Added support for policy deployment from Microsoft Azure blob storage
Enabled configuration of the SpEL allow list in PDP mode
String, Date, Random, UUID, Integer, Long, Double, Byte, Math, Boolean, LocalDate, DayOfWeek, Instant, ChronoUnit, and SimpleDateFormat. When configuring a policy deployment package containing SpEL expressions that reference additional Java classes, administrators must use dsconfig or the administrative console to add spel-allowlisted-class attributes to the Policy Decision Service. The class must also be available on the server classpath at server start. For non-standard Java classes, place the .jar file in the server lib folder.
Expanded Policy Editor database support to include PostgreSQL
--dbConnectionString - The JDBC connection string (for example, "jdbc:postgresql://localhost:5432/policy_db")
--dbAppUsername - The PostgreSQL user
--dbAppPassword - The user's password
Added support for the MuleSoft API Gateway in a sideband architecture
OpenID Connect (OIDC) Authorization Code with Proof Key for Code Exchange (PKCE)
Upgrading from early access to general availability
Server profiles replace peer setup
Upgrading from earlier versions of PingAuthorize
For more considerations, see Upgrade considerations.
Added support for password storage schemes
Added redaction capability for dsconfig
Mirrored configuration change logging
Added support for obtaining secrets from CyberArk Conjur
Added support for obtaining secrets from Azure Key Vault
Added a PKCS #11 cipher stream provider
Runtime server problem-status handling
Added administrative console PIN support
oidc-trust-store-pin-passphrase-provider and trust-store-pin-passphrase-provider settings. This means trust store types that require passphrases (for example, PKCS12 or BCFKS) are now properly supported.
Administrative console file retrieval with SSO
Added file servlet support for OIDC and OAuth 2.0
manage-profile generate-profile argument validation
includePath argument validation performed by the manage-profile generate-profile tool. The tool only uses relative paths that exist below the server root, and it previously silently ignored absolute paths or relative paths that referenced files outside of the server root. It now exits with an error if the includePath argument is used to provide an absolute path or a path outside the server root. It accepts, but warns about, paths that reference files that do not exist.
Expanded ldap-diff capabilities
- Added the ability to perform a byte-for-byte comparison of attribute values rather than using schema-based logical equivalence.
- Added the ability to use a properties file to obtain default values for command-line arguments.
- Improved the ability to use different TLS-related settings for the source and target servers.
- Improved support for SASL authentication.
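As an added illustration of the three includePath rules described under the manage-profile generate-profile entry above (this is not the tool's own code), the following Java method classifies a candidate path against a server root by lexical normalisation. The server root and the sample inputs are constructed for the demo.

```java
import java.nio.file.Files;
import java.nio.file.Path;

public class IncludePathCheck {
    enum Verdict { OK, WARN_MISSING, REJECT_ABSOLUTE, REJECT_OUTSIDE_ROOT }

    // Classify an includePath value the way the note above describes: absolute paths and
    // paths that escape the server root are rejected; missing files are accepted with a warning.
    static Verdict check(Path serverRoot, String includePath) {
        Path given = Path.of(includePath);
        if (given.isAbsolute()) {
            return Verdict.REJECT_ABSOLUTE;
        }
        Path root = serverRoot.toAbsolutePath().normalize();
        // normalize() collapses "." and ".." lexically, so "config/../../x" resolves outside the
        // root without the file having to exist. Symlinks are not followed here; call toRealPath()
        // on existing entries if symlinked content matters in your deployment.
        Path resolved = root.resolve(given).normalize();
        if (!resolved.startsWith(root)) {
            return Verdict.REJECT_OUTSIDE_ROOT;
        }
        return Files.exists(resolved) ? Verdict.OK : Verdict.WARN_MISSING;
    }

    public static void main(String[] args) {
        Path root = Path.of("/opt/pingauthorize"); // constructed server root for the demo
        for (String candidate : new String[] {
                "/etc/hosts", "config/../../etc/hosts", "config/does-not-exist.txt"}) {
            System.out.println(candidate + " -> " + check(root, candidate));
        }
    }
}
```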
Added TLS protocol configuration to the crypto manager
Added JDK support
Added certificate management support
Secret key loss when removing a server from the topology
Fixed an issue introduced in version 7.0.0.0 where secret keys under cn=Topology,cn=config could be lost when removing a server from the topology. When a server is removed via the dsreplication disable or remove-defunct-server tools, its secret keys will now be distributed among the remaining members of the topology. The keys from the rest of the topology will also be copied to the server being removed.
The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, prior to this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology.
Because this change applies only to the most recent version of remove-defunct-server and dsreplication disable, run that tool from the most recent version when removing a server from a multi-version topology. In the past, dsreplication disable and remove-defunct-server could only be run from an older version; now they should be run from the most recent version in the topology. If you run the tool from an older server, it will not include this fix, and you might lose access to secret keys from servers that are removed from the topology.
Shutting down PingAuthorize Server with an invalid package store
remove-defunct-server attribute removal
Policy Editor batch scripts refer to non-existent Java files
JVM segmentation faults during start-server
-XX:RefDiscoveryPolicy=1 from the default start-server Java arguments. In rare cases, this argument was related to segmentation faults in the Java virtual machine, especially when used with the G1 garbage collector.
Configuration keys and values in the Policy Editor Test Suite
OIDC authentication to the Policy Editor for PingOne users with TLS 1.3 might limit functionality
Deployment package store detection
Can't use an existing persistent database with Docker volumes
root. For more information, see Installing PingAuthorize Policy Editor using Docker.
Can't persist the database in /opt/db with Docker volumes
Reconfiguring the Policy Editor in a Docker volume
- You start the container with a command like the following:
  $ docker run --network=<network_name> --name pap -p 8443:1443 \
      --env-file ~/.pingidentity/config \
      --volume /home/developer/pap/server-profile:/opt/in/ \
      --env PING_OPTIONS_FILE=custom-options.yml \
      --volume /home/developer/pap/Symphonic.mv.db:/opt/out/Symphonic.mv.db \
      --env PING_H2_FILE=/opt/out/Symphonic \
      pingidentity/pingauthorizepap:<TAG>
  Note: This example command bind mounts a customized options.yml file named custom-options.yml to the server root using the server profile capability. The host system server-profile folder must contain instance/custom-options.yml for this example to work correctly. The Docker image tag <TAG> is only a placeholder. See https://devops.pingidentity.com/reference/config/.
- You decide to change the configuration, so you edit the custom-options.yml file.
- You create the empty file with a command like this:
  docker exec -it pap /bin/sh -c "touch /opt/out/instance/delete-after-setup"
- With that file in place, you can now restart the Policy Editor with the following commands:
  $ docker stop pap
  $ docker start --attach pap
Upgrading multi-server topologies from earlier versions
Using the Periodic Stats Logger
Policy Editor snapshot import error
Using the administrative console with Tomcat 9.0.31
Harmless failure message when stopping the PingAuthorize service
Active: failed (Result: exit-code). This error has to do with the way the service exits. It is harmless.