Deploying the PingIntelligence policy
About this task
To integrate PingAccess with PingIntelligence components, complete the following steps in PingAccess:
We recommend that you increase the default heap size in PingAccess before deploying the PingIntelligence policy for PingAccess 6.x. Refer to the instructions explained in Modifying the Java heap size for changing the default heap size. For more information, contact PingIdentity support. |
Steps
-
Download the PingIntelligence policy from the Ping Identity download site and unzip it. The zip file contains three policy files based on the JDK version. Use the policy based on your deployment environment.
-
Copy the
PingIntelligence.jar
file into thelib
directory inPA_home
. -
Restart PingAccess.
-
Sign on to PingAccess.
To support fail-over, a secondary ASE is provisioned. Complete the following steps for both Primary and Secondary ASEs. -
Add the Primary ASE as a Third-Party Service:
-
In the left pane click Sites. Navigate to THIRD-PARTY SERVICES and click Add Third-Party Service to add the Primary ASE.
-
In the New Third-Party Service page, enter a name that identifies the Primary ASE in NAME and enter the endpoint used to reach the Primary ASE inTARGET.
Select options under SECURE to connect PingAccess to PingIntelligence ASE using HTTPS.
-
ClickSave.
-
-
Repeat step 5 to add the Secondary ASE as a Third-Party Service. Enter the Name and endpoint specific to the Secondary ASE.
-
Add PingIntelligence sideband rule :
-
In the left pane clickRules. In the new Rule page, in the NAME field, enter the name of the rule for PingIntelligence.
-
In the TYPE drop-down list, select PingIntelligence. This appears in the drop-down list after adding PingIntelligence.jar in PA_HOME in step 3.
-
Select the ASE Endpoint for Primary ASE inPINGINTELLIGENCE ASE ENDPOINT drop-down list.
-
Select the ASE Endpoint for Secondary ASE inPINGINTELLIGENCE ASE ENDPOINT-BACKUP drop-down list.
If the Secondary ASE is not installed, you can choose Primary ASE Endpoint in PINGINTELLIGENCE ASE ENDPOINT-BACKUP drop-down list.
-
In the PINGINTELLIGENCE ASE TOKEN field, enter ASE sideband token that is generated for authentication between PingAccess and ASE.
-
If an OAuth token comes as part of a query string, enter the name of the query string in the PINGINTELLIGENCE QS OAUTH field.
The PingIntelligence policy extracts the OAuth token from the query string, configured in PINGINTELLIGENCE QS OAUTH. A new Authorization header-
Authorization: Bearer <OAuth token>
is added to the metadata sent to ASE. If there is an existing Authorization header, the token is prepended so that ABS AI engine can analyse it. If the query string has multiple query parameters with the same name, the first parameter is intercepted by the policy. -
Select the ENABLE ASYNC MODE to choose Asynchronous mode between PingAccess and ASE.
The PingIntelligence policy supports both synchronous and asynchronous modes of communication between PingAccess and ASE. By default, the communication mode is synchronous. When the asynchronous mode is enabled, the PingAccess gateway does not wait for a response from ASE and sends the request to backend server. ASE performs attack detection without blocking of attacks in asynchronous mode.
-
-
Apply the rule by completing the following steps :
-
Edit the existing application.
-
In the edit application page, click on API Policy.
-
Under Available Rules, click the icon for the PingIntelligence rule.
-
After clicking on the icon, the PingIntelligence rule moves under the API APPLICATION POLICY as shown in the following screen capture.
-
Click Save to save the rule.
You can selectively apply the PingIntellligence sideband rule to individual Resources as well. To apply the sideband rule, click the RESOURCES tab and move the rule from AVAILABLE RULES onto the policy bar. For more information, see Applying rules to applications and resources
-