---
title: Prerequisites
description: Complete the following before running the PingIntelligence AWS policy tool.
component: pingintelligence
version: 5.1
page_id: pingintelligence:pingintelligence_integrations:pingintelligence_prerequisites_aws_policy_tool
canonical_url: https://docs.pingidentity.com/pingintelligence/5.1/pingintelligence_integrations/pingintelligence_prerequisites_aws_policy_tool.html
revdate: March 20, 2024
---

# Prerequisites

Complete the following before running the PingIntelligence AWS policy tool.

**Prerequisite:**

* Install OpenJDK 11 on the system running the PingIntelligence policy tool.

* **Install PingIntelligence software**

  PingIntelligence should be installed and configured. Refer to the PingIntelligence deployment guide for your environment.

* **AWS admin account**: To deploy the PingIntelligence sideband policy, an AWS admin account is required.

  |   |                                                                                     |
  | - | ----------------------------------------------------------------------------------- |
  |   | Make sure that AWS cross-account is **not** used to deploy PingIntelligence policy. |

* **Update CloudFront configuration**: Verify the following options are configured correctly:

  * **Disable Caching**: The PingIntelligence policy deployment tool requires that CloudFront be available with caching disabled for all CloudFront behaviors. Select **None (Improves Caching)** from the **Cache Based on Selected Request Headers** drop-down list.

  * **TTL**: Confirm that **Minimum TTL**, **Maximum TTL**, and **Default TTL** are set to 0.

  * **Forward Cookies**: Select **All** from the drop-down list.

  * **Query String Forwarding and Caching**: Select **Forward all, cache based on all** from the drop-down list.

  ![llr1564009224321](../_images/llr1564009224321.png)

* **Lambda function**: The PingIntelligence policy tool requires the viewer request and origin response Lambda functions. Make sure that no viewer request or origin response Lambda function is defined in the caching behavior.

* **Verify that ASE is in sideband mode**: Check whether ASE is in `sideband` mode by running the following command in the ASE command line:

  ```
  /opt/pingidentity/ase/bin/cli.sh status
  API Security Enforcer
  status                  : started
  mode                    : sideband
  http/ws                 : port 80
  https/wss               : port 443
  firewall                : enabled
  abs                     : enabled, ssl: enabled
  abs attack              : disabled
  audit                   : enabled
  sideband authentication : disabled
  ase detected attack     : disabled
  attack list memory      : configured 128.00 MB, used 25.60 MB, free 102.40 MB
  ```

  If ASE is not in `sideband` mode, stop ASE and change the mode by editing the `/opt/pingidentity/ase/config/ase.conf` file. Set `mode` to `sideband`, then start ASE.

* **Enable sideband authentication:** For secure communication between CloudFront and ASE, enable sideband authentication by entering the following command in the ASE command line:

  ```
  # ./bin/cli.sh enable_sideband_authentication -u admin -p
  ```

* **Generate sideband authentication token**

  A token is required for CloudFront to authenticate with ASE. This token is generated in ASE and configured in the `aws.properties` file of the PingIntelligence automated policy tool. To generate the token in ASE, enter the following command in the ASE command line:

  ```
  # ./bin/cli.sh -u admin -p admin create_sideband_token
  ```

  Save the generated authentication token for further use.

|   |                                                                                                                                                                                                                                                                                      |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | For improved performance, you can optionally set the `enable_sideband_keepalive` parameter to *true* in the `ase.conf` file. For more information, see [Sideband ASE configuration using the `ase.conf` file](../api_security_enforcer/pingintelligence_sideband_ase_configuration.html). |
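
One way to check the CloudFront and Lambda function prerequisites above before running the policy tool, as an added example (not PingIntelligence code): it inspects the JSON returned by `aws cloudfront get-distribution-config` and reports every behavior that violates them. It assumes behaviors use the legacy `ForwardedValues` settings this page describes; the function names and the sample distribution are constructed for illustration.

```python
import json
import sys

# Event types the Lambda function prerequisite says must be free in each behavior.
RESERVED_EVENTS = {"viewer-request", "origin-response"}

def check_behavior(name, b):
    """Return the prerequisite violations found in one cache behavior."""
    problems = []
    fv = b.get("ForwardedValues")
    if fv is None:
        # Assumption: no legacy settings means a cache policy is attached; flag for review.
        problems.append(f"{name}: no ForwardedValues (cache policy in use?), verify manually")
    else:
        if fv.get("Headers", {}).get("Quantity", 0) != 0:
            problems.append(f"{name}: headers forwarded, expected None (Improves Caching)")
        if fv.get("Cookies", {}).get("Forward") != "all":
            problems.append(f"{name}: Forward Cookies is not All")
        if not fv.get("QueryString") or fv.get("QueryStringCacheKeys", {}).get("Quantity", 0):
            problems.append(f"{name}: query strings not 'Forward all, cache based on all'")
        for key in ("MinTTL", "DefaultTTL", "MaxTTL"):
            if b.get(key) != 0:
                problems.append(f"{name}: {key} is {b.get(key)}, expected 0")
    for assoc in b.get("LambdaFunctionAssociations", {}).get("Items") or []:
        if assoc.get("EventType") in RESERVED_EVENTS:
            problems.append(f"{name}: existing {assoc['EventType']} Lambda function")
    return problems

def check_distribution(doc):
    """Check the default behavior and every additional behavior of a distribution config."""
    cfg = doc.get("DistributionConfig", doc)
    problems = check_behavior("default", cfg["DefaultCacheBehavior"])
    for b in cfg.get("CacheBehaviors", {}).get("Items") or []:
        problems += check_behavior(b.get("PathPattern", "?"), b)
    return problems

# Constructed sample, not from a real account: the default behavior is compliant, /api/* is not.
OK_FV = {"QueryString": True, "Cookies": {"Forward": "all"},
         "Headers": {"Quantity": 0}, "QueryStringCacheKeys": {"Quantity": 0}}
SAMPLE = {"DistributionConfig": {
    "DefaultCacheBehavior": {"ForwardedValues": OK_FV, "MinTTL": 0, "DefaultTTL": 0, "MaxTTL": 0},
    "CacheBehaviors": {"Quantity": 1, "Items": [{
        "PathPattern": "/api/*", "MinTTL": 0, "DefaultTTL": 86400, "MaxTTL": 31536000,
        "ForwardedValues": dict(OK_FV, Cookies={"Forward": "none"}),
        "LambdaFunctionAssociations": {"Quantity": 1, "Items": [{"EventType": "viewer-request",
            "LambdaFunctionARN": "arn:aws:lambda:us-east-1:111111111111:function:example:1"}]}}]}}}
if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(check_distribution(doc)) or "no violations found")
```

Pass the path of a saved `get-distribution-config` response as the first argument to check a real distribution; with no argument the script checks the constructed sample.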
