Complete the following before running the PingIntelligence AWS policy tool.

  • Install OpenJDK 11 on the system running the PingIntelligence policy tool.
  • Install PingIntelligence software

    PingIntelligence should be installed and configured. Refer to the PingIntelligence deployment guide for your environment.

  • AWS admin account: To deploy the PingIntelligence sideband policy, an AWS admin account is required.
    Note: Make sure that AWS cross-account access is not used to deploy the PingIntelligence policy.
  • Update CloudFront configuration: Verify the following options are configured correctly:
    • Disable Caching: The PingIntelligence policy deployment tool requires that CloudFront be available with caching disabled for all CloudFront behaviors. Select None (Improves Caching) from the Cache Based on Selected Request Headers drop-down list.
    • TTL: Confirm that Minimum TTL, Maximum TTL, and Default TTL are all set to 0.
    • Forward Cookies: Select All from the drop-down list.
    • Query String Forwarding and Caching: Select Forward all, cache based on all from the drop-down list.

  • Lambda function: The PingIntelligence policy tool requires the viewer request and origin response Lambda function triggers for itself. Make sure that no viewer request or origin response Lambda function is already associated with the cache behavior.
  • Verify that ASE is in sideband mode.

    Check whether ASE is in sideband mode by running the following command in the ASE command line:

    /opt/pingidentity/ase/bin/ status

    The output looks like the following; check the mode line:

    API Security Enforcer
    status                  : started
    mode                    : sideband
    http/ws                 : port 80
    https/wss               : port 443
    firewall                : enabled
    abs                     : enabled, ssl: enabled
    abs attack              : disabled
    audit                   : enabled
    sideband authentication : disabled
    ase detected attack     : disabled
    attack list memory      : configured 128.00 MB, used 25.60 MB, free 102.40 MB

    If ASE is not in sideband mode, stop ASE, edit the /opt/pingidentity/ase/config/ase.conf file to set mode to sideband, and start ASE again.
  • Enable sideband authentication: For secure communication between CloudFront and ASE, enable sideband authentication by entering the following command in the ASE command line:
    # ./bin/ enable_sideband_authentication -u admin -p
  • Generate sideband authentication token

    A token is required for CloudFront to authenticate with ASE. The token is generated in ASE and then configured in the configuration file of the PingIntelligence automated policy tool. To generate the token in ASE, enter the following command in the ASE command line:

    # ./bin/ -u admin -p admin create_sideband_token

    Save the generated authentication token for later use.
Note: For improved performance, you can optionally set the enable_sideband_keepalive parameter to true in the ase.conf file. For more information, see Sideband ASE configuration - ase.conf.
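The CloudFront and ASE prerequisites above can be checked before the policy tool is run. The script below is an added example, not PingIntelligence or AWS code: it parses the ASE status output and a CloudFront DistributionConfig (the JSON returned under "DistributionConfig" by `aws cloudfront get-distribution-config`) and reports every setting that does not match the list above. The field names used for CloudFront are those of the DistributionConfig API; the ASE status text and the distribution config embedded here are constructed samples, and a behavior that uses a cache policy instead of the legacy forwarding settings is flagged for manual review because the page describes only the legacy options.

```python
"""Added example: offline prerequisite checks for the CloudFront cache behavior
and ASE settings required by the PingIntelligence sideband policy tool.
Not PingIntelligence or AWS code; all sample inputs are constructed."""
import json
import sys

# Constructed ASE status output, shaped like the 'status' command output above
# (sideband authentication still disabled, as before the enable step).
SAMPLE_ASE_STATUS = """\
API Security Enforcer
status                  : started
mode                    : sideband
http/ws                 : port 80
https/wss               : port 443
firewall                : enabled
abs                     : enabled, ssl: enabled
abs attack              : disabled
audit                   : enabled
sideband authentication : disabled
ase detected attack     : disabled
attack list memory      : configured 128.00 MB, used 25.60 MB, free 102.40 MB
"""

# Constructed DistributionConfig fragment: the default behavior is compliant,
# the /api/* behavior violates every requirement in the list above.
SAMPLE_DISTRIBUTION_CONFIG = {
    "DefaultCacheBehavior": {
        "MinTTL": 0, "DefaultTTL": 0, "MaxTTL": 0,
        "ForwardedValues": {
            "QueryString": True,
            "QueryStringCacheKeys": {"Quantity": 0},
            "Cookies": {"Forward": "all"},
            "Headers": {"Quantity": 0},
        },
        "LambdaFunctionAssociations": {"Quantity": 0, "Items": []},
    },
    "CacheBehaviors": {
        "Quantity": 1,
        "Items": [{
            "PathPattern": "/api/*",
            "MinTTL": 0, "DefaultTTL": 86400, "MaxTTL": 31536000,
            "ForwardedValues": {
                "QueryString": False,
                "Cookies": {"Forward": "none"},
                "Headers": {"Quantity": 1, "Items": ["Authorization"]},
            },
            "LambdaFunctionAssociations": {
                "Quantity": 1,
                "Items": [{"EventType": "viewer-request",
                           "LambdaFunctionARN": "arn:aws:lambda:us-east-1:000000000000:function:placeholder:1"}],
            },
        }],
    },
}

# The two Lambda@Edge triggers the policy tool needs for itself.
RESERVED_EVENTS = {"viewer-request", "origin-response"}


def parse_ase_status(text):
    """Turn the 'key : value' lines of the ASE status output into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields


def check_ase(text):
    """Return a list of problems; an empty list means ASE is ready."""
    f = parse_ase_status(text)
    problems = []
    if f.get("status") != "started":
        problems.append("ASE is not started")
    if f.get("mode") != "sideband":
        problems.append("ASE mode is %r, expected 'sideband' (set mode=sideband in ase.conf)" % f.get("mode"))
    if f.get("sideband authentication") != "enabled":
        problems.append("sideband authentication is disabled; run enable_sideband_authentication")
    return problems


def check_behavior(name, b):
    """Check one cache behavior against the CloudFront requirements above."""
    problems = []
    for ttl in ("MinTTL", "DefaultTTL", "MaxTTL"):
        if b.get(ttl, 0) != 0:
            problems.append("%s: %s is %s, expected 0" % (name, ttl, b[ttl]))
    fv = b.get("ForwardedValues")
    if fv is None:
        problems.append("%s: uses a cache policy, not legacy forwarding settings; review manually" % name)
    else:
        if fv.get("Headers", {}).get("Quantity", 0) != 0:
            problems.append("%s: Cache Based on Selected Request Headers must be None" % name)
        if fv.get("Cookies", {}).get("Forward") != "all":
            problems.append("%s: Forward Cookies must be All" % name)
        if not fv.get("QueryString") or fv.get("QueryStringCacheKeys", {}).get("Quantity", 0) != 0:
            problems.append("%s: query strings must be 'Forward all, cache based on all'" % name)
    for assoc in b.get("LambdaFunctionAssociations", {}).get("Items", []):
        if assoc.get("EventType") in RESERVED_EVENTS:
            problems.append("%s: %s trigger already has a Lambda function" % (name, assoc["EventType"]))
    return problems


def check_cloudfront(config):
    """Check the default behavior and every additional cache behavior."""
    problems = check_behavior("default", config["DefaultCacheBehavior"])
    for b in config.get("CacheBehaviors", {}).get("Items", []):
        problems.extend(check_behavior(b.get("PathPattern", "?"), b))
    return problems


if __name__ == "__main__":
    # Usage: python check_prereqs.py < distribution-config.json
    config = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DISTRIBUTION_CONFIG
    config = config.get("DistributionConfig", config)
    for p in check_ase(SAMPLE_ASE_STATUS) + check_cloudfront(config):
        print("PROBLEM:", p)
```

Run with the real distribution config on standard input and paste the real `status` output in place of the sample; any line starting with PROBLEM names a setting to fix before the policy tool is run.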