Configuring Google Pub/Sub
Google Cloud Pub/Sub is an enterprise event-driven message system. API Security Enforcer (ASE) integrates with Google Pub/Sub in ASE sideband mode. When you enable Google Pub/Sub in the ase.conf
file, ASE sends the event message in a JavaScript Object Notation (JSON) file to Google Cloud.
Before you begin
You can verify that Google Pub/Sub is enabled by running the status command:

/opt/pingidentity/ase/bin/cli.sh status -u admin -p admin
API Security Enforcer
status                  : started
mode                    : sideband
http/ws                 : port 80
https/wss               : port 443
firewall                : enabled
abs                     : disabled, ssl: enabled
abs attack              : disabled
audit                   : enabled
sideband authentication : disabled
ase detected attack     : disabled
attack list memory      : configured 128.00 MB, used 25.60 MB, free 102.40 MB
google pubsub           : enabled
About this task
Configure Google Pub/Sub in ASE:
Steps
- Download the key file in JSON format from your Google Pub/Sub account. For more information on generating the key file, see Quickstart: building a functioning Cloud Pub/Sub system.
- Copy the downloaded key JSON file to the /pingidentity/ase/config directory.
- Rename the file to google_application_credentials.json.
- Configure the following Google Pub/Sub options in the ase.conf file.

  enable_google_pubsub
  Set it to true if you want ASE to push metrics data to Google Cloud. The default value is false.
  Note: ASE must be in sideband mode for the Google Pub/Sub configuration to take effect.

  google_pubsub_topic
  The path to your topic for publishing and subscribing to messages. For example, /pingidentity/topic/your_topic.

  google_pubsub_concurrency
  The number of concurrent connections between ASE and Google Pub/Sub. The maximum value is 1024 connections. The default value is 1000 connections.

  google_pubsub_qps
  The number of messages per second that ASE can publish to the topic. The maximum value is 10,000. The default value is 1000.

  google_pubsub_apikey
  The application programming interface (API) key used to establish a connection between ASE and Google Pub/Sub. Configuring the API key for Google Pub/Sub is optional.

  cache_queue_size
  The number of messages that are buffered in cache when ASE cannot publish to Google Pub/Sub. The maximum size of the queue is 10,000 messages. The default value is 300 messages.

  google_pubsub_timeout
  The time in seconds for which ASE tries to publish messages to Google Pub/Sub. If publishing fails, ASE makes three attempts to publish the message, after which it writes the message to the google_pubsub_failed.log file.
Result
ASE sends the event information to Google Pub/Sub in a JSON message. The message captures the following information:
- Method
- URL
- Host
- Request time-stamp
- Request length
- Source IP
- X-forwarded-for IPs
- Response code
- Response length
- Latency in milliseconds
ASE makes three attempts to publish the message to Google Pub/Sub, after which the entire message is logged in the failed log file. The message that is logged in the failed log file is not in plain text. If the message is not published to Google Pub/Sub, you can check the reason for the failure in the balancer.log file. For more information on the balancer.log file, see ASE access, management, and audit logs.
When messages are successfully published to Google Pub/Sub, the message ID is logged in the success log file. The following is a snippet of an event message JSON file logged in the balancer.log file when ASE is running in debug mode:
{
"method": "PUT",
"url": "/shopapi-books/order",
"host": "shop-electronics.cloudhub.io",
"request_timestamp": "1573767522429",
"request_length": "464",
"source_ip": "1.2.3.4",
"x_forwarded_for": "1.1.1.1, 1.1.1.2",
"response_code": "200",
"response_length": "26",
"latency_ms": "208"
}
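As an added example that is not part of this page or of the ASE product, the following Python code does two things a practitioner consuming these events or reviewing an ase.conf would want: it parses the event message shown above (every value arrives as a string, the timestamp is epoch milliseconds, and x_forwarded_for is one comma-separated string) into typed fields, and it checks the documented maximums of the numeric Pub/Sub options. The key=value line layout assumed for ase.conf and the sample event are constructed for this example.

```python
"""Parse an ASE Google Pub/Sub event message and sanity-check the Pub/Sub
options in ase.conf against the limits documented on this page.
Illustrative code written for this page; not ASE's own code."""
import json
from datetime import datetime, timezone

# Constructed sample event in the shape that balancer.log shows in debug mode.
SAMPLE_EVENT = """{
 "method": "PUT", "url": "/shopapi-books/order",
 "host": "shop-electronics.cloudhub.io",
 "request_timestamp": "1573767522429", "request_length": "464",
 "source_ip": "1.2.3.4", "x_forwarded_for": "1.1.1.1, 1.1.1.2",
 "response_code": "200", "response_length": "26", "latency_ms": "208"
}"""

INT_FIELDS = ("request_length", "response_code", "response_length", "latency_ms")

def parse_ase_event(raw):
    """Convert the all-string ASE event JSON into typed fields."""
    msg = json.loads(raw)
    event = {k: msg[k] for k in ("method", "url", "host", "source_ip")}
    for key in INT_FIELDS:
        event[key] = int(msg[key])
    # request_timestamp is epoch milliseconds, carried as a string
    event["request_time"] = datetime.fromtimestamp(
        int(msg["request_timestamp"]) / 1000, tz=timezone.utc)
    # X-Forwarded-For is a single comma-separated string; keep hop order
    xff = msg.get("x_forwarded_for", "")
    event["x_forwarded_for"] = [ip.strip() for ip in xff.split(",") if ip.strip()]
    return event

# Documented maximums for the numeric Pub/Sub options in ase.conf
LIMITS = {"google_pubsub_concurrency": 1024, "google_pubsub_qps": 10000,
          "cache_queue_size": 10000}

def check_pubsub_conf(conf_text):
    """Return the option names whose values exceed the documented maximum.
    Assumes one key=value option per line (an assumption about the file layout)."""
    problems = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if "=" not in stripped or stripped.startswith(("#", ";")):
            continue
        key, _, value = stripped.partition("=")
        key, value = key.strip(), value.strip()
        if key in LIMITS and value.isdigit() and int(value) > LIMITS[key]:
            problems.append(key)
    return problems
```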
Configuring the API key
Before you begin
Obtain the API key for your Google project and configure it in the google_pubsub_apikey option. Obfuscate the API key for it to take effect. For more information on obfuscating keys and passwords, see Obfuscating keys and passwords.
About this task
You can optionally configure the API key in the ase.conf file.
Steps
- Stop ASE. For more information, see Stopping ASE.
- Edit the ase.conf file to add the API key.
- Obfuscate the API key.
- Start ASE. For more information, see Starting ASE.