Upgrade Considerations

Important considerations for upgrading to this version of PingDataGovernance Server:

  • If you are upgrading from PingDataGovernance 7.3.0.0 to 7.3.0.1 or 7.3.0.2, an updated version of the Policy Administration GUI is required.

  • The Allow Attributes and Prohibit Attributes advices have been deprecated. If a deployment requires the behavior that these advices provided, use a Server SDK to implement the appropriate behavior.

  • API Endpoints, which were introduced in 7.3.0.0, have been renamed to Gateway API endpoints.

    Warning: When performing an update, existing API Endpoint configuration objects are migrated automatically. To reflect this change, manually update your dsconfig scripts and other automated deployments or configurations.
  • If you are updating a multi-server topology from PingDataGovernance 7.0.x to 7.3.0.2, you must use the --skipMirroredSubtreeUpdateTask option for the updater or the update fails. Alternatively, you can uninstall all but one of the servers to retain the base configuration, update the standalone server, install fresh servers on the new version, and add them back to the topology with the peer options. However, using the --skipMirroredSubtreeUpdateTask option is the recommended path.

What's New

As a gateway, PingDataGovernance Server functions as a reverse proxy while in deployment mode. With 7.3.0.2, the Sideband API introduces an alternate deployment mode in which PingDataGovernance Server uses a plugin to connect to an existing API Lifecycle Gateway. In sideband deployment, the API Lifecycle Gateway handles requests between API clients and backend API services. The integration plugin intercepts all request data and passes it through PingDataGovernance Server, which authorizes requests and responses, and modifies request and response data.

Resolved Issues

The following table identifies issues that have been resolved with this release of PingDataGovernance Server.

Ticket ID Description
DS-38832

Added a property to Advice types that limits their application to PERMIT or DENY decisions.

DS-39037

The provided PingDataGovernance policies and deployment packages now apply access token validation policies only to the following requests:

  • Inbound
  • SCIM
  • OpenBanking
DS-39490, DS-39616

The API Endpoint configuration type has been renamed to Gateway API Endpoint.

Update any existing dsconfig scripts that reference an API Endpoint. For example, a dsconfig command of create-api-endpoint must be changed to create-gateway-api-endpoint.

DS-39592

HTTP External Servers feature a new attribute, certificate-alias, which defines the alias of a specific certificate within the keystore to be used as a client certificate.

DS-39681

When PingDataGovernance Server receives a 401 – Unauthorized response from an external policy decision server, it converts the status to 503 – Service Unavailable for the upstream client.

DS-40234

The Open Banking account request endpoint no longer requires a value for x-fapi-financial-id. Instead, it now includes the configured fapi-financial-id value in policy requests through the Gateway.FapiFinancialId attribute. A policy can deny account requests based on the presence and value of this attribute.