PingIntelligence

Changing settings in dashboard-defaults.yml

You can change the default settings of PingIntelligence Dashboard by editing the /<pi-install-path>/pingidentity/pi-api-deployment/config/dashboard-defaults.yml file.

The following table lists the variables that you can set for PingIntelligence Dashboard in various configurations.

Variable Description

port

Port number to connect to PingIntelligence Dashboard.

authentication_mode

Defines the mode in which Dashboard authenticates. The valid values are native and sso.

You should use native authentication for proof-of-concept deployments.

session_max_age

Defines the maximum time for a session. The configured values should be in the form of <number><duration_suffix>. Duration should be > 0. Allowed duration_suffix values: m for minutes, h for hours, and d for days.

max_active_sessions

Defines the maximum number of active UI sessions at any given time. The value should be greater than 1.

admin_password and ping_user_password

The passwords for webgui admin and ping_user accounts.

admin_password and ping_user_password are applicable in native authentication_mode only.

Single sign-on (SSO) configurations - Applicable only when authentication_mode is set as sso

sso_oidc_client_id

Client ID value configured in the identity provider.

sso_oidc_client_secret

Client secret configured for the corresponding Client ID.

sso_oidc_client_authentication_method

OpenID Connect (OIDC) client authentication mode. The valid values are BASIC, POST, or NONE.

sso_oidc_provider_issuer_uri

HTTPS IP address of OIDC provider. Also, place the SSO provider’s issuer-certificate in the following path: <installation_path>/pingidentity/certs/webgui/

sso_oidc_provider_user_uniqueid_claim_name

Claim name for unique ID of the user in UserInfo response. A new user is provisioned using this unique ID value.

sso_oidc_provider_user_first_name_claim_name

Claim name for first name of the user in UserInfo response. Either first name or last name can be empty, but both should not be empty.

sso_oidc_provider_user_last_name_claim_name

Claim name for last name of the user in UserInfo response. Either first name or last name can be empty, but both should not be empty.

sso_oidc_provider_user_role_claim_name

Claim name for role of the user in UserInfo response. The default value is role.

sso_oidc_client_additional_scopes

Additional scopes in the authorization request. Multiple scopes should be comma (,) separated values. The openid and profile scopes are always requested.

End-of-SSO configurations

SSL configuration for PingIntelligence Dashboard

  • server_ssl_key_store_password

  • server_ssl_key_alias

Configure the passwords for key store and key alias.

H2 database configuration:

  • h2_db_password

  • h2_db_encryption_password

Password for the H2 database and password for encryption.

Discovery configuration - The following variables configure discovery settings for Dashboard:

  • discovery_source

  • discovery_mode

  • discovery_mode_auto_polling_interval

  • discovery_mode_auto_delete_non_discovered_apis

Discovery source - Defines the details of discovery source for PingAccess or Axway API gateway.

PingAccess:

  • pingaccess_url

  • pingaccess_username

  • pingaccess_password

Axway

  • axway_url

  • axway_username

  • axway_password

  • discovery_source - Defines the source of discovered APIs. The discovery source can be abs, pingaccess, or axway.

  • discovery_mode - Defines the mode in which Dashboard publishes APIs to ASE. It can be either auto or manual. For more information on discovery mode, see Discovered APIs.

  • discovery_mode_auto_polling_interval - If the mode is set to auto in the previous option, configure the time interval in minutes for publishing the APIs to ASE. It is recommended to keep a minimum time interval of 10 minutes.

  • discovery_mode_auto_delete_non_discovered_apis - If the mode is set to auto, you can configure whether you want to delete the other APIs from ASE when Dashboard publishes the discovered APIs.

Configure PingAccess or Axway URL, username and password if the discovery source is pingaccess or axway.

enable_xpack

Configures whether the deployment package installs Xpack. The default value is true. If you are using an existing Elasticsearch and authentication is not configured for Xpack, set enable_xpack to false.

elasticsearch_url

If you have set install_elasticsearch as false in the hosts file, configure the Elasticsearch Uniform Resource Locator (URL). Enter the complete URL, including http/https. For example, https://myelasticsearchurl.pi.com:443. NOTE: Providing the port number in the URL is mandatory.

elasticsearch_distro_type

Configure the distribution type of Elasticsearch. Allowed values are default or aws.

This variable is available for configuration in PingIntelligence for APIs 4.4.1.

elastic_username

If you want to use an already available Elasticsearch username, configure it in elastic_username.

elastic_password

Elasticsearch password. The default value is changeme.

Do not change the elastic_password after PingIntelligence installation is complete.

elasticsearch_purge_schedule

The schedule for Elasticsearch purge to run.

elasticsearch_purge_days

The number of days for Elasticsearch purge.

consumer_user

Consumer user in Kafka.

Default: pi4api_de_user

consumer_authentication_password

Consumer user password.

Default: changeme

dataengine_groupid

Group in Kafka for data engine consumer.

Default: pi4api.data-engine

ping_user_password

Password for the default user name ping_user.

ping_admin_password

Password for the admin.

Syslog configuration:

  • enable_syslog

  • host, port

  • facility

Configure syslog details.

Setting enable_syslog to true lets the Dashboard engine log the attacks detected by ABS to the syslog server.

Provide the host and port number of the syslog server.

Make a backup of the dashboard-defaults.yml file on a secure machine after the automated installation is complete.

The following is a sample dashboard-defaults.yml file.

---
webgui:
 # Define ports for PingIntelligence WebGUI
 # Make sure ports are not same for single server installation
 port: 8030

 # allowed values: native, sso.
 # In native mode, webgui users are self managed and stored in webgui.
 # In sso mode, webgui users are managed and stored in an Identity provider.
 authentication_mode: native
 # Maximum duration of a session.
 # Value should be in the form of <number><duration_suffix>
 # Duration should be > 0.
 # Allowed duration_suffix values: m for minutes, h for hours, d for days.
 session_max_age: 6h

 # Number of active UI sessions at any time.
 # Value should be greater than 1.
 max_active_sessions: 50

 # admin_password and ping_user_password are applicable in native authentication_mode only.
 # webgui "admin" account password
 admin_password: changeme
 # webgui "ping_user" account password
 ping_user_password: changeme

 # The sso configuration properties below are applicable in sso authentication_mode only.
 # Client ID value in Identity provider.
 sso_oidc_client_id: pingintelligence
 # Client Secret of the above Client ID.
 sso_oidc_client_secret: changeme
 # OIDC Client authentication mode.
 # Valid values: BASIC, POST, or NONE
 sso_oidc_client_authentication_method: BASIC
 # OIDC Provider uri
 # WebGUI queries <issuer-uri>/.well-known/openid-configuration to get OIDC provider metadata
 # issuer ssl certificate is not trusted by default. So import issuer ssl certificate into config/webgui.jks
 # issuer should be reachable from both back-end and front-end
 sso_oidc_provider_issuer_uri: https://127.0.0.1:9031

 # Place the sso provider issuer-certificate in the following path => <installation_path>/pingidentity/certs/webgui/
 # Name of the file should be => webgui-sso-oidc-provider.crt

 # claim name for unique id of the user in UserInfo response
 # a new user is provisioned using this unique id value
 sso_oidc_provider_user_uniqueid_claim_name: sub
 # claim name for first name of the user in UserInfo response
 # either first name or last name can be empty, but both should not be empty
 sso_oidc_provider_user_first_name_claim_name: given_name
 # claim name for last name of the user in UserInfo response
 # either first name or last name can be empty, but both should not be empty
 sso_oidc_provider_user_last_name_claim_name: family_name
 # claim name for role of the user in UserInfo response
 sso_oidc_provider_user_role_claim_name: role
 # additional scopes in authorization request
 # multiple scopes should be comma (,) separated
 # openid,profile scopes are always requested
 sso_oidc_client_additional_scopes:
 ## End of sso configuration

 # ssl key store password of webgui hosts
 server_ssl_key_store_password: changeme
 server_ssl_key_alias: webgui

 # local h2 db datasource properties
 h2_db_password: changeme
 h2_db_encryption_password: changeme

 # allowed values: abs/pingaccess/axway
 discovery_source: abs
 # allowed values: auto/manual
 discovery_mode: auto
 # value is in minutes
 discovery_mode_auto_polling_interval: 10
 discovery_mode_auto_delete_non_discovered_apis: false

 # valid only if discovery_source is set to pingaccess
 pingaccess_url: https://127.0.0.1:9000/
 pingaccess_username: Administrator
 pingaccess_password:

 # valid only if discovery_source is set to axway
 axway_url: https://127.0.0.1:8075/
 axway_username: apiadmin
 axway_password:


dataengine:
 ui:
   # Install elasticsearch with xpack enabled
   # If there is no authentication on pre-existing elasticsearch, set this to false
   enable_xpack: true
   server_port: 8040
   # When install_elasticsearch is set to false in config/hosts, this url will be used
   # Give the complete url with https/http and elasticsearch port number
   # Make sure elasticsearch_url is accessible from ansible management host, dataengine, webgui nodes.
   elasticsearch_url: https://search-giueibohzd6pfijfysjfsxucty.pingidentity.com:443
   # Configuration distribution type of elasticsearch. Allowed values are default or aws
   elasticsearch_distro_type: default

   # User with permission set similar to "elastic" user
   elastic_username: elastic

   # Passwords for "elasticsearch","ping_user" and "ping_admin" users
   # dataengine will be accessible for these accounts
   # Please set strong passwords
   # If enable_xpack is set to false, below passwords are ignored
   elastic_password: changeme

   # ssl key store password of webgui hosts
   server_ssl_key_store_password: changeme
   server_ssl_key_alias: dataengine

   # Users, password and groupid for dataengine in kafka
   consumer_user: pi4api_de_user
   consumer_authentication_password: changeme
   dataengine_groupid: pi4api.data-engine

   #Elastic Search Purge Schedule
   elasticsearch_purge_schedule: "0 23 * * * * "
   elasticsearch_purge_days: "30"

 syslog:
   # Configuration for syslog
   enable_syslog: false
   host: localhost
   port: 614
   facility: LOCAL0
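
The sample file above ships with changeme for most secrets, and the table sets limits on several values. The following is an added example, not part of the PingIntelligence package or its documentation: a pre-deployment check that flags every password or secret still set to changeme (regardless of authentication_mode) and the session and discovery values that fall outside the limits the table states. The names flatten, audit and SAMPLE are hypothetical, and the sample values are constructed.

```python
import re

SAMPLE = """\
webgui:
 session_max_age: 0h
 max_active_sessions: 50
 admin_password: changeme
 ping_user_password: S3t-by-operator
 discovery_source: pingaccess
 discovery_mode: auto
 discovery_mode_auto_polling_interval: 5
 pingaccess_password:
dataengine:
 ui:
   elastic_password: changeme
"""  # constructed sample values, not taken from a real deployment

def flatten(text):
    """Flatten nested 'key: value' lines into dotted keys (only the shapes this file uses)."""
    out, stack = {}, []  # stack: (indent, key) of the currently open parent mappings
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("#") or ":" not in s:
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, val = s.partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        out[".".join([k for _, k in stack] + [key])] = val.strip().strip('"')
        if not val.strip():
            stack.append((indent, key))  # parent mapping (or an empty scalar)
    return out

def audit(text):
    cfg = flatten(text)
    w = lambda k: cfg.get("webgui." + k, "")
    bad = [f"{p}: still the default 'changeme'" for p, v in cfg.items()
           if re.search(r"(password|secret)$", p) and v == "changeme"]
    if not re.fullmatch(r"0*[1-9]\d*[mhd]", w("session_max_age")):
        bad.append("session_max_age: expected <number><m|h|d> with number > 0")
    if not w("max_active_sessions").isdigit() or int(w("max_active_sessions")) <= 1:
        bad.append("max_active_sessions: must be greater than 1")
    poll = w("discovery_mode_auto_polling_interval")
    if w("discovery_mode") == "auto" and poll.isdigit() and int(poll) < 10:
        bad.append("discovery_mode_auto_polling_interval: below the recommended 10 minutes")
    src = w("discovery_source")
    if src in ("pingaccess", "axway") and not w(src + "_password"):
        bad.append(f"{src}_password: empty although discovery_source is {src}")
    return bad
```

Pass the contents of your own dashboard-defaults.yml to audit() before running the automated installation; an empty list means none of these checks fired.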