Installation requirements

Before you install PingAccess, review the following system, hardware, and port requirements.

System requirements

Make sure that your system meets the following requirements for PingAccess deployment and configuration.

Ping Identity qualifies the following configurations and certifies that they are compatible with the product. Variations of these platforms, such as differences in operating system version or service pack, are supported until the platform or other required software creates potential conflicts.

PingAccess supports IPv4 addressing. There is currently no support for IPv6 addressing.

System component

Requirements

Operating systems

PingAccess was tested with default configurations of operating system components. If your organization has customized implementations or has installed third-party plug-ins, deployment of the PingAccess server might be affected.

Amazon Linux 2
Amazon Linux 2022
Canonical Ubuntu 18.04 (LTS)
Canonical Ubuntu 20.04 (LTS)
Canonical Ubuntu 22.04 (LTS)
Microsoft Windows Server 2016 (x64)
Microsoft Windows Server 2019 (x64)
Microsoft Windows Server 2022 (x64)
Oracle Linux 7.9 (Red Hat Compatible Kernel)
Oracle Linux 8.6 (Red Hat Compatible Kernel)
Red Hat Enterprise Linux ES 7.9
Red Hat Enterprise Linux ES 8.6
Red Hat Enterprise Linux ES 9.1
SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server 15 SP4

Docker support

Docker version: 20.10.17

View the PingAccess Docker image on https://hub.docker.com/r/pingidentity/pingaccess[DockerHub]. Visit Ping Identity’s DevOps https://devops.pingidentity.com/[documentation] for more information.

Only the PingAccess software is licensed under Ping Identity’s end user license agreement. Any other software components contained within the image are licensed solely under the terms of the applicable open source or third-party license.

Ping Identity accepts no responsibility for the performance of any specific virtualization software and in no way guarantees the performance or interoperability of any virtualization software with its products.

Virtual systems

Although Ping Identity doesn’t qualify or recommend any specific virtual machine (VM) products, PingAccess runs well on several, including VMWare, Xen, and Windows Hyper-V.

This list of products is provided for example purposes only. We view all products in this category equally. Ping Identity accepts no responsibility for the performance of any specific virtualization software and does not guarantee the performance or interoperability of any VM software with its products.

Java environments

Amazon Corretto 8 (64-bit)
Amazon Corretto 11 (64-bit)
Amazon Corretto 17 (64-bit)
OpenJDK 11 (64-bit)
OpenJDK 17 (64-bit)
Oracle Java SE Runtime Environment (Server JRE) 8 (64-bit)
Oracle Java SE Development Kit (JDK) 11 (64-bit)
Oracle Java SE Development Kit (JDK) 17 (64-bit)

The Ping Identity Java Support Policy applies. For more information, see the Ping Identity Java support policy.

PingFederate

The following versions of PingFederate are fully certified with this version of PingAccess:

PingFederate 10.3
PingFederate 11.2

Other versions of PingFederate are expected to be compatible with this version of PingAccess per Ping’s end of life policy.

Some features rely on a specific version of PingFederate to work. This will always be noted in the feature’s description.

End-user browsers

Google Android (Chrome)
Google Chrome
Microsoft Edge
Mozilla Firefox
Apple iOS (Safari)
Apple Safari

Admin console browsers

Google Chrome
Microsoft Edge
Mozilla Firefox

Audit event storage (external database)

MS SQL Server 2017
MS SQL Server 2019
Oracle 19c
PostgreSQL 11.5
PostgreSQL 13

Hardware security module

For information about configuring a hardware security module (HSM), see Hardware security module providers. PingAccess certifies the following HSMs:

AWS CloudHSM 5.8.0
Thales Luna Cloud HSM Services and Luna Network HSM (Luna HSM Client 10.4)

You must use Java 8 if you plan to use a Luna hardware security module. AWS CloudHSM is compatible with JDK 8 or JDK 11.

If you plan to use AWS CloudHSM, you must also deploy your environment on a Linux or Windows operating system that is compatible with both PingAccess and AWS CloudHSM.

Supported HTTP versions

HTTP 1.1

OpenID Connect (OIDC) providers

These are the most common providers and their associated provider types. Ping strives to support any third-party OIDC-compliant provider.

PingFederate - PingFederate
PingOne for Enterprise - Common
PingOne SSO - PingOne
Azure - Common
Okta - Common

Hardware requirements

Although it’s possible to run PingAccess on less powerful hardware, the following guidelines accommodate disk space for default logging and auditing profiles and CPU resources for a moderate level of concurrent request processing.

Although the requirements for different environments vary, run PingAccess on hardware that meets or exceeds these specifications:

Multi-CPU/Cores (8 or more)
4 GB of RAM
2.1 GB of available hard drive space

Port requirements

PingAccess uses ports and protocols to communicate with external components. This information provides guidance for firewall administrators to ensure that the correct ports are available across network segments.

Direction refers to the direction of requests relative to PingAccess:

Inbound requests: Requests that PingAccess receives from external components.
Outbound requests: Requests that PingAccess sends to external components.

Service Port details Source Description

PingAccess administrative console

Protocol: HTTPS
Transport: TCP
Default port: 9000
Destination: PingAccess admin console
Direction: Inbound

PingAccess administrator browser, PingAccess administrative application programming interface (API) REST calls, PingAccess replica admin and clustered engine nodes

Used for incoming requests to the PingAccess administrative console. Configurable using the admin.port property in the run.properties file. For more information, see the Configuration file reference guide.

This port is also used by clustered engine nodes and the replica admin node to pull configuration data using the admin REST API.

PingAccess cluster communications port

Protocol: HTTPS
Transport: TCP
Default port: 9090
Destination: PingAccess admin console
Direction: Inbound

PingAccess administrator browser, PingAccess administrative API REST calls, PingAccess replica admin and clustered engine nodes

Used for incoming requests where the clustered engines request their configuration data. Configurable using the clusterconfig.port property in the run.properties file. For more information, see the Configuration file reference guide.

This port is also used by clustered engine nodes and the replica admin node to pull configuration data using the admin REST API.

PingAccess engine

Protocol: HTTP/HTTPS
Transport: TCP
Default port: 3000*

Any additional engine listener ports defined in the configuration must be open as well.
Destination: PingAccess engine
Direction: Inbound

Client browser, mobile devices, PingFederate engine

Used for incoming requests to the PingAccess runtime engine. Configurable using the Listeners configuration page. For more information, see the PingAccess user interface reference guide.

PingAccess agent

Protocol: HTTP/HTTPS
Transport: TCP
Default port: 3030
Destination: PingAccess engine
Direction: Inbound

PingAccess agent

Used for incoming Agent requests to the PingAccess runtime engine. Configurable using the agent.http.port property of the run.properties file. For more information, see the Configuration file reference guide.

PingFederate traffic

Protocol: HTTPS
Transport: TCP
Default port: 9031
Destination: PingFederate
Direction: Outbound

PingAccess engine

Used to validate OAuth access token and ID tokens, make Security Token Service (STS) calls for identity mediation, and return authorized information about a user.

Configurable using the PingFederate Settings page within PingAccess. For more information, see the PingAccess user interface reference guide.