Configure Google Pub/Sub
Google Cloud Pub/Sub is an enterprise event-driven message system. API Security Enforcer (ASE) integrates with Google Pub/Sub in ASE sideband mode. When you enable Google Pub/Sub in ase.conf file, ASE sends the event message in a JSON file to Google cloud. You can verify that Google Pub/Sub is enabled by running the ASE status command:
/opt/pingidentity/ase/bin/cli.sh status -u admin -p admin API Security Enforcer status : started mode : sideband http/ws : port 80 https/wss : port 443 firewall : enabled abs : disabled, ssl: enabled abs attack : disabled audit : enabled sideband authentication : disabled ase detected attack : disabled attack list memory : configured 128.00 MB, used 25.60 MB, free 102.40 MB google pubsub : enabled
Complete the following steps to configure Google Pub/Sub in ASE:
-
Download the Key file in JSON format from your Google Pub/Sub account. For more information on generating the Key file, see Quickstart: building a functioning Cloud Pub/Sub system
-
Copy the downloaded Key JSON file to
/pingidentity/ase/configdirectory. -
Rename the file to
google_application_credentials.json. -
Configure the following Google Pub/Sub options in the
ase.conffile:enable_google_pubsubSet it to
trueif you want ASE to push metrics data to Google cloud. The default value isfalse. + [NOTE] ==== ASE must be in thesidebandmode for Google Pub/Sub configuration to take effect. ====google_pubsub_topicThe path to your topic for publishing and subscribing the messages. For example,
/pingidentity/topic/your_topicgoogle_pubsub_concurrencyThe number of concurrent connection between ASE and Google Pub/Sub. The maximum value is 1024 connections. Default value is 1000 connections.
google_pubsub_qpsThe number of messages per second that ASE can publish to the topic. Maximum value is 10,000. The default value is 1000.
google_pubsub_apikeyThe API Key to establish connection between ASE and Google Pub/Sub. Configuring API Key for Google Pub/Sub is optional.
cache_queue_sizeThe number of messages that are buffered in cache when ASE is not able to publish to Google Pub/Sub. Maximum size of the queue is 10,000 messages. The default value is 300 messages.
google_pubsub_timeoutThe time in seconds for which ASE tries to publish messages to Google Pub/Sub. In case of failure to publish, ASE makes three attempts to publish the message, after which it writes the message to the
google_pubsub_failed.logfile.
Configure API Key - Optional
You can optionally configure API Key in ase.conf file. Obtain the API Key for your Google project and configure in google_pubsub_apikey option. Obfuscate the API Key for it to take effect. For more information on obfuscating keys and password, see Obfuscate keys and passwords. Following is a summary of steps that you need to complete:
-
Stop ASE
-
Edit
ase.conffile to add API Key -
Obfuscate the API Key
-
Start ASE
ASE JSON message file
ASE sends the event information to Google Pub/Sub in a JSON message. The message captures the following information:
-
Method
-
URL
-
Host
-
Request time-stamp
-
Request length
-
Source IP
-
X-forwarded-for IPs
-
Response code
-
Response length, and
-
Latency in milliseconds
ASE makes 3-attempts to publish the message to Google Pub/Sub after which the entire message is logged in failed log file. The message that is logged in the failed log file is not in plain text. If the message is not published to Google Pub/Sub, you can check the reason for failure in balancer.log file. For more information on balancer.log file, see ASE management, access and audit logs. When messages are successfully published to Google Pub/Sub, the message ID is logged in success log file. Following is a snippet of event message JSON file logged in balancer.log file when ASE is run in debug mode.
{
"method": "PUT",
"url": "/shopapi-books/order",
"host": "shop-electronics.cloudhub.io",
"request_timestamp": "1573767522429",
"request_length": "464",
"source_ip": "1.2.3.4",
"x_forwarded_for": "1.1.1.1, 1.1.1.2",
"response_code": "200",
"response_length": "26",
"latency_ms": "208"
}