PingAccess Agent for IIS

Configuration

The PingAccess Agent for IIS configuration is managed through the Internet Information Services (IIS) Manager application. During the installation of the agent, a configuration schema extension is added to the system.webServer section. This schema extension adds the two configuration options defined in the following table:

| Parameter | Definition | Default Value |
|---|---|---|
| PaaCertificateDir | String value containing the path to the certificates extracted from the .properties files. | C:\Program Files\Ping Identity\PingAccess Agent for IIS\certs |
| PaaPropertyFiles | List of .properties files which store configuration data used to connect the agent to the PingAccess engine nodes the agent will communicate with. | C:\Program Files\Ping Identity\PingAccess Agent for IIS\agent.properties |

Note: It is not necessary to make any changes to these configuration parameters if the steps in the Installation section were followed.

The configured agent.properties files can contain the following parameters:

| Parameter | Definition | Default Value |
|---|---|---|
| agent.engine.configuration.scheme | The URI scheme used to connect to the engine node. Valid values are http and https. | https |
| agent.engine.configuration.host | The PingAccess hostname. | The value in the Agent Node's PingAccess Host field. |
| agent.engine.configuration.port | The port the agent connects to on the PingAccess host. This value is defined in the PingAccess run.properties file. | Defined in the PingAccess Admin UI |
| agent.engine.configuration.username | The unique agent name that identifies the agent in PingAccess. | Defined in the PingAccess Admin UI |
| agent.engine.configuration.shared.secret | The password used to authenticate the agent to the engine. | Defined in the PingAccess Admin UI |
| agent.engine.configuration.bootstrap.truststore | The base64-encoded public certificate used to establish HTTPS trust by the agent to the PingAccess engine. | Generated by PingAccess |
| agent.engine.configuration.maxConnections | The number of connections a single web server worker process maintains to the PingAccess engine defined in the agent.engine.configuration.host parameter. | 10 |
| agent.engine.configuration.timeout | The maximum time (in milliseconds) a request to PingAccess can take from the agent. If this time is exceeded, the client will receive a generic 500 Server Error response. | 30000 |
| agent.engine.configuration.connectTimeout | The maximum time (in milliseconds) the agent can take to connect to the PingAccess engine. If this time is exceeded, the client will receive a generic 500 Server Error response. | 30000 |
| agent.cache.missInitialTimeout | The maximum time (in milliseconds) a web server worker process waits for a response to a policy cache request sent to other web server worker processes. | 5 |
| agent.cache.broker.publisherPort | The network port web server processes use to publish policy cache requests to other web server worker processes. This port is bound to the localhost network only. | 3031 |
| agent.cache.broker.subscriberPort | The network port web server processes use to receive policy cache requests from other web server worker processes. This port is bound to the localhost network only. | 3032 |
| agent.cache.maxTokens | The maximum number of tokens stored in the policy cache for a single web server worker process. A value of 0 means there is no maximum. | 0 |
| agent.cache.disabled | Determines whether caching of policy decisions is enabled or disabled. A value of 1 disables caching, forcing the agent to communicate with the PingAccess host any time a policy decision needs to be made. See the notes below this table. | 0 |

Setting agent.cache.disabled to 1 may be desired when using PingAccess 3.1 or earlier with the following rule types:
  • Groovy Script Rule
  • HTTP Request Rule
  • Network Range Rule
  • Time Range Rule

Note: PingAccess 3.2 does require the cache be disabled in order to process these rules correctly from an agent.

This may also be desirable for custom rules created using the PingAccess SDK that involve data that changes with every request within a resource and session.

Warning: Disabling caching has a significant impact on the scalability of the PingAccess Policy servers, as every rule evaluation is processed by the Policy Server. This option should only be used as a last resort because of the performance penalty.

Changes to the agent.properties file require a restart of the web server.

Tip: See the Performance Tuning Guide for discussion on improving agent performance.
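
As an added example (not part of the PingAccess documentation or Ping Identity's code), the following Python script checks the contents of an agent.properties file against the parameter table above: the scheme is http or https, the connection values are present, numeric values are well-formed, and policy caching has not been disabled. The parse_properties and lint helpers, the finding texts and the sample file are constructed for illustration, and plain key=value lines are assumed.

```python
# Added example: lint agent.properties text against the parameter table above.
P = "agent.engine.configuration."
DEFAULTS = {  # defaults as listed in the table on this page
    P + "scheme": "https", P + "maxConnections": "10",
    P + "timeout": "30000", P + "connectTimeout": "30000",
    "agent.cache.missInitialTimeout": "5", "agent.cache.maxTokens": "0",
    "agent.cache.broker.publisherPort": "3031",
    "agent.cache.broker.subscriberPort": "3032", "agent.cache.disabled": "0",
}

def parse_properties(text):  # assumption: key=value lines, no continuations
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # skip blanks, comments and malformed lines
        key, value = line.split("=", 1)  # split once: base64 may end in '='
        props[key.strip()] = value.strip()
    return props

def lint(text):
    cfg = {**DEFAULTS, **parse_properties(text)}  # file values override defaults
    findings = []
    scheme = cfg[P + "scheme"]
    if scheme not in ("http", "https"):
        findings.append(P + "scheme: invalid value " + repr(scheme))
    elif scheme == "http":
        findings.append(P + "scheme: http, agent-to-engine traffic has no TLS")
    elif not cfg.get(P + "bootstrap.truststore"):
        findings.append(P + "bootstrap.truststore: not set but scheme is https")
    for key in ("host", "port", "username", "shared.secret"):
        if not cfg.get(P + key):
            findings.append(P + key + ": not set")
    for key, default in DEFAULTS.items():
        if default.isdigit() and not cfg[key].isdigit():
            findings.append(key + ": expected a non-negative integer")
    if cfg["agent.cache.disabled"] == "1":
        findings.append("agent.cache.disabled: 1, every decision goes to the engine")
    return findings

# Constructed sample: hostname, port and agent name are placeholders.
SAMPLE = """\
agent.engine.configuration.scheme=http
agent.engine.configuration.host=pa-engine.example.internal
agent.engine.configuration.port=3030
agent.engine.configuration.username=iis-agent-01
agent.engine.configuration.timeout=30s
agent.cache.disabled=1
"""
```

Calling lint(SAMPLE) returns four findings: the http scheme, the missing shared secret, the non-numeric timeout and the disabled cache. Because changes to agent.properties only take effect after a web server restart, run the check before restarting.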
