PingAuthorize

Installing the PingAuthorize Policy Editor non-interactively

For an automated software installation, run PingAuthorize Policy Editor setup in the non-interactive command-line interface (CLI) install mode.

About this task

You must run setup in non-interactive command-line mode instead of interactive mode if you need to do any of the following:

  • Configure the Policy Editor with a policy configuration key.

  • Configure a key store for a policy information provider.

  • Configure a trust store for a policy information provider.

  • Customize the Policy Editor’s logging behavior.

  • Configure the Policy Editor for a PostgreSQL database.

  • Configure the Policy Editor to present an existing instead of generating a self-signed certificate.

  • Enable self-governance.

  • Enable Camel services.

For more information, see Specifying custom configuration with an options file.

Steps

  1. Optional: If you choose to use a PostgreSQL policy database, you must set up the database before you install the Policy Editor.

    After you set up your PostgreSQL policy database, be prepared to provide the following information when installing the Policy Editor:

    • PostgreSQL connection string, with the host, port, and database name

    • The server runtime provided through the policy-db tool

  2. Choose the authentication mode for the PingAuthorize Policy Editor:

    Choose from:

    • Demo mode: Configures the PingAuthorize Policy Editor to use form-based authentication with a fixed set of credentials. Unlike mode, this mode doesn’t require an external authentication server. However, it’s inherently insecure and should only be used for demonstration purposes.

    • OIDC mode: Configures the PingAuthorize Policy Editor to delegate authentication and sign-on services to an OIDC provider, such as PingFederate.

      If you choose OIDC mode, you must provide the host name and port of an OIDC provider or its base URL.

      If you don’t use the setup tool to generate a self-signed certificate, you must also provide information related to the PingAuthorize Policy Editor’s connection security, including the location of a key store that contains the server certificate and the nickname of that server certificate.

      If the OIDC provider presents a certificate that is not trusted by the Policy Editor’s , do one of the following:

      The setup tool’s --help option displays the options available for a non-interactive installation.

  3. Run the setup command with the appropriate authentication mode, as illustrated in Authentication mode examples.

    1. Optional: If you’re using a PostgreSQL policy database, provide the server runtime user value you used to create the database to --dbAppUsername as part of the setup command.

    2. Optional: Explore the CLI help documentation for the setup command.

      Option Command

      View the general options for running setup.

      $ bin/setup --help

      View the options for running setup in demo mode.

      $ bin/setup demo --help

      View the options for running setup in OIDC mode.

      $ bin/setup oidc --help

      If you don’t want to use the default database credentials for your H2 policy database, see Setting database credentials at initial setup.

  4. Copy and record any generated values needed to configure external servers.

    The shared secret is used in PingAuthorize, under External Servers → Policy External Server → Shared Secret.

  5. To start the Policy Editor, or policy administration point (PAP), run bin/start-server.

    The Policy Editor runs in the background, so you can close the terminal window in which it was started without interrupting it.

    1. Optional: If you’re using a PostgreSQL policy database, provide the server runtime password value you used to create the database to the PING_DB_APP_PASSWORD environment variable before server start.

Authentication mode examples

Click the following tabs for examples of the setup command in different authentication modes.

  1. After you complete setup, see Post-setup steps (manual installation).

  2. Consider additional configuration options in Specifying custom configuration with an options file.

Example: Set up the PingAuthorize Policy Editor in OIDC mode (PingFederate)

Use this example as a reference to set up the PingAuthorize Policy Editor for sign-ons using a PingFederate OIDC provider:

$ bin/setup oidc \
  --oidcHostname  <ping-federate-hostname>  \
  --oidcPort  <ping-federate-port>  \
  --clientId pingauthorizepolicyeditor \
  --generateSelfSignedCertificate \
  --decisionPointSharedSecret pingauthorize \
  --hostname  <pap-hostname>  \
  --port  <pap-port>  \
  --adminPort  <admin-port>  \
  --licenseKeyFile  <path-to-license>
shell

The Policy Editor uses the provided OIDC host name and OIDC to query the PingFederate server’s autodiscovery endpoint for the information it needs to make OIDC requests. The provided client ID represents the Policy Editor and must be configured in PingFederate.

The Policy Editor can skip host name verification and accept self-signed SSL certificates from the OIDC provider.

The following example uses the PING_OIDC_TLS_VALIDATION environment variable to set up the Policy Editor to handle sign-ons for a provider using a self-signed certificate:

$ env PING_OIDC_TLS_VALIDATION=NONE bin/setup oidc \
  --oidcHostname  <ping-federate-hostname>  \
  --oidcPort  <ping-federate-port>  \
  --clientId pingauthorizepolicyeditor \
  --generateSelfSignedCertificate \
  --decisionPointSharedSecret pingauthorize \
  --hostname  <pap-hostname>  \
  --port  <pap-port>  \
  --adminPort  <admin-port>  \
  --licenseKeyFile  <path-to-license>
shell

For more information about configuring PingFederate, see Configuring an OIDC provider for single sign-on requests from PingAuthorize.