UnboundID Identity Broker Release Notes

UnboundID Logo
  Return to Documentation Index

Identity Broker

Following are notes for version of the UnboundID Identity Broker. Notes for the following versions of the Identity Broker are also available in this document:

Resolved Issues

The following issues have been resolved with this release of the Identity Broker:

  • Addressed an issue where SCIM filter processing may not handle date literals properly when converting to an LDAP filter. This may have produced incorrect search results with date-based filtering. Issue:DS-12344 SF#:00002612

Identity Broker

New Features

These features were added for version of the Identity Broker:

  • Update product help documentation, including a new FAQ-based help section for the Broker Console.

  • Improved the policy editor.

  • Added support for multiple resource owners in a XACML request.

  • Added experimental support for streaming search.

  • Enabled support for the SSLv2Hello TLS protocol by default in JVMs that support it. This does not enable support for the insecure SSLv2 protocol, but it can improve compatibility with clients running older versions of Java that may start TLS negotiation with an SSLv2 client hello packet before negotiating to a higher version of the TLS protocol. Support for SSLv2Hello in the initial phase of negotiation does not in any way compromise the strength of the integrity and/or confidentiality protection that is ultimately negotiated between the client and the server.

  • Added a Monitor History plugin that periodically records cn=monitor to timestamped files to aid in isolating intermittent problems. By default, it logs the full cn=monitor branch every five minutes to compressed files within logs/monitor-history/. Files are deleted automatically, but a sparse set of older files are kept to provide historical perspective on server performance. The collect-support-data tool has also been updated to collect a few of these files to aid in root cause analysis.

  • New REST Server Configuration API. (experimental) This new servlet extension matches the capabilities of the dsconfig command line tool, simplifying the automation of deployment and configuration tasks for all UnboundID server products. This feature is currently experimental and is subject to change in the future. Your feedback is welcome -- contact Professional Services or support@unboundid.com

  • Updated the HTTP/HTTPS connection handler to Jetty 8.1.16.v20140903.

Known Issues and Workarounds

These were known issues at the time of the release of version of the Identity Broker:

  • Java 7 is now required when setting up a new server or upgrading an existing server. Java 8 support is planned for a future release. (Java 6 is no longer supported.) Before running update against a target server using Java 6, make sure the JAVA_HOME environment variable is set to the path of a supported version of Java 7. Issues:DS-11744,DS-11793,DS-11846

  • Migration from previous releases of the Identity Broker is not supported.

  • Any clients using SSLv3 will no longer be able to connect. Please refer to the full release note in the resolved issues section below for more details. Issue:DS-11782

Resolved Issues

These issues were resolved with version of the Identity Broker:

  • Fixed an issue where deleting values of a multi-valued attribute using SCIM PATCH could silently fail. Modifications in SCIM PATCH are now mapped directly to LDAP modifications to take advantage of the matching rules configured in the Identity Data Store, when matching deleted values. Since the SCIM PATCH is now applied by the Data Store, the Permissive Modify Request Control (1.2.840.113556.1.4.1413) is now required by the SCIM component. This will ensure that adding an existing value or deleting a non-existent value in the PATCH request will not result in an error.

    To continue using SCIM component after an upgrade of the Identity Data Store or Identity Proxy, access controls and configuration may need to be updated to allow access to the Permissive Modify Request Control.

    Identity Data Store:

    dsconfig set-access-control-handler-prop --remove 'global-aci:(targetcontrol=" || 1.2.840.113556.1.4.473 || 1.2.840.113556.1.4.319 || 2.16.840.1.113730.3.4.9 ||")(version 3.0;acl "Authenticated access to controls used by the SCIM servlet extension"; allow (all) userdn="ldap:///all";)'

    dsconfig set-access-control-handler-prop --add 'global-aci:(targetcontrol=" || 1.2.840.113556.1.4.473 || 1.2.840.113556.1.4.319 || 2.16.840.1.113730.3.4.9 || || 1.2.840.113556.1.4.1413")(version 3.0;acl "Authenticated access to controls used by the SCIM servlet extension"; allow (all) userdn="ldap:///all";)'

    Identity Proxy:

    dsconfig set-access-control-handler-prop --remove 'global-aci:(targetcontrol=" || 1.2.840.113556.1.4.473 || 1.2.840.113556.1.4.319 || 2.16.840.1.113730.3.4.9 ||")(version 3.0;acl "Authenticated access to controls used by the SCIM servlet extension"; allow (all) userdn="ldap:///all";)'

    dsconfig set-access-control-handler-prop --add 'global-aci:(targetcontrol=" || 1.2.840.113556.1.4.473 || 1.2.840.113556.1.4.319 || 2.16.840.1.113730.3.4.9 || || 1.2.840.113556.1.4.1413")(version 3.0;acl "Authenticated access to controls used by the SCIM servlet extension"; allow (all) userdn="ldap:///all";)'

    dsconfig set-request-processor-prop --processor-name dc_example_dc_com-req-processor --add supported-control-oid:1.2.840.113556.1.4.1413

    Note that "dc_example_dc_com-req-processor" is the default processor name and it may be different depending on your configuration.

    Identity Broker: For each Identity Data Store used as an user store, the following configuration changes are required:

    dsconfig set-access-control-handler-prop --remove 'global-aci:(targetcontrol="||||||1.2.840.113556.1.4.1413||||2.16.840.1.113730.3.4.9||1.2.840.113556.1.4.473||1.2.840.113556.1.4.319")(version 3.0; acl "Broker User access to selected controls"; allow (read) userdn="ldap:///cn=Broker User,cn=Root DNs,cn=config";)'

    dsconfig set-access-control-handler-prop --add 'global-aci:(targetcontrol="||||||1.2.840.113556.1.4.1413||||2.16.840.1.113730.3.4.9||1.2.840.113556.1.4.473||1.2.840.113556.1.4.319||1.2.840.113556.1.4.1413”)(version 3.0; acl "Broker User access to selected controls"; allow (read) userdn="ldap:///cn=Broker User,cn=Root DNs,cn=config";)'

    Note that the user DN "cn=Broker User,cn=Root DNs,cn=config" is default user name created when the external store is prepared. It may be different depending on your configuration. Issue:DS-11138

  • Disabled support for SSLv3 by default in the LDAP, HTTP, and JMX connection handlers, and for replication communication. The recently-discovered POODLE vulnerability could potentially allow a network attacker to determine the plaintext behind an SSLv3-encrypted session, which would effectively negate the primary benefit of the encryption.

    SSLv3 was initially defined in 1996, but was supplanted by the release of the TLSv1 definition in 1999 (and subsequently by TLSv1.1 in 2006 and TLSv1.2 in 2008). These newer TLS protocols are not susceptible to the POODLE vulnerability, and the server has supported them (and preferred them over SSLv3) for many years. The act of disabling SSLv3 by default should not have any adverse effect on clients that support any of the newer TLS protocols. However, if there are any legacy client applications that attempt to communicate securely but do not support the newer TLS protocols, they should be updated to support the newer protocols. In the event that there are known clients that do not support any security protocol newer than SSLv3 and that cannot be immediately updated to support a newer protocol, SSLv3 support can be re-enabled using the newly-introduced allowed-insecure-tls-protocol global configuration property. However, since communication using SSLv3 can no longer be considered secure, it is strongly recommended that every effort be made to update all known clients still using SSLv3.

    It is possible to use the server access log to identify LDAP clients that use SSLv3 to communicate with the server. Whenever an LDAP client establishes a secure connection to the server, or whenever a client uses the StartTLS extended operation to secure an existing plaintext connection, the server will generate a SECURITY-NEGOTIATION access log message. The "protocol" element of a SECURITY-NEGOTIATION access log message specifies the name of the security protocol that has been negotiated between the client and the server, and any SECURITY-NEGOTIATION messages with a protocol of "SSLv3" suggest that the associated client is vulnerable to the POODLE attack. In addition, if any connections are terminated for attempting to use the disallowed SSLv3 protocol, the access log message for that disconnect should include a message stating the reason for the termination. Issue:DS-11782

  • Fixed the gauge configuration manager to only re-initialize the gauge that was changed, and not any of the other gauges that did not change. Issue:DS-11472

  • Fixed the alarm manager to generate alarm-cleared alerts when internal alarms are cleared and the alarm manager's generated-alert-types property has the "alarm" value. Issue:DS-11541 SF#:2421

  • Removed the -hostname argument when running create-initial-broker-config from within setup, which was causing a deprecation warning during broker setup even when it was run with no arguments. Issue:DS-11513

  • Fixed the alarm manager to not include the details of the old alarm, (the alarm being cleared), in the "alarm-cleared" alert message. Issue:DS-11546

  • Fixed the dsconfig tool to suppress all stray output when run in batch mode with the --quiet option. Issue:DS-10460

  • Updated the status tool to use the host name specified at setup in URLs listed in the Active HTTP Extensions table. Issue:DS-11574

  • Updated the uninstall tool so that it unregisters the local server from any configured peer servers. Issue:DS-11564

  • Fixed an issue in which tools such as dsconfig, status, and dsreplication could not connect to the server over SSL or StartTLS. This occurred when a certificate was accepted with the 'Manually validate' option, while using the interactive LDAP connection menu. Issue:DS-11688

  • Updated the Velocity HTTP Servlet Extension and Velocity Context Providers to enable adding header fields to responses for pages and static content, such as images and scripts. Some default headings have been added to direct user agents on caching and frame display policies. Issue:DS-11649

  • Updated the alarm manager to not generate "alarm-normal" alert when a gauge's condition abates Issue:DS-11637

  • Reduced the severity of the "unrecognized alert type" message in the error log from SEVERE_WARNING to NOTICE. The message now states that this is expected if the server is reverted to a version prior to the implementation of these alert types. Issue:DS-11453

  • Removed the "alarm-normal" alert. Issue:DS-11730

  • Improved the Velocity Context Provider interface for HTTP method-specific requests. Context providers must now handle specific HTTP methods by overriding provider class methods. Provider implementations that handle HTTP methods, other than GET, must now be configured to handle them by updating the http-method configuration properties as well as overriding the appropriate handleXXX methods. Issue:DS-11650

  • Updated the alarm manager to not persist normal alarms. Issue:DS-11719

  • Updated the ExampleOverloadHandlerPlugin to monitor the alarm backend for delete actions, so that it can react appropriately to abating gauge conditions. Issue:DS-11719

  • Add an HTTP Configuration element with property include-stack-traces-in-error-pages that can be disabled in order to suppress stack traces included in web application and servlet error pages. Stack traces are helpful when diagnosing application errors, but in production they may reveal sensitive information. Issue:DS-11651

  • Updated the Web Console so that upon login, the user's old session is always invalidated. Issue:DS-11624

  • Updated the Web Console to suppress LDAP responses in user messages, such as when the server is unavailable or for authentication failures. Also added a context parameter to exclude stack traces and detailed error messages from appearing in the application's internal error page. Issues:DS-11629,DS-11645

  • Updated the HTTP Detailed Access logger to use timestamps with millisecond precision. Issue:DS-11755

  • Fixed incorrect property references for trustStorePassword and keyStorePasswordFile in tools.properties that corresponded to the wrong argument names. Issue:DS-11751

  • Return 409 from the linking service if the external identity is already linked to one or more other users. However all existing links will be removed before linking to the newly authenticated user during the link on login flow. Issue:DS-11802

  • Updated the setup tools to enable definition of external server instances that are configured to reject unauthenticated requests. Previously the tools would erroneously indicate these servers were unavailable. Issues:DS-11068,DS-11784,DS-11887

  • Disabled log rotation during startup to prevent potential problems with rotation dependencies on server components that have not yet been initialized. Issue:DS-10441

  • Added a gauge to the server to track JVM memory usage and alert if the amount of free memory gets low enough that it could impact server performance. Issue:DS-11993

  • Updated the server to make it easier to control the order of values in the ssl-protocol and ssl-cipher-suite properties in the LDAP connection handler and crypto manager configuration objects. Issue:DS-12147

  • The Identity Broker now uses TLS server validation to authenticate OpenID Connect Providers instead of validating ID token signatures. This enables the Identity Broker to support OpenID Connect providers, regardless of the algorithm used to sign ID tokens. Identity Broker deployers should not use the Blind Trust trust manager provider when configuring the Open ID Connect identity provider adapter. Issue:DS-11398

  • Fixed an issue in which a data view would become inoperable after updating an associated store adapter configuration. Configuration changes to a store adapter require a server restart before taking effect. Issue:DS-11460

  • Updated the HTTP Connection Handler to return a 404 Not Found response to requests for endpoints not handled by any servlet or web application extensions. Previously the hander would return a 200 OK with no response body. Issues:DS-12120,DS-8368

  • Fixed an issue where external Identity Provider login will fail when using an OpenID Connect Provider that omits the expires_in parameter in the token response. Issue:DS-12168

  • XACML policies, policy sets, and policy templates are now validated against the XACML schema definition during import. Issues:DS-12042,DS-12046

  • The data view lookthroughLimit property now has a maximum value of 100000. Administrators should carefully consider the Identity Broker’s JVM configuration and the characteristics of its expected data set when configuring the lookthrough limit. Issue:DS-11803

  • Updated the governance tag and trust level behavior of resources. If a resource has no tags or trust levels, they will now be inherited from the parent resource. Issue:DS-11582

  • The NewUserCreation policy has been replaced by the UserCreateAndUpdate policy, which governs user creation and updates via the Identity Broker’s SCIM endpoint. Issue:DS-11481

Identity Broker

New Features

These features were added for version of the Identity Broker:

  • New Profile Manager and Sign-In reference applications, which supersede the previously existing Privacy Preferences application.

  • OpenJDK 7 is now supported on Linux.

Known Issues and Workarounds

These were known issues at the time of the release of version of the Identity Broker:

  • Migration from previous releases of the Identity Broker is not supported.

  • JDK 6 is currently deprecated and will not be supported in the next major release.

  • UnboundID products are not supported on JDK 8.

Resolved Issues

These issues were resolved with version of the Identity Broker:

  • Updated the server preparation tools to use secure communication when setting up a Data Store for access over TLS. Previously the tools may fail when the server is configured to reject insecure requests. Issues:DS-11058,DS-6200

  • Added a result code tracker that maintains a monitor entry with counts and response times of results. Each result is categorized by operation type, post-response result code, and whether it is a failure or non-failure. Issue:DS-3270

  • Fixed an issue with HTTP Connection Handlers that allowed them to be configured with ports that were already in use. Now the server will not start if an HTTP Connection Handler is configured to use a port that is in use. Issue:DS-11202

  • The create-initial-broker-config and prepare-external-store tools now allow for non-OU base DNs for User Store and Broker Store configuration. Issue:DS-11286

  • Fixed a problem that prevented the server from starting if a TLS-enabled connection handler was configured with a certificate nickname that referenced a non-RSA certificate. Issue:DS-10949

  • Updated the dsjavaproperties tool so that the INCREASE_PERM_SPACE JVM tuning parameter is is always included. This will prevent accidental misconfiguration that may harm performance. Issue:DS-11388

Identity Broker

New Features

These features were added for version of the Identity Broker:

  • Identity Broker as Relying Party

    • Customers can support social login to their applications, from Facebook, Google and OIDC-compliant external Identity Providers.
    • Customers can deploy solutions that include both consent and social login.
    • Attributes can be captured from a consumer's social profile and stored in the user store.

Known Issues and Workarounds

These were known issues at the time of the release of version of the Identity Broker:

  • Using the manage_links scope, an application cannot delete all link values from the 'urn:unboundid:schemas:broker:1.0.links' attribute by using the meta.attributes sub-attribute during a PATCH operation. Instead, each link value must be removed individually by adding an "operation" sub-attribute with the value "delete". For example:

    "schemas": ["urn:unboundid:schemas:broker:1.0"],
    "urn:unboundid:schemas:broker:1.0": {
    "links": [
    "providerId": "DF81",
    "providerName": "oidc-vm-small-83",
    "providerUserId": "9f8a23-b72ecd4b-34ac-3340-99fa-d0efacaf5d65",
    "operation": "delete"

  • UnboundID products, Java SE, and the JVM do not use OpenSSL libraries and are therefore not vulnerable to OpenSSL issues. Oracle has provided a statement on the April 2014 OpenSSL Heartbleed vulnerability at http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html. Issue:DS-10807

  • The Relying Party feature cannot be used if the HTTP Session Manager Configuration session-tracking-mode property is set to "url." This is an advanced setting in dsconfig. Use of HTTP Session Managers is experimental and not supported. Issue:DS-10833

  • A SCIM request from a client application cannot contain null JSON elements in request bodies to represent attributes that have no values. Instead, the request should not include the attributes. Issue:DS-9048

  • If an application that was used in a consent operation is deleted, the Identity Broker's /privacy/v1/histories/{ownerCompositeKey}/accessHistory resource will show that application as null in its responses. This causes the following error with the Privacy Preferences application when requesting access history:
    An error occurred: "Unexpected AJAX error message format." Issue:DS-10203

  • Migration from previous releases of the Identity Broker is not supported.

Resolved Issues

These issues were resolved with version of the Identity Broker:

  • Updated the validate-file-signature tool to ensure that it will always display a final summary message to indicate whether any warnings or errors were encountered during processing. Issue:DS-10333

  • Updated the signed logging implementation to better handle any problems that may arise during cryptographic processing. If any such problem is encountered, the server will now include a message with information about the error in the signature block rather than suspending the logger with an exception recorded in the server.out log file. Issue:DS-10310

  • Fixed an issue in the Periodic Stats Logger, where no logging would occur when suppress-if-idle=true was configured, even when the server was not idle. Issue:DS-10387 SF#:2170

  • Metadata can now be retrieved from a modifies-as-creates store adapter if no entry exists. Issue:DS-10483

  • Added a new sanitize-log tool that can be used to remove sensitive information from server log files, including the file-based access log, the operation timing access log, the file-based error log, the file-based sync log, the file-based resync log, and the detailed HTTP operation log.

    The sanitization process operates on fields that consist of name-value pairs. The field name and equal sign will always be retained, but in cases where the value may contain sensitive data, that value may either be replaced with the string "---REDACTED---", or it may be tokenized. If the tokenized value is a DN or filter, then attribute names in that DN or filter will be preserved while the values will be replaced with a string consisting of a number inside curly braces. If the tokenized value is not a DN or filter, then the entire value will be replaced with a number inside curly braces. If a string to be tokenized appears multiple times in the log, the same replacement token will be used for each occurrence of that string to make it possible to correlate occurrences of that string without revealing the actual content.

    The sanitize-log tool has a default configuration that should be sufficient for many environments, allowing it to tokenize or redact sensitive information while preserving non-sensitive content for use in diagnosing problems or understanding usage patterns. However, this behavior can be customized using command-line arguments by indicating whether to preserve, tokenize, or redact a given log field. Issue:DS-10472

  • Custom Velocity templates should be updated to use Bootstrap 3.1.1 if they are using any of the shared original (shipped with the product) templates or scripts (such as _header.vm or dashboard.js). Issue:DS-10372

  • Fixed issues with the JDBC Access Logger that were related to Oracle Thin Client, where column values were "null" and disabling the logger resulted in losing a connection to the server when using the dsconfig command. Issue:DS-10485

  • Fixed an issue where calls to the /userinfo and /Self endpoints could fail when the user store contains consent for a deleted application. Issue:DS-10474

  • Fixed an issue so that collect-support-data now generates filename entries correctly. Previously, the tool would hang if the archiving of files following a symbolic link required generating a non-duplicating filename entry. Issue:DS-10582

  • Enabled the Host System Monitor Provider by default so that system CPU and memory utilization will be reported automatically through the server's monitoring framework. Disk and network monitoring can be enabled by configuring values for the disk-devices and network-devices configuration properties. Issue:DS-10562

  • Fixed an issue where replacing an expired consent with a new consent would retain the old timestamp. Issue:DS-10627

  • Fixed an issue where the Identity Broker could return an invalid SCIM ID when a SCIM resource was requested by its ID. This problem occurred when there were multiple store adapters with an ID attribute mapping, and the authoritative mapping was not associated with the first store adapter listed for the data view. Issue:DS-10516

  • The default timeout period for smtp-timeout was changed from none to two minutes to prevent non-responsive mail servers from disrupting administrative functions. Issue:DS-10230

  • To prevent corruption of the Broker Store, the Identity Broker now requires that the Broker Store be prepared by a current or later version of the Identity Broker installation. A Broker Store that is a version older than the current Identity Broker installation is not supported. Issues:DS-10093,DS-10563,DS-10613

  • Added ability to retrieve either owner or actor's attributes using the DataViewPolicyInformationProvider by using the attribute category.

    The following are valid attribute categories to use with the PIP:

    urn:unboundid:names:1.0:attribute-category:resource-owner - Retrieve attribute from the owner resource. urn:unboundid:names:1.0:attribute-category:actor - Retrieve attribute from the actor resource. urn:oasis:names:tc:xacml:3.0:attribute-category:resource - Retrieve attribute from the owner if available and the actor if not. (previous behavior) Issue:DS-10779

  • The setup command no longer saves user-provided key store and trust store passwords in PIN files. Passwords provided during setup are encrypted with the configuration data. If the administrator chooses to use PIN files to supply the passwords, the files are referenced in the server configuration by the key manager and trust manager. Issue:DS-10787

  • Updated the Periodic Stats Logger to include an empty value in the output rather than "infinity" in certain circumstances. This avoids problems plotting the output in a spreadsheet. Issue:DS-8842

  • Updated dsconfig to treat tabs as whitespace in batch files. Issue:DS-10549

  • Added Metrics Collection Size Limit Retention Policy to the metrics backend to allow up to two GB of metric data to be buffered locally, which allows the Metrics Engine to be offline for a longer time without missing collected data. Issue:DS-10156

  • Removed deprecated "lshal" command from Linux-specific processes performed by the collect-support-data tool and added similar command, "udevadm info --export-db" Issue:DS-10713

  • Updated the Replication Servers table produced by the dsreplication tool to omit unnecessary "Security" column. Issue:DS-10442

Identity Broker

New Features

These features were added for version of the Identity Broker:

  • A new sample sign in application is now included with the Identity Broker. This application provides a template for how create an authentication UI with the Identity Broker's OpenID connect service.

  • The collect-support-data tool now refers to tools.properties for default command-line options.

  • The collect-support-data tool now supports an option to encrypt the data archive, to ensure protection of customer data while in transit, and an option to reduce the amount of potentially sensitive data that is collected.

  • Cross-origin Resource sharing (CORS) support is now included for HTTP Servlet Extensions, including the SCIM RESTful APIs.

  • Add support for SCIM resource versioning.

    • As required by the SCIM 1.1 REST API specification, bulk requests using the PUT, PATCH, or DELETE methods must include an operations.version value; existing client code may therefore need to be updated prior to enabling this feature.
    • Non-bulk modification requests (PUT and PATCH) must also specify the expected resource version via an If-Match header, according to the SCIM specification. However, the server does not enforce this.

Known Issues and Workarounds

These were known issues at the time of the release of version of the Identity Broker:

  • The SCIM REST client, included with the SCIM SDK, may hang while waiting for responses from the UnboundID SCIM implementation when using Java 6. This is due to a JDK issue, which was fixed in Java 7. If this condition is encountered, the latest version of Java 7 can be used with the client application to work around the issue. Issue:DS-10104

  • A SCIM request from a client application cannot contain null JSON elements in request bodies to represent attributes that have no values. Instead, the request should not include the attributes. Issue:DS-10105

  • If an application that was used in a consent operation is deleted, the Identity Broker's /privacy/v1/histories/{ownerCompositeKey}/accessHistory resource will show that application as null in its responses. This causes the following error with the Privacy Preferences application when requesting access history:
    An error occurred: "Unexpected AJAX error message format." Issue:DS-10203

  • When the Velocity servlet receives CORS-enabled requests and has a cross-origin policy in effect, it will return multiple Access-Control-* headers with duplicate values. This will cause cross-origin requests issued by web browsers to fail. Issue:DS-10205

Resolved Issues

These issues were resolved with version of the Identity Broker:

  • The setup tool's --aggressiveJVMTuning and --verboseGC command-line options have been deprecated. Instead, use --jvmTuningParameter AGGRESSIVE and --jvmTuningParameter VERBOSE_GC respectively. Issue:DS-9079

  • Update the server configuration to use a new default limit for duplicate alert suppression. The previous default imposed a maximum of 100 alerts of the same type per hour. The new default imposes a maximum of 10 alerts of the same type every ten minutes. This is more likely to suppress bursts in which the same alert is repeatedly generated over a short time without interfering with multiple occurrences of alerts of the same type over a longer period of time. Issue:DS-9259

  • Add a new load-balancing algorithm monitor entry that reports on the health of the load-balancing algorithm, including the aggregate state of the load-balancing algorithm, the number of AVAILABLE, DEGRADED, and UNAVAILABLE servers associated with the load-balancing algorithm, and the individual health check states of each server associated with the load-balancing algorithm. The status command has also been updated to report this information. Issue:DS-9026

  • Update the Velocity framework to better support customization out of the box. In order to customize Velocity templates or static content (CSS, Javascript files etc.) you should copy the original file from the config/velocity directory to the root velocity directory and modify the copied file. Files in the root velocity directory will override those in config/velocity. Issue:DS-9273

  • Update the server to improve the caching behavior for PIN files as used by key and trust manager providers. In the case that the keystore or truststore file has been updated to require a new PIN and the existing PIN file is updated without a configuration change to the associated key or trust manager provider, the server would previously keep trying to use the old PIN. It will now look for and use an updated PIN if a failure is encountered while using the old PIN. Issue:DS-10113 SF#:2123

  • Update the collect-support-data tool so that it can encrypt the data that is captured to protect it from unauthorized third parties. The encryption key is generated from a passphrase which may be read from a file, interactively provided by the user, or dynamically generated by the tool. This passphrase must be provided to support personnel (ideally over a different communication channel than the encrypted support data archive itself) for them to be able to access the information it contains.

    There is also a new option to decrypt an encrypted collect-support-data archive when provided with the encryption passphrase. Issue:DS-10129

  • Update the collect-support-data tool so that it is possible to configure default values for most arguments in the tools.properties file. Issue:DS-10178

  • Update the collect-support-data tool to further reduce the possibility of gathering sensitive information. Potentially sensitive data will be replaced with ---REDACTED--- in the output. A new "--securityLevel maximum" option can also be specified that redacts DNs and search filters, which might include personally identifiable information. Issue:DS-10115

Identity Broker

New Features

These features were added for version of the Identity Broker:

  • The 4.5 Identity Broker, functioning as a Resource Server, can be configured to retrieve data from the UnboundID Identity Data Store and/or multiple back-end data stores in response to SCIM API requests. This means that the Broker's policy and consent enforcement can be applied to client requests, so that the returned data contains only those entries and attributes that pass the authorization rules.

  • When configured for multiple data stores, the Identity Broker can combine attributes into a single response, making the separate data stores look like a single one from the point of view of the client application. For each attribute, a specific data store can be marked as "authoritative" for read operations. Attribute-level control over write operations is provided also.

  • The Broker now supports the OpenID Connect protocol for incoming AuthN requests. These are checked against the credentials stored in the UnboundID Identity Data Store.

  • A new config-diff command line utility can compare two server configurations and produce the difference as a dsconfig batch file. The file can then be used to bring the source configuration in line with the target. Comparisons can be done between live servers or configuration files, and between current or legacy configurations. Run 'config-diff --help' to get more information including example use cases.

Known Issues and Workarounds

These were known issues at the time of the release of version of the Identity Broker:

  • Migration from 4.1 Identity Broker to 4.5 Identity Broker is NOT supported.

  • Java 1.7 has a synchronization bottleneck in HashMap that severely impacts performance. Use update 1.7u40, if possible, to avoid this issue. Issue:DS-9477

Resolved Issues

These issues were resolved with version of the Identity Broker:

  • Update SCIM and the Identity Access API to return a 400 status code when the id attribute is included in a PATCH request, as the id attribute is read-only. Issue:DS-9195

  • Update the OAuth authorization endpoint to require that the presented redirect URI exactly match one of the registered values for the client application. The previous behavior was to require that the presented redirect URI start with one of the registered values, and this behavior can still be obtained by issuing the following command followed by a server restart.

    dsconfig set-oauth-service-prop --set "redirect-resolver:Prefix Match Redirect Resolver" Issue:DS-8412

  • Add a --batch-file option to the broker-admin and consent-admin tools to allow multiple commands to be run with a single invocation of the tool. Issue:DS-8422

  • Fix a bug in the JDBC Access Logger that could cause incompatibility with some database versions and display a "Cannot commit when autoCommit is enabled" error message. Issue:DS-8750

  • Update the server startup process so that if no messages have been logged for at least five minutes, the server will generate and log a message about the current phase of startup processing. This can help reassure administrators that the server is still starting and provide information about what phase of startup may be taking so long. Issue:DS-7450

  • Update java.properties generation so that comments related to alternative JVM tunings are no longer present in the file. In most cases, rather than updating java.properties by hand you should use the dsjavaproperties tool to generate JVM options. Issue:DS-8339

  • Add an allow-insecure-local-jmx-access option to the global config that will expose JMX data via insecure local JVM connection Issue:DS-4300

  • Add a new alert handler that can use the Twilio service to deliver administrative alerts via SMS. Long alerts may be either truncated or split into multiple SMS messages. Issue:DS-5587

  • Update the configuration schema to make the ds-cfg-inherit-default-root-privileges attribute mandatory for object class ds-cfg-root-dn-user which is used to define Root User DNs. When this attribute is not present on Root DN User entries, the effect is for the root user to inherit default privileges. It has been made mandatory to make this behavior more explicit. During an update of the server, root DN user entries that do not explicitly declare a value for this attribute will be updated with a value of 'true'. Issue:DS-8450

  • Fix an issue that required create-initial-broker-config to be run independently of setup when using an external trust store. Issue:DS-8623

  • Add a WebLogic specific descriptor file for the web console to help with deployment compatibility. Issue:DS-8925 SF#:1915

  • The trust store password options have been deprecated for most tools that do not require read-write access to a trust store. Issue:DS-8789

  • Make a number of criteria-related improvements:

    - Add Server SDK support for creating custom connection, request, result, search entry, and search reference criteria implementations.

    - Update the simple request criteria type to make it possible to consider the search scope in determining whether a search operation matches the criteria.

    - Update the simple result criteria type to make it possible to consider the indexed/unindexed status in determining whether a search operation matches the criteria.

    - Add a new type of request criteria that may be used to more easily identify operations that target the server root DSE.

    - Add a new type of result criteria that may be used to classify operations based on replication assurance requirements and/or whether those requirements were satisfied.

    - Add a new allowed-insecure-request-criteria global configuration property that may be used to identify requests that the server should allow even if they are received over an insecure connection and the server is configured to reject insecure requests.

    - Add a new allowed-unauthenticated-request-criteria global configuration property that may be used to identify requests that the server should allow even if they are received over an unauthenticated connection and the server is configured to reject unauthenticated requests. Issues:DS-5079,DS-8168,DS-8770

  • Update the Broker's default approval page to add a section for optional scopes (scopes that have the 'required' property set to 'false'). Optional scopes appear in the approval form in a separate section from required scopes, accompanied by inline help that mentions that they can be unchecked to withhold approval. Issue:DS-8307

  • Configuration of many of the common beans used in spring-security-config.xml are now done via the configuration framework. The spring-security-config.xml file should only be modified for advanced use cases. Issue:DS-9027

  • Update error messages returned by the Identity Broker to distinguish between different types of authentication failures: - An authentication failure due to an incorrect client ID or client secret results in the following error message: Authentication client session failure: Bad credentials - An authentication failure due to an incorrect resource owner ID or password results in the following error message: Access token denied: Bad credentials Note that authentication failure error messages do not allow the client to distinguish between a failure due to an incorrect ID/username and a failure due to an incorrect secret/password. Issues:DS-8405,DS-8622

  • Add a new sign-log configuration property to file-based loggers that may be used to cause the server to digitally sign messages written by that logger. A new validate-file-signature tool may be used to verify signature information in signed log files, as well as LDIF files generated by signed LDIF exports. Issue:DS-8662

  • Conform to the OpenID Connect standard method for obtaining refresh tokens by using the "offline_access" scope. The access_type authorization parameter is no longer supported. Issue:DS-8792

  • The broker-admin tool now accepts and displays durations in the form "32w 12h" for application validity settings. The properties accessTokenValiditySeconds, refreshTokenValiditySeconds and consentValiditySeconds have been renamed accordingly to accessTokenValidityDuration, refreshTokenValidityDuration and consentValidityDuration. Issue:DS-9090

  • Remove the --offlineAccess option from the oauth2-request tool. To request a refresh token, include offline_access as one of the requested scopes. Issue:DS-9098

  • Add support for two new extended operations. A list configurations extended operation may be used to obtain information about the configurations that are available within to the server, including the currently-active configuration, the baseline configuration (i.e., the base configuration for an out-of-the-box installation of the current version), and all archived configurations that reflect configuration changes over time. A get configuration extended operation may be used to retrieve a specific configuration from the server. Issue:DS-9149

  • Update setup to fix a bug in which file path options specified as relative to the current directory may cause the server to be configured incorrectly or cause setup failure. Issue:DS-8389

  • Update the HTTP Connection handler to support configuration for tracking sessions either through HTTP cookies or by URL rewriting. Issues:DS-8639,DS-9128

  • Expose the Plugin type in the Server SDK, which is primarily useful for this server to have custom code run at server startup or shutdown using the 'startup' and 'shutdown' plugin types. Issue:DS-9165

  • Update the server to provide a degree of sandboxing around Server SDK extensions so that an unexpected exception thrown by an extension will be caught and result in an administrative alert rather than being caught further up in the stack and potentially causing other problems. Issue:DS-9247

  • In the rare cases where it is necessary to forcefully terminate the JVM from within the server itself, ensure that any files marked for deletion when the JVM shuts down are manually deleted before the JVM is terminated. This can help avoid problems like server shutdown not being detected properly because the server PID file hasn't been removed. Issue:DS-9267

  • Provide improved schema validation to detect additional cases in which certain misspelled tokens in the definition for a schema token could be silently interpreted as an extra property for that schema element. The server will now log a warning message about these unexpected tokens so that administrators can either correct them or prefix them with "X-" to indicate that they are an extra property provided for informational purposes. Issue:DS-9236

  • Reduce the time it takes the server to shut down in certain situations. Background threads sometimes missed a signal to wake up and had to wait for their next polling interval to see that a shut down had been requested. Issue:DS-9334

  • Update the default behavior of all file-based loggers to have include-thread-id=true. This will include a compact thread ID in all log messages. This can make it easier to correlate log messages generated by the same thread within a single log file or across different types of log files. Issue:DS-9352

  • Remove -XX:+UseMembar from the default set of generated JVM properties except on early JVM versions where this setting was required to work around a threading bug in the JVM.

  • Update the server JVM arguments generated by setup and dsjavaproperties to explicitly define -XX:MaxNewSize and -XX:NewSize for JVM's 1GB in size and larger. Also, add a comment to the generated java.properties file directing the administrator to use dsjavaproperties for making memory-related changes to this file rather than editing it directly. Issue:DS-9227

  • Add password file arguments to the scripts used to prepare external servers. Issue:DS-9406

  • Provide an example consumer-centric starter schema. This includes an LDAP schema, a make-ldif template for generating sample data, and a broker-admin batch file for mapping between the LDAP schema and a Data View. See resource/example-starter-schema/README.txt for more information. Issues:DS-8659,DS-9017

  • Update the setup and dsjavaproperties tools to permit maximum heap size values for memory that is not currently available on the host, though the value must still be less than the total amount of memory present on the host. Issue:DS-9111

  • Update the setup and dsjavapropeties tools to permit JVM heap size values to be as large as the amount of memory present on the system would permit. Issue:DS-9494

  • Update the Server SDK to provide the ability to run command line utilities within the server process. A ToolExecutor can be retrieved from the ServerContext. Currently, only the config-diff command is supported, but additional commands might be supported in the future. Issue:DS-9537 SF#:00001858

  • Enhance dsconfig to write to the config audit log when in offline mode. Issue:DS-1495

  • On Linux, issue a warning on startup and after a JVM pause if the kernel setting vm.swappiness is not zero as this can cause the server to become unresponsive for several seconds when memory is paged back from disk during a garbage collection. Issue:DS-9070

  • Automatically record server monitor data at shutdown, as it may be useful for debugging purposes in cases where a problem was experienced within the server that was resolved by a restart. Issue:DS-9777

  • Improve the performance of certain monitor entry searches that target specific monitor entries by object class. In particular, this includes searches with AND or OR filters, as well as filters that target object classes not defined in the server schema. Issue:DS-9772

Identity Broker

New Features

These features were added for version of the Identity Broker:

  • The UnboundID Identity Broker is the first of a new class of components for consumer and subscriber identity management architectures.

    As a stand-alone server, it provides authorization decisions for client applications, provisioning systems, API gateways, and analytical tools in any architecture involving personal, account, or sensitive identity data.

    Working together with the UnboundID Identity Data Store and Identity Proxy, the Identity Broker is designed to make high-volume and high-speed authorization decisions based on ever-changing consumer profile and consent data. Functionally, the Identity Broker is both the Policy Decision Point and the OAuth2 provider for externalized authorization. Performance-wise, the Identity Broker can support the request volumes driven by the complex, real-time interactions necessary to support today's consumer-facing mobile, social, and cloud ecosystems.

Known Issues and Workarounds

These were known issues at the time of the release of version of the Identity Broker:

Resolved Issues

These issues were resolved with version of the Identity Broker:

  • Fix a bug where under certain error conditions the start server scripts could prompt user to overwrite existing file. Issue:DS-7268

  • Update the JMX connection handler to infer an appropriate Java type (e.g. Boolean, Long, Float, Date, or String) for JMX attributes from the underlying LDAP attribute type and value. The legacy behavior to return all JMX attributes as String values can be set if desired through the advanced global configuration property 'jmx-value-behavior'. Issue:DS-7635

  • Add the --noPropertiesFile option to the status command so that it does not fail when the option is provided to collect-support-data. Issue:DS-8390

  • Update setup to add a masters/peers trust-all argument so that the deployer must explicitly indicate that they trust the master/peer as well as any other masters/peers that are accessed during setup. In addition, if this argument is not specified a prompting trust store manager will be used instead of the previous behavior of using a trust-all manager all the time. If setup is in non-interactive mode and neither the trust-all argument nor the JKS trust store has been specified, and setup is accessing the master/peer over SSL or StartTLS setup will fail. Issue:DS-8381