PingIntelligence

Configure Google Pub/Sub

Google Cloud Pub/Sub is an enterprise event-driven messaging system. API Security Enforcer (ASE) integrates with Google Pub/Sub in ASE sideband mode. When you enable Google Pub/Sub in the ase.conf file, ASE sends each event message as a JSON document to Google Cloud. You can verify that Google Pub/Sub is enabled by running the ASE status command:

/opt/pingidentity/ase/bin/cli.sh status -u admin -p admin
API Security Enforcer
status                  : started
mode                    : sideband
http/ws                 : port 80
https/wss               : port 443
firewall                : enabled
abs                     : disabled, ssl: enabled
abs attack              : disabled
audit                   : enabled
sideband authentication : disabled
ase detected attack     : disabled
attack list memory      : configured 128.00 MB, used 25.60 MB, free 102.40 MB
google pubsub           : enabled

Complete the following steps to configure Google Pub/Sub in ASE:

  1. Download the Key file in JSON format from your Google Pub/Sub account. For more information on generating the Key file, see Quickstart: building a functioning Cloud Pub/Sub system

  2. Copy the downloaded Key JSON file to the /pingidentity/ase/config directory.

  3. Rename the file to google_application_credentials.json.

  4. Configure the following Google Pub/Sub options in the ase.conf file:

    enable_google_pubsub

    Set it to true if you want ASE to push metrics data to Google Cloud. The default value is false.

    Note: ASE must be in sideband mode for the Google Pub/Sub configuration to take effect.

    google_pubsub_topic

    The path to the topic on which messages are published and subscribed, for example /pingidentity/topic/your_topic

    google_pubsub_concurrency

    The number of concurrent connections between ASE and Google Pub/Sub. The maximum value is 1024 connections; the default value is 1000 connections.

    google_pubsub_qps

    The number of messages per second that ASE can publish to the topic. Maximum value is 10,000. The default value is 1000.

    google_pubsub_apikey

    The API Key used to establish the connection between ASE and Google Pub/Sub. Configuring an API Key for Google Pub/Sub is optional.

    cache_queue_size

    The number of messages that ASE buffers in cache when it is unable to publish to Google Pub/Sub. The maximum queue size is 10,000 messages; the default value is 300 messages.

    google_pubsub_timeout

    The time in seconds for which ASE tries to publish a message to Google Pub/Sub. If publishing fails, ASE makes three attempts, after which it writes the message to the google_pubsub_failed.log file.

Configure API Key - Optional

You can optionally configure an API Key in the ase.conf file. Obtain the API Key for your Google project and configure it in the google_pubsub_apikey option. The API Key must be obfuscated for it to take effect. For more information on obfuscating keys and passwords, see Obfuscate keys and passwords. Following is a summary of the steps you need to complete:

  1. Stop ASE

  2. Edit ase.conf file to add API Key

  3. Obfuscate the API Key

  4. Start ASE

ASE JSON message file

ASE sends the event information to Google Pub/Sub in a JSON message. The message captures the following information:

  • Method

  • URL

  • Host

  • Request time-stamp

  • Request length

  • Source IP

  • X-forwarded-for IPs

  • Response code

  • Response length

  • Latency in milliseconds

ASE makes three attempts to publish a message to Google Pub/Sub, after which the entire message is logged in the failed log file. The message logged in the failed log file is not in plain text. If a message is not published to Google Pub/Sub, you can check the reason for the failure in the balancer.log file. For more information on the balancer.log file, see ASE management, access and audit logs. When a message is successfully published to Google Pub/Sub, its message ID is logged in the success log file. Following is a snippet of an event message JSON document logged in the balancer.log file when ASE is run in debug mode.

{
  "method": "PUT",
  "url": "/shopapi-books/order",
  "host": "shop-electronics.cloudhub.io",
  "request_timestamp": "1573767522429",
  "request_length": "464",
  "source_ip": "1.2.3.4",
  "x_forwarded_for": "1.1.1.1, 1.1.1.2",
  "response_code": "200",
  "response_length": "26",
  "latency_ms": "208"
}
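The following Python example is added here and is not part of the PingIntelligence documentation or the ASE product. It covers both sections above: it checks the Pub/Sub options of ase.conf against the limits this page documents, and it parses an event message of the form shown above for a consumer on the subscriber side (note that ASE emits every value as a string, the timestamp is epoch milliseconds and x_forwarded_for is a comma-separated list). The ase.conf values and the conf dictionary layout are constructed for the example.

```python
import json
from datetime import datetime, timezone

# Documented upper limits for the ase.conf Pub/Sub options (taken from this page).
PUBSUB_LIMITS = {
    "google_pubsub_concurrency": 1024,
    "google_pubsub_qps": 10000,
    "cache_queue_size": 10000,
}
# Fields ASE emits as numeric strings; they are converted to int on parse.
INT_FIELDS = ("request_length", "response_code", "response_length", "latency_ms")


def check_pubsub_conf(conf):
    """Return a list of problems found in the Pub/Sub options of ase.conf.
    conf maps option name -> raw string value as read from the file (assumed layout)."""
    problems = []
    if conf.get("enable_google_pubsub", "false").lower() != "true":
        problems.append("enable_google_pubsub is not true; no events will be published")
    if not conf.get("google_pubsub_topic", "").startswith("/"):
        problems.append("google_pubsub_topic must be a topic path such as /pingidentity/topic/your_topic")
    for key, limit in PUBSUB_LIMITS.items():
        raw = conf.get(key)  # absent means ASE applies the documented default
        if raw is not None and (not raw.isdigit() or not 1 <= int(raw) <= limit):
            problems.append(f"{key}={raw} is outside the allowed range 1-{limit}")
    return problems


def parse_ase_event(raw):
    """Parse one ASE event message (the JSON shown on this page) into typed values."""
    d = json.loads(raw)
    event = {k: d[k] for k in ("method", "url", "host", "source_ip")}
    for k in INT_FIELDS:
        event[k] = int(d[k])
    # request_timestamp is epoch milliseconds; convert to an aware UTC datetime.
    event["request_time"] = datetime.fromtimestamp(
        int(d["request_timestamp"]) / 1000, tz=timezone.utc)
    # x_forwarded_for may list several proxies; keep them as an ordered list.
    event["x_forwarded_for"] = [
        ip.strip() for ip in d.get("x_forwarded_for", "").split(",") if ip.strip()]
    return event


# Constructed sample input: the event message from this page and a conf with one bad value.
SAMPLE_EVENT = json.dumps({
    "method": "PUT", "url": "/shopapi-books/order", "host": "shop-electronics.cloudhub.io",
    "request_timestamp": "1573767522429", "request_length": "464", "source_ip": "1.2.3.4",
    "x_forwarded_for": "1.1.1.1, 1.1.1.2", "response_code": "200",
    "response_length": "26", "latency_ms": "208"})
SAMPLE_CONF = {"enable_google_pubsub": "true", "google_pubsub_topic": "/pingidentity/topic/your_topic",
               "google_pubsub_concurrency": "2048", "google_pubsub_qps": "1000"}
```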