PingIntelligence

Prerequisites

The prerequisites are divided into three sections. The prerequisites for PingIntelligence apply to both RHEL 7.6 and Ubuntu 16.04. Complete the remaining prerequisites based on your operating system.

Prerequisites for PingIntelligence

This section assumes that you have installed and configured the PingIntelligence software. For more information on PingIntelligence installation, see PingIntelligence setup or PingIntelligence manual deployment.

  • Verify that ASE is in sideband mode: Log in to your ASE machine and check that ASE is in sideband mode by running the following status command:

    /opt/pingidentity/ase/bin/cli.sh status
    API Security Enforcer
    status                  : started
    mode                    : sideband
    http/ws                 : port 80
    https/wss               : port 443
    firewall                : enabled
    abs                     : enabled, ssl: enabled
    abs attack              : disabled
    audit                   : enabled
    sideband authentication : disabled
    ase detected attack     : disabled
    attack list memory      : configured 128.00 MB, used 25.60 MB, free 102.40 MB

    If ASE is not in sideband mode, stop ASE and change the mode by editing the /opt/pingidentity/ase/config/ase.conf file. Set mode to sideband, then start ASE.

  • Enable sideband authentication: For secure communication between NGINX and ASE, enable sideband authentication by entering the following ASE command:

    # ./bin/cli.sh enable_sideband_authentication -u admin -p

  • Generate sideband authentication token: A token is required for NGINX to authenticate with ASE. To generate the token in ASE, enter the following command in the ASE command line:

    # ./bin/cli.sh -u admin -p admin create_sideband_token

    Save the generated authentication token for later use in Configure NGINX for PingIntelligence.
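
The ASE state required above can be checked mechanically before moving on to NGINX. The following script is an added example, not Ping Identity code: it parses the text printed by cli.sh status and fails unless ASE is started, in sideband mode, and has sideband authentication enabled. It assumes the field reads "enabled" once enable_sideband_authentication has been run; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Ping Identity code): gate the NGINX configuration on the
# ASE state reported by `cli.sh status`.

# status_field KEY: read status output on stdin, print the value for KEY.
# Splits on the first ':' only, so "abs : enabled, ssl: enabled" stays intact.
status_field() {
    awk -v key="$1" '
        { i = index($0, ":"); if (i == 0) next
          k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) { print v; exit } }'
}

# ase_preflight STATUS_TEXT: return 0 if ASE is ready for the sideband integration.
# Assumption: after enabling, the field reads "sideband authentication : enabled".
ase_preflight() {
    rc=0
    for want in "status=started" "mode=sideband" "sideband authentication=enabled"; do
        key=${want%%=*}; expected=${want#*=}
        got=$(printf '%s\n' "$1" | status_field "$key")
        if [ "$got" != "$expected" ]; then
            echo "NOT READY: '$key' is '${got:-<missing>}', expected '$expected'" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the status output shown above, taken before sideband
# authentication was enabled, so the preflight reports one failing item.
SAMPLE_STATUS='API Security Enforcer
status                  : started
mode                    : sideband
http/ws                 : port 80
https/wss               : port 443
firewall                : enabled
abs                     : enabled, ssl: enabled
abs attack              : disabled
audit                   : enabled
sideband authentication : disabled
ase detected attack     : disabled
attack list memory      : configured 128.00 MB, used 25.60 MB, free 102.40 MB'

# On the ASE machine, pass the live output instead:
#   ase_preflight "$(/opt/pingidentity/ase/bin/cli.sh status)"
ase_preflight "$SAMPLE_STATUS" || echo "ASE is not ready for the NGINX integration yet"
```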

Prerequisites for RHEL 7.6

Complete the following prerequisites before deploying PingIntelligence policy on NGINX:

  • NGINX version: The PingIntelligence policy modules are compiled for NGINX 1.14.2. If you have a different version of NGINX, contact Ping Identity support.

  • RHEL version: RHEL 7.6. Verify your RHEL version by entering the following command on your machine:

    $ cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 7.6 (Maipo)

  • OpenSSL version: OpenSSL 1.0.2k-fips on your RHEL 7.6 machine. You can check the OpenSSL version using the openssl version command:

    $ openssl version
    OpenSSL 1.0.2k-fips  26 Jan 2017

  • Extract ASE certificate: Complete the following steps to extract the ASE certificate:

    1. Make sure that ASE is running. If ASE is not running, run the following command on the ASE command line to start ASE:

      /opt/pingidentity/ase/bin/start.sh
      Starting API Security Enforcer 4.0.2...
      please see /opt/pingidentity/ase/logs/controller.log for more details

      For more information on starting ASE, see Start and stop ASE.

    2. Run the following command:

      openssl s_client -connect <ASE_IP>:<ASE_PORT>  2>/dev/null </dev/null |  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > test.ase.pi

      This command extracts the ASE certificate and writes it to the test.ase.pi file. Copy the certificate file to the NGINX machine and configure the certificate path in the nginx.conf file.

  • Download dependencies for RHEL: Run the following command to download RHEL dependencies for compiling NGINX:

    # yum install pcre-devel.x86_64 openssl-devel.x86_64 zlib-devel.x86_64 wget gcc

The PingIntelligence modules for NGINX 1.14.2 are specifically compiled for RHEL 7.6 and OpenSSL 1.0.2k-fips. If you do not have these specific versions of RHEL and OpenSSL, contact Ping Identity support.

Prerequisites for Ubuntu 16.04 LTS

Complete the following prerequisites before deploying PingIntelligence policy on NGINX:

  • NGINX version: The PingIntelligence policy modules are compiled for NGINX 1.14.2. If you have a different version of NGINX, contact Ping Identity support.

  • Ubuntu version: Ubuntu 16.04 LTS. Run the following command to check your Ubuntu version:

    $ cat /etc/os-release
    NAME="Ubuntu"
    VERSION="16.04.6 LTS (Xenial Xerus)"
    ID=ubuntu
    ID_LIKE=debian
    PRETTY_NAME="Ubuntu 16.04.6 LTS"
    VERSION_ID="16.04"
    HOME_URL="http://www.ubuntu.com/"
    SUPPORT_URL="http://help.ubuntu.com/"
    BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
    VERSION_CODENAME=xenial
    UBUNTU_CODENAME=xenial

  • OpenSSL version: OpenSSL 1.0.2g. You can check the OpenSSL version using the openssl version command:

    $ openssl version
    OpenSSL 1.0.2g  26 Jan 2017

  • Extract ASE certificate: Complete the following steps to extract the ASE certificate:

    1. Make sure that ASE is running. If ASE is not running, run the following command on the ASE command line to start ASE:

      /opt/pingidentity/ase/bin/start.sh
      Starting API Security Enforcer 4.0.2...
      please see /opt/pingidentity/ase/logs/controller.log for more details

      For more information on starting ASE, see Start and stop ASE.

    2. Run the following command:

      openssl s_client -connect <ASE_IP>:<ASE_PORT>  2>/dev/null </dev/null |  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > test.ase.pi

      This command extracts the ASE certificate and writes it to the test.ase.pi file. Copy the certificate file to the NGINX machine and configure the certificate path in the nginx.conf file.

  • Download dependencies for Ubuntu: Run the following command to download Ubuntu dependencies for compiling NGINX:

    # apt-get -yq install make g++ gcc libpcre3 libpcre3-dev apt-utils zlib1g zlib1g-dev curl openssl libssl-dev

The PingIntelligence modules are specifically compiled for Ubuntu 16.04 and OpenSSL 1.0.2g. If you do not have these specific versions of Ubuntu and OpenSSL, contact Ping Identity support.
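
The certificate extraction command used in both the RHEL and Ubuntu sections discards stderr, so a failed connection leaves an empty test.ase.pi and no error message, and the certificate it does capture is accepted without any verification. The following script is an added example, not Ping Identity code: it checks the extracted file before it is copied to the NGINX machine and can compare its SHA-256 fingerprint with a value obtained out of band on the ASE host. The function names are hypothetical and the expected fingerprint is an input you supply.

```shell
#!/bin/sh
# Added example (not Ping Identity code): validate the file written by the
# s_client | sed pipeline, which stays silent when the connection fails.

# Print the number of complete PEM certificate blocks in FILE (0 if malformed).
count_pem_certs() {
    begin=$(grep -c -- '-BEGIN CERTIFICATE-' "$1" 2>/dev/null || true)
    end=$(grep -c -- '-END CERTIFICATE-' "$1" 2>/dev/null || true)
    if [ "${begin:-0}" -eq "${end:-0}" ]; then echo "${begin:-0}"; else echo 0; fi
}

# Print the SHA-256 fingerprint of the certificate in FILE as upper-case hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^.*=//' | tr 'a-f' 'A-F'
}

# check_ase_cert FILE [EXPECTED_FINGERPRINT]
# Returns 0 only if FILE holds exactly one parseable, unexpired certificate and,
# when EXPECTED_FINGERPRINT (obtained out of band) is given, the two match.
check_ase_cert() {
    file=$1; expected=${2:-}
    if [ ! -s "$file" ]; then
        echo "FAIL: $file is missing or empty; did s_client connect?" >&2
        return 1
    fi
    if [ "$(count_pem_certs "$file")" -ne 1 ]; then
        echo "FAIL: expected exactly one complete PEM certificate" >&2
        return 1
    fi
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate is unparseable or already expired" >&2
        return 1
    fi
    actual=$(cert_fingerprint "$file")
    openssl x509 -in "$file" -noout -subject -enddate
    echo "sha256 fingerprint: $actual"
    if [ -n "$expected" ]; then
        expected=$(printf '%s' "$expected" | tr 'a-f' 'A-F')
        if [ "$actual" != "$expected" ]; then
            echo "FAIL: fingerprint differs from the expected value" >&2
            return 1
        fi
    fi
    return 0
}

# Run directly: sh check_ase_cert.sh test.ase.pi [EXPECTED_FINGERPRINT]
if [ $# -ge 1 ]; then check_ase_cert "$@"; fi
```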