Configuring external databases for client storage - PingFederate - 11.0

PingFederate Server

bundle
pingfederate-110
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 11.0
category
Product
pf-110
pingfederate
ContentType_ce

Specific tables are required in order for PingFederate to store OAuth client records on your database server. Table-setup scripts are provided for supported database servers.

CAUTION:

PingFederate does not migrate client records from one storage medium to another. You must recreate your clients after updating the client storage configuration. If you need only a few clients, you can recreate them using the administrative console.

If you need a large number of clients, use the administrative API to retrieve your client records before updating the client storage. Update the client storage configuration and recreate your clients using the administrative API based on the retrieved records. For more information, see PingFederate administrative API.

CAUTION:

Use the built-in HSQLDB only for trial or training environments. For testing and production environments, always use a secured external storage solution for proper functioning in a clustered environment.

Testing involving HSQLDB is not a valid test. In both testing and production, it might cause various problems due to its limitations and HSQLDB involved cases are not supported by PingIdentity.

  1. Edit the <pf_install>/pingfederate/server/default/conf/META-INF/hivemodule.xml file.
    1. Locate the ClientManager service point.
      <!-- Service for storing OAuth client configuration. -->
      <service-point id="ClientManager" interface="org.sourceid.oauth20.domain.ClientManager">
          <invoke-factory>
              <!--
              Supported classes are
              org.sourceid.oauth20.domain.ClientManagerXmlFileImpl ...
              org.sourceid.oauth20.domain.ClientManagerJdbcImpl    ...
              org.sourceid.oauth20.domain.ClientManagerLdapImpl    ...
              org.sourceid.oauth20.domain.ClientManagerGenericImpl ...
              -->
              <construct class="org.sourceid.oauth20.domain.ClientManagerXmlFileImpl"/>
          </invoke-factory>
      </service-point>
    2. Update the class attribute value to org.sourceid.oauth20.domain.ClientManagerJdbcImpl.
    3. Save the file.
    Important:

    You must set up an external database because you cannot share the bundled HSQLDB database across multiple PingFederate engine nodes. For production standalone deployments, we recommend you store the client records in an external secured database.

  2. Run the table-setup scripts for your database server provided in the <pf_install>/pingfederate/server/default/conf/oauth-client-management/sql-scripts directory.
  3. If you have not already done so, create a Java Database Connectivity (JDBC) datastore for your database server. Go to System > Data & Credential Stores.
  4. In the Data Stores window, copy the system ID of the applicable JDBC datastore.
  5. Edit the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.oauth20.domain.ClientManagerJdbcImpl.xml file.
    Note:

    For a clustered PingFederate environment, edit this file on the administrative console node first, and then replicate to other engine nodes using System > Server > Cluster Management as explained in later steps.

    Replace the <c:item name="PingFederateDSJNDIName"/> element value with the system ID of your datastore connection and save the file.

    If the system ID is JDBC-123456789ABCDEF123456789ABCDEF123456A0AC, update the org.sourceid.oauth20.domain.ClientManagerJdbcImpl.xml file as follows.

    <?xml version="1.0" encoding="UTF-8"?>
    <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
        <c:item name="PingFederateDSJNDIName">JDBC-123456789ABCDEF123456789ABCDEF123456A0AC</c:item>
    </c:config>
  6. Start or restart PingFederate.
    Note:

    For a clustered PingFederate environment, replicate this new configuration to other engine nodes on System > Server > Cluster Management. Start or restart the PingFederate service on each engine node to activate the change.