Use policies in a production environment - PingAuthorize - 9.3


After developing and testing policies in external policy decision point (PDP) mode, you can configure PingAuthorize Server for embedded PDP mode for higher environments.

You should use embedded PDP mode for production environments because it is considerably more performant for authorization decisions. This performance boost happens because in embedded PDP mode, PingAuthorize Server doesn't need to call out to the Policy Editor.

In embedded PDP mode, PingAuthorize Server's internal policy engine loads a policy file called a deployment package and then handles all policy requests itself. The deployment package can be loaded into the server in two ways:

  • The deployment package is exported from the Policy Editor and loaded into the internal policy engine by an administrator.
  • The deployment package is deployed to a deployment package store, which is read by the internal policy engine for updates at a configurable interval.
    Note:

    If you still anticipate some policy changes in production, consider using this method instead of the exported deployment package method.

Configuring embedded PDP mode

The following sections show how to configure PingAuthorize Server to use embedded PDP mode and assign one of the following to the Policy Decision Service:

  • A deployment package store using the Deployment Manager functionality
  • An exported deployment package

Configuring embedded PDP mode with a deployment package store

Follow these steps to assign a deployment package store to the Policy Decision Service and set the policy decision point (PDP) mode to embedded.

Note:

For more information on the deployment package store option and the requirements for the Deployment Manager feature, see Using the Deployment Manager.

  • Use dsconfig or the administrative console:
    • Run dsconfig with the set-policy-decision-service-prop option.
      dsconfig set-policy-decision-service-prop \
      --set pdp-mode:embedded \
      --set deployment-package-source-type:store \
      --set deployment-package-store:<name of the store>
    • Use the administrative console.
      1. In the administrative console, go to Configuration > Authorization and Policies > Policy Decision Service.
      2. On the Edit Policy Decision Service page, complete the General Configuration fields.
        Screen capture of the General Configuration section of the Edit Policy Decision Service page, showing PDP Mode set to embedded and Deployment Package Source Type to store
      3. In the Deployment Package Store Configuration section, in the Deployment Package Store field, select your deployment package store.
      4. In the Policy Request Configuration section, select a Trust Framework Version.
      5. Click Save To PingAuthorize Server Cluster.

Configuring embedded PDP mode with an exported deployment package

To assign an exported deployment package to the Policy Decision Service and set the PDP mode:

  • Run dsconfig with the set-policy-decision-service-prop option.

    In this example, the deployment-package value is the full path to a deployment package file. To create a deployment package for export, see Exporting a policy deployment package.

    dsconfig set-policy-decision-service-prop \
      --set pdp-mode:embedded \
      --set "deployment-package</path/to/my-deployment-package.deploymentpackage"
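
A pre-flight wrapper around the dsconfig command above, as an added example that is not part of the PingAuthorize documentation. It refuses to load a package that is not a full path, is writable by other accounts, or does not match a SHA-256 digest recorded at export time; the function names and the digest-recording workflow are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks before loading an exported deployment package.
# Function names and the expected-digest workflow are assumptions, not PingAuthorize features.

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum elsewhere).
package_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 only if the package is safe to hand to dsconfig; explain refusals on stderr.
#   $1 = path to the exported package, $2 = digest recorded when it was exported
check_deployment_package() {
  local pkg expected actual
  pkg=$1
  expected=$2
  case $pkg in
    /*) ;;  # the page requires the full path to the package file
    *) echo "refusing: '$pkg' is not a full path" >&2; return 1 ;;
  esac
  if [ -L "$pkg" ] || [ ! -f "$pkg" ] || [ ! -r "$pkg" ]; then
    echo "refusing: '$pkg' is not a readable regular file" >&2; return 1
  fi
  # A group- or world-writable package could be swapped after it was reviewed.
  case $(ls -ld -- "$pkg") in
    ?????w*|????????w*)
      echo "refusing: '$pkg' is group- or world-writable" >&2; return 1 ;;
  esac
  actual=$(package_sha256 "$pkg")
  if [ "$actual" != "$expected" ]; then
    echo "refusing: digest mismatch (got $actual)" >&2; return 1
  fi
  return 0
}

# Check the package, then run the page's dsconfig command against it.
load_deployment_package() {
  check_deployment_package "$1" "$2" || return 1
  dsconfig set-policy-decision-service-prop \
    --set pdp-mode:embedded \
    --set "deployment-package<$1"
}
```

Call `load_deployment_package <full path> <digest>` from the server's bin directory; connection and authentication arguments for dsconfig are omitted here, as they are in the command above.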