Policy-related upgrades - PingAuthorize - 9.1

Page created: 23 Aug 2022 | Page updated: 17 Oct 2022

As part of the PingAuthorize upgrade process, you must upgrade specific Policy Editor components and dependencies, including policies, policy databases, and the Trust Framework.

See the following topics for instructions on upgrading Policy Editor components and dependencies:

  • Backing up policies
  • Upgrading the Trust Framework and policies
  • Upgrading a PostgreSQL policy database