To connect ASE to ABS, configure the ABS address (IPv4:Port or Hostname:Port), access key, and secret key in the abs.conf file located in the /opt/pingidentity/ase/config directory.
The parameter values and descriptions are included in the following table:
Parameter | Description |
abs_endpoint | Hostname and port or the IPv4 and port of all the ABS nodes |
access_key | The access key or the username for the ABS nodes. It is the same for all the ABS nodes. The same value has to be configured in the ABS MongoDB database. This value is obfuscated during the start of ASE. Note: ":" is a restricted character and is not allowed in the access key. |
secret_key | The secret key or the password for the ABS nodes. It is the same for all the ABS nodes. The same value has to be configured in the ABS MongoDB database. This value is obfuscated during the start of ASE. Note: ":" is a restricted character and is not allowed in the secret key. |
enable_ssl | Set the value to true for SSL communication between ASE and ABS. The default value is true. ASE sends the access log files in plain text if the value is set to false. |
abs_ca_cert_path | Location of the trusted CA certificates for SSL/TLS connections from ASE to ABS. If the path parameter value is left empty, then ASE does not verify the validity of CA certificates. However, the connection to ABS is still encrypted. |
Here is a sample abs.conf file:
; API Security Enforcer ABS configuration.
; This file is in the standard .ini format. The comments start with a semicolon (;).
; Following configurations are applicable only if ABS is enabled with true.
; a comma-separated list of abs nodes having hostname:port or ipv4:port as an address.
abs_endpoint=127.0.0.1:8080
; access key for abs node
access_key=OBF:AES://ENOzsqOEhDBWLDY+pIoQ:jN6wfLiHTTd3oVNzvtXuAaOG34c4JBD4XZHgFCaHry0
; secret key for abs node
secret_key=OBF:AES:Y2DadCU4JFZp3bx8EhnOiw:zzi77GIFF5xkQJccjIrIVWU+RY5CxUhp3NLcNBel+3Q
; Setting this value to true will enable encrypted communication with ABS.
enable_ssl=true
; Configure the location of ABS's trusted CA certificates. If empty, ABS's certificate
; will not be verified
abs_ca_cert_path=
Configuring ASE-ABS encrypted communication
To enable SSL communication between ASE and ABS, so that the access logs are encrypted when they are sent to ABS, set the value of enable_ssl to true. The abs_ca_cert_path is the location of ABS’s trusted CA certificate. If the field is left empty, ASE does not verify ABS’s certificate; however, the communication is still encrypted.
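A lint for the abs.conf settings described above, as an added example that is not part of the original documentation or of the product's tooling. The function names and the sample input are constructed, and the check assumes that obfuscated values carry the OBF: prefix seen in the sample file.

```python
# Constructed sample input (not a real deployment): SSL is on, but no CA path
# is set and the secret key is still in clear text.
SAMPLE_CONF = """\
; constructed sample
abs_endpoint=192.0.2.10:8080,abs2.example.internal:8080
access_key=OBF:AES:CONSTRUCTED_IV:CONSTRUCTED_CIPHERTEXT
secret_key=plain:secret
enable_ssl=true
abs_ca_cert_path=
"""

def parse_abs_conf(text):
    """Parse key=value lines; ';' starts a comment; split on the first '=' only."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_abs_conf(conf):
    """Return (parameter, finding) tuples for settings that weaken the ASE-ABS link."""
    findings = []
    # enable_ssl defaults to true when absent, per the parameter table.
    if conf.get("enable_ssl", "true").lower() != "true":
        findings.append(("enable_ssl", "access logs are sent to ABS in plain text"))
    elif not conf.get("abs_ca_cert_path"):
        findings.append(("abs_ca_cert_path",
                         "empty: traffic is encrypted but the ABS certificate is not verified"))
    for name in ("access_key", "secret_key"):
        value = conf.get(name, "")
        if not value:
            findings.append((name, "missing"))
        elif not value.startswith("OBF:"):
            # Assumption: obfuscated values carry the OBF: prefix seen in the sample file.
            findings.append((name, "not obfuscated (ASE obfuscates it at start)"))
            if ":" in value:
                findings.append((name, "contains ':', a restricted character"))
    for node in conf.get("abs_endpoint", "").split(","):
        host, _, port = node.strip().rpartition(":")
        if not host or not port.isdecimal() or not 0 < int(port) < 65536:
            findings.append(("abs_endpoint", f"malformed node address: {node.strip()!r}"))
    return findings

if __name__ == "__main__":
    for param, finding in audit_abs_conf(parse_abs_conf(SAMPLE_CONF)):
        print(f"{param}: {finding}")
```

An empty abs_ca_cert_path is reported only when enable_ssl is true, because with SSL disabled the plain-text transport is the finding that matters.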
Check and open ABS ports
/opt/pingidentity/ase/util ./check_ports_ase.sh {ABS IPv4:[port]}