---
title: Managing environments
description: All environments managed within PingCentral, as well as connected PingFederate and PingAccess environments, display on the Environments page, where you can view and update information about each environment and delete them from PingCentral when they are no longer needed.
component: pingcentral
version: 2.2
page_id: pingcentral:pingcentral_for_iam_administrators:pingcentral_mng_environments
canonical_url: https://docs.pingidentity.com/pingcentral/2.2/pingcentral_for_iam_administrators/pingcentral_mng_environments.html
revdate: July 9, 2024
section_ids:
  adding-environments: Adding environments
  before-you-begin: Before you begin
  steps: Steps
  choose-from: Choose from:
  choose-from-2: Choose from:
  result: Result:
  updating-environments: Updating environments
  steps-2: Steps
  choose-from-3: Choose from:
  deleting-environments: Deleting environments
  steps-3: Steps
  result-2: Result:
  result-3: Result:
---

# Managing environments

All environments managed within PingCentral, as well as connected PingFederate and PingAccess environments, display on the **Environments** page, where you can view and update information about each environment and delete them from PingCentral when they are no longer needed.

Items worth mentioning:

* If you add PingAccess environments to PingCentral, ensure that PingFederate is configured as the PingAccess token provider. See [Configuring PingFederate as a PingAccess token provider](pingcentral_configuring_pf_token_provider.html) for details.

* To enforce random secret generation and restrict non-administrators from creating their own, select the **Generate Client Secret on Promotion** check box when managing your environments. PingCentral will generate random client secrets.

* If your application owners promote Security Assertion Markup Language (SAML) applications to PingFederate or PingAccess environments, ensure that the appropriate trusted certificate authority (CA) certificates are available in PingCentral. See [Adding trusted CA certificates to PingCentral](pingcentral_add_trusted_certs.html) for details.

* Starting with version 1.14, PingCentral performs regular health checks on its environments. These checks involve calling either the heartbeat endpoint or the admin API version endpoint, depending on the version of PingFederate being used. To configure this process, modify the `orchestrator.heartbeat.polling-interval-ms` and `orchestrator.heartbeat.offset-ms` parameters in the `conf/application.properties` file. These settings determine both the frequency of polling and the initial delay before the health check begins.

* Starting with PingCentral 1.8, trusted CA certificates are stored in the PingCentral database instead of an external trust store. Certificates that exist in this trust store in previous versions are imported to the PingCentral database during the upgrade process.

## Adding environments

Use the wizard to add PingFederate and PingAccess environments to PingCentral.

### Before you begin

Ensure that PingFederate is configured as a token provider for PingAccess.

For more information, see [Configuring PingFederate as a PingAccess token provider](pingcentral_configuring_pf_token_provider.html).

### Steps

1. On the **Environments** page, click **Add Environment**.

2. On the **Connect to Instances** page, connect to a PingFederate or PingAccess environment:

   #### Choose from:

   * **Native**: Complete the **Username** and **Password** fields for your PingFederate or PingAccess environments.

   * **OAuth2**: Complete the **Token Endpoint URL**, **Client ID**, **Client Secret**, and **Scopes** fields.

   * **Client Certificate**: Select the certificate you want to use for mTLS. See [Configuring Mutual TLS](pingcentral_config_mtls.html) for details on uploading these certificates.

     |   |                                                                                                     |
     | - | --------------------------------------------------------------------------------------------------- |
     |   | If an environment is disabled or offline, you will be unable to add the environment to PingCentral. |

     If this is the first time that you have set up this environment and the initial validation fails, a **Skip Verification** option appears. Selecting this option skips the validation process. If the environment is set up correctly, this option does not appear.

   If the environment is disabled or offline, and you edit the connection configuration, the **Skip Verification** check box is automatically marked.

3. Click **Next**.

4. On the **Name Environment** page, complete the **Name**, **Short Code**, and **Description** fields.

5. **Optional:** To configure whether non-administrators need approval for promoting an application to an environment, select an option from the **Approval Type** list:

   #### Choose from:

   * Select **No Approval** to allow non-administrators to promote applications to the environment freely.

   * Select **Approval Required** to indicate that application promotion requires approval.

   * Select **Require Approval If Any Expression Fails** and proceed to the next step to configure an **Approval Expression**.

   * Select **Require Approval If Any Expression Succeeds** and proceed to the next step to configure an **Approval Expression**.

6. **Optional:** If you selected **Require Approval If Any Expression Fails** or **Require Approval If Any Expression Succeeds**, you must configure a Spring Expression Language (SpEL) expression in the **Approval Expression** field.

   You can use SpEL expressions to determine whether an application requires approval. For more information, see [Creating and testing approval expressions](pingcentral_create_test_expressions.html) at the bottom of this page.

   |   |                                                                                                                                                                                             |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | For more information on SpEL, see [Spring Expression Language (SpEL)](https://docs.spring.io/spring-framework/docs/3.0.x/reference/expressions.html) in the Spring Framework documentation. |

7. **Optional:** If you want application owners to be able to edit the underlying application JSON when they promote their OAuth and SAML applications, select **Allow JSON editing for application promotions**.

   |   |                                                                                                                                                                                                                                                                                   |
   | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | Providing application owners with this ability can be risky, so it's highly recommended that you require promotion requests to be approved. That way, you'll be able to compare the submitted application JSON to the original application JSON before you approve the promotion. |

8. **Optional:** To enforce random secret generation and restrict non-administrators from creating their own, select the **Enforce Random Client Secrets** check box.

   PingCentral will generate random client secrets.

9. **Optional:** To restrict application owners from deleting applications from environments, select the **Allow only administrators to delete applications from PingFederate** (and PingAccess, when applicable) option.

10. **Optional:** To add an identity provider (IdP) certificate, select the appropriate certificate in the **Signing Certificate** list, or, to upload your own certificate, click **Choose** and enter the certificate password in the appropriate field. Click **Save and Close**.

    #### Result:

    The environment is displayed on the **Environments** page. If you chose to protect the environment, you see a shield icon next to its name. Depending on the type of environment, you also see a **PF** or **PA** icon. The color of this icon represents the status of the environment. A green icon indicates that the environment is verified while a red icon indicates that the environment isn't verified.

    Depending on whether an environment is online, offline, or disabled, you see the environment status in a display bar. You also see a toggle switch that you can click to disable the environment and indicate that it is undergoing maintenance.

11. Click **Save and Continue**.

12. Click the expandable icon associated with the environment to view environment details.

    ![A screen capture showing the Environments page, which lists all of the environments and displays details regarding each environment when the associated expandable icon is clicked.](_images/val1695410125951.png)

    Environment details include:

    * A link to PingFederate.

    * A link to PingAccess.

    * A description of the environment.

    * The total number of applications hosted on this environment and a breakdown of clients, connections, and applications. Click these links to access filtered lists of these applications on the **Applications** page.

      |   |                                                                                                                |
      | - | -------------------------------------------------------------------------------------------------------------- |
      |   | If an environment is unavailable, applications in that environment don't display on the **Applications** page. |
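
Step 7 recommends comparing the submitted application JSON to the original before approving a promotion. The following Python is an added example of that comparison, not PingCentral code; the field names in `SENSITIVE_KEYS` and both sample documents are assumptions constructed for illustration.

```python
import json
from collections import namedtuple

# Field names this example treats as security-relevant. They are assumptions
# chosen for illustration; use the fields your application JSON contains.
SENSITIVE_KEYS = {"redirectUris", "grantTypes", "clientAuth", "bypassApprovalPage"}

# path: slash-separated location; kind: "added", "removed" or "changed".
Change = namedtuple("Change", "path kind old new sensitive")

def _keys_in(value):
    """Yield every object key found anywhere inside a parsed JSON value."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield key
            yield from _keys_in(child)
    elif isinstance(value, list):
        for child in value:
            yield from _keys_in(child)

def _sensitive(path, *values):
    """True if the path, or any key nested in the values, is in SENSITIVE_KEYS."""
    names = set(path.split("/"))
    for value in values:
        names.update(_keys_in(value))
    return bool(names & SENSITIVE_KEYS)

def _walk(old, new, path, out):
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(old.keys() | new.keys()):
            child = f"{path}/{key}"
            if key not in old:
                out.append(Change(child, "added", None, new[key], _sensitive(child, new[key])))
            elif key not in new:
                out.append(Change(child, "removed", old[key], None, _sensitive(child, old[key])))
            else:
                _walk(old[key], new[key], child, out)
    elif json.dumps(old, sort_keys=True) != json.dumps(new, sort_keys=True):
        # Canonical text comparison: key order is ignored, true and 1 differ.
        # Lists are compared as whole values, so reordering is reported too.
        out.append(Change(path, "changed", old, new, _sensitive(path, old, new)))

def diff_json(original_text, submitted_text):
    """Return every difference between two JSON documents, keys sorted per level."""
    out = []
    _walk(json.loads(original_text), json.loads(submitted_text), "", out)
    return out

def needs_close_review(changes):
    """True when at least one change touches a field in SENSITIVE_KEYS."""
    return any(change.sensitive for change in changes)

# Constructed sample documents, not taken from a real environment.
_BASE = {"clientId": "sample-app", "name": "Sample App", "bypassApprovalPage": False,
         "redirectUris": ["https://app.example.com/callback"],
         "grantTypes": ["AUTHORIZATION_CODE"]}
ORIGINAL = json.dumps(_BASE)
SUBMITTED = json.dumps(dict(
    _BASE, name="Sample App (prod)", bypassApprovalPage=True,
    redirectUris=_BASE["redirectUris"] + ["https://other.example.net/cb"],
    grantTypes=["AUTHORIZATION_CODE", "IMPLICIT"]))

if __name__ == "__main__":
    for change in diff_json(ORIGINAL, SUBMITTED):
        flag = "REVIEW" if change.sensitive else "      "
        print(f"{flag} {change.kind:8} {change.path}: {change.old!r} -> {change.new!r}")
```

Run against the two documents an approver sees, the output lists each changed path and marks the ones that alter how the application authenticates or where it redirects.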

## Updating environments

Update PingFederate and PingAccess environment information at any time.

### Steps

1. To manage the environment maintenance status, see the following choices:

   #### Choose from:

   * To indicate that an environment is down for maintenance, toggle the switch on the applicable environment status bar from left (green) to right (gray). This action signals to application owners that the environment is undergoing maintenance and is now **Disabled**. This prevents PingCentral from connecting to the environment, avoiding UI errors.

   * To revert maintenance status, toggle the switch on the applicable environment status bar from right (gray) to left (green). This action removes the maintenance **Disabled** status, allowing application owners to resume interactions with the environment. This is the default status.

     |   |                                                                                                                                                                                       |
     | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
     |   | If an environment is offline or **Disabled**, the environment information displays a gray **OFFLINE** status bar. If an environment status is unknown, the status bar is unavailable. |

2. To edit environment information, click the expandable icon associated with it, and then click the **Pencil** icon.

   All of the editable information displays on one page.

   | Option | Description |
   | --- | --- |
   | Update the name and description | To update the name and description, change the information in the **Name**, **Short Code**, and **Description** fields. |
   | Update the assertion encryption certificate | To update the assertion encryption certificate, click **Choose** to upload a new certificate and enter the certificate password in the appropriate field. |
   | Update connection information | To update the connection, ensure that the authentication method you want to use is selected:<br>- **Native**: Update the **Username** and **Password** fields for your PingFederate or PingAccess environments.<br>- **OAuth2**: Update the information in the **Token Endpoint URL**, **Client ID**, **Client Secret**, and **Scopes** fields.<br>- **Client Certificate**: Update the certificate used for mTLS.<br><br>If a PingAccess environment is added to PingCentral and removed through the edit page, the connection information is saved and restored if the PingAccess environment is selected again. |
   | Configure promotion approval requirements | To configure whether non-administrators need approval for promoting an application to an environment, select an option from the **Approval Type** list. Choose from:<br>- Select **No Approval** to allow non-administrators to promote applications to the environment freely.<br>- Select **Approval Required** to indicate that application promotion requires approval.<br>- Select **Require Approval If Any Expression Fails** and see [Creating and testing approval expressions](pingcentral_create_test_expressions.html) at the bottom of this page for details.<br>- Select **Require Approval If Any Expression Succeeds** and go to [Creating and testing approval expressions](pingcentral_create_test_expressions.html) on this page. |
   | Update the JSON editing option | If you want application owners to be able to edit the underlying application JSON when they promote their OAuth and SAML applications, select **Allow JSON editing for application promotions**. Providing application owners with this ability can be risky, so it's highly recommended that you require promotion requests to be approved. That way, you'll be able to compare the submitted application JSON to the original application JSON before you approve the promotion. |
   | Add or remove the enforcement of random client secret generation | To enforce random secret generation and restrict non-administrators from creating their own, select the **Enforce Random Client Secrets** check box. PingCentral will generate random client secrets. To allow non-administrators to generate their own secret, clear the check box. |
   | Configure application owner deletion access | To restrict application owners from deleting applications from environments, select the **Allow only administrators to delete applications from PingFederate** (and PingAccess, when applicable) option. |
   | Update the signing certificate | To update the signing certificate used to promote SAML applications, select the appropriate certificate in the **Signing Certificate** list or upload your own. |
   | Update the SP certificate | To update the service provider (SP) certificate, click **Choose** to upload a new certificate and enter the certificate password in the appropriate field. |

3. Click **Save**.

## Deleting environments

Delete environments from PingCentral when they are no longer needed.

### Steps

1. Click the expandable icon associated with the environment to view environment details.

2. To delete the environment from PingCentral, click its associated **Delete** icon.

   #### Result:

   A message displays asking you if you want to delete the environment.

3. Click **Delete**.

   #### Result:

   A message displays saying that the environment was deleted.

   |   |                                                                                                                                                |
   | - | ---------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | When an environment is deleted, applications that were promoted to that environment retain the promotion details from the deleted environment. |
