PingIntelligence

Configure automated policy tool

Download

Complete the following steps to download and install the PingIntelligence policy tool:

  1. Download the PingIntelligence policy tool to the /opt directory.

  2. Complete the following steps to untar the policy tool:

    1. At the command prompt, type the following command to untar the policy tool file:

      tar -zxvf <filename>

      For example:

      tar -zxvf pi-aws-4.0.tar.gz
    2. To verify that the tool successfully installed, type the ls command at the command prompt. This should list the pingidentity directory and the build .tgz file.

      The following table lists the directories:

      Directory   Description

      bin         Contains the following scripts:
                  • deploy.sh: The script to deploy the PingIntelligence policy.
                  • undeploy.sh: The script to undeploy the PingIntelligence policy.
                  • status.sh: Reports the deployment status of the IAM role and the Lambda function.

      lib         Jar files and various dependencies. Do not edit the contents of this directory.

      policy      Contains the request and response Lambda functions:
                  • request_lambda.zip
                  • response_lambda.zip

      config      Contains the aws.properties file.

      logs        Contains the log and status files.

Configure the automated tool

Configure the aws.properties file available in the /pingidentity/pi/aws/config/ directory. The following table describes the variables in the aws.properties file:

Variable                    Description

mode                        Authentication mode: keys or role. If you are running the
                            PingIntelligence policy tool from your local machine, use the
                            keys mode. If you are running the tool from an EC2 instance,
                            use the role mode.

access_key                  AWS access key. Applicable only when mode is set to keys.

secret_key                  AWS secret key. Applicable only when mode is set to keys.

aws_lambda_memory           AWS Origin Response Lambda memory in MB. The default value is
                            1024 MB. The memory must be a multiple of 64; the minimum and
                            maximum values are 128 and 3008 respectively. For more
                            information, see AWS Lambda Pricing.

cloudfront_distribution_id  The CloudFront distribution ID.

ase_host_primary            The ASE primary host, as IP address and port or hostname and
                            port.

ase_host_secondary          The ASE secondary host, as IP address and port or hostname and
                            port. The secondary ASE host receives traffic only when the
                            primary ASE host is unreachable. This field cannot be left
                            blank; in a testing environment, enter the same IP address for
                            the primary and secondary ASE host. If both ASE hosts are
                            unreachable, the request bypasses ASE and is sent directly to
                            the backend API server.

ase_ssl                     Enable or disable SSL communication between the Lambda functions
                            and ASE. The default value is true.

ase_sideband_token          The ASE token generated during the prerequisite step.

Following is a sample aws.properties file:

# Copyright 2019 Ping Identity Corporation. All Rights Reserved.
# Ping Identity reserves all rights in The program as delivered. Unauthorized use, copying,
# modification, reverse engineering, disassembling, attempt to discover any source code or
# underlying ideas or algorithms, creating other works from it, and distribution of this
# program is strictly prohibited. The program or any portion thereof may not be used or
# reproduced in any form whatsoever except as provided by a license without the written
# consent of Ping Identity.  A license under Ping Identity's rights in the Program may be
# available directly from Ping Identity.

#Authentication mode access-key & secret-key / role based access. Values can be keys or role.
mode=keys
#AWS access key
access_key=AKIAID7MDWSCUUVHMTNA
#AWS secret key
secret_key=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
#AWS Lambda memory in MB. It should be a multiple of 64. Minimum and maximum value are 128 and 3008 respectively.
aws_lambda_memory=1024
#Cloudfront distribution ID
cloudfront_distribution_id=EGQ9OEG3ZDABP

#ASE Primary Host <IP/Host>:<port>
ase_host_primary=test.elasticbeam.com
#ASE Secondary Host <IP/Host>:<port>
ase_host_secondary=test.elasticbeam.com
#ASE SSL status
ase_ssl=true
#ASE sideband authentication token
ase_sideband_token=283ded57cd5f48e6bcd8fa3ba9d2888d
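As an added example (not part of the PingIntelligence tool), a small Python check that parses an aws.properties file and verifies the constraints the table above states before deploy.sh is run: valid mode, credentials present in keys mode, Lambda memory a multiple of 64 within 128..3008, no blank ASE hosts, and a boolean ase_ssl. The sample file and its placeholder values are constructed for this example.

```python
# Constructed sample aws.properties (not the page's own file); credential
# values are placeholders, the keys are the ones the table above documents.
SAMPLE_PROPERTIES = """\
mode=keys
access_key=PLACEHOLDER_ACCESS_KEY
secret_key=PLACEHOLDER_SECRET_KEY
aws_lambda_memory=1024
cloudfront_distribution_id=PLACEHOLDER_DIST_ID
ase_host_primary=ase-primary.example.com:443
ase_host_secondary=ase-secondary.example.com:443
ase_ssl=true
ase_sideband_token=PLACEHOLDER_TOKEN
"""

def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def validate(props):
    """Return the list of constraint violations; an empty list means the
    file is consistent with the rules documented for aws.properties."""
    problems = []
    mode = props.get("mode")
    if mode not in ("keys", "role"):
        problems.append("mode must be 'keys' or 'role'")
    if mode == "keys":
        # keys mode stores long-lived AWS credentials in this file; both must be set
        for k in ("access_key", "secret_key"):
            if not props.get(k):
                problems.append(f"{k} is required when mode=keys")
    mem = props.get("aws_lambda_memory", "1024")  # documented default
    if not mem.isdigit() or int(mem) % 64 or not 128 <= int(mem) <= 3008:
        problems.append("aws_lambda_memory must be a multiple of 64 in 128..3008")
    # the secondary host may not be blank; the remaining values are required inputs
    for k in ("cloudfront_distribution_id", "ase_host_primary",
              "ase_host_secondary", "ase_sideband_token"):
        if not props.get(k):
            problems.append(f"{k} cannot be left blank")
    if props.get("ase_ssl", "true") not in ("true", "false"):  # default is true
        problems.append("ase_ssl must be true or false")
    return problems
```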

Create Role

If you have set the authentication mode to role in the aws.properties file, create a role for the EC2 instance. This role is required by the PingIntelligence policy deployment tool. Complete the following steps to create and configure the role.

  1. Select EC2 as the service and click the Next: Permissions button.

  2. Choose the following Policies and provide a name for the role (for example, PIDeploymentToolRole):

    • IAMFullAccess

    • AWSLambdaFullAccess

    • CloudFrontFullAccess

    • AmazonEC2FullAccess

      After providing the name, click Create role.

  3. In the Summary page of the role that you created in step 2, click the Trust relationships tab, then click the Edit trust relationship button.

  4. In the Edit Trust Relationship page, enter the following lines and click Update Trust Policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        },
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }


  5. Attach the role that you created (for example, PIDeploymentToolRole) as the IAM role of the EC2 instance.