Configuring the administrative console - PingDirectory

Configuring the administrative console - PingDirectory - 10.0

PingDirectory 10.0

bundle

pingdirectory-100

ft:publication_title

PingDirectory 10.0

Product_Version_ce

PingDirectory 10.0 (Latest)

category

Product

pd-100

pingdirectory

ContentType_ce

After you have deployed the PingDirectory administrative console, you can configure it.

Disable the embedded administrative console using dsconfig or the administrative console to configure connection handlers:
- To use dsconfig, run dsconfig set-connection-handler-prop:
```
dsconfig set-connection-handler-prop \
    --handler-name "<HTTPS Connection Handler>"  \
    --reset web-application-extension
```
  Note:
  Replace <HTTPS Connection Handler> with the name of the connection handler hosting the administrative console.
- To use the administrative console, open the console:
  1. On the Configuration page, go to Connection Handlers.
  2. In the Connection Handlers list, select the HTTP or HTTPS connection handler that is hosting the administrative console.
  3. Go to Web Application Extension and click the arrows to move Console from the Selected column on the right to the Available column on the left.

To finalize your changes, restart the HTTPS Connection Handler using dsconfig:

dsconfig set-connection-handler-prop \
    --handler-name "<HTTPS Connection Handler>" \
    --set enabled:false

dsconfig set-connection-handler-prop \
    --handler-name "<HTTPS Connection Handler>" \
    --set enabled:true

Configure the administrative console's application.yml file.

You can configure the standalone PingDirectory server administrative console by modifying the /tmp/Console/WEB-INF/classes/application.yml file. To see the different configuration settings listed in the default application.yml file included with the administrative console and what they do, expand the following table.

Configuration settings

Configuration settings
Setting	Description
`spring.*`	For information about these properties, see the Spring API docs. You should not modify them.
`management.server.base-path`	Controls the prefix of the Spring Boot Actuator endpoints of the console application. You should not modify this setting.
`logging.level.*`	Controls the severity level of messages logged about these packages.
`log.console`	If this is set to `true`, the console logs messages to a file.
`log.file`	If logging is enabled, this specifies the file that the console will log to.
`PingData.SSO.OIDC.enabled`	If this is set to `true`, the console attempts to use OpenID Connect (OIDC) single sign-on (SSO) to bind to the managed server. If `false`, the console asks for a username and password.
`PingData.SSO.OIDC.issuer-uri`	The issuer URI to the OIDC provider.
`PingData.SSO.OIDC.client-id`	The client ID used with the OIDC provider.
`PingData.SSO.OIDC.client-secret`	The client secret used with the OIDC provider.
`PingData.SSO.OIDC.trust-store-file`	The file path to the trust store used when communicating with the OIDC provider.
`PingData.SSO.OIDC.trust-store-type`	The type of trust store specified by PingData.SSO.OIDC.trust-store-file.
`PingData.SSO.OIDC.trust-store-pin`	Specifies the password used with the trust store specified by PingData.SSO.OIDC.trust-store-file.
`PingData.SSO.OIDC.trust-store-pin-environment-variable`	Specifies the environment variable containing the password used with the trust store specified by PingData.SSO.OIDC.trust-store-file.
`PingData.SSO.OIDC.strict-hostname-verification`	If this is set to `true`, the console requires a matching host name on the OIDC provider certificate.
`PingData.SSO.OIDC.trust-all`	If this is set to `true`, the console accepts any OIDC provider certificate.
`PingData.SSO.OIDC.username-attributes`	The LDAP attribute containing the username of the user the console is logging in as when using SSO.
`login.hide-server`	If this is set to `true`, the 'server' field is hidden on the sign on page.
`ldap.server`	Auto-populates the 'server' field on the sign-on page. If `login.hide-server=true`, this value determines which directory server the console tries to bind to.
`ldap.init-user`	Auto-populates the `user` field on the sign-on page.
`ldap.init-password`	Auto-populates the `password` field on the sign-on page.
`ldap.trust-store-file`	The file path to the trust store used when binding to the directory server.
`ldap.trust-store-type`	Specifies the type of trust store specified by trust-store-file.
`ldap.trust-store-pin`	Specifies the password used with the trust store specified by trust-store-file.
`ldap.trust-store-pin-environment-variable`	Specifies the environment variable containing the password used with the trust store specified by trust-store-file.
`ldap.file-servlet-name`	Specifies the name of the file servlet on the managed directory server to use when fetching generated `collect-support-data` (CSD) or server profiles.
`ldap.csd-task-enabled`	If this is set to `true`, the console has a button that has the managed directory server run a `collect-support-data` task.
`ldap.csd-destination-folder`	The file path to the folder where the managed directory server stores generated CSD files after running the `collect-support-data` task.
`ldap.profile-destination-folder`	The file path to the folder where the managed directory server stores generated server profiles after running the `generate-server-profile` task. Important: Do not change this property.
`branding.custom-folder`	The file path to the folder that holds custom branding.properties, branding.css, and favicon.ico files. If empty, default Ping Identity branding is used instead.
`configuration.complexity`	Determines the maximum complexity level for shown configuration objects. The possible values are `basic`, `standard`, `advanced`, and `expert`.
`server.sessionTimeout`	The amount of time a web session can remain idle before the user must sign on again. The time is set in seconds unless you use a time interval (h for hours or m for minutes). If not specified, the default is 24 hours.

Note:

After modifying the application.yml file, you must restart the console for your changes to take effect.

Select servers to manage in the administrative console:
1. To use the application.yml file to select a server for the administrative console to manage:
  1. Set the ldap.server property to the address of the LDAP server to bind to.
  2. Restart the console using the following command:
```
dsconfig set-connection-handler-prop \
    --handler-name "<HTTPS Connection Handler>" \
    --set enabled:false

dsconfig set-connection-handler-prop \
    --handler-name "<HTTPS Connection Handler>" \
    --set enabled:true
```
2. To switch between managed servers in a single topology while signed on to the administrative console, in the Servers list, select the server that you want to manage.
3. To select a server when sso is not enabled and the login.hide-server property in application.yml is false:
  1. If you are signed on to the console, sign off of your current session.
  2. Change the Server field value on the console sign-on page to the address of the LDAP server you want to manage.
4. To select a server when SSO is enabled:
  1. Enter the console URL with the ldap-hostname and ldaps-port query parameters specified when accessing the console: https://<hostname>:<port>/console/login?ldap-hostname=<ldap.host>&ldaps-port=<ldaps-port>
  In the following example URL, <hostname> is localhost, <port> is 443, ldap-hostname is <ldap.host>, and the <ldaps-port> is 636.
  
  https://localhost:443/console/login?ldap-hostname=ldap.host&ldaps-port=636