PingIntelligence

Apigee properties file configuration

The apigee.properties file is required for all sideband Apigee configurations.

The properties file is used to set properties for the PingIntelligence policy tool after installation. You can optionally configure it to capture user information. You can find the file in the /pingidentity/apigee/config/ directory.

The following tables describe the variables in the file.

General variables
Variable Description

configuration_store

Where to store the ASE token.

The possible values are kvm and custom. The default is custom.

When you choose custom, the ASE token is configured inside the PingIntelligence policy and uploaded to Apigee Edge directly. When kvm is chosen, the ASE token is stored in the KVM store.

apigee_url

URL to connect to Apigee Edge.

If your Apigee installation is on a private cloud, change the URL to the one that matches your Apigee management server API IP:Port or hostname with protocol.

apigee_username

The username to connect to Apigee Edge.

apigee_password

The password to connect to Apigee Edge.

apigee_environment

The target environment for the PingIntelligence shared flow.

apigee_organization

The target organization for the PingIntelligence shared flow.

ase_host_primary

The ASE primary host IP address and port or hostname and port.

ase_host_secondary

The ASE secondary host IP address and port or hostname and port.

This field cannot be left empty. In a testing environment, you can provide the same IP address for primary and secondary ASE host.

ase_ssl

Enable or disable SSL communication between Apigee Edge and ASE. The default value is true.

ase_sideband_token

Configure the ASE token generated in Preparing to deploy the PingIntelligence shared flow.

enable_mtls

Enable or disable mutual authentication between ASE and the Apigee API gateway. The default is false.

This feature requires ASE version 5.1.3 or later.

mtls_password

When mutual TLS (MTLS) is enabled, the password to access the keystore.

If the private key is password protected, then the keystore and private key password must be the same.

Configuration properties to extract user information
Variable Description

enable_oauth_policy

Choose whether to use the PingIntelligence OAuth policy to extract user_info or not. Possible values are true or false. The default value is false.

  • When set to true, the PingIntelligence OAuthPolicy is executed and user_info is sent to ASE.

  • When set to false, the PingIntelligence OAuthPolicy is not executed. Theuser_info is captured from an existing custom OAuthPolicy, if available, and sent to ASE.

In both the cases, even if authorization token is deleted by the gateway,user_info and token information are still sent to ASE.

For more information on the PingIntelligence OAuth policy, see Extract user information from access tokens.

enable_async

Choose synchronous or asynchronous mode between the gateway and ASE. In synchronous mode, the gateway waits for a response from ASE before forwarding the request to backend server.

If asynchronous mode is enabled, the gateway forwards the request to the backend server without waiting for the response from ASE. The ASE passively logs the request and forwards it to ABS for attack analysis. It performs attack detection without blocking of attacks. Possible values are true or false.

access_token_position

Location of access_token in the API request. Possible values are header or queryparam. The default value is header. It is used in the OAuthPolicy.

access_token_position=queryparam

At present, Apigee supports only the Bearer prefix in an authorization header.

access_token_variable

A variable to hold access_token value, as shown in the following example.

access_token_variable=access_token => -H "access_token: Rft3dqrs56Blirls56a"

The default value is Authorization. It is used in the OAuthPolicy.

username_key_mapping

This is used in the PingIntelligence policy to set the key of username attribute in access_token info. The default value is username.

client_id_key_mapping

This is used in the PingIntelligence policy to set the key of client_id attribute in the access_token info. The default value is client_id.

Timeout configurations
Variable Description

connect_timeout

Connection timeout in milliseconds between Apigee API gateway and PingIntelligence ASE.

io_timeout

Read timeout in milliseconds between Apigee API gateway and PingIntelligence ASE.

keepalive_timeout

Connection keepalive timeout between Apigee API gateway and PingIntelligence ASE. Make sure that enable_keepalive to true in ase.conf for the keep-alive configuration to take effect.

Make sure that the enable_sideband_keepalive is set to true in ase.conf file for keep-alive connection between Apigee API gateway and ASE.

Backslashes (\) are not supported in username and client_id values.

The following is a sample apigee.properties file.

# Copyright 2020 Ping Identity Corporation. All Rights Reserved.
# Ping Identity reserves all rights in The program as delivered. Unauthorized use, copying,
# modification, reverse engineering, disassembling, attempt to discover any source code or
# underlying ideas or algorithms, creating other works from it, and distribution of this
# program is strictly prohibited. The program or any portion thereof may not be used or
# reproduced in any form whatsoever except as provided by a license without the written
# consent of Ping Identity.  A license under Ping Identity's rights in the Program may be
# available directly from Ping Identity.

# KVM Mode kvm/custom
configuration_store=custom
# Apigee management server URL
apigee_url=https://api.enterprise.apigee.com
# Apigee management server username
apigee_username=
# Apigee management server username
apigee_password=
# Apigee environment to which it should be deployed
apigee_environment=prod
# Apigee organization name
apigee_organization=

# ASE Primary Host  <IP/Host>:<port>
ase_host_primary=
# ASE Secondary Host  <IP/Host>:<port>
ase_host_secondary=
# ASE SSL status
ase_ssl=true
# ASE sideband authentication token
ase_sideband_token=none

# Enable OAuth Policy (allowed values: true | false)

enable_oauth_policy=false
# Enable async (allowed values: true | false)
enable_async=true

# Position of Access Token (allowed values: header | queryparam)
access_token_position=header
# access_token_position=header, access_token_variable=Authorization => -H "Authorization: Bearer Rft3dqrs56Blirls56a"
# access_token_position=header, access_token_variable=access_token => -H "access_token: Rft3dqrs56Blirls56a"
# access_token_position=queryparam, access_token_variable=access_token => ...?access_token=Rft3dqrs56Blirls56a
access_token_variable=Authorization

# username key mapping in access_token. This is the key of username in access_token attributes
username_key_mapping=username
# client_id key mapping in access_token. This is the key of client_id in access_token attributes
client_id_key_mapping=client_id

# connection timeout between Apigee and ASE. Value is in milliseconds
connect_timeout=5000
# read timeout between Apigee and ASE. Value is in milliseconds
io_timeout=5000
# keepalive timeout between Apigee and ASE. Value is in milliseconds
# set enable_keepalive to true in ase.conf for the below configuration to take effect
keepalive_timeout=30000

If configuration_store is set to custom, the configuration will be embedded into the PingIntelligence policy.

If configuration_store is set to kvm, the configuration is pushed to a key-value map store while deploying the policy and is retrieved during policy execution.