Upgrade Considerations
Important considerations for upgrading to this version of PingDataSync Server are as follows:
- If you are upgrading a server that was running an earlier version of the JDK, run the dsjavaproperties --initialize command after the software upgrade to compare the settings of the earlier JDK with the requirements for the new server software. Apply necessary changes to the upgraded server, based on the previous performance settings.
The 6.0 release makes the following changes to supported platforms:
- CentOS 7.2 and RedHat 7.2 are now supported operating system versions.
- SUSE 11 SP4 is now supported, and support for SUSE 11 SP2 has been retired.
- Linux KVM and VMWare ESXi 6.x have been added as supported virtual machine environments.
- Deprecation of JDKs 7.x. Customers are strongly advised to use JDK 8 with this release.
- WildFly 9.x, which is renamed from JBoss, is now a supported application server for all web applications, including the Administrative Console and sample applications. Support for JBoss 7.x has been retired. Tomcat support remains unchanged in this release.
- PBKDF2 is now the default encoding for root passwords. This change affects only new installations.
- In addition to changing the default password-storage scheme for root users to PBKDF2, the default password-storage scheme for regular users has been changed to salted 256-bit SHA-2.
- HTTPS defaults to ON, and servers now default to use HTTPS for console and API connections, including the SCIM API. This change might affect automation scripts and development environments in which HTTPS has not previously been in use.
- Generated user passwords, like those created by the server during a password reset sequence, are now created as passphrases instead of as random character strings. This change makes such passwords easier to type and remember but does not affect upgrades.
- The /config directory file permissions have been changed so that only the server user can access them.
- Customers who use the optional encryption algorithms that the BouncyCastle library provides are encouraged to upgrade to BouncyCastle 1.54.
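The change to PBKDF2 for root passwords and salted SHA-256 for regular users (two of the items above) is worth seeing concretely. The following Python block is an added example, not code from PingDataSync Server: it encodes and verifies passwords under both schemes and reports the work an attacker pays per guess. The `{SSHA256}` layout (digest then salt, base64) follows the common LDAP convention; the `{PBKDF2}` text layout, the salt lengths and the 10000-iteration default are assumptions for this example, since the page does not show the server's on-disk format.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed, illustrative encodings (the page does not show the server's on-disk layout):
#   {SSHA256}  base64( sha256(password || salt) || salt ), 8-byte random salt
#   {PBKDF2}   "<iterations>:<base64 salt>:<base64 derived key>", PBKDF2-HMAC-SHA256
SSHA256_SALT_LEN = 8
PBKDF2_SALT_LEN = 16
PBKDF2_KEY_LEN = 32
PBKDF2_ITERATIONS = 10000  # assumed default for this example; tune to the server's own setting


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def encode_ssha256(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-256: one hash per guess, so the salt defeats precomputed tables but not brute force."""
    salt = os.urandom(SSHA256_SALT_LEN) if salt is None else salt
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return "{SSHA256}" + _b64(digest + salt)


def encode_pbkdf2(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC computations."""
    salt = os.urandom(PBKDF2_SALT_LEN) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, PBKDF2_KEY_LEN)
    return "{PBKDF2}%d:%s:%s" % (iterations, _b64(salt), _b64(key))


def verify(password: str, stored: str) -> bool:
    """Check a cleartext password against either encoding, comparing in constant time."""
    if stored.startswith("{SSHA256}"):
        raw = base64.b64decode(stored[len("{SSHA256}"):])
        digest, salt = raw[:32], raw[32:]
        candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate, digest)
    if stored.startswith("{PBKDF2}"):
        iterations, salt_b64, key_b64 = stored[len("{PBKDF2}"):].split(":")
        salt, key = base64.b64decode(salt_b64), base64.b64decode(key_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                        int(iterations), len(key))
        return hmac.compare_digest(candidate, key)
    raise ValueError("unsupported password-storage scheme in %r" % stored[:16])


def work_factor(stored: str) -> int:
    """Hash/HMAC invocations an attacker pays per guess: 1 for salted SHA-256, N for PBKDF2."""
    if stored.startswith("{SSHA256}"):
        return 1
    if stored.startswith("{PBKDF2}"):
        return int(stored[len("{PBKDF2}"):].split(":")[0])
    raise ValueError("unsupported password-storage scheme")


if __name__ == "__main__":
    root = encode_pbkdf2("correct horse battery staple")
    user = encode_ssha256("correct horse battery staple")
    print(root, verify("correct horse battery staple", root), work_factor(root))
    print(user, verify("wrong guess", user), work_factor(user))
```

Because the change applies only to new installations, an upgraded server keeps whatever scheme its existing entries already use; the `work_factor` check is the kind of audit you would run over exported `userPassword` values to see which accounts still carry a single-iteration scheme.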
What's New
The following features are new with this release of PingDataSync Server:
- PingDataSync Server now recognizes and handles changes from Active Directory sources, including the non-standard range=n-m suffixes for multi-valued attributes.
- Added the ability to apply attribute maps programmatically in Server Extensions so that specific maps can be applied to a cascading set of changes that the extension generates.
- For Java developers whose tools and workflows make use of Maven, the Server SDK .jar file has been deployed to Maven Central. To add the Server SDK as a project dependency, developers need only to add a few lines to a project's pom.xml. Also, developers can now generate a Server SDK project that Maven-aware IDEs, such as IntelliJ IDEA, can package into an extension bundle that requires no special configuration. This benefit extends to continuous integration systems, such as Jenkins.
- The dsconfig tool provides the ability to search for and quickly navigate to configuration objects and properties in which the name, synopsis, or description matches a provided pattern.
- A new rotate-log tool and task have been added, which can be used to trigger the rotation of one or more log files.
- The Configuration API is now fully supported for all servers. In this release, the API was changed to match SCIM conventions for attribute naming, resource modeling, and the standard HTTP verbs. The UnboundID SCIM 2 SDK, which is available through GitHub, can now be used with the Configuration API.
All servers have an updated web Administrative Console, which includes the following changes:
- New layouts for operational statistics, processing time, queues, monitors, and installed extensions.
- Alert and alarm displays that summarize the data in cn=alerts and cn=alarms, based on the configured gauges, as well as filtering and searching for them.
- A new LDAP Schema Editor for importing and validating schema files, and for creating and editing object classes and attribute types. The editor also shows the attribute syntaxes, inheritance, and indexes that exist for each attribute, and the dependencies between object classes and attributes.
- The new Administrative Console can be deployed to independent application servers instead of being co-hosted by the servers. This approach simplifies deployment models and increases the separation between the data and application layers.
- To assist with situations in which a large number of changes might decrease the amount of available disk space, or might increase memory usage or the time required to start the server, alerting and gauge features have been added to the Recent Changes Database.
- Servers can now trigger events whenever log files are rotated. This change includes copy on rotate and summarize on rotate listeners, as well as Server SDK support for creating custom log file rotation listeners.
- Root user accounts can now be created, changed, and removed across the topology by using the dsconfig tool or the Administrative Console.
Known Issues and Workarounds
The following issues are known in the current version of PingDataSync Server:
When deploying the Administrative Console in Tomcat 8 and accessing the Administrative Console application by using Tomcat's Web Application Manager, some browsers, including Safari and Firefox, generate a path URL that encodes the dash in ubid-console. This issue results in a path such as http://localhost:8888/ubid%2Dconsole/, which causes session-management errors.
Workaround: Copy and paste the generated link into a browser, and replace the encoded dash (%2D) with a literal dash (-) character.
The PermSize and MaxPermSize JVM properties are no longer supported in JDK 8, and can be ignored.
Workaround: To remove these properties, modify the config/java.properties file and run bin/dsjavaproperties while the server is offline.
The dsconfig tool and the Administrative Console enable the creation and management of new Root DN users in this release. However, the ability to change the password of a currently logged-on administrator is limited.
Workaround: To change the administrator's password, use the ldappasswordmodify command, and provide the current and new password.
Resolved Issues
The following issues have been resolved with this release of PingDataSync Server:
Ticket ID | Description |
---|---|
DS-979 | Added the ability to search for configuration objects and their properties by name with the dsconfig tool. |
DS-4235 | Added support for copy-on-rotate and summarize-on-rotate log file rotation listeners, which allow for custom processing whenever a log file is rotated out of service so that the server can no longer write to it. The Server SDK also includes an API for creating custom log file rotation listeners. |
DS-7505, DS-13571, DS-13860 | Updated the default file permissions for new installations on UNIX-based systems. By default, the files and directories that are included in the .zip file are accessible only to the user who extracted the file's contents. Newly created files and directories are also assigned permissions that can be accessed only by the account that is used to run the server. Existing configuration options for setting file permissions, such as the log-file-permissions and db-directory-permissions properties, continue to behave as before. The new config/server.umask file controls the default permissions for all other newly created files and directories. |
DS-9407, DS-15183, DS-15220 | Updated the initial server configuration to improve security and usability. These changes apply only to new installations and are not applied when an existing installation is updated. The following changes are included: |
DS-10312 | Added the server's process ID to the output of the status tool. |
DS-10464 | Added a new rotate-log tool to request the rotation of one or more log files. |
DS-10466, DS-10765, DS-14479, DS-15318, DS-16154 | Addressed issues associated with config-diff. In some situations, for example, config-diff could not generate commands in an order that respected all dependencies. This issue is now fixed. Most expected warnings are excluded by default, but can be included in the output by using the --includeAllWarnings option. Additionally, the --sourceBindPasswordFile and --targetBindPassword options are now applied in conjunction with the --targetConfigGroup and --sourceConfigGroup options. |
DS-10946 | Added a --dry-run option to dsconfig, which can be used in batch mode to validate the configuration changes in a batch file without applying them. |
DS-12191 | Added support for setting the request header size in the Jetty HTTP configuration server properties. |
DS-13401 | Improved the collect-support-data tool to include information that systemd provides on platforms that support it. |
DS-13700 | Updated command-line tools based on the LDAP SDK tool APIs to add the following features: |
DS-13823 | The collect-support-data tool now captures Kerberos configuration and logging information. |
DS-14213 | Added the ability to create local constants in LDIF template files by using the new local keyword. |
DS-14298 | To apply Sync maps programmatically, a new API, applyMaps(), is available for PingDataSync Server plugins. |
DS-14430 | Updated the Apache Commons Collections library to address the deserialization vulnerability described by CVE-2015-4852. |
DS-14548 | Added a monitor entry for each Server SDK extension. |
DS-14606 | The resync tool now supports sync pipes that use Notification mode. |
DS-14694 | Added a --prettyPrint option to the config-diff tool to make the output more human-readable. |
DS-14704 | Updated the restore command so that it can no longer be used to restore a backup of the configuration backend. The command now points the administrator toward safer ways for reverting configuration changes, including using the config-diff command. |
DS-14749 | Updated the server's support for the Twilio Messaging Service so that it uses the newer Messages API, instead of the earlier SMS API, when sending SMS messages. The earlier API has been deprecated, and Twilio now imposes a 120-character limit for messages sent through that API. The Messages API allows the server to take advantage of the full 160 characters per SMS message. |
DS-14765 | Updated the Active Directory PingDataSync Source so that it correctly handles the range options on attributes that are returned with the DirSync control. |
DS-14807 | Tools that prepare a server for access by another server, such as prepare-external-server, now validate base DN entries before modifications are performed on the prepared server. |
DS-14857 | Fixed an issue with the dsjavaproperties tool, in which java properties for PermSize and MaxPermSize could be added when using JDK 8, which no longer supports these options. |
DS-14878 | To prevent the possible retention of data in memory, memory utilization has been improved when processing entries with large attributes. |
DS-14923 | Updated the bcrypt, crypt, PBKDF2, and scrypt password-storage schemes so that they can be used to create new instances. |
DS-14979 | Fixed a case in which changes to attribute syntax configurations did not apply to undefined attributes, which rely on default attribute types. |
DS-15015 | Server SDK extensions are now built with a Java source version of 1.7 by default. |
DS-15087 | Fixed an issue in which destination attributes with hard-coded values were excluded inappropriately during a resync when the --excludeSourceAttr option was used. |
DS-15088 | The former suite of Administrative Console applications, each of which was tied to a particular product (for example the dsconsole.war for PingDirectory Server) are no longer available, and have been superseded by a new version of the Administrative Console that can manage any server product. You can choose to access the Administrative Console by hosting it within a server or by deploying it in an external servlet container. For the former option, enable an HTTP Connection Handler and add the Administrative Console Web Application Extension to the handler. For the latter option, download and extract the management-console-[version].zip file, and install the ubid-console.war file according to your container's instructions. |
DS-15108 | Replaced the scramble-ldif tool with a more powerful transform-ldif tool with support for several additional transformation types. The new transform-ldif tool is backward-compatible with the former scramble-ldif tool, and the scramble-ldif shell script and batch file are still included with the server to ensure compatibility with scripts that depend on that tool. |
DS-15175 | The Configuration API now returns unquoted, native JavaScript values for integer, real number, and Boolean properties. Duration and size property values, such as 1 w or 100 G, continue to be represented as JavaScript string types. |
DS-15178 | Improved the error messages and examples for create-rc-script and create-systemd-script by explicitly suggesting the use of sudo so that the scripts can modify protected files. |
DS-15187 | Literal curly brackets ({ and }) can now be included in value patterns and conditional value patterns of constructed attribute mappings by doubling them: a literal { is written as {{ and a literal } as }}. |
DS-15221 | Changed interactive setup default value for HTTPS enablement. |
DS-15337 | Improved the error messages for create-rc-script and create-systemd-script when the directory in which the script will be created does not exist. |
DS-15361, DS-15363, DS-15434 | Updated interactive setup to display default values. Also improved the overall layout and appearance. |
DS-15400 | Addressed an issue in which dsconfig incorrectly permitted the deletion of certain configuration objects. |
DS-15412 | Improved the error messages that the manage-extensions tool generates when attempting to install invalid extensions. |
DS-15417 | Updated the global ACIs that ship with the server to use a separate ACI for each control or extended request to allow by default, rather than grouping all desired controls together in one ACI and all desired extended requests together in a second ACI. This change is reflected only in new installations, and not when updating an existing deployment. |
DS-15422 | Root DN User configuration entries can now be managed fully through the configuration management interfaces, such as dsconfig and the Administrative Console. |
DS-15437 | Provided a graphical tool, watch-entry, that is intended to demonstrate replication or synchronization latency by watching an LDAP entry for changes. If the entry changes, the background of modified attributes temporarily becomes red. Attributes can also be directly modified. |
DS-15466 | Added logging information when initializing web application and servlet extensions in case an extension causes conflicts or delays. |
DS-15513 | PingDataSync Server now uses the max-connection-age configuration property to limit the age of LDAP connections to external servers. |
DS-15521 | Updated setup to encode the root password with the PBKDF2 password-storage scheme instead of SSHA512. |
DS-15522 | To prevent Java JVM pauses, the updater tool now increases the PermSize and MaxPermSize parameters to the recommended values. |
DS-15571 | To accommodate the Administrative Console, increased the minimum memory requirements for the server process from 256MB to 384MB. |
DS-15592 | Fixed an error that could occur during upgrade when a missing custom schema prevented the configuration from loading. |
DS-15621 | Updated the Groovy Scripting Language version to 2.4.6. |
DS-15622 | Fixed an issue that prevented the deletion of disabled debug loggers. |
DS-15670 | The prepare-endpoint-server CLI that is included with PingDataSync Server now correctly sets permissions when the Synchronization user already exists. |
DS-15753 | The Data Services Markup Language (DSML) client and gateway components have been discontinued and are no longer available. |
DS-16224 | Updated the sanitize-log tool to add support for JSON-formatted access and error log files. |
DS-16728 | Sensitive attribute values can now be redacted in the sync and sync-failed-ops log files. By default, the values of encoded passwords are redacted. The redaction can be configured with the log-redaction-regex property in the global Sync configuration. |
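The brace-doubling rule in DS-15187 is a small escaping grammar, and escaping rules are where template bugs hide, so here is an added example (not PingDataSync Server's own code) of a renderer for a constructed-attribute value pattern that substitutes `{attribute}` references from a source entry and treats `{{` and `}}` as literal braces. It assumes a simple reference syntax of a bare attribute name in braces, takes the first value of a multi-valued attribute, and treats attribute names as case-insensitive, as LDAP does; the sample entry is constructed for the example. It also rejects the two malformed cases a practitioner hits most, an unterminated reference and a stray single `}`, rather than emitting a half-rendered value.

```python
import re
from typing import Dict, List, Optional

# Constructed sample source entry (not from the page). LDAP attribute names are
# case-insensitive, so lookups are normalised to lowercase below.
SAMPLE_ENTRY = {
    "uid": ["jdoe"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "mail": ["jdoe@example.com", "jane.doe@example.com"],
}

_ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


class ValuePatternError(ValueError):
    """Raised for an unbalanced brace or a reference to an attribute the entry lacks."""


def render_value_pattern(pattern: str, entry: Dict[str, List[str]]) -> str:
    """Render a value pattern: {attr} substitutes, {{ and }} are literal braces."""
    lookup = {name.lower(): values for name, values in entry.items()}
    out = []
    i, n = 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "{":
            if pattern.startswith("{{", i):      # doubled brace: literal "{"
                out.append("{")
                i += 2
                continue
            end = pattern.find("}", i + 1)
            if end == -1:
                raise ValuePatternError("unterminated {reference} at offset %d" % i)
            name = pattern[i + 1:end]
            if not _ATTR_NAME.fullmatch(name):
                raise ValuePatternError("bad attribute reference %r at offset %d" % (name, i))
            values = lookup.get(name.lower())
            if not values:
                raise ValuePatternError("source entry has no value for %r" % name)
            out.append(values[0])                 # first value of a multi-valued attribute
            i = end + 1
            continue
        if ch == "}":
            if pattern.startswith("}}", i):      # doubled brace: literal "}"
                out.append("}")
                i += 2
                continue
            raise ValuePatternError("stray '}' at offset %d; write '}}' for a literal brace" % i)
        out.append(ch)
        i += 1
    return "".join(out)


def pattern_error(pattern: str, entry: Dict[str, List[str]]) -> Optional[str]:
    """Return the error message a pattern would raise, or None if it renders cleanly."""
    try:
        render_value_pattern(pattern, entry)
    except ValuePatternError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(render_value_pattern("{givenName} {sn} <{mail}>", SAMPLE_ENTRY))
    # A JSON-shaped destination value needs literal braces around the references:
    print(render_value_pattern('{{"uid":"{uid}","mail":"{mail}"}}', SAMPLE_ENTRY))
    print(pattern_error("{uid", SAMPLE_ENTRY))
```

The JSON-shaped pattern in the usage section is the case the doubled-brace syntax exists for: without it there is no way to emit a literal `{` next to a reference. Note that `{{{uid}}}` renders as `{jdoe}`, because the scanner consumes `{{` as a literal before it sees the reference that follows.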
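DS-16728 describes redaction of sensitive values in the sync and sync-failed-ops logs by regular expression, with encoded passwords redacted by default. The following Python block is an added example, not PingDataSync Server's own implementation, of the mechanism: a regex whose first capture group keeps the attribute label while the matched secret is replaced, applied to a few constructed sync log lines. The expression for encoded passwords (a `{SCHEME}` prefix followed by the encoded data on `userPassword` or `unicodePwd`), the log line layout and the `***REDACTED***` marker are all assumptions made for this example, not the server's built-in defaults.

```python
import re
from typing import List, Sequence

REDACTED = "***REDACTED***"

# Illustrative expression for encoded password values: the attribute label is
# capture group 1 (kept), the "{SCHEME}..." value is the part that is replaced.
# Assumed for this example; not the server's built-in default expression.
ENCODED_PASSWORD_REGEX = r'(?i)((?:userPassword|unicodePwd)\s*[:=]\s*)\{[A-Za-z0-9-]+\}[^\s"]*'

# Constructed sample sync log lines (not captured from a real server).
SAMPLE_SYNC_LOG = [
    '[14/Mar/2016:10:15:22.101 -0500] category=SYNC severity=INFORMATION op=41 '
    'msg="Synchronized MODIFY of uid=jdoe,ou=People,dc=example,dc=com: '
    'replace userPassword: {SSHA256}YzJGc2RITmhiSFF1c2FsdHNhbHQ="',
    '[14/Mar/2016:10:15:23.412 -0500] category=SYNC severity=INFORMATION op=42 '
    'msg="Synchronized ADD of uid=asmith,ou=People,dc=example,dc=com: '
    'userPassword={PBKDF2}10000:c2FsdHNhbHQ=:ZGVyaXZlZGtleQ=="',
    '[14/Mar/2016:10:15:24.009 -0500] category=SYNC severity=INFORMATION op=43 '
    'msg="Synchronized MODIFY of uid=jdoe,ou=People,dc=example,dc=com: '
    'replace telephoneNumber: +1 555 0100"',
]


def redact_line(line: str, regex: str = ENCODED_PASSWORD_REGEX) -> str:
    """Replace every match of `regex` with REDACTED, keeping capture group 1 (the label) if present."""
    compiled = re.compile(regex)

    def _replace(match):
        prefix = (match.group(1) or "") if compiled.groups else ""
        return prefix + REDACTED

    return compiled.sub(_replace, line)


def redact_log(lines: Sequence[str],
               regexes: Sequence[str] = (ENCODED_PASSWORD_REGEX,)) -> List[str]:
    """Apply each redaction expression, in order, to every line before it is written."""
    result = []
    for line in lines:
        for regex in regexes:
            line = redact_line(line, regex)
        result.append(line)
    return result


def leaked_values(lines: Sequence[str], regex: str = ENCODED_PASSWORD_REGEX) -> List[str]:
    """Audit helper: the secret substrings that would reach disk if redaction were off."""
    compiled = re.compile(regex)
    found = []
    for line in lines:
        for match in compiled.finditer(line):
            prefix = (match.group(1) or "") if compiled.groups else ""
            found.append(match.group(0)[len(prefix):])
    return found


if __name__ == "__main__":
    for before, after in zip(SAMPLE_SYNC_LOG, redact_log(SAMPLE_SYNC_LOG)):
        print("CHANGED " if before != after else "UNCHANGED", after)
    print(leaked_values(SAMPLE_SYNC_LOG))
```

Two points of practice follow from this. First, the expression must match the encoded value, not just the label, so that the non-secret lines (the telephoneNumber change above) pass through untouched and the remaining text stays useful for troubleshooting. Second, redaction at write time is the complement of the sanitize-log tool (DS-16224) rather than a replacement for it: sanitize-log cleans files after the fact, whereas a value that was never written cannot leak through a support bundle or a log-shipping pipeline.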