Configuring PingAccess agents to use bearer token authentication
Authenticate PingAccess agents to the engine nodes with bearer token authentication in addition to the shared secret.
About this task
When bearer token authentication is enabled, PingAccess engine nodes:
- Require PingAccess agents to send a signed JSON Web Token (JWT) with all HTTP requests.
- Verify that the JWT was signed by the expected key.
- Log debug messages to confirm that the token was received and validated as expected.
The PingAccess agents haven’t been updated to support bearer token authentication yet, but the You can download and use the updated |
Steps
1. In the PingAccess administrative console, go to Applications > Agents and open the agent configuration that you want to update.
2. To prompt PingAccess to add the private key into the agent.properties file, select the Require Token Authentication checkbox.

   If you clear this checkbox later, you don’t need to generate a new agent.properties file to update the shared secret. PingAccess will continue to use the shared secret from the active agent.properties file.
3. Download a new agent.properties file for the agent as shown in Adding agents.

   In PingAccess 8.2 and later, the PingAccess server generates a public key and private key in addition to the shared secret. You can find the public key on this page, identified with a timestamp. The updated agent.properties file contains the expected private key.

   To rotate keys, generate a new agent.properties file, then remove the old file and public key.
4. Clear the Require Token Authentication checkbox.

   After downloading the new agent.properties file, leave the Require Token Authentication checkbox cleared until agent compatibility is added and this agent has been updated to the supported version.
5. (Optional) To confirm that shared secret authentication still works as expected, configure the agent with the updated agent.properties file.

   After the agents have been updated to support bearer token authentication, make sure to download the latest version of the agents and configure them with the updated agent.properties files.

   Following that, you can select the Require Token Authentication checkbox to require all PingAccess agents to use bearer token authentication in addition to the shared secret when making requests to the PingAccess engine nodes.
6. Repeat steps 1 - 5 for all configured agents.
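The following added example (not PingAccess code and not from the product documentation) sketches the check described above: a token is accepted only when it verifies against a public key currently registered for the agent, so a token signed with a rotated-out private key is rejected. The ES256 algorithm, the `sub` claim, the function names, and the idea that old and new public keys can be registered at the same time during rotation are all assumptions made for illustration.

```javascript
// Added illustration, not PingAccess code. ES256 and the claim names are assumptions.
const crypto = require('crypto');
const b64url = (data) => Buffer.from(data).toString('base64url');

// Agent side: sign a compact JWT with the private key from agent.properties.
function signToken(privateKey, claims) {
  const header = { alg: 'ES256', typ: 'JWT' };
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64url(sig)}`;
}

// Engine side: accept the token only if one of the public keys currently
// registered for this agent verifies the signature.
function verifyToken(token, expectedPublicKeys) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm; never let the token header choose it (rejects "none").
  if (header.alg !== 'ES256') return { ok: false, reason: 'unexpected alg' };
  const input = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], 'base64url');
  const signedByExpected = expectedPublicKeys.some((key) =>
    crypto.verify('sha256', input, { key, dsaEncoding: 'ieee-p1363' }, sig));
  if (!signedByExpected) return { ok: false, reason: 'not signed by an expected key' };
  return { ok: true, claims };
}

// Constructed sample: two key pairs stand in for an old and a new agent.properties download.
function demo() {
  const gen = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const oldPair = gen(), newPair = gen();
  const claims = { sub: 'agent-1' };
  const oldToken = signToken(oldPair.privateKey, claims);
  const newToken = signToken(newPair.privateKey, claims);
  const unsigned = `${b64url('{"alg":"none"}')}.${b64url(JSON.stringify(claims))}.`;
  const afterRotation = [newPair.publicKey]; // old public key removed
  return {
    duringRotation: verifyToken(oldToken, [oldPair.publicKey, newPair.publicKey]).ok,
    oldAfterRotation: verifyToken(oldToken, afterRotation).reason,
    newAfterRotation: verifyToken(newToken, afterRotation).ok,
    algNone: verifyToken(unsigned, afterRotation).reason,
  };
}
```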