What's New
The following features are new with this release of PingDataSync Server:
- Java 7 is now required when setting up a new server or upgrading an existing server.
- Enabled support for the SSLv2Hello TLS protocol by default in JVMs that support it. This feature does not enable support for the insecure SSLv2 protocol, but it can improve compatibility with clients that run earlier versions of Java that might start TLS negotiation with an SSLv2 client hello packet before negotiating to a higher version of the TLS protocol. Support for SSLv2Hello in the initial phase of negotiation does not compromise the strength of the integrity or the confidentiality protection that is ultimately negotiated between the client and the server.
- Added a Monitor History plugin that periodically records cn=monitor to timestamped files to aid in isolating intermittent problems. By default, the plugin logs the full cn=monitor branch every five minutes to compressed files within logs/monitor-history/. Files are deleted automatically, but a sparse set of older files is retained to provide historical perspective on server performance. The collect-support-data tool has also been updated to collect some of these files to aid in root-cause analysis.
- Introduced the Configuration HTTP Servlet Extension, which is used for querying and updating the configuration over a REST API. This feature is currently experimental and is subject to change in the future. Your feedback is welcome.
Resolved Issues
The following issues have been resolved with this release of PingDataSync Server:
Ticket ID | Description |
---|---|
DS-8368, DS-12120 | Updated the HTTP Connection Handler to return a 404 Not Found response to requests for endpoints that are not handled by a servlet or by web application extensions. Previously, the handler returned a 200 OK with no response body. |
DS-10441 | Disabled log rotation during startup to prevent potential problems with rotation dependencies on server components that have not yet been initialized. |
DS-10460 | Fixed the dsconfig tool to suppress stray output when run in batch mode with the --quiet option. |
DS-11068, DS-11784, DS-11887 | Updated the setup tools to enable the definition of external server instances that are configured to reject unauthenticated requests. Previously, the tools indicated erroneously that such server instances were unavailable. |
DS-11453 | Reduced the severity of the unrecognized alert type message in the error log from SEVERE_WARNING to NOTICE. The message now states that this event is expected if the server is reverted to a version prior to the implementation of these alert types. |
DS-11472 | Fixed the gauge-configuration manager to re-initialize only the gauge that was changed, and not any of the other gauges that did not change. |
DS-11487 | Fixed an issue with the prepare-endpoint-server tool in which the maxChangelogAge argument was not being applied when targeting UnboundID servers. |
DS-11541 | Fixed the alarm manager to generate alarm-cleared alerts when internal alarms are cleared, and when the alarm manager's generated-alert-types property features the alarm value. |
DS-11546 | Fixed the alarm manager to exclude the details of old, cleared alarms in the alarm-cleared alert message. |
DS-11624 | Updated the Web Console so that a user's previous session is always invalidated when he or she logs on to the system. |
DS-11629, DS-11645 | Updated the Web Console to suppress LDAP responses in user messages, such as when the server is unavailable or for authentication failures. Also added a context parameter to exclude stack traces and detailed error messages from appearing in the application's internal error page. |
DS-11637 | Updated the alarm manager to not generate an alarm-normal alert when a gauge's condition abates. |
DS-11688 | Fixed an issue in which tools such as dsconfig, status, and dsreplication could not connect to the server over SSL or StartTLS. This issue occurred when a certificate was accepted with the Manually validate option, while using the interactive LDAP connection menu. |
DS-11719 | Updated the alarm manager to not persist normal alarms. |
DS-11719 | Updated the ExampleOverloadHandlerPlugin to monitor the alarm backend for delete actions, so that it can react appropriately to abating gauge conditions. |
DS-11730 | Removed the alarm-normal alert. |
DS-11751 | Fixed incorrect property references for trustStorePassword and keyStorePasswordFile in tools.properties that corresponded to the wrong argument names. |
DS-11782 | Disabled support for SSLv3 by default in the LDAP, HTTP, and JMX connection handlers and for replication communication. The recently discovered POODLE vulnerability could potentially allow a network attacker to determine the plain text behind an SSLv3-encrypted session, which would effectively negate the primary benefit of the encryption. SSLv3 was initially defined in 1996 but was supplanted by the release of the TLSv1 definition in 1999 (and subsequently by TLSv1.1 in 2006 and TLSv1.2 in 2008). The newer TLS protocols are not susceptible to the POODLE vulnerability, and the server has supported them (and preferred them over SSLv3) for many years. Disabling SSLv3 by default should not adversely affect clients that support the newer TLS protocols. However, if legacy client applications attempt to communicate securely but do not support the newer TLS protocols, update them to support the newer protocols. If known clients do not support a security protocol newer than SSLv3, and if they cannot be updated immediately to support a newer protocol, re-enable SSLv3 support by using the newly introduced allowed-insecure-tls-protocol global configuration property. Because communication using SSLv3 can no longer be considered secure, we recommend that you update all known clients that still use SSLv3. The server access log can be used to identify LDAP clients that use SSLv3 to communicate with the server. Whenever an LDAP client establishes a secure connection to the server, or whenever a client uses the StartTLS extended operation to secure an existing plaintext connection, the server generates a |
DS-11947 | Increased the possible parallelism within a Sync Pipe by skipping past the operation at the head of the incoming queue if it cannot be processed because it depends on an uncompleted active operation. This approach increases the overall throughput of a Sync Pipe when the stream of incoming changes also includes multiple dependent operations that must be processed in order. Examples of dependent operations include changes to the same entry, as well as changes to entries with a parent-child relationship. With these changes, the Sync Server still guarantees that dependent operations are processed in order. |
DS-11993 | Added a gauge to the server to track JVM memory usage. An alert is generated when the amount of free memory becomes so low that it might impact server performance. |
DS-12147 | Updated the server to make it easier to control the order of values in the ssl-protocol and ssl-cipher-suite properties in the LDAP connection handler and crypto manager configuration objects. |
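The dependency-aware dispatch described for DS-11947, as an added Python illustration (not PingDataSync code): changes to the same entry or to parent/child entries are treated as dependent, a head-blocking policy is compared with the skip-ahead policy, and the dispatch model (a round of up to `max_active` operations that all finish before the next round) and the sample changes are assumptions constructed for the example.

```python
from collections import deque


def parent_dn(dn):
    """Parent of a comma-separated DN, or None for a top-level DN."""
    _head, sep, rest = dn.partition(",")
    return rest if sep else None


def is_dependent(op, earlier):
    """True if op must wait for any op in `earlier`: same entry, or a
    parent-child relationship between the two entries (the DS-11947 rule)."""
    for e in earlier:
        if (op["dn"] == e["dn"] or parent_dn(op["dn"]) == e["dn"]
                or parent_dn(e["dn"]) == op["dn"]):
            return True
    return False


def schedule(incoming, max_active, skip_blocked=True):
    """Simulate dispatch rounds (simplified model, an assumption of this
    example). Each round starts up to max_active ops that are independent of
    everything active or still waiting ahead of them in the queue; started ops
    finish before the next round. Returns the list of ids started per round."""
    queue = deque(incoming)
    rounds = []
    while queue:
        active, waiting = [], []
        while queue and len(active) < max_active:
            op = queue.popleft()
            if is_dependent(op, active + waiting):
                waiting.append(op)       # must stay behind what it depends on
                if not skip_blocked:
                    break                # pre-fix policy: blocked head stalls the pipe
            else:
                active.append(op)
        queue = deque(waiting) + queue   # unstarted ops keep their relative order
        rounds.append([op["id"] for op in active])
    return rounds


# Constructed sample of incoming changes (not taken from the page).
SAMPLE = [
    {"id": 1, "dn": "ou=people,dc=example,dc=com"},
    {"id": 2, "dn": "uid=alice,ou=people,dc=example,dc=com"},  # child of 1
    {"id": 3, "dn": "uid=alice,ou=people,dc=example,dc=com"},  # same entry as 2
    {"id": 4, "dn": "uid=bob,ou=groups,dc=example,dc=com"},
    {"id": 5, "dn": "uid=carol,ou=groups,dc=example,dc=com"},
    {"id": 6, "dn": "uid=dave,ou=groups,dc=example,dc=com"},
]

if __name__ == "__main__":
    print("skip-ahead:   ", schedule(SAMPLE, 3))
    print("head-blocking:", schedule(SAMPLE, 3, skip_blocked=False))
```

With the sample above, skip-ahead finishes in three rounds while head-blocking needs four, and in both policies ops 1, 2 and 3 still complete in order.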