--- title: Configure ASE to ABS connectivity description: To connect ASE to ABS, configure the ABS address (IPv4:Port or Hostname:Port), access key, and secret key in the abs.conffile located in the //pingidentity/ase/config directory. component: pingintelligence version: 5.1 page_id: pingintelligence:api_security_enforcer:pingintelligence_ase_to_abs_connectivity_inline canonical_url: https://docs.pingidentity.com/pingintelligence/5.1/api_security_enforcer/pingintelligence_ase_to_abs_connectivity_inline.html revdate: May 28, 2024 section_ids: configuring-ase-abs-encrypted-communication: Configuring ASE-ABS encrypted communication check-and-open-abs-ports: Check and open ABS ports --- # Configure ASE to ABS connectivity To connect ASE to ABS, configure the ABS address (IPv4:Port or Hostname:Port), access key, and secret key in the `abs.conf`file located in the `//pingidentity/ase/config` directory. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------- | | | `enable_abs` must be set to `true` in the `ase.conf` file. when ABS is in a different AWS security group, use a private IP address. | The parameter values and descriptions are included in the following table: | Parameter | Description | | -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `deployment_type` | The ABS deployment mode. Valid values are `cloud` or `onprem`. The default value is `onprem`. | | `gateway_credential` | This parameter is used when ABS is deployed in `cloud` mode. The credential generated in PingOne, while creating a PingIntelligence connection is assigned here so that PingOne can authenticate the data sent by ASE during runtime. For more information on PingOne connections, see [Connections](https://docs.pingidentity.com/bundle/p14c/page/pof1597955873924.html). | | `abs_cloud_endpoint` | Use this parameter to assign an endpoint other than the one decoded by the gateway credentials. It's used when ABS is deployed in `cloud` mode. | | `abs_endpoint` | The parameter has two possible configurations:- When ABS is deployed with a load balancer - Configure the hostname and port or the IPv4 and port of the load balancer. To allow the load balancer to bind ASE's session to a specific ABS node, enable cookie stickiness in the load balancer with PISESSIONID cookie.- When ABS is deployed without a load balancer - Configure the parameter with the hostname and port or the IPv4 and port of all the ABS nodes in a cluster. If later a new ABS node is added to the cluster, add its hostname or IPv4 to the list and restart ASE. | | `access_key` | The access key or the username for the ABS nodes. It is the same for all the ABS nodes. The same value has to be configured in ABS MongoDB database. This value is obfuscated during the start of ASE. This parameter is used when ABS is deployed in `onprem` mode. ":" is a restricted character and allowed in access key. | | `secret_key` | The secret key or the password for the ABS nodes. It is the same for all the ABS nodes. The same value has to be configured in ABS MongoDB database. This value is obfuscated during the start of ASE. This parameter is used when ABS is deployed in `onprem` mode. ":" is a restricted character and allowed in secret key. | | `enable_ssl` | Set the value to true for SSL communication between ASE and ABS. The default value is true. ASE sends the access log files in plain text if the value is set to false. This parameter is used when ABS is deployed in `onprem` mode. | | `abs_ca_cert_path` | Location of the trusted CA certificates for SSL/TLS connections from ASE to ABS.If the path parameter value is left empty, then ASE does not verify the validity of CA certificates. However, the connection to ABS is still encrypted. This parameter is used when ABS is deployed in `onprem` mode. | | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The `access_key` and `secret_key` are configured in ABS. For more information, see [ABS AI Engine](../abs_ai_engine/pingintelligence_abs_ai_engine.html). | Here is a sample `abs.conf` file. ``` ; API Security Enforcer ABS configuration.; This file is in the standard .ini format. The comments start with a semicolon (;).; Following configurations are applicable only if ABS is enabled with true. ; Configure ABS deployment type. Supported values (onprem/cloud) deployment_type=onprem ; PingIntelligence Gateway Credentials gateway_credential= ; ABS endpoint for cloud abs_cloud_endpoint= ; a comma-separated list of abs nodes having hostname:port or ipv4:port as an address. abs_endpoint=127.0.0.1:8080 ; access key for abs node access_key=OBF:AES://ENOzsqOEhDBWLDY+pIoQ:jN6wfLiHTTd3oVNzvtXuAaOG34c4JBD4XZHgFCaHry0 ; secret key for abs node secret_key=OBF:AES:Y2DadCU4JFZp3bx8EhnOiw:zzi77GIFF5xkQJccjIrIVWU+RY5CxUhp3NLcNBel+3Q ; Setting this value to true will enable encrypted communication with ABS. enable_ssl=true ; Configure the location of ABS's trusted CA certificates. If empty, ABS's certificate ; will not be verified abs_ca_cert_path= ``` ## Configuring ASE-ABS encrypted communication To enable SSL communication between ASE and ABS so that the access logs are encrypted and sent to ABS, set the value of `enable_ssl` to `true`. The `abs_ca_cert_path` is the location of ABS's trusted CA certificate. If the field is left empty, ASE does not verify ABS's certificate, however, the communication is till encrypted. ## Check and open ABS ports The default port for connection with ABS is 8080. Run the `check_ports.sh` script on the ASE machine to determine ABS accessibility. Input ABS host IP address and ports as arguments. ``` /opt/pingidentity/ase/util ./check_ports.sh {ABS IPv4:[port]} ```