Critical Fixes

This release of the PingDataMetrics Server addresses critical issues from earlier versions. Update all affected servers appropriately.

  • Addressed an issue that could lead to slow, off-heap memory growth. This only occurred on servers whose cn=Version,cn=monitor entry was retrieved frequently.

    • Fixed in:
    • Introduced in:
    • Support identifiers: DS-41301
  • Fixed a memory leak when performing SCIM queries on the Directory Server.

    • Fixed in:
    • Introduced in:
    • Support identifiers: DS-41206 SF#00681395

Upgrade Considerations

Important considerations for upgrading to this version of the PingDataMetrics Server:

  • If you have upgraded a server that is in a cluster (i.e., has a cluster name set in the Server Instance configuration object) to version 8.1, you will not be able to make cluster configuration changes until all servers with the same cluster name have been upgraded to version 8.1. If needed, you could create temporary clusters based on server versions and modify each of the servers' cluster name appropriately to minimize the impact while you are upgrading.

What's New

These are new features for this release of the PingDataMetrics Server:

  • In an ongoing effort to improve the use of containers for PingDirectory, several features have been implemented:

    - The --outputFile option has been added to the collect-support-data tool. You can now specify either a path, a file name, or a path and file name for the resulting CSD file. This means an administrator can run the collect-support-data tool and put the output file into a directory outside of the container, allowing access to the file without having to actually connect to the container.

    - The collect-support-data tool can now be run as a recurring task. Recurring tasks can be created using the Administration console which means that administrators do not have to connect to the container in order to run the tool.

    - A Collect Support Tool Extended Operation has been added allowing LDAP clients to initiate the collect-support-data tool and to receive the output of the request. The LDAP SDK has been updated to support this, and the --remoteServer added to the collect-support-data tool can be used to send the request to another server. In other words, you can now run collect-support-data on the command line and reference another server, possibly in a container, and retrieve the output file remotely.

  • PingDirectory has a Consent REST API that allows users to create and store consents. A new feature now allows users to search for consents that have been granted to them by another party.

Known Issues/Workarounds

The following are known issues in the current version of the PingDataMetrics Server:

  • Several known issues can occur when you use the Administrative Console with Tomcat 9.0.31. You can resolve these issues by upgrading to Tomcat 9.0.33 or later.

Resolved Issues

The following issues have been resolved with this release of the PingDataMetrics Server:

Ticket ID Description

Added support for remotely invoking the collect-support-data tool using an administrative task, and for invoking the tool on a regular basis as a recurring task. The tool has also been updated to add an outputPath argument to allow specifying the path or name to use for the output file.


The "create-systemd-script" CLI now creates a "forking" service file since Ping services are started by a process (the "start-server" script) that is different than the actual service process.


Added support for an extended operation that can be used to invoke the collect-support-data tool from a remote system and stream the output and resulting support data archive back to the client. The collect-support-data command-line tool has been updated to support this capability through the new --useRemoteServer argument.


Fixed an issue that could cause the server to generate an administrative alert about an uncaught exception when trying to send data on a TLS-encrypted connection that is no longer valid.


Fixed a bug in which SEMI_AGGRESSIVE and AGGRESSIVE JVM Tuning Parameters were previously allowed to both be selected.


Updated the manage-profile tool to prevent displaying warnings about offline config changes when starting the server.


Added a logging-error-behavior property to the log publisher, periodic stats logger plugin, and monitor history plugin configuration that can be used to specify the behavior the server should exhibit if an error occurs while attempting logging-related processing. By default, the server will preserve its previous behavior of writing a message to standard error, but it can be configured to enter lockdown mode on a logging error, in which the server will report itself as unavailable and will only accept requests from accounts with the lockdown-mode privilege and only from clients communicating over a loopback interface.


Fixed an issue that could prevent some tools from running properly with an encrypted file.


A license is now always required when using the manage-profile replace-profile tool.


Updated the logic that the server uses to select an appropriate default set of TLS cipher suites.


Fixed an issue that could cause the shutdown process to stall if the server is configured to use TCP to communicate with a StatsD endpoint that has become unresponsive.


Fixed an issue with recurring exec tasks where the working-directory attribute was ignored.


Fixed an issue with the way the server reports memory usage after completing an explicitly requested garbage collection.


Updated the StatsD monitoring endpoint to replace any spaces, commas, or colons with underscores, and remove and single quotes or double quotes in sent metric lines. This simplifies parsing of the produced metrics.


A gauge called HTTP Processing (Percent) is now available. This gauge measures the server's capacity to process new incoming HTTP requests.


Updated the server to make the general monitor entry available to JMX clients.


Improved debugging support for Server SDK extensions. If debugging is enabled, the server will now generate a debug message whenever it invokes an extension. For some extension methods that return a value, the server will also generate a debug message with that return value.


Fixed a memory leak when performing SCIM queries on the Directory Server.


Updated the cn=Cluster subtree to prevent clustered configuration changes when servers in the cluster have mixed versions. To make clustered configuration changes, either update all servers in the cluster to the same version, or temporarily create separate clusters by server version by changing the cluster-name property on the server instance configuration objects.


To avoid inconsistencies, changing clustered configuration will now require all servers in the cluster to be on the same product version. Servers will not pull any clustered configuration from the master of the cluster if they are on a different product version.


Fixed an issue with manage-profile replace-profile where certain configuration changes for recurring task chains were not being applied.


Fixed an issue that prevented password changes for topology administrators unless their password policy was configured to allow pre-encoded passwords.


Addressed an issue that could lead to slow, off-heap memory growth. This only occurred on servers whose cn=Version,cn=monitor entry was retrieved frequently.


Added an ssl-client-auth-policy configuration property to the HTTP connection handler to provide support for mutual TLS authentication.


Updated the base monitor entry to include locationName and locationDN attributes if the server is configured with a location.


Updated the Server SDK to add ClientContext and OperationContext methods for obtaining the name and DN of the associated client connection policy.


Updated the file servlet HTTP servlet extension to add support for requiring authentication in order to access the content. Access may optionally be limited to members of a specified set of groups.


Fixed an issue that could prevent setup from generating a self-signed certificate for systems with non-ASCII hostnames.


Fixed an issue where mirrored subtree polling could produce config archive files that were identical or ignored the configured insignificant attributes list.


Added the --zip argument to the manage-profile generate-profile subcommand, which can be used to generate a zipped server profile.


Added an administrative task that may be used to generate a server profile and a corresponding recurring task that may be used to invoke the task on a regular basis.


Added an instance root file servlet to the default configuration. HTTPS requests to /instance-root by authenticated users with the file-servlet-access privilege will be granted access to files within the server instance root.


Servers running on Linux will now log a warning about possible performance impacts if the current memory control group has memory.swappiness set to a nonzero value.


The server now warns the administrator at startup if there are multiple versions of the same jar listed in the classpath, and the first one in the classpath is not the newest one.


Addressed an issue where some tools would throw a NullPointerException if a server was configured with a custom global result code map.