---
title: Configuring engine nodes
description: Configure an engine node as part of a cluster in PingAccess.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_configuring_engine_nodes
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_configuring_engine_nodes.html
revdate: April 26, 2023
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  result: Result:
  next-steps: Next steps
---

# Configuring engine nodes

Configure an engine node as part of a cluster in PingAccess.

## Before you begin

Make sure that you've configured an administrative node and a replica administrative node.

|   |                                                                                                                                                                                                                                                                                            |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | For a comprehensive overview of the steps necessary to set up a clustered environment, see [Configuring a PingAccess cluster](../reference_guides/pa_configuring_a_pa_cluster.html) in the [Clustering in PingAccess](../reference_guides/pa_clustering_ref_guide.html) *reference guide*. |

## Steps

1. Click **Settings**, then go to **Clustering > Engines**.

2. To configure a new engine, click **+ Add Engine**.

3. In the **Name** field, enter a name for the engine.

   Special characters and spaces are allowed.

4. **Optional:** In the **Description** field, enter a description of the engine.

5. If applicable, specify an **HTTP Proxy** for the engine.

   For more information about creating proxies, see [Adding proxies](pa_adding_proxies.html).

   1. To create an HTTP proxy, click **+Create**.

6. If applicable, specify an **HTTPS Proxy** for the engine.

   For more information about creating proxies, see [Adding proxies](pa_adding_proxies.html).

   1. To create an HTTPS proxy, click **+Create**.

7. Specify an **Engine Trusted Certificate** if a TLS-terminating network appliance, such as a load balancer, is placed between the engines and administrative node.

   |   |                                                                                                                                                |
   | - | ---------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | Select the certificate that the network appliance uses. The certificate helps establish a secure HTTP connection with the administrative node. |

8. To generate and download a public and private key pair into the `<enginename>_data.zip` file for the engine, click **Save & Download**.

   The file name is prefixed with the name you gave the engine. Depending on your browser configuration, you might be prompted to save the file.

9. Copy the `.zip` file to the `<PA_HOME>` directory of the corresponding engine in the cluster and extract it.

   The engine uses these files to authenticate and communicate with the administrative console.

   |   |                                                                                                                                                                                                                                                                                                                |
   | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | You can generate a new key for the engine at any time, just repeat steps 8-9.1) Click **Save & Download**.

   2) Extract the `<enginename>_data.zip` file within the engine's `<PA_HOME>` directory.When the engine node starts up and begins using the new configuration files, PingAccess deletes the old key. |

10. On Linux systems running the PingAccess engine, run the `chmod 400 conf/pa.jwk` command on the `pa.jwk` file after you've extracted the `.zip` file.

    ### Result:

    The `pa.jwk` file becomes read-only, preventing it from being overwritten accidentally.

11. Start each engine.
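
The following shell functions apply step 10 and confirm the result before you start the engine in step 11. This is an added example, not part of the PingAccess documentation or product: the function names `audit_pa_jwk` and `lock_pa_jwk` are hypothetical, and the script assumes GNU coreutils `stat` and that the engine runs as the user invoking it.

```shell
#!/bin/sh
# Added example: lock down and audit conf/pa.jwk under an engine's <PA_HOME>.
# Assumptions: GNU coreutils stat (Linux); the engine runs as the invoking user.
# Usage (after sourcing this file): lock_pa_jwk "<PA_HOME>"

# audit_pa_jwk PA_HOME
# Returns 0 only if conf/pa.jwk is a regular file, owned by us, with mode 400.
audit_pa_jwk() {
    jwk="$1/conf/pa.jwk"
    if [ -L "$jwk" ]; then
        echo "FAIL: $jwk is a symlink, not the extracted key file" >&2
        return 2
    fi
    if [ ! -f "$jwk" ]; then
        echo "FAIL: $jwk not found; extract the engine .zip first" >&2
        return 3
    fi
    owner=$(stat -c '%u' "$jwk")
    if [ "$owner" != "$(id -u)" ]; then
        echo "FAIL: $jwk is owned by uid $owner, expected $(id -u)" >&2
        return 4
    fi
    mode=$(stat -c '%a' "$jwk")
    if [ "$mode" != "400" ]; then
        echo "FAIL: $jwk has mode $mode, expected 400" >&2
        return 1
    fi
    echo "OK: $jwk is mode 400"
    return 0
}

# lock_pa_jwk PA_HOME
# Runs the chmod from step 10 relative to PA_HOME, then re-audits the file.
lock_pa_jwk() {
    # Refuse symlinks up front: chmod would change the link target instead.
    if [ -L "$1/conf/pa.jwk" ]; then
        audit_pa_jwk "$1"
        return $?
    fi
    if [ -f "$1/conf/pa.jwk" ]; then
        ( cd "$1" && chmod 400 conf/pa.jwk ) || return 5
    fi
    audit_pa_jwk "$1"
}
```

After regenerating a key by repeating steps 8-9, run `lock_pa_jwk` again, because the newly extracted `pa.jwk` does not inherit the earlier permission change.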

## Next steps

If you specified any proxies, enable the **Use Proxy** option for any sites, token providers, and third party services that require the use of a proxy. For more information, see [Adding sites](pa_adding_sites.html) and the [Token provider](pa_token_provider.html) section.
