Starting PingAuthorize Policy Editor
For a manual software installation, use the start-server
command-line interface (CLI) command to start the Policy Editor. Also, you can use environment variables to override configuration variables at startup.
To start PingAuthorize Policy Editor, use the bin/start-server
command.
$ bin/start-server
You can run |
Overriding the configuration at startup
You can override a number of Policy Editor settings by defining specific environment variables before starting the server. By overriding some of the configuration, you can redefine certain aspects of the configuration without re-running the setup
tool.
To override the configuration, stop the Policy Editor, define one or more of the environment variables, and restart the Policy Editor.
Environment variables you can use to override configuration variables
The following table lists the environment variables that you can define, sorted based on expected frequency of use with related variables grouped together.
Environment variable | Example value | Description | ||
---|---|---|---|---|
|
pap.example.com:9443 |
The Policy Editor hostname and port. PingAuthorize uses this value to construct AJAX requests. The port value must match the value of |
||
|
443 |
The Policy Editor HTTPS port. The server binds to this listen port. |
||
|
JKS |
The Policy Editor’s key store type. Valid values include |
||
|
|
The path to the Policy Editor’s key store. |
||
|
|
The path to the Policy Editor’s key store PIN file. When present, this environment variable takes precedence over |
||
|
password1234 |
The Policy Editor’s key store password. |
||
|
server-cert |
The alias for the Policy Editor’s server certificate. |
||
|
pingauthorize |
The Policy Editor’s shared secret, which PingAuthorize Server needs to make policy requests to the Policy Editor. |
||
|
https://oidc.example.com:9031/.well-known/openid-configuration |
The OpenID Connect (OIDC) provider’s discovery Uniform Resource Locator (URL). Used when the Policy Editor is set up in OIDC mode. |
||
|
openid email profile additional_scope |
Space-separated OIDC scope that the Policy Editor requests during authorization and validates during token verification. Used to override the requested OIDC scopes configured during server setup. |
||
|
NONE |
The OIDC Transport Layer Security (TLS) validation setting. Set to Used when the Policy Editor is set up in OIDC mode. For non-production use only. |
||
|
8cb9f2c9-c366-47e0-9560-db2132b2d813 |
The Policy Editor’s client ID with the OIDC provider. Used when the Policy Editor is set up in OIDC mode. |
||
|
admin, user1, user2 |
Used in demo mode. A comma-separated list of usernames accepted by the Policy Editor for sign on. |
||
|
/Symphonic |
The path to the policy database H2 file. Leave off the |
||
|
db_user |
The username the application uses to access the server database. |
||
|
Pa$$w0rd!23 |
The password the application uses to access the server database. |
||
|
db_admin |
The username the |
||
|
$3cr3T |
The password the |
||
|
|
The path to an |
||
|
9444 |
The admin port where the H2 database backup endpoint is available. The policy administration point (PAP) uses this endpoint to back up the H2 database, which stores your Trust Framework, policies, commit history, and other data. Related environment variables: |
||
|
0 0 0 * * ? |
The periodic database backup schedule for the Policy Editor (also known as the PAP) in the form of a
The default is For more information, see .quartz-scheduler.org/documentation/quartz-2.3.0/tutorials/crontrigger.html//[Quartz 2.3.0 cron format]. Related environment variables: |
||
|
|
The directory in which to place the H2 database backup files. The default is Related environment variables: |
||
|
false |
Controls the API HTTP caching feature for the run-time instance of the server. APIs are cached by default. Provide this environment variable at run time and set it to |
||
|
false |
Determines whether PingAuthorize performs SNI hostname checks. By default, these checks are disabled. |
Example: Use an existing SSL certificate for HTTPS connections
This example shows how to provide the environment variables necessary for the Policy Editor to present a different SSL certificate than the one configured during setup
:
env PING_CERT_ALIAS=<certificate-nickname> \ PING_KEYSTORE_PATH=<path-to-keystore-file> \ PING_KEYSTORE_TYPE=<PKCS12-or-JKS> \ KEYSTORE_PIN_FILE=<path-to-keystore-pin-file> \ bin/start-server
Example: Override the configured HTTPS port
In this example, the Policy Editor is started using an HTTPS port that differs from the value configured during installation. The override requires two environment variables: PING_PORT
and PING_EXTERNAL_BASE_URL
.
$ bin/stop-server
$ export PING_PORT=9443 PING_EXTERNAL_BASE_URL=pap.example.com:9443; bin/start-server
Example: Override the configured policy database location
This example changes the policy database location. The new value must be a policy server Java database connectivity (JDBC) connection string for an H2 embedded database. To use a file located at /opt/shared/Symphonic.mv.db
, use the following commands:
$ bin/stop-server
$ export PING_H2_FILE=/opt/shared/Symphonic
$ bin/setup demo {ADDITIONAL_ARGUMENTS} && bin/start-server
Even though the actual filename of the policy database includes the extension |
If /opt/shared/Symphonic.mv.db
does not exist, setup
creates a new one. If the file does exist and is from an older PingAuthorize server, setup
updates the file to the latest version.