---
title: PingAccess 8.0 (December 2023)
description: Info PA-15358
component: pingaccess
version: 8.2
page_id: pingaccess:release_notes:pa_rn_80
canonical_url: https://docs.pingidentity.com/pingaccess/8.2/release_notes/pa_rn_80.html
llms_txt: https://docs.pingidentity.com/pingaccess/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: March 15, 2025
section_ids:
  pingaccess-8-0-upgrade-notice-removed-h2-dependency: PingAccess 8.0 upgrade notice - removed H2 dependency
  implement-device-profiling-for-pingone-protect: Implement device profiling for PingOne Protect
  use-and-validate-oauth-2-0-dpop-bound-access-tokens: Use and validate OAuth 2.0 DPoP-bound access tokens
  configure-microsoft-azure-ad-as-a-common-token-provider-when-protecting-an-api-application: Configure Microsoft Azure AD as a common token provider when protecting an API application
  filter-applications-by-spa-support-status: Filter applications by SPA support status
  configure-static-signing-keys-for-private-key-jwt: Configure static signing keys for Private Key JWT
  use-microsoft-sql-server-2022-for-audit-event-storage: Use Microsoft SQL Server 2022 for audit event storage
  use-server-sent-events-sse-to-push-information-from-protected-resource-servers-to-web-clients: Use Server-Sent Events (SSE) to push information from protected resource servers to web clients
  configure-microsoft-azure-ad-as-the-token-provider-for-administrative-api-oauth: Configure Microsoft Azure AD as the token provider for administrative API OAuth
  map-saml-tokens-as-http-request-headers: Map SAML tokens as HTTP request headers
  choose-a-case-matching-strategy-for-admin-sso-and-oauth-roles: Choose a case-matching strategy for Admin SSO and OAuth roles
  updated-pingaccess-documentation-link-to-be-version-specific: Updated PingAccess documentation link to be version-specific
  improved-error-message-for-configuring-a-risk-policy-with-invalid-data: Improved error message for configuring a risk policy with invalid data
  removed-non-system-fonts: Removed non-system fonts
  fixed-inaccurate-oauth-endpoint-description-in-the-pingaccess-administrative-api-documentation: Fixed inaccurate OAuth endpoint description in the PingAccess administrative API documentation
  fixed-snihandlerconfigbuilder-parameter-keystore-type-declaration: Fixed SniHandlerConfigBuilder parameter keystore type declaration
  fixed-ui-rendering-issue-when-optional-field-is-missing-from-plugin: Fixed UI rendering issue when optional field is missing from plugin
  fixed-a-race-condition-resulting-in-null-values-for-replication-data: Fixed a race condition resulting in null values for replication data
  fixed-ui-rendering-breakage-when-using-groovy-script-fields-in-composite-plugin-fields: Fixed UI rendering breakage when using Groovy script fields in composite plugin fields
  fixed-form-data-registration-of-list-fields-in-composite-plugin-fields: Fixed form data registration of list fields in composite plugin fields
  fixed-object-id-override-of-key-pairs-and-certificates-imported-through-the-administrative-api: Fixed object ID override of key pairs and certificates imported through the administrative API
  fixed-log-category-preferences-not-sticking-on-restart: Fixed log category preferences not sticking on restart
  fixed-early-expiration-of-cached-pingone-protect-risk-evaluation-results: Fixed early expiration of cached PingOne Protect risk evaluation results
  fixed-azure-ad-access-token-validation-issue: Fixed Azure AD access token validation issue
  fixed-replication-configuration-identifiers-updating-before-configuration-changes-were-applied: Fixed replication configuration identifiers updating before configuration changes were applied
  fixed-exclusion-of-admin-api-oauth-configuration-from-bulk-export: Fixed exclusion of admin API OAuth configuration from bulk export
  fixed-import-failure-caused-by-multiple-trusted-certificates-in-configuration: Fixed import failure caused by multiple trusted certificates in configuration
  spurious-errors-when-installing-pingaccess-as-a-windows-service: Spurious errors when installing PingAccess as a Windows service
  zero-downtime-upgrade-limitation: Zero downtime upgrade limitation
  tls-1-3-limitation: TLS 1.3 limitation
  ipv6-limitation: IPv6 limitation
  request-preservation-not-supported-with-safari-private-browsing: Request preservation not supported with Safari private browsing
  engine-and-admin-replica-connection-issue: Engine and Admin Replica connection issue
  token-processor-issue: Token processor issue
  unread-message-body-handling: Unread message body handling
  firefox-limitation-for-time-range-rules: Firefox limitation for time range rules
  risk-based-authorization-rule-issue-during-upgrade: Risk-based authorization rule issue during upgrade
  virtual-hosts-with-shared-hostnames-retention-issue: Virtual hosts with shared hostnames retention issue
  asynchronous-front-channel-logout-issue: Asynchronous front-channel logout issue
  invalid-special-characters-permitted-in-identity-mappings: Invalid special characters permitted in identity mappings
  ui-failure-when-assigning-new-key-pair: UI failure when assigning new key pair
  slow-restarts-in-fips-mode: Slow restarts in FIPS mode
  cloudhsm-limited-in-java8u261: CloudHSM limited in Java8u261
  kong-api-limitation: Kong API limitation
  certificate-revocation-list-memory-issue: Certificate revocation list memory issue
  java-17-limitation: Java 17 limitation
  spurious-warning-after-upgrade-or-startup-on-windows: Spurious warning after upgrade or startup on Windows
  hibernate-deadlock-errors: Hibernate deadlock errors
  deadlock-when-importing-applications-with-significant-reuse: Deadlock when importing applications with significant reuse
  console-log-settings-page-doesnt-immediately-reflect-changes-made-in-the-api: Console Log Settings page doesn't immediately reflect changes made in the API
  mutual-tls-with-tls-1-3-might-not-work-with-some-target-servers: Mutual TLS with TLS 1.3 might not work with some target servers
  sni-isnt-set-up-for-virtual-hosts-only-used-in-redirects: SNI isn't set up for virtual hosts only used in redirects
---

# PingAccess 8.0 (December 2023)

## PingAccess 8.0 upgrade notice - removed H2 dependency

Info PA-15358

If you have PingAccess 6.2 or below, you cannot upgrade directly to PingAccess 8.0. You must upgrade to a version above 6.2 first, and then upgrade to 8.0.

This is because in PingAccess 8.0, an outdated H2 JAR file was removed, and PingAccess 6.2 and below use an H2 embedded database.

## Implement device profiling for PingOne Protect

New PA-15374

If you're using the [PingOne Protect integration](../agents_and_integrations/pa_p1risk_policy_eval_integration.html), you can now enable device profiling to implement attribute-based access control (ABAC) and enforce a complete zero trust strategy with PingAccess and PingOne Protect. You can:

* Set stricter constraints around when to perform a new risk evaluation.

* Automatically perform a new device profile collection and risk evaluation when an end user's IP address changes.

* Include device-related predictor types in the PingOne risk policy that you use for risk evaluation, including user and event behavior analytics and bot detection risk predictors. This enables you to use the default PingOne risk policy without needing to make any modifications and to trigger enforcement strategies like step-up authentication if abnormal device settings are detected.

Learn more about enabling device profiling in PingAccess in [Risk policy field descriptions](../pingaccess_user_interface_reference_guide/pa_risk_policy_field_descriptions.html). Learn more about PingOne predictor types in [Risk policies](https://docs.pingidentity.com/pingone/threat_protection_using_pingone_protect/p1_protect_risk_policies.html).

> **Note:** Device profile collection adds the device profile to the user's browser as cookies, which are sent to PingAccess during subsequent requests. These cookies are usually 8192 bytes in size. Before enabling device profiling, you should increase the `pa.default.maxHttpHeaderSize` property in the `<PA_HOME>/conf/run.properties` file to ensure a smooth transition.

## Use and validate OAuth 2.0 DPoP-bound access tokens

New PA-15517

Added the ability to use OAuth 2.0 Demonstrating Proof of Possession (DPoP) capabilities in a resource server role. This enables you to meet potential [FAPI 2.0 Advanced Profile](https://bitbucket.org/openid/fapi/src/master/FAPI_2_0_Advanced_Profile.md) authorization server requirements in the future and prevent fraudulent access token usage.

> **Note:** You won't be able to use DPoP with PingAccess unless both the OAuth API client and the token provider support DPoP as well. As a security best practice, keep the value of the **DPoP Proof Lifetime (SEC.)** field low and consistent with the DPoP implementation of your API client anywhere that you configure DPoP settings in PingAccess.

Enable DPoP-bound access tokens in your token provider or admin token provider configuration. You can also override the global DPoP settings in your API authentication settings, or at the application or resource level for an `API` or `Web + API` application. For more information, see:

* If you're using PingFederate as the token provider, see [Configuring OAuth resource servers](../pingaccess_user_interface_reference_guide/pa_configuring_oauth_resource_servers.html). You must use PingFederate 11.3 or later.

* If you're using PingOne as the token provider, see [Configuring PingOne](../pingaccess_user_interface_reference_guide/pa_configuring_p1.html).

* If you're using a common token provider, see [Configuring OAuth authorization servers](../pingaccess_user_interface_reference_guide/pa_configuring_oauth_authz_servers.html).

* To configure DPoP in your admin token provider settings, see [Configuring an admin token provider](../pingaccess_user_interface_reference_guide/pa_configuring_an_admin_token_provider.html).

* To override the global DPoP settings for API authentication, see [Configuring API authentication](../pingaccess_user_interface_reference_guide/pa_configuring_api_authn.html).

* To override the global DPoP settings at the application level, see [Application field descriptions](../pingaccess_user_interface_reference_guide/pa_application_field_descriptions.html).

* To override the global DPoP settings at the resource level, see [Adding application resources](../pingaccess_user_interface_reference_guide/pa_adding_application_resources.html).
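The checks a resource server performs on a DPoP-bound request, as an added example that is not PingAccess code: the proof must be typed `dpop+jwt`, its `htm` and `htu` must match the request, its `iat` must fall within the configured proof lifetime (the **DPoP Proof Lifetime (SEC.)** value), its `ath` must hash the presented access token, the token's `cnf.jkt` must equal the RFC 7638 thumbprint of the key in the proof header, and the `jti` must not have been seen before. The JWK coordinates, the access token string and the URLs are constructed, and signature verification of the proof is assumed to be done by a JOSE library and is not shown.

```python
"""Resource-server checks on an OAuth 2.0 DPoP proof (RFC 9449) with a jti replay cache.
Added illustration; not PingAccess code."""
import base64
import hashlib
import json
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed sample public keys: P-256 JWKs with made-up coordinates, not real keys.
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "x-placeholder-01", "y": "y-placeholder-01"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "x-placeholder-02", "y": "y-placeholder-02"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an EC JWK: SHA-256 over canonical JSON of crv, kty, x and y."""
    required = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    canonical = json.dumps(required, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return b64url_encode(hashlib.sha256(canonical).digest())


def canonical_htu(url: str) -> str:
    """htu is the target URI without query string or fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))


def access_token_hash(access_token: str) -> str:
    """ath: base64url(SHA-256(access token))."""
    return b64url_encode(hashlib.sha256(access_token.encode("ascii")).digest())


def build_proof(jwk: dict, method: str, url: str, iat: int, jti: str, access_token: str) -> str:
    """Builds a proof JWT with a placeholder signature (constructed). A real client signs it with
    the private half of jwk; verifying that signature is left to a JOSE library and not shown."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}
    payload = {"jti": jti, "htm": method, "htu": canonical_htu(url), "iat": iat,
               "ath": access_token_hash(access_token)}
    parts = [b64url_encode(json.dumps(x, separators=(",", ":")).encode("utf-8"))
             for x in (header, payload)]
    return ".".join(parts + [b64url_encode(b"placeholder-signature")])


class DpopProofValidator:
    def __init__(self, proof_lifetime_sec: int):
        self.proof_lifetime_sec = proof_lifetime_sec   # the "DPoP Proof Lifetime (SEC.)" setting
        self._seen_jti: Dict[str, float] = {}          # jti -> time after which it may be forgotten

    def validate(self, access_token: str, token_claims: dict, proof: str, method: str, url: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        try:
            header_b64, payload_b64, _signature = proof.split(".")
            header = json.loads(b64url_decode(header_b64))
            payload = json.loads(b64url_decode(payload_b64))
        except (ValueError, json.JSONDecodeError):
            return False, "malformed proof"
        if header.get("typ") != "dpop+jwt":
            return False, "typ must be dpop+jwt"
        if header.get("alg") not in ("ES256", "ES384", "ES512"):   # EC only, matching jwk_thumbprint
            return False, "unsupported alg"
        jwk = header.get("jwk")
        if not isinstance(jwk, dict) or jwk.get("kty") != "EC" or "d" in jwk:
            return False, "proof must carry an EC public key"
        if payload.get("htm") != method:
            return False, "htm does not match request method"
        if payload.get("htu") != canonical_htu(url):
            return False, "htu does not match request URI"
        iat = payload.get("iat")
        if not isinstance(iat, (int, float)) or abs(now - iat) > self.proof_lifetime_sec:
            return False, "proof outside the configured lifetime"
        if payload.get("ath") != access_token_hash(access_token):
            return False, "ath does not match the presented access token"
        if token_claims.get("cnf", {}).get("jkt") != jwk_thumbprint(jwk):
            return False, "access token is not bound to the proof key"
        jti = payload.get("jti")
        self._seen_jti = {k: v for k, v in self._seen_jti.items() if v > now}   # drop stale entries
        if not isinstance(jti, str) or jti in self._seen_jti:
            return False, "missing or replayed jti"
        self._seen_jti[jti] = now + self.proof_lifetime_sec
        return True, "ok"
```

Keeping the lifetime short bounds both the replay window and the size of the `jti` cache, which is why the configuration note recommends a low value that agrees with the client's implementation.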

## Configure Microsoft Azure AD as a common token provider when protecting an API application

New PA-15369

PingAccess has made common token provider configuration more flexible:

* When you're [configuring the OAuth authorization server](../pingaccess_user_interface_reference_guide/pa_configuring_oauth_authz_servers.html) for a common token provider, the **Introspection Endpoint** field is now required only if you configure a remote access token validator on your PingAccess application.

* When you're [configuring an application](../pingaccess_user_interface_reference_guide/pa_application_field_descriptions.html), before you can select a remote access token validator from the **Access Validation** list, you must configure an **Introspection Endpoint** on the **OAuth Authorization Server** tab.

This increased flexibility enables you to configure Azure AD as the common token provider for protected API applications.

> **Note:** Because Azure AD doesn't have an `introspection` endpoint and doesn't include a client ID value in the tokens it creates, you must use a key from the `JWKS` endpoint to validate tokens locally when you're protecting an API application. For more information, see [Configuring Azure AD as the common token provider when PingAccess is protecting an API application](../pingaccess_user_interface_reference_guide/pa_azure_ad_api_access_token_validation.html).

## Filter applications by SPA support status

New PA-15375

* Added the ability to filter your [applications](../pingaccess_user_interface_reference_guide/pa_applications_operations.html) by their SPA support status. For more information, see [Editing an application](../pingaccess_user_interface_reference_guide/pa_editing_an_app.html).

* Added the `SPA Support` property to the **Properties** tab on PingAccess applications. You can now check whether an application has SPA support enabled by expanding the application instead of having to expand and open it.

## Configure static signing keys for Private Key JWT

New PA-15376

By default, private key JWT OIDC code flow uses dynamic keys managed automatically by PingAccess. You can now opt to use static keys instead if you want to control key rotation yourself. For more information, see [Configuring static signing keys](../pingaccess_user_interface_reference_guide/pa_configuring_static_keys.html).

> **Note:** PingAccess currently only supports JWT signing with static keys, but might support encryption in the future.

You can:

* Enable static keys and select a signing key from your list of configured key pairs on a new page in the administrative console, **Static OAuth/OIDC Keys**. Then select a **Signing Algorithm** on the associated [web session](../pingaccess_user_interface_reference_guide/pa_creating_web_sessions.html).

* Complete your static key configuration at the token provider. Click **View Metadata** on the **Static OAuth/OIDC Keys** page to retrieve your JWKS information and submit this information to your token provider. Alternatively, use the PingAccess admin API endpoint `GET /staticKeys/JWKS` to retrieve your JWKS information.

  > **Note:** You must update your JWKS information at the token provider because static and dynamic keys use different JWKS endpoints in PingAccess. For example, if you're using PingFederate as the token provider, you must update the **JWKS URL** field in your configured [OAuth client](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_oauthclientsmanagementtasklet_oauthclientsmanagementstate.html).

## Use Microsoft SQL Server 2022 for audit event storage

New PA-15510

Added support for Microsoft SQL Server 2022 to enable migration to SQL server versions included in Microsoft's mainstream support policy.

## Use Server-Sent Events (SSE) to push information from protected resource servers to web clients

New PA-15511

Qualified support for server-sent events (SSE) in PingAccess. You can use WebSockets or SSE to facilitate communication between the requesting client and a protected site. SSE pushes real-time updates in one direction, from server to client, whereas WebSockets use bidirectional communication.

> **Note:** Follow the defined standards to signal PingAccess to establish an SSE connection to the backend server and listen for real-time events. Either:
>
> 1. Configure the backend server to send the header `Content-Type: text/event-stream` through PingAccess, or
> 2. Set the client's request header to `Accept: text/event-stream`.
>
> After it receives the appropriate header from either the backend server or the client request, PingAccess establishes an SSE connection to the backend server when it grants a user access to a protected resource. PingAccess processes and acts on each event it receives from the backend server, then pushes an update to the client through a separate SSE connection.

## Configure Microsoft Azure AD as the token provider for administrative API OAuth

New PA-15518

Added support for OAuth tokens created by Microsoft Azure AD for [administrative API OAuth](../pingaccess_user_interface_reference_guide/pa_configuring_api_authn.html). This improves account security for administrators with Microsoft Azure AD configured as the token provider and enables administrators to use their own accounts to make PingAccess API changes. Relaxed the following PingAccess requirements:

* If you're using either a common token provider or administrative token provider configuration, you can now use a local access token validator to bypass administrative API OAuth validation that checks whether the token provider supports the introspection endpoint. This is necessary because Microsoft Azure AD does not have an introspection endpoint.

* If the administrative token is validated by a local access validator, the administrative API OAuth no longer enforces whether an administrative token contains a `scope` claim with a configurable value, because Microsoft Azure AD uses a `scp` claim instead.
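A local claims check that accepts either claim name, as an added example that is not PingAccess code: the page says PingAccess skips the `scope` check for locally validated administrative tokens, whereas this example normalises `scope` and `scp` to one set so the scope requirement can still be enforced against an Azure AD token. The sample claim sets, the audience value and the scope names are constructed; the 42-character `api://` audience mirrors the `Application (Client) ID` length that the PA-15496 fix later on this page accommodates.

```python
"""Local validation of the claims in an admin API access token, accepting a PingFederate-style
`scope` claim or an Azure AD-style `scp` claim. Added illustration; not PingAccess code."""
from typing import Optional, Set, Tuple

# Constructed sample claim sets (the audience GUID and scope names are placeholders).
AZURE_STYLE_CLAIMS = {
    "aud": "api://00000000-0000-4000-8000-000000000000",   # 42 characters, longer than 32
    "scp": "pa.admin",
    "exp": 1_700_003_600,
    "sub": "constructed-object-id",
}
PINGFEDERATE_STYLE_CLAIMS = {
    "aud": "pa-admin-api",
    "scope": "openid pa.admin",
    "exp": 1_700_003_600,
    "sub": "alice",
}


def granted_scopes(claims: dict) -> Set[str]:
    """`scope` (RFC 9068: space-separated string) or `scp` (Azure AD: space-separated string,
    or a list in some token types), normalised to a set of scope names."""
    value = claims.get("scope", claims.get("scp"))
    if isinstance(value, str):
        return set(value.split())
    if isinstance(value, list):
        return {s for s in value if isinstance(s, str)}
    return set()


def audiences(claims: dict) -> Set[str]:
    """`aud` may be a single string or a list; no length limit is imposed on the value."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return {aud}
    if isinstance(aud, list):
        return {a for a in aud if isinstance(a, str)}
    return set()


def validate_admin_token(claims: dict, expected_audience: str, required_scope: Optional[str],
                         now: int) -> Tuple[bool, str]:
    """Signature and issuer checks are assumed to have been done already (for Azure AD, against a
    key from its JWKS endpoint); this covers expiry, audience and the scope requirement."""
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "token expired or has no exp"
    if expected_audience not in audiences(claims):
        return False, "audience mismatch"
    if required_scope is not None and required_scope not in granted_scopes(claims):
        return False, "required scope not granted"
    return True, "ok"
```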

## Map SAML tokens as HTTP request headers

New PA-15525

Added the ability to map the SAML token received from a SAML token mediator site authenticator to an HTTP request header that you specify instead of mapping the token as a request cookie. For more information, see the [Logged In Header Name](../pingaccess_user_interface_reference_guide/pa_saml_token_mediator_site_authn.html) field.

## Choose a case-matching strategy for Admin SSO and OAuth roles

New PA-15527

You can now choose a case-matching strategy for administrative single sign-on and OAuth roles, not just [web session attribute rules](../pingaccess_user_interface_reference_guide/pa_adding_web_session_attribute_rules.html). Selection options are:

* Case-sensitive

* Case-insensitive

* DN matching

For more information, see [Configuring API authentication](../pingaccess_user_interface_reference_guide/pa_configuring_api_authn.html) and [Configuring admin UI SSO authentication](../pingaccess_user_interface_reference_guide/pa_configuring_admin_ui_sso_authn_task.html).
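The three strategies side by side, as an added example that is not PingAccess code: plain and case-folded comparison, plus DN matching that compares attribute types and values case-insensitively, ignores whitespace around separators, keeps backslash-escaped separators intact and treats the attributes of a multi-valued RDN as unordered. That DN normalisation is a simplified RFC 4514 treatment chosen for this example; how PingAccess itself normalises DNs is not stated on this page. The group values are constructed.

```python
"""Role matching under case-sensitive, case-insensitive and DN-matching strategies.
Added illustration; not PingAccess code."""
from typing import Iterable, List, Tuple

# Constructed sample group values as an identity provider might return them.
SAMPLE_GROUPS = [
    "CN=Users,DC=example,DC=com",
    "cn=pa admins, dc=example, dc=com",
    "CN=Ops\\, Web,OU=Apps,DC=example,DC=com",
]


def split_unescaped(text: str, sep: str) -> List[str]:
    """Splits on sep while leaving backslash-escaped separators (e.g. 'Smith\\, John') intact."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def normalize_dn(dn: str) -> Tuple[Tuple[Tuple[str, str], ...], ...]:
    """Canonical form of a DN for comparison (simplified RFC 4514 treatment, an assumption)."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            attr_type, eq, value = ava.partition("=")
            if not eq or not attr_type.strip():
                raise ValueError(f"not an attribute=value pair: {ava!r}")
            avas.append((attr_type.strip().lower(), value.strip().casefold()))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)


def role_matches(actual: str, expected: str, strategy: str) -> bool:
    if strategy == "case-sensitive":
        return actual == expected
    if strategy == "case-insensitive":
        return actual.casefold() == expected.casefold()
    if strategy == "dn":
        try:
            return normalize_dn(actual) == normalize_dn(expected)
        except ValueError:
            return False  # a value that is not a DN never matches under DN matching
    raise ValueError(f"unknown strategy: {strategy}")


def has_role(group_values: Iterable[str], expected: str, strategy: str) -> bool:
    """True when any of the user's group values matches the configured role value."""
    return any(role_matches(value, expected, strategy) for value in group_values)
```

With case-sensitive matching a role that is stored as `CN=PA Admins,...` at the identity provider but configured as `cn=pa admins,...` in PingAccess silently grants nothing, so pick the strategy that matches how the provider actually emits the attribute.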

## Updated PingAccess documentation link to be version-specific

Improved PA-15378

Updated the **Help** icon link in the administrative console that takes you to the PingAccess documentation. From PingAccess 8.0 onward, this link takes you to the version of the documentation that matches the version of PingAccess that you're using.

![Screen capture showing the location of the help icon in the PingAccess administrative console.](_images/ngh1694802651623.png)

## Improved error message for configuring a risk policy with invalid data

Improved PA-15399

Improved an error message caused by sending an admin API request to create or update a risk policy with invalid or missing data. The error message no longer returns a `NullPointerException` error.

## Removed non-system fonts

Improved PA-15529

Removed old fonts from the PingAccess administrative console to improve user experience.

## Fixed inaccurate OAuth endpoint description in the PingAccess administrative API documentation

Fixed PA-15241

Fixed inaccurate reference to the OAuth authorization server as the OpenID Connect provider in the `DELETE` method of the `oauth/authServer` endpoint.

## Fixed `SniHandlerConfigBuilder` parameter keystore type declaration

Fixed PA-15270

Fixed an issue that caused the `SniHandlerConfigBuilder` to fail to declare a specific keystore type for the PingAccess `SslContext` server, which could result in PingAccess taking longer to start up if the target JVM's default keystore type was PKCS#12.

The `SniHandlerConfigBuilder` now specifically declares JKS as the keystore type to prevent unexpected performance losses.

## Fixed UI rendering issue when optional field is missing from plugin

Fixed PA-15273

Fixed an issue that caused the PingAccess administrative console UI to fail to render if a newly added configuration field was missing from the plugin data that was saved previously.

For more information, see [create your own plugins](../agents_and_integrations/pa_create_your_own_plugins.html).

## Fixed a race condition resulting in null values for replication data

Fixed PA-15380

Fixed an issue that caused unexpected behavior in PingAccess if you deleted an entity while a clustered console node was preparing a replication payload to share with other nodes in the cluster. Some examples of this unexpected behavior included:

* Hibernate throwing `EntityNotFoundException` errors.

* PingAccess adding null objects to the replication payload. This behavior didn't always register as an error in the administrative console, but could still cause the replication data readers to throw exception errors.

## Fixed UI rendering breakage when using Groovy script fields in composite plugin fields

Fixed PA-15381

Fixed an issue that caused the PingAccess administrative console UI to display a blank page if you attempted to configure a Groovy script field within a plugin entity in a composite field.

For more information, see [create your own plugins](../agents_and_integrations/pa_create_your_own_plugins.html).

## Fixed form data registration of list fields in composite plugin fields

Fixed PA-15382

Fixed an issue that caused list fields embedded in composite plugin fields to register improperly in the form data for the PingAccess administrative console UI.

For more information, see [create your own plugins](../agents_and_integrations/pa_create_your_own_plugins.html).

## Fixed object ID override of key pairs and certificates imported through the administrative API

Fixed PA-15386

Fixed an issue that caused PingAccess to replace object IDs defined on key pairs or certificates imported through the administrative API with an auto-generated object ID.

Additionally, the `POST /keyPairs/import` and `POST /certificates` API models have been updated to include more information on how to assign an ID for these object types.

## Fixed log category preferences not sticking on restart

Fixed PA-15390

Fixed an issue that caused PingAccess to reset an environment's configured [log setting categories](../pingaccess_user_interface_reference_guide/pa_log_settings.html) on startup.

## Fixed early expiration of cached PingOne Protect risk evaluation results

Fixed PA-15396

Fixed an issue with the [PingOne Protect integration](../agents_and_integrations/pa_p1risk_policy_eval_integration.html) that caused PingAccess to calculate expiration values for cached risk evaluation results in milliseconds instead of seconds. Because of this unexpected input value, PingAccess wrongly concluded that the cached risk evaluation data had already expired, which effectively disabled caching after each risk evaluation.

## Fixed Azure AD access token validation issue

Fixed PA-15496

Azure AD creates an `Application (Client) ID` value that exceeds 36 characters and automatically assigns that value as the `Audience` value in the access token. This prevented PingAccess from validating Azure AD access tokens because PingAccess previously accepted a maximum of 32 characters for an `Audience` value.

PingAccess can now accept a longer `Audience` value.

## Fixed replication configuration identifiers updating before configuration changes were applied

Fixed PA-15506

Fixed an issue that caused PingAccess engine or replica admin nodes to update their replication configuration identifier before they had finished integrating changes into their runtime configuration. This would result in nodes using stale configuration information until a new configuration change event happened.

## Fixed exclusion of admin API OAuth configuration from bulk export

Fixed PA-15537

Fixed an issue that caused admin API OAuth settings to be excluded from bulk export operations if you had configured admin API OAuth with an access token validator but hadn't set client credentials.

## Fixed import failure caused by multiple trusted certificates in configuration

Fixed PA-15568

Fixed an issue that could cause PingAccess configuration imports to fail if you had multiple trusted certificates configured in your environment.

## Spurious errors when installing PingAccess as a Windows service

Issue

When installing PingAccess as a Windows service using Windows PowerShell and Java 8, the error message `Could not find or load main class` can be safely ignored.

## Zero downtime upgrade limitation

Issue PAPQ-1034

PingAccess 6.3 deployments that use the Sideband API feature cannot be upgraded using the zero downtime upgrade procedure. You must use a planned outage to upgrade such an environment.

## TLS 1.3 limitation

Issue STAGING-8707

PingAccess may have difficulty maintaining TLS 1.3 connections when using JDK 11.0.0, 11.0.1, or 11.0.2 because of [a defect](https://bugs.openjdk.java.net/browse/JDK-8212885) in those versions. This might cause upgrades to fail on systems using these versions.

## IPv6 limitation

Issue PA-1894

PingAccess handles IPv6 literals in the `Host` header incorrectly. Note that IPv6 is not currently supported.

## Request preservation not supported with Safari private browsing

Issue PA-2896

Request Preservation is not supported with Safari Private Browsing.

## Engine and Admin Replica connection issue

Issue PA-4888

Engines and admin replicas do not connect to the admin console if a combination of IP addresses and DNS names is used.

## Token processor issue

Issue PA-6262

The token processor can't connect to a JWKS endpoint via SSL when an IP address is used rather than a hostname. To work around this issue, add the hostname as the subject alternative name on the key pair.

## Unread message body handling

Issue PA-7068

In custom PingAccess plugins, using `com.pingidentity.pa.sdk.http.Message#setBody` or `com.pingidentity.pa.sdk.http.Message#setBodyContent` directly on an exchange's Response object to modify content from the backend can put PingAccess connections into indeterminate states. The workaround is to:

1. Either make a new instance or a copy of the Response object and modify body content in the copy.

2. Call `com.pingidentity.pa.sdk.http.Exchange#setResponse` with the new or copied request and response objects.

   > **Note:** `com.pingidentity.pa.sdk.http.Exchange#setResponse` discards the pending response body from the backend immediately. In a future release, a fix will be added to discard the response body only when PingAccess writes the response to the frontend.

## Firefox limitation for time range rules

Issue PA-8651

Firefox does not correctly support the HTML5 time tag. When using the [time range rule](../pingaccess_user_interface_reference_guide/pa_adding_time_range_rules.html), enter time in 24-hour format.

## Risk-based authorization rule issue during upgrade

Issue PA-10505

Upgrades will fail with a risk-based authorization rule if a third-party service is not used in the rule.

## Virtual hosts with shared hostnames retention issue

Issue PA-11390

If you create multiple virtual hosts with a shared hostname and associate the hostname with a server key pair, the virtual hosts retain the connection with the server key pair even if they are subsequently renamed. The virtual host must be deleted and recreated to remove the association.

## Asynchronous front-channel logout issue

Issue PA-12647

Asynchronous front-channel logout might fail in some browsers depending on end-user settings. See <https://support.pingidentity.com/s/article/Managing-Single-Log-Out-in-different-browsers> for browser-specific workarounds.

## Invalid special characters permitted in identity mappings

Issue PA-13214

Invalid special characters (`(),/;<=>?@[\]{}"`) can be added to the **Certificate to Header Mapping** field in an identity mapping. Adding this identity mapping to an application causes `400` errors when the application is accessed.
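The characters listed above are the HTTP header-name delimiters, which is why a header mapping containing them produces `400` responses. The following is an added pre-check, not code from the release notes or from PingAccess, that validates the header names in a certificate-to-header mapping against the RFC 7230 token grammar before the mapping is saved. That grammar is stricter than the list above (it also rejects `:` and whitespace). The mapping shape (certificate attribute name to header name) and the sample values are constructed assumptions.

```python
import re

# Characters the release note reports as invalid in the Certificate to Header Mapping field.
PA_REPORTED_INVALID = set('(),/;<=>?@[\\]{}"')

# RFC 7230 "tchar": the only characters allowed in an HTTP header field name.
_TCHAR_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]$")


def invalid_header_name_chars(name: str) -> list:
    """Return the distinct characters in `name` that are not valid tchars,
    in order of first appearance. An empty list means every character is legal."""
    seen = []
    for ch in name:
        if not _TCHAR_RE.match(ch) and ch not in seen:
            seen.append(ch)
    return seen


def is_valid_header_name(name: str) -> bool:
    """A header name must be a non-empty run of tchars."""
    return bool(name) and not invalid_header_name_chars(name)


def validate_header_mapping(mapping: dict) -> dict:
    """Check each certificate-attribute -> header-name entry.
    Returns {attribute: [offending chars]} for the entries that would be rejected;
    an empty header name is reported as the single offender "<empty>"."""
    problems = {}
    for attribute, header in mapping.items():
        if not header:
            problems[attribute] = ["<empty>"]
            continue
        bad = invalid_header_name_chars(header)
        if bad:
            problems[attribute] = bad
    return problems


# Constructed sample mapping (not from any real deployment): two entries contain
# delimiter characters that the release note says the UI currently accepts.
SAMPLE_MAPPING = {
    "subjectDN": "X-Client-DN",
    "issuerDN": "X-Issuer(DN)",
    "serialNumber": 'X-"Serial"/Num',
}


if __name__ == "__main__":
    for attribute, bad in validate_header_mapping(SAMPLE_MAPPING).items():
        flagged = [c for c in bad if c in PA_REPORTED_INVALID]
        print(f"{attribute}: invalid header-name characters {bad}"
              f" (in the release-note list: {flagged})")
```

Run this against an export of your identity mappings before assigning them to an application; any entry it reports will fail with `400` at request time rather than at configuration time.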

## UI failure when assigning new key pair

Issue PA-13500

Assigning a new key pair to the Admin HTTPS listener if the browser does not trust the new key pair can prevent the UI from functioning. The workaround is to close the browser and re-open it so that all connections to the admin node use the new certificate.

## Slow restarts in FIPS mode

Issue PA-14239

If PingAccess is repeatedly stopped and restarted in FIPS mode, subsequent restarts can take up to 5 minutes to complete. The workaround is to use a tool such as rng-tools to refresh `/dev/random` and make more entropy available faster. For example:

```
sudo yum install rng-tools
sudo rngd -b
```
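Before restarting PingAccess in FIPS mode, it helps to know whether the host's entropy pool is the likely cause of a slow start and whether `rngd` is already feeding it. The following is an added operator check, not code from the release notes, that reads the kernel's `entropy_avail` counter, classifies it against a threshold, and prints the remediation the note above recommends. The threshold of 1000 bits and the message texts are assumptions; it is Linux-only because it reads `/proc`.

```python
from pathlib import Path
from typing import Optional

ENTROPY_AVAIL = Path("/proc/sys/kernel/random/entropy_avail")
MIN_ENTROPY_BITS = 1000  # assumed operational threshold, not a PingAccess setting


def parse_entropy(text: str) -> Optional[int]:
    """Parse the contents of entropy_avail; None when it is not a non-negative integer."""
    text = text.strip()
    return int(text) if text.isdigit() else None


def classify(bits: Optional[int], threshold: int = MIN_ENTROPY_BITS) -> str:
    """'ok' when the pool holds at least `threshold` bits, 'low' below it,
    'unknown' when the counter could not be read."""
    if bits is None:
        return "unknown"
    return "low" if bits < threshold else "ok"


def read_entropy_avail(path: Path = ENTROPY_AVAIL) -> Optional[int]:
    """Read the live counter from the kernel; None on non-Linux hosts or permission errors."""
    try:
        return parse_entropy(path.read_text())
    except OSError:
        return None


def rngd_running(proc: Path = Path("/proc")) -> bool:
    """True if any process's comm name is 'rngd' (the rng-tools daemon)."""
    for comm in proc.glob("[0-9]*/comm"):
        try:
            if comm.read_text().strip() == "rngd":
                return True
        except OSError:
            continue  # process exited between glob and read
    return False


def advise(status: str, rngd_active: bool) -> str:
    """Turn the classification into the action an operator should take."""
    if status == "ok":
        return "entropy ok"
    if status == "unknown":
        return "entropy unknown: entropy_avail not readable on this host"
    if rngd_active:
        return "entropy low but rngd is already running; allow it time to feed the pool"
    return ("entropy low and rngd not running: install rng-tools and run "
            "`sudo rngd -b` before restarting PingAccess")


def main() -> int:
    bits = read_entropy_avail()
    status = classify(bits)
    print(f"entropy_avail={bits} status={status}")
    print(advise(status, rngd_running()))
    return 0 if status == "ok" else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Newer kernels report a constant value once the pool is initialized, so the threshold should be set for the kernel you run; the point of the check is to catch a pool that has not been refilled between rapid stop/start cycles, which is the condition this known issue describes.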

## CloudHSM limited in Java8u261

Issue PA-14414

CloudHSM functionality works in FIPS mode but not in regular mode for `Java8u261` and later. `RSASSA-PSS` signing algorithms fail with `Java8u261` or later, and HSM vendors and core Java use different naming conventions for the `RSASSA-PSS` algorithm. There is a documented workaround in [Adding an AWS CloudHSM provider](../pingaccess_user_interface_reference_guide/pa_adding_an_aws_cloudhsm_provider.html).

## Kong API limitation

Issue PA-14466

Due to an outstanding defect in the Kong API Gateway, the `ping-auth` plugin currently does not support requests that utilize the `Transfer-Encoding` header. If PingAccess is used as the external authorization server, the [rewrite content rule](../pingaccess_user_interface_reference_guide/pa_adding_rewrite_content_rules.html) can prevent the page from displaying.

## Certificate revocation list memory issue

Issue PA-14621

If a client certificate has a certificate revocation list (CRL) DistributionPoint that points to an extremely large CRL, PingAccess might suffer from high memory usage, leading to out-of-memory (OOM) exceptions.

## Java 17 limitation

Issue PA-14863

BCFIPS and HSMs are not supported when using Java 17.

## Spurious warning after upgrade or startup on Windows

Issue PA-14907

After starting PingAccess for the first time on a Windows system or upgrading PingAccess on a Windows system, a warning message is logged reporting that the `pa.jwk` file was not made non-executable. This message can be ignored.

## Hibernate deadlock errors

Issue PA-14985

There are a few potential scenarios in which the PingAccess data layer might encounter deadlocks. PingAccess should be able to recover from these deadlocks, so Hibernate error logs can be ignored when they are followed by the log message `Recovered from database deadlock with transaction retry.`

## Deadlock when importing applications with significant reuse

Issue PA-14978

A race condition caused by importing applications with significant reuse of virtual hosts or context roots can deadlock the Apache Derby DB.

[PA-14974](https://docs.pingidentity.com/pingaccess/7.3/release_notes/pa_release_notes.html#fixed-potential-deadlock-issue) added systematic deadlock handling to reattempt operations that lead to a deadlock condition in Apache Derby, but a specific fix for this deadlock scenario will be added in a future release to reduce wasted cycles and warning or error log messages.

## Console **Log Settings** page doesn't immediately reflect changes made in the API

Issue PA-15351

If you have the administrative console and API open at the same time and you're on a console page that isn't **Log Settings**, the **Log Settings** page won't immediately populate any log changes that you make in the API.

To work around this issue, go to the **Log Settings** page. Perform a hard refresh, or go to another page and then return to **Log Settings**.

## Mutual TLS with TLS 1.3 might not work with some target servers

Issue PA-15449

Mutual TLS with a backend site that requires post-handshake authentication is not supported when using TLS 1.3. Current workaround options are to remove the requirement for post-handshake authentication from the backend site or to disable TLS 1.3.

## SNI isn't set up for virtual hosts only used in redirects

Issue PA-15559

Currently, SNI is only set up for virtual hosts that are actively configured in an application. This can prevent PingAccess from presenting an expected certificate for a given redirect host.

The workaround is to configure the source host in a redirect as the virtual host for a disabled PingAccess application.
