PingIntelligence

Preparing to run the AWS policy tool

Before running the PingIntelligence AWS policy tool, complete the following prerequisites.

About this task

Before running the PingIntelligence AWS policy tool:

Steps

  1. Install OpenJDK 11 on the system running the PingIntelligence policy tool.

  2. Install and configure the PingIntelligence software. Refer to the PingIntelligence deployment guide for your environment.

    To deploy the PingIntelligence sideband policy, you must have an AWS admin account.

    Make sure that AWS cross-account is not used to deploy PingIntelligence policy.

  3. To update the CloudFront configuration, verify the following options are configured correctly:

    1. The PingIntelligence policy deployment tool requires that CloudFront be available with caching disabled for all CloudFront behaviors. Select None (Improves Caching) from the Cache Based on Selected Request Headers drop-down list.

    2. Confirm that Minimum TTL, Maximum TTL, and the Default TTL are set to 0.

    3. For Forward Cookies, select All from the drop-down list.

    4. Under Query String Forwarding and Caching, select Forward all, cache based on all from the drop-down list.

    A screenshot of Edit Behavior page. A yellow box is around the Cache Based on Selected Request Headers field, the TTL fields, and the Forward Cookies + Query String Forwarding and Caching fields.

  4. The PingIntelligence policy tool requires viewer request and origin response Lambda functions. Make sure that there is no viewer request or origin response Lambda function defined in the caching behavior.

  5. Verify that ASE is in sideband mode by running the following command in the ASE command line:

    /opt/pingidentity/ase/bin/cli.sh status

    Result:

    API Security Enforcer
status                  : started
 mode : sideband
http/ws                 : port 80
https/wss               : port 443
firewall                : enabled
abs                     : enabled, ssl: enabled
abs attack              : disabled
audit                   : enabled
sideband authentication : disabled
ase detected attack     : disabled
attack list memory      : configured 128.00 MB, used 25.60 MB, free 102.40 MB

    Troubleshooting:

    If ASE is not in sideband mode, then stop ASE and change the mode by editing the /opt/pingidentity/ase/config/ase.conf file. Set mode as sideband and start ASE.

  6. For a secure communication between CloudFront and ASE, enable sideband authentication by entering the following command in the ASE command line:

    # ./bin/cli.sh enable_sideband_authentication -u admin –p

  7. A token is required for CloudFront to authenticate with ASE. This token is generated in ASE and configured in the aws.properties file of the PingIntelligence automated policy tool. To generate the token in ASE, enter the following command in the ASE command line and save the generated authentication token for further use:

    # ./bin/cli.sh -u admin -p admin create_sideband_token

  8. Optional: For improved performance, set the enable_sideband_keepalive parameter to true in the ase.conf file.

    For more information, see Sideband ASE configuration using the ase.conf file.