PingAccess

Installation requirements

Before you install PingAccess, review the following system, hardware, and port requirements.

System requirements

Make sure that your system meets the following requirements for PingAccess deployment and configuration.

Ping Identity qualifies the following configurations and certifies that they are compatible with the product. Variations of these platforms, such as differences in operating system version or service pack, are supported until the platform or other required software creates potential conflicts.

PingAccess currently supports IPv4 addressing but not IPv6 addressing.
System component Requirements

Operating systems

  • Amazon Linux 2

    • Amazon Linux 2022

    • Amazon Linux 2023

  • Canonical Ubuntu 20.04 (LTS)

    • Canonical Ubuntu 22.04 (LTS)

  • Microsoft Windows Server 2016 (x64)

    • Microsoft Windows Server 2019 (x64)

    • Microsoft Windows Server 2022 (x64)

  • Oracle Linux 7.9 (Red Hat Compatible Kernel)

    • Oracle Linux 8.6 (Red Hat Compatible Kernel)

  • Red Hat Enterprise Linux ES 7.9

    • Red Hat Enterprise Linux ES 8.8

    • Red Hat Enterprise Linux ES 9.2

  • SUSE Linux Enterprise Server 12 SP5

    • SUSE Linux Enterprise Server 15 SP4

PingAccess was tested with default configurations of operating system components. If your organization has custom implementations or has installed third-party plug-ins, PingAccess server deployment might be affected.

Docker support
Docker version

20.10.17

You can find the PingAccess Docker image on DockerHub and more information in Ping Identity’s DevOps documentation.

Only the PingAccess software is licensed under Ping Identity’s end user license agreement. Any other software components contained within the image are licensed solely under the terms of the applicable open source or third-party license.

Ping Identity accepts no responsibility for the performance of any specific virtualization software and in no way guarantees the performance or interoperability of any virtualization software with its products.

Virtual systems

Although Ping Identity doesn’t qualify or recommend any specific virtual machine (VM) products, PingAccess runs well on several, including:

  • VMWare

  • Xen

  • Windows Hyper-V.

This list of products is provided only as an example. We view all products in this category equally. Ping Identity accepts no responsibility for the performance of any specific virtualization software and does not guarantee the performance or interoperability of any VM software with its products.

Java environments

  • Amazon Corretto 11 (64-bit)

    • Amazon Corretto 17 (64-bit)

    • Amazon Corretto 21 (64-bit)

  • OpenJDK 11 (64-bit)

    • OpenJDK 17 (64-bit)

    • OpenJDK 21 (64-bit)

  • Oracle Java SE Development Kit (JDK) 11 (64-bit)

    • Oracle Java SE Development Kit (JDK) 17 (64-bit)

    • Oracle Java SE Development Kit (JDK) 21 (64-bit)

The Ping Identity Java support policy applies.

Ping Identity intends to remove Java 11 support from PingAccess in December 2025.

PingFederate

The following versions of PingFederate are fully certified with this version of PingAccess:

  • PingFederate 11.3

  • PingFederate 12.0

  • PingFederate 12.1

  • PingFederate 12.2

Other versions of PingFederate are expected to be compatible with this version of PingAccess as described in Ping Identity’s end of life policy.

Some features rely on a specific version of PingFederate to work. This will always be noted in the feature’s description.

End-user browsers

  • Google Chrome

    • Google Android (Chrome)

  • Microsoft Edge

  • Mozilla Firefox

  • Apple Safari

    • Apple iOS (Safari)

Admin console browsers

  • Google Chrome

  • Microsoft Edge

  • Mozilla Firefox

Audit event storage (external database)

  • MS SQL Server 2019

    • MS SQL Server 2022

  • Oracle 19c

  • PostgreSQL 13

    • PostGreSQL 16

Hardware security module

You can find more information about configuring a hardware security module (HSM) in Hardware security module providers. PingAccess certifies the following HSMs:

AWS CloudHSM 5.9.0

AWS CloudHSM is supported with JDK 11. If you plan to use AWS CloudHSM, you must also deploy your environment on a Linux or Windows operating system that is compatible with both PingAccess and AWS CloudHSM.
Thales Luna Cloud HSM Services and Luna Network HSM (Luna HSM Client 10.x)

PingAccess requires you to use Java 8 with Luna HSMs. This is the only exception to PingAccess’s removal of Java 8 support.

Supported HTTP versions

HTTP 1.1

OpenID Connect (OIDC) providers

Ping Identity strives to support any third-party OIDC-compliant provider. The following table includes some of the most common providers used with PingAccess:

Provider Provider Type

PingFederate

PingFederate

PingOne for Enterprise

Common

PingOne SSO

PingOne

PingOne Advanced Identity Cloud

PingOne Advanced Identity Cloud

PingAM

PingAM

Azure

Common

Okta

Common

Hardware requirements

Although it’s possible to run PingAccess on less powerful hardware, the following guidelines accommodate disk space for default logging and auditing profiles and CPU resources for a moderate level of concurrent request processing.

Although the requirements for different environments vary, run PingAccess on hardware that meets or exceeds these specifications:

  • Multi-CPU/Cores (8 or more)

  • 4 GB of RAM

  • 2.1 GB of available hard drive space

Port requirements

PingAccess uses ports and protocols to communicate with external components. This information provides guidance for firewall administrators to ensure that the correct ports are available across network segments.

Direction refers to the direction of requests relative to PingAccess:

Inbound requests

Requests that PingAccess receives from external components.

Outbound requests

Requests that PingAccess sends to external components.
Service Port details Source Description

PingAccess administrative console
Protocol

HTTPS

Transport

TCP

Default port

9000

Destination

PingAccess admin console

Direction

Inbound

PingAccess administrator browser, PingAccess administrative application programming interface (API) REST calls, PingAccess replica admin and clustered engine nodes

Used for incoming requests to the PingAccess administrative console.

Configurable using the admin.port property in the run.properties file. Learn more in the Configuration file reference guide.

This port is also used by clustered engine nodes and the replica admin node to pull configuration data using the admin REST API.

PingAccess cluster communications port
Protocol

HTTPS

Transport

TCP

Default port

9090

Destination

PingAccess admin console

Direction

Inbound

PingAccess administrator browser, PingAccess administrative API REST calls, PingAccess replica admin and clustered engine nodes

Used for incoming requests where the clustered engines request their configuration data.

Configurable using the clusterconfig.port property in the run.properties file. Learn more in the Configuration file reference guide.

This port is also used by clustered engine nodes and the replica admin node to pull configuration data using the admin REST API.

PingAccess engine
Protocol

HTTP or HTTPS

Transport

TCP

Default port

3000*

Any additional engine listener ports defined in the configuration must be open as well.
Destination

PingAccess engine

Direction

Inbound

Client browser, mobile devices, PingFederate engine

Used for incoming requests to the PingAccess runtime engine.

Configurable using the Listeners configuration page. Learn more in the PingAccess user interface reference guide.

PingAccess agent
Protocol

HTTP or HTTPS

Transport

TCP

Default port

3030

Destination

PingAccess engine

Direction

Inbound

PingAccess agent

Used for incoming Agent requests to the PingAccess runtime engine.

Configurable using the agent.http.port property of the run.properties file. Learn more in the Configuration file reference guide.

PingAccess sideband (optional)
Protocol

HTTP or HTTPS

Transport

TCP

Default port

3020

Destination

PingAccess engine

Direction

Inbound

Sideband client (an API gateway such as Kong Gateway or Apigee)

Used for incoming sideband requests to the PingAccess runtime engine.

Configurable using the sideband.http.port property of the run.properties file. Learn more in the Configuation file reference guide.

The default value of the sideband.http.enabled property is false. This property must be set to true to configure a sideband client.

PingFederate traffic
Protocol

HTTPS

Transport

TCP

Default port

9031

Destination

PingFederate

Direction

Outbound

PingAccess engine

Used to validate OAuth access token and ID tokens, make Security Token Service (STS) calls for identity mediation, and return authorized information about a user.

Configurable using the PingFederate Settings page within PingAccess. Learn more in the PingAccess user interface reference guide.