PingDataGovernance Server 8.1.0.0 Release Notes - PingDataGovernance - 8.2

Added support for remotely invoking the collect-support-data tool using an administrative task and for invoking the tool on a regular basis as a recurring task. The tool has also been updated to add an outputPath argument to allow specifying the path or name to use for the output file.

The create-systemd-script tool now creates a "forking" service file because Ping services are started by a process (the start-server script) that is different than the actual service process.

Added support for an extended operation that can be used to invoke the collect-support-data tool from a remote system and stream the output and resulting support data archive back to the client. The collect-support-data command-line tool has been updated to support this capability through the new --useRemoteServer argument.

Fixed an issue that could cause the server to generate an administrative alert about an uncaught exception when trying to send data on a TLS-encrypted connection that is no longer valid.

The Policy Decision Service's decision-response-view configuration property now accepts more options to configure the level of detail of records in the policy decision log. For information about the options, see the Configuration Reference Guide in the server's docs directory.

The payload formats of the include-attributes and exclude-attributes advices are more permissive. If only one path is needed, you can enter a JSONPath directly; previously, you had to enter an array of strings. For example, both the payload '$.secret' and the payload '["$.secret"]' now remove the "secret" attribute from the response.

A new advice type, modify-headers, has been added which can modify both the request headers before the request to the upstream server is made, and the response headers before the response is returned to the client.

The advice type regex-replace-attributes is now available. With this advice type, you can search for attribute values based on a regular expression and replace the values in place.

The "service" value used in policy requests for SCIM 2 operations now includes the SCIM resource type, using the format "SCIM2.<resource type>". For example, if the current operation targets the "Users" resource type, then the service value used in the corresponding policy request will be "SCIM2.Users". This allows policy writers to easily match SCIM 2 requests by resource type.

Fixed a bug in which SEMI_AGGRESSIVE and AGGRESSIVE JVM Tuning Parameters were previously allowed to both be selected.

Fixed an issue where the SCIM attributes id, schemas, and meta could be removed using the Exclude Attributes Advice.

Updated the manage-profile tool to prevent displaying warnings about offline config changes when starting the server.

Previously, the HttpRequest policy request attribute used by DataGovernance to represent an HTTP request or response to the policy engine was serialized as a single JSON object. Each field of HttpRequest is now submitted to the policy engine as a distinct policy request attribute. This can improve the policy engine's policy request parsing performance and should also allow policy administrators to more effectively cache and test HttpRequest attributes.

Fixed an issue that could prevent some tools from running properly with an encrypted tools.properties file.

A license is now always required when using the manage-profile replace-profile tool.

The PingDataGovernance Gateway no longer retains the changes that policy advice performs on hop-by-hop, resource versioning, or other HTTP headers intended for proxy use.

The Sideband API now accepts prevalidated access token claims provided by an API gateway plugin. This prevents PingDataGovernance Server from duplicating work already performed by the API gateway, potentially improving overall performance in some scenarios. For information about configuring this feature, see the PingDataGovernance Server Administration Guide.

Updated the logic that the server uses to select an appropriate default set of TLS cipher suites.

Also, the Policy Decision Logger now records external policy decisions to the policy decision log as a single line for easier use with the Policy Administration GUI Decision Visualizer.

Server SDK extensions for PingDataGovernance Server no longer support the use of an internal ScimInterface. This was previously available using the getInternalScimInterface() method of the BrokerContext class.

Fixed an issue that could cause the shutdown process to stall if the server is configured to use TCP to communicate with a StatsD endpoint that has become unresponsive.

The PingDataGovernance Policy Administration GUI setup tool now uses relative paths when configuring the Advice JSON schema files.

Fixed an issue with recurring exec tasks where the working-directory attribute was ignored.

All policy files, including snapshots, deployment packages, and upgrade snapshots, are now bundled with both PingDataGovernance Server and the PingDataGovernance Policy Administration GUI in the resource/policies directory.

You can now specify a custom OpenID Connect client ID when setting up the Policy Administration GUI.

PingDataGovernance Server no longer prevents a server with an expired license from restarting.

Fixed an issue that stopped new extensions from being installed.

Fixed an issue with the way the server reports memory usage after completing an explicitly requested garbage collection.

Updated the StatsD monitoring endpoint to replace any spaces, commas, or colons with underscores, and remove and single quotes or double quotes in sent metric lines. This simplifies parsing of the produced metrics.

The Policy Administration GUI now includes decision evaluation details in decision-audit.log by default. With this change, policy writers can visualize decisions by copying and pasting the JSON into the Decision Visualizer.

Setup no longer supports adding servers to a topology with mirrored configuration when run interactively.

PingDataGovernance now provides a gauge called HTTP Processing (Percent) that measures the capacity that the server has to process new incoming HTTP requests.

Updated the server to make the general monitor entry available to JMX clients.

The XACML-JSON PDP API now requires a different request format. With this new format, you can make multiple decisions using a single HTTP request. In addition, the response format is now compliant with the XACML-JSON specification. For more information, see the PingDataGovernance Server Administration Guide.

Improved debugging support for Server SDK extensions. If debugging is enabled, the server will now generate a debug message whenever it invokes an extension. For some extension methods that return a value, the server will also generate a debug message with that return value.

Updated the PingDataGovernance setup process to support joining an existing PingDirectory topology in noninteractive mode.

To view the noninteractive arguments for joining a PingDirectory topology, in the output of setup --help, look in the "Join an Existing Directory Server Topology Options" section.

Alternatively, after setup is complete, you can run the manage-topology add-server command to join a PingDirectory topology.

Updated the cn=Cluster subtree to prevent clustered configuration changes when servers in the cluster have mixed versions. To make clustered configuration changes, either update all servers in the cluster to the same version, or temporarily create separate clusters by server version by changing the cluster-name property on the server instance configuration objects.

To avoid inconsistencies, changing a clustered configuration now requires all servers in the cluster to be on the same product version. Servers will not pull any clustered configuration from the master of the cluster if they are on a different product version.

The Policy Administration GUI setup now allows users to define policy configuration keys, trust store details, and other settings in a YAML file using the --optionsFile command-line option. For more information, see the PingDataGovernance Server Administration Guide.

Fixed an issue with manage-profile replace-profile where certain configuration changes for recurring task chains were not being applied.

Fixed an issue where the SCIM Impacted Attributes Provider would return all the attributes of a SCIM PUT request instead of only those that have been modified.

The embedded PDP now automatically loads new, updated, or deleted policy configuration keys. Previously, any policy configuration key change required you to restart the embedded PDP.

The PingDataGovernance Policy Administration GUI setup tool now stores certain configuration values, including their default values, as environment variables. For example, the configuration property server.applicationConnectors[0].port has the value ${PING_PORT:-443}. An administrator can override this value by setting a PING_PORT environment variable before starting the Policy Administration GUI. If the environment variable is not present, then the GUI uses the default value of 443.

Fixed an issue that prevented password changes for topology administrators unless their password policy was configured to allow pre-encoded passwords.

Fixed an issue that could cause the PingDataGovernance license to be deleted when joining a PingDirectory topology using manage-topology add-server.

Critical: Addressed an issue that could lead to slow, off-heap memory growth. This only occurred on servers whose cn=Version,cn=monitor entry was retrieved frequently.

When setting up the Policy Administration GUI in noninteractive mode, you can now specify the base URL of an OpenID Connect provider instead of a hostname and port. With this change, you can use the Policy Administration GUI with OpenID Connect providers that include a customer-specific ID in their URLs, such as PingOne.

PingDataGovernance Server now requires a Trust Framework version to be explicitly specified in the Policy Decision Service configuration. The Trust Framework version configuration determines the format used by the server to generate policy requests and must be compatible with the actual Trust Framework used by your policies. For more information about Trust Framework versions, see the PingDataGovernance Server Administration Guide.

PingDataGovernance Server will now also raise an alarm and mark the server as UNAVAILABLE if the Policy Decision Service is not ready to evaluate policies and requires further configuration. This will happen, for example, after installing the server for the first time.

Services in the Trust Framework now support more flexible handling of TLS connection security: A service can use a client certificate provided by a key store to handle mutual TLS authentication with an external server; also, a service can use a custom trust store to determine whether the certificate presented by an external server should be accepted. For embedded PDP mode, you can configure the Policy Decision Service with any necessary key stores or trust stores using the service-key-store and service-trust-store properties, respectively.

Updated the base monitor entry to include locationName and locationDN attributes if the server is configured with a location.

Updated the Server SDK to add ClientContext and OperationContext methods for obtaining the name and DN of the associated client connection policy.

Updated the file servlet HTTP servlet extension to add support for requiring authentication to access the content. You can limit access to members of a specified set of groups.

Added the HttpRequest.IPAddress and HttpRequest.AccessToken.access_token attributes to the default Trust Framework. The HttpRequest.IPAddress attribute contains the client IP address, while the HttpRequest.AccessToken.access_token attribute contains the raw access token provided by the client. The latter can be useful when authenticating to HTTP services from the Trust Framework. Please note that these attributes are only available when using Trust Framework v2.

DataGovernance will now enter an UNAVAILABLE state when all of the LDAP external servers backing the UserStoreAdapter are unavailable.

Fixed an issue that could prevent setup from generating a self-signed certificate for systems with non-ASCII hostnames.

The values of Trust Framework attributes marked as secret are now recorded to the policy decision log in encrypted form when using embedded PDP mode.

In addition, the trace logger now supports two new options for the pdp-message-type property, "info" and "warning". When these options are enabled, the trace log will record additional details about embedded PDP processing, such as summary information about policy information provider invocations.

The Policy Administration GUI setup tool now automatically upgrades the policy database if an older version is detected.

The Policy Administration GUI now allows users to override additional configuration values at runtime using UNIX environment variables for the policy database credentials (PING_DB_APP_USERNAME, PING_DB_APP_PASSWORD) and the file location (PING_H2_FILE). For more information, see the PingDataGovernance Server Administration Guide.

Fixed an issue where mirrored subtree polling could produce config archive files that were identical or ignored the configured insignificant attributes list.

Added the --zip argument to the manage-profile generate-profile subcommand, which you can use to generate a zipped server profile.

Added an administrative task that you can use to generate a server profile. Also added a corresponding recurring task that you can use to invoke the task on a regular basis.

Added an instance root file servlet to the default configuration. HTTPS requests to /instance-root by authenticated users with the file-servlet-access privilege will be granted access to files within the server instance root.

Fixed an issue where using the modify-query advice would cause special characters to be percent-encoded twice.

Servers running on Linux will now log a warning about possible performance impacts if the current memory control group has memory.swappiness set to a nonzero value.

Fixed an issue in which the Sideband API would respond with an HTTP 500 error if a request to /sideband/response was missing required subfields of the request field.

Added a disable-response-processing property to SCIM Resource Types. Use this property to prevent policy calls for "retrieve" after a "create", "modify", or "replace". Also use it to prevent policy calls for "retrieve" or "search-results" after a "search".

Added a disable-response-processing property to Gateway API Endpoints. Use this property to prevent outbound policy calls and advice processing for Gateway requests.

The server now warns the administrator at startup if there are multiple versions of the same jar listed in the classpath and the first one in the classpath is not the newest one.

• The Library has been promoted to a separate subsection of the Policy Manager.
• The previous selected entity is now selected when switching back from tabs in Trust Framework.
• The use of language in the UI has been cleaned up. Toolbox is now Components, and editor screens are no longer postfixed with Editor.
• The GUI can now parse testing responses with failed value processing.

The Policy Administration GUI now maintains a buffer of recent policy decision requests that you can view in the Decision Visualizer. This view provides useful details about policy decision requests and responses, attribute resolution, and service calls that would otherwise only be available in the server's policy decision log.

HTTP services you define in the Trust Framework no longer perform hostname validation if server certificate validation is set to No Validation.

When you define a new policy in the Policy Administration GUI, the default combining algorithm for the new policy is now The first applicable will be the final decision. This algorithm stops evaluating as soon as a decision other than NOT_APPLICABLE is reached. The previous default combining algorithm was Unless One Decision is Deny, the Decision will be Permit.

Fixed an issue in which the Policy Administration GUI login page could fail to behave correctly when loaded directly from a URL or through the web browser history.

Fixed an issue in the Policy Administration GUI in which importing a snapshot would fail with the error message "Unable to decode object".

Fixed various drag-and-drop issues in the Policy Administration GUI.

Fixed a policy engine issue in which a validation exception could be thrown if an attribute containing a processor with named attributes was interpolated in an advice payload.

Fixed an issue in which multiple uses of the system "Current DateTime" attribute resolver in a single decision request or batch of requests did not yield the same value.

Fixed an issue in the policy engine in which Zoned Date Time values were not represented in textual form using the correct ISO-8601 encoding.

Fixed a policy engine issue in which converting the string "-1" to a boolean would yield a result of False. This will now cause a type conversion error.

Fixed a policy engine issue in which converting the number -1 to a boolean would yield a result of False. This will now return True.