What's New

The following features are new with this release of PingDataSync Server:

  • Java 7 is now required when setting up a new server or upgrading an existing server.
  • Enabled support for the SSLv2Hello TLS protocol by default in JVMs that support it. This feature does not enable support for the insecure SSLv2 protocol, but it can improve compatibility with clients that run earlier versions of Java and might start TLS negotiation with an SSLv2-format client hello before negotiating up to a higher version of the TLS protocol. Support for SSLv2Hello in the initial phase of negotiation does not compromise the strength of the integrity or confidentiality protection that is ultimately negotiated between the client and the server.
  • Added a Monitor History plugin that periodically records cn=monitor to timestamped files to aid in isolating intermittent problems. By default, the plugin logs the full cn=monitor branch every five minutes to compressed files within logs/monitor-history/. Files are deleted automatically, but a sparse set of older files is retained to provide historical perspective on server performance. The collect-support-data tool has also been updated to collect some of these files to aid in root-cause analysis.
  • Introduced the Configuration HTTP Servlet Extension, which is used for querying and updating the configuration over a REST API. This feature is currently experimental and is subject to change in the future. Your feedback is welcome.

Resolved Issues

The following issues have been resolved with this release of PingDataSync Server:

Ticket ID Description
DS-8368, DS-12120 Updated the HTTP Connection Handler to return a 404 Not Found response to requests for endpoints that are not handled by a servlet or by web application extensions. Previously, the handler returned a 200 OK with no response body.
DS-10441 Disabled log rotation during startup to prevent potential problems with rotation dependencies on server components that have not yet been initialized.
DS-10460 Fixed the dsconfig tool to suppress stray output when run in batch mode with the --quiet option.
DS-11068, DS-11784, DS-11887 Updated the setup tools to enable the definition of external server instances that are configured to reject unauthenticated requests. Previously, the tools indicated erroneously that such server instances were unavailable.
DS-11453 Reduced the severity of the unrecognized alert type message in the error log from SEVERE_WARNING to NOTICE. The message now states that this event is expected if the server is reverted to a version prior to the implementation of these alert types.
DS-11472 Fixed the gauge-configuration manager to re-initialize only the gauge that was changed, and not any of the other gauges that did not change.
DS-11487 Fixed an issue with the prepare-endpoint-server tool in which the maxChangelogAge argument was not being applied when targeting UnboundID servers.
DS-11541 Fixed the alarm manager to generate alarm-cleared alerts when internal alarms are cleared, and when the alarm manager's generated-alert-types property features the alarm value.
DS-11546 Fixed the alarm manager to exclude the details of old, cleared alarms from the alarm-cleared alert message.
DS-11624 Updated the Web Console so that a user's previous session is always invalidated when he or she logs on to the system.
DS-11629, DS-11645 Updated the Web Console to suppress LDAP responses in user messages, such as when the server is unavailable or for authentication failures. Also added a context parameter to exclude stack traces and detailed error messages from appearing in the application's internal error page.
DS-11637 Updated the alarm manager to not generate an alarm-normal alert when a gauge's condition abates.
DS-11688 Fixed an issue in which tools such as dsconfig, status, and dsreplication could not connect to the server over SSL or StartTLS. This issue occurred when a certificate was accepted with the Manually validate option, while using the interactive LDAP connection menu.
DS-11719 Updated the alarm manager to not persist normal alarms.
DS-11719 Updated the ExampleOverloadHandlerPlugin to monitor the alarm backend for delete actions, so that it can react appropriately to abating gauge conditions.
DS-11730 Removed the alarm-normal alert.
DS-11751 Fixed incorrect property references for trustStorePassword and keyStorePasswordFile in tools.properties that corresponded to the wrong argument names.

Disabled support for SSLv3 by default in the LDAP, HTTP, and JMX connection handlers and for replication communication. The recently disclosed POODLE vulnerability (CVE-2014-3566) could allow a network attacker to recover the plaintext of an SSLv3-encrypted session, which would effectively negate the primary benefit of the encryption.

SSLv3 was initially defined in 1996 but was supplanted by the release of TLSv1 in 1999 (and subsequently by TLSv1.1 in 2006 and TLSv1.2 in 2008). The newer TLS protocols are not susceptible to the POODLE vulnerability, and the server has supported them (and preferred them over SSLv3) for many years. Disabling SSLv3 by default should not adversely affect clients that support the newer TLS protocols. However, if legacy client applications attempt to communicate securely but do not support the newer TLS protocols, update them to support the newer protocols. If known clients do not support a security protocol newer than SSLv3, and if they cannot be updated immediately to support a newer protocol, re-enable SSLv3 support by using the newly introduced allowed-insecure-tls-protocol global configuration property. Because communication using SSLv3 can no longer be considered secure, we recommend that you update all known clients that still use SSLv3 and treat re-enabling it as a temporary measure.

The server access log can be used to identify LDAP clients that use SSLv3 to communicate with the server. Whenever an LDAP client establishes a secure connection to the server, or whenever a client uses the StartTLS extended operation to secure an existing plaintext connection, the server generates a SECURITY-NEGOTIATION access log message. The protocol element of a SECURITY-NEGOTIATION message names the security protocol that was negotiated between the client and the server, so SECURITY-NEGOTIATION messages with a protocol of SSLv3 indicate that the associated client is exposed to a POODLE attack. Additionally, if a connection is terminated because the client attempted to use the disallowed SSLv3 protocol, the corresponding disconnect message in the access log includes a message that states the reason for the termination, so rejected legacy clients can be identified even after SSLv3 is disabled.
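The check described above, as an added example that is not part of the original release notes or of the product: it correlates CONNECT records (which carry the client address) with SECURITY-NEGOTIATION and DISCONNECT records by connection ID and reports which client addresses negotiated SSLv3 or were rejected for attempting it. The sample log lines are constructed, and their bracketed-timestamp, message-type, key="value" layout is an assumption about the access log format; adjust the regular expressions if your log format differs.

```python
import re
from collections import defaultdict

# Constructed sample access log (not real server output). The layout is assumed:
# "[timestamp] MESSAGE-TYPE key=value key="quoted value" ...". CONNECT carries
# the client address, SECURITY-NEGOTIATION the negotiated protocol and cipher,
# and DISCONNECT a reason. conn=42 uses StartTLS (OID 1.3.6.1.4.1.1466.20037).
SAMPLE_LOG = """\
[20/Oct/2014:10:15:01 -0500] CONNECT conn=41 from="10.1.2.3:51922" to="10.1.0.5:636" protocol="LDAPS"
[20/Oct/2014:10:15:01 -0500] SECURITY-NEGOTIATION conn=41 protocol="SSLv3" cipher="SSL_RSA_WITH_RC4_128_SHA"
[20/Oct/2014:10:15:02 -0500] CONNECT conn=42 from="10.1.2.7:40120" to="10.1.0.5:389" protocol="LDAP"
[20/Oct/2014:10:15:02 -0500] EXTENDED conn=42 op=0 msgID=1 requestOID="1.3.6.1.4.1.1466.20037"
[20/Oct/2014:10:15:02 -0500] SECURITY-NEGOTIATION conn=42 protocol="TLSv1.2" cipher="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
[20/Oct/2014:10:15:03 -0500] CONNECT conn=43 from="10.1.2.3:51930" to="10.1.0.5:636" protocol="LDAPS"
[20/Oct/2014:10:15:03 -0500] DISCONNECT conn=43 reason="Security Negotiation Failed" msg="SSLv3 is not allowed"
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<type>[A-Z-]+)\s+(?P<rest>.*)$')
# key=value pairs; the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one access log line into a dict with 'ts', 'type' and the key=value
    fields; returns None for lines that do not match the assumed layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {key: (quoted or bare) for key, _whole, quoted, bare in KV_RE.findall(m.group("rest"))}
    return {"ts": m.group("ts"), "type": m.group("type"), **fields}


def find_sslv3_clients(log_text):
    """Return {client_ip: [(conn_id, finding), ...]} for clients that either
    negotiated a pre-TLS protocol (SSLv3) or were disconnected because the
    server refused SSLv3. Connections are tied to addresses via CONNECT."""
    conn_addr = {}                 # conn id -> client IP (from CONNECT)
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        conn = rec.get("conn")
        if rec["type"] == "CONNECT" and "from" in rec:
            # strip the source port; IPv4 "ip:port" assumed for the sample
            conn_addr[conn] = rec["from"].rsplit(":", 1)[0]
        elif rec["type"] == "SECURITY-NEGOTIATION":
            proto = rec.get("protocol", "")
            if not proto.startswith("TLS"):   # SSLv3 (or anything older) is the concern
                findings[conn_addr.get(conn, "unknown")].append((conn, "negotiated " + proto))
        elif rec["type"] == "DISCONNECT" and "SSLv3" in rec.get("msg", ""):
            findings[conn_addr.get(conn, "unknown")].append((conn, "rejected: " + rec["msg"]))
    return dict(findings)


if __name__ == "__main__":
    for ip, items in sorted(find_sslv3_clients(SAMPLE_LOG).items()):
        for conn, what in items:
            print(f"{ip}\tconn={conn}\t{what}")
```

Run it over the real access log (for example `python sslv3_clients.py < logs/access`) to build the list of clients that must be updated before SSLv3 support is withdrawn for good; the TLSv1.2 client on conn=42 is correctly left out of the report.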

DS-11947 Increased the possible parallelism within a Sync Pipe by skipping past the operation at the head of the incoming queue when it cannot be processed because it depends on an active operation that has not yet completed. This increases the overall throughput of a Sync Pipe when the stream of incoming changes includes dependent operations that must be processed in order. Examples of dependent operations include multiple changes to the same entry, and changes to entries with a parent-child relationship. With these changes, the Sync Server still guarantees that dependent operations are processed in order.
DS-11993 Added a gauge to the server to track JVM memory usage. An alert is generated when the amount of free memory becomes so low that it might impact server performance.
DS-12147 Updated the server to make it easier to control the order of values in the ssl-protocol and ssl-cipher-suite properties in the LDAP connection handler and crypto manager configuration objects.