Other setup steps, including designating user permissions, must be completed by using configuration files located in the <pf_install>/pingfederate/bin directory.

Note that the roles configured in the properties file apply to both the administrative console and the administrative API.

  1. If not already done, import the necessary client key and certificate into the web browser used to access PingFederate.
  2. Log on normally (using username and password) to the PingFederate console as a user with permissions that include the Crypto Admin role.
  3. Ensure the client-certificate's root CA and any intermediate CA certificates are contained in the trusted store (either for the Java runtime or PingFederate, or both).
    You can import a certificate to PingFederate in the Security > Trusted CAs screen.
    Tip: You may wish to click the Serial number and copy the Issuer DN for use a couple of steps later.

  4. In the <pf_install>/pingfederate/bin/run.properties file, change the value of the pf.console.authentication property as shown below:
    pf.console.authentication=cert
  5. In the <pf_install>/pingfederate/bin/cert_auth.properties file, enter the Issuer DN for the client certificate as a value for the property: rootca.issuer.x
    where x is a sequential number starting at 1.

    If you copied the Issuer DN a couple of steps earlier, paste this value.

    See the comments in the file for instructions and additional information.

  6. Repeat the previous step for any additional CAs as needed.
  7. Enter the certificate user's Subject DN for the applicable PingFederate permission roles, as described in the properties file.
    Important: The configuration values are case-sensitive.

  8. Repeat the previous step for all users as needed.
    Note: Other settings in the properties file are used to display the user's ID (the Subject DN) in abbreviated form in the administrative console.

  9. Start or restart PingFederate.