PingDirectory

Signing on to and configuring the admin console

After you install the server, access the admin console to verify the configuration and manage the server.

The admin console is designed primarily for server configuration, which includes the creation of new schema elements like attribute types and object classes. Most entry-monitoring tasks, such as searching and modifying, must be executed with the built-in command-line tools. Learn more in Managing entries.

The information in this topic applies to all servers in the PingDirectory suite of products unless otherwise specified.

Steps

  1. Start the server.

    $ bin/start-server

  2. To access the admin console, go to https://<host>:<port>/console.

    <host> is the host name of the server, and <port> is the port on which the server accepts connections from HTTPS clients.

    The host name and port were configured during installation.

  3. In the Username and Password fields, enter the root user DN credentials.

    Screen capture of the admin console sign-on screen showing the Server, Username, and Password fields.

    To sign on to the admin console, you need either the root user distinguished name (DN) or the common name of a root user DN.

    For example, if the DN created when the server was installed is cn=Directory Manager, you can use either cn=Directory Manager or directory manager to sign on.

  4. Click Continue.

    To set up an SSO connection, refer to Single sign-on with the admin console.

    To run the console in an external container, such as Tomcat, refer to Deploying the admin console.

Setting the admin console session timeout window

The default session timeout for the admin console is 30 minutes. You can adjust your session length to suit your organization’s needs.

When the session duration is exceeded, all inactive users are logged off automatically.

To change the default session timeout value:

Steps

  1. To configure the server.servlet.session.timeout application parameter, which specifies the timeout duration in seconds, set the value as an init-parameter either in the console or on the command line:

    Choose from:

    • Use the admin console:

      1. In the sidebar, click Configuration.

      2. Enable the Show all configuration toggle.

      3. In the Web Services and Applications list, select Web Application Extensions.

        A screen capture of the admin console Configuration screen with the Show all configuration toggle enabled.

      4. In the Web Application Extension list, select Console.

      5. In the Init Parameter field, enter server.servlet.session.timeout=<value>, replacing <value> with the desired timeout duration in seconds.

      6. Click Save.

    • Use the command line to run the following:

      dsconfig set-web-application-extension-prop --no-prompt \
    --extension-name Console \
	--add init-parameter:server.servlet.session.timeout=<value in seconds>

  2. To save your changes, restart the HTTP Connection Handler or the server:

    Choose from:

    • Restart the HTTP Connection Handler:

      dsconfig set-connection-handler-prop \
    --handler-name "<HTTPS Connection Handler>" \
    --set enabled:false

dsconfig set-connection-handler-prop \
    --handler-name "<HTTPS Connection Handler>" \
    --set enabled:true

    • Restart the server using bin/stop-server with the -R or --restart option:

      bin/stop-server --restart

Deploying the admin console

To administer multiple servers from a single console instance, you can use Docker or a Java application server, such as Tomcat or Jetty, to run the admin console as a standalone instance. Running the admin console as a standalone instance also allows you to make changes to the console without restarting the server’s HTTPS connection handlers.

The admin console packaged with version 11.0 of the PingDirectory suite of products only supports version 11.0 servers.

Environment variables

You can change the value of any configuration property within the ../WEB-INF/classes/application.yml file by setting an environment variable following the pattern shown in this article.

For example, to set the system.readOnly property to true, which puts the console into read-only mode, include the following argument for a Docker deployment:

--env SYSTEM_READ_ONLY=true

Alternatively, you can run the following command for either Tomcat or Docker deployments:

export SYSTEM_READ_ONLY=true

Application base path

By default, the server hosts the admin console at the /console endpoint. If you want to change this path, you can update the base-context-path property by updating the console’s web application extension.

If you host the admin console on a Tomcat server, you can deploy the resource/admin-console.war file to serve the console at the /admin-console endpoint. If you change the .war file name, you change the admin console endpoint.

Using Docker to run a standalone admin console

The admin console is available as a standalone Docker image on Docker Hub.

Steps

  • To connect with a server that’s deployed in Docker, run the admin console image in a local Docker deployment.

    The network you use must match the network used by the server’s container.

    Example:

    The following example deploys the standalone admin console image in a local Docker deployment with the console listening on port 8443 using the pingnet network:

    docker login docker.corp.pingidentity.com:5600

docker run \
    --name pingdirectoryadminconsole \
    --publish 8443:8443 \
    --detach \
    --env VERBOSE=true \
    --tmpfs /run/secret \
    --network pingnet \
    --platform=linux/amd64 \
    docker.corp.pingidentity.com:5600/pingdataconsole/11.0.0.0-120825

    • If you deploying the console on an ARM version of Linux, you must include the --platform=linux/amd64 argument or set --env DOCKER_DEFAULT_PLATFORM=linux/amd64.

    • You can change the first port in the --publish line based on what port you want to use on your local machine, but you shouldn’t change the second port.

      To access the admin console outside of Docker on port 9443, for example, use 9443:8443.

  • To access the admin console, go to https://<hostname>:<port>/console and enter the following credentials.

    Field Credential

    Server

    <PingDirectory-container-name>:<LDAPS-port>

    The name of the server you enter on the sign-on page must match the name of the server container you’re trying to connect to along with the LDAPS port of that container.

    For example, use pingdirectory:1636 to connect to a standalone PingDirectory Docker container on the same network.

    Username

    administrator

    Password

    2FederateM0re

Setting up the admin console on a Tomcat server

Before you begin

To set up a standalone admin console, you need the .war file from the server’s resource/admin-console.zip archive.

You can use the .war file with Java application servers, such as Tomcat or Jetty. The following example uses Tomcat as the server environment.

Steps

  1. Download the Tomcat 11 .zip archive from the Apache Tomcat downloads page.

  2. Extract the .zip archive.

  3. To set up the Tomcat server, follow the instructions in the RUNNING.txt file from the extracted directory.

  4. To keep the Tomcat server information from being exposed, in the Host section of the Tomcat_directory/conf/server.xml file, add the following line:

    <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="true" showServerInfo="false" />
    This information is sourced from the Smart Scanner website, where you can learn more about this Tomcat server vulnerability.

  5. Copy the .war file into the webapps folder in the Tomcat root directory.

  6. To start the Tomcat server, run startup.sh or startup.bat from the bin folder of the Tomcat root directory.

    Result:

    Tomcat automatically extracts the admin console from the compressed .war file into an exploded application directory and starts running the console.

  7. Set a specific location for the console’s log output by updating the value of log.file in the ../WEB-INF/classes/application.yml file.

  8. To access the admin console, add the name of the .war file to the end of the Tomcat server’s path.

    Example:

    If the Tomcat server is deployed on localhost:8080, and the .war file is named admin-console.war, then the path to access the console is localhost:8080/admin-console.

Configuring the admin console

After you have deployed the admin console, you can configure it.

Steps

  1. To configure the admin console settings:

    Choose from:

    To see the different configuration settings included with the admin console, expand the following table:

    Configuration settings
    Setting Description

    spring.*

    Learn more about these properties in the Spring API docs.

    You shouldn’t modify them.

    management.server.base-path

    Controls the prefix of the Spring Boot Actuator endpoints of the admin console application.

    You shouldn’t modify this setting.

    branding.appName

    Controls the title of the admin console application displayed on the sign on page and in the console’s banner, for example PingDirectory admin console.

    logging.level.*

    Controls the severity level of messages logged about these packages.

    log.console

    If this is set to true, the admin console logs messages to a file.

    log.file

    If logging is enabled, this specifies the file that the admin console will log to.

    PingData.SSO.OIDC.enabled

    If this is set to true, the admin console attempts to use OpenID Connect (OIDC) single sign-on (SSO) to bind to the managed server.

    If false, the admin console asks for a username and password.

    PingData.SSO.OIDC.issuer-uri

    The issuer URI to the OIDC provider.

    PingData.SSO.OIDC.client-id

    The client ID used with the OIDC provider.

    PingData.SSO.OIDC.client-secret

    The client secret used with the OIDC provider.

    PingData.SSO.OIDC.trust-store-file

    The file path to the trust store used when communicating with the OIDC provider.

    PingData.SSO.OIDC.trust-store-type

    The type of trust store specified by PingData.SSO.OIDC.trust-store-file.

    PingData.SSO.OIDC.trust-store-pin

    Specifies the password used with the trust store specified by PingData.SSO.OIDC.trust-store-file.

    PingData.SSO.OIDC.trust-store-pin-environment-variable

    Specifies the environment variable containing the password used with the trust store specified by PingData.SSO.OIDC.trust-store-file.

    PingData.SSO.OIDC.strict-hostname-verification

    If this is set to true, the admin console requires a matching host name on the OIDC provider certificate.

    PingData.SSO.OIDC.trust-all

    If this is set to true, the admin console accepts any OIDC provider certificate.

    PingData.SSO.OIDC.username-attributes

    The LDAP attribute containing the username of the user the admin console is logging in as when using SSO.

    login.hide-server

    If this is set to true, the Server field is hidden on the sign on page.

    ldap.server

    Auto-populates the Server field on the sign-on page.

    If login.hide-server=true, this value determines which directory server the admin console tries to bind to.

    ldap.init-user

    Auto-populates the Username field on the sign-on page.

    ldap.init-password

    Auto-populates the Password field on the sign-on page.

    ldap.trust-store-file

    The file path to the trust store used when binding to the directory server.

    ldap.trust-store-type

    Specifies the type of trust store specified by trust-store-file.

    ldap.trust-store-pin

    Specifies the password used with the trust store specified by trust-store-file.

    ldap.trust-store-pin-environment-variable

    Specifies the environment variable containing the password used with the trust store specified by trust-store-file.

    ldap.file-servlet-name

    Specifies the name of the file servlet on the managed directory server to use when fetching generated collect-support-data (CSD) or server profiles.

    ldap.csd-task-enabled

    If this is set to true, the admin console has a button that has the managed directory server run a collect-support-data task.

    ldap.csd-destination-folder

    The file path to the folder where the managed directory server stores generated CSD files after running the collect-support-data task.

    ldap.profile-destination-folder

    The file path to the folder where the managed directory server stores generated server profiles after running the generate-server-profile task.

    Don’t change this property.

    configuration.complexity

    Determines the maximum complexity level for shown configuration objects.

    The possible values are basic, standard, advanced, and expert.

    server.servlet.session.timeout

    The amount of time a web session can remain idle before the user must sign on again. The time is set in seconds unless you use a time interval (h for hours or m for minutes). If not specified, the default is 30 minutes.

    system.readOnly

    If this is set to true, it puts the console in read-only mode. This prevents console-based modifications to the server’s configuration or schema.

  2. To make your changes take effect, restart the admin console.