--- title: Inline ASE configuration - ase.conf description: ASE system level configuration entails modifying parameters in the ase.conf file located in the config directory. Some values have default settings which can be modified to support your application requirements. The parameter values and descriptions are included in the following table: component: pingintelligence version: 5.1 page_id: pingintelligence:api_security_enforcer:pingintelligence_inline_ase_configuration canonical_url: https://docs.pingidentity.com/pingintelligence/5.1/api_security_enforcer/pingintelligence_inline_ase_configuration.html revdate: April 3, 2024 --- # Inline ASE configuration - ase.conf ASE system level configuration entails modifying parameters in the `ase.conf` file located in the `config` directory. Some values have default settings which can be modified to support your application requirements. The parameter values and descriptions are included in the following table: | **Parameter** | **Description** | | ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **ASE mode** | | | `mode` | The mode in which ASE works. Possible values are `inline` and `sideband`. The default value is `inline`. | | **ASE timezone** | | | `timezone` | Sets ASE's timezone. The values can be `local` or `UTC`. Default value is `UTC`. If ASE is deployed in a cluster, configure the same timezone on each cluster node manually. | | `enable_sideband_keepalive` | NA | | `enable_sideband_authentication` | NA | | **ASE ports** | | | `http_ws_port` | Data port used for http or WebSocket protocol.The default value is 8000. | | `https_wss_port` | Data port used for https or Secure WebSocket (wss).The default value is 8443. | | `management_port` | Management port used for CLI and REST API management.The default value is 8010. | | **ASE administration and audit** | | | `admin_log_level` | The level of log detail captured. Options include:Fatal – 1, Error – 2, Warning – 3, Info – 4, Debug – 5 | | `enable_audit` | When set to `true`, ASE logs all actions performed in ASE in the audit log files.The default value is `true`. | | `syslog_server` | Syslog server hostname or `IPv4 address:port number`.Leave this parameter blank if you do not want to generate for no syslog. | | `hostname_refresh` | Time interval at which hostnames are refreshed. The default value is 60 secs. When ASE attempts to refresh the hostname, the hostname resolution must happen in 5 secs. | | `auth_method` | Authentication method used for administrator access. See [Configuring Native and PAM Authentication](pingintelligence_configure_native_pam_authentication.html) for more information on the two options:- `ase::db` (Default - Native authentication) - `pam::ldap`(Linux-PAM Authentication with script) | | `enable_ase_health` | When `true`, enables load balancers to perform a health check using the following URL: http(s)://*\*/ase where *\* is the ASE domain nameThe default value is `false`. NOTE: Do not configure the /ase URL in an API JSON file. | | `enable_1G` | When `true,` enable 1Gbps Ethernet support.The default value is `true.` NOTE: Only applicable when using a 1G NIC card | | `http_ws_process` | The number of HTTP or WebSocket processes.The default value is 1 and the maximum value is 6. NOTE: When running ASE in a cluster deployment, all nodes must have the same number of processes. | | `https_wss_process` | The number of HTTPS or secure WebSocket processes.The default value is 1 and the maximum value is 6. NOTE: When running ASE in a cluster deployment, all nodes must have the same number of processes. | | `enable_access_log` | When `true`, log client traffic request and response information. Default value is `true`. Make sure the value is set to `true` when ASE connected ti PingOne. | | `flush_log_immediate` | When `true`, log files are immediately written to the file system. When `false`, log files are written after a time interval. The default value is `true.` | | `attack_list_memory` | The amount of memory used for maintaining black and whitelists. The default value is 128 MB. | | `keystore_password` | Password for the keystore. For more information on updating the keystore password, see [Updating Keystore Password](pingintelligence_keystore.html). | | `enable_hostname_rewrite` | When set to `true`, ASE rewrites the host header in the client request with the IP or host and port number configured in the `server` section of the API JSON. Make a note of the following points:**server\_ssl** in API JSON set to `false`:- In the server section of API JSON, if the configured port is the standard HTTP port (port number 80), then only the IP or hostname in the request header is rewritten. - In the server section of API JSON, if the configured port is any port other than the standard HTTP port (port number 80), then IP or hostname and port number in the request header is rewritten. For example, if the configured port number is 8080 in API JSON for a host example.com, then ASE rewrites the host header in request with example.com:8080.**server\_ssl** in API JSON set to `true`:- In the server section of API JSON, if the configured port is the standard HTTPS port (port number 443), then only the IP or hostname in the request header is rewritten. - In the server section of API JSON, if the configured port is any port other than the standard HTTPS port (port number 443), then IP or hostname and port number in the request header is rewritten. For example, if the configured port number is 8443 in API JSON for a host example.com, then ASE rewrites the host header in request with example.com:8443. | | **ASE cluster** | | | `enable_cluster` | When `true`, run the setup in cluster mode.The default value is `false`, run the setup in standalone mode. | | **Security** | | | `enable_sslv3` | When `true,` enable SSLv3. Default value is `false.` | | `server_ca_cert_path` | Location of the trusted CA certificates for SSL/TLS connections from ASE to backend servers.If the path parameter value is left empty, then ASE does not verify the validity of CA certificates. However, the backend connection is still encrypted.For RHEL 7.6 CA certificates, the default path is: `/etc/pki/tls/certs/.`Multiple certificates can be placed in this directory. | | `enable_xff` | When `true,` pass XFF header with originating IP address to the backend server. | | `enable_firewall` | When `true`, activate the following API security features:- API mapping - API pattern enforcement - Connection drop using attack types - Flow controlDefault value is `true` | | `enable_strict_request_parser` | When `true`, ASE blocks client http requests with invalid headers start.The default value is `true`. | | **Real-time API security** | | | `enable_ase_detected_attack` | When `true`, activates the real-time security in ASE. ASE detects and blocks pattern enforcement violations, wrong API keys and clients probing decoy API and later accessing real APIs. The default value is `false`. | | **API deception** | | | `decoy_alert_interval` | The time interval between decoy API email alerts.The default value is 180 minutes.Maximum value is 1440 minutes (i.e. 24 hours). | | **AI-based API security (ABS)** | | | `enable_abs` | When `true` (default), send access log files to ABS AI Engine for generating API metrics and detecting attacks using machine learning algorithms. Set it to`true` when ASE is connected to PingOne. | | `enable_abs_attack` | When `true` (default), ASE fetches attack list from ABS AI Engine and blocks access by the clients that are in the attack list.When `false`, attack list is not downloaded. | | `abs_attack_request_minute` | Time interval in minutes at which ASE fetches ABS attack list. The default value is 10-minutes. | | **Google Pub/Sub configuration** | | | `enable_google_pubsub` | NA | | `google_pubsub_topic` | NA | | `google_pubsub_concurrency` | NA | | `google_pubsub_qps` | NA | | `google_pubsub_apikey` | NA | | `cache_queue_size` | NA | | `google_pubsub_timeout` | NA | | **API Publish (ABS)** | | | `enable_abs_publish` | When `true`, ASE polls ABS to get list of published APIs and list of non-discovered APIs and decide whether APIs received will be added, deleted or updated. When `false`, the published list will not be downloaded.The default value is `false`. | | `abs_publish_request_minutes` | This value determines how often ASE will get published API list from ABS. The default value is `10 minutes`. | | **Alerts and reports** | | | `enable_email` | When `true`, send email notifications. The default value is `false`. ASE logs the alerts in `balancer.log` file even when email alerts are disabled. See [Email alerts and reports](pingintelligence_email_alerts_reports.html) for more information. | | `email_report` | Time interval in days at which ASE sends reports. Minimum value is 1 day and the maximum is 7-days. The default value is 1-day. | | `smtp_host` | Hostname of SMTP server. | | `smtp_port` | Port number of SMTP server. | | `smtp_ssl` | Set to `true` if you want email communication to be over SSL. Make sure that the SMTP server supports SSL. If you set `smtp_ssl` to `true` and the SMTP server does not support SSL, email communication falls back to the non-SSL channel. The default value is `true`.Set it to false if email communication is over a non-SSL channel. The email communication will fail if you set the parameter to `false`, but the SMTP server only supports SSL communication. | | `smtp_cert_verification` | Set to `true` if you want ASE to verify the SMTP server's SSL certificate. The default value is `true`.If you set it to `false`, ASE does not verify SMTP server's SSL certificate; however, the communication is still over SSL. If you have configured an IP address as smtp\_host and set smtp\_cert\_verification to true, then make sure that the certificate configured on the SMTP server has the following: X509v3 extensions: X509v3 Key Usage: Key Encipherment, Data Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Subject Alternative Name: IP Address: X.X.X.X | | `sender_email` | Email address for sending email alerts and reports. | | `sender_password` | Password of sender's email account. NOTE: You can leave this field blank if your SMTP server does not require authentication. | | `receiver_email` | Email address to notify about alerts and reportsSee [email alerts](pingintelligence_email_alerts_reports.html) for more information. | | **ASE server resource utilization** | | | `cpu_usage` | Percentage threshold value of CPU utilization.See [email alerts](pingintelligence_email_alerts_reports.html) for more information. | | `memory_usage` | Percentage threshold value of memory usage.See [email alerts](pingintelligence_email_alerts_reports.html) for more information. | | `filesystem_size` | Percentage threshold value of filesystem capacity.See [email alerts](pingintelligence_email_alerts_reports.html) for more information. | | `buffer_size` | Customizable payload buffer size to reduce the number of iterations required for reading and writing payloads.Default value is 16KB. Minimum is 1KB and maximum is 32KB. | A sample `ase.conf` file is displayed below: ``` ; This is API Security Enforcer's main configuration file. This file is in the standard .ini format. ; It contains ports, firewall, log, ABS flags. The comments start with a semicolon (;). ; Defines running mode for API Security Enforcer (Allowed values are inline or sideband). mode=inline ; Defines http(s)/websocket(s) ports for API Security Enforcer. Linux user should have the privilege to bind to these ports. ; If you comment out a port, then that protocol is disabled. http_ws_port=8000 https_wss_port=8443 ; REST API management_port=8010 ; For controller.log and balancer.log only ; 1-5 (FATAL, ERROR, WARNING, INFO, DEBUG) admin_log_level=4 ; Defines the number of processes for a protocol. ; The maximum number of allowed process for each protocol is 6 (1 master + 5 child). The ; following defines 1 process for both http/ws and https/wss protocol. http_ws_process=1 https_wss_process=1 ; Enable or disable access logs to the filesystem (request/response). ; WARNING! It must be set to true for sending logs to ABS for analytics. enable_access_log=true ; To write access log immediately to the filesystem, set to true. flush_log_immediate=true ; Setting this value to true will enable this node to participate in an API Security Enforcer ; cluster. Define cluster configurations in the cluster.conf enable_cluster=false ; Current API Security Enforcer version has 3 firewall features: API Mapping, API Pattern ; Enforcement, and Attack Types. enable_firewall=true ; X-Forwarded For enable_xff=false ; SSLv3 enable_sslv3=false ; enable Nagle's algorithm (if NIC card is 1G). enable_1G=true ; tcp send buffer size in bytes(kernel) tcp_send_buffer_size=65535 ; tcp receive buffer size in bytes(kernel) tcp_receive_buffer_size=65535 ; buffer size for send and receive in KBs (user) buffer_size=16KB ; Set this value to true, to allow API Security Enforcer to send logs to ABS. This ; configuration depends on the value of the enable_access_log parameter. enable_abs=true ; Set this value to true, to allow API Security Enforcer to fetch attack list from ABS. enable_abs_attack=true ; This value determines how often API Security Enforcer will get attack list from ABS. abs_attack_request_minutes=10 ; Set this value to true, to allow API Security Enforcer to fetch published API list from ABS. enable_abs_publish=false ; This value determines how often API Security Enforcer will get published API list from ABS. abs_publish_request_minutes=10 ; Set this value to true, to allow API Security Enforcer to block auto detected attacks. enable_ase_detected_attack=false ; Set this value to true to enable email for both alerts and daily reports. enable_email=false ; Defines report frequency in days [0=no reports, 1=every day, 2=once in two days and max is 7 ; days] email_report=1 ; Specify your email settings smtp_host=smtp:// smtp_port=587 ; Set this value to true if smtp host support SSL smtp_ssl=true ; Set this value to true if SSL certificate verification is required smtp_cert_verification=false sender_email= sender_password= receiver_email= ; Defines threshold for an email alert. For example, if CPU usage is 70%, you will get an ; alert. cpu_usage=70 memory_usage=70 filesystem_size=70 ; Authentication method. Format is :: ; Valid values for auth_agent are ase and pam ; ase agent only supports db auth_service ; pam agent can support user configured pam services ; For example ase::db, pam::passwd, pam::ldap etc auth_method=ase::db ; Enable auditing. Valid values are true or false. enable_audit=true ; Decoy alert interval in minutes. [min=15, default=3*60, max=24*60] decoy_alert_interval=180 ; Interval for a hostname lookup (in seconds). [min=10, default=60, max=86400] hostname_refresh=60 ; Syslog server settings. The valid format is host:port. Host can be an FQDN or an IPv4 ; address. syslog_server= ; Attack List size in MB or GB. [min=64MB, max=1024GB] ; ASE will take 3*(configured memory) internally. Make sure that the system has at least ; 3*(configured memory) available ; If you are running ASE inside a container, configure the container to use 3*(configured ; memory) shared memory. attack_list_memory=128MB ; Enable or Disable health check module. ASE uses '/ase' url for both http and https. This is ; useful if ASE is deployed behind a load balancer. enable_ase_health=false ; Location for server's trusted CA certificates. If empty, Server's certificate will not be ; verified. server_ca_cert_path= ; enable client side authentication. This setting is applicable only in sideband mode. Once enabled ; request will be authenticated using authentication tokens. enable_sideband_authentication=false ; enable connection keepalive for requests from gateway to ase. ; This setting is applicable only in sideband mode. ; Once enabled ase will add 'Connection: keep-alive' header in response ; Once disabled ase will add 'Connection: close' header in response enable_sideband_keepalive=false ; keystore password keystore_password=OBF:AES:sRNp0W7sSi1zrReXeHodKQ:lXcvbBhKZgDTrjQOfOkzR2mpca4bTUcwPAuerMPwvM4 ; enable hostname rewrite for inline mode. ASE will rewrite the host header in request ; to the server's hostname enable_hostname_rewrite=false ; enable strict parsing checks for client requests ; If enabled, ASE will block request with invalid header start ; If disabled, it will allow requests ; default value = true enable_strict_request_parser=true ; Set the timezone to utc or local. The default timezone is utc. timezone=utc ; Google Pub Sub Configuation enable_google_pubsub=false google_pubsub_topic=/topic/apimetrics ; Number of concurrent connections to Google Pub/Sub ; Minimum: 1, Default: 1000, Maximum: 1024 google_pubsub_concurrency=1000 ; Number of messages published per second. ; Minimum: 1, Default: 1000, Maximum: 10000 google_pubsub_qps=1000 ; Google service account API key (Optional) google_pubsub_apikey= ; Maximum number of messages buffered in memory ; If queue is full, messages are written to logs/google_pubsub_failed.log ; Minimum: 1, Default: 300, Maximum: 10000 cache_queue_size=300 ; Timeout in seconds to publish a message to Google Pub/Sub. ; Minimum: 10, Default: 30, Maximum: 300 google_pubsub_timeout=30 ```