PingIntelligence

ABS configuration - abs.properties

The API Behavioral Security (ABS) configuration file abs.properties is located in the ABS config directory.

The following table explains the parameters and provides recommended values.

Parameter Description

ABS Internet Protocol (IP), port, log level, and Java KeyStore (JKS) password

timezone

Set the timezone to utc or local. The default timezone is utc.

management_port

Port used for communication between ABS and API Security Enforcer (ASE), and between the REST application programming interface (API) and ABS.

The default value is 8080.

log_level

Log detail captured. The default is INFO.

Additional options - DEBUG, ERROR, WARN, FATAL.

jks_password

The password of the JKS Keystore. ABS ships with a default obfuscated password. You can reset the password and obfuscate it. This password should be the same one that you use when importing your CA-signed certificate.

ABS performance configurations

system_memory

Memory size in MB allocated to run machine learning jobs. Recommended to be at least 50% of system memory.

queue_size

Do not change the value of this parameter. The default is 10.

ABS email configurations for alerts and reporting

enable_emails

Enable (true) or disable (false) ABS email notifications.

sender_email

Email address used for sending email alerts and reports.

receiver_email

Email address notified about alerts and reports. If you want more than one person to be notified, use an email alias.

email_password

Password of sender’s email account.

You can leave this field blank if your SMTP server does not require authentication.

smtp_port

Port number of SMTP server.

smtp_host

Hostname of SMTP server.

smtp_ssl

Set to true if you want email communication to be over SSL. Make sure that the SMTP server supports SSL. If you set smtp_ssl to true and the SMTP server does not support SSL, email communication falls back to the non-SSL channel. The default value is true.

Set it to false if email communication is over a non-SSL channel. Email communication fails if you set the parameter to false but the SMTP server supports only SSL communication.

smtp_cert_verification

Set to true if you want ABS to verify the SMTP server’s SSL certificate. The default value is false.

If you set it to false, ASE does not verify the SMTP server’s SSL certificate; however, the communication is still over SSL.

If you have configured an IP address as smtp_host and set smtp_cert_verification to true, then make sure that the certificate configured on the SMTP server has the following:

X509v3 extensions:
           X509v3 Key Usage:
              Key Encipherment, Data Encipherment
           X509v3 Extended Key Usage:
              TLS Web Server Authentication
           X509v3 Subject Alternative Name:
               IP Address: X.X.X.X

Here X.X.X.X is the IP address configured in smtp_host.

MongoDB configurations

mongo_rs

Comma-separated MongoDB replica set URI. A maximum of three nodes can be configured.

metadata_dbname

The MongoDB metadata database name.

The default value is abs_metadata.

data_dbname

The MongoDB data database name.

The default value is abs_data.

mldata_dbname

The MongoDB machine learning database name.

The default value is abs_mldata.

mongo_auth_mechanism

Defines the method that MongoDB uses to authenticate. The possible values are:

  • NONE - Set it to NONE if authentication is not configured in MongoDB.

  • DEFAULT - Set it to DEFAULT if you want to use native MongoDB username and password. Provide the values in the next two variables.

  • PLAIN - Set it to PLAIN if you want to use LDAP authentication. In this case, provide the LDAP username and password in the next two variables.

mongo_username

Username of MongoDB.

Required for MongoDB authentication.

mongo_password

MongoDB password

mongo_ssl

Set it to true if MongoDB is configured to use SSL connections. The default value is false.

mongo_certificate

Set it to true if you want to verify MongoDB SSL server certificate when ABS connects to MongoDB. The default value is false.

Make sure mongo_ssl is set to true before setting mongo_certificate to true.

ABS reporting node

dashboard_node

When set to true, the ABS node is designated as a dedicated Reporting or Dashboard node. This ABS node does not process log data or participate in an ABS cluster.

The default value is false.

Multiple nodes can be Reporting or Dashboard nodes.

Cloud and OAuth configurations

The following parameters are applicable when ABS is running in cloud mode. These are preset configurations, which should not be edited.

bucket_name

The Amazon Web Services (AWS) S3 bucket name.

env_id

The environment id of the tenant.

deployment_type

The ABS deployment mode. Valid values are cloud or onprem. The default value is onprem.

oauth_audience

The audience claim of the access token.

oauth_issuer_whitelist

The list of valid JSON Web Token (JWT) issuers from whom the tokens are expected.

oauth_jwks_endpoint

The JWKS endpoint.

A sample abs.properties file is displayed below.

# Ping Identity Corporation, ABS config file
# All the keys should be present, leave blank value if not applicable

# Set the timezone to utc or local. The default timezone is utc.
timezone=utc
# REST API port
management_port=8080
# Log levels (ALL > DEBUG > INFO > WARN > ERROR > FATAL > OFF)
log_level=DEBUG
# Java KeyStore password
jks_password=OBF:AES:Q3vcrnj7VZILTPdJnxkOsyimHRvGDQ==:daYWJ5QgzxZJAnTkuRlFpreM1rsz3FFCulhAUKj7ww4=
# MongoDB replica set URI. For example, mongodb://<IP1>:<Port>,<IP2>:<Port>,<IP3>:<Port>. Maximum three nodes can be configured.
mongo_rs=mongodb://localhost:27017
# MongoDB Database
metadata_dbname=abs_metadata
data_dbname=abs_data
mldata_dbname=abs_mldata
# MongoDB authentication
# If authentication is not enabled in MongoDB, set the mongo_auth_mechanism to NONE
# The supported MongoDB authentication mechanisms are DEFAULT and PLAIN.
# If authentication mechanism is DEFAULT, provide MongoDB username and password for mongo_username
# and mongo_password. If authentication mechanism is PLAIN, provide external
# LDAP username and password in mongo_username and mongo_password.
mongo_auth_mechanism=DEFAULT
mongo_username=absuser
mongo_password=OBF:AES:Q3vcrnj7VZILTPdJnxkOsyimHRvGDQ==:daYWJ5QgzxZJAnTkuRlFpreM1rsz3FFCulhAUKj7ww4=
# Mongo DB SSL
# Set to true if Mongo DB instance is configured in SSL mode.
# By default, ABS will try to connect to Mongo using non-SSL connection
mongo_ssl=false
# Mongo DB Server Certificate Verification
# Set to true if Mongo DB instance is configured in SSL mode and you want to do the server certificate verification
# By default ABS will not verify the MongoDB server certificate
mongo_certificate=false
# Job queue size per node
queue_size=10
# Setting as true makes an ABS node for dashboard query only and does not participate in ABS cluster for log processing
dashboard_node=false
# Memory for webserver and streaming server (unit is in MB)
system_memory=4096
# E-mail alerts
enable_emails=false
# SMTP host
smtp_host=smtp.example.com
# SMTP port
smtp_port=587
# Set this value to true if smtp host support SSL
smtp_ssl=true
# Set this value to true if SSL certificate verification is required
smtp_cert_verification=false
# Sender email id
sender_email=sender@example.com
# Sender's email password
email_password=OBF:AES:UXzB+y+69Bn3xiX6N822ad4hf5IfNfJY9w==:T+QzM6qtc0+6MVsx4gU5p0LMHAI/y+w8DDsWv6VxVAk=
# Receiver's email id
receiver_email=receiver@example.com
# Set this value to appropriate AWS S3 Bucket name, if ABS is running in cloud mode
bucket_name=
# Set this value to appropriate Env Id, if ABS is running in cloud mode
env_id=
# Set this value to either cloud / onprem, as per the ABS running mode. By default set to onprem
deployment_type=onprem
# Token validation params
# Audience
oauth_audience=
# Issuer whitelist
oauth_issuer_whitelist=
# JWKS endpoint
oauth_jwks_endpoint=
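
The constraints in the parameter table can be checked mechanically before a node is started. The following Python code is an added example, not part of PingIntelligence or its documentation: it parses an abs.properties file and reports settings that break a documented constraint or leave SSL, certificate verification or authentication off. It assumes that obfuscated values begin with OBF: as in the sample file above; the function names and the sample input are constructed for illustration.

```python
SECRETS = ("jks_password", "mongo_password", "email_password")

def parse_properties(text):
    """Parse key=value lines; split on the first '=' because obfuscated values contain '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return (key, finding) pairs for settings that break or weaken the documented rules."""
    out = []
    on = lambda k: props.get(k, "").lower() == "true"
    for key in SECRETS:
        # Assumption: obfuscated values start with "OBF:", as in the page's sample file.
        if props.get(key) and not props[key].startswith("OBF:"):
            out.append((key, "password is not obfuscated"))
    if props.get("mongo_auth_mechanism") == "NONE":
        out.append(("mongo_auth_mechanism", "MongoDB authentication is off"))
    if not on("mongo_ssl"):
        out.append(("mongo_ssl", "MongoDB connection is not over SSL"))
        if on("mongo_certificate"):
            out.append(("mongo_certificate", "set mongo_ssl=true first"))
    elif not on("mongo_certificate"):
        out.append(("mongo_certificate", "MongoDB server certificate is not verified"))
    if on("enable_emails") and on("smtp_ssl") and not on("smtp_cert_verification"):
        out.append(("smtp_cert_verification", "SMTP server certificate is not verified"))
    if len(props.get("mongo_rs", "").split(",")) > 3:
        out.append(("mongo_rs", "more than three replica set nodes"))
    if props.get("queue_size", "10") != "10":
        out.append(("queue_size", "changed from the default of 10"))
    return out

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
jks_password=OBF:AES:AAAA==:BBBB=
mongo_rs=mongodb://10.0.0.1:27017,10.0.0.2:27017,10.0.0.3:27017,10.0.0.4:27017
mongo_password=hunter2
mongo_ssl=false
mongo_certificate=true
enable_emails=true
smtp_ssl=true
smtp_cert_verification=false
"""
if __name__ == "__main__":
    for key, finding in audit(parse_properties(SAMPLE)):
        print(f"{key}: {finding}")
```
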