PingAccess

Configuring PingAccess agents to use bearer token authentication

Authenticate PingAccess agents to the engine nodes with bearer token authentication in addition to, or instead of, a shared secret.

About this task

When you enable bearer token authentication, PingAccess engine nodes:

  • Require PingAccess agents to send a signed JSON Web Token (JWT) with all HTTP requests.

  • Verify that the JWT was signed by the expected key.

  • Log debug messages to confirm that the token was received and validated as expected.

The PingAccess agent for Apache (Windows) hasn’t yet been updated to support bearer token authentication, but the agent.properties file includes a private key as of PingAccess 8.2.

You can download and use the updated agent.properties file normally until agent compatibility is added. Complete the Configuring incompatible PingAccess agents to test bearer token authentication procedure to do so.

Configuring compatible PingAccess agents to use bearer token authentication

About this task

Complete this procedure to configure version 3.0 of either the PingAccess agent for Apache (RHEL or SLES), IIS, or NGINX to use bearer token authentication.

Steps

  1. In the PingAccess admin console, go to Applications > Agents and open the agent configuration that you want to update.

  2. To prompt PingAccess to add the private key into the agent.properties file, select the Require Token Authentication checkbox.

    If you clear this checkbox later, you don’t need to generate a new agent.properties file to update the shared secret. The PingAccess agent will continue to use both the shared secret and the private key from the active agent.properties file if you haven’t removed them from the file.

  3. Download a new agent.properties file for the agent as shown in Adding agents.

    In PingAccess 8.2 and later, the PingAccess server generates a public key and private key in addition to the shared secret. You can find the public key on this page, identified with a timestamp. The updated agent.properties file contains the expected private key.

    To rotate keys, generate a new agent.properties file, then remove the old file and public key.

  4. Configure the agent with the updated agent.properties file.

    When the private key is present in the agent.properties file, the agent generates a unique JWT for authentication with every request to the PingAccess server. The JWT expires after 2 minutes, so you must keep the agent’s clock and the PingAccess server’s clock synchronized.

  5. Repeat steps 1 - 5 for all configured agents.
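The following troubleshooting sketch is an added example, not code from PingAccess or from this documentation. It shows how clock skew between an agent and an engine node interacts with the 2-minute token lifetime from step 4. It assumes the token carries the standard `iat` and `exp` claims from RFC 7519; the page does not document the token contents, so the claim names, the `alg` value, the function names, and the `leeway_s` parameter are all hypothetical.

```python
import base64
import json

TOKEN_LIFETIME_S = 120  # the 2-minute expiry stated on this page


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(jwt: str) -> dict:
    """Decode the JWT payload for troubleshooting. Does NOT verify the signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def make_sample_token(agent_now: int) -> str:
    """Constructed sample token; alg is assumed and the signature is a placeholder."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    claims = {"iat": agent_now, "exp": agent_now + TOKEN_LIFETIME_S}
    return f"{header}.{b64url(json.dumps(claims).encode())}.c2lnLXBsYWNlaG9sZGVy"


def check_window(jwt: str, server_now: int, leeway_s: int = 0) -> str:
    """Classify the token's validity window against the verifier's clock."""
    claims = decode_claims(jwt)
    if server_now >= claims["exp"] + leeway_s:
        return "expired"            # agent clock far behind, or token replayed late
    if claims["iat"] > server_now + leeway_s:
        return "issued-in-future"   # agent clock ahead of the verifier: skew indicator
    return "in-window"


if __name__ == "__main__":
    server_time = 1_700_000_000  # constructed timestamp
    for skew in (0, -30, -150, 45):  # agent clock minus server clock, in seconds
        token = make_sample_token(server_time + skew)
        print(f"agent skew {skew:+4d}s -> {check_window(token, server_time)}")
```

An agent clock more than 2 minutes behind the engine node produces tokens that are already expired on arrival, which is why NTP synchronization on both hosts matters more here than with the shared secret alone.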

Configuring incompatible PingAccess agents to test bearer token authentication

About this task

Complete this procedure to configure the PingAccess agent for Apache (Windows) to test bearer token authentication.

Steps

  1. In the PingAccess admin console, go to Applications > Agents and open the agent configuration that you want to update.

  2. To prompt PingAccess to add the private key into the agent.properties file, select the Require Token Authentication checkbox.

    If you clear this checkbox later, you don’t need to generate a new agent.properties file to update the shared secret. The PingAccess agent will continue to use both the shared secret and the private key from the active agent.properties file if you haven’t removed them from the file.

  3. Download a new agent.properties file for the agent as shown in Adding agents.

    In PingAccess 8.2 and later, the PingAccess server generates a public key and private key in addition to the shared secret. You can find the public key on this page, identified with a timestamp. The updated agent.properties file contains the expected private key.

    To rotate keys, generate a new agent.properties file, then remove the old file and public key.

  4. Clear the Require Token Authentication checkbox.

    After downloading the new agent.properties file, leave the Require Token Authentication checkbox cleared until agent compatibility is added and this agent has been updated to the supported version.

  5. (Optional) To confirm that shared secret authentication still works as expected, configure the agent with the updated agent.properties file.

    After the agents have been updated to support bearer token authentication, make sure to download the latest version of the agents and configure them with the updated agent.properties files.

    Following that, you can select the Require Token Authentication checkbox to require the configured PingAccess agent to use bearer token authentication in addition to the shared secret when making requests to the PingAccess engine nodes.

  6. Repeat steps 1 - 5 for all configured agents.