PingIntelligence

Preparing to deploy the PingIntelligence policy

Complete the following prerequisites before deploying the PingIntelligence policy.

About this task

The PingIntelligence policy modules are compiled for NGINX 1.14.2. If you have a different version of NGINX, contact Ping Identity support.

Before deploying the PingIntelligence policy:

Steps

  1. Install and configure the PingIntelligence software as follows.

    1. Sign on to your ASE machine and check that ASE is in sideband mode by running the following status command:

      /opt/pingidentity/ase/bin/cli.sh status

      Result:

      API Security Enforcer
      status                  : started
      mode                    : sideband
      http/ws                 : port 80
      https/wss               : port 443
      firewall                : enabled
      abs                     : enabled, ssl: enabled
      abs attack              : disabled
      audit                   : enabled
      sideband authentication : disabled
      ase detected attack     : disabled
      attack list memory      : configured 128.00 MB, used 25.60 MB, free 102.40 MB

    If ASE is not in sideband mode, stop ASE, set mode to sideband in the /opt/pingidentity/ase/config/ase.conf file, and start ASE again.

    2. For secure communication between NGINX and ASE, enable sideband authentication by entering the following ASE command:

      # ./bin/cli.sh enable_sideband_authentication -u admin -p
    3. To generate the sideband authentication token in ASE, enter the following command in the ASE command line and save the token for later use in Configuring NGINX for PingIntelligence.

      A token is required for NGINX to authenticate with ASE.

      # ./bin/cli.sh -u admin -p admin create_sideband_token
  2. Configure the following for your operating system:

    Choose from:

    • RHEL 7.6:

      The PingIntelligence modules for NGINX 1.14.2 are specifically compiled for RHEL 7.6 and OpenSSL 1.0.2k-fips. If you do not have these specific versions of RHEL and OpenSSL, contact Ping Identity support.

      1. Verify your RHEL version by entering the following command on your machine:

        $ cat /etc/redhat-release
        Red Hat Enterprise Linux Server release 7.6 (Maipo)
      2. Confirm that OpenSSL 1.0.2k-fips is installed on your RHEL 7.6 machine by checking the OpenSSL version with the openssl version command:

        $ openssl version
        OpenSSL 1.0.2k-fips  26 Jan 2017
      3. Extract the ASE certificate:

        1. Make sure that ASE is running. If ASE is not running, run the following command on ASE command line to start ASE:

          /opt/pingidentity/ase/bin/start.sh
          Starting API Security Enforcer 4.0.2...
          please see /opt/pingidentity/ase/logs/controller.log for more details

          For more information on starting ASE, see Starting and stopping ASE.

        2. Run the following command to extract the ASE certificate and save it in the test.ase.pi file:

          openssl s_client -connect  <ASE_IP>:<ASE_PORT>   2>/dev/null </dev/null |  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > test.ase.pi
        3. Copy the certificate file to the NGINX machine and configure the certificate path in the nginx.conf file.

      4. Run the following command to download RHEL dependencies for compiling NGINX:

        # yum install pcre-devel.x86_64 openssl-devel.x86_64 zlib-devel.x86_64 wget gcc
    • Ubuntu 16.04 LTS:

      The PingIntelligence modules are specifically compiled for Ubuntu 16.04 and OpenSSL 1.0.2g. If you do not have these specific versions of Ubuntu and OpenSSL, contact Ping Identity support.

      1. Run the following command to check your Ubuntu version:

        $ cat /etc/os-release
        NAME="Ubuntu"
        VERSION="16.04.6 LTS (Xenial Xerus)"
        ID=ubuntu
        ID_LIKE=debian
        PRETTY_NAME="Ubuntu 16.04.6 LTS"
        VERSION_ID="16.04"
        HOME_URL="http://www.ubuntu.com/"
        SUPPORT_URL="http://help.ubuntu.com/"
        BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
        VERSION_CODENAME=xenial
        UBUNTU_CODENAME=xenial
      2. Confirm that OpenSSL 1.0.2g is installed by checking the OpenSSL version with the openssl version command:

        $ openssl version
        OpenSSL 1.0.2g  26 Jan 2017
      3. Extract the ASE certificate:

        1. Make sure that ASE is running. If ASE is not running, run the following command on ASE command line to start ASE:

          /opt/pingidentity/ase/bin/start.sh
          Starting API Security Enforcer 4.0.2...
          please see /opt/pingidentity/ase/logs/controller.log for more details

          For more information on starting ASE, see Starting and stopping ASE.

        2. Run the following command to extract the ASE certificate and save it in the test.ase.pi file:

          openssl s_client -connect  <ASE_IP>:<ASE_PORT>   2>/dev/null </dev/null |  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > test.ase.pi
        3. Copy the certificate file to the NGINX machine and configure the certificate path in the nginx.conf file.

      4. Run the following command to download Ubuntu dependencies for compiling NGINX:

        # apt-get -yq install make g++ gcc libpcre3 libpcre3-dev apt-utils zlib1g zlib1g-dev curl openssl libssl-dev
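
The following preflight script is an added example, not part of the PingIntelligence product or its documentation. It checks captured cli.sh status and openssl version output against the values this page requires, and confirms that test.ase.pi is not empty; the function names and the sample status text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Helper names below are illustrative; they are not ASE commands.

# Print the value of one "name : value" line from `cli.sh status` output.
ase_status_field() {  # $1 = status text, $2 = field name
    printf '%s\n' "$1" | awk -F':' -v want="$2" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == want { val = substr($0, index($0, ":") + 1)
                      gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit }'
}

# Return 0 only if ASE is started, in sideband mode, with sideband authentication on.
check_ase_status() {  # $1 = status text
    rc=0
    for pair in "status=started" "mode=sideband" "sideband authentication=enabled"; do
        name=${pair%%=*}; want=${pair#*=}
        got=$(ase_status_field "$1" "$name")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $name is '${got:-missing}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 if `openssl version` output names exactly the required build.
check_openssl() {  # $1 = `openssl version` output, $2 = required version
    [ "$(printf '%s\n' "$1" | awk '{print $2}')" = "$2" ]
}

# Return 0 if the file holds at least one complete PEM block (structure only).
# The extraction command discards s_client errors, so a failed connection leaves it empty.
check_pem_file() {  # $1 = path to the extracted certificate file
    b=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || b=0
    e=$(grep -c -e '-----END CERTIFICATE-----' "$1" 2>/dev/null) || e=0
    [ "$b" -ge 1 ] && [ "$b" -eq "$e" ]
}

# Constructed sample: the status output from step 1 after sideband authentication is enabled.
SAMPLE_STATUS='API Security Enforcer
status                  : started
mode                    : sideband
abs                     : enabled, ssl: enabled
sideband authentication : enabled'

# On a real host, pass "$(/opt/pingidentity/ase/bin/cli.sh status)" and "$(openssl version)".
if check_ase_status "$SAMPLE_STATUS" && check_openssl "OpenSSL 1.0.2k-fips  26 Jan 2017" "1.0.2k-fips"; then
    echo "ASE status and OpenSSL build match the documented prerequisites"
fi
```

Because the extraction command accepts whatever certificate the connection presents, compare the fingerprint of test.ase.pi with the certificate on the ASE machine before configuring it in nginx.conf.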