--- title: Configuration file reference description: You can configure any of the following properties used by PingAccess at runtime in the /conf/run.properties file. component: pingaccess version: 9.0 page_id: pingaccess:reference_guides:pa_config_file_ref canonical_url: https://docs.pingidentity.com/pingaccess/9.0/reference_guides/pa_config_file_ref.html revdate: October 3, 2025 section_ids: pa-operational-mode: Operational mode pa-admin-properties: Administrative properties pa-token-provider-communication-settings: Token provider communication settings pa-cluster-config-settings: Cluster configuration settings pa-engine-properties: Engine properties pa-agent-properties: Agent properties pa-sideband-properties: Sideband properties pa-url-filtering-settings: URL filtering settings pa-monitoring: Monitoring pa-tls-ssl: TLS/SSL pa-post-preservation-properties: POST preservation properties pa-config-database-and-key-store-settings: Configuration database and key store settings pa-pf-admin-integration-properties: PingFederate administration integration properties pa-admin-console-settings: Administrative console settings pa-ehcache-config-properties: EHCache configuration properties pa-security-headers-properties: Security headers properties pa-localization-settings: Localization settings --- # Configuration file reference You can configure any of the following properties used by PingAccess at runtime in the `/conf/run.properties` file. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | When making changes to the `run.properties` file, use the following guidelines:- When storing passwords in `run.properties`, obfuscate them using the `obfuscate.bat or obfuscate.sh` utility to mask the password value. You can find this utility in the `/bin` folder. - In a clustered environment, each node has a unique `run.properties` file. Because changes to the `run.properties` file can significantly impact performance, use an identical `run.properties` configuration on all engine nodes. - Changes made to the `run.properties` file only take effect after you restart the PingAccess service on the given node. | If you're running PingAccess in FIPS mode, PingAccess ignores all Secure Sockets Layer (SSL) *(tooltip: \
\

A protocol for authenticated and encrypted links between networked machines, typically over HTTPS. SSL was deprecated in 1999 in favor of Transport Layer Security (TLS).\

\
)* cipher and protocol settings in the `run.properties` file. Learn more about the protocols and ciphers used in this mode in [Managing Federal Information Processing Standards (FIPS) mode](../configuring_and_customizing_pingaccess/pa_fips_mode.html). ## Operational mode > **Collapse: Click to expand or collapse the whole section** > > * pa.operational.mode > > Controls the operational mode of the PingAccess server in a cluster. The following table describes the acceptable values: > > > **Collapse: Value** > > > > | Value | Description | > > | --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | > > | `STANDALONE` | Use this value for a standalone (un-clustered) PingAccess instance that runs both the administrative console and the engine. This is the default value. | > > | `CLUSTERED_CONSOLE` | Use this value for the server instance that you want to use as the administrative console server. Only one engine in a cluster can run the administrative console. | > > | `CLUSTERED_CONSOLE_REPLICA` | Use this value for the server instance that you want to use as the backup administrative console server. | > > | `CLUSTERED_ENGINE` | Use this value to indicate a server engine. | > > | | | > | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | > | | Define the following engine and administrative properties depending on what operational mode an engine is using:- Define all engine and administrative properties when `pa.operational.mode` is set to `STANDALONE`. > > - Define only administrative properties when using `CLUSTERED_CONSOLE` or `CLUSTERED_CONSOLE_REPLICA` mode. > > - Define only engine properties when using `CLUSTERED_ENGINE` mode. | > > > **Collapse: Learn more** > > > > * Learn more about configuring nodes using clustered operational mode in the [Clustering Reference Guide](pa_clustering_ref_guide.html). > > > > * Learn more about installing PingAccess in standalone mode in [Installing and Uninstalling PingAccess](../installing_and_uninstalling_pingaccess/pa_installing_and_uninstalling_pa.html). ## Administrative properties > **Collapse: Click to expand or collapse the whole section** > > * admin.port > > Defines the TCP port on which the PingAccess administrative console runs. The default value is `9000`. > > * admin.bindAddress > > Defines the Internet Protocol (IP) *(tooltip: \
> \

The method by which data is sent across the internet from the source host to the destination host.\

> \
)* address that `admin.port` binds to. Typically required on multi-homed servers with multiple IP addresses. The default value of `0.0.0.0` means that the port will bind to all the server's IP addresses. > > * admin.ssl.protocols > > Defines the protocols for use with administrative HTTPS ports. The default value is `$\{tls.default.protocols}`, which uses the protocols specified by the `tls.default.protocols` property. > > * admin.ssl.ciphers > > Defines the type of cryptographic ciphers available for use with administrative HTTPS ports. The default value is `$\{tls.default.cipherSuites}`, which uses the ciphers specified by the `tls.default.cipherSuites` property. > > * admin.acceptors > > Defines the number of admin acceptor threads used to establish connections. The default value is `1`. > > * admin.backlog > > Defines the maximum queue length for incoming admin connection indications. The default value is `512`. > > * admin.httptransport.coreThreadPoolSize > > Defines the number of threads to keep in the admin transport pool, even if they're idle. The default value is `5`. > > * admin.httptransport.ioThreads > > Defines the number of I/O threads for the admin host. The default value is `0`, which indicates that PingAccess should automatically calculate the appropriate number of I/O threads for the host. > > * admin.httptransport.maxThreadPoolSize > > Defines the maximum number of threads for the admin transport pool. The default value is `-1`, which denotes no limit. > > * admin.httptransport.socketTimeout > > Defines, in milliseconds, the admin socket timeout. The default value is `30000`. > > * admin.auth > > Overrides the administrator authentication method. For example, if single sign-on (SSO) *(tooltip: \
> \

The process of authenticating an identity (signing on) at one website (usually with a user ID and password) and then accessing resources secured by other domains without reauthenticating.\

> \
)* authentication is enabled and becomes misconfigured, this property can be used to bypass the database configuration and force the use of Basic authentication. The default value is `default`. A value of `native` overrides the administrator authentication method, meaning that only the local administrator credentials can be used to access the PingAccess console. > > * admin.reuseAddress > > When enabled, allows a process to bind to a port which remains in a `TIME_WAIT` state for the admin transport. The default value is `true`. > > * admin.max.request.bodylength > > Defines, in megabytes, the maximum body length for a request to the administrative application programming interface (API) *(tooltip: \
> \

A specification of interactions available for building software to access an application or service.\

> \
)* endpoint *(tooltip: \
> \

One end in a communication channel, typically a URI.\

> \
)*. The default value is `15`. > > * admin.ui.max.sessions > > Defines the maximum number of sessions for the admin UI when admin single logout (SLO) *(tooltip: \
> \

The process of signing a user out of multiple sites where the user has started a SSO session.\

> \
)* isn't enabled. The default value is `100`. > > * admin.export.encryption.mode > > Specifies how sensitive data should be encrypted on export. The default value is `MASTER_KEY`, which uses the system default master key for encryption. > > | | | > | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | | The `PORTABLE_INSECURE` value uses a randomly generated key for each export and includes the key in the export data.This method allows the exported data to be imported anywhere, including another cluster with a different master key. However, because the exported data includes the key, this method can present a significant security risk. | > > * admin.startup.config.import.failfast > > Defines the behavior when attempting to import a configuration file on startup. A value of `true` stops at the first failure, while a value of `false` continues and notes all errors. The default value is `false`. > > > **Collapse: Learn more** > > > > * Learn more about how some properties are configured during installation in [Installing and Uninstalling PingAccess](../installing_and_uninstalling_pingaccess/pa_installing_and_uninstalling_pa.html). > > > > * Learn more about how some properties impact administrative use in [PingAccess User Interface Reference Guide](../pingaccess_user_interface_reference_guide/pa_ui_ref_guide.html). > > > > * Learn more about how some SSL properties are overridden in FIPS mode in [Managing Federal Information Processing Standards (FIPS) mode](../configuring_and_customizing_pingaccess/pa_fips_mode.html). ## Token provider communication settings > **Collapse: Click to expand or collapse the whole section** > > * pa.default.availability.ondemand.maxRetries > > Defines the maximum number of retries before marking the target system down. The default value is `2`. > > * pa.default.availability.ondemand.connectTimeout > > Defines, in milliseconds, the amount of time to wait before trying to connect to the remote host. The default value is `10000`. > > * pa.default.availability.ondemand.retryDelay > > Defines, in milliseconds, the amount of time to wait after a timeout before retrying the host. The default value is `250`. > > * pa.default.availability.ondemand.failedRetryTimeout > > Defines, in seconds, the amount of time to wait before retrying a failed host. The default value is `60`. > > * pa.default.availability.ondemand.pooledConnectionTimeout > > Defines, in milliseconds, the amount of time to wait before timing out the request for a pooled connection to the target site. The default value is `-1`, which indicates no timeout. > > * pa.default.availability.ondemand.readTimeout > > Defines, in milliseconds, the amount of time to wait before timing out the read response for a target site. The default value is `-1`, which indicates no timeout. > > > **Collapse: Learn more** > > > > * Learn more in the token providers section of the [PingAccess User Interface Reference Guide](../pingaccess_user_interface_reference_guide/pa_ui_ref_guide.html). ## Cluster configuration settings > **Collapse: Click to expand or collapse the whole section** > > * clusterconfig.enabled > > When enabled, uses the cluster configuration port for cluster replication. When disabled, the admin port is used for cluster configuration replication. The default value is `true`. > > | | | > | - | ----------------------------------------------------------------------------------------------------------------------------------------- | > | | This property is set to `false` by the PingAccess upgrade utility after a PingAccess cluster is upgraded from a version earlier than 4.0. | > > * clusterconfig.port > > Defines the optional port used for cluster configuration. The default value is `9090`. > > * clusterconfig.bindAddress > > Defines the optional address used for cluster configuration. The default value is `0.0.0.0`. > > * clusterconfig.acceptors > > Defines the number of cluster configuration acceptor threads used to establish connections. The default value is `1`. > > * clusterconfig.backlog > > Defines the maximum queue length for incoming cluster configuration connection indications. The default value is `512`. > > * clusterconfig.reuseAddress > > When enabled, allows a process to bind to a port, which remains in a `TIME_WAIT` state for the cluster configuration transport. The default value is `true`. > > * clusterconfig.httptransport.socketTimeout > > Defines, in milliseconds, the cluster configuration socket timeout. The default value is `30000`. > > * clusterconfig.httptransport.ioThreads > > Defines the number of I/O threads for the cluster configuration host. The default value is `0`, which indicates that PingAccess should automatically calculate the appropriate number of I/O threads for the host. > > * clusterconfig.httptransport.coreThreadPoolSize > > Defines the number of threads to keep in the cluster configuration transport pool, even if they are idle. The default value is `5`. > > * clusterconfig.httptransport.maxThreadPoolSize > > Defines the maximum number of threads for the cluster configuration transport pool. The default value is `-1`, which denotes no limit. > > * engine.admin.configuration.audience > > Defines the audience used for cluster authentication. This property must be set to the same value on all nodes in a PingAccess cluster. The default value is `PingAccessAdminServer`. > > * engine.polling.initialdelay > > Defines, in milliseconds, how long after the engine starts up before it begins to poll the administrative console for configuration information. The default value is `500`. > > * engine.polling.delay > > Defines, in milliseconds, how long after the prior query to the administrative console that the engine begins a new query for configuration information. The default value is `2000`. > > * engine.polling.test.delay > > Defines, in milliseconds, how long after detecting an engine's `lastUpdated` value to be `null` or `zero` that PingAccess should wait before double-checking the value. The default value is `6000`. > > | | | > | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | | This property determines whether a replacement engine should self-register if PingAccess detects that there's an existing engine with the same name that isn't running. Changing this value changes PingAccess's behavior according to the following table: | > > > **Collapse: Self-registration settings** > > > > | engine.polling.test.delayvalue | PingAccess behavior | > > | ------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > > | A negative number | Self-registration always fails, even if the existing engine with the same name was never updated or isn't polling. | > > | A number from `0` up to the `engine.polling.delay` value | Self-registration happens automatically if the existing engine's `lastUpdated` value is `null` or `0`. | > > | A number that's greater than the `engine.polling.delay `value | Self-registration happens if the existing engine's `lastUpdated` value is `null` or `0`. If the value is greater than `0`, PingAccess waits for a number of milliseconds equal to the `engine.polling.test.delay` value, then checks the `lastUpdated` value a second time.If the value doesn't change, PingAccess allows self-registration. Otherwise, this indicates that the existing engine is active, so PingAccess fails self-registration for the replacement engine. | > > * admin.polling.initialdelay > > Defines, in milliseconds, how long after the replica administrative node starts up before it begins to poll the administrative console for configuration information. The default value is `500`. > > * admin.polling.delay > > Defines, in milliseconds, how long after the prior query to the administrative console that the replica administrative node begin a new query for configuration information. The default value is `2000`. > > * pa.config.replication.readTimeout > > Defines, in milliseconds, the amount of time to wait before timing out the read response for the administrative node. The default value is `30000`. > > * pa.config.replication.maxRetries > > Defines the maximum number of retries before marking the administrative node system down. The default value is `5`. > > * pa.config.replication.connectTimeout > > Defines, in milliseconds, the amount of time to wait before trying to connect to the administrative node. The default value is `5000`. > > * pa.config.replication.retryDelay > > Defines, in milliseconds, the amount of time to wait after a timeout before retrying the administrative node. The default value is `2000`. > > * pa.config.replication.failedRetryTimeout > > Defines, in seconds, the amount of time to wait before retrying a failed connection to the administrative node. The default value is `-1`, which indicates no timeout. > > * pa.config.replication.pooledConnectionTimeout > > Defines, in milliseconds, the amount of time to wait before timing out the request for a pooled connection to the administrative node. The default value is `-1`, which indicates no timeout. > > > **Collapse: Learn more** > > > > * Learn more about cluster configuration in the [Clustering Reference Guide](pa_clustering_ref_guide.html). ## Engine properties > **Collapse: Click to expand or collapse the whole section** > > * engine.http.bindAddress > > Defines the address for an engine in a clustered environment. The default value is `0.0.0.0`. > > * engine.http.acceptors > > Defines the number of engine acceptor threads used to establish connections. The default value is `1`. > > * engine.http.backlog > > Defines the maximum queue length for incoming engine connection indications. The default value is `512`. > > * engine.http.reuseAddress > > When enabled, allows a process to bind to a port which remains in a `TIME_WAIT` state for the engine transport. The default value is `true`. > > * engine.http.enabled > > Defines whether the engine node (either `STANDALONE` or `CLUSTERED_ENGINE`, if you're running PingAccess in a cluster) listens for requests on the ports defined by the engine listeners. The default value is `true`. > > * engine.httptransport.coreThreadPoolSize > > Defines the number of threads to keep in the engine transport pool, even if they are idle. The default value is `5`. > > * engine.httptransport.maxThreadPoolSize > > Defines the maximum number of threads for the engine transport pool. The default value is `-1`, which denotes no limit. > > * engine.httptransport.socketTimeout > > Defines, in milliseconds, the engine socket timeout. The default value is `30000`. > > * engine.httptransport.ioThreads > > Defines the number of I/O threads for the engine host. The default value is `0` which denotes that PingAccess should automatically calculate the appropriate number of I/O threads for the host. > > * engine.websocket.maxConnections > > Sets the maximum number of allowed web socket connections. The default value is `-1`, which denotes no limit. > > * engine.ssl.protocols > > Defines the protocols used with engine HTTPS ports. The default value is `TLSv1, TLSv1.1, TLSv1.2, TLSv1.3`. > > * engine.ssl.ciphers > > Defines the type of cryptographic ciphers available for use with engine HTTPS ports. The default value is `$\{tls.default.cipherSuites}`, which uses the ciphers specified by the `tls.default.cipherSuites` property. > > * client.ioThreads > > Defines the number of threads for client connections to backend sites. The default value is `0`, which denotes no limit. > > * pa.default.contentRewrite.buffer.min > > Defines, in bytes, the minimum buffer size used when using a rewrite content rule. The default value is `1024`. > > * pa.default.contentRewrite.buffer.default > > Defines, in bytes, the default buffer size when using a rewrite content rule to do a search and replace of content. The default value is `2048`. > > * pa.default.limitRequestLine > > Defines the maximum number of bytes to read from the request line. The default value is `8192`. > > * pa.default.maxHeaderCount > > Defines the maximum number of headers to read from a request. The default value is `100`. > > * pa.default.maxHttpHeaderSize > > Defines the maximum number of bytes to read when reading headers. The default value is `8192`. > > * pa.default.maxRequestBodySize > > Defines the maximum number of bytes to read from a request body. The default value is `204800`. > > * pa.default.maxConnectionsPerSite > > Defines the maximum number of connections PingAccess can open to the PingFederate admin or engine. The default value is `-1`, which denotes no limit. > > * pa.default.session.cookie.attributes.httponly > > Defines the default setting for the **HTTP-Only Cookie** setting for newly created web sessions. The default value is `true`. > > * pa.default.session.cookie.attributes.secure > > Defines the default setting for the **Secure Cookie** setting for newly created web sessions. The default value is `true`. > > * pa.default.session.cookie.size.threshold > > Defines, in bytes, the default maximum session cookie size. The default value is `4093`. > > * pa.websession.cookie.sameSiteExcludedUserAgentPatterns > > A comma-separated list of regex that specifies whether an end-user browser should have `SameSite=None` applied to cookies issued to it. If the user-agent header from a request matches any of the values in the list, any PingAccess-issued cookie is set with no `SameSite` attribute if `SameSite=None` would otherwise have been applied. The default value is: > > ``` > ^.\\(iP.+; CPU .*OS 12[_\\d].\\) AppleWebKit\\/.$,\ > ^.Macintosh;.*Mac OS X 10_14.*Version.*Safari.$,\ > ^.(Chromium|Chrome)\\/(5[1-9]|6[0-6])\\.(\\d+)(?:\\.(\\d+)|)(?:\\.(\\d+)|).$,\ > ^.UCBrowser\\/[0-9][0-1]?.(\\d+)\\.(\\d+)[\\.\\d].$,\ > ^.*UCBrowser\\/12.[0-9][0-2]?.(\\d+)[\\.\\d].$,\ > ^.*UCBrowser\\/12.13.[0-2][\\.\\d].*$ > ``` > > * pa.default.session.cookie.attributes.partitioned > > When enabled, adds the `Partitioned` attribute to cookies set by PingAccess. This ensures that cross-site cookies continue to be readable within the same context that they're created in. Learn more in the [PingAccess 8.1 release notes](../release_notes/pa_release_notes.html#previous-releases). > > The default value is `false`. If you edit this value, restart PingAccess to make your changes take effect. > > * pa.default.cookie.attributes.partitioned.excludedUserAgentPatterns > > If `pa.default.session.cookie.attributes.partitioned` is enabled, or if you've selected **Partitioned Cookie** on a [web session](../pingaccess_user_interface_reference_guide/pa_advanced_web_session_settings.html) or the [admin web session](../pingaccess_user_interface_reference_guide/pa_configuring_session_properties.html), you can define a comma-separated list of regex to declare any user-agents that don't support the `Partitioned` attribute. If the user-agent header from a request matches any of the values in the list, PingAccess excludes the `Partitioned` attribute from any related cookies that it sets. > > For example: > > ``` > pa.default.cookie.attributes.partitioned.excludedUserAgentPatterns= ^.\\(iP.+; CPU .*OS 12[\\d].\\) AppleWebKit\\/.$,\ > > ^.Macintosh;.*Mac OS X 10_14.*Version.*Safari.$,\ > > ^.(Chromium|Chrome)\\/(5[1-9]|6[0-6])\\.(\\d+)(?:\\.(\\d+)|)(?:\\.(\\d+)|).$,\ > > ^.UCBrowser\\/[0-9][0-1]?.(\\d+)\\.(\\d+)[\\.\\d].$,\ > > ^.*UCBrowser\\/12.[0-9][0-2]?.(\\d+)[\\.\\d].$,\ > > ^.*UCBrowser\\/12.13.[0-2][\\.\\d].$,\ > > ^.\\(Macintosh;.Mac OS X 10_14[\\d].\\) AppleWebKit\\/[\\.\\d]+ \\(KHTML. like Gecko\\)$,\ > > Box.\\/.+Darwin\\/10.14.$,\ > > ^.*PAN GlobalProtect.*Mac OS X 10.*14.$ > ``` > > By default, this property doesn't have a value. If you edit this value, restart PingAccess to make your changes take effect. > > * pa.uri.strict > > When enabled, this setting requires that the raw input Uniform Resource Identifier (URI) *(tooltip: \
> \

Identifies a web resource with a string of characters conforming to a specified format.\

> \
)* be in strict compliance with the URI spec implemented by `java.net.URI` when generating URIs. The default value is `false`. > > * pa.uri.canonicalize > > When enabled, PingAccess normalizes empty and dot path segments that contain URL-encoded forward slashes (`/`, encoded as `%2f`) or periods (encoded as `%2e`). When this setting has a value of `false`, PingAccess doesn't normalize empty and dot path segments that contain URL-encoded forward slashes or periods. The default value is `true`. > > > **Collapse: Learn more** > > > > * Learn more about cluster configuration in the [Clustering Reference Guide](pa_clustering_ref_guide.html). > > > > * Learn more about how some SSL properties are overridden in FIPS mode in [Managing Federal Information Processing Standards (FIPS) mode](../configuring_and_customizing_pingaccess/pa_fips_mode.html). ## Agent properties > **Collapse: Click to expand or collapse** > > * agent.http.port > > Defines the TCP port on which the engine listens for agent requests. The default value is `3030`. > > * agent.http.bindAddress > > Defines the address from which an engine listens for agent requests. The default value is `0.0.0.0`. > > * agent.http.acceptors > > Defines the number of acceptor threads used to establish agent connections. The default value is `1`. > > * agent.http.secure > > Defines whether the engine is using HTTPS for agent requests. The default value is `true`. > > * agent.http.backlog > > Defines the maximum queue length for incoming agent connection indications. The default value is `512`. > > * agent.http.enabled > > Defines whether the engine node (either `STANDALONE` or `CLUSTERED_ENGINE`, if you're running PingAccess in a cluster) listens for agent requests on the port defined by the `agent.http.port` setting. The default value is `true`. > > * agent.http.reuseAddress > > When enabled, allows a process to bind to a port which remains in a `TIME_WAIT` state for the agent transport. The default value is `true`. > > * agent.ssl.protocols > > Defines the protocols used for communication with agent HTTPS ports. The default value is `${tls.default.protocols}`, which uses the protocols specified by the `tls.default.protocols` property. > > * agent.ssl.ciphers > > Defines the type of cryptographic ciphers available for use with agent HTTPS ports. The default value is `${tls.default.cipherSuites}`, which uses the ciphers specified by the `tls.default.cipherSuites` property. > > * agent.httptransport.coreThreadPoolSize > > Defines the number of threads to keep in the agent transport pool, even if they are idle. The default value is `5`. > > * agent.httptransport.maxThreadPoolSize > > Defines the maximum number of threads for the agent transport pool. The default value is `-1`, which denotes no limit. > > * agent.httptransport.socketTimeout > > Defines, in milliseconds, the agent socket timeout. The default value is `30000`. > > * agent.httptransport.ioThreads > > Defines the number of I/O threads for the agent host. The default value is `0`, which denotes that PingAccess should automatically calculate the appropriate number of I/O threads for the host. > > * agent.authz.header.required > > Defines whether PingAccess server should authenticate agent requests using agent name and shared secret in the vnd-pi-authz header. The default value is `true`. Setting this to `false` is useful for POCs and/or debugging. > > * agent.default.token.cache.ttl > > Defines, in seconds, the time to live for cached agent tokens. The default value is `60`. > > > **Collapse: Learn more** > > > > * Learn more about agent settings in [PingAccess User Interface Reference Guide](../pingaccess_user_interface_reference_guide/pa_ui_ref_guide.html). > > > > * Learn more about agent installation and management for Apache (RHEL) in [PingAccess Agent for Apache (RHEL)](../agents_and_integrations/pa_agent_for_apache_rhel.html). > > > > * Learn more about agent installation and management for Apache (SLES) in [PingAccess Agent for Apache (SLES)](../agents_and_integrations/pa_agent_for_apache_sles.html). > > > > * Learn more about agent installation and management for Apache (Windows) in [PingAccess Agent for Apache (Windows)](../agents_and_integrations/pa_agent_for_apache_windows.html). > > > > * Learn more about agent installation and management for IIS in [PingAccess Agent for IIS](../agents_and_integrations/pa_agent_for_iis.html). > > > > * Learn more about agent installation and management foe NGINX in [PingAccess Agent for NGINX](../agents_and_integrations/pa_agent_for_nginx.html). > > > > * Learn more about how some SSL properties are overridden in FIPS mode in [Managing Federal Information Processing Standards (FIPS) mode](../configuring_and_customizing_pingaccess/pa_fips_mode.html). ## Sideband properties > **Collapse: Click to expand or collapse the whole section** > > * sideband.http.port > > Defines the TCP port on which the engine listens for sideband requests. The default value is `3020`. > > * sideband.http.bindAddress > > Defines the address from which an engine listens for sideband requests. The default value is `0.0.0.0`. > > * sideband.http.acceptors > > Defines the number of acceptor threads used to establish sideband connections. The default value is `1`. > > * sideband.http.secure > > Defines whether the engine is using HTTPS for sideband requests. The default value is `true`. > > * sideband.http.backlog > > Defines the maximum queue length for incoming sideband connection indications. The default value is `512`. > > * sideband.http.enabled > > Defines whether the engine node (either `STANDALONE` or `CLUSTERED_ENGINE`, if you're running PingAccess in a cluster) listens for sideband requests on the port defined by the `sideband.http.port` setting. The default value is `false`. > > * sideband.http.reuseAddress > > When enabled, allows a process to bind to a port which remains in a `TIME_WAIT` state for the sideband transport. The default value is `true`. > > * sideband.ssl.protocols > > Defines the protocols used for communication with sideband HTTPS ports. The default value is `${tls.default.protocols}`, which uses the protocols specified by the `tls.default.protocols` property. > > * sideband.ssl.ciphers > > Defines the type of cryptographic ciphers available for use with sideband HTTPS ports. The default value is `${tls.default.cipherSuites}`, which uses the ciphers specified by the `tls.default.cipherSuites` property. > > * sideband.httptransport.coreThreadPoolSize > > Defines the number of threads to keep in the sideband transport pool, even if they are idle. The default value is `5`. > > * sideband.httptransport.maxThreadPoolSize > > Defines the maximum number of threads for the sideband transport pool. The default value is `-1`, which denotes no limit. > > * sideband.httptransport.socketTimeout > > Defines, in milliseconds, the sideband socket timeout. The default value is `30000`. > > * sideband.httptransport.ioThreads > > Defines the number of I/O threads for the sideband host. The default value is `0`, which denotes that PingAccess should automatically calculate the appropriate number of I/O threads for the host. > > > **Collapse: Learn more** > > > > * Learn more about how to configure a sideband client in the user interface in [Sideband Clients](../pingaccess_user_interface_reference_guide/pa_sideband_clients.html). > > > > * Learn more about how some SSL properties are overwritten in FIPS mode in [Managing Federal Information Processing Standards (FIPS) mode](../configuring_and_customizing_pingaccess/pa_fips_mode.html). ## URL filtering settings > **Collapse: Click to expand or collapse the whole section** > > * pa.interceptors.relativepath.strict > > When this property is set to `true`, the incoming URL is matched with the allow list pattern defined in `pa.interceptors.relativepath.decode.regex`. All other request URLs are rejected. The default value is `false`. > > * pa.interceptors.relativepath.decode.count > > Defines the number of times the URL is decoded to check for path traversal characters. The default value is `3`. > > * pa.interceptors.relativepath.decode.regex > > Defines the regular expression to use when checking for a valid path in an incoming request. The default value is: > > ``` > [\\p{Po}\\p{N}\\p{Z}\\p{L}\\p{M}\\p{Zs}\\./_\\-\\\\~()\\{\\}\\[\\]]* > ``` > > | | | > | - | ------------------------------------------------------------------------------------- | > | | This value is double-escaped as required by the `java.util.regex.Pattern` Java class. | > > > **Collapse: Learn more** > > > > * You can find more information about URL filtering in [Adding rewrite URL rules](../pingaccess_user_interface_reference_guide/pa_adding_rewrite_url_rules.html). ## Monitoring > **Collapse: Click to expand or collapse the whole section** > > * pa.mbean.site.connection.pool.enable > > When set to `true`, enables Java Management Extensions (JMX) *(tooltip: \
> \

Java technology that provides tools for managing and monitoring applications, devices, system objects, and service-oriented networks.\

> \
)* read-only access to backend connection pools. This can be useful when troubleshooting latency issues because it provides information about requests that are waiting for a connection to targets in a site when `maxConnections` isn't unlimited. The default value is `false`. > > * enable.detailed.heartbeat.response > > When enabled, this setting enables a customizable heartbeat response to be returned. When disabled, the heartbeat endpoint returns a `200 OK` response. The default value is `false`. > > * pa.statistics.window\.seconds > > If the `enable.detailed.heartbeat.response` property is set to `true`, this property sets the number of seconds back to collect response statistics. A value less than `1` disables collection. The default value is `0`. > > > **Collapse: Learn more** > > > > * You can find more information about monitoring in the [PingAccess Monitoring Guide](../pingaccess_monitoring_guide/pa_monitoring_guide.html). ## TLS/SSL > **Collapse: Click to expand or collapse the whole section** > > * tls.default.protocols > > Defines the default protocols used for HTTPS communication. The default value is `TLSv1.1, TLSv1.2, TLSv1.3`. > > * tls.default.cipherSuites > > Defines the default set of ciphers used for HTTPS communication. The default value is: > > ``` > TLS_CHACHA20_POLY1305_SHA256,\ > TLS_AES_256_GCM_SHA384,\ > TLS_AES_128_GCM_SHA256,\ > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\ > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\ > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,\ > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,\ > TLS_RSA_WITH_AES_128_GCM_SHA256,\ > TLS_RSA_WITH_AES_128_CBC_SHA256,\ > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,\ > TLS_EMPTY_RENEGOTIATION_INFO_SCSV > ``` > > | | | > | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | | Legacy browsers might require the addition of SHA1-based ciphers to negotiate a cipher suite with the server. In this case, add the following ciphers to the `run.properties` file and restart PingAccess:- `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` > > - `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` > > - `TLS_RSA_WITH_AES_128_CBC_SHA` | > > * clusterconfig.ssl.protocols > > Defines the protocols used for communication with HTTPS ports in a clustered configuration. The default value is `$\{tls.default.protocols}`, which uses the protocols specified by the `tls.default.protocols` property. > > * clusterconfig.ssl.ciphers > > Defines the type of cryptographic ciphers available for use with HTTPS ports in a clustered configuration. The default value is `$\{tls.default.cipherSuites}`, which uses the ciphers specified by the `tls.default.cipherSuites` property. > > * site.ssl.protocols > > Defines the protocols used for communication with site HTTPS ports. There is no default value. When not specified, PingAccess uses the protocols defined in the Java Development Kit (JDK) *(tooltip: \
> \

A development environment for building applications and components using Java.\

> \
)*. > > * site.ssl.ciphers > > Defines the type of cryptographic ciphers available for use with site HTTPS ports. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK. > > * pf.ssl.protocols > > Defines the protocols used for communication with PingFederate HTTPS ports. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK. > > * pf.ssl.ciphers > > Defines the type of cryptographic ciphers available for use with PingFederate HTTPS ports. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK. > > * provider.ssl.protocols > > Defines the protocols used for communication with provider HTTPS ports. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK. > > * provider.ssl.ciphers > > Defines the type of cryptographic ciphers available for use with provider HTTPS ports. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK. > > * as.ssl.protocols > > Defines the protocols used for communication with authorization server HTTPS ports. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK. > > * as.ssl.ciphers > > Defines the type of cryptographic ciphers available for use with authorization server HTTPS ports. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK. > > * p14c.ssl.protocols > > Defines the protocols used for communication with PingOne. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK. > > * p14c.ssl.ciphers > > Defines the type of cryptographic ciphers available for use with PingOne. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK. > > * thirdpartyservice.ssl.protocols > > Defines the protocols used for communication with third-party services. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK. > > * thirdpartyservice.ssl.ciphers > > Defines the type of cryptographic ciphers available for use with third-party services. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK. > > > **Collapse: Learn more** > > > > * You can find more information about the use of TLS/SSL settings for security in the [PingAccess Hardening Guide](https://support.pingidentity.com/s/article/PingAccess-Security-Hardening-Guide). > > > > * Learn more about how some TLS properties are overwritten in FIPS mode in [Managing Federal Information Processing Standards (FIPS) mode](../configuring_and_customizing_pingaccess/pa_fips_mode.html). ## POST preservation properties > **Collapse: Click to expand or collapse the whole section** > > * pa.oidc.post.preservation.encrypt > > When enabled, PingAccess preserves POST data through a redirection to PingFederate for authentication is encrypted on the client to be used after the authentication is successful. The default value is `false`. > > * pa.oidc.post.preservation.maxRequestBodySize > > Defines, in bytes, the maximum size of the request body for POST preservation. The default value is `8192`. > > * pa.oidc.post.preservation.paramsAttributeName > > Used to store the encoded or encrypted POST payload in the browser session storage during POST preservation. The default value is `postParams`. > > > **Collapse: Learn more** > > > > * Learn more about the use of POST preservation in system templates meant to provide information to the end user in [User-facing page customization reference](../configuring_and_customizing_pingaccess/pa_user_facing_page_customization_ref.html). > > > > * Learn more about the use of POST preservation in system templates meant to provide localized versions of user-facing status messages generated by PingAccess in [User-facing page localization reference](../configuring_and_customizing_pingaccess/pa_user_facing_page_localization_ref.html). > > > > * Learn more about the use of POST preservation in web sessions in the [PingAccess User Interface Reference Guide](../pingaccess_user_interface_reference_guide/pa_ui_ref_guide.html). ## Configuration database and key store settings > **Collapse: Click to expand or collapse the whole section** > > * derby.language.statementCacheSize > > Defines the number of statements that are stored in memory. The default value is `500`. > > * derby.storage.pageCacheSize > > Defines the number of pages cached in memory. The default value is `1000`. > > * pa.trust.keystore.type > > Defines the truststore type for the `$JAVA_HOME/lib/security/cacerts` keystore. The default value is `JKS`. > > | | | > | - | ----------------------------------------------------------------------------------- | > | | PKCS#12 isn't supported if you're using FIPS mode, because it isn't FIPS-compliant. | > > * pa.trust.keystore.path > > Defines the path for the `$JAVA_HOME/lib/security/cacerts` keystore. The default value is `${java.home}/lib/security/cacerts`. > > * pa.keystore.pw > > Defines the password for the truststore configured in the `pa.trust.keystore.path` property. The value is encrypted. > > > **Collapse: Learn more** > > > > * Learn more about the initial database settings in [Installing and Uninstalling PingAccess](../installing_and_uninstalling_pingaccess/pa_installing_and_uninstalling_pa.html). > > > > * Learn more about adjusting PingAccess settings for specific environments in the [Performance Tuning Reference Guide](pa_performance_tuning.html). > > > > * Learn more about how the native Apache Derby properties are used in the [Apache Derby: Documentation](https://db.apache.org/derby/manuals/) in the Apache documentation. ## PingFederate administration integration properties > **Collapse: Click to expand or collapse the whole section** > > * pf.api.maxRetries > > Defines the maximum number of retries PingAccess attempts to make to the PingFederate server before declaring the server unavailable. The default value is `0`. > > * pf.api.socketTimeout > > Defines, in milliseconds, the socket timeout for the PingFederate API endpoint. The default value is `5000`. > > * pf.api.maxConnections > > Defines the maximum number of connections PingAccess will establish to the PingFederate API endpoint. The default value is `-1`, which means there is no limit. > > * pf.api.keepAliveTimeout > > Defines, in milliseconds, the keep alive timeout for the PingFederate API. The default value is `30000`. > > * pf.api.readTimeout > > Defines, in milliseconds, how long the API will wait for responses from PingFederate when making calls to the PingFederate administrative API. The default value is `-1`, which means there is no limit. > > > **Collapse: Learn more** > > > > You can find more information about using PingAccess with PingFederate in: > > > > * [Configure PingFederate as the token provider for PingAccess](../token_providers/pa_configure_pf_as_the_token_provider_for_pa.html). > > > > * [PingAccess User Interface Reference Guide](../pingaccess_user_interface_reference_guide/pa_ui_ref_guide.html). ## Administrative console settings > **Collapse: Click to expand or collapse the whole section** > > * pa.backup.filesToKeep > > Defines the number of backup files to preserve when the administrator authenticates to PingAccess. The default value is `25`. A value of `0` disables the creation of backup files. > > | | | > | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | | Disabling the creation of backup files can speed up the sign-on process in large environments. If you disable the creation of backup files, use the administrative API backup endpoint to create regular backups. | > > * pa.admin.user.password.regex > > Defines the regex that controls password complexity for the administrative console. The default value is: > > ``` > ((?=.\\d)(?=.[a-z])(?=.*[A-Z]).{8,20}) > ``` > > * pa.admin.user.password.error.message > > Defines the message returned when password complexity isn't satisfied. The default value is `Password must be at least 8 characters in length, contain one upper-case letter, one lower-case letter and one digit`. > > * pa.admin.test.connections > > A boolean property that allows the PingAccess administrative console to make HTTP calls to validate that it can reach PingFederate and sites when the user configures them. The default value is `true`. > > * account.locking.max.consecutive.failures > > Defines the maximum number of failed sign-on attempts before locking the account when using basic authentication in the administrative console or administrative REST APIs. The default value is `3`. > > * account.locking.max.lockout.period > > Defines, in minutes, the amount of time to lock an account out from the administrative interfaces after exceeding the `account.locking.max.consecutive.failures`. The default value is `1`. > > > **Collapse: Learn more** > > > > * You can find more information about PingAccess administration in the [PingAccess User Interface Reference Guide](../pingaccess_user_interface_reference_guide/pa_ui_ref_guide.html). ## EHCache configuration properties > **Collapse: Click to expand or collapse the whole section** > > * pa.ehcache.PingFederateReferenceTokenCache.maxEntriesLocalHeap > > Defines the maximum number of entries in the local heap for OAuth *(tooltip: \
> \

A standard framework that enables an application (OAuth client) to obtain access tokens from an OAuth authorization server for the purpose of retrieving protected resources on a resource server.\

> \
)* tokens. The default value is `10000`. > > * pa.ehcache.PingFederateReferenceTokenCache.timeToIdleSeconds > > Defines, in seconds, the time an entry in the OAuth token cache can be idle before it is expired. The default value is `0`. > > * pa.ehcache.PingFederateReferenceTokenCache.timeToLiveSeconds > > Defines, in seconds, the maximum time an entry can be in the OAuth token cache. The default value is `0`. > > * pa.ehcache.ServiceTokenCache.maxEntriesLocalHeap > > Defines the maximum number of entries in the local heap for token mediation. The default value is `10000`. > > * pa.ehcache.ServiceTokenCache.timeToIdleSeconds > > Defines, in seconds, the time an entry in the token mediation cache can be idle before it is expired. The default value is `1800`. > > * pa.ehcache.ServiceTokenCache.timeToLiveSeconds > > Defines, in seconds, the maximum time an entry can be in the token mediation cache. The default value is `14400`. > > * pa.ehcache.PATokenValidationCache.maxEntriesLocalHeap > > Defines the maximum number of entries in the local heap for decryption of signed or encrypted PingAccess tokens. The default value is `10000`. > > * pa.ehcache.PATokenValidationCache.timeToIdleSeconds > > Defines, in seconds, the time an entry in the token validation cache can be idle before it is expired. The default value is `120`. > > * pa.ehcache.PATokenValidationCache.timeToLiveSeconds > > Defines, in seconds, the maximum time an entry can be in the token validation cache. The default value is `300`. > > * pa.ehcache.PFSessionValidationCache.maxEntriesLocalHeap > > Defines the maximum number of entries in the local heap for the session validation cache. The default value is `10000`. > > * pa.ehcache.PFSessionValidationCache.timeToIdleSeconds > > Defines, in seconds, the time an entry in the session validation cache can be idle before it expires. The default value is `120`. > > * pa.ehcache.PFSessionValidationCache.timeToLiveSeconds > > Defines, in seconds, the maximum time an entry can be in the session validation cache. The default value is `300`. > > * pa.ehcache.PAWamUserAttributesCache.maxEntriesLocalHeap > > Defines the maximum number of entries in the local heap for the PingAccess Web Access Management (WAM) user attribute cache. The default value is `10000`. > > * pa.ehcache.PAWamUserAttributesCache.timeToIdleSeconds > > Defines, in seconds, the time an entry in the PingAccess WAM user attribute cache can be idle before it is expired. The default value is `120` seconds. > > * pa.ehcache.PAWamUserAttributesCache.timeToLiveSeconds > > Defines, in seconds, the maximum time an entry can be in the PingAccess WAM user attribute cache. The default value is `300` seconds. > > * pa.ehcache.AuthTokenCache.maxEntriesLocalHeap > > Defines the maximum size of the JSON Web Token (JWT) *(tooltip: \
> \

An IETF standard container format for a JSON object used for the secure exchange of content, such as identity or entitlement information. You can find the industry standard in \RFC 7519\.\

> \
)* identity mapping token cache used when sending tokens to a protected site. The default value is `10000`. > > * pa.ehcache.SessionStateCache.maxEntriesLocalHeap > > Defines the maximum size of the identity attribute entry cache when the user's attributes are stored on the server rather than as a cookie. The default value is `10000`. > > * pa.ehcache.AzureGroupNameCache.maxEntriesLocalHeap > > Defines the maximum number of entries in the local heap for the Azure group name cache. The default value is `10000`. > > > **Collapse: Learn more** > > > > * You can find more information about EHCache configuration in the [Clustering Reference Guide](pa_clustering_ref_guide.html). ## Security headers properties > **Collapse: Click to expand or collapse the whole section** > > * admin.headers > > Additional headers added to responses from the PingAccess administrative console and the administrative API interface. Define header values using the `admin.header` prefix. The default value is: > > ``` > X-Frame-Options,X-XSS-Protection,X-Content-Type-Options,Strict-Transport-Security,Content-Security-Policy > ``` > > * admin.header.X-Frame-Options > > Sets the parameters for the `X-Frame-Options` HTTP response header sent to the browser when an admin is interacting with the administrative console. The default value is `DENY`. > > Learn more about this header and its potential values in [x-frame-options](https://html.spec.whatwg.org/multipage/document-lifecycle.html#x-frame-options). > > * admin.header.X-XSS-Protection > > Sets the parameters for the `X-XSS-Protection` HTTP response header sent to the browser when an admin is interacting with the administrative console. The default value is `1; mode=block`. > > * admin.header.X-Content-Type-Options > > Sets the parameters for the `X-Content-Type-Options` response header sent to the browser when an admin is interacting with the administrative console. The default value is `nosniff`. > > * admin.header.Content-Security-Policy > > Sets the parameters for the `content-security-policy` response header sent by PingAccess in response to API calls. The default value is: > > ``` > default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' data:; > ``` > > * admin.header.Strict-Transport-Security > > Sets the parameters for the `Strict-Transport-Security` response header sent to the browser when an administrator is interacting with the administrative console. This property is commented out by default and should be enabled only if the admin and engine use different host names. The default value is `max-age=31536000; includeSubDomains`. > > * agent.assets.headers > > Additional headers added to responses from PingAccess agents. Header values are defined using the `agent.assets.header` prefix. The default value is `X-Frame-Options`. > > * agent.assets.header.X-Frame-Options > > Sets the parameters for the `X-Frame-Options` HTTP response header sent to the browser using the agent when responding to a request for an asset used by a PingAccess template. The default value is `DENY`. > > Learn more about this header and its potential values in [x-frame-options](https://html.spec.whatwg.org/multipage/document-lifecycle.html#x-frame-options). > > * agent.error.headers > > Additional headers added to error responses from PingAccess agents. Header values are defined using the `agent.error.header` prefix. The default value is `X-Frame-Options, Content-Security-Policy`. > > | | | > | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | | `Content-Security-Policy` might be omitted if PingAccess was upgraded with template customizations. To enable for this case, add the `Content-Security-Policy` value to this property and uncomment `agent.error.header.Content-Security-Policy`. | > > * agent.error.header.Content-Security-Policy > > Sets the parameters for the `Content-Security-Policy` HTTP response header sent to the browser using the agent when responding with a PingAccess error template. The default value is: > > ``` > default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; > ``` > > | | | > | - | --------------------------------------------------------------------------------------------- | > | | This property might be commented out if PingAccess was upgraded with template customizations. | > > * agent.error.header.X-Frame-Options > > Sets the parameters for the `X-Frame-Options` HTTP response header sent to the browser using the agent when responding with a PingAccess error template. The default value is `DENY`. > > Learn more about this header and its potential values in [x-frame-options](https://html.spec.whatwg.org/multipage/document-lifecycle.html#x-frame-options). > > * engine.assets.headers > > Additional headers added to responses from the PingAccess engine. Header values are defined using the `engine.assets.header` prefix. The default value is `X-Frame-Options`. > > * engine.assets.header.X-Frame-Options > > Sets the parameters for the `X-Frame-Options` HTTP response header sent to the browser using the engine when responding to a request for an asset used by a PingAccess template. The default value is `DENY`. > > Learn more about this header and its potential values in [x-frame-options](https://html.spec.whatwg.org/multipage/document-lifecycle.html#x-frame-options). > > * engine.error.headers > > Additional headers added to error responses from the PingAccess engine. Define header values using the `engine.error.header` prefix. The default value is `X-Frame-Options, Content-Security-Policy`. > > | | | > | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | | `Content-Security-Policy` might be omitted if PingAccess was upgraded with template customizations. If you want to enable for this case, add the `Content-Security-Policy` value to this property and uncomment `engine.error.header.Content-Security-Policy`. | > > * engine.error.header.Content-Security-Policy > > Sets the parameters for the `Content-Security-Policy` HTTP response header sent to the browser using the engine when responding with a PingAccess error template. The default value is: > > ``` > default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; > ``` > > | | | > | - | --------------------------------------------------------------------------------------------- | > | | This property might be commented out if PingAccess was upgraded with template customizations. | > > * engine.error.header.X-Frame-Options > > Sets the parameters for the `X-Frame-Options` HTTP response header sent to the browser using the engine when responding with a PingAccess error template. The default value is `DENY`. > > Learn more about this header and its potential values in [x-frame-options](https://html.spec.whatwg.org/multipage/document-lifecycle.html#x-frame-options). > > * sideband.assets.headers > > Additional headers added to responses from PingAccess sideband clients. Define header values using the `sideband.assets.header` prefix. The default value is `X-Frame-Options`. > > * sideband.assets.header.X-Frame-Options > > Sets the parameters for the `X-Frame-Options` HTTP response header sent to the browser using the sideband client when responding to a request for an asset used by a PingAccess template. The default value is `DENY`. > > Learn more about this header and its potential values in [x-frame-options](https://html.spec.whatwg.org/multipage/document-lifecycle.html#x-frame-options). > > | | | > | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | | `Content-Security-Policy` might be omitted if PingAccess was upgraded with template customizations. To enable for this case, add the `Content-Security-Policy` value to this property and uncomment `sideband.error.header.Content-Security-Policy`. | > > * sideband.error.header.Content-Security-Policy > > Sets the parameters for the `Content-Security-Policy` HTTP response header sent to the browser using the sideband client when responding with a PingAccess error template. The default value is: > > ``` > default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; > ``` > > | | | > | - | --------------------------------------------------------------------------------------------- | > | | This property might be commented out if PingAccess was upgraded with template customizations. | > > * sideband.error.headers > > Additional headers added to error responses from PingAccess sideband clients. Define header values using the `sideband.error.header` prefix. The default value is `X-Frame-Options,Content-Security-Policy`. > > | | | > | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | | `Content-Security-Policy` might be omitted if PingAccess was upgraded with template customizations. To enable for this case, add the `Content-Security-Policy` value to this property and uncomment `sideband.error.header.Content-Security-Policy`. | > > * sideband.error.header.X-Frame-Options > > Sets the parameters for the `X-Frame-Options` HTTP response header sent to the browser using the sideband client when responding with a PingAccess error template. The default value is `DENY`. > > Learn more about this header and its potential values in [x-frame-options](https://html.spec.whatwg.org/multipage/document-lifecycle.html#x-frame-options). > > * pf.redirect.use.default.csp > > Determines whether PingAccess uses the default CSP for HTML authentication challenge responses (ACRs) for web apps. The default value is `true`. > > If you set the `pf.redirect.use.default.csp` property to `false`, you can use the `pf.redirect.headers` to set the CSP that PingAccess uses. > > | | | > | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | | Make sure to use the `pf.redirect.headers` to configure a value if you set `pf.redirect.use.default.csp` to `false`. Otherwise, PingAccess won't use any CSP. | > > * pf.redirect.headers > > Additional headers added to the redirection response that sends the client to PingFederate for authentication. > > These headers are added when using the **SPA Support Disabled** authentication challenge policy (ACP), the global PingFederate Redirect Headers Appender challenge response filter, or an application that's configured without an ACP and has SPA support disabled. > > Define header values using the `pf.redirect.header` prefix. The default value is `X-Frame-Options,Content-Security-Policy`. > > | | | > | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | | `Content-Security-Policy` might be omitted if PingAccess was upgraded with template customizations. If you want to enable for this case, add the `Content-Security-Policy` value to this property and uncomment `pf.redirect.header.Content-Security-Policy`. | > > * pf.redirect.header.Content-Security-Policy > > Sets the parameters for the `Content-Security-Policy` HTTP response header that is sent when the user is redirected to PingFederate to authenticate. The default value is: > > ``` > default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; > ``` > > | | | > | - | --------------------------------------------------------------------------------------------- | > | | This property might be commented out if PingAccess was upgraded with template customizations. | > > * pf.redirect.header.X-Frame-Options > > Sets the parameters for the `X-Frame-Options` value that is sent when the user is redirected to PingFederate to authenticate. The default value is `DENY`. > > Learn more about this header and its potential values in [x-frame-options](https://html.spec.whatwg.org/multipage/document-lifecycle.html#x-frame-options). > > * rule.error.headers > > Additional headers added to responses that result from policy rule results. Define header values using the `rule.error.header` prefix. The default value is `Content-Security-Policy`. > > | | | > | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | > | | `Content-Security-Policy` might be omitted if PingAccess was upgraded with template customizations. To enable for this case, add the `Content-Security-Policy` value to this property and uncomment `rule.error.header.Content-Security-Policy`. | > > * rule.error.header.Content-Security-Policy > > Sets the parameters for the `Content-Security-Policy` HTTP response header sent to the browser when the response is generated by a rule failure. The default value is: > > ``` > default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; > ``` > > | | | > | - | --------------------------------------------------------------------------------------------- | > | | This property might be commented out if PingAccess was upgraded with template customizations. | > > * oauth.error.headers > > Additional headers added to responses that result from requests made to a protected API application that lack a valid OAuth Bearer token. Define header values using the `oauth.error.header` prefix. The default value is `Content-Security-Policy`. > > * oauth.error.header.Content-Security-Policy > > Sets the parameters for the `Content-Security-Policy` HTTP response header sent to the browser when PingAccess receives a request made to a protected API application that doesn't contain a valid OAuth Bearer token. The default value is: > > ``` > default-src 'self'; style-src 'self'; \ script-src 'self'; font-src 'self' data:; object-src 'none'; > ``` > > > **Collapse: Learn more** > > > > * Learn more about security headers and the behavior of the administrative API in [PingAccess API endpoints](pa_api_endpoints.html). > > > > * Learn more about security headers and administrative console settings in the [PingAccess User Interface Reference Guide](../pingaccess_user_interface_reference_guide/pa_ui_ref_guide.html). > > > > * Learn more about security headers and measures to ensure security in the [PingAccess Hardening Guide](https://support.pingidentity.com/s/article/PingAccess-Security-Hardening-Guide). ## Localization settings > **Collapse: Click to expand or collapse the whole section** > > * pa.localization.resource.bundle.cache.enable > > When set to `false`, allows language files in `/conf/localization` to be added or modified. When `true`, enables caching of language files and properties. The default value is `true`. > > * pa.localization.missing.message.placeholder > > Defines the message used when an error message is unresolvable. There is no default value. > > > **Collapse: Learn more** > > > > * Learn more about localization and customizing PingAccess page templates in [User-facing page customization reference](../configuring_and_customizing_pingaccess/pa_user_facing_page_customization_ref.html). You can also find more information about the differences between customizable templates and system templates. > > > > * Learn more about localizing user-facing system status messages in [User-facing page localization reference](../configuring_and_customizing_pingaccess/pa_user_facing_page_localization_ref.html).