PingDirectory, PingDirectoryProxy, and PingDataSync
Consider the following when upgrading the PingDirectory suite of products.
After reviewing the following considerations, for upgrades of PingDirectory or PingDirectoryProxy, review these additional upgrade considerations.
Considerations when upgrading to 9.3.0.0 or later
For service accounts that use password storage schemes with high computational processing costs (for example, PBKDF2, bcrypt, scrypt, or Argon2), the server could process bind requests much more slowly than in previous versions.
The default root password policy for the PingDirectory suite of products uses the PBKDF2 password storage scheme.
Storing a password encoded with the PBKDF2 scheme can make it many times more expensive for an adversary to crack, but you can get even better protection by creating a very strong password stored with SSHA256.
You should create a separate password policy for your service account. Choose a fast but cryptographically strong password storage scheme, such as SSHA256, and set a very strong password according to NIST guidelines.
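The trade-off described above, worked through in Python. This is an added example, not Ping Identity code. It assumes the common LDAP layout for salted SHA-256 (base64 of digest followed by salt), an 8-byte salt, a PBKDF2 iteration count of 100,000, and a 32-character random password; none of these values come from the product, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import math
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
PBKDF2_ITERATIONS = 100_000  # assumed for illustration, not the product default
SALT_LEN = 8                 # assumed salt length

def generate_service_password(length=32):
    """Random password for a service account; the length is an assumption."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)

def attacker_work_bits(password_bits, iterations=1):
    """Approximate log2 of hash operations needed to search the password space."""
    return password_bits + math.log2(iterations)

def ssha256_encode(password, salt=None):
    """Salted SHA-256 in the assumed layout: base64(digest + salt)."""
    salt = secrets.token_bytes(SALT_LEN) if salt is None else salt
    digest = hashlib.sha256(password.encode() + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode()

def ssha256_verify(password, encoded):
    """What a bind costs with this scheme: one SHA-256, compared in constant time."""
    raw = base64.b64decode(encoded[len("{SSHA256}"):])
    digest, salt = raw[:32], raw[32:]
    candidate = hashlib.sha256(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def seconds(fn, *args):
    """Wall-clock time of a single call."""
    start = time.perf_counter()
    fn(*args)
    return time.perf_counter() - start

if __name__ == "__main__":
    pw = generate_service_password()
    stored = ssha256_encode(pw)
    pbkdf2_args = ("sha256", pw.encode(), b"constructed-salt", PBKDF2_ITERATIONS)
    print("SSHA256 bind check: %.6f s" % seconds(ssha256_verify, pw, stored))
    print("PBKDF2 bind check:  %.6f s" % seconds(hashlib.pbkdf2_hmac, *pbkdf2_args))
    print("10-char password + PBKDF2:  2^%.1f" % attacker_work_bits(entropy_bits(10), PBKDF2_ITERATIONS))
    print("32-char password + SSHA256: 2^%.1f" % attacker_work_bits(entropy_bits(32)))
```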
Considerations when upgrading to 9.0.0.0 or later
Because of major updates to Spring dependencies, Spring configuration properties in the administrative console configuration files for the PingDirectory suite of products earlier than version 9.0.0.0 are not compatible with the administrative console bundled with 9.0.0.0 and later versions. Attempting to use these older configuration files will result in the console failing to start.
If you are using older admin console configuration files, you must update them. Replace the following excerpt in the old application.yml file:

    spring:
      profiles.active: default
      main.show-banner: false
      thymeleaf.cache: true
      thymeleaf.prefix: classpath:/public/app/

with the following:

    spring:
      profiles.active: default
      web.resources:
        # 1 year. Update the corresponding value in MvcConfig if this changes.
        cache.period: 31536000
        add-mappings: false # use our custom mappings instead of the defaults
      main:
        banner-mode: "OFF"
      thymeleaf:
        prefix: classpath:/public/app/

Considerations when upgrading to 8.2.0.0
This upgrade moves to Jetty 9.4. As a result, the HTTPS connection handler will no longer support TLS_RSA ciphers by default. If you use any legacy HTTPS clients that still require TLS_RSA ciphers, modify the ssl-cipher-suite property of the HTTPS Connection Handler to include them.