--- title: Ping Identity DevOps Docker Image - pingaccess description: This docker image includes the Ping Identity PingAccess product binaries and associated hook scripts to create and run both PingAccess Admin and Engine nodes. component: devops page_id: devops::docker-images/pingaccess/README canonical_url: https://developer.pingidentity.com/devops/docker-images/pingaccess/README.html section_ids: devops-ping-identity-devops-docker-image: Ping Identity DevOps Docker Image - pingaccess devops-related-docker-images: Related Docker Images devops-environment-variables: Environment Variables devops-ports-exposed: Ports Exposed devops-running-a-pingaccess-container: Running a PingAccess container devops-docker-container-hook-scripts: Docker Container Hook Scripts --- # Ping Identity DevOps Docker Image - `pingaccess` ## Ping Identity DevOps Docker Image - `pingaccess` This docker image includes the Ping Identity PingAccess product binaries and associated hook scripts to create and run both PingAccess Admin and Engine nodes. ### Related Docker Images * `pingidentity/pingbase` - Parent Image > This image inherits, and can use, Environment Variables from [pingidentity/pingbase](https://devops.pingidentity.com/docker-images/pingbase/) * `pingidentity/pingcommon` - Common Ping files (i.e. hook scripts) ### Environment Variables In addition to environment variables inherited from **[pingidentity/pingbase](https://devops.pingidentity.com/docker-images/pingbase/)**, the following environment `ENV` variables can be used with this image. | ENV Variable | Default | Description | | ----------------------------------- | ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | BASE | ${BASE:-/opt} | Location of the top level directory where everything is located in image/container | | ROOT\_USER | administrator | the default administrative user for PingData | | JAVA\_HOME | /opt/java | | | STAGING\_DIR | ${BASE}/staging | Path to the staging area where the remote and local server profiles can be merged | | OUT\_DIR | ${BASE}/out | Path to the runtime volume | | SERVER\_ROOT\_DIR | ${OUT\_DIR}/instance | Path from which the runtime executes | | IN\_DIR | ${BASE}/in | Location of a local server-profile volume | | SERVER\_BITS\_DIR | ${BASE}/server | Path to the server bits | | BAK\_DIR | ${BASE}/backup | Path to a volume generically used to export or backup data | | LOGS\_DIR | ${BASE}/logs | Path to a volume generically used for logging | | PING\_IDENTITY\_ACCEPT\_EULA | NO | Must be set to 'YES' for the container to start | | PING\_IDENTITY\_DEVOPS\_FILE | devops-secret | File name for devops-creds passed as a Docker secret | | STAGING\_MANIFEST | ${BASE}/staging-manifest.txt | Path to a manifest of files expected in the staging dir on first image startup | | CLEAN\_STAGING\_DIR | false | Whether to clean the staging dir when the image starts | | SECRETS\_DIR | /run/secrets | Default path to the secrets | | TOPOLOGY\_FILE | ${STAGING\_DIR}/topology.json | Path to the topology file | | HOOKS\_DIR | ${STAGING\_DIR}/hooks | Path where all the hooks scripts are stored | | CONTAINER\_ENV | ${STAGING\_DIR}/.env | Environment Property file use to share variables between scripts in container | | SERVER\_PROFILE\_DIR | /tmp/server-profile | Path where the remote server profile is checked out or cloned before being staged prior to being applied on the runtime | | SERVER\_PROFILE\_URL | | A valid git HTTPS URL (not ssh) | | SERVER\_PROFILE\_URL\_REDACT | true | When set to "true", the server profile git URL will not be printed to container output. | | SERVER\_PROFILE\_BRANCH | | A valid git branch (optional) | | SERVER\_PROFILE\_PATH | | The subdirectory in the git repo | | SERVER\_PROFILE\_UPDATE | false | Whether to update the server profile upon container restart | | SECURITY\_CHECKS\_STRICT | false | Requires strict checks on security | | SECURITY\_CHECKS\_FILENAME | .jwk .pin | Perform a check for filenames that may violate security (i.e. secret material) | | UNSAFE\_CONTINUE\_ON\_ERROR | | If this is set to true, then the container will provide a hard warning and continue. | | LICENSE\_DIR | ${SERVER\_ROOT\_DIR} | License directory | | PD\_LICENSE\_DIR | ${STAGING\_DIR}/pd.profile/server-root/pre-setup | PD License directory. Separating from above LICENSE\_DIR to differentiate for different products | | STARTUP\_FOREGROUND\_OPTS | | The command-line options to provide to the the startup command when the container starts with the server in the foreground. This is the normal start flow for the container | | STARTUP\_BACKGROUND\_OPTS | | The command-line options to provide to the the startup command when the container starts with the server in the background. This is the debug start flow for the container | | PING\_IDENTITY\_DEVOPS\_KEY\_REDACT | true | | | TAIL\_LOG\_FILES | | A whitespace separated list of log files to tail to the container standard output - DO NOT USE WILDCARDS like /path/to/logs/\*.log | | COLORIZE\_LOGS | true | If 'true', the output logs will be colorized with GREENs and REDs, otherwise, no colorization will be done. This is good for tools that monitor logs and colorization gets in the way. | | LOCATION | Docker | Location default value If PingDirectory is deployed in multi cluster mode, that is, K8S\_CLUSTER, K8S\_CLUSTERS and K8S\_SEED\_CLUSTER are defined, LOCATION is ignored and K8S\_CLUSTER is used as the location | | LOCATION\_VALIDATION | true | Any string denoting a logical/physical location | | MAX\_HEAP\_SIZE | 384m | Heap size (for java products) | | JVM\_TUNING | AGGRESSIVE | | | JAVA\_RAM\_PERCENTAGE | 75.0 | Percentage of the container memory to allocate to PingFederate JVM DO NOT set to 100% or your JVM will exit with OutOfMemory errors and the container will terminate | | VERBOSE | false | Triggers verbose messages in scripts using the set -x option. | | PING\_DEBUG | false | Set the server in debug mode, with increased output | | PING\_PRODUCT | | The name of Ping product, i.e. PingFederate, PingDirectory - must be a valid Ping product type. This variable should be overridden by child images. | | PING\_PRODUCT\_VALIDATION | true | i.e. PingFederate,PingDirectory | | ADDITIONAL\_SETUP\_ARGS | | List of setup arguments passed to Ping Data setup-arguments.txt file | | LDAP\_PORT | 1389 | Port over which to communicate for LDAP | | LDAPS\_PORT | 1636 | Port over which to communicate for LDAPS | | HTTPS\_PORT | 1443 | Port over which to communicate for HTTPS | | JMX\_PORT | 1689 | Port for monitoring over JMX protocol | | ORCHESTRATION\_TYPE | | The type of orchestration tool used to run the container, normally set in the deployment (.yaml) file. Expected values include: - compose - swarm - kubernetes Defaults to blank (i.e. No type is set) | | USER\_BASE\_DN | dc=example,dc=com | Base DN for user data | | DOLLAR | '$' | Variable with a literal value of '$', to avoid unwanted variable substitution | | PD\_ENGINE\_PUBLIC\_HOSTNAME | localhost | PD (PingDirectory) public hostname that may be used in redirects | | PD\_ENGINE\_PRIVATE\_HOSTNAME | pingdirectory | PD (PingDirectory) private hostname | | PDP\_ENGINE\_PUBLIC\_HOSTNAME | localhost | PDP (PingDirectoryProxy) public hostname that may be used in redirects | | PDP\_ENGINE\_PRIVATE\_HOSTNAME | pingdirectoryproxy | PDP (PingDirectoryProxy) private hostname | | PDS\_ENGINE\_PUBLIC\_HOSTNAME | localhost | PDS (PingDataSync) public hostname that may be used in redirects | | PDS\_ENGINE\_PRIVATE\_HOSTNAME | pingdatasync | PDS (PingDataSync) private hostname | | PAZ\_ENGINE\_PUBLIC\_HOSTNAME | localhost | PAZ (PingAuthorize) public hostname that may be used in redirects | | PAZ\_ENGINE\_PRIVATE\_HOSTNAME | pingauthorize | PAZ (PingAuthorize) private hostname | | PAZP\_ENGINE\_PUBLIC\_HOSTNAME | localhost | PAZP (PingAuthorize-PAP) public hostname that may be used in redirects | | PAZP\_ENGINE\_PRIVATE\_HOSTNAME | pingauthorizepap | PAZP (PingAuthorize-PAP) private hostname | | PF\_ENGINE\_PUBLIC\_HOSTNAME | localhost | PF (PingFederate) engine public hostname that may be used in redirects | | PF\_ENGINE\_PRIVATE\_HOSTNAME | pingfederate | PF (PingFederate) engine private hostname | | PF\_ADMIN\_PUBLIC\_BASEURL | https\://localhost:9999 | PF (PingFederate) admin public baseurl that may be used in redirects | | PF\_ADMIN\_PUBLIC\_HOSTNAME | localhost | PF (PingFederate) admin public hostname that may be used in redirects | | PF\_ADMIN\_PRIVATE\_HOSTNAME | pingfederate-admin | PF (PingFederate) admin private hostname | | PA\_ENGINE\_PUBLIC\_HOSTNAME | localhost | PA (PingAccess) engine public hostname that may be used in redirects | | PA\_ENGINE\_PRIVATE\_HOSTNAME | pingaccess | PA (PingAccess) engine private hostname | | PA\_ADMIN\_PUBLIC\_HOSTNAME | localhost | PA (PingAccess) admin public hostname that may be used in redirects | | PA\_ADMIN\_PRIVATE\_HOSTNAME | pingaccess-admin | PA (PingAccess) admin private hostname | | ROOT\_USER\_DN | cn=${ROOT\_USER} | DN of the server root user | | ENV | ${BASE}/.profile | | | PS1 | \\${PING\_PRODUCT}:\h:\w\n> | Default shell prompt (i.e. productName:hostname:workingDir) | | PATH | ${JAVA\_HOME}/bin:${BASE}:${SERVER\_ROOT\_DIR}/bin:${PATH} | PATH used by the container | | SHIM | ${SHIM} | | | IMAGE\_VERSION | ${IMAGE\_VERSION} | | | IMAGE\_GIT\_REV | ${IMAGE\_GIT\_REV} | | | DATE | ${DATE} | | | PING\_PRODUCT\_VERSION | ${VERSION} | | | PING\_PRODUCT | PingAccess | Ping product name | | LICENSE\_DIR | ${SERVER\_ROOT\_DIR}/conf | License directory | | LICENSE\_FILE\_NAME | pingaccess.lic | Name of license file | | LICENSE\_SHORT\_NAME | PA | Short name used when retrieving license from License Server | | LICENSE\_VERSION | ${LICENSE\_VERSION} | Version used when retrieving license from License Server | | OPERATIONAL\_MODE | STANDALONE | PA\_RUN\_PA\_OPERATIONAL\_MODE will override this value for PingAccess 7.3 and later. | | PA\_ADMIN\_PASSWORD\_INITIAL | 2Access | | | PING\_IDENTITY\_PASSWORD | 2FederateM0re | Specify a password for administrator user for interaction with admin API | | STARTUP\_COMMAND | ${SERVER\_ROOT\_DIR}/bin/run.sh | The command that the entrypoint will execute in the foreground to instantiate the container | | TAIL\_LOG\_FILES | ${SERVER\_ROOT\_DIR}/log/pingaccess.log | Files tailed once container has started | | PA\_ADMIN\_PORT | 9000 | Default port for PA Admin API and console Ignored when using PingIdentity Helm charts | | PA\_ADMIN\_CLUSTER\_PORT | 9090 | Default port when clustering PA primary administrative node Ignored when using PingIdentity Helm charts | | JAVA\_RAM\_PERCENTAGE | 60.0 | Percentage of the container memory to allocate to PingAccess JVM DO NOT set to 100% or your JVM will exit with OutOfMemory errors and the container will terminate | | FIPS\_MODE\_ON | false | Turns on FIPS mode (currently with the Bouncy Castle FIPS provider) set to exactly "true" lowercase to turn on set to anything else to turn off PA\_FIPS\_MODE\_PA\_FIPS\_MODE will override this for PingAccess 7.3 and later. | | SHOW\_LIBS\_VER | true | Defines a variable to allow showing library versions in the output at startup default to true | | SHOW\_LIBS\_VER\_PRE\_PATCH | false | Defines a variable to allow showing library version prior to patches being applied default to false This is helpful to ensure that the patch process updates all libraries affected | | PA\_ENGINE\_PORT | 3000 | | | ADMIN\_WAITFOR\_TIMEOUT | 300 | wait-for timeout for 80-post-start.sh hook script How long to wait for the PA Admin console to be available | ### Ports Exposed The following ports are exposed from the container. If a variable is used, then it may come from a parent container * ${PA\_ADMIN\_PORT} * ${PA\_ENGINE\_PORT} * ${HTTPS\_PORT} ### Running a PingAccess container To run a PingAccess container: ```shell docker run \ --name pingaccess \ --publish 9000:9000 \ --publish 443:1443 \ --detach \ --env SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git \ --env SERVER_PROFILE_PATH=getting-started/pingaccess \ --env PING_IDENTITY_ACCEPT_EULA=YES \ --env PING_IDENTITY_DEVOPS_USER \ --env PING_IDENTITY_DEVOPS_KEY \ --tmpfs /run/secrets \ pingidentity/pingaccess:edge ``` Follow Docker logs with: ```shell docker logs -f pingaccess ``` If using the command above with the embedded [server profile](https://devops.pingidentity.com/reference/config/), log in with: * https\://localhost:9000 * Username: Administrator * Password: 2FederateM0re ### Docker Container Hook Scripts Please go [here](https://github.com/pingidentity/pingidentity-devops-getting-started/tree/master/docs/docker-images/pingaccess/hooks/README.md) for details on all pingaccess hook scripts *** This document is auto-generated from *[pingaccess/Dockerfile](https://github.com/pingidentity/pingidentity-docker-builds/blob/master/pingaccess/Dockerfile)* Copyright © 2026 Ping Identity Corporation