Manage the PingAccess Agent for RHEL's configuration through the paa.conf and agent.properties configuration files.
The /etc/httpd/conf.d/paa.conf file contains the configuration options defined in the following table.
/etc/httpd/conf.d/paa.conf configuration options

Parameter | Definition | Default Value |
---|---|---|
PaaCertificateDir | String value containing the path to the certificates extracted from the .properties files. | |
PaaEnabled | Determines whether the agent is enabled or disabled for a specific server configuration. Valid values are This value can be set globally; set for individual virtual hosts, directories, locations, or files; or both. The agent follows the most specific value that you set. Note: If you disable the PaaEnabled parameter globally, ensure that the PaaEnabled directive is set to For example, adding this text to an included configuration file enables PingAccess for the /pa context root and for the /var/www/html/one directory: Adding this text to an included configuration file disables PingAccess for all content in the /var/www/html/two directory except for files named | |
PaaPropertyFiles | List of .properties files that store configuration data used to connect the agent to the PingAccess engine nodes that the agent will communicate with. | conf.d/agent.properties |
PaaEnabledNoteName | An optional parameter which defines a note name. If a request includes a note with this name and a value of If you want to use this feature, you must deploy a custom module to include this note with the correct value. | |
The configured agent.properties files can contain the following parameters.
agent.properties configuration options

Parameter | Definition | Default Value |
---|---|---|
agent.engine.configuration.scheme | The URI scheme used to connect to the engine node. Valid values are | |
agent.engine.configuration.host | The PingAccess host name. | The value in the agent node's |
agent.engine.configuration.port | The port that the agent connects to on the PingAccess host. This value is defined in the PingAccess | Defined in the PingAccess Admin UI |
agent.engine.configuration.username | The unique agent name that identifies the agent in PingAccess. | Defined in the PingAccess Admin UI |
agent.engine.configuration.shared.secret | The password used to authenticate the agent to the engine. | Defined in the PingAccess Admin UI |
agent.engine.configuration.bootstrap.truststore | The base64-encoded public certificate used to establish HTTPS trust by the agent to the PingAccess engine. Note: If you're having difficulty connecting an agent to the PingAccess engine, verify that the Agent Trusted Certificate is configured correctly in Agent Management. | Generated by PingAccess |
agent.engine.configuration.maxConnections | The number of connections that a single web server worker process maintains to the PingAccess engine that's defined in the agent.engine.configuration.host parameter. | |
agent.engine.configuration.timeout | The maximum amount of time, in milliseconds, that a request to PingAccess can take from the agent. If this time is exceeded, the client receives a generic 500 Server Error response. | |
agent.engine.configuration.connectTimeout | The maximum amount of time, in milliseconds, that the agent can take to connect to the PingAccess engine. If this time is exceeded, the client receives a generic 500 Server Error response. | |
agent.cache.missInitialTimeout | The maximum amount of time, in milliseconds, that a web server worker process waits for a response to a policy cache request sent to other web server worker processes. | |
agent.cache.broker.publisherPort | The network port that web server processes use to publish policy cache requests to other web server worker processes. This port is bound to the localhost network only. | |
agent.cache.broker.subscriberPort | The network port that web server processes use to receive policy cache requests from other web server worker processes. This port is bound to the localhost network only. | |
agent.cache.maxTokens | The maximum number of tokens stored in the policy cache for a single web server worker process. A value of 0 means there is no maximum. | |
agent.cache.disabled | Determines whether policy decision caching is enabled or disabled. A value of Warning: Disabling caching has a significant impact on the scalability of the PingAccess policy servers because the policy server must process every rule evaluation. Only use this option as a last resort because of the performance penalty. | |
agent.engine.configuration.failover.hosts | The host name and port of the PingAccess server where the agent should send requests in the event of a failover from the PingAccess Host. Note: If this parameter is set, the upstream block name in For example, if your PingAccess certificate contains the name | Defined in the PingAccess Admin UI |
agent.engine.configuration.failover.failedRetryTimeout | The number of seconds to wait before the agent should retry connecting to a failed PingAccess server. | |
agent.engine.configuration.failover.MaxRetries | The number of times to retry a connection to a PingAccess server after an unsuccessful attempt. If all retries fail, the agent marks the PingAccess server as failed for the duration of the agent.engine.configuration.failover.failedRetryTimeout value and tries another PingAccess server if one is available. | |
agent.cache.type | Controls the type of policy cache used by the agent. There are three valid values for this property: | |
agent.send.inventory | Determines whether the This header contains the following fields: For more information, see Agent inventory logging. | |
agent.inventory | Specifies additional values to include in the This parameter uses the following syntax: Note: The specified header fields are case-sensitive. | Not present by default. |
agent.apache.host.source.headerName | If present, specifies a header that overrides the default | Not present by default. |
You can add comments to the agent.properties files if necessary. Lines beginning with the # or ! characters are ignored by the agent.
Changes to the agent.properties file require a restart of the web server.
For more information on how to improve agent performance, see the Performance Tuning Guide.
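The following Python script is an added example, not part of the PingAccess product or its documentation. It parses agent.properties text using the # and ! comment rule described above and flags a few of the table's settings that a pre-deployment review would check. The `key=value` separator, the sample values, the severity labels, and the choice of checks are assumptions made for illustration.

```python
import stat

P = "agent.engine.configuration."

SAMPLE = """\
# constructed sample for illustration, not a real deployment
! the second comment style is ignored as well
agent.engine.configuration.scheme=http
agent.engine.configuration.host=pa.example.com
agent.engine.configuration.username=agent1
agent.engine.configuration.shared.secret=PLACEHOLDER
agent.engine.configuration.timeout=30s
agent.cache.maxTokens=0
"""

def parse_agent_properties(text):
    """Return {key: value}; lines beginning with # or ! are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Assumption: key and value are separated by the first '='.
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(props, file_mode):
    """Return (severity, message) findings for one properties file."""
    findings = []
    scheme = props.get(P + "scheme")
    if scheme is not None and scheme.lower() != "https":
        findings.append(("high", "engine scheme is %r, not https" % scheme))
    # The file holds the agent's password, so it should not be world-accessible.
    if P + "shared.secret" in props and file_mode & stat.S_IRWXO:
        mode = stat.S_IMODE(file_mode)
        findings.append(("high", "shared secret file has mode %o" % mode))
    if not props.get(P + "bootstrap.truststore"):
        findings.append(("medium", "bootstrap.truststore is not set"))
    if props.get("agent.cache.maxTokens") == "0":
        findings.append(("info", "maxTokens=0: policy cache has no maximum"))
    for name in ("timeout", "connectTimeout"):
        value = props.get(P + name)
        if value is not None and not value.isdigit():
            findings.append(("medium", name + " is not whole milliseconds"))
    return findings

if __name__ == "__main__":
    print(audit(parse_agent_properties(SAMPLE), 0o644))
```

To check a deployed file, pass its contents and `os.stat(path).st_mode` to `audit`.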