PingIntelligence

Install PingIntelligence Dashboard

Complete the following steps to install PingIntelligence Dashboard.

  1. Create a <ping_install_dir> directory on your host machine. Make sure that the user has read and write permissions for the <ping_install_dir> directory.

  2. Download the PingIntelligence Dashboard binary

  3. Download Elasticsearch 6.8.1 (macOS/RHEL)

  4. Change directory to <ping_install_dir>:

    # cd pi_install_dir

  5. Untar the PingIntelligence Dashboard:

    # tar -zxf pi-api-dashboard-5.1.tar.gz

  6. Change directory to pingidentity/webgui/:

    # cd pingidentity/webgui/

  7. Install PingIntelligence Dashboard by entering the following command and following the instructions displayed at the prompt:

    # ./bin/pi-install-ui.sh
    
    elasticsearch-7.13.4.tar.gz file path >
    Use bundled ssl key and self signed certificate for ui server [y/n]?  >[y]
    Use default password [changeme] for all components and users [y/n]?  >[y]
    ABS url  >[https://127.0.0.1:8080]
    ABS access key  >[abs_ak]
    ABS secret key  >[abs_sk]
    API Service URL  >[https://127.0.0.1:8050]
    Kafka Host:Port >[127.0.0.1:9093]
    Kafka Authentication username  >[pi4api_de_user]
    Kafka Group ID  >[pi4api.data-engine]
    ASE management url  >[]
    extracting elasticsearch package
    creating elasticsearch config keystore
    warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME
    Created elasticsearch keystore in <pi_install_dir>/pingidentity/elasticsearch/config/elasticsearch.keystore
    elasticsearch config keystore created
    Generating a 2048 bit RSA private key
    ..........................................+++
    ........................+++
    writing new private key to 'config/ssl/autogen_es.key'
    -----
    creating password protected pkcs#12 keystore for elasticsearch private key and certificate
    pkcs#12 keystore created at config/ssl/elastic-certificates.p12
    warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME
    warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME
    warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME
    configuring elasticsearch. Please wait 15 seconds
    warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME
    warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME
    OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
    elasticsearch config is completed
    configuring dataengine
    configuring webgui
    starting webgui for configuration update
    WebGUI configured for UTC timezone.
    WebGUI 5.1 starting...
    please see <pi_install_dir>/pingidentity/webgui/logs/admin/admin.log for more details
    success: password updated.
    Note: All active sessions for this user are invalidated. Login with new credentials
    success: password updated.
    Note: All active sessions for this user are invalidated. Login with new credentials
    WebGUI 5.1
    WebGUI is stopped.
    webgui configuration done
    
    UI configuration done
    writing internal credentials to <pi_install_dir>/pingidentity/webgui/install/webgui_internal.creds
    Start UI [y/n]?  >[y]
    starting elasticsearch...
    warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME
    warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME
    OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
    elasticsearch started
    starting dataengine
    Data Engine configured for UTC timezone.
    PingIntelligence Data Engine 5.1 starting...
    Data-Engine started
    starting webgui
    WebGUI configured for UTC timezone.
    WebGUI 5.1 starting...
    please see <pi_install_dir>/pingidentity/webgui/logs/admin/admin.log for more details
    Please access WebGUI at https://<pi_install_host>:8030
    
    <pi_install_host> can be ip address, hostname or fully qualified domain name of this server.
    <pi_install_host> should be reachable from your computer.
    
    Credentials:
      1) Username: admin
         Password: changeme
      2) Username: ping_user
         Password: changeme
    
    Important Actions:
    1) Credentials for all internal components are available in <pi_install_dir>/pingidentity/webgui/install/webgui_internal.creds file.
        Move this file from this server and securely keep it elsewhere.
        For any debugging purposes you will be asked to get credentials for a component from this file.
    2) Following obfuscation master keys are auto-generated
          <pi_install_dir>/pingidentity/webgui/config/webgui_master.key
          <pi_install_dir>/pingidentity/dataengine/config/dataengine_master.key

The ASE management url is an optional parameter.
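The "Important Actions" printed at the end of the installer output can be checked after the fact. The script below is an added example, not part of the PingIntelligence distribution: `secrets_audit` is a hypothetical helper, the paths are the ones shown in the installer output, and the owner-only permission requirement on the master keys is an assumption of this example.

```shell
#!/bin/sh
# Added example: check the installer's two "Important Actions" after install.
# Paths come from the installer output above; requiring owner-only permissions
# on the master keys is an assumption of this example.

# secrets_audit PI_INSTALL_DIR -> one finding per line; status 1 if any finding
secrets_audit() {
    base=$1/pingidentity
    rc=0
    creds=$base/webgui/install/webgui_internal.creds
    if [ -e "$creds" ]; then
        echo "PRESENT $creds"; rc=1      # should have been moved off this server
    fi
    for key in "$base/webgui/config/webgui_master.key" \
               "$base/dataengine/config/dataengine_master.key"; do
        if [ ! -f "$key" ]; then
            echo "MISSING $key"; rc=1
            continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        mode=$(ls -ld "$key" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "OPEN $key ($mode)"; rc=1
        fi
    done
    return $rc
}

# Constructed demo tree (not a real install): creds file left in place,
# one master key world-readable, one owner-only.
demo=$(mktemp -d)
mkdir -p "$demo/pingidentity/webgui/install" "$demo/pingidentity/webgui/config" \
         "$demo/pingidentity/dataengine/config"
: > "$demo/pingidentity/webgui/install/webgui_internal.creds"
: > "$demo/pingidentity/webgui/config/webgui_master.key"
: > "$demo/pingidentity/dataengine/config/dataengine_master.key"
chmod 600 "$demo/pingidentity/webgui/config/webgui_master.key"
chmod 644 "$demo/pingidentity/dataengine/config/dataengine_master.key"
secrets_audit "$demo" || echo "post-install actions outstanding"
```

On a real host, pass the installation directory as the argument; an empty result with exit status 0 means the credentials file is gone and both keys are owner-only.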

Verify the installation

You can verify the installation by checking the process ID (PID) of each component. The PID files of the components are at the following locations:

  • Elasticsearch: <pi_install_dir>/elasticsearch/logs/elasticsearch.pid

  • Dataengine: <pi_install_dir>/dataengine/logs/dashboard.pid

  • Webgui: <pi_install_dir>/webgui/logs/webgui.pid
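A PID file only proves that a component started at some point, so the useful check is whether the recorded PID is still alive. The script below is an added example, not part of the PingIntelligence distribution; `pid_status` and `check_dashboard` are hypothetical helper names, and the demo directory is constructed so the script runs without an installation.

```shell
#!/bin/sh
# Added example: map each documented PID file to a component state.

# pid_status FILE -> prints "running <pid>", "stale <pid>", "invalid" or "missing"
pid_status() {
    file=$1
    [ -f "$file" ] || { echo "missing"; return 0; }
    pid=$(tr -d '[:space:]' < "$file")
    case $pid in
        ''|0|*[!0-9]*) echo "invalid"; return 0 ;;
    esac
    # kill -0 delivers no signal; it only tests that the PID exists and that
    # this user may signal it, so run as the Dashboard's user or as root.
    if kill -0 "$pid" 2>/dev/null; then
        echo "running $pid"
    else
        echo "stale $pid"
    fi
}

# check_dashboard DIR -> one line per component; status 0 only if all are running.
# DIR is the directory that holds elasticsearch/, dataengine/ and webgui/.
check_dashboard() {
    base=$1
    rc=0
    for entry in \
        "Elasticsearch:elasticsearch/logs/elasticsearch.pid" \
        "Dataengine:dataengine/logs/dashboard.pid" \
        "Webgui:webgui/logs/webgui.pid"
    do
        state=$(pid_status "$base/${entry#*:}")
        printf '%-14s %s\n' "${entry%%:*}" "$state"
        case $state in running*) ;; *) rc=1 ;; esac
    done
    return $rc
}

# Constructed demo layout (not a real install): live PID, stale PID, missing file.
demo=$(mktemp -d)
mkdir -p "$demo/elasticsearch/logs" "$demo/dataengine/logs" "$demo/webgui/logs"
echo "$$" > "$demo/elasticsearch/logs/elasticsearch.pid"
echo 99999999 > "$demo/dataengine/logs/dashboard.pid"   # above Linux's maximum pid_max
check_dashboard "$demo" || echo "one or more components are not running"
```

A PID file left behind by a crash can name a PID the kernel has since reused, so confirm a "running" result against the process name with ps when a component misbehaves.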

Tune Dashboard performance parameters

Configure the following three parameters for better Dashboard performance. Take note of these tuning parameters if you have your own setup of Elasticsearch.

If you used PingIntelligence automated deployment or the pi-install-ui.sh script to deploy the Dashboard, this tuning is done as part of the installation.

| Parameter | Description | Location |
|---|---|---|
| Elasticsearch | | |
| -Xms and -Xmx | Xms - Defines the minimum heap size of Elasticsearch. Set it to 4GB as Xms4g. Xmx - Defines the maximum heap size of Elasticsearch. Set it to 4GB as Xmx4g. | $ES_HOME/config/jvm.options |
| thread_pool.search.size | Defines thread pool size for count/search/suggest operations in Elasticsearch. Configure it to 50% of total CPUs allocated. | $ES_HOME/config/elasticsearch.yml |

Mitigating XSS

To detect and mitigate attacks like Cross Site Scripting (XSS), PingIntelligence Dashboard implements Content Security Policy (CSP). The following are the configuration details.

Response header - Content-Security-Policy
Response header value - default-src 'self'; font-src 'self' use.typekit.net; script-src 'self' use.typekit.net; style-src 'self' 'unsafe-inline' use.typekit.net p.typekit.net; img-src 'self' data: p.typekit.net;
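To confirm that a deployment still serves this policy (for example after a reverse proxy has been placed in front of the Dashboard), compare the header directive by directive rather than as a string, since source order does not matter. The script below is an added example, not PingIntelligence code; the function names are hypothetical and the sample response headers are constructed.

```shell
#!/bin/sh
# Added example. EXPECTED_CSP is the header value documented above.
EXPECTED_CSP="default-src 'self'; font-src 'self' use.typekit.net; script-src 'self' use.typekit.net; style-src 'self' 'unsafe-inline' use.typekit.net p.typekit.net; img-src 'self' data: p.typekit.net;"

# csp_from_headers: raw response headers on stdin -> Content-Security-Policy value
csp_from_headers() {
    tr -d '\r' | awk 'tolower($0) ~ /^content-security-policy:/ {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# csp_sources POLICY DIRECTIVE -> sorted source list of DIRECTIVE (empty if absent).
# Only the first occurrence of a directive counts, as in CSP itself.
csp_sources() {
    printf '%s\n' "$1" | tr ';' '\n' | while read -r name sources; do
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')   # names are case-insensitive
        if [ "$name" = "$2" ]; then
            printf '%s\n' "$sources" | tr -s '[:space:]' '\n' | LC_ALL=C sort | paste -sd' ' -
            break
        fi
    done
}

# csp_audit POLICY -> one finding per line; status 1 on any deviation from EXPECTED_CSP
csp_audit() {
    rc=0
    for d in default-src font-src script-src style-src img-src; do
        want=$(csp_sources "$EXPECTED_CSP" "$d")
        got=$(csp_sources "$1" "$d")
        if [ -z "$got" ]; then
            echo "MISSING $d"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "CHANGED $d: $got"; rc=1
        fi
    done
    # Inline or eval'd script is what this policy exists to block.
    case " $(csp_sources "$1" script-src) " in
        *" 'unsafe-inline' "*|*" 'unsafe-eval' "*|*" * "*) echo "WEAK script-src"; rc=1 ;;
    esac
    return $rc
}

# Constructed response headers (not captured from a Dashboard): script-src loosened.
SAMPLE_HEADERS="HTTP/1.1 200 OK
content-security-policy: default-src 'self'; font-src 'self' use.typekit.net; script-src 'self' 'unsafe-inline' use.typekit.net; style-src 'self' 'unsafe-inline' use.typekit.net p.typekit.net; img-src 'self' data: p.typekit.net;"
csp_audit "$(printf '%s\n' "$SAMPLE_HEADERS" | csp_from_headers)" || echo "policy deviates"
```

Against a live install, feed `csp_from_headers` the output of `curl -skI https://<pi_install_host>:8030` (`-k` because of the bundled self-signed certificate), assuming the Dashboard sends the header on that response.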