h#PyQT+r6_RQ~eScAm}hch0nJiuE6tB&ns}cLsxs|ui(=>
zV0F_79%JB!?@jPs=cY73FhGuT!<K$a=G|53e{10$p+byZeKD{oLj89mh@LC}=%NX0
z;*KNX7R-K^!*zxK691T$=ETKR3FMLcQe#X=<6^Ubhq;0af0G`<fK*adOjW173pl<B
z01`*u%;G66RFIDk4yL`Xeck?Ec|CUlA6<`FzY$xfm|b6;?e52Vf1?xaS(4T=peR5I
z`?V%dkA|C!r{l_7!OGwBXtbID_FDLfk@nuPBO#I2YcSR_(&2p~ezLTg$*hJyS9id*
zIVqsN$5(G<j!-p(3x6BVMb~3eT}-TWte&t8Hw$UAjb%!=vt3(V#FxL>?fpVX1W=Wm
zK5}i7(Pfh4o|Z{Ur=Y>bM1BDo2OdXBB(4Y#Z!61A8C6;7`6v-(P{ou1mAETEV?Nt<
zMY&?ucJcJ$NyK0Zf@b;U#3ad?#dp`>zmN<gr`{4O%cMrKxJwRla^p0?!O?&AEgD?v
z+o$qCnnug51;!OM^et<=@e!eMXwUGFJXwg~`R((9W1ml^g2V_H^M~P?j;4e#lHGTQ
z@o$?Z;gOHRYcLSD_PBHaO);T6r9aGw>n=H1&-<Xr>H`Y+)ai-TfyZJX@O&nRB*7j$
zDQF!q#a7VHL3z#Hc?Ca!MRbg<t0CM<jNd$9g{^<cPIWj4e6fx|J;XcBe<*U<nwT?=
z|2dLWm#eObkDu9iqDM9n+dIe!&FvDUWehAEb@;_47iOsYhZJ1`$c&IWG&}fV$2)}H
z$Ag?+n{DXVCqvJ=xR_!Y(QY$HsT4GoXpk@2mNXrU7sE_1ouq{duV;<HzGQ?qpd*wp
z@ZzwS=W7<)0Hr(b4ettbWO2^GYSwO|sWaRtx#Mtwp4TWZlPkdry}8Q423of>L`daF
zW#;L$yiQP|5VvgvRLluk3>-1cS+7MQ1)DC&DpYyS9j;!Rt$HdXK1}tG3G_)ZwXvGH
zG;PB^f@CFrbEK4>3gTVj73~Tny+~k_pEHt|^<lR`mlNFIi9z2bxO*+RL86KeAWH4$
zU4VsFpeQG~WVDSof1UN^o@%PJAewV!QpQH-VHGj;=}0vP`eH{TpWLIqcJqm)jkN53
z<II)B6VMc5@{*J}uF{>eLw{?6NbG&`Ng9diB9XsMr(ztNC!{FhW8Hi!)TI`(Q|F*b
z-z;#*c1T~kN67omP(l7)ZuTlxaC_XI(K8$VPfAzj?R**AMb0*p@$^PsN!LB@RYQ4U
zA^xYY9sX4+;7gY%$i%ddfvneGfzbE4ZTJT5Vk3&1`?ULTy28&D#A&{dr5ZlZH&NTz
zdfZr%Rw*Ukmgu@$C5$}QLOyb|PMA5syQns?iN@F|VFEvFPK321mTW^uv?GGNH6rnM
zR9a2vB`}Y++T3Wumy$6<!67?cC%>`W)_c0PS*L;;0J^(T7<)`s{}lZVp`e)fM^?{$
zLbNw>N&6aw5Hlf_M)h8=)x0$*)V-w-Pw5Kh+EY{^$?#{v)_Y{9p5K{DjLnJ(Z<ay_
zQ|zCgJ7Z<@f^IyT#!w8xRb(NaD!Nm0u%yH}t?$zg)w^&IK4Z`0m)_RSq1QCUJEibT
z7kQvMAXo4U!zLzUk>Ucyk*y(6D8wHB8=>Y)fb_Pw0v)Xybk`Sw@hNEaHP$-n`DtYP
ziJyiauEXtuMpWyQjg$gdJR?e+=8w+=5GO-OT8pRaVFP1k^vI|I&agGjN-O*bJEK!M
z`kt^POhUexh+PA&@And|vk-*MirW?>qB(f<fb}iMf`M1*cE2&^ns<lAgNbe9%8FD$
zwjvM|R2me}U1H(R)#ASROdqw^rZnHr0&f97^OKn&Qj^OAr-J8;B23)_uUb<>%y{ux
z*d44UXxQOs+C`e-x4KSWhPg-!gO~kavIL8X3?!Ac2ih-dkK~Ua2qlcs1b-AIWg*8u
z0QvL~51vS$LnmJSO<hpkIr+#{?3T{F9>nV4JUCUzg&4;bSsR5r_=FD@y|)Y2R_--e
zMWJ;~*r<i!;TA2bZ)HKh8;KT9<ZHJ@A^xz#EfNXNM<Iaxvn=m=sJYOJ@7H!t#H3v1
zI%NsU5_wkr0!QqEEvXG^6jST`^S>=vJssF5_*n?wF0DO_>Mja=g+HvT=Yd^uBU|aw
zRixHUQJX0Pgt-nFV+8&|;-n<aRd<Z#DH?k4n__AwYiBH~b*I+O${aSV!V6<4WmU!Y
zsadZ+r7y_;@eome8lEH+W|l)H7<g)uB&cK=<NbeH>>!jNUj!8Y_YzH*%M!-_uWt6&
z|Ec+lAD``i^do;u_?<(RpzsYZVJ8~}|NjUFgXltofbjhf!v&208g^#0<NyCEi~Rq?
z$PwqiMoc*zc>h-x?`z8cInq!9kfVwJ|HQ;VK>p_-fn@(3q?e51Keq(=U-7C0#as-q
z8Or}Ps07>O2@AAXz_%3bTOh{tKm#uRe}Sqr=w6-Wz$FCdfF3qNabEaj`-OfipxaL-
zPh2R*l&%ZbcV?lv4C3+t2DAVSFaRo20^W_n4|0t(_*`?KmmUHG2sNZ*CRZ<Vl7Sz}
z4RnAGishdzC)X@en*4i_sx;)tVg`me7}2q6vh`wr8N?~M3=EDah6vkFwplEVbilC{
zEBNTu$^DB(nS>lCFIyZbJqLdBCj)~%if)g|4NJr(8!R!E0iBbm$;`m;1n2@(8*E%B
zH!g{hK|WK?1jUfM9zX?hlV#l%!6^p$$P+~rg}OdKg|d^Ed4WTY1$1J@WWHr$Os_(L
z;-Zu1FJqhR4LrCUl<W{I<bh|WpctYa0aa`ugIHt3z@UVpXlgD<(WK=XGQjmCkmV!5
z;MYY_v#}DQ2DB;%lGYKUcMJ>)C~E7gA!^wtA6YIh10In9rX@LGSjnTPtLp+gPGp6u
z3}{?J1!yT~?FwqT;O_-1%37f#4ek&DL){N}MX3RbNfRb-T;U^wXhx#De&QssA$lu~
mWkA_K7-+yz9tH*t6hj_Qg(_m7JaeTomk=)l!_+yTk^le-`GmOu

delta 34176
zcmX7vV`H6d(}mmEwr$(CZQE$vU^m*aZQE(=WXEZ2+l}qF_w)XN>&rEBu9;)4>7EB0
zo(HR^Mh47P)@z^^pH!4#b(O8!;$>N+S+v5K5f8RrQ+Qv0_oH#e!pI2>yt4ij>fI9l
zW&-hsVAQg%dpn3NRy$kb_vbM2sr`>bZ48b35m{D=OqX;p8A${^Dp|W&J5mXvUl#_I
zN!~GCBUzj~C%K?<7<Lh)kN@p@FGCC|S+xWQML0moHteKXeb8wJdQH-gjR&7XH4^`G
z18O**eOiwBMhV|yW}+)H1-qhO2aiyh%|2AVjN^2;YOavpiJ0<eag))8h36*<J}UmM
zh5)@`0psU<7DA@>+UZ_q|L)EGG#_*2Zzko-&Kck)Qd2%CpS3{P1co1?$|Sj1?E;PO
z7alI9$X(MDly9AIEZ-vDLhpAKd1x4U#w$OvBtaA{fW9)iD#|AkMrsSaN<NH{Yj<;r
zJR^3Ei65zvOeKyy368On7xFr|udQdRg!uvBg!o!BMrLO4`R~=WSNU)FX3DN?UiRax
zt1Nc*-cP@`?<QFC2v<*!x!PMc9!`H@mKU%%&E@IsfX5sqlj5iC9s3zUdp-4#$Pj{D
z-ud{50Mow^jMOt&t!;$ig-cEDVcZ_LuIYDHKBg^7I=ypK+jgs5kU>z(69;h1iM1#_
z?u?O_aKa>vk=j;AR&*V-p3SY`CI}Uo%eRO(Dr-Te<99WQhi>y&l%UiS%W2m(d#woD
zW?alFl75!1NiUzVqgqY98fSQNjhX3uZ&orB08Y*DFD;sjIddWoJF;S_@{Lx#SQk+9
zvSQ-620z0D7cy8-u_7u?PqYt?R0m2k%PWj%V(L|MCO(@3%l&pzEy7ijNv(VXU9byn
z@6=4zL|qk*7!@QWd9imT9i%y}1#6+%w=s%WmsHbw@{UVc^?nL*GsnACaLnTbr9A>B
zK)H-$tB`>jt9LSw<e?{;w%G1n2P1|J0yx{P*t9jy^kFBQA#W^mMH}$k)?g@xYa+r6
zlJ|^>aY+4!F1q(YO!E7@?SX3X-Ug4r($QrmJnM8m#;#LN`kE>?<{vbCZbhKOrMpux
zTU=<lXsfLv18QvxbhhA4+*COFL{lUUKwTI^?+b!W)%bL{5ICeYgxi==?r7ml!xm!7
zhdowRK-_IXtccBJOk{G;-<SoBvpq6sZLl$N`1P40zF|?WL@Z|Q9X1BGIgTLA`g8zK
z6>02hy${;n&ikcP8PqufhT9nJU>s;dyl;&~|Cs+o{9pCu{cRF+0{iyuH~6=tIZXVd
zR~pJBC3Hf-g%Y|bhTuGyd~3-sm}kaX5=T?p$V?48h4{h2;_u{<w17YEUL6d7r?`IW
zC*$~_<n<G0=2K)oe-lc+anc79OB&v^xcsx>b}8s~Jar{39PnL7DsXpxcX#3zx@f9K
zkkrw9s2*>)&=fLY{=xeIYVICff2Id5cc*~l7ztSsU@xuXYdV1(lLGZ5)?mXyIDf1-
zA7j3P{C5s?$Y-kg60&XML*y93zrir8CNq*EMx)Kw)XA(N({9t-<qoKDSToyx=0O<F
zcZOoLjIgey#`z<{D=F=|jxIUj7G)oJ<z}l*I|pAYR$!%#pP+(2spDO4`pdL|xx}1{
zoCp>XAdX;rjxk`OF%4-0x?ne@LlBQMJe5+$Ir{Oj`@#qe+_-z!g5qQ2<A}CkiPnG%
z#<9e?dl5B^C&2WW>SxKQy1ex_x^Huj%u+S@Ef<hwN)i9H)8f1HlVw`IOD9pOk3F=2
zUFdA$C*zaFwUQBueYyoochf_SCZNJv(o>EPP-70KeL@7@PBfadCUBt%`huTknOCj{
z;v?wZ2&wsL@-iBa(iFd)7duJTY8z-q5^HR-R9d*ex2m^A-~uCvz9B-1C$2xXL#>ow
z!O<5&jhbM&@m=l_aW3F>vjJyy27gY}!9PSU3kITbrbs#Gm<n97W+KiQNM{Zc)RZRJ
zO9VM|sK^tMcU~i!8>0gD?~Tub8ZFFK$X?pdv-%EeopaGB#$rDQHELW!8bVt`%?&>0
zrZUQ0!yP(uzVK?jWJ8^n915hO$v1SLV_&$-2y(iDIg}GDFRo!JzQF#gJoWu^UW0#?
z*OC-SPMEY!LYY*OO95!sv{#-t!3Z!CfomqgzFJld>~CTFKGcr^sUai5s-y^vI5K={
z)cmQthQuKS07e8nLfaIYQ5f}PJQqcmokx?%yzFH*`%k}RyXCt1C<ET#?;-nOj&O_w
z0RjAX8jLRfx+{_%VvA`D$(8(CLoDsiJS|qdlA=Gf(}R42xBwFy^Y@K2Y2B5F73lIC
z_Y!h7$sAGI9OU(?0{R3(+-fA%SuZuc8k~w~-j=n9^J*)UAglq-zi6`BA?FFqiPk`=
zFg88a>hfv5KAeMWbq^2MNft;@`hMyhWg50(!jdAn;Jyx4Yt)^^DVCSu?xRu^<p^cd
z`AfT9K@W351Yp;%_)?5A+{-Sd(?fRZxF>$*&&=O6#JVShU_N3?D)|$5pyP8A!f)`|
z>t0k&S66T*es5(_cs>0F=twYJUrQMqYa2HQvy)d+XW&rai?m;8nW9tL9Ivp9qi2-`
zOQM<}D*g`<R@=@6xNeyfv+%3f>28wJ54H~1U!+)vQh)(cpuf^&8uteU$G{9BUhOL|
zBX{5E1**;hlc0ZAi(r@)IK{Y*ro_UL8Ztf8n{Xnwn=s=qH;<JNq#i!T6Ol{k1N4b^
z$<%S3ch|aFn`rrM7xp7Akdf|09MH!w#X^*^qWGG{=N4~T_X*vr=<9Sr1u0vsR}sts
z)nFJ(24Ixno*7<(J<m!__?DA*(CbmQp|*(D0(fX(I-?~pJ$dd#K$~K_UvNXKlCI0J
zAi?sKWY{_$3e#h0k$v$pwmR{i3$N!{^!LlUzPj3g^GFVYwXlrd2LlB<R)>fxkK+uL
zY)0pvf6-iHfX+{F8&6LzG;&d%^5g`_&GEEx0GU=cJM*}RecV-AqHSK@{TMi<FO;*^
zVIJ;K`_Wr?eL=2LPxeiG(NZ1XC=-->r1jaFf&R{@?|ieOUnmb?lQxCN!GnAqcii9$
z{a!Y{Vfz)xD!m2VfPH=`bk5m6dG{LfgtA4ITT?Sckn<92rt@pG+sk>3UhTQx9ywF3
z=<e;Zhr+VTogSTRTa`0dZhDEYFlz}iYJ-Ca|IInsl^}*}ws*9OfO%7=435_R)~{jX
z|C))|=(?2={M$D}=%iUpf}~t>$|RgTN<fa5trxoGzi!H8bL1;zwAZzO0dvgcXe@7*
zY^o`jnIo&H5j7~yXg%$-pqf(9s|<SUx!UU?X^UEuJZ$s34K@~hg}#3V7Z`DSr`YnM
zvIU1teWhe~+xESB+c<W5In8tK0k4NOX6yQKGIQC&FBWX~Q<%G1#g|49BQj)83&2%|
zUs<JZ#bIxoeZa-tcILuIpp|3uGrjDI|D_t;j#v#bOj@j6furiEu;aSGahA)d$u{2o
zqNVUdWs5~-2cc><=6-B4+UbYWxfQUOe8cmEDY3QL$;mOw&X2;q9x9qNz3J97)3^jb
zdlzkDYLKm^5?3IV>t3fdWwNpq3qY;hsj<HM2+6N#zwmbwcBhBpw2~<e#bkw}$`!Kn
z1)=dUBB{1-93?8Rgm^nY*tF;B7wJ85X%C|9a*1^ara~8e6Ph?%g(rj#aA~z51%f(0
zrd%qQA0cZ0Z2^@t)yso?$#(rr$H2>=pk9;P!wVmjP|6Dw^ez7_&DH9X33$T=Q{>Nl
zv*a*QMM1-2XQ)O=3n@X+RO~S`N13QM81^ZzljPJIFBh%x<~No?@z_&LAl)ap!AflS
zb{yFXU(Uw(dw%NR_l7%eN2VVX;^Ln{I1G+yPQr1AY+0MapBnJ3k1>Zdrw^3aUig*!
z?xQe8C0LW;EDY(qe_P!Z#Q^jP3u$Z3hQpy^w7?jI;~XTz0ju$DQNc4LUyX}+S5zh>
zGkB%~XU+L?3pw&j!i|x6C+RyP+_XYNm9<?|3Dg4wCcC?VQr<bzeKrSpw8b>`rtH<m
z^q>pqxvoCdV_MXg847oHhYJqO+{t!xxdbsw4Ugn($Cwkm<z&(cEdbmmHs@&T9(Qe{
zY0mG0W~lWDbhWX{<STjlgSTP0kYxL@HoRpRDzEHe(+0b)#tmEv>^+36&goy$vkaFs
zrH6F29eMPXyoBha7X^b+N*a!>VZ<&G<WRC+Em14oermb3Ag6>f3eeE+Bgz7PB-6X7
z_%2M~{sTwC^iQVjH9#fVa3IO6E4b*S%M;#WhHa^L+=DP%arD_`eW5G0<9Tk=Ci?P@
z6tJXhej{ZWF=idj32x7dp{zmQY;;D2*11&-(~wifGXLmD6C-XR=K3c>S^_+x!3OuB
z%D&!EOk;V4Sq6eQcE{UEDsPMtED*;qgcJU^UwLwjE-Ww54d73fQ`<mR8A?eX*vOu(
z;s!AeRF7I0k*#FrPh}Ask{q+pF}CGNj<O)=(?Ka}%Tcfb=@JBbsSO=CT&lP}la&!T
zB*Gtuxukvb<;Db%3gAA$>9Sv%^H>juEKmxN+*aD=0Q+ZFH1_J(*$~9&JyUJ6!>(Nj
zi3Z6zWC%Yz0ZjX>thi~rH+lqv<9nkI3?Ghn7@!u3Ef){G(0Pvwnxc&(YeC=Kg2-7z
zr>a^@b_QClXs?Obplq@Lq-l5>W);Y^JbCYk^n8G`8PzCH^rnY5Zk-AN6|7Pn=oF(H
zxE#8LkI;;}K7I^UK55Z)c=zn7OX_XVgFlEGSO}~H^y|wd7piw*b1$kA!0*X*DQ~O`
z*vFvc5Jy7(fFMRq>XA8Tq`E>EF35{?(_;yAdbO8rrmrlb&LceV%;U3haVV}Koh9C|
zTZnR0a(*yN^Hp9u*h+eAdn)d}vPCo3k?GCz1w>OOeme(Mbo*A7)*nEmmUt?eN_vA;
z=~2}K_}BtDXJM-y5fn^v>QQo+%*FdZQFNz^j&rYhmZHgDA-TH47#Wjn_@iH4?6R{J
z%+C8LYIy>{3~A@|y4kN8YZZp72F8F@dOZWp>N0-DyVb4UQd_t^`P)zsCoygL_>>x|
z2Hyu7;n(4G&?wCB4YVUIVg0K!CALjRsb}&4aLS|}0t`C}orYqhFe7N~h9XQ_bIW*f
zGlDCIE`&wwyFX1U>}g#P0xRRn2q9%FPRfm{-M7;}6cS(V6;kn@6!$y06lO>8AE_!O
z{|W{HEA<ltk<^3&v(zsFX*bwn-7C9ar58A%@T#a2aBXBI3o8y|0%iXyV|l}sg<m!U
zT-k`jQb^8oQ(X_pliK#72^1&??md*<37!Bk(#NKKogWc3``(E}^iGHbqW0g7K=ab9
zUpQLYqhr5^vY&U1qg(xAv~ioY%|o`fES|sX{~Wc{ICx(f+xCyUQrPRZo%C)iUsb?a
zew2`T0vB@=rlln7nHw`MOepMp{ML^Ja1HQ#K5&NkV!sK<&i;~{TAs9+9gJ+;Lz$da
zS};~j46utcwL=M>bI0eD$z9tQvWth7y>qpTKQ0$EDsJkQxAaV2+gE28Al8W%t`Pbh
zP<xNDbl}BXrCZDI-ZIp5KNryWfd5bbbb`{6SD?OqGei3JO+_9Y0^=JD49vHrX%anv
zx});E3Pu1^ut&6#2_NeA4BT3`JGz8npG~rjS&&I~|7dIHW39&8ddY=MbOQ07^K~#4
zAG+`}_`B-xd@Z|;49eO;uCH?5F>l#%_S@a^6Y;lH6BfUfZNRKwS#x_keQ`;Rjg@qj
zZRwQ<VVZO-GvahB#0&T?91+}W8%P`g+CV*WTDcQ*ECFq*EHu?RdUx6LGyt0&7`Ke<
z(79}oUUG8J6UjGrhsg*-n+Rzoc4V@;e92&Fv0kzs^dCx1BLpw}k)lbrZ+!!4b9rh_
z{{2T!5K`M=B=D3khI9L_t!YX2loweH^^dUIKs*I^r|TIqcqitK3=NKDIU!(-Fg-cJ
za`ZI<4s`pPup!z94p%kUdn`lUG3}x)93kQpWvT(t+fqvi%M1$&iX<2wVFk(pY2$hw
z;e()Ntun1;jRBx1Z_weKQ&VAEOVyzxlq3KpHRdO0*!<udc458*N}Tk<yvh(lq)+w`
zFEEJtD{)&$;xqmiHT}}u4L}!;Y0mFCG2c*If`gd*;VV3Vr8aURePSQ2wwxyp-Zg;}
z2y5*0{Ns5&4yo$wW`M$Wj^j~)lpJ%p0cE61bW)~~n2lIIinNG2#<)ly#Dd$&{nJPv
zg4t&sQ>XZd-rWngbYC}r6X)VCJ-=D54A+81%(L*8?+&r7(wOxDSNn!t(U}!;5|sjq
zc5yF5$V!;%C#T+T3*AD+A({T)#p$H_<$nDd#M)KOLbd*KoW~9E19BBd-UwBX1<0h9
z8lNI&7Z_r4bx;`%5&;ky+y7PD9F^;Qk{`J@z!jJKyJ|s@lY^y!r9p^75D)_TJ6S*T
zLA7AA*m}Y|5~)-`cyB+lUE9CS_`iB;MM&0f<l?>X**f;$n($fQ1_Zo=u>|n~r$<Jr
zR^#jf&wU3t7icxNwdO00+#eaU-n3>HvkOUK(gv_L&@DE0b4#ya{HN)8bNQMl9hCva
zi~j0v&plR<c*E(e0zzsewSSCWoYNe#zBz~4gPJgFZQI3UCOBaQQRa$tLad>sp?_zR
zA}uI4n;^_Ko5`N-HCw_1BMLd#OAmmIY#ol4M^UjLL-UAat+xA+zxrFqKc@V5Zqan_
z+L<vzaOW^{oV^!V7EZrt5zgiq1K|N3u8LNf1;g77T|EW9D_#STe{m<8-*ti95##sc
zyGd7O;e|{=b{s4r=uzKM#MLq2_E;Cl(9-pAG6@1SP&CT#ClJkT<QXn*!E+nh?X8yH
zcMM9Cu5gnFv(px!)SJCU0$OR|_#*aP@{anWc1hQYPQ<vIYfp}%E>oVX-Ub2mT7Dk_
z<+_3?XWBEM84@J_F}FDe-hl@}x@v-s1AR{_YD!_fMgagH6s9uyi6pW3gdhauG>+H?
zi<5^{dp*5-9v`|m*ceT&`Hqv77oBQ+Da!=?dDO&9jo;<Pz>=JkzrQKx^o$RqAgzL{
zjK@n)JW~lzxB>(o(21ibI}i|r3e;17zT<i-A5WFI)l0=DfsHm5h*a$|nW5w2Z&g&C
zfIgxfWxL<b7<;2;0#?vaiBe<amMP~Hu(BM=D~XPJ7}ZO*rIjib5G!Hs^`n3(-k2!C
z!UiS)1Z$XWmt$B+Er?b&6mkk#-D8jLY4v(Z+xBe4-ze{3Z8c}rWsNw!vUg{(e_E!O
zGy`+{2}jJyQpV^h@Z#T~xRhsp27NBzs^L@HyvOdwuq!yc4;~zS%a~%ld&pD6w$+^X
z4e>jdEl5c`Cn-KAlR7EPp84M@!8~CywES-`mxKJ@Dsf6B18_!XMIq$Q3rTDeIgJ3X
zB1)voa#V{iY^ju>*Cdg&UCbx?d3UMArPRHZauE}c@<I9zuOvh8{QaF~!8NmT14ZcB
zXDiDmH{)Nqe}et`?!f-+>Fdk;z85OcA&Th>ZN%}=VU%3b9={Q(@M4QaeuGE(BbZ{U
z?WPD<in~-M2H?eVIA^jvfi8U5&YUg%&UM*~ACg=ZhWs!uCP(%s`pq9sl~Rn<t^myp
zyBzUD^1Z%w8~>G+sjJSz1OYFpdImKYHUa@ELn%n&PR9&I7B$<-c3e|{tPH*u@hs<V
z<H3(ufuU6=m@PPl*Z5lGM+(I8E&;iIFkSFjg3169JAkH{U;A7oj2f|AG+4C#qrq+Q
zSEMgDyQI)s?9FfgI&>)Ci>Z@5$M?lP(#d#QIz}~()P7mt`<2PT4oHH}R&#dIx4<lE
zZM@x|FQ}SFXpD?iesWRPGe4;I$q-cmdj*5H_;}S&ml}cX6{lN;Hc9cQTAqNu`75Pu
zm)lpl05-+8mc%^XjQ*+==x*CFMVtN~s|N?yyj?nb@+0b65tp1aoBu<}P|sqT#oxbu
z^9TFiuY0AD1GFwI&Vgx(N@^#!xc>uq943D8gVbaa2&Fygr<d;h^~M>Sk3*whGr~Jn
zR4QnS@83UZ_BUGw<CYZIe2@PKT3-tK{$nVwgnd*Bz&L7Z=B%q|uGZL4XMBC&BC8z`
z)4RakhXH*19!wvlHiX`r;-qnceEtmXoaf9Zp<!_s;6!03b&^hmte9c568Cp_f0FC4
z@(8kb-pvrKkck`L9ixZbpEUWNQ0z@i@*Zn<GA0aPaURQm-ybWQ)C=W4nKD;in<YK)
z$64%N3;kIt{W*W&vFr90Wr=?+S%KEmK=Dy9&+KBnRXYEkzmZq_)xy)7^gtx11&*2l
zFT&6!U^|U`oJ*VvM^5Eh;*~96yk0B!PnHB-7=?Z<!C6~0J+Dn$C3)1UuE9Wd>;?@T
zo5jA#potERcBv+dd8V$xTh)COur`TQ^^Yb&cdBcesjHlA3O8SBeKrVj!-D3+_p6%P
zP@e{|^-G-C(}g+=bAuAy8)wcS{$XB?I=|r=&=TvbqeyXiuG43RR>R72Ry7d6RS;n^
zO5J-QIc@)sz_l6%Lg5zA8cgNK^GK_b-Z+M{RLYk5=O|6c%!1u6YMm3jJg{TfS*L%2
zA<*7$@wgJ(M*gyTzz8+7{iRP_e~(CCbGB}FN-#`&1ntct@`5gB-u6oUp3#QDxyF8v
zOjxr}pS{5RpK1l7+l(bC)0>M;%7L?@<gTpQHS2vT6B!6J&3W7)M@B+Riqg<&33yLj
zDz(l!s5Pz!g$so{@5)~9fIqA36)y?X;K=l3yijdZuqQpxQ-60#B4i){*o9>6t}S&a
zx0gP8^sXi(g2_g8+8-1~hKO;9Nn%_S%9djd*;nCLadHpVx(S0tixw2{Q}vOPCWvZg
zjYc6LQ~nIZ*b0m_uN~l{&2df2*ZmBU8dv`#o+^5p>D5l%9@(Y-g%`|$%nQ|SSRm0c
zLZV)45DS8d#v(z6gj&6|ay@MP23leodS8-GWIMH8_YCScX#Xr)mbuvXqSHo*)cY9g
z#Ea+NvHIA)@`L+)T|f$Etx;-vrE3;Gk^O@IN@1{lpg&XzU5Eh3!w;6l=Q$k|%7nj^
z|HGu}c59-Ilzu^w<93il$cRf@C(4Cr2S!!E&7#)GgUH@py?O;Vl&joXrep=2A|3Vn
zH+e$Ctmdy3B^fh%12D$nQk^j|v=>_3JAdKP<DgTp;^DIt;)F-EZ+0`lzs+uJ77mXF
zKO=n36r1cJ6ZeI&O)*O1QP@8JX7{q1%3ybU`ux1R!~W&-hs|$w8=(7Htli#B52kNC
zQ^VL@u3up6CP>t2YVusbNW&CL?M*?`K1mK*!&-9Ecp~>V1w{EK(429OT>DJAV21fG
z=XP=%m+0vV4LdIi#(~XpaUY$~fQ=xA#5?V%xGRr_|5WWV=uoG_Z&{fae)`2~u{6-p
zG>E>8j({w7njU-5Lai|2HhDPn<YS^8ehQhE5I<iRyh-9mT)mWhU$mn4$2>tQ(X@yB
z9l?NGoKB5N98fWrkdN3g8ox7Vic|gfTF~jIfXkm|9Yuu-p>v3d{5&hC+ZD%mh|_=*
zD5v*u(SuLxzX~owH!mJQi%Z=ALvdjyt9U6baVY<88B>{HApAJ~>`buHVGQd%KUu(d
z5#{NEKk6Vy08_8*E(?hqZe2L?P2$>!0~26N(rVzB9KbF&JQOIaU{SumX!TsYzR%wB
z<5EgJXDJ=1L_SNCNZcBWBNeN+Y`)B%R(wEA?}Wi@mp(jcw9&^1EMSM58?68gwnXF`
zzT0_7>)e<HsEdDR$NlH-Oz4z)4YK4*R4;r~#@Bf-qNf*W7N2rb$7_0t8fk5+&(AR?
zC<bDf1Ag^T@+r>p%6hid-*DZ42eU)tFcFz7@bo=<<wtaeOw^nO{PSb9Z|&*5Akk|K
zT2kaOkz6nI=><d29ZzfLPsac!Z^b$VBXIcmh|xmM@r6)Mz5F3JrGc)HCM;QKXdFn2
zN)F<RDq^r=d;jb2Z_(C<ZvTXP1meFPC<#c8lVpTKloUq~l@!Z@3NZ9Vm&6DNgWy6`
zT}ws|4y{dC<8Z`V4@yo&7N=2Lrz)W}q0uSpoVQq?bXwW`hPgX1VxJc#-*ykw$5f~i
zC|ut1-c`N^gj;icG!hG34qg7q@S4iL%Vod%yqRXM`*vS6e0@J#RM8K8!&}P;Cm)AA
z)coSDZ19_26LgSk3ec~JtbuRjAHdkaY|=S$lB0)roUPH^c%Bj9Hk?JTOI5=(QpBAL
z3sAe_Ulf+sv37C%@|)xs+e!7Qj4K_W!%anrHBA})sm;TbBl+0B6}Z)(%yc<S4D7=h
zfb2Z7*=sa~gIe^IJ52<6s26k2%UEB?h3dcZ_+%c$(i1?60)R)50crnWc*@*MJ7j?m
z+#_q#5p|jLUHhtmm6?Sn8@r$&TZ(yj%-c?;b-Jx|^5Dlk#go9U4yb7#!fULIqQBds
z&2I{W54>~CrLXpNDM}tv*-B(ZF`(9^RiM9W4xC%@ZHv=>w(&~$Wta%)Z;d!{J;e@z
zX1Gkw^XrHOfYHR#<ZxGz&lw$T6G0Nxnpuw>hAU=G`v43E$Iq}*gwqm@-mPac0HOZ0
zVtfu7>CQYS_F@n6n#CGcC5R%4{+P4m7uVlg3axX}B(_kf((>W?EhIO&rQ{iUO$16X
zv{Abj3ZApUrc<F~?Lk!w&f2Xtq>ar7Ck}B1%RvnR%uocMlKsRxV9Qqe^Y_5<iO7aU
zq3dedVPYS67#l$e6weB_b04g?APY5;b;`8Mge$lbj+y6C?EmJGf9^Ws=8R+H6IIt7
zKe|lohcPUhO~ppHQMA6xg5WT0HL*b(&d+ITYX&Vxg_jkc$c~ekjBwTWLMPMT{$RcV
z!!#NM$Q>C$xQW@9QdCcF%W#!zj;!xWc+0#VQ*}u&rJ7)zc+{vpw+nV?{tdd&Xs`NV
zKUp|dV98WbWl*_MoyzM0xv8tTNJChwifP!9WM^GD|Mkc75$F;j$K%Y8K@7?uJjq-w
zz*|>EH5jH&oTKlIzueAN2926Uo1OryC|Cmkyo<gXO1RvR0{t_&+f8HnilyXjJ;i5c
zxvz56DxWcDNyd~<XL{%_niD)o#)a~_BvNhsPHlrS(q>QZABt#FtHz)QmQvSX35o`f
z<^*5XXxexj+Q-a#2h4(?_*|!5Pjph@?Na8Z>K%AAjNr3T!7RN;7c)1SqAJfHY|xAV
z1f;p%lSdE8I}E4~tRH(l*rK?OZ>mB4C{3e%E-bUng2ymerg8?M$rXC!D?3O}_mka?
zm*Y~JMu+_F7O4T;#nFv)?Ru6<Jo9R8v(kHoGs?{2=?i%Iyi}0!42){}rxVvL!pJk>
z92r|old*4ZB$*6M<gaMZQRWjo$?vcL>40B;V&2w->#>4DEu0;#vHSgXdEzm{+VS48
z7U1tVn<u)EUy|Q1O0Ir9Rk;P;jjZ*6(#9^$Kg9d7dC=gOZg$lTVjzn?JP?E=U!^HZ
zZX5_RsBK=U`f|HJ?<gCGcIs3j%>#AnQ3z#gP26$!dmS5&JsXsrR>~rWA}%qd{92+j
zu+wYAqrJYOA%WC9nZ>BKH&;9vMSW_59z5LtzS4Q@o5vcrWjg+<k0<>28#&$*8SMYP
z!l5=|p@x6YnmNq>23sQ(^du5K)TB&K8t{P`@T4J5cEFL@qwtsCmn~p>>*b=37y!kB
zn6x{#KjM{S9O_otGQub*K)iIjtE2NfiV~zD2x{4r)IUD(Y8%r`n;#)ujIrl8Sa+L{
z<QB-&R!kciC=u%_Pu&BK7EGV1yUp_s@Qqpd^*Cf6xOgo*V|4$hGSSKA2WpaB33(Y*
zN`4+3BzbZ%lDtqn<HlZ9zS#|E)QFj}w@z>>ixGoZJ1K@;wTUbRRFgnltN_U*^EOJS
zRo4Y+S`cP}e-zNtdl^S5#%oN#HLjmq$W^(Y6=5tM#RBK-M14RO7X(8Gliy3+&9fO;
zXn{60%0sWh1_g1Z2r0MuGwSGUE;l4TI*M!$5dm&v9pO7@KlW@j_Qboe<WL{+D=0|S
z04rq}Cn#r|Qh`OLI1_QL5U}R{geifFF9P8T)vM{2=Wygi8p}p~9owhqk+?19n*#yM
zj*#{xPp0@cJDT3i?GOww`QWntOHm1f!c}va;b?tOb2%YIGP6RX6g6=_2i^T=N30Lx
zGGxIOD~)lgV;r;otK)h-PN}|RW44>Dd1k9!7S)jIwBza-V#1)(7ht|sjY}a19sO!T
z2VEW7nB0!zP=Sx17-6S$r=A)MZikCjlQHE)%_Ka|OY4+jgGOw=I3CM`3ui^=o0p7u
z?xujpg#dRVZCg|{%!^DvoR*~;QBH8ia6%4pOh<#t+e_u!8gjuk<TWg3Zfj1VT(rT(
z+;cFX>_Aic=|*H24Yq~Wup1dTRQs0nlZOy+30f16;f7EYh*^*i9hTZ`h`015%{i|4
z?$7qC3&kt#(jI#<76B<Zc8_jzF}-jz?c}RJj?}d~o|A$peyx&2tAof6rbF8`JJ<LA
zkx}wt?p2W^anecKr7&{Wp)yE)mY79tNY^xv{LL@QzaTPd04d4;6lK5S1YUv7FN_j~
ztrXYDtR<2@iHMgRaE>iz=bl=k<lj_Eu32rlOy9O^>=&qyaH><ZvCyu=u73u5Amj3Z
zlBLffeJyS(F;wLAij_z7LBu;aGHquG4Ecd?iDly_Tmu`)-}iF7q9@!(siy|rCL-T)
zMJ=;>foM#zA7}N`Ji~<RlOT@^-5)rOA8|yZid=(^iWhCiV9#ueyabSRKG4M!ILEeK
z@}E_xM=5xQ^8{3sm^736?!4juH{#woOSkhU{pHmMs7%U%L{L7L?9}ZSTh126kqS##
z7l>)-f-t&tR4^do)-5t?Hz_Q+X~S2bZx{t+MEjwy3kGfbv(ij^@;<DrdI3T`-v~_9
zcRbkI9fdmuaS>=?H_^FIIu*HP_7mpV)NS{MY-Rr7&rvWo@Wd~{Lt!8|66rq`GdGu%
z@<(<7bYcZKCt%_RmTpAjx=TNvdh+ZiLkMN+hT;=tC?%vQQGc7WrCPIYZwYTW`;x|N
zrlEz1yf95FiloUU^(onr3A3>+96;;6aL?($@!JwiQ2hO|^<dM|7%UlhRzx6gJV9|=
z=NpG%ffNZg)Ud#-8(4E`FwI`_0dIbwuD$x#G#SyFPIa|i#MJAmCx}gJ+(iX-<$2`F
zq$b)!gO0}32UorvmcjGcs0oMXeFUsIgX?OLA?6&a$PuFr{46GnR!g|y(}h#A`6l)i
zpT!HijVb^7e>i)b4pCJ7-y&a~B#J`#FO!3uBp{5GBvM2U@K85&o0q~6#LtppE&cVY
z3Bv{xQ-;i}LN-60B2*1suMd=Fi%Y|7@52axZ|b=Wiwk^5eg{9X4}(q%4D5N5_Gm)`
zg~VyFCwfkIKW(@@ZGAlTra6CO$RA_b*yz#){B82N7AYpQ9)s<e%0{=46^?9=ZEQ-l
zAQWxGXxNdHjc*vyWIT!33B;oq*FC${iQp|GUP9ZdljM~?wy^$O5X<tj{P6elLK%T5
zC#svA*D5wmh9fQFpm0}|k!**l^Nlj<UP85>LQfhOAOMUV7$0|d$=_y&jl>va$3u-H
z_+H*|UXBPLe%N2Uk<CC2<5os`NfNoGP!Ib0m9`%)&9#>wu1*)kt!$Y>(IH3`YbEt;
znb1uB*{UgwG{pQnh>h@vyCE!6B~!k}NxEai#iY{$!_w54s5!6jG9%pr=S~3Km^EEA
z)sCnnau+ZY)(}IK#(3jGGADw8V7#v~<&y5cF=5_Ypkrs3&<giP_=TY>7{}%(4KM7)
zuSHVqo~g#1kzNwXc39%hL8atpa1Wd#V^uL<!G-fTwDKo?kirzAqPxES@VyF*HS5iQ
z6u^SQDo@?kL(sZYU;lwg?P>=W^&E)fvGivt)B!M)?)Y#Ze&zU6O_I?1wj)*M;b*dE
zqlcwgX#eVuZj2GKgBu@QB(#LHMd`qk<08i$hG1@g1;zD*#(9PHjVWl*5!;ER{Q#A9
zyQ%fu<$U?dOW=&_#~{nrq{RRyD8upRi}c-m!n)DZw9P>WGs>o1vefI}ujt_`O@l#Z
z%xnOt4&e}LlM1-0*dd?|EvrAO-$fX8i{aTP^2wsmSDd!Xc9DxJB=x1}6|yM~QQPbl
z0xrJcQNtWHgt*MdGmt<!{59BQ@6R8^J{W0F$k->j%x6SWYd?uGnrx4{m{6A9bYx`m
z$*UAs@9?3s;@Jl19%$!3TxPlCkawEk12FADYJClt0N@O@Pxxhj+Kk(1jK~<na;r+|
zm{2yx7Tja~_uQ<c+6H|8mu<-YUr>laR0*KGAc7%C4nI^v2NShTc4#?!p{0@p<m@p~
zP+-C1vUzlE>0T#HSIRndH;#Ts0YECtlSR}~{Uck+keoJq6iH)(Zc~C!fBe2~4(Wd>
zR<rpD32Yz=|MVv!jF0SQWXAJmWFDV0ka3bIedmZ8+smZ53Ho~&j~&2Ke3DNyKLA+A
zbJ10q_<tT*Npv&sy}xR;{lmk%mN;2WFCXUz0F+vcRuJB#5+NyF41aEUQ~yy+_{tj7
zrTp6j;lWAkEZhiI7QwVMiDXtF6(d<{RD?!c&lT5iMqpaD7bA4G&{!+@%C<d+c70Wi
zU;*do=_MRGv5LZbeY<RwC*Ablvqx17uLc~M%ux><4I1zMeW$<0xww(@09!l?;oDiq
zk8qjS9Lxv$<5m#j(?4VLDgLz;8b$B%XO|9i7^1M;V{aGC#JT)c+L=BgCfO5k>CTlI
zOlf~DzcopV29Dajzt*OcYvaUH{UJPaD$;spv%>{y8goE+bDD$~HQbON>W*~JD`;`-
zZEcCP<ta~{4Akw!C0ePB!7KfHnqyMC?0a{DvplTx4je+~_=&7<z9BH2!>SdlCvANe
z=?|+e{6AW$f(H;BND>uy1MvQ`pri>SafK5bK!YAE>0URAW9RS8#LWUHBOc&BNQ9T+
zJpg~Eky!u!9WBk)!$Z?!^3M~o_VPERYnk1NmzVYaGH;1h+;st==-;jzF~2LTn+x*k
zvywHZg7~=<axHmC^DNM(rrxXXZ+6q8kDUy#Wo11Iv58)OcYVE^Pyh_LpKFMxqfz^m
zX-?%QT4qvLZS`UJtdA|zc7nI&w@Ai(hyYF^v>aiJe=OhS@U>1fYGvT1+jsAaiaM;)
zay2xsMKhO+FIeK?|K{G4SJOEt*eX?!>K8jpsZWW8c!X|JR#v(1+Ey5NM^TB1n|_40
z@Db2gH}PNT+3YEyqXP8U@)`E|Xat<{K5K;eK7O0yV72m|b!o43!e-!P>iW>7-9HN7
zmmc7)JX0^lPz<DsX{e!8YOmOSO*e%?uh^R5cfwUMA1cm{WQM4>F#>$#D~nU^3f!~Q
zQWly&oZEb1847&czU;dg?=dS>z3lJkADL1innNtE(f?~OxM`%A_PBp?Lj;zDDomf$
z;|P=FTmqX|!sHO6uIfCmh4Fbgw@`DOn#`qAPEsYUi<Sw*qR|D%uSTGytX2<>BvUlw
zevH{)YWQu>FPXU$%1!h*2rtk_J}qNkkq+StX8Wc*KgG$yH#p-kcD&)%>)Yctb^JDB
zJe>=!)5nc~?6hrE_3n^_BE<^;2{}&Z>Dr)bX>H{?kK{@R)`R5lnlO6yU&UmWy=d03
z*(jJIwU3l0HRW1PvReOb|MyZT^700rg8eFp#p<3Et%9msiCxR+jefK%x81+iN0=hG
z;<`^RUVU+S)Iv-*5y^MqD@=cp{_cP4`s=z)Ti3!Bf@zCmfpZTwf|>|0t^E8R^s`ad
z5~tA?0x7OM{*D;zb6bvPu|F5XpF11`U<t~+Cx_B1`Z?9!gYQ4&!ts?51b2>5;b*$p
zNAq7E6c=aUnq>}$JAYsO&=L^`M|DdSSp5O4LA{|tO5^8%Hf1lqqo)sj=!aLNKn9(3
zvKk($N`p`f&u+8e^Z-?uc2GZ_6-HDQs@l%+pWh!|S9+y3!jrr3V%cr{FNe&U6(tYs
zLto$0D+2}K_<BSVc4q*O)uySXMPx!L{%pO}$eiT(du2M$spXfHZRz<w6X+6bVU4k9
zN@%hHFXZKrp?pIw&xB@-kL0cNJ>9kuxgFSeQ!EOXjJtZ$Pyl_|$mPQ9#fES=Sw8L%
zO7Jij9cscU)@W+$jeG<B&7|0SBAwFCf%-Zn?fuTSb+p^e@h~60vII8TXxfM|e04Bt
zy@W0cVbw}gVt?ity0Gt&-}Z-&kd+(02DzwKxR8olSYId-ycIO>px&vWP9ZN3fLDTp
zaYM$gJD8ccf&g>n?a56<DwgIK`LkiBKZbuS+^?j{+S7aD;C88gpGwnU|F*rQZag*2
zUg`I<vSR(<ms`C@QZl9<7{O`3#mCATDto?_bb8(LkEVJ4q%*CfZ#+s#!(loq^>X=y
zec%n<x7o9&6f>LN`(dVCpSl9&pJLf2BN;cR5F0Nn{(<Ebul!}s7PIg_pO;G7Fpl=0
z@*Mn6d7fm%|BL90VthiyGnR}>LjGe7RjFe7efp3R_2JmHOY#nWEc2TMhMSj5tBf-L
zlxP3<v`xK)VzhGRzi_HGgaSOoYS>sV`!?@!mRnDTac{35I7<izXnk?f{kA#xa2S3!
z{k7hS;q0Sh7b`M#(tpCk400Lc;D6?CQ^v8;AHXR5eyBE`_v<xTtKe)Mwp#-j^DsjS
zsLKM$h-e&5i>h@WTfRjRiFw*Q*aD8)n)jdkJC@)jD-&mzAdK6Kqdct8P}~dqixq;n
zjnX!pb^;5*Rr?5ycT7>AB9)RED^x+DV<PtA2YVOErZzn~r7$zWHe1`39HIxp#q<lB
zGJt15`R_`Vb@|g>DmIbHKjcDv2lHK;apZOc=O@`4nJ;k|iikKk66v4{zN#lmSn$lh
z_-Y3FC)iV$rFJH!#mNqWHF-DtSNbI)84+VLDWg$ph_tkKn_6+M1RZ!)EKaRhY={el
zG-i@H!fvpH&4~$5Q+zHU(Ub=;Lzcrc3;4Cqqbr$O`c5M#UMtslK<bCBM6b4qP%uu2
zXpMuX2`WDC1lqF`Y$CO^C&>$3r+Cuz>xKl+xW?`t2o=q`1djXC=Q6`3C${*>dm~I{
z(aQH&Qd{{X+&+-4{epSL;q%n$)NOQ7kM}ea9bA++*F+t$2$%F!U!U}(&y7Sd0jQMV
zkOhuJ$+g7^kb<`jqFiq(y1-~JjP13J&uB=hfjH5yAArMZx?VzW1~>tln~d5p<T#Fl
zEVb(Bo{e)Z!MoQ~F^-3jEd3&CO04c*(y4e(v&DYgDaSv=<a!2FuuuIn;dZ$$Ay{KO
z7sdqF?l_u#_)CM+2NYmxY}Ccl0Y%psg1B}Z_hNri;B-leZ>t$uWR~TM!lIg+D)prR
zocU0N2}_WTYpU`@Bsi1z{$le`dO{-pHFQr{M}%iEkX@0fv!AGCTcB90@e|slf#unz
z*w4Cf>(^XI64l|MmWih1g!kwMJiifdt4C<5BHtaS%Ra>~3IFwjdu;_v*7BL|fPu+c
zNp6<j(&v4l8ppxnoKOCUI~><clB|zIt>87`{}e@|%)5g4U*i=0zlSWXzz=YcZ*&Bg
zr$r(SH0V5a%oHh*t&0y%R8&jDI=6VTWS_kJ!^WN!ET@XfEHYG-T1jJsDd`yEgh!^*
z+!P62=v`R2=TBVjt=h}|JIg7N^RevZuyxyS+jsk>=iLA52Ak+7L?2$ZDUaWdi1PgB
z_;*Uae_n&7o27ewV*y(wwK~8~tU<#Np6UUIx}zW6fR&dKiPq|$A{BwG_-wVfkm+EP
zxHU@m`im3cD#fH63>_X`Il-HjZN_hqOVMG;(#7RmI13D-s_>41l|vDH1BglPsNJ+p
zTniY{Hwoief+h%C^|@Syep#722=wmcTR7awIzimAcye?@F~f|n<$%<glynGe@l_#9
z30nmky{?<JKz{){SsGIs*^?U{?(p8<zkVtCHiV|D1BtlXY&|PWhdBFPEJ=ac!<CGF
zDzeno1U+s@ohY`k^InNs;j?P(V=hKzj^=A>=rM+Jkz9<kZJd?(pl-XwbK9uEX7+62
zMb6tu%v|dH9xCO5RX}L!n!qj65W$a-v}tm=>m>PF70$)AK@|h_^(zn?!;={;9Zo7{
zBI7O?6!J2Ixxk;XzS~ScO9{K1U9swGvR_d+SkromF040|Slk%$)M;9O_8h0@WPe4=
z%iWM^ust8w$(NhO)7*8uq+9CycO$3m-l}O70sBi<4=j0CeE_&3iRUWJkDM$FIfrkR
zHG2|hVh3?Nt$fdI$W?<|Qq@#hjDijk@7eUr1&JHYI>(_Q4^3$+Zz&R)Z`WqhBIvjo
zX#EbA8P0Qla-yACvt)%oAVHa#kZi3Y8|(IOp_Z6J-t{)98*OXQ#8^>vTENsV@(M}^
z(>8BXw`{+)BfyZB!&85hT0!$>7$uLgp9hP9M7v=5@H`atsri1^{1VDxDqizj46-2^
z?&eA9udH#BD|QY2B7Zr$l;NJ-$L!u8G{MZoX)~bua5J=0p_JnM`$(D4S!uF}4smWq
zVo%<tG@hoMj@<)H-JgP<Q7M9}m_vBCyCqYX-AdJU@&LEsL`m0haD)<x4J(=(3c|s#
zbn&v-l*)`eo?|iFuk96r?UB%1QXu?v?Njkszif{O!?^mu1lpr2r-OQV&9H@hntG(^
zj|_uj(Vzk+(<<LE1b+=&nd@qy$tcs41*1E26ryDYO9tiLn1xdy13ji(ME+C8#&uuz
zBIDnqWI!p+pkz{ewa6|8Ly~HAiW$WIf_|tUyK#R2a7JuZi2J)_S$l>kQ~C~X?cWCH
zo4s#FqJ)k|D{c_ok+sZ8`m2#-Uk8*o)io`B+WTD0PDA!G`DjtibftJXhPVjLZj~g&
z=MM9nF$7}xvILx}BhM;J-Xnz0=^m1N2`Mhn6@ct+-!ijIcgi6FZ*oIPH(tGYJ2EQ0
z{;cjcc>_GkAlWEZ2zZLA_oa-(vYBp7XLPbHCBcGH$K9AK6nx}}ya%QB2=r$A;11*~
z_wfru1SkIQ0&QUqd)%eAY^FL!G;t@7-prQ|drDn#yDf%Uz8&kGtrPxKv?*TqkC(}g
zUx10<;3Vhn<P(upRheT&3q1!X(bJNsLya$_=t*6hp5+8ZJ+|fGwhh!2S54M5{Z^Ik
zEWCn6ECjbZ;0S?VE83KP;dH@N8NAfvRqx3ALd>x{<Qf_SE}JUOjTetQ0k>gpWXM8H
zKc0kkM~gIAts$E!X-?3DWG&^knj4h(q5(L;V81VWyC@_71oIpXfsb0S(^Js#N_0E}
zJ%|XX&EeVPyu<mLTv8P+%0HPi%$><S@&-Ug3j3&ZjEz64uu4u7(cVJluR3`Mvu>}?
zz~(%slTw+tcY<LfEsDqkG5n$OFpv4hT>3ZMG$+diC8zed=CTN}1fB`RXD_v2;{evY
z@MCG$l9Az+F()8*SqFyrg3jrN7k^x3?;A?L&>y{ZUi$T8!F7Dv8s}}4r9+Wo0h^m=
zAob@CnJ;IR-{|<mV&-EKHX@5=1&om;I{UO+M+*6S+1rH~%#vNH`@gg_)uUaJdy=-_
zt(r+-w@a`jChNk+<Fm9pQ;UiGUjV$D;bb|zan@bWL;-y+;<a~?cC;!wr2>_D;_w)?
zcH@~&V^(}Ag}%A90);X2AhDj(-YB>$>GrW1F4C*1S5`u@N{T|;pYX1;E?gtBbPvS*
zlv3r#rw2KCmLqX0kGT8&%#A6Sc(S>apOHtfn+UdYiN4qPawcL{Sb$>&I)Ie>Xs~ej
z7)a=-92!sv-A{-7sqiG-ysG0k&beq6^<kX#blPuBTLk4nUZLa0Rw?p{JzAbo@#y^A
zDH9Et(b$xVU^HU5S36gthHjgsck-_;Jyj@#E`~oe>nX1L!Fs$JU#fsV*CbsZqBQ|y
z{)}zvtEwO%(&mIG|L?qs2Ou1rqTZHV@H+sm8Nth(+#dp0DW4VXG;;tCh`{BpY)THY
z_10NNWpJuzCG%Q@#Aj>!v7Eq8eI6_JK3g2CsB2jz)2^bWiM{&U8clnV7<2?Qx5*k_
zl9B$P@LV7Sani>Xum{^yJ6uYxM4UHnw4zbPdM|PeppudXe<Dfw0>}+<H|lAF(>OcX
z!nr!xaUA|xYtA~jE|436iL&L={H3e}H`M1;2|pLG)Z~~Ug9X%_#D!DW>w}Es!D{=4
zxRPBf5UWm2{}D>Em;v43miQ~2{>%>O*`wA{7j;yh;*DV=C-bs;3p{AD;>VPcn>E;V
zLgtw|Y{|Beo+_ABz`lofH+cdf33LjIf!RdcW~wWgmsE%2yCQGbst4TS_t%6nS8a+m
zFEr<|9TQzQC@<(yNN9GR4S$H-SA?xiLIK2O2>*w-?cdzNPsG4D3&%$QOK{w)@Dk}W
z|3_Z>U`XBu7j6Vc=es(tz}c7k4al1$cqDW4a~|xgE9zPX(C`IsN(QwNomzsBOHqjd
zi{<R{)|=YTo!0p@cbjBET4CHtzjF)FzZS}wo@ivqa)?dg1(I9m+LTuz^9@^HgJ7x6
zruk6yLp~0QlAd9mMnv(61_Zgfu%Fglg5Jq?%opsVV1y)NRQk$pq7n0k+_>D|jYSv5
zC>6#uB~%#!!*?zXW`!yHWjbjwm!#eo3hm;>nJ!<`ZkJamE6i>>WqkoTpbm(~b%G_v
z`t3Z#ERips;EoA_0c?r@WjEP|ulD+hue5r8946Sd0kuBD$A!=dxigTZn)u3>U;Y8l
zX9j(R*(;;i&HrB&M|Xnitzf@><3#)aKy=bFCf5Hz@_);{nlL?J!U>%fL$Fk~Ocs3&
zB@-Ek%W>h9#$QIYg07&lS_CG3d~LrygXclO!Ws<oAB91#zpSK#Pi1&6uk?}<Ww;*D
zKHhb!yUGj8>-|PxMsn@n{?77wCaq?uj`dd7lllDCGd?ed&%5k{RqUhiN1u&?uz@Fq
zNkv_4xmF<uz?T3Rp6xNF5T%O}(Z;=T72xBIUa=nmY%9x|r@N@*M&qcZo<xtHF_?Oa
zF1a!vjr>cl?vs>;emR1R<$tg;*Ay<V#f!wRQz%qNBZlVHFu*nL9%5U{m0>p@rl=ik
z=x2<DREGik9u=4@Y%Eekt_pE0+QU2oAJ}tFU)uZDF1G-h(D*jZy9JCh@`s8N*i>Hk
zJqsM%++e|*+#camAiem6f;3-khtIgjYmNL0x|Mz|y{r{6<@_&a7^1XDyE>v*uo!qF
zBq^I8PiF#w<-lFvFx9xKoi&0j)4LX~rWsK$%3hr@ebDv^($$T^4m4h#Q-(u*Mbt6F
zE%y0Fvozv=WAaTj6EWZ)cX{|9=AZDvPQuq>2fUkU(!j1GmdgeYLX`B0BbGK(331ME
zu3yZ3jQ@2)WW5!C#~y}=q5Av=_;+hNi!%gmY;}~~e!S&&^{4eJuNQ2kud%Olf8TRI
zW-Dze987<Ep(e1WRKI|@Jy&6ah2?#Q>Il<^!hCO{AR5tLW{F1WLuZ>nhPjke@CSnN
zzoW{m!+PSCb7byUf-1b;`{0GU^zg7b9c!7ueJF`>L;|akVzb&IzoLNNEfxp7b7xMN
zKs9QG6v@t7X)yYN9}3d4>*ROMiK-Ig8(Do$3U<Qx6_~&x4muKM7GIi?xqFM9bm$N9
z#ze4ENG#9H&h^cus4XL3-?GKO9{iJ@&Va8SUG@C6*P0WGjNj5=YpI9rfms4rql;R`
zaDToC?<qV4voyYA2A<Z)IzS$)GMPeQLqyW*S0S%v0iytIX9PpAFOUXkH2lc|+N4iO
z1h5RtQ+&FD@|rHV+H&b20qiLt>I&E}z!vcH2t(VIk-cLyC-Y%`)~>Ce23A=dQsc<(
ziy;8MmHki+5-(CR8$=lRt{(9B9W59Pz|z0^;`C!q<^PyE$KXt!KibFH*xcB9V%xTD
zn;YlZ*tTukwr$(mWMka@|8CW-J8!zCXI{<pR8OBi-_H?FfA)@2XB?(9yoWQ__Z_lr
zeuIIdY}4-^pM-ftYI`S08*}cGCw>P1-&=<B^P5d1)YJk^PW05ogC|Bdkjfg9uR{xP
zHcZUdWCT8bPfNC#O%hKtj9d2Hc0YH&znsX_@_kUDRL2|3x^Fv*tcGwbJzmTYiqoj0
zRfIn+FRhAB9~tuITO69xq_LVntt^TU%&|bRLqEzgavO>wSvZf&%9SZ7m`1&2^nV#D
z6T*)`Mz3wGUC69Fg0Xk!hwY}ykk!TE%mr57TLX*U4ygwvM^!#G`HYKLIN>gT;?mo%
zAxGgzSnm{}vRG}K)8n(XjG#d+I<su=uH~+nz!ctFY7^qIE<|rut@=Lcgc2xFld(*9
zs|yrxP&}#v4{LU8qAk^lu@bX}_!mF={O^YR+|?QD%b%o6xX>yAFnozhk|uwiey(p@
zu>j#n4C|Mhtd=0G?Qn5OGh{{^MWR)V*geNY8d)py)@5a85G&_&OSCx4ASW8g&AEXa
zC}^ET`eORgG*$$Q1L=9_8MCUO4Mr^1IA{^nsB$>#Bi(vN$l8+p(U^0dvN_{Cu-UUm
zQyJc!8>RWp;C3*2dGp49QVW`CRR@no(t+D|@nl138lu@%c1VCy3|v4VoKZ4AwnnjF
z__8f$usTzF)TQ$sQ^|#(M}-#0^3Ag%A0%5vA=KK$37I`RY({kF-z$(P50pf3_<kT*
zu`s$>20YTr%G@w+bxE_V+Tt^YHgrlu$#wjp7igF!=o8e2rqCs|>XM9+M7~TqI&fcx
z=pcX6_MQQ{TIR6a<EerAAlkb)G^0$baC*tO(ycXzU0DmM83ruVs#2~=MFE#!!@jm(
zza|i2_2T@P<~j(R6~06cLW14iRP_SHz{-R%KQd3+A}<-iYz8nW#YK8kur2(c!C1}9
zL6X9`9Wc(<GPrs01Jd(MdV}iM6OieZ64HwmB~*qo(TfICd;&yxM3NTWUkRMO8yxq#
zG_bBGM>0*~xdgFvs<2!yaA1F*4IZgI!)xnzJCwsG&EElg_IpFbrT}nr)UQy}GiK;(
zDlG$cksync34R3J^FqJ=={_y9x_pcd%$B*u&vr7^ItxqWFIAkJgaAQiA)pioK1JQ|
zYB_6IUKc$UM*~f9{Xzw*tY$pUglV*?BDQuhsca*Fx!sm`9y`V&?lVTH%%1eJ74#D_
z7W+@8@7LAu{aq)sPys{MM~;`k>T%-wPA)E2QH7(Z4XEUrQ5YstG`Uf@w{n_Oc!wem
z7=8z;k$N{T74B*zVyJI~4d60M09FYG`33;Wxh=^Ixhs69U_SG_deO~_OUO1s9K-8p
z5{HmcXAaKqHrQ@(t?d@;63;Pnj2Kk<;Hx=kr>*Ko`F*l){%GVDj5nkohSU)B&5Vrc
zo0u%|b%|VITSB)BXTRPQC=Bv=qplloSI#iKV#~z#t#q*jcS`3s&w-z^m--CYDI7n2
z%{LHFZ*(1u4DvhES|Dc*n%JL8%8?h7boNf|qxl8D)np@5t~VORwQn)TuSI07b-T=_
zo8qh+0yf|-6=x;Ra$w&WeVZhUO%3v6Ni*}i&sby3s_(?l5Er{K9%0_dE<`7^>8mLr
zZ|~<y&-g)~txDcjmw~CDXEPUCj(!3kY~@IQaXl0)+%b5&Y?+~Wa*LtayngeKl0gR2
zWSheF+&IbkBG<*mqT`}~I@WLlB@30ju(e^JkaW9W6|<#tM`e^}3);+iAItViV&wB#
zO`W^b1H3h$Hzv(58Ribb-Xh1k%qv7UK2J5l^fgp7_sBjE)_|1fO^WL(vNm6CKEXLc
z?6h^X9|hD1FbuF+;0(pOKIu8jXEKi%ig3C)<$yC6mqD839;oCI6{f?r8h#I)q}7{z
zhdCEvja~GfE&fFAUVvbZM51*`2CP+9d3)CBN9C4Zs6P6Z9~R`mfjXnj{hP08?Qt1g
zLDpcl_8|@m5Xgk|IY;j#AY4Ij2!R9>l#Bi@5}8{<Vy?pt0J|y0{gh3bi6~2-C_tIM
zVh!Pagqv5~mhUyyW>iZ$(d9)!`}@2~#sA~?uH|EbrJQcTw|ssG)MSJJIF96-_gf&*
zy~I&$m6e0nnL<IlXZRPqNxp=jHeJQ42(Z{Y*!;`f3W#rwCyTB1h*-OJ@@e3h&}SQu
zU-t(Z{uSv>z^M2;G|IeUk?s+afSZ){10*P~9W%RtYeSg{Nv5FG<2QaWpj?d`;}<4(
z>V1i|wNTpH`jJtvTD0C3CTws410U9HS_%Ti2HaB~%^h6{+$@5`K9}T=eQL;dMZ?=Y
zX^z?B3ZU_!E^OW%Z*-+t&B-(kLmDw<gr*TZvRf2rfa=KH9`=-+9W9)d*GPjw!lWmR
zNmE-kllByCsai0Tahs#03W>ikb9+F9bj;NFq-XHRB=+L)Rew{w|7p~7ph{#fRT}}K
zWA)F7;kJBCk^aFILnk<BF~6}Ua_B}80{ftECm@?iNgT`lB?3~df1uI+ft9Cw7i;yt
z3<ShU2pmPSJS)Vf*8uEGi-}U9VKstmq^<fVRnV6yeSGxb@aM0~`8;RI!)TH{dMd$T
zS<*v=bgkcnOdnp>V^EMs=B~#qh*RG2&@F|x2$?7QTX_T6qL?i$c6J*-cNQC~E6dro
zR)CGIoz;~V?=>;(NF4dihkz~Koqu}VNPE9^R{L@e6WkL{fK84H?C*uvKkO(!H-&y(
zq|@B~juu*x#J_i3gBrS0*5U*%NDg+Ur9euL*5QaF^?-pxxieMM6k_xAP;S}sfKmIa
zj(T6o{4RfARHz25YWzv=QaJ4P!O$LHE(L~6fB89$`6+olZR!#%y?_v+Cf+g)5#!ZM
zkabT-y%v|ihYuV}Y%-B%pxL264?K%CXlbd_s<<TimgGAnDShiYe)n)%+e)ctIIBiN
zCdyp?(mnu<>GY5BG*`kYQjao$QHiC_qPk5uE~AO+F=eOtTWJ1vm*cU(D5kvs3kity
z$IYG{$L<8|&I>|WwpCWo5K3!On`)9PIx(u<N-i&JsU?~{x!<le*<Cho@L`rVa4ToR
zlqrqoBV>WAq>bSQTvSW`NqgprBIuV^V>C~?+d(w$ZXb39Vs`R=BX;4HISfN^qW!{4
z^amy@Nqw6oqqobiNlxzxU*z2>2Q;9$Cr{K;*&l!;Y??vi^)G|tefJG9utf|~4x<cZ
zX0P0O4txu3=E3GE&U2m@J>h=r3UjmRlADyLC*i`r+m;$7?7*bL!oR4=yU<8<-3XVA
z%sAb<meJ2Y3ySbt6O+x7lG@C4_*@!j6u>`xe&4RV(2vj+1*ktLs<&m~mGJ@RuJ)1c
zLxZyjg~*PfOeAm8R>7e&#FXBsfU<eMU79O%BS@_5qwkw4T7wgygMtxSp&l=ZdEk5B
zBg%Q(1EGMM#TWgrrn6WAtlk?eIn)E68`DMBOB~f=Xt5D?9G8fOPMg)3mJ~jk+$=Dw
zZPEKM1TNUI%fmqSr@^O<v~HmJAfIt9A1nh$j2K$G>_?azU=uxBm=E6z7FSr7J>{XY
z1qUT>dh`X(zHRML_H-7He^P_?148AkDqrb>;~1M-k+xHVy>;D7p!z=XBgxMGQX2{*
z-xMCOwS33&K^~3%#k`eIjKWvNe1f3y#}U4;J+#-{;=Xne^6+eH@eGJK#i|`~dgV5S
zdn%`RHBsC!=9Q=&=wNbV#pDv6rgl?k1wM03*mN`dQBT4K%uRoyoH{e=ZL5E*`~X|T
zbKG9aWI}7NGTQtjc3BYDTY3LbkgBNSHG$5xVx8gc@dEuJqT~QPBD=Scf53#kZzZ6W
zM^$vkvMx+-0$6R^{{hZ2qLju~e85Em>1nDcRN3-Mm7x;87W#@RSIW9G>TT6Q{4e~b
z8DN%n83FvXWdpr|I_8TaMv~MCqq0TA{AXYO-(~l=ug42gpMUvOjG_pWSEdDJ2Bxqz
z!em;9=7y3HW*XUtK+M^)fycd8A6Q@B<4biGAR)r%gQf>lWI%WmMbij;un)qhk$bff
zQxb{&L;`-1uv<!Unl~Y>aCE7Fm*83^0;!QA5-zeSvKY}WjbwE68)jqnOmj^CTBHaD
zvK6}Mc$a39b~Y(AoS|$%ePoHgMjIIux?;*;=Y|3zyfo)^fM=1GBbn7NCuKSxp1J|z
zC>n4!X_w*R8es1ofcPrD>%e=E*@^)7gc?+JC@mJAYsXP;10~gZv0!Egi~){3mjVzs
z^PrgddFewu>Ax_G&tj-!L=TuRl0FAh#X0gtQE#~}(dSyP<a8`o1qYX&B$5>O=@7yd
zNC6l<clAx3O3@a<LB2`9Fw(6kTH2y{(PQ8Xy4XFR0|)dgRB7oTri5>_?zs_u5&x8O
zQ|_JvKf!WHf43F0R%NQwGQi-Dy7~<x)tZ#=V~Be^Zc!Y~@6@<%snVBkQxwTo5x0`E
z#gimVo$wNZs({agM0#vX$3ivZBc#i$E%mb~I-^M+w!gE01e0%}n1qOi9A3Z<ZJe37
z2Z*yG2W+iY2P#c};mhfLc~rFVw)4Je)QnZxDw5wvLup|wd%@P4J*tGP9yF1%Nll-@
zlO1hF2n*2K@2Zu{`CQPt46~lch;D>PGZ@KRKMp?kxlaLAV=X{UkKgaTu2!qzPi8aJ
z-;n$}unR?%uzCkMHwb56T%IUV)h>qS(X<EpfLtJYhILPy8sW%(9OlK128bkhQ-#BL
zVMG_gO7R`(7jS=<1ehw;*`&(cjBT66@$i~b&l@n0xao!&{}w0SC+)|=y8jd%Zy2H@
zWBEqpyS|mllmaeA;dIAUTbBDCP@K?Ji9y)BM*@uV70w6-+JLqNGt$tJxi$dY?2_XL
zx@z%Vb(YkK^=I>i<zZShICE5HaaJv#-(t%csf^j}rnT`qq#k+2M`Xh^Wr?@u%)lO|
z4ZQQR$;A{D>uRLh3fdlr!Cri|{fZf0x9GVYUOlsKgxLA7vHrkpQddcSsg4JfibzpB
zwR!vYiL)7%u8JG7^x@^px(t-c_Xt|9Dm)C@_zGeW_3nMLZBA*9*!fLTV$Uf1a0rDt
zJI@Z6pdB9J(a|&T_&AocM2WLNB;fpLnlOFtC9yE6cb39?*1@wy8UgruTtX?@=<6YW
zF%82|(F7ANWQ`#HPyPqG6~ggFlhJW#R>%p@fzrpL^K)Kbwj(@#7s97r`)iJ{&-ToR
z$7(mQI@~;lwY+8dSKP~0G|#sjL2lS0LQP3Oe=>#NZ|JKKYd6s6qwe#<Anf0<kXN`R
z5lnAdra^vwG(T7cLsTWNRURHI4_OuFP<tc0rV%hLL$|;t?1Z|9Pw@&<N%-9r64fj<
zNinfK&F{Ul6`)k;VjEVt#9IR&P-@C1jy<1Xo=!Z!f||>_6Xz_^L4PJ5TM_|#&~zy=
zabr|kkr3Osj;bPz`B0s;c&kzzQ2C8|tC9tz;es~zr{hom8bT?t$c|t;M0t2F{xI;G
z`0`ADc_nJSdT`#PYCWu4R0Rmbk#PARx(NBfdU>8wxzE(`jA}atMEsaG6zy8^^nCu|
z9_tLj90r-&Xc~+p%1vyt>=q_hQsDYB&-hPj(-OGxFpesWm;A(Lh>UWy4SH9&+mB(A
z2jkTQ2C&o(Q4wC_>|c()M8_kF?qKhNB+PW6__;U+?ZUoDp2GNr<|*j(CC*#v0{L2E
zgVBw6|3c(~V4N*WgJsO(I3o>8)EO5;p7Xg8yU&%rZ3QSRB6Ig6MK7Wn5r+xo2V}fM
z0QpfDB9^xJEi}W*Fv6>=p4%@eP`K5k%kCE0<R2h_PEom0LB7a~l&d1S3a77Hw2%_q
zqH(%vVfZpV_?Y3fF(xKF3+bm0z%8-Lz=1SYxL60R*CBzCSqTVx-`Lb%(u0^@jiL81
z>YF2E<Ezn!7fLCH??-dr?nIFY1<!~lO!ZTqU0)76!oysNs=YTeKF$}l9H5Qod@f10
z!aQmamt|K#Z}Q{gbm7MaqZN;@^eN-4gx^Jw(=2bDOWHR7F{^JWJp+>u5L!D<x34Y+
zc>M1ZY7wh`kgh<M{Gp`d0HdTLKw%XhgHm3=&oCYCnpM*NH+F)MqI##k#3U_iO9`0q
z6eX1$A7~_~dR%;g_==*9=d|P=D;@b~;Q(b^fCex+4qDqp!@y?PN`m^!qd2mod%?QO
zAOHiBwz31qA@k|Dc#@wM_-GEebzK6rovctQS1Yr{ec1A>C^NwxrL}90dRXjQx=H>8
zOWP@<+C!tcw8EL8aCt9{|4aT+x|70i6m*LP<O&^G|2#sCbRkD2k+TMRR0ESMhh$uB
z*bNRR4O)Jlw+XIMt<^OQbKV(NlJC#wAE{$4sZ@z$2JKmkBdnoCpxU|i*#t_vdIxUR
zsrIVZW&8NDF`tgEjviFbbxqyht^v0`uctQnOV7YdieqP92j^|`{@wi!72f2@Wc-yz
zk##%1&ZM-zR~q){3am^@AFF~q)g$JlQcan7O}VDbb9Y1IVj`B__M(Fi^sL;^apGmg
zk5Yf;d|4xJO4lFRfEgmQ^SUc#36*8iZ>*lhp;kGr5f#OwRy`(60LK@rd=to5yk^%N
z6MTSk)7)#!cGDV@pbQ>$N8i2rAD$f{8T{QM+|gaj^sBt%24UJGF4ufrG1_Ag$Rn?c
z<kbZlPrl`GIaLM&F`-vvwlO8^B!`m7qu6<C&$N}X=f&Yaws1}AUo3hgy~3AAtCrm^
z)OL<F1<^A^!C5+1i7c|I+_lBiGw^yRyuztGyCOPS&q|4v2^o4e<-=~2%^f=ub~UF~
zl?&3FNjg@Ye=w{y^o#H(Cg(6t+|Fc3M*pv?vGSIi=o=jbB%1oaQk7aeJ|N#l&E`UP
zgMDC)-A1>zICg9`ICT>9N_2vqvVG#_lf9IEd%G5gJ_!j)1X#d^KUJBkE9?|K03AEe
zo>5Rql|WuUU=LhLRkd&0rH4#!!>sMg@4Wr=z2|}dpOa`4c;_DqN{3Pj`AgSnc;h%#
z{ny1lK%7?@rwZO(ZACq#8mL)|vy8tO0d1^4l;^e?hU+zuH%-8Y^5YqM9}sRzr-XC0
zPzY1l($LC-yyy*1@eoEANoTLQAZ2lVto2r7$|?;PPQX`}rbxPDH-a$8ez@J#v0R5n
z7P*qT3aHj02*cK)WzZmoXkw?e3XNu&DkElGZ0Nk~wBti%yLh+l2DYx&U1lD_NW_Yt
zGN>yOF?u%ksMW?^+~2&p@NoPzk`T)8qifG_owD>@iwI3@u^Y;Mqaa!2DGUKi{?U3d
z|Efe=CBc!_ZDoa~LzZr}%;J|I$dntN24m4|1(#&Tw0R}lP`a`?uT;>szf^0mDJx3u
z6IJvpeOpS$OV!Xw21p>Xu~<j_Of`?i&1Y`>MZ(Nas5Iim-#QSLIYSNhYgx1V!AR>b
zf5b7<W!s$(gS4VH1kyzJoZ^(hV%J?suaCZLpXgV{{xF&BNv#&x4NVE{ARYqj2iU(+
z_h&b$A{cOJBDvz}60OK+U?|+WUp3DacWx;+gK7@=d%%fT3p4_)fGEK?Uq5l2sg}-|
z4>O`ITTvW5z%X8|7>&BeEs8~J1i47l;`7Y#MUMReQ4z!IL1rh8UauKNPG?7rV_;#Y
zG*6Vrt^SsTMOpV7mkui}l_S8UNOBcYi+DzcMF>YKrs3*(q5fwVCr;_zO?gpGx*@%O
zl`KOwYMSUs4e&}<bH2!=YCfBQLA|t^M=$T-j5>eM#FhB3<C>(RIDJ9ZRn6NN{2Nf+
z2jcz%-u6IPq{n7N3wLH{9c+}4G(NyZa`UmDr5c-SPgj0Sy$VN#Vxxr;kF>-P;5k!w
zuAdrP(H+v{Dybn78xM6^*Ym@UGxx?L)m}WY#R>6M2zXnPL_M9#h($ECz^+(4HmKN7
zA>E;`AEqouHJd7pegrq4zkk>kHh`TEb`^(_ea;v{?MW3Sr^FXegkqAQPM-h^)$#Jn
z?bKbnXR@k~%*?q`TPL=sD8C+n^I#08(}d$H(@Y;3*{~nv4RLZLw`v=1M0-%j>CtT(
zTp#U03GAv{RFAtj4vln4#E4eLO<W2JC=!fExpZr3MTUIkw8`fkw=p#&Y_VE{op>vt
zs;=`m&{S@AJbcl1q^39VOtmN^Zm(*x(`(SUgF(=6#&^7oA8T_ojX>V5sJx@*cV|29
z)6_%P6}e}`58Sd;LY2cWv~w}fer&_c1&mlY0`YNNk9q=TRg@Khc5E$N`aYng=!afD
z@ewAv^jl$`U5;q4OxFM4ab%X_Jv>V!98w$8ZN*`D-)0S7Y^6xW$pQ%g3_lEmW9Ef^
zGmFsQw`E!ATjDvy@%mdcqrD-uiKB}!)ZRwpZRmyu+x|RUXS+oQ*_jIZKAD~U=3B|t
zz>9QQr91qJi<sty>hg9j9rWHww{v@+SYBzCfc0kI=4Gr{ZLcC~mft^EkJ`CMl?8fZ
z3G4ix71=2dQ`5QuTOYA0(}f`@`@U<#K?1TI(XO9c*()q!Hf}JUCaUmg#y?ffT9w1g
zc)e=JcF-9J`hK{0##K#A>m^@ZFx!$g09WSBdc8O^IdP&JE@O{i0&G!Ztvt{L4q%x&
zGE2s<zC{NKu8NO}E6}a-)2AXw*VFhsg!|B9v|+S86E+_Sc*Ud^OvwvTfLqQVdOn|@
zN!5IQG|)+M0>!RVi6ZN9)E*(c33HuMf7#X2*VPVThdmrVz-Fyqxcs<k=FMvlffDQ+
z1}^dfltdS*U4kR=<1n-YWaPlaYLEnHy;!@y#i4z>&aI4DvP#bfW={h$9>K0HsBTUf
z2&!G;(<vtQI;LqNW~Xf?xS*27tM?(|+lSBVJBc-TS<Yl{0MOO9mU;e!Mu{ZgP;SH>
z^oOVIYJv~OM=-i`6=r4Z1*hC8Fcf3rI9?;a_rL*nr@zxwKNlxf(-#Kgn@C~4?BdKk
zYvL?QcQeDwwR5_S(`sn&{PL6FYxwb-qSh_rUUo{Yi-GZz5rZotG<e?XQbfL-zzd~}
zQxfAiC<F?(dz{hU)N3muv#7R9aey2eb^k=U<DLpU?#}Y1Ht%&uL~r*Ou+8=~BLl@R
zL8Gi7Ou^b!B4$lJC{-^na|TDZ&C1LADI(lBfr27zJn42_W)bgJ&fLrWWF}nM8obDJ
z22n19%fxa9ike9*iDkC@D6gVRVu4+5RW$uB+DfHJQ`Q|1lS>4R<+!PfsGg`MVtomw
z<EW-Dg15ZwzU<kY&O~_@$Z&${pfnDa5<AY;L26n@f~n{^)0Mp-b7*n=NORAvuWEI`
zSs#}HG0nlMM(&MYTb55ET-gk^92zM(;P^4ZPMYQVg86o?Jv;@`3yG$ydNvTjjVTj_
zU$}ghm{_Gr77AUTR<b;}uu5?lgTo@fi^=YFOhuYvZH&XwqO}eSG!^}5uO8bK+maL}
zB~Ra#jpO(8s!B%@a074GD2+JQ!dWnCQc}1b#KY-lIwrF)5u4ds^|7CU;+r=oEU}z<
z8x1?k;)*8O61_FYU2Z39r7+13>5kzOZJrh(#rMR_87KeP0Q=#^5~r_?y1*kN?3Fq%
zvnzHw$r!w|Soxz8Nbx2d&{!#w$^Hua%fx!xUbc2SI-<{h>e2I;$rJL)4)hnT5cx^*
zIq#+<g_FC1I$r=}e#(WAtb)=04{PCNe37!`vjX&#WcGz#ba}ji2qD!XM{NOIYh}v|
z3H*84VgoU%V3v@1RBj98(_roA0>{3;Leun3Xo=C(XVjt_z)F#PIoAw%SqJ=~DMQeB
zNWQ={d|1qtlDS3xFik}#j*8%DG0<^6fW~|NGL#P_weHnJ(cYEdJtI9#1-Pa8M}(r{
zwnPJB_qB?IqZw5h!hRwW2WIEb?&F<52Ruxpr77O2K>=t*3&Z@=5(c^Uy&JSph}{Q^
z0Tl|}gt=&vK;Rb9Tx{{jUvhtmF>;~k$8T7kp;EV`C!~FKW|r$n^d6=thh`)^uYgBd
zydgnY9&mm$?B@pKK+_QreOm?wnl5l}-wA$RZCZukfC$slx<D0d<J+Cw;}=Cm{CH*G
z3I#Y*VHC++-6WTU13^Tb{+v0A5|5;&p98U>bqv9uKq0o^QeSID96{Rm^084kZ)*`P
zk))V~+<4-_7d6<~)PL%!+%JP`Dn23vUpH47h~xnA=B_a}rLy|7U-f0W+fH`{wnyh2
zD$JYdXuygeP5&OAqpl2)BZ|X){~G;E|7{liYf%AZFmXXyA@32qLA)tuuQz`n^iH1Y
z=)pAzxK$jw0Xq?7`M`=<A}Zu*B(WK%s9cbyOinKSRv#SgfRAEEObC$uiHc$R8I~sX
zE@F(?ZZE*)#ZciBY-TL42=MqJO{IDCL~VDpQIM1-;m<S2{d@ee(h&3E+{D^YQ?(RA
zsaHCU#>kN2<PEl==iW6b{LM*AQAaNkRc7NDXcmslS<B{l8>WeQFhz)p;QhjbKg#SB
zP~_Vqo0SGbc5Q;v4Q7vm6_#iT+p9B>%{s`8H}r|hAL5I8Q|ceJAL*eruzD8~<gkwq
zvx^l#{8v+M0LC~Y2*bE0DEUAXMgh}?JStrO9?u9X(uTZCUYB7X;Xob60c{YKpNb$A
zc;|Fq#0e5sI?RG9K%{SS)-mChed+5|5p)}#T=P?pLne#(u(j=td?xOGQ`h}}XFPh(
zlK+}c-Om4Y60f46T8zD@)L8uQ3`>_m>fg26HvLpik&#{3Zd#|1C_>l&-RW2nBBzSO
zQ3%G{nI*T}jBjr%3fjG*&G#ruH^ioD<PZ?iS!V3_Bib@z*xEykgCY!@q63$4+>M>0
zb0vSM8ML?tPU*y%aoCq;V%x%~!W*HaebuDn9qeT*vk0%X>fq-4zrrQf{Uq5zI1rEy
zjQ@V|Cp~$AoBu=VgnVl@Yiro>ZF{uB=5)~i1rZzmDTIzLBy`8Too!#Z4nE$Z{~uB(
z_=o=gK<S)17$`VnQy;G<3X(el`nw>uhVpy&`}<v<r!A(AB2s5JZ9<#XokF-4(v!Ny
z;aH`__4bm9O+%UZR^53b{n6JWE8A8wcI7wbfOxFQDV1P}HVpO_4(+LolUbk6N;bF_
z(r&2MBvBe-W}0x#>-c&f%**M&(|;2iy+nZy2Su}GOAH_GT9z`!ogwn$+Bi&1ZhtPF
z<FQ)JtUVOSX?C$RHNR}`2=&|1sQ|UQ+>VS&LO5#Bq}cew$kvE7*t8W^{{7&7<g9Jf
z53}%j>WaF{upy0mj*K&xbnXvSP9V$6m6cesHGC!&Us36ld9f*Pn8gbJb3`PPT|<Fb
z|1-Xv{%3qi_m%`Q!Iaxc8q*OBBUcCt*A&~l2e{UH-(u{U=5LEXU9{BLbzpXc&}|;r
z%5*mPUnOBaSvQ#Jb=vE7TC}ohwYt^Tcnc`M3FMOLw3sc}eY~7+-M-Jb_dH}j2*l3T
z`d%ikhFij&rqSo{xLb}U0z|w{l8nrBI&_!^0oMQ=9s!{FiR)}rwdu|bZkl^kR(>ZG
zri2?uIu09i>6Y-0-8sREOU?WaGke0+rHPb^sp;*E{Z5P7kFJ@RiLZTO`cN2mRR#Nz
zxjJ##Nk+Uy-2N-8K_@576L(kJ>$UhP+)|w!SQHkkz+e62*hpzyfmY4eQLZtZUhEdG
zIZluDOoPDlt5#iw+2epC3vEATfok^?SDT`TzBwt<L&)-&a(au{C~U;V4AtmQ>gKjY
z>ZImbO)i~T=IYAfw$3j2mF1Cj*_yqK(qw(U^r-!gcUKvWQrDG@E{lEyWDWOPtA9v{
z5($&mxw{nZWo_Ov??S#Bo1;+YwVfx%M23|o$24Hdf^&4hQeV=Cffa5MMYOu2NZLSC
zQ4UxWvn+8%YVGDg(Y*1iHbUyT^=gP*COcE~QkU|&6_3h<QOP!SXtKnFZ(t6QiNz*>
z-GOS6-@o9+Vd(D7x#N<VZFr-?w0u0<s3ZF(&RZgVV0jd(9Fm@KCZpz*28|E31YxOS
z-V4|fS*}%&$;-03ZgJ||hwgX*MLnYGa5UO=kN(8OrY^6V#T*KLm^4=wz0sdB7=;&t
zhHGp$YQD=Oi@!vD+OIFiqU?nyp>Yt{Bvx2`P&ZuCx#^l0bR89Hr6V<YJ*Pbj)-qkc
zv<0$8-MTLHJoaT@QrzeUztAl!w75-*1p{29x7L$=p8u4M6)2M>m<||c3Waq(KO0eZ
zH(|B;X}{FaZ8_4yyWLdK!G_q9AYZcoOY}Jlf3R;%oR5dwR(rk7NqyF%{r>F4s^>li
z`R~-fh>YIAC1?%!O?mxLx!dq*=%IRCj;vXX628aZ;+^M0CDFUY0Rc<1P5e(OVX8n-
z*1UOrX{J}b2N)6m5&_xw^WSN=L<b&156RUh1DwBDzk$u$#CR}Gk^gq0PISm*L(jv?
zNQiS;LWLg@`(YmKDvhG_H=puK_*;-75WG4Lab`lMg}6)Ro%(e*Z8J5!^pyiCsf(dv
z2on?K8Lxe9Aja=INHwxYl$%EAw={qj+To~1h_M=|`UdS^jCPg&39Y|K3<X{k6`Utq
zu89M{SE(>p$I$T>f8K6|J_bj%ZsIYKNs1$TFt!RuCWF48;98`7D(XPVnk+~~i=U$}
zR#;!ZRo4eVqlDxjDeE^3+8)bzG_o~VRwdxqvD^HNh#@o>1My$0*Y_`wfQ$y}az|Uz
zM47oEaYNTH?J^w9EVNnvfmmbV+GHDe)Kf;$^@6?9DrSHnk@*{PuJ>ra|9KO!qQ-Fp
zNNcZB4ZdAI>jEh@3Mt(E1Fy!^gH-Zx6&lr8%=duIgI^~gC{Q;4yoe;#F7B`w9daIe
z{(I;y)=)anc;C;)#P`8H6~iAG_q-4rPJb(6rn4pjclGi6$_L79sFAj#CTv;t@94S6
zz`Id7?k!#3JItckcwOf?sj=Xr6oKvAyt1=jiWN@XBFoW6dw_+c9O9x2i4or?*~8f&
zm<>yzc6Aw_E-gsGAa`6`cjK~k^TJt(^`E1^_h)5(8)1kzAsBxjd4+!hJ&&T!qklDN
z`?j#za=(^wRCvEI75uE^K#IBe5!5g2XW}|lUqAmdmIQb7xJtP}G9^(=!V`ZS_7#RZ
zjXq#Cekw>fE*YS-?Qea|7~H?)bbLK;G&(~%!B@H`o#LYAuu6;-c~jFfjY7GKZ|9~{
zE!`!d@@rhY_@5fDbuQ8gRI~R_vs4%fR5$?yot4hDPJ28k_Wzmc^0yzwMr#*(OXq@g
zRUgQmJA?E>3GO=5N8iWIfBP{&QM%!Oa*iwTlbd0Fbm*QCX>oRb*2XfG-=Bz1Qz0$v
zn#X!2C!LqE601LEMq;X7`P*5nurdKZAmmsI-zZ|rTH;AFxNDyZ_#hN2m4W(|YB64E
z470#yh$;8QzsdA;6vbNvc95HLvZvyT4{C>F(fwy&izvNDuvfO1<f=DficjH^Ptk=}
zvKKKL1@~P^ao{l`XvpGhd0nnNocBP}t45`-1b1UFhCUXuTeXRN_=Dn&OM_57pS&UM
z<}D_GQ2GngSG{l*c-DGs>Z;`Ss#4a_c6pm*{0t|_i9z{@84^lffQa5zG4<{(+p5-S
z^>lG-^GJR#V>;5f3~y%n=`U_jBp~WgB0cp;Lx5VZYPYCH&(evw#}AYRlGJ>vcoeVr
z3%#-QUBgeH!GB>XLw;rT&<H4u)0+b2gp`B<SS1EU2B<;6FO0V){?53`ii~RP0^+xy
z<G;h8dy{UFKk?BD<-fsiI`+URBzNO}4H3XBa**eIg@56!KOqw&qb?J_tx9{U@N@HC
ztXVt~`#<-JFs+s7Dh@v8f+c_FeOJ(jLRWyj0{dbKP-DdhC!^@mHB<K82)LGN!E9iL
z2t{`qx)ykVE}m6(@)m*bOho;W5Lh5qc_#4D%3<IjyEhf4SO-KM;W}MQ0lG+QaQd;F
z6pPpOTpLpaA)ZX3Y%3n)SqUwMw>oMI9ynP;leDwh4O2uM!oIWo&Qxk{^9#nX&^3GJ
z(U~5{S9aw@yHH^yuQGso=~*JOC9Zdi6(TFP+IddkfK5Eu9q;+F9?PPNAe-O;;P_Aa
zPJ{Dqa1gQb%dZ|0I{#B0(z|r(qq!A4CxlW92-LwXFjYfOzAT1DDK`9rm4AB~l&oVv
zi6_{)M9L1%JP}i52y@`!T9RB~!CRel53wl?amNHqcuElq%hn)|#BPvW5_m51RVb|?
zXQ&B*eAD}}QamG>o{?i~usG5<d^#sT9$FSql@}}40+?obf=&rIT|~3@_jk&b;f8tU
zg^liav>X6IDa3+Xkb8w%7;C8|Cln70biA+ZH}fxkH^Wei$vZPnuqIT!Mmy26;mLfU
z3Bbv4M^vvMlz-I+46=g>0^wWkmA!hlYj*I!%it^x9Kx(d{L|+L{rW?Y#hLHWJfd5X
z>B=Swk8=;mRtIz}Hr3NE_garb5W*!7fnNM{+m2_>!cHZZlNEeof~7M#FBEQ+f&gJ3
z^z<nug~GvKX^YC6t1KJ-As1VD8M(-W&=(T`J@+Nrc5Ym_dy|Eo70Z}P(l@7Y%dQZh
zk7p}j2&d$wI-fgROr|*m;cR+PGJKJk$+9p)oslb16vuOM*TNzmKDAhOa?M~231`L#
zMJ!VZBjBzj7We2@;Ke$w_lpX*ggj5E&yX4*GQ%4_FMjtfv^umnN?Cr7TP=wstL*YY
zQ!TAqEcvdc?V{CRnzORdu|VO6taAYr#G*V9>v*t?XV)jQi%0-Ra|ISiW-fx)DsK->
zI}Fv%uee$#-1PKJwr=lU89eh=M{>Nk7IlJ)U33U)lLW+OOU%A|9-Lf;`@c*+vX{W2
z{{?0QoP!#?8=5%yL=fP%iF+?n$0#iHz`P;1{Ra6iwr=V7v^8<sopg0Y@yZ7NO*6=q
zFFlApm-2#`(9hEp&IVc>;NoLJ5)QxIyIx>ur?lMwV=mBo0BA?28kMow8SX=<Y+)==
z;R=1CQ>Ax5L%S~x4+EQi#Ig`(ht%)D(F#Pa!)SiHy&PvUp32=VtAsR|6|NZR@jkad
zX^aEgojf9(-)rNOZ=NVA&a;6Cljkb=H-bY9m^_I)`p<N16r`XAE_(4fS-+dl!Kd9K
z>BHB16QW)sU27zF13ypefeATJc1Wzy39GrKF{UntHsIU59AdXp?j{eh2R)IbU&omd
zk6(qzvE@hve1yM6dgkbz>5HDR&MD~yi$yymQ}?b;RfL$N-#l7(u?T^Wlu+Q;fo|jd
zBe^jzGMHY(2=5<P2*tw)ntAE!i|kvrfQiOA_7D5amQ`g(2*cXve*N10PW_ErW^V8L
z1MqDEjW6kdkAOC-z}uc?m@V^a5B40*PRN+-f=MjuJ@4}mlCv);PKIt(DEf@zhUnJR
z!oyb^SGMdOXtqePw<6%)O~~F2FTY<jX!>l?bEIh+zgE$1TEQ&!p3fH;AW`P?W<ESK
zH#g7ZdfetwZ2v=9o0mn(AO?csJT~Gn*&Y}OjOpbUo}~Hm@;x|NO+0T%-0Axc&%7lF
zJ1pX`Z^AlfV3?dm5G@PwxK_i|&Of7xpxF?vju^4*EO?%y7Xv=e>5Hkj3eJnT>dqg!
zf~}A*SZU5HHDCbdywQ^l_PqssHRlrySYN=`hAv2sVrtcF!`kyEu%XeeRUTJU7vB%h
zY0*)N$mLo6d=tJfe}IPIeiH~>AKwCpkn&WEfYgl?3anq5#-F$6$v-(G_j0*S9mdsn
zg@ek_ut4(?+JP_9-n`Yqo<vHf2Ir!Nonv)J(3x#DWYX;y3-f=3t|>D(gAz+Ttm1#t
za96D}oQR(o=e8wwes19_(p4g(A1vSGwPAp~Hh3hh!fc>u{1E^+^}AzwilFVf6^vbL
zc&NnRs`u)N-P|Cu4()yTiuE{j_V&=K?iP!IUBf~ei2}<whJD5S_DJ}8lyz{d5e0m^
zXp7wURYpf){TL0trzEJmlx>~_KBvUAlXa;R#Wl`gOBtJ$Y5(L))@`riLB)v*r><aR
zw7qT#lC53m61B>9*8VfmQt<PROW2c<^h*+X1{2yJxbMATtPvxHpc+?jPI+FPnVH_&
zfj7uqK><72?+fdwP{BA@?_qo>mN7yzICUCaeG(+>Rb~8wg~6U(P<nm(X&r_f6obUi
z$dKyG&rI&@a%L*(6>)NlDLuhQgjbC}=)HuZgC}0Z-qLX4lJ7^)8~!!*qP0=~`Y_(A
z{@15*ZevZSI^s|OnpCeCwLXf#tgbq8y~R*GB5anmZ;_N!+-3>!wu@NBFCNJ$#y?{?
zMI!?s*=_xA;V&aX)ROxzVW8*de+&P#2zucA|8mksdgCXBsZ*TM=%{L1Tk5LB<Z!KJ
z;lp910!MJ8J~+1dY_Xn{p8}Y~34%%$3)5agk@iGzX6H!Anv5uUI$ciQvmGcbPG)xv
zdO@rD(K-3Ky;MGnIEtGU{Htp(S893+bn<t9@uj!@5B4gD7du9ZgQn18YO4uo06rZq
z#s2-PcRt)y(275pYB#9Hbw&B>_*^@&S?O=ot{h)1xRVSn27&Tk8>rF|6ruzYb;Nq)
z;qvlmrP^SL$mhe4Ai)xpl6Wx&y;z8o!7-+6$qj;ZLXvfR71I@w(R|6lyuP6v-lP&r
z@KK-TEmGQfMmk1c0^fd7!^si}T%b5a2%>T-Drh|^<Hr=j)=_((p;KuSfKido&LV#J
zFFfl}!<eBhy2#i=6c#ra%kZ1$j(EY7lFC*v8!P_^%qy;W8jQ+Q`Z<xkWskY<0J>Cf
z$}qxIv@zxbm<k^RE-aX~4rCWmq?oKl-EW;PQ_l{3e+jJBhWP}gKtyF&I$%ZeMK`+v
z8e^?6J-`{J<4-qj-Ad~A)|HKBJMM+itDqMD(Et|5n|aQ=z$&Sb7P;n0h5a2h`q=X8
zoL#YBVnHjcM6gYTkYUnp7Y*}nB=Og*ah7+WL}S|s!dTMo_mJp5G)1p4pQo%*M<ul@
zTl*h(Spw1r1ddb%$9LJbAQ>J#qjK6Q_aGDe{ciVT20V1lW52Xs!}x(4_j)sUXYdm4
zwYC9FOa;X*c*LxL;xE5ov?|?^7gWXyALy_D2GvDo-8%0-Y%9TkkO_Tcr2qIUg3(OC
z%3wt?<o?7ws>hyn*+e^z%(~2#!2dvMFa$mzgwk1I1X;naFMjXSbnmZ!zd%7u)=cgi
z*0&@Scrl&BDfU(9Pks8#;!~v~r7<YRA|b+cmZ<O+%qVn;SdwH~C-8G;f`4)Dnc*H4
zz^itXa><D&I>~DN{G6WE&_;7i{{a*?oiCao(l%2ruxX0fAt69e2vLgL%Mf_)!*(Tz
zNKW>sW@YB2vBfP>C&L|-pq)Uq^PsG_THu;8iEcqafO?0k$IQp1KyWyOoTxwmKvlc^
zO9$%Tt8;%qQxwy5;CsJ)V}a7I6}SvQ%0_H53Kcqx=m8<MOsI~Wzc<Q!qbFzwSB`D+
z{D9hC-4#S=>3fIzpLSGgfVe^SPdc*xPdciI5dg}#{Etv$e<)gGD=qm0v=!aN@*?$s
zLhzD%4w{vf-g6FHQjG9XyC+4=bewb?Mz%!u8%oP{G9{UJFTLTcCi3R(=Nm&t&Sl(?
zr>pj?=ECdDVa}-g%`LF^1EY@>7d}%VhYpKFS<Su*wlsyNILeDAmwC&4vcc1^J!Zw#
z1{mO|uomzhkc4n!BQAnn>DPH)D(z<fPLgY#uASJ*Dl<~1S0ksFUXxI*v2|bDYL^Mp
z+uux$8f>B+gPe1m7E}W>TiW=8L0&(D&YG=0<&7G4Bu{;-#Ud;-1%Ta9V}U6fyK1YX
z`Rq|i-X(loPZ)M$H%m@j7bGx>uj~y=0)!t#dc|c}+hT%~Sq>fefez0Ul|jOJHta~u
zx7*mV6~Jpt(FkY(pQN91>aFk7VS%Sa^oLaq$*)W?fy`xuFJgH<2s=!Rz}_(qdmdF~
zlr2f=)q_vpi8X;Jq><kv8yxSR^Y*0XEH>5^$GweJ{iS`Khw2f)fsvKpgh;U~13a+9
zfaw}UuGiBy;q10pI^Avb#X3D=k_r(T{N;-xA)OM}2Py5L##<96NU*Sr7GQqhfrPej
z?;B$Bt_sTxuSAPXfTSC{zr?@$$0iHxC@z*5F52j*PG87hh`0w3At8jPf*rjNE~_Gj
z2)fjeUFJ(#l9uWuw&5#@13|AQ1;pdA?EL4YKq0JDR5T8I?aWGxI=J9}vdyH;gQ@iE
z>+UnC2iwT0f80-VuE^bY!N@(}9?bOXyy%rTqSNDN4rO4Zt#(kZwcGgTp&3((F+nsd
ze~B<vkvAmqZQCN{VT^_3N)dA|5@JD*b^OT9w?DKQKQ;>)%K6oP4WX_w1>|QImC;9q
zy}4p+s%^Too2(gE>yo%+yY#F{)phtmNqsJPVQQ0lGR|H9q>aA&AtU4M+EZ%`xvQLb
zbigBOc`dL}&j3er?EOI`!W)N#>+uwp_!h^5FspaEylq!e(FPY-6T3~WeNmZ<$?Y6y
z-!bM1kD7ZF8xl+Pi6fiv1?)q%`aNxn#pK%)ct||L&Xnf8Gu&3g;Of{B8Pt=u`e+Mn
zA(DmU#3cF#Nr7W;X0V4ksFHMcNDAf4G&D8VjLeZ^|5-f$>_|71>P3xuu)?4NJed*w
z6GR_RB5HQLzT(h+`Y?-3esxeue{-Q%b+!&o>IJ<U{K5n=>!#=}#_&q+h<RCdh)3ad
z3u9U*q-7CzJO1;f{W)bBVeSC|{^P$QIIk-CyR3gi5P7Korq0R)C7=#L)o&^V8kh(x
zNN{4}&7CJN$8L7_)db6<z!w~!{P5^-h7S-wszcjbc^U6D3XVpe@7=4Lshiqe0Y5N7
zsFoi-9bHpq0%4HaycQW`HDSXEoRpZA$r%O8D&^MW(rU(>wJga>fkt(*(WdoN5vSta
z#$mMN6}YzYRpaBZ)j)EL91-oL1(|d(>%UclsTUOyXyWM<i=3tzRhCib5fq2Ef#*;)
z!4K=N!LPQ;#t8R?NIyV<J=&|0SM3GNVDlC9rKZ`^G%|W;P3k6I7uja571~nqmtHor
z`gh1ba^|7r%2g9p-h)}xS-a;H1mn;Lmy(6EFMmKhY12ffmjeU0ZfKOR@8x(I{qJ^q
zWjzyb+f<%IGR(jVuT@@|r|AHvml$9>&(hNqLwqtn`!E<P-d=Tz2P)hWLDtC`SMn-I
zloIV)$+_p$q6pB=3{+T$bt&h5MiRm@f))DR4ajXxL~e~d?aZ7D`BA#RIe#z5AdNuY
z4Mu~W1;T&@$^*+^zTgSBFa_%Z+#!Ex?(l(z&?%r3{UE;C#v+0r-0~JQ95Xz5N?r&y
z*034nI1U7@Q9#B{slBKMiyAtxAI4+f8Y--}xBIB$X;zz`!CSfV2z_$UfxvE>>HJM{
zh>M~xa1@*U^cwx-k5QjePr5=B6u*jpJ)C0{C?f7Yga+I^4$TleyX$x&jm9z@c!?cC
z<2kY7)p^+<iaz~w05^&?q!U1}|D10Ixrw;JZn#OjY5bsrsT0c{MzF*BVSiu=+KAdT
zKQuo-KJJbUw`(m-=2HrjxRrUZ<4T2VI}lY0Ghf>W{AXd@l1C09_yB*TG|yzb96BYk
z8Wpj81vB>zcR+qM4m~A44w1n7$fxB$-?MV}S?Fh}c_|2FXg`cZ?750i;Cdl-_nGK#
zta)h)6!<k-ithudu6LI{`^y6%$8{g&DkiXYPz8(kVsF-P5TW&F<TGk7-`qR&|E4Od
zgJr;N;#RT&P%aaBU_tTM95&<ztJNAH6Be>*AsQ-z8caSh)%5JY>_yCeJs~FpAzdY8
zF@SU_hN#~ip5I;UACFzx1v0yf{j97l&)e-=`d#1Kp6A(Kj&HC!%vK!wEdK3HFJ?|6
za;WwUczZ+&<$g!Td^48@lJtfW@doXL#jY6)dK_RDCQAZ}l&OdD+?Yl5-bqpsHZR^(
zF{u_cR(x>u(c4i5f(^8!h6CV0#ZxRFhLlunWiGDLO6yoRb(wV<(P^8=fOU7Hp{AHE
z;Yg%kg@6&tL3Z*IrbkDeQ$%rbalVP39D@LVrC2xSavnTp%PorXPf1DVzHyqjDsDnS
zL=mv0a2s60bHKGQM)ue>npH0SCp;XtZFUzm?R-x7D*(PxMmuJ4J*K2eY&ebe0yQHe
zVG&*qe{pot{PM^xQv`H_rn2FcYOrEN+I#uX^1`Id%J$;Hi2cNCU!0Hlc0TjxLzkss
zHxmC;hQBu5U4J0XflWM;{uH`_47Sg)QyZ{8D&T0;bdc3{^^<=q7P?C_2E-}PQn>*=
z2T5q^J|Q_2+x%Qt`i3m6=6V$)BxIx{2KAFkMb#q`iMCD|L>+}_dYVA$wBr1Zr}YOF
z^MMGO@PHGGh>g|^yF`PvvtDwN@kxt?ClLcG<+murHMz1Asj!$l=b)4{d}SqOJ}>Y<
zSeAyP@ZEcpx`ayIdp>{--UVLYC_cZZURh_!4u2(*#x@Tk(QJa}4BqqZ$6%LhF-HB~
zAcc?$I6KP}IxANcAteEBX$Ys?T=JB|Fnd3*UAO0mYAXCgWf~?7Z_G7G5`H4;S^QKK
zG*2l75vI@DHQC*es>6&|r^#RHKRQ5rwv_l4`!(!I3%)Z$P1f<pp$a6um{0o<xo1(S
zZ`Q0UjI755S`%%J_bkQdMJX=gQ{yGwHkEGhB^jy#Kdw`Bz|GK-!lL;4BMah}BF+x+
z?HI()zNqsZIGTqA_xWDA=-;C4;b|i|!YxXR_7sk5(v2GtT%3GTmNwkY;US<pe8iMx
z?CMVyA>nZ8N@27zyg}54ElO%<W#-o+m4iU~8Q?$4$|V+p5$&IW7v%jYE2kKCPp*(d
zFu#B%8S=B~N(!;YOU;1OEc3s-B5iV$wBx@k(n04f!GdovshST2rB@sL)o7#C00dbz
zXLs^S+aB?68q$l630l4mcvrwQA6iub28Kfn2K|9b`26o(qj%;Gb~*&bcgMHKOZ}{Y
zpH25NG-g&gW}2EiE*s0bJ7k5r6CL;J<)P?02__GA3^V)q7ZuC)FdRFi4Ui^Hu`+ke
zlP$?ecllVihlR$b$u#yp1B#i7to3FBXsOesoC<RET3TvI{~Xg=|3aNr1q=*+q#7{W
z-Y$TNBqW^r8?8@4K)pJ3Mu3uzqB%>SjQ_4uujX)4ta@Gz2)_>4b~vX|rhRIH-eqdD
zL)xaEpW3K|a>daQRRR*_$W&gtrWOsW-IE4VQl3L$3}=-PFU)s@<aWQn^ePgERyg<~
zi9>XG&9+DFivH-;2&w~$ES_nJZJH!?1mO!CnP)Jb{mW9=f`bDpo^PI6i4|YurK)Q1
z^Ys1oHRdr!$X4RuyR%kgp!a*Lz*_AAoJ$EVAdsNCoPA^VZE1pGO@D3UStACE+%vs6
z<P#Iz;tqZ&(cujrDA6_F?Rn}(1d-gA3k(F0-q!_>$io@E>DmB|3VV~GbOt2oc+K;t
zdn3gaFvYz;vRN-+2+Qk{8|O}e86nVck)fZn3sg$j#dLVham{yGkc$I#!HF7mRS%f*
z!+NdzG49K(qaO^SBlp@K@D?|^rAq;8{*@kRc4sYSNQmoy7@_RS_ksWl2T_38h2A)#
ziU2WXWD03(NqS&Mu*?0-iK8X_Z3w`}c7MPv0qZ7iM|L3xdTnR{y!7{#82$}uJCiGT
z<R=!u#|^6|?wiC#sfCopSzEKCR6U6Bw(Q;@s$H1rn`1g@5SxCRm~1fj@s^zS?<3!C
zifc616*O$TXPDdO5kx`EKMG|B6zm3|2vBezn)24W%c37snNJGF8e>qa=8<9L05hu6
z1N+2n<bYn!L1|(Gqhn$6j9K??r7Po{X_%ib8Rqb7TWs5SRq}=2dXRLIAumPFyfCrC
zDiI||Hbl~nD|ql~>7OzT{NEf?gS@eq7@buCDFe9mAxY%THo^b@BHckKK>jg6{@)>n
z43cPs%$Qi0iwyZ+{C491>FRu5+6baJ{&XXXC@Sp+b!Q<l1VW-1h>E|{7_d?lm5K=B
z)myKEcxjFm74+drF|JCYcxdY%ASig#YoRBRUV7An7f-%<D?52!XFl`Zn^^{ShT;3I
zI<T$g4}e~*gKXa&-QyT9VSr&V{tp%o7Tij&#SziJ(&k5ME%t`kBX71Cwyq<7<3_Q^
zHQr(Xa%dr@sn1-1v9SW^7YS~0`f$$GMn;WvV$Re5WJdJgCv=nq{y&U|*odda3tRIk
zzko?E=~Q~8WW~^B-1Zi0*k}NsJlmR1>rqj%PHECbxh#5476cEq@NQL?dI6gUqvS@w
zq!WmD(<!x6<aoxbqX{?AGp1;={PQ8ebhe#@zB4txI_~4KZH2Rd-MI-}g)&O50No<?
zR1OOz8&~sj1_S9zN|F=cSe`)^cpX(nsSlt>aR0{NxItAZCKDCVw=Zu{9WGDu^i?2g
zLerPiOU*HSaXg^3CdOX^F6c9MiHINP339N%)a96`^Z-c#&EogcxMSYo0Cb4{-}q1(
zRrJine`P|6WRkm8u4Ja1QRYq$AR>b7tugd#EsT-VmXN-t!TYjZy}i!uKi6$u>EJ?w
zvdHZg+hp+5ree?>fdJAX)5#Wtm#2M-{~2jfX2{G`)?D6UD1MevdeeU;;HCi}AtJr(
SGW6ptSs!X7{rG*o_g?|vpSEZK

diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index a80b22c..b82aa23 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.6-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
diff --git a/hsm/build.gradle b/hsm/build.gradle
index a04c869..1a760c7 100644
--- a/hsm/build.gradle
+++ b/hsm/build.gradle
@@ -31,7 +31,8 @@ dependencies {
         }
     }
     thalesImplementation "net.ripe.rpki:rpki-commons:$rpki_commons_version"
-    thalesImplementation 'com.thales.esecurity.asg.ripe.db-jceprovider:DBProvider:1.4'
+    // 2024-4-16: Test DBProvider snapshot provided by Entrust
+    thalesImplementation 'com.thales.esecurity.asg.ripe.db-jceprovider:DBProvider:1.6-SNAPSHOT'
     // **When using JDK 11** make sure the matching version of nCipherKM is on classpath because DBProvider depends on it.
     thalesImplementation 'com.ncipher.nfast:nCipherKM:13.4.5'
 
diff --git a/src/integration/java/net/ripe/rpki/ripencc/services/impl/KrillNonHostedPublisherRepositoryBeanIT.java b/src/integration/java/net/ripe/rpki/ripencc/services/impl/KrillNonHostedPublisherRepositoryBeanIT.java
index b619bf4..a9a554a 100644
--- a/src/integration/java/net/ripe/rpki/ripencc/services/impl/KrillNonHostedPublisherRepositoryBeanIT.java
+++ b/src/integration/java/net/ripe/rpki/ripencc/services/impl/KrillNonHostedPublisherRepositoryBeanIT.java
@@ -14,7 +14,7 @@
 import org.springframework.core.io.Resource;
 import org.springframework.test.context.ActiveProfiles;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.nio.charset.StandardCharsets;
 import java.util.Set;
 import java.util.UUID;
diff --git a/src/integration/java/net/ripe/rpki/ripencc/services/impl/RestCustomerServiceClientIT.java b/src/integration/java/net/ripe/rpki/ripencc/services/impl/RestCustomerServiceClientIT.java
index 0d4f74b..abeed8e 100644
--- a/src/integration/java/net/ripe/rpki/ripencc/services/impl/RestCustomerServiceClientIT.java
+++ b/src/integration/java/net/ripe/rpki/ripencc/services/impl/RestCustomerServiceClientIT.java
@@ -8,9 +8,9 @@
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.test.context.ActiveProfiles;
 
-import javax.inject.Inject;
-import javax.ws.rs.ProcessingException;
-import javax.ws.rs.core.Response;
+import jakarta.inject.Inject;
+import jakarta.ws.rs.ProcessingException;
+import jakarta.ws.rs.core.Response;
 import java.util.List;
 
 import static org.junit.Assert.assertFalse;
diff --git a/src/integration/java/net/ripe/rpki/ripencc/services/impl/RestResourceServicesClientIT.java b/src/integration/java/net/ripe/rpki/ripencc/services/impl/RestResourceServicesClientIT.java
index 0a7c66c..0a85123 100644
--- a/src/integration/java/net/ripe/rpki/ripencc/services/impl/RestResourceServicesClientIT.java
+++ b/src/integration/java/net/ripe/rpki/ripencc/services/impl/RestResourceServicesClientIT.java
@@ -11,9 +11,9 @@
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.test.context.ActiveProfiles;
 
-import javax.inject.Inject;
-import javax.ws.rs.ProcessingException;
-import javax.ws.rs.core.Response;
+import jakarta.inject.Inject;
+import jakarta.ws.rs.ProcessingException;
+import jakarta.ws.rs.core.Response;
 import java.util.Map;
 
 import static org.assertj.core.api.Assertions.assertThat;
diff --git a/src/integration/java/net/ripe/rpki/util/ActuatorMetricsIT.java b/src/integration/java/net/ripe/rpki/util/ActuatorMetricsIT.java
index 937b657..0f73611 100644
--- a/src/integration/java/net/ripe/rpki/util/ActuatorMetricsIT.java
+++ b/src/integration/java/net/ripe/rpki/util/ActuatorMetricsIT.java
@@ -4,16 +4,18 @@
 import net.ripe.rpki.TestRpkiBootApplication;
 import net.ripe.rpki.rest.service.Rest;
 import net.ripe.rpki.server.api.services.system.ActiveNodeService;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.actuate.metrics.AutoConfigureMetrics;
+import org.springframework.boot.test.autoconfigure.actuate.observability.AutoConfigureObservability;
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.context.annotation.ComponentScan;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.TestPropertySource;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;
 
@@ -23,9 +25,9 @@
 @TestPropertySource(properties = {"management.port="})
 @ComponentScan(value = "net.ripe.rpki", lazyInit = false)
 @ActiveProfiles("test")
-@RunWith(SpringRunner.class)
+@ExtendWith(SpringExtension.class)
 @AutoConfigureMockMvc
-@AutoConfigureMetrics
+@AutoConfigureObservability
 @SpringBootTest(classes = TestRpkiBootApplication.class, properties = "instance.name=unittest.local")
 /**
  * Validate that the metrics can be loaded.
diff --git a/src/main/dist/rpki-ripe-ncc.sh b/src/main/dist/rpki-ripe-ncc.sh
index 0101529..374222a 100755
--- a/src/main/dist/rpki-ripe-ncc.sh
+++ b/src/main/dist/rpki-ripe-ncc.sh
@@ -5,7 +5,7 @@
 #   APPLICATION_ENVIRONMENT=prepdev rpki-ripe-ncc.sh
 #
 
-JAVA_HOME=${JAVA_HOME:-"/usr/lib/jvm/jre-11-openjdk"}
+JAVA_HOME=${JAVA_HOME:-"/usr/lib/jvm/jre-17-openjdk"}
 LANG=${LANG:-"en_US.UTF-8"}
 
 cd "$(dirname "$0")" || exit 1
diff --git a/src/main/java/net/ripe/rpki/application/impl/CommandAuditServiceBean.java b/src/main/java/net/ripe/rpki/application/impl/CommandAuditServiceBean.java
index bffa632..69b7fca 100644
--- a/src/main/java/net/ripe/rpki/application/impl/CommandAuditServiceBean.java
+++ b/src/main/java/net/ripe/rpki/application/impl/CommandAuditServiceBean.java
@@ -15,9 +15,9 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
-import javax.persistence.EntityManager;
-import javax.persistence.PersistenceContext;
-import javax.persistence.Query;
+import jakarta.persistence.EntityManager;
+import jakarta.persistence.PersistenceContext;
+import jakarta.persistence.Query;
 import javax.security.auth.x500.X500Principal;
 import java.util.List;
 import java.util.Map;
@@ -59,7 +59,7 @@ public List<CommandAuditData> findMostRecentCommandsForCa(long caId) {
     }
 
     private List<CommandAuditData> convertToData(List<CommandAudit> commandAuditList) {
-        return commandAuditList.stream().map(CommandAudit::toData).collect(Collectors.toList());
+        return commandAuditList.stream().map(CommandAudit::toData).toList();
     }
 
     @SuppressWarnings("unchecked")
@@ -79,8 +79,7 @@ public CommandContext startRecording(CertificateAuthorityCommand command) {
         VersionedId caVersionedId;
         X500Principal caName;
         UUID caUuid;
-        if (command instanceof CertificateAuthorityCreationCommand) {
-            CertificateAuthorityCreationCommand activationCommand = (CertificateAuthorityCreationCommand) command;
+        if (command instanceof CertificateAuthorityCreationCommand activationCommand) {
             caVersionedId = activationCommand.getCertificateAuthorityVersionedId();
             caName = activationCommand.getName();
             caUuid = activationCommand.getUuid();
@@ -104,7 +103,7 @@ public void finishRecording(CommandContext context) {
         CommandAudit commandAudit = context.getCommandAudit();
         CertificateAuthorityCommand command = context.getCommand();
 
-        List<String> events = context.getRecordedEvents().stream().map(Object::toString).collect(Collectors.toList());
+        List<String> events = context.getRecordedEvents().stream().map(Object::toString).toList();
         String commandEvents = events.stream().collect(Collectors.joining("\n    ", "\n    ", ""));
 
         log.info(
diff --git a/src/main/java/net/ripe/rpki/bgpris/BgpRisEntryRepositoryBean.java b/src/main/java/net/ripe/rpki/bgpris/BgpRisEntryRepositoryBean.java
index e0ea09e..2dfd07b 100644
--- a/src/main/java/net/ripe/rpki/bgpris/BgpRisEntryRepositoryBean.java
+++ b/src/main/java/net/ripe/rpki/bgpris/BgpRisEntryRepositoryBean.java
@@ -29,7 +29,7 @@ public class BgpRisEntryRepositoryBean implements BgpRisEntryViewService {
     /*
      * All BgpRisEntries that have enough visibility.
      */
-    private AtomicReference<IntervalMap<IpRange, ArrayList<BgpRisEntry>>> entries = new AtomicReference<>(emptyEntries());
+    private final AtomicReference<IntervalMap<IpRange, ArrayList<BgpRisEntry>>> entries = new AtomicReference<>(emptyEntries());
 
     @Override
     public boolean isEmpty() {
@@ -43,9 +43,8 @@ public Collection<BgpRisEntry> findMostSpecificOverlapping(ImmutableResourceSet
         Collection<BgpRisEntry> result = new HashSet<>();
         for (IpRange prefix : getPrefixes(resources)) {
             final List<BgpRisEntry> exactAndMoreSpecific = current.findExactAndAllMoreSpecific(prefix)
-                .stream()
-                .flatMap(Collection::stream)
-                .collect(Collectors.toList());
+                    .stream()
+                    .flatMap(Collection::stream).toList();
             result.addAll(exactAndMoreSpecific);
 
             final ImmutableResourceSet remaining = findResourcesNotCovered(prefix, exactAndMoreSpecific);
@@ -62,9 +61,8 @@ public Map<Boolean, Collection<BgpRisEntry>> findMostSpecificContainedAndNotCont
         Collection<BgpRisEntry> notContainedEntries = new HashSet<>();
         for (IpRange prefix : getPrefixes(resources)) {
             final List<BgpRisEntry> exactAndMoreSpecific = current.findExactAndAllMoreSpecific(prefix)
-                .stream()
-                .flatMap(Collection::stream)
-                .collect(Collectors.toList());
+                    .stream()
+                    .flatMap(Collection::stream).toList();
             containedEntries.addAll(exactAndMoreSpecific);
             final ImmutableResourceSet remaining = findResourcesNotCovered(prefix, exactAndMoreSpecific);
             addLessSpecificAnnouncements(current, notContainedEntries, remaining);
@@ -133,8 +131,7 @@ private boolean isLargePrefixes(IpRange prefix) {
     private static List<IpRange> getPrefixes(final ImmutableResourceSet resources) {
         List<IpRange> result = new ArrayList<>();
         for (IpResource resource : resources) {
-            if (resource instanceof IpRange) {
-                IpRange range = (IpRange) resource;
+            if (resource instanceof IpRange range) {
                 result.addAll(range.splitToPrefixes());
             } else if (resource instanceof IpAddress) {
                 result.add(IpRange.range((IpAddress) resource, (IpAddress) resource));
diff --git a/src/main/java/net/ripe/rpki/core/read/services/ca/CertificateAuthorityViewServiceImpl.java b/src/main/java/net/ripe/rpki/core/read/services/ca/CertificateAuthorityViewServiceImpl.java
index 0ec3721..075e852 100644
--- a/src/main/java/net/ripe/rpki/core/read/services/ca/CertificateAuthorityViewServiceImpl.java
+++ b/src/main/java/net/ripe/rpki/core/read/services/ca/CertificateAuthorityViewServiceImpl.java
@@ -12,11 +12,11 @@
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
-import javax.inject.Inject;
-import javax.persistence.EntityManager;
-import javax.persistence.EntityNotFoundException;
-import javax.persistence.LockModeType;
-import javax.persistence.TypedQuery;
+import jakarta.inject.Inject;
+import jakarta.persistence.EntityManager;
+import jakarta.persistence.EntityNotFoundException;
+import jakarta.persistence.LockModeType;
+import jakarta.persistence.TypedQuery;
 import javax.security.auth.x500.X500Principal;
 import java.util.*;
 import java.util.stream.Collectors;
@@ -76,11 +76,11 @@ public CertificateAuthorityData findCertificateAuthority(Long caId) {
     @Override
     public Collection<CertificateAuthorityData> findAllChildrenForCa(X500Principal caName) {
         CertificateAuthority parent = certificateAuthorityRepository.findByTypeAndName(CertificateAuthority.class, caName);
-        return parent instanceof ParentCertificateAuthority
-            ? certificateAuthorityRepository.findAllByParent((ParentCertificateAuthority) parent).stream()
-                .map(this::convertToCaData)
-                .collect(Collectors.toList())
-            : Collections.emptyList();
+        if (parent instanceof ParentCertificateAuthority parentCa) {
+            return certificateAuthorityRepository.findAllByParent(parentCa)
+                .stream().map(this::convertToCaData).toList();
+        }
+        return List.of();
     }
 
     @Override
@@ -91,14 +91,13 @@ public Optional<CertificateAuthorityData> findSmallestIntermediateCa(X500Princip
     @Override
     public Collection<ManagedCertificateAuthorityData> findManagedCasEligibleForKeyRevocation() {
         return entityManager.createQuery(
-                "FROM ManagedCertificateAuthority ca " +
-                    "WHERE EXISTS (FROM ca.keyPairs kp WHERE kp.status = :old)",
-                ManagedCertificateAuthority.class
-            )
-            .setParameter("old", KeyPairStatus.OLD)
-            .getResultStream()
-            .map(ManagedCertificateAuthority::toData)
-            .collect(Collectors.toList());
+                        "FROM ManagedCertificateAuthority ca " +
+                                "WHERE EXISTS (FROM ca.keyPairs kp WHERE kp.status = :old)",
+                        ManagedCertificateAuthority.class
+                )
+                .setParameter("old", KeyPairStatus.OLD)
+                .getResultStream()
+                .map(ManagedCertificateAuthority::toData).toList();
     }
 
     @Override
@@ -124,8 +123,7 @@ public Collection<ManagedCertificateAuthorityData> findManagedCasEligibleForKeyR
             .setParameter("maxKpAge", oldestKpCreationTime);
         batchSize.ifPresent(query::setMaxResults);
         return query.getResultStream()
-            .map(ManagedCertificateAuthority::toData)
-            .collect(Collectors.toList());
+                .map(ManagedCertificateAuthority::toData).toList();
     }
 
     @Override
@@ -178,8 +176,8 @@ public List<CertificateAuthorityData> findAllManagedCertificateAuthoritiesWithPe
             .getResultStream();
         return certificateAuthorities
             .sorted(Comparator.comparingInt(CertificateAuthority::depth))
-            .map(ManagedCertificateAuthority::toData)
-            .collect(Collectors.toList());
+            .map((x) -> (CertificateAuthorityData) x.toData())
+            .toList();
     }
 
     private CertificateAuthorityData convertToCaData(CertificateAuthority ca) {
diff --git a/src/main/java/net/ripe/rpki/core/read/services/cert/ResourceCertificateViewServiceImpl.java b/src/main/java/net/ripe/rpki/core/read/services/cert/ResourceCertificateViewServiceImpl.java
index f1f204b..1708d7a 100644
--- a/src/main/java/net/ripe/rpki/core/read/services/cert/ResourceCertificateViewServiceImpl.java
+++ b/src/main/java/net/ripe/rpki/core/read/services/cert/ResourceCertificateViewServiceImpl.java
@@ -1,5 +1,6 @@
 package net.ripe.rpki.core.read.services.cert;
 
+import jakarta.annotation.Resource;
 import lombok.NonNull;
 import net.ripe.ipresource.ImmutableResourceSet;
 import net.ripe.rpki.domain.CertificateAuthorityRepository;
@@ -13,10 +14,9 @@
 import org.springframework.stereotype.Component;
 import org.springframework.transaction.annotation.Transactional;
 
-import javax.annotation.Resource;
-import javax.persistence.EntityManager;
-import javax.persistence.NoResultException;
-import javax.persistence.PersistenceContext;
+import jakarta.persistence.EntityManager;
+import jakarta.persistence.NoResultException;
+import jakarta.persistence.PersistenceContext;
 import java.security.PublicKey;
 import java.util.Optional;
 
diff --git a/src/main/java/net/ripe/rpki/core/services/background/BackgroundTaskRunner.java b/src/main/java/net/ripe/rpki/core/services/background/BackgroundTaskRunner.java
index ed3142f..eddc23d 100644
--- a/src/main/java/net/ripe/rpki/core/services/background/BackgroundTaskRunner.java
+++ b/src/main/java/net/ripe/rpki/core/services/background/BackgroundTaskRunner.java
@@ -77,9 +77,8 @@ public interface Task<T> {
     public <T> List<T> runParallel(Stream<Task<T>> tasks) {
         MaxExceptionsTemplate maxExceptionsTemplate = new MaxExceptionsTemplate(20);
         List<T> result = forkJoinPool.submit(
-            () -> tasks.parallel()
-                .flatMap(task -> maxExceptionsTemplate.wrap(task).stream())
-                .collect(Collectors.toList())
+                () -> tasks.parallel()
+                        .flatMap(task -> maxExceptionsTemplate.wrap(task).stream()).toList()
         ).join();
         if (maxExceptionsTemplate.maxExceptionsOccurred()) {
             throw new BackgroundServiceException("Too many exceptions encountered, suspecting problems that affect ALL CAs.");
diff --git a/src/main/java/net/ripe/rpki/core/write/services/command/CommandServiceImpl.java b/src/main/java/net/ripe/rpki/core/write/services/command/CommandServiceImpl.java
index f2f1831..3727808 100644
--- a/src/main/java/net/ripe/rpki/core/write/services/command/CommandServiceImpl.java
+++ b/src/main/java/net/ripe/rpki/core/write/services/command/CommandServiceImpl.java
@@ -24,19 +24,18 @@
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.support.TransactionTemplate;
 
-import javax.inject.Inject;
-import javax.persistence.EntityManager;
-import javax.persistence.FlushModeType;
-import javax.persistence.OptimisticLockException;
-import javax.persistence.PessimisticLockException;
-import javax.persistence.Query;
+import jakarta.inject.Inject;
+import jakarta.persistence.EntityManager;
+import jakarta.persistence.FlushModeType;
+import jakarta.persistence.OptimisticLockException;
+import jakarta.persistence.PessimisticLockException;
+import jakarta.persistence.Query;
 import java.math.BigInteger;
 import java.time.Duration;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.TimeUnit;
-import java.util.stream.Collectors;
 
 import static com.google.common.util.concurrent.Uninterruptibles.sleepUninterruptibly;
 
@@ -90,8 +89,8 @@ public CommandServiceImpl(
     public VersionedId getNextId() {
         Query q = entityManager.createNativeQuery("SELECT nextval('seq_all')");
         q.setFlushMode(FlushModeType.COMMIT); // no need to do dirty checking
-        BigInteger next = (BigInteger) q.getSingleResult();
-        return new VersionedId(next.longValue());
+        long next = (long) q.getSingleResult();
+        return new VersionedId(next);
     }
 
     @SuppressWarnings("try")
@@ -155,7 +154,7 @@ private CommandStatus executeCommand(CertificateAuthorityCommand command) {
         transactionTemplate.executeWithoutResult(status -> {
             EventDelegateTracker.get().reset();
             CommandContext commandContext = commandAuditService.startRecording(command);
-            List<EventSubscription> subscriptions = eventVisitors.stream().map(visitor -> ManagedCertificateAuthority.subscribe(visitor, commandContext)).collect(Collectors.toList());
+            List<EventSubscription> subscriptions = eventVisitors.stream().map(visitor -> ManagedCertificateAuthority.subscribe(visitor, commandContext)).toList();
             try (
                 EventSubscription commandAuditSubscription = ManagedCertificateAuthority.EVENTS.subscribe(commandContext::recordEvent)
             ) {
diff --git a/src/main/java/net/ripe/rpki/domain/AllResourcesCertificateAuthority.java b/src/main/java/net/ripe/rpki/domain/AllResourcesCertificateAuthority.java
index f650e7d..0c30edc 100644
--- a/src/main/java/net/ripe/rpki/domain/AllResourcesCertificateAuthority.java
+++ b/src/main/java/net/ripe/rpki/domain/AllResourcesCertificateAuthority.java
@@ -10,9 +10,9 @@
 import net.ripe.rpki.server.api.dto.CertificateAuthorityType;
 import net.ripe.rpki.server.api.ports.ResourceLookupService;
 
-import javax.persistence.DiscriminatorValue;
-import javax.persistence.Entity;
-import javax.persistence.OneToOne;
+import jakarta.persistence.DiscriminatorValue;
+import jakarta.persistence.Entity;
+import jakarta.persistence.OneToOne;
 import javax.security.auth.x500.X500Principal;
 import java.util.ArrayList;
 import java.util.List;
@@ -26,7 +26,7 @@ public class AllResourcesCertificateAuthority extends ManagedCertificateAuthorit
 
     @Getter
     @Setter
-    @OneToOne(mappedBy = "certificateAuthority", cascade = {javax.persistence.CascadeType.ALL}, orphanRemoval = true)
+    @OneToOne(mappedBy = "certificateAuthority", cascade = {jakarta.persistence.CascadeType.ALL}, orphanRemoval = true)
     private UpStreamCARequestEntity upStreamCARequestEntity;
 
     protected AllResourcesCertificateAuthority() {
diff --git a/src/main/java/net/ripe/rpki/domain/CertificateAuthority.java b/src/main/java/net/ripe/rpki/domain/CertificateAuthority.java
index 97ee98b..1b554df 100644
--- a/src/main/java/net/ripe/rpki/domain/CertificateAuthority.java
+++ b/src/main/java/net/ripe/rpki/domain/CertificateAuthority.java
@@ -9,18 +9,18 @@
 import org.joda.time.DateTimeZone;
 import org.joda.time.Period;
 
-import javax.persistence.Column;
-import javax.persistence.DiscriminatorColumn;
-import javax.persistence.DiscriminatorType;
-import javax.persistence.Entity;
-import javax.persistence.FetchType;
-import javax.persistence.Inheritance;
-import javax.persistence.InheritanceType;
-import javax.persistence.JoinColumn;
-import javax.persistence.ManyToOne;
-import javax.persistence.Table;
+import jakarta.persistence.Column;
+import jakarta.persistence.DiscriminatorColumn;
+import jakarta.persistence.DiscriminatorType;
+import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.Inheritance;
+import jakarta.persistence.InheritanceType;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.Table;
 import javax.security.auth.x500.X500Principal;
-import javax.validation.constraints.NotNull;
+import jakarta.validation.constraints.NotNull;
 import java.util.Optional;
 import java.util.UUID;
 
diff --git a/src/main/java/net/ripe/rpki/domain/CertificateAuthorityRepository.java b/src/main/java/net/ripe/rpki/domain/CertificateAuthorityRepository.java
index bd0e22e..6495bd1 100644
--- a/src/main/java/net/ripe/rpki/domain/CertificateAuthorityRepository.java
+++ b/src/main/java/net/ripe/rpki/domain/CertificateAuthorityRepository.java
@@ -5,7 +5,7 @@
 import net.ripe.rpki.server.api.dto.CaStat;
 import org.joda.time.DateTime;
 
-import javax.persistence.LockModeType;
+import jakarta.persistence.LockModeType;
 import javax.security.auth.x500.X500Principal;
 import java.util.Collection;
 import java.util.List;
diff --git a/src/main/java/net/ripe/rpki/domain/DownStreamProvisioningCommunicator.java b/src/main/java/net/ripe/rpki/domain/DownStreamProvisioningCommunicator.java
index 54d33ec..c86e44f 100644
--- a/src/main/java/net/ripe/rpki/domain/DownStreamProvisioningCommunicator.java
+++ b/src/main/java/net/ripe/rpki/domain/DownStreamProvisioningCommunicator.java
@@ -11,9 +11,9 @@
 import net.ripe.rpki.util.SerialNumberSupplier;
 import org.apache.commons.lang.Validate;
 
-import javax.persistence.*;
+import jakarta.persistence.*;
 import javax.security.auth.x500.X500Principal;
-import javax.validation.constraints.NotNull;
+import jakarta.validation.constraints.NotNull;
 import java.math.BigInteger;
 import java.security.KeyPair;
 import java.security.cert.X509CRL;
diff --git a/src/main/java/net/ripe/rpki/domain/EmbeddedInformationAccessDescriptor.java b/src/main/java/net/ripe/rpki/domain/EmbeddedInformationAccessDescriptor.java
index 4298021..a0f2e67 100644
--- a/src/main/java/net/ripe/rpki/domain/EmbeddedInformationAccessDescriptor.java
+++ b/src/main/java/net/ripe/rpki/domain/EmbeddedInformationAccessDescriptor.java
@@ -6,9 +6,9 @@
 import net.ripe.rpki.commons.crypto.x509cert.X509CertificateInformationAccessDescriptor;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 
-import javax.persistence.Column;
-import javax.persistence.Embeddable;
-import javax.validation.constraints.NotNull;
+import jakarta.persistence.Column;
+import jakarta.persistence.Embeddable;
+import jakarta.validation.constraints.NotNull;
 import java.net.URI;
 
 @Embeddable
diff --git a/src/main/java/net/ripe/rpki/domain/EmbeddedResourceExtension.java b/src/main/java/net/ripe/rpki/domain/EmbeddedResourceExtension.java
index 0299db6..a37eb23 100644
--- a/src/main/java/net/ripe/rpki/domain/EmbeddedResourceExtension.java
+++ b/src/main/java/net/ripe/rpki/domain/EmbeddedResourceExtension.java
@@ -7,9 +7,9 @@
 import net.ripe.ipresource.IpResourceType;
 import net.ripe.rpki.commons.crypto.rfc3779.ResourceExtension;
 
-import javax.persistence.Column;
-import javax.persistence.Embeddable;
-import javax.validation.constraints.NotNull;
+import jakarta.persistence.Column;
+import jakarta.persistence.Embeddable;
+import jakarta.validation.constraints.NotNull;
 import java.util.EnumSet;
 
 /**
diff --git a/src/main/java/net/ripe/rpki/domain/EmbeddedValidityPeriod.java b/src/main/java/net/ripe/rpki/domain/EmbeddedValidityPeriod.java
index 0057001..d901144 100644
--- a/src/main/java/net/ripe/rpki/domain/EmbeddedValidityPeriod.java
+++ b/src/main/java/net/ripe/rpki/domain/EmbeddedValidityPeriod.java
@@ -6,8 +6,8 @@
 import net.ripe.rpki.commons.crypto.ValidityPeriod;
 import org.joda.time.DateTime;
 
-import javax.persistence.Column;
-import javax.persistence.Embeddable;
+import jakarta.persistence.Column;
+import jakarta.persistence.Embeddable;
 
 /**
  * JPA mappable version of a ValidityPeriod
diff --git a/src/main/java/net/ripe/rpki/domain/GenericPublishedObject.java b/src/main/java/net/ripe/rpki/domain/GenericPublishedObject.java
index 4b91adb..1be0fc5 100644
--- a/src/main/java/net/ripe/rpki/domain/GenericPublishedObject.java
+++ b/src/main/java/net/ripe/rpki/domain/GenericPublishedObject.java
@@ -5,14 +5,14 @@
 import net.ripe.rpki.ncc.core.domain.support.EntitySupport;
 import org.joda.time.Instant;
 
-import javax.persistence.Column;
-import javax.persistence.EnumType;
-import javax.persistence.Enumerated;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.MappedSuperclass;
-import javax.persistence.SequenceGenerator;
+import jakarta.persistence.Column;
+import jakarta.persistence.EnumType;
+import jakarta.persistence.Enumerated;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.MappedSuperclass;
+import jakarta.persistence.SequenceGenerator;
 import java.net.URI;
 import java.util.Arrays;
 
diff --git a/src/main/java/net/ripe/rpki/domain/HostedCertificateAuthority.java b/src/main/java/net/ripe/rpki/domain/HostedCertificateAuthority.java
index 96abd99..23296d5 100644
--- a/src/main/java/net/ripe/rpki/domain/HostedCertificateAuthority.java
+++ b/src/main/java/net/ripe/rpki/domain/HostedCertificateAuthority.java
@@ -10,13 +10,12 @@
 import net.ripe.rpki.server.api.ports.ResourceInformationNotAvailableException;
 import net.ripe.rpki.server.api.ports.ResourceLookupService;
 
-import javax.persistence.DiscriminatorValue;
-import javax.persistence.Entity;
+import jakarta.persistence.DiscriminatorValue;
+import jakarta.persistence.Entity;
 import javax.security.auth.x500.X500Principal;
 import java.util.List;
 import java.util.Optional;
 import java.util.UUID;
-import java.util.stream.Collectors;
 
 /**
  * Locally hosted certificate authority on behalf of a RIPE NCC member.
@@ -41,8 +40,7 @@ public CertificateAuthorityType getType() {
     @Override
     public HostedCertificateAuthorityData toData() {
         final List<KeyPairData> keys = getKeyPairs().stream()
-            .map(KeyPairEntity::toData)
-            .collect(Collectors.toList());
+                .map(KeyPairEntity::toData).toList();
 
         return new HostedCertificateAuthorityData(
             getVersionedId(), getName(), getUuid(),
diff --git a/src/main/java/net/ripe/rpki/domain/IncomingResourceCertificate.java b/src/main/java/net/ripe/rpki/domain/IncomingResourceCertificate.java
index 85d5313..737dab0 100644
--- a/src/main/java/net/ripe/rpki/domain/IncomingResourceCertificate.java
+++ b/src/main/java/net/ripe/rpki/domain/IncomingResourceCertificate.java
@@ -6,8 +6,8 @@
 import net.ripe.rpki.domain.interca.CertificateIssuanceResponse;
 import org.apache.commons.lang3.Validate;
 
-import javax.persistence.*;
-import javax.validation.constraints.NotNull;
+import jakarta.persistence.*;
+import jakarta.validation.constraints.NotNull;
 import java.util.Arrays;
 import java.util.Objects;
 
@@ -35,7 +35,7 @@ protected IncomingResourceCertificate() {
 
     public IncomingResourceCertificate(@NonNull CertificateIssuanceResponse issuanceResponse, @NonNull KeyPairEntity subjectKeyPair) {
         super(issuanceResponse.getCertificate());
-        Validate.notNull(issuanceResponse);
+        Validate.notNull(issuanceResponse, "issuance response is required");
         setPublicationUri(issuanceResponse.getPublicationUri());
         this.inheritedResources = issuanceResponse.getInheritedResources();
         this.subjectKeyPair = subjectKeyPair;
@@ -61,8 +61,8 @@ public ImmutableResourceSet getCertifiedResources() {
     }
 
     protected void revalidate() {
-        Validate.notNull(subjectKeyPair);
-        Validate.notNull(inheritedResources);
+        Validate.notNull(subjectKeyPair, "subject keypair is required");
+        Validate.notNull(inheritedResources, "inhereted resources are required");
         revalidateCertificate();
     }
 }
diff --git a/src/main/java/net/ripe/rpki/domain/IntermediateCertificateAuthority.java b/src/main/java/net/ripe/rpki/domain/IntermediateCertificateAuthority.java
index c9ed486..8062190 100644
--- a/src/main/java/net/ripe/rpki/domain/IntermediateCertificateAuthority.java
+++ b/src/main/java/net/ripe/rpki/domain/IntermediateCertificateAuthority.java
@@ -5,8 +5,8 @@
 import net.ripe.rpki.server.api.ports.ResourceInformationNotAvailableException;
 import net.ripe.rpki.server.api.ports.ResourceLookupService;
 
-import javax.persistence.DiscriminatorValue;
-import javax.persistence.Entity;
+import jakarta.persistence.DiscriminatorValue;
+import jakarta.persistence.Entity;
 import javax.security.auth.x500.X500Principal;
 import java.util.Optional;
 import java.util.UUID;
diff --git a/src/main/java/net/ripe/rpki/domain/KeyPairEntity.java b/src/main/java/net/ripe/rpki/domain/KeyPairEntity.java
index 57d10c5..7c0b24a 100644
--- a/src/main/java/net/ripe/rpki/domain/KeyPairEntity.java
+++ b/src/main/java/net/ripe/rpki/domain/KeyPairEntity.java
@@ -19,8 +19,8 @@
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
 
-import javax.persistence.*;
-import javax.validation.constraints.NotNull;
+import jakarta.persistence.*;
+import jakarta.validation.constraints.NotNull;
 import java.net.URI;
 import java.security.KeyPair;
 import java.security.PrivateKey;
diff --git a/src/main/java/net/ripe/rpki/domain/KeyPairStatusHistory.java b/src/main/java/net/ripe/rpki/domain/KeyPairStatusHistory.java
index 08ea6c6..78fc2ec 100644
--- a/src/main/java/net/ripe/rpki/domain/KeyPairStatusHistory.java
+++ b/src/main/java/net/ripe/rpki/domain/KeyPairStatusHistory.java
@@ -4,11 +4,11 @@
 import net.ripe.rpki.server.api.dto.KeyPairStatus;
 import org.joda.time.DateTime;
 
-import javax.persistence.Column;
-import javax.persistence.Embeddable;
-import javax.persistence.EnumType;
-import javax.persistence.Enumerated;
-import javax.validation.constraints.NotNull;
+import jakarta.persistence.Column;
+import jakarta.persistence.Embeddable;
+import jakarta.persistence.EnumType;
+import jakarta.persistence.Enumerated;
+import jakarta.validation.constraints.NotNull;
 
 @Embeddable
 public class KeyPairStatusHistory {
diff --git a/src/main/java/net/ripe/rpki/domain/ManagedCertificateAuthority.java b/src/main/java/net/ripe/rpki/domain/ManagedCertificateAuthority.java
index 2cc3344..cd8f685 100644
--- a/src/main/java/net/ripe/rpki/domain/ManagedCertificateAuthority.java
+++ b/src/main/java/net/ripe/rpki/domain/ManagedCertificateAuthority.java
@@ -35,12 +35,11 @@
 import org.joda.time.DateTimeZone;
 import org.joda.time.Duration;
 
-import javax.persistence.*;
+import jakarta.persistence.*;
 import javax.security.auth.x500.X500Principal;
 import java.net.URI;
 import java.security.PublicKey;
 import java.util.*;
-import java.util.stream.Collectors;
 
 import static net.logstash.logback.argument.StructuredArguments.v;
 import static net.ripe.rpki.domain.Resources.DEFAULT_RESOURCE_CLASS;
@@ -64,7 +63,7 @@ public static EventSubscription subscribe(final CertificateAuthorityEventVisitor
 
     @OneToMany(orphanRemoval = true, cascade = CascadeType.ALL )
     @JoinColumn(name = "ca_id", nullable = false)
-    private Set<KeyPairEntity> keyPairs = new HashSet<>();
+    private final Set<KeyPairEntity> keyPairs = new HashSet<>();
 
     /**
      * The last time the ASPA or ROA configuration was updated. This can bever be equal to {@link #configurationAppliedAt}.
@@ -101,8 +100,7 @@ public ManagedCertificateAuthorityData toData() {
         TrustAnchorRequest upStreamCARequest = getUpStreamCARequestEntity() != null ? getUpStreamCARequestEntity().getUpStreamCARequest() : null;
 
         final List<KeyPairData> keys = getKeyPairs().stream()
-            .map(KeyPairEntity::toData)
-            .collect(Collectors.toList());
+                .map(KeyPairEntity::toData).toList();
 
         return new ManagedCertificateAuthorityData(
             getVersionedId(), getName(), getUuid(),
@@ -118,7 +116,7 @@ public void removeKeyPair(final KeyPairEntity keyPair) {
 
     @Override
     public Collection<PublicKey> getSignedPublicKeys() {
-        return keyPairs.stream().map(KeyPairEntity::getPublicKey).collect(Collectors.toList());
+        return keyPairs.stream().map(KeyPairEntity::getPublicKey).toList();
     }
 
     public Collection<KeyPairEntity> getKeyPairs() {
@@ -228,8 +226,8 @@ DEFAULT_RESOURCE_CLASS, v("subject", request.getSubjectDN()),
     private boolean subjectInformationAccessChanged(CertificateIssuanceRequest request, OutgoingResourceCertificate currentCertificate) {
         // Sort by key since order across different keys does not matter. If the same key appears multiple times the order does matter,
         // but since the sorting is stable this will be detected.
-        List<X509CertificateInformationAccessDescriptor> a = Arrays.stream(request.getSubjectInformationAccess()).sorted(Comparator.comparing(x -> x.getMethod().getId())).collect(Collectors.toList());
-        List<X509CertificateInformationAccessDescriptor> b = Arrays.stream(currentCertificate.getSia()).sorted(Comparator.comparing(x -> x.getMethod().getId())).collect(Collectors.toList());
+        List<X509CertificateInformationAccessDescriptor> a = Arrays.stream(request.getSubjectInformationAccess()).sorted(Comparator.comparing(x -> x.getMethod().getId())).toList();
+        List<X509CertificateInformationAccessDescriptor> b = Arrays.stream(currentCertificate.getSia()).sorted(Comparator.comparing(x -> x.getMethod().getId())).toList();
         if (Objects.equals(a, b)) {
             return false;
         }
@@ -354,10 +352,9 @@ public boolean activatePendingKeys(Duration minStagingTime) {
      */
     public List<CertificateRevocationRequest> requestOldKeysRevocation(ResourceCertificateRepository resourceCertificateRepository) {
         return getKeyPairs().stream()
-            .filter(KeyPairEntity::isOld)
-            .filter(kp -> !resourceCertificateRepository.existsCurrentOutgoingCertificatesExceptForManifest(kp))
-            .map(kp -> new CertificateRevocationRequest(kp.getPublicKey()))
-            .collect(Collectors.toList());
+                .filter(KeyPairEntity::isOld)
+                .filter(kp -> !resourceCertificateRepository.existsCurrentOutgoingCertificatesExceptForManifest(kp))
+                .map(kp -> new CertificateRevocationRequest(kp.getPublicKey())).toList();
     }
 
     @Override
diff --git a/src/main/java/net/ripe/rpki/domain/NonHostedCertificateAuthority.java b/src/main/java/net/ripe/rpki/domain/NonHostedCertificateAuthority.java
index 045117a..c792064 100644
--- a/src/main/java/net/ripe/rpki/domain/NonHostedCertificateAuthority.java
+++ b/src/main/java/net/ripe/rpki/domain/NonHostedCertificateAuthority.java
@@ -27,9 +27,9 @@
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.lang3.Validate;
 
-import javax.persistence.*;
+import jakarta.persistence.*;
 import javax.security.auth.x500.X500Principal;
-import javax.validation.constraints.NotNull;
+import jakarta.validation.constraints.NotNull;
 import java.security.PublicKey;
 import java.util.*;
 import java.util.stream.Collectors;
@@ -69,13 +69,13 @@ public class NonHostedCertificateAuthority extends CertificateAuthority {
 
     @OneToMany(orphanRemoval = true, cascade = CascadeType.ALL)
     @JoinColumn(name = "ca_id", nullable = false)
-    private Set<PublicKeyEntity> publicKeys = new HashSet<>();
+    private final Set<PublicKeyEntity> publicKeys = new HashSet<>();
 
     @Getter
     @OneToMany(orphanRemoval = true, cascade = CascadeType.ALL)
     @JoinColumn(name = "ca_id", nullable = false)
     @MapKey(name = "publisherHandle")
-    private Map<UUID, NonHostedPublisherRepository> publisherRepositories = new HashMap<>();
+    private final Map<UUID, NonHostedPublisherRepository> publisherRepositories = new HashMap<>();
 
     protected NonHostedCertificateAuthority() {
     }
@@ -136,7 +136,7 @@ public NonHostedCertificateAuthorityData toData() {
     }
 
     public Collection<PublicKey> getSignedPublicKeys() {
-        return publicKeys.stream().map(PublicKeyEntity::getPublicKey).collect(Collectors.toList());
+        return publicKeys.stream().map(PublicKeyEntity::getPublicKey).toList();
     }
 
     public Collection<PublicKeyEntity> getPublicKeyEntities() {
@@ -184,25 +184,24 @@ public boolean processCertificateRevocationResponse(CertificateRevocationRespons
     @Override
     public List<? extends CertificateProvisioningMessage> processResourceClassListResponse(ResourceClassListResponse response, CertificateRequestCreationService certificateRequestCreationService) {
         return publicKeys.stream()
-            .flatMap(pk -> {
-                ImmutableResourceSet certifiableResources = response.getResourceExtension().map(ResourceExtension::getResources).orElse(ImmutableResourceSet.empty());
-                ImmutableResourceSet certificateResources = pk.getRequestedResourceSets().calculateEffectiveResources(certifiableResources);
-                if (pk.isRevoked() || certificateResources.isEmpty()) {
-                    if (pk.getOutgoingResourceCertificates().stream().anyMatch(rc -> rc.isCurrent())) {
-                        return Stream.of(new CertificateRevocationRequest(pk.getPublicKey()));
-                    } else {
-                        return Stream.empty();
+                .flatMap(pk -> {
+                    ImmutableResourceSet certifiableResources = response.getResourceExtension().map(ResourceExtension::getResources).orElse(ImmutableResourceSet.empty());
+                    ImmutableResourceSet certificateResources = pk.getRequestedResourceSets().calculateEffectiveResources(certifiableResources);
+                    if (pk.isRevoked() || certificateResources.isEmpty()) {
+                        if (pk.getOutgoingResourceCertificates().stream().anyMatch(rc -> rc.isCurrent())) {
+                            return Stream.of(new CertificateRevocationRequest(pk.getPublicKey()));
+                        } else {
+                            return Stream.empty();
+                        }
                     }
-                }
-
-                return Stream.of(new CertificateIssuanceRequest(
-                    ResourceExtension.ofResources(certificateResources),
-                    pk.getSubjectForCertificateRequest(),
-                    pk.getPublicKey(),
-                    pk.getRequestedSia().toArray(X509CertificateInformationAccessDescriptor[]::new)
-                ));
-            })
-            .collect(Collectors.toList());
+
+                    return Stream.of(new CertificateIssuanceRequest(
+                            ResourceExtension.ofResources(certificateResources),
+                            pk.getSubjectForCertificateRequest(),
+                            pk.getPublicKey(),
+                            pk.getRequestedSia().toArray(X509CertificateInformationAccessDescriptor[]::new)
+                    ));
+                }).toList();
     }
 
     public void addNonHostedPublisherRepository(UUID publisherHandle, PublisherRequest publisherRequest, RepositoryResponse repositoryResponse) {
diff --git a/src/main/java/net/ripe/rpki/domain/NonHostedPublisherRepository.java b/src/main/java/net/ripe/rpki/domain/NonHostedPublisherRepository.java
index 82aeae9..2785218 100644
--- a/src/main/java/net/ripe/rpki/domain/NonHostedPublisherRepository.java
+++ b/src/main/java/net/ripe/rpki/domain/NonHostedPublisherRepository.java
@@ -5,14 +5,14 @@
 import net.ripe.rpki.commons.provisioning.identity.RepositoryResponse;
 import net.ripe.rpki.ncc.core.domain.support.EntitySupport;
 
-import javax.persistence.Basic;
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.SequenceGenerator;
-import javax.persistence.Table;
+import jakarta.persistence.Basic;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.SequenceGenerator;
+import jakarta.persistence.Table;
 import java.util.UUID;
 
 @Entity
diff --git a/src/main/java/net/ripe/rpki/domain/OutgoingResourceCertificate.java b/src/main/java/net/ripe/rpki/domain/OutgoingResourceCertificate.java
index b201f89..5c68cd3 100644
--- a/src/main/java/net/ripe/rpki/domain/OutgoingResourceCertificate.java
+++ b/src/main/java/net/ripe/rpki/domain/OutgoingResourceCertificate.java
@@ -8,17 +8,17 @@
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
 
-import javax.persistence.CascadeType;
-import javax.persistence.Column;
-import javax.persistence.DiscriminatorValue;
-import javax.persistence.Entity;
-import javax.persistence.EnumType;
-import javax.persistence.Enumerated;
-import javax.persistence.FetchType;
-import javax.persistence.JoinColumn;
-import javax.persistence.ManyToOne;
-import javax.persistence.OneToOne;
-import javax.validation.constraints.NotNull;
+import jakarta.persistence.CascadeType;
+import jakarta.persistence.Column;
+import jakarta.persistence.DiscriminatorValue;
+import jakarta.persistence.Entity;
+import jakarta.persistence.EnumType;
+import jakarta.persistence.Enumerated;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.OneToOne;
+import jakarta.validation.constraints.NotNull;
 import java.net.URI;
 
 import static java.util.Objects.requireNonNull;
@@ -67,7 +67,7 @@ protected OutgoingResourceCertificate() {
         super(certificate);
         Validate.isTrue(embedded || filename != null, "embedded or filename must be set");
         Validate.isTrue(embedded || parentPublicationDirectory != null, "embedded or parentPublicationDirectory must be set");
-        Validate.notNull(signingKeyPair);
+        Validate.notNull(signingKeyPair, "signingKeyPair must be set");
         this.signingKeyPair = signingKeyPair;
         this.embedded = embedded;
         this.status = OutgoingResourceCertificateStatus.CURRENT;
diff --git a/src/main/java/net/ripe/rpki/domain/PersistedKeyPair.java b/src/main/java/net/ripe/rpki/domain/PersistedKeyPair.java
index 830c972..e63edad 100644
--- a/src/main/java/net/ripe/rpki/domain/PersistedKeyPair.java
+++ b/src/main/java/net/ripe/rpki/domain/PersistedKeyPair.java
@@ -3,10 +3,10 @@
 import net.ripe.rpki.commons.crypto.util.KeyPairUtil;
 import net.ripe.rpki.hsm.Keys;
 
-import javax.persistence.Column;
-import javax.persistence.Embeddable;
-import javax.persistence.PostRemove;
-import javax.persistence.Transient;
+import jakarta.persistence.Column;
+import jakarta.persistence.Embeddable;
+import jakarta.persistence.PostRemove;
+import jakarta.persistence.Transient;
 import java.security.KeyPair;
 import java.security.PrivateKey;
 import java.security.PublicKey;
diff --git a/src/main/java/net/ripe/rpki/domain/ProductionCertificateAuthority.java b/src/main/java/net/ripe/rpki/domain/ProductionCertificateAuthority.java
index 3ed1ee8..f5c62f2 100644
--- a/src/main/java/net/ripe/rpki/domain/ProductionCertificateAuthority.java
+++ b/src/main/java/net/ripe/rpki/domain/ProductionCertificateAuthority.java
@@ -10,11 +10,11 @@
 import org.hibernate.annotations.Cascade;
 import org.hibernate.annotations.CascadeType;
 
-import javax.persistence.DiscriminatorValue;
-import javax.persistence.Entity;
-import javax.persistence.FetchType;
-import javax.persistence.JoinColumn;
-import javax.persistence.OneToOne;
+import jakarta.persistence.DiscriminatorValue;
+import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.OneToOne;
 import javax.security.auth.x500.X500Principal;
 import java.util.Optional;
 import java.util.UUID;
diff --git a/src/main/java/net/ripe/rpki/domain/ProvisioningAuditLogEntity.java b/src/main/java/net/ripe/rpki/domain/ProvisioningAuditLogEntity.java
index 07c0f0e..9d7295f 100644
--- a/src/main/java/net/ripe/rpki/domain/ProvisioningAuditLogEntity.java
+++ b/src/main/java/net/ripe/rpki/domain/ProvisioningAuditLogEntity.java
@@ -22,15 +22,15 @@
 import org.joda.time.DateTimeUtils;
 import org.joda.time.DateTimeZone;
 
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.EnumType;
-import javax.persistence.Enumerated;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.SequenceGenerator;
-import javax.persistence.Table;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.EnumType;
+import jakarta.persistence.Enumerated;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.SequenceGenerator;
+import jakarta.persistence.Table;
 import java.sql.Timestamp;
 import java.util.List;
 import java.util.UUID;
diff --git a/src/main/java/net/ripe/rpki/domain/PublicKeyEntity.java b/src/main/java/net/ripe/rpki/domain/PublicKeyEntity.java
index aa31155..6b1cb95 100644
--- a/src/main/java/net/ripe/rpki/domain/PublicKeyEntity.java
+++ b/src/main/java/net/ripe/rpki/domain/PublicKeyEntity.java
@@ -9,16 +9,15 @@
 import net.ripe.rpki.ncc.core.domain.support.EntitySupport;
 import net.ripe.rpki.server.api.dto.NonHostedPublicKeyData;
 
-import javax.persistence.*;
+import jakarta.persistence.*;
 import javax.security.auth.x500.X500Principal;
-import javax.validation.constraints.NotNull;
+import jakarta.validation.constraints.NotNull;
 import java.security.PublicKey;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
-import java.util.stream.Collectors;
 
 /**
  * KeyPairs for remote (non-hosted) child CAs.
@@ -42,7 +41,7 @@ public class PublicKeyEntity extends EntitySupport {
 
     @OneToMany(cascade={})
     @JoinColumn(name="subject_public_key_id")
-    private Collection<OutgoingResourceCertificate> outgoingResourceCertificates = new ArrayList<>();
+    private final Collection<OutgoingResourceCertificate> outgoingResourceCertificates = new ArrayList<>();
 
     @Enumerated(EnumType.STRING)
     @Getter
@@ -97,13 +96,13 @@ public RequestedResourceSets getRequestedResourceSets() {
     }
 
     public List<X509CertificateInformationAccessDescriptor> getRequestedSia() {
-        return requestedSia.stream().map(EmbeddedInformationAccessDescriptor::toDescriptor).collect(Collectors.toList());
+        return requestedSia.stream().map(EmbeddedInformationAccessDescriptor::toDescriptor).toList();
     }
 
     public void setLatestIssuanceRequest(RequestedResourceSets requestedResourceSets, List<X509CertificateInformationAccessDescriptor> sia) {
         this.latestProvisioningRequestType = PayloadMessageType.issue;
         this.requestedResourceSets = requestedResourceSets;
-        this.requestedSia = sia.stream().map(EmbeddedInformationAccessDescriptor::of).collect(Collectors.toList());
+        this.requestedSia = sia.stream().map(EmbeddedInformationAccessDescriptor::of).toList();
     }
 
     public void setLatestRevocationRequest() {
diff --git a/src/main/java/net/ripe/rpki/domain/PublishedObject.java b/src/main/java/net/ripe/rpki/domain/PublishedObject.java
index dc3fed7..ad2a4fc 100644
--- a/src/main/java/net/ripe/rpki/domain/PublishedObject.java
+++ b/src/main/java/net/ripe/rpki/domain/PublishedObject.java
@@ -7,7 +7,7 @@
 import org.apache.commons.lang3.Validate;
 import org.joda.time.DateTime;
 
-import javax.persistence.*;
+import jakarta.persistence.*;
 import java.net.URI;
 import java.util.Objects;
 
diff --git a/src/main/java/net/ripe/rpki/domain/PublishedObjectData.java b/src/main/java/net/ripe/rpki/domain/PublishedObjectData.java
index 0fe04c5..9bbb70e 100644
--- a/src/main/java/net/ripe/rpki/domain/PublishedObjectData.java
+++ b/src/main/java/net/ripe/rpki/domain/PublishedObjectData.java
@@ -4,16 +4,17 @@
 
 import java.net.URI;
 import java.sql.Timestamp;
+import java.time.Instant;
 
 @Value
 public class PublishedObjectData {
-    Timestamp createdAt;
+    Instant createdAt;
 
     URI uri;
 
     byte[] content;
 
-    public PublishedObjectData(Timestamp createdAt, URI uri, byte[] content) {
+    public PublishedObjectData(Instant createdAt, URI uri, byte[] content) {
         this.createdAt = createdAt;
         this.uri = uri;
         this.content = content;
diff --git a/src/main/java/net/ripe/rpki/domain/PublishedObjectEntry.java b/src/main/java/net/ripe/rpki/domain/PublishedObjectEntry.java
index 725eb15..5042be1 100644
--- a/src/main/java/net/ripe/rpki/domain/PublishedObjectEntry.java
+++ b/src/main/java/net/ripe/rpki/domain/PublishedObjectEntry.java
@@ -3,12 +3,13 @@
 import com.google.common.hash.HashCode;
 import lombok.*;
 
+import java.time.Instant;
 import java.util.Date;
 
 @NoArgsConstructor
 @Data
 public class PublishedObjectEntry {
-    private Date updatedAt;
+    private Instant updatedAt;
     private PublicationStatus status;
 
     private String uri;
@@ -21,7 +22,7 @@ public class PublishedObjectEntry {
     /**
      * Constructor that maps the SQL types to the entity
      */
-    public PublishedObjectEntry(Date updatedAt, String status, String uri, byte[] sha256) {
+    public PublishedObjectEntry(Instant updatedAt, String status, String uri, byte[] sha256) {
         this.updatedAt = updatedAt;
         this.status = PublicationStatus.valueOf(status);
         this.uri = uri;
diff --git a/src/main/java/net/ripe/rpki/domain/RequestedResourceSets.java b/src/main/java/net/ripe/rpki/domain/RequestedResourceSets.java
index d071492..bd81114 100644
--- a/src/main/java/net/ripe/rpki/domain/RequestedResourceSets.java
+++ b/src/main/java/net/ripe/rpki/domain/RequestedResourceSets.java
@@ -7,9 +7,9 @@
 import net.ripe.ipresource.IpResourceType;
 import org.apache.commons.lang3.Validate;
 
-import javax.persistence.Column;
-import javax.persistence.Embeddable;
-import javax.persistence.PrePersist;
+import jakarta.persistence.Column;
+import jakarta.persistence.Embeddable;
+import jakarta.persistence.PrePersist;
 import java.io.Serializable;
 import java.util.Optional;
 
diff --git a/src/main/java/net/ripe/rpki/domain/ResourceCertificate.java b/src/main/java/net/ripe/rpki/domain/ResourceCertificate.java
index 3b02c43..10e45da 100644
--- a/src/main/java/net/ripe/rpki/domain/ResourceCertificate.java
+++ b/src/main/java/net/ripe/rpki/domain/ResourceCertificate.java
@@ -1,7 +1,6 @@
 package net.ripe.rpki.domain;
 
 import lombok.Getter;
-import lombok.NonNull;
 import net.ripe.ipresource.ImmutableResourceSet;
 import net.ripe.rpki.commons.crypto.ValidityPeriod;
 import net.ripe.rpki.commons.crypto.rfc3779.ResourceExtension;
@@ -15,9 +14,9 @@
 import org.apache.commons.lang.Validate;
 import org.joda.time.DateTime;
 
-import javax.persistence.*;
+import jakarta.persistence.*;
 import javax.security.auth.x500.X500Principal;
-import javax.validation.constraints.NotNull;
+import jakarta.validation.constraints.NotNull;
 import java.math.BigInteger;
 import java.net.URI;
 import java.security.PublicKey;
diff --git a/src/main/java/net/ripe/rpki/domain/ResourceCertificateRepository.java b/src/main/java/net/ripe/rpki/domain/ResourceCertificateRepository.java
index 4e70eba..f115598 100644
--- a/src/main/java/net/ripe/rpki/domain/ResourceCertificateRepository.java
+++ b/src/main/java/net/ripe/rpki/domain/ResourceCertificateRepository.java
@@ -74,10 +74,10 @@ public interface ResourceCertificateRepository extends Repository<ResourceCertif
 
     @Value
     class ExpireOutgoingResourceCertificatesResult {
-        int expiredCertificateCount;
-        int deletedRoaCount;
-        int deletedAspaCount;
-        int withdrawnObjectCount;
+        long expiredCertificateCount;
+        long deletedRoaCount;
+        long deletedAspaCount;
+        long withdrawnObjectCount;
     }
 
     /**
diff --git a/src/main/java/net/ripe/rpki/domain/TrustAnchorPublishedObject.java b/src/main/java/net/ripe/rpki/domain/TrustAnchorPublishedObject.java
index 07bea58..e85db6b 100644
--- a/src/main/java/net/ripe/rpki/domain/TrustAnchorPublishedObject.java
+++ b/src/main/java/net/ripe/rpki/domain/TrustAnchorPublishedObject.java
@@ -4,9 +4,9 @@
 import lombok.NonNull;
 import org.joda.time.Instant;
 
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.Table;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.Table;
 import java.net.URI;
 
 @NoArgsConstructor
diff --git a/src/main/java/net/ripe/rpki/domain/alerts/RoaAlertConfiguration.java b/src/main/java/net/ripe/rpki/domain/alerts/RoaAlertConfiguration.java
index e801a87..c235d66 100644
--- a/src/main/java/net/ripe/rpki/domain/alerts/RoaAlertConfiguration.java
+++ b/src/main/java/net/ripe/rpki/domain/alerts/RoaAlertConfiguration.java
@@ -11,21 +11,21 @@
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang.Validate;
 
-import javax.persistence.Basic;
-import javax.persistence.CollectionTable;
-import javax.persistence.Column;
-import javax.persistence.ElementCollection;
-import javax.persistence.Entity;
-import javax.persistence.EnumType;
-import javax.persistence.Enumerated;
-import javax.persistence.FetchType;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.JoinColumn;
-import javax.persistence.OneToOne;
-import javax.persistence.SequenceGenerator;
-import javax.persistence.Table;
+import jakarta.persistence.Basic;
+import jakarta.persistence.CollectionTable;
+import jakarta.persistence.Column;
+import jakarta.persistence.ElementCollection;
+import jakarta.persistence.Entity;
+import jakarta.persistence.EnumType;
+import jakarta.persistence.Enumerated;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.OneToOne;
+import jakarta.persistence.SequenceGenerator;
+import jakarta.persistence.Table;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
diff --git a/src/main/java/net/ripe/rpki/domain/alerts/RoaAlertIgnoredAnnouncement.java b/src/main/java/net/ripe/rpki/domain/alerts/RoaAlertIgnoredAnnouncement.java
index 0c3b8f4..3cb3cae 100644
--- a/src/main/java/net/ripe/rpki/domain/alerts/RoaAlertIgnoredAnnouncement.java
+++ b/src/main/java/net/ripe/rpki/domain/alerts/RoaAlertIgnoredAnnouncement.java
@@ -5,8 +5,8 @@
 import net.ripe.ipresource.IpRange;
 import net.ripe.rpki.commons.validation.roa.AnnouncedRoute;
 
-import javax.persistence.Basic;
-import javax.persistence.Embeddable;
+import jakarta.persistence.Basic;
+import jakarta.persistence.Embeddable;
 
 @Data
 @Embeddable
diff --git a/src/main/java/net/ripe/rpki/domain/alerts/RoaAlertMaintenanceServiceBean.java b/src/main/java/net/ripe/rpki/domain/alerts/RoaAlertMaintenanceServiceBean.java
index 6b94a68..57e2fb6 100644
--- a/src/main/java/net/ripe/rpki/domain/alerts/RoaAlertMaintenanceServiceBean.java
+++ b/src/main/java/net/ripe/rpki/domain/alerts/RoaAlertMaintenanceServiceBean.java
@@ -67,8 +67,7 @@ private void updateRoaAlertsForResources(VersionedId caId, ImmutableResourceSet
         // Update subscriptions, removing subscriptions for resources that do not overlap with the current resources.
         final List<AnnouncedRoute> alertsToRemove = roaAlertConfiguration.getIgnored().stream()
                 .map(RoaAlertIgnoredAnnouncement::toData)
-                .filter(ignoredAnnouncement -> !nowCurrentResources.intersects(ignoredAnnouncement.getPrefix()))
-                .collect(Collectors.toList());
+                .filter(ignoredAnnouncement -> !nowCurrentResources.intersects(ignoredAnnouncement.getPrefix())).toList();
 
         if (!alertsToRemove.isEmpty()) {
             roaAlertConfiguration.update(Collections.emptyList(), alertsToRemove);
diff --git a/src/main/java/net/ripe/rpki/domain/archive/KeyPairDeletionService.java b/src/main/java/net/ripe/rpki/domain/archive/KeyPairDeletionService.java
index 3c16872..5de6ec7 100644
--- a/src/main/java/net/ripe/rpki/domain/archive/KeyPairDeletionService.java
+++ b/src/main/java/net/ripe/rpki/domain/archive/KeyPairDeletionService.java
@@ -9,7 +9,7 @@
 import net.ripe.rpki.domain.roa.RoaEntityRepository;
 import org.springframework.stereotype.Component;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 @Component
 public class KeyPairDeletionService {
diff --git a/src/main/java/net/ripe/rpki/domain/aspa/AspaConfiguration.java b/src/main/java/net/ripe/rpki/domain/aspa/AspaConfiguration.java
index 6375b9f..30ed296 100644
--- a/src/main/java/net/ripe/rpki/domain/aspa/AspaConfiguration.java
+++ b/src/main/java/net/ripe/rpki/domain/aspa/AspaConfiguration.java
@@ -4,17 +4,15 @@
 import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.NonNull;
-import lombok.Setter;
 import lombok.extern.slf4j.Slf4j;
 import net.ripe.ipresource.Asn;
 import net.ripe.rpki.domain.ManagedCertificateAuthority;
 import net.ripe.rpki.ncc.core.domain.support.EntitySupport;
 import net.ripe.rpki.server.api.dto.AspaConfigurationData;
 
-import javax.persistence.*;
-import javax.validation.constraints.NotEmpty;
+import jakarta.persistence.*;
+import jakarta.validation.constraints.NotEmpty;
 import java.util.*;
-import java.util.stream.Collectors;
 
 import static net.ripe.rpki.util.Streams.streamToSortedMap;
 
diff --git a/src/main/java/net/ripe/rpki/domain/aspa/AspaConfigurationMaintenanceServiceBean.java b/src/main/java/net/ripe/rpki/domain/aspa/AspaConfigurationMaintenanceServiceBean.java
index e097e9a..72547cf 100644
--- a/src/main/java/net/ripe/rpki/domain/aspa/AspaConfigurationMaintenanceServiceBean.java
+++ b/src/main/java/net/ripe/rpki/domain/aspa/AspaConfigurationMaintenanceServiceBean.java
@@ -61,18 +61,16 @@ private void updateAspaConfigurationForResources(ManagedCertificateAuthority ca,
         SortedMap<Asn, AspaConfiguration> configuration = aspaConfigurationRepository.findByCertificateAuthority(ca);
 
         List<AspaConfiguration> toBeRemoved = configuration.values().stream()
-            .filter(entry -> !certifiedResources.contains(entry.getCustomerAsn()))
-            .collect(Collectors.toList());
+                .filter(entry -> !certifiedResources.contains(entry.getCustomerAsn())).toList();
         if (toBeRemoved.isEmpty()) {
             return;
         }
 
         context.recordEvent(
             new AspaConfigurationUpdatedDueToChangedResourcesEvent(
-                ca.getVersionedId(),
-                toBeRemoved.stream()
-                    .map(AspaConfiguration::toData)
-                    .collect(Collectors.toList()))
+                    ca.getVersionedId(),
+                    toBeRemoved.stream()
+                            .map(AspaConfiguration::toData).toList())
         );
 
         toBeRemoved.forEach(aspaConfigurationRepository::remove);
diff --git a/src/main/java/net/ripe/rpki/domain/aspa/AspaEntity.java b/src/main/java/net/ripe/rpki/domain/aspa/AspaEntity.java
index a4e5038..0c2e8b1 100644
--- a/src/main/java/net/ripe/rpki/domain/aspa/AspaEntity.java
+++ b/src/main/java/net/ripe/rpki/domain/aspa/AspaEntity.java
@@ -14,7 +14,7 @@
 import net.ripe.rpki.server.api.services.command.UnparseableRpkiObjectException;
 import org.apache.commons.lang.Validate;
 
-import javax.persistence.*;
+import jakarta.persistence.*;
 import java.net.URI;
 import java.util.List;
 import java.util.SortedMap;
diff --git a/src/main/java/net/ripe/rpki/domain/aspa/AspaEntityServiceBean.java b/src/main/java/net/ripe/rpki/domain/aspa/AspaEntityServiceBean.java
index 893e1d7..d542202 100644
--- a/src/main/java/net/ripe/rpki/domain/aspa/AspaEntityServiceBean.java
+++ b/src/main/java/net/ripe/rpki/domain/aspa/AspaEntityServiceBean.java
@@ -35,7 +35,7 @@
 import org.joda.time.DateTimeZone;
 import org.springframework.stereotype.Service;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import javax.security.auth.x500.X500Principal;
 import java.net.URI;
 import java.security.KeyPair;
@@ -135,8 +135,7 @@ public Pair<Collection<AspaEntity>, SortedMap<Asn, AspaConfiguration>> validateA
                         difference.entriesOnlyOnRight().keySet().stream(),
                         difference.entriesDiffering().keySet().stream()
                 ).map(validAspaEntitiesByAsn::get)
-            )
-            .collect(Collectors.toList());
+        ).toList();
 
         SortedMap<Asn, AspaConfiguration> unmatchedAspaConfiguration = Stream.concat(
                 difference.entriesOnlyOnLeft().keySet().stream(),
diff --git a/src/main/java/net/ripe/rpki/domain/audit/CommandAudit.java b/src/main/java/net/ripe/rpki/domain/audit/CommandAudit.java
index 9c7f22d..5ec1277 100644
--- a/src/main/java/net/ripe/rpki/domain/audit/CommandAudit.java
+++ b/src/main/java/net/ripe/rpki/domain/audit/CommandAudit.java
@@ -12,7 +12,7 @@
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
 
-import javax.persistence.*;
+import jakarta.persistence.*;
 import javax.security.auth.x500.X500Principal;
 import java.sql.Timestamp;
 import java.util.UUID;
diff --git a/src/main/java/net/ripe/rpki/domain/crl/CrlEntity.java b/src/main/java/net/ripe/rpki/domain/crl/CrlEntity.java
index c25b4b8..a43ba68 100644
--- a/src/main/java/net/ripe/rpki/domain/crl/CrlEntity.java
+++ b/src/main/java/net/ripe/rpki/domain/crl/CrlEntity.java
@@ -11,18 +11,18 @@
 import org.apache.commons.lang3.StringUtils;
 import org.joda.time.DateTime;
 
-import javax.persistence.CascadeType;
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.FetchType;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.JoinColumn;
-import javax.persistence.ManyToOne;
-import javax.persistence.OneToOne;
-import javax.persistence.SequenceGenerator;
-import javax.persistence.Table;
+import jakarta.persistence.CascadeType;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.OneToOne;
+import jakarta.persistence.SequenceGenerator;
+import jakarta.persistence.Table;
 import java.math.BigInteger;
 import java.net.URI;
 import java.util.Collection;
diff --git a/src/main/java/net/ripe/rpki/domain/hsm/HsmCertificateChain.java b/src/main/java/net/ripe/rpki/domain/hsm/HsmCertificateChain.java
index 569d0ec..a33e1a2 100644
--- a/src/main/java/net/ripe/rpki/domain/hsm/HsmCertificateChain.java
+++ b/src/main/java/net/ripe/rpki/domain/hsm/HsmCertificateChain.java
@@ -1,15 +1,15 @@
 package net.ripe.rpki.domain.hsm;
 
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.JoinColumn;
-import javax.persistence.ManyToOne;
-import javax.persistence.SequenceGenerator;
-import javax.persistence.Table;
-import javax.validation.constraints.NotNull;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.SequenceGenerator;
+import jakarta.persistence.Table;
+import jakarta.validation.constraints.NotNull;
 
 @Entity
 @Table(name = "hsm_certificate_chain")
diff --git a/src/main/java/net/ripe/rpki/domain/hsm/HsmKey.java b/src/main/java/net/ripe/rpki/domain/hsm/HsmKey.java
index c305a1d..6982ec7 100644
--- a/src/main/java/net/ripe/rpki/domain/hsm/HsmKey.java
+++ b/src/main/java/net/ripe/rpki/domain/hsm/HsmKey.java
@@ -2,18 +2,18 @@
 
 import net.ripe.rpki.ncc.core.domain.support.EntitySupport;
 
-import javax.persistence.CascadeType;
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.JoinColumn;
-import javax.persistence.ManyToOne;
-import javax.persistence.OneToMany;
-import javax.persistence.SequenceGenerator;
-import javax.persistence.Table;
-import javax.validation.constraints.NotNull;
+import jakarta.persistence.CascadeType;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.OneToMany;
+import jakarta.persistence.SequenceGenerator;
+import jakarta.persistence.Table;
+import jakarta.validation.constraints.NotNull;
 import java.util.ArrayList;
 import java.util.Comparator;
 import java.util.List;
diff --git a/src/main/java/net/ripe/rpki/domain/hsm/HsmKeyStore.java b/src/main/java/net/ripe/rpki/domain/hsm/HsmKeyStore.java
index 4c35879..584cd07 100644
--- a/src/main/java/net/ripe/rpki/domain/hsm/HsmKeyStore.java
+++ b/src/main/java/net/ripe/rpki/domain/hsm/HsmKeyStore.java
@@ -2,16 +2,16 @@
 
 import net.ripe.rpki.ncc.core.domain.support.EntitySupport;
 
-import javax.persistence.CascadeType;
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.OneToMany;
-import javax.persistence.SequenceGenerator;
-import javax.persistence.Table;
-import javax.validation.constraints.NotNull;
+import jakarta.persistence.CascadeType;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.OneToMany;
+import jakarta.persistence.SequenceGenerator;
+import jakarta.persistence.Table;
+import jakarta.validation.constraints.NotNull;
 import java.util.ArrayList;
 import java.util.List;
 
diff --git a/src/main/java/net/ripe/rpki/domain/manifest/ManifestEntity.java b/src/main/java/net/ripe/rpki/domain/manifest/ManifestEntity.java
index 36d89ad..47d904e 100644
--- a/src/main/java/net/ripe/rpki/domain/manifest/ManifestEntity.java
+++ b/src/main/java/net/ripe/rpki/domain/manifest/ManifestEntity.java
@@ -16,19 +16,19 @@
 import org.joda.time.DateTime;
 import org.joda.time.Period;
 
-import javax.persistence.CascadeType;
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.FetchType;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.JoinColumn;
-import javax.persistence.ManyToOne;
-import javax.persistence.OneToMany;
-import javax.persistence.OneToOne;
-import javax.persistence.SequenceGenerator;
-import javax.persistence.Table;
+import jakarta.persistence.CascadeType;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.OneToMany;
+import jakarta.persistence.OneToOne;
+import jakarta.persistence.SequenceGenerator;
+import jakarta.persistence.Table;
 import javax.security.auth.x500.X500Principal;
 import java.math.BigInteger;
 import java.security.KeyPair;
diff --git a/src/main/java/net/ripe/rpki/domain/property/PropertyEntity.java b/src/main/java/net/ripe/rpki/domain/property/PropertyEntity.java
index 84cfe66..abde488 100644
--- a/src/main/java/net/ripe/rpki/domain/property/PropertyEntity.java
+++ b/src/main/java/net/ripe/rpki/domain/property/PropertyEntity.java
@@ -3,13 +3,13 @@
 import net.ripe.rpki.ncc.core.domain.support.EntitySupport;
 import org.apache.commons.lang.Validate;
 
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.SequenceGenerator;
-import javax.persistence.Table;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.SequenceGenerator;
+import jakarta.persistence.Table;
 
 @Entity
 @Table(name="property")
diff --git a/src/main/java/net/ripe/rpki/domain/roa/RoaConfiguration.java b/src/main/java/net/ripe/rpki/domain/roa/RoaConfiguration.java
index f9c4b90..b4a8870 100644
--- a/src/main/java/net/ripe/rpki/domain/roa/RoaConfiguration.java
+++ b/src/main/java/net/ripe/rpki/domain/roa/RoaConfiguration.java
@@ -12,17 +12,17 @@
 import net.ripe.rpki.ncc.core.domain.support.EntitySupport;
 import net.ripe.rpki.server.api.dto.RoaConfigurationData;
 
-import javax.persistence.CollectionTable;
-import javax.persistence.ElementCollection;
-import javax.persistence.Entity;
-import javax.persistence.FetchType;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.JoinColumn;
-import javax.persistence.OneToOne;
-import javax.persistence.SequenceGenerator;
-import javax.persistence.Table;
+import jakarta.persistence.CollectionTable;
+import jakarta.persistence.ElementCollection;
+import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.OneToOne;
+import jakarta.persistence.SequenceGenerator;
+import jakarta.persistence.Table;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
@@ -81,8 +81,7 @@ public ManagedCertificateAuthority getCertificateAuthority() {
 
     public RoaConfigurationData convertToData() {
         return new RoaConfigurationData(prefixes.stream()
-                .map(RoaConfigurationPrefix::toData)
-                .collect(Collectors.toList()));
+                .map(RoaConfigurationPrefix::toData).toList());
     }
 
     public final void addPrefix(Collection<? extends RoaConfigurationPrefix> roaPrefixes) {
diff --git a/src/main/java/net/ripe/rpki/domain/roa/RoaConfigurationPrefix.java b/src/main/java/net/ripe/rpki/domain/roa/RoaConfigurationPrefix.java
index 9241347..1cce290 100644
--- a/src/main/java/net/ripe/rpki/domain/roa/RoaConfigurationPrefix.java
+++ b/src/main/java/net/ripe/rpki/domain/roa/RoaConfigurationPrefix.java
@@ -9,12 +9,11 @@
 import org.apache.commons.lang.builder.ToStringBuilder;
 import org.apache.commons.lang.builder.ToStringStyle;
 
-import javax.persistence.Column;
-import javax.persistence.Embeddable;
+import jakarta.persistence.Column;
+import jakarta.persistence.Embeddable;
 import java.math.BigInteger;
 import java.time.Instant;
 import java.util.List;
-import java.util.stream.Collectors;
 
 import static com.google.common.base.Objects.*;
 
@@ -111,6 +110,6 @@ public String toString() {
     }
 
     public static List<RoaConfigurationPrefix> fromData(List<? extends RoaConfigurationPrefixData> data) {
-        return data.stream().map(RoaConfigurationPrefix::new).collect(Collectors.toList());
+        return data.stream().map(RoaConfigurationPrefix::new).toList();
     }
 }
diff --git a/src/main/java/net/ripe/rpki/domain/roa/RoaEntity.java b/src/main/java/net/ripe/rpki/domain/roa/RoaEntity.java
index f927669..96c4a19 100644
--- a/src/main/java/net/ripe/rpki/domain/roa/RoaEntity.java
+++ b/src/main/java/net/ripe/rpki/domain/roa/RoaEntity.java
@@ -12,17 +12,17 @@
 import net.ripe.rpki.server.api.services.command.UnparseableRpkiObjectException;
 import org.apache.commons.lang.Validate;
 
-import javax.persistence.CascadeType;
-import javax.persistence.Entity;
-import javax.persistence.FetchType;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.JoinColumn;
-import javax.persistence.OneToOne;
-import javax.persistence.SequenceGenerator;
-import javax.persistence.Table;
-import javax.persistence.Transient;
+import jakarta.persistence.CascadeType;
+import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.OneToOne;
+import jakarta.persistence.SequenceGenerator;
+import jakarta.persistence.Table;
+import jakarta.persistence.Transient;
 import java.net.URI;
 
 /**
diff --git a/src/main/java/net/ripe/rpki/domain/roa/RoaEntityServiceBean.java b/src/main/java/net/ripe/rpki/domain/roa/RoaEntityServiceBean.java
index f42ae25..158f908 100644
--- a/src/main/java/net/ripe/rpki/domain/roa/RoaEntityServiceBean.java
+++ b/src/main/java/net/ripe/rpki/domain/roa/RoaEntityServiceBean.java
@@ -145,8 +145,7 @@ private boolean isValidRoaEntity(IncomingResourceCertificate incomingResourceCer
     private List<RoaSpecification> getUnsatisfiedSpecifications(List<RoaEntity> validRoas, Map<Asn, RoaSpecification> specifications) {
         Map<Asn, List<RoaEntity>> validRoasByAsn = validRoas.stream().collect(Collectors.groupingBy(RoaEntity::getAsn));
         return specifications.values().stream()
-            .filter(specification -> isUnsatisfiedSpecification(validRoasByAsn, specification))
-            .collect(Collectors.toList());
+                .filter(specification -> isUnsatisfiedSpecification(validRoasByAsn, specification)).toList();
     }
 
     private boolean isUnsatisfiedSpecification(Map<Asn, List<RoaEntity>> validRoasByAsn, RoaSpecification specification) {
diff --git a/src/main/java/net/ripe/rpki/domain/rta/UpStreamCARequestEntity.java b/src/main/java/net/ripe/rpki/domain/rta/UpStreamCARequestEntity.java
index bbff183..a10102b 100644
--- a/src/main/java/net/ripe/rpki/domain/rta/UpStreamCARequestEntity.java
+++ b/src/main/java/net/ripe/rpki/domain/rta/UpStreamCARequestEntity.java
@@ -6,15 +6,15 @@
 import net.ripe.rpki.commons.xml.XStreamXmlSerializerBuilder;
 import net.ripe.rpki.domain.ManagedCertificateAuthority;
 
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.JoinColumn;
-import javax.persistence.OneToOne;
-import javax.persistence.SequenceGenerator;
-import javax.persistence.Table;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.OneToOne;
+import jakarta.persistence.SequenceGenerator;
+import jakarta.persistence.Table;
 
 
 @Entity
diff --git a/src/main/java/net/ripe/rpki/domain/signing/CertificateRequestCreationServiceBean.java b/src/main/java/net/ripe/rpki/domain/signing/CertificateRequestCreationServiceBean.java
index 29555cc..8059336 100644
--- a/src/main/java/net/ripe/rpki/domain/signing/CertificateRequestCreationServiceBean.java
+++ b/src/main/java/net/ripe/rpki/domain/signing/CertificateRequestCreationServiceBean.java
@@ -94,8 +94,7 @@ public List<SigningRequest> requestAllResourcesCertificate(AllResourcesCertifica
     @Override
     public List<CertificateRevocationRequest> createCertificateRevocationRequestForAllKeys(ManagedCertificateAuthority ca) {
         return ca.getKeyPairs().stream()
-            .map(keyPair -> new CertificateRevocationRequest(keyPair.getPublicKey()))
-            .collect(Collectors.toList());
+                .map(keyPair -> new CertificateRevocationRequest(keyPair.getPublicKey())).toList();
     }
 
     @Override
diff --git a/src/main/java/net/ripe/rpki/ncc/core/domain/support/AggregateRoot.java b/src/main/java/net/ripe/rpki/ncc/core/domain/support/AggregateRoot.java
index ede5bbc..0da4822 100644
--- a/src/main/java/net/ripe/rpki/ncc/core/domain/support/AggregateRoot.java
+++ b/src/main/java/net/ripe/rpki/ncc/core/domain/support/AggregateRoot.java
@@ -2,8 +2,8 @@
 
 import net.ripe.rpki.commons.util.VersionedId;
 
-import javax.persistence.Id;
-import javax.persistence.MappedSuperclass;
+import jakarta.persistence.Id;
+import jakarta.persistence.MappedSuperclass;
 
 @MappedSuperclass
 public abstract class AggregateRoot extends EntitySupport {
diff --git a/src/main/java/net/ripe/rpki/ncc/core/domain/support/EntitySupport.java b/src/main/java/net/ripe/rpki/ncc/core/domain/support/EntitySupport.java
index f131d5e..2a878b0 100755
--- a/src/main/java/net/ripe/rpki/ncc/core/domain/support/EntitySupport.java
+++ b/src/main/java/net/ripe/rpki/ncc/core/domain/support/EntitySupport.java
@@ -5,15 +5,10 @@
 import org.apache.commons.lang.builder.ToStringStyle;
 import org.joda.time.Instant;
 
-import javax.persistence.Column;
-import javax.persistence.MappedSuperclass;
-import javax.persistence.PreUpdate;
-import javax.persistence.Version;
-import javax.validation.ConstraintViolation;
-import javax.validation.Validation;
-import javax.validation.Validator;
-import javax.validation.ValidatorFactory;
-import java.util.Set;
+import jakarta.persistence.Column;
+import jakarta.persistence.MappedSuperclass;
+import jakarta.persistence.PreUpdate;
+import jakarta.persistence.Version;
 
 @MappedSuperclass
 public abstract class EntitySupport implements Entity {
diff --git a/src/main/java/net/ripe/rpki/offline/ra/service/TrustAnchorResponseProcessor.java b/src/main/java/net/ripe/rpki/offline/ra/service/TrustAnchorResponseProcessor.java
index 1e4bf59..766072c 100644
--- a/src/main/java/net/ripe/rpki/offline/ra/service/TrustAnchorResponseProcessor.java
+++ b/src/main/java/net/ripe/rpki/offline/ra/service/TrustAnchorResponseProcessor.java
@@ -24,9 +24,9 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 
-import javax.inject.Inject;
-import javax.persistence.EntityManager;
-import javax.persistence.PersistenceContext;
+import jakarta.inject.Inject;
+import jakarta.persistence.EntityManager;
+import jakarta.persistence.PersistenceContext;
 import javax.security.auth.x500.X500Principal;
 import java.net.URI;
 import java.util.ArrayList;
diff --git a/src/main/java/net/ripe/rpki/publication/persistence/disk/FileSystemPublicationObjectPersistence.java b/src/main/java/net/ripe/rpki/publication/persistence/disk/FileSystemPublicationObjectPersistence.java
index 788b542..03d74ba 100644
--- a/src/main/java/net/ripe/rpki/publication/persistence/disk/FileSystemPublicationObjectPersistence.java
+++ b/src/main/java/net/ripe/rpki/publication/persistence/disk/FileSystemPublicationObjectPersistence.java
@@ -14,7 +14,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.io.File;
 import java.io.IOException;
 import java.io.UncheckedIOException;
@@ -137,7 +137,7 @@ private Path writeObjectsToNewTargetDirectory(long now, Path baseDirectory, List
                     Path file = temporaryLocation(temporaryDirectory, object.getUri());
                     Files.write(file, object.getContent());
                     // rsync relies on the correct timestamp for fast synchronization
-                    Files.setLastModifiedTime(file, FileTime.fromMillis(object.getCreatedAt().getTime()));
+                    Files.setLastModifiedTime(file, FileTime.fromMillis(object.getCreatedAt().toEpochMilli()));
                 } catch (IOException e) {
                     throw new UncheckedIOException(e);
                 }
diff --git a/src/main/java/net/ripe/rpki/publication/server/FSPublicationServer.java b/src/main/java/net/ripe/rpki/publication/server/FSPublicationServer.java
index 540e36d..fbf7dec 100644
--- a/src/main/java/net/ripe/rpki/publication/server/FSPublicationServer.java
+++ b/src/main/java/net/ripe/rpki/publication/server/FSPublicationServer.java
@@ -11,7 +11,7 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Service;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.util.List;
diff --git a/src/main/java/net/ripe/rpki/rest/exception/RequestEntityTooLargeException.java b/src/main/java/net/ripe/rpki/rest/exception/RequestEntityTooLargeException.java
index 79aad7d..798034a 100644
--- a/src/main/java/net/ripe/rpki/rest/exception/RequestEntityTooLargeException.java
+++ b/src/main/java/net/ripe/rpki/rest/exception/RequestEntityTooLargeException.java
@@ -2,12 +2,12 @@
 
 import net.ripe.rpki.rest.security.RequestEntitySizeLimiterServletFilter;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 
 /**
  * Thrown by the {@link RequestEntitySizeLimiterServletFilter request body size limiter filter} when the
- * {@link javax.servlet.ServletInputStream input stream} of the {@link javax.servlet.http.HttpServletRequest request}
+ * {@link jakarta.servlet.ServletInputStream input stream} of the {@link jakarta.servlet.http.HttpServletRequest request}
  * is too large.
  *
  * Translated by {@link RestExceptionControllerAdvice#exceptionsResultingInRequestEntityTooLargeHandler(HttpServletRequest, RequestEntityTooLargeException)
diff --git a/src/main/java/net/ripe/rpki/rest/exception/RestExceptionControllerAdvice.java b/src/main/java/net/ripe/rpki/rest/exception/RestExceptionControllerAdvice.java
index a414602..c8c6acb 100644
--- a/src/main/java/net/ripe/rpki/rest/exception/RestExceptionControllerAdvice.java
+++ b/src/main/java/net/ripe/rpki/rest/exception/RestExceptionControllerAdvice.java
@@ -12,8 +12,8 @@
 import org.springframework.web.bind.annotation.ControllerAdvice;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.validation.ConstraintViolationException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.validation.ConstraintViolationException;
 import java.time.Instant;
 import java.util.Map;
 
diff --git a/src/main/java/net/ripe/rpki/rest/json/ObjectMapperProvider.java b/src/main/java/net/ripe/rpki/rest/json/ObjectMapperProvider.java
index 372ceb4..ce354ee 100644
--- a/src/main/java/net/ripe/rpki/rest/json/ObjectMapperProvider.java
+++ b/src/main/java/net/ripe/rpki/rest/json/ObjectMapperProvider.java
@@ -15,8 +15,8 @@
 import org.joda.time.format.DateTimeFormatter;
 import org.springframework.stereotype.Component;
 
-import javax.ws.rs.ext.ContextResolver;
-import javax.ws.rs.ext.Provider;
+import jakarta.ws.rs.ext.ContextResolver;
+import jakarta.ws.rs.ext.Provider;
 import java.io.IOException;
 
 import static com.fasterxml.jackson.core.JsonToken.VALUE_STRING;
diff --git a/src/main/java/net/ripe/rpki/rest/security/ApiKeySecurity.java b/src/main/java/net/ripe/rpki/rest/security/ApiKeySecurity.java
index d156ecb..d186b1c 100644
--- a/src/main/java/net/ripe/rpki/rest/security/ApiKeySecurity.java
+++ b/src/main/java/net/ripe/rpki/rest/security/ApiKeySecurity.java
@@ -3,16 +3,21 @@
 import lombok.extern.slf4j.Slf4j;
 import net.ripe.rpki.application.CertificationConfiguration;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
 import org.springframework.stereotype.Component;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.Properties;
+import java.util.function.Supplier;
 
 @Slf4j
 @Component
-public class ApiKeySecurity {
+public class ApiKeySecurity implements AuthorizationManager<RequestAuthorizationContext> {
     public static final String API_KEY_HEADER = "ncc-internal-api-key";
     public static final String USER_ID_HEADER = "user-id";
 
@@ -32,8 +37,10 @@ public ApiKeySecurity(CertificationConfiguration certificationConfiguration) {
         }
     }
 
-    public boolean check(HttpServletRequest request) {
-        final String apikey = request.getHeader(API_KEY_HEADER);
-        return apikey != null && apiKeys.containsKey(apikey);
+    @Override
+    public AuthorizationDecision check(Supplier<Authentication> authentication, RequestAuthorizationContext ctx) {
+        final String apikey = ctx.getRequest().getHeader(API_KEY_HEADER);
+        var granted = apikey != null && apiKeys.containsKey(apikey);
+        return new AuthorizationDecision(granted);
     }
 }
diff --git a/src/main/java/net/ripe/rpki/rest/security/JsonAuthenticationEntryPoint.java b/src/main/java/net/ripe/rpki/rest/security/JsonAuthenticationEntryPoint.java
index 9c87877..d39010c 100644
--- a/src/main/java/net/ripe/rpki/rest/security/JsonAuthenticationEntryPoint.java
+++ b/src/main/java/net/ripe/rpki/rest/security/JsonAuthenticationEntryPoint.java
@@ -5,9 +5,9 @@
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.stereotype.Component;
 
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
 
 @Component
diff --git a/src/main/java/net/ripe/rpki/rest/security/RequestEntitySizeLimiterServletFilter.java b/src/main/java/net/ripe/rpki/rest/security/RequestEntitySizeLimiterServletFilter.java
index 385a710..0079a87 100644
--- a/src/main/java/net/ripe/rpki/rest/security/RequestEntitySizeLimiterServletFilter.java
+++ b/src/main/java/net/ripe/rpki/rest/security/RequestEntitySizeLimiterServletFilter.java
@@ -4,16 +4,16 @@
 import net.ripe.rpki.rest.exception.RequestEntityTooLargeException;
 import org.springframework.stereotype.Component;
 
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.ReadListener;
-import javax.servlet.ServletException;
-import javax.servlet.ServletInputStream;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.Filter;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ReadListener;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletInputStream;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequestWrapper;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
diff --git a/src/main/java/net/ripe/rpki/rest/security/SecurityConfig.java b/src/main/java/net/ripe/rpki/rest/security/SecurityConfig.java
index d8e71a6..c97fe17 100644
--- a/src/main/java/net/ripe/rpki/rest/security/SecurityConfig.java
+++ b/src/main/java/net/ripe/rpki/rest/security/SecurityConfig.java
@@ -1,26 +1,32 @@
 package net.ripe.rpki.rest.security;
 
+import com.google.common.base.Verify;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.core.env.Environment;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 
+import static org.springframework.security.config.Customizer.withDefaults;
+
 @Configuration
 @EnableWebSecurity
 @ComponentScan
 @Slf4j
 public class SecurityConfig {
-
     private static final RequestMatcher API_REQUEST_MATCHER = new OrRequestMatcher(
         new AntPathRequestMatcher("/api/**"),
         new AntPathRequestMatcher("/prod/ca/**")
@@ -29,57 +35,70 @@ public class SecurityConfig {
     private static final RequestMatcher WEB_REQUEST_MATCHER =
         new NegatedRequestMatcher(new OrRequestMatcher(API_REQUEST_MATCHER, PROVISIONING_REQUEST_MATCHER));
 
+    @Order(1)
     @Bean
-    public SecurityFilterChain apiSecurityFilterChain(HttpSecurity http, JsonAuthenticationEntryPoint jsonAuthenticationEntryPoint) throws Exception {
+    public SecurityFilterChain webSecurityFilterChainRequireApiKey(HttpSecurity http, JsonAuthenticationEntryPoint jsonAuthenticationEntryPoint, ApiKeySecurity apiKeySecurity) throws Exception {
         return http
-            .requestMatcher(API_REQUEST_MATCHER)
-            .csrf(c -> c.disable())
-            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
-            .exceptionHandling(e -> e.authenticationEntryPoint(jsonAuthenticationEntryPoint))
-            .authorizeRequests(r -> r
-                // allow all to /api/monitoring/ endpoints
-                .antMatchers("/api/monitoring/**").permitAll()
-                .antMatchers("/api/public/**").permitAll()
-                // All other paths matching initial .requestMatcher require API key
-                .anyRequest().access("@apiKeySecurity.check(request)")
-            )
-            .build();
+                .securityMatcher(API_REQUEST_MATCHER)
+                .csrf(c -> c.disable())
+                .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .exceptionHandling(e -> e.authenticationEntryPoint(jsonAuthenticationEntryPoint))
+                .authorizeHttpRequests(r -> r
+                        // allow all to /api/monitoring/ endpoints
+                        .requestMatchers(new AntPathRequestMatcher("/api/monitoring/**")).permitAll()
+                        .requestMatchers(new AntPathRequestMatcher("/api/public/**")).permitAll()
+                        // All other paths matching initial .requestMatcher require API key
+                        .anyRequest().access(apiKeySecurity)
+                )
+                .build();
     }
 
+    @Order(2)
     @Bean
-    public SecurityFilterChain provisioningSecurityFilterChain(HttpSecurity http) throws Exception {
+    public SecurityFilterChain webSecurityFilterChainAllowProvisioningEndpoint(HttpSecurity http) throws Exception {
         return http
-            .requestMatcher(PROVISIONING_REQUEST_MATCHER)
-            .csrf(c -> c.disable())
-            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
-            .authorizeRequests(r -> r.anyRequest().permitAll())
-            .build();
+                .securityMatcher(PROVISIONING_REQUEST_MATCHER)
+                .csrf(c -> c.disable())
+                .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .authorizeHttpRequests(r -> r.anyRequest().permitAll())
+                .build();
     }
 
+    @Order(3)
     @Bean
-    public SecurityFilterChain webSecurityFilterChain(
+    public SecurityFilterChain webSecurityFilterChainAllowPublicUrls(
         HttpSecurity http,
-        @Value("${authorization.admin.role}") String adminRole
+        @Value("${admin.authorization.enabled:true}") boolean adminAuthEnabled,
+        Environment environment
     ) throws Exception {
-        http.requestMatcher(WEB_REQUEST_MATCHER)
-            .authorizeRequests(r -> r
-                .antMatchers(
-                    "/login",
-                    "/actuator/active-node/",
-                    "/actuator/prometheus",
-                    "/monitoring/healthcheck"
-                    ).permitAll()
-                .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
-                .anyRequest().hasAuthority(adminRole)
-            );
+        http
+                .securityMatcher(WEB_REQUEST_MATCHER)
+                .authorizeHttpRequests(r -> r
+                        .requestMatchers(
+                                new AntPathRequestMatcher("/login"),
+                                new AntPathRequestMatcher("/actuator/active-node"),
+                                new AntPathRequestMatcher("/actuator/prometheus"),
+                                new AntPathRequestMatcher("/monitoring/healthcheck")
+                        ).permitAll()
+                        .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
+                );
 
-        if ("ROLE_ANONYMOUS".equals(adminRole)) {
-            log.warn("NOT enabling OAuth2 security, only for use in development mode!");
-        } else {
-            log.info("enabling OAuth2 security using administrator role {}", adminRole);
-            http.oauth2Login();
+        if (adminAuthEnabled) {
+            log.info("enabling OAuth2 and authentication");
+            return http
+                    .authorizeHttpRequests(r -> r.anyRequest().authenticated())
+                    .oauth2Login(withDefaults())
+                    .requestCache((cache) -> {
+                            var requestCache = new HttpSessionRequestCache();
+                            requestCache.setMatchingRequestParameterName(null);
+                            cache.requestCache(requestCache);
+                    })
+                    .build();
         }
+        log.warn("NOT enabling authentication, only for use in development mode!");
+        // Defense in depth:
+        Verify.verify(environment.matchesProfiles("local | test"), "Admin authorization is disabled, but the local or test profile is not active.");
 
-        return http.build();
+        return http.authorizeHttpRequests(r -> r.anyRequest().permitAll()).build();
     }
 }
diff --git a/src/main/java/net/ripe/rpki/rest/security/SpringAuthInterceptor.java b/src/main/java/net/ripe/rpki/rest/security/SpringAuthInterceptor.java
index 18ed506..26e5f49 100644
--- a/src/main/java/net/ripe/rpki/rest/security/SpringAuthInterceptor.java
+++ b/src/main/java/net/ripe/rpki/rest/security/SpringAuthInterceptor.java
@@ -10,8 +10,8 @@
 import org.springframework.web.servlet.HandlerInterceptor;
 import org.springframework.web.servlet.ModelAndView;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 
 @Component
 public class SpringAuthInterceptor implements HandlerInterceptor {
diff --git a/src/main/java/net/ripe/rpki/rest/service/AbstractCaRestService.java b/src/main/java/net/ripe/rpki/rest/service/AbstractCaRestService.java
index 44fc4e3..93ab17f 100644
--- a/src/main/java/net/ripe/rpki/rest/service/AbstractCaRestService.java
+++ b/src/main/java/net/ripe/rpki/rest/service/AbstractCaRestService.java
@@ -1,5 +1,6 @@
 package net.ripe.rpki.rest.service;
 
+import jakarta.annotation.PostConstruct;
 import lombok.NonNull;
 import lombok.extern.slf4j.Slf4j;
 import net.ripe.ipresource.ImmutableResourceSet;
@@ -19,14 +20,13 @@
 import org.springframework.web.bind.WebDataBinder;
 import org.springframework.web.bind.annotation.InitBinder;
 
-import javax.annotation.PostConstruct;
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Consumes;
-import javax.ws.rs.Produces;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.Produces;
 import java.net.URI;
 import java.util.*;
 
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static net.ripe.rpki.rest.security.ApiKeySecurity.USER_ID_HEADER;
 import static net.ripe.rpki.rest.security.SpringAuthInterceptor.USER_ID_REQ_ATTR;
 
diff --git a/src/main/java/net/ripe/rpki/rest/service/AlertService.java b/src/main/java/net/ripe/rpki/rest/service/AlertService.java
index 710bede..ae94deb 100644
--- a/src/main/java/net/ripe/rpki/rest/service/AlertService.java
+++ b/src/main/java/net/ripe/rpki/rest/service/AlertService.java
@@ -28,7 +28,7 @@
 import java.util.*;
 import java.util.stream.Collectors;
 
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static net.ripe.rpki.rest.service.AbstractCaRestService.API_URL_PREFIX;
 
 @Slf4j
@@ -139,8 +139,7 @@ private ResponseEntity<?> processMuteOrUnMute(final HostedCertificateAuthorityDa
 
     private Collection<AnnouncedRoute> getAnnouncedRoutes(List<BgpAnnouncement> announcements) {
         return announcements.stream()
-            .map(bgp -> new AnnouncedRoute(Asn.parse(bgp.getAsn()), IpRange.parse(bgp.getPrefix())))
-            .collect(Collectors.toList());
+                .map(bgp -> new AnnouncedRoute(Asn.parse(bgp.getAsn()), IpRange.parse(bgp.getPrefix()))).toList();
     }
 
 }
diff --git a/src/main/java/net/ripe/rpki/rest/service/AnnouncementService.java b/src/main/java/net/ripe/rpki/rest/service/AnnouncementService.java
index 17cd8aa..04f7ffe 100644
--- a/src/main/java/net/ripe/rpki/rest/service/AnnouncementService.java
+++ b/src/main/java/net/ripe/rpki/rest/service/AnnouncementService.java
@@ -45,7 +45,7 @@
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static net.ripe.rpki.commons.validation.roa.RouteOriginValidationPolicy.allowedRoutesToNestedIntervalMap;
 import static net.ripe.rpki.rest.service.AbstractCaRestService.API_URL_PREFIX;
 
@@ -91,9 +91,9 @@ public ResponseEntity<List<BgpAnnouncement>> getResourcesForCa(@PathVariable("ca
                 ar -> new BgpAnnouncement(ar.getOriginAsn().toString(), ar.getPrefix().toString(),
                         0, RouteOriginValidationPolicy.validateAnnouncedRoute(currentRouteMap, ar),
                         true)
-        ).collect(Collectors.toList());
+        ).toList();
 
-        return ok(Stream.concat(announcedAnnouncements.stream(), notSeenAnnouncements.stream()).collect(Collectors.toList()));
+        return ok(Stream.concat(announcedAnnouncements.stream(), notSeenAnnouncements.stream()).toList());
     }
 
     private Set<AnnouncedRoute> bgpRisMapToAnnouncedRoutes(Map<Boolean, Collection<BgpRisEntry>> announcements) {
diff --git a/src/main/java/net/ripe/rpki/rest/service/BackgroundExecutorService.java b/src/main/java/net/ripe/rpki/rest/service/BackgroundExecutorService.java
index 34c4468..5b212d0 100644
--- a/src/main/java/net/ripe/rpki/rest/service/BackgroundExecutorService.java
+++ b/src/main/java/net/ripe/rpki/rest/service/BackgroundExecutorService.java
@@ -17,9 +17,8 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import java.util.stream.Collectors;
 
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static org.springframework.http.HttpStatus.BAD_REQUEST;
 import static org.springframework.http.HttpStatus.INTERNAL_SERVER_ERROR;
 import static org.springframework.http.HttpStatus.OK;
@@ -74,12 +73,11 @@ public ResponseEntity<String> executeInBackground(@PathVariable("serviceName") S
             // Restrict parameter names to known values and parameter values to short, simple strings to avoid
             // potential injection attacks.
             List<Map.Entry<String, String>> badParameters = parameters.entrySet().stream()
-                .filter(entry ->
-                    !supportedParameters.contains(entry.getKey())
-                        || entry.getValue().length() > 100
-                        || !entry.getValue().matches("[0-9a-zA-Z_:-]*")
-                )
-                .collect(Collectors.toList());
+                    .filter(entry ->
+                            !supportedParameters.contains(entry.getKey())
+                                    || entry.getValue().length() > 100
+                                    || !entry.getValue().matches("[0-9a-zA-Z_:-]*")
+                    ).toList();
             if (!badParameters.isEmpty()) {
                 return logAndReturnResponse(BAD_REQUEST, "incorrect job parameter(s) - " + badParameters);
             }
diff --git a/src/main/java/net/ripe/rpki/rest/service/CaAspaConfigurationService.java b/src/main/java/net/ripe/rpki/rest/service/CaAspaConfigurationService.java
index 564be62..0d65d9f 100644
--- a/src/main/java/net/ripe/rpki/rest/service/CaAspaConfigurationService.java
+++ b/src/main/java/net/ripe/rpki/rest/service/CaAspaConfigurationService.java
@@ -28,10 +28,10 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.validation.Valid;
+import jakarta.validation.Valid;
 import java.util.List;
 
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static net.ripe.rpki.rest.service.AbstractCaRestService.API_URL_PREFIX;
 
 @Slf4j
diff --git a/src/main/java/net/ripe/rpki/rest/service/CaRoaConfigurationService.java b/src/main/java/net/ripe/rpki/rest/service/CaRoaConfigurationService.java
index 18546cb..608cb95 100644
--- a/src/main/java/net/ripe/rpki/rest/service/CaRoaConfigurationService.java
+++ b/src/main/java/net/ripe/rpki/rest/service/CaRoaConfigurationService.java
@@ -34,7 +34,7 @@
 import java.util.stream.Collectors;
 
 import static java.util.Map.of;
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static net.ripe.rpki.commons.validation.roa.RouteOriginValidationPolicy.allowedRoutesToNestedIntervalMap;
 import static net.ripe.rpki.rest.service.AbstractCaRestService.API_URL_PREFIX;
 import static org.springframework.http.HttpStatus.BAD_REQUEST;
@@ -139,8 +139,7 @@ public ResponseEntity<List<ROAWithAnnouncementStatus>> getAffectingROAsForCA(@Pa
                     final ApiRoaPrefix roa = new ApiRoaPrefix(routeAsn, certifiedRoute.getPrefix().toString(), certifiedRoute.getMaximumLength());
                     final RouteValidityState validityState = determineValidityState(announcedPrefix, announcementAsn, certifiedRoute);
                     return new ROAWithAnnouncementStatus(roa, validityState);
-                })
-                .collect(Collectors.toList());
+                }).toList();
 
         return ok(affectingROAs);
     }
@@ -319,8 +318,7 @@ private Collection<RoaConfigurationPrefixData> getRoaConfigurationPrefixDatas(fi
                 .map(roa -> new RoaConfigurationPrefixData(
                         Asn.parse(roa.getAsn()),
                         IpRange.parse(roa.getPrefix()),
-                        roa.getMaxLength()))
-                .collect(Collectors.toList());
+                        roa.getMaxLength())).toList();
     }
 
     private static Set<AnnouncedRoute> getIgnoredAnnouncement(RoaAlertConfigurationViewService service, Long caId) {
diff --git a/src/main/java/net/ripe/rpki/rest/service/CaService.java b/src/main/java/net/ripe/rpki/rest/service/CaService.java
index 49ffdd7..6d8eeb2 100644
--- a/src/main/java/net/ripe/rpki/rest/service/CaService.java
+++ b/src/main/java/net/ripe/rpki/rest/service/CaService.java
@@ -40,7 +40,7 @@
 import org.springframework.web.multipart.MultipartFile;
 
 import javax.security.auth.x500.X500Principal;
-import javax.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MediaType;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.Charset;
@@ -50,7 +50,7 @@
 import java.util.Optional;
 
 import static com.google.common.collect.ImmutableMap.of;
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static net.ripe.rpki.rest.service.AbstractCaRestService.API_URL_PREFIX;
 import static org.springframework.http.HttpStatus.*;
 import static org.springframework.http.MediaType.TEXT_XML;
diff --git a/src/main/java/net/ripe/rpki/rest/service/CaStatService.java b/src/main/java/net/ripe/rpki/rest/service/CaStatService.java
index 19e3b57..58fb061 100644
--- a/src/main/java/net/ripe/rpki/rest/service/CaStatService.java
+++ b/src/main/java/net/ripe/rpki/rest/service/CaStatService.java
@@ -28,7 +28,7 @@
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MediaType;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
diff --git a/src/main/java/net/ripe/rpki/rest/service/GdprService.java b/src/main/java/net/ripe/rpki/rest/service/GdprService.java
index fb8ee9f..000cdf2 100644
--- a/src/main/java/net/ripe/rpki/rest/service/GdprService.java
+++ b/src/main/java/net/ripe/rpki/rest/service/GdprService.java
@@ -14,7 +14,7 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MediaType;
 import java.util.*;
 import java.util.concurrent.atomic.AtomicBoolean;
 
diff --git a/src/main/java/net/ripe/rpki/rest/service/HistoryService.java b/src/main/java/net/ripe/rpki/rest/service/HistoryService.java
index 8d3309b..415d2a3 100644
--- a/src/main/java/net/ripe/rpki/rest/service/HistoryService.java
+++ b/src/main/java/net/ripe/rpki/rest/service/HistoryService.java
@@ -18,9 +18,8 @@
 import org.springframework.web.bind.annotation.RestController;
 
 import java.util.List;
-import java.util.stream.Collectors;
 
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static net.ripe.rpki.rest.service.AbstractCaRestService.API_URL_PREFIX;
 
 @Slf4j
@@ -48,7 +47,7 @@ public ResponseEntity<List<HistoryItem>> getHistoryForCa(@PathVariable("caName")
                 .map(caHistoryItem -> {
                     final String humanizedUserPrincipal = getHumanizedUserPrincipal(caHistoryItem);
                     return new HistoryItem(humanizedUserPrincipal, caHistoryItem);
-                }).collect(Collectors.toList());
+                }).toList();
 
         return ok(items);
     }
diff --git a/src/main/java/net/ripe/rpki/rest/service/ProductionCaService.java b/src/main/java/net/ripe/rpki/rest/service/ProductionCaService.java
index 1ccfa7d..6b80687 100644
--- a/src/main/java/net/ripe/rpki/rest/service/ProductionCaService.java
+++ b/src/main/java/net/ripe/rpki/rest/service/ProductionCaService.java
@@ -25,16 +25,16 @@
 import org.springframework.web.bind.annotation.RestController;
 
 import javax.security.auth.x500.X500Principal;
-import javax.validation.Valid;
-import javax.validation.constraints.Max;
-import javax.validation.constraints.Positive;
+import jakarta.validation.Valid;
+import jakarta.validation.constraints.Max;
+import jakarta.validation.constraints.Positive;
 import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
 
-import static javax.ws.rs.core.MediaType.APPLICATION_FORM_URLENCODED;
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_FORM_URLENCODED;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 
 @Slf4j
 @Scope("prototype")
@@ -100,16 +100,15 @@ public ResponseEntity<Object> migrateMemberCasToIntermediateCas(@RequestParam(na
         try {
             final X500Principal productionCaName = certificationConfiguration.getProductionCaPrincipal();
             Collection<CertificateAuthorityData> productionCaChildren = certificateAuthorityViewService.findAllChildrenForCa(productionCaName);
-            List<CertificateAuthorityData> intermediateCas = productionCaChildren.stream().filter(ca -> ca.getType() == CertificateAuthorityType.INTERMEDIATE).collect(Collectors.toList());
+            List<CertificateAuthorityData> intermediateCas = productionCaChildren.stream().filter(ca -> ca.getType() == CertificateAuthorityType.INTERMEDIATE).toList();
             if (intermediateCas.isEmpty()) {
                 log.error("No intermediate CAs found");
                 return Utils.badRequestError("no intermediate CAs found");
             }
 
             List<CertificateAuthorityData> memberCasToMigrate = productionCaChildren.stream()
-                .filter(ca -> ca.getType() == CertificateAuthorityType.HOSTED || ca.getType() == CertificateAuthorityType.NONHOSTED)
-                .limit(count)
-                .collect(Collectors.toList());
+                    .filter(ca -> ca.getType() == CertificateAuthorityType.HOSTED || ca.getType() == CertificateAuthorityType.NONHOSTED)
+                    .limit(count).toList();
 
             if (memberCasToMigrate.isEmpty()) {
                 log.info("No member CAs to migrate found");
diff --git a/src/main/java/net/ripe/rpki/rest/service/PublisherRepositoriesService.java b/src/main/java/net/ripe/rpki/rest/service/PublisherRepositoriesService.java
index 0aff3f3..0d61a58 100644
--- a/src/main/java/net/ripe/rpki/rest/service/PublisherRepositoriesService.java
+++ b/src/main/java/net/ripe/rpki/rest/service/PublisherRepositoriesService.java
@@ -36,20 +36,19 @@
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.multipart.MultipartFile;
 
-import javax.persistence.EntityNotFoundException;
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.MediaType;
+import jakarta.persistence.EntityNotFoundException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.ws.rs.core.MediaType;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URI;
-import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
 import java.util.Map;
 import java.util.Optional;
 import java.util.UUID;
 import java.util.stream.Collectors;
 
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static net.ripe.rpki.rest.service.AbstractCaRestService.API_URL_PREFIX;
 import static org.springframework.http.HttpStatus.*;
 import static org.springframework.http.MediaType.TEXT_XML;
diff --git a/src/main/java/net/ripe/rpki/rest/service/ResourceService.java b/src/main/java/net/ripe/rpki/rest/service/ResourceService.java
index a880527..03d9be2 100644
--- a/src/main/java/net/ripe/rpki/rest/service/ResourceService.java
+++ b/src/main/java/net/ripe/rpki/rest/service/ResourceService.java
@@ -16,7 +16,7 @@
 import org.springframework.web.bind.annotation.RestController;
 
 import static com.google.common.collect.ImmutableMap.of;
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static net.ripe.rpki.rest.service.AbstractCaRestService.API_URL_PREFIX;
 
 @Slf4j
diff --git a/src/main/java/net/ripe/rpki/rest/service/RestService.java b/src/main/java/net/ripe/rpki/rest/service/RestService.java
index 0acde17..5d7eb22 100644
--- a/src/main/java/net/ripe/rpki/rest/service/RestService.java
+++ b/src/main/java/net/ripe/rpki/rest/service/RestService.java
@@ -3,7 +3,7 @@
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 
 public class RestService {
     public static final String API_URL_PREFIX = "/api/ca";
diff --git a/src/main/java/net/ripe/rpki/rest/service/Roas.java b/src/main/java/net/ripe/rpki/rest/service/Roas.java
index d083e4c..5bd2ba3 100644
--- a/src/main/java/net/ripe/rpki/rest/service/Roas.java
+++ b/src/main/java/net/ripe/rpki/rest/service/Roas.java
@@ -21,7 +21,7 @@ public static Optional<String> validateUniqueROAs(String prefix, Map<AnnouncedRo
         for (var e : newOnes.entrySet()) {
             var maxLengths = e.getValue();
             if (maxLengths.size() > 1) {
-                var sorted = maxLengths.stream().sorted().collect(Collectors.toList());
+                var sorted = maxLengths.stream().sorted().toList();
                 return Optional.of(String.format("%s: there are more than one pair (%s, %s), max lengths: %s",
                         prefix, e.getKey().getOriginAsn(), e.getKey().getPrefix(), sorted));
             }
@@ -53,7 +53,7 @@ public static <T extends RoaPrefixData> Optional<String> validateRoaUpdate(Set<T
         var futureMap = futureRoutes.stream().collect(Collectors.toMap(
                 r -> new AnnouncedRoute(r.getAsn(), r.getPrefix()),
                 r -> Collections.singletonList(r.getMaximumLength()),
-                (a, b) -> Streams.concat(a.stream(), b.stream()).collect(Collectors.toList())));
+                (a, b) -> Streams.concat(a.stream(), b.stream()).toList()));
 
         return validateUniqueROAs("Error in future ROAs", futureMap);
     }
diff --git a/src/main/java/net/ripe/rpki/rest/service/SystemSetupService.java b/src/main/java/net/ripe/rpki/rest/service/SystemSetupService.java
index 8e23790..34f37dd 100644
--- a/src/main/java/net/ripe/rpki/rest/service/SystemSetupService.java
+++ b/src/main/java/net/ripe/rpki/rest/service/SystemSetupService.java
@@ -20,7 +20,7 @@
 
 import javax.security.auth.x500.X500Principal;
 
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 
 @AllArgsConstructor
 @Slf4j
diff --git a/src/main/java/net/ripe/rpki/rest/service/SystemStatusService.java b/src/main/java/net/ripe/rpki/rest/service/SystemStatusService.java
index 3ef8b7c..0f1c554 100644
--- a/src/main/java/net/ripe/rpki/rest/service/SystemStatusService.java
+++ b/src/main/java/net/ripe/rpki/rest/service/SystemStatusService.java
@@ -15,7 +15,7 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MediaType;
 import java.util.HashMap;
 import java.util.Map;
 
diff --git a/src/main/java/net/ripe/rpki/rest/service/UpstreamCaService.java b/src/main/java/net/ripe/rpki/rest/service/UpstreamCaService.java
index 468b706..e17dfa3 100644
--- a/src/main/java/net/ripe/rpki/rest/service/UpstreamCaService.java
+++ b/src/main/java/net/ripe/rpki/rest/service/UpstreamCaService.java
@@ -24,13 +24,13 @@
 import org.springframework.web.multipart.MultipartFile;
 
 import javax.security.auth.x500.X500Principal;
-import javax.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MediaType;
 import java.nio.charset.StandardCharsets;
 import java.util.Collections;
 import java.util.concurrent.CompletableFuture;
 
 import static com.google.common.collect.ImmutableMap.of;
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static org.springframework.http.HttpStatus.INTERNAL_SERVER_ERROR;
 
 @Slf4j
diff --git a/src/main/java/net/ripe/rpki/rest/service/Utils.java b/src/main/java/net/ripe/rpki/rest/service/Utils.java
index 6b72606..b3d0b89 100644
--- a/src/main/java/net/ripe/rpki/rest/service/Utils.java
+++ b/src/main/java/net/ripe/rpki/rest/service/Utils.java
@@ -44,7 +44,7 @@ static <T extends RoaPrefixData> List<BgpAnnouncement> makeBgpAnnouncementList(M
                         announcement.getVisibility(), currentValidityState,
                         isSuppressed, verifiedOrNot);
                 }))
-            .collect(Collectors.toList());
+            .toList();
     }
 
     static Set<AnnouncedRoute> getIgnoredAnnouncements(RoaAlertConfigurationViewService roaAlertConfigurationViewService, long caId) {
@@ -121,7 +121,7 @@ static boolean maxLengthIsValid(IpRange prefix, int maxLength) {
     }
 
     public static List<String> toStringList(ImmutableResourceSet resources) {
-        return resources.stream().map(Object::toString).collect(Collectors.toList());
+        return resources.stream().map(Object::toString).toList();
     }
 
     /**
diff --git a/src/main/java/net/ripe/rpki/rest/service/monitoring/AspaService.java b/src/main/java/net/ripe/rpki/rest/service/monitoring/AspaService.java
index 8add5fd..07b3466 100644
--- a/src/main/java/net/ripe/rpki/rest/service/monitoring/AspaService.java
+++ b/src/main/java/net/ripe/rpki/rest/service/monitoring/AspaService.java
@@ -33,8 +33,7 @@ public class AspaService {
     public ResponseEntity<ValidatedObjectsResponse<AspaConfigurationData>> listAspaConfigs() {
         final Collection<AspaConfiguration> aspaConfigurations = aspaConfigurationRepository.findAll();
         final List<AspaConfigurationData> aspas = aspaConfigurations.stream()
-            .map(AspaConfiguration::toData)
-            .collect(Collectors.toList());
+                .map(AspaConfiguration::toData).toList();
         return ResponseEntity.ok(ValidatedObjectsResponse.of(aspas, Collections.singletonMap("origin", "rpki-core")));
     }
 
diff --git a/src/main/java/net/ripe/rpki/rest/service/monitoring/RoaPrefixesService.java b/src/main/java/net/ripe/rpki/rest/service/monitoring/RoaPrefixesService.java
index 65d318c..8ff32c0 100644
--- a/src/main/java/net/ripe/rpki/rest/service/monitoring/RoaPrefixesService.java
+++ b/src/main/java/net/ripe/rpki/rest/service/monitoring/RoaPrefixesService.java
@@ -50,11 +50,11 @@ public ResponseEntity<ValidatedObjectsResponse<RoaConfigurationPrefixData>> list
         }
 
         List<RoaConfigurationPrefixData> roas = roaConfigurationRepository.findAll()
-                        .stream()
-                        .flatMap(rc -> rc.getPrefixes().stream())
-                        .map(RoaConfigurationPrefix::toData)
-                        .sorted(RoaPrefixData.ROA_PREFIX_DATA_COMPARATOR)
-                        .collect(Collectors.toList());
+                .stream()
+                .flatMap(rc -> rc.getPrefixes().stream())
+                .map(RoaConfigurationPrefix::toData)
+                .sorted(RoaPrefixData.ROA_PREFIX_DATA_COMPARATOR)
+                .toList();
         return ResponseEntity.ok(ValidatedObjectsResponse.of(roas, Collections.singletonMap("origin", "rpki-core")));
     }
 
diff --git a/src/main/java/net/ripe/rpki/ripencc/cache/JpaResourceCacheImpl.java b/src/main/java/net/ripe/rpki/ripencc/cache/JpaResourceCacheImpl.java
index 51c8a75..fd337a6 100644
--- a/src/main/java/net/ripe/rpki/ripencc/cache/JpaResourceCacheImpl.java
+++ b/src/main/java/net/ripe/rpki/ripencc/cache/JpaResourceCacheImpl.java
@@ -13,8 +13,8 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
-import javax.persistence.EntityManager;
-import javax.persistence.PersistenceContext;
+import jakarta.persistence.EntityManager;
+import jakarta.persistence.PersistenceContext;
 import java.time.Instant;
 import java.time.format.DateTimeParseException;
 import java.util.Map;
diff --git a/src/main/java/net/ripe/rpki/ripencc/cache/ResourceCacheLine.java b/src/main/java/net/ripe/rpki/ripencc/cache/ResourceCacheLine.java
index 73983c1..b16bba6 100644
--- a/src/main/java/net/ripe/rpki/ripencc/cache/ResourceCacheLine.java
+++ b/src/main/java/net/ripe/rpki/ripencc/cache/ResourceCacheLine.java
@@ -4,9 +4,9 @@
 import net.ripe.ipresource.ImmutableResourceSet;
 import net.ripe.rpki.server.api.support.objects.CaName;
 
-import javax.persistence.Entity;
-import javax.persistence.Id;
-import javax.persistence.Table;
+import jakarta.persistence.Entity;
+import jakarta.persistence.Id;
+import jakarta.persistence.Table;
 
 @Entity
 @Table(name = "resource_cache")
diff --git a/src/main/java/net/ripe/rpki/ripencc/provisioning/CertificateIssuanceProcessor.java b/src/main/java/net/ripe/rpki/ripencc/provisioning/CertificateIssuanceProcessor.java
index c5701d9..c6eef06 100644
--- a/src/main/java/net/ripe/rpki/ripencc/provisioning/CertificateIssuanceProcessor.java
+++ b/src/main/java/net/ripe/rpki/ripencc/provisioning/CertificateIssuanceProcessor.java
@@ -28,8 +28,8 @@
 import org.joda.time.DateTime;
 import org.springframework.stereotype.Component;
 
-import javax.inject.Inject;
-import javax.validation.constraints.Null;
+import jakarta.inject.Inject;
+
 import java.math.BigInteger;
 import java.net.URI;
 import java.security.PublicKey;
@@ -232,8 +232,7 @@ private RpkiCaCertificateRequestParser parseCertificateRequest(CertificateIssuan
         try {
             PKCS10CertificationRequest pkc10Request = requestElement.getCertificateRequest();
             return new RpkiCaCertificateRequestParser(pkc10Request);
-            // TODO: NPE can be removed after rpki-commons 1.38/2.0.0 is removed.
-        } catch (NullPointerException | RpkiCaCertificateRequestParserException e) {
+        } catch (RpkiCaCertificateRequestParserException e) {
             log.error("Failed to parse certificate request", e);
             throw new NotPerformedException(NotPerformedError.REQ_BADLY_FORMED_CERTIFICATE_REQUEST);
         }
diff --git a/src/main/java/net/ripe/rpki/ripencc/provisioning/ListResourceClassProcessor.java b/src/main/java/net/ripe/rpki/ripencc/provisioning/ListResourceClassProcessor.java
index 0aa0be5..cd8cfdd 100644
--- a/src/main/java/net/ripe/rpki/ripencc/provisioning/ListResourceClassProcessor.java
+++ b/src/main/java/net/ripe/rpki/ripencc/provisioning/ListResourceClassProcessor.java
@@ -55,13 +55,12 @@ public ResourceClassListResponsePayload process(NonHostedCertificateAuthorityDat
                 .buildResourceClassListResponseClassElement();
 
             final List<CertificateElement> certificateElements = nonHostedCertificateAuthority.getPublicKeys().stream()
-                .filter(publicKeyData -> publicKeyData.getCurrentCertificate() != null)
-                .map(publicKeyData -> createClassElement(
-                    publicKeyData.getCurrentCertificate().getCertificate(),
-                    publicKeyData.getRequestedResourceSets(),
-                    publicKeyData.getCurrentCertificate().getPublicationUri()
-                ))
-                .collect(Collectors.toList());
+                    .filter(publicKeyData -> publicKeyData.getCurrentCertificate() != null)
+                    .map(publicKeyData -> createClassElement(
+                            publicKeyData.getCurrentCertificate().getCertificate(),
+                            publicKeyData.getRequestedResourceSets(),
+                            publicKeyData.getCurrentCertificate().getPublicationUri()
+                    )).toList();
 
             classElement.setCertificateElements(certificateElements);
             responsePayloadBuilder.addClassElement(classElement);
diff --git a/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningAuditLogServiceBean.java b/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningAuditLogServiceBean.java
index 2d78fcd..2033719 100644
--- a/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningAuditLogServiceBean.java
+++ b/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningAuditLogServiceBean.java
@@ -1,5 +1,6 @@
 package net.ripe.rpki.ripencc.provisioning;
 
+import com.google.common.xml.XmlEscapers;
 import lombok.AccessLevel;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
@@ -8,8 +9,6 @@
 import net.ripe.rpki.commons.provisioning.payload.PayloadMessageType;
 import net.ripe.rpki.domain.ProvisioningAuditLogEntity;
 import net.ripe.rpki.server.api.dto.ProvisioningAuditData;
-import org.apache.tomcat.util.codec.binary.Base64;
-import org.apache.commons.text.StringEscapeUtils;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
 import org.joda.time.format.DateTimeFormat;
@@ -19,13 +18,13 @@
 import org.springframework.stereotype.Component;
 import org.springframework.transaction.annotation.Transactional;
 
-import javax.persistence.EntityManager;
-import javax.persistence.PersistenceContext;
-import javax.persistence.TypedQuery;
+import jakarta.persistence.EntityManager;
+import jakarta.persistence.PersistenceContext;
+import jakarta.persistence.TypedQuery;
+import java.util.Base64;
 import java.util.List;
 import java.util.Objects;
 import java.util.UUID;
-import java.util.stream.Collectors;
 
 import static net.logstash.logback.argument.StructuredArguments.kv;
 
@@ -72,8 +71,7 @@ public List<ProvisioningAuditData> findRecentMessagesForCA(UUID caUUID) {
         query.setMaxResults(CommandAuditServiceBean.MAX_HISTORY_ENTRIES_RETURNED);
         List<ProvisioningAuditLogEntity> messages = query.getResultList();
         return messages.stream()
-            .map(ProvisioningAuditLogEntity::toData)
-            .collect(Collectors.toList());
+                .map(ProvisioningAuditLogEntity::toData).toList();
     }
 
     @Getter
@@ -93,15 +91,15 @@ public static LogEntry make(ProvisioningAuditLogEntity entry, byte[] request) {
             final DateTime utcDate = new DateTime(entry.getExecutionTime().getTime(), DateTimeZone.UTC);
             return new LogEntry(
                 entry.getRequestMessageType().toString(),
-                Base64.encodeBase64String(entry.getProvisioningCmsObject()),
+                Base64.getEncoder().encodeToString(entry.getProvisioningCmsObject()),
                 entry.getPrincipal(),
                 Objects.toString(entry.getNonHostedCaUUID(), null),
                 // Escape all non-printable characters to avoid problems with user input in our logs
-                StringEscapeUtils.escapeJava(entry.getSummary()),
+                XmlEscapers.xmlAttributeEscaper().escape(entry.getSummary()),
                 Objects.toString(entry.getEntryUuid(), null),
                 dateFormat.print(utcDate),
                 // since request is a DER binary, encode it as base64 as well
-                Base64.encodeBase64String(request));
+                Base64.getEncoder().encodeToString(request));
         }
     }
 }
diff --git a/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningCmsResponseGenerator.java b/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningCmsResponseGenerator.java
index a57f459..8e2261f 100644
--- a/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningCmsResponseGenerator.java
+++ b/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningCmsResponseGenerator.java
@@ -1,6 +1,5 @@
 package net.ripe.rpki.ripencc.provisioning;
 
-import net.ripe.rpki.commons.crypto.util.KeyPairFactory;
 import net.ripe.rpki.commons.provisioning.cms.ProvisioningCmsObject;
 import net.ripe.rpki.commons.provisioning.payload.AbstractProvisioningResponsePayload;
 import net.ripe.rpki.domain.CertificateAuthorityRepository;
@@ -9,8 +8,7 @@
 import org.springframework.stereotype.Component;
 import org.springframework.transaction.annotation.Transactional;
 
-import javax.inject.Named;
-import javax.persistence.LockModeType;
+import jakarta.persistence.LockModeType;
 import java.util.UUID;
 
 /**
diff --git a/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningCmsSigningTimeStore.java b/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningCmsSigningTimeStore.java
index e84418c..34d9a87 100644
--- a/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningCmsSigningTimeStore.java
+++ b/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningCmsSigningTimeStore.java
@@ -1,14 +1,13 @@
 package net.ripe.rpki.ripencc.provisioning;
 
-import net.ripe.rpki.ripencc.support.persistence.DateTimePersistenceConverter;
 import net.ripe.rpki.server.api.dto.NonHostedCertificateAuthorityData;
 import org.joda.time.DateTime;
 import org.springframework.stereotype.Component;
 import org.springframework.transaction.annotation.Transactional;
 
-import javax.persistence.EntityManager;
-import javax.persistence.NoResultException;
-import java.sql.Timestamp;
+import jakarta.persistence.EntityManager;
+import jakarta.persistence.NoResultException;
+import java.time.Instant;
 import java.util.Optional;
 
 /**
@@ -18,21 +17,20 @@
 @Component
 @Transactional
 class ProvisioningCmsSigningTimeStore {
-    private static final DateTimePersistenceConverter DATE_TIME_PERSISTENCE_CONVERTER = new DateTimePersistenceConverter();
     private final EntityManager entityManager;
 
     public ProvisioningCmsSigningTimeStore(EntityManager entityManager) {
         this.entityManager = entityManager;
     }
 
-    public Optional<DateTime> getLastSeenProvisioningCmsSignedAt(NonHostedCertificateAuthorityData nonHostedCertificateAuthority) {
+    public Optional<Instant> getLastSeenProvisioningCmsSignedAt(NonHostedCertificateAuthorityData nonHostedCertificateAuthority) {
         try {
             Object result = entityManager.createNativeQuery(
                     "SELECT last_seen_signed_at FROM provisioning_request_signing_time WHERE ca_id = :caId"
                 )
                 .setParameter("caId", nonHostedCertificateAuthority.getId())
                 .getSingleResult();
-            return Optional.of(DATE_TIME_PERSISTENCE_CONVERTER.convertToEntityAttribute((Timestamp) result));
+            return Optional.of((Instant) result);
         } catch (NoResultException notFound) {
             return Optional.empty();
         }
@@ -43,7 +41,7 @@ public Optional<DateTime> getLastSeenProvisioningCmsSignedAt(NonHostedCertificat
      * @return true if the signing time was updated, false if the provided signing time is earlier than the currently
      * stored signing time.
      */
-    public boolean updateLastSeenProvisioningCmsSeenAt(NonHostedCertificateAuthorityData nonHostedCertificateAuthority, DateTime cmsSigningTime) {
+    public boolean updateLastSeenProvisioningCmsSeenAt(NonHostedCertificateAuthorityData nonHostedCertificateAuthority, Instant cmsSigningTime) {
         int count = entityManager.createNativeQuery(
                 "INSERT INTO provisioning_request_signing_time AS t (ca_id, last_seen_signed_at) " +
                     "     VALUES (:caId, :cmsSigningTime) " +
@@ -51,8 +49,15 @@ public boolean updateLastSeenProvisioningCmsSeenAt(NonHostedCertificateAuthority
                     "      WHERE t.last_seen_signed_at < EXCLUDED.last_seen_signed_at"
             )
             .setParameter("caId", nonHostedCertificateAuthority.getId())
-            .setParameter("cmsSigningTime", DATE_TIME_PERSISTENCE_CONVERTER.convertToDatabaseColumn(cmsSigningTime))
+            .setParameter("cmsSigningTime", cmsSigningTime)
             .executeUpdate();
         return count > 0;
     }
+
+    /**
+     * Wrap for joda-time DateTime
+     */
+    public boolean updateLastSeenProvisioningCmsSeenAt(NonHostedCertificateAuthorityData nonHostedCertificateAuthority, DateTime cmsSigningJodaTime) {
+        return updateLastSeenProvisioningCmsSeenAt(nonHostedCertificateAuthority, Instant.ofEpochMilli(cmsSigningJodaTime.getMillis()));
+    }
 }
diff --git a/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningCmsValidationStrategyImpl.java b/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningCmsValidationStrategyImpl.java
index 94b55c8..237baf7 100644
--- a/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningCmsValidationStrategyImpl.java
+++ b/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningCmsValidationStrategyImpl.java
@@ -10,6 +10,7 @@
 import org.joda.time.DateTime;
 import org.springframework.stereotype.Component;
 
+import java.time.Instant;
 import java.util.Optional;
 
 import static net.ripe.rpki.commons.validation.ValidationString.SIGNING_TIME_GREATER_OR_EQUAL;
diff --git a/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningRequestProcessorBean.java b/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningRequestProcessorBean.java
index f2d9a3e..b695d2e 100644
--- a/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningRequestProcessorBean.java
+++ b/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningRequestProcessorBean.java
@@ -24,9 +24,10 @@
 import org.springframework.dao.TransientDataAccessException;
 import org.springframework.stereotype.Component;
 
-import javax.persistence.LockTimeoutException;
-import javax.persistence.OptimisticLockException;
-import javax.persistence.PessimisticLockException;
+import jakarta.persistence.LockTimeoutException;
+import jakarta.persistence.OptimisticLockException;
+import jakarta.persistence.PessimisticLockException;
+
 import java.util.Optional;
 import java.util.UUID;
 
@@ -170,8 +171,9 @@ private NonHostedCertificateAuthorityData getNonHostedCertificateAuthorityWithPr
         if (ca instanceof NonHostedCertificateAuthorityData) {
             NonHostedCertificateAuthorityData result = (NonHostedCertificateAuthorityData) ca;
 
-            Optional<DateTime> lastSigningTimeForCA = provisioningCmsSigningTimeStore.getLastSeenProvisioningCmsSignedAt(result);
-            provisioningValidator.validateProvisioningCmsAndIdentityCertificate(unvalidatedProvisioningObject, lastSigningTimeForCA, result.getProvisioningIdentityCertificate());
+            Optional<DateTime> lastSigningJodaTimeForCA = provisioningCmsSigningTimeStore.getLastSeenProvisioningCmsSignedAt(result)
+                    .map(st -> new org.joda.time.Instant(st.toEpochMilli()).toDateTime());
+            provisioningValidator.validateProvisioningCmsAndIdentityCertificate(unvalidatedProvisioningObject, lastSigningJodaTimeForCA, result.getProvisioningIdentityCertificate());
 
             return result;
         }
diff --git a/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningServlet.java b/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningServlet.java
index 76f476c..71c1cc2 100644
--- a/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningServlet.java
+++ b/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningServlet.java
@@ -4,10 +4,10 @@
 import net.ripe.rpki.rest.exception.RequestEntityTooLargeException;
 import org.apache.commons.io.IOUtils;
 
-import javax.servlet.ServletOutputStream;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.ServletOutputStream;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
 
 @Slf4j
diff --git a/src/main/java/net/ripe/rpki/ripencc/services/impl/IanaRegistryXmlParserImpl.java b/src/main/java/net/ripe/rpki/ripencc/services/impl/IanaRegistryXmlParserImpl.java
index b089e24..ff106d4 100644
--- a/src/main/java/net/ripe/rpki/ripencc/services/impl/IanaRegistryXmlParserImpl.java
+++ b/src/main/java/net/ripe/rpki/ripencc/services/impl/IanaRegistryXmlParserImpl.java
@@ -10,7 +10,7 @@
 import org.w3c.dom.Document;
 import org.w3c.dom.NodeList;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpression;
 import javax.xml.xpath.XPathExpressionException;
diff --git a/src/main/java/net/ripe/rpki/ripencc/services/impl/KrillNonHostedPublisherRepositoryBean.java b/src/main/java/net/ripe/rpki/ripencc/services/impl/KrillNonHostedPublisherRepositoryBean.java
index e1503ef..e47313f 100644
--- a/src/main/java/net/ripe/rpki/ripencc/services/impl/KrillNonHostedPublisherRepositoryBean.java
+++ b/src/main/java/net/ripe/rpki/ripencc/services/impl/KrillNonHostedPublisherRepositoryBean.java
@@ -20,14 +20,14 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Service;
 
-import javax.inject.Inject;
-import javax.ws.rs.client.Client;
-import javax.ws.rs.client.ClientBuilder;
-import javax.ws.rs.client.Entity;
-import javax.ws.rs.client.Invocation;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
+import jakarta.inject.Inject;
+import jakarta.ws.rs.client.Client;
+import jakarta.ws.rs.client.ClientBuilder;
+import jakarta.ws.rs.client.Entity;
+import jakarta.ws.rs.client.Invocation;
+import jakarta.ws.rs.core.HttpHeaders;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
 import java.net.URI;
 import java.util.*;
 import java.util.stream.Collectors;
diff --git a/src/main/java/net/ripe/rpki/ripencc/services/impl/RestAuthServiceClient.java b/src/main/java/net/ripe/rpki/ripencc/services/impl/RestAuthServiceClient.java
index 1378c39..6575059 100644
--- a/src/main/java/net/ripe/rpki/ripencc/services/impl/RestAuthServiceClient.java
+++ b/src/main/java/net/ripe/rpki/ripencc/services/impl/RestAuthServiceClient.java
@@ -10,16 +10,16 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 
-import javax.inject.Inject;
-import javax.ws.rs.client.Client;
-import javax.ws.rs.client.ClientBuilder;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
+import jakarta.inject.Inject;
+import jakarta.ws.rs.client.Client;
+import jakarta.ws.rs.client.ClientBuilder;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
 import java.util.Optional;
 import java.util.UUID;
 import java.util.concurrent.atomic.AtomicBoolean;
 
-import static javax.ws.rs.core.Response.Status.Family.SUCCESSFUL;
+import static jakarta.ws.rs.core.Response.Status.Family.SUCCESSFUL;
 import static net.ripe.rpki.rest.security.ApiKeySecurity.API_KEY_HEADER;
 
 @Component
diff --git a/src/main/java/net/ripe/rpki/ripencc/services/impl/RestCustomerServiceClient.java b/src/main/java/net/ripe/rpki/ripencc/services/impl/RestCustomerServiceClient.java
index d663cc4..905ec08 100644
--- a/src/main/java/net/ripe/rpki/ripencc/services/impl/RestCustomerServiceClient.java
+++ b/src/main/java/net/ripe/rpki/ripencc/services/impl/RestCustomerServiceClient.java
@@ -7,12 +7,12 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 
-import javax.inject.Inject;
-import javax.ws.rs.client.Client;
-import javax.ws.rs.client.ClientBuilder;
-import javax.ws.rs.client.Invocation;
-import javax.ws.rs.client.WebTarget;
-import javax.ws.rs.core.Response;
+import jakarta.inject.Inject;
+import jakarta.ws.rs.client.Client;
+import jakarta.ws.rs.client.ClientBuilder;
+import jakarta.ws.rs.client.Invocation;
+import jakarta.ws.rs.client.WebTarget;
+import jakarta.ws.rs.core.Response;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
diff --git a/src/main/java/net/ripe/rpki/ripencc/services/impl/RestResourceServicesClient.java b/src/main/java/net/ripe/rpki/ripencc/services/impl/RestResourceServicesClient.java
index 9e6b75c..590f162 100644
--- a/src/main/java/net/ripe/rpki/ripencc/services/impl/RestResourceServicesClient.java
+++ b/src/main/java/net/ripe/rpki/ripencc/services/impl/RestResourceServicesClient.java
@@ -11,11 +11,11 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.stereotype.Component;
 
-import javax.ws.rs.client.Client;
-import javax.ws.rs.client.ClientBuilder;
-import javax.ws.rs.client.WebTarget;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
+import jakarta.ws.rs.client.Client;
+import jakarta.ws.rs.client.ClientBuilder;
+import jakarta.ws.rs.client.WebTarget;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
 
 @Slf4j
 @Component
diff --git a/src/main/java/net/ripe/rpki/ripencc/services/impl/RipeNccInternalNamePresenter.java b/src/main/java/net/ripe/rpki/ripencc/services/impl/RipeNccInternalNamePresenter.java
index ffc435b..7b427d7 100644
--- a/src/main/java/net/ripe/rpki/ripencc/services/impl/RipeNccInternalNamePresenter.java
+++ b/src/main/java/net/ripe/rpki/ripencc/services/impl/RipeNccInternalNamePresenter.java
@@ -11,7 +11,7 @@
 import org.joda.time.Instant;
 import org.springframework.stereotype.Component;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import javax.security.auth.x500.X500Principal;
 import java.util.List;
 import java.util.Optional;
diff --git a/src/main/java/net/ripe/rpki/ripencc/services/impl/RipeNccResourceLookupService.java b/src/main/java/net/ripe/rpki/ripencc/services/impl/RipeNccResourceLookupService.java
index 7e15310..76026a6 100644
--- a/src/main/java/net/ripe/rpki/ripencc/services/impl/RipeNccResourceLookupService.java
+++ b/src/main/java/net/ripe/rpki/ripencc/services/impl/RipeNccResourceLookupService.java
@@ -10,7 +10,7 @@
 import org.springframework.context.annotation.Lazy;
 import org.springframework.stereotype.Component;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import javax.security.auth.x500.X500Principal;
 import java.util.Optional;
 
diff --git a/src/main/java/net/ripe/rpki/ripencc/support/persistence/ASN1ObjectIdentifierPersistenceConverter.java b/src/main/java/net/ripe/rpki/ripencc/support/persistence/ASN1ObjectIdentifierPersistenceConverter.java
index 23bfd3e..cb7c386 100644
--- a/src/main/java/net/ripe/rpki/ripencc/support/persistence/ASN1ObjectIdentifierPersistenceConverter.java
+++ b/src/main/java/net/ripe/rpki/ripencc/support/persistence/ASN1ObjectIdentifierPersistenceConverter.java
@@ -2,8 +2,8 @@
 
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 
-import javax.persistence.AttributeConverter;
-import javax.persistence.Converter;
+import jakarta.persistence.AttributeConverter;
+import jakarta.persistence.Converter;
 
 @Converter(autoApply = true)
 public class ASN1ObjectIdentifierPersistenceConverter implements AttributeConverter<ASN1ObjectIdentifier, String> {
diff --git a/src/main/java/net/ripe/rpki/ripencc/support/persistence/AsnPersistenceConverter.java b/src/main/java/net/ripe/rpki/ripencc/support/persistence/AsnPersistenceConverter.java
index a930acb..cd84407 100644
--- a/src/main/java/net/ripe/rpki/ripencc/support/persistence/AsnPersistenceConverter.java
+++ b/src/main/java/net/ripe/rpki/ripencc/support/persistence/AsnPersistenceConverter.java
@@ -2,8 +2,8 @@
 
 import net.ripe.ipresource.Asn;
 
-import javax.persistence.AttributeConverter;
-import javax.persistence.Converter;
+import jakarta.persistence.AttributeConverter;
+import jakarta.persistence.Converter;
 import java.math.BigInteger;
 
 @Converter(autoApply = true)
diff --git a/src/main/java/net/ripe/rpki/ripencc/support/persistence/DateTimePersistenceConverter.java b/src/main/java/net/ripe/rpki/ripencc/support/persistence/DateTimePersistenceConverter.java
index d0a0f51..835a204 100644
--- a/src/main/java/net/ripe/rpki/ripencc/support/persistence/DateTimePersistenceConverter.java
+++ b/src/main/java/net/ripe/rpki/ripencc/support/persistence/DateTimePersistenceConverter.java
@@ -3,8 +3,8 @@
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
 
-import javax.persistence.AttributeConverter;
-import javax.persistence.Converter;
+import jakarta.persistence.AttributeConverter;
+import jakarta.persistence.Converter;
 import java.sql.Timestamp;
 
 @Converter(autoApply = true)
diff --git a/src/main/java/net/ripe/rpki/ripencc/support/persistence/ImmutableResourceSetPersistenceConverter.java b/src/main/java/net/ripe/rpki/ripencc/support/persistence/ImmutableResourceSetPersistenceConverter.java
index 4d92b8c..1c55a6d 100644
--- a/src/main/java/net/ripe/rpki/ripencc/support/persistence/ImmutableResourceSetPersistenceConverter.java
+++ b/src/main/java/net/ripe/rpki/ripencc/support/persistence/ImmutableResourceSetPersistenceConverter.java
@@ -2,8 +2,8 @@
 
 import net.ripe.ipresource.ImmutableResourceSet;
 
-import javax.persistence.AttributeConverter;
-import javax.persistence.Converter;
+import jakarta.persistence.AttributeConverter;
+import jakarta.persistence.Converter;
 
 @Converter(autoApply = true)
 public class ImmutableResourceSetPersistenceConverter implements AttributeConverter<ImmutableResourceSet, String> {
diff --git a/src/main/java/net/ripe/rpki/ripencc/support/persistence/InMemoryRepository.java b/src/main/java/net/ripe/rpki/ripencc/support/persistence/InMemoryRepository.java
index e4d9c80..06b923b 100755
--- a/src/main/java/net/ripe/rpki/ripencc/support/persistence/InMemoryRepository.java
+++ b/src/main/java/net/ripe/rpki/ripencc/support/persistence/InMemoryRepository.java
@@ -3,13 +3,12 @@
 import net.ripe.rpki.ncc.core.domain.support.Entity;
 import org.apache.commons.lang.Validate;
 
-import javax.persistence.EntityNotFoundException;
-import javax.persistence.LockModeType;
+import jakarta.persistence.EntityNotFoundException;
+import jakarta.persistence.LockModeType;
 import java.util.Collection;
 import java.util.HashSet;
 import java.util.Objects;
 import java.util.Set;
-import java.util.stream.Collectors;
 
 public abstract class InMemoryRepository<T extends Entity> implements Repository<T> {
 
@@ -48,7 +47,7 @@ public <U extends T> U find(Class<U> type, Object id) {
 
     @Override
     public Collection<? extends T> findByIds(Collection<?> ids, LockModeType lockModeType) {
-        return ids.stream().map(this::find).filter(Objects::nonNull).collect(Collectors.toList());
+        return ids.stream().map(this::find).filter(Objects::nonNull).toList();
     }
 
     public T get(Object id) throws EntityNotFoundException {
diff --git a/src/main/java/net/ripe/rpki/ripencc/support/persistence/InstantPersistenceConverter.java b/src/main/java/net/ripe/rpki/ripencc/support/persistence/InstantPersistenceConverter.java
index 27016f8..926d129 100644
--- a/src/main/java/net/ripe/rpki/ripencc/support/persistence/InstantPersistenceConverter.java
+++ b/src/main/java/net/ripe/rpki/ripencc/support/persistence/InstantPersistenceConverter.java
@@ -2,8 +2,8 @@
 
 import org.joda.time.Instant;
 
-import javax.persistence.AttributeConverter;
-import javax.persistence.Converter;
+import jakarta.persistence.AttributeConverter;
+import jakarta.persistence.Converter;
 import java.sql.Timestamp;
 
 @Converter(autoApply = true)
diff --git a/src/main/java/net/ripe/rpki/ripencc/support/persistence/IpResourceSetPersistenceConverter.java b/src/main/java/net/ripe/rpki/ripencc/support/persistence/IpResourceSetPersistenceConverter.java
index 3963991..5e5b0b8 100644
--- a/src/main/java/net/ripe/rpki/ripencc/support/persistence/IpResourceSetPersistenceConverter.java
+++ b/src/main/java/net/ripe/rpki/ripencc/support/persistence/IpResourceSetPersistenceConverter.java
@@ -2,8 +2,8 @@
 
 import net.ripe.ipresource.IpResourceSet;
 
-import javax.persistence.AttributeConverter;
-import javax.persistence.Converter;
+import jakarta.persistence.AttributeConverter;
+import jakarta.persistence.Converter;
 
 @Converter(autoApply = true)
 public class IpResourceSetPersistenceConverter implements AttributeConverter<IpResourceSet, String> {
diff --git a/src/main/java/net/ripe/rpki/ripencc/support/persistence/JpaRepository.java b/src/main/java/net/ripe/rpki/ripencc/support/persistence/JpaRepository.java
index e202934..2601c7f 100644
--- a/src/main/java/net/ripe/rpki/ripencc/support/persistence/JpaRepository.java
+++ b/src/main/java/net/ripe/rpki/ripencc/support/persistence/JpaRepository.java
@@ -2,17 +2,17 @@
 
 import net.ripe.rpki.ncc.core.domain.support.Entity;
 
-import javax.persistence.EntityManager;
-import javax.persistence.EntityNotFoundException;
-import javax.persistence.LockModeType;
-import javax.persistence.NoResultException;
-import javax.persistence.PersistenceContext;
-import javax.persistence.Query;
-import javax.persistence.TypedQuery;
-import javax.validation.ConstraintViolation;
-import javax.validation.Validation;
-import javax.validation.Validator;
-import javax.validation.ValidatorFactory;
+import jakarta.persistence.EntityManager;
+import jakarta.persistence.EntityNotFoundException;
+import jakarta.persistence.LockModeType;
+import jakarta.persistence.NoResultException;
+import jakarta.persistence.PersistenceContext;
+import jakarta.persistence.Query;
+import jakarta.persistence.TypedQuery;
+import jakarta.validation.ConstraintViolation;
+import jakarta.validation.Validation;
+import jakarta.validation.Validator;
+import jakarta.validation.ValidatorFactory;
 import java.util.Collection;
 import java.util.Set;
 
diff --git a/src/main/java/net/ripe/rpki/ripencc/support/persistence/PublisherRequestPersistenceConverter.java b/src/main/java/net/ripe/rpki/ripencc/support/persistence/PublisherRequestPersistenceConverter.java
index d393c31..ef96e98 100644
--- a/src/main/java/net/ripe/rpki/ripencc/support/persistence/PublisherRequestPersistenceConverter.java
+++ b/src/main/java/net/ripe/rpki/ripencc/support/persistence/PublisherRequestPersistenceConverter.java
@@ -3,8 +3,8 @@
 import net.ripe.rpki.commons.provisioning.identity.PublisherRequest;
 import net.ripe.rpki.commons.provisioning.identity.PublisherRequestSerializer;
 
-import javax.persistence.AttributeConverter;
-import javax.persistence.Converter;
+import jakarta.persistence.AttributeConverter;
+import jakarta.persistence.Converter;
 
 @Converter(autoApply = true)
 public class PublisherRequestPersistenceConverter implements AttributeConverter<PublisherRequest, String> {
diff --git a/src/main/java/net/ripe/rpki/ripencc/support/persistence/Repository.java b/src/main/java/net/ripe/rpki/ripencc/support/persistence/Repository.java
index f9679e6..cda9ff5 100755
--- a/src/main/java/net/ripe/rpki/ripencc/support/persistence/Repository.java
+++ b/src/main/java/net/ripe/rpki/ripencc/support/persistence/Repository.java
@@ -2,8 +2,8 @@
 
 import net.ripe.rpki.ncc.core.domain.support.Entity;
 
-import javax.persistence.EntityNotFoundException;
-import javax.persistence.LockModeType;
+import jakarta.persistence.EntityNotFoundException;
+import jakarta.persistence.LockModeType;
 import java.util.Collection;
 
 public interface Repository<T extends Entity> {
diff --git a/src/main/java/net/ripe/rpki/ripencc/support/persistence/RepositoryResponsePersistenceConverter.java b/src/main/java/net/ripe/rpki/ripencc/support/persistence/RepositoryResponsePersistenceConverter.java
index a3be2e2..aea1ac5 100644
--- a/src/main/java/net/ripe/rpki/ripencc/support/persistence/RepositoryResponsePersistenceConverter.java
+++ b/src/main/java/net/ripe/rpki/ripencc/support/persistence/RepositoryResponsePersistenceConverter.java
@@ -3,8 +3,8 @@
 import net.ripe.rpki.commons.provisioning.identity.RepositoryResponse;
 import net.ripe.rpki.commons.provisioning.identity.RepositoryResponseSerializer;
 
-import javax.persistence.AttributeConverter;
-import javax.persistence.Converter;
+import jakarta.persistence.AttributeConverter;
+import jakarta.persistence.Converter;
 
 @Converter(autoApply = true)
 public class RepositoryResponsePersistenceConverter implements AttributeConverter<RepositoryResponse, String> {
diff --git a/src/main/java/net/ripe/rpki/ripencc/support/persistence/UriPersistenceConverter.java b/src/main/java/net/ripe/rpki/ripencc/support/persistence/UriPersistenceConverter.java
index 3971f7b..e1c9a35 100644
--- a/src/main/java/net/ripe/rpki/ripencc/support/persistence/UriPersistenceConverter.java
+++ b/src/main/java/net/ripe/rpki/ripencc/support/persistence/UriPersistenceConverter.java
@@ -1,7 +1,7 @@
 package net.ripe.rpki.ripencc.support.persistence;
 
-import javax.persistence.AttributeConverter;
-import javax.persistence.Converter;
+import jakarta.persistence.AttributeConverter;
+import jakarta.persistence.Converter;
 import java.net.URI;
 
 @Converter(autoApply = true)
diff --git a/src/main/java/net/ripe/rpki/ripencc/support/persistence/X500PrincipalPersistenceConverter.java b/src/main/java/net/ripe/rpki/ripencc/support/persistence/X500PrincipalPersistenceConverter.java
index 9b9245c..e32581c 100644
--- a/src/main/java/net/ripe/rpki/ripencc/support/persistence/X500PrincipalPersistenceConverter.java
+++ b/src/main/java/net/ripe/rpki/ripencc/support/persistence/X500PrincipalPersistenceConverter.java
@@ -1,7 +1,7 @@
 package net.ripe.rpki.ripencc.support.persistence;
 
-import javax.persistence.AttributeConverter;
-import javax.persistence.Converter;
+import jakarta.persistence.AttributeConverter;
+import jakarta.persistence.Converter;
 import javax.security.auth.x500.X500Principal;
 
 @Converter(autoApply = true)
diff --git a/src/main/java/net/ripe/rpki/ripencc/ui/daemon/health/HealthChecks.java b/src/main/java/net/ripe/rpki/ripencc/ui/daemon/health/HealthChecks.java
index b1c6754..fae4b55 100644
--- a/src/main/java/net/ripe/rpki/ripencc/ui/daemon/health/HealthChecks.java
+++ b/src/main/java/net/ripe/rpki/ripencc/ui/daemon/health/HealthChecks.java
@@ -2,7 +2,7 @@
 
 import org.springframework.stereotype.Component;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.List;
 
 @Component
diff --git a/src/main/java/net/ripe/rpki/ripencc/ui/daemon/health/HealthService.java b/src/main/java/net/ripe/rpki/ripencc/ui/daemon/health/HealthService.java
index 5b7a2e1..97bba81 100644
--- a/src/main/java/net/ripe/rpki/ripencc/ui/daemon/health/HealthService.java
+++ b/src/main/java/net/ripe/rpki/ripencc/ui/daemon/health/HealthService.java
@@ -12,7 +12,7 @@
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
diff --git a/src/main/java/net/ripe/rpki/ripencc/ui/daemon/health/checks/CryptoChecker.java b/src/main/java/net/ripe/rpki/ripencc/ui/daemon/health/checks/CryptoChecker.java
index f864470..1920471 100644
--- a/src/main/java/net/ripe/rpki/ripencc/ui/daemon/health/checks/CryptoChecker.java
+++ b/src/main/java/net/ripe/rpki/ripencc/ui/daemon/health/checks/CryptoChecker.java
@@ -21,7 +21,7 @@
 import org.springframework.stereotype.Component;
 
 import javax.security.auth.x500.X500Principal;
-import javax.transaction.Transactional;
+import jakarta.transaction.Transactional;
 import java.math.BigInteger;
 import java.net.URI;
 import java.net.URISyntaxException;
diff --git a/src/main/java/net/ripe/rpki/ripencc/ui/daemon/health/checks/KrillNonHostedPublisherRepositoryHealthCheck.java b/src/main/java/net/ripe/rpki/ripencc/ui/daemon/health/checks/KrillNonHostedPublisherRepositoryHealthCheck.java
index c5c24b7..bb3844a 100644
--- a/src/main/java/net/ripe/rpki/ripencc/ui/daemon/health/checks/KrillNonHostedPublisherRepositoryHealthCheck.java
+++ b/src/main/java/net/ripe/rpki/ripencc/ui/daemon/health/checks/KrillNonHostedPublisherRepositoryHealthCheck.java
@@ -5,7 +5,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.stereotype.Component;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 @Component
 @ConditionalOnBean(KrillNonHostedPublisherRepositoryBean.class)
diff --git a/src/main/java/net/ripe/rpki/server/api/dto/AspaConfigurationData.java b/src/main/java/net/ripe/rpki/server/api/dto/AspaConfigurationData.java
index 2d014f7..262c87e 100644
--- a/src/main/java/net/ripe/rpki/server/api/dto/AspaConfigurationData.java
+++ b/src/main/java/net/ripe/rpki/server/api/dto/AspaConfigurationData.java
@@ -6,7 +6,6 @@
 import net.ripe.ipresource.Asn;
 import net.ripe.rpki.util.Streams;
 
-import javax.validation.constraints.NotEmpty;
 import java.nio.charset.StandardCharsets;
 import java.util.List;
 import java.util.SortedMap;
diff --git a/src/main/java/net/ripe/rpki/server/api/dto/RoaEntityData.java b/src/main/java/net/ripe/rpki/server/api/dto/RoaEntityData.java
index da5c889..ff13632 100644
--- a/src/main/java/net/ripe/rpki/server/api/dto/RoaEntityData.java
+++ b/src/main/java/net/ripe/rpki/server/api/dto/RoaEntityData.java
@@ -3,7 +3,7 @@
 import net.ripe.rpki.commons.crypto.cms.roa.RoaCms;
 import net.ripe.rpki.server.api.support.objects.ValueObjectSupport;
 
-import javax.validation.constraints.NotNull;
+import jakarta.validation.constraints.NotNull;
 
 /**
  * DTO object for actual ROA objects (as opposed to specification objects)
diff --git a/src/main/java/net/ripe/rpki/services/impl/ActiveNodeServiceBean.java b/src/main/java/net/ripe/rpki/services/impl/ActiveNodeServiceBean.java
index bb1d2ef..ff9e80b 100644
--- a/src/main/java/net/ripe/rpki/services/impl/ActiveNodeServiceBean.java
+++ b/src/main/java/net/ripe/rpki/services/impl/ActiveNodeServiceBean.java
@@ -9,7 +9,7 @@
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 
 @Service
diff --git a/src/main/java/net/ripe/rpki/services/impl/AspaServiceBean.java b/src/main/java/net/ripe/rpki/services/impl/AspaServiceBean.java
index 23c1325..e1a6a95 100644
--- a/src/main/java/net/ripe/rpki/services/impl/AspaServiceBean.java
+++ b/src/main/java/net/ripe/rpki/services/impl/AspaServiceBean.java
@@ -34,7 +34,6 @@ public List<AspaConfigurationData> findAspaConfiguration(long caId) {
             return Collections.emptyList();
         }
         return aspaConfigurationRepository.findByCertificateAuthority(ca).values().stream()
-            .map(AspaConfiguration::toData)
-            .collect(Collectors.toList());
+                .map(AspaConfiguration::toData).toList();
     }
 }
diff --git a/src/main/java/net/ripe/rpki/services/impl/ProvisioningIdentityViewServiceBean.java b/src/main/java/net/ripe/rpki/services/impl/ProvisioningIdentityViewServiceBean.java
index 98c0fc8..7daff96 100644
--- a/src/main/java/net/ripe/rpki/services/impl/ProvisioningIdentityViewServiceBean.java
+++ b/src/main/java/net/ripe/rpki/services/impl/ProvisioningIdentityViewServiceBean.java
@@ -15,7 +15,7 @@
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.transaction.support.TransactionOperations;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import javax.security.auth.x500.X500Principal;
 import java.net.URI;
 
diff --git a/src/main/java/net/ripe/rpki/services/impl/RoaAlertConfigurationViewServiceBean.java b/src/main/java/net/ripe/rpki/services/impl/RoaAlertConfigurationViewServiceBean.java
index c1ef749..b06339e 100644
--- a/src/main/java/net/ripe/rpki/services/impl/RoaAlertConfigurationViewServiceBean.java
+++ b/src/main/java/net/ripe/rpki/services/impl/RoaAlertConfigurationViewServiceBean.java
@@ -8,9 +8,8 @@
 import org.springframework.stereotype.Component;
 import org.springframework.transaction.annotation.Transactional;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.List;
-import java.util.stream.Collectors;
 
 @Component
 @Transactional
@@ -31,11 +30,11 @@ public RoaAlertConfigurationData findRoaAlertSubscription(long caId) {
 
     @Override
     public List<RoaAlertConfigurationData> findAll() {
-        return repository.findAll().stream().map(RoaAlertConfiguration::toData).collect(Collectors.toList());
+        return repository.findAll().stream().map(RoaAlertConfiguration::toData).toList();
     }
 
     @Override
     public List<RoaAlertConfigurationData> findByFrequency(RoaAlertFrequency frequency) {
-        return repository.findByFrequency(frequency).stream().map(RoaAlertConfiguration::toData).collect(Collectors.toList());
+        return repository.findByFrequency(frequency).stream().map(RoaAlertConfiguration::toData).toList();
     }
 }
diff --git a/src/main/java/net/ripe/rpki/services/impl/RoaServiceBean.java b/src/main/java/net/ripe/rpki/services/impl/RoaServiceBean.java
index 3309dce..fc080e9 100644
--- a/src/main/java/net/ripe/rpki/services/impl/RoaServiceBean.java
+++ b/src/main/java/net/ripe/rpki/services/impl/RoaServiceBean.java
@@ -12,20 +12,19 @@
 import org.springframework.stereotype.Component;
 import org.springframework.transaction.annotation.Transactional;
 
-import javax.persistence.NoResultException;
+import jakarta.persistence.NoResultException;
 import java.util.Collection;
 import java.util.List;
-import java.util.stream.Collectors;
 
 @Component
 @Transactional(readOnly = true)
 public class RoaServiceBean implements RoaViewService {
 
-    private CertificateAuthorityRepository caRepository;
+    private final CertificateAuthorityRepository caRepository;
 
-    private RoaConfigurationRepository roaConfigurationRepository;
+    private final RoaConfigurationRepository roaConfigurationRepository;
 
-    private RoaEntityRepository roaEntityRepository;
+    private final RoaEntityRepository roaEntityRepository;
 
     public RoaServiceBean(CertificateAuthorityRepository caRepository,
                           RoaConfigurationRepository roaConfigurationRepository,
@@ -42,7 +41,7 @@ private Collection<RoaEntity> findAllRoas(ManagedCertificateAuthority ca) {
     @Override
     public List<RoaEntityData> findAllRoasForCa(Long caId) {
         ManagedCertificateAuthority ca = caRepository.findManagedCa(caId);
-        return findAllRoas(ca).stream().map(this::convertToRoaEntityData).collect(Collectors.toList());
+        return findAllRoas(ca).stream().map(this::convertToRoaEntityData).toList();
     }
 
     @Override
diff --git a/src/main/java/net/ripe/rpki/services/impl/background/AllCaCertificateUpdateServiceBean.java b/src/main/java/net/ripe/rpki/services/impl/background/AllCaCertificateUpdateServiceBean.java
index 1e900fd..fc2a958 100644
--- a/src/main/java/net/ripe/rpki/services/impl/background/AllCaCertificateUpdateServiceBean.java
+++ b/src/main/java/net/ripe/rpki/services/impl/background/AllCaCertificateUpdateServiceBean.java
@@ -14,7 +14,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 
-import javax.persistence.EntityNotFoundException;
+import jakarta.persistence.EntityNotFoundException;
 import javax.security.auth.x500.X500Principal;
 import java.util.Collection;
 import java.util.Collections;
diff --git a/src/main/java/net/ripe/rpki/services/impl/background/BackgroundServices.java b/src/main/java/net/ripe/rpki/services/impl/background/BackgroundServices.java
index 7c28054..4b40057 100644
--- a/src/main/java/net/ripe/rpki/services/impl/background/BackgroundServices.java
+++ b/src/main/java/net/ripe/rpki/services/impl/background/BackgroundServices.java
@@ -1,5 +1,6 @@
 package net.ripe.rpki.services.impl.background;
 
+import jakarta.annotation.PostConstruct;
 import lombok.extern.slf4j.Slf4j;
 import net.ripe.rpki.server.api.services.background.BackgroundService;
 import org.quartz.JobDataMap;
@@ -18,8 +19,7 @@
 import org.springframework.core.env.Profiles;
 import org.springframework.stereotype.Component;
 
-import javax.annotation.PostConstruct;
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.Collections;
 import java.util.Date;
 import java.util.Map;
diff --git a/src/main/java/net/ripe/rpki/services/impl/background/CaCleanUpServiceBean.java b/src/main/java/net/ripe/rpki/services/impl/background/CaCleanUpServiceBean.java
index 129035b..fce3280 100644
--- a/src/main/java/net/ripe/rpki/services/impl/background/CaCleanUpServiceBean.java
+++ b/src/main/java/net/ripe/rpki/services/impl/background/CaCleanUpServiceBean.java
@@ -12,7 +12,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.Collection;
 import java.util.Map;
 
diff --git a/src/main/java/net/ripe/rpki/services/impl/background/CertificateExpirationServiceBean.java b/src/main/java/net/ripe/rpki/services/impl/background/CertificateExpirationServiceBean.java
index 6cdfb25..c26f85c 100644
--- a/src/main/java/net/ripe/rpki/services/impl/background/CertificateExpirationServiceBean.java
+++ b/src/main/java/net/ripe/rpki/services/impl/background/CertificateExpirationServiceBean.java
@@ -9,7 +9,7 @@
 import org.joda.time.DateTime;
 import org.springframework.stereotype.Service;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.Map;
 
 @Slf4j
diff --git a/src/main/java/net/ripe/rpki/services/impl/background/KeyPairActivationManagementServiceBean.java b/src/main/java/net/ripe/rpki/services/impl/background/KeyPairActivationManagementServiceBean.java
index c8cbbe2..d87668a 100644
--- a/src/main/java/net/ripe/rpki/services/impl/background/KeyPairActivationManagementServiceBean.java
+++ b/src/main/java/net/ripe/rpki/services/impl/background/KeyPairActivationManagementServiceBean.java
@@ -63,12 +63,11 @@ protected void runService(Map<String, String> parameters) {
             log.info("checking {} certificate authorities with pending keys for activation", casWithPendingKeys.size());
 
             List<CertificateAuthorityData> casWithActivatedKeys = casWithPendingKeys.parallelStream()
-                .filter(ca -> {
-                    CommandStatus status =
-                        commandService.execute(KeyManagementActivatePendingKeysCommand.plannedActivationCommand(ca.getVersionedId(), configuration.getStagingPeriod()));
-                    return status.isHasEffect();
-                })
-                .collect(Collectors.toList());
+                    .filter(ca -> {
+                        CommandStatus status =
+                                commandService.execute(KeyManagementActivatePendingKeysCommand.plannedActivationCommand(ca.getVersionedId(), configuration.getStagingPeriod()));
+                        return status.isHasEffect();
+                    }).toList();
             log.info("activated keys for {} certificate authorities", casWithActivatedKeys.size());
 
             casWithActivatedKeys.forEach(parentCA -> {
diff --git a/src/main/java/net/ripe/rpki/services/impl/background/KeyPairRevocationManagementServiceBean.java b/src/main/java/net/ripe/rpki/services/impl/background/KeyPairRevocationManagementServiceBean.java
index 5106eaf..f074d79 100644
--- a/src/main/java/net/ripe/rpki/services/impl/background/KeyPairRevocationManagementServiceBean.java
+++ b/src/main/java/net/ripe/rpki/services/impl/background/KeyPairRevocationManagementServiceBean.java
@@ -7,7 +7,7 @@
 import net.ripe.rpki.server.api.services.read.CertificateAuthorityViewService;
 import org.springframework.stereotype.Service;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 import java.util.Map;
 
diff --git a/src/main/java/net/ripe/rpki/services/impl/background/PublicRepositoryPublicationServiceBean.java b/src/main/java/net/ripe/rpki/services/impl/background/PublicRepositoryPublicationServiceBean.java
index 967f99b..e666b34 100644
--- a/src/main/java/net/ripe/rpki/services/impl/background/PublicRepositoryPublicationServiceBean.java
+++ b/src/main/java/net/ripe/rpki/services/impl/background/PublicRepositoryPublicationServiceBean.java
@@ -14,8 +14,8 @@
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.support.TransactionTemplate;
 
-import javax.inject.Inject;
-import javax.persistence.EntityNotFoundException;
+import jakarta.inject.Inject;
+import jakarta.persistence.EntityNotFoundException;
 import java.util.*;
 import java.util.stream.Collectors;
 
diff --git a/src/main/java/net/ripe/rpki/services/impl/background/PublishedObjectCleanUpServiceBean.java b/src/main/java/net/ripe/rpki/services/impl/background/PublishedObjectCleanUpServiceBean.java
index 5b846a1..6eacced 100644
--- a/src/main/java/net/ripe/rpki/services/impl/background/PublishedObjectCleanUpServiceBean.java
+++ b/src/main/java/net/ripe/rpki/services/impl/background/PublishedObjectCleanUpServiceBean.java
@@ -14,7 +14,7 @@
 import org.springframework.transaction.PlatformTransactionManager;
 import org.springframework.transaction.support.TransactionTemplate;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 import java.util.Map;
 
diff --git a/src/main/java/net/ripe/rpki/services/impl/background/PublisherSyncDelegateImpl.java b/src/main/java/net/ripe/rpki/services/impl/background/PublisherSyncDelegateImpl.java
index 64ef8d8..0c29241 100644
--- a/src/main/java/net/ripe/rpki/services/impl/background/PublisherSyncDelegateImpl.java
+++ b/src/main/java/net/ripe/rpki/services/impl/background/PublisherSyncDelegateImpl.java
@@ -11,7 +11,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.stereotype.Service;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.Map;
 import java.util.Set;
 import java.util.UUID;
diff --git a/src/main/java/net/ripe/rpki/services/impl/background/PublisherSyncService.java b/src/main/java/net/ripe/rpki/services/impl/background/PublisherSyncService.java
index f8b0120..473e72d 100644
--- a/src/main/java/net/ripe/rpki/services/impl/background/PublisherSyncService.java
+++ b/src/main/java/net/ripe/rpki/services/impl/background/PublisherSyncService.java
@@ -5,7 +5,7 @@
 import net.ripe.rpki.core.services.background.ConcurrentBackgroundServiceWithAdminPrivilegesOnActiveNode;
 import org.springframework.stereotype.Service;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 import java.util.Map;
 
diff --git a/src/main/java/net/ripe/rpki/services/impl/background/ReinitServiceBean.java b/src/main/java/net/ripe/rpki/services/impl/background/ReinitServiceBean.java
index bb81999..f174b3b 100644
--- a/src/main/java/net/ripe/rpki/services/impl/background/ReinitServiceBean.java
+++ b/src/main/java/net/ripe/rpki/services/impl/background/ReinitServiceBean.java
@@ -15,7 +15,7 @@
 import org.springframework.context.annotation.Profile;
 import org.springframework.stereotype.Service;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import javax.security.auth.x500.X500Principal;
 import java.util.Map;
 
diff --git a/src/main/java/net/ripe/rpki/services/impl/background/ResourceCacheService.java b/src/main/java/net/ripe/rpki/services/impl/background/ResourceCacheService.java
index f828447..d1a8384 100644
--- a/src/main/java/net/ripe/rpki/services/impl/background/ResourceCacheService.java
+++ b/src/main/java/net/ripe/rpki/services/impl/background/ResourceCacheService.java
@@ -136,7 +136,7 @@ public boolean updateFullResourceCache(Optional<String> forceUpdateCode) {
             final Update membersUpdate = memberResourcesUpdate(allResources.getAllMembersResources());
 
             final List<Update> updates = List.of(productionUpdate, membersUpdate);
-            final List<Update> rejected = updates.stream().filter(Update::isRejected).collect(Collectors.toList());
+            final List<Update> rejected = updates.stream().filter(Update::isRejected).toList();
 
             String expectedForceUpdateVerificationCode = resourceStats.get().expectedForceUpdateVerificationCode();
             boolean forceUpdate = forceUpdateCode.stream().anyMatch(code -> Objects.equals(code, expectedForceUpdateVerificationCode));
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/AbstractCertificateAuthorityCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/AbstractCertificateAuthorityCommandHandler.java
index 52643a5..4766f84 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/AbstractCertificateAuthorityCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/AbstractCertificateAuthorityCommandHandler.java
@@ -7,7 +7,7 @@
 import net.ripe.rpki.server.api.commands.CertificateAuthorityCommand;
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 
-import javax.persistence.EntityNotFoundException;
+import jakarta.persistence.EntityNotFoundException;
 import java.util.Objects;
 
 public abstract class AbstractCertificateAuthorityCommandHandler<T extends CertificateAuthorityCommand> implements CertificateAuthorityCommandHandler<T> {
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/ActivateHostedCertificateAuthorityCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/ActivateHostedCertificateAuthorityCommandHandler.java
index d9d408c..bb67da0 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/ActivateHostedCertificateAuthorityCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/ActivateHostedCertificateAuthorityCommandHandler.java
@@ -8,7 +8,7 @@
 import net.ripe.rpki.server.api.commands.ActivateHostedCertificateAuthorityCommand;
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 @Handler
 public class ActivateHostedCertificateAuthorityCommandHandler extends AbstractCertificateAuthorityCommandHandler<ActivateHostedCertificateAuthorityCommand> {
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/ActivateNonHostedCertificateAuthorityCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/ActivateNonHostedCertificateAuthorityCommandHandler.java
index c23910e..058f0df 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/ActivateNonHostedCertificateAuthorityCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/ActivateNonHostedCertificateAuthorityCommandHandler.java
@@ -8,7 +8,7 @@
 import net.ripe.rpki.server.api.commands.ActivateNonHostedCertificateAuthorityCommand;
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 @Handler
 public class ActivateNonHostedCertificateAuthorityCommandHandler extends AbstractCertificateAuthorityCommandHandler<ActivateNonHostedCertificateAuthorityCommand> {
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/AllResourcesCaResourcesCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/AllResourcesCaResourcesCommandHandler.java
index 63d6e52..f918c1a 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/AllResourcesCaResourcesCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/AllResourcesCaResourcesCommandHandler.java
@@ -7,7 +7,7 @@
 import net.ripe.rpki.server.api.commands.AllResourcesCaResourcesCommand;
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 @Handler
 public class AllResourcesCaResourcesCommandHandler extends AbstractCertificateAuthorityCommandHandler<AllResourcesCaResourcesCommand> {
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/CreateAllResourcesCertificateAuthorityCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/CreateAllResourcesCertificateAuthorityCommandHandler.java
index fc46886..0557dc0 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/CreateAllResourcesCertificateAuthorityCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/CreateAllResourcesCertificateAuthorityCommandHandler.java
@@ -7,7 +7,7 @@
 import net.ripe.rpki.server.api.commands.CreateAllResourcesCertificateAuthorityCommand;
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 @Handler
 public class CreateAllResourcesCertificateAuthorityCommandHandler extends AbstractCertificateAuthorityCommandHandler<CreateAllResourcesCertificateAuthorityCommand> {
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/CreateIntermediateCertificateAuthorityCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/CreateIntermediateCertificateAuthorityCommandHandler.java
index 422e740..7a7c42c 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/CreateIntermediateCertificateAuthorityCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/CreateIntermediateCertificateAuthorityCommandHandler.java
@@ -8,7 +8,7 @@
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 @Handler
 @ConditionalOnProperty(prefix="intermediate.ca", value="enabled", havingValue = "true")
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/CreateRootCertificateAuthorityCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/CreateRootCertificateAuthorityCommandHandler.java
index ece24cf..78c0f0e 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/CreateRootCertificateAuthorityCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/CreateRootCertificateAuthorityCommandHandler.java
@@ -10,7 +10,7 @@
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 import org.apache.commons.lang.Validate;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 @Handler
 public class CreateRootCertificateAuthorityCommandHandler extends AbstractCertificateAuthorityCommandHandler<CreateRootCertificateAuthorityCommand> {
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/DeleteCertificateAuthorityCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/DeleteCertificateAuthorityCommandHandler.java
index 643216b..43b82e6 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/DeleteCertificateAuthorityCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/DeleteCertificateAuthorityCommandHandler.java
@@ -12,7 +12,7 @@
 import net.ripe.rpki.server.api.commands.DeleteCertificateAuthorityCommand;
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 @Slf4j
 @Handler
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/DeleteNonHostedPublisherCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/DeleteNonHostedPublisherCommandHandler.java
index 3b02a9e..66ee4ad 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/DeleteNonHostedPublisherCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/DeleteNonHostedPublisherCommandHandler.java
@@ -8,8 +8,8 @@
 import org.apache.commons.lang.Validate;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 
-import javax.inject.Inject;
-import javax.persistence.EntityNotFoundException;
+import jakarta.inject.Inject;
+import jakarta.persistence.EntityNotFoundException;
 import java.util.UUID;
 
 @Handler
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/GenerateOfflineCARepublishRequestCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/GenerateOfflineCARepublishRequestCommandHandler.java
index cd9989f..28c034d 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/GenerateOfflineCARepublishRequestCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/GenerateOfflineCARepublishRequestCommandHandler.java
@@ -10,7 +10,7 @@
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 import org.apache.commons.lang.Validate;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.ArrayList;
 
 @Handler
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/InitialiseMyIdentityMaterialCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/InitialiseMyIdentityMaterialCommandHandler.java
index 09497a4..195bfb4 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/InitialiseMyIdentityMaterialCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/InitialiseMyIdentityMaterialCommandHandler.java
@@ -6,7 +6,7 @@
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 import org.apache.commons.lang.NotImplementedException;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 
 @Handler
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/IssueUpdatedManifestAndCrlCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/IssueUpdatedManifestAndCrlCommandHandler.java
index 6f1e468..791c0fa 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/IssueUpdatedManifestAndCrlCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/IssueUpdatedManifestAndCrlCommandHandler.java
@@ -10,7 +10,7 @@
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 import net.ripe.rpki.server.api.services.command.CommandWithoutEffectException;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 
 @Handler
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/KeyManagementActivatePendingKeysCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/KeyManagementActivatePendingKeysCommandHandler.java
index c76721d..aff2048 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/KeyManagementActivatePendingKeysCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/KeyManagementActivatePendingKeysCommandHandler.java
@@ -6,7 +6,7 @@
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 import net.ripe.rpki.server.api.services.command.CommandWithoutEffectException;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 
 @Handler
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/KeyManagementInitiateRollCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/KeyManagementInitiateRollCommandHandler.java
index 713a8b4..e44e2fb 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/KeyManagementInitiateRollCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/KeyManagementInitiateRollCommandHandler.java
@@ -15,7 +15,7 @@
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 import net.ripe.rpki.server.api.services.command.CommandWithoutEffectException;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/KeyManagementRevokeOldKeysCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/KeyManagementRevokeOldKeysCommandHandler.java
index 9490c42..440e992 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/KeyManagementRevokeOldKeysCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/KeyManagementRevokeOldKeysCommandHandler.java
@@ -15,9 +15,8 @@
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 import net.ripe.rpki.server.api.services.command.CommandWithoutEffectException;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.List;
-import java.util.stream.Collectors;
 
 import static net.ripe.rpki.domain.Resources.DEFAULT_RESOURCE_CLASS;
 
@@ -71,10 +70,7 @@ public void handle(KeyManagementRevokeOldKeysCommand command, CommandStatus comm
 
     private List<TaRequest> toTaRequests(List<CertificateRevocationRequest> requests) {
         return requests.stream()
-            .map(request -> new RevocationRequest(DEFAULT_RESOURCE_CLASS,
-                KeyPairUtil.getEncodedKeyIdentifier(request.getSubjectPublicKey())))
-            .collect(Collectors.toList());
+            .map(request -> (TaRequest) new RevocationRequest(DEFAULT_RESOURCE_CLASS, KeyPairUtil.getEncodedKeyIdentifier(request.getSubjectPublicKey())))
+            .toList();
     }
-
-
 }
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/LockCertificateAuthorityHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/LockCertificateAuthorityHandler.java
index 89886cc..754edae 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/LockCertificateAuthorityHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/LockCertificateAuthorityHandler.java
@@ -8,7 +8,7 @@
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 import net.ripe.rpki.util.DBComponent;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.ArrayList;
 import java.util.List;
 
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/ManagedCertificateAuthorityOutgoingResourceCertificatesInvariantHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/ManagedCertificateAuthorityOutgoingResourceCertificatesInvariantHandler.java
index db052c1..08591b3 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/ManagedCertificateAuthorityOutgoingResourceCertificatesInvariantHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/ManagedCertificateAuthorityOutgoingResourceCertificatesInvariantHandler.java
@@ -17,8 +17,8 @@
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 
-import javax.inject.Inject;
-import javax.persistence.EntityManager;
+import jakarta.inject.Inject;
+import jakarta.persistence.EntityManager;
 import java.util.Set;
 import java.util.stream.Collectors;
 
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/MessageDispatcher.java b/src/main/java/net/ripe/rpki/services/impl/handlers/MessageDispatcher.java
index ec14ec9..3f1d3a9 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/MessageDispatcher.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/MessageDispatcher.java
@@ -1,5 +1,6 @@
 package net.ripe.rpki.services.impl.handlers;
 
+import jakarta.annotation.PostConstruct;
 import lombok.Setter;
 import net.ripe.rpki.server.api.commands.CertificateAuthorityCommand;
 import net.ripe.rpki.server.api.services.command.CommandStatus;
@@ -10,14 +11,12 @@
 import org.springframework.dao.TransientDataAccessException;
 import org.springframework.stereotype.Component;
 
-import javax.annotation.PostConstruct;
-import javax.persistence.OptimisticLockException;
-import javax.persistence.PessimisticLockException;
+import jakarta.persistence.OptimisticLockException;
+import jakarta.persistence.PessimisticLockException;
 import java.util.ArrayList;
 import java.util.Comparator;
 import java.util.List;
 import java.util.Map;
-import java.util.stream.Collectors;
 
 @Component
 public class MessageDispatcher {
@@ -41,8 +40,7 @@ protected List<CertificateAuthorityCommandHandler<CertificateAuthorityCommand>>
         final Map<String, Object> beansWithAnnotation = applicationContext.getBeansWithAnnotation(Handler.class);
         return beansWithAnnotation.values().stream()
                 .map(bean -> (CertificateAuthorityCommandHandler<CertificateAuthorityCommand>) bean)
-                .sorted(Comparator.comparingInt(MessageDispatcher::orderOf))
-                .collect(Collectors.toList());
+                .sorted(Comparator.comparingInt(MessageDispatcher::orderOf)).toList();
     }
 
     private static int orderOf(Object bean) {
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/MigrateMemberCertificateAuthorityToIntermediateParentCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/MigrateMemberCertificateAuthorityToIntermediateParentCommandHandler.java
index fd9f009..0021806 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/MigrateMemberCertificateAuthorityToIntermediateParentCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/MigrateMemberCertificateAuthorityToIntermediateParentCommandHandler.java
@@ -9,8 +9,8 @@
 import net.ripe.rpki.server.api.services.command.CommandWithoutEffectException;
 import net.ripe.rpki.util.DBComponent;
 
-import javax.inject.Inject;
-import javax.persistence.EntityNotFoundException;
+import jakarta.inject.Inject;
+import jakarta.persistence.EntityNotFoundException;
 import java.security.PublicKey;
 import java.util.Objects;
 
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/ProcessTrustAnchorResponseCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/ProcessTrustAnchorResponseCommandHandler.java
index 0f87fc9..e784c76 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/ProcessTrustAnchorResponseCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/ProcessTrustAnchorResponseCommandHandler.java
@@ -5,7 +5,7 @@
 import net.ripe.rpki.server.api.commands.ProcessTrustAnchorResponseCommand;
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 @Handler
 public class ProcessTrustAnchorResponseCommandHandler extends AbstractCertificateAuthorityCommandHandler<ProcessTrustAnchorResponseCommand> {
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/ProvisionNonHostedPublisherCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/ProvisionNonHostedPublisherCommandHandler.java
index d90d3a6..2457b1d 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/ProvisionNonHostedPublisherCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/ProvisionNonHostedPublisherCommandHandler.java
@@ -11,7 +11,7 @@
 import net.ripe.rpki.server.api.services.command.CommandWithoutEffectException;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.UUID;
 
 import static net.ripe.rpki.domain.NonHostedCertificateAuthority.PUBLISHER_REPOSITORIES_LIMIT;
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/ProvisioningCertificateIssuanceCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/ProvisioningCertificateIssuanceCommandHandler.java
index 7c1e637..d18b36b 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/ProvisioningCertificateIssuanceCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/ProvisioningCertificateIssuanceCommandHandler.java
@@ -8,7 +8,7 @@
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 import net.ripe.rpki.server.api.services.command.CommandWithoutEffectException;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.security.PublicKey;
 
 @Handler
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/ProvisioningCertificateRevocationCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/ProvisioningCertificateRevocationCommandHandler.java
index d0db108..8da3902 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/ProvisioningCertificateRevocationCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/ProvisioningCertificateRevocationCommandHandler.java
@@ -8,7 +8,7 @@
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 import net.ripe.rpki.server.api.services.command.CommandWithoutEffectException;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 @Handler
 public class ProvisioningCertificateRevocationCommandHandler extends AbstractCertificateAuthorityCommandHandler<ProvisioningCertificateRevocationCommand> {
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/PublicationSupport.java b/src/main/java/net/ripe/rpki/services/impl/handlers/PublicationSupport.java
index a99b92a..73626dc 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/PublicationSupport.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/PublicationSupport.java
@@ -17,7 +17,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.net.URI;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -56,8 +56,7 @@ public PublicationSupport(
         log.info("Interfacing with {} external publication servers: {}", publicationServerUris.size(), publicationServerUris);
 
         externalPublishingServers = publicationServerUris.stream()
-            .map(uri -> new ExternalPublishingServer(publishingServerClient, meterRegistry, uri))
-            .collect(Collectors.toList());
+                .map(uri -> new ExternalPublishingServer(publishingServerClient, meterRegistry, uri)).toList();
         forkJoinPool = new ForkJoinPool(Math.max(1, externalPublishingServers.size()));
 
         rrdpPublicationSuccesses = Counter.builder("rpkicore.publication.total")
@@ -175,8 +174,7 @@ private List<ListReply> getObjectsFromServer(ExternalPublishingServer externalPu
         final List<ListRequest> messages = Collections.singletonList(new ListRequest());
         return externalPublishingServer.execute(messages, clientId).stream()
                 .filter(PublicationMessage.isListReply)
-                .map(x -> (ListReply) x)
-                .collect(Collectors.toList());
+                .map(x -> (ListReply) x).toList();
     }
 
     public static String objectHash(byte[] bytes) {
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/SubscribeToRoaAlertCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/SubscribeToRoaAlertCommandHandler.java
index f69f339..32184cc 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/SubscribeToRoaAlertCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/SubscribeToRoaAlertCommandHandler.java
@@ -11,7 +11,7 @@
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 import net.ripe.rpki.services.impl.EmailSender;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.Collections;
 import java.util.Set;
 import java.util.stream.Collectors;
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/UnsubscribeFromRoaAlertCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/UnsubscribeFromRoaAlertCommandHandler.java
index 8b6481d..6e5997f 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/UnsubscribeFromRoaAlertCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/UnsubscribeFromRoaAlertCommandHandler.java
@@ -8,7 +8,7 @@
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 import net.ripe.rpki.services.impl.EmailSender;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.Collections;
 
 import static net.ripe.rpki.domain.alerts.RoaAlertConfiguration.normEmail;
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/UpdateAllIncomingResourceCertificatesCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/UpdateAllIncomingResourceCertificatesCommandHandler.java
index f7ac412..fbaf5d3 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/UpdateAllIncomingResourceCertificatesCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/UpdateAllIncomingResourceCertificatesCommandHandler.java
@@ -8,7 +8,7 @@
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 import net.ripe.rpki.server.api.services.command.CommandWithoutEffectException;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 @Handler
 @Slf4j
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/UpdateAspaConfigurationCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/UpdateAspaConfigurationCommandHandler.java
index c174d89..8633573 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/UpdateAspaConfigurationCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/UpdateAspaConfigurationCommandHandler.java
@@ -22,9 +22,8 @@
 import net.ripe.rpki.server.api.services.command.PrivateAsnsUsedException;
 import org.springframework.beans.factory.annotation.Value;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.*;
-import java.util.stream.Collectors;
 
 
 @Handler
@@ -145,7 +144,6 @@ private void validateProviderAsns(SortedMap<Asn, SortedSet<Asn>> configuration)
     private List<Asn> findAddedPrivateAsns(SortedMap<Asn, SortedSet<Asn>> configuration) {
         return configuration.values().stream()
                 .flatMap(Collection::stream)
-                .filter(privateAsns::contains)
-                .collect(Collectors.toList());
+                .filter(privateAsns::contains).toList();
     }
 }
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/UpdateRoaAlertIgnoredAnnouncedRoutesCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/UpdateRoaAlertIgnoredAnnouncedRoutesCommandHandler.java
index ca3cb1a..064bbb0 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/UpdateRoaAlertIgnoredAnnouncedRoutesCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/UpdateRoaAlertIgnoredAnnouncedRoutesCommandHandler.java
@@ -7,7 +7,7 @@
 import net.ripe.rpki.server.api.commands.UpdateRoaAlertIgnoredAnnouncedRoutesCommand;
 import net.ripe.rpki.server.api.services.command.CommandStatus;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 
 @Handler
diff --git a/src/main/java/net/ripe/rpki/services/impl/handlers/UpdateRoaConfigurationCommandHandler.java b/src/main/java/net/ripe/rpki/services/impl/handlers/UpdateRoaConfigurationCommandHandler.java
index bbd5c6c..dff6fc7 100644
--- a/src/main/java/net/ripe/rpki/services/impl/handlers/UpdateRoaConfigurationCommandHandler.java
+++ b/src/main/java/net/ripe/rpki/services/impl/handlers/UpdateRoaConfigurationCommandHandler.java
@@ -19,7 +19,7 @@
 import net.ripe.rpki.services.impl.background.RoaMetricsService;
 import org.springframework.beans.factory.annotation.Value;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.Collection;
 import java.util.HashSet;
 import java.util.List;
@@ -97,8 +97,7 @@ private void validateEntityTag(UpdateRoaConfigurationCommand command, RoaConfigu
 
     private void validateAsns(UpdateRoaConfigurationCommand command) {
         List<Asn> privateAsns = command.getAdditions().stream().map(RoaConfigurationPrefixData::getAsn)
-            .filter(privateAsnRanges::contains)
-            .collect(Collectors.toList());
+                .filter(privateAsnRanges::contains).toList();
         if (!privateAsns.isEmpty()) {
             throw new PrivateAsnsUsedException("ROA configuration", privateAsns);
         }
diff --git a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaAspaEntityRepository.java b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaAspaEntityRepository.java
index b48bb43..292a3e1 100644
--- a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaAspaEntityRepository.java
+++ b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaAspaEntityRepository.java
@@ -38,7 +38,7 @@ public List<AspaEntity> findCurrentByCertificateAuthority(ManagedCertificateAuth
     @Override
     public int deleteByCertificateSigningKeyPair(KeyPairEntity certificateSigningKeyPair) {
         return manager
-            .createQuery("DELETE FROM AspaEntity WHERE certificate_id IN (SELECT id FROM OutgoingResourceCertificate orc WHERE orc.signingKeyPair = :cskp)")
+            .createQuery("DELETE FROM AspaEntity WHERE certificate.id IN (SELECT id FROM OutgoingResourceCertificate orc WHERE orc.signingKeyPair = :cskp)")
             .setParameter("cskp", certificateSigningKeyPair)
             .executeUpdate();
     }
diff --git a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaCertificateAuthorityRepository.java b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaCertificateAuthorityRepository.java
index 48ea175..473890a 100644
--- a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaCertificateAuthorityRepository.java
+++ b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaCertificateAuthorityRepository.java
@@ -2,7 +2,7 @@
 
 import net.ripe.rpki.domain.*;
 import net.ripe.rpki.ripencc.support.persistence.JpaRepository;
-import net.ripe.rpki.server.api.commands.CertificateAuthorityCommandGroup;
+import net.ripe.rpki.server.api.commands.*;
 import net.ripe.rpki.server.api.dto.CaStat;
 import net.ripe.rpki.server.api.dto.CaStatCaEvent;
 import net.ripe.rpki.server.api.dto.CaStatEvent;
@@ -16,12 +16,13 @@
 import org.joda.time.format.DateTimeFormatter;
 import org.springframework.stereotype.Repository;
 
-import javax.persistence.EntityNotFoundException;
-import javax.persistence.LockModeType;
-import javax.persistence.NoResultException;
-import javax.persistence.PersistenceException;
-import javax.persistence.Query;
+import jakarta.persistence.EntityNotFoundException;
+import jakarta.persistence.LockModeType;
+import jakarta.persistence.NoResultException;
+import jakarta.persistence.PersistenceException;
+import jakarta.persistence.Query;
 import javax.security.auth.x500.X500Principal;
+import java.time.Instant;
 import java.util.*;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -150,27 +151,26 @@ public Collection<CaStat> getCAStats() {
         return rowStream.map(row -> {
             String caName = toStr(row[0]);
             int roaCount = toInt(row[1]);
-            Date createdAt = (Date) row[2];
-            return new CaStat(caName, roaCount, ISO_DATE_FORMAT.print(new DateTime(createdAt)));
-        }).collect(Collectors.toList());
+            Instant createdAt = (Instant) row[2];
+            return new CaStat(caName, roaCount, ISO_DATE_FORMAT.print(new DateTime(createdAt.toEpochMilli())));
+        }).toList();
     }
 
     @Override
     public Collection<CaStatEvent> getCAStatEvents() {
-        final String updateRoaConf = "UpdateRoaConfigurationCommand";
+        // Two legacy command types that _may_ be present
         final String createRoaSpec = "CreateRoaSpecificationCommand";
         final String deleteRoaSpec = "DeleteRoaSpecificationCommand";
-        final String activateCaSpec = "ActivateHostedCertificateAuthorityCommand";
-        final String activateNonHostedCaSpec = "ActivateNonHostedCertificateAuthorityCommand";
-        final String deleteCaSpec = "DeleteCertificateAuthorityCommand";
-        final String deleteNonHostedCaSpec = "DeleteNonHostedCertificateAuthorityCommand";
 
-        final List<String> commandTypes = Arrays.asList(updateRoaConf, createRoaSpec, deleteRoaSpec,
-                activateCaSpec, activateNonHostedCaSpec, deleteCaSpec, deleteNonHostedCaSpec);
-
-        final Pattern updateConfPattern = Pattern.compile("Updated ROA configuration. Additions: (.+). Deletions: (.+)\\.");
-        final Pattern createSpecPattern = Pattern.compile("Created ROA specification '.+' (.+).");
-        final Pattern deleteSpecPattern = Pattern.compile("Deleted ROA specification '.+' (.+).");
+        // recall: prefix/suffix for Collectors.joining are not in between elements, so it can not be
+        final var commandTypesSqlList = Stream.of(
+                createRoaSpec, deleteRoaSpec,
+                UpdateRoaConfigurationCommand.class.getSimpleName(),
+                ActivateHostedCertificateAuthorityCommand.class.getSimpleName(),
+                ActivateNonHostedCertificateAuthorityCommand.class.getSimpleName(),
+                DeleteCertificateAuthorityCommand.class.getSimpleName(),
+                DeleteNonHostedCertificateAuthorityCommand.class.getSimpleName()
+            ).map(s -> "'" + s + "'").collect(Collectors.joining(","));
 
         final Query q = manager.createNativeQuery("SELECT " +
                 "ca.name, " +
@@ -179,18 +179,23 @@ public Collection<CaStatEvent> getCAStatEvents() {
                 "au.commandsummary " +
                 "FROM commandAudit au " +
                 "LEFT JOIN certificateAuthority ca ON ca.id = au.ca_id " +
-                "WHERE commandtype IN (" + inClause(commandTypes) + ")" +
+                "WHERE commandtype IN (" + commandTypesSqlList + ") " +
                 "ORDER BY au.executiontime ASC, ca.name");
 
+        final Pattern updateConfPattern = Pattern.compile("Updated ROA configuration. Additions: (.+). Deletions: (.+)\\.");
+        final Pattern createSpecPattern = Pattern.compile("Created ROA specification '.+' (.+).");
+        final Pattern deleteSpecPattern = Pattern.compile("Deleted ROA specification '.+' (.+).");
+
         final List<?> resultList = q.getResultList();
         final List<CaStatEvent> result = new ArrayList<>();
         for (final Object r : resultList) {
             final Object[] columns = (Object[]) r;
             final String caName = toStr(columns[0]);
             final String type = toStr(columns[1]);
-            final String date = ISO_DATE_FORMAT.print(new DateTime(columns[2]));
+            final String date = ISO_DATE_FORMAT.print(new DateTime(((Instant)columns[2]).toEpochMilli()));
             final String summary = toStr(columns[3]);
-            if (updateRoaConf.equals(type)) {
+
+            if (UpdateRoaConfigurationCommand.class.getSimpleName().equals(type)) {
                 final Matcher m = updateConfPattern.matcher(summary);
                 if (m.matches()) {
                     final String additions = m.group(1);
@@ -213,9 +218,9 @@ public Collection<CaStatEvent> getCAStatEvents() {
                     if (deleted > 0)
                         result.add(new CaStatRoaEvent(caName, date, 0, deleted));
                 }
-            } else if (activateCaSpec.equals(type) || activateNonHostedCaSpec.equals(type)) {
+            } else if (ActivateHostedCertificateAuthorityCommand.class.getSimpleName().equals(type) || ActivateNonHostedCertificateAuthorityCommand.class.getSimpleName().equals(type)) {
                 result.add(CaStatCaEvent.created(caName, date));
-            } else if (deleteCaSpec.equals(type) || deleteNonHostedCaSpec.equals(type)) {
+            } else if (DeleteCertificateAuthorityCommand.class.getSimpleName().equals(type) || DeleteNonHostedCertificateAuthorityCommand.class.getSimpleName().equals(type)) {
                 result.add(CaStatCaEvent.deleted(date));
             }
         }
@@ -268,25 +273,24 @@ public Collection<ManagedCertificateAuthority> findAllWithOutdatedManifests(bool
     @Override
     public List<ManagedCertificateAuthority> findAllWithManifestsExpiringBefore(DateTime notValidAfterCutoff, int maxResult) {
         return manager.createQuery(
-                "SELECT DISTINCT ca, MIN(po.validityPeriod.notValidAfter) " +
-                    "  FROM ManagedCertificateAuthority ca" +
-                    "  JOIN ca.keyPairs kp," +
-                    "       ManifestEntity mft" +
-                    "  JOIN mft.publishedObject po" +
-                    "  JOIN mft.certificate crt" +
-                    " WHERE kp.status IN :publishable" +
-                    "   AND crt.signingKeyPair = kp" +
-                    "   AND po.validityPeriod.notValidAfter < :notValidAfterCutoff" +
-                    " GROUP BY ca" +
-                    " ORDER BY MIN(po.validityPeriod.notValidAfter) ASC",
-                Object[].class)
-            // See KeyPairEntity.isPublishable for the next two parameters
-            .setParameter("publishable", Arrays.asList(KeyPairStatus.PENDING, KeyPairStatus.CURRENT, KeyPairStatus.OLD))
-            .setParameter("notValidAfterCutoff", notValidAfterCutoff)
-            .setMaxResults(maxResult)
-            .getResultStream()
-            .map(row -> (ManagedCertificateAuthority) row[0])
-            .collect(Collectors.toList());
+                        "SELECT DISTINCT ca, MIN(po.validityPeriod.notValidAfter) " +
+                                "  FROM ManagedCertificateAuthority ca" +
+                                "  JOIN ca.keyPairs kp," +
+                                "       ManifestEntity mft" +
+                                "  JOIN mft.publishedObject po" +
+                                "  JOIN mft.certificate crt" +
+                                " WHERE kp.status IN :publishable" +
+                                "   AND crt.signingKeyPair = kp" +
+                                "   AND po.validityPeriod.notValidAfter < :notValidAfterCutoff" +
+                                " GROUP BY ca" +
+                                " ORDER BY MIN(po.validityPeriod.notValidAfter) ASC",
+                        Object[].class)
+                // See KeyPairEntity.isPublishable for the next two parameters
+                .setParameter("publishable", Arrays.asList(KeyPairStatus.PENDING, KeyPairStatus.CURRENT, KeyPairStatus.OLD))
+                .setParameter("notValidAfterCutoff", notValidAfterCutoff)
+                .setMaxResults(maxResult)
+                .getResultStream()
+                .map(row -> (ManagedCertificateAuthority) row[0]).toList();
     }
 
     @Override
@@ -342,10 +346,6 @@ public Optional<IntermediateCertificateAuthority> findSmallestIntermediateCA(X50
         }
     }
 
-    private static String inClause(final Collection<String> items) {
-        return items.stream().collect(Collectors.joining(",", "'", "'"));
-    }
-
     private static int countRoasUpdateSpecPattern(String summary) {
         int c = summary.replaceFirst("\\[asn=AS[0-9]+, ", "").split("maximumLength=").length - 1;
         return Math.max(c, 0);
diff --git a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaCrlEntityRepository.java b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaCrlEntityRepository.java
index f364882..4553bdf 100644
--- a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaCrlEntityRepository.java
+++ b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaCrlEntityRepository.java
@@ -7,8 +7,8 @@
 import org.apache.commons.lang.Validate;
 import org.springframework.stereotype.Component;
 
-import javax.persistence.NoResultException;
-import javax.persistence.Query;
+import jakarta.persistence.NoResultException;
+import jakarta.persistence.Query;
 
 @Component
 public class JpaCrlEntityRepository extends JpaRepository<CrlEntity> implements CrlEntityRepository {
diff --git a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaHsmKeyStoreRepository.java b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaHsmKeyStoreRepository.java
index 150f371..8a26b45 100644
--- a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaHsmKeyStoreRepository.java
+++ b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaHsmKeyStoreRepository.java
@@ -7,7 +7,7 @@
 import org.springframework.stereotype.Repository;
 import org.springframework.transaction.annotation.Transactional;
 
-import javax.persistence.TypedQuery;
+import jakarta.persistence.TypedQuery;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.Optional;
diff --git a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaManifestEntityRepository.java b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaManifestEntityRepository.java
index f8311a3..e8441fc 100644
--- a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaManifestEntityRepository.java
+++ b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaManifestEntityRepository.java
@@ -7,8 +7,8 @@
 import org.apache.commons.lang.Validate;
 import org.springframework.stereotype.Repository;
 
-import javax.persistence.NoResultException;
-import javax.persistence.Query;
+import jakarta.persistence.NoResultException;
+import jakarta.persistence.Query;
 
 @Repository
 public class JpaManifestEntityRepository extends JpaRepository<ManifestEntity> implements ManifestEntityRepository {
diff --git a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaPropertyEntityRepository.java b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaPropertyEntityRepository.java
index 3ebee33..989277a 100644
--- a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaPropertyEntityRepository.java
+++ b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaPropertyEntityRepository.java
@@ -8,8 +8,8 @@
 import org.springframework.stereotype.Component;
 
 import javax.annotation.Nullable;
-import javax.persistence.NoResultException;
-import javax.persistence.Query;
+import jakarta.persistence.NoResultException;
+import jakarta.persistence.Query;
 
 @Component
 public class JpaPropertyEntityRepository extends JpaRepository<PropertyEntity> implements PropertyEntityRepository {
diff --git a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaPublishedObjectRepository.java b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaPublishedObjectRepository.java
index a11bcc2..6ece5ac 100644
--- a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaPublishedObjectRepository.java
+++ b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaPublishedObjectRepository.java
@@ -62,10 +62,10 @@ public List<PublishedObjectData> findCurrentlyPublishedObjects() {
             .getResultStream()
             .map((o) -> {
                 Object[] row = (Object[]) o;
-                return new PublishedObjectData((Timestamp) row[0], URI.create((String) row[1]), (byte[]) row[2]);
+                return new PublishedObjectData((java.time.Instant) row[0], URI.create((String) row[1]), (byte[]) row[2]);
             });
 
-        return stream.collect(Collectors.toList());
+        return stream.toList();
     }
 
     @SuppressWarnings("unchecked")
diff --git a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaResourceCertificateRepository.java b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaResourceCertificateRepository.java
index aa4eabe..294288d 100644
--- a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaResourceCertificateRepository.java
+++ b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaResourceCertificateRepository.java
@@ -16,9 +16,9 @@
 import org.springframework.stereotype.Repository;
 import org.springframework.transaction.annotation.Transactional;
 
-import javax.persistence.NoResultException;
-import javax.persistence.Query;
-import javax.persistence.TypedQuery;
+import jakarta.persistence.NoResultException;
+import jakarta.persistence.Query;
+import jakarta.persistence.TypedQuery;
 import javax.security.auth.x500.X500Principal;
 import java.math.BigInteger;
 import java.security.PublicKey;
@@ -133,12 +133,7 @@ public ExpireOutgoingResourceCertificatesResult expireOutgoingResourceCertificat
             .setParameter("toBeWithdrawn", PublicationStatus.TO_BE_WITHDRAWN.name())
             .setParameter("withdrawn", PublicationStatus.WITHDRAWN.name())
             .getSingleResult();
-        return new ExpireOutgoingResourceCertificatesResult(
-            ((BigInteger) counts[0]).intValueExact(),
-            ((BigInteger) counts[1]).intValueExact(),
-            ((BigInteger) counts[2]).intValueExact(),
-            ((BigInteger) counts[3]).intValueExact()
-        );
+        return new ExpireOutgoingResourceCertificatesResult((long)counts[0], (long)counts[1], (long)counts[2], (long)counts[3]);
     }
 
     @Override
diff --git a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaRoaAlertConfigurationRepository.java b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaRoaAlertConfigurationRepository.java
index bb23b05..99c878a 100644
--- a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaRoaAlertConfigurationRepository.java
+++ b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaRoaAlertConfigurationRepository.java
@@ -7,8 +7,8 @@
 import org.apache.commons.lang.Validate;
 import org.springframework.stereotype.Component;
 
-import javax.persistence.NoResultException;
-import javax.persistence.Query;
+import jakarta.persistence.NoResultException;
+import jakarta.persistence.Query;
 import java.util.List;
 
 @Component
diff --git a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaRoaConfigurationRepository.java b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaRoaConfigurationRepository.java
index a5bf80a..c9f4c2c 100644
--- a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaRoaConfigurationRepository.java
+++ b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaRoaConfigurationRepository.java
@@ -13,7 +13,7 @@
 import org.springframework.stereotype.Repository;
 import org.springframework.transaction.annotation.Transactional;
 
-import javax.persistence.NoResultException;
+import jakarta.persistence.NoResultException;
 import javax.security.auth.x500.X500Principal;
 import java.math.BigDecimal;
 import java.math.BigInteger;
@@ -22,7 +22,6 @@
 import java.util.Collection;
 import java.util.List;
 import java.util.Optional;
-import java.util.stream.Collectors;
 
 @Repository
 @Transactional
@@ -66,19 +65,18 @@ public List<RoaConfigurationPerCa> findAllPerCa() {
                 .stream()
                 .map(o -> {
                     final Object[] row = (Object[]) o;
-                    final Long caId = ((BigInteger) row[0]).longValue();
+                    final Long caId = ((Long) row[0]);
                     final X500Principal principal = new X500Principal((String) row[1]);
                     final CaName caName = CaName.of(principal);
                     final Asn asn = new Asn(((BigDecimal) row[2]).longValue());
-                    final Integer prefixType = (Integer) row[3];
+                    final Short prefixType = (Short) row[3];
                     final BigInteger begin = ((BigDecimal) row[4]).toBigInteger();
                     final BigInteger end = ((BigDecimal) row[5]).toBigInteger();
                     final Integer maximumLength = (Integer) row[6];
                     final IpResourceType resourceType = IpResourceType.values()[prefixType];
                     final IpResourceRange range = resourceType.fromBigInteger(begin).upTo(resourceType.fromBigInteger(end));
                     return new RoaConfigurationPerCa(caId, caName, asn, range, maximumLength);
-                })
-                .collect(Collectors.toList());
+                }).toList();
     }
 
     @Override
@@ -104,7 +102,7 @@ public void logRoaPrefixDeletion(RoaConfiguration configuration, Collection<? ex
     @Override
     public int countRoaPrefixes() {
         String sql = "SELECT count(*) from roaconfiguration_prefixes";
-        return ((BigInteger)createNativeQuery(sql).getSingleResult()).intValue();
+        return ((Long)createNativeQuery(sql).getSingleResult()).intValue();
     }
 
     @Override
@@ -115,8 +113,8 @@ public Optional<Instant> lastModified() {
                 "SELECT max(deleted_at) as last from deleted_roaconfiguration_prefixes" +
                 ") last_changes";
         // empty table -> null.
-        Timestamp res = (Timestamp) createNativeQuery(sql).getSingleResult();
-        return Optional.ofNullable(res).map(t -> t.toInstant());
+        var res = (Instant) createNativeQuery(sql).getSingleResult();
+        return Optional.ofNullable(res);
     }
 
     @Override
diff --git a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaRoaEntityRepository.java b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaRoaEntityRepository.java
index 263f0e1..08c1a92 100644
--- a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaRoaEntityRepository.java
+++ b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaRoaEntityRepository.java
@@ -37,7 +37,7 @@ public List<RoaEntity> findCurrentByCertificateAuthority(ManagedCertificateAutho
     @Override
     public int deleteByCertificateSigningKeyPair(KeyPairEntity certificateSigningKeyPair) {
         return manager
-            .createQuery("DELETE FROM RoaEntity WHERE certificate_id IN (SELECT id FROM OutgoingResourceCertificate orc WHERE orc.signingKeyPair = :cskp)")
+            .createQuery("DELETE FROM RoaEntity WHERE certificate.id IN (SELECT id FROM OutgoingResourceCertificate orc WHERE orc.signingKeyPair = :cskp)")
             .setParameter("cskp", certificateSigningKeyPair)
             .executeUpdate();
     }
diff --git a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaTrustAnchorPublishedObjectRepository.java b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaTrustAnchorPublishedObjectRepository.java
index 6536a02..dccc1db 100644
--- a/src/main/java/net/ripe/rpki/services/impl/jpa/JpaTrustAnchorPublishedObjectRepository.java
+++ b/src/main/java/net/ripe/rpki/services/impl/jpa/JpaTrustAnchorPublishedObjectRepository.java
@@ -6,8 +6,8 @@
 import org.joda.time.Instant;
 import org.springframework.stereotype.Component;
 
-import javax.persistence.EntityManager;
-import javax.persistence.PersistenceContext;
+import jakarta.persistence.EntityManager;
+import jakarta.persistence.PersistenceContext;
 import java.util.List;
 
 @Component
diff --git a/src/main/java/net/ripe/rpki/util/JdbcDBComponent.java b/src/main/java/net/ripe/rpki/util/JdbcDBComponent.java
index 645ae99..6c049ee 100644
--- a/src/main/java/net/ripe/rpki/util/JdbcDBComponent.java
+++ b/src/main/java/net/ripe/rpki/util/JdbcDBComponent.java
@@ -12,9 +12,9 @@
 import org.springframework.transaction.support.TransactionSynchronization;
 import org.springframework.transaction.support.TransactionSynchronizationManager;
 
-import javax.persistence.EntityManager;
-import javax.persistence.LockModeType;
-import javax.persistence.NoResultException;
+import jakarta.persistence.EntityManager;
+import jakarta.persistence.LockModeType;
+import jakarta.persistence.NoResultException;
 import java.util.Objects;
 
 @Primary
diff --git a/src/main/java/net/ripe/rpki/web/AdminController.java b/src/main/java/net/ripe/rpki/web/AdminController.java
index 4693ab9..53089af 100644
--- a/src/main/java/net/ripe/rpki/web/AdminController.java
+++ b/src/main/java/net/ripe/rpki/web/AdminController.java
@@ -21,8 +21,8 @@
 import org.springframework.web.servlet.view.RedirectView;
 
 import javax.annotation.Nullable;
-import javax.inject.Inject;
-import javax.validation.Valid;
+import jakarta.inject.Inject;
+import jakarta.validation.Valid;
 import java.util.List;
 import java.util.Map;
 import java.util.TreeMap;
diff --git a/src/main/java/net/ripe/rpki/web/BaseController.java b/src/main/java/net/ripe/rpki/web/BaseController.java
index 373be8d..8f41613 100644
--- a/src/main/java/net/ripe/rpki/web/BaseController.java
+++ b/src/main/java/net/ripe/rpki/web/BaseController.java
@@ -12,12 +12,11 @@
 import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.web.bind.annotation.ModelAttribute;
 
-import javax.validation.constraints.NotBlank;
-import javax.validation.constraints.Pattern;
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Pattern;
 import java.util.Comparator;
 import java.util.List;
 import java.util.Map;
-import java.util.stream.Collectors;
 
 public class BaseController {
 
@@ -42,8 +41,7 @@ public GitInfo getGitInfo() {
 
     @ModelAttribute(name = "currentUser", binding = false)
     public UserData currentUser(@AuthenticationPrincipal Object user) {
-        if (user instanceof OAuth2User) {
-            OAuth2User oAuth2User = (OAuth2User) user;
+        if (user instanceof OAuth2User oAuth2User) {
             return new UserData(oAuth2User.getName(), oAuth2User.getAttribute("name"), oAuth2User.getAttribute("email"));
         } else {
             String id = String.valueOf(user);
@@ -108,9 +106,8 @@ public static class BackgroundServiceData {
 
         static List<BackgroundServiceData> fromBackgroundServices(Map<String, BackgroundService> backgroundServiceMap) {
             return backgroundServiceMap.entrySet().stream()
-                .map(entry -> new BackgroundServiceData(entry.getKey(), entry.getValue()))
-                .sorted(Comparator.comparing(s -> s.name))
-                .collect(Collectors.toList());
+                    .map(entry -> new BackgroundServiceData(entry.getKey(), entry.getValue()))
+                    .sorted(Comparator.comparing(s -> s.name)).toList();
         }
     }
 
diff --git a/src/main/java/net/ripe/rpki/web/HealthCheckController.java b/src/main/java/net/ripe/rpki/web/HealthCheckController.java
index 99cdbbd..2aca329 100644
--- a/src/main/java/net/ripe/rpki/web/HealthCheckController.java
+++ b/src/main/java/net/ripe/rpki/web/HealthCheckController.java
@@ -11,7 +11,7 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.servlet.ModelAndView;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.Map;
 
 @Controller
diff --git a/src/main/java/net/ripe/rpki/web/ProductionCaController.java b/src/main/java/net/ripe/rpki/web/ProductionCaController.java
index 9057ba7..255f4fe 100644
--- a/src/main/java/net/ripe/rpki/web/ProductionCaController.java
+++ b/src/main/java/net/ripe/rpki/web/ProductionCaController.java
@@ -17,10 +17,9 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.servlet.ModelAndView;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.List;
 import java.util.Optional;
-import java.util.stream.Collectors;
 
 @Controller
 @RequestMapping(ProductionCaController.PRODUCTION_CA_HISTORY)
@@ -52,7 +51,7 @@ public List<HistoryItem> historySummary() {
                 .map(caHistoryItem -> {
                     final String humanizedUserPrincipal = getHumanizedUserPrincipal(caHistoryItem);
                     return new HistoryItem(humanizedUserPrincipal, caHistoryItem);
-                }).collect(Collectors.toList());
+                }).toList();
     }
 
     private String getHumanizedUserPrincipal(CertificateAuthorityHistoryItem historyItem) {
diff --git a/src/main/java/net/ripe/rpki/web/ResourceCacheController.java b/src/main/java/net/ripe/rpki/web/ResourceCacheController.java
index 408324e..1758c1a 100644
--- a/src/main/java/net/ripe/rpki/web/ResourceCacheController.java
+++ b/src/main/java/net/ripe/rpki/web/ResourceCacheController.java
@@ -13,8 +13,8 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.servlet.ModelAndView;
 
-import javax.inject.Inject;
-import javax.inject.Named;
+import jakarta.inject.Inject;
+import jakarta.inject.Named;
 import java.time.Instant;
 import java.util.*;
 
diff --git a/src/main/java/net/ripe/rpki/web/UpstreamCaController.java b/src/main/java/net/ripe/rpki/web/UpstreamCaController.java
index 867e181..940a294 100644
--- a/src/main/java/net/ripe/rpki/web/UpstreamCaController.java
+++ b/src/main/java/net/ripe/rpki/web/UpstreamCaController.java
@@ -24,7 +24,7 @@
 import org.springframework.web.servlet.mvc.support.RedirectAttributes;
 import org.springframework.web.servlet.view.RedirectView;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import javax.security.auth.x500.X500Principal;
 import java.util.*;
 import java.util.function.Function;
diff --git a/src/main/resources/application-local.yml b/src/main/resources/application-local.yml
index 760dd55..971648d 100644
--- a/src/main/resources/application-local.yml
+++ b/src/main/resources/application-local.yml
@@ -10,6 +10,10 @@ keystore:
 instance.name: local
 system.setup.and.testing.api.enabled: true
 
+# **Disable** authentication for the administration web UI.
+admin.authorization.enabled: false
+
+
 # local setup should not be able to deliver mail by default.
 mail:
     host: localhost
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 1ba1aa5..978f15e 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -16,11 +16,8 @@ server:
         context-path: /certification
     shutdown: graceful
 
-# The role required for the administration web UI. Use
-# `ROLE_ANONYMOUS` if no authorization is required (development),
-# otherwise use ROLE_USER. Ensure the RPKI application is assigned to
-# the user/group so in the Oauth2 provider.
-authorization.admin.role: ROLE_USER
+# Enable authentication for the administration web UI.
+admin.authorization.enabled: true
 
 spring:
     main.banner-mode: 'off'
@@ -37,7 +34,7 @@ spring:
             connection-timeout: 5000
             transaction-isolation: TRANSACTION_REPEATABLE_READ
     jpa:
-        database-platform: org.hibernate.dialect.PostgreSQL10Dialect
+        database-platform: org.hibernate.dialect.PostgreSQLDialect
         generate-ddl: false
         hibernate.ddl-auto: validate
         open-in-view: false
diff --git a/src/main/resources/db/migration/V131__roaconfiguration_prefixes_hibernate6_enum_mapped_as_smallint.sql b/src/main/resources/db/migration/V131__roaconfiguration_prefixes_hibernate6_enum_mapped_as_smallint.sql
new file mode 100644
index 0000000..8091ed1
--- /dev/null
+++ b/src/main/resources/db/migration/V131__roaconfiguration_prefixes_hibernate6_enum_mapped_as_smallint.sql
@@ -0,0 +1,2 @@
+--- https://github.com/hibernate/hibernate-orm/blob/6.1/migration-guide.adoc#enum-mapping-changes
+ALTER TABLE roaconfiguration_prefixes ALTER COLUMN prefix_type_id TYPE smallint;
\ No newline at end of file
diff --git a/src/test/java/net/ripe/rpki/application/impl/CommandAuditServiceBeanTest.java b/src/test/java/net/ripe/rpki/application/impl/CommandAuditServiceBeanTest.java
index 5dd8b29..127a14b 100644
--- a/src/test/java/net/ripe/rpki/application/impl/CommandAuditServiceBeanTest.java
+++ b/src/test/java/net/ripe/rpki/application/impl/CommandAuditServiceBeanTest.java
@@ -12,7 +12,7 @@
 import org.junit.Test;
 import org.springframework.transaction.annotation.Transactional;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
diff --git a/src/test/java/net/ripe/rpki/bgpris/riswhois/RisWhoisFetcherTest.java b/src/test/java/net/ripe/rpki/bgpris/riswhois/RisWhoisFetcherTest.java
index d3fa63f..9ae1aff 100644
--- a/src/test/java/net/ripe/rpki/bgpris/riswhois/RisWhoisFetcherTest.java
+++ b/src/test/java/net/ripe/rpki/bgpris/riswhois/RisWhoisFetcherTest.java
@@ -1,53 +1,39 @@
 package net.ripe.rpki.bgpris.riswhois;
 
-import org.apache.commons.io.IOUtils;
-import org.eclipse.jetty.server.Handler;
-import org.eclipse.jetty.server.Request;
-import org.eclipse.jetty.server.Server;
-import org.eclipse.jetty.server.handler.AbstractHandler;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
+import com.github.tomakehurst.wiremock.junit5.WireMockRuntimeInfo;
+import com.github.tomakehurst.wiremock.junit5.WireMockTest;
+import org.apache.commons.lang3.RandomStringUtils;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 
-import static org.junit.Assert.assertTrue;
+import java.io.IOException;
 
+import static com.github.tomakehurst.wiremock.client.WireMock.*;
+import static org.assertj.core.api.Assertions.assertThat;
 
-public class RisWhoisFetcherTest {
 
-    private RisWhoisFetcher subject;
+@WireMockTest
+class RisWhoisFetcherTest {
+    byte[] risDumpContent;
 
-    private Server server;
+    RisWhoisFetcher subject;
 
-    @Before
-    public void setupJetty() throws Exception {
+    @BeforeEach
+    void setup() throws Exception {
         subject = new RisWhoisFetcher();
-        server = new Server(39443);
-        Handler handler = new AbstractHandler() {
-            @Override
-            public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException {
-                response.setContentType("application/x-gzip");
-                response.setStatus(HttpServletResponse.SC_OK);
-                IOUtils.copy(RisWhoisFetcherTest.class.getResourceAsStream("/static/riswhois/riswhoisdump-head-1000.IPv4.gz"), response.getOutputStream());
-                ((Request) request).setHandled(true);
-            }
-        };
-        server.setHandler(handler);
-        server.start();
-    }
 
-    @After
-    public void cleanup() throws Exception {
-        server.stop();
+        risDumpContent = RisWhoisFetcherTest.class.getResourceAsStream("/static/riswhois/riswhoisdump-head-1000.IPv4.gz").readAllBytes();
     }
-
     @Test
-    public void test() throws Exception {
-        String data = subject.fetch("http://localhost:39443/");
-        assertTrue(data, data.contains("45528\t1.22.52.0/23\t99"));
-    }
+    void testFetch(WireMockRuntimeInfo wmRuntimeInfo) throws IOException {
+        var path = "/" + RandomStringUtils.randomAlphanumeric(16) + ".gz";
+
+        stubFor(
+                get(urlEqualTo(path))
+                .willReturn(aResponse().withBody(risDumpContent))
+        );
 
+        String data = subject.fetch(wmRuntimeInfo.getHttpBaseUrl() + path);
+        assertThat(data).contains("45528\t1.22.52.0/23\t99");
+    }
 }
diff --git a/src/test/java/net/ripe/rpki/config/OpenAPIConfigTest.java b/src/test/java/net/ripe/rpki/config/OpenAPIConfigTest.java
index 76001bb..f9c9050 100644
--- a/src/test/java/net/ripe/rpki/config/OpenAPIConfigTest.java
+++ b/src/test/java/net/ripe/rpki/config/OpenAPIConfigTest.java
@@ -2,7 +2,6 @@
 
 import io.swagger.v3.oas.models.OpenAPI;
 import io.swagger.v3.oas.models.info.Contact;
-import io.swagger.v3.oas.models.info.Info;
 import io.swagger.v3.oas.models.security.SecurityScheme;
 import lombok.Data;
 import org.junit.jupiter.api.Test;
@@ -11,7 +10,7 @@
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 import static net.ripe.rpki.RpkiBootApplication.API_KEY_REFERENCE;
 import static net.ripe.rpki.RpkiBootApplication.USER_ID_REFERENCE;
diff --git a/src/test/java/net/ripe/rpki/core/read/services/ca/CertificateAuthorityViewServiceImplTest.java b/src/test/java/net/ripe/rpki/core/read/services/ca/CertificateAuthorityViewServiceImplTest.java
index 0477351..897a774 100644
--- a/src/test/java/net/ripe/rpki/core/read/services/ca/CertificateAuthorityViewServiceImplTest.java
+++ b/src/test/java/net/ripe/rpki/core/read/services/ca/CertificateAuthorityViewServiceImplTest.java
@@ -3,15 +3,16 @@
 import net.ripe.ipresource.ImmutableResourceSet;
 import net.ripe.rpki.commons.provisioning.x509.ProvisioningIdentityCertificateBuilderTest;
 import net.ripe.rpki.domain.*;
+import net.ripe.rpki.server.api.commands.*;
 import net.ripe.rpki.server.api.services.read.CertificateAuthorityViewService;
 import org.joda.time.Duration;
 import org.joda.time.Instant;
 import org.junit.Test;
 
-import javax.inject.Inject;
-import javax.persistence.EntityNotFoundException;
+import jakarta.inject.Inject;
+import jakarta.persistence.EntityNotFoundException;
 import javax.security.auth.x500.X500Principal;
-import javax.transaction.Transactional;
+import jakarta.transaction.Transactional;
 import java.util.Optional;
 import java.util.UUID;
 
@@ -105,4 +106,18 @@ public void findNonHostedPublisherRepositoriesFailed() {
                 .hasMessageContaining("non-hosted CA '" + principal.getName() + "' not found");
 
     }
+
+    /**
+     * The {@link CertificateAuthorityViewService#getCaStats()} function makes assumptions about a number of constant
+     * strings in the audit log. Check this invariant.
+     */
+
+    @Test
+    public void testGetCaEventStatsMagicConstants() {
+        assertThat(UpdateRoaConfigurationCommand.class.getSimpleName()).isEqualTo("UpdateRoaConfigurationCommand");
+        assertThat(ActivateHostedCertificateAuthorityCommand.class.getSimpleName()).isEqualTo("ActivateHostedCertificateAuthorityCommand");
+        assertThat(ActivateNonHostedCertificateAuthorityCommand.class.getSimpleName()).isEqualTo("ActivateNonHostedCertificateAuthorityCommand");
+        assertThat(DeleteCertificateAuthorityCommand.class.getSimpleName()).isEqualTo("DeleteCertificateAuthorityCommand");
+        assertThat(DeleteNonHostedCertificateAuthorityCommand.class.getSimpleName()).isEqualTo("DeleteNonHostedCertificateAuthorityCommand");
+    }
 }
diff --git a/src/test/java/net/ripe/rpki/core/read/services/ca/CertificateAuthorityViewServiceStatisticsTest.java b/src/test/java/net/ripe/rpki/core/read/services/ca/CertificateAuthorityViewServiceStatisticsTest.java
new file mode 100644
index 0000000..ce004d9
--- /dev/null
+++ b/src/test/java/net/ripe/rpki/core/read/services/ca/CertificateAuthorityViewServiceStatisticsTest.java
@@ -0,0 +1,164 @@
+package net.ripe.rpki.core.read.services.ca;
+
+import com.google.common.collect.Lists;
+import net.ripe.ipresource.Asn;
+import net.ripe.ipresource.IpRange;
+import net.ripe.rpki.commons.util.VersionedId;
+import net.ripe.rpki.domain.CertificationDomainTestCase;
+import net.ripe.rpki.domain.HostedCertificateAuthority;
+import net.ripe.rpki.domain.ProductionCertificateAuthority;
+import net.ripe.rpki.domain.roa.RoaConfigurationPrefix;
+import net.ripe.rpki.domain.roa.RoaConfigurationRepository;
+import net.ripe.rpki.ripencc.cache.JpaResourceCacheImpl;
+import net.ripe.rpki.server.api.commands.UpdateAllIncomingResourceCertificatesCommand;
+import net.ripe.rpki.server.api.commands.UpdateRoaConfigurationCommand;
+import net.ripe.rpki.server.api.dto.CaStatRoaEvent;
+import net.ripe.rpki.server.api.services.read.CertificateAuthorityViewService;
+import net.ripe.rpki.server.api.support.objects.CaName;
+import org.apache.commons.lang3.tuple.Pair;
+import org.assertj.core.api.InstanceOfAssertFactories;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.transaction.annotation.Transactional;
+
+import javax.security.auth.x500.X500Principal;
+import java.security.SecureRandom;
+import java.util.List;
+import java.util.Optional;
+import java.util.UUID;
+import java.util.stream.Collectors;
+import java.util.stream.IntStream;
+
+import static net.ripe.ipresource.ImmutableResourceSet.parse;
+import static org.assertj.core.api.Assertions.as;
+import static org.assertj.core.api.Assertions.assertThat;
+
+@Transactional
+public class CertificateAuthorityViewServiceStatisticsTest extends CertificationDomainTestCase {
+    private static final long HOSTED_CA_ID = 8L;
+
+    private static final X500Principal CHILD_CA_NAME = new X500Principal("CN=child");
+
+    // Needs to contain non-private ASNs because command is validated
+    private static final List<RoaConfigurationPrefix> ALL_ROA_CONFIGURATIONS = Lists.newArrayList(
+            // The allocation
+            new RoaConfigurationPrefix(Asn.parse("1"), IpRange.parse("fc00::/8")),
+            // And two for the same AS in the first half
+            new RoaConfigurationPrefix(Asn.parse("2"), IpRange.parse("fc20::/11")),
+            new RoaConfigurationPrefix(Asn.parse("3"), IpRange.parse("fc20::/11")),
+            // As well as in the latter half
+            new RoaConfigurationPrefix(Asn.parse("4"), IpRange.parse("fc80::/11")),
+            new RoaConfigurationPrefix(Asn.parse("5"), IpRange.parse("fc80::/11"))
+    );
+
+    @Autowired
+    private JpaResourceCacheImpl resourceCache;
+
+    @Autowired
+    private RoaConfigurationRepository roaConfigurationRepository;
+
+    @Autowired
+    private CertificateAuthorityViewService subject;
+    private ProductionCertificateAuthority parent;
+    private HostedCertificateAuthority child;
+
+    @Before
+    public void setUp() {
+        clearDatabase();
+
+        parent = createInitializedAllResourcesAndProductionCertificateAuthority();
+
+        child = new HostedCertificateAuthority(HOSTED_CA_ID, CHILD_CA_NAME, UUID.randomUUID(), parent);
+        certificateAuthorityRepository.add(child);
+
+        // Add the ROA configuration
+        var ca = certificateAuthorityRepository.findManagedCa(HOSTED_CA_ID);
+        var roaConfiguration = roaConfigurationRepository.getOrCreateByCertificateAuthority(ca);
+        roaConfiguration.addPrefix(ALL_ROA_CONFIGURATIONS);
+
+        resourceCache.updateEntry(CaName.of(CHILD_CA_NAME), parse("fc00::/8"));
+        execute(new UpdateAllIncomingResourceCertificatesCommand(new VersionedId(HOSTED_CA_ID, VersionedId.INITIAL_VERSION), Integer.MAX_VALUE));
+    }
+
+    private Pair<X500Principal, Long> createAnotherCa(int roaCount) {
+        var randomId = HOSTED_CA_ID + new SecureRandom().nextLong(1<<60);
+        // Add another CA with ROAs
+        final var secondChildCaName = new X500Principal("CN=" + randomId);
+
+        var secondChild = new HostedCertificateAuthority(randomId, secondChildCaName, UUID.randomUUID(), parent);
+        certificateAuthorityRepository.add(secondChild);
+
+        // Add the ROA configuration
+        var ca = certificateAuthorityRepository.findManagedCa(randomId);
+        var roaConfiguration = roaConfigurationRepository.getOrCreateByCertificateAuthority(ca);
+
+        var randomRoas = IntStream.range(0, roaCount)
+                .mapToObj(i -> new RoaConfigurationPrefix(Asn.parse(Integer.toString(65443 + i)), IpRange.parse("192.0.2.0/24"))
+                ).collect(Collectors.toList());
+
+        roaConfiguration.addPrefix(randomRoas);
+
+        resourceCache.updateEntry(CaName.of(secondChildCaName), parse("192.0.2.0/24"));
+        execute(new UpdateAllIncomingResourceCertificatesCommand(new VersionedId(randomId, VersionedId.INITIAL_VERSION), Integer.MAX_VALUE));
+
+        return Pair.of(secondChildCaName, randomId);
+    }
+
+    @Test
+    public void testGetCaStat() {
+        assertThat(subject.getCaStats())
+                .hasSize(1)
+                .allMatch(ca -> ca.caName.equals(CHILD_CA_NAME.getName()));
+
+        var second = createAnotherCa(42);
+        // Should have two CAs, one of which as 42 ROAs
+        assertThat(subject.getCaStats())
+                .hasSize(2)
+                .anyMatch(thatCa -> second.getKey().getName().equals(thatCa.caName) && thatCa.roas == 42);
+
+        var third = createAnotherCa(0);
+        assertThat(subject.getCaStats())
+                .hasSize(3)
+                .anyMatch(thatCa -> third.getKey().getName().equals(thatCa.caName) && thatCa.roas == 0);
+
+        // Clear -> 0
+        clearDatabase();
+        assertThat(subject.getCaStats()).isEmpty();
+    }
+
+    @Test
+    public void testGetCaStatEvents() {
+        // Initially we have the all resources CA
+        assertThat(subject.getCaStatEvents())
+                .hasSize(0);
+
+        // Deletion is tracked
+        commandService.execute(new UpdateRoaConfigurationCommand(
+                child.getVersionedId(), Optional.empty(),
+                List.of(),
+                ALL_ROA_CONFIGURATIONS.stream().map(ca -> ca.toData()).collect(Collectors.toList()))
+        );
+
+        assertThat(subject.getCaStatEvents())
+                .asInstanceOf(InstanceOfAssertFactories.list(CaStatRoaEvent.class))
+                .hasSize(1)
+                // recall: DTO uses a nullable integer
+                .anyMatch(elem -> child.getName().getName().equals(elem.caName) && Integer.valueOf(ALL_ROA_CONFIGURATIONS.size()).equals(elem.roasDeleted));
+
+        // (Re-addition) is tracked
+        commandService.execute(new UpdateRoaConfigurationCommand(
+                child.getVersionedId(), Optional.empty(),
+                ALL_ROA_CONFIGURATIONS.stream().map(ca -> ca.toData()).collect(Collectors.toList()),
+                List.of())
+        );
+        assertThat(subject.getCaStatEvents())
+                .asInstanceOf(InstanceOfAssertFactories.list(CaStatRoaEvent.class))
+                .hasSize(2)
+                .anyMatch(elem -> child.getName().getName().equals(elem.caName) && Integer.valueOf(ALL_ROA_CONFIGURATIONS.size()).equals(elem.roasAdded));
+
+        // Clear -> 0
+        clearDatabase();
+        assertThat(subject.getCaStats()).isEmpty();
+    }
+}
\ No newline at end of file
diff --git a/src/test/java/net/ripe/rpki/core/read/services/cert/ResourceCertificateViewServiceImplTest.java b/src/test/java/net/ripe/rpki/core/read/services/cert/ResourceCertificateViewServiceImplTest.java
index bddb9ff..5880c71 100644
--- a/src/test/java/net/ripe/rpki/core/read/services/cert/ResourceCertificateViewServiceImplTest.java
+++ b/src/test/java/net/ripe/rpki/core/read/services/cert/ResourceCertificateViewServiceImplTest.java
@@ -5,8 +5,8 @@
 import net.ripe.rpki.server.api.services.read.ResourceCertificateViewService;
 import org.junit.Test;
 
-import javax.inject.Inject;
-import javax.transaction.Transactional;
+import jakarta.inject.Inject;
+import jakarta.transaction.Transactional;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
diff --git a/src/test/java/net/ripe/rpki/core/services/background/SequentialBackgroundQueuedTaskRunnerTest.java b/src/test/java/net/ripe/rpki/core/services/background/SequentialBackgroundQueuedTaskRunnerTest.java
index 016032e..2ec447e 100644
--- a/src/test/java/net/ripe/rpki/core/services/background/SequentialBackgroundQueuedTaskRunnerTest.java
+++ b/src/test/java/net/ripe/rpki/core/services/background/SequentialBackgroundQueuedTaskRunnerTest.java
@@ -98,7 +98,7 @@ public void should_run_many_tasks_sequentially() throws InterruptedException {
 
         start.countDown();
         assertThat(done.await(1, TimeUnit.SECONDS)).isTrue();
-        assertThat(data).isEqualTo(Stream.iterate(0, x -> x + 1).limit(threadCount).collect(Collectors.toList()));
+        assertThat(data).isEqualTo(Stream.iterate(0, x -> x + 1).limit(threadCount).toList());
     }
 
     @Test
diff --git a/src/test/java/net/ripe/rpki/core/write/services/command/CommandServiceImplTest.java b/src/test/java/net/ripe/rpki/core/write/services/command/CommandServiceImplTest.java
index c1f23b9..4d607a4 100644
--- a/src/test/java/net/ripe/rpki/core/write/services/command/CommandServiceImplTest.java
+++ b/src/test/java/net/ripe/rpki/core/write/services/command/CommandServiceImplTest.java
@@ -21,7 +21,7 @@
 import org.springframework.transaction.support.TransactionCallback;
 import org.springframework.transaction.support.TransactionTemplate;
 
-import javax.persistence.OptimisticLockException;
+import jakarta.persistence.OptimisticLockException;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
@@ -59,7 +59,7 @@ public void setUp() {
         final TransactionTemplate transactionTemplate = new TransactionTemplate() {
             @Override
             public <T> T execute(TransactionCallback<T> action) throws TransactionException {
-                transactionStatuses.add(new DefaultTransactionStatus(null,true,true,true,true,null));
+                transactionStatuses.add(new DefaultTransactionStatus("CommandServiceImplTest", null,true,true, false, true,true,null));
                 return action.doInTransaction(transactionStatuses.get(transactionStatuses.size()-1));
             }
         };
diff --git a/src/test/java/net/ripe/rpki/domain/CertificationDomainTestCase.java b/src/test/java/net/ripe/rpki/domain/CertificationDomainTestCase.java
index 095a2d7..0867df8 100644
--- a/src/test/java/net/ripe/rpki/domain/CertificationDomainTestCase.java
+++ b/src/test/java/net/ripe/rpki/domain/CertificationDomainTestCase.java
@@ -10,10 +10,12 @@
 import net.ripe.rpki.domain.manifest.ManifestEntityRepository;
 import net.ripe.rpki.domain.manifest.ManifestPublicationService;
 import net.ripe.rpki.domain.signing.CertificateRequestCreationService;
+import net.ripe.rpki.server.api.commands.CertificateAuthorityCommand;
 import net.ripe.rpki.server.api.configuration.Environment;
 import net.ripe.rpki.server.api.configuration.RepositoryConfiguration;
 import net.ripe.rpki.server.api.ports.ResourceCache;
 import net.ripe.rpki.server.api.services.command.CommandService;
+import net.ripe.rpki.server.api.services.command.CommandStatus;
 import net.ripe.rpki.server.api.support.objects.CaName;
 import org.junit.Before;
 import org.junit.runner.RunWith;
@@ -23,8 +25,8 @@
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.transaction.support.TransactionTemplate;
 
-import javax.inject.Named;
-import javax.persistence.EntityManager;
+import jakarta.inject.Named;
+import jakarta.persistence.EntityManager;
 import java.util.Map;
 import java.util.UUID;
 import java.util.function.Supplier;
@@ -105,7 +107,7 @@ public void setupTest() {
 
     protected void clearDatabase() {
         // Clean the test database. Note that this is not transactional, but the test database should be empty anyway.
-        entityManager.createNativeQuery("TRUNCATE TABLE certificateauthority, ta_published_object, resource_cache CASCADE").executeUpdate();
+        entityManager.createNativeQuery("TRUNCATE TABLE certificateauthority, commandaudit, ta_published_object, resource_cache CASCADE").executeUpdate();
         resourceCache.populateCache(Map.of(CaName.of(repositoryConfiguration.getProductionCaPrincipal()), ImmutableResourceSet.ALL_PRIVATE_USE_RESOURCES));
     }
 
@@ -144,13 +146,13 @@ protected KeyPairEntity issueCertificateForNewKey(ManagedCertificateAuthority pa
     }
 
     public ProductionCertificateAuthority createInitialisedProdCaWithRipeResources() {
-        ProductionCertificateAuthority ca = TestObjects.createInitialisedProdCaWithRipeResources(resourceCertificateRepository, repositoryConfiguration);
+        ProductionCertificateAuthority ca = TestObjects.createInitialisedProdCaWithRipeResources(certificateAuthorityRepository, resourceCertificateRepository, repositoryConfiguration);
         certificateAuthorityRepository.add(ca);
         return ca;
     }
 
     public KeyPairEntity createInitialisedProductionCaKeyPair(ProductionCertificateAuthority ca, String keyPairName) {
-        return TestObjects.createInitialisedKeyPair(resourceCertificateRepository, repositoryConfiguration, ca, keyPairName);
+        return TestObjects.createInitialisedKeyPair(certificateAuthorityRepository, resourceCertificateRepository, repositoryConfiguration, ca, keyPairName);
     }
 
     protected void inTx(Runnable r) {
@@ -169,4 +171,12 @@ protected CertificateAuthority createCaIfDoesntExist(CertificateAuthority ca) {
         }
         return existing;
     }
+
+    protected CommandStatus execute(CertificateAuthorityCommand command) {
+        try {
+            return commandService.execute(command);
+        } finally {
+            entityManager.flush();
+        }
+    }
 }
diff --git a/src/test/java/net/ripe/rpki/domain/TestObjects.java b/src/test/java/net/ripe/rpki/domain/TestObjects.java
index c72cea6..346b617 100644
--- a/src/test/java/net/ripe/rpki/domain/TestObjects.java
+++ b/src/test/java/net/ripe/rpki/domain/TestObjects.java
@@ -6,6 +6,7 @@
 import net.ripe.rpki.commons.crypto.util.KeyPairFactoryTest;
 import net.ripe.rpki.commons.crypto.x509cert.X509CertificateInformationAccessDescriptor;
 import net.ripe.rpki.commons.provisioning.x509.pkcs10.RpkiCaCertificateRequestBuilder;
+import net.ripe.rpki.domain.inmemory.InMemoryCertificateAuthorityRepository;
 import net.ripe.rpki.domain.inmemory.InMemoryResourceCertificateRepository;
 import net.ripe.rpki.domain.interca.CertificateIssuanceResponse;
 import net.ripe.rpki.hsm.Keys;
@@ -178,19 +179,21 @@ public static ResourceCertificateBuilder createBuilder(KeyPairEntity signingKeyP
     public static ProductionCertificateAuthority createInitialisedProdCaWithRipeResources() {
         RepositoryConfiguration certificationConfiguration = mock(RepositoryConfiguration.class);
         when(certificationConfiguration.getPublicRepositoryUri()).thenReturn(BASE_URI);
-        return createInitialisedProdCaWithRipeResources(new InMemoryResourceCertificateRepository(), certificationConfiguration);
+        return createInitialisedProdCaWithRipeResources(new InMemoryCertificateAuthorityRepository(), new InMemoryResourceCertificateRepository(), certificationConfiguration);
     }
 
-    public static ProductionCertificateAuthority createInitialisedProdCaWithRipeResources(ResourceCertificateRepository resourceCertificateRepository, RepositoryConfiguration certificationConfiguration) {
+    public static ProductionCertificateAuthority createInitialisedProdCaWithRipeResources(CertificateAuthorityRepository certificateAuthorityRepository, ResourceCertificateRepository resourceCertificateRepository, RepositoryConfiguration certificationConfiguration) {
         ProductionCertificateAuthority ca = new ProductionCertificateAuthority(CA_ID, PRODUCTION_CA_NAME, UUID.randomUUID(), null);
-        createInitialisedKeyPair(resourceCertificateRepository, certificationConfiguration, ca, "TEST-KEY");
+        createInitialisedKeyPair(certificateAuthorityRepository, resourceCertificateRepository, certificationConfiguration, ca, "TEST-KEY");
         Validate.isTrue(ca.hasCurrentKeyPair());
         return ca;
     }
 
-    static KeyPairEntity createInitialisedKeyPair(ResourceCertificateRepository resourceCertificateRepository, RepositoryConfiguration certificationConfiguration, ProductionCertificateAuthority ca, String name) {
+    static KeyPairEntity createInitialisedKeyPair(CertificateAuthorityRepository certificateAuthorityRepository, ResourceCertificateRepository resourceCertificateRepository, RepositoryConfiguration certificationConfiguration, ProductionCertificateAuthority ca, String name) {
         KeyPairEntity kp = createTestKeyPair(name);
         ca.addKeyPair(kp);
+        // Implicitly persists the keypair before it is used in a outgoing resource certificate
+        certificateAuthorityRepository.add(ca);
         issueSelfSignedCertificates(resourceCertificateRepository, certificationConfiguration, ca);
         return kp;
     }
diff --git a/src/test/java/net/ripe/rpki/domain/alerts/RoaAlertMaintenanceServiceBeanTest.java b/src/test/java/net/ripe/rpki/domain/alerts/RoaAlertMaintenanceServiceBeanTest.java
index 2a62fb9..f603cb9 100644
--- a/src/test/java/net/ripe/rpki/domain/alerts/RoaAlertMaintenanceServiceBeanTest.java
+++ b/src/test/java/net/ripe/rpki/domain/alerts/RoaAlertMaintenanceServiceBeanTest.java
@@ -21,9 +21,8 @@
 import org.springframework.beans.factory.annotation.Autowired;
 
 import javax.security.auth.x500.X500Principal;
-import javax.transaction.Transactional;
+import jakarta.transaction.Transactional;
 import java.util.*;
-import java.util.stream.Collectors;
 
 import static net.ripe.ipresource.ImmutableResourceSet.parse;
 import static net.ripe.rpki.commons.validation.roa.RouteValidityState.*;
@@ -37,7 +36,7 @@ public class RoaAlertMaintenanceServiceBeanTest extends CertificationDomainTestC
     private static final X500Principal CHILD_CA_NAME = new X500Principal("CN=child");
     public static final ImmutableResourceSet INITIAL_CHILD_RESOURCES = parse("fc00::/8");
 
-    private static List<AnnouncedRoute> ALL_ROUTES = Lists.newArrayList(
+    private static final List<AnnouncedRoute> ALL_ROUTES = Lists.newArrayList(
             // The /7 private use resource - less specific than allocation
             new AnnouncedRoute(Asn.parse("64496"), IpRange.parse("fc00::/7")),
             // The allocation
@@ -128,8 +127,7 @@ public void should_remove_alerts_out_of_resources_when_resources_contract() {
                 .map(ig -> ig.toData())
                 .containsExactlyInAnyOrderElementsOf(
                         ALL_ROUTES.stream()
-                                .filter(r -> !IpRange.parse("fc80::/9").contains(r.getPrefix()))
-                                .collect(Collectors.toList())
+                                .filter(r -> !IpRange.parse("fc80::/9").contains(r.getPrefix())).toList()
                 )
                 .hasSize(4);
 
@@ -150,12 +148,4 @@ public void should_remove_alerts_out_of_resources_when_resources_are_removed() {
                 .extracting(RoaAlertConfiguration::getIgnored, InstanceOfAssertFactories.ITERABLE)
                 .isEmpty();
     }
-
-    private CommandStatus execute(CertificateAuthorityCommand command) {
-        try {
-            return subject.execute(command);
-        } finally {
-            entityManager.flush();
-        }
-    }
 }
diff --git a/src/test/java/net/ripe/rpki/domain/inmemory/InMemoryCertificateAuthorityRepository.java b/src/test/java/net/ripe/rpki/domain/inmemory/InMemoryCertificateAuthorityRepository.java
new file mode 100644
index 0000000..ca66be0
--- /dev/null
+++ b/src/test/java/net/ripe/rpki/domain/inmemory/InMemoryCertificateAuthorityRepository.java
@@ -0,0 +1,101 @@
+package net.ripe.rpki.domain.inmemory;
+
+import jakarta.persistence.LockModeType;
+import net.ripe.rpki.domain.*;
+import net.ripe.rpki.ripencc.support.persistence.InMemoryRepository;
+import net.ripe.rpki.server.api.dto.CaStat;
+import net.ripe.rpki.server.api.dto.CaStatEvent;
+import org.joda.time.DateTime;
+
+import javax.security.auth.x500.X500Principal;
+import java.util.Collection;
+import java.util.List;
+import java.util.Optional;
+import java.util.UUID;
+
+public class InMemoryCertificateAuthorityRepository  extends InMemoryRepository<CertificateAuthority> implements CertificateAuthorityRepository {
+    @Override
+    public CertificateAuthority findByName(X500Principal name) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public <T extends CertificateAuthority> T findByTypeAndName(Class<T> type, X500Principal name) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public <T extends CertificateAuthority> T findByTypeAndUuid(Class<T> type, UUID uuid, LockModeType lockModeType) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public ProductionCertificateAuthority findRootCAByName(X500Principal name) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public AllResourcesCertificateAuthority findAllResourcesCAByName(X500Principal name) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public Collection<CertificateAuthority> findAllByParent(ParentCertificateAuthority parent) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public ManagedCertificateAuthority findManagedCa(Long id) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public NonHostedCertificateAuthority findNonHostedCa(Long id) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public Collection<CaStat> getCAStats() {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public Collection<CaStatEvent> getCAStatEvents() {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public List<ManagedCertificateAuthority> findAllWithManifestsExpiringBefore(DateTime notValidAfterCutoff, int maxResult) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public Collection<ManagedCertificateAuthority> findAllWithOutdatedManifests(boolean includeUpdatedConfiguration, DateTime nextUpdateCutoff, int maxResults) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public int deleteNonHostedPublicKeysWithoutSigningCertificates() {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public Collection<ManagedCertificateAuthority> getCasWithoutKeyPairsAndRoaConfigurationsAndUserActivityDuringTheLastYear() {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public Optional<IntermediateCertificateAuthority> findSmallestIntermediateCA(X500Principal productionCaName) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public Class<CertificateAuthority> getEntityClass() {
+        return CertificateAuthority.class;
+    }
+
+    @Override
+    public void removeAll() {
+        throw new UnsupportedOperationException();
+    }
+}
diff --git a/src/test/java/net/ripe/rpki/domain/roa/RoaConfigurationMaintenanceServiceTest.java b/src/test/java/net/ripe/rpki/domain/roa/RoaConfigurationMaintenanceServiceTest.java
index cc926df..4807542 100644
--- a/src/test/java/net/ripe/rpki/domain/roa/RoaConfigurationMaintenanceServiceTest.java
+++ b/src/test/java/net/ripe/rpki/domain/roa/RoaConfigurationMaintenanceServiceTest.java
@@ -19,12 +19,11 @@
 import org.springframework.beans.factory.annotation.Autowired;
 
 import javax.security.auth.x500.X500Principal;
-import javax.transaction.Transactional;
+import jakarta.transaction.Transactional;
 import java.util.Collection;
 import java.util.List;
 import java.util.Optional;
 import java.util.UUID;
-import java.util.stream.Collectors;
 
 import static net.ripe.ipresource.ImmutableResourceSet.parse;
 import static org.assertj.core.api.Assertions.assertThat;
@@ -51,9 +50,6 @@ public class RoaConfigurationMaintenanceServiceTest extends CertificationDomainT
     @Autowired
     private JpaResourceCacheImpl resourceCache;
 
-    @Autowired
-    private CommandService subject;
-
     @Autowired
     private RoaConfigurationRepository roaConfigurationRepository;
 
@@ -122,8 +118,7 @@ public void should_remove_roa_configurations_out_of_resources_when_resources_con
         assertThat(roaConfiguration.getPrefixes())
                 .containsExactlyInAnyOrderElementsOf(
                         ALL_ROA_CONFIGURATIONS.stream()
-                        .filter(r -> IpRange.parse("fc00::/9").contains(r.getPrefix()))
-                        .collect(Collectors.toList())
+                                .filter(r -> IpRange.parse("fc00::/9").contains(r.getPrefix())).toList()
                 )
                 .hasSize(2);
 
@@ -142,12 +137,4 @@ public void should_remove_roa_prefixes_when_resources_are_removed() {
         assertThat(roaConfigurationRepository.findByCertificateAuthority(child))
                 .hasValueSatisfying(config -> assertThat(config.getPrefixes()).isEmpty());
     }
-
-    private CommandStatus execute(CertificateAuthorityCommand command) {
-        try {
-            return subject.execute(command);
-        } finally {
-            entityManager.flush();
-        }
-    }
 }
diff --git a/src/test/java/net/ripe/rpki/domain/rta/UpStreamCARequestEntityTest.java b/src/test/java/net/ripe/rpki/domain/rta/UpStreamCARequestEntityTest.java
index 9948335..6972495 100644
--- a/src/test/java/net/ripe/rpki/domain/rta/UpStreamCARequestEntityTest.java
+++ b/src/test/java/net/ripe/rpki/domain/rta/UpStreamCARequestEntityTest.java
@@ -6,8 +6,7 @@
 import net.ripe.rpki.commons.ta.domain.request.SigningRequest;
 import net.ripe.rpki.commons.ta.domain.request.TaRequest;
 import net.ripe.rpki.commons.ta.domain.request.TrustAnchorRequest;
-import org.junit.Ignore;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.springframework.util.ReflectionUtils;
 
 import java.lang.reflect.Field;
@@ -16,13 +15,12 @@
 import java.util.List;
 import java.util.UUID;
 
-import static org.junit.Assert.*;
+import static org.assertj.core.api.Assertions.assertThat;
 
 
 public class UpStreamCARequestEntityTest {
 
     @Test
-    @Ignore ("the test should not look at the instance")
     public void shouldUnderstandRevokeKey() {
         RevocationRequest revokeRequest = new RevocationRequest("test resource class", "CN=whoevah");
         List<TaRequest> requests = new ArrayList<>();
@@ -32,8 +30,8 @@ public void shouldUnderstandRevokeKey() {
 
         UpStreamCARequestEntity subject = new UpStreamCARequestEntity(null, trustAnchorRequest);
 
-        TrustAnchorRequest actual = subject.getUpStreamCARequest();
-        assertEquals(trustAnchorRequest, actual);
+        // No equals on TrustAnchorRequest
+        assertThat(subject.getUpStreamCARequest()).usingRecursiveComparison().isEqualTo(trustAnchorRequest);
     }
 
     @Test
@@ -52,14 +50,13 @@ public void shouldParseOldStoredUpstreamCARequest() {
                 "</net.ripe.rpki.offline.requests.TrustAnchorRequest>";
 
         UpStreamCARequestEntity subject = mkUpstreamCARequestWithXML(request);
-        assertNotNull("Invalid UpStreamCARequest", subject.getUpStreamCARequest());
+        assertThat(subject.getUpStreamCARequest()).isNotNull().withFailMessage("Invalid UpStreamCARequest");
         TaRequest taRequest = subject.getUpStreamCARequest().getTaRequests().get(0);
-        assertEquals(requestId, taRequest.getRequestId().toString());
-        assertTrue("Parsed TA request should be a 'SigningRequest'", taRequest instanceof SigningRequest);
+        assertThat(requestId).isEqualTo(taRequest.getRequestId().toString());
+        assertThat(taRequest).isInstanceOf(SigningRequest.class).withFailMessage("Parsed TA request should be a 'SigningRequest'");
         SigningRequest signingRequest = (SigningRequest) taRequest;
-        assertTrue(
-                "Signing request should container IP resource set 193.0.0.0/8",
-                signingRequest.getResourceCertificateRequest().getIpResourceSet().contains(IpResource.parse("193.0.0.0/8"))
+        assertThat(signingRequest.getResourceCertificateRequest().getIpResourceSet()).contains(IpResource.parse("193.0.0.0/8")).withFailMessage(
+                "Signing request should container IP resource set 193.0.0.0/8"
         );
     }
 
@@ -79,7 +76,7 @@ public void shouldSerializeParsedUpstreamCARequest() {
 
         UpStreamCARequestEntity entity = mkUpstreamCARequestWithXML(request);
         UpStreamCARequestEntity subject = new UpStreamCARequestEntity(null, entity.getUpStreamCARequest());
-        assertEquals(request, getUpstreamCARequestXML(subject));
+        assertThat(request).isEqualTo(getUpstreamCARequestXML(subject));
     }
 
     private static UpStreamCARequestEntity mkUpstreamCARequestWithXML(String caRequestXml) {
@@ -97,7 +94,7 @@ private static String getUpstreamCARequestXML(UpStreamCARequestEntity entity) {
 
     private static Field upstreamCARequestField() {
         Field upStreamCARequest = ReflectionUtils.findField(UpStreamCARequestEntity.class, "upStreamCARequest", String.class);
-        assertNotNull("Field 'upStreamCARequest' of type String not found in class UpStreamCARequestEntity", upStreamCARequest);
+        assertThat(upStreamCARequest).isNotNull().withFailMessage("Field 'upStreamCARequest' of type String not found in class UpStreamCARequestEntity");
         ReflectionUtils.makeAccessible(upStreamCARequest);
         return upStreamCARequest;
     }
diff --git a/src/test/java/net/ripe/rpki/hsm/db/DatabaseKeyStorageTest.java b/src/test/java/net/ripe/rpki/hsm/db/DatabaseKeyStorageTest.java
index 9221dfb..6d78468 100644
--- a/src/test/java/net/ripe/rpki/hsm/db/DatabaseKeyStorageTest.java
+++ b/src/test/java/net/ripe/rpki/hsm/db/DatabaseKeyStorageTest.java
@@ -19,7 +19,7 @@
 import org.springframework.test.context.junit4.SpringRunner;
 
 import javax.security.auth.x500.X500Principal;
-import javax.transaction.Transactional;
+import jakarta.transaction.Transactional;
 import java.math.BigInteger;
 import java.security.KeyPair;
 import java.security.cert.Certificate;
diff --git a/src/test/java/net/ripe/rpki/offline/ra/service/TrustAnchorResponseProcessorTest.java b/src/test/java/net/ripe/rpki/offline/ra/service/TrustAnchorResponseProcessorTest.java
index 7e1a3c3..b975082 100644
--- a/src/test/java/net/ripe/rpki/offline/ra/service/TrustAnchorResponseProcessorTest.java
+++ b/src/test/java/net/ripe/rpki/offline/ra/service/TrustAnchorResponseProcessorTest.java
@@ -4,8 +4,6 @@
 import net.ripe.rpki.commons.FixedDateRule;
 import net.ripe.rpki.commons.crypto.CertificateRepositoryObject;
 import net.ripe.rpki.commons.crypto.UnknownCertificateRepositoryObject;
-import net.ripe.rpki.commons.crypto.crl.CrlLocator;
-import net.ripe.rpki.commons.crypto.crl.X509Crl;
 import net.ripe.rpki.commons.crypto.x509cert.X509CertificateInformationAccessDescriptor;
 import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate;
 import net.ripe.rpki.commons.ta.domain.request.*;
@@ -13,9 +11,6 @@
 import net.ripe.rpki.commons.ta.domain.response.RevocationResponse;
 import net.ripe.rpki.commons.ta.domain.response.SigningResponse;
 import net.ripe.rpki.commons.ta.domain.response.TrustAnchorResponse;
-import net.ripe.rpki.commons.validation.ValidationOptions;
-import net.ripe.rpki.commons.validation.ValidationResult;
-import net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext;
 import net.ripe.rpki.domain.*;
 import net.ripe.rpki.domain.archive.KeyPairDeletionService;
 import net.ripe.rpki.domain.interca.CertificateIssuanceResponse;
@@ -29,7 +24,7 @@
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
 
-import javax.persistence.EntityManager;
+import jakarta.persistence.EntityManager;
 import javax.security.auth.x500.X500Principal;
 import java.net.URI;
 import java.util.*;
diff --git a/src/test/java/net/ripe/rpki/publication/persistence/disk/FileSystemPublicationObjectPersistenceTest.java b/src/test/java/net/ripe/rpki/publication/persistence/disk/FileSystemPublicationObjectPersistenceTest.java
index d142634..abde3e5 100644
--- a/src/test/java/net/ripe/rpki/publication/persistence/disk/FileSystemPublicationObjectPersistenceTest.java
+++ b/src/test/java/net/ripe/rpki/publication/persistence/disk/FileSystemPublicationObjectPersistenceTest.java
@@ -16,6 +16,7 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.sql.Timestamp;
+import java.time.Instant;
 import java.util.Collections;
 import java.util.Random;
 import java.util.concurrent.TimeUnit;
@@ -32,7 +33,7 @@ public class FileSystemPublicationObjectPersistenceTest {
 
     private static final URI TA_REPOSITORY_BASE_URI = URI.create("rsync://repository/ta/");
     private File taRepositoryBaseDirectory;
-    private static final Timestamp CREATED_AT = new Timestamp(System.currentTimeMillis());
+    private static final Instant CREATED_AT = Instant.now();
 
     private FileSystemPublicationObjectPersistence subject;
 
@@ -49,6 +50,7 @@ public void setUp(@TempDir File onlineRepositoryBaseDirectory, @TempDir File taR
         this.taRepositoryBaseDirectory = taRepositoryBaseDirectory;
 
         // fix the current time while a test is running
+        // this time is used for the naming of the target directories
         DateTimeUtils.setCurrentMillisFixed(new DateTime().getMillis());
 
         subject = new FileSystemPublicationObjectPersistence(
@@ -77,7 +79,7 @@ public void should_set_last_modification_time_of_published_object() {
 
         subject.writeAll(Collections.singletonList(new PublishedObjectData(CREATED_AT, uri, CONTENTS)));
 
-        assertThat(new File(onlineRepositoryBaseDirectory, "published/foo/bar.cer").lastModified() / 1000).isEqualTo(CREATED_AT.getTime() / 1000);
+        assertThat(new File(onlineRepositoryBaseDirectory, "published/foo/bar.cer").lastModified() / 1000).isEqualTo(CREATED_AT.toEpochMilli() / 1000);
     }
 
     @Test
@@ -214,8 +216,7 @@ public void should_not_keep_old_objects() {
         assertThat(new File(onlineRepositoryBaseDirectory, "published/foo/old.cer")).exists();
 
         DateTimeUtils.setCurrentMillisFixed(DateTimeUtils.currentTimeMillis() + 100);
-
-        subject.writeAll(Collections.singletonList(new PublishedObjectData(new Timestamp(System.currentTimeMillis()), newUri, CONTENTS)));
+        subject.writeAll(Collections.singletonList(new PublishedObjectData(CREATED_AT.plusSeconds(100), newUri, CONTENTS)));
 
         assertThat(new File(onlineRepositoryBaseDirectory, "published/foo/new.cer")).exists();
         assertThat(new File(onlineRepositoryBaseDirectory, "published/foo/old.cer")).doesNotExist();
diff --git a/src/test/java/net/ripe/rpki/publication/server/ExternalPublishingServerTest.java b/src/test/java/net/ripe/rpki/publication/server/ExternalPublishingServerTest.java
index 28d2da9..40e606d 100644
--- a/src/test/java/net/ripe/rpki/publication/server/ExternalPublishingServerTest.java
+++ b/src/test/java/net/ripe/rpki/publication/server/ExternalPublishingServerTest.java
@@ -143,13 +143,13 @@ public void should_update_publication_metrics() throws Exception {
         String clientId = RandomStringUtils.randomAlphanumeric(8);
         String reply = "<msg type=\"reply\" version=\"3\" xmlns=\"http://www.hactrn.net/uris/rpki/publication-spec/\"></msg>";
         when(publishingServerClient.publish(eq(PUBLICATION_SERVER_URL), anyString(), eq(clientId))).thenReturn(Mono.just(reply));
-        List<PublicationMessage> messages = Stream.of(
-            new PublicationMessage.PublishRequest(new URI("rsync://blabla.com/xxx.cer"), new byte[]{1, 2, 3}, Optional.empty()),
-            new PublicationMessage.PublishRequest(new URI("rsync://blabla.com/xxx2.cer"), new byte[]{1, 2, 3, 4}, Optional.empty()),
-            new PublicationMessage.WithdrawRequest(new URI("rsync://blabla.com/yyy.cer"), "not important"),
-            new PublicationMessage.PublishRequest(new URI("rsync://blabla.com/xxx.roa"), new byte[]{1, 2, 3}, java.util.Optional.of("aHash")),
-            new PublicationMessage.WithdrawRequest(new URI("rsync://blabla.com/zzz.weird-extension"), "not important")
-        ).collect(Collectors.toList());
+        List<? extends PublicationMessage> messages = Stream.of(
+                new PublicationMessage.PublishRequest(new URI("rsync://blabla.com/xxx.cer"), new byte[]{1, 2, 3}, Optional.empty()),
+                new PublicationMessage.PublishRequest(new URI("rsync://blabla.com/xxx2.cer"), new byte[]{1, 2, 3, 4}, Optional.empty()),
+                new PublicationMessage.WithdrawRequest(new URI("rsync://blabla.com/yyy.cer"), "not important"),
+                new PublicationMessage.PublishRequest(new URI("rsync://blabla.com/xxx.roa"), new byte[]{1, 2, 3}, Optional.of("aHash")),
+                new PublicationMessage.WithdrawRequest(new URI("rsync://blabla.com/zzz.weird-extension"), "not important")
+        ).toList();
         externalPublishingServer.execute(messages, clientId);
         assertEquals(2.0, meterRegistry.get("rpkicore.publication.operations").tag("operation", "publish").tag("type", "cer").counter().count(), 0.1);
         assertEquals(1.0, meterRegistry.get("rpkicore.publication.operations").tag("operation", "publish").tag("type", "roa").counter().count(), 0.1);
diff --git a/src/test/java/net/ripe/rpki/rest/service/AlertServiceTest.java b/src/test/java/net/ripe/rpki/rest/service/AlertServiceTest.java
index eeb047e..0f834eb 100644
--- a/src/test/java/net/ripe/rpki/rest/service/AlertServiceTest.java
+++ b/src/test/java/net/ripe/rpki/rest/service/AlertServiceTest.java
@@ -40,7 +40,7 @@
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
 
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static net.ripe.rpki.rest.service.AbstractCaRestService.API_URL_PREFIX;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
diff --git a/src/test/java/net/ripe/rpki/rest/service/AnnouncementServiceTest.java b/src/test/java/net/ripe/rpki/rest/service/AnnouncementServiceTest.java
index 26c00dc..a613b2c 100644
--- a/src/test/java/net/ripe/rpki/rest/service/AnnouncementServiceTest.java
+++ b/src/test/java/net/ripe/rpki/rest/service/AnnouncementServiceTest.java
@@ -45,7 +45,7 @@
 import java.util.Set;
 import java.util.UUID;
 
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static net.ripe.rpki.rest.security.ApiKeySecurity.API_KEY_HEADER;
 import static net.ripe.rpki.rest.service.AbstractCaRestService.API_URL_PREFIX;
 import static net.ripe.rpki.rest.service.Rest.TESTING_API_KEY;
diff --git a/src/test/java/net/ripe/rpki/rest/service/BackgroundExecutorServiceTest.java b/src/test/java/net/ripe/rpki/rest/service/BackgroundExecutorServiceTest.java
index 014a838..f28dd03 100644
--- a/src/test/java/net/ripe/rpki/rest/service/BackgroundExecutorServiceTest.java
+++ b/src/test/java/net/ripe/rpki/rest/service/BackgroundExecutorServiceTest.java
@@ -16,13 +16,13 @@
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;
 
-import javax.servlet.http.Cookie;
-import javax.ws.rs.core.MediaType;
+import jakarta.servlet.http.Cookie;
+import jakarta.ws.rs.core.MediaType;
 import java.util.Collections;
 import java.util.Map;
 import java.util.UUID;
 
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static net.ripe.rpki.rest.security.ApiKeySecurity.API_KEY_HEADER;
 import static net.ripe.rpki.rest.security.ApiKeySecurity.USER_ID_HEADER;
 import static net.ripe.rpki.rest.service.Rest.TESTING_API_KEY;
diff --git a/src/test/java/net/ripe/rpki/rest/service/CaAspaConfigurationServiceTest.java b/src/test/java/net/ripe/rpki/rest/service/CaAspaConfigurationServiceTest.java
index 00562b0..034e42c 100644
--- a/src/test/java/net/ripe/rpki/rest/service/CaAspaConfigurationServiceTest.java
+++ b/src/test/java/net/ripe/rpki/rest/service/CaAspaConfigurationServiceTest.java
@@ -111,8 +111,7 @@ public void shouldUpdateAspaConfigurationForCa_with_provider() throws Exception
     @Test
     public void shouldUpdateAspaConfigurationForCa_with_multiple_provider() throws Exception {
         var providers = IntStream.range(1000, 1100)
-                .mapToObj(i -> "AS"+i)
-                .collect(Collectors.toList());
+                .mapToObj(i -> "AS" + i).toList();
 
         mockMvc.perform(Rest.put(API_URL_PREFIX + "/123/aspa")
                         .header(HttpHeaders.IF_MATCH, ASPA_CONFIGURATION_ETAG)
diff --git a/src/test/java/net/ripe/rpki/rest/service/CaRoaConfigurationServiceTest.java b/src/test/java/net/ripe/rpki/rest/service/CaRoaConfigurationServiceTest.java
index 51d083c..a8c88ad 100644
--- a/src/test/java/net/ripe/rpki/rest/service/CaRoaConfigurationServiceTest.java
+++ b/src/test/java/net/ripe/rpki/rest/service/CaRoaConfigurationServiceTest.java
@@ -29,7 +29,7 @@
 import org.springframework.test.web.servlet.MockMvc;
 
 import javax.security.auth.x500.X500Principal;
-import javax.ws.rs.core.HttpHeaders;
+import jakarta.ws.rs.core.HttpHeaders;
 import java.util.*;
 
 import static net.ripe.rpki.rest.service.AbstractCaRestService.API_URL_PREFIX;
diff --git a/src/test/java/net/ripe/rpki/rest/service/CaStatServiceTest.java b/src/test/java/net/ripe/rpki/rest/service/CaStatServiceTest.java
index 14e9a7d..d8b88ec 100644
--- a/src/test/java/net/ripe/rpki/rest/service/CaStatServiceTest.java
+++ b/src/test/java/net/ripe/rpki/rest/service/CaStatServiceTest.java
@@ -17,7 +17,7 @@
 import java.util.Arrays;
 import java.util.Collection;
 
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
diff --git a/src/test/java/net/ripe/rpki/rest/service/HistoryServiceTest.java b/src/test/java/net/ripe/rpki/rest/service/HistoryServiceTest.java
index 5804a10..f752ebb 100644
--- a/src/test/java/net/ripe/rpki/rest/service/HistoryServiceTest.java
+++ b/src/test/java/net/ripe/rpki/rest/service/HistoryServiceTest.java
@@ -26,7 +26,7 @@
 import java.util.List;
 
 import static java.util.Arrays.asList;
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static net.ripe.rpki.rest.service.AbstractCaRestService.API_URL_PREFIX;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.mock;
diff --git a/src/test/java/net/ripe/rpki/rest/service/PublisherRepositoriesServiceTest.java b/src/test/java/net/ripe/rpki/rest/service/PublisherRepositoriesServiceTest.java
index 7ad64bd..e4d0a7b 100644
--- a/src/test/java/net/ripe/rpki/rest/service/PublisherRepositoriesServiceTest.java
+++ b/src/test/java/net/ripe/rpki/rest/service/PublisherRepositoriesServiceTest.java
@@ -2,7 +2,6 @@
 
 import net.ripe.ipresource.ImmutableResourceSet;
 import net.ripe.rpki.TestRpkiBootApplication;
-import net.ripe.rpki.commons.provisioning.identity.PublisherRequest;
 import net.ripe.rpki.commons.provisioning.identity.PublisherRequestSerializer;
 import net.ripe.rpki.commons.provisioning.identity.RepositoryResponse;
 import net.ripe.rpki.commons.provisioning.identity.RepositoryResponseSerializer;
@@ -21,7 +20,6 @@
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.ValueSource;
-import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureWebMvc;
@@ -31,13 +29,12 @@
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
 
-import javax.persistence.EntityNotFoundException;
+import jakarta.persistence.EntityNotFoundException;
 import javax.security.auth.x500.X500Principal;
-import javax.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MediaType;
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
 import java.util.Collections;
@@ -52,10 +49,8 @@
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoInteractions;
 import static org.mockito.Mockito.when;
-import static org.springframework.test.web.client.match.MockRestRequestMatchers.content;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.web.servlet.function.RequestPredicates.contentType;
 
 @ActiveProfiles("test")
 @ExtendWith(SpringExtension.class)
diff --git a/src/test/java/net/ripe/rpki/rest/service/Rest.java b/src/test/java/net/ripe/rpki/rest/service/Rest.java
index 6b15119..040a9dc 100644
--- a/src/test/java/net/ripe/rpki/rest/service/Rest.java
+++ b/src/test/java/net/ripe/rpki/rest/service/Rest.java
@@ -5,10 +5,10 @@
 import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
-import javax.servlet.http.Cookie;
+import jakarta.servlet.http.Cookie;
 import java.util.UUID;
 
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static net.ripe.rpki.rest.security.ApiKeySecurity.API_KEY_HEADER;
 import static net.ripe.rpki.rest.security.ApiKeySecurity.USER_ID_HEADER;
 
diff --git a/src/test/java/net/ripe/rpki/rest/service/UpstreamCaServiceTest.java b/src/test/java/net/ripe/rpki/rest/service/UpstreamCaServiceTest.java
index 44018de..96e1422 100644
--- a/src/test/java/net/ripe/rpki/rest/service/UpstreamCaServiceTest.java
+++ b/src/test/java/net/ripe/rpki/rest/service/UpstreamCaServiceTest.java
@@ -14,7 +14,7 @@
 
 import java.nio.charset.StandardCharsets;
 
-import static javax.ws.rs.core.MediaType.APPLICATION_XML;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_XML;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
diff --git a/src/test/java/net/ripe/rpki/rest/service/monitoring/AspaServiceTest.java b/src/test/java/net/ripe/rpki/rest/service/monitoring/AspaServiceTest.java
index 0b9308f..cbf92ee 100644
--- a/src/test/java/net/ripe/rpki/rest/service/monitoring/AspaServiceTest.java
+++ b/src/test/java/net/ripe/rpki/rest/service/monitoring/AspaServiceTest.java
@@ -20,7 +20,7 @@
 
 import java.util.*;
 
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.Matchers.nullValue;
 import static org.mockito.Mockito.mock;
diff --git a/src/test/java/net/ripe/rpki/rest/service/monitoring/PublishedObjectsServiceTest.java b/src/test/java/net/ripe/rpki/rest/service/monitoring/PublishedObjectsServiceTest.java
index 84a945f..0a364cf 100644
--- a/src/test/java/net/ripe/rpki/rest/service/monitoring/PublishedObjectsServiceTest.java
+++ b/src/test/java/net/ripe/rpki/rest/service/monitoring/PublishedObjectsServiceTest.java
@@ -19,7 +19,7 @@
 
 import java.util.List;
 
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
diff --git a/src/test/java/net/ripe/rpki/rest/service/monitoring/RoaPrefixesServiceTest.java b/src/test/java/net/ripe/rpki/rest/service/monitoring/RoaPrefixesServiceTest.java
index 1758798..b4ca370 100644
--- a/src/test/java/net/ripe/rpki/rest/service/monitoring/RoaPrefixesServiceTest.java
+++ b/src/test/java/net/ripe/rpki/rest/service/monitoring/RoaPrefixesServiceTest.java
@@ -26,7 +26,7 @@
 import java.util.Arrays;
 import java.util.Optional;
 
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static org.hamcrest.Matchers.hasSize;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
diff --git a/src/test/java/net/ripe/rpki/ripencc/cache/JpaResourceCacheImplTest.java b/src/test/java/net/ripe/rpki/ripencc/cache/JpaResourceCacheImplTest.java
index cc8c273..9065961 100644
--- a/src/test/java/net/ripe/rpki/ripencc/cache/JpaResourceCacheImplTest.java
+++ b/src/test/java/net/ripe/rpki/ripencc/cache/JpaResourceCacheImplTest.java
@@ -7,7 +7,7 @@
 import org.junit.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 
-import javax.persistence.EntityManager;
+import jakarta.persistence.EntityManager;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
diff --git a/src/test/java/net/ripe/rpki/ripencc/provisioning/ProvisioningAuditLogServiceBeanTest.java b/src/test/java/net/ripe/rpki/ripencc/provisioning/ProvisioningAuditLogServiceBeanTest.java
index 51c9452..acf2ca9 100644
--- a/src/test/java/net/ripe/rpki/ripencc/provisioning/ProvisioningAuditLogServiceBeanTest.java
+++ b/src/test/java/net/ripe/rpki/ripencc/provisioning/ProvisioningAuditLogServiceBeanTest.java
@@ -11,8 +11,8 @@
 import org.mockito.Mockito;
 import org.mockito.junit.MockitoJUnitRunner;
 
-import javax.persistence.EntityManager;
-import javax.persistence.TypedQuery;
+import jakarta.persistence.EntityManager;
+import jakarta.persistence.TypedQuery;
 import java.nio.charset.StandardCharsets;
 import java.util.Collections;
 import java.util.List;
diff --git a/src/test/java/net/ripe/rpki/ripencc/provisioning/ProvisioningCmsSigningTimeStoreTest.java b/src/test/java/net/ripe/rpki/ripencc/provisioning/ProvisioningCmsSigningTimeStoreTest.java
index 8f35d07..07a6b6e 100644
--- a/src/test/java/net/ripe/rpki/ripencc/provisioning/ProvisioningCmsSigningTimeStoreTest.java
+++ b/src/test/java/net/ripe/rpki/ripencc/provisioning/ProvisioningCmsSigningTimeStoreTest.java
@@ -5,14 +5,15 @@
 import net.ripe.rpki.domain.NonHostedCertificateAuthority;
 import net.ripe.rpki.domain.ProductionCertificateAuthority;
 import net.ripe.rpki.server.api.dto.NonHostedCertificateAuthorityData;
-import org.joda.time.DateTime;
-import org.joda.time.DateTimeZone;
 import org.junit.Before;
 import org.junit.Test;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import javax.security.auth.x500.X500Principal;
-import javax.transaction.Transactional;
+import jakarta.transaction.Transactional;
+
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
@@ -42,23 +43,37 @@ public void setUp() {
 
     @Test
     public void should_track_last_seen_signing_time() {
-        DateTime cmsSigningTime = DateTime.now(DateTimeZone.UTC);
+        // Truncate to milliseconds due to the JVM dependant precision of Instant
+        Instant cmsSigningTime = Instant.now().truncatedTo(ChronoUnit.MILLIS);
 
         assertThat(subject.getLastSeenProvisioningCmsSignedAt(nonHostedCa)).isEmpty();
 
         boolean updated = subject.updateLastSeenProvisioningCmsSeenAt(nonHostedCa, cmsSigningTime);
         assertThat(updated).isTrue();
         assertThat(subject.getLastSeenProvisioningCmsSignedAt(nonHostedCa))
-            .get().isEqualTo(cmsSigningTime);
+            .hasValue(cmsSigningTime);
 
-        updated = subject.updateLastSeenProvisioningCmsSeenAt(nonHostedCa, cmsSigningTime.plusMinutes(1));
+        updated = subject.updateLastSeenProvisioningCmsSeenAt(nonHostedCa, cmsSigningTime.plus(1, ChronoUnit.MINUTES));
         assertThat(updated).isTrue();
         assertThat(subject.getLastSeenProvisioningCmsSignedAt(nonHostedCa))
-            .get().isEqualTo(cmsSigningTime.plusMinutes(1));
+            .hasValue(cmsSigningTime.plus(1, ChronoUnit.MINUTES));
 
-        updated = subject.updateLastSeenProvisioningCmsSeenAt(nonHostedCa, cmsSigningTime.minusMinutes(1));
+        updated = subject.updateLastSeenProvisioningCmsSeenAt(nonHostedCa, cmsSigningTime.minus(1, ChronoUnit.MINUTES));
         assertThat(updated).isFalse();
         assertThat(subject.getLastSeenProvisioningCmsSignedAt(nonHostedCa))
-            .get().isEqualTo(cmsSigningTime.plusMinutes(1));
+            .hasValue(cmsSigningTime.plus(1, ChronoUnit.MINUTES));
+    }
+
+    @Test
+    public void should_track_last_seen_signing_time_jodatime() {
+        Instant cmsSigningTime = Instant.now();
+
+        assertThat(subject.getLastSeenProvisioningCmsSignedAt(nonHostedCa)).isEmpty();
+        boolean updated = subject.updateLastSeenProvisioningCmsSeenAt(nonHostedCa, org.joda.time.Instant.ofEpochMilli(cmsSigningTime.toEpochMilli()).toDateTime());
+        assertThat(updated).isTrue();
+
+        // Java instant has microsecond precision while the conversion has millisecond precision
+        assertThat(subject.getLastSeenProvisioningCmsSignedAt(nonHostedCa).map(st -> st.truncatedTo(ChronoUnit.MILLIS)))
+                .hasValue(cmsSigningTime.truncatedTo(ChronoUnit.MILLIS));
     }
 }
diff --git a/src/test/java/net/ripe/rpki/ripencc/provisioning/ProvisioningRequestProcessorBeanTest.java b/src/test/java/net/ripe/rpki/ripencc/provisioning/ProvisioningRequestProcessorBeanTest.java
index 5721c9f..e6ed534 100644
--- a/src/test/java/net/ripe/rpki/ripencc/provisioning/ProvisioningRequestProcessorBeanTest.java
+++ b/src/test/java/net/ripe/rpki/ripencc/provisioning/ProvisioningRequestProcessorBeanTest.java
@@ -33,7 +33,7 @@
 import org.mockito.Mock;
 import org.mockito.junit.MockitoJUnitRunner;
 
-import javax.persistence.LockTimeoutException;
+import jakarta.persistence.LockTimeoutException;
 import javax.security.auth.x500.X500Principal;
 import java.security.InvalidKeyException;
 import java.security.PublicKey;
diff --git a/src/test/java/net/ripe/rpki/ripencc/provisioning/ProvisioningServletTest.java b/src/test/java/net/ripe/rpki/ripencc/provisioning/ProvisioningServletTest.java
index dad74a7..ff38ff2 100644
--- a/src/test/java/net/ripe/rpki/ripencc/provisioning/ProvisioningServletTest.java
+++ b/src/test/java/net/ripe/rpki/ripencc/provisioning/ProvisioningServletTest.java
@@ -10,8 +10,8 @@
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.any;
diff --git a/src/test/java/net/ripe/rpki/ripencc/services/impl/KrillNonHostedPublisherRepositoryBeanTest.java b/src/test/java/net/ripe/rpki/ripencc/services/impl/KrillNonHostedPublisherRepositoryBeanTest.java
index 01e502b..f93ed5a 100644
--- a/src/test/java/net/ripe/rpki/ripencc/services/impl/KrillNonHostedPublisherRepositoryBeanTest.java
+++ b/src/test/java/net/ripe/rpki/ripencc/services/impl/KrillNonHostedPublisherRepositoryBeanTest.java
@@ -14,7 +14,7 @@
 import org.springframework.core.io.Resource;
 import org.springframework.http.HttpStatus;
 
-import javax.ws.rs.core.HttpHeaders;
+import jakarta.ws.rs.core.HttpHeaders;
 import java.nio.charset.StandardCharsets;
 import java.util.Set;
 import java.util.UUID;
@@ -26,7 +26,7 @@
 import static com.github.tomakehurst.wiremock.client.WireMock.post;
 import static com.github.tomakehurst.wiremock.client.WireMock.stubFor;
 import static com.github.tomakehurst.wiremock.client.WireMock.urlEqualTo;
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static net.ripe.rpki.ripencc.services.impl.KrillNonHostedPublisherRepositoryBean.MONITORING_TARGET;
 import static net.ripe.rpki.ripencc.services.impl.KrillNonHostedPublisherRepositoryBean.PUBD_PUBLISHERS;
 import static org.assertj.core.api.Assertions.assertThat;
diff --git a/src/test/java/net/ripe/rpki/ripencc/services/impl/RestResourceServicesClientTest.java b/src/test/java/net/ripe/rpki/ripencc/services/impl/RestResourceServicesClientTest.java
index 2a5201d..85db4b4 100644
--- a/src/test/java/net/ripe/rpki/ripencc/services/impl/RestResourceServicesClientTest.java
+++ b/src/test/java/net/ripe/rpki/ripencc/services/impl/RestResourceServicesClientTest.java
@@ -14,7 +14,7 @@
 import static com.github.tomakehurst.wiremock.client.WireMock.head;
 import static com.github.tomakehurst.wiremock.client.WireMock.stubFor;
 import static com.github.tomakehurst.wiremock.client.WireMock.urlEqualTo;
-import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static net.ripe.rpki.server.api.ports.ResourceServicesClient.*;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
diff --git a/src/test/java/net/ripe/rpki/ripencc/ui/daemon/health/HealthChecksTest.java b/src/test/java/net/ripe/rpki/ripencc/ui/daemon/health/HealthChecksTest.java
index 7ce4e7b..15a8ed8 100644
--- a/src/test/java/net/ripe/rpki/ripencc/ui/daemon/health/HealthChecksTest.java
+++ b/src/test/java/net/ripe/rpki/ripencc/ui/daemon/health/HealthChecksTest.java
@@ -7,7 +7,7 @@
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.junit4.SpringRunner;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
 
diff --git a/src/test/java/net/ripe/rpki/services/impl/EmailSenderBeanTest.java b/src/test/java/net/ripe/rpki/services/impl/EmailSenderBeanTest.java
index 4d747b4..19ff649 100644
--- a/src/test/java/net/ripe/rpki/services/impl/EmailSenderBeanTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/EmailSenderBeanTest.java
@@ -24,6 +24,7 @@
 import org.springframework.mail.SimpleMailMessage;
 
 import javax.security.auth.x500.X500Principal;
+import java.security.SecureRandom;
 import java.util.*;
 
 import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
@@ -85,7 +86,7 @@ private Map<String, Object> variablesFor(EmailSender.EmailTemplates template) {
                     new VersionedId(42L),
                     new X500Principal("CN=org.example"),
                     UUID.randomUUID(),
-                    RandomUtils.nextLong(),
+                    new SecureRandom().nextLong(),
                     ImmutableResourceSet.empty(),
                     List.of()
             );
diff --git a/src/test/java/net/ripe/rpki/services/impl/RoaServiceBeanTest.java b/src/test/java/net/ripe/rpki/services/impl/RoaServiceBeanTest.java
index a314bee..cbbfa91 100644
--- a/src/test/java/net/ripe/rpki/services/impl/RoaServiceBeanTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/RoaServiceBeanTest.java
@@ -4,7 +4,6 @@
 import net.ripe.ipresource.IpRange;
 import net.ripe.rpki.commons.crypto.ValidityPeriod;
 import net.ripe.rpki.domain.CertificateAuthorityRepository;
-import net.ripe.rpki.domain.KeyPairEntity;
 import net.ripe.rpki.domain.ManagedCertificateAuthority;
 import net.ripe.rpki.domain.TestObjects;
 import net.ripe.rpki.domain.roa.RoaConfiguration;
@@ -19,7 +18,7 @@
 import org.junit.Before;
 import org.junit.Test;
 
-import javax.persistence.NoResultException;
+import jakarta.persistence.NoResultException;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
@@ -27,7 +26,6 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
-import static org.mockito.ArgumentMatchers.isA;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
diff --git a/src/test/java/net/ripe/rpki/services/impl/background/AllCaCertificateUpdateServiceBeanTest.java b/src/test/java/net/ripe/rpki/services/impl/background/AllCaCertificateUpdateServiceBeanTest.java
index 14fdc79..7fb25a0 100644
--- a/src/test/java/net/ripe/rpki/services/impl/background/AllCaCertificateUpdateServiceBeanTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/background/AllCaCertificateUpdateServiceBeanTest.java
@@ -22,7 +22,7 @@
 import org.mockito.Mock;
 import org.mockito.junit.MockitoJUnitRunner;
 
-import javax.persistence.EntityNotFoundException;
+import jakarta.persistence.EntityNotFoundException;
 import javax.security.auth.x500.X500Principal;
 import java.util.*;
 
diff --git a/src/test/java/net/ripe/rpki/services/impl/background/BackgroundServiceMetricsTest.java b/src/test/java/net/ripe/rpki/services/impl/background/BackgroundServiceMetricsTest.java
index 122e04b..c7b187e 100644
--- a/src/test/java/net/ripe/rpki/services/impl/background/BackgroundServiceMetricsTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/background/BackgroundServiceMetricsTest.java
@@ -7,6 +7,9 @@
 import org.apache.commons.lang3.RandomUtils;
 import org.junit.Test;
 
+import java.security.SecureRandom;
+import java.util.Random;
+
 import static net.ripe.rpki.services.impl.background.BackgroundServiceMetrics.SERVICE_RESULT_COUNTER_METRIC;
 import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
 
@@ -25,7 +28,9 @@ public void shouldTrackServiceExecutionStart() {
     @Test
     public void shouldTrackSuccessfulServiceExecution() {
         String service = RandomStringUtils.randomAlphanumeric(16);
-        BackgroundServiceExecutionResult job = new BackgroundServiceExecutionResult(RandomUtils.nextLong(), RandomUtils.nextLong(), BackgroundServiceExecutionResult.Status.SUCCESS);
+        var random = new SecureRandom();
+
+        BackgroundServiceExecutionResult job = new BackgroundServiceExecutionResult(random.nextLong(), random.nextLong(), BackgroundServiceExecutionResult.Status.SUCCESS);
         subject.trackStartTime(service);
         subject.trackResult(service, job);
 
diff --git a/src/test/java/net/ripe/rpki/services/impl/background/BackgroundServicesTest.java b/src/test/java/net/ripe/rpki/services/impl/background/BackgroundServicesTest.java
index 7196829..7bb24e3 100644
--- a/src/test/java/net/ripe/rpki/services/impl/background/BackgroundServicesTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/background/BackgroundServicesTest.java
@@ -9,7 +9,7 @@
 import org.junit.jupiter.api.TestInstance;
 import org.springframework.beans.factory.support.DefaultListableBeanFactory;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.Collections;
 import java.util.Map;
 
diff --git a/src/test/java/net/ripe/rpki/services/impl/background/PublicRepositoryPublicationServiceBeanTest.java b/src/test/java/net/ripe/rpki/services/impl/background/PublicRepositoryPublicationServiceBeanTest.java
index 86a9dd6..8620fdb 100644
--- a/src/test/java/net/ripe/rpki/services/impl/background/PublicRepositoryPublicationServiceBeanTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/background/PublicRepositoryPublicationServiceBeanTest.java
@@ -8,7 +8,7 @@
 import org.junit.Before;
 import org.junit.Test;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.EnumSet;
diff --git a/src/test/java/net/ripe/rpki/services/impl/handlers/ChildParentCertificateUpdateSagaHostedTest.java b/src/test/java/net/ripe/rpki/services/impl/handlers/ChildParentCertificateUpdateSagaHostedTest.java
index dac6de1..6849fd2 100644
--- a/src/test/java/net/ripe/rpki/services/impl/handlers/ChildParentCertificateUpdateSagaHostedTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/handlers/ChildParentCertificateUpdateSagaHostedTest.java
@@ -21,9 +21,9 @@
 import org.junit.Before;
 import org.junit.Test;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import javax.security.auth.x500.X500Principal;
-import javax.transaction.Transactional;
+import jakarta.transaction.Transactional;
 import java.net.URI;
 import java.security.PublicKey;
 import java.util.*;
@@ -358,15 +358,13 @@ private void assertChildParentInvariants(HostedCertificateAuthority child, Manag
             .collect(Collectors.toSet());
 
         Collection<OutgoingResourceCertificate> outgoingResourceCertificates = parent.getKeyPairs().stream()
-            .filter(KeyPairEntity::isPublishable)
-            .flatMap(kp -> resourceCertificateRepository.findAllBySigningKeyPair(kp).stream())
-            .filter(c -> c.isCurrent() && PublicationStatus.ACTIVE_STATUSES.contains(c.getPublishedObject().getStatus()))
-            .filter(c -> childPublicKeys.contains(c.getSubjectPublicKey()))
-            .collect(Collectors.toList());
+                .filter(KeyPairEntity::isPublishable)
+                .flatMap(kp -> resourceCertificateRepository.findAllBySigningKeyPair(kp).stream())
+                .filter(c -> c.isCurrent() && PublicationStatus.ACTIVE_STATUSES.contains(c.getPublishedObject().getStatus()))
+                .filter(c -> childPublicKeys.contains(c.getSubjectPublicKey())).toList();
         Collection<IncomingResourceCertificate> incomingResourceCertificates = child.getKeyPairs().stream()
-            .filter(KeyPairEntity::isPublishable)
-            .flatMap(kp -> kp.findCurrentIncomingCertificate().stream())
-            .collect(Collectors.toList());
+                .filter(KeyPairEntity::isPublishable)
+                .flatMap(kp -> kp.findCurrentIncomingCertificate().stream()).toList();
 
         assertThat(childPublicKeys).hasSize(outgoingResourceCertificates.size());
         assertThat(outgoingResourceCertificates).hasSize(incomingResourceCertificates.size());
@@ -380,12 +378,4 @@ private void assertChildParentInvariants(HostedCertificateAuthority child, Manag
             assertThat(outgoing.getCertificate()).isEqualTo(incoming.getCertificate());
         });
     }
-
-    private CommandStatus execute(CertificateAuthorityCommand command) {
-        try {
-            return subject.execute(command);
-        } finally {
-            entityManager.flush();
-        }
-    }
 }
diff --git a/src/test/java/net/ripe/rpki/services/impl/handlers/ChildParentCertificateUpdateSagaNonHostedTest.java b/src/test/java/net/ripe/rpki/services/impl/handlers/ChildParentCertificateUpdateSagaNonHostedTest.java
index 43178c6..6e1db2f 100644
--- a/src/test/java/net/ripe/rpki/services/impl/handlers/ChildParentCertificateUpdateSagaNonHostedTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/handlers/ChildParentCertificateUpdateSagaNonHostedTest.java
@@ -19,9 +19,9 @@
 import org.junit.Test;
 import org.opentest4j.AssertionFailedError;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import javax.security.auth.x500.X500Principal;
-import javax.transaction.Transactional;
+import jakarta.transaction.Transactional;
 import java.net.URI;
 import java.security.PublicKey;
 import java.util.Arrays;
@@ -279,15 +279,13 @@ private void assertChildParentInvariants(NonHostedCertificateAuthority child, Ma
             .collect(Collectors.toSet());
 
         Collection<OutgoingResourceCertificate> outgoingResourceCertificates = parent.getKeyPairs().stream()
-            .filter(KeyPairEntity::isPublishable)
-            .flatMap(kp -> resourceCertificateRepository.findAllBySigningKeyPair(kp).stream())
-            .filter(c -> c.isCurrent() && PublicationStatus.ACTIVE_STATUSES.contains(c.getPublishedObject().getStatus()))
-            .filter(c -> childPublicKeys.contains(c.getSubjectPublicKey()))
-            .collect(Collectors.toList());
+                .filter(KeyPairEntity::isPublishable)
+                .flatMap(kp -> resourceCertificateRepository.findAllBySigningKeyPair(kp).stream())
+                .filter(c -> c.isCurrent() && PublicationStatus.ACTIVE_STATUSES.contains(c.getPublishedObject().getStatus()))
+                .filter(c -> childPublicKeys.contains(c.getSubjectPublicKey())).toList();
         Collection<OutgoingResourceCertificate> incomingResourceCertificates = child.getPublicKeyEntities().stream()
-            .filter(x -> !x.isRevoked())
-            .flatMap(x -> x.findCurrentOutgoingResourceCertificate().stream())
-            .collect(Collectors.toList());
+                .filter(x -> !x.isRevoked())
+                .flatMap(x -> x.findCurrentOutgoingResourceCertificate().stream()).toList();
 
         // Not all non-hosted public keys will have a certificate after a certificate revocation request,
         // so number of keys could be greater.
@@ -307,12 +305,4 @@ private void assertChildParentInvariants(NonHostedCertificateAuthority child, Ma
     private Optional<OutgoingResourceCertificate> findCurrentResourceCertificate(NonHostedCertificateAuthority ca) {
         return ca.getPublicKeyEntities().iterator().next().findCurrentOutgoingResourceCertificate();
     }
-
-    private CommandStatus execute(CertificateAuthorityCommand command) {
-        try {
-            return commandService.execute(command);
-        } finally {
-            entityManager.flush();
-        }
-    }
 }
diff --git a/src/test/java/net/ripe/rpki/services/impl/handlers/DeleteNonHostedPublisherCommandHandlerTest.java b/src/test/java/net/ripe/rpki/services/impl/handlers/DeleteNonHostedPublisherCommandHandlerTest.java
index 34e7b2a..0200aa6 100644
--- a/src/test/java/net/ripe/rpki/services/impl/handlers/DeleteNonHostedPublisherCommandHandlerTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/handlers/DeleteNonHostedPublisherCommandHandlerTest.java
@@ -11,9 +11,9 @@
 import org.junit.Before;
 import org.junit.Test;
 
-import javax.persistence.EntityNotFoundException;
+import jakarta.persistence.EntityNotFoundException;
 import javax.security.auth.x500.X500Principal;
-import javax.transaction.Transactional;
+import jakarta.transaction.Transactional;
 import java.net.URI;
 import java.util.Optional;
 import java.util.UUID;
diff --git a/src/test/java/net/ripe/rpki/services/impl/handlers/IssueUpdatedManifestAndCrlCommandHandlerTest.java b/src/test/java/net/ripe/rpki/services/impl/handlers/IssueUpdatedManifestAndCrlCommandHandlerTest.java
index 297047c..37f1261 100644
--- a/src/test/java/net/ripe/rpki/services/impl/handlers/IssueUpdatedManifestAndCrlCommandHandlerTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/handlers/IssueUpdatedManifestAndCrlCommandHandlerTest.java
@@ -12,8 +12,8 @@
 import org.junit.Before;
 import org.junit.Test;
 
-import javax.inject.Inject;
-import javax.transaction.Transactional;
+import jakarta.inject.Inject;
+import jakarta.transaction.Transactional;
 
 import java.util.Collections;
 import java.util.List;
diff --git a/src/test/java/net/ripe/rpki/services/impl/handlers/ManagedCertificateAuthorityOutgoingResourceCertificatesInvariantHandlerTest.java b/src/test/java/net/ripe/rpki/services/impl/handlers/ManagedCertificateAuthorityOutgoingResourceCertificatesInvariantHandlerTest.java
index 5b797d7..b3c066a 100644
--- a/src/test/java/net/ripe/rpki/services/impl/handlers/ManagedCertificateAuthorityOutgoingResourceCertificatesInvariantHandlerTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/handlers/ManagedCertificateAuthorityOutgoingResourceCertificatesInvariantHandlerTest.java
@@ -15,7 +15,7 @@
 import org.mockito.Mock;
 import org.mockito.junit.MockitoJUnitRunner;
 
-import javax.persistence.EntityManager;
+import jakarta.persistence.EntityManager;
 import java.util.Arrays;
 
 import static net.ripe.rpki.domain.TestObjects.CA_ID;
diff --git a/src/test/java/net/ripe/rpki/services/impl/handlers/MigrateMemberCertificateAuthorityToIntermediateParentCommandHandlerTest.java b/src/test/java/net/ripe/rpki/services/impl/handlers/MigrateMemberCertificateAuthorityToIntermediateParentCommandHandlerTest.java
index e08edb7..4be8243 100644
--- a/src/test/java/net/ripe/rpki/services/impl/handlers/MigrateMemberCertificateAuthorityToIntermediateParentCommandHandlerTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/handlers/MigrateMemberCertificateAuthorityToIntermediateParentCommandHandlerTest.java
@@ -15,9 +15,9 @@
 import org.junit.Before;
 import org.junit.Test;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import javax.security.auth.x500.X500Principal;
-import javax.transaction.Transactional;
+import jakarta.transaction.Transactional;
 import java.net.URI;
 import java.util.Map;
 
diff --git a/src/test/java/net/ripe/rpki/services/impl/handlers/PublicationSupportTest.java b/src/test/java/net/ripe/rpki/services/impl/handlers/PublicationSupportTest.java
index 765d0dc..d813295 100644
--- a/src/test/java/net/ripe/rpki/services/impl/handlers/PublicationSupportTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/handlers/PublicationSupportTest.java
@@ -18,6 +18,7 @@
 import java.net.URISyntaxException;
 import java.nio.charset.StandardCharsets;
 import java.sql.Timestamp;
+import java.time.Instant;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
@@ -55,8 +56,9 @@ public class PublicationSupportTest extends TestCase {
 
     @Before
     public void setUp() throws SecurityException, URISyntaxException {
-        published1 = new PublishedObjectData(new Timestamp(System.currentTimeMillis()), BASE_URI.resolve("object.cer"), new byte[]{4, 5, 6});
-        published2 = new PublishedObjectData(new Timestamp(System.currentTimeMillis()), BASE_URI.resolve("manifest.mft"), new byte[]{1, 2, 3});
+        var now = Instant.now();
+        published1 = new PublishedObjectData(now, BASE_URI.resolve("object.cer"), new byte[]{4, 5, 6});
+        published2 = new PublishedObjectData(now, BASE_URI.resolve("manifest.mft"), new byte[]{1, 2, 3});
 
         when(publishedObjectRepository.findCurrentlyPublishedObjects()).thenReturn(Arrays.asList(published1, published2));
 
diff --git a/src/test/java/net/ripe/rpki/services/impl/jpa/JpaAspaConfigurationRepositoryTest.java b/src/test/java/net/ripe/rpki/services/impl/jpa/JpaAspaConfigurationRepositoryTest.java
index e4cd76e..c2916e3 100644
--- a/src/test/java/net/ripe/rpki/services/impl/jpa/JpaAspaConfigurationRepositoryTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/jpa/JpaAspaConfigurationRepositoryTest.java
@@ -9,7 +9,7 @@
 import org.junit.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 
-import javax.transaction.Transactional;
+import jakarta.transaction.Transactional;
 import java.util.SortedMap;
 import java.util.SortedSet;
 import java.util.TreeSet;
diff --git a/src/test/java/net/ripe/rpki/services/impl/jpa/JpaAspaEntityRepositoryTest.java b/src/test/java/net/ripe/rpki/services/impl/jpa/JpaAspaEntityRepositoryTest.java
index a19087d..c4d7348 100644
--- a/src/test/java/net/ripe/rpki/services/impl/jpa/JpaAspaEntityRepositoryTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/jpa/JpaAspaEntityRepositoryTest.java
@@ -5,7 +5,7 @@
 import org.junit.Test;
 import org.springframework.transaction.annotation.Transactional;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
diff --git a/src/test/java/net/ripe/rpki/services/impl/jpa/JpaCertificateAuthorityRepositoryTest.java b/src/test/java/net/ripe/rpki/services/impl/jpa/JpaCertificateAuthorityRepositoryTest.java
index 9b20225..c1ed90f 100644
--- a/src/test/java/net/ripe/rpki/services/impl/jpa/JpaCertificateAuthorityRepositoryTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/jpa/JpaCertificateAuthorityRepositoryTest.java
@@ -13,7 +13,7 @@
 import org.junit.Test;
 
 import javax.security.auth.x500.X500Principal;
-import javax.transaction.Transactional;
+import jakarta.transaction.Transactional;
 
 import java.util.UUID;
 
diff --git a/src/test/java/net/ripe/rpki/services/impl/jpa/JpaPublishedObjectRepositoryTest.java b/src/test/java/net/ripe/rpki/services/impl/jpa/JpaPublishedObjectRepositoryTest.java
index d2de0d9..12b05ea 100644
--- a/src/test/java/net/ripe/rpki/services/impl/jpa/JpaPublishedObjectRepositoryTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/jpa/JpaPublishedObjectRepositoryTest.java
@@ -14,13 +14,12 @@
 import org.assertj.core.api.Condition;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
-import org.joda.time.Instant;
 import org.junit.Before;
 import org.junit.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 
-import javax.persistence.PersistenceException;
-import javax.transaction.Transactional;
+import jakarta.persistence.PersistenceException;
+import jakarta.transaction.Transactional;
 import java.net.URI;
 import java.util.Arrays;
 import java.util.Collections;
diff --git a/src/test/java/net/ripe/rpki/services/impl/jpa/JpaResourceCertificateRepositoryTest.java b/src/test/java/net/ripe/rpki/services/impl/jpa/JpaResourceCertificateRepositoryTest.java
index 49be0fd..54f33af 100644
--- a/src/test/java/net/ripe/rpki/services/impl/jpa/JpaResourceCertificateRepositoryTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/jpa/JpaResourceCertificateRepositoryTest.java
@@ -17,9 +17,9 @@
 import org.junit.Before;
 import org.junit.Test;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import javax.security.auth.x500.X500Principal;
-import javax.transaction.Transactional;
+import jakarta.transaction.Transactional;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Optional;
diff --git a/src/test/java/net/ripe/rpki/services/impl/jpa/JpaRoaAlertConfigurationRepositoryTest.java b/src/test/java/net/ripe/rpki/services/impl/jpa/JpaRoaAlertConfigurationRepositoryTest.java
index d9db012..654cd46 100644
--- a/src/test/java/net/ripe/rpki/services/impl/jpa/JpaRoaAlertConfigurationRepositoryTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/jpa/JpaRoaAlertConfigurationRepositoryTest.java
@@ -9,7 +9,7 @@
 import org.junit.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 
-import javax.transaction.Transactional;
+import jakarta.transaction.Transactional;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.List;
diff --git a/src/test/java/net/ripe/rpki/services/impl/jpa/JpaRoaConfigurationRepositoryTest.java b/src/test/java/net/ripe/rpki/services/impl/jpa/JpaRoaConfigurationRepositoryTest.java
index a0c641c..75f28c7 100644
--- a/src/test/java/net/ripe/rpki/services/impl/jpa/JpaRoaConfigurationRepositoryTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/jpa/JpaRoaConfigurationRepositoryTest.java
@@ -11,7 +11,7 @@
 import org.junit.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 
-import javax.transaction.Transactional;
+import jakarta.transaction.Transactional;
 import java.math.BigInteger;
 import java.time.Instant;
 import java.util.Arrays;
@@ -120,7 +120,7 @@ public void shouldInsertDeletedPrefixesToSeparateTable() {
     }
 
     long countQuery(String sql) {
-        final BigInteger count = (BigInteger) entityManager
+        final var count = (Long) entityManager
             .createNativeQuery(sql)
             .getSingleResult();
         return count.longValue();
diff --git a/src/test/java/net/ripe/rpki/services/impl/jpa/JpaRoaEntityRepositoryTest.java b/src/test/java/net/ripe/rpki/services/impl/jpa/JpaRoaEntityRepositoryTest.java
index 3a665d8..03869cb 100644
--- a/src/test/java/net/ripe/rpki/services/impl/jpa/JpaRoaEntityRepositoryTest.java
+++ b/src/test/java/net/ripe/rpki/services/impl/jpa/JpaRoaEntityRepositoryTest.java
@@ -5,7 +5,7 @@
 import org.junit.Test;
 import org.springframework.transaction.annotation.Transactional;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
diff --git a/src/test/java/net/ripe/rpki/util/JdbcDBComponentTest.java b/src/test/java/net/ripe/rpki/util/JdbcDBComponentTest.java
index 414a04a..630b461 100644
--- a/src/test/java/net/ripe/rpki/util/JdbcDBComponentTest.java
+++ b/src/test/java/net/ripe/rpki/util/JdbcDBComponentTest.java
@@ -15,7 +15,7 @@
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.junit4.SpringRunner;
 
-import javax.persistence.LockModeType;
+import jakarta.persistence.LockModeType;
 import javax.security.auth.x500.X500Principal;
 import javax.sql.DataSource;
 import java.sql.Connection;
diff --git a/src/test/java/net/ripe/rpki/util/StreamsTest.java b/src/test/java/net/ripe/rpki/util/StreamsTest.java
index ec9db6a..aa033c1 100644
--- a/src/test/java/net/ripe/rpki/util/StreamsTest.java
+++ b/src/test/java/net/ripe/rpki/util/StreamsTest.java
@@ -23,7 +23,7 @@ public void shouldGroup(@ForAll @Size(min= 3) List<Integer> s, @ForAll @Positive
         grouped.stream().limit(grouped.size() - 1).forEach(g -> assertThat(g).hasSize(chunk));
         assertThat(grouped).last().satisfies(last -> assertThat(last.size()).isLessThanOrEqualTo(chunk));
 
-        final List<Integer> concatenated = grouped.stream().flatMap(Collection::stream).collect(Collectors.toList());
+        final List<Integer> concatenated = grouped.stream().flatMap(Collection::stream).toList();
         assertThat(s).isEqualTo(concatenated);
     }
 }
diff --git a/src/test/java/net/ripe/rpki/web/AdminControllerTest.java b/src/test/java/net/ripe/rpki/web/AdminControllerTest.java
index dc3123b..8caeb6e 100644
--- a/src/test/java/net/ripe/rpki/web/AdminControllerTest.java
+++ b/src/test/java/net/ripe/rpki/web/AdminControllerTest.java
@@ -1,6 +1,7 @@
 package net.ripe.rpki.web;
 
 import lombok.NonNull;
+import net.ripe.rpki.TestRpkiBootApplication;
 import net.ripe.rpki.commons.provisioning.x509.ProvisioningIdentityCertificate;
 import net.ripe.rpki.commons.provisioning.x509.ProvisioningIdentityCertificateBuilderTest;
 import net.ripe.rpki.server.api.configuration.RepositoryConfiguration;
@@ -8,16 +9,17 @@
 import net.ripe.rpki.server.api.services.read.ProvisioningIdentityViewService;
 import net.ripe.rpki.server.api.services.system.ActiveNodeService;
 import net.ripe.rpki.services.impl.background.BackgroundServices;
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Answers;
 import org.mockito.ArgumentCaptor;
 import org.mockito.Mock;
-import org.mockito.junit.MockitoJUnitRunner;
+import org.mockito.junit.jupiter.MockitoExtension;
 import org.springframework.boot.info.GitProperties;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.http.HttpStatus;
+import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.web.servlet.MvcResult;
 
 import java.net.URI;
@@ -35,8 +37,9 @@
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 
-@SpringBootTest
-@RunWith(MockitoJUnitRunner.class)
+@ActiveProfiles("test")
+@SpringBootTest(classes = TestRpkiBootApplication.class)
+@ExtendWith(MockitoExtension.class)
 public class AdminControllerTest extends SpringWebControllerTestCase {
 
     @Mock(answer = Answers.RETURNS_DEEP_STUBS)
@@ -57,7 +60,7 @@ protected AdminController createSubjectController() {
         return new AdminController(repositoryConfiguration, activeNodeService, backgroundServiceMap, backgroundServices, provisioningIdentityViewService, new GitProperties(new Properties()));
     }
 
-    @Before
+    @BeforeEach
     public void setUp() {
         when(repositoryConfiguration.getPublicRepositoryUri()).thenReturn(URI.create("rsync://example.com/rpki/repository"));
         when(activeNodeService.getActiveNodeName()).thenReturn("active-node");
diff --git a/src/test/java/net/ripe/rpki/web/HealthCheckControllerTest.java b/src/test/java/net/ripe/rpki/web/HealthCheckControllerTest.java
index 814445e..fd2679a 100644
--- a/src/test/java/net/ripe/rpki/web/HealthCheckControllerTest.java
+++ b/src/test/java/net/ripe/rpki/web/HealthCheckControllerTest.java
@@ -1,20 +1,22 @@
 package net.ripe.rpki.web;
 
 import lombok.NonNull;
+import net.ripe.rpki.TestRpkiBootApplication;
 import net.ripe.rpki.ripencc.ui.daemon.health.Health;
 import net.ripe.rpki.ripencc.ui.daemon.health.HealthService;
 import net.ripe.rpki.server.api.configuration.RepositoryConfiguration;
 import net.ripe.rpki.server.api.services.system.ActiveNodeService;
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Answers;
 import org.mockito.Mock;
-import org.mockito.junit.MockitoJUnitRunner;
+import org.mockito.junit.jupiter.MockitoExtension;
 import org.springframework.boot.info.GitProperties;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.web.servlet.MvcResult;
 
 import java.net.URI;
@@ -26,8 +28,10 @@
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 
-@SpringBootTest
-@RunWith(MockitoJUnitRunner.class)
+
+@ActiveProfiles("test")
+@SpringBootTest(classes = TestRpkiBootApplication.class)
+@ExtendWith(MockitoExtension.class)
 public class HealthCheckControllerTest extends SpringWebControllerTestCase {
     @Mock(answer = Answers.RETURNS_DEEP_STUBS)
     private RepositoryConfiguration repositoryConfiguration;
@@ -46,7 +50,7 @@ protected HealthCheckController createSubjectController() {
         );
     }
 
-    @Before
+    @BeforeEach
     public void setUp() {
         when(repositoryConfiguration.getPublicRepositoryUri()).thenReturn(URI.create("rsync://example.com/rpki/repository"));
         when(activeNodeService.getActiveNodeName()).thenReturn("active-node");
diff --git a/src/test/java/net/ripe/rpki/web/ProductionCaControllerTest.java b/src/test/java/net/ripe/rpki/web/ProductionCaControllerTest.java
index 1e4eb41..d488f69 100644
--- a/src/test/java/net/ripe/rpki/web/ProductionCaControllerTest.java
+++ b/src/test/java/net/ripe/rpki/web/ProductionCaControllerTest.java
@@ -1,6 +1,7 @@
 package net.ripe.rpki.web;
 
 import lombok.NonNull;
+import net.ripe.rpki.TestRpkiBootApplication;
 import net.ripe.rpki.commons.util.VersionedId;
 import net.ripe.rpki.server.api.commands.CertificateAuthorityCommandGroup;
 import net.ripe.rpki.server.api.configuration.RepositoryConfiguration;
@@ -13,15 +14,17 @@
 import net.ripe.rpki.server.api.services.system.ActiveNodeService;
 import net.ripe.rpki.server.api.services.system.CaHistoryService;
 import org.joda.time.DateTime;
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Answers;
 import org.mockito.Mock;
 import org.mockito.junit.MockitoJUnitRunner;
+import org.mockito.junit.jupiter.MockitoExtension;
 import org.springframework.boot.info.GitProperties;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.http.HttpStatus;
+import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.web.servlet.MvcResult;
 
 import javax.security.auth.x500.X500Principal;
@@ -37,8 +40,9 @@
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 
-@SpringBootTest
-@RunWith(MockitoJUnitRunner.class)
+@ActiveProfiles("test")
+@SpringBootTest(classes = TestRpkiBootApplication.class)
+@ExtendWith(MockitoExtension.class)
 public class ProductionCaControllerTest extends SpringWebControllerTestCase {
     @Mock(answer = Answers.RETURNS_DEEP_STUBS)
     private CertificateAuthorityViewService certificateAuthorityViewService;
@@ -65,7 +69,7 @@ protected ProductionCaController createSubjectController() {
         );
     }
 
-    @Before
+    @BeforeEach
     public void setUp() {
         CertificateAuthorityData ca = mock(CertificateAuthorityData.class);
 
diff --git a/src/test/java/net/ripe/rpki/web/SpringWebControllerTestCase.java b/src/test/java/net/ripe/rpki/web/SpringWebControllerTestCase.java
index 366a340..15df555 100644
--- a/src/test/java/net/ripe/rpki/web/SpringWebControllerTestCase.java
+++ b/src/test/java/net/ripe/rpki/web/SpringWebControllerTestCase.java
@@ -2,17 +2,18 @@
 
 import lombok.NonNull;
 import org.junit.Before;
+import org.junit.jupiter.api.BeforeEach;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-import org.thymeleaf.spring5.SpringTemplateEngine;
-import org.thymeleaf.spring5.view.ThymeleafViewResolver;
+import org.thymeleaf.spring6.SpringTemplateEngine;
+import org.thymeleaf.spring6.view.ThymeleafViewResolver;
 import org.thymeleaf.templateresolver.FileTemplateResolver;
 
 public abstract class SpringWebControllerTestCase {
 
     protected MockMvc mockMvc;
 
-    @Before
+    @BeforeEach
     public void setUpMockMvc() {
         this.mockMvc = MockMvcBuilders
             .standaloneSetup(createSubjectController())
diff --git a/src/test/java/net/ripe/rpki/web/UpstreamCaControllerTest.java b/src/test/java/net/ripe/rpki/web/UpstreamCaControllerTest.java
index 51a3a08..18936c9 100644
--- a/src/test/java/net/ripe/rpki/web/UpstreamCaControllerTest.java
+++ b/src/test/java/net/ripe/rpki/web/UpstreamCaControllerTest.java
@@ -1,6 +1,7 @@
 package net.ripe.rpki.web;
 
 import lombok.NonNull;
+import net.ripe.rpki.TestRpkiBootApplication;
 import net.ripe.rpki.commons.ta.domain.request.TrustAnchorRequest;
 import net.ripe.rpki.commons.util.VersionedId;
 import net.ripe.rpki.server.api.commands.AllResourcesCaResourcesCommand;
@@ -15,14 +16,17 @@
 import net.ripe.rpki.server.api.services.read.CertificateAuthorityViewService;
 import net.ripe.rpki.server.api.services.system.ActiveNodeService;
 import net.ripe.rpki.services.impl.background.AllCaCertificateUpdateServiceBean;
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Answers;
 import org.mockito.Mock;
-import org.mockito.junit.MockitoJUnitRunner;
+import org.mockito.Mockito;
+import org.mockito.junit.jupiter.MockitoExtension;
 import org.springframework.boot.info.GitProperties;
+import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.http.HttpStatus;
+import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.web.servlet.MvcResult;
 
 import java.net.URI;
@@ -44,7 +48,9 @@
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 
 
-@RunWith(MockitoJUnitRunner.class)
+@ActiveProfiles("test")
+@SpringBootTest(classes = TestRpkiBootApplication.class)
+@ExtendWith(MockitoExtension.class)
 public class UpstreamCaControllerTest extends SpringWebControllerTestCase {
 
     @Mock(answer = Answers.RETURNS_DEEP_STUBS)
@@ -67,14 +73,14 @@ protected UpstreamCaController createSubjectController() {
             certificateAuthorityViewService, commandService, allCaCertificateUpdateServiceBean, Collections.emptyMap(),  new GitProperties(new Properties()));
     }
 
-    @Before
+    @BeforeEach
     public void setUp() {
         when(repositoryConfiguration.getPublicRepositoryUri()).thenReturn(URI.create("rsync://example.com/rpki/repository"));
         when(activeNodeService.getActiveNodeName()).thenReturn("active-node");
 
         aca = mock(ManagedCertificateAuthorityData.class);
-        when(aca.getVersionedId()).thenReturn(new VersionedId(1));
-        when(aca.getType()).thenReturn(CertificateAuthorityType.ALL_RESOURCES);
+        Mockito.lenient().when(aca.getVersionedId()).thenReturn(new VersionedId(1));
+        Mockito.lenient().when(aca.getType()).thenReturn(CertificateAuthorityType.ALL_RESOURCES);
         when(certificateAuthorityViewService.findCertificateAuthorityByName(any())).thenReturn(aca);
     }
 
diff --git a/src/test/resources/application-test.yml b/src/test/resources/application-test.yml
index 3a7fc4b..9664a8e 100644
--- a/src/test/resources/application-test.yml
+++ b/src/test/resources/application-test.yml
@@ -22,6 +22,9 @@ background-services:
   schedule.enable: false
 system.setup.and.testing.api.enabled: true
 
+# **Disable** authentication for the administration web UI.
+admin.authorization.enabled: false
+
 #
 # Integrations
 #