DS-45300
|
Updated Log4j2 from 2.14.1 to 2.16.0 to address CVE-2021-44228.
|
DS-45480, DS-45636
|
- Updated the topology registry to allow using issuer certificates when determining whether to trust the certificate chain presented by another server in the topology. Previously, a server's certificate chain would only be trusted if the server certificate itself was found in the topology registry. Now, a certificate chain may be trusted if either the peer certificate or any of its issuers is found in the topology registry.
- Updated the replace-certificate tool to add new list-topology-registry-listener-certificates and list-topology-registry-inter-server-certificates subcommands, which can be used to display a list of the listener or inter-server certificates for a specified server instance in the topology registry.
- Updated the replace-certificate tool to add a new add-topology-registry-listener-certificate subcommand, which can be used to add one or more certificates to the set of listener certificates for an instance in the topology registry. This subcommand does not alter the contents of any key store; it may be used to add an issuer certificate to the topology registry or to add a new peer listener certificate in advance of actually activating that certificate on the server.
- Updated the replace-certificate replace-listener-certificate subcommand to add --topology-registry-update-type and --trust-store-update-type arguments, which allow you to indicate which types of certificates to include in the topology registry and trust store, respectively. Available options include suppressing the update, only adding the listener certificate itself, only adding the listener certificate's issuers, or adding both the listener certificate and its issuers.
- Updated the replace-certificate replace-listener-certificate subcommand to add an --ignore-current-listener-certificate-validity-window argument, which allows the tool to establish a connection to the server even if its certificate has expired or is not yet valid, so that a non-valid certificate can be replaced.
|
DS-45162
|
Added support for new extended operations that can be used to help manage the server's listener and inter-server certificates. Updated the replace-certificate tool to add support for replacing and purging certificates in a remote instance and to allow skipping validation for the new certificate chain.
|
DS-41468
|
Fixed an issue that prevented the server from refreshing the monitor data used to detect and warn about an upcoming certificate expiration. This could cause the server to continue to warn about an expiring certificate even after that certificate has been replaced.
|
DS-45647
|
Fixed an issue where SCIM POST requests that violated a unique attribute constraint received an internal error instead of the expected SCIM error response.
|
DS-45280
|
The collect-support-data (CSD) tool now correctly displays the name and version of PingAuthorize.
|
DS-45746
|
Changed the LDAP SDK service behavior to fix an issue that may have caused LDAP threads to hang on class initialization.
|