PingAccess

Installation requirements

Before you install PingAccess, review the following system, hardware, and port requirements.

System requirements

Make sure your system meets the following requirements for PingAccess deployment and configuration.

Ping Identity qualifies the following configurations and certifies that they are compatible with the product. Variations of these platforms, such as differences in operating system version or service pack, are supported until the platform or other required software creates potential conflicts.

PingAccess supports IPv4 addressing. There is currently no support for IPv6 addressing.

System component Requirements

Operating systems

PingAccess was tested with default configurations of operating system components. If your organization has customized implementations or has installed third-party plug-ins, deployment of the PingAccess server might be affected.

  • Amazon Linux 2

  • Amazon Linux 2022

  • Canonical Ubuntu 18.04

  • Canonical Ubuntu 20.04

  • Canonical Ubuntu 22.04

  • Microsoft Windows Server 2016 (x64)

  • Microsoft Windows Server 2019 (x64)

  • Microsoft Windows Server 2022 (x64)

  • Oracle Enterprise Linux 7.9 (Red Hat Compatible Kernel)

  • Oracle Enterprise Linux 8.6 (Red Hat Compatible Kernel)

  • Red Hat Enterprise Linux ES 7.9

  • Red Hat Enterprise Linux ES 8.6

  • Red Hat Enterprise Linux 9.1

  • SUSE Linux Enterprise Server 12 SP5

  • SUSE Linux Enterprise Server 15 SP4

Docker support

  • Docker version: 20.10.17

  • Host operating system: Canonical Ubuntu 18.04.3 LTS

View the PingAccess Docker image on DockerHub. Visit Ping Identity’s DevOps documentation for more information. Note that only the PingAccess software is licensed under Ping Identity’s end user license agreement, and any other software components contained within the image are licensed solely under the terms of the applicable open source or third-party license.

Ping Identity accepts no responsibility for the performance of any specific virtualization software and in no way guarantees the performance or interoperability of any virtualization software with its products.

Virtual systems

Although Ping Identity doesn’t qualify or recommend any specific virtual machine (VM) products, PingAccess runs well on several, including VMware, Xen, and Windows Hyper-V.

This list of products is provided for example purposes only. We view all products in this category equally. Ping Identity accepts no responsibility for the performance of any specific virtualization software and does not guarantee the performance or interoperability of any VM software with its products.

Java environments

  • Amazon Corretto 8 (64-bit)

  • Amazon Corretto 11 (64-bit)

  • Amazon Corretto 17 (64-bit)

  • OpenJDK 11 (64-bit)

  • OpenJDK 17 (64-bit)

  • Oracle Java SE Runtime Environment (Server JRE) 8 (64-bit)

  • Oracle Java SE Development Kit (JDK) 11 (64-bit)

  • Oracle Java SE Development Kit (JDK) 17 (64-bit)

The Ping Identity Java Support Policy applies. For more information, see the Ping Identity Java support policy.

PingFederate

The following versions of PingFederate are fully certified with this version of PingAccess:

  • PingFederate 10.3

  • PingFederate 11.2

Other versions of PingFederate are expected to be compatible with this version of PingAccess as per Ping’s end of life policy.

Some features rely on a specific version of PingFederate to work. This will always be noted in the feature’s description.

End-user browsers

  • Google Android (Chrome)

  • Google Chrome

  • Microsoft Edge

  • Mozilla Firefox

  • Apple iOS (Safari)

  • Apple Safari

Admin console browsers

  • Google Chrome

  • Microsoft Edge

  • Mozilla Firefox

Audit event storage (external database)

  • MS SQL Server 2017

  • MS SQL Server 2019

  • Oracle 19c

  • PostgreSQL 11.5

  • PostgreSQL 13

Hardware security module

For information about configuring a hardware security module (HSM), see Hardware security module providers. PingAccess certifies the following HSMs:

  • AWS CloudHSM 3.0.0

  • Thales Luna Cloud HSM Services and Luna Network HSM (Luna HSM Client 10.4)

You must use Java 8 if you plan to use a hardware security module.

Supported HTTP versions

  • HTTP 1.1

OpenID Connect (OIDC) providers

These are the most common providers; however, Ping strives to support any third-party OIDC-compliant provider.

Provider: Provider Type

  • PingFederate: PingFederate

  • PingOne for Enterprise: Common

  • PingOne SSO: PingOne

  • Azure: Common

  • Okta: Common

Hardware requirements

Although it’s possible to run PingAccess on less powerful hardware, the following guidelines accommodate disk space for default logging and auditing profiles and CPU resources for a moderate level of concurrent request processing.

Although the requirements for different environments vary, run PingAccess on hardware that meets or exceeds these specifications:

  • Multi-CPU/Cores (8 or more)

  • 4 GB of RAM

  • 2.1 GB of available hard drive space

Port requirements

PingAccess uses ports and protocols to communicate with external components. This information provides guidance for firewall administrators to ensure that the correct ports are available across network segments.

Direction refers to the direction of requests relative to PingAccess:

Inbound requests

Requests that PingAccess receives from external components.

Outbound requests

Requests that PingAccess sends to external components.

Service Port details Source Description

PingAccess administrative console

  • Protocol: HTTPS

  • Transport: TCP

  • Default port: 9000

  • Destination: PingAccess admin console

  • Direction: Inbound

Source: PingAccess administrator browser, PingAccess administrative application programming interface (API) REST calls, PingAccess replica admin and clustered engine nodes

Description: Used for incoming requests to the PingAccess administrative console. Configurable using the admin.port property in the run.properties file. For more information, see the Configuration file reference guide.

This port is also used by clustered engine nodes and the replica admin node to pull configuration data using the admin REST API.

PingAccess cluster communications port

  • Protocol: HTTPS

  • Transport: TCP

  • Default port: 9090

  • Destination: PingAccess admin console

  • Direction: Inbound

Source: PingAccess administrator browser, PingAccess administrative API REST calls, PingAccess replica admin and clustered engine nodes

Description: Used for incoming requests where the clustered engines request their configuration data. Configurable using the clusterconfig.port property in the run.properties file. For more information, see the Configuration file reference guide.

This port is also used by clustered engine nodes and the replica admin node to pull configuration data using the admin REST API.

PingAccess engine

  • Protocol: HTTP/HTTPS

  • Transport: TCP

  • Default port: 3000 (any additional engine listener ports defined in the configuration must be open as well)

  • Destination: PingAccess engine

  • Direction: Inbound

Source: Client browser, mobile devices, PingFederate engine

Description: Used for incoming requests to the PingAccess runtime engine. Configurable using the Listeners configuration page. For more information, see the PingAccess user interface reference guide.

PingAccess agent

  • Protocol: HTTP/HTTPS

  • Transport: TCP

  • Default port: 3030

  • Destination: PingAccess engine

  • Direction: Inbound

Source: PingAccess agent

Description: Used for incoming Agent requests to the PingAccess runtime engine. Configurable using the agent.http.port property of the run.properties file. For more information, see the Configuration file reference guide.

PingFederate traffic

  • Protocol: HTTPS

  • Transport: TCP

  • Default port: 9031

  • Destination: PingFederate

  • Direction: Outbound

Source: PingAccess engine

Description: Used to validate OAuth access tokens and ID tokens, make Security Token Service (STS) calls for identity mediation, and return authorized information about a user.

Configurable using the PingFederate Settings page within PingAccess. For more information, see the PingAccess user interface reference guide.
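
A firewall allow-list derived from the port table above, as an added example that is not Ping Identity's own code: it reads the admin.port, clusterconfig.port and agent.http.port overrides from run.properties content and falls back to the documented defaults. The sample file content, the service labels and the rule layout are constructed, and the collision check assumes all inbound listeners run on one host.

```python
# Defaults and property names are taken from the port table above.
# (service label, run.properties key or None, default port, direction)
PORT_TABLE = [
    ("admin-console", "admin.port", 9000, "inbound"),
    ("cluster-config", "clusterconfig.port", 9090, "inbound"),
    ("engine", None, 3000, "inbound"),         # set on the Listeners page
    ("agent", "agent.http.port", 3030, "inbound"),
    ("pingfederate", None, 9031, "outbound"),  # set on PingFederate Settings
]

# Constructed sample content, not taken from a real deployment.
SAMPLE_RUN_PROPERTIES = """\
# admin console moved off the default
admin.port=9443
clusterconfig.port=9090
"""


def parse_properties(text):
    """Parse key=value lines; blank lines and # or ! comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def effective_rules(properties_text):
    """Return one TCP rule per service, rejecting bad or colliding ports."""
    props = parse_properties(properties_text)
    rules, inbound_seen = [], {}
    for service, key, default, direction in PORT_TABLE:
        raw = props.get(key) if key else None
        port = default if raw is None else int(raw)  # ValueError if not numeric
        if not 1 <= port <= 65535:
            raise ValueError(f"{key}={raw!r} is outside the TCP port range")
        if direction == "inbound":
            if port in inbound_seen:
                raise ValueError(f"{service} and {inbound_seen[port]} both use {port}")
            inbound_seen[port] = service
        rules.append({"service": service, "port": port, "proto": "tcp",
                      "direction": direction, "overridden": port != default})
    return rules
```

Engine listener ports beyond the default 3000 are defined on the Listeners page rather than in run.properties, so they have to be added to the resulting rule set by hand.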