--- title: Preparing to deploy the PingIntelligence policy description: Complete the following prerequisites before deploying the PingIntelligence policy. component: pingintelligence version: 5.2 page_id: pingintelligence:pingintelligence_integrations:pingintelligence_nginx_prepare canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/pingintelligence_integrations/pingintelligence_nginx_prepare.html revdate: April 3, 2024 section_ids: about-this-task: About this task steps: Steps result: Result: choose-from: Choose from: --- # Preparing to deploy the PingIntelligence policy Complete the following prerequisites before deploying the PingIntelligence policy. ## About this task The PingIntelligence policy modules are complied for NGINX 1.14.2. If you have a different version of NGINX, contact Ping Identity support. Before deploying the PingIntelligence policy: ## Steps 1. Install and configure the PingIntelligence software as follows. For more information on installing PingIntelligence, see [PingIntelligence automated deployment for virtual machines and servers](../installing_pingintelligence_for_apis/pingintelligence_automated_deployment.html) or [PingIntelligence manual deployment](../installing_pingintelligence_for_apis/pingintelligence_manual_deployment.html). 1. Sign on to your ASE machine and check that ASE is in `sideband` mode by running the following `status` command: ``` /opt/pingidentity/ase/bin/cli.sh status ``` ### Result: ``` API Security Enforcer status : started mode : sideband http/ws : port 80 https/wss : port 443 firewall : enabled abs : enabled, ssl: enabled abs attack : disabled audit : enabled sideband authentication : disabled ase detected attack : disabled attack list memory : configured 128.00 MB, used 25.60 MB, free 102.40 MB ``` If ASE is not in `sideband` mode, then stop ASE and change the mode by editing the `/opt/pingidentity/ase/config/ase.conf` file. Set `mode` as `sideband` and start ASE. 1. For secure communication between NGINX and ASE, enable sideband authentication by entering the following ASE command: ``` # ./bin/cli.sh enable_sideband_authentication -u admin –p ``` 2. To generate the sideband authentication token in ASE, enter the following command in the ASE command line and save the token for further use in [Configuring NGINX for PingIntelligence](pingintelligence_configure_nginx_sideband.html). A token is required for NGINX to authenticate with ASE. ``` # ./bin/cli.sh -u admin -p admin create_sideband_token ``` 2. Configure the following for your operating system: ### Choose from: * RHEL 7.6: | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The PingIntelligence modules for NGINX 1.14.2 are specifically compiled for RHEL 7.6 and OpenSSL `1.0.2k-fips`. If you do not have these specific versions of RHEL and OpenSSL, contact Ping Identity support. | 1. Verify your RHEL version by entering the following command on your machine: ```shell $ cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.6 (Maipo) ``` 2. Open OpenSSL `1.0.2k-fips` on your RHEL 7.6 machine and check the OpenSSL version using the `openssl version` command: ```shell $ openssl version OpenSSL 1.0.2k-fips 26 Jan 2017 ``` 3. Extract the ASE certificate: 1. Make sure that ASE is running. If ASE is not running, run the following command on ASE command line to start ASE: ``` /opt/pingidentity/ase/bin/start.sh Starting API Security Enforcer 4.0.2... please see /opt/pingidentity/ase/logs/controller.log for more details ``` For more information on starting ASE, see [Starting and stopping ASE](../pingintelligence_reference_guide/pingintelligence_starting_and_stopping_ase.html) 1. Run the following command to extract the ASE certificate and append it in the `test.ase.pi` file: ``` openssl s_client -connect : 2>/dev/null test.ase.pi ``` 2. Copy the certificate file to the NGINX machine and configure the certificate path in the `nginx.conf` file. 1. Run the following command to download RHEL dependencies for compiling NGINX: ``` # yum install pcre-devel.x86_64 openssl-devel.x86_64 zlib-devel.x86_64 wget gcc ``` * Ubuntu 16.0.4 LTS: | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The PingIntelligence modules are specifically compiled for Ubuntu 16.0.4 and OpenSSL `1.0.2g`. If you do not have these specific versions of Ubuntu and OpenSSL, contact Ping Identity support. | 1. Run the following command to check your Ubuntu version: ```shell $ cat /etc/os-release NAME="Ubuntu" VERSION="16.04.6 LTS (Xenial Xerus)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 16.04.6 LTS" VERSION_ID="16.04" HOME_URL="http://www.ubuntu.com/" SUPPORT_URL="http://help.ubuntu.com/" BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/" VERSION_CODENAME=xenial UBUNTU_CODENAME=xenial ``` 2. OpenSSL `1.0.2g` and check the OpenSSL version using the `openssl version` command: ```shell $ openssl version OpenSSL 1.0.2g 26 Jan 2017 ``` 3. Extract the ASE certificate: 1. Make sure that ASE is running. If ASE is not running, run the following command on ASE command line to start ASE: ``` /opt/pingidentity/ase/bin/start.sh Starting API Security Enforcer 4.0.2... please see /opt/pingidentity/ase/logs/controller.log for more details ``` For more information on starting ASE, see [Starting and stopping ASE](../pingintelligence_reference_guide/pingintelligence_starting_and_stopping_ase.html). 1. Run the following command to extract the ASE certificate and append in the `test.ase.pi` file: ``` openssl s_client -connect : 2>/dev/null test.ase.pi ``` 2. Copy the certificate file to the NGINX machine and configure the certificate path in the `nginx.conf` file. 1. Run the following command to download Ubuntu dependencies for compiling NGINX: ``` # apt-get -yq install make g++ gcc libpcre3 libpcre3-dev apt-utils zlib1g zlib1g-dev curl openssl libssl-dev ```