You can configure any of the following parameters used by PingAccess at runtime in the <PA_HOME>/conf/run.properties file.
In a clustered environment, each node has a unique run.properties file. Because changes to the run.properties file can significantly impact performance, use an identical run.properties configuration on all engine nodes.
Changes made to the run.properties file only take effect after you restart the PingAccess service on the given node.
When storing passwords in run.properties, obfuscate them using the obfuscate.bat or obfuscate.sh utility to mask the password value. You can find this utility in the <PA_HOME>/bin folder.
If you're running PingAccess in FIPS mode, PingAccess ignores all
Operational mode
- pa.operational.mode
- Controls the operational mode of the PingAccess server in a cluster. The following table describes the valid values.
Note: Define the following engine and administrative properties depending on what operational mode an engine is using:
- Define all engine and administrative properties when pa.operational.mode is set to STANDALONE.
- Define only administrative properties when using CLUSTERED_CONSOLE or CLUSTERED_CONSOLE_REPLICA mode.
- Define only engine properties when using CLUSTERED_ENGINE mode.
For more information about operational modes in PingAccess, see:
- For information about configuring nodes using clustered operational mode, see the Clustering Reference Guide.
- For information about installing PingAccess in standalone mode, see Installing and Uninstalling PingAccess.
Administrative properties
- admin.port
- Defines the TCP port on which the PingAccess administrative console runs. The default value is 9000.
- admin.bindAddress
- Defines the IP address that admin.port binds to. This is typically required on multihomed servers having multiple IP addresses. The default value of 0.0.0.0 means that the port will bind to all of the server's IP addresses.
- admin.ssl.protocols
- Defines the protocols for use with administrative HTTPS ports. The default value is ${tls.default.protocols}, which uses the protocols specified by the tls.default.protocols parameter.
- admin.ssl.ciphers
- Defines the type of cryptographic ciphers available for use with administrative HTTPS ports. The default value is ${tls.default.cipherSuites}, which uses the ciphers specified by the tls.default.cipherSuites parameter.
- admin.acceptors
- Defines the number of admin acceptor threads used to establish connections. The default value is 1.
- admin.backlog
- Defines the maximum queue length for incoming admin connection indications. The default value is 512.
- admin.httptransport.coreThreadPoolSize
- Defines the number of threads to keep in the admin transport pool, even if they're idle. The default value is 5.
- admin.httptransport.ioThreads
- Defines the number of I/O threads for the admin host. The default value is 0, which indicates that PingAccess should automatically calculate the appropriate number of I/O threads for the host.
- admin.httptransport.maxThreadPoolSize
- Defines the maximum number of threads for the admin transport pool. The default value is -1, which denotes no limit.
- admin.httptransport.socketTimeout
- Defines, in milliseconds, the admin socket timeout. The default value is 30000.
- admin.auth
- Overrides the administrator authentication method. For example, if single sign-on (SSO) authentication is enabled and becomes misconfigured, this property can be used to bypass the database configuration and force the use of Basic authentication. The default value is default. A value of native overrides the administrator authentication method, meaning that only the local administrator credentials can be used to access the PingAccess console.
- admin.reuseAddress
- When enabled, allows a process to bind to a port which remains in a TIME_WAIT state for the admin transport. The default value is true.
- admin.max.request.bodylength
- Defines, in megabytes, the maximum body length for a request to the administrative API endpoint. The default value is 15.
- admin.ui.max.sessions
- Defines the maximum number of sessions for the admin UI when admin single logout (SLO) is not enabled. The default value is 100.
- admin.export.encryption.mode
- Specifies how sensitive data should be encrypted on export. The default value is MASTER_KEY, which uses the system default master key for encryption. The PORTABLE_INSECURE value uses a randomly generated key for each export and includes the key in the export data. This method allows the exported data to be imported anywhere, including another cluster with a different master key, but since it includes the key it can present a significant security risk.
- admin.startup.config.import.failfast
- Defines the behavior when attempting to import a configuration file on startup. A value of true stops at the first failure, while a value of false continues and notes all errors. The default value is false.
For more information about administrative properties, see:
- For information about how some properties are configured during installation, see Installing and Uninstalling PingAccess.
- For information about how some properties impact administrative use, see PingAccess User Interface Reference Guide.
- For information about how some SSL properties are overridden in FIPS mode, see Managing Federal Information Processing Standards (FIPS) mode.
Token provider communication settings
- pa.default.availability.ondemand.maxRetries
- Defines the maximum number of retries before marking the target system down. The default value is 2.
- pa.default.availability.ondemand.connectTimeout
- Defines, in milliseconds, the amount of time to wait before trying to connect to the remote host. The default value is 10000.
- pa.default.availability.ondemand.retryDelay
- Defines, in milliseconds, the amount of time to wait after a timeout before retrying the host. The default value is 250.
- pa.default.availability.ondemand.failedRetryTimeout
- Defines, in seconds, the amount of time to wait before retrying a failed host. The default value is 60.
- pa.default.availability.ondemand.pooledConnectionTimeout
- Defines, in milliseconds, the amount of time to wait before timing out the request for a pooled connection to the target site. The default value is -1, which indicates no timeout.
- pa.default.availability.ondemand.readTimeout
- Defines, in milliseconds, the amount of time to wait before timing out the read response for a target site. The default value is -1, which indicates no timeout.
For more information about token providers, see the token providers section of the PingAccess User Interface Reference Guide.
Cluster configuration settings
- clusterconfig.enabled
- When enabled, uses the cluster configuration port for cluster replication. When disabled, the admin port is used for cluster configuration replication. The default value is true.
Note: This parameter is set to false by the PingAccess upgrade utility after a PingAccess cluster is upgraded from a version earlier than 4.0.
- clusterconfig.port
- Defines the optional port used for cluster configuration. The default value is 9090.
- clusterconfig.bindAddress
- Defines the optional address used for cluster configuration. The default value is 0.0.0.0.
- clusterconfig.acceptors
- Defines the number of cluster configuration acceptor threads used to establish connections. The default value is 1.
- clusterconfig.backlog
- Defines the maximum queue length for incoming cluster configuration connection indications. The default value is 512.
- clusterconfig.reuseAddress
- When enabled, allows a process to bind to a port which remains in a TIME_WAIT state for the cluster configuration transport. The default value is true.
- clusterconfig.httptransport.socketTimeout
- Defines, in milliseconds, the cluster configuration socket timeout. The default value is 30000.
- clusterconfig.httptransport.ioThreads
- Defines the number of I/O threads for the cluster configuration host. The default value is 0, which indicates that PingAccess should automatically calculate the appropriate number of I/O threads for the host.
- clusterconfig.httptransport.coreThreadPoolSize
- Defines the number of threads to keep in the cluster configuration transport pool, even if they are idle. The default value is 5.
- clusterconfig.httptransport.maxThreadPoolSize
- Defines the maximum number of threads for the cluster configuration transport pool. The default value is -1, which denotes no limit.
- engine.admin.configuration.audience
- Defines the audience used for cluster authentication. This property must be set to the same value on all nodes in a PingAccess cluster. The default value is PingAccessAdminServer.
- engine.polling.initialdelay
- Defines, in milliseconds, how long after the engine starts up before it begins to poll the administrative console for configuration information. The default value is 500.
- engine.polling.delay
- Defines, in milliseconds, how long after the prior query to the administrative console that the engine begins a new query for configuration information. The default value is 2000.
- engine.polling.test.delay
- Defines, in milliseconds, how long after detecting an engine's lastUpdated value to be null or zero that PingAccess should wait before double-checking the value. The default value is 6000.
Self-registration settings
Note: This property determines whether a replacement engine should self-register if PingAccess detects that there's an existing engine with the same name that isn't running. Changing this value changes PingAccess's behavior according to the following table.
- admin.polling.initialdelay
- Defines, in milliseconds, how long after the replica administrative node starts up before it begins to poll the administrative console for configuration information. The default value is 500.
- admin.polling.delay
- Defines, in milliseconds, how long after the prior query to the administrative console that the replica administrative node begins a new query for configuration information. The default value is 2000.
- pa.config.replication.readTimeout
- Defines, in milliseconds, the amount of time to wait before timing out the read response for the administrative node. The default value is 30000.
- pa.config.replication.maxRetries
- Defines the maximum number of retries before marking the administrative node system down. The default value is 5.
- pa.config.replication.connectTimeout
- Defines, in milliseconds, the amount of time to wait before trying to connect to the administrative node. The default value is 5000.
- pa.config.replication.retryDelay
- Defines, in milliseconds, the amount of time to wait after a timeout before retrying the administrative node. The default value is 2000.
- pa.config.replication.failedRetryTimeout
- Defines, in seconds, the amount of time to wait before retrying a failed connection to the administrative node. The default value is -1, which indicates no timeout.
- pa.config.replication.pooledConnectionTimeout
- Defines, in milliseconds, the amount of time to wait before timing out the request for a pooled connection to the administrative node. The default value is -1, which indicates no timeout.
For more information about cluster configuration, see the Clustering Reference Guide.
Engine properties
- engine.http.bindAddress
- Defines the address for an engine in a clustered environment. The default value is 0.0.0.0.
- engine.http.acceptors
- Defines the number of engine acceptor threads used to establish connections. The default value is 1.
- engine.http.backlog
- Defines the maximum queue length for incoming engine connection indications. The default value is 512.
- engine.http.reuseAddress
- When enabled, allows a process to bind to a port which remains in a TIME_WAIT state for the engine transport. The default value is true.
- engine.http.enabled
- Defines whether a STANDALONE or CLUSTERED_ENGINE node listens for requests on the ports defined by the engine listeners. The default value is true.
- engine.httptransport.coreThreadPoolSize
- Defines the number of threads to keep in the engine transport pool, even if they are idle. The default value is 5.
- engine.httptransport.maxThreadPoolSize
- Defines the maximum number of threads for the engine transport pool. The default value is -1, which denotes no limit.
- engine.httptransport.socketTimeout
- Defines, in milliseconds, the engine socket timeout. The default value is 30000.
- engine.httptransport.ioThreads
- Defines the number of I/O threads for the engine host. The default value is 0, which denotes that PingAccess should automatically calculate the appropriate number of I/O threads for the host.
- engine.websocket.maxConnections
- Sets the maximum number of allowed web socket connections. The default value is -1, which denotes no limit.
- engine.ssl.protocols
- Defines the protocols used with engine HTTPS ports. The default value is TLSv1, TLSv1.1, TLSv1.2, TLSv1.3.
- engine.ssl.ciphers
- Defines the type of cryptographic ciphers available for use with engine HTTPS ports. The default value is ${tls.default.cipherSuites}, which uses the ciphers specified by the tls.default.cipherSuites parameter.
- client.ioThreads
- Defines the number of threads for client connections to backend sites. The default value is 0, which denotes no limit.
- pa.default.contentRewrite.buffer.min
- Defines, in bytes, the minimum buffer size used when using a rewrite content rule. The default value is 1024.
- pa.default.contentRewrite.buffer.default
- Defines, in bytes, the default buffer size when using a rewrite content rule to do a search and replace of content. The default value is 2048.
- pa.default.limitRequestLine
- Defines the maximum number of bytes to read from the request line. The default value is 8192.
- pa.default.maxHeaderCount
- Defines the maximum number of headers to read from a request. The default value is 100.
- pa.default.maxHttpHeaderSize
- Defines the maximum number of bytes to read when reading headers. The default value is 8192.
- pa.default.maxRequestBodySize
- Defines the maximum number of bytes to read from a request body. The default value is 204800.
- pa.default.maxConnectionsPerSite
- Defines the maximum number of connections PingAccess will open to the PingFederate admin or engine. The default value is -1, which denotes no limit.
- pa.default.session.cookie.attributes.httponly
- Defines the default setting for the HTTP-Only Cookie setting for newly-created web sessions. The default value is true.
- pa.default.session.cookie.attributes.secure
- Defines the default setting for the Secure Cookie setting for newly-created web sessions. The default value is true.
- pa.default.session.cookie.size.threshold
- Defines, in bytes, the default maximum session cookie size. The default value is 4093.
- pa.websession.cookie.sameSiteExcludedUserAgentPatterns
- A comma-separated list of regex that specifies whether an end-user browser should have SameSite=None applied to cookies issued to it. If the user-agent header from a request matches any of the values in the list, any PingAccess-issued cookie is set with no SameSite attribute if SameSite=None would otherwise have been applied. The default value is:
^.*\\(iP.+; CPU .*OS 12[_\\d]*.*\\) AppleWebKit\\/.*$,\
^.*Macintosh;.*Mac OS X 10_14.*Version.*Safari.*$,\
^.*(Chromium|Chrome)\\/(5[1-9]|6[0-6])\\.(\\d+)(?:\\.(\\d+)|)(?:\\.(\\d+)|).*$,\
^.*UCBrowser\\/[0-9][0-1]?.(\\d+)\\.(\\d+)[\\.\\d]*.*$,\
^.*UCBrowser\\/12.[0-9][0-2]?.(\\d+)[\\.\\d]*.*$,\
^.*UCBrowser\\/12.13.[0-2][\\.\\d]*.*$
- pa.uri.strict
- When enabled, this setting requires that the raw input URI be in strict compliance with the URI spec implemented by java.net.URI when generating URIs. The default value is false.
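The cookie-attribute and user-agent exclusion settings above, as an added example that is not PingAccess code: a minimal reader for the Java .properties escaping that run.properties uses (doubled backslashes, trailing-backslash line continuation), applied to the documented default of pa.websession.cookie.sameSiteExcludedUserAgentPatterns to decide whether an issued cookie carries SameSite=None. The run.properties fragment and the User-Agent strings are constructed for the example.

```python
import re

# Constructed run.properties fragment (not the shipped file). The first value is the
# documented default of pa.websession.cookie.sameSiteExcludedUserAgentPatterns, written
# as a Java .properties file stores it: regex backslashes doubled ("\\d") and a
# trailing backslash continuing the value on the next line.
SAMPLE_RUN_PROPERTIES = r"""
# constructed sample, trimmed to the settings this example reads
pa.websession.cookie.sameSiteExcludedUserAgentPatterns=^.*\\(iP.+; CPU .*OS 12[_\\d]*.*\\) AppleWebKit\\/.*$,\
    ^.*Macintosh;.*Mac OS X 10_14.*Version.*Safari.*$,\
    ^.*(Chromium|Chrome)\\/(5[1-9]|6[0-6])\\.(\\d+)(?:\\.(\\d+)|)(?:\\.(\\d+)|).*$,\
    ^.*UCBrowser\\/[0-9][0-1]?.(\\d+)\\.(\\d+)[\\.\\d]*.*$,\
    ^.*UCBrowser\\/12.[0-9][0-2]?.(\\d+)[\\.\\d]*.*$,\
    ^.*UCBrowser\\/12.13.[0-2][\\.\\d]*.*$
pa.default.session.cookie.attributes.httponly=true
pa.default.session.cookie.attributes.secure=true
"""

_SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}


def unescape(s):
    # Undo java.util.Properties escaping: a doubled backslash becomes one backslash,
    # \uXXXX becomes the code point, \n \t \r \f become controls, and any other
    # backslash-char pair collapses to the char (so "\ " is a plain space).
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "u":
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
            else:
                out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
                i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def split_key_value(line):
    # The key ends at the first unescaped '=' or ':' (whitespace separators are
    # not handled; run.properties uses '=').
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2
            continue
        if line[i] in "=:":
            return line[:i].rstrip(), line[i + 1:].lstrip()
        i += 1
    return line, ""


def parse_properties(text):
    # Minimal java.util.Properties reader: '#'/'!' comments, blank lines, and a line
    # ending in an odd number of backslashes continues onto the next line with that
    # line's leading whitespace dropped, which is how the multi-line defaults on
    # this page are stored.
    props, buf = {}, None
    for raw in text.splitlines():
        line = raw.lstrip()
        if buf is None and (not line or line[0] in "#!"):
            continue
        buf = (buf or "") + line
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:
            buf = buf[:-1]  # drop the continuation backslash and keep reading
            continue
        key, value = split_key_value(buf)
        props[unescape(key)] = unescape(value)
        buf = None
    if buf is not None:  # file ended while a continued value was still open
        key, value = split_key_value(buf)
        props[unescape(key)] = unescape(value)
    return props


def excluded_user_agent_patterns(props):
    # The property is a comma-separated list of Java regexes; once unescaped they
    # are ordinary single-backslash patterns that Python's re also accepts.
    raw = props.get("pa.websession.cookie.sameSiteExcludedUserAgentPatterns", "")
    return [re.compile(p) for p in raw.split(",") if p]


def omit_samesite_none(user_agent, patterns):
    # True when the User-Agent matches an exclusion pattern: the browser is one
    # that mishandles SameSite=None, so the attribute is left off entirely.
    return any(p.match(user_agent) for p in patterns)


def set_cookie_header(name, value, user_agent, props, patterns):
    # Build the Set-Cookie value the page describes: Secure and HttpOnly from the
    # pa.default.session.cookie.attributes.* settings, SameSite=None unless the
    # user agent is excluded.
    parts = [f"{name}={value}", "Path=/"]
    if props.get("pa.default.session.cookie.attributes.secure", "true") == "true":
        parts.append("Secure")
    if props.get("pa.default.session.cookie.attributes.httponly", "true") == "true":
        parts.append("HttpOnly")
    if not omit_samesite_none(user_agent, patterns):
        parts.append("SameSite=None")
    return "; ".join(parts)


# Constructed User-Agent strings for the three interesting cases.
IOS12_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 "
            "(KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1")
CHROME60_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36")
CHROME120_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

if __name__ == "__main__":
    props = parse_properties(SAMPLE_RUN_PROPERTIES)
    pats = excluded_user_agent_patterns(props)
    for ua in (IOS12_UA, CHROME60_UA, CHROME120_UA):
        print(set_cookie_header("PA", "opaque-session-id", ua, props, pats))
```

The same unescaping step applies to pa.interceptors.relativepath.decode.regex and pa.admin.user.password.regex, whose documented defaults are also written double-escaped for java.util.regex.Pattern.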
For more information about engine settings, see:
- For information about cluster configuration, see the Clustering Reference Guide.
- For information about how some SSL properties are overridden in FIPS mode, see Managing Federal Information Processing Standards (FIPS) mode.
Agent properties
- agent.http.port
- Defines the TCP port on which the engine listens for agent requests. The default value is 3030.
- agent.http.bindAddress
- Defines the address from which an engine listens for agent requests. The default value is 0.0.0.0.
- agent.http.acceptors
- Defines the number of admin acceptor threads used to establish agent connections. The default value is 1.
- agent.http.secure
- Defines whether the engine is using HTTPS for agent requests. The default value is true.
- agent.http.backlog
- Defines the maximum queue length for incoming admin connection indications. The default value is 512.
- agent.http.enabled
- Defines whether a STANDALONE or CLUSTERED_ENGINE node listens for agent requests on the port defined by the agent.http.port setting. The default value is true.
- agent.http.reuseAddress
- When enabled, allows a process to bind to a port which remains in a TIME_WAIT state for the agent transport. The default value is true.
- agent.ssl.protocols
- Defines the protocols used for communication with agent HTTPS ports. The default value is ${tls.default.protocols}, which uses the protocols specified by the tls.default.protocols parameter.
- agent.ssl.ciphers
- Defines the type of cryptographic ciphers available for use with agent HTTPS ports. The default value is ${tls.default.cipherSuites}, which uses the ciphers specified by the tls.default.cipherSuites parameter.
- agent.httptransport.coreThreadPoolSize
- Defines the number of threads to keep in the agent transport pool, even if they are idle. The default value is 5.
- agent.httptransport.maxThreadPoolSize
- Defines the maximum number of threads for the agent transport pool. The default value is -1, which denotes no limit.
- agent.httptransport.socketTimeout
- Defines, in milliseconds, the agent socket timeout. The default value is 30000.
- agent.httptransport.ioThreads
- Defines the number of I/O threads for the agent host. The default value is 0, which denotes that PingAccess should automatically calculate the appropriate number of I/O threads for the host.
- agent.authz.header.required
- Defines whether the PingAccess server should authenticate agent requests using the agent name and shared secret in the vnd-pi-authz header. The default value is true. Setting this to false is useful for POCs and/or debugging.
- agent.default.token.cache.ttl
- Defines, in seconds, the time to live for cached agent tokens. The default value is 60.
For more information about agents, see:
- For information about agent settings, see PingAccess User Interface Reference Guide.
- For information about agent installation and management for Apache (RHEL), see PingAccess Agent for Apache (RHEL).
- For information about agent installation and management for Apache (SLES), see PingAccess Agent for Apache (SLES).
- For information about agent installation and management for Apache (Windows), see PingAccess Agent for Apache (Windows).
- For information about agent installation and management for IIS, see PingAccess Agent for IIS.
- For information about agent installation and management for NGINX, see PingAccess Agent for NGINX.
- For information about how some SSL properties are overridden in FIPS mode, see Managing Federal Information Processing Standards (FIPS) mode.
Sideband properties
- sideband.http.port
- Defines the TCP port on which the engine listens for sideband requests. The default value is 3030.
- sideband.http.bindAddress
- Defines the address from which an engine listens for sideband requests. The default value is 0.0.0.0.
- sideband.http.acceptors
- Defines the number of admin acceptor threads used to establish sideband connections. The default value is 1.
- sideband.http.secure
- Defines whether the engine is using HTTPS for sideband requests. The default value is true.
- sideband.http.backlog
- Defines the maximum queue length for incoming admin connection indications. The default value is 512.
- sideband.http.enabled
- Defines whether a STANDALONE or CLUSTERED_ENGINE node listens for sideband requests on the port defined by the agent.http.port setting. The default value is false.
- sideband.http.reuseAddress
- When enabled, allows a process to bind to a port which remains in a TIME_WAIT state for the agent transport. The default value is true.
- sideband.ssl.protocols
- Defines the protocols used for communication with sideband HTTPS ports. The default value is ${tls.default.protocols}, which uses the protocols specified by the tls.default.protocols parameter.
- sideband.ssl.ciphers
- Defines the type of cryptographic ciphers available for use with sideband HTTPS ports. The default value is ${tls.default.cipherSuites}, which uses the ciphers specified by the tls.default.cipherSuites parameter.
- sideband.httptransport.coreThreadPoolSize
- Defines the number of threads to keep in the sideband transport pool, even if they are idle. The default value is 5.
- sideband.httptransport.maxThreadPoolSize
- Defines the maximum number of threads for the sideband transport pool. The default value is -1, which denotes no limit.
- sideband.httptransport.socketTimeout
- Defines, in milliseconds, the sideband socket timeout. The default value is 30000.
- sideband.httptransport.ioThreads
- Defines the number of I/O threads for the sideband host. The default value is 0, which denotes that PingAccess should automatically calculate the appropriate number of I/O threads for the host.
For more information about sideband clients, see:
- For information about how to configure a sideband client in the user interface, see Sideband Clients.
- For information about how some SSL properties are overwritten in FIPS mode, see Managing Federal Information Processing Standards (FIPS) mode.
URL filtering settings
- pa.interceptors.relativepath.strict
- When this property is set to true, the incoming URL is matched with the allow list pattern defined in pa.interceptors.relativepath.decode.regex. All other request URLs are rejected. The default value is false.
- pa.interceptors.relativepath.decode.count
- Defines the number of times the URL is decoded to check for path traversal characters. The default value is 3.
- pa.interceptors.relativepath.decode.regex
- Defines the regular expression to use when checking for a valid path in an incoming request. The default value is:
[\\p{Po}\\p{N}\\p{Z}\\p{L}\\p{M}\\p{Zs}\\./_\\-\\\\~()\\{\\}\\[\\]]*
Note: This value is double-escaped as required by the java.util.regex.Pattern Java class.
For more information about URL filtering, see Adding rewrite URL rules.
Monitoring
- pa.mbean.site.connection.pool.enable
- When set to true, enables Java Management Extensions (JMX) read-only access to backend connection pools. This can be useful when troubleshooting latency issues because it provides information about requests that are waiting for a connection to targets in a site when maxConnections is not unlimited. The default value is false.
- enable.detailed.heartbeat.response
- When enabled, this setting enables a customizable heartbeat response to be returned. When disabled, the heartbeat endpoint returns a 200 OK response. The default value is false.
- pa.statistics.window.seconds
- If the enable.detailed.heartbeat.response parameter is set to true, this parameter sets the number of seconds back to collect response statistics. A value less than 1 disables collection. The default value is 0.
For more information about monitoring, see the PingAccess Monitoring Guide.
TLS/SSL
- tls.default.protocols
- Defines the default protocols used for HTTPS communication. The default value is TLSv1.1, TLSv1.2, TLSv1.3.
- tls.default.cipherSuites
- Defines the default set of ciphers used for HTTPS communication. The default value is:
TLS_CHACHA20_POLY1305_SHA256,\
TLS_AES_256_GCM_SHA384,\
TLS_AES_128_GCM_SHA256,\
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,\
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,\
TLS_RSA_WITH_AES_128_GCM_SHA256,\
TLS_RSA_WITH_AES_128_CBC_SHA256,\
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,\
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Note: Legacy browsers might require the addition of SHA1-based ciphers to negotiate a cipher suite with the server. In this case, add the following ciphers to the run.properties file and restart PingAccess:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
- clusterconfig.ssl.protocols
- Defines the protocols used for communication with HTTPS ports in a clustered configuration. The default value is ${tls.default.protocols}, which uses the protocols specified by the tls.default.protocols parameter.
- clusterconfig.ssl.ciphers
- Defines the type of cryptographic ciphers available for use with HTTPS ports in a clustered configuration. The default value is ${tls.default.cipherSuites}, which uses the ciphers specified by the tls.default.cipherSuites parameter.
- site.ssl.protocols
- Defines the protocols used for communication with site HTTPS ports. There is no default value. When not specified, PingAccess uses the protocols defined in the Java Development Kit (JDK).
- site.ssl.ciphers
- Defines the type of cryptographic ciphers available for use with site HTTPS ports. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK.
- pf.ssl.protocols
- Defines the protocols used for communication with PingFederate HTTPS ports. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK.
- pf.ssl.ciphers
- Defines the type of cryptographic ciphers available for use with PingFederate HTTPS ports. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK.
- provider.ssl.protocols
- Defines the protocols used for communication with provider HTTPS ports. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK.
- provider.ssl.ciphers
- Defines the type of cryptographic ciphers available for use with provider HTTPS ports. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK.
- as.ssl.protocols
- Defines the protocols used for communication with authorization server HTTPS ports. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK.
- as.ssl.ciphers
- Defines the type of cryptographic ciphers available for use with authorization server HTTPS ports. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK.
- p14c.ssl.protocols
- Defines the protocols used for communication with PingOne. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK.
- p14c.ssl.ciphers
- Defines the type of cryptographic ciphers available for use with PingOne. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK.
- thirdpartyservice.ssl.protocols
- Defines the protocols used for communication with third-party services. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK.
- thirdpartyservice.ssl.ciphers
- Defines the type of cryptographic ciphers available for use with third-party services. There is no default value. When not specified, PingAccess uses the protocols defined in the JDK.
For more information about the use of TLS/SSL, see:
- For information about the use of these settings for security, see the PingAccess Hardening Guide.
- For information about how some TLS properties are overwritten in FIPS mode, see Managing Federal Information Processing Standards (FIPS) mode.
POST preservation properties
- pa.oidc.post.preservation.encrypt
- When enabled, the POST data that PingAccess preserves through a redirection to PingFederate for authentication is encrypted on the client, to be used after the authentication is successful. The default value is false.
- pa.oidc.post.preservation.maxRequestBodySize
- Defines, in bytes, the maximum size of the post body for POST preservation. The default value is 8192.
- pa.oidc.post.preservation.paramsAttributeName
- Used to store the encoded or encrypted POST payload in the browser session storage during POST preservation. The default value is postParams.
For more information about POST preservation, see:
- For information about the use of POST preservation in system templates meant to provide information to the end user, see User-facing page customization reference.
- For information about the use of POST preservation in system templates meant to provide localized versions of user-facing status messages generated by PingAccess, see User-facing page localization reference.
- For information about the use of POST preservation in web sessions, see the PingAccess User Interface Reference Guide.
Configuration database and key store settings
- derby.language.statementCacheSize
- Defines the number of statements that are stored in memory. The default value is 500.
- derby.storage.pageCacheSize
- Defines the number of pages cached in memory. The default value is 1000.
- pa.keystore.pw
- Defines the password for the $JAVA_HOME/lib/security/cacerts keystore. The value is encrypted.
For more information about configuration database and key store settings, see:
- For information about the initial database settings, see Installing and Uninstalling PingAccess.
- For information about adjusting PingAccess settings for specific environments, see the Performance Tuning Reference Guide.
- For information about how the native Apache Derby properties are used, see the Apache Derby: Documentation in the Apache documentation.
PingFederate administration integration properties
- pf.api.maxRetries
- Defines the maximum number of retries PingAccess attempts to make to the PingFederate server before declaring the server unavailable. The default value is 0.
- pf.api.socketTimeout
- Defines, in milliseconds, the socket timeout for the PingFederate API endpoint. The default value is 5000.
- pf.api.maxConnections
- Defines the maximum number of connections PingAccess will establish to the PingFederate API endpoint. The default value is -1, which means there is no limit.
- pf.api.keepAliveTimeout
- Defines, in milliseconds, the keep alive timeout for the PingFederate API. The default value is 30000.
- pf.api.readTimeout
- Defines, in milliseconds, how long the API will wait for responses from PingFederate when making calls to the PingFederate administrative API. The default value is -1, which means there is no limit.
For more information about using PingAccess with PingFederate, see:
Administrative console settings
- pa.backup.filesToKeep
- Defines the number of backup files to preserve when the administrator authenticates to PingAccess. The default value is 25. A value of 0 disables the creation of backup files.
Note: Disabling the creation of backup files can speed up the sign-on process in large environments. If you disable the creation of backup files, use the administrative API backup endpoint to create regular backups.
- pa.admin.user.password.regex
- Defines the regex that controls password complexity for the administrative console. The default value is:
((?=.*\\d)(?=.*[a-z])(?=.*[A-Z]).{8,20})
- pa.admin.user.password.error.message
- Defines the message returned when password complexity is not satisfied. The default value is: Password must be at least 8 characters in length, contain one upper-case letter, one lower-case letter and one digit
- pa.admin.test.connections
- A boolean property that allows the PingAccess administrative console to make HTTP calls to validate that it can reach PingFederate and sites when the user configures them. The default value is true.
- account.locking.max.consecutive.failures
- Defines the maximum number of failed sign on attempts before locking the account when using basic authentication in the administrative console or administrative REST APIs. The default value is 3.
- account.locking.max.lockout.period
- Defines, in minutes, the amount of time to lock an account out from the administrative interfaces after exceeding the account.locking.max.consecutive.failures. The default value is 1.
For more information about PingAccess administration, see the PingAccess User Interface Reference Guide.
EHCache configuration properties
- pa.ehcache.PingFederateReferenceTokenCache.maxEntriesLocalHeap
- Defines the maximum number of entries in the local heap for OAuth tokens. The default value is 10000.
- pa.ehcache.PingFederateReferenceTokenCache.timeToIdleSeconds
- Defines, in seconds, the time an entry in the OAuth token cache can be idle before it is expired. The default value is 0.
- pa.ehcache.PingFederateReferenceTokenCache.timeToLiveSeconds
- Defines, in seconds, the maximum time an entry can be in the OAuth token cache. The default value is 0.
- pa.ehcache.ServiceTokenCache.maxEntriesLocalHeap
- Defines the maximum number of entries in the local heap for token mediation. The default value is 10000.
- pa.ehcache.ServiceTokenCache.timeToIdleSeconds
- Defines, in seconds, the time an entry in the token mediation cache can be idle before it is expired. The default value is 1800.
- pa.ehcache.ServiceTokenCache.timeToLiveSeconds
- Defines, in seconds, the maximum time an entry can be in the token mediation cache. The default value is 14400.
- pa.ehcache.PATokenValidationCache.maxEntriesLocalHeap
- Defines the maximum number of entries in the local heap for decryption of signed or encrypted PingAccess tokens. The default value is 10000.
- pa.ehcache.PATokenValidationCache.timeToIdleSeconds
- Defines, in seconds, the time an entry in the token validation cache can be idle before it is expired. The default value is 120.
- pa.ehcache.PATokenValidationCache.timeToLiveSeconds
- Defines, in seconds, the maximum time an entry can be in the token validation cache. The default value is 300.
- pa.ehcache.PFSessionValidationCache.maxEntriesLocalHeap
- Defines the maximum number of entries in the local heap for the session validation cache. The default value is 10000.
- pa.ehcache.PFSessionValidationCache.timeToIdleSeconds
- Defines, in seconds, the time an entry in the session validation cache can be idle before it expires. The default value is 120.
- pa.ehcache.PFSessionValidationCache.timeToLiveSeconds
- Defines, in seconds, the maximum time an entry can be in the session validation cache. The default value is 300.
- pa.ehcache.PAWamUserAttributesCache.maxEntriesLocalHeap
- Defines the maximum number of entries in the local heap for the PingAccess Web Access Management (WAM) user attribute cache. The default value is 10000.
- pa.ehcache.PAWamUserAttributesCache.timeToIdleSeconds
- Defines, in seconds, the time an entry in the PingAccess WAM user attribute cache can be idle before it is expired. The default value is 120 seconds.
- pa.ehcache.PAWamUserAttributesCache.timeToLiveSeconds
- Defines, in seconds, the maximum time an entry can be in the PingAccess WAM user attribute cache. The default value is 300 seconds.
- pa.ehcache.AuthTokenCache.maxEntriesLocalHeap
- Defines the maximum size of the JSON Web Token (JWT) identity mapping token cache used when sending tokens to a protected site. The default value is 10000.
- pa.ehcache.SessionStateCache.maxEntriesLocalHeap
- Defines the maximum size of the identity attribute entry cache when the user's attributes are stored on the server rather than as a cookie. The default value is 10000.
- pa.ehcache.AzureGroupNameCache.maxEntriesLocalHeap
- Defines the maximum number of entries in the local heap for the Azure group name cache. The default value is 10000.
For more information about EHCache configuration, see the Clustering Reference Guide.
Security headers properties
- admin.headers
- Additional headers added to responses from the PingAccess administrative console and the administrative API interface. Define header values using the admin.header prefix. The default value is: X-Frame-Options,X-XSS-Protection,X-Content-Type-Options,Strict-Transport-Security,Content-Security-Policy
- admin.header.X-Frame-Options
- Sets the parameters for the X-Frame-Options HTTP response header sent to the browser when an admin is interacting with the administrative console. The default value is DENY. For more information on this header and its potential values, see https://html.spec.whatwg.org/multipage/document-lifecycle.html#x-frame-options.
- admin.header.X-XSS-Protection
- Sets the parameters for the X-XSS-Protection HTTP response header sent to the browser when an admin is interacting with the administrative console. The default value is 1; mode=block.
- admin.header.X-Content-Type-Options
- Sets the parameters for the X-Content-Type-Options response header sent to the browser when an admin is interacting with the administrative console. The default value is nosniff.
- admin.header.Content-Security-Policy
- Sets the parameters for the content-security-policy response header sent by PingAccess in response to API calls. The default value is: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' data:;
- admin.header.Strict-Transport-Security
- Sets the parameters for the Strict-Transport-Security response header sent to the browser when an administrator is interacting with the administrative console. This parameter is commented out by default and should be enabled only if the admin and engine use different host names. The default value is max-age=31536000; includeSubDomains.
- agent.assets.headers
- Additional headers added to responses from PingAccess agents. Header values are defined using the agent.assets.header prefix. The default value is X-Frame-Options.
- agent.assets.header.X-Frame-Options
- Sets the parameters for the X-Frame-Options HTTP response header sent to the browser using the agent when responding to a request for an asset used by a PingAccess template. The default value is DENY. For more information on this header and its potential values, see https://html.spec.whatwg.org/multipage/document-lifecycle.html#x-frame-options.
- agent.error.headers
- Additional headers added to error responses from PingAccess agents. Header values are defined using the agent.error.header prefix. The default value is X-Frame-Options, Content-Security-Policy.
- agent.error.header.Content-Security-Policy
- Sets the parameters for the Content-Security-Policy HTTP response header sent to the browser using the agent when responding with a PingAccess error template. The default value is: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none';
- agent.error.header.X-Frame-Options
- Sets the parameters for the X-Frame-Options HTTP response header sent to the browser using the agent when responding with a PingAccess error template. The default value is DENY. For more information on this header and its potential values, see https://html.spec.whatwg.org/multipage/document-lifecycle.html#x-frame-options.
- engine.assets.headers
- Additional headers added to responses from the PingAccess engine. Header values are defined using the engine.assets.header prefix. The default value is X-Frame-Options.
- engine.assets.header.X-Frame-Options
- Sets the parameters for the X-Frame-Options HTTP response header sent to the browser using the engine when responding to a request for an asset used by a PingAccess template. The default value is DENY. For more information on this header and its potential values, see https://html.spec.whatwg.org/multipage/document-lifecycle.html#x-frame-options.
- engine.error.headers
- Additional headers added to error responses from the PingAccess engine. Define header values using the engine.error.header prefix. The default value is X-Frame-Options, Content-Security-Policy.
- engine.error.header.Content-Security-Policy
- Sets the parameters for the Content-Security-Policy HTTP response header sent to the browser using the engine when responding with a PingAccess error template. The default value is: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none';
Note: This property might be commented out if PingAccess was upgraded with template customizations.
- engine.error.header.X-Frame-Options
- Sets the parameters for the X-Frame-Options HTTP response header sent to the browser using the engine when responding with a PingAccess error template. The default value is DENY. For more information on this header and its potential values, see https://html.spec.whatwg.org/multipage/document-lifecycle.html#x-frame-options.
- sideband.assets.headers
- Additional headers added to responses from PingAccess sideband clients. Define header values using the sideband.assets.header prefix. The default value is X-Frame-Options.
- sideband.assets.header.X-Frame-Options
- Sets the parameters for the X-Frame-Options HTTP response header sent to the browser using the sideband client when responding to a request for an asset used by a PingAccess template. The default value is DENY. For more information on this header and its potential values, see https://html.spec.whatwg.org/multipage/document-lifecycle.html#x-frame-options.
- sideband.error.header.Content-Security-Policy
- Sets the parameters for the Content-Security-Policy HTTP response header sent to the browser using the sideband client when responding with a PingAccess error template. The default value is: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none';
Note: This property might be commented out if PingAccess was upgraded with template customizations.
- sideband.error.headers
- Additional headers added to error responses from PingAccess sideband clients. Define header values using the sideband.error.header prefix. The default value is X-Frame-Options,Content-Security-Policy.
Note: Content-Security-Policy might be omitted if PingAccess was upgraded with template customizations. To enable it in this case, add the Content-Security-Policy value to this property and uncomment sideband.error.header.Content-Security-Policy.
- sideband.error.header.X-Frame-Options
- Sets the parameters for the X-Frame-Options HTTP response header sent to the browser using the sideband client when responding with a PingAccess error template. The default value is DENY. For more information on this header and its potential values, see https://html.spec.whatwg.org/multipage/document-lifecycle.html#x-frame-options.
- pf.redirect.headers
- Additional headers added to the redirection response that sends the client to PingFederate for authentication. These headers are added when using the SPA support disabled Authentication Challenge Policy, when using the global PingFederate Redirect Headers Appender challenge response filter, or when using an application that is configured without an Authentication Challenge Policy and with SPA support disabled. Define header values using the pf.redirect.header prefix. The default value is X-Frame-Options,Content-Security-Policy.
Note: Content-Security-Policy might be omitted if PingAccess was upgraded with template customizations. If you want to enable it in this case, add the Content-Security-Policy value to this property and uncomment pf.redirect.header.Content-Security-Policy.
- pf.redirect.header.Content-Security-Policy
- Sets the parameters for the Content-Security-Policy HTTP response header that is sent when the user is redirected to PingFederate to authenticate. The default value is: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none';
Note: This property might be commented out if PingAccess was upgraded with template customizations.
- pf.redirect.header.X-Frame-Options
- Sets the parameters for the X-Frame-Options value that is sent when the user is redirected to PingFederate to authenticate. The default value is DENY. For more information on this header and its potential values, see https://html.spec.whatwg.org/multipage/document-lifecycle.html#x-frame-options.
- rule.error.headers
- Additional headers added to responses that result from policy rule results. Define header values using the rule.error.header prefix. The default value is Content-Security-Policy.
Note: Content-Security-Policy might be omitted if PingAccess was upgraded with template customizations. To enable it in this case, add the Content-Security-Policy value to this property and uncomment rule.error.header.Content-Security-Policy.
- rule.error.header.Content-Security-Policy
- Sets the parameters for the Content-Security-Policy HTTP response header sent to the browser when the response is generated by a rule failure. The default value is: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none';
Note: This property might be commented out if PingAccess was upgraded with template customizations.
For more information about security headers, see:
- For information about the behavior of the administrative API, see PingAccess API endpoints.
- For information about administrative console settings, see the PingAccess User Interface Reference Guide.
- For more information on measures to ensure security, see the PingAccess Hardening Guide.
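The following Python block is an added example, not PingAccess code, serving both the administrative console settings (pa.admin.user.password.regex) and the security headers properties above. It assumes a minimal java.util.Properties-style reader and that the password regex is applied to the whole password; it loads a constructed run.properties fragment built from the documented defaults, shows why the regex must be written with \\d in the file, validates candidate passwords, and reports which names listed in a *.headers property have no active *.header.<name> value (such as the commented-out Strict-Transport-Security).

```python
import re

# Constructed run.properties fragment built from the defaults documented above
# (not a real PingAccess file). Strict-Transport-Security is commented out, as shipped.
RUN_PROPERTIES = r"""
pa.admin.user.password.regex=((?=.*\\d)(?=.*[a-z])(?=.*[A-Z]).{8,20})
pa.admin.user.password.error.message=Password must be at least 8 characters in length, contain one upper-case letter, one lower-case letter and one digit
admin.headers=X-Frame-Options,X-XSS-Protection,X-Content-Type-Options,Strict-Transport-Security,Content-Security-Policy
admin.header.X-Frame-Options=DENY
admin.header.X-XSS-Protection=1; mode=block
admin.header.X-Content-Type-Options=nosniff
#admin.header.Strict-Transport-Security=max-age=31536000; includeSubDomains
admin.header.Content-Security-Policy=default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' data:;
"""

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}

def unescape_property_value(raw):
    # java.util.Properties escaping: a doubled backslash loads as one backslash and an
    # unknown escape such as \d loads as plain "d", which is why the file holds \\d.
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(_ESCAPES.get(raw[i + 1], raw[i + 1]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)

def load_properties(text):
    # Minimal .properties reader: skips blank and commented lines, splits on the first "=".
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = unescape_property_value(value.strip())
    return props

def password_checker(props):
    # Returns check(candidate) -> (ok, error_message) using the configured regex.
    # Assumption: the pattern is applied to the whole password, as the {8,20} bound implies.
    pattern = re.compile(props["pa.admin.user.password.regex"])
    message = props["pa.admin.user.password.error.message"]
    return lambda pw: (True, "") if pattern.fullmatch(pw) else (False, message)

def resolve_headers(props, prefix):
    # Maps each name in <prefix>.headers to its <prefix>.header.<name> value. Names whose
    # value is absent or commented out are listed separately: assumed not to be sent.
    names = [n.strip() for n in props.get(prefix + ".headers", "").split(",") if n.strip()]
    active = {n: props[f"{prefix}.header.{n}"] for n in names if f"{prefix}.header.{n}" in props}
    return active, [n for n in names if n not in active]
```

Running resolve_headers(load_properties(RUN_PROPERTIES), "admin") reports Strict-Transport-Security as listed but unset, which is the state the page describes for a default installation.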
Localization settings
- pa.localization.resource.bundle.cache.enable
- When set to false, allows language files in /conf/localization to be added or modified. When set to true, enables caching of language files and properties. The default value is true.
- pa.localization.missing.message.placeholder
- Defines the message used when an error message is unresolvable. There is no default value.
For more information about localization, see:
- For information on customizing PingAccess page templates and understanding the difference between customizable templates and system templates, see User-facing page customization reference.
- For information on localizing user-facing system status messages, see User-facing page localization reference.