For production environments, Ping Identity recommends setting up a cluster of ASE nodes for improved performance and availability.

Note: Enable NTP on each ASE node system. All cluster nodes must be in the same time zone.

To set up an ASE cluster node:

  1. Navigate to the config directory.
  2. Edit the ase.conf file:
    1. Set enable_cluster=true for all cluster nodes.
    2. Confirm that the parameter mode is the same on each ASE cluster node, either inline or sideband. If parameter mode values do not match, the nodes will not form a cluster.
  3. Edit the cluster.conf file:
    1. Configure cluster_id with an identical value for all nodes in a single cluster (for example, cluster_id=shopping).
    2. Enter the port number in the cluster_manager_port parameter. The ASE node uses this port to communicate with other nodes in the cluster.
    3. Enter an IPv4 address or hostname with the port number for peer_node, which is the first (or any existing) node in the cluster. Leave peer_node empty for the first cluster node.
    4. Provide the cluster_secret_key, which must be the same on each cluster node. It must be entered on each cluster node before the nodes can connect to each other.

    Here is a sample cluster.conf file:

    ; API Security Enforcer's cluster configuration.
    ; This file is in the standard .ini format. The comments start with a 
    ; semicolon (;).
    ; Section is enclosed in []
    ; Following configurations are applicable only if cluster is enabled 
    ; with true in ase.conf
    ; unique cluster id.
    ; valid character class is [ A-Z a-z 0-9 _ - . / ]
    ; nodes in same cluster should share same cluster id
    cluster_id=ase_cluster
    
    ; cluster management port.
    cluster_manager_port=8020
    
    ; cluster peer nodes.
    ; a comma-separated list of hostname:cluster_manager_port or 
    ; IPv4_address:cluster_manager_port
    ; this node will try to connect all the nodes in this list
    ; they should share same cluster id
    peer_node=
    
    ; cluster secret key.
    ; maximum length of secret key is 128 characters (deobfuscated length).
    ; every node should have same secret key to join same cluster.
    ; this field can not be empty.
    ; change default key for production.
    cluster_secret_key=OBF:AES:nPJOh3wXQWK/BOHrtKu3G2SGiAEElOSvOFYEiWfIVSdu
  4. After configuring an ASE node, start the node by running the following command:
    /opt/pingidentity/ase/bin/start.sh
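
Before starting the nodes, the settings from steps 2 and 3 can be checked across all nodes at once. The following script is an added example, not part of the ASE distribution: the function names, node names and sample input are constructed for illustration, and it assumes the key strings are comparable as stored in each file.

```python
import re

# Key value printed in the sample cluster.conf above; it must not reach production.
SAMPLE_KEY = "OBF:AES:nPJOh3wXQWK/BOHrtKu3G2SGiAEElOSvOFYEiWfIVSdu"
ID_RE = re.compile(r"[A-Za-z0-9_\-./]+")          # character class from the sample file
PEER_RE = re.compile(r"[A-Za-z0-9.\-]+:\d{1,5}")  # hostname:port or IPv4:port

def parse_conf(text):
    """Return key=value pairs, skipping blanks, ';' comments and [section] headers."""
    conf = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith((";", "[")) and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def check_cluster(nodes):
    """nodes maps a node name to (ase.conf text, cluster.conf text); returns findings."""
    findings, parsed = [], {}
    for name, (ase_text, cluster_text) in nodes.items():
        conf = parsed[name] = {**parse_conf(ase_text), **parse_conf(cluster_text)}
        if conf.get("enable_cluster") != "true":
            findings.append(f"{name}: enable_cluster is not true")
        if conf.get("mode") not in ("inline", "sideband"):
            findings.append(f"{name}: mode is not inline or sideband")
        if not ID_RE.fullmatch(conf.get("cluster_id", "")):
            findings.append(f"{name}: cluster_id is missing or has invalid characters")
        port = conf.get("cluster_manager_port", "")
        if not (port.isdecimal() and 0 < int(port) < 65536):
            findings.append(f"{name}: cluster_manager_port is not a valid port")
        key = conf.get("cluster_secret_key", "")
        if not key or key == SAMPLE_KEY:  # never echo the key itself in a finding
            findings.append(f"{name}: cluster_secret_key is empty or the sample value")
        for peer in filter(None, map(str.strip, conf.get("peer_node", "").split(","))):
            if not PEER_RE.fullmatch(peer):
                findings.append(f"{name}: peer_node entry {peer!r} is not host:port")
    # Assumption: keys are compared as stored in the file on each node.
    for field in ("mode", "cluster_id", "cluster_secret_key"):
        if len({conf.get(field) for conf in parsed.values()}) > 1:
            findings.append(f"{field} differs between nodes")
    return findings

# Constructed sample input: two nodes whose mode values do not match.
CLUSTER = "cluster_id=shopping\ncluster_manager_port=8020\ncluster_secret_key=constructed-key\n"
SAMPLE_NODES = {
    "node1": ("enable_cluster=true\nmode=inline\n", CLUSTER + "peer_node=\n"),
    "node2": ("enable_cluster=true\nmode=sideband\n", CLUSTER + "peer_node=node1.example:8020\n"),
}

if __name__ == "__main__":
    print("\n".join(check_cluster(SAMPLE_NODES)) or "cluster settings are consistent")
```

Findings name the node and the setting but never print the key, so the output can be pasted into a ticket or a change record.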