Documentation updates

Added how-to pages for seven common use cases.

Extended HDAP documentation with sample code for JavaScript (Node.js), Python, and Ruby.

Improved the accuracy of LDAP and Prometheus metrics reference documentation.

Fixed errors and misstatements.

Improved replication monitoring examples for LDAP and Prometheus.

Fixed inaccuracies in the description of persistent searches.

Fixed the import-ldif command help to clarify how online commands resolve paths to LDIF files.

Clarified connectivity requirements in the procedure on restoring data to a known state during disaster recovery.

Fixed inaccuracies in the documentation about subtree replication and subordinate backends.

Removed references to ds-mon-requests-rejected-queue-full from the documentation. DS 6.5.4 removed this metric, though it remained in the LDAP schema.

The Log message reference now documents all messages including those related to backup.

DS documentation now depicts simpler but sufficient deployments with fewer servers for the following benefits:

Added Efficiently store backup files.

Updated Cache internal nodes to fix the advice about DB cache metrics.

Updated Use your own cryptographic keys to list required settings for X.509 key usage extensions.

Updated Track last login time and Active accounts to explain last login time format alternatives.

Updated the supportextract reference to clarify why the command requires the top -H option.

Added Different data under different base DNs to clarify why reusing base DNs for multiple setup profiles can lead to errors.

Fixed the JSON File Based Access Log Publisher reference to indicate you can change the log-directory setting without restarting the component.

Updated the pages on upgrade to clarify which steps apply only to upgrades from DS 6.5 and earlier.

Updated After you upgrade to clarify which steps are required.

Corrected an example in Audit configuration changes.

Updated Indexes to improve the explanation of big indexes.

Updated HTTP-based monitoring to clarify that the /metrics/api endpoint represents a collection you query, and requires a _queryFilter query string parameter.

Fixed the LDAP metrics reference and Prometheus metrics reference to remove obsolete metrics that were previously identified as removed in the release notes.

Updated the Java prerequisites section to recommend Java 11.0.12 or later for deployments on Java 11.

Added Replication status (LDAP) to explain the ds-mon-status attribute values, and actions to take when the status is not Normal.

Added Debug a missing index, and updated the page to clarify answers to common questions about indexing.

Added Cloud storage samples to show realistic commands for backing up and restoring data at cloud providers.

Updated JSON query filters and added Complex JSON queries to demonstrate support for complex JSON query filters.

Added Check account usability to demonstrate use of the LDAP account usability control.

Added Test password policies to suggest using the DS password quality advice features to evaluate the effectiveness of a new password policy.

Updated the steps in Bootstrap replication servers to clarify that you only need to restart the server after changing its configuration if the server loads the list of bootstrap replication servers from the environment.

Corrected an example in Audit Configuration Changes.

Fixed the LDAP Metrics Reference and Prometheus Metrics Reference to remove obsolete metrics that were previously identified as removed in the release notes.

Fixed the text to align with the example in When Adding New Servers.

Updated Configure a NIST-Inspired Subentry Policy to clarify the default PBKDF2 iteration settings for the enabled password storage schemes.

Updated Java to clarify that to use TLS 1.3 with PKCS#11, DS requires Java 11.0.8 or later.

Updated Deployment Keys to clarify that the need for a single, unique deployment key and password per deployment.

Mentioned support for Java 17.

Updated Encrypt changelog data to clarify that changelog encryption affects only data on disk.

Updated JMX-based monitoring to show how to connect with a user using a simple bind and an insecure connection.

Updated Fractional replication to clarify which attributes are replicated everywhere in the fractional replication deployment pattern.

Updated Deployment IDs to clarify that a deployment ID is required for all deployments.

Updated Antivirus interference to limit the scope of what you allow antivirus and intrusion detection software to scan.

Updated When adding new servers and Clean up admin data to be more explicit about when to start new DS 7 servers, and when to retire older servers.

Added Cloud storage samples to show realistic commands for backing up and restoring data at cloud providers.

Added Stop replicating permanently to clarify how to remove a server from a replication topology.

Added Filtering results (Prometheus) demonstrating how to filter Prometheus output by changing configuration settings.

Clearly indicate in Java that DS requires Java 11.0.6 or later.

Updated Clean up admin data to clarify that before removing admin data, you must replace or remove references to admin data from your configuration.

Corrected the command in Read-only replicas that configures a server to accept replication updates, and refuse updates from client applications.

Updated the list of actions at the beginning of After you upgrade to clarify when and how to change bootstrap replication server settings in an upgrade that involves adding new servers and retiring old servers.

Updated Troubleshooting to clarify that proxied authorization as an anonymous user is supported, but not recommended.

Added Add a bootstrap replication server to demonstrate the command to configure a new bootstrap replication server.

Updated Enable StartTLS and Set the HTTPS Port to clarify when you might need to use the ssl-cert-nickname setting.

Updated Install DS as an IDM repository and Install DS for user data to clarify why to use the am-identity-store setup profile when storing AM identities.

Added Check profiles to indicate how to list the profiles selected at setup time.

Fixed the procedures in After you upgrade to retain access to required secret keys when upgrading a production-mode server in place.

Updated Manual initialization to clarify the limitations of alternative methods for manually initializing replicas.

Added Replication Status (LDAP) to explain the ds-mon-status attribute values, and actions to take when the status is not Normal.

Updated Install DS for custom cases to clarify the steps to follow when you set up DS replicas without a setup profile, and then create backends that you want to replicate.

Corrected Replication and data sovereignty to indicate that the top entries in the example domain should not be replicated.

Added a note to Initialize from LDIF that clarifies when to follow the steps in Restore to a known state instead.

Described how to Add a monitor user account after upgrading a service without a replicated account for monitoring.

Added Install with existing cryptographic keys, and procedures for using your own keystores and truststores for transport layer security in Key management.

Updated Delete entries and Delete (REST) to clarify that deleting a subtree can be a resource-intensive operation. The resources required to remove a branch depend on the number of LDAP entries to delete.

Updated Incompatible changes to clarify that the dskeymgr command no longer supports using the --alias and --outputFile options together.

Updated About the evaluation setup profile and Proxied authorization to clarify that if you are not using the DS evaluation setup profile, you must correctly configure access for successful proxied authorization.

Adapted the Upgrade pages to make them easier to use:

Added Back sp using snapshots and Restore from a snapshot to explain the constraints when using file system snapshots for backing up and restoring directory data.

Updated Rebuild indexes to reflect best practices.

Updated Cache internal nodes to clarify what to monitor when determining whether to add memory for DB cache.

Restored Estimate minimum DB cache size.

Updated Add a base DN to a backend to show how to create a replication domain for the new base DN.

Updated Cloud storage to mention the need for access to delete files, and the need to restart DS after setting environment variables.

Updated Read schema to explain key features of attribute type definitions.

Added an example password policy that configures account lockout in Lock accounts after repeated bind failures.

Updated ACI subjects to clarify how the security strength factor (ssf) setting in ACIs can help neutralize STRIPTLS attacks.

Added a table of default global access control policies in Proxy global policies.

Updated REST API documentation as the setup process disables API descriptors by default.

Updated the documentation to point to these release notes.

Updated LDAP Metrics Reference and Prometheus Metrics Reference to remove deleted monitoring metrics.

Clearly indicated that DS requires Java 11.0.6 or later.

Updated Troubleshooting to clarify that proxied authorization as an anonymous user is supported, but not recommended.

Updated Manual Initialization to clarify the limitations of alternative methods for manually initializing replicas.

Added a note in Initialize from LDIF that clarifies when to follow the steps in Restore to a Known State instead.

Corrected Replication and Data Sovereignty to indicate that the top entries in the example domain should not be replicated.

Described how to Add a Monitor User Account after upgrading a service without a replicated account for monitoring.

Updated Rebuild Indexes to note that, when a server rebuilds an index online, the data in the affected database backend is temporarily unavailable to client applications.

Added Back Up Using Snapshots and Restore From a Snapshot to explain the constraints when using file system snapshots for backing up and restoring directory data.

Updated Restore to clarify that even a single directory server replica replays changes after you restore data, and to link to the procedure for restoring data to a known state, should you choose to prevent this.

Added Remove a Bootstrap Replication Server to demonstrate how to purge a bootstrap replication server from other servers' configurations.

Updated the release notes to mention known issue OPENDJ-7905.

Adapted the Upgrade Guide to make it easier to use:

Updated When Adding New Servers to reiterate that replication configuration now happens at setup time.

Updated Install DS for User Data to clarify that the procedure is for installing your own user data.

Updated Restrict Protocols and Cipher Suites to correct the examples demonstrating how to configure a server to require TLSv1.3.

Updated List Protocols and Cipher Suites to correct the description of the ECDHE_RSA algorithm.

Updated Use a Non-Default Superuser Account to add the missing cn attribute in the sample alternative directory superuser entry.

Updated Use the Debian Package to demonstrate installing the java11-runtime virtual package, which is a dependency of the DS Debian package.

Fix Javadoc search box.

Best practices

Better examples

Errata

Reorganization

Replication

REST

Security

Setup

Corrected a link in Product Improvements.

Added Linux Page Caching to explain how to avoid long pauses when the kernel flushes dirty pages to disk.

Added a note in To Initialize All Servers From the Same LDIF that clarifies when to follow the steps in To Restore All Replicas to a Known State instead.

Corrected Data Replication and Data Sovereignty to indicate that the top entries in the example domain should not be replicated.

Updated HTTP-Based Monitoring and LDAP-Based Monitoring to clarify that the current replication delay metric is only meaningful once the server has received replication updates.

Updated Rebuilding Indexes to note that, when a server rebuilds an index online, the data in the affected database backend is temporarily unavailable to client applications.

Updated Troubleshooting TLS/SSL Connections and How Certificates are Used to add an example command that demonstrates how to list trusted certificates with the Java 8 keytool command.

Fixed the list of known issues for 6.5.0.

Updated Monitoring Metrics to add notes that some JVM metrics, particularly GC-related metrics, depend on the JVM version and configuration.

Updated Fulfilling Storage Requirements to highlight that DS servers do not support NFS for directory data.

Fixed the port number for the first server in Trying Replication.

Updated To Enable the External Change Log to clarify which configuration is required, and to cover standalone directory servers.

Added an explanation for Crypto Manager support for PKCS#11 modules.

Changed dsreplication enable to dsreplication configure in examples.

Removed obsolete options in ldifdiff examples.

Added OPENDJ-5423 to the list of fixes for DS 6.5.1.

Updated Changing Server Certificates to clarify that, when using a keystore to hold DS server keys, the password for the keystore and any private keys it contains must be the same.

Updated To Allow a User to Read the Change Log to include access to changelog attributes on the root DSE entry. The IDM liveSync feature requires access to these attributes.

Updated LDAP Metrics by Name to fix the types of the ds-mon-updates-inbound-queue and ds-mon-updates-outbound-queue metrics, which are integers.

Added Replication Network Use and Operations to describe how replication uses DS server ports that must remain open to remote clients.

Updated Troubleshooting LDIF Import to reference the correct configuration property for relaxing syntax checking.

Updated Running in a Container as the section is no longer relevant to Java 8 update 191 and later releases.

Updated Preventing Interference With Antivirus Software to clarify how to prevent interference.

Added To Disable Change Number Indexing to explain how to disable change number indexing when not needed. For example, disable change number indexing when using DS as a CTS store for AM.

Updated Metric Types to clarify the definitions of monitoring metrics.

Updated the release notes to indicate deprecated JVM monitoring metrics.

Added Upgrading System and Server Tuning to underline the importance of revisiting tuning settings during major version upgrades.

Updated To Set Up a Directory Proxy Server to clarify the requirements when setting up a directory proxy server in production mode.

Added On Using a Load Balancer with recommendations for your deployment.

Updated Resetting the Directory Manager’s Password to indicate the default file that holds the directory superuser entry.

Added To Transform a Directory Server/Replication Server Into a Standalone Directory Server.

Updated Choosing the Listen Address for Replication to fix a broken link.

Updated Java Settings to remove mention of the -XX:+UseAES -XX:+UseAESIntrinsics options.

Updated Managing Data Replication to clarify that you should not run dsreplication configure and dsreplication initialize commands at the same time, nor should you run multiple dsreplication configure commands at the same time.

Updated documentation for all setup command profiles that now let you set the domain or the base DN.

Added a new guide, Getting Started , that provides a quick, hands-on looks at what Directory Services software can do.

Added a new chapter, Configuring REST APIs, focused on administrative work to build REST APIs.

Added a new chapter, Deploying for DevOps and SaaS, that focuses on use of DS software in DevOps and SaaS deployments.

Added a section, Setting Disk Space Thresholds For Replication Changelog Databases, showing how to set low and full disk thresholds for replication server changelog databases.

Updated To Add a New Replica to an Existing Topology to reflect the need to use the dsreplication command installed with a 2.6 server when adding a new server to a replication topology with 2.6.x servers.

Rewrote the section, Choosing Load Balancing Settings, to clarify how to choose among the alternatives offered by directory proxy servers.

Attribute Types now includes a Used By list in each table of attribute properties.

A new section shows how to back up and restore configuration files. Refer to Backing Up and Restoring Configuration Files.

Added a step in To Upgrade Replicated Servers showing how to add missing privileges to the global administrator account.

Added an example of the proxy user and ACI required on DS directory servers.

Corrected the synopsis for targattrfilters in ACI Targets.

Clarified in Updating Resources that an update operation requires a JSON payload including all the writable fields of the resource that you want to retain. The update replaces the writable fields of the resource with the values in your JSON payload.

Updated To Set Up JMX Access to explain how to avoid periodic full garbage collection events when using JMX.

Added To Disable Change Number Indexing to explain how to disable change number indexing when not needed. For example, disable change number indexing when using DS as a CTS store for AM.

Updated the list of fixed issues to include OPENDJ-4729.

Updated Preventing Interference With Antivirus Software to clarify how to prevent interference.

Fixed paths to point to the correct ads-truststore file location, which is now /path/to/opendj/db/ads-truststore by default.

Clarified that Solaris is no longer supported.

Corrected the synopsis for targattrfilters in ACI Targets.

Added a step in To Upgrade Replicated Servers showing how to add missing privileges to the global administrator account.

Added a Deployment Guide.

Updated Initializing Replicas to clarify the tradeoffs to consider when deciding how to initialize replication.

Updated Enforcing Strong Passwords and Strong Password Storage to improve the recommendations regarding password storage.

Added Adding a REST to LDAP Mapping for a Custom Object to demonstrate how to configure your REST to LDAP APIs.

Added Adding Subentry Password Policies to demonstrate how to use this feature with REST to LDAP.

The Javadoc now describes all ForgeRock classes and interfaces required to write server plugins and LDAP client applications.

Corrected the lists of key fixes for 5.5.0 and 5.5.1.

Added To Disable Change Number Indexing to explain how to disable change number indexing when not needed. For example, disable change number indexing when using DS as a CTS store for AM.

Added On Using a Load Balancer with recommendations for your deployment.

Updated Preventing Interference With Antivirus Software to clarify how to prevent interference.

Removed the -A option from the modrate and searchrate tools reference.

Clarified when you must use -XX:+UseCompressedOops.

Documented the impact of the name change from OpenDJ to ForgeRock Directory Services.

Documented that each backend needs its own backup directory in Backing Up Directory Data.

Clarified that Solaris is no longer supported.

Fixed contradictory tuning advice for JVM new generation in Java Settings.

Corrected the synopsis for targattrfilters in ACI Targets.

Updated Using Built-In Functions to reflect that the read() and readProperties() functions require absolute paths, not relative paths.

Fixed the example for setting group-id on a replication server in To Set Up Replication Groups.

Fixed the explanation of how the REST to LDAP gateway maps an HTTP Basic user name to an LDAP bind DN in Gateway Configuration File.

Fixed broken links to the Configuration Reference.

Sorted properties correctly in the Configuration Reference.

Fixed an error in the online LDIF export example shown in To Export LDIF Data.

The Javadoc now describes all ForgeRock classes and interfaces required to write server plugins and LDAP client applications.

A new LDAP Schema Reference is available.

Database Cache Settings now better describes caching for larger directories, such as those with 10 million entries or more.

Initializing Replicas has been updated to suggest how to initialize replication depending on your circumstances.

The documentation on Breaking a Multi-Role Server Into Standalone Components has been removed.