---
title: Protecting PingFederate behind a gateway deployment of PingAccess
description: Learn how to proxy PingAccess to protect PingFederate in a gateway deployment.
component: solution-guides
page_id: solution-guides:data_and_application_security_use_cases:htg_protect_pf_gateway_deployment_pa
canonical_url: https://docs.pingidentity.com/solution-guides/data_and_application_security_use_cases/htg_protect_pf_gateway_deployment_pa.html
revdate: January 19, 2023
section_ids:
  components: Components
  before-you-begin: Before you begin
  exporting-the-pingfederate-certificate-that-protects-the-runtime-listener: Exporting the PingFederate certificate that protects the runtime listener
  steps: Steps
  importing-the-certificate-in-pingaccess: Importing the certificate in PingAccess
  steps-2: Steps
  creating-a-pingaccess-site-to-protect-pingfederate: Creating a PingAccess site to protect PingFederate
  steps-3: Steps
  creating-a-pingaccess-virtual-host: Creating a PingAccess virtual host
  steps-4: Steps
  creating-a-pingaccess-application-leveraging-the-site-and-the-virtual-host: Creating a PingAccess application leveraging the site and the virtual host
  steps-5: Steps
  creating-a-key-pair-associated-with-the-new-pingfederate-host-name: Creating a key pair associated with the new PingFederate host name
  steps-6: Steps
  tying-the-newly-imported-key-pair-to-the-associated-virtual-host: Tying the newly imported key pair to the associated virtual host
  steps-7: Steps
  setting-pingaccesss-token-provider-to-match-the-pingaccess-application: Setting PingAccess's token provider to match the PingAccess application
  steps-8: Steps
  updating-pingfederates-base-url: Updating PingFederate's base URL
  steps-9: Steps
  verifying-that-access-to-pingfederate-routes-through-pingaccess: Verifying that access to PingFederate routes through PingAccess
  steps-10: Steps
---

# Protecting PingFederate behind a gateway deployment of PingAccess

Learn how to use PingAccess as a proxy to protect PingFederate in a gateway deployment.

## Components

* PingFederate 9.2

* PingAccess 5.2

## Before you begin

Make sure the components are installed and running.

**Note:** This configuration does not support X.509 and IWA connections.

## Exporting the PingFederate certificate that protects the runtime listener

### Steps

1. Log in to your PingFederate administration console.

2. Go to **Security → SSL Server Certificates**.

3. Go to **Select Action → Export**.

4. Select **Certificate Only** and click **Next**.

5. Click **Export**.

6. Save the certificate file to a location you can easily reference.

## Importing the certificate in PingAccess

### Steps

1. Log in to your PingAccess administration console.

2. Go to **Security → Certificates**.

3. To import a new certificate, click the plus icon.

4. Under **Name**, specify **PF**.

5. Click **Choose File** and select the certificate that you exported from PingFederate. Click **Add**.

6. Drag the imported certificate from the Certificates pane to the Trusted Certificate Groups pane.

## Creating a PingAccess site to protect PingFederate

### Steps

1. Go to **Sites → Add Site**.

2. Create a PingAccess site using the following table as a guide.

   | Parameter                   | Example Value             |
   | --------------------------- | ------------------------- |
   | `Name`                      | PF                        |
   | `Targets`                   | `<load balancer VIP>:443` |
   | `Secure`                    | Yes                       |
   | `Trusted Certificate Group` | PF                        |
   | All other parameters        | Accept the defaults       |

3. Click **Save**.

## Creating a PingAccess virtual host

### Steps

1. Go to **Access → Virtual Hosts**.

2. Click **Add Virtual Host**.

3. Enter the host name that you will use to access the PingFederate runtime engines using the following table as a guide.

   | Parameter                      | Example Value                 |
   | ------------------------------ | ----------------------------- |
   | `Host`                         | `https://<pingfederate_host>` |
   | `Port`                         | 443                           |
   | `Agent Resource Cache TTL (S)` | 900                           |
   | All other parameters           | Accept the defaults           |

4. Click **Save**.

## Creating a PingAccess application leveraging the site and the virtual host

### Steps

1. Go to **Applications → Add Application**.

2. Enter the applicable parameters using the following table as a guide.

   | Parameter              | Example Value                     |
   | ---------------------- | --------------------------------- |
   | `Name`                 | PF                                |
   | `Context Root`         | /                                 |
   | `Virtual Host(s)`      | `https://<pingfederate_host>:443` |
   | `Application Type`     | Web                               |
   | `Web Session`          | None                              |
   | `Web Identity Mapping` | None                              |
   | `Destination`          | Site                              |
   | `Site`                 | PF                                |
   | `Require HTTPS`        | Yes                               |
   | `Enabled`              | Yes                               |
   | All other parameters   | Accept the defaults               |

3. Click **Save**.

## Creating a key pair associated with the new PingFederate host name

### Steps

1. Go to **Security → Key Pairs**.

2. Click **Add Key Pair** and enter the applicable parameters using the following table as a guide.

   | Parameter                             | Example Value                 |
   | ------------------------------------- | ----------------------------- |
   | `Alias`                               | PF Master                     |
   | `Common Name`                         | `https://<pingfederate_host>` |
   | `Subject Alternative Name - DNS Name` | `https://<pingfederate_host>` |
   | All other parameters                  | Accept the defaults           |

   **Note:** To avoid a "Not Secure" warning in your browser, a signed certificate is required. Use PingFederate to generate a certificate signing request (CSR) and import the CSR response, as described in [Manage SSL server certificates](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-92.pdf#page=210). The certificate can be self-signed or signed by a certificate authority.

3. Click **Save**.

## Tying the newly imported key pair to the associated virtual host

### Steps

1. Go to **Networking → Listeners**.

2. In the Engine Key Pairs pane, change `PF Master` to the base URL of the PingAccess virtual host and then click **Save**. Accept the defaults for all other parameters.

## Setting PingAccess's token provider to match the PingAccess application

### Steps

1. Go to **System → Token Provider**.

2. Create the token provider using the following table as a guide.

   **Note:** The host and port must match the host and port settings in [Creating a PingAccess virtual host](htg_protect_pf_gateway_deploy_pa_create_pa_host.html).

   | Parameter            | Example Value                 |
   | -------------------- | ----------------------------- |
   | `Host`               | `https://<pingfederate_host>` |
   | `Port`               | 443                           |
   | `Audit Level`        | Yes                           |
   | All other parameters | Accept the defaults           |

3. Click **Save**.

## Updating PingFederate's base URL

### Steps

1. Log in to your PingFederate administration console.

2. Go to **System → Protocol Settings → Federation Info** and change `Base URL` to the base URL and port of the PingAccess virtual host. Click **Save**.

   **Note:** If the base URL is invalid, PingFederate will not be accessible. Make sure the base URL is valid before proceeding.

## Verifying that access to PingFederate routes through PingAccess

### Steps

1. In a browser window, go to `https://<virtual host>:<port>/pf/heartbeat.ping`. This should produce a valid response from PingFederate.

2. In a browser window, go to `https://<virtual host>:<port>/pa/heartbeat.ping`. This should produce a valid response from PingAccess.
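
The settings this guide says must agree (virtual host, application, token provider, key pair name, PingFederate base URL) can be compared before the base URL is changed, and the two heartbeat URLs derived from the same values. The following is an added example, not part of the original guide or of Ping Identity's tooling; the dictionary keys, `sso.example.com` and `pf.internal.example:9031` are constructed for illustration.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit

# Constructed sample values; the key names are hypothetical, not product field IDs.
SAMPLE = {
    "virtual_host": "https://sso.example.com", "virtual_host_port": 443,
    "application_virtual_host": "https://sso.example.com:443",
    "token_provider_host": "https://sso.example.com", "token_provider_port": 443,
    "key_pair_san": "https://sso.example.com",
    "pf_base_url": "https://pf.internal.example:9031",  # not yet updated
}

def host_port(value, port=None):
    """Reduce 'https://host', 'host:443' or 'host' plus a port field to (host, port)."""
    parts = urlsplit(value if "//" in value else "//" + value)
    return (parts.hostname or "").lower(), int(port or parts.port or 443)

def preflight(cfg):
    """Return one message per setting that disagrees with the virtual host."""
    vhost = host_port(cfg["virtual_host"], cfg["virtual_host_port"])
    checks = {
        "application virtual host": host_port(cfg["application_virtual_host"]),
        "token provider": host_port(cfg["token_provider_host"], cfg["token_provider_port"]),
        "PingFederate base URL": host_port(cfg["pf_base_url"]),
    }
    problems = [f"{name} is {h}:{p}, virtual host is {vhost[0]}:{vhost[1]}"
                for name, (h, p) in checks.items() if (h, p) != vhost]
    if host_port(cfg["key_pair_san"])[0] != vhost[0]:
        problems.append("key pair DNS name does not match the virtual host name")
    if urlsplit(cfg["pf_base_url"]).scheme != "https":
        problems.append("PingFederate base URL is not an https URL")
    return problems

def heartbeat_urls(cfg):
    """Build the two URLs used in the verification steps."""
    host, port = host_port(cfg["virtual_host"], cfg["virtual_host_port"])
    return [f"https://{host}:{port}/{p}/heartbeat.ping" for p in ("pf", "pa")]

def probe(url, timeout=10):
    """GET url with certificate and host name verification enabled; return the status."""
    context = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=context) as response:
        return response.status

if __name__ == "__main__":
    for problem in preflight(SAMPLE):
        print("MISMATCH:", problem)
    for url in heartbeat_urls(SAMPLE):
        print("verify with probe():", url)
```

`probe()` raises `urllib.error.URLError` when the certificate presented by the virtual host does not validate, the same condition a browser reports as "Not Secure".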
