--- title: PingAccess 8.2.1 (April 2025) description: New PA-15943 component: pingaccess version: 8.3 page_id: pingaccess:release_notes:pa_821_rn canonical_url: https://docs.pingidentity.com/pingaccess/8.3/release_notes/pa_821_rn.html llms_txt: https://docs.pingidentity.com/pingaccess/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: April 1, 2025 section_ids: configure-pingaccess-to-retry-failed-target-site-connections-immediately: Configure PingAccess to retry failed target site connections immediately bcfips-library-upgraded-to-version-2-0: BCFIPS library upgraded to version 2.0 authenticate-pingaccess-agents-with-bearer-tokens-only: Authenticate PingAccess agents with bearer tokens only fixed-an-issue-with-post-authentication-method-type-expectations: Fixed an issue with post-authentication method type expectations fixed-inability-to-change-a-default-csp: Fixed inability to change a default CSP fixed-issues-starting-pingaccess-in-fips-mode-when-using-aws-cloudhsm: Fixed issues starting PingAccess in FIPS mode when using AWS CloudHSM --- # PingAccess 8.2.1 (April 2025) ## Configure PingAccess to retry failed target site connections immediately New PA-15943 The minimum value for the **Failed Retry Timeout (S)** field in PingAccess availability profile configurations is now `0` instead of `1`. This lets you to remove the delay before PingAccess retries establishing a connection to a failed target site. Learn more in [Creating availability profiles](../pingaccess_user_interface_reference_guide/pa_creating_availability_profiles.html). ## BCFIPS library upgraded to version 2.0 Improved PA-15938 Upgraded to BCFIPS 2.0 for FIPS 140-3 compliance, resulting in the following changes: * Two new properties are available in the `run.properties` file, `pa.trust.keystore.type` and `pa.trust.keystore.path`. Learn more about these properties in the **Configuration database and key store settings** section of the [Configuration file reference](../reference_guides/pa_config_file_ref.html). * PingAccess no longer supports SHA-1 while running in FIPS mode. Learn more about PingAccess features that operate differently or are unavailable in FIPS mode in [Managing Federal Information Processing Standards (FIPS) mode](../configuring_and_customizing_pingaccess/pa_fips_mode.html). For example, PKCS#12 isn't a supported keystore type in FIPS mode. ## Authenticate PingAccess agents with bearer tokens only Improved PA-15967 PingAccess engine nodes can now authenticate bearer tokens sent by a PingAccess agent without requiring the shared secret to be sent as well. By default, agents continue to send both the shared secret and the bearer token when the **Require Token Authentication** checkbox is selected. To prevent an agent from sending a shared secret, remove the `agent.engine.configuration.shared.secret` property from the `agent.properties` file you download. Learn more about bearer token authentication in [Configuring PingAccess agents to use bearer token authentication](../pingaccess_user_interface_reference_guide/pa_configuring_pa_agents_to_use_bearer_token_authn.html) and [Agent field descriptions](../pingaccess_user_interface_reference_guide/pa_agent_field_descriptions.html). | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | The PingAccess agent for Apache (Windows) hasn't yet been updated to support bearer token authentication. You can configure the agents with the new `agent.properties` file with no performance impact, but leave the **Require Token Authentication** checkbox cleared until both:- Agent compatibility is added - You've upgraded all agents to the supported version | ## Fixed an issue with post-authentication method type expectations Fixed PA-15762 We've fixed an issue that caused requests to fail because of resource method enforcement. PingAccess disables request preservation for the [templated, redirect, and PF Authentication API challenge response generators](../pingaccess_user_interface_reference_guide/pa_acr_generator_descriptions.html), expecting the frontend SPA to maintain any data that requires preservation. As a result, PingAccess was expecting a `GET` request after authentication instead of a `POST` request because PingAccess only maintains post-authentication requests as a `POST` if request preservation is enabled. ## Fixed inability to change a default CSP Fixed PA-16035 We've fixed an issue that prevented changing the default content security policy when using the **HTML OIDC Authentication Request** [authentication challenge response generator](../../9.1/pingaccess_user_interface_reference_guide/pa_acr_generator_descriptions.html). We've also added the `pf.redirect.use.default.csp` property to the `run.properties` file. Learn more in the **Security headers properties** section of the [Configuration file reference](../reference_guides/pa_config_file_ref.html). ## Fixed issues starting PingAccess in FIPS mode when using AWS CloudHSM Fixed PA-15924 We've fixed an issue that caused a `Null Pointer Exception` error when starting PingAccess in Federal Information Processing Standards (FIPS) mode if you had any AWS CloudHSM key pairs configured. This issue was also applicable if you tried to configure a new CloudHSM key pair while in FIPS mode. * Learn more about FIPS mode in [Managing Federal Information Processing Standards (FIPS) mode](../configuring_and_customizing_pingaccess/pa_fips_mode.html). * Learn more about AWS CloudHSM in [Adding an AWS CloudHSM provider](../pingaccess_user_interface_reference_guide/pa_adding_an_aws_cloudhsm_provider.html).