Ping Identity Data Metrics Server Release Notes

Ping Identity Logo
  Return to Documentation Index

Notes for the following versions of the Ping Identity Data Metrics Server are available in this document:

Critical Fixes

Updating to the latest version of the Data Metrics Server addresses the following critical issues from previous versions. Affected servers should be updated.

Data Metrics Server 6.0.0.2

Following are notes for version 6.0.0.2 of the Data Metrics Server.

Resolved Issues

The following issues have been resolved with this release of the Data Metrics Server:

No information is available

Data Metrics Server 6.0.0.1

Resolved Issues

These issues were resolved with version 6.0.0.1 of the Data Metrics Server:

  • Added a disabled-alert-type configuration property to the Alert Backend that can be used to suppress specific alert types from being added to the backend. Issue:DS-16906 SF#:3556

Data Metrics Server 6.0.0.0

Important Upgrade Considerations

Important upgrade considerations for version 6.0.0.0 of the Data Metrics Server:

  • Note: The product names have been updated to reflect the UnboundID acquisition by Ping Identity. This is a naming and branding change only; the code base is the same as in prior releases and will continue to be maintained into the future.

  • If upgrading the server that was running an older version of the JDK, run the dsjavaproperties --initialize command after the software upgrade to compare the settings of the older JDK with requirements for the new server software. Apply any necessary changes to the upgraded server based on previous performance settings.

  • Due to licensing considerations, the Metrics API no longer supports output of the bitmap charts formats .jpg and .png; data is still available as CSV, XML, and JSON. This does not affect the Data Metrics Server dashboards and does not affect the Query Builder.

  • The 6.0 release makes these changes to supported platforms:

    • CentOS 7.2 and RedHat 7.2 are now supported operating system versions.
    • SUSE 11 SP4 is now supported; SUSE 11 SP2 support has been retired.
    • Linux KVM and VMWare ESXi 6.x have been added as supported virtual machine environments.
    • Deprecation of JDKs 7.x. Customers are strongly advised to use JDK 8 with this release. A later release of the platform will remove support for JDK versions 7.x. At that time customers will be required to upgrade to JDK 8.x when upgrading servers. This will apply to all of our JDK flavors (OpenJDK, OracleJDK, IBM JDK) on all platforms.
    • WildFly 9.x (renamed from JBoss) is now a supported application server for all web applications, including the Administrative Console and sample applications. Support for JBoss 7.x has been retired. Tomcat support remains unchanged in this release.

  • PBKDF2 is now the default encoding for root passwords. This only affects new installations.

  • In addition to changing the default password storage scheme for root users to PBKDF2, the default password storage scheme for regular users has been changed to salted 256-bit SHA-2.

  • HTTPS defaults to ON: servers now default to use HTTPS for console and API connections including the SCIM API. This may affect automation scripts and development environments where HTTPS has not been in use before.

  • Generated user passwords, for example those created by the server during a password reset sequence, are now created as pass-phrases instead of random character strings. This makes them them easier to type and remember. This change will not affect upgrades.

  • The /config directory file permissions have been changed so that they are only accessible by the server user.

  • Customers who choose to use the optional encryption algorithms provided by the third-party BouncyCastle library are encouraged to upgrade to BouncyCastle 1.54.

New Features

These features were added for version 6.0.0.0 of the Data Metrics Server:

  • For Java developers whose tools and workflows make use of Maven, the Server SDK jar has been deployed to Maven Central so that a developer can now add the Server SDK as a project dependency by adding a few lines to a project's pom.xml. Also, developers can now generate a Server SDK project that Maven-aware IDEs such as IntelliJ IDEA can package into an extension bundle with no special configuration needed. This benefit extends similarly to continuous integration systems such as Jenkins.

  • The dsconfig tool provides the ability to search for and quickly navigate to configuration objects and properties in which the name, synopsis, or description matches a provided pattern.

  • A new rotate-log tool and task have been added, which can be used to trigger rotation of one or more log files.

  • The Configuration API is now fully supported for all servers. In this release, the API was changed to match SCIM conventions for attribute naming, resource modeling, and the standard HTTP verbs. The UnboundID SCIM 2 SDK (available through GitHub) can now be used with the Configuration API.

  • All servers have an updated web Administrative Console, which includes:

    • New layouts for operational statistics, processing time, queues, all monitors, and the list of installed extensions.
    • Alert and alarm displays, summarizing the data in cn=alerts and cn=alarms and based on the configured gauges. Plus, filtering and searching for these.
    • A new LDAP Schema Editor for importing schema files, validity checking, creation and editing of object classes and attribute types. The editor also supports viewing of the attribute syntaxes, inheritance, and indexes that exist for each attribute and the dependencies between object classes and attributes.

  • The new Administrative Console can also be deployed to independent application servers instead of being co-hosted by the servers. This simplifies deployment models and increases separation between data and application layers.

  • To assist with situations where a very large number of changes may cause disk, memory, and server start time to increase unexpectedly, alerting and gauge features have been added to the Recent Changes Database.

  • Servers can now trigger events whenever log file rotation occurs. This includes "copy on rotate" and "summarize on rotate" listeners, as well as Server SDK support for creating custom log file rotation listeners.

  • It is now possible to create, change, and remove root user accounts across the topology using the dsconfig tool and Administrative Console.

Known Issues and Workarounds

These were known issues at the time of the release of version 6.0.0.0 of the Data Metrics Server:

  • When deploying the Administrative Console in Tomcat 8, and accessing the Administrative Console application using Tomcat's Web Application Manager, some browsers (including Safari and Firefox) will generate a path URL that encodes the dash in ubid-console. This results in a path such as http://localhost:8888/ubid%2Dconsole/, which causes session management errors. To workaround this issue, copy and paste the generated link into a browser, and replace the encoded dash with a dash (-) character.

  • The PermSize and MaxPermSize JVM properties are no longer supported in JDK 8, and will safely be ignored. These properties can be removed by modifying the config/java.properties file and running "bin/dsjavaproperties" while the server is offline.

  • Security criteria for root passwords with the default configuration will be increased in a future release. This might affect automated installation scripts that currently use less secure passwords. This will not affect existing root accounts.

  • The dsconfig tool and the Administrative Console enables creating and managing new Root DN users in this release. However, there is a limitation with changing the password of the currently logged in administrator. The ldappasswordmodify command can be used to change the administrator's password by providing the current and new password.

Resolved Issues

These issues were resolved with version 6.0.0.0 of the Data Metrics Server:

  • Updated command-line tools based on the LDAP SDK tool APIs to add the following features:

    • Tools can obtain default values for any arguments not provided on the command line from a properties file. If it exists, the server's config/tools.properties file will be used by default. Command-line arguments can be used to specify an alternate properties file or to indicate that no properties file should be used.

    • Tools can be launched in an interactive mode, in which the user is prompted for arguments used to establish and authenticate the connection, and for any other required arguments. The user can then use an interactive menu to specify values for any remaining arguments.
    Issue:DS-13700

  • The Data Metrics Server REST API servlet has a new authentication timeout property to allow a configurable session timeout. Previously, the authentication session timeout was 15 minutes. Issue:DS-13901

  • Added a --prettyPrint option to the config-diff tool to make the output more human-readable. Issue:DS-14694

  • Fixed an issue with the dsjavaproperties tool where java properties for PermSize and MaxPermSize could be added when using JDK 8, which no longer supports these options. Issue:DS-14857 SF#:3187

  • Updated the bcrypt, crypt, PBKDF2 and scrypt password storage schemes so they can be used to create new instances. Issue:DS-14923

  • Updated the Apache commons collections library to address the security vulnerability described by CVE 2015-4852. Issue:DS-14430 SF#:00003216

  • Fixed a case where attribute syntax configuration changes would not apply to undefined attributes, which rely on default attribute types. Issue:DS-14979

  • Collect-support-data tool now captures Kerberos config and log information. Issue:DS-13823

  • Updated the server's support for the Twilio Messaging Service so that it uses the newer "Messages" API when sending SMS messages instead of the older "SMS" API. The older API has been deprecated, and Twilio now imposes a 120-character limit for messages sent via that API. The messages API allows the server to take advantage of the full 160 characters per SMS message. Issue:DS-14749

  • The setup tool now creates the Postgres database directory under the server root, instead of the user's current directory. The data directory location can be changed by specifying the --databaseDataDir option when invoking setup. Issue:DS-12546

  • Server SDK extensions are now built with a Java source version of 1.7 by default. Issue:DS-15015

  • Changed interactive setup default value for HTTPS enablement. Issue:DS-15221

  • Updated the initial server configuration to improve security and usability. These changes apply only to new installations and will not be applied when updating an existing installation. Changes include:

    • Updated the default password policy to use a default password storage scheme that uses a salted 256-bit SHA-2 digest rather than a salted SHA-1 digest.

    • Updated the root password policy to use a default password storage scheme of PBKDF2 rather than salted 512-bit SHA-2.

    • Updated the secure password policy to use a default password storage scheme of PBKDF2 rather than a CRYPT variant that uses multiple rounds of 256-bit SHA-2.

    • Updated the password policy import plugin so that it will attempt to use the default password policy to select the password storage scheme(s) to use for entries that do not explicitly specify a password policy. The plugin will also fall back to using a salted 256-bit SHA-2 scheme instead of a salted SHA-1 scheme.

    • A number of weaker password storage schemes have been disabled by default, including base64, clear, unsalted MD5, salted MD5, 3DES, RC4, and unsalted SHA-1.

    • The default password policy has been updated to use a password generator that generates very strong yet memorable passphrases rather than a shorter and less-memorable string of randomly-selected characters.

    • Many of the server loggers have been updated to include additional log elements by default, including the instance name, requester DN, requester IP address, and request controls.

    • The exact match identity mapper has been updated to look at the mail attribute in addition to the uid attribute. When targeting a user with an authentication ID value (as when using SASL authentication or the proxied authorization v2 request control), it is now possible to specify an email address as an alternative to a user ID.

    • The UNBOUNDID-TOTP SASL mechanism handler has been updated to prevent TOTP password reuse by default.

    • Added new request criteria that make it possible to identify requests that target the root DSE or the subschema subentry. The global configuration has been updated so that requests targeting these entries will be in the default exceptions lists if the server is configured to reject insecure or unauthenticated requests.

    • Updated the template that setup generates for creating sample data to use a more logical and user-friendly numeric range. When the user requests N entries, setup would previously number the entries 0 through N-1 (for example, if the user requested 1000 entries, they would be numbered 0 through 999). It is logical for a user to expect them to be numbered 1 through 1000, but this change could break things that expecting to find an entry numbered with zero. To address this, if the user requests the server be populated with sample data, setup will create one more entry than actually requested so the numbering will go from 0 to N.
    Issues:DS-15183,DS-15220,DS-9407

  • Updated the default file permissions for new installations on UNIX-based systems. Files and directories included in the zip file will be only be accessible to their owner (the user that unzipped the file) by default.

    Newly-created files and directories will also be assigned permissions that allow them to be accessed only by the account used to run the server. Existing configuration options for setting file permissions (the log-file-permissions and db-directory-permissions properties) will continue to behave as before. The new config/server.umask file will control the default permissions for all other newly-created files and directories. Issues:DS-13571,DS-13860,DS-7505 SF#:2703

  • Updated the global ACIs that ship with the server to use a separate ACI for each control or extended request to allow by default, rather than grouping all desired controls together in one ACI and all desired extended requests together in a second ACI. This change will only be reflected in new installations, and not when updating an existing deployment. Issue:DS-15417

  • Addressed an issue where dsconfig incorrectly allowed certain configuration objects to be deleted. Issue:DS-15400

  • Updated interactive setup to display default values, and improved the overall layout and appearance. Issues:DS-15361,DS-15363,DS-15434

  • Added more logging information when initializing web application and servlet extensions in case an extension causes conflicts or delays. Issue:DS-15466

  • Updated setup to encode the root password with the PBKDF2 password storage scheme instead of SSHA512. Issue:DS-15521

  • Updater tool will increase PermSize and MaxPermSize parameters to recommended value to prevent Java JVM pauses. Issue:DS-15522 SF#:00003324

  • Fixed an error that could occur during upgrade when the configuration can not be loaded due to missing custom schema. Issue:DS-15592 SF#:3340

  • Updated the Groovy Scripting Language version to 2.4.6. Issue:DS-15621

  • Updated the version of the XML serialization library XStream from 1.3.1 to 1.4.9 to address a security vulnerability in the prior version. Issue:DS-15679

  • Added a new rotate-log tool to request the rotation of one or more log files. Issue:DS-10464

  • Improved the error messages produced by the manage-extensions tool when attempting to install invalid extensions. Issue:DS-15412

  • Improved the error messages and examples for create-rc-script and create-systemd-script by explicitly suggesting the use of sudo so that the scripts can modify protected files. Issue:DS-15178

  • The former suite of Administrative Console applications, each of which were tied to a particular product (for example the dsconsole.war for the Directory Server) are no longer available, and have been superceded by a new version of the Administrative Console capable of managing any server product. You can choose to access the Administrative Console by hosting it within a server, or by deploying it in an external servlet container. For the former, enable an HTTP Connection Handler and add the Administrative Console Web Application Extension to the handler. For the latter, download and unzip the management-console-[version].zip file, and install the ubid-console.war file according to your container's instructions. Issue:DS-15088

  • Root DN User configuration entries can now be fully managed through the configuration management interfaces such as dsconfig and the Administrative Console. Issue:DS-15422

  • Added support for log file rotation listeners, which allow for custom processing whenever a log file is rotated out of service so that the server will no longer write to it. A copy listener (which will copy the rotated log file to an alternate location, optionally compressing it in the process), and a summarize listener (which will invoke the summarize-access-log tool on the rotated log file) are included. The Server SDK also includes an API for creating custom log file rotation listeners. Issue:DS-4235

  • The monitored-servers tool now enables specifying a monitoring user bind DN when adding servers. Issue:DS-15336 SF#:00003294

  • The ability to request server-generated charts from the Metrics Engine has been removed in this release. Issue:DS-9591

  • Improved the collect-support-data tool to include information provided by systemd on platforms that support it. Issue:DS-13401

  • Improved the error messages for create-rc-script and create-systemd-script when the directory in which the script will be created does not exist. Issue:DS-15337

  • Added the server's process ID to the output of the status tool. Issue:DS-10312

  • Added a monitor entry for each Server SDK extension. Issue:DS-14548

  • The Configuration API now returns unquoted, native Javascript values for integer, real number, and boolean properties. Duration and size property values, for example '1 w' or '100 G', continue to be represented as Javascript string types. Issue:DS-15175

  • Added the ability to create local constants in LDIF template files using the new 'local' keyword. Issue:DS-14213

  • Addressed a few issues in config-diff. In some situations, config-diff would not generate commands in an order that respected all dependencies. This has been fixed. Most expected warnings are now excluded by default but can be included in the output with the --includeAllWarnings option. The --sourceBindPasswordFile and --targetBindPassword are now applied in conjunction with the --targetConfigGroup and --sourceConfigGroup options. Issues:DS-10466,DS-10765,DS-14479,DS-15318,DS-16154

  • Added support for setting the request header size in the Jetty http configuration server properties. Issue:DS-12191 SF#:00002580

  • Updated the restore command so that it can no longer be used to restore a backup of the config backend. The command now points the administrator for safer ways to revert configuration changes, including using config-diff. Issue:DS-14704

  • Updated the sanitize-log tool to add support for JSON-formatted access and error log files. Issue:DS-16224

  • Added the ability to search for configuration objects and their properties by name with the dsconfig tool. Issue:DS-979

  • Added a --dry-run option to dsconfig, which can be used in batch mode to validate the configuration changes in a batch file without applying them. Issue:DS-10946

  • Fixed an issue that prevented the deletion of disabled debug loggers. Issue:DS-15622

Data Metrics Server 5.2.0.0

New Features

These features were added for version 5.2.0.0 of the Data Metrics Server:

  • New Landing Page

    The Metrics Engine has a new web landing page, available after installation that provides links to all of the dashboard templates, the chart builder tool, and online documentation.

Known Issues and Workarounds

These were known issues at the time of the release of version 5.2.0.0 of the Data Metrics Server:

  • When deploying a .war file through the Web Application HTTP Servlet Extension, dependencies bundled in the file may conflict with the server's own dependencies if the server version differs from the version in the .war file. This may cause the Web Application HTTP Servlet Extension or the server itself to not start correctly. For reference, all server dependencies are available in /lib.

Resolved Issues

These issues were resolved with version 5.2.0.0 of the Data Metrics Server:

  • The setup tool has been updated to use HTTPS for initial configuration. Unsecure HTTP can be enabled post-setup, or by using non-interactive setup. Issue:DS-12182

  • Addressed cases where some messages may be suppressed in logs and alerts. Issue:DS-12287

  • Updated the Configuration API output where properties and their values are listed to include those that are undefined. Issue:DS-12123

  • Added support for running on Oracle Java 8 and OpenJDK 8 platforms. Issue:DS-12483

  • The Configuration API has been updated to support filtering, sorting, and paging for object list operations. See the Administration guide for usage. Issue:DS-12245

  • Added logging of all HTTP requests disallowed due to CORS. This should make it easier to debug HTTP 403/Forbidden errors. Issue:DS-12496

  • The server can now detect an "out of file handles" situation on the operating system, and shut down to prevent running in an unreliable state. Issue:DS-12579 SF#:2655

  • Update the Detailed HTTP Operation Log Publisher to log the correct return code (404 NOT FOUND) when a request is not handled by defined endpoints. Issue:DS-12576

  • Addressed an issue where the Metrics Engine embedded database may fail to start on Red Hat Enterprise Linux or CentOS 7. Issue:DS-12481

  • Fixed an issue where changes to SMTP External Server configurations did not take effect until after a server restart. Issue:DS-12285

  • Improved server locking used by dsconfig in offline batch mode, so that the server lock is held for the entire batch duration, instead of for each invocation. Also, reduced the probability of contention for file locks used by server tools to determine the server status. Issue:DS-12969 SF#:2717

  • Fixed a rare condition that might cause the logger rotation and retention thread to exit under heavy file system load or a network file system outage. Issue:DS-12880

  • Added a gauge to monitor the number of available file descriptors. This Available File Descriptors gauge can detect if a server if running out of file descriptors and degrade the server appropriately. Issue:DS-12727

  • Addressed an issue where data definition language (DDL) log field mappings for the JDBC error log were not previously documented. Issue:DS-13163

  • Reduced the memory overhead of debug logging in high throughput environments by sharing logging buffers across multiple threads. Issue:DS-10010

  • Updated the server's JVM arguments to always log garbage collection information to a rotating set of log files stored within logs/jvm/gc.log.N. The file system usage is limited to 300MB. If the server had previously been configured with VERBOSE_GC, then garbage collection logging information will no longer be logged to logs/server.out. Issue:DS-11522

  • The following UnboundID product names have changed: - Identity Data Store to Data Store - Identity Proxy to Proxy Server - Identity Data Sync Server to Data Sync Server - Identity Broker to Data Broker Issue:DS-12799

  • Fixed a bug where using the advanced arguments of some tools would result in changing the saved complexity settings for the dsconfig tool. Issue:DS-12897

  • Added a new search-logs tool. Similar to the command line tool 'grep,' this tool searches across log files to extract lines matching the provided pattern(s). The search-logs tool can handle multi-line log messages, extract log messages within a given time range, and include rotated log files. Issue:DS-3095

  • Updated the create-systemd-script tool by adding resource limits for available open file descriptors (NOFILE), and shared memory reservations (MEMLOCK). The generated script lists the recommended file descriptors limit and the resource limit setting for enabling large page support. The settings in the create-systemd-script output supersedes prior documentation for setting the number of open file descriptors on non-systemd systems. Issue:DS-13678

  • Updated interactive dsconfig to include an option to toggle between sorting similar properties together or sorting them alphabetically. Issue:DS-1706

  • Fixed an issue with the Metrics Engine monitored-servers add-servers command that could result in a cryptic failure when the server being added has a custom instance name. Issue:DS-13762

  • The collect-support-data tool now has the option to collect logging information within a specified time range via the '--timeRange' argument. Issue:DS-1261

  • Improved the server's support for selecting TLS cipher suites. When the server is configured to use a specific set of cipher suites, it will now always validate that all of the configured suites are supported by the JVM. When the server is not configured to use a specific set of cipher suites, it will now customize the set of default suites to prioritize those using strong cryptography (especially those that offer forward secrecy), and exclude suites with known weaknesses. Issues:DS-12681,DS-13475

  • Updated the alert handler configuration to indicate whether the alert handler should be invoked asynchronously in a background thread rather than by the thread that generated the alert. For alerts generated during the course of processing an operation, invoking potentially time-consuming alert handlers in a background thread can avoid adversely impacting the response time for that operation while still ensuring that administrators are made aware of the issue that arose. Issue:DS-12833

  • Updated the server to provide support for SMTP connection pooling. When sending an email message, the server will attempt to reuse an existing SMTP connection rather than establishing a new connection for each message. Issue:DS-12833

  • Deprecated the INCREASE_PERM_SPACE jvmTuningParameter in the setup and dsjavaproperties tools, which was used to increase the size of the permanent generation in memory allocated for the server. Now PermGen is set to 256M whenever the heap allocated for the server is 1g or greater. If less than 1g, the PermGen is set to 128M with a maximum of 256M. Issues:DS-14020,DS-14066

  • Added the ability to protect Velocity templates using the basic authentication scheme. Issue:DS-14074

  • Updated the prepare-* tools to avoid unnecessary confirmation for trust of the prepared server's certificate when the --trustStorePath argument specifies a trust store that establishes trust. Issue:DS-12616

  • Fixed a log publisher defect that would result in an unreadable file when both compression and signing were enabled at the same time. Issue:DS-13552

  • The ldifsearch command now supports the option "---isCompressed" for LDIF files that have been compressed with gzip. Issue:DS-14140

  • Added properties to the task backend for limiting the number of log messages retained in task entries, in order to limit the size of the in-memory representation of those entries. All log messages generated by a task will still be recorded in the server error log, even if they are not all retained in the corresponding entry in the task backend. Issue:DS-11067 SF#:2282

Data Metrics Server 5.1.5.2

Resolved Issues

These issues were resolved with version 5.1.5.2 of the Data Metrics Server:

  • Added the ability to protect Velocity templates using the basic authentication scheme. Issue:DS-14074

Data Metrics Server 5.1.5.0

Resolved Issues

These issues were resolved with version 5.1.5.0 of the Data Metrics Server:

  • Added a gauge to monitor the number of available file descriptors. This Available File Descriptors gauge can detect if a server if running out of file descriptors and degrade the server appropriately. Issue:DS-12727

Data Metrics Server 5.1.0.0

Important Upgrade Considerations

Important upgrade considerations for version 5.1.0.0 of the Data Metrics Server:

  • The summarize-config tool is deprecated, and will be removed in future versions of the product. Use the config-diff tool with the "sourceBaseline" argument to list a summary of changes to the local server configuration.

Resolved Issues

These issues were resolved with version 5.1.0.0 of the Data Metrics Server:

  • The setup tool has been updated to use HTTPS for initial configuration. Unsecure HTTP can be enabled post-setup, or by using non-interactive setup. Issue:DS-12182

  • Addressed cases where some messages may be suppressed in logs and alerts. Issue:DS-12287

  • Updated the Configuration API output where properties and their values are listed to include those that are undefined. Issue:DS-12123

  • Added support for running on Oracle Java 8 and OpenJDK 8 platforms. Issue:DS-12483

  • Added logging of all HTTP requests disallowed due to CORS. This should make it easier to debug HTTP 403/Forbidden errors. Issue:DS-12496

  • Critical: The server can now detect an "out of file handles" situation on the operating system, and shut down to prevent running in an unreliable state. Issue:DS-12579 SF#:2655

  • Update the Detailed HTTP Operation Log Publisher to log the correct return code (404 NOT FOUND) when a request is not handled by defined endpoints. Issue:DS-12576

  • The Configuration API has been updated to support filtering, sorting, and paging for object list operations. See the Administration guide for usage. Issue:DS-12245

  • Addressed an issue where the Metrics Engine embedded database may fail to start on Red Hat Enterprise Linux or CentOS 7. Issue:DS-12481

  • Fixed an issue where changes to SMTP External Server configurations did not take effect until after a server restart. Issue:DS-12285

  • Fixed a rare condition that might cause the logger rotation and retention thread to exit under heavy file system load or a network file system outage. Issue:DS-12880

  • Improved server locking used by dsconfig in offline batch mode, so that the server lock is held for the entire batch duration, instead of for each invocation. Also, reduced the probability of contention for file locks used by server tools to determine the server status. Issue:DS-12969 SF#:2717

  • Reduced the memory overhead of debug logging in high throughput environments by sharing logging buffers across multiple threads. Issue:DS-10010

Data Metrics Server 5.0.1.0

Resolved Issues

These issues were resolved with version 5.0.1.0 of the Data Metrics Server:

  • The setup tool has been updated to use HTTPS when configuring the HTTP Connection Handler(s). Unsecure HTTP can be enabled post-setup, or by using non-interactive setup. Issue:DS-12182

  • Addressed cases where some messages may be suppressed in logs and alerts. Issue:DS-12287

  • Updated the Configuration API output where properties and their values are listed to include those that are undefined. Issue:DS-12123

  • The server can now detect an "out of file handles" situation on the operating system, and shut down to prevent running in an unreliable state. Issue:DS-12579 SF#:2655

Data Metrics Server 5.0.0.0

New Features

These features were added for version 5.0.0.0 of the Data Metrics Server:

  • Java 7 is now required when setting up a new server or upgrading an existing server.

  • Enabled support for the SSLv2Hello TLS protocol by default in JVMs that support it. This does not enable support for the insecure SSLv2 protocol, but it can improve compatibility with clients running older versions of Java that may start TLS negotiation with an SSLv2 client hello packet before negotiating to a higher version of the TLS protocol. Support for SSLv2Hello in the initial phase of negotiation does not in any way compromise the strength of the integrity and/or confidentiality protection that is ultimately negotiated between the client and the server.

  • Added a Monitor History plugin that periodically records cn=monitor to timestamped files to aid in isolating intermittent problems. By default, it logs the full cn=monitor branch every five minutes to compressed files within logs/monitor-history/. Files are deleted automatically, but a sparse set of older files are kept to provide historical perspective on server performance. The collect-support-data tool has also been updated to collect a few of these files to aid in root cause analysis.

  • Introduced the Configuration HTTP Servlet Extension, which can be used for querying and updating the configuration over a REST API. This feature is currently experimental and is subject to change in the future. Your feedback is welcome.

Known Issues and Workarounds

These were known issues at the time of the release of version 5.0.0.0 of the Data Metrics Server:

Resolved Issues

These issues were resolved with version 5.0.0.0 of the Data Metrics Server:

  • Fixed the gauge configuration manager to only re-initialize the gauge that was changed, and not any of the other gauges that did not change. Issue:DS-11472

  • Fixed the alarm manager to generate alarm-cleared alerts when internal alarms are cleared and the alarm manager's generated-alert-types property has the "alarm" value. Issue:DS-11541 SF#:2421

  • Fixed the alarm manager to not include the details of the old alarm, (the alarm being cleared), in the "alarm-cleared" alert message. Issue:DS-11546

  • Fixed the dsconfig tool to suppress all stray output when run in batch mode with the --quiet option. Issue:DS-10460

  • Fixed an issue in which tools such as dsconfig, status, and dsreplication could not connect to the server over SSL or StartTLS. This occurred when a certificate was accepted with the 'Manually validate' option, while using the interactive LDAP connection menu. Issue:DS-11688

  • Updated the Velocity HTTP Servlet Extension and Velocity Context Providers to enable adding header fields to responses for pages and static content, such as images and scripts. Some default headings have been added to direct user agents on caching and frame display policies. Issue:DS-11649

  • Updated the alarm manager to not generate "alarm-normal" alert when a gauge's condition abates Issue:DS-11637

  • Updated the API authenticator to fail authentication for empty username Issue:DS-11598

  • Reduced the severity of the "unrecognized alert type" message in the error log from SEVERE_WARNING to NOTICE. The message now states that this is expected if the server is reverted to a version prior to the implementation of these alert types. Issue:DS-11453

  • Removed the "alarm-normal" alert. Issue:DS-11730

  • The Velocity Servlet now HTML escapes all template substitutions by default. To substitute unescaped content, a variable name ending with "WithHtml" must be used. Issue:DS-11648

  • Improved the Velocity Context Provider interface for HTTP method-specific requests. Context providers must now handle specific HTTP methods by overriding provider class methods. Provider implementations that handle HTTP methods, other than GET, must now be configured to handle them by updating the http-method configuration properties as well as overriding the appropriate handleXXX methods. Issue:DS-11650

  • Updated the alarm manager to not persist normal alarms. Issue:DS-11719

  • Updated the ExampleOverloadHandlerPlugin to monitor the alarm backend for delete actions, so that it can react appropriately to abating gauge conditions. Issue:DS-11719

  • Added an omit-error-message-details Monitoring Configuration property to the Metrics Engine API. When enabled, this property restricts error messages to the typical reason phrase associated with the HTTP return code (such as, 'Not Found' for an HTTP 404 error). This prevents the server from inadvertently revealing information about itself or its data in verbose error messages. Issue:DS-11759

  • Add an HTTP Configuration element with property include-stack-traces-in-error-pages that can be disabled in order to suppress stack traces included in web application and servlet error pages. Stack traces are helpful when diagnosing application errors, but in production they may reveal sensitive information. Issue:DS-11651

  • Critical: Disabled support for SSLv3 by default in the LDAP, HTTP, and JMX connection handlers, and for replication communication. The recently-discovered POODLE vulnerability could potentially allow a network attacker to determine the plaintext behind an SSLv3-encrypted session, which would effectively negate the primary benefit of the encryption.

    SSLv3 was initially defined in 1996, but was supplanted by the release of the TLSv1 definition in 1999 (and subsequently by TLSv1.1 in 2006 and TLSv1.2 in 2008). These newer TLS protocols are not susceptible to the POODLE vulnerability, and the server has supported them (and preferred them over SSLv3) for many years. The act of disabling SSLv3 by default should not have any adverse effect on clients that support any of the newer TLS protocols. However, if there are any legacy client applications that attempt to communicate securely but do not support the newer TLS protocols, they should be updated to support the newer protocols. In the event that there are known clients that do not support any security protocol newer than SSLv3 and that cannot be immediately updated to support a newer protocol, SSLv3 support can be re-enabled using the newly-introduced allowed-insecure-tls-protocol global configuration property. However, since communication using SSLv3 can no longer be considered secure, it is strongly recommended that every effort be made to update all known clients still using SSLv3.

    It is possible to use the server access log to identify LDAP clients that use SSLv3 to communicate with the server. Whenever an LDAP client establishes a secure connection to the server, or whenever a client uses the StartTLS extended operation to secure an existing plaintext connection, the server will generate a SECURITY-NEGOTIATION access log message. The "protocol" element of a SECURITY-NEGOTIATION access log message specifies the name of the security protocol that has been negotiated between the client and the server, and any SECURITY-NEGOTIATION messages with a protocol of "SSLv3" suggest that the associated client is vulnerable to the POODLE attack. In addition, if any connections are terminated for attempting to use the disallowed SSLv3 protocol, the access log message for that disconnect should include a message stating the reason for the termination. Issue:DS-11782

  • Updated the Web Console so that upon login, the user's old session is always invalidated. Issue:DS-11624

  • Updated the Web Console to suppress LDAP responses in user messages, such as when the server is unavailable or for authentication failures. Also added a context parameter to exclude stack traces and detailed error messages from appearing in the application's internal error page. Issues:DS-11629,DS-11645

  • Updated the HTTP Detailed Access logger to use timestamps with millisecond precision. Issue:DS-11755

  • Fixed incorrect property references for trustStorePassword and keyStorePasswordFile in tools.properties that corresponded to the wrong argument names. Issue:DS-11751

  • The Metrics API has been updated to include cache-control headers in HTTP responses. Issue:DS-11799

  • Updated the default HTTP Cache-Control headers to correct an invalid multi-value delimiter. Issues:DS-11888,DS-11890

  • Updated the setup tools to enable definition of external server instances that are configured to reject unauthenticated requests. Previously the tools would erroneously indicate these servers were unavailable. Issues:DS-11068,DS-11784,DS-11887

  • The Metrics Engine dashboard views now invalidate the browser's cached Basic authentication API credentials after a 15 minute timeout. Issue:DS-11922

  • Disabled log rotation during startup to prevent potential problems with rotation dependencies on server components that have not yet been initialized. Issue:DS-10441

  • The configuration properties omit-error-message-details and require-api-authentication of the Monitoring Configuration have been deprecated, and analogous properties are now available for the Metrics HTTP Servlet Extension. This was done to consolidate configuration and make options consistent across products. Previously configured properties values will be migrated automatically by the update tool. Any new configuration should be done through the Metrics HTTP Servlet Extension. Issue:DS-12135

  • Added a gauge to the server to track JVM memory usage and alert if the amount of free memory gets low enough that it could impact server performance. Issue:DS-11993

  • Updated the server to make it easier to control the order of values in the ssl-protocol and ssl-cipher-suite properties in the LDAP connection handler and crypto manager configuration objects. Issue:DS-12147

  • Updated the HTTP Connection Handler to return a 404 Not Found response to requests for endpoints not handled by any servlet or web application extensions. Previously the hander would return a 200 OK with no response body. Issues:DS-12120,DS-8368

  • Updated the HTTP/HTTPS connection handler to Jetty 8.1.16.v20140903. Issue:DS-11959

Data Metrics Server 4.7.0.0

New Features

These features were added for version 4.7.0.0 of the Data Metrics Server:

  • Updated the server to support Alarms. An alarm represents a stateful condition of the server that might indicate a problem, such as low disk space or external server unavailability. The status command line utility and the monitoring page of the web console have been updated to expose the active alarms. Many existing alert types have been updated to be treated as alarms. When the condition associated with an alarm abates, the alarm is cleared.

  • Added support for Gauges. A gauge examines specific server monitoring data, and raises an alarm when a configured threshold is crossed. The server has out-of-the-box gauges such as CPU Usage and Disk Busy, and new ones can be added through the Gauge Data Source and Gauge configuration object types.

  • OpenJDK 7 is now supported on Linux.

Known Issues and Workarounds

These were known issues at the time of the release of version 4.7.0.0 of the Data Metrics Server:

  • JDK 6 is currently deprecated and will not be supported in the next major release.

  • UnboundID products are not supported on JDK 8.

Resolved Issues

These issues were resolved with version 4.7.0.0 of the Data Metrics Server:

  • Added a result code tracker that maintains a monitor entry with counts and response times of results. Each result is categorized by operation type, post-response result code, and whether it is a failure or non-failure. Issue:DS-3270

  • Exposed LDAP extended operation throughput and response time data in the Periodic Stats Logger and the Metrics Engine to expand upon the set of tracked operation types. Issue:DS-10369

  • Fixed a problem that prevented the server from starting if a TLS-enabled connection handler was configured with a certificate nickname that referenced a non-RSA certificate. Issue:DS-10949

Data Metrics Server 4.6.0.0

New Features

These features were added for version 4.6.0.0 of the Data Metrics Server:

  • Improved out of the box Dashboards included for Directory and Proxy

  • Support for Windows OS

Known Issues and Workarounds

These were known issues at the time of the release of version 4.6.0.0 of the Data Metrics Server:

  • UnboundID products, Java SE, and the JVM do not use OpenSSL libraries and are therefore not vulnerable to OpenSSL issues. Oracle has provided a statement on the April 2014 OpenSSL Heartbleed vulnerability at http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html. Issue:DS-10807

  • When the Metrics Engine setup.bat program is launched by double-clicking it, the setup runs interactively in a command window, but may complete and close without an indication of whether it was ultimately successful. If this happens, run the 'status' command to verify that the Metrics Engine is running. Issue:DS-10430

Resolved Issues

These issues were resolved with version 4.6.0.0 of the Data Metrics Server:

  • Fix an issue to enable the "monitored-servers add-servers" command to work with servers that do not allow unauthenticated access to the root DSE. Issue:DS-10181 SF#:2138

  • Updated the metrics schema to allow for longer alert notification messages. Error handling was improved to handle unexpectedly long messages added to the database. Issue:DS-10268 SF#:2149

  • Updated the validate-file-signature tool to ensure that it will always display a final summary message to indicate whether any warnings or errors were encountered during processing. Issue:DS-10333

  • Updated the signed logging implementation to better handle any problems that may arise during cryptographic processing. If any such problem is encountered, the server will now include a message with information about the error in the signature block rather than suspending the logger with an exception recorded in the server.out log file. Issue:DS-10310

  • Fixed an issue in the Periodic Stats Logger, where no logging would occur when suppress-if-idle=true was configured, even when the server was not idle. Issue:DS-10387 SF#:2170

  • Renamed the metric-engine-schema tool to manage-metrics-db-schema, and added usability enhancements to make schema upgrades easier to apply. Issues:DS-10266,DS-10285

  • Added a new sanitize-log tool that can be used to remove sensitive information from server log files, including the file-based access log, the operation timing access log, the file-based error log, the file-based sync log, the file-based resync log, and the detailed HTTP operation log.

    The sanitization process operates on fields that consist of name-value pairs. The field name and equal sign will always be retained, but in cases where the value may contain sensitive data, that value may either be replaced with the string "---REDACTED---", or it may be tokenized. If the tokenized value is a DN or filter, then attribute names in that DN or filter will be preserved while the values will be replaced with a string consisting of a number inside curly braces. If the tokenized value is not a DN or filter, then the entire value will be replaced with a number inside curly braces. If a string to be tokenized appears multiple times in the log, the same replacement token will be used for each occurrence of that string to make it possible to correlate occurrences of that string without revealing the actual content.

    The sanitize-log tool has a default configuration that should be sufficient for many environments, allowing it to tokenize or redact sensitive information while preserving non-sensitive content for use in diagnosing problems or understanding usage patterns. However, this behavior can be customized using command-line arguments by indicating whether to preserve, tokenize, or redact a given log field. Issue:DS-10472

  • Custom Velocity templates should be updated to use Bootstrap 3.1.1 if they are using any of the shared original (shipped with the product) templates or scripts (such as _header.vm or dashboard.js). Issue:DS-10372

  • Fixed issues with the JDBC Access Logger that were related to Oracle Thin Client, where column values were "null" and disabling the logger resulted in losing a connection to the server when using the dsconfig command. Issue:DS-10485

  • Fixed an issue so that collect-support-data now generates filename entries correctly. Previously, the tool would hang if the archiving of files following a symbolic link required generating a non-duplicating filename entry. Issue:DS-10582

  • Enabled the Host System Monitor Provider by default so that system CPU and memory utilization will be reported automatically through the server's monitoring framework. Disk and network monitoring can be enabled by configuring values for the disk-devices and network-devices configuration properties. Issue:DS-10562

  • The default timeout period for smtp-timeout was changed from none to two minutes to prevent non-responsive mail servers from disrupting administrative functions. Issue:DS-10230

  • Added a new topology-level dashboard to the Metrics Engine that can be used to monitor Data Store, Proxy, and Sync Server instances. The dashboard adapts to the set of servers and the metrics that are configured to be monitored. It is available at the http://metrics-host:8080/view/ldap-dashboard URL. Issue:DS-9864

  • The setup command no longer saves user-provided key store and trust store passwords in PIN files. Passwords provided during setup are encrypted with the configuration data. If the administrator chooses to use PIN files to supply the passwords, the files are referenced in the server configuration by the key manager and trust manager. Issue:DS-10787

  • Updated the Periodic Stats Logger to include an empty value in the output rather than "infinity" in certain circumstances. This avoids problems plotting the output in a spreadsheet. Issue:DS-8842

  • Addressed an issue with the Metrics Engine where some metric queries would return results with false spikes. The issue was caused by aggregation of samples that did not divide evenly into the requested number of points. Issue:DS-10904

  • Updated dsconfig to treat tabs as whitespace in batch files. Issue:DS-10549

  • Added Metrics Collection Size Limit Retention Policy to the metrics backend to allow up to 2 GB of metric data to be buffered locally, which allows the Metrics Engine to be offline for a longer time without missing collected data. Issue:DS-10156

  • Removed deprecated "lshal" command from Linux-specific processes performed by the collect-support-data tool and added similar command, "udevadm info --export-db" Issue:DS-10713

  • Updated the Replication Servers table produced by the dsreplication tool to omit unnecessary "Security" column. Issue:DS-10442

Data Metrics Server 4.5.1.0

New Features

These features were added for version 4.5.1.0 of the Data Metrics Server:

  • The collect-support-data tool now refers to tools.properties for default command-line options.

  • The collect-support-data tool now supports an option to encrypt the data archive, to ensure protection of customer data while in transit, and an option to reduce the amount of potentially sensitive data that is collected.

  • Cross-origin Resource sharing (CORS) support is now included for HTTP Servlet Extensions, including the SCIM RESTful APIs.

Known Issues and Workarounds

These were known issues at the time of the release of version 4.5.1.0 of the Data Metrics Server:

  • When the Velocity servlet receives CORS-enabled requests and has a cross-origin policy in effect, it will return multiple Access-Control-* headers with duplicate values. This will cause cross-origin requests issued by web browsers to fail. Issue:DS-10205

Resolved Issues

These issues were resolved with version 4.5.1.0 of the Data Metrics Server:

  • The setup tool's --aggressiveJVMTuning and --verboseGC command-line options have been deprecated. Instead, use --jvmTuningParameter AGGRESSIVE and --jvmTuningParameter VERBOSE_GC respectively. Issue:DS-9079

  • Update the server configuration to use a new default limit for duplicate alert suppression. The previous default imposed a maximum of 100 alerts of the same type per hour. The new default imposes a maximum of 10 alerts of the same type every ten minutes. This is more likely to suppress bursts in which the same alert is repeatedly generated over a short time without interfering with multiple occurrences of alerts of the same type over a longer period of time. Issue:DS-9259

  • Update the Velocity framework to better support customization out of the box. In order to customize Velocity templates or static content (CSS, Javascript files etc.) you should copy the original file from the config/velocity directory to the root velocity directory and modify the copied file. Files in the root velocity directory will override those in config/velocity. Issue:DS-9273

  • Update the server to improve the caching behavior for PIN files as used by key and trust manager providers. In the case that the keystore or truststore file has been updated to require a new PIN and the existing PIN file is updated without a configuration change to the associated key or trust manager provider, the server would previously keep trying to use the old PIN. It will now look for and use an updated PIN if a failure is encountered while using the old PIN. Issue:DS-10113 SF#:2123

  • Update the collect-support-data tool so that it can encrypt the data that is captured to protect it from unauthorized third parties. The encryption key is generated from a passphrase which may be read from a file, interactively provided by the user, or dynamically generated by the tool. This passphrase must be provided to support personnel (ideally over a different communication channel than the encrypted support data archive itself) for them to be able to access the information it contains.

    There is also a new option to decrypt an encrypted collect-support-data archive when provided with the encryption passphrase. Issue:DS-10129

  • Update the collect-support-data tool so that it is possible to configure default values for most arguments in the tools.properties file. Issue:DS-10178

  • Update the collect-support-data tool to further reduce the possibility of gathering sensitive information. Potentially sensitive data will be replaced with ---REDACTED--- in the output. A new "--securityLevel maximum" option can also be specified that redacts DNs and search filters, which might include personally identifiable information. Issue:DS-10115

Data Metrics Server 4.5.0.0

New Features

These features were added for version 4.5.0.0 of the Data Metrics Server:

  • The Metrics Engine now collects Identity Broker metrics and can report on data that is of interest to the business, such as consent rates, most active clients, or most requested data. Sample dashboards are included in the Identity Broker Console and as separate configuration files.

  • The Metrics Engine package now includes the embedded PostgreSQL distribution to simplify deployment and support.

  • A new config-diff command line utility can compare two server configurations and produce the difference as a dsconfig batch file. The file can then be used to bring the source configuration in line with the target. Comparisons can be done between live servers or configuration files, and between current or legacy configurations. Run 'config-diff --help' to get more information including example use cases.

Known Issues and Workarounds

These were known issues at the time of the release of version 4.5.0.0 of the Data Metrics Server:

  • Java 1.7 has a synchronization bottleneck in HashMap that severely impacts performance. Use update 1.7u40, if possible, to avoid this issue. Issue:DS-9477

  • Installing the Metrics Engine as root is not supported. Issue:DS-9374

Resolved Issues

These issues were resolved with version 4.5.0.0 of the Data Metrics Server:

  • Fix a bug in the JDBC Access Logger that could cause incompatibility with some database versions and display a "Cannot commit when autoCommit is enabled" error message. Issue:DS-8750

  • Update the server startup process so that if no messages have been logged for at least five minutes, the server will generate and log a message about the current phase of startup processing. This can help reassure administrators that the server is still starting and provide information about what phase of startup may be taking so long. Issue:DS-7450

  • Update java.properties generation so that comments related to alternative JVM tunings are no longer present in the file. In most cases, rather than updating java.properties by hand you should use the dsjavaproperties tool to generate JVM options. Issue:DS-8339

  • Add an allow-insecure-local-jmx-access option to the global config that will expose JMX data via insecure local JVM connection Issue:DS-4300

  • Add a new alert handler that can use the Twilio service to deliver administrative alerts via SMS. Long alerts may be either truncated or split into multiple SMS messages. Issue:DS-5587

  • Update the configuration schema to make the ds-cfg-inherit-default-root-privileges attribute mandatory for object class ds-cfg-root-dn-user which is used to define Root User DNs. When this attribute is not present on Root DN User entries, the effect is for the root user to inherit default privileges. It has been made mandatory to make this behavior more explicit. During an update of the server, root DN user entries that do not explicitly declare a value for this attribute will be updated with a value of 'true'. Issue:DS-8450

  • Add a WebLogic specific descriptor file for the web console to help with deployment compatibility. Issue:DS-8925 SF#:1915

  • The trust store password options have been deprecated for most tools that do not require read-write access to a trust store. Issue:DS-8789

  • Make a number of criteria-related improvements:

    - Add Server SDK support for creating custom connection, request, result, search entry, and search reference criteria implementations.

    - Update the simple request criteria type to make it possible to consider the search scope in determining whether a search operation matches the criteria.

    - Update the simple result criteria type to make it possible to consider the indexed/unindexed status in determining whether a search operation matches the criteria.

    - Add a new type of request criteria that may be used to more easily identify operations that target the server root DSE.

    - Add a new type of result criteria that may be used to classify operations based on replication assurance requirements and/or whether those requirements were satisfied.

    - Add a new allowed-insecure-request-criteria global configuration property that may be used to identify requests that the server should allow even if they are received over an insecure connection and the server is configured to reject insecure requests.

    - Add a new allowed-unauthenticated-request-criteria global configuration property that may be used to identify requests that the server should allow even if they are received over an unauthenticated connection and the server is configured to reject unauthenticated requests. Issues:DS-5079,DS-8168,DS-8770

  • Add a new sign-log configuration property to file-based loggers that may be used to cause the server to digitally sign messages written by that logger. A new validate-file-signature tool may be used to verify signature information in signed log files, as well as LDIF files generated by signed LDIF exports. Issue:DS-8662

  • Add support for two new extended operations. A list configurations extended operation may be used to obtain information about the configurations that are available within to the server, including the currently-active configuration, the baseline configuration (i.e., the base configuration for an out-of-the-box installation of the current version), and all archived configurations that reflect configuration changes over time. A get configuration extended operation may be used to retrieve a specific configuration from the server. Issue:DS-9149

  • Update setup to fix a bug in which file path options specified as relative to the current directory may cause the server to be configured incorrectly or cause setup failure. Issue:DS-8389

  • Update the HTTP Connection handler to support configuration for tracking sessions either through HTTP cookies or by URL rewriting. Issues:DS-8639,DS-9128

  • Expose the Plugin type in the Server SDK, which is primarily useful for this server to have custom code run at server startup or shutdown using the 'startup' and 'shutdown' plugin types. Issue:DS-9165

  • Update the server to provide a degree of sandboxing around Server SDK extensions so that an unexpected exception thrown by an extension will be caught and result in an administrative alert rather than being caught further up in the stack and potentially causing other problems. Issue:DS-9247

  • In the rare cases where it is necessary to forcefully terminate the JVM from within the server itself, ensure that any files marked for deletion when the JVM shuts down are manually deleted before the JVM is terminated. This can help avoid problems like server shutdown not being detected properly because the server PID file hasn't been removed. Issue:DS-9267

  • Provide improved schema validation to detect additional cases in which certain misspelled tokens in the definition for a schema token could be silently interpreted as an extra property for that schema element. The server will now log a warning message about these unexpected tokens so that administrators can either correct them or prefix them with "X-" to indicate that they are an extra property provided for informational purposes. Issue:DS-9236

  • Reduce the time it takes the server to shut down in certain situations. Background threads sometimes missed a signal to wake up and had to wait for their next polling interval to see that a shut down had been requested. Issue:DS-9334

  • Update the default behavior of all file-based loggers to have include-thread-id=true. This will include a compact thread ID in all log messages. This can make it easier to correlate log messages generated by the same thread within a single log file or across different types of log files. Issue:DS-9352

  • Remove -XX:+UseMembar from the default set of generated JVM properties except on early JVM versions where this setting was required to work around a threading bug in the JVM.

  • Update the server JVM arguments generated by setup and dsjavaproperties to explicitly define -XX:MaxNewSize and -XX:NewSize for JVM's 1GB in size and larger. Also, add a comment to the generated java.properties file directing the administrator to use dsjavaproperties for making memory-related changes to this file rather than editing it directly. Issue:DS-9227

  • Add password file arguments to the scripts used to prepare external servers. Issue:DS-9406

  • Update the setup and dsjavaproperties tools to permit maximum heap size values for memory that is not currently available on the host, though the value must still be less than the total amount of memory present on the host. Issue:DS-9111

  • Update the setup and dsjavapropeties tools to permit JVM heap size values to be as large as the amount of memory present on the system would permit. Issue:DS-9494

  • Update the Server SDK to provide the ability to run command line utilities within the server process. A ToolExecutor can be retrieved from the ServerContext. Currently, only the config-diff command is supported, but additional commands might be supported in the future. Issue:DS-9537 SF#:00001858

  • Enhance dsconfig to write to the config audit log when in offline mode. Issue:DS-1495

  • On Linux, issue a warning on startup and after a JVM pause if the kernel setting vm.swappiness is not 0 as this can cause the server to become unresponsive for several seconds when memory is paged back from disk during a garbage collection. Issue:DS-9070

  • Automatically record server monitor data at shutdown, as it may be useful for debugging purposes in cases where a problem was experienced within the server that was resolved by a restart. Issue:DS-9777

  • Improve the performance of certain monitor entry searches that target specific monitor entries by object class. In particular, this includes searches with AND or OR filters, as well as filters that target object classes not defined in the server schema. Issue:DS-9772

  • Fix an issue where the Metrics Engine was not correctly parsing the query API's start and end time parameters when no time zone offset was included. The time had been interpreted as GMT, but it should have been interpreted as the local time zone (from the server's point of view). Issue:DS-9765

Data Metrics Server 4.1.0.0

New Features

These features were added for version 4.1.0.0 of the Data Metrics Server:

  • The UnboundID Identity Broker is the first of a new class of components for consumer and subscriber identity management architectures.

    As a stand-alone server, it provides authorization decisions for client applications, provisioning systems, API gateways, and analytical tools in any architecture involving personal, account, or sensitive identity data.

    Working together with the UnboundID Identity Data Store and Identity Proxy, the Identity Broker is designed to make high-volume and high-speed authorization decisions based on ever-changing consumer profile and consent data. Functionally, the Identity Broker is both the Policy Decision Point and the OAuth2 provider for externalized authorization. Performance-wise, the Identity Broker can support the request volumes driven by the complex, real-time interactions necessary to support today's consumer-facing mobile, social, and cloud ecosystems.

Known Issues and Workarounds

These were known issues at the time of the release of version 4.1.0.0 of the Data Metrics Server:

Resolved Issues

These issues were resolved with version 4.1.0.0 of the Data Metrics Server:

  • Update the names of the UnboundID-branded products which are now: - Identity Data Store (formerly Directory Server) - Identity Proxy (formerly Proxy Server) - Identity Data Sync Server (formerly Synchronization Server) - Metrics Engine (name unchanged) Issues:DS-7514,DS-7515,DS-7516,DS-7518

  • Fix a bug where under certain error conditions the start server scripts could prompt user to overwrite existing file. Issue:DS-7268

  • Introduce an "include-thread-id" configuration property on many of the file-based loggers that when enabled adds a threadID field to logging output. This makes it possible to know exactly which thread logged a message, which can simplify correlating errors between log messages and separate logs. This ID can be correlated to a thread name using the cn=JVM Stack Trace,cn=monitor entry. Issue:DS-8212

  • Change stop-*.bat to attempt a soft server shutdown before terminating the process. Issue:DS-408

  • Addressed an issue in the monitoring pages of the web console where they incorrectly listed directory server replication related information. Issue:DS-7289

  • Update the JMX connection handler to infer an appropriate Java type (e.g. Boolean, Long, Float, Date, or String) for JMX attributes from the underlying LDAP attribute type and value. The legacy behavior to return all JMX attributes as String values can be set if desired through the advanced global configuration property 'jmx-value-behavior'. Issue:DS-7635

  • Add the --noPropertiesFile option to the status command so that it does not fail when the option is provided to collect-support-data. Issue:DS-8390

Data Metrics Server 4.0.0.0

New Features

These features were added for version 4.0.0.0 of the Data Metrics Server:

  • Update the names of the UnboundID-branded products, which are now:

    • Identity Data Store (formerly Directory Server)
    • Identity Proxy (formerly Proxy Server)
    • Identity Data Sync (formerly Synchronization Server)
    • Metrics Engine (name unchanged)

  • The Metrics Engine can now be configured to monitor and alert on Service Level Agreements. For information about Service Level Agreements and how to configure them, please refer to the "Monitoring Service Level Agreements" section of the UnboundID Metrics Engine Administration Guide.

  • Provide API for accessing Metrics Engine SLAs and Threshold Alerts. For API documentation, please refer to the "Accessing the Metrics Engine Data" chapter of the UnboundID Metrics Engine Administration Guide.

Known Issues and Workarounds

These were known issues at the time of the release of version 4.0.0.0 of the Data Metrics Server:

  • Version 3.6.x Metrics Engine cannot monitor version 4.x servers. To monitor a version 4.x server you must first upgrade the Metrics Engine to version 4.0. Issue:7743

Resolved Issues

These issues were resolved with version 4.0.0.0 of the Data Metrics Server:

  • File Server HTTP Servlet Extensions now allow a default MIME type to be set with the default-mime-type property. Issue:DS-6959

  • Change the stop-* tools to behave like other task based tools. These tools require the use of the --task argument to ensure that user knows they are using a server task. These tools also will not use properties files unless you provide the --usePropertiesFile or --propertiesFilePath arguments.

  • Fix a bug that prevented viewing hidden and complex configuration properties using dsconfig in a non-interactive mode. Issue:DS-7245

  • Fix a bug in the manage-extension tool that would cause an error when attempting to install an extension if that extension's getExtensionDescription method returned null (which is allowed as per the documentation). Issue:DS-7367

  • Fix a bug in the LDAPConnectionHandler where it did not close the NIO Selector on shutdown. On some platforms this caused the underlying socket channel to remain bound, which prevented the server from being able to restart. Issue:DS-7373

Data Metrics Server 3.6.0.0

New Features

These features were added for version 3.6.0.0 of the Data Metrics Server:

  • IPv6 is now a supported deployment option.

  • 64-bit JDK 7 is now a supported deployment option, but 32-bit JDKs are no longer supported.

  • Provide API for accessing monitored server Alerts.

Known Issues and Workarounds

These were known issues at the time of the release of version 3.6.0.0 of the Data Metrics Server:

  • Version 3.6.x Metrics Engine cannot monitor version 4.x servers. To monitor a version 4.x server you must first upgrade the Metrics Engine to version 4.0. Issue:7743

Resolved Issues

These issues were resolved with version 3.6.0.0 of the Data Metrics Server:

  • Fix a typo in the output of "query-metrics explore". It had indicated that "&dimensions=application-name:value1,value2" could be used to restrict the query output, but it should just be "&dimension=application-name:value1,value2" (not plural). Issue:DS-7226

  • Fix a problem in the manage-extension tool where it would fail on Windows because it tried to delete some temp files that were currently in use. Issue:DS-6770

  • The default behavior of the API is changed to address how incomplete sample intervals close to the current real time are returned when performing a multi-time interval query:

    - The datatable and chart resources now truncates incomplete time intervals from the data by default but only up to 5 min worth of intervals or 20% of the total number of intervals, which ever is less. - Introduced the lastCompleteIndex property to the data series objects in a dataset response. This is used to indicate the index of most current 'complete' sample where a complete sample is a sample that contains values for all aggregates. No data is truncated by default. - The default trimming behaviors of all resources may be overridden using the new maxTruncatedIntervals query parameter. This allows the client to specify the maximum number of incomplete sample intervals that may be truncated from the resulting response. Issue:DS-7068

  • Added a new includeEmptySeries query param to the datatable and chart resources that may be used to control whether the results should contain series with no data. The default is false. Issues:DS-7071,DS-7077

  • Fix a bug in dsconfig that prevented going back when adding a new configuration object inside of an existing one. Issue:DS-7263 SF#:1793

  • Prevent disk space monitoring for metrics db for environments where file permissions disallow reading. Issue:DS-7266 SF#:1794

  • Add a few query parameters to the chart resource (/api/v1/{metricId}/chart) to allow customizations:

    - title: The input is now treated as a Velocity template and the $metric context may be used to reference anything in the Metric object. - subTitle: Allows adding one or more sub-titles to the chart. Velocity templates may be used. - tz: Specifies the time zone used for all date/times on the chart. Default is GMT. - dateFormat: Specifies the format of the all date/times on the chart. It uses the standard Java SimpleDateFormat strings. - useLogScale: Use a logarithmic scale for the range axis. - style: Allows customizations of various stylistic elements in the chart in a psudo CSS format (semi-colon separated list of rules where the key and value separated by a colon). The following rules are implemented: -- series-color: A space separated list of colors to use for the different series in the order specified. The standard 17 CSS named colors are supported along with the hex (ie.#445566) and rgb (ie. rgb(45, 100, 255)) notations. (ie. series-color: blue red #221122 rgb(234,255,255);) -- series-width: The width of the series lines in px notation (ie. series-width: 5px;) -- background-color: The background color of the chart (ie. background-color: white;) -- grid-line-width: The width of the gridlines. If only one value is present, both the domain and range gridlines will use the same width. Otherwise, the first value is for the domain and the second for the range gridlines. (ie. grid-line-width: 4px 6px;) -- grid-line-color: The color of the gridlines. (ie. grid-line-color: red blue;) -- legend-position: The position of the legend, if present. (ie. legend-position: right;) Issue:DS-7076

Data Metrics Server 3.5.1.0

New Features

These features were added for version 3.5.1.0 of the Data Metrics Server:

  • The Metrics Engine is a core server product that collects and aggregates key diagnostic, capacity, and usage information from an UnboundID server topology consisting of instrumented Directory Server, Directory Proxy Server, and Synchronization Servers running release 3.5.0.0 and above. Metrics data can be explored and graphed using the included query-metric tool, and the Metrics Engine REST API makes this information available to custom applications and third-party systems. To learn more about the Metrics Engine, please refer to the UnboundID Metrics Engine Administration Guide.

Known Issues and Workarounds

These were known issues at the time of the release of version 3.5.1.0 of the Data Metrics Server:

Resolved Issues

These issues were resolved with version 3.5.1.0 of the Data Metrics Server:

No information is available