Preparing to deploy the PingIntelligence policy
Complete the following prerequisites before deploying the PingIntelligence policy.
About this task
The PingIntelligence policy modules are compiled for NGINX 1.14.2. If you have a different version of NGINX, contact Ping Identity support.
Before deploying the PingIntelligence policy:
Steps
-
Install and configure the PingIntelligence software as follows.
For more information on installing PingIntelligence, see PingIntelligence automated deployment for virtual machines and servers or PingIntelligence manual deployment.
-
Sign on to your ASE machine and check that ASE is in sideband mode by running the following status command:
/opt/pingidentity/ase/bin/cli.sh status
Result:
API Security Enforcer
status : started
mode : sideband
http/ws : port 80
https/wss : port 443
firewall : enabled
abs : enabled, ssl: enabled
abs attack : disabled
audit : enabled
sideband authentication : disabled
ase detected attack : disabled
attack list memory : configured 128.00 MB, used 25.60 MB, free 102.40 MB
If ASE is not in sideband mode, then stop ASE and change the mode by editing the /opt/pingidentity/ase/config/ase.conf file. Set mode as sideband and start ASE.
-
For secure communication between NGINX and ASE, enable sideband authentication by entering the following ASE command:
# ./bin/cli.sh enable_sideband_authentication -u admin -p
-
To generate the sideband authentication token in ASE, enter the following command in the ASE command line and save the token for further use in Configuring NGINX for PingIntelligence.
A token is required for NGINX to authenticate with ASE.
# ./bin/cli.sh -u admin -p admin create_sideband_token
-
Configure the following for your operating system:
Choose from:
-
RHEL 7.6:
The PingIntelligence modules for NGINX 1.14.2 are specifically compiled for RHEL 7.6 and OpenSSL 1.0.2k-fips. If you do not have these specific versions of RHEL and OpenSSL, contact Ping Identity support.
-
Verify your RHEL version by entering the following command on your machine:
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 (Maipo)
-
Confirm that OpenSSL 1.0.2k-fips is installed on your RHEL 7.6 machine by checking the OpenSSL version using the openssl version command:
$ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
-
Extract the ASE certificate:
-
Make sure that ASE is running. If ASE is not running, run the following command on the ASE command line to start ASE:
/opt/pingidentity/ase/bin/start.sh
Starting API Security Enforcer 4.0.2...
please see /opt/pingidentity/ase/logs/controller.log for more details
-
For more information on starting ASE, see Starting and stopping ASE.
-
Run the following command to extract the ASE certificate and save it in the test.ase.pi file:
openssl s_client -connect <ASE_IP>:<ASE_PORT> 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > test.ase.pi
-
Copy the certificate file to the NGINX machine and configure the certificate path in the nginx.conf file.
-
Run the following command to download RHEL dependencies for compiling NGINX:
# yum install pcre-devel.x86_64 openssl-devel.x86_64 zlib-devel.x86_64 wget gcc
-
Ubuntu 16.04 LTS:
The PingIntelligence modules are specifically compiled for Ubuntu 16.04 and OpenSSL 1.0.2g. If you do not have these specific versions of Ubuntu and OpenSSL, contact Ping Identity support.
-
Run the following command to check your Ubuntu version:
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04.6 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.6 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
-
Confirm that OpenSSL 1.0.2g is installed on your Ubuntu machine by checking the OpenSSL version using the openssl version command:
$ openssl version
OpenSSL 1.0.2g 26 Jan 2017
-
Extract the ASE certificate:
-
Make sure that ASE is running. If ASE is not running, run the following command on the ASE command line to start ASE:
/opt/pingidentity/ase/bin/start.sh
Starting API Security Enforcer 4.0.2...
please see /opt/pingidentity/ase/logs/controller.log for more details
-
For more information on starting ASE, see Starting and stopping ASE.
-
Run the following command to extract the ASE certificate and save it in the test.ase.pi file:
openssl s_client -connect <ASE_IP>:<ASE_PORT> 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > test.ase.pi
-
Copy the certificate file to the NGINX machine and configure the certificate path in the nginx.conf file.
-
Run the following command to download Ubuntu dependencies for compiling NGINX:
# apt-get -yq install make g++ gcc libpcre3 libpcre3-dev apt-utils zlib1g zlib1g-dev curl openssl libssl-dev
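The checks below are an added example, not Ping Identity code. They parse the cli.sh status output from the sideband step to confirm that ASE is started in sideband mode with sideband authentication enabled, and they confirm that test.ase.pi really contains a certificate, because the extraction command discards s_client errors. The function names and the sample status text are constructed for illustration.

```sh
#!/bin/sh
# Added example: preflight checks for the ASE prerequisites (not Ping Identity code).

# Constructed sample: the `cli.sh status` output shown on this page, trimmed.
SAMPLE_STATUS='API Security Enforcer
status : started
mode : sideband
sideband authentication : disabled'

# Print the value of one "name : value" field from status output on stdin.
ase_status_field() {
    awk -F' : ' -v key="$1" '
        { name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name) }
        name == key { sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit }'
}

# Return 0 only if ASE is started, in sideband mode, with sideband
# authentication enabled; report every field that differs.
check_ase_status() {
    rc=0
    for want in "status=started" "mode=sideband" "sideband authentication=enabled"; do
        key=${want%%=*}; expected=${want#*=}
        actual=$(printf '%s\n' "$1" | ase_status_field "$key")
        if [ "$actual" != "$expected" ]; then
            echo "FAIL: $key is '${actual:-missing}', expected '$expected'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Count complete PEM certificate blocks in a file. The extraction pipeline
# discards s_client errors (2>/dev/null), so a failed connection leaves an
# empty file; a count of 0 means nothing was extracted.
pem_cert_count() {
    awk '/-BEGIN CERTIFICATE-/ { inblk = 1; next }
         /-END CERTIFICATE-/ && inblk { n++; inblk = 0 }
         END { print n + 0 }' "$1"
}

# Refuse an empty file, then print subject, expiry and SHA-256 fingerprint
# for comparison with the certificate installed on ASE.
check_ase_cert() {
    [ "$(pem_cert_count "$1")" -ge 1 ] || { echo "FAIL: no certificate in $1" >&2; return 1; }
    openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256
}

# Usage: check_ase_status "$(/opt/pingidentity/ase/bin/cli.sh status)"
#        check_ase_cert test.ase.pi
```

Compare the printed SHA-256 fingerprint with the certificate installed on ASE before configuring its path in nginx.conf, because the extraction command accepts whatever certificate the remote endpoint presents.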