---
title: Preparing to run the AWS policy tool
description: Before running the PingIntelligence AWS policy tool, complete the following prerequisites.
component: pingintelligence
version: 5.2
page_id: pingintelligence:pingintelligence_integrations:pingintelligence_preparing_aws_policy_tool
canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/pingintelligence_integrations/pingintelligence_preparing_aws_policy_tool.html
revdate: April 3, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  result: Result:
  troubleshooting: Troubleshooting:
---

# Preparing to run the AWS policy tool

Before running the PingIntelligence AWS policy tool, complete the following prerequisites.

## About this task

Complete the steps below before running the PingIntelligence AWS policy tool.

## Steps

1. Install OpenJDK 11 on the system running the PingIntelligence policy tool.

2. Install and configure the PingIntelligence software. Refer to the PingIntelligence deployment guide for your environment.

   To deploy the PingIntelligence sideband policy, you must have an AWS admin account.

   Make sure that AWS cross-account access is not used to deploy the PingIntelligence policy.

3. To update the CloudFront configuration, verify the following options are configured correctly:

   1. The PingIntelligence policy deployment tool requires that CloudFront be available with caching disabled for all CloudFront behaviors. Select **None (Improves Caching)** from the **Cache Based on Selected Request Headers** drop-down list.

   2. Confirm that **Minimum TTL**, **Maximum TTL**, and the **Default TTL** are set to 0.

   3. For **Forward Cookies**, select **All** from the drop-down list.

   4. Under **Query String Forwarding and Caching**, select **Forward all, cache based on all** from the drop-down list.

   ![A screenshot of Edit Behavior page. A yellow box is around the Cache Based on Selected Request Headers field, the TTL fields, and the Forward Cookies + Query String Forwarding and Caching fields.](../_images/llr1564009224321.png)

4. The PingIntelligence policy tool requires viewer request and origin response Lambda functions. Make sure that there is no viewer request or origin response Lambda function defined in the caching behavior.

5. Verify that ASE is in sideband mode by running the following command in the ASE command line:

   ```
   /opt/pingidentity/ase/bin/cli.sh status
   ```

   ### Result:

   ```
   API Security Enforcer
   status                  : started
   mode                    : sideband
   http/ws                 : port 80
   https/wss               : port 443
   firewall                : enabled
   abs                     : enabled, ssl: enabled
   abs attack              : disabled
   audit                   : enabled
   sideband authentication : disabled
   ase detected attack     : disabled
   attack list memory      : configured 128.00 MB, used 25.60 MB, free 102.40 MB
   ```

   ### Troubleshooting:

   If ASE is not in `sideband` mode, stop ASE and change the mode by editing the `/opt/pingidentity/ase/config/ase.conf` file. Set `mode` to `sideband`, then start ASE.

6. For secure communication between CloudFront and ASE, enable sideband authentication by entering the following command in the ASE command line:

   ```
   # ./bin/cli.sh enable_sideband_authentication -u admin -p
   ```

7. A token is required for CloudFront to authenticate with ASE. This token is generated in ASE and configured in the `aws.properties` file of the PingIntelligence automated policy tool. To generate the token in ASE, enter the following command in the ASE command line and save the generated authentication token for further use:

   ```
   # ./bin/cli.sh -u admin -p admin create_sideband_token
   ```

8. **Optional:** For improved performance, set the `enable_sideband_keepalive` parameter to `true` in the `ase.conf` file.

   For more information, see [Sideband ASE configuration using the `ase.conf` file](../pingintelligence_reference_guide/pingintelligence_sideband_ase_configuration.html).
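
The CloudFront checks in steps 3 and 4 can also be run against the distribution's JSON configuration rather than the console. The script below is an added example, not part of the PingIntelligence tooling: it assumes behaviors that use the legacy `ForwardedValues` cache settings in the shape returned by `aws cloudfront get-distribution-config`, and the function names and sample behaviors are constructed for illustration.

```python
import json
import sys

# Lambda@Edge event types that must be unused before the tool runs (step 4).
RESERVED_EVENTS = {"viewer-request", "origin-response"}

def check_behavior(name, b):
    """Return findings for one cache behavior that uses legacy cache settings."""
    fv = b.get("ForwardedValues")
    if fv is None:
        # Behavior uses a cache policy; the step 3 settings live in that policy.
        out = [f"{name}: uses a cache policy, review its settings separately"]
    else:
        out = []
        if fv.get("Headers", {}).get("Quantity", 0) != 0:
            out.append(f"{name}: cache is based on request headers, expected None")
        if fv.get("Cookies", {}).get("Forward") != "all":
            out.append(f"{name}: Forward Cookies is not All")
        if not fv.get("QueryString") or fv.get("QueryStringCacheKeys", {}).get("Quantity", 0):
            out.append(f"{name}: query strings are not 'Forward all, cache based on all'")
        for ttl in ("MinTTL", "DefaultTTL", "MaxTTL"):
            if b.get(ttl) != 0:
                out.append(f"{name}: {ttl} is {b.get(ttl)}, expected 0")
    for assoc in b.get("LambdaFunctionAssociations", {}).get("Items") or []:
        if assoc.get("EventType") in RESERVED_EVENTS:
            out.append(f"{name}: {assoc['EventType']} Lambda function is already defined")
    return out

def check_distribution(config):
    """Check the default behavior and every path-pattern behavior."""
    out = check_behavior("default", config["DefaultCacheBehavior"])
    for b in config.get("CacheBehaviors", {}).get("Items") or []:
        out += check_behavior(b["PathPattern"], b)
    return out

def _behavior(default_ttl=0, cookies="all", events=()):
    """Build a constructed sample behavior (not from a real distribution)."""
    return {"ForwardedValues": {"QueryString": True, "Cookies": {"Forward": cookies},
                                "Headers": {"Quantity": 0},
                                "QueryStringCacheKeys": {"Quantity": 0}},
            "MinTTL": 0, "DefaultTTL": default_ttl, "MaxTTL": default_ttl,
            "LambdaFunctionAssociations": {"Quantity": len(events),
                "Items": [{"EventType": e, "LambdaFunctionARN": "arn:placeholder"} for e in events]}}

SAMPLE = {"DefaultCacheBehavior": _behavior(),
          "CacheBehaviors": {"Quantity": 1, "Items": [
              dict(_behavior(86400, "none", ["viewer-request"]), PathPattern="/api/*")]}}

if __name__ == "__main__":
    # With a file argument, read the saved configuration JSON; otherwise use SAMPLE.
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    cfg = cfg.get("DistributionConfig", cfg)
    print("\n".join(check_distribution(cfg)) or "all behaviors match steps 3 and 4")
```

Run it with the path to a saved configuration file as the only argument; with no argument it checks the constructed sample, whose `/api/*` behavior fails on cookies, TTLs, and an existing viewer request function.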
