Configuring Trust Framework attribute caching for production
For higher environments, including testing and production, you can define an external attribute cache for the Trust Framework.
With the Policy Decision Service set to embedded policy decision point (PDP) mode, the PingAuthorize Server is configured by default to cache attribute values in memory (for any attributes with a defined caching strategy). Alternatively, you can define an external attribute cache using the following Redis modes:
- Single Redis instance
- Single Redis instance using TLS
- Replicated Redis
- Redis Sentinel
- Amazon Web Services (AWS) ElastiCache Redis

- Using the admin console
- Using dsconfig
Setting up Redis external attribute caching in the UI
Before you begin
To successfully assign an external Redis attribute cache to the Policy Decision Service, you must set PDP Mode to embedded.
Steps
- On the Configuration page of the PingAuthorize administrative console, go to Authorization and Policies > External Attribute Caches.
- Select your desired Redis mode in the New External Attribute Cache list.
- At minimum, enter the required values, as indicated by a red asterisk, and click Save To PingAuthorize Server Cluster.
  For more information on a field, click the question mark icon.
- Go to Authorization and Policies > Policy Decision Service.
- In the Trust Framework Attribute Cache Configuration section, in the External Attribute Cache list, select your Redis cache name and click Save To PingAuthorize Server Cluster.
Alternatively, you can use the controls next to the External Attribute Cache list to create, edit, or remove external Redis caches:
- Click the Plus icon to create a new external attribute cache.
- Click the Pencil icon to edit the configuration of the selected attribute cache.
- Click X to remove the attribute cache from the Policy Decision Service and revert the PDP to an in-memory attribute cache.
Setting up Redis external attribute caching with dsconfig
Before you begin
When using the dsconfig set-policy-decision-service-prop command, the new configuration must still be compliant with the following:
- The pdp-mode property must be set to embedded.
- The deployment-package-source-type property must be set to store or static-file.
  - If the deployment-package-source-type property is set to store, the deployment-package-store property must resolve to a valid deployment package store.
  - If the deployment-package-source-type property is set to static-file, the deployment-package-store property must resolve to a valid deployment package.
About this task
Here are the configuration options available for creating Redis external caches using the dsconfig tool. When using the dsconfig create-external-attribute-cache command, the new configuration must still be compliant with the required attributes associated with the specified cache type:
Option | Description |
---|---|
|
Required. Specifies Redis mode. Accepted values: |
|
Required, only when |
|
Required, only when |
|
Required, only when |
|
Optional, only when |
|
Optional, only when |
|
Optional, only when |
|
Optional, only when AUTH token authentication is enabled in the Redis provider. |
|
Optional, only when AUTH token authentication is enabled in the Redis provider. |
Steps
- Create the external attribute cache using the dsconfig create-external-attribute-cache command. For example:
  $ dsconfig create-external-attribute-cache \
      --cache-name 'Single Instance' \
      --type redis-single-instance \
      --set redis-node-addresses:redis://localhost:6379
- Assign the defined external attribute cache to the Policy Decision Service. For example:
  $ dsconfig set-policy-decision-service-prop \
      --set 'external-attribute-cache:Single Instance'
Result
Your external attribute cache has been defined and attached to the Policy Decision Service. There is no need to restart the server.
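An added pre-flight sketch for the dsconfig procedure above (not PingAuthorize's own tooling): it checks planned values against the "Before you begin" constraints and prints the two commands with the cache name safely quoted. The function names, the sample store name, and the address character allow-list are assumptions.

```shell
#!/bin/sh
# Added example: property names and dsconfig commands are the ones on this
# page; function names and how values are passed in are assumptions.

# check_pds_props PDP_MODE SOURCE_TYPE PACKAGE_REF
# Returns 0 if the planned Policy Decision Service values satisfy the
# "Before you begin" constraints, 1 otherwise. PACKAGE_REF is only checked
# for being non-empty; whether it resolves is left to the server.
check_pds_props() {
    rc=0
    [ "$1" = "embedded" ] || { echo "pdp-mode must be embedded, got '$1'" >&2; rc=1; }
    case $2 in
        store|static-file)
            [ -n "$3" ] || { echo "no deployment package set for '$2'" >&2; rc=1; } ;;
        *)  echo "deployment-package-source-type must be store or static-file, got '$2'" >&2
            rc=1 ;;
    esac
    return "$rc"
}

# shell_quote VALUE: print VALUE single-quoted for safe pasting into a shell.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# emit_cache_commands CACHE_NAME NODE_ADDRESS
# Prints the two commands from the Steps section for a single Redis instance.
# Assumption: the address is limited to [A-Za-z0-9:/._-], which also keeps
# credentials (user:pass@host) out of shell history and process listings.
emit_cache_commands() {
    [ -n "$1" ] || { echo "cache name is empty" >&2; return 1; }
    case $2 in
        ''|*[!A-Za-z0-9:/._-]*) echo "rejected node address: $2" >&2; return 1 ;;
    esac
    printf 'dsconfig create-external-attribute-cache \\\n'
    printf '  --cache-name %s \\\n' "$(shell_quote "$1")"
    printf '  --type redis-single-instance \\\n'
    printf '  --set %s\n' "$(shell_quote "redis-node-addresses:$2")"
    printf 'dsconfig set-policy-decision-service-prop \\\n'
    printf '  --set %s\n' "$(shell_quote "external-attribute-cache:$1")"
}

# Constructed sample values: print the commands only if the pre-flight passes.
if check_pds_props embedded store 'Example Store'; then
    emit_cache_commands 'Single Instance' 'redis://localhost:6379'
fi
```

Review the printed commands before running them against the server; the check on the deployment package reference only confirms that a value is present.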