PingAccess

Configuration file reference

You can configure any of the following parameters used by PingAccess at runtime in the <PA_HOME>/conf/run.properties file.

In a clustered environment, each node has a unique run.properties file. Because changes to the run.properties file can significantly impact performance, use an identical run.properties configuration on all engine nodes.

Changes made to the run.properties file will take effect after the PingAccess service is restarted on the given node.

When storing passwords in run.properties, you should obfuscate them using the obfuscate.bat or obfuscate.sh utility to mask the password value. This utility is located in the <PA_HOME>/bin folder.

If you are running PingAccess in FIPS mode, all Secure Sockets Layer (SSL) cipher and protocol settings in the run.properties file are ignored. See Managing Federal Information Processing Standards (FIPS) mode for information about the protocols and ciphers used in this mode.

Operational mode

For more information about operational modes in PingAccess, see the following guides.

pa.operational.mode

Controls the operational mode of the PingAccess server in a cluster. Valid values are:

Value Description

STANDALONE

Use this value for a standalone (unclustered) PingAccess instance that runs both the administrative console and the engine. This is the default value.

CLUSTERED_CONSOLE

Use this value for the server instance you want to use as the administrative console server.

Only one engine in a cluster can run the administrative console.

CLUSTERED_CONSOLE_REPLICA

Use this value for the server instance you want to use as the backup administrative console server.

CLUSTERED_ENGINE

Use this value to indicate a server engine.

Define the following Engine and Admin properties depending on what operational mode an engine is using.

  • Define all Engine and Admin properties when pa.operational.mode is set to STANDALONE.

  • Define only the Admin properties when using CLUSTERED_CONSOLE or CLUSTERED_CONSOLE_REPLICA mode.

  • Define only the Engine properties when using CLUSTERED_ENGINE mode.

Admin properties

For more information about administrative properties, see the following guides.

admin.port

Defines the TCP port on which the PingAccess administrative console runs. The default value is 9000.

admin.bindAddress

Defines the Internet Protocol (IP) address that admin.port will bind to. This is typically required on multihomed servers having multiple IP addresses. The default value of 0.0.0.0 means that the port will bind to all of the server’s IP addresses.

admin.ssl.protocols

Defines the protocols for use with administrative HTTPS ports. The default value is $\{tls.default.protocols}, which uses the protocols specified by the tls.default.protocols parameter.

admin.ssl.ciphers

Defines the type of cryptographic ciphers available for use with administrative HTTPS ports. The default value is $\{tls.default.cipherSuites}, which uses the ciphers specified by the tls.default.cipherSuites parameter.

admin.acceptors

Defines the number of admin acceptor threads used to establish connections. The default value is 1.

admin.backlog

Defines the maximum queue length for incoming admin connection indications. The default value is 512.

admin.httptransport.coreThreadPoolSize

Defines the number of threads to keep in the admin transport pool, even if they are idle. The default value is 5.

admin.httptransport.ioThreads

Defines the number of I/O threads for the admin host. The default value is 0, which indicates that PingAccess should automatically calculate the appropriate number of I/O threads for the host.

admin.httptransport.maxThreadPoolSize

Defines the maximum number of threads for the admin transport pool. The default value is -1, which denotes no limit.

admin.httptransport.socketTimeout

Defines, in milliseconds, the admin socket timeout. The default value is 30000.

admin.auth

Overrides the administrator authentication method. For example, if single sign-on (SSO) authentication is enabled and is somehow misconfigured, this property can be used to bypass the database configuration and force the use of Basic Authentication. The default value is default. A value of native overrides the administrator authentication method, meaning that only the local administrator credentials can be used to access the PingAccess console.

admin.reuseAddress

When enabled, allows a process to bind to a port which remains in a TIME_WAIT state for the admin transport. The default value is true.

admin.max.request.bodylength

Defines, in megabytes, the maximum body length for a request to the administrative application programming interface (API) endpoint. The default value is 15.

admin.ui.max.sessions

Defines the maximum number of sessions for the admin UI when admin single logout (SLO) is not enabled. The default value is 100.

admin.export.encryption.mode

Specifies how sensitive data should be encrypted on export. The default value is MASTER_KEY, which uses the system default master key for encryption. The PORTABLE_INSECURE value uses a randomly generated key for each export and includes the key in the export data. This method allows the exported data to be imported anywhere, including another cluster with a different master key, but since it includes the key it can present a significant security risk.

admin.startup.config.import.failfast

Defines the behavior when attempting to import a configuration file on startup. A value of true stops at the first failure, while a value of false continues and notes all errors. The default value is false.

Token provider communication settings

For more information about token providers, see the token providers section of the PingAccess User Interface Reference Guide.

pa.default.availability.ondemand.maxRetries

Defines the maximum number of retries before marking the target system down. The default value is 2.

pa.default.availability.ondemand.connectTimeout

Defines, in milliseconds, the amount of time to wait before trying to connect to the remote host. The default value is 10000.

pa.default.availability.ondemand.retryDelay

Defines, in milliseconds, the amount of time to wait after a timeout before retrying the host. The default value is 250.

pa.default.availability.ondemand.failedRetryTimeout

Defines, in seconds, the amount of time to wait before retrying a failed host. The default value is 60.

pa.default.availability.ondemand.pooledConnectionTimeout

Defines, in milliseconds, the amount of time to wait before timing out the request for a pooled connection to the target site. The default value is -1, which indicates no timeout.

pa.default.availability.ondemand.readTimeout

Defines, in milliseconds, the amount of time to wait before timing out the read response for a target site. The default value is -1, which indicates no timeout.

Cluster configuration settings

For more information about cluster configuration, see the Clustering Reference Guide.

clusterconfig.enabled

When enabled, uses the cluster configuration port for cluster replication. When disabled, the admin port is used for cluster configuration replication. The default value is true.

This parameter is set to false by the PingAccess Upgrade Utility after a PingAccess cluster is upgraded from a version earlier than 4.0.

clusterconfig.port

Defines the optional port used for cluster configuration. The default value is 9090.

clusterconfig.bindAddress

Defines the optional address used for cluster configuration. The default value is 0.0.0.0.

clusterconfig.acceptors

Defines the number of cluster configuration acceptor threads used to establish connections. The default value is 1.

clusterconfig.backlog

Defines the maximum queue length for incoming cluster configuration connection indications. The default value is 512.

clusterconfig.reuseAddress

When enabled, allows a process to bind to a port, which remains in a TIME_WAIT state for the cluster configuration transport. The default value is true.

clusterconfig.httptransport.socketTimeout

Defines, in milliseconds, the cluster configuration socket timeout. The default value is 30000.

clusterconfig.httptransport.ioThreads

Defines the number of I/O threads for the cluster configuration host. The default value is 0, which indicates that PingAccess should automatically calculate the appropriate number of I/O threads for the host.

clusterconfig.httptransport.coreThreadPoolSize

Defines the number of threads to keep in the cluster configuration transport pool, even if they are idle. The default value is 5.

clusterconfig.httptransport.maxThreadPoolSize

Defines the maximum number of threads for the cluster configuration transport pool. The default value is -1, which denotes no limit.

engine.admin.configuration.audience

Defines the audience used for cluster authentication. This property must be set to the same value on all nodes in a PingAccess cluster. The default value is PingAccessAdminServer.

engine.polling.initialdelay

Defines, in milliseconds, how long after the engine starts up before it begins to poll the administrative console for configuration information. The default value is 500.

engine.polling.delay

Defines, in milliseconds, how long after the prior query to the administrative console that the engine begins a new query for configuration information. The default value is 2000.

admin.polling.initialdelay

Defines, in milliseconds, how long after the replica administrative node starts up before it begins to poll the administrative console for configuration information. The default value is 500.

admin.polling.delay

Defines, in milliseconds, how long after the prior query to the administrative console that the replica administrative node begin a new query for configuration information. The default value is 2000.

pa.config.replication.readTimeout

Defines, in milliseconds, the amount of time to wait before timing out the read response for the administrative node. The default value is 30000.

pa.config.replication.maxRetries

Defines the maximum number of retries before marking the administrative node system down. The default value is 5.

pa.config.replication.connectTimeout

Defines, in milliseconds, the amount of time to wait before trying to connect to the administrative node. The default value is 5000.

pa.config.replication.retryDelay

Defines, in milliseconds, the amount of time to wait after a timeout before retrying the administrative node. The default value is 2000.

pa.config.replication.failedRetryTimeout

Defines, in seconds, the amount of time to wait before retrying a failed connection to the administrative node. The default value is -1, which indicates no timeout.

pa.config.replication.pooledConnectionTimeout

Defines, in milliseconds, the amount of time to wait before timing out the request for a pooled connection to the administrative node. The default value is -1, which indicates no timeout.

Engine properties

For more information about engine settings, see the following guides.

engine.http.bindAddress

Defines the address for an engine in a clustered environment. The default value is 0.0.0.0.

engine.http.acceptors

Defines the number of engine acceptor threads used to establish connections. The default value is 1.

engine.http.backlog

Defines the maximum queue length for incoming engine connection indications. The default value is 512.

engine.http.reuseAddress

When enabled, allows a process to bind to a port which remains in a TIME_WAIT state for the engine transport. The default value is true.

engine.http.enabled

Defines whether a STANDALONE or CLUSTERED_ENGINE node listens for requests on the ports defined by the Engine Listeners. The default value is true.

engine.httptransport.coreThreadPoolSize

Defines the number of threads to keep in the engine transport pool, even if they are idle. The default value is 5.

engine.httptransport.maxThreadPoolSize

Defines the maximum number of threads for the engine transport pool. The default value is -1, which denotes no limit.

engine.httptransport.socketTimeout

Defines, in milliseconds, the engine socket timeout. The default value is 30000.

engine.httptransport.ioThreads

Defines the number of I/O threads for the engine host. The default value is 0 which denotes that PingAccess should automatically calculate the appropriate number of I/O threads for the host.

engine.websocket.maxConnections

Sets the maximum number of allowed web socket connections. The default value is -1, which denotes no limit.

engine.ssl.protocols

Defines the protocols used with engine HTTPS ports. The default value is TLSv1, TLSv1.1, TLSv1.2, TLSv1.3.

engine.ssl.ciphers

Defines the type of cryptographic ciphers available for use with engine HTTPS ports. The default value is $\{tls.default.cipherSuites}, which uses the ciphers specified by the tls.default.cipherSuites parameter.

client.ioThreads

Defines the number of threads for client connections to backend sites. The default value is 0, which denotes no limit.

pa.default.contentRewrite.buffer.min

Defines, in bytes, the minimum buffer size used when using a rewrite content rule. The default value is 1024.

pa.default.contentRewrite.buffer.default

Defines, in bytes, the default buffer size when using a rewrite content rule to do a search and replace of content. The default value is 2048.

pa.default.limitRequestLine

Defines the maximum number of bytes to read from the request line. The default value is 8192.

pa.default.maxHeaderCount

Defines the maximum number of headers to read from a request. The default value is 100.

pa.default.maxHttpHeaderSize

Defines the maximum number of bytes to read when reading headers. The default value is 8192.

pa.default.maxRequestBodySize

Defines the maximum number of bytes to read from a request body. The default value is 204800.

pa.default.maxConnectionsPerSite

Defines the maximum number of connections PingAccess will open to the PingFederate Admin or Engine. The default value is -1, which denotes no limit.

pa.default.session.cookie.attributes.httponly

Defines the default setting for the HTTP-Only Cookie setting for newly-created web sessions. The default value is true.

pa.default.session.cookie.attributes.secure

Defines the default setting for the Secure Cookie setting for newly-created web sessions. The default value is true.

pa.default.session.cookie.size.threshold

Defines, in bytes, the default maximum session cookie size. The default value is 4093.

pa.websession.cookie.sameSiteExcludedUserAgentPatterns

A comma-separated list of regex that specifies whether an end-user browser should have SameSite=None applied to cookies issued to it. If the user-agent header from a request matches any of the values in the list, any PingAccess-issued cookie is set with no SameSite attribute if SameSite=None would otherwise have been applied. The default value is:

^.\\(iP.+; CPU .*OS 12[_\\d].\\) AppleWebKit\\/.$,\
^.Macintosh;.*Mac OS X 10_14.*Version.*Safari.$,\
^.(Chromium|Chrome)\\/(5[1-9]|6[0-6])\\.(\\d+)(?:\\.(\\d+)|)(?:\\.(\\d+)|).$,\
^.UCBrowser\\/[0-9][0-1]?.(\\d+)\\.(\\d+)[\\.\\d].$,\
^.*UCBrowser\\/12.[0-9][0-2]?.(\\d+)[\\.\\d].$,\
^.*UCBrowser\\/12.13.[0-2][\\.\\d].*$
pa.uri.strict

When enabled, this setting requires the raw input Uniform Resource Identifier (URI) be in strict compliance with the URI spec implemented by java.net.URI when generating URIs. The default value is false.

pa.uri.canonicalize

When enabled, PingAccess normalizes empty and dot path segments that contain URL-encoded forward slashes (/, encoded as %2f) or periods (encoded as %2e). When this setting has a value of false, PingAccess doesn’t normalize empty and dot path segments that contain URL-encoded forward slashes or periods. The default value is true.

Agent properties

For more information about agents, see the following guides.

agent.http.port

Defines the TCP port on which the engine listens for agent requests. The default value is 3030.

agent.http.bindAddress

Defines the address from which an engine listens for agent requests. The default value is 0.0.0.0.

agent.http.acceptors

Defines the number of admin acceptor threads used to establish agent connections. The default value is 1.

agent.http.secure

Defines whether the engine is using HTTPS for agent requests. The default value is true.

agent.http.backlog

Defines the maximum queue length for incoming admin connection indications. The default value is 512.

agent.http.enabled

Defines whether a STANDALONE or CLUSTERED_ENGINE node listens for agent requests on the port defined by the agent.http.port setting. The default value is true.

agent.http.reuseAddress

When enabled, allows a process to bind to a port which remains in a TIME_WAIT state for the agent transport. The default value is true.

agent.ssl.protocols

Defines the protocols used for communication with agent HTTPS ports. The default value is $\{tls.default.protocols}, which uses the protocols specified by the tls.default.protocols parameter.

agent.ssl.ciphers

Defines the type of cryptographic ciphers available for use with agent HTTPS ports. The default value is $\{tls.default.cipherSuites}, which uses the ciphers specified by the tls.default.cipherSuites parameter.

agent.httptransport.coreThreadPoolSize

Defines the number of threads to keep in the agent transport pool, even if they are idle. The default value is 5.

agent.httptransport.maxThreadPoolSize

Defines the maximum number of threads for the agent transport pool. The default value is -1, which denotes no limit.

agent.httptransport.socketTimeout

Defines, in milliseconds, the agent socket timeout. The default value is 30000.

agent.httptransport.ioThreads

Defines the number of I/O threads for the agent host. The default value is 0, which denotes that PingAccess should automatically calculate the appropriate number of I/O threads for the host.

agent.authz.header.required

Defines whether PingAccess server should authenticate agent requests using agent name and shared secret in the vnd-pi-authz header. The default value is true. Setting this to false is useful for POCs and/or debugging.

agent.default.token.cache.ttl

Defines, in seconds, the time to live for cached agent tokens. The default value is 60.

Sideband properties

For more information about sideband clients, see the following guides.

sideband.http.port

Defines the TCP port on which the engine listens for sideband requests. The default value is 3030.

sideband.http.bindAddress

Defines the address from which an engine listens for sideband requests. The default value is 0.0.0.0.

sideband.http.acceptors

Defines the number of admin acceptor threads used to establish sideband connections. The default value is 1.

sideband.http.secure

Defines whether the engine is using HTTPS for sideband requests. The default value is true.

sideband.http.backlog

Defines the maximum queue length for incoming admin connection indications. The default value is 512.

sideband.http.enabled

Defines whether a STANDALONE or CLUSTERED_ENGINE node listens for sideband requests on the port defined by the agent.http.port setting. The default value is false.

sideband.http.reuseAddress

When enabled, allows a process to bind to a port which remains in a TIME_WAIT state for the agent transport. The default value is true.

sideband.ssl.protocols

Defines the protocols used for communication with sideband HTTPS ports. The default value is $\{tls.default.protocols}, which uses the protocols specified by the tls.default.protocols parameter.

sideband.ssl.ciphers

Defines the type of cryptographic ciphers available for use with sideband HTTPS ports. The default value is $\{tls.default.cipherSuites}, which uses the ciphers specified by the tls.default.cipherSuites parameter.

sideband.httptransport.coreThreadPoolSize

Defines the number of threads to keep in the sideband transport pool, even if they are idle. The default value is 5.

sideband.httptransport.maxThreadPoolSize

Defines the maximum number of threads for the sideband transport pool. The default value is -1, which denotes no limit.

sideband.httptransport.socketTimeout

Defines, in milliseconds, the sideband socket timeout. The default value is 30000.

sideband.httptransport.ioThreads

Defines the number of I/O threads for the sideband host. The default value is 0, which denotes that PingAccess should automatically calculate the appropriate number of I/O threads for the host.

URL filtering settings

For more information about URL filtering, see Adding rewrite URL rules in the PingAccess User Interface Reference Guide.

pa.interceptors.relativepath.strict

When this property is set to true, the incoming URL is matched with the whitelist pattern defined in pa.interceptors.relativepath.decode.regex. All other request URLs are rejected. The default value is false.

pa.interceptors.relativepath.decode.count

Number of times the URL is decoded to check for path traversal characters. The default value is 3.

pa.interceptors.relativepath.decode.regex

Defines the regular expression to use when checking for a valid path in an incoming request. The default value is:

[\\p{Po}\\p{N}\\p{Z}\\p{L}\\p{M}\\p{Zs}\\./_\\-\\\\~()\\{\\}\\[\\]]*

This value is double-escaped as required by the java.util.regex.Pattern Java class.

Monitoring

For more information about monitoring, see the PingAccess Monitoring Guide.

pa.mbean.site.connection.pool.enable

When set to true, enables Java Management Extensions (JMX) read-only access to backend connection pools. This can be useful when troubleshooting latency issues because it provides information about requests that are waiting for a connection to targets in a site when maxConnections is not unlimited. The default value is false.

enable.detailed.heartbeat.response

When enabled, this setting enables a customizable heartbeat response to be returned. When disabled, the heartbeat endpoint returns a 200 OK response. The default value is false.

pa.statistics.window.seconds

If the enable.detailed.heartbeat.response parameter is set to true, this parameter sets the number of seconds back to collect response statistics. A value less than 1 disables collection. The default value is 0.

TLS/SSL

For more information about the use of TLS/SSL, see the following guides.

tls.default.protocols

Defines the default protocols used for HTTPS communication. The default value is TLSv1.1, TLSv1.2, TLSv1.3.

tls.default.cipherSuites

Defines the default set of ciphers used for HTTPS communication. The default value is:

TLS_CHACHA20_POLY1305_SHA256,\
TLS_AES_256_GCM_SHA384,\
TLS_AES_128_GCM_SHA256,\
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,\
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,\
TLS_RSA_WITH_AES_128_GCM_SHA256,\
TLS_RSA_WITH_AES_128_CBC_SHA256,\
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,\
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Legacy browsers might require the addition of SHA1-based ciphers to negotiate a cipher suite with the server. In this case, add the following ciphers to the run.properties file and restart PingAccess:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_RSA_WITH_AES_128_CBC_SHA

clusterconfig.ssl.protocols

Defines the protocols used for communication with HTTPS ports in a clustered configuration. The default value is $\{tls.default.protocols}, which uses the protocols specified by the tls.default.protocols parameter.

clusterconfig.ssl.ciphers

Defines the type of cryptographic ciphers available for use with HTTPS ports in a clustered configuration. The default value is $\{tls.default.cipherSuites}, which uses the ciphers specified by the tls.default.cipherSuites parameter.

site.ssl.protocols

Defines the protocols used for communication with Site HTTPS ports. There is no default value. When not specified, the protocols defined in the Java Development Kit (JDK) are used.

site.ssl.ciphers

Defines the type of cryptographic ciphers available for use with Site HTTPS ports. There is no default value. When not specified, the protocols defined in the JDK are used.

pf.ssl.protocols

Defines the protocols used for communication with PingFederate HTTPS ports. There is no default value. When not specified, the protocols defined in the JDK are used.

pf.ssl.ciphers

Defines the type of cryptographic ciphers available for use with PingFederate HTTPS ports. There is no default value. When not specified, the protocols defined in the JDK are used.

provider.ssl.protocols

Defines the protocols used for communication with Provider HTTPS ports. There is no default value. When not specified, the protocols defined in the JDK are used.

provider.ssl.ciphers

Defines the type of cryptographic ciphers available for use with Provider HTTPS ports. There is no default value. When not specified, the protocols defined in the JDK are used.

as.ssl.protocols

Defines the protocols used for communication with authorization server HTTPS ports. There is no default value. When not specified, the protocols defined in the JDK are used.

as.ssl.ciphers

Defines the type of cryptographic ciphers available for use with authorization server HTTPS ports. There is no default value. When not specified, the protocols defined in the JDK are used.

p14c.ssl.protocols

Defines the protocols used for communication with PingOne. There is no default value. When not specified, the protocols defined in the JDK are used.

p14c.ssl.ciphers

Defines the type of cryptographic ciphers available for use with PingOne. There is no default value. When not specified, the protocols defined in the JDK are used.

thirdpartyservice.ssl.protocols

Defines the protocols used for communication with third-party services. There is no default value. When not specified, the protocols defined in the JDK are used.

thirdpartyservice.ssl.ciphers

Defines the type of cryptographic ciphers available for use with third-party services. There is no default value. When not specified, the protocols defined in the JDK are used.

POST preservation properties

For more information about POST preservation, see the following documents.

pa.oidc.post.preservation.encrypt

When enabled, POST data preserved through a redirection to PingFederate for authentication is encrypted on the client to be used after the authentication is successful. The default value is false.

pa.oidc.post.preservation.maxRequestBodySize

Defines, in bytes, the maximum size of the post body for POST preservation. The default value is 8192.

pa.oidc.post.preservation.paramsAttributeName

Used to store the encoded or encrypted POST payload in the browser session storage during POST preservation. The default value is postParams.

Configuration database and keystore settings

For more information about configuration database and keystore settings, see the following documents:

derby.language.statementCacheSize

Defines the number of statements that are stored in memory. The default value is 500.

derby.storage.pageCacheSize

Defines the number of pages cached in memory. The default value is 1000.

pa.keystore.pw

Defines the password for the $JAVA_HOME/lib/security/cacerts keystore. The value is encrypted.

PingFederate administration integration properties

For more information about using PingAccess with PingFederate, see the following documents:

pf.api.maxRetries

Defines the maximum number of retries PingAccess attempts to make to the PingFederate server before declaring the server unavailable. The default value is 0.

pf.api.socketTimeout

Defines, in milliseconds, the socket timeout for the PingFederate API endpoint. The default value is 5000.

pf.api.maxConnections

Defines the maximum number of connections PingAccess will establish to the PingFederate API endpoint. The default value is -1, which means there is no limit.

pf.api.keepAliveTimeout

Defines, in milliseconds, the keep alive timeout for the PingFederate API. The default value is 30000.

pf.api.readTimeout

Defines, in milliseconds, how long the API will wait for responses from PingFederate when making calls to the PingFederate Admin API. The default value is -1, which means there is no limit.

Administrative console settings

For more information about PingAccess administration, see the PingAccess User Interface Reference Guide.

pa.backup.filesToKeep

Defines the number of backup files to preserve when the Administrator authenticates to PingAccess. The default value is 25. A value of 0 disables the creation of backup files.

Disabling the creation of backup files can speed up the sign-on process in large environments. If you disable the creation of backup files, use the administrative API backup endpoint to create regular backups.

pa.admin.user.password.regex

Defines the regex that controls password complexity for the Administration Console. The default value is

((?=.\\d)(?=.[a-z])(?=.*[A-Z]).{8,20})
pa.admin.user.password.error.message

Defines the message returned when password complexity is not satisfied. The default value is Password must be at least 8 characters in length, contain one upper-case letter, one lower-case letter and one digit..

pa.admin.test.connections

A boolean property that allows the PingAccess admin UI to make HTTP calls to validate that it can reach PingFederate and sites when the user configures them. The default value is true.

account.locking.max.consecutive.failures

Defines the maximum number of failed login attempts before locking the account when using basic authentication in the administrative UI or administrative REST APIs. The default value is 3.

account.locking.max.lockout.period

Defines, in minutes, the amount of time to lock an account out from the administrative interfaces after exceeding the account.locking.max.consecutive.failures. The default value is 1.

EHCache configuration properties

For more information about EHCache configuration, see the Clustering Reference Guide.

pa.ehcache.PingFederateReferenceTokenCache.maxEntriesLocalHeap

Defines the maximum number of entries in the local heap for OAuth tokens. The default value is 10000.

pa.ehcache.PingFederateReferenceTokenCache.timeToIdleSeconds

Defines, in seconds, the time an entry in the OAuth token cache can be idle before it is expired. The default value is 0.

pa.ehcache.PingFederateReferenceTokenCache.timeToLiveSeconds

Defines, in seconds, the maximum time an entry can be in the OAuth token cache. The default value is 0.

pa.ehcache.ServiceTokenCache.maxEntriesLocalHeap

Defines the maximum number of entries in the local heap for token mediation. The default value is 10000.

pa.ehcache.ServiceTokenCache.timeToIdleSeconds

Defines, in seconds, the time an entry in the token mediation cache can be idle before it is expired. The default value is 1800.

pa.ehcache.ServiceTokenCache.timeToLiveSeconds

Defines, in seconds, the maximum time an entry can be in the token mediation cache. The default value is 14400.

pa.ehcache.PATokenValidationCache.maxEntriesLocalHeap

Defines the maximum number of entries in the local heap for decryption of signed or encrypted PingAccess tokens. The default value is 10000.

pa.ehcache.PATokenValidationCache.timeToIdleSeconds

Defines, in seconds, the time an entry in the token validation cache can be idle before it is expired. The default value is 120.

pa.ehcache.PATokenValidationCache.timeToLiveSeconds

Defines, in seconds, the maximum time an entry can be in the token validation cache. The default value is 300.

pa.ehcache.PFSessionValidationCache.maxEntriesLocalHeap

Defines the maximum number of entries in the local heap for the session validation cache. The default value is 10000.

pa.ehcache.PFSessionValidationCache.timeToIdleSeconds

Defines, in seconds, the time an entry in the session validation cache can be idle before it is expired. The default value is 120.

pa.ehcache.PFSessionValidationCache.timeToLiveSeconds

Defines, in seconds, the maximum time an entry can be in the session validation cache. The default value is 300.

pa.ehcache.PAWamUserAttributesCache.maxEntriesLocalHeap

Defines the maximum number of entries in the local heap for the PingAccess Web Access Management (WAM) user attribute cache. The default value is 10000.

pa.ehcache.PAWamUserAttributesCache.timeToIdleSeconds

Defines, in seconds, the time an entry in the PA WAM user attribute cache can be idle before it is expired. The default value is 120 seconds.

pa.ehcache.PAWamUserAttributesCache.timeToLiveSeconds

Defines, in seconds, the maximum time an entry can be in the PA WAM user attribute cache. The default value is 300 seconds.

pa.ehcache.AuthTokenCache.maxEntriesLocalHeap

Defines the maximum size of the JSON Web Token (JWT) identity mapping token cache used when sending tokens to a protected site. The default value is 10000.

pa.ehcache.SessionStateCache.maxEntriesLocalHeap

Defines the maximum size of the identity attribute entry cache when the user’s attributes are stored on the server rather than as a cookie. The default value is 10000.

pa.ehcache.AzureGroupNameCache.maxEntriesLocalHeap

Defines the maximum number of entries in the local heap for the Azure group name cache. The default value is 10000.

Security headers properties

For more information about security headers, see the following documents.

admin.headers

Additional headers added to responses from the PingAccess administrative console and the administrator API interface. Header values are defined using the admin.header prefix. The default value is:

X-Frame-Options,X-XSS-Protection,X-Content-Type-Options,Strict-Transport-Security,Content-Security-Policy
admin.header.X-Frame-Options

Sets the parameters for the X-Frame-Options HTTP response header sent to the browser when an admin is interacting with the Admin UI. The default value is DENY.

For more information on this header and its potential values, see 7.6 The 'X-Frame Options' Header.

admin.header.X-XSS-Protection

Sets the parameters for the X-XSS-Protection HTTP response header sent to the browser when an admin is interacting with the Admin UI. The default value is 1; mode=block.

admin.header.X-Content-Type-Options

Sets the parameters for the X-Content-Type-Options response header sent to the browser when an admin is interacting with the Admin UI. The default value is nosniff.

admin.header.Content-Security-Policy

Sets the parameters for the content-security-policy response header sent by PingAccess in response to API calls. The default value is:

default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' data:;
admin.header.Strict-Transport-Security

Sets the parameters for the Strict-Transport-Security response header sent to the browser when an administrator is interacting with the Admin UI. This parameter is commented out by default, and should be enabled only if the admin and engine use different host names. The default value is max-age=31536000; includeSubDomains.

agent.assets.headers

Additional headers added to responses from PingAccess agents. Header values are defined using the agent.assets.header prefix. The default value is X-Frame-Options.

agent.assets.header.X-Frame-Options

Sets the parameters for the X-Frame-Options HTTP response header sent to the browser using the agent when responding to a request for an asset used by a PingAccess template. The default value is DENY.

For more information on this header and its potential values, see 7.6 The 'X-Frame Options' Header.

agent.error.headers

Additional headers added to error responses from PingAccess Agents. Header values are defined using the agent.error.header prefix. The default value is X-Frame-Options, Content-Security-Policy.

Content-Security-Policy might be omitted if PingAccess was upgraded with template customizations. If you want to enable for this case, add the Content-Security-Policy value to this property and uncomment agent.error.header.Content-Security-Policy.

agent.error.header.Content-Security-Policy

Sets the parameters for the Content-Security-Policy HTTP response header sent to the browser using the agent when responding with a PingAccess error template. The default value is

default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none';

This property might be commented out if PingAccess was upgraded with template customizations.

agent.error.header.X-Frame-Options

Sets the parameters for the X-Frame-Options HTTP response header sent to the browser using the agent when responding with a PingAccess error template. The default value is DENY.

For more information on this header and its potential values, see 7.6 The 'X-Frame Options' Header.

engine.assets.headers

Additional headers added to responses from the PingAccess Engine. Header values are defined using the engine.assets.header prefix. The default value is X-Frame-Options.

engine.assets.header.X-Frame-Options

Sets the parameters for the X-Frame-Options HTTP response header sent to the browser using the engine when responding to a request for an asset used by a PingAccess template. The default value is DENY.

For more information on this header and its potential values, see 7.6 The 'X-Frame Options' Header.

engine.error.headers

Additional headers added to error responses from the PingAccess Engine. Header values are defined using the engine.error.header prefix. The default value is X-Frame-Options, Content-Security-Policy.

Content-Security-Policy might be omitted if PingAccess was upgraded with template customizations. If you want to enable for this case, add the Content-Security-Policy value to this property and uncomment engine.error.header.Content-Security-Policy.

engine.error.header.Content-Security-Policy

Sets the parameters for the Content-Security-Policy HTTP response header sent to the browser using the engine when responding with a PingAccess error template. The default value is

default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none';

This property might be commented out if PingAccess was upgraded with template customizations.

engine.error.header.X-Frame-Options

Sets the parameters for the X-Frame-Options HTTP response header sent to the browser using the engine when responding with a PingAccess error template. The default value is DENY.

For more information on this header and its potential values, see 7.6 The 'X-Frame Options' Header.

sideband.assets.headers

Additional headers added to responses from PingAccess sideband clients. Header values are defined using the sideband.assets.header prefix. The default value is X-Frame-Options.

sideband.assets.header.X-Frame-Options

Sets the parameters for the X-Frame-Options HTTP response header sent to the browser using the sideband client when responding to a request for an asset used by a PingAccess template. The default value is DENY.

For more information on this header and its potential values, see 7.6 The 'X-Frame Options' Header.

Content-Security-Policy might be omitted if PingAccess was upgraded with template customizations. If you want to enable for this case, add the Content-Security-Policy value to this property and uncomment sideband.error.header.Content-Security-Policy.

sideband.error.header.Content-Security-Policy

Sets the parameters for the Content-Security-Policy HTTP response header sent tot he browser using the sideband client when responding with a PingAccess error template. The default value is

default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none';

This property might be commented out if PingAccess was upgraded with template customizations.

sideband.error.headers

Additional headers added to error responses from PingAccess sideband clients. Header values are defined using the sideband.error.header prefix. The default value is X-Frame-Options,Content-Security-Policy.

Content-Security-Policy might be omitted if PingAccess was upgraded with template customizations. If you want to enable for this case, add the Content-Security-Policy value to this property and uncomment sideband.error.header.Content-Security-Policy.

sideband.error.header.X-Frame-Options

Sets the parameters for the X-Frame-Options HTTP response header sent to the browser using the sideband client when responding with a PingAccess error template. The default value is DENY.

For more information on this header and its potential values, see 7.6 The 'X-Frame Options' Header.

pf.redirect.headers

Additional headers added to the redirection response that sends the client to PingFederate for authentication. These headers are added when using the SPA support disabled Authentication Challenge Policy, using the global PingFederate Redirect Headers Appender challenge response filter, or using an application that is configured without an Authentication Challenge Policy and SPA support disabled. Header values are defined using the pf.redirect.header prefix. The default value is X-Frame-Options,Content-Security-Policy.

Content-Security-Policy might be omitted if PingAccess was upgraded with template customizations. If you want to enable for this case, add the Content-Security-Policy value to this property and uncomment pf.redirect.header.Content-Security-Policy.

pf.redirect.header.Content-Security-Policy

Sets the parameters for the Content-Security-Policy HTTP response header that is sent when the user is redirected to PingFederate to authenticate. The default value is

default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none';

This property might be commented out if PingAccess was upgraded with template customizations.

pf.redirect.header.X-Frame-Options

Sets the parameters for the X-Frame-Options value that is sent when the user is redirected to PingFederate to authenticate. The default value is DENY.

For more information on this header and its potential values, see 7.6 The 'X-Frame Options' Header.

rule.error.headers

Additional headers added to responses that result from policy rule results. Header values are defined using the rule.error.header prefix. The default value is Content-Security-Policy.

Content-Security-Policy might be omitted if PingAccess was upgraded with template customizations. If you want to enable for this case, add the Content-Security-Policy value tot his property and uncomment rule.error.header.Content-Security-Policy.

rule.error.header.Content-Security-Policy

Sets the parameters for the Content-Security-Policy HTTP response header sent to the browser when the response is generated by a rule failure. The default value is

default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none';

This property might be commented out if PingAccess was upgraded with template customizations.

oauth.error.headers

Additional headers added to responses that result from requests made to a protected API application that lack a valid OAuth Bearer token. Define header values using the oauth.error.header prefix. The default value is Content-Security-Policy.

oauth.error.header.Content-Security-Policy

Sets the parameters for the Content-Security-Policy HTTP response header sent to the browser when PingAccess receives a request made to a protected API application that doesn’t contain a valid OAuth Bearer token. The default value is:

default-src 'self'; style-src 'self'; \ script-src 'self'; font-src 'self' data:; object-src 'none';

Localization settings

For more information about localization, see the following documents. Customize and Localize PingAccess.

pa.localization.resource.bundle.cache.enable

When set to false, allows language files in /conf/localization to be added or modified. When true, enables caching of language files and properties. The default value is true.

pa.localization.missing.message.placeholder

Defines the message used when an error message is unresolvable. There is no default value.