Configuring PingIntelligence servlet filter - PingIntelligence for APIs

Configuring PingIntelligence servlet filter - PingIntelligence for APIs - 4.4

PingIntelligence

bundle

pingintelligence-44

ft:publication_title

PingIntelligence

Product_Version_ce

PingIntelligence for APIs 4.4

category

APISecurity

AdvancedAPICybersecurity

Capability

Environment

Product

apisecurity

capability

linux

pi-44

pingintelligence

private

ContentType_ce

Page created: 6 Nov 2020 |

Page updated: 12 May 2021

| 2 min read

4.4 Capability API Security Advanced API Cybersecurity Linux On-Premises Operating System Hosting Environment PingIntelligence for APIs Product

Configure the servlet filter for PingIntelligence policy in the webdefault.xml file in PingFederate.

To define the PingIntelligence for APIs servlet filter:

Add the the following filter configuration to the <pf_install>/pingfederate/etc/webdefault.xml file. Add the filter configuration within the <web-app></web-app> element.

Note:

If there are multiple filters in the webdefault.xml file, then place pi4APIFilter at the end.

<filter>
    <filter-name>pi4APIFilter</filter-name>
    <filter-class>com.pingidentity.pi.servlets.PI4APIServletFilter</filter-class>
    <init-param>
        <param-name>ASE-Primary-URL</param-name>
        <param-value>https://<IP address of primary ASE>:<Port number></param-value>
    </init-param>
    <init-param>
        <param-name>ASE-Secondary-URL</param-name>
        <param-value>https://<IP address of secondary ASE>:<Port number></param-value>
    </init-param>
    <init-param>
        <param-name>ASE-Token</param-name>
        <param-value><ASE authentication token></param-value>
    </init-param>
    <init-param>
          <param-name>Enable-Blocking</param-name>
          <param-value>false</param-value>
      </init-param>
  </filter>
  <filter-mapping>
    <filter-name>pi4APIFilter</filter-name>
    <url-pattern>/as/token.oauth2</url-pattern>
  </filter-mapping>

Make sure the following configurations are set correctly:
- The filter-class element is configured to com.pingidentity.pi.servlets.PI4APIServletFilter.
- The pi4APIFilter is mapped to the token endpoint URL of PingFederate by configuring the url-pattern element to /as/token.oauth2.
- The filter-name element in both the <filter> and <filter-mapping> blocks is pi4APIFilter.

Substitute the actual values for the init parameters in the pi44APIFilter filter.

The following table explains the PI4API init parameters in detail. They control the communication with API Security Enforcer (ASE). You can contact PingIdentity support team for the actual values of these parameters.

Parameter name	Description
ASE-Primary-URL	The URL or IP address of the ASE primary host. Note: To support high availability, PingIntelligence provides ASE primary and secondary nodes.
ASE-Secondary-URL	The URL or IP address of the ASE secondary host.
ASE-Token	The ASE sideband authentication token. You can obfuscate the sideband authentication token using one of the following utilities available in the PingFederate `<pf_install>`/pingfederate/bin/ directory: On Windows: obfuscate.bat On Linux: ./obfuscate.sh If you need further assistance in using the utility, contact Ping Identity support.
Enable-Blocking	You can optionally block a client that has been detected executing an attack. To block the client, you need to enable blocking in ASE by setting the Enable-Blocking to `true`. The default value is`false`.