Critical Fixes

This release of PingAuthorize Server addresses critical issues from earlier versions. Update all affected servers appropriately.

No critical issues have been identified.

Resolved Issues

The following issues have been resolved with this release of PingAuthorize Server.

Ticket ID Description


Updated Log4j2 from 2.14.1 to 2.16.0 to address CVE-2021-44228.

DS-45480, DS-45636

  • Updated the topology registry to allow using issuer certificates when determining whether to trust the certificate chain presented by another server in the topology. Previously, a server's certificate chain would only be trusted if the server certificate itself was found in the topology registry. Now, a certificate chain may be trusted if either the peer certificate or any of its issuers is found in the topology registry.

  • Updated the replace-certificate tool to add new list-topology-registry-listener-certificates and list-topology-registry-inter-server-certificates subcommands, which can be used to display a list of the listener or inter-server certificates for a specified server instance in the topology registry.

  • Updated the replace-certificate tool to add a new add-topology-registry-listener-certificate subcommand, which can be used to add one or more certificates to the set of listener certificates for an instance in the topology registry. This subcommand does not alter the contents of any key store; it may be used to add an issuer certificate to the topology registry or to add a new peer listener certificate in advance of actually activating that certificate on the server.

  • Updated the replace-certificate replace-listener-certificate subcommand to add --topology-registry-update-type and --trust-store-update-type arguments, which allow you to indicate which types of certificates to include in the topology registry and trust store, respectively. Available options include suppressing the update, only adding the listener certificate itself, only adding the listener certificate's issuers, or adding both the listener certificate and its issuers.

  • Updated the replace-certificate replace-listener-certificate subcommand to add an --ignore-current-listener-certificate-validity-window argument, which allows the tool to establish a connection to the server even if its certificate has expired or is not yet valid, so that a non-valid certificate can be replaced.


Added support for new extended operations that can be used to help manage the server's listener and inter-server certificates. Updated the replace-certificate tool to add support for replacing and purging certificates in a remote instance and to allow skipping validation for the new certificate chain.


Fixed an issue that prevented the server from refreshing the monitor data used to detect and warn about an upcoming certificate expiration. This could cause the server to continue to warn about an expiring certificate even after that certificate has been replaced.


Fixed an issue where SCIM POST requests that violated a unique attribute constraint received an internal error instead of the expected SCIM error response.


The collect-support-data (CSD) tool now correctly displays the name and version of PingAuthorize.


Changed the LDAP SDK service behavior to fix an issue that may have caused LDAP threads to hang on class initialization.