The C:/Apache24/conf/paa.conf file contains these configuration options.

Parameter Definition Default Value


String value containing the path to the certificates extracted from the .properties files.



Determines whether the agent is enabled or disabled for a specific server configuration. Valid values: on/off

This value can be set globally; set for individual virtual hosts, directories, locations, or files; or both. The most specific value is used.


If you disable the PaaEnabled parameter globally, ensure that the PaaEnabled directive is set to on for the PingAccess reserved application context root. This is /pa by default.

For example, adding this text to an included configuration file enables PingAccess for the /pa/var/www/html/one directory.

<VirtualHost *:81>
    <Location /pa>
        PaaEnabled on
    <Directory "/var/www/html/one">
        PaaEnabled on

Adding this text to an included configuration file disables PingAccess for all content in the /var/www/html/two directory except for files named page2.html.

<VirtualHost *:81>
    <Directory "/var/www/html/two">
        PaaEnabled off
       <Files "page2.html">
            PaaEnabled on



List of .properties files that store configuration data used to connect the agent to the PingAccess engine nodes the agent will communicate with.



An optional parameter which defines a note name. If a request includes a note with this name and a value of on or off, this value overrides the PaaEnabled setting for that request.

If you want to use this feature, you must deploy a custom module to include this note with the correct value.


The configured files can contain the following parameters.

Parameter Definition Default Value


The URIURIURI (Uniform Resource Identifier) Identifies a web resource with a string of characters conforming to a specified format. scheme used to connect to the engine node. Valid values are http and https.


The PingAccess hostname.

The value in the Agent Node's PingAccess Host field.


The port the agent connects to on the PingAccess host. This value is defined in the PingAccess file.

Defined in the PingAccess Admin UI


The unique agent name that identifies the agent in PingAccess.

Defined in the PingAccess Admin UI


The password used to authenticate the agent to the engine.

Defined in the PingAccess Admin UI


The base64-encoded public certificate used to establish HTTPS trust by the agent to the PingAccess engine.


If you are having difficulty connecting an agent to the PingAccess engine, verify that the Agent Trusted Certificate has been configured correctly in Agent Management.

Generated by PingAccess


The number of connections a single web server worker process maintains to the PingAccess engine defined in the parameter.



The maximum time (in milliseconds) a request to PingAccess can take from the agent. If this time is exceeded, the client will receive a generic 500 Server Error response.



The maximum time (in milliseconds) the agent can take to connect to the PingAccess engine. If this time is exceeded, the client will receive a generic 500 Server Error response.



The maximum time (in milliseconds) a web server worker process waits for a response to a policy cache request sent to other web server worker processes.


The network port web server processes use to publish policy cache requests to other web server worker processes. This port is bound to the localhost network only.


The network port web server processes use to receive policy cache requests from other web server worker processes. This port is bound to the localhost network only.



The maximum number of tokens stored in the policy cache for a single web server worker process. A value of 0 means there is no maximum.



Determines whether caching of policy decisions is enabled or disabled. A value of 1 disables caching, forcing the agent to communicate with the PingAccess host any time a policy decision needs to be made.


Disabling caching has a significant impact on the scalability of the PingAccess Policy servers, as every rule evaluation is processed by the Policy Server. This option should only be used as a last resort because of the performance penalty.



The hostname and port of the PingAccess server where the agent should send requests in the event of a failover from the PingAccess Host.


If this parameter is set, the upstream block name in $NGINX/paa/http.conf needs to be modified to a name that will be found in the certificate associated with the PingAccess Agent HTTPS Listener.

For example, if your PingAccess certificate contains name 'pa.nginx', set the upstream name to upstream pa.nginx.

Defined in the PingAccess Admin UI


The number of seconds to wait before the agent should retry connecting to a failed PingAccess server.



The number of times to retry a connection to a PingAccess server after an unsuccessful attempt. If all retries fail, the agent marks the PingAccess server as failed for the duration of the agent.engine.configuration.failover.failedRetryTimeout value and tries another PingAccess server if one is available.



Controls the type of policy cache used by the agent. There are three valid values for this property:

The AUTO cache type determines the appropriate cache to use based on the number of worker processes. If the number of worker processes is 1, or 16 or above, the agent uses the STANDALONE cache. If the number of worker processes is between 2 and 15, the agent uses the ZMQ cache.
The STANDALONE cache type does not share policy cache entries across worker processes.
The ZMQ cache type allows the agent to share policy cache entries across all worker processes using ZeroMQ for inter-process communication.



Determines whether the vnd-pi-agent agent inventory header is sent along with each request to the PingAccess policy server.

This header contains the following fields:

The PingAccess agent version.
The type of PingAccess agent retrieved using the ap_get_server_description function.
The hostname of the PingAccess agent retrieved using the ServerName directive.

For more information, see Agent inventory logging.



Specifies additional values to include in the vnd-pi-agent agent inventory header.

The following syntax is used.


The specified header fields are case-sensitive.

Not present by default.

If present, specifies a header that overrides the default X-Forwarded-Host header. This header communicates the authority component of the effective request URLURLURL (Uniform Resource Locator) Identifies a resource according to its Internet location. on the protected application.

Not present by default.

Add comments to the files if necessary. Lines beginning with the # or ! characters are ignored by the agent.

Changes to the file require a restart of the web server.


See the Performance tuning guide for a discussion on improving agent performance.