Installation requirements

Before you install PingAccess, review the following system, hardware, and port requirements.

System requirements

Make sure that your system meets the following requirements for PingAccess deployment and configuration.

Ping Identity qualifies the following configurations and certifies their compatibility with this PingAccess version. Variations of these platforms, such as differences in operating system version or service pack, are supported until the platform creates potential conflicts.

Operating systems

This version of PingAccess is supported on Microsoft Windows Server 2016, 2019, and 2022 (x64), and on actively maintained versions of the following Linux operating systems:

Supported platforms

Amazon Linux
Canonical Ubuntu (LTS)
Oracle Linux
Red Hat Enterprise Linux ES
Rocky Linux
SUSE Linux Enterprise Server

Ping Identity tests PingAccess with default configurations of operating system components. If your organization has custom implementations or has installed third-party plug-ins, this might affect PingAccess server deployment.

Docker versions

To deploy the PingAccess server using Docker, you must use an actively maintained GA version of Docker.

Docker deployment details

You can find more information about supported versions in Branches and tags in the Docker documentation.
You can find the PingAccess Docker image on DockerHub and more information in Ping Identity’s DevOps documentation.

Only the PingAccess software is licensed under Ping Identity’s end user license agreement. Any other software components contained within the image are licensed solely under the terms of the applicable open source or third-party license.

Ping Identity accepts no responsibility for the performance of any specific virtualization software and in no way guarantees the performance or interoperability of any virtualization software with its products.

Java runtime environments

The Java Support Policy applies to your Java Runtime Environment (JRE). You must have one of the following versions of the Java Development Kit (JDK) installed before installing the PingAccess server:

Supported JREs

Amazon Corretto 17 or 21 (64-bit)
OpenJDK 17 or 21 (64-bit)
Oracle JDK 17 or 21 (64-bit)

Browsers

The PingAccess admin console supports the following browsers:

Supported browser configurations

Google Chrome
Microsoft Edge
Mozilla Firefox

End users can access content protected by PingAccess with any of the previous browsers or Apple Safari. Support extends to Google Android and Apple iOS.

Currently, PingAccess supports HTTP 1.1 and IPv4 addressing only.

Virtual systems

Although Ping Identity doesn’t qualify or recommend any specific virtual machine (VM) products, PingAccess runs well on several, including:

Example VM products

VMWare
Xen
Windows Hyper-V

This list of products is provided only as an example. We view all products in this category equally. Ping Identity accepts no responsibility for the performance of any specific virtualization software and doesn’t guarantee the performance or interoperability of any VM software with its products.

Audit event storage

PingAccess supports audit event storage with the following databases:

Supported database versions

Microsoft SQL Server 2019 or 2022
Oracle Database 19c
PostgreSQL 13 or 16

Hardware security modules

You can find more information about configuring a hardware security module (HSM) in Hardware security module providers. PingAccess certifies the following HSMs:

Certified HSMs

AWS CloudHSM 5.16.1

PingAccess supports AWS CloudHSM with JDK 17 and 21. If you plan to use AWS CloudHSM, you must also deploy your environment on a Linux or Windows operating system that is compatible with both PingAccess and AWS CloudHSM.

Thales Luna Cloud HSM Services and Luna Network HSM (Luna HSM Client 10.x)

Currently, there’s an known issue with key pairs stored in Safenet Luna HSMs. Learn more in the PA-16103 known issue.

OpenID Connect (OIDC) providers

Ping Identity strives to support any third-party OIDC-compliant provider. The following table lists some of the most common providers used with PingAccess:

Commonly used providers

Provider	Provider Type
PingFederate	PingFederate
PingOne SSO	PingOne
PingOne Advanced Identity Cloud	PingOne Advanced Identity Cloud
PingAM	PingAM
PingOne for Enterprise	Common
Azure	Common
Okta	Common

Provider

Provider Type

PingFederate

PingOne SSO

PingOne

PingOne Advanced Identity Cloud

PingAM

PingOne for Enterprise

Common

Azure

Common

Okta

Common

PingFederate versions

This PingAccess version is fully certified with the last four versions of PingFederate. Other PingFederate versions should be compatible as Ping Identity’s EoL policy describes.

Some PingAccess features rely on a specific minimum PingFederate version to work. This will always be noted in the feature’s description.

Hardware requirements

Although it’s possible to run PingAccess on less powerful hardware, the following guidelines accommodate disk space for default logging and auditing profiles and CPU resources for a moderate level of concurrent request processing.

Run PingAccess on hardware that meets or exceeds these specifications:

Multi-CPU/Cores (8 or more)
4 GB of RAM
2.1 GB of available hard drive space

Port requirements

PingAccess uses ports and protocols to communicate with external components. This information provides guidance for firewall administrators to ensure that the correct ports are available across network segments.

Direction refers to the direction of requests relative to PingAccess:

Inbound requests: Requests that PingAccess receives from external components.
Outbound requests: Requests that PingAccess sends to external components.

Reserved ports

Service Port details Source Description

PingAccess administrative console

Protocol: HTTPS
Transport: TCP
Default port: 9000
Destination: PingAccess admin console
Direction: Inbound

PingAccess administrator browser, PingAccess administrative application programming interface (API) REST calls, PingAccess replica admin and clustered engine nodes

Used for incoming requests to the PingAccess administrative console.

Configurable using the admin.port property in the run.properties file. Learn more in the Configuration file reference guide.

This port is also used by clustered engine nodes and the replica admin node to pull configuration data using the admin REST API.

PingAccess cluster communications port

Protocol: HTTPS
Transport: TCP
Default port: 9090
Destination: PingAccess admin console
Direction: Inbound

PingAccess administrator browser, PingAccess administrative API REST calls, PingAccess replica admin and clustered engine nodes

Used for incoming requests where the clustered engines request their configuration data.

Configurable using the clusterconfig.port property in the run.properties file. Learn more in the Configuration file reference guide.

This port is also used by clustered engine nodes and the replica admin node to pull configuration data using the admin REST API.

PingAccess engine

Protocol: HTTP or HTTPS
Transport: TCP
Default port: 3000*

Any additional engine listener ports defined in the configuration must be open as well.

Destination: PingAccess engine
Direction: Inbound

Client browser, mobile devices, PingFederate engine

Used for incoming requests to the PingAccess runtime engine.

Configurable using the Listeners configuration page. Learn more in the PingAccess user interface reference guide.

PingAccess agent

Protocol: HTTP or HTTPS
Transport: TCP
Default port: 3030
Destination: PingAccess engine
Direction: Inbound

PingAccess agent

Used for incoming Agent requests to the PingAccess runtime engine.

Configurable using the agent.http.port property of the run.properties file. Learn more in the Configuration file reference guide.

PingAccess sideband (optional)

Protocol: HTTP or HTTPS
Transport: TCP
Default port: 3020
Destination: PingAccess engine
Direction: Inbound

Sideband client (an API gateway such as Kong Gateway or Apigee)

Used for incoming sideband requests to the PingAccess runtime engine.

Configurable using the sideband.http.port property of the run.properties file. Learn more in the Configuation file reference guide.

The default value of the sideband.http.enabled property is false. This property must be set to true to configure a sideband client.

PingFederate traffic

Protocol: HTTPS
Transport: TCP
Default port: 9031
Destination: PingFederate
Direction: Outbound

PingAccess engine

Used to validate OAuth access token and ID tokens, make Security Token Service (STS) calls for identity mediation, and return authorized information about a user.

Configurable using the PingFederate Settings page within PingAccess. Learn more in the PingAccess user interface reference guide.