PingAuthorize Server 8.3.0.0 Release Notes - PingAuthorize - 8.3

The Administrative Console now shows a dsconfig command to create the current object from scratch on the edit page.

Fixed an issue in the Policy Editor where an entity deletion in a child branch could cause entity relationship deletions in related branches.

Fixed an intermittent issue where a branch selection drop-down list in the Policy Editor appeared as blank for Windows users. This occurred on newer versions of Firefox when the branch names included special characters.

Added a passphrase provider mechanism, which can be used to obtain clear-text passphrases, API keys, or other types of secrets that are needed by server components like those that interact with external servers or certificate key stores. Available passphrase provider implementations include:

* A provider that stores an obscured representation of the passphrase directly in the server configuration.

* A provider that reads the passphrase from a file on the server filesystem. The file may optionally be encrypted with a key from the server's encryption settings database.

* A provider that can obtain the passphrase from an environment variable set in the server's process.

* A provider that can obtain the passphrase from a HashiCorp Vault instance.

Components of the server that have been updated to support using passphrase providers include:

* LDAP, JDBC, SCIM, and SMTP external servers. * File-based key and trust manager providers. * The PKCS #11 key manager provider. * The changelog password encryption plugin. * The Twilio alert handler and OTP delivery mechanism. * The UNBOUNDID-YUBIKEY-OTP SASL mechanism handler.

The Server SDK has been updated to provide support for creating custom passphrase provider implementations and to allow extensions to retrieve secrets from passphrase providers configured in the server.

The Server SDK ServerContext class has been updated to provide a new set of methods for writing messages to the server's trace log publishers using various log severity levels. These methods replace an existing API that only supported recording debug messages, which should not be enabled in production environments.

Administrators can configure the server's trace log publishers to enable or disable message types on a per-severity basis using a trace log publisher's extension-message-type property.

You can now download either a collect-support-data file or a server profile from the managed server using the administrative console’s Status page. These operations require that a 'csd-files/' and a 'profile-files/' directory be present in the server root by default, but you can customize this through the ldap.csd-destination-folder and ldap.profile-destination-folder settings. These settings can be found in the console's application.yml configuration file.

Downloading collect-support-data files is disabled by default when using the PingDataConsole Docker image. It also strongly recommended to avoid downloading collect-support-data files from servers that are running in a container.

Fixed an issue with the copy/paste functionality in the Administrative Console.

In order to reduce the time it takes for "setup" to run the testing of Java options that "setup" does will now be cached and stored in a directory. By default the directory is "logs/option-cache" relative to the server root, but an alternative directory can be specified via setup option "--optionCacheDirectory". If a directory is specified it must be created prior to running setup.

The PingAuthorize Server now presents general status information for the Policy Decision Service in both the Administrative Console Status page and the status command-line tool. This includes the Policy Decision Service's availability state, the current PDP mode, and the currently configured trust framework version.

Fixed a problem where the server would respond with a 400 or 404 HTTP status code if the Policy External Server was misconfigured with a nonexistent decision node ID or policy branch. In these cases, the server will now respond with the 503 HTTP status code to clearly indicate that the PingAuthorize server is misconfigured.

Updated the manage-profile replace-profile subcommand to detect changes to files referenced in setup-arguments.txt when those files are outside of the server profile

The Administrative Console now allows users to specify the LDAP server they wish to bind to using the query parameters 'ldap-hostname' and 'ldaps-port' when the console is configured for SSO. This allows a single console instance to administer multiple PingData servers. Note that an LDAPS scheme is always assumed because an encrypted connection is always required for SSO.

Made a generic OpenID Connect ID token validator available. This change allows single sign-on to the Administrative Console with OIDC providers other than just PingOne.

When operating in OpenID Connect (OIDC) mode, customers can now configure the PingAuthorize Policy Editor to accept self-signed SSL certificates from the OIDC provider and skip hostname verification by setting the PING_OIDC_TLS_VALIDATION environment variable to "NONE".

Fix a bug that prevented offline changes to mirrored configuration with manage-profile replace-profile.

Fixed "Reverse DNS resolution" warning during setup. This warning was a result of performing a reverse DNS lookup on link local addresses, which is now avoided. This is mostly only relevant to IPv6.

Fixed an issue where the "format" field is omitted from the list of operational attribute schemas in the Directory REST API.

Added the capability to filter JSON field values in constructed values. Including a JSON object filter in parentheses after a JSON field name will indicate that for each attribute value, the named field value will only be extracted if the attribute value matches the provided filter. This allows, for example, when used in a Constructed Attribute Mapping's value-pattern property, for a given field value to only be mapped for values that match a given filter. For information about the syntax and use of this capability, see the config reference guide for Constructed Attribute Mappings.

Added the ability to implement custom SCIM Sub-Resource Type Handlers using the Server SDK. A SCIM Sub-Resource Type Handler defines a child type of a SCIM resource type that you can use to offer extended features not defined by the SCIM 2.0 standard.

Fixed an issue where Directory Server sometimes reports erroneous warnings about duplicate jar files.

PingAuthorize now supports deployment package stores, which allow for hot deployment of policies without needing to manually reconfigure the server. For more information, see the PingAuthorize Server Administration Guide.

Added a new service, the Governance Engine, to allow PingDataGovernance to act as an external Policy Decision Point for other applications acting as Policy Enforcement Points. This service provides a simple JSON-based API which directly maps to entities used by the Trust Framework and Policies defined in the Policy Administration GUI.

Fixed an issue with dsjavaproperties --initialize that prevented changing the JVM tuning parameter using the --jvmTuningParameter command line argument.

Added cipher stream provider and passphrase provider implementations with support for the Amazon AWS Secrets Manager service. The Amazon Secrets Manager cipher stream provider can be used to protect the contents of the encryption settings with a key derived from a secret retrieved from the Secrets Manager service. The Amazon Secrets Manager passphrase provider can be used to obtain clear-text secrets needed for processing within the server from the Secrets Manager service.

PingDataGovernance has been renamed to PingAuthorize.

Updated manage-profile replace-profile to run a shorter process when applying dsconfig changes that require administrative actions.

You can now specify that the Administrative Console use a custom truststore when evaluating OIDC provider certificates by using the oidc-trust-store-file and oidc-trust-store-type settings. Also, you can set the console to skip hostname and/or certification verification through the oidc-strict-hostname-verification and oidc-trust-all configuration settings.

Fixed an issue where Directory Server failed to install on JDKs that lack support for AES-256 encryption.

Updated the server to allow obtaining client secrets from a passphrase provider as an alternative to storing an obscured representation of the secret directly in the configuration. Updated components include:

* The OpenID Connect client secret needed for single sign-on to the admin console

* The OAuth client secret needed to connect to the PingOne service

* The client secret needed in conjunction with the PingFederate access token validator

Addressed an issue where the server was incorrectly displaying an "Unknown vendor" warning when using JDKs obtained on Red Hat and Ubuntu systems.

Improved the behavior that the server exhibits for attempts to configure it with an invalid set of TLS cipher suites.

Previously, if a connection handler was configured with an explicit set of TLS cipher suites, and if none of those cipher suites was supported by the underlying JVM, the server would log a message for each unsupported suite and would fall back to using a default set of suites. This could lead to cases in which the server ran with a different set of cipher suites than expected, and the warning log messages might be overlooked.

The server will now reject an attempted configuration change that would leave it without any valid cipher suites. For the sake of preserving backward compatibility, and helping to avoid issues around upgrading the server or JVM version, it will still allow attempts to configure the set of cipher suites using one or more invalid suite names as long as the server would still be able to offer at least one valid suite, and it will still log a warning message about each invalid cipher suite referenced in the configuration.

Fixed a NullPointerException that could occur when using manage-profile replace-profile with a server profile that configured a StatsD monitoring endpoint.

Updated the StatsD Monitoring Endpoint to support sending custom tags with each metric message. Custom tags will be appended at the end of each StatsD message as comma-separated key-value pairs.

Included the Bouncy Castle library with the server, which is needed to support certain cryptographic functionality, like the Argon2, bcrypt, and scrypt password storage schemes. It was not previously not included with the server over concerns around compliance with U.S. export control regulations around strong encryption, but those concerns have been alleviated. You no longer need to obtain the library for yourself if you wish to use any of the functionality that requires it, and the Argon2, bcrypt, and scrypt password storage schemes are now enabled by default in the out-of-the-box configuration.

Updated the default set of TLS protocols and cipher suites that the server will support. As TLSv1 and TLSv1.1 are no longer considered secure (see RFC 8996 for additional information), the server will only support TLSv1.2 and TLSv1.3 (if supported by the JVM) by default. The server will also no longer enable support for TLS cipher suites that use the SHA-1 digest algorithm (which is also no longer considered secure and is not needed for TLSv1.2 or TLSv1.3) or that use the RSA key exchange algorithm (which does not support forward secrecy).

If you need to enable support for legacy TLS protocols or cipher suites, you may do so through the server configuration. This can be enabled on a per-connection-handler basis using the ssl-protocol and ssl-cipher-suite configuration properties. Alternatively, you may use the ssl-protocol and ssl-cipher-suite properties in the crypto manager configuration to set default values that will be used by connection handlers that do not explicitly specify values for those properties.

The 8.2.0.0 release introduced a defect where signed deployment packages produced by the Policy Editor were unusable by the PingAuthorize Server without additional configuration in options.yml. The sample signed deployment package in the options.yml file now includes the additional configuration by default.

Reduced the JVM memory requirements for many command line tools. This avoids memory pressure when multiple tools, such as a scheduled collect-support-data task, are run concurrently to the server process. For most tools, the initial heap size has been reduced to 128 MB, and for certain tools the maximum heap size has capped at 512 MB. On systems with larger amounts of memory, these tools previously were allotted unnecessarily large heaps. The maximum heap size has not been reduced for any tool that especially benefits from having more memory.

Fixed an issue where logs from setting up a new server could be lost when running the manage-profile replace-profile subcommand.

When deployed to a web application server such as Apache Tomcat, the Administrative Console will now write log messages to the application server's console output by default.

Addressed an issue in which attempting to add a member that already existed in a non-default server group would cause an error. Adds of duplicate members are now ignored and no errors are thrown.

Updated the manage-profile replace-profile command to avoid printing warnings for offline config changes from the new server profile.