PingAuthorize 9.0 (December 2021)
Added support for policy deployment from Microsoft Azure blob storage
New
The PingAuthorize Server can now consume deployment packages published to Microsoft Azure blob storage. This enables policy writers to deploy new policies to a central Azure deployment package store read by the PingAuthorize Server running in embedded mode. For more information, see Adding an Azure deployment package store, Configuring the Policy Editor to publish to a deployment package store, and Using the Deployment Manager.
Enabled configuration of the SpEL allow list in PDP mode
New
Now you can configure the SpEL allow list when the Policy Decision Service is running in embedded policy decision point (PDP) mode. An out-of-the-box PingAuthorize installation adds the following classes to the default allow list: String, Date, Random, UUID, Integer, Long, Double, Byte, Math, Boolean, LocalDate, DayOfWeek, Instant, ChronoUnit, and SimpleDateFormat. When configuring a policy deployment package containing SpEL expressions that reference additional Java classes, administrators must use dsconfig or the administrative console to add spel-allowlisted-class attributes to the Policy Decision Service. The class must also be available on the server classpath at server start. For non-standard Java classes, place the .jar file in the server lib folder.
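An added example, not part of these release notes or of the PingAuthorize product: a pre-deployment check that scans policy SpEL expressions for T(...) type references and reports the classes that are not on the default 9.0 allow list above, so the administrator knows which spel-allowlisted-class values to add (and which .jar files must be on the classpath) before the package is deployed. The sample expressions are constructed, the simple-name comparison is an assumption, and the dsconfig subcommand it prints is a hypothetical placeholder to verify against your installation's dsconfig reference.

```python
import re

# Default SpEL allow list shipped with PingAuthorize 9.0, as listed in these release notes.
DEFAULT_ALLOW_LIST = frozenset({
    "String", "Date", "Random", "UUID", "Integer", "Long", "Double", "Byte", "Math",
    "Boolean", "LocalDate", "DayOfWeek", "Instant", "ChronoUnit", "SimpleDateFormat",
})

# A SpEL type reference looks like T(String) or T(java.time.ZoneId).
TYPE_REF = re.compile(r"\bT\(\s*([A-Za-z_][\w.$]*)\s*\)")

# Constructed sample expressions, as they might appear in a policy deployment package.
SAMPLE_EXPRESSIONS = [
    "T(LocalDate).now().getDayOfWeek() == T(DayOfWeek).SATURDAY",
    "T(java.time.ZoneId).of('UTC')",
    "T(com.example.GeoLookup).countryOf(#request.clientIp)",
    "#user.roles.contains('admin')",
]


def referenced_classes(expressions):
    """Return every class name referenced through T(...) in the given expressions."""
    found = set()
    for expr in expressions:
        found.update(TYPE_REF.findall(expr))
    return found


def missing_from_allow_list(expressions, allow_list=DEFAULT_ALLOW_LIST):
    """Referenced classes whose simple name is not allow-listed, sorted for stable output.

    Assumption: the allow list is matched on the simple class name, because the
    release notes list the defaults (String, Date, ...) without package qualifiers.
    """
    missing = set()
    for name in referenced_classes(expressions):
        simple = name.rsplit(".", 1)[-1]
        if simple not in allow_list:
            missing.add(name)
    return sorted(missing)


def dsconfig_commands(missing):
    """Hypothetical dsconfig commands to add each missing class; the subcommand name is
    an assumption, check it against the dsconfig reference for your installation. The
    class must also be on the server classpath (lib folder) before the server starts."""
    return [
        f"dsconfig set-policy-decision-service-prop --add spel-allowlisted-class:{cls}"
        for cls in missing
    ]


if __name__ == "__main__":
    for command in dsconfig_commands(missing_from_allow_list(SAMPLE_EXPRESSIONS)):
        print(command)
```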
Expanded Policy Editor database support to include PostgreSQL
New
The PingAuthorize Policy Editor can now persist its policies, Trust Framework, and versioning data in a PostgreSQL policy database instead of the default H2 file-based database. To initialize the database, use the instructions at https://github.com/pingidentity/pingauthorize-contrib/tree/main/sql/postgresql. To configure the Policy Editor for PostgreSQL, use the following setup options:
- --dbConnectionString: The JDBC connection string (for example, "jdbc:postgresql://localhost:5432/policy_db")
- --dbAppUsername: The PostgreSQL user
- --dbAppPassword: The user’s password
Added support for the MuleSoft API Gateway in a sideband architecture
New
Now you can deploy PingAuthorize in a sideband configuration with the MuleSoft API Gateway. With a sideband deployment, your organization can quickly set up an environment for fine-grained, dynamic authorization that integrates with existing identity management infrastructure and requires minimal changes to your network configuration. For more information about our custom MuleSoft policy, see MuleSoft API gateway integration.
OpenID Connect (OIDC) Authorization Code with Proof Key for Code Exchange (PKCE)
New
Policy Editor setup in OpenID Connect (OIDC) authentication mode now uses the Authorization Code with Proof Key for Code Exchange (PKCE) grant type by default, instead of the implicit grant type. For information about configuring the Policy Editor in OIDC authentication mode, see Installing the PingAuthorize Policy Editor noninteractively.
Upgrading from early access to general availability
Info
If you are upgrading from PingAuthorize 9.0.0.0 Early Access to 9.0.0.0 General Availability, you must upgrade both the PingAuthorize Server and the Policy Editor before you use the Policy Decision Service in external mode. Upgrading only one component results in this error: Please upgrade to PingAuthorize Policy Editor version '9.0.0.0'.
Server profiles replace peer setup
Info
Peer server setup and clustered configuration have been removed from setup. To manage server configuration, use server profiles instead of peer setup. Server profiles support deployment best practices such as automation and Infrastructure-as-Code (IaC). For more information about server profiles, see Deployment automation and server profiles.
Upgrading from earlier versions of PingAuthorize
Info
For more considerations, see Upgrade considerations.
Added support for password storage schemes
Improved
Added support for password storage schemes that allow users to authenticate with passwords stored in the Amazon AWS Secrets Manager service, the Microsoft Azure Key Vault service, a CyberArk Conjur instance, or a HashiCorp Vault instance.
Added redaction capability for dsconfig
Improved
Added a global configuration property that can be used to indicate that the values of sensitive configuration properties should be redacted when constructing the dsconfig representation for a configuration change, given that these values might be included in the server’s configuration audit log or administrative alerts whenever a configuration change is applied. By default, the values of configuration properties that are defined as sensitive get obscured rather than redacted, which allows the change to be replayed without revealing the actual value of the property. However, it is now possible to redact such values rather than obscuring them, which provides stronger protection against exposing those values but might interfere with the ability to replay the configuration audit log if it contains changes involving sensitive properties.
Mirrored configuration change logging
Improved
Updated the server to record the original requester’s DN and IP address in access log and configuration audit log messages for mirrored configuration changes.
Added support for obtaining secrets from CyberArk Conjur
Improved
The Conjur cipher stream provider can use a retrieved secret to generate the encryption key used to protect the contents of the encryption settings database. The Conjur passphrase provider can be used in other cases where the server might need a clear-text secret, including PINs for accessing certificate key stores or credentials for authenticating to external services. The server can authenticate to Conjur with a username and password or an API key.
Added support for obtaining secrets from Azure Key Vault
Improved
The Azure Key Vault cipher stream provider can use a retrieved secret to generate the encryption key used to protect the contents of the encryption settings database. The Azure Key Vault passphrase provider can be used in other cases where the server might need a clear-text secret, including PINs for accessing certificate key stores or credentials for authenticating to external services.
Added a PKCS #11 cipher stream provider
Improved
Added a PKCS #11 cipher stream provider that can require access to a certificate in a PKCS #11 token to unlock the server’s encryption settings database. Only certificates with RSA key pairs can be used because JVMs do not currently provide adequate key wrapping support for elliptic curve key pairs.
Runtime server problem-status handling
Improved
When the Policy Decision Service is unable to handle requests due to misconfiguration or problems with the runtime environment, the PingAuthorize Server status is now DEGRADED instead of UNAVAILABLE. Orchestration systems like Kubernetes now remove such servers from pools instead of restarting them, allowing server administrators to investigate and correct the issue.
Added administrative console PIN support
Improved
The administrative console can now be configured to supply PINs to its trust stores through the oidc-trust-store-pin-passphrase-provider and trust-store-pin-passphrase-provider settings. This means trust store types that require passphrases (for example, PKCS12 or BCFKS) are now properly supported.
Administrative console file retrieval with SSO
Improved
The administrative console can now retrieve files created from collect-support-data or server-profile tasks when using single sign-on (SSO) to authenticate with the managed server.
Added file servlet support for OIDC and OAuth 2.0
Improved
Updated the file servlet to add support for token-based authentication using an OAuth 2.0 access token or an OpenID Connect ID token. The servlet previously only supported basic authentication.
manage-profile generate-profile argument validation
Improved
Improved includePath argument validation performed by the manage-profile generate-profile tool. The tool will only use relative paths that exist below the server root, and it previously silently ignored absolute paths or relative paths that referenced files outside of the server root. It will now exit with an error if the includePath argument is used to provide an absolute path or a path outside the server root. It will accept—but warn about—paths that reference files that do not exist.
Expanded ldap-diff capabilities
Improved
Made several improvements to the ldap-diff tool:
- Added the ability to perform a byte-for-byte comparison of attribute values rather than using schema-based logical equivalence.
- Added the ability to use a properties file to obtain default values for command-line arguments.
- Improved the ability to use different TLS-related settings for the source and target servers.
- Improved support for SASL authentication.
Added TLS protocol configuration to the crypto manager
Improved
Updated the crypto manager configuration to add properties for controlling the set of TLS protocols and cipher suites that will be used for outbound connections, as well as properties for controlling whether to enable TLS cipher suites that rely on the SHA-1 digest algorithm or the RSA key exchange algorithm.
Added JDK support
Improved
Added support for the use of JDKs obtained through Eclipse Foundation and BellSoft.
Added certificate management support
Improved
Added support for new extended operations that can be used to help manage the server’s listener and inter-server certificates. Updated the replace-certificate tool to add support for replacing and purging certificates in a remote instance, and to allow skipping validation for the new certificate chain.
Secret key loss when removing a server from the topology
Fixed DS-44591
Fixed an issue introduced in version 7.0.0.0 where secret keys under cn=Topology,cn=config could be lost when removing a server from the topology. When a server is removed via the dsreplication disable or remove-defunct-server tools, its secret keys will now be distributed among the remaining members of the topology. The keys from the rest of the topology will also be copied to the server being removed.
The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, prior to this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology.
Since this change only applies to the most recent version of |
Shutting down PingAuthorize Server with an invalid package store
Fixed DS-44770
An invalid deployment package store no longer prevents the PingAuthorize Server from shutting down.
remove-defunct-server attribute removal
Fixed DS-44793
Fixed an issue in which remove-defunct-server would remove attributes from config.ldif if they were identical apart from case.
Policy Editor batch scripts refer to non-existent Java files
Fixed DS-45105
The PingAuthorize Policy Editor start-server.bat and stop-server.bat scripts no longer output messages referring to non-existent java.properties or dsjavaproperties files.
JVM segmentation faults during start-server
Fixed DS-45124
Removed -XX:RefDiscoveryPolicy=1 from the default start-server Java arguments. In rare cases, this argument was related to segmentation faults in the Java virtual machine, especially when used with the G1 garbage collector.
Configuration keys and values in the Policy Editor Test Suite
Fixed PAZ-1481
The Policy Editor now uses policy configuration keys and values correctly in Test Suite tests. For details about configuring policy configuration keys, see Environment-specific Trust Framework attributes.
OIDC authentication to the Policy Editor for PingOne users with TLS 1.3 might limit functionality
Issue PAZ-5312
When PingOne users authenticate with OIDC to the Policy Editor, environments using OpenJDK versions older than 11.0.3 might run into an intermittent TLS 1.3 issue preventing them from loading test scenarios. The issue appears in the logs as com.symphonicsoft.authentication.OidcAuthenticator: Could not retrieve jwks information from '<ping-one-url>/as/jwks' and includes the following message: javax.net.ssl.SSLException: No PSK available. Unable to resume. This is an OpenJDK bug that has been fixed in version 11.0.3. To circumvent this issue, you can upgrade to OpenJDK 11.0.3 or newer. Disabling TLS 1.3 also prevents this issue.
Deployment package store detection
Issue DS-44549
If the configured deployment package store is not available when the PingAuthorize Server starts, it will not be able to detect when the store becomes available again. To ensure that the PingAuthorize Server begins using the deployment package store when the store is available again, you must restart the server or change the Policy Decision Service configuration.
Can’t use an existing persistent database with Docker volumes
Issue DS-44206
The pingdatagovernancepap and pingauthorizepap Docker images now run as unprivileged (non-root) users by default. If you have existing pingdatagovernancepap policy databases, configure the containers to run as root. For more information, see Deploying PingAuthorize Policy Editor using Docker.
Can’t persist the database in /opt/db with Docker volumes
Issue DS-44206
To persist a policy database in a Docker volume, create a new Docker volume with a mount target of /opt/out instead of /opt/db. For more information, see Deploying PingAuthorize Policy Editor using Docker.
Reconfiguring the Policy Editor in a Docker volume
Issue DS-44207
When you use the Policy Editor in a Docker volume, changing the configuration using an options.yml file also requires that you create an empty file such as /opt/out/instance/delete-after-setup before you restart pingauthorizepap. Consider this example:
- You start the container with a command like the following:
  $ docker run --network=<network_name> --name pap -p 8443:1443 \
      --env-file ~/.pingidentity/config \
      --volume /home/developer/pap/server-profile:/opt/in/ \
      --env PING_OPTIONS_FILE=custom-options.yml \
      --volume /home/developer/pap/Symphonic.mv.db:/opt/out/Symphonic.mv.db \
      --env PING_H2_FILE=/opt/out/Symphonic \
      pingidentity/pingauthorizepap:<TAG>
  This example command bind mounts a customized options.yml file named custom-options.yml to the server root using the server profile capability. The host system server-profile folder must contain instance/custom-options.yml for this example to work correctly. The Docker image <TAG> is only a placeholder. See https://devops.pingidentity.com/reference/config/.
- You decide to change the configuration, so you edit the custom-options.yml file.
- You create the empty file with a command like this:
  $ docker exec -it pap /bin/sh -c "touch /opt/out/instance/delete-after-setup"
- With that file in place, you can now restart the Policy Editor with the following commands:
  $ docker stop pap
  $ docker start --attach pap
Upgrading multi-server topologies from earlier versions
Issue DS-44165
Upgrading multi-server topologies that contain PingDataGovernance 6.x or 7.x to PingAuthorize is not supported.
Using the Periodic Stats Logger
Issue DS-43622
Published throughput and latency stats for SCIM, sideband, and gateway requests for the Periodic Stats Logger are not recorded until the requests are made and the logger is reset.
Policy Editor snapshot import error
Issue DS-41741
The Policy Editor produces an error when a user attempts to import an exported snapshot that contains references to named value processors.
Using the administrative console with Tomcat 9.0.31
Issue DS-41836
Several known issues can occur when you use the administrative console with Tomcat 9.0.31. You can resolve these issues by upgrading to Tomcat 9.0.33 or later.
Harmless failure message when stopping the PingAuthorize service
Issue DS-42365
If you use the create-systemd-script tool to create a forking systemd service, the service is stopped by the systemctl stop ping-authorize.service command. At that time, you can see the status using the systemctl status ping-authorize.service command. That status might contain an indication of failure: Active: failed (Result: exit-code). This error has to do with the way the service exits. It is harmless.