The following enhancements and resolved issues are included in this release.
Enhancements
These are new features for this release of PingDataGovernance Server:
- The Policy Administration GUI now provides integrated testing capability where policy writers can define tests, scenarios, and assertions for verifying most Policy Manager and Trust Framework entities. Using a test-driven development approach and regression test suites, policy writers can increase the quality of their policies and decrease the risk of policy changes.
- The Policy Administration Guide now includes step-by-step solutions to common use cases. Use these tutorials to learn common patterns of policy administration and to accelerate the development of new use cases.
- Added new Value Processor types that simplify handling of collections in the Trust Framework. With Collection Filters, you can extract a subset of a collection by defining a boolean expression that determines which items to keep. With Collection Transforms, you can apply one or more processors to each item, producing a new value for each item.
- The official Policy Administration GUI Docker image has been improved for easier configuration. New environment variables have been added to enable single sign-on, periodic database backup, and administrative roles and permissions.
- The Administrative Console now supports using OpenID Connect for admin SSO, allowing you to set up the PingOne administration console to have one-click SSO access without typing a password.
- PingDataGovernance now periodically logs operational performance metrics for improved observability, capacity planning, and elastic scaling. Per-resource transaction counts and latency are logged for the Gateway API, Sideband API, and SCIM service.
- PingDataGovernance supports signed deployment packages. With this feature, a customer who has multiple PingDataGovernance environments can ensure that the policies developed in the Policy Administration GUI of one environment are only deployed to the PingDataGovernance runtime servers of the same environment.
- PingDataGovernance now provides a better way to perform a sorted search on a large dataset using SCIM 2.0. In this version of PingDataGovernance, SCIM searches with the proper search parameters can be returned in pages if the backend server is a PingDirectory server.
- PingDataGovernance now generates Swagger documentation for SCIM resource type configuration. Developers can use the Swagger documentation and specifications to learn and develop SCIM-based services more quickly.
Upgrade considerations
Upgrade considerations are no longer part of the release notes. That information is now in "Upgrading PingDataGovernance Server" in Upgrade considerations.
Resolved issues
The following issues have been resolved with this release of PingDataGovernance Server.
Ticket ID | Description |
---|---|
DS-5143, DS-11035 | Updated support for logging access and error log messages to a syslog server. While the server previously supported logging these messages to a syslog server (through the "syslog-based access log publisher" and "syslog-based error log publisher" logger implementations), these loggers used an older version of the syslog protocol (described in RFC 3164) and only offered support for communicating over UDP. These loggers are still available for legacy backward compatibility, but we now also offer new "syslog text access log publisher" and "syslog text error log publisher" implementations that use a newer version of the syslog protocol (syslog version 1, described in RFC 5424) and support communicating over UDP or the more reliable TCP. When using TCP, it is also possible to encrypt communication with TLS, and it is possible to configure multiple servers for better redundancy. These loggers use the same space-delimited text format as the former loggers. We also offer new "syslog JSON access log publisher" and "syslog JSON error log publisher" implementations that offer the same set of capabilities, but that format the message text as JSON objects, which can be more easily parsed by third-party software. |
DS-10320, DS-12550, DS-12551, DS-12552, DS-42116, DS-42162, DS-42179, DS-42222, DS-42223, DS-42224, DS-42225, DS-42416, DS-42437 | Added a config/sample-dsconfig-batch-files directory with a set of well-commented dsconfig batch files to help you understand how to enable or configure a variety of features in the server. |
DS-11524, DS-41860, DS-42112 | Added support for new administrative alert types: |
DS-13853 | Added support for the OAUTHBEARER SASL mechanism (as described in RFC 7628) to allow LDAP clients to authenticate with OAuth 2.0 bearer tokens. |
DS-15864 | Replaced the ldappasswordmodify tool with a new version that offers more functionality, including support for additional controls, support for multiple password change methods (the password modify extended operation, a regular LDAP modify operation, or an Active Directory-specific modify operation), and the ability to generate the new password on the client. |
DS-17903 | Updated setup to provide a |
DS-36088 | Updated the crypto manager to make it possible to augment the set of enabled TLS cipher suites with specific suites to add to or remove from the default set of enabled suites. To enable one or more suites in addition to those in the default set, prefix the names of those suites with the "+" symbol. To disable one or more suites in the default set of enabled suites, prefix the names of those suites with the "-" symbol. This was already possible when configuring cipher suites for the LDAP and HTTP connection handlers, but it was not an option for the crypto manager. |
DS-36845, DS-42458 | The SCIM 2 service now automatically generates a Swagger 2 specification document based on the server's SCIM 2 configuration. View this documentation by visiting the URL https://<your-server>/api-docs in a web browser. |
DS-38110 | Updated the System Information monitor with an |
DS-38118, DS-42495 | Made several updates related to the server's handling of data written to standard output and standard error. |
DS-38868 | Updated setup to create a second encryption settings definition if data encryption is enabled. The tool continues to create a definition for 128-bit AES encryption for use as the preferred definition to preserve backward compatibility with existing servers in the topology, but it now also generates a definition for 256-bit AES encryption. The 256-bit AES definition might become the preferred definition in a future release, but you can use it now by first ensuring that any existing instances are updated to contain the new definition (with the encryption-settings export and encryption-settings import commands) and then making it the preferred definition (with encryption-settings set-preferred) in all instances. |
DS-39376 | The PingDataGovernance Policy Administration GUI start-server and stop-server tools are now more consistent with other Ping Identity products. In addition, users can now pass the |
DS-39789 | Updated the JVM memory usage monitor provider to fix an issue that could prevent the monitor from reporting the total amount of memory held by all memory consumers. Also, fixed an issue that could cause the memory-consumer attribute to use an incomplete message for consumers without a defined maximum size and added an additional memory-consumer-json attribute whose values are JSON objects with data that can be more easily extracted by automated processes. |
DS-40296 | Fixed an issue in which mapping a path parameter in |
DS-40310, DS-40311 | PingDataGovernance Server now validates path parameters used in Gateway API Endpoints and Sideband API Endpoints more strictly. The configuration properties |
DS-40650 | Updated the collect-support-data tool so that you can specify how much data to capture from the beginning and end of each log file to include in the support data archive. You can also specify the capture size when invoking the tool through an administrative task, recurring task, or extended operation. |
DS-40828 | Fixed an issue where some state associated with a JMX connection was not freed after the connection was closed. This led to a slow memory leak in servers that were monitored by an application that created a new JMX connection each polling interval. |
DS-40903, DS-41075, DS-43083 | Fixed an issue in which PingDataGovernance formatted the following policy request attributes using a date/time format that the policy engine could not parse: |
DS-40967 | Eliminated a misleading error message that could be logged at startup if the server was configured with one or more ACIs that only apply when using specific SASL mechanisms. |
DS-41308 | PingDataGovernance Server now provides more information about the current policy request to custom advice implementations written using the Server SDK. The additional information includes the service name, the token owner, and the access token claims. |
DS-41350 | Fixed an issue where disabling certain backends (such as 'alarms') caused an internal monitor to log unnecessary error messages every few seconds about not being able to gather data from that backend. Note that deliberately disabling the 'alarms' backend is not recommended in normal operation, but might occur during backup/restore operations. |
DS-41774 | Users can now start the PingDataGovernance Policy Administration GUI in the foreground by passing the |
DS-41866 | PingDataGovernance can now perform SCIM 2 paged searches on result sets greater than the configured lookthrough limit. This feature is only available when using an LDAP Store Adapter and requires configuring a VLV index on the backend PingDirectory Server first. For more information, see Using paged SCIM searches. |
DS-41870, DS-42660, DS-42677, DS-42802 | The Sideband API includes a number of improvements to ease API gateway integration and troubleshooting. |
DS-41964 | Fixed an issue with the manage-profile tool where files in a server profile's dsconfig/ directory without a .dsconfig extension could cause failures in manage-profile replace-profile when validating updated dsconfig files. |
DS-41989 | Fixed an issue that could result in duplicate column headers being produced by the Periodic Stats Logger, even when the |
DS-42045 | Updated the Stats Collector Plugin with a new property. When using the plugin exclusively for providing metrics to one or more StatsD Monitoring Endpoints, set this property to false to prevent unnecessary I/O. |
DS-42059, DS-42060 | Updated setup to add options for improving communication security. You can use the |
DS-42061 | Updated the interactive command-line tool framework to prefer establishing secure LDAP connections over insecure connections. Previously, when prompting for the information needed to establish a connection, the default option was to create an unencrypted LDAP connection. Now, tools default to creating an SSL-encrypted connection if the server supports it, or to creating a StartTLS-encrypted connection if that is available but SSL is not. Tools also default to using streamlined settings when establishing secure connections. Previously, they would always prompt about how to determine whether the server's certificate chain should be trusted. When using the streamlined settings, the tools only prompt about certificates that cannot automatically be considered trusted using information in the JVM's default trust store, the server's default trust store (config/truststore), or the server's topology registry. |
DS-42062 | Updated the root password policy so that LDAP bind responses for root users and topology administrators are delayed by one second after five consecutive failed authentication attempts. |
DS-42063 | Updated the "delay bind response" failure lockout action to provide an option to delay the response to bind requests initiated by non-LDAP clients (for example, when using HTTP basic authentication). This option is disabled by default because delaying the bind response for non-LDAP clients might require temporarily blocking the thread used to process the request, which could increase the risk of a denial-of-service attack. To help mitigate this risk, if you enable delayed bind responses for non-LDAP clients, we recommend that you also increase the number of request handler threads for all enabled HTTP connection handlers. |
DS-42115 | Updated the server's command-line tool framework to make it easier and more convenient to communicate with the server over a secure connection when no trust-related arguments are provided. Most noninteractive tools now check the server's default trust store, the topology registry, and the JVM's default trust store to see if the presented certificate chain can be automatically trusted without the need to prompt the user. If the presented chain cannot be automatically trusted, the user might be interactively prompted to determine whether it should be trusted. |
DS-42166 | The advice type |
DS-42199 | Optimized some searches commonly used by the status tool. This should improve the performance of the tool in more complex or large-scale environments. |
DS-42276 | Fixed an issue where using the |
DS-42279 | Updated the server to require a minimum key size of 2048 bits when negotiating a TLS cipher suite that uses ephemeral Diffie-Hellman key exchange. |
DS-42298 | Replaced the ldifsearch, ldifmodify, and ldif-diff command-line tools with more full-featured and robust implementations. |
DS-42331 | Replaced the ldapcompare tool with a new version that offers more functionality, including support for multiple compare assertions, following referrals, additional controls, and multiple output formats (including tab-delimited text, CSV, and JSON). |
DS-42347 | Updated the server to use /dev/urandom (on non-Windows systems where that path exists and is readable) instead of /dev/random as the primary source for secure random data. Attempts to read from /dev/random can block if the underlying system does not have sufficient entropy, which can have a severe adverse effect on performance. Reads from /dev/urandom do not block, and the data that it provides is no less secure than data from /dev/random in any way that matters for the server. |
DS-42402 | The Policy Administration GUI now uses the MAX_HEAP_SIZE environment variable to set its minimum and maximum heap size. If no value is available, the Policy Administration GUI uses a default value of 2g. |
DS-42456 | Fixed an issue where |
DS-42461 | The Policy Administration GUI command-line tools now produce execution logs in tool-specific log files. |
DS-42504 | Updated manage-profile replace-profile to set encryption settings definitions defined in the newer server profile as preferred in the encryption settings database. |
DS-42518 | The PingDataGovernance Policy Administration GUI setup tool now provides the |
DS-42521 | The Policy Administration GUI now adds JAR files placed in the lib/extensions folder to the server runtime classpath, for use during SpEL evaluation. |
DS-42547 | Fixed an issue where manage-profile generate-profile would print null as the generated profile directory when writing to an existing directory. |
DS-42605 | Previously, when evaluating a policy rule with multiple conditions, the policy engine would evaluate every condition in the group. The policy engine now stops evaluating conditions as soon as the overall result can be deduced. For example, given a group condition of the form "X AND Y", the policy engine will not evaluate Y if X is false. This change applies to both embedded PDP mode and external PDP mode. |
DS-42607 | You can now configure the Policy Administration GUI to cryptographically sign deployment packages. You can configure PingDataGovernance Server in turn to only accept deployment packages signed by a trusted source. For information about configuring both the Policy Administration GUI and PingDataGovernance Server to use signed deployment packages, see Use signed deployment packages. |
DS-42609 | Fixed an issue in which the Directory REST API could fail to decode certain credentials when using basic authentication. |
DS-42632 | Added support for creating or importing a key pair configuration object using an elliptic curve (EC) key algorithm. You can use this to designate the encryption key pair for a JWT access token validator that handles EC-encrypted access tokens. |
DS-42634 | The JWT Access Token Validator can now validate JWT access tokens signed using the elliptic curve digital signature algorithms ES256, ES384, and ES512. |
DS-42635 | The JWT Access Token Validator can now validate JWT access tokens encrypted using elliptic curve cryptographic algorithms. The following key encryption algorithms are now supported in addition to RSA-OAEP: ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, and ECDH-ES+A256KW. To support best practices for JWT security, you must now also configure the JWT Access Token Validator with explicit allow lists for key encryption and content encryption algorithms. For backward compatibility, the key encryption allow list defaults to RSA-OAEP, while the content encryption allow list defaults to A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512. We recommend setting both allow lists to the strict minimum set of algorithms needed by the Access Token Validator. |
DS-42651 | Updated the |
DS-42661 | Fixed an issue in which a request to /sideband/request with a "body" value of "" (an empty string) would result in a response with a "body" value of "null". Now the Sideband API always omits null or empty values from responses. |
DS-42667 | Updated the server to set a unique cluster name when started for the first time. |
DS-42669, DS-42748 | Updated the online dsconfig step of the manage-profile replace-profile subcommand to support getting LDAP connection arguments from a tools.properties file on the server being updated. Fixed an issue where boolean LDAP connection arguments like |
DS-42673 | Updated the manage-profile setup subcommand to fail if the start-server command has a non-zero exit code. |
DS-42681, DS-42684 | The Periodic Stats Logger can now publish performance statistics generated by the Sideband API. To enable this, use the |
DS-42682 | The Periodic Stats Logger can now publish performance statistics that the SCIM 2 service generates. To enable this, use the |
DS-42683 | The Periodic Stats Logger can now publish performance statistics that the Gateway service generates. To enable this, use the |
DS-42687 | Upgraded to Jetty 9.4.30. |
DS-42740 | Fixed an issue where the dsconfig list subcommand would not display requested properties. |
DS-42749 | To support best practices for JWT security, you must now configure the JWT Access Token Validator with an explicit list of the JWT signing algorithms that it accepts. For backward compatibility, this list defaults to the RSA signing algorithms RS256, RS384, and RS512, but we recommend setting this list to the strict minimum set of signing algorithms needed by the Access Token Validator. |
DS-42751 | Added new |
DS-42794 | The PingDataGovernance Policy Administration GUI now provides the Test Suite capability, allowing policy writers to store and re-run test scenarios. |
DS-42819 | Fixed an issue in which a Sideband API request with a "body" value of "" (an empty string) could cause PingDataGovernance Server to generate a policy request with an HttpRequest.RequestBody or HttpRequest.ResponseBody value of "null". |
DS-42850 | Fixed a typo in the password-expiring template that caused |
DS-42861 | Updated the manage-profile tool logs to include the duration of each step the tool takes. The new |
DS-42872 | Added a JSON-formatted stats logger to the server's default configuration. The stats logger is disabled by default. |
DS-42886 | Updated noninteractive setup (including manage-profile setup) to allow the password for the initial root user to be provided in pre-encoded form using the PBKDF2, SSHA256, SSHA384, or SSHA512 password storage scheme. This eliminates the need to have access to the clear-text password when setting up the server. |
DS-42926 | Fixed an issue where PingDataGovernance Server was sometimes unable to automatically restart following an unplanned reboot. This happened if it was configured to run as a Microsoft Windows service and was due to a corrupted server status file. |
DS-42939 | The Administrative Console configuration settings have been updated to account for the new SSO functionality. |
DS-42943 | Fixed an issue where the PingDataGovernance Gateway rejected requests with methods such as GET or DELETE if a message body was included. The Gateway now allows these, unless advanced setting |
DS-42952 | For Windows only, there can be a hang on start when global configuration property |
DS-42963 | Updated the manage-profile generate-profile subcommand to ignore files larger than 100 megabytes when generating a server profile. Fixed an issue where many large files in the server root could cause the tool to run out of memory. |
DS-43027 | Added the |
DS-43065 | Fixed an issue where the PingDataGovernance Gateway API used status code 500 Internal Server Error when responding to gateway requests with invalid query syntax. The API now responds with status code 400 Bad Request. |
DS-43073, DS-43198 | Added support for ID Token Validators, which validate the integrity and content of ID tokens issued by OpenID Connect providers. Use these validators with the OAuth Bearer SASL Mechanism Handler to enable single sign-on (SSO) for the Administrative Console using an OpenID Connect provider such as PingOne. Currently, only PingOne is supported for SSO. |
DS-43074 | Added three built-in identity mappers that you can use to look up administrative accounts stored in the server configuration: Root DN Users, Topology Admin Users, and All Admin Users. |
DS-43288 | Updated setup and replace-certificate to improve the way we generate self-signed certificates and certificate signing requests, making them more palatable to clients. To reduce how often administrators had to replace self-signed certificates, we previously used a very long lifetime for self-signed certificates generated by setup or replace-certificate. However, some clients (especially web browsers and other HTTP clients) have started objecting more strenuously to certificates with long lifetimes, so we now generate self-signed certificates with a one-year validity period. The inter-server certificate (which is used internally within the server and is not exposed to normal clients) is still created with a twenty-year lifetime. Also, the replace-certificate tool's interactive mode has an improved process for obtaining the information to include in the subject DN and subject alternative name extension for self-signed certificates and certificate signing requests. The following changes have been made in accordance with CA/Browser Forum guidelines: |
DS-43305 | Increased the maximum number of RDN components that a DN can have from 50 to 100. |
DS-43376 | Updated log publisher logic to reduce the amount of CPU that the server consumes when it is idle. |
DS-43425 | The Policy Administration GUI setup and start-server tools now use the PING_EXTERNAL_BASE_URL environment variable, if it is present, to set the hostname and port of the Policy Administration GUI's OpenID Connect redirect URI. The PING_EXTERNAL_BASE_URL environment variable should contain the server's public hostname and port in the form "hostname:port" or "hostname" (if using the default HTTPS port of 443). |
DS-43480 | Updated the system information monitor provider to restrict the set of environment variables that can be included. Previously, the monitor entry included information about all defined environment variables, as that information can be useful for diagnostic purposes. However, some deployments might include credentials, secret keys, or other sensitive information in environment variables, and that should not be exposed in the monitor. The server now only includes values from a predefined set of environment variables that are expected to be the most useful for troubleshooting problems and that are not expected to contain sensitive information. |
DS-43517 | Updated the jose4j library used for JWT signing and encryption to version 0.7.2. |
No ID | Added new Value Processor types that simplify handling of collections in the Trust Framework. With Collection Filters, you can extract a subset of a collection by defining a boolean expression that determines which items to keep. With Collection Transforms, you can apply one or more processors to each item, producing a new value for each item. |
No ID | Policy rules can now use the new Is In and Is Not In comparisons. These are similar to the existing Contains and Does Not Contain comparisons, but the comparison works in reverse. Whereas Contains and Does Not Contain are used to determine whether a policy request attribute contains or does not contain a value specified by the rule, Is In and Is Not In are used to determine whether a set of values specified by the rule contains the value of a policy request attribute. |
No ID | For use with collections, added repeatable policies and attributes that apply to each item in a collection, providing more fine-grained decision making. You can test repeatable attributes during policy development. Added the Current Repetition Value resolver type to allow resolution against each value in a collection attribute. |
No ID | You can now configure the Policy Administration GUI during setup to periodically back up its H2 database. |
No ID | Improved merge conflict and snapshot comparison handling. |
No ID | Improved audit logging of policy node deletion and cleanup of orphaned policy manager entities in the Policy Administration GUI. |
No ID | Trust Framework LDAP Services now use the UnboundID LDAP SDK. |
No ID | You can now configure the values that the Policy Administration GUI sets in its responses for these HTTP security headers: You configure these values in an options file. For an example, see the config/options.yml file. |
No ID | The Policy Administration GUI includes numerous accessibility improvements, such as enhanced screen reader support and better keyboard navigation. |
No ID | The Policy Administration GUI now automatically switches to a new branch upon creation. |
No ID | The Policy Administration GUI now supports the OAuth 2 state and OpenID Connect nonce request parameters. These provide better protection against certain classes of security attacks. |
No ID | To improve UI performance, the Policy Administration GUI now shows only the last 100 new deployment packages. You can still access older deployment packages using the REST API. |
No ID | To avoid potentially incorrect results or other unexpected behavior, the Contains operator now uses stricter comparisons. It no longer supports implicit conversions on the right-hand side of the comparison. |
No ID | The policy engine now converts Collection values to their native Java type when interpolated within a SpEL expression. |
No ID | Fixed a policy engine issue in which decision responses would not be correctly constructed if there was an unresolved attribute interpolation in a service's settings. |
No ID | Attribute values in test scenarios are no longer limited to 4000 characters. |
No ID | You can no longer generate deployment packages with invalid processing expressions. |
No ID | Fixed a reporting conflict for identical services when merging a snapshot. |
No ID | In the Policy Administration GUI, when you drag the last condition of a group outside of the group, the condition is no longer duplicated. |
No ID | Fixed an issue in the Policy Administration GUI where you were not prompted to save changes when navigating away from the new entity creation page with an unsaved entity. |
No ID | Fixed an issue that restricted the number of root entities in an exported snapshot. |
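The DS-36088 entry above describes "+"/"-" prefixed cipher suite names that augment a default set. The following Python function is an added illustration of that resolution logic, not PingDataGovernance code; the default suite set is constructed for the example, and the handling of an unprefixed list (treated as an explicit replacement for the defaults) and of mixed prefixed and unprefixed entries (reported rather than guessed at) are assumptions of this example, not documented server behaviour.

```python
# Added example (not PingDataGovernance code): resolve a configured TLS
# cipher-suite list against a default set, where "+NAME" adds a suite to the
# defaults and "-NAME" removes one, as the DS-36088 note describes.

# Constructed default set for this example; a real server derives its
# defaults from the JVM and its own policy.
DEFAULT_SUITES = frozenset({
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
})


def resolve_cipher_suites(configured, default_suites=DEFAULT_SUITES):
    """Return (enabled_suites, problems).

    "+NAME" adds NAME to the default set and "-NAME" removes it.  An
    unprefixed list is taken (assumption of this example) as an explicit
    replacement for the defaults; mixing prefixed and unprefixed names is
    reported as a problem and the defaults are kept unchanged, so that a
    mis-typed entry cannot silently shrink or widen the enabled set.
    """
    problems = []
    configured = list(configured or [])
    if not configured:
        return set(default_suites), problems

    prefixed = [s for s in configured if s[:1] in ("+", "-")]
    if prefixed and len(prefixed) != len(configured):
        problems.append("mixed prefixed and unprefixed entries; keeping defaults")
        return set(default_suites), problems
    if not prefixed:
        return set(configured), problems

    enabled = set(default_suites)
    added, removed = set(), set()
    for entry in configured:
        name = entry[1:]
        if not name:
            problems.append(f"entry {entry!r} has no suite name")
            continue
        if entry[0] == "+":
            added.add(name)
            enabled.add(name)
        else:
            if name not in default_suites:
                problems.append(f"{name} is not in the default set; '-' has no effect")
            removed.add(name)
            enabled.discard(name)
    for name in added & removed:
        # Both added and removed: the later "-" won above, but say so.
        problems.append(f"{name} is both added and removed; it is disabled")
    return enabled, problems
```

Surfacing the problems list rather than silently ignoring odd entries is the point of the example: with cipher-suite configuration, a typo in a "-" entry means a suite you intended to disable stays enabled.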
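The DS-42605 entry states that condition groups are now short-circuited, so in "X AND Y" the condition Y is not evaluated when X is false. The evaluator below is an added example, written for this page and not the PingDataGovernance policy engine; the condition and group classes, the sample rule and the request dictionaries are all constructed here. It records which conditions actually ran, which is the observable difference the note describes.

```python
# Added example (not the PingDataGovernance policy engine): short-circuit
# evaluation of AND/OR condition groups with a trace of which conditions
# were actually evaluated.  Condition and Group are constructed for the
# example; a condition is any callable taking the request and returning bool.


class Condition:
    def __init__(self, name, fn):
        self.name = name
        self.fn = fn


class Group:
    def __init__(self, op, *children):
        if op not in ("AND", "OR"):
            raise ValueError(f"unsupported operator {op!r}")
        self.op = op
        self.children = children


def evaluate(node, request, trace):
    """Evaluate node against request, appending the name of every condition
    that is actually evaluated to trace.  Returns as soon as the group's
    result is decided, without evaluating the remaining children."""
    if isinstance(node, Condition):
        trace.append(node.name)
        return bool(node.fn(request))
    for child in node.children:
        value = evaluate(child, request, trace)
        if node.op == "AND" and not value:
            return False        # X AND Y: Y is not evaluated when X is false
        if node.op == "OR" and value:
            return True         # X OR Y: Y is not evaluated when X is true
    # Every child was evaluated without deciding the result: an AND group
    # with all-true children is true, an OR group with all-false children
    # is false (and an empty group follows the same identity).
    return node.op == "AND"


def decide(rule, request):
    """Return (permitted, evaluated_condition_names) for a rule."""
    trace = []
    return evaluate(rule, request, trace), trace


# Constructed sample rule: the caller must be authenticated AND must hold the
# "read" scope OR be flagged as an administrator.
SAMPLE_RULE = Group(
    "AND",
    Condition("authenticated", lambda r: r.get("authenticated", False)),
    Group(
        "OR",
        Condition("has_read_scope", lambda r: "read" in r.get("scopes", ())),
        Condition("is_admin", lambda r: r.get("admin", False)),
    ),
)
```

The trace is what a policy writer should check when a condition has a resolver cost or a side effect: after this change, a condition later in a group is only resolved when the earlier conditions leave the outcome undecided, so a test suite that asserts a given attribute was resolved may need revisiting.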
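The DS-42635 and DS-42749 entries require explicit allow lists for JWT signing, key encryption and content encryption algorithms. The following Python is an added example of the header gate such a validator applies before any key lookup or cryptographic verification; it is not the JWT Access Token Validator's code, and the allow-list values and sample tokens are constructed for the example (the signature and ciphertext segments are placeholders, since only the algorithm check is shown).

```python
# Added example (not the JWT Access Token Validator): reject a token whose
# header names an algorithm outside an explicit allow list, before any
# signature verification or decryption is attempted.  Allow lists and sample
# tokens below are constructed for this example.
import base64
import json

# Constructed "strict minimum" lists for an imaginary deployment whose
# provider signs with ES256 and, when encrypting, uses ECDH-ES with A256GCM.
ALLOWED_SIGNING_ALGS = frozenset({"ES256"})
ALLOWED_KEY_ENC_ALGS = frozenset({"ECDH-ES"})
ALLOWED_CONTENT_ENC_ALGS = frozenset({"A256GCM"})


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_token_header(token, signing=ALLOWED_SIGNING_ALGS,
                       key_enc=ALLOWED_KEY_ENC_ALGS,
                       content_enc=ALLOWED_CONTENT_ENC_ALGS):
    """Return (accepted, reason) for the compact-serialized token.

    Three segments are treated as a JWS (check "alg" against the signing
    list); five segments as a JWE (check "alg" against the key-encryption
    list and "enc" against the content-encryption list).  Anything else,
    including "alg": "none", is rejected because it is never in a list.
    """
    parts = token.split(".")
    if len(parts) not in (3, 5):
        return False, f"malformed token: {len(parts)} segments"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:          # covers bad base64, bad UTF-8 and bad JSON
        return False, "header is not valid base64url-encoded JSON"
    if not isinstance(header, dict) or not isinstance(header.get("alg"), str):
        return False, "header lacks a string alg"
    alg = header["alg"]
    if len(parts) == 5:
        enc = header.get("enc")
        if alg not in key_enc:
            return False, f"key encryption algorithm {alg!r} not in allow list"
        if enc not in content_enc:
            return False, f"content encryption algorithm {enc!r} not in allow list"
        return True, "JWE header accepted"
    if alg not in signing:
        return False, f"signing algorithm {alg!r} not in allow list"
    return True, "JWS header accepted"


def _make_token(header, segments):
    """Build a compact token from a header dict and placeholder segments."""
    head = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return ".".join([head] + segments)


# Constructed sample tokens (payload, signature and ciphertext are placeholders).
SAMPLE_JWS_ES256 = _make_token({"alg": "ES256", "typ": "JWT"}, ["e30", "c2ln"])
SAMPLE_JWS_RS256 = _make_token({"alg": "RS256", "typ": "JWT"}, ["e30", "c2ln"])
SAMPLE_JWS_NONE = _make_token({"alg": "none"}, ["e30", ""])
SAMPLE_JWE_RSA = _make_token({"alg": "RSA-OAEP", "enc": "A256CBC-HS512"},
                             ["ZWs", "aXY", "Y3Q", "dGFn"])
SAMPLE_JWE_ECDH = _make_token({"alg": "ECDH-ES", "enc": "A256GCM"},
                              ["", "aXY", "Y3Q", "dGFn"])
```

With the lists narrowed to the constructed minimum, an RSA-OAEP JWE that the backward-compatible default would still accept is refused, which is the effect the note's recommendation to use "the strict minimum set of algorithms" is after; passing wider lists to check_token_header shows the default behaviour.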