---
title: Signing on to and configuring the admin console
description: After you install the server, access the admin console to verify the configuration and manage the server.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_sign_on_admin_console
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_sign_on_admin_console.html
revdate: August 20, 2024
page_aliases: ["pd_sync_setting_admin_console_timeout.adoc", "pd_ds_deploy_admin_console.adoc", "pd_ds_configure_admin_console.adoc", "pd_ds_docker_standalone_admin_console.adoc", "pd_ds_setup_admin_console_tomcat.adoc", "pd_ds_customizetext_ds.adoc", "pd_ds_customizecolor_ds.adoc", "pd_ds_customizeicon_ds.adoc", "pd_ds_use_custom_rebranding.adoc"]
section_ids:
  steps: Steps
  setting_admin_console_timeout: Setting the admin console session timeout window
  steps-2: Steps
  choose-from: Choose from:
  choose-from-2: Choose from:
  deploying_admin_console: Deploying the admin console
  environment-variables: Environment variables
  application-base-path: Application base path
  using-docker-to-run-a-standalone-admin-console: Using Docker to run a standalone admin console
  steps-3: Steps
  admin_console_tomcat: Setting up the admin console on a Tomcat server
  before-you-begin: Before you begin
  steps-4: Steps
  result: Result:
  example: Example:
  configuring-the-admin-console: Configuring the admin console
  steps-5: Steps
  choose-from-3: Choose from:
---

# Signing on to and configuring the admin console

After you install the server, access the admin console to verify the configuration and manage the server.

The admin console is designed primarily for server configuration, which includes the creation of new schema elements like attribute types and object classes. Most entry-monitoring tasks, such as searching and modifying, must be executed with the built-in command-line tools. Learn more in [Managing entries](pd_ds_manage_entries.html).

|   |                                                                                                                         |
| - | ----------------------------------------------------------------------------------------------------------------------- |
|   | The information in this topic applies to all servers in the PingDirectory suite of products unless otherwise specified. |

## Steps

1. Start the server.

   `$ bin/start-server`

2. To access the admin console, go to https\://*\<host>*:*\<port>*/console.

   *\<host>* is the host name of the server, and *\<port>* is the port on which the server accepts connections from HTTPS clients.

   |   |                                                             |
   | - | ----------------------------------------------------------- |
   |   | The host name and port were configured during installation. |

3. In the **Username** and **Password** fields, enter the root user DN credentials.

   ![Screen capture of the admin console sign-on screen showing the Server, Username, and Password fields.](_images/admin-console-sign-on.png)

   |   |     |
   | - | --- |
   |   | To sign on to the admin console, you need either the root user distinguished name (DN) or the common name of a root user DN. For example, if the DN created when the server was installed is `cn=Directory Manager`, you can use either `cn=Directory Manager` or `directory manager` to sign on. |

4. Click **Continue**.

   To set up an SSO connection, refer to [Single sign-on with the admin console](pd_ds_sso_admin_console.html).

   To run the console in an external container, such as Tomcat, refer to [Deploying the admin console](#deploying_admin_console).

## Setting the admin console session timeout window

The default session timeout for the admin console is 30 minutes. You can adjust your session length to suit your organization's needs.

|   |                                                                                         |
| - | --------------------------------------------------------------------------------------- |
|   | When the session duration is exceeded, all inactive users are logged off automatically. |

To change the default session timeout value:

### Steps

1. To configure the `server.servlet.session.timeout` application parameter, which specifies the timeout duration in seconds, set the value as an `init-parameter` either in the console or on the command line:

   #### Choose from:

   * Use the admin console:

     1. In the sidebar, click **Configuration**.

     2. Enable the **Show all configuration** toggle.

     3. In the **Web Services and Applications** list, select **Web Application Extensions**.

        ![A screen capture of the admin console Configuration screen with the Show all configuration toggle enabled.](_images/admin-console-show-all-config.png)

     4. In the **Web Application Extension** list, select **Console**.

     5. In the **Init Parameter** field, enter `server.servlet.session.timeout=<value>`, replacing *\<value>* with the desired timeout duration in seconds.

     6. Click **Save**.

   * Use the command line to run the following:

     ```
     dsconfig set-web-application-extension-prop --no-prompt \
         --extension-name Console \
         --add init-parameter:server.servlet.session.timeout=<value in seconds>
     ```

2. To save your changes, restart the HTTP Connection Handler or the server:

   #### Choose from:

   * Restart the HTTP Connection Handler:

     ```
     dsconfig set-connection-handler-prop \
         --handler-name "<HTTPS Connection Handler>" \
         --set enabled:false

     dsconfig set-connection-handler-prop \
         --handler-name "<HTTPS Connection Handler>" \
         --set enabled:true
     ```

   * Restart the server using `bin/stop-server` with the `-R` or `--restart` option:

     ```
     bin/stop-server --restart
     ```

## Deploying the admin console

To administer multiple servers from a single console instance, you can use Docker or a Java application server, such as Tomcat or Jetty, to run the admin console as a standalone instance. Running the admin console as a standalone instance also allows you to make changes to the console without restarting the server's HTTPS connection handlers.

|   |                                                                                                                         |
| - | ----------------------------------------------------------------------------------------------------------------------- |
|   | The admin console packaged with version 11.0 of the PingDirectory suite of products only supports version 11.0 servers. |

### Environment variables

You can change the value of any configuration property within the `../WEB-INF/classes/application.yml` file by setting an environment variable following the pattern shown in [this article](https://medium.com/programmers-journey/how-to-override-spring-properties-with-env-vars-82ee1db2ae78).

For example, to set the `system.readOnly` property to `true`, which puts the console into read-only mode, include the following argument for a Docker deployment:

```
--env SYSTEM_READ_ONLY=true
```

Alternatively, you can run the following command for either Tomcat or Docker deployments:

```
export SYSTEM_READ_ONLY=true
```

### Application base path

By default, the server hosts the admin console at the `/console` endpoint. If you want to change this path, you can update the `base-context-path` property by updating the console's web application extension.

If you [host the admin console on a Tomcat server](#admin_console_tomcat), you can deploy the `resource/admin-console.war` file to serve the console at the `/admin-console` endpoint. If you change the `.war` file name, you change the admin console endpoint.

### Using Docker to run a standalone admin console

The admin console is available as a standalone Docker image on [Docker Hub](https://hub.docker.com/r/pingidentity/pingdataconsole).

The [Ping Identity Helm charts](https://helm.pingidentity.com/) also include support for the admin console, which you should use when deploying the console in Kubernetes.

#### Steps

* To connect with a server that's deployed in Docker, run the admin console image in a local Docker deployment. The network you use must match the network used by the server's container.

  Learn how to configure and deploy the admin console with Docker in the [DevOps documentation](https://developer.pingidentity.com/devops/docker-images/pingdataconsole/README.html).

  |   |                                                                                                                                                                                                                                                                                                           |
  | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  |   | For a `docker-compose` example that deploys a PingDirectory container with a corresponding console, refer to the [PingDirectory getting started demo](https://github.com/pingidentity/pingidentity-devops-getting-started/blob/master/11-docker-compose/00-standalone/pingdirectory/docker-compose.yaml). |

* To access the admin console, go to https\://*\<hostname>*:*\<port>*/console and enter the following credentials.

  | Field        | Credential |
  | ------------ | ---------- |
  | **Server**   | `<PingDirectory-container-name>:<LDAPS-port>`. The name of the server you enter on the sign-on page must match the name of the server container you're trying to connect to along with the LDAPS port of that container. For example, use `pingdirectory:1636` to connect to a standalone PingDirectory Docker container on the same network. |
  | **Username** | `administrator` |
  | **Password** | `2FederateM0re` |

### Setting up the admin console on a Tomcat server

#### Before you begin

To set up a standalone admin console, you need the `.war` file from the server's `resource/admin-console.zip` archive.

You can use the `.war` file with Java application servers, such as Tomcat or Jetty. The following example uses Tomcat as the server environment.

#### Steps

1. Download the Tomcat 11 `.zip` archive from the [Apache Tomcat downloads page](https://tomcat.apache.org/download-11.cgi).

2. Extract the `.zip` archive.

3. To set up the Tomcat server, follow the instructions in the `RUNNING.txt` file from the extracted directory.

4. To keep the Tomcat server information from being exposed, in the `Host` section of the `Tomcat_directory/conf/server.xml` file, add the following line:

   ```
   <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="true" showServerInfo="false" />
   ```

   |   |                                                                                                                                                                                                              |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
   |   | This information is sourced from the [Smart Scanner](https://www.thesmartscanner.com/vulnerability-list/server-version-disclosure) website, where you can learn more about this Tomcat server vulnerability. |

5. Copy the `.war` file into the `webapps` folder in the Tomcat root directory.

6. To start the Tomcat server, run `startup.sh` or `startup.bat` from the `bin` folder of the Tomcat root directory.

   ##### Result:

   Tomcat automatically extracts the admin console from the compressed `.war` file into an exploded application directory and starts running the console.

7. Set a specific location for the console's log output by updating the value of `log.file` in the `../WEB-INF/classes/application.yml` file.

8. To access the admin console, add the name of the `.war` file to the end of the Tomcat server's path.

   ##### Example:

   If the Tomcat server is deployed on `localhost:8080`, and the `.war` file is named `admin-console.war`, then the path to access the console is `localhost:8080/admin-console`.
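The following check is an added example, not part of the product documentation. It parses a `server.xml` and reports, for each `Host`, whether the `ErrorReportValve` from step 4 is present with `showServerInfo="false"`. The sample XML and the host name `console.example.internal` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ERROR_REPORT_VALVE = "org.apache.catalina.valves.ErrorReportValve"

# Constructed sample: the first Host carries the valve from step 4,
# the second Host has no ErrorReportValve at all.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" />
        <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="true" showServerInfo="false" />
      </Host>
      <Host name="console.example.internal" appBase="console-apps">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" />
      </Host>
    </Engine>
  </Service>
</Server>
"""


def valve_flag(valve, attribute):
    """Read a boolean valve attribute; Tomcat defaults both flags to true."""
    value = valve.get(attribute)
    return True if value is None else value.lower() == "true"


def check_hosts(server_xml):
    """Return one result per <Host> describing its error-page exposure."""
    results = []
    for host in ET.fromstring(server_xml).iter("Host"):
        valves = [v for v in host.findall("Valve")
                  if v.get("className") == ERROR_REPORT_VALVE]
        if valves:
            # If the valve appears more than once, treat the weakest one as decisive.
            shows_info = any(valve_flag(v, "showServerInfo") for v in valves)
            shows_report = any(valve_flag(v, "showReport") for v in valves)
        else:
            # No explicit valve: Tomcat's defaults apply and the version is shown.
            shows_info = shows_report = True
        results.append({
            "host": host.get("name"),
            "valve_configured": bool(valves),
            "hides_server_info": not shows_info,
            "shows_report": shows_report,
        })
    return results


if __name__ == "__main__":
    for result in check_hosts(SAMPLE_SERVER_XML):
        status = "OK" if result["hides_server_info"] else "EXPOSES SERVER INFO"
        print(f'{result["host"]}: {status} (showReport={result["shows_report"]})')
```

To check a real installation, pass the contents of `Tomcat_directory/conf/server.xml` to `check_hosts`.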

## Configuring the admin console

After you have deployed the admin console, you can configure it.

### Steps

1. To configure the admin console settings:

   #### Choose from:

   * Modify the `../WEB-INF/classes/application.yml` file.

   * Set `init-parameter` values for the desired configuration properties, following the same steps described in Step 1 of [Setting the admin console session timeout window](#setting_admin_console_timeout).

   To see the different configuration settings included with the admin console, expand the following table:

   > **Collapse: Configuration settings**
   >
   > | Setting                                                  | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
   > | -------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
   > | `spring.*`                                               | Learn more about these properties in the [Spring API docs](https://docs.spring.io/spring-boot/appendix/application-properties/index.html).You shouldn't modify them.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
   > | `management.server.base-path`                            | Controls the prefix of the Spring Boot Actuator endpoints of the admin console application.You shouldn't modify this setting.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
   > | `branding.appName`                                       | Controls the title of the admin console application displayed on the sign on page and in the console's banner, for example **PingDirectory admin console**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
   > | `logging.level.*`                                        | Controls the severity level of messages logged about these packages.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
   > | `log.console`                                            | If this is set to `true`, the admin console logs messages to a file.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
   > | `log.file`                                               | If logging is enabled, this specifies the file that the admin console will log to.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
   > | `PingData.SSO.OIDC.enabled`                              | If this is set to `true`, the admin console attempts to use OpenID Connect (OIDC) *(tooltip: \<div class="paragraph">&#xA;\<p>An authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management.\</p>&#xA;\</div>)* single sign-on (SSO) *(tooltip: \<div class="paragraph">&#xA;\<p>The process of authenticating an identity (signing on) at one website (usually with a user ID and password) and then accessing resources secured by other domains without reauthenticating.\</p>&#xA;\</div>)* to bind to the managed server.If `false`, the admin console asks for a username and password. |
   > | `PingData.SSO.OIDC.issuer-uri`                           | The issuer URI to the OIDC provider.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
   > | `PingData.SSO.OIDC.client-id`                            | The client ID used with the OIDC provider.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
   > | `PingData.SSO.OIDC.client-secret`                        | The client secret used with the OIDC provider.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
   > | `PingData.SSO.OIDC.trust-store-file`                     | The file path to the trust store used when communicating with the OIDC provider.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
   > | `PingData.SSO.OIDC.trust-store-type`                     | The type of trust store specified by `PingData.SSO.OIDC.trust-store-file`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
   > | `PingData.SSO.OIDC.trust-store-pin`                      | Specifies the password used with the trust store specified by `PingData.SSO.OIDC.trust-store-file`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
   > | `PingData.SSO.OIDC.trust-store-pin-environment-variable` | Specifies the environment variable containing the password used with the trust store specified by `PingData.SSO.OIDC.trust-store-file`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
   > | `PingData.SSO.OIDC.strict-hostname-verification`         | If this is set to `true`, the admin console requires a matching host name on the OIDC provider certificate.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
   > | `PingData.SSO.OIDC.trust-all`                            | If this is set to `true`, the admin console accepts any OIDC provider certificate.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
   > | `PingData.SSO.OIDC.username-attributes`                  | The LDAP attribute containing the username of the user the admin console is logging in as when using SSO.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
   > | `login.hide-server`                                      | If this is set to `true`, the **Server** field is hidden on the sign-on page. |
   > | `ldap.server`                                            | Auto-populates the **Server** field on the sign-on page. If `login.hide-server=true`, this value determines which directory server the admin console tries to bind to. |
   > | `ldap.init-user`                                         | Auto-populates the **Username** field on the sign-on page.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
   > | `ldap.init-password`                                     | Auto-populates the **Password** field on the sign-on page.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
   > | `ldap.trust-store-file`                                  | The file path to the trust store used when binding to the directory server.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
   > | `ldap.trust-store-type`                                  | Specifies the type of trust store specified by `trust-store-file`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
   > | `ldap.trust-store-pin`                                   | Specifies the password used with the trust store specified by `trust-store-file`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
   > | `ldap.trust-store-pin-environment-variable`              | Specifies the environment variable containing the password used with the trust store specified by `trust-store-file`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
   > | `ldap.file-servlet-name`                                 | Specifies the name of the file servlet on the managed directory server to use when fetching generated `collect-support-data` (CSD) or server profiles.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
   > | `ldap.csd-task-enabled`                                  | If this is set to `true`, the admin console displays a button that makes the managed directory server run a `collect-support-data` task. |
   > | `ldap.csd-destination-folder`                            | The file path to the folder where the managed directory server stores generated CSD files after running the `collect-support-data` task.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
   > | `ldap.profile-destination-folder`                        | The file path to the folder where the managed directory server stores generated server profiles after running the `generate-server-profile` task. Don't change this property. |
   > | `configuration.complexity`                               | Determines the maximum complexity level for shown configuration objects. The possible values are `basic`, `standard`, `advanced`, and `expert`. |
   > | `server.servlet.session.timeout`                         | The amount of time a web session can remain idle before the user must sign on again. The time is set in seconds unless you use a time interval (**h** for hours or **m** for minutes). If not specified, the default is 30 minutes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
   > | `system.readOnly`                                        | If this is set to `true`, it puts the console in read-only mode. This prevents console-based modifications to the server's configuration or schema.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |

2. To make your changes take effect, restart the admin console.
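
The following Python check is an added example, not Ping Identity code: it reads the properties described in the table above and reports settings that relax certificate verification, keep secrets in the configuration, or extend the idle session window. The flat `name: value` input layout, the sample values, and the `max_idle_seconds` threshold are assumptions.

```python
import re

# Constructed sample settings, one "name: value" per line (layout is an assumption).
SAMPLE = """\
PingData.SSO.OIDC.trust-all: true
PingData.SSO.OIDC.strict-hostname-verification: false
ldap.server: ds1.example.com:1636
ldap.init-user: cn=admin
ldap.init-password: changeit
ldap.trust-store-pin: secret
server.servlet.session.timeout: 12h
"""

def parse_settings(text):
    """Parse flat 'name: value' or 'name=value' lines into a dict."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][\w.\-]*)\s*[:=]\s*(.*)$", line)
        if m:  # comments and blank lines do not match and are skipped
            settings[m.group(1)] = m.group(2).strip().strip("'\"")
    return settings

def timeout_seconds(value):
    """Seconds unless suffixed with h or m; unset falls back to the 30-minute default."""
    if not value:
        return 30 * 60
    m = re.fullmatch(r"(\d+)\s*([hm]?)", value.strip().lower())
    if not m:
        raise ValueError(f"unrecognised session timeout: {value!r}")
    return int(m.group(1)) * {"h": 3600, "m": 60, "": 1}[m.group(2)]

def audit(settings, max_idle_seconds=1800):
    """Return (property, finding) pairs; max_idle_seconds is a local policy choice."""
    findings = []
    oidc = "PingData.SSO.OIDC."
    if settings.get(oidc + "trust-all", "").lower() == "true":
        findings.append((oidc + "trust-all", "any OIDC provider certificate is accepted"))
    # Only an explicit 'false' is reported; the default is not stated in the table.
    if settings.get(oidc + "strict-hostname-verification", "").lower() == "false":
        findings.append((oidc + "strict-hostname-verification",
                         "a matching host name on the OIDC provider certificate is not required"))
    if settings.get("ldap.init-password"):
        findings.append(("ldap.init-password",
                         "password is stored in the configuration and pre-filled on the sign-on page"))
    if settings.get("ldap.trust-store-pin"):
        findings.append(("ldap.trust-store-pin",
                         "inline PIN; prefer ldap.trust-store-pin-environment-variable"))
    idle = timeout_seconds(settings.get("server.servlet.session.timeout"))
    if idle > max_idle_seconds:
        findings.append(("server.servlet.session.timeout", f"idle window is {idle}s"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_settings(SAMPLE)):
        print(f"{name}: {finding}")
```
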
