Environment variables exposed in Docker images

Environment variables are exposed in the Docker images.

If you do not set the environment variable, the default values are used. The following tables list the environment variables for API Security Enforcer (ASE), API Behavioral Security (ABS), Dashboard, and MongoDB.

ASE Environment Variables

The following table lists the ASE environment variables and the values.

Environment Value Usage

MODE

inline/sideband

ASE can be deployed either in inline mode or sideband mode.

For more information, see the ASE admin guide.

TIMEZONE

string

Set the timezone of ASE to either local or UTC. The default value is utc.

Make sure TIMEZONE is set to the same value in ASE, ABS, and Dashboard.

ENABLE_CLUSTER

true/false

Set the value to true to enable ASE cluster.

ENABLE_ABS

true/false

Set the value to true to enable ABS.

PEER_NODE

<IP or hostname>:port

ASE cluster peer node’s IP address and port number.

ASE_SECRET_KEY

string

Set the value of the ASE secret key.

The ASE access key cannot be changed. Its value always remains admin.

ABS_ENDPOINT

<IP or hostname>:port

IP address or host name of the ABS endpoint.

ABS_ACCESS_KEY

string

Access key to connect to ABS.

ABS_SECRET_KEY

string

Secret key to connect to ABS.

ADMIN_LOG_LEVEL

1-5

1-5 (FATAL, ERROR, WARNING, INFO, DEBUG)

ENABLE_SIDEBAND_AUTHENTICATION

true/false

Enable client side authentication. This setting is applicable only in sideband mode. When enabled, ASE authenticates requests using ASE authentication tokens.

ENABLE_SIDEBAND_KEEPALIVE

true/false

Set the value to true to enable connection keepalive for requests from gateway to ASE. This configuration is applicable only in sideband mode.

ENABLE_ASE_HEALTH

true/false

Set the value to true to enable ASE health check module.

ENABLE_GOOGLE_PUBSUB

true/false

Google Pub/Sub configuration.

GOOGLE_PUBSUB_TOPIC

string

Google Pub/Sub topic.

GOOGLE_PUBSUB_CONCURRENCY

number

The number of concurrent connections to Google Pub/Sub.

Minimum: 1, Default: 1000, Maximum: 1024

GOOGLE_PUBSUB_QPS

number

The number of messages published per second.

Minimum: 1, Default: 1000, Maximum: 10000

GOOGLE_PUBSUB_APIKEY

string

Google service account API key (Optional)

CACHE_QUEUE_SIZE

number

The maximum number of messages buffered in memory. If the queue is full, messages are written to logs/google_pubsub_failed.log.

Minimum: 1, Default: 300, Maximum: 10000

GOOGLE_PUBSUB_TIMEOUT

number

Timeout in seconds to publish a message to Google Pub/Sub.

Minimum: 10, Default: 30, Maximum: 300

DEPLOYMENT_TYPE

string

Indicates ABS deployment type to ASE.

Supported values are onprem or cloud.

GATEWAY_CREDENTIAL

string

The obfuscated gateway credentials that are generated at cloud portal. ASE parses these gateway credentials to get OAuth Uniform Resource Locator (URL) and URL for ABS API calls.

Populate this value when DEPLOYMENT_TYPE is set to cloud.

ENABLE_ABS_PUBLISH

true/false

Set this value to true to allow ASE to fetch the published API list from ABS.

ABS_PUBLISH_REQUEST_MINUTES

This value determines how often ASE will get the published API list from ABS.

ENABLE_STRICT_REQUEST_PARSER

true/false

Enable strict parsing checks for client requests.

true: ASE will block requests with an invalid header start.
false: ASE will allow requests.

ABS Environment Variables

The following table lists the ABS environment variables and the values.

Environment Value Usage

MONGO_RS

mongodb://<IP or hostname>:<port>,<IP or hostname>:<port>, <IP or hostname>:<port>

MongoDB replica set IP addresses or host names and port numbers.

MONGO_USERNAME

string

MongoDB username.

MONGO_PASSWORD

string

MongoDB password.

ABS_LOG_LEVEL

string

Log levels (ALL > DEBUG > INFO > WARN > ERROR > FATAL > OFF)

The default is INFO.

MONGO_SSL

true/false

Set to true if MongoDB instance is configured in SSL mode.

By default, ABS will try to connect to MongoDB using non-SSL connection. The default is false.

IS_DASHBOARD_NODE

true/false

Setting as true makes an ABS node for dashboard engine query only and does not participate in ABS cluster for log processing.

ENABLE_EMAILS

true/false

Enable (true) or disable (false) ABS email notifications.

SENDER_EMAIL

string

The email address used for sending email alerts and reports.

SENDER_EMAIL_PASSWORD

string

The password of the sender’s email account.

You can leave this field blank if your SMTP server does not require authentication.

RECEIVER_EMAIL

string

The email address notified about alerts and reports. If you want more than one person to be notified, use an email alias.

ABS_CLI_ADMIN_PASSWORD

string

Set the ABS command-line interface (CLI) admin password.

ABS_JKS_PASSWORD

string

Set the ABS Java keystore password.

MONGO_CERTIFICATE_VERIFY

true/false

Set to true if you want to enable verification of MongoDB SSL server certificate.

By default, ABS will try to connect to MongoDB without verifying SSL connection. The default is false.

TIMEZONE

string

Set the timezone of ABS to either local or UTC. The default value is utc.

Make sure TIMEZONE is set to the same value in ASE, ABS, and the Dashboard.

ABS_ACCESS_KEY

string

The access key for the ABS admin user.

For more information, see ABS users.

ABS_SECRET_KEY

string

The secret key for the ABS admin user.

For more information, see ABS users.

ABS_ACCESS_KEY_RU

string

The access key for the restricted user.

For more information on restricted users, see ABS users.

ABS_SECRET_KEY_RU

string

The secret key for the restricted user.

For more information on restricted users, see ABS users.

ATTACK_INITIAL_TRAINING

integer

The attack training period.

ATTACK_UPDATE_INTERVAL

integer

The attack threshold uphold interval.

API_DISCOVERY

true/false

Set the value to true to enable application programming interface (API) discovery in ABS. For ABS to discover APIs, a global API JavaScript Object Notation (JSON) must be configured in ASE.

For more information, see API discovery and configuration.

API_DISCOVERY_INITIAL_PERIOD

integer

The initial period set in hours in which ABS has to be discover APIs. It is good practice to keep the API discovery interval period less than the initial attack training interval.

API_DISCOVERY_UPDATE_INTERVAL

integer

The time period in hours in which ABS reports the newly discovered APIs.

API_DISCOVERY_SUBPATH

integer

The number of subpaths that are discovered in an API. The maximum value is 3.

POC_MODE

string

Sets the mode in which ABS trains its API models. Set it to true for running ABS in evaluation deployment mode.

For more information, see Configuring and verifying ABS POC mode.

KAFKA_SERVERS

string

The Kafka ip:port needs to be configured.

ABS_CONSUMER_USER

string

ABS consumer user in Kafka.

ABS_PRODUCER_USER

string

ABS producer user in Kafka.

ABS_CONSUMER_GROUP

string

ABS group in Kafka.

ABS_CONSUMER_PASSWORD

string

ABS consumer user password.

ABS_PRODUCER_PASSWORD

string

ABS producer user password.

KAFKA_MIN_INSYNC_REPLICA

integer

The number of minimum in-sync replicas for data in Kafka.

TRANSACTIONS_TOPIC

string

ABS transaction topic in Kafka.

ATTACK_TOPIC

string

ABS attack topic in Kafka.

ANOMALIES_TOPIC

string

ABS anomalies topic in Kafka.

MongoDB Environment Variables

The following table lists the MongoDB environment variables and the values.

Environment Value Usage

Environment	Value	Usage
`MONGO_USERNAME`	`string`	MongoDB username.
`MONGO_PASSWORD`	`string`	MongoDB password.
`MUTLI_NODE_REPLICA_SET`	`string`	Set it to `true` if you wan to run multiple MongoDB nodes in MongoDB replica set. The default value is `false`. If you have set to it to `true`, then manually add MongoDB nodes into replica set. Run `abs_init.js` script from the primary MongoDB node.
`WIRED_TIGER_CACHE_SIZE_GB`	`float`	Memory in GB to be used by MongoDB cache.
`MONGO_SSL`	`string`	Configures whether MongoDB uses SSL. The default value is `false`.
`MONGO_PORT`	`string`	Custom port for Mongo.

MONGO_USERNAME

string

MongoDB username.

MONGO_PASSWORD

string

MongoDB password.

MUTLI_NODE_REPLICA_SET

string

Set it to true if you wan to run multiple MongoDB nodes in MongoDB replica set. The default value is false. If you have set to it to true, then manually add MongoDB nodes into replica set.

Run abs_init.js script from the primary MongoDB node.

WIRED_TIGER_CACHE_SIZE_GB

float

Memory in GB to be used by MongoDB cache.

MONGO_SSL

string

Configures whether MongoDB uses SSL. The default value is false.

MONGO_PORT

string

Custom port for Mongo.

Dashboard Environment Variables

The following table lists the Dashboard environment variables and the values.

Environment Value Usage

DISCOVERY_SOURCE

string

Source of API discovery. Values can be abs, pingaccess, or axway.

PINGACCESS_URL

string

The URL of PingAccess if you set the discovery source as pingaccess.

PINGACCESS_USERNAME

string

The PingAccess username for API discovery.

PINGACCESS_PASSWORD

string

The PingAccess password for API discovery.

AXWAY_URL

string

The URL of Axway if you set the discovery source as axway.

AXWAY_USERNAME

string

The Axway username for API discovery.

AXWAY_PASSWORD

string

The Axway username for API discovery.

DISCOVERY_MODE

string

The mode in which the Dashboard publishes APIs to ASE. Values can be auto or manual.

For more information, see Discovered APIs.

DISCOVERY_MODE_AUTO_POLLING_INTERVAL

integer

If the DISCOVERY_MODE is set as auto, set the polling interval at which the Dashboard polls the discovery source for APIs. It is recommended to have a minimum value of 10 minutes.

DISCOVERY_MODE_AUTO_DELETE_NON_DISCOVERED_APIS

string

If the DISCOVERY_MODE is set as auto, you can choose to retain to delete APIs in ASE that are added manually. Set it to true, if you want to delete the APIs that are manually added in ASE.

ASE_MODE

string

Sets the mode in which ASE is deployed. Values can be either inline or sideband. Make sure this value is same as the value set in ASE.

ABS_ACCESS_KEY

string

The access key for the ABS admin user.

For more information, see ABS users.

ABS_SECRET_KEY

string

The secret key for the ABS admin user.

For more information, see ABS users.

ABS_HOST

string

The Internet Protocol (IP) address of ABS host.

ENABLE_XPACK

string

Configures whether X-Pack is installed. Default value is true. If the variable is set to false, the Web GUI protocol should be HTTP.

ENABLE_SYSLOG

string

Configures whether the Dashboard sends Syslog messages to the Syslog server. The default value is false.

ENABLE_SYSLOG and ENABLE_UI both cannot be false at the same time.

When ENABLE_SYSLOG environment variable is passed to the container, SYSLOG_HOST, and SYSLOG_PORT should also be passed. These are to configure the Syslog server and port number.

ABS_RESTRICTED_USER_ACCESS

true/false

Set to true if you want to use an ABS restricted user.

For more information on restricted users, see ABS users.

ABS_URL

string

The URL should be in the form of https://<IP>:<port>. The URL is used by WebGUI to connect to ABS.

ASE_URL

string

The URL should be in the form of https://<IP>:<port>. The URL is used by WebGUI to connect to ASE.

ASE_ACCESS_KEY

string

The access key of the ASE admin user.

ASE_SECRET_KEY

string

The secret key of the ASE admin user.

DASHBOARD_URL

string

The URL should be in the form of https://<IP>:<port>. The URL is used by WebGUI to connect to the Dashboard. IP and port number are for Kibana.

H2_DB_PASSWORD

string

The password for the H2 database.

H2_DB_ENCRYPTION_PASSWORD

string

The password to change the encryption method of the H2 database.

WEBGUI_ADMIN_PASSWORD

string

The password for the admin user of WebGUI.

WEBGUI_PING_USER_PASSWORD

string

The password for ping_user of WebGUI.

SESSION_MAX_AGE

6h

Defines the maximum time for a session. The configured values should be in the form of <number><duration_suffix>. The duration should be > 0. Allowed duration_suffix values are m for minutes, h for hours, and d for days.

MAX_ACTIVE_SESSIONS

50

Defines the maximum number of active UI sessions at any given time. The value should be greater than 1.

AUTHENTICATION_MODE

native or sso

Set the value to sso to authenticate the Dashboard with PingFederate.

SSO_OIDC_CLIENT_ID

string

Client ID value configured in the identity provider.

SSO_OIDC_CLIENT_SECRET

string

Client secret configured for the corresponding Client ID.

SSO_OIDC_CLIENT_AUTHENTICATION_METHOD

BASIC, POST, and NONE

OpenID Connect (OIDC) Client authentication mode. The valid values are BASIC, POST, or NONE.

SSO_OIDC_PROVIDER_ISSUER_URI

string

The PingFederate URI that is required by WebGUI to establish single sign-on (SSO). The default value is https://127.0.0.1:9031.

The PingIntelligence Dashboard Docker image can be generated by packaging it with the PingFederate public certificate. To do so, the certificate needs to be placed in certs/webgui directory with the name webgui-sso-oidc-provider.crt.

SSO_OIDC_PROVIDER_USER_UNIQUEID_CLAIM_NAME

string

Claim name for the unique ID of the user in the UserInfo response. A new user is provisioned using this unique ID value.

SSO_OIDC_PROVIDER_USER_FIRST_NAME_CLAIM_NAME

string

Claim name for the first name of the user in the UserInfo response. Either first name or last name can be empty, but both should not be empty.

SSO_OIDC_PROVIDER_USER_LAST_NAME_CLAIM_NAME

string

Claim name for the last name of the user in the UserInfo response. Either first name or last name can be empty, but both should not be empty.

SSO_OIDC_PROVIDER_USER_ROLE_CLAIM_NAME

string

Claim name for the role of the user in the UserInfo response. Valid values for roles are ADMIN and REGULAR.

SSO_OIDC_PROVIDER_CLIENT_ADDITIONAL_SCOPES

string

Additional scopes in the authorization request. Multiple scopes should be values separated with a comma (,). OpenID profile scopes are always requested.

TIMEZONE

string

Set the timezone of the Dashboard to either local or UTC. The default value is utc.

Make sure TIMEZONE is set to the same value in ASE, ABS, and the Dashboard.

KAFKA_SERVERS

string

Kafka ip:port needs to be configured.

DE_CONSUMER_USER

string

The data engine consumer user in Kafka.

DE_CONSUMER_PASSWORD

string

Consumer user password.

DE_CONSUMER_GROUP

string

The group in Kafka for the data engine consumer.

TRANSACTIONS_TOPIC

string

ABS transaction topic in Kafka.

ATTACK_TOPIC

string

ABS attack topic in Kafka.

ELASTIC_URL

string

External Elasticsearch URL.

ELASTIC_PASSWORD

string

External Elasticsearch password.

ELASTIC_USERNAME

string

External Elasticsearch username.

API Publish Environment Variables

The following table lists the API Publish environment variables and the values.

Environment Value Usage

Environment	Value	Usage
`MONGO_USERNAME`	`string`	MongoDB username.
`MONGO_PASSWORD`	`string`	MongoDB password.
`MONGO_CERTIFICATE`	`string`	Set to `true` if the MongoDB instance is configured in Secure Sockets Layer (SSL) mode, and you want to do the server certificate verification.
`MONGO_AUTH_MECHANISM`	`string`	MongoDB authentication: Supported Mongo authentication mechanisms are: `DEFAULT`: Provide `MONGO_USERNAME` and `MONGO_PASSWORD`. `PLAIN`: Provide the external Lightweight Directory Access Protocol (LDAP) username and password in `MONGO_USERNAME` and `MONGO_PASSWORD`. Set to `NONE` if authentication is not enabled in Mongo.
`MANAGEMENT_PORT`	`string`	Port for the API Publish service
`APIPUBLISH_JKS_PASSWORD`	`string`	The API Publish password for the JKS file. You can change the password, and it will be generated during installation.
`MONGO_SSL`	`string`	Indicates whether SSL is used for Mongo. The default value is `false`.
`DATABASE_NAME`	`string`	Database name.
`META_DATABASE`	`string`	Meta database name.
`APIPUBLISH_CLI_ADMIN_PASSWORD`	`string`	API Publish command-line interface (CLI) password.

MONGO_USERNAME

string

MongoDB username.

MONGO_PASSWORD

string

MongoDB password.

MONGO_CERTIFICATE

string

Set to true if the MongoDB instance is configured in Secure Sockets Layer (SSL) mode, and you want to do the server certificate verification.

MONGO_AUTH_MECHANISM

string

MongoDB authentication:

Supported Mongo authentication mechanisms are:
- DEFAULT: Provide MONGO_USERNAME and MONGO_PASSWORD.
- PLAIN: Provide the external Lightweight Directory Access Protocol (LDAP) username and password in MONGO_USERNAME and MONGO_PASSWORD.
Set to NONE if authentication is not enabled in Mongo.

MANAGEMENT_PORT

string

Port for the API Publish service

APIPUBLISH_JKS_PASSWORD

string

The API Publish password for the JKS file.

You can change the password, and it will be generated during installation.

MONGO_SSL

string

Indicates whether SSL is used for Mongo.

The default value is false.

DATABASE_NAME

string

Database name.

META_DATABASE

string

Meta database name.

APIPUBLISH_CLI_ADMIN_PASSWORD

string

API Publish command-line interface (CLI) password.

Kafka Environment Variables

The following table lists the Kafka environment variables and the values.

Environment Value Usage

Environment	Value	Usage
`ZOOKEEPER_URL`	`<IP or hostname>:port`	Zookeeper URL.
`KAFKA_SSL_PORT`	`string`	SSL port for Kafka.
`KAFKA_SASL_PORT`	`string`	SASL port for Kafka.
`KAFKA_MIN_INSYNC_REPLICA`	`string`	The minimum number of in-sync replicas for data in Kafka.
`ABS_CONSUMER_USER`	`string`	ABS consumer user in Kafka.
`ABS_PRODUCER_USER`	`string`	ABS producer user in Kafka.
`ABS_CONSUMER_PASSWORD`	`string`	ABS consumer user password.
`ABS_PRODUCER_PASSWORD`	`string`	ABS producer user password.
`ABS_CONSUMER_GROUP`	`string`	ABS group in Kafka.
`DE_CONSUMER_USER`	`string`	Data engine consumer user in Kafka.
`DE_CONSUMER_PASSWORD`	`string`	Consumer user password.
`DE_CONSUMER_GROUP`	`string`	Group in Kafka for the data engine consumer.
`RETENTION_PERIOD`	`string`	Retention period of data in topics.
`POD_NAME`	`string`	Kafka broker ID.

ZOOKEEPER_URL

<IP or hostname>:port

Zookeeper URL.

KAFKA_SSL_PORT

string

SSL port for Kafka.

KAFKA_SASL_PORT

string

SASL port for Kafka.

KAFKA_MIN_INSYNC_REPLICA

string

The minimum number of in-sync replicas for data in Kafka.

ABS_CONSUMER_USER

string

ABS consumer user in Kafka.

ABS_PRODUCER_USER

string

ABS producer user in Kafka.

ABS_CONSUMER_PASSWORD

string

ABS consumer user password.

ABS_PRODUCER_PASSWORD

string

ABS producer user password.

ABS_CONSUMER_GROUP

string

ABS group in Kafka.

DE_CONSUMER_USER

string

Data engine consumer user in Kafka.

DE_CONSUMER_PASSWORD

string

Consumer user password.

DE_CONSUMER_GROUP

string

Group in Kafka for the data engine consumer.

RETENTION_PERIOD

string

Retention period of data in topics.

POD_NAME

string

Kafka broker ID.

Zookeeper Environment Variables

The following table lists the Zookeeper environment variables and the values.

Environment Value Usage

Environment	Value	Usage
`ZOOKEEPER_PORT`	`string`	Non-SSL port for Zookeeper.
`ZOOKEEPER_SSL_PORT`	`string`	Non-SSL port for Zookeeper.

ZOOKEEPER_PORT

string

Non-SSL port for Zookeeper.

ZOOKEEPER_SSL_PORT

string

Non-SSL port for Zookeeper.