Critical Fixes

This release of the PingDirectoryProxy Server addresses critical issues from earlier versions. Update all affected servers appropriately.

What's New

These are new features for this release of the PingDirectoryProxy Server:

  • Better insight to server health and the performance of connected applications. Administrators can now push metrics to application insight and monitoring applications such as Splunk using two new methods. A new StatsD monitoring endpoint pushes metrics to StatsD-compatible services. Also, the periodic stats logger has been updated to use JSON-format log files, greatly simplifying the use of log forwarding tools like Splunk's Universal Forwarder or Elastic's FileBeats.
  • Better support by Directory Proxy Server for orchestrated Directory Server clusters in automated environments like Kubernetes or AWS EC2 Auto Scaling. Administrators can connect the topology of a PingDirectoryProxy Server cluster to the topology of a PingDirectory Server cluster in order to automatically adapt to cluster changes within the PingDirectory Server cluster. This greatly simplifies the configuration management of PingDirectoryProxy Server when PingDirectory Server clusters are being added, removed, or replaced by automated infrastructure orchestrators.
  • Use Server Profiles to reduce risk and improve consistency following the DevOps principle of infrastructure-as-code. Administrators can export the configuration of the PingDirectoryProxy Server server to a directory of text files called a Server Profile, track changes to these files in version control like Git, and install new instances of PingDirectoryProxy Server or update existing instances of Directory Proxy Server from a Server Profile. Server Profiles support variable substitution in order to remove the settings unique to each pre-production or production environment from the Server Profile that is stored in version control.

Known Issues/Workarounds

The following are known issues in the current version of the PingDirectoryProxy Server:

  • The following are suggested solutions for problems with slow DNS:
    • Maintain a connection pool in the client app rather than opening new connections for each bind.
    • Add appropriate records, including PTR records, to DNS.
    • Add options timeout:1 in the /etc/resolv.conf file and/or options single-request
    • If IPv6 requests specifically are causing issues, add to the line in Directory Server’s config/ file, run bin/dsjavaproperties, and restart the server to stop the issuance of IPv6 PTR requests.
  • Some server tools, such as dsreplication, collect-support-data, and rebuild-index, will fail with errors if they are run with an encrypted file.

    Workaround: Add the --noPropertiesFile argument to the server tools to prevent them from pulling information from the encrypted file.

  • The working directory value used by exec tasks is not implemented for recurring exec tasks.
  • Deploying the Admin Console to an external container using JDK 11 requires downloading the following dependencies and making them available at runtime (for example, by copying them to the WEB-INF/lib directory of the exploded WAR file).
    • groupId:jakarta.xml.bind, artifactId:jakarta.xml.bind-api, version:2.3.2
    • groupId:org.glassfish.jaxb, artifactId:jaxb-runtime, version:2.3.2
    Workaround: Deploy the Console in an external container using JDK 8.

Resolved Issues

The following issues have been resolved with this release of the PingDirectoryProxy Server:

Ticket ID Description
DS-17278 Added a cn=Server Status Timeline,cn=monitor monitor entry to track a history of the local server's last 100 status changes and their timestamps. Updated the LDAP external server monitor to include attributes tracking health check state changes for external servers. The new attributes include the number of times a health check transition has occurred, timestamps of the most recent transitions, and messages associated with the most recent transitions.
DS-37881 The PingFederate Access Token Validator will now refresh its cached value of the PingFederate server's token introspection endpoint. A new attribute, endpoint-cache-refresh, has been added to the PingFederate Access Token Validator, which will determine how often this refresh occurs.
DS-37955 To support multiple trace loggers, each trace logger now has its own resource key, which is shown in the Resource column in the output of status. This key allows multiple alarms, due to sensitive message types for multiple trace loggers.
DS-38053 The JWT Access Token Validator no longer requires a restart after a change to one of its signing certificates.
DS-38560 Updated manage-profile replace-profile to apply configuration changes directly, when possible. If the new server profile used by replace-profile has changed only the dsconfig batch files from the original profile, then only the dsconfig files are applied. If no changes are detected between profiles, replace-profile takes no action. If changes other than dsconfig are detected, the full replace-profile process is followed.
DS-38777 Added support for updating the server version during manage-profile replace-profile. The server must have been originally set up with a server profile.
DS-38832 Fixed an issue that could cause the server to leak a small amount of memory each time it failed to establish an LDAP connection to another server.
DS-38863 Updated the manage-profile setup subcommand to set a server's cluster name to match its instance name by default. This prevents servers in the same replication topology from being in the same cluster, reducing the risk of unintentionally overwriting parts of an existing server's configuration in a DevOps environment. The --useDefaultClusterName argument can be used to leave the cluster name unchanged.

Updated the PBKDF2 password storage scheme to add support for variants that use the 256-bit, 384-bit, and 512-bit SHA-2 digest algorithms. At present, the SHA-1 variant remains the default to preserve backward compatibility with older versions.

Also, in accordance with the recommendations in NIST SP 800-63B, we have increased the default iteration count from 4096 to 10,000, and the default salt length from 64 bits to 128 bits.

DS-38869 Updated the remove-defunct-server tool's --ignoreOnline option. When using --ignoreOnline in a mixed-version environment, all servers must support the option.
DS-39155 Updated the default value for maximum-degraded-missing-changes to 1000000, and for minimum-unavailable-missing-changes to 100000. Servers that used the previous default values became unavailable prematurely, leading to outages.
DS-39176, DS-39308

Updated the Groovy scripting language version to 2.5.7. For a list of changes, visit and view the Groovy 2.5 release notes.

As of this release, only the core Groovy runtime and the groovy-json module are bundled with the server. To deploy a Groovy-scripted Server SDK extension that requires a Groovy module not bundled with the server, such as groovy-xml or groovy-sql, download the appropriate jar file from and place it in the server's lib/extensions directory.

DS-39253 Added a replace-certificate tool, which can help an administrator replace the listener or inter-server certificate for a server instance.
DS-39321 Added support for PingDirectoryProxy Server to the manage-profile tool and its subcommands.
Removed the legacy product-specific scripts for starting and stopping the server. These include:
  • start-ds and stop-ds for Directory Server
  • start-proxy and stop-proxy for Directory Proxy Server
  • start-sync and stop-sync for Data Sync Server
  • start-metrics-engine and stop-metrics-engine for Data Metrics Server

These legacy scripts had been deprecated for several releases in favor of the more general start-server and stop-server scripts, and they displayed a warning message about their upcoming removal if they were invoked.

If you still have dependencies on these legacy product-specific scripts, you will need to update them to reference the general start-server and stop-server scripts instead. If it is not feasible to update these references immediately, you may create symbolic links that use the legacy script names and point at the start-server and stop-server scripts.

DS-39347 Fixed an issue where Delegated Admin would not work properly if the name of the REST Resource Type was not the same as the resource endpoint.
DS-39373 Preserve the privileges that are explicitly set on the admin user when migrating from the admin backend to the topology registry.
DS-39518 Fixed an issue in which escaped characters in schema extensions may not be handled properly. If used in attribute type constraints (such as X-VALUE-REGEX), this could cause unexpected or incorrect behavior.
DS-39525, DS-39526
Delegated Admin enhancements for constructed attributes.
  • Allow a required attribute to be read-only if it is constructed.
  • Add a configured list of "Update Constructed Attributes" on the REST resource type, similar to the "Post Create Constructed Attributes", so that constructed attributes can be updated when dependent attributes change.
  • Handle constructed attributes which reference other constructed attributes.
DS-39592 HTTP External Servers have a new attribute, ssl-cert-nickname, which defines the alias of a specific certificate within their keystore to be used as a client certificate.
DS-39603 Fixed an issue where Server SDK extensions could not be configured by dsconfig batch files in the manage-profile tool.
DS-39626, DS-40357 The trace log publisher will now record an access token's scopes after the token is successfully validated.
DS-39654 Added support for the --topologyFilePath argument to the manage-topology add-server subcommand.
DS-39671 Updated the manage-topology add-server subcommand to require being run from the older server in a mixed-version environment.
DS-39693 Fixed an issue where Delegated Admin search results were truncated and invalid upon encountering a Directory entry containing a Boolean or Integer syntax attribute whose values were invalid because they did not conform to the appropriate syntax. With this fix, the offending values are omitted from the results and a warning message is logged to the server errors log.
DS-39715 Updated the Server SDK to add support for sending email messages.
DS-39762 Added support for a "generate password" extended operation that can be used to request that the server generate one or more passwords that may be suggested as possible values when creating a new user or changing the password for an existing user.
DS-39857 Added the StatsD monitoring endpoint. When the Stats Collector Plugin is enabled, this endpoint sends metric data from the server in StatsD format to the configured destination.
DS-39908 Added a new JVM-default trust manager provider that can be used to automatically trust any certificate signed by an authority included in the JVM's default set of trusted issuers. Also, updated other trust manager providers to offer an option to use the JVM-default trust addition to the trust that they normally provide.
DS-40114 Added a new cn=Status Health Summary,cn=monitor monitor entry that provides a summary of the server's current assessment of its health. This simplifies monitoring with third party tools that support retrieving monitoring data over JMX. The Periodic Stats Logger has also been updated to allow some of this monitoring information to be logged. No new information is logged by default.
DS-40249 Fixed an issue where an LDAP search across entry-balanced server sets sometimes returned 0 (success) even though all servers in one of the sets failed with a timeout. The search should return 52 (unavailable) in this situation.
DS-40252 Update the PingDirectoryProxy Server setup process to support joining an existing PingData Platform topology.
DS-40255, DS-40256, DS-40257 Updated the fewest operations and failover load-balancing algorithms to support automatically discovering the set of backend Directory Server instances from the topology registry.
DS-40274 Updated the proxy to check if the proxy's backend has been sufficiently initialized prior to performing a health check.
DS-40354 Fixed a problem with config-diff when writing properties that span multiple lines using the --prettyPrint argument.
DS-40366 Fixed an issue where the server was attempting to connect by an IP address rather than a hostname when DNS lookup was successful.
DS-40377 Added support for logging to a JSON file in the Periodic Stats Logger Plugin.
DS-40517 Added metrics for status summary, replication database, and LDAP changelog to the Stats Collector Plugin.
DS-40543 Updated manage-profile replace-profile to copy the tool log file to the server being updated.
DS-40556 Added support for specifying a working directory for exec tasks.
DS-40730 Updated the encrypt-file tool to prevent using the same path for both the input file and the output file.
DS-40771 Added a --duration argument to collect-support-data. When used, only the log files covering the specified duration before the current time will be collected.