Configuring the administrative console
About this task
After you have deployed the PingDirectory administrative console, you can configure it.
Steps
- Disable the embedded administrative console using dsconfig or the administrative console to configure connection handlers:
  Choose from:
  - To use dsconfig, run dsconfig set-connection-handler-prop:
      dsconfig set-connection-handler-prop \
        --handler-name "<HTTPS Connection Handler>" \
        --reset web-application-extension
    Replace <HTTPS Connection Handler> with the name of the connection handler hosting the administrative console.
  - To use the administrative console, open the console:
    - On the Configuration page, go to Connection Handlers.
    - In the Connection Handlers list, select the HTTP or HTTPS connection handler that is hosting the administrative console.
    - Go to Web Application Extension and click the arrows to move Console from the Selected column on the right to the Available column on the left.
- To finalize your changes, restart the HTTPS Connection Handler using dsconfig:
  Example:
    dsconfig set-connection-handler-prop \
      --handler-name "<HTTPS Connection Handler>" \
      --set enabled:false
    dsconfig set-connection-handler-prop \
      --handler-name "<HTTPS Connection Handler>" \
      --set enabled:true
- Configure the administrative console's application.yml file.
  You can configure the standalone PingDirectory server administrative console by modifying the /tmp/Console/WEB-INF/classes/application.yml file. To see the different configuration settings listed in the default application.yml file included with the administrative console and what they do, expand the following table.
Configuration settings
Setting
  Description
spring.*
  For information about these properties, see the Spring API docs (https://docs.spring.io/spring-boot/docs/current/reference/html/application-properties.html). You should not modify them.
management.server.base-path
  Controls the prefix of the Spring Boot Actuator endpoints of the console application. You should not modify this setting.
logging.level.*
  Controls the severity level of messages logged about these packages.
log.console
  If this is set to true, the console logs messages to a file.
log.file
  If logging is enabled, this specifies the file that the console will log to.
PingData.SSO.OIDC.enabled
  If this is set to true, the console attempts to use OpenID Connect (OIDC) single sign-on (SSO) to bind to the managed server. If false, the console asks for a username and password.
PingData.SSO.OIDC.issuer-uri
  The issuer URI to the OIDC provider.
PingData.SSO.OIDC.client-id
  The client ID used with the OIDC provider.
PingData.SSO.OIDC.client-secret
  The client secret used with the OIDC provider.
PingData.SSO.OIDC.trust-store-file
  The file path to the trust store used when communicating with the OIDC provider.
PingData.SSO.OIDC.trust-store-type
  The type of trust store specified by PingData.SSO.OIDC.trust-store-file.
PingData.SSO.OIDC.trust-store-pin
  Specifies the password used with the trust store specified by PingData.SSO.OIDC.trust-store-file.
PingData.SSO.OIDC.trust-store-pin-environment-variable
  Specifies the environment variable containing the password used with the trust store specified by PingData.SSO.OIDC.trust-store-file.
PingData.SSO.OIDC.strict-hostname-verification
  If this is set to true, the console requires a matching host name on the OIDC provider certificate.
PingData.SSO.OIDC.trust-all
  If this is set to true, the console accepts any OIDC provider certificate.
PingData.SSO.OIDC.username-attributes
  The LDAP attribute containing the username of the user the console is logging in as when using SSO.
login.hide-server
  If this is set to true, the 'server' field is hidden on the sign-on page.
ldap.server
  Auto-populates the 'server' field on the sign-on page. If login.hide-server=true, this value determines which directory server the console tries to bind to.
ldap.init-user
  Auto-populates the user field on the sign-on page.
ldap.init-password
  Auto-populates the password field on the sign-on page.
ldap.trust-store-file
  The file path to the trust store used when binding to the directory server.
ldap.trust-store-type
  Specifies the type of trust store specified by trust-store-file.
ldap.trust-store-pin
  Specifies the password used with the trust store specified by trust-store-file.
ldap.trust-store-pin-environment-variable
  Specifies the environment variable containing the password used with the trust store specified by trust-store-file.
ldap.file-servlet-name
  Specifies the name of the file servlet on the managed directory server to use when fetching generated collect-support-data (CSD) or server profiles.
ldap.csd-task-enabled
  If this is set to true, the console has a button that has the managed directory server run a collect-support-data task.
ldap.csd-destination-folder
  The file path to the folder where the managed directory server stores generated CSD files after running the collect-support-data task.
ldap.profile-destination-folder
  The file path to the folder where the managed directory server stores generated server profiles after running the generate-server-profile task. Do not change this property.
branding.custom-folder
  The file path to the folder that holds custom branding.properties, branding.css, and favicon.ico files. If empty, default Ping Identity branding is used instead.
configuration.complexity
  Determines the maximum complexity level for shown configuration objects. The possible values are basic, standard, advanced, and expert.
server.sessionTimeout
  The amount of time a web session can remain idle before the user must sign on again. The time is set in seconds unless you use a time interval (h for hours or m for minutes). If not specified, the default is 24 hours.
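Several settings in this table relax certificate checks or keep a secret in the file, so they are worth checking before the console is restarted. The following script is an added example, not part of the PingDirectory documentation or product: it flattens an application.yml into the dotted setting names used above and reports those settings. The nesting of the sample file, its values, and the names flatten and audit are assumptions.

```python
# Constructed sample. The nesting is an assumption; only the setting names come from the table.
SAMPLE = """\
PingData.SSO.OIDC:
  enabled: true
  client-secret: "s3cr3t"
  trust-all: true
  strict-hostname-verification: false
ldap:
  server: ds1.example.com:636
  init-password: "changeit"
  trust-store-pin-environment-variable: LDAP_TS_PIN
login.hide-server: true
"""

def flatten(text):
    """Turn nested or dotted YAML mappings (scalar values only) into {dotted.key: value}."""
    out, stack = {}, []  # stack holds (indent, key) for each open parent mapping
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")  # split at the first colon only
        while stack and stack[-1][0] >= indent:  # leave mappings we have dedented out of
            stack.pop()
        value = value.strip().strip("'\"")
        if value:
            out[".".join([k for _, k in stack] + [key.strip()])] = value
        else:
            stack.append((indent, key.strip()))  # no value: a parent mapping (or unset key)
    return out

OIDC = "PingData.SSO.OIDC."
RULES = [  # (setting, predicate on its value, finding)
    (OIDC + "trust-all", lambda v: v.lower() == "true", "accepts any OIDC provider certificate"),
    (OIDC + "strict-hostname-verification", lambda v: v.lower() != "true", "host name on the OIDC certificate is not checked"),
    (OIDC + "client-secret", bool, "client secret is in the file: restrict who can read it"),
    (OIDC + "trust-store-pin", bool, "trust store password in the file: use the -environment-variable setting"),
    ("ldap.trust-store-pin", bool, "trust store password in the file: use the -environment-variable setting"),
    ("ldap.init-password", bool, "password is stored in the file and pre-filled on the sign-on page"),
]

def audit(text):
    """Return (setting, finding) pairs for every rule that matches a setting present in the file."""
    cfg = flatten(text)
    return [(key, msg) for key, test, msg in RULES if key in cfg and test(cfg[key])]

if __name__ == "__main__":
    for key, msg in audit(SAMPLE):
        print(f"{key}: {msg}")
```

Settings that are absent from the file are not reported, because the table does not state their defaults.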
  After modifying the application.yml file, you must restart the console for your changes to take effect.
- Select servers to manage in the administrative console:
  - To use the application.yml file to select a server for the administrative console to manage:
    - Set the ldap.server property to the address of the LDAP server to bind to.
    - Restart the console using the following command:
        dsconfig set-connection-handler-prop \
          --handler-name "<HTTPS Connection Handler>" \
          --set enabled:false
        dsconfig set-connection-handler-prop \
          --handler-name "<HTTPS Connection Handler>" \
          --set enabled:true
  - To switch between managed servers in a single topology while signed on to the administrative console, in the Servers list, select the server that you want to manage.
  - To select a server when SSO is not enabled and the login.hide-server property in application.yml is false:
    - If you are signed on to the console, sign off of your current session.
    - Change the Server field value on the console sign-on page to the address of the LDAP server you want to manage.
  - To select a server when SSO is enabled:
    - Enter the console URL with the ldap-hostname and ldaps-port query parameters specified when accessing the console:
        https://<hostname>:<port>/console/login?ldap-hostname=<ldap.host>&ldaps-port=<ldaps-port>
      Example:
      In the following example URL, <hostname> is localhost, <port> is 443, ldap-hostname is <ldap.host>, and the <ldaps-port> is 636.