Critical fixes

This release of the DataSync Server addresses critical issues from earlier versions. Update all affected servers appropriately.

No critical issues have been identified.

Resolved issues

The following issues have been resolved with this release of PingDataSync Server.

Ticket ID Description

DS-41468

Fixed an issue that prevented the server from refreshing the monitor data used to detect and warn about an upcoming certificate expiration. This could cause the server to continue to warn about an expiring certificate even after that certificate had been replaced.

DS-45162

Added support for new extended operations that can be used to help manage the server's listener and inter-server certificates. Updated the replace-certificate tool to add support for replacing and purging certificates in a remote instance, and to allow skipping validation for the new certificate chain.

DS-45480, DS-45636

  • Updated the topology registry to allow using issuer certificates when determining whether to trust the certificate chain presented by another server in the topology. Previously, a server's certificate chain would only be trusted if the server certificate itself was found in the topology registry. Now, a certificate chain may be trusted if either the peer certificate or any of its issuers is found in the topology registry.

  • Updated the replace-certificate tool to add new list-topology-registry-listener-certificates and list-topology-registry-inter-server-certificates subcommands that can be used to display a list of the listener or inter-server certificates for a specified server instance in the topology registry.

  • Updated the replace-certificate tool to add a new add-topology-registry-listener-certificate subcommand that can be used to add one or more certificates to the set of listener certificates for an instance in the topology registry. This subcommand does not alter the contents of any key store, and it may be used to add an issuer certificate to the topology registry or to add a new peer listener certificate in advance of actually activating that certificate on the server.

  • Updated the replace-certificate replace-listener-certificate subcommand to add --topology-registry-update-type and --trust-store-update-type arguments that allow indicating which types of certificates to include in the topology registry and trust store, respectively. Available options include suppressing the update, only adding the listener certificate itself, only adding the listener certificate's issuers, or adding both the listener certificate and its issuers.

  • Updated the replace-certificate replace-listener-certificate subcommand to add an --ignore-current-listener-certificate-validity-window argument that will allow the tool to establish a connection to the server even if its certificate has expired or is not yet valid so that a non-valid certificate can be replaced.
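The trust-rule change in the first item under DS-45480, DS-45636, as an added example that is not PingDataSync code: a simplified Python model comparing the earlier peer-only lookup with the peer-or-issuer lookup across a certificate rotation. The certificates are constructed stand-ins identified by SHA-256 fingerprint, issuer-name linkage stands in for signature validation, and all function and certificate names are hypothetical.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes  # constructed stand-in for the encoded certificate

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

def chain_is_linked(chain):
    # Simplification: issuer-name linkage stands in for signature validation.
    return all(c.issuer == nxt.subject for c, nxt in zip(chain, chain[1:]))

def trusted_peer_only(chain, registry):
    # Earlier rule: only the server certificate itself is looked up.
    return bool(chain) and chain[0].fingerprint in registry

def trusted_peer_or_issuer(chain, registry):
    # Updated rule: the peer certificate or any of its issuers may match.
    return (bool(chain) and chain_is_linked(chain)
            and any(c.fingerprint in registry for c in chain))

# Constructed sample certificates (hypothetical names, not real DER).
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", b"root")
ISSUING = Cert("CN=Example Issuing CA", "CN=Example Root CA", b"issuing")
OLD_LEAF = Cert("CN=sync1.example.com", "CN=Example Issuing CA", b"leaf-old")
NEW_LEAF = Cert("CN=sync1.example.com", "CN=Example Issuing CA", b"leaf-new")
OTHER_LEAF = Cert("CN=other.example.com", "CN=Example Issuing CA", b"leaf-other")
UNLINKED = Cert("CN=sync1.example.com", "CN=Unrelated CA", b"leaf-unlinked")

def rotation_report():
    leaf_registry = {OLD_LEAF.fingerprint}    # registry holds the old leaf only
    issuer_registry = {ISSUING.fingerprint}   # registry holds the issuer only
    tail = [ISSUING, ROOT]
    return {
        "peer_only_before_rotation": trusted_peer_only([OLD_LEAF] + tail, leaf_registry),
        "peer_only_after_rotation": trusted_peer_only([NEW_LEAF] + tail, leaf_registry),
        "issuer_after_rotation": trusted_peer_or_issuer([NEW_LEAF] + tail, issuer_registry),
        # Registering an issuer also covers every other leaf it has issued.
        "issuer_other_leaf": trusted_peer_or_issuer([OTHER_LEAF] + tail, issuer_registry),
        "issuer_unlinked_chain": trusted_peer_or_issuer([UNLINKED] + tail, issuer_registry),
    }

if __name__ == "__main__":
    for name, result in rotation_report().items():
        print(f"{name}: {result}")
```

In this model, a registry that holds only the old leaf stops matching once the leaf is rotated, while a registry that holds the issuer keeps matching and also matches every other certificate that issuer has signed.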

DS-45815

Updated PingDirectory products to use Kafka v2.8.1, which resolves CVE-2021-38153.