Changing ABS default settings - PingIntelligence for APIs

Changing ABS default settings - PingIntelligence for APIs - 5.1

PingIntelligence

bundle

pingintelligence-51

ft:publication_title

PingIntelligence

Product_Version_ce

PingIntelligence for APIs 5.1

category

APISecurity

AdvancedAPICybersecurity

Capability

Environment

Product

apisecurity

capability

linux

pi-51

pingintelligence

private

ContentType_ce

You can change the default settings in ABS by editing the abs-defaults.yml file.

The following table lists the variables that you can set for ABS.

Variable	Description
`management_port`	Port for ABS to ASE and REST API to ABS communication. The default value is 8080.
`mongo_username` and `mongo_password`	MongoDB username and password. The default username is `absuser`, and the default password is `abs123`.
`mongo_cache_size`	If you are running all the PingIntelligence components on the same instance, keep the MongoDB cache size to a maximum of 25% of the system memory. If you are running MongoDB on a separate instance, keep the MongoDB cache size to a maximum of 40% of the system memory.
`mongo_ssl`	Default value is `true`. PingIntelligence deployment ships with a default self-signed certificate. Setting it to `false` establishes non-SSL connection between ABS and Mongo.
`mongo_certificate_verify`	Set it to `true` if you want to verify MongoDB SSL server certificate when ABS connects to MongoDB. The default value is `false`. Note: Make sure `mongo_ssl` is set to `true` before setting `mongo_certificate_verify` to `true`.
`mongo_replica_set`	Name of the MongoDB replica set. Default name is `absrs01`.
`attack_initial_training`	The number of hours that you want to train the AI model before it moves to the prediction mode. Default value is 24 hours.
`system_memory`	Memory size in MB allocated to run machine learning jobs. Recommended to be at least 50% of system memory.
`access_key` and `secret_key`	The access key and secret for the admin user. For more information on different ABS users, see ABS users. Note: ":" (colon) is a restricted character and not allowed in access key and secret key.
`access_key_ru` and `secret_key_ru`	The access key and secret for the restricted user. For more information on different ABS users, see ABS users. Note: ":" (colon) is a restricted character and not allowed in access key and secret key.
`jks_password`	The password of the Java Keystore (JKS). The default password is `abs123`.
`Email default settings`	Configure the following settings: `enable_emails`: Set it to `true` for ASE to send email notifications. Default value is false. `smtp_host` and `smtp_port` `sender_email`: Email address used from which email alerts and reports are sent. `email_password`: Password of sender’s email account. `receiver_email`: Email address at which the email alerts and reports are sent.
`CLI admin password`	The default value for CLI admin is `admin`. To change the password, you need the current password.
`poc_mode`	Sets the mode in which AI engine sets the thresholds for the AI models. If set to `true`, AI engine sets thresholds at a lower value. It should be set to `true` only for a proof-of-concept deployment.
`consumer_user`	ABS consumer user in Kafka. Default: `abs_consumer`
`producer_user`	ABS producer user in Kafka. Default: `abs_producer`
`abs_groupid`	ABS group in Kafka. Default: `pi4api.abs`
`consumer_authentication_password`	ABS consumer user password. Default: `changeme`
`producer_authentication_password`	ABS producer user password. Default: `changeme`
`min_insync_replicas`	Minimum number of insync replicas for data in Kafka.
`transactions_topic`	ABS transaction topic in Kafka.
`attacks_topic`	ABS attack topic in Kafka.
`anomalies_topic`	ABS anomalies topic in Kafka.
`topic_partitions`	Number of partitions for topics.
`replication_factor`	Replication factor for topics.
`retention_period`	Retention period of data on topics.
`kafka_server_url`	Pre-existing Kafka `ip:port` that must be configured in `config/abs-defaults.yml`.
`kafka_custom_truststore_password`	Pre-existing Kafka truststore password in `config/abs-defaults.yml`.
`management_port`	API Publish service port. Default: `8050`
`jks_password`	API Publish service JKS password. You can change the password for the JKS file. It will be generated during installation.
`mongo_certificate_verify`	Mongodb Server Certificate Verification for API Publish service. Default: `false`
`server_ssl_key_alias`	Alias for API Publish service SSL JKS file. Default: `pingidentity`
`data_dbname`	API Publish service database name. Default: `abs_data`
`meta_database`	API Publish service metadatabase name. Default: `abs_metadata`
`current_admin_password`	API Publish service CLI password. Default: `admin`
`new_admin_password`	API Publish service new admin password. Default: `admin`

Important:

Make sure to take a backup of the abs-defaults.yml file on a secure machine after the automated installation is complete.

The following is a sample abs-defaults.yml file.

---
abs:
 # Define ports for the PingIntelligence ABS
 # Make sure ports are not same for single server installation
 management_port: 8080
 
 # Mongo DB User and password
 mongo_username: absuser
 mongo_password: abs123
 # Define cache size for MongoDB (% of total RAM).
 # MongoDB will be configured to use this percentage of host memory.
 mongo_cache_size: 25
 # Communication between mongo and ABS
 mongo_ssl: true
 # Mongo DB Server Certificate Verification
 # Set to true if Mongo DB instance is configured in SSL mode and you want to do the server certificate verification
 # By default ABS will not verify the MongoDB server certificate
 mongo_certificate_verify: false
 # Mongo replica set name
 mongo_replica_set: absrs01
 
 # When kafka is set to false in config/hosts, this url will be used
 # Give the host:port combination of mutiple kafka server in comma seperated.
 # Make sure kafka_server_url is accessible from ansible management host, dataengine, and abs nodes.
 #This will be used via dashboard dataengine module too.
 
 kafka_server_url: kafka_1:9093
 
 # When kafka is set to false in config/hosts, this passoword for jks will be used
 #This will be used via dashboard dataengine module too.
 
 kafka_custom_truststore_password: custom
 
 
 
 # Duration of initial training period (units in hours)
 # This value will be set in the mongo nodes
 attack_initial_training: 24
 
 # Memory for webserver and streaming server (unit is in MB)
 system_memory: 4096
 
 # Access keys and secret keys to access ABS
 access_key: abs_ak
 secret_key: abs_sk
 access_key_ru: abs_ak_ru
 secret_key_ru: abs_sk_ru
 
 # Password for ABS keystore
 jks_password: abs123
 
 #Users in Kafka for abs
 consumer_user: abs_consumer
 producer_user: abs_producer
 abs_groupid: pi4api.abs
 
 # Kafka Consumer Producer Password
 consumer_authentication_password: changeme
 producer_authentication_password: changeme
 
 #Kafka Relicas
 min_insync_replicas: 1 
 #topics to be created in kafka
 transactions_topic: pi4api.queuing.transactions
 attacks_topic: pi4api.queuing.ioas
 anomalies_topic: pi4api.queuing.anomalies
 
  #Topic partition ,replication_factor and retention_period(in milli seconds)
  #These will be used when install_kafka is true and topics are created as part of deployment.
 topic_partitions: 1
 replication_factor: 1
 retention_period: 172800000
 
 # Configure Email Alert. Set enable_emails to true to configure
 # email settings for ABS
 enable_emails: false
 smtp_host: smtp.example.com
 smtp_port: 587
 sender_email: sender@example.com
 email_password: password
 receiver_email: receiver@example.com
 
 # CLI admin password
 current_admin_password: admin
 new_admin_password: admin
 
 poc_mode: false

api_publishing_service:
 # Define ports for the PingIntelligence API Publish Service
 # Make sure ports are not same for single server installation
 management_port: 8050
 
 # Password for APIPublish keystore
 jks_password: api123
 
 # Mongo DB Server Certificate Verification
 # Set to true if Mongo DB instance is configured in SSL mode and you want to do the server certificate verification
 # By default apipublish will not verify the MongoDB server certificate
 mongo_certificate_verify: false
 
 server_ssl_key_alias: pingidentity
 
 # MongoDB Database names
 data_dbname: abs_data
 meta_database: abs_metadata
 
 # MongoDB authentication
 # If authentication is not enabled in MongoDB, set the mongo_auth_mechanism to NONE
 # The supported MongoDB authentication mechanisms are DEFAULT and PLAIN.
 # If authentication mechanism is DEFAULT, provide MongoDB username and password for mongo_username
 # and mongo_password. If authentication mechanism is PLAIN, provide external
 # LDAP username and password in mongo_username and mongo_password.
 mongo_authentication_mechanism: DEFAULT
 
 # CLI admin password
 current_admin_password: admin
 new_admin_password: admin

To change the default system memory in theabs.properties file of ABS:

Go to the software directory.
Untar the ABS binary by entering the following command.
```
# tar –zxvf pi-api-abs-5.0.tar.gz
```
Edit the config/abs.properties file to change the default value of system_memory to 50% of host memory.
```
# vi pingidentity/abs/config/abs.properties
```
For example, if host ABS system has 16 GB of memory, set the value to 8192 MB.
Save the file.
Tar the ABS binary and save it with the same file name (pi-api-abs-5.0.tar.gz) in the software directory by entering the following command.
```
# tar -czf pi-api-abs-5.0.tar.gz pingidentity/abs
```