General security considerations
This list is not intended to show you best practices in network and system administration. Rather, it suggests a number of security mechanisms that you can expand upon.
Keep up to date on patches
Security vulnerabilities are the reason why you should keep your operating systems, web and application servers, and any other application in your environment up to date. Knowledge of vulnerabilities spreads fast among malicious users, who will not hesitate to try to exploit them.
Ping Identity maintains a list of security advisories you should follow. You should also follow similar lists from all your vendors.
Keep up to date on cryptographic methods and algorithms
Different algorithms and methods are discovered and tested over time, and communities of experts decide which are the most secure for different uses. Do not use outdated algorithms such as RSA for generating your keys.
Enable certificate verification
The Online Certificate Status Protocol (OCSP) lets AM determine the revocation status for digital certificates.
To enable OCSP verification, set the following server properties under Deployment > Servers > Server Name > Security > Online Certificate Status Protocol Check:
- Click then turn on Check Enabled.
- Click and enter the URL of the issuing certificate authority’s OCSP server in the Responder URL field.
- Save your changes.
These settings enable certificate verification across the server. Individual services that rely on certificate verification (such as the WebAuthn Metadata Service) have finer-grained settings that override the values set here.
Turn off unnecessary features
The more features you have turned on, the more features you need to secure, patch, and audit. If something is not being used, disable it or uninstall it.
Limit access to the servers hosting AM
A large part of protecting your environment is making sure only authorized people can access your servers and applications through the appropriate network, using the appropriate ports, and presenting strong-enough credentials.
Ensure users connect through SSL / TLS to the systems and audit system access periodically.
For a list of ports used in AM by default, see Ports used.
Enforce security
Don’t expect your users to follow security practices on their own; enforce security when possible by requiring secure connections, password resets, and strong authentication methods.
Audit access and changes
Audit logs record all events that have happened. Some applications store them with their engine logs; others use dedicated files or send the information to a different server for archiving. Operating systems have audit logs as well, which let you detect unauthorized login attempts and changes to the software.
AM has its own audit logging service that adheres to the log structure common across the Ping Identity Platform.
Protect system passwords and secrets
Put secrets like passwords and symmetric keys in secret stores or files, or enter them interactively.
When you set file permissions correctly, the operating system grants access only to authorized accounts, such as the account used to run the server process. Other accounts can’t read the secret from a properly protected file.
Don’t put secrets in commands, environment variables, or Java system properties. Example commands in the documentation favor ease of use for evaluation, often including passwords. When you harden services for deployment, don’t sacrifice security for ease of use.
Including secrets in commands, environment variables, or Java system properties isn’t secure:
- Operating system processes can access the full command line used to run another process. Those processes can read any secrets you set in the command that runs a service, for example.
- Operating system processes can access the environment variables of a server process.
- Monitoring software, command-line tools, and support tools extract values of Java system properties and can share them with other systems.
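The following is an added example (not part of the AM documentation or the product) showing the file-based approach the two sections above recommend: a secret is written to a file that only the owning account can read, and the loader refuses any file whose ownership or permissions would let other accounts read it. The file name `keystore.pass` and the secret value are constructed for the demonstration; the optional `main()` additionally shows, on Linux, why a secret passed as a command-line argument is exposed through `/proc`.

```python
"""Load secrets from permission-protected files instead of command lines
or environment variables. Added example; assumes a POSIX system."""
import os
import stat
import subprocess
import sys
import tempfile


def write_secret_file(path: str, secret: str) -> None:
    """Create the secret file with mode 0600 atomically (O_EXCL refuses to
    overwrite an existing file, so a pre-planted world-readable file is rejected)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(secret)


def load_secret_file(path: str) -> str:
    """Return the secret stored in `path`, refusing files other accounts could read."""
    st = os.lstat(path)  # lstat: a symlink pointing somewhere else is rejected below
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, not the service account")
    perms = stat.S_IMODE(st.st_mode)
    if perms & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: mode {perms:04o} lets group/others read the secret")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def demo_file_policy() -> tuple:
    """Round-trip a constructed secret, then loosen the mode to 0644 and confirm
    the loader refuses it. Returns (loaded_secret, rejected_after_chmod)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "keystore.pass")  # constructed file name
    write_secret_file(path, "constructed-secret")
    loaded = load_secret_file(path)
    os.chmod(path, 0o644)  # group/other readable: must now be refused
    try:
        load_secret_file(path)
        rejected = False
    except PermissionError:
        rejected = True
    finally:
        os.remove(path)
        os.rmdir(workdir)
    return loaded, rejected


def main() -> None:
    loaded, rejected = demo_file_policy()
    print(f"loaded from 0600 file: {loaded!r}; refused after chmod 0644: {rejected}")
    # Linux only: a secret given as an argument is readable by any process that
    # can open /proc/<pid>/cmdline (the same account, or root), which is why the
    # documentation warns against passing secrets on the command line.
    if os.path.isdir("/proc"):
        child = subprocess.Popen(
            [sys.executable, "-c", "import time; time.sleep(3)", "--password", "constructed-secret"]
        )
        try:
            with open(f"/proc/{child.pid}/cmdline", "rb") as fh:
                argv = fh.read().split(b"\0")
            print("secret visible in child's cmdline:", b"constructed-secret" in argv)
        finally:
            child.kill()
            child.wait()


if __name__ == "__main__":
    main()
```

The same ownership and mode checks apply to keystore password files and any other secret AM reads from disk: run them at startup so a misconfigured file is caught before the service comes up rather than after someone else has read it.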