Use policies in a production environment
After developing and testing policies in external policy decision point (PDP) mode, you can configure PingAuthorize Server for embedded PDP mode for higher environments.
You should use embedded PDP mode for production environments because it is considerably more performant for authorization decisions. This performance boost happens because in embedded PDP mode, PingAuthorize Server doesn’t need to call out to the Policy Editor.
When configured to use embedded PDP mode, a policy file called a deployment package is used in PingAuthorize Server’s internal policy engine, which then handles all policy requests. The deployment package can be loaded into the server in two ways:
- The deployment package is exported from the Policy Editor and loaded into the internal policy engine by an administrator.
- The deployment package is deployed to a deployment package store, which is read by the internal policy engine for updates at a configurable interval.
  If you anticipate some policy changes in production, consider using this method instead of the exported deployment package method.
Configuring embedded PDP mode
In the following sections, learn how to configure PingAuthorize Server to use embedded PDP mode and assign to the Policy Decision Service either:
- A deployment package store using the Deployment Manager functionality
- An exported deployment package
Configuring embedded PDP mode with a deployment package store
About this task
Follow these steps to assign a deployment package store to the Policy Decision Service and set the policy decision point (PDP) mode to embedded.
For more information on the deployment package store option and the requirements for the Deployment Manager feature, see Using the Deployment Manager.
Steps
- Use dsconfig or the administrative console. Choose from:
  - Run dsconfig with the set-policy-decision-service-prop option.

        dsconfig set-policy-decision-service-prop \
          --set pdp-mode:embedded \
          --set deployment-package-source-type:store \
          --set deployment-package-store:<name of the store>

  - Use the administrative console.
    - In the administrative console, go to Configuration → Authorization and Policies → Policy Decision Service.
    - On the Edit Policy Decision Service page, complete the General Configuration fields.
    - In the Deployment Package Store Configuration section, in the Deployment Package Store field, select your deployment package store.
    - In the Policy Request Configuration section, select a Trust Framework Version.
    - Click Save To PingAuthorize Server Cluster.
Configuring embedded PDP mode with an exported deployment package
About this task
To assign an exported deployment package to the Policy Decision Service and set the PDP mode:
Steps
- Run dsconfig with the set-policy-decision-service-prop option.
  Example:
  In this example, the deployment-package value is the full path to a deployment package file. To create a deployment package for export, see Exporting a policy deployment package.

      dsconfig set-policy-decision-service-prop \
        --set pdp-mode:embedded \
        --set "deployment-package</path/to/my-deployment-package.deploymentpackage"
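
Because the deployment package decides every policy request in embedded PDP mode, it is worth checking the exported file before pointing the server at it. The script below is an added example, not part of the PingAuthorize documentation: its function names are hypothetical, and it assumes a SHA-256 digest of the package was recorded when it was exported from the Policy Editor.

```sh
#!/bin/sh
# Added example: pre-flight check for an exported deployment package.
# Function names are hypothetical; the expected digest is assumed to have
# been recorded when the package was exported from the Policy Editor.

# Print the SHA-256 of a file with whichever tool is installed.
pkg_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# check_package <full-path> <expected-sha256>
# Succeeds only if the path is absolute, names a non-empty regular file that
# group and others cannot write, and the file matches the expected digest.
check_package() {
    pkg=$1
    expected=$2
    case $pkg in
        /*) ;;
        *) echo "reject: not a full path: $pkg" >&2; return 1 ;;
    esac
    if [ ! -f "$pkg" ] || [ ! -s "$pkg" ]; then
        echo "reject: missing or empty file: $pkg" >&2; return 1
    fi
    # find prints the path only when a group- or other-write bit is set.
    if [ -n "$(find "$pkg" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "reject: writable by group or others: $pkg" >&2; return 1
    fi
    if [ "$(pkg_sha256 "$pkg")" != "$expected" ]; then
        echo "reject: SHA-256 does not match the recorded digest" >&2; return 1
    fi
    # All checks passed: print the command from the step above for review.
    # Only the options shown on the page are printed.
    printf 'dsconfig set-policy-decision-service-prop \\\n'
    printf '  --set pdp-mode:embedded \\\n'
    printf '  --set "deployment-package<%s"\n' "$pkg"
}

# Demo on a constructed file (not a real deployment package).
demo=$(mktemp)
printf 'constructed package bytes\n' > "$demo"
check_package "$demo" "$(pkg_sha256 "$demo")"
rm -f "$demo"
```

The function only prints the command; an administrator still runs it against the server after reviewing the output.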