PingAuthorize

Deploying PingAuthorize Policy Editor using Docker

Deploy PingAuthorize Policy Editor by running its Docker image. Using Docker DevOps enables the automated policy database update feature with mounted volumes.

About this task

When running the Ping Identity DevOps pingauthorizepap Docker container, you can use the following commands to ensure that the policy database is on the mounted volume in preparation for future versions of the image. The commands:

  • Run a pingauthorizepap Docker container named pap on host port 8443.

  • Use the ~/.pingidentity/config environment file to configure common environment variables. See Get Started.

  • Bind mount a customized options.yml file named custom-options.yml to the server root using the server profile capability. The host system server-profile folder must contain instance/custom-options.yml for this example to work correctly. See https://devops.pingidentity.com/reference/config/.

  • Set the Ping_Options_File environment variable to tell setup to use custom-options.yml.

For an H2 database, the command:

  • Bind-mounts a volume that maps a policy database to /opt/out/Symphonic.mv.db.

  • Sets the PING_H2_FILE environment variable to tell setup to use /opt/out/Symphonic.mv.db for the policy database. The environment variable must exclude the .mv.db extension.

To use a PostgreSQL policy database, make sure you have met the following prerequisites:

  • The PostgreSQL instance must be reachable on the network from the Policy Editor host and listening for connections.

  • The Policy Editor uses both a PostgreSQL administration user and a server runtime user. The administration user must be able to create new databases. Continue to use the same administration user when new releases of the Policy Editor become available to prevent database object ownership issues. Consult the official PostgreSQL documentation for help with creating new database users and for configuring PostgreSQL to listen for remote connections securely.

  • The Policy Editor uses Java Database Connectivity (JDBC) to connect to PostgreSQL. Be prepared to provide the JDBC connection string in the following format: jdbc:postgresql://<host>:<port>/<name>. For example: jdbc:postgresql://example.com:5432/pap_db

  • The Ping Identity DevOps Docker image documentation is frequently updated as new features are released. For the most recent instructions about running the Docker images, see https://devops.pingidentity.com/.

  • For proper communication between containers, create a Docker network using a command such as docker network create --driver <network_type> <network_name>, and then connect to that network with the --network=<network_name> option.

  • The Docker image <TAG> used in the example is only a placeholder. For actual tag values, see Docker Hub.

Steps

  • Run the pingauthorizepap Docker container.

    Choose from:

    • If you are using an H2 database, run the following command.

      $ docker run --network=<network_name>  --name pap -p 8443:1443 \
        --env-file ~/.pingidentity/config \
        --volume /home/developer/pap/server-profile:/opt/in/ \
        --env PING_OPTIONS_FILE=custom-options.yml \
        --volume /home/developer/pap/Symphonic.mv.db:/opt/out/Symphonic.mv.db \
        --env PING_H2_FILE=/opt/out/Symphonic \
        pingidentity/{PAP_CONTAINER_NAME}:<TAG>
    • If you are using a PostgreSQL database, run the following command.

      The official pingauthorizepap Docker image detects whether a PostgreSQL database needs to be created or upgraded when you provide the PING_POLICY_DB_SYNC=true environment variable along with the database connection string, database administration credentials, and server runtime credentials.

      $ docker run --network=<network_name>  --name pap -p 8443:1443 \
        --env PING_POLICY_DB_SYNC=true \
        --env PING_DB_CONNECTION_STRING="jdbc:postgresql://<host>:<port>/<database>" \
        --env PING_DB_ADMIN_USERNAME="<admin-username>" \
        --env PING_DB_ADMIN_PASSWORD="<admin-password>" \
        --env PING_DB_APP_USERNAME="<username>" \
        --env PING_DB_APP_PASSWORD="<password>" \
        --env-file ~/.pingidentity/config \
        --volume /home/developer/pap/server-profile:/opt/in/ \
        --env PING_OPTIONS_FILE=custom-options.yml \
        --detach \
        --tmpfs /run/secrets \
        pingidentity/pingauthorizepap:<tag>

      The PING_DB_APP_PASSWORD and PING_DB_ADMIN_PASSWORD can instead be provided as Vault secrets or through a secrets volume. See Using Hashicorp Vault.