When client-certificate authentication is enabled, the API calls must be authenticated by X.509 client certificates; otherwise, the administrative API returns an error message.
In addition to X.509 client certificate authentication, the corresponding root certificate authority (CA) certificates must either be contained in the Java runtime or be imported into the PingFederate Trusted CA store. For more information, see Manage trusted certificate authorities.
The rest of the certificate-based authentication setup, including specifying the Issuer DN of the root CA certificates and the applicable roles of the client certificates, is done through <pf_install>/pingfederate/bin/cert_auth.properties. The roles assigned to the certificates determine what each API call is permitted to do.
- Sign on to the administrative console with an account that has the role Crypto Admin.
- Ensure that the client certificate's root CA and any intermediate CA certificates are contained in the trusted store, either for the Java runtime, or for PingFederate, or both. To import a certificate, click Trusted CAs in the Certificate Management section under Server Configuration.
  Tip: Click the Serial number and copy the Issuer distinguished name (DN); you will need it a couple of steps later.
- Verify that the pf.admin.api.authentication value in <pf_install>/pingfederate/bin/run.properties is set to cert. Update it as needed.
- In the <pf_install>/pingfederate/bin/cert_auth.properties file, enter the Issuer DN for the client certificate as the value of the property rootca.issuer.<x>, where <x> is a sequential number starting at 1. For more information, see the properties file.
  Important: The configuration values are case-sensitive. If you copied the Issuer DN a couple of steps earlier, paste that value exactly as copied.
- Repeat the previous step for any additional CAs as needed.
- Enter the certificate's Subject DN for the applicable PingFederate permission roles, as described in the properties file. For information about the permissions attached to the PingFederate roles, see the PingFederate User Access Control table in Configure access to the administrative API.
  Important: The configuration values are case-sensitive.
  Note: When assigning roles, keep in mind that every client certificate specified in cert_auth.properties can be used to access both the administrative API and the administrative console.
- Repeat the previous step for all client certificates as needed.
- In a clustered PingFederate environment, you only need to modify run.properties and cert_auth.properties on the console node.
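The two mistakes that most often make this setup fail silently are an Issuer DN that differs from the Trusted CAs entry only in case and rootca.issuer.<x> or role entries that skip a number. The following pre-flight check is an added example, not code shipped with PingFederate: it parses a cert_auth.properties file, verifies that rootca.issuer.<x> is numbered sequentially from 1 and that each value matches, character for character, an Issuer DN copied from the Trusted CAs page, and applies the same numbering check to role entries. It assumes role assignments use a <role>.<x>=<Subject DN> shape; the key names admin and auditor in the sample are placeholders (the real names are listed inside cert_auth.properties itself), and the properties content and issuer DNs are constructed for the example.

```python
"""Pre-flight checks for a PingFederate cert_auth.properties file (added example)."""
import re
from typing import Dict, List, Set, Tuple

ROOTCA_RE = re.compile(r"^rootca\.issuer\.(\d+)$")
# Assumption: role assignments look like <role>.<x>=<Subject DN>; the real role key
# names are documented inside cert_auth.properties, not here.
ROLE_RE = re.compile(r"^([A-Za-z]+)\.(\d+)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, key=value, trailing-backslash
    continuation. Values are kept verbatim so what is compared is what the file holds."""
    props: Dict[str, str] = {}
    pending: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        logical = "".join(pending)
        pending = []
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=a, O=b' into [('CN', 'a'), ('O', 'b')]. A comma preceded by a backslash
    stays inside the value (RFC 4514 escaping). Raises ValueError for an RDN without '='."""
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    out: List[Tuple[str, str]] = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        out.append((attr.strip(), value.strip()))
    return out


def _check_numbering(name: str, entries: Dict[int, str], findings: List[str]) -> None:
    # <x> must run 1, 2, 3, ... without gaps
    if sorted(entries) != list(range(1, len(entries) + 1)):
        findings.append(f"{name}.<x> is not numbered sequentially from 1: {sorted(entries)}")


def check_config(props: Dict[str, str], trusted_issuers: Set[str]) -> List[str]:
    """Return human-readable findings; an empty list means the file passed every check."""
    findings: List[str] = []
    issuers: Dict[int, str] = {}
    roles: Dict[str, Dict[int, str]] = {}
    for key, value in props.items():
        m = ROOTCA_RE.match(key)
        if m:
            issuers[int(m.group(1))] = value
            continue
        m = ROLE_RE.match(key)
        if m:
            roles.setdefault(m.group(1), {})[int(m.group(2))] = value
            continue
        findings.append(f"unrecognized key {key!r}")

    if not issuers:
        findings.append("no rootca.issuer.<x> entries: no client certificate can be accepted")
    _check_numbering("rootca.issuer", issuers, findings)
    by_lowercase = {t.lower(): t for t in trusted_issuers}
    for idx, dn in sorted(issuers.items()):
        try:
            split_dn(dn)
        except ValueError as err:
            findings.append(f"rootca.issuer.{idx}: {err}")
            continue
        if dn in trusted_issuers:
            continue
        # Values are case-sensitive: a DN that matches only after lower-casing is the
        # classic copy error, so report it separately from a DN that is simply unknown.
        if dn.lower() in by_lowercase:
            findings.append(f"rootca.issuer.{idx} differs from the trusted CA issuer only by "
                            f"case: {dn!r} vs {by_lowercase[dn.lower()]!r}")
        else:
            findings.append(f"rootca.issuer.{idx} matches no trusted CA issuer: {dn!r}")

    for role, entries in sorted(roles.items()):
        _check_numbering(role, entries, findings)
        for idx, dn in sorted(entries.items()):
            try:
                split_dn(dn)
            except ValueError as err:
                findings.append(f"{role}.{idx}: {err}")
    return findings


# Constructed sample: the second issuer was typed in lower case and the admin entries skip 2.
SAMPLE_PROPERTIES = """\
# cert_auth.properties (constructed sample, not a real deployment)
rootca.issuer.1=CN=Example Root CA, O=Example Corp, C=US
rootca.issuer.2=cn=example issuing ca 2, o=example corp, c=us
admin.1=CN=pf-api-client, OU=IAM, O=Example Corp, C=US
admin.3=CN=pf-api-client-2, OU=IAM, O=Example Corp, C=US
"""
# Issuer DNs as copied from the Trusted CAs page (constructed to pair with the sample above)
TRUSTED_ISSUERS = {
    "CN=Example Root CA, O=Example Corp, C=US",
    "CN=Example Issuing CA 2, O=Example Corp, C=US",
}

if __name__ == "__main__":
    for finding in check_config(parse_properties(SAMPLE_PROPERTIES), TRUSTED_ISSUERS):
        print("FINDING:", finding)
```

Run it against the real file, with TRUSTED_ISSUERS filled from the Issuer DNs you copied off the Trusted CAs page, before restarting the console node; the comparison is a plain string equality on purpose, because that mirrors the case-sensitive matching the steps above warn about, and a normalized comparison would hide exactly the error you are looking for.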