Release notes

Issue PAPQ-1034

PingAccess 6.3 deployments that use the Sideband API feature can’t be upgraded using the zero downtime upgrade procedure. You must use a planned outage to upgrade such an environment.

Issue PA-1894

Incorrect handling for IPv6 literals in host header. Note that IPv6 isn’t currently supported.

Issue PA-2896

Request preservation isn’t supported with Safari Private Browsing.

Issue PA-4888

Engines and admin replicas don’t connect to the admin console if a combination of IP addresses and DNS names are used.

Issue PA-6262

The token processor can’t connect to a JWKS endpoint via SSL when using an IP instead of a hostname. To workaround this issue, add the hostname as the subject alt name on the key pair.

Issue PA-8651

Firefox doesn’t correctly support the HTML5 time tag. When using the time range rule, enter time in 24-hour format.

Issue PA-10505

Upgrades will fail with a risk-based authorization rule if a third-party service isn’t used in the rule.

Issue PA-11390

If you create multiple virtual hosts with a shared hostname and associate the hostname with a server key pair, the virtual hosts retain the connection with the server key pair even if they are subsequently renamed. The virtual host must be deleted and recreated to remove the association.

Issue PA-12647

Asynchronous front-channel logout might fail in some browsers depending on end-user settings. You can find browser-specific workarounds in Managing single logout in different browsers in the Ping Identity Knowledge Base.

Issue PA-13214

Invalid special characters ((),/;<⇒?@[\]\{}") can be added to the certificate to Header Mapping field in an identity mapping. Adding this identity mapping to an application will cause 400 errors when the application is accessed.

Issue PA-13500

Assigning a new key pair to the Admin HTTPS listener if the browser doesn’t trust the new key pair can prevent the UI from functioning. The workaround is to close the browser and reopen it so that all connections to the admin node use the new certificate.

Issue PA-14239

If PingAccess is repeatedly stopped and restarted in FIPS mode, subsequent restarts can take up to 5 minutes to complete. The workaround is to use a tool such as rng-tools to refresh /dev/random and make more entropy available faster. For example:

Issue PA-14414

CloudHSM functionality works in FIPS mode but not in regular mode for Java8u261 and later. RSASSA-PSS signing algorithms fail with Java8u261 or later, and HSM vendors and core Java use different naming conventions for the RSASSA-PSS algorithm. There is a documented workaround in Adding an AWS CloudHSM provider.

Issue PA-14466

Due to an outstanding defect in the Kong API Gateway, the ping-auth plugin currently doesn’t support requests that utilize the Transfer-Encoding header. If PingAccess is used as the external authorization server, the rewrite content rule can prevent the page from displaying.

Issue PA-14621

If a client certificate has a certificate revocation list (CRL) DistributionPoint that points to an extremely large CRL, PingAccess might suffer from high memory usage leading to Out of memory (OOM) exceptions.

Issue PA-14907

After starting PingAccess for the first time on a Windows system or upgrading PingAccess on a Windows system, a warning message is logged reporting that the pa.jwk file was not made non-executable. This message can be ignored.

Issue PA-14978

A race condition caused by importing applications with significant reuse of virtual hosts or context roots can deadlock the Apache Derby DB.

PingAccess 7.3 added systematic deadlock handling to reattempt operations that lead to a deadlock condition in Apache Derby. Learn more about this original fix in PA-14974 in the PingAccess 7.3 release notes.

However, a specific fix for this deadlock scenario will be added in a future release to reduce wasted cycles and warning or error log messages.

Issue PA-14985

There are a few potential scenarios when the PingAccess data layer might encounter deadlocks. PingAccess should be able to recover from these deadlocks, so hibernate error logs can be ignored when followed by the log message Recovered from database deadlock with transaction retry.

Issue PA-15351

If you have the administrative console and API open at the same time and you’re on a console page that isn’t Log Settings, the Log Settings page won’t immediately populate any log changes that you make in the API.

To work around this issue, go to the Log Settings page. Perform a hard refresh, or go to another page and then return to Log Settings.

Issue PA-15499

Mutual TLS with a backend site that requires post-handshake authentication isn’t supported when using TLS 1.3. Current workaround options are to remove the requirement for post-handshake authentication from the backend site or to disable TLS 1.3.

Issue PA-15559

Currently, SNI is only set up for virtual hosts that are actively configured in an application. This can prevent PingAccess from presenting an expected certificate for a given redirect host.

The workaround is to configure the source host in a redirect as the virtual host for a disabled PingAccess application.

Issue PA-15785

Rule sets or rule set groups containing a singular CORS rule can’t be assigned to applications or resources. Attempts result in the following validation error:

Issue PA-15863

Saving a configuration in the PingAccess administrative console overwrites the values of the API-only fields sslCiphers and sslProtocols.

This issue is only relevant for the following pages in the administrative console:

It affects the following administrative API endpoints:

Issue PA-15928

Federal Information Processing Standards (FIPS) mode doesn’t work with Safenet Luna HSM. Trying to configure a key pair or enter FIPS mode with a key pair already configured causes a Null Pointer Exception error.

Issue PA-15929

Federal Information Processing Standards (FIPS) mode can’t be used with ACME certificate management if you need to create an ACME account.

Issue PA-16094

Performing PingOne Protect device profiling with Chrome Devtools open causes an infinite loop. To proceed with device profiling, close Chrome Devtools.

Issue PA-16103

Key pairs stored in a Safenet Luna HSM cause SSL exceptions if using Luna HSM Client 10.8.

A potential workaround for this issue is to disable TLS 1.3 and RSASSA-PSS in the run.properties file. You can find more information in the TLS/SSL section of the PingAccess Configuration file reference.

Issue PA-16104

PingAccess fails to shut down when the Safenet Luna HSM libCryptoki2.so directory is in the deploy directory, which is a deployment requirement for Adding a Safenet Luna provider on a Linux system. This is an issue specific to Luna HSM Client 10.8.

Issue PA-16230

Trying to access the Swagger 1.2 specification information for specific individual endpoints (such as /pa-admin-api/v3/api-docs/pa/accessTokenValidators) currently results in a 404 Not Found error.

This happens because Swagger 1.2 isn’t fully compatible with JDK 17. Ping Identity recommends using the OAS 2.0 specifications instead, which you can find at https://<pa_admin_host>:<pa_admin_port>/pa-admin-api/v3/api-docs/pa/api-docs-v2.json. Learn more in Administrative API endpoints.

Issue PA-16236

Trying to use CloudHSM key pairs in Managing Federal Information Processing Standards (FIPS) mode prompts an ERR_SSL_PROTOCOL_ERROR message.