PingFederate Server

Storing PingFederate data with Redis

You can store long-term PingFederate data in an external Redis cache. This offers fast, constant access to operating data, improving PingFederate resiliency and scalability. External caching also eases upgrading in a clustered environment.

Depending on your configuration, you lose some data such as long-lived tokens and transaction records when you restart a PingFederate cluster. Storing this data in Redis allows you to retain it even in the case of a full cluster reset. Retaining this data also improves scalability by eliminating the need for memory rebalancing after a node startup or shutdown.

Storing long-term data in Redis makes upgrades easier by allowing newer versions of PingFederate to run on a cluster alongside older versions for a short time. This allows you to stagger your upgrades and reduce downtime.

PingFederate currently supports storing data from the following services on Redis:

  • Account locking

  • Authorization artifacts

  • Inter-Request State-Management (IRSM) data

Redis connection configurations

The redis-connection.conf file contains the following parameters to allow you to configure your Redis connection:

Parameter Description

redis.mode

The mode of your Redis deployment.

The default off mode indicates no Redis connection.

PingFederate supports the following deployment modes:

  • standalone

  • sentinel

  • cluster

redis.pool.minIdle

The minimum number of idle connections in the pool. The default value is 0.

redis.pool.maxIdle

The maximum number of idle connections in the pool. The default value is 8.

redis.pool.maxTotal

The total number of connections in the pool. The default value is 8.

redis.pool.testOnBorrow

Whether to test connections when borrowing from the pool. The default value is true.

redis.pool.testOnReturn

Whether to test connections when they return to the pool. The default value is false.

redis.pool.testWhileIdle

Whether to test idle connections. The default value is true.

redis.credential.mode

Whether to use credentials to authenticate into Redis.

A value of off requires no authentication. A value of static authenticates with a username and password.

redis.credential.static.username, redis.credential.static.password

If the redis.credential.mode value is static, either the username or password must be set. You can set both values.

The password can be in plain text, obfuscated, or stored in an external key store such as CyberArk.

You can obfuscate your password using the obfuscate utility in <pingfed_install>/pingfederate/bin.

redis.standalone.host

The Redis host name when redis.mode is set to standalone.

redis.standalone.port

The Redis port number when redis.mode is set to standalone.

redis.standalone.database

The Redis database ID. The default value is 0.

redis.sentinel.nodes

A comma-separated list of Redis host/port pairs when redis.mode is sentinel. The default port value is 26379. Example value: redis1:26379, redis2:26379.

redis.sentinel.master.id

The ID of the master node when redis.mode is sentinel.

redis.sentinel.database

The Redis database ID. The default value is 0.

Configuring your Redis connection

  1. Open the <pingfed_install>/pingfederate/server/default/conf/redis-connection.conf file in a text editor.

  2. Configure the parameters for your Redis deployment. Refer to the previous table for parameter information.

  3. Save and close the file.

You can also enable the redis-connection.conf settings using environment variables.
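The following linter is an added example, not code from PingFederate or its documentation. It checks a redis-connection.conf against the parameter table above and flags an unauthenticated connection, a static credential mode with no username or password, and unset keys for the selected mode. It assumes the file holds key=value lines with # comments, that an unset redis.credential.mode behaves as off, and that a sentinel node listed without a port uses the default 26379; the sample input and the names MODE_KEYS, parse_conf, parse_sentinel_nodes and lint are constructed for illustration.

```python
# Lint a redis-connection.conf against the parameter table (added example).
# Assumption: the file holds "key=value" lines with "#" comments.
VALID_MODES = {"off", "standalone", "sentinel", "cluster"}
# Keys the parameter table ties to each deployment mode.
MODE_KEYS = {"standalone": ("redis.standalone.host", "redis.standalone.port"),
             "sentinel": ("redis.sentinel.nodes", "redis.sentinel.master.id")}

def parse_conf(text):
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def parse_sentinel_nodes(value, default_port=26379):
    """Split 'redis1:26379, redis2' into (host, port) pairs."""
    nodes = []
    for item in filter(None, (p.strip() for p in value.split(","))):
        host, _, port = item.partition(":")
        nodes.append((host, int(port) if port else default_port))
    return nodes

def lint(conf):
    findings = []
    mode = conf.get("redis.mode", "off")
    if mode not in VALID_MODES:
        findings.append(f"redis.mode={mode} is not a supported mode")
    if mode == "off":
        return findings  # no Redis connection, nothing else applies
    cred = conf.get("redis.credential.mode", "off")  # assumed: unset means off
    secret = [conf.get(f"redis.credential.static.{k}") for k in ("username", "password")]
    if cred == "off":
        findings.append("redis.credential.mode=off: no authentication to Redis")
    elif cred == "static" and not any(secret):
        findings.append("redis.credential.mode=static without username or password")
    for key in MODE_KEYS.get(mode, ()):
        if not conf.get(key):
            findings.append(f"{key} is not set")
    return findings

SAMPLE = """# constructed sample, not a shipped default
redis.mode=sentinel
redis.sentinel.nodes=redis1:26379, redis2
redis.credential.mode=off
"""
if __name__ == "__main__":
    conf = parse_conf(SAMPLE)
    print(parse_sentinel_nodes(conf["redis.sentinel.nodes"]), lint(conf))
```

Run it against each node's copy of the file before a restart, since the Redis store holds authorization artifacts and IRSM data.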

Configuring account locking with Redis

  1. Open the <pingfed_install>/pingfederate/server/default/conf/service-points.conf file in a text editor.

  2. Set the account.locking.service parameter to com.pingidentity.integrations.redis.lockingservice.AccountLockingServiceRedisImpl.

  3. Save and close the file.

  4. If you’re running PingFederate in a clustered environment, repeat these steps for each node in the cluster.

  5. Restart PingFederate.

Configuring artifact storage with Redis

You can configure PingFederate to store authorization artifacts in a Redis cache. Supported artifacts are:

Steps

  1. Open the <pf_install>/pingfederate/server/default/conf/service-points.conf file in a text editor.

  2. Set the artifact.store parameter to com.pingidentity.integrations.redis.artifactpersistenceservice.ArtifactPersistenceServiceRedisImpl.

  3. Save and close the file.

  4. If you’re running PingFederate in a clustered environment, repeat these steps for each node in the cluster.

  5. Restart PingFederate.

Configuring IRSM data storage with Redis

You can configure PingFederate to store Inter-Request State-Management (IRSM) Service data in a Redis cache.

Steps

  1. Open the <pf_install>/pingfederate/server/default/conf/service-points.conf file in a text editor.

  2. Set the inter.request.state.mgmt parameter to com.pingidentity.integrations.redis.irsm.InterRequestStateMgmtRedisImpl.

  3. Save and close the file.

  4. If you’re running PingFederate in a clustered environment, repeat these steps for each node in the cluster.

  5. Restart PingFederate.