Installing the PingAuthorize Policy Editor interactively
You can run the PingAuthorize Policy Editor setup
command interactively in command-line interface (CLI) install mode.
Before you begin
You must have the following information:
-
The location of a valid license file
-
An available port for the PingAuthorize Policy Editor to accept HTTPS requests
About this task
The setup
tool prompts you interactively for the information that it needs.
You cannot configure some setup options when installing the PingAuthorize Policy Editor interactively, such as PostgreSQL database configuration. For more information, see Installing the PingAuthorize Policy Editor non-interactively. |
Steps
-
Choose the authentication mode for the PingAuthorize Policy Editor:
Choose from:
-
Demo mode: Configures the PingAuthorize Policy Editor to use form-based authentication with a fixed set of credentials. Unlike OpenID Connect (OIDC) mode, this mode doesn’t require an external authentication server. However, it is inherently insecure and should only be used for demonstration purposes.
-
OIDC mode: Configures the PingAuthorize Policy Editor to delegate authentication and sign-on services to a PingFederate OIDC provider.
In OIDC mode, you must provide the following additional information:
-
The host name and port of an OIDC provider
-
Information related to the server’s connection security, including the location of a keystore that contains the server certificate, the nickname of that server certificate, and the location of a trust store
To use PingAuthorize Policy Editor with other OIDC providers, such as PingOne, see Installing the PingAuthorize Policy Editor non-interactively.
-
-
-
Run the
setup
command.If you don’t want to use the default database credential, see Setting database credentials at initial setup.
-
Copy and record any generated values needed to configure external servers.
The Shared Secret is used in PingAuthorize, under External Servers → Policy External Server → Shared Secret.
-
To start the Policy Editor, or policy administration point (PAP), run
bin/start-server
.The Policy Editor runs in the background, so you can close the terminal window in which it was started without interrupting it.
Example
See Example: Installing and configuring the Policy Editor interactively for a more detailed walkthrough of the previous steps.
Next steps
-
Complete the steps in Post-setup steps (manual installation).
-
Consider additional configuration options in Specifying custom configuration with an options file.
Example: Installing and configuring the Policy Editor interactively
This tutorial describes how to install an instance of the PingAuthorize Policy Editor interactively.
About this task
These installation instructions are for tutorial purposes. They will only provide a limited install. |
Steps
-
Extract the contents of the compressed PingAuthorize-PAP distribution file.
-
Change the directory to
PingAuthorize-PAP
. -
To configure the application, run the
./bin/setup
script. -
Answer the on-screen questions.
For the following questions, use the recommended answers provided.
Question Answer How would you like to configure the Policy Editor?
Use
Quickstart
to set up a demo server with credentialsadmin
/password123
and to use a self-signed certificate for SSLOn which port should the Policy Editor listen for HTTPS communications?
You can use any unused port here, but most of the examples in this guide assume that port 9443 is used for the PingAuthorize Policy Editor.
Enter the fully qualified host name or IP address that users’ browsers will use to connect to this GUI
Unless you are testing on
localhost
, ensure that the provided API URL uses the public DNS name of the PingAuthorize Policy Editor server. For example,pap.example.com
. -
Copy and record any generated values needed to configure external servers.
The Shared Secret is used in PingAuthorize, under External Servers → Policy External Server → Shared Secret.
-
To start the Policy Editor, or policy administration point (PAP), run
bin/start-server
.The Policy Editor runs in the background, so you can close the terminal window in which it was started without interrupting it.
Result
Your demo configuration should resemble the following example.
[/opt/{pingauthorize}-PAP]$ bin/setup Please enter the location of a valid {pingauthorize} with Symphonic license file [/opt/{pingauthorize}-PAP/{pingauthorize}.lic]: /opt/{pingauthorize}/{pingauthorize}.lic {pingauthorize} Policy Editor ============================================ How would you like to configure the Policy Editor? 1) Quickstart (DEMO PURPOSES ONLY): This option configures the server with a form based authentication and generates a self-signed server certificate 2) OpenID Connect: This option configures the server to use an OpenID Connect provider such as {pingfed} 3) Cancel the setup Enter option [1]: 1 On which port should the Policy Editor listen for application HTTPS communications? [9443]: 9443 Enter the fully qualified host name or IP address that users' browsers will use to connect to this GUI [centos.localdomain]: pap.examplecom On which port should the Policy Editor listen for administrative HTTPS communications? [9444]: 9444 Would you like to enable periodic policy database backups? (yes / no) [yes]: yes Enter the backup schedule as a cron expression (defaults to daily at midnight): [0 0 0 * * ?]: 0 0 0 * * ? Setup Summary ========================================== Host Name: pap.example.com Server Port: 9443 Secure Access: Self-signed certificate Admin Port: 9444 Periodic Backups: Enabled Backup Schedule: 0 0 0 * * ? Command-line arguments that would set up this server non-interactively: setup demo --hostname pap.example.com --adminPort 9444 --port 9443 --certNickname server-cert \ --licenseKeyFile /opt/{pingauthorize}/{pingauthorize}.lic \ --backupSchedule '0 0 0 * * ?' --pkcs12KeyStorePath config/keystore.p12 \ --generateSelfSignedCertificate What would you like to do? 1) Set up the server with the parameters above 2) Provide the setup parameters again 3) Cancel the setup Enter option [1]: Setup completed successfully Please configure the following values ==================================================================================== {pingauthorize} Server - Policy External Server Base URL: https://pap.example.com:9443 Shared Secret: 7ed6f52d6e71411ca9e58f9567c7de2e Trust Manager Provider: Blind Trust Please start the server by running bin/start-server
In this example, the PingAuthorize Policy Editor is now running and listening on port 9443.
Next steps
To sign on to the interface, go to https://<host>:9443
. The default credentials are admin
and password123
.
Use the default user name and password sign on credentials for demo and testing purposes only, such as this initial walk-through. To configure the PingAuthorize Policy Editor for PingFederate OpenID Connect (OIDC) single sign-on (SSO), see Installing the PingAuthorize Policy Editor non-interactively. |