--- title: Deploying PingAuthorize Server and Policy Editor using Docker description: Instead of manual software installation, you can run Docker images of the PingAuthorize Server and Policy Editor. component: pingauthorize version: 11.0 page_id: pingauthorize:installing_and_uninstalling_pingauthorize:paz_install_server_pe_docker canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/installing_and_uninstalling_pingauthorize/paz_install_server_pe_docker.html revdate: April 28, 2025 section_ids: steps: Steps next-steps: Next steps paz_install_docker: Deploying PingAuthorize Server using Docker about-this-task: About this task steps-2: Steps pe_install_docker: Deploying the Policy Editor using Docker about-this-task-2: About this task steps-3: Steps choose-from: Choose from: --- # Deploying PingAuthorize Server and Policy Editor using Docker Instead of manual software installation, you can run Docker images of the PingAuthorize Server and Policy Editor. To start the setup process after you obtain the Docker images: ## Steps 1. Run the [PingAuthorize Server](#paz_install_docker) container, `pingauthorize`. 2. Run the [Policy Editor](#pe_install_docker) container, `pingauthorizepap`. 3. (Optional) To configure PingAuthorize with a GUI, run the PingAuthorize administrative console container, `pingdataconsole`. 4. (Optional) If you need user-level control of the data, set up a user store. If you use PingDirectory, run the `pingdirectory` container. ## Next steps * Perform [Post-setup steps (Docker deployment)](paz_post_setup_docker.html). * Perform [Next steps](paz_install_next_steps.html) as needed. ## Deploying PingAuthorize Server using Docker Perform a PingAuthorize Server deployment by running a Docker image. ### About this task The following command uses the `~/.pingidentity/config` environment file to configure common environment variables. See [Get Started](https://devops.pingidentity.com/get-started/introduction/). ### Steps * Run the following command. ```shell docker run --network= \ --env-file ~/.pingidentity/config \ --name {SERVER_CONTAINER_NAME} \ --publish 1389:1389 \ --publish 8443:1443 \ --detach \ --env SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git \ --env SERVER_PROFILE_PATH=getting-started/{SERVER_CONTAINER_NAME} \ --tmpfs /run/secrets \ pingidentity/{SERVER_CONTAINER_NAME}: ``` The Docker image *\* used in the example is only a placeholder. For actual tag values, see [Docker Hub](https://hub.docker.com/r/pingidentity/pingauthorize). | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | * For proper communication between containers, create a Docker network using a command, such as `docker network create --driver `, and then connect to that network with the `--network=` option. * You can use server profiles to automate deployment of PingAuthorize Server. For more information, see [Deployment automation and server profiles](../pingauthorize_server_administration_guide/paz_deploy_auto_server_prof.html). | ## Deploying the Policy Editor using Docker Deploy the Policy Editor by running its Docker image. Using Docker DevOps enables the automated policy database update feature with mounted volumes. ### About this task When running the Ping Identity DevOps `pingauthorizepap` Docker container, you can use the following commands to ensure that the policy database is on the mounted volume in preparation for future versions of the image. The commands: * Run a `pingauthorizepap` Docker container named `pap` on host port 8443. * Use the `~/.pingidentity/config` environment file to configure common environment variables. See [Get Started](https://devops.pingidentity.com/get-started/introduction/). * Bind mount a customized `options.yml` file named `custom-options.yml` to the server root using the server profile capability. The host system `server-profile` folder must contain `instance/custom-options.yml` for this example to work correctly. See . * Set the `Ping_Options_File` environment variable to tell `setup` to use `custom-options.yml`. For an H2 database, the command: * Bind-mounts a volume that maps a policy database to `/opt/out/Symphonic.mv.db`. * Sets the `PING_H2_FILE` environment variable to tell `setup` to use `/opt/out/Symphonic.mv.db` for the policy database. The environment variable must exclude the `.mv.db` extension. To use a PostgreSQL policy database, make sure you have met the following prerequisites: * The PostgreSQL instance must be reachable on the network from the Policy Editor host and listening for connections. * The Policy Editor uses both a PostgreSQL administration user and a server runtime user. Have a database administrator create both users before providing their credentials to the `policy-db` tool. The administration user must be able to create new databases. When new releases of the Policy Editor become available, continue using the same administration user to prevent database object ownership issues. Learn more about creating new database users and configuring PostgreSQL to listen for remote connections securely in the [PostgreSQL documentation](https://www.postgresql.org/docs/). * The Policy Editor uses Java Database Connectivity (JDBC) to connect to PostgreSQL. Be prepared to provide the JDBC connection string in the following format: `jdbc:postgresql://:/`. For example: `jdbc:postgresql://example.com:5432/pap_db` | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | - The Ping Identity DevOps Docker image documentation is frequently updated as new features are released. For the most recent instructions about running the Docker images, see . - For proper communication between containers, create a Docker network using a command such as `docker network create --driver `, and then connect to that network with the `--network=` option. - The Docker image *\* used in the example is only a placeholder. For actual tag values, see [Docker Hub](https://hub.docker.com/r/pingidentity/pingauthorizepap). | ### Steps * Run the `pingauthorizepap` Docker container. #### Choose from: * If you are using an H2 database, run the following command. ```shell $ docker run --network= --name pap -p 8443:1443 \ --env-file ~/.pingidentity/config \ --volume /home/developer/pap/server-profile:/opt/in/ \ --env PING_OPTIONS_FILE=custom-options.yml \ --volume /home/developer/pap/Symphonic.mv.db:/opt/out/Symphonic.mv.db \ --env PING_H2_FILE=/opt/out/Symphonic \ pingidentity/{PAP_CONTAINER_NAME}: ``` * If you are using a PostgreSQL database, run the following command. The official `pingauthorizepap` Docker image detects whether a PostgreSQL database needs to be created or upgraded when you provide the `PING_POLICY_DB_SYNC=true` environment variable along with the database connection string, database administration credentials, and server runtime credentials. ```shell $ docker run --network= --name pap -p 8443:1443 \ --env PING_POLICY_DB_SYNC=true \ --env PING_DB_CONNECTION_STRING="jdbc:postgresql://:/" \ --env PING_DB_ADMIN_USERNAME="" \ --env PING_DB_ADMIN_PASSWORD="" \ --env PING_DB_APP_USERNAME="" \ --env PING_DB_APP_PASSWORD="" \ --env-file ~/.pingidentity/config \ --volume /home/developer/pap/server-profile:/opt/in/ \ --env PING_OPTIONS_FILE=custom-options.yml \ --detach \ --tmpfs /run/secrets \ pingidentity/pingauthorizepap: ``` | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The `PING_DB_APP_PASSWORD` and `PING_DB_ADMIN_PASSWORD` can instead be provided as Vault secrets or through a secrets volume. See [Using Hashicorp Vault](https://devops.pingidentity.com/how-to/usingVault/). |