Change ASE default settings - PingIntelligence for APIs

Change ASE default settings - PingIntelligence for APIs - 5.1

PingIntelligence

bundle

pingintelligence-51

ft:publication_title

PingIntelligence

Product_Version_ce

PingIntelligence for APIs 5.1

category

APISecurity

AdvancedAPICybersecurity

Capability

Environment

Product

apisecurity

capability

linux

pi-51

pingintelligence

private

ContentType_ce

You can change the default settings in ASE by editing the ase-defaults.yml file.

The following table lists the variables that you can set for ASE.

Variable	Description
`mode`	Sets the mode in which ASE is deployed. The default value is `inline`. Set the value to `sideband` if you want ASE to work in the sideband mode.
`http_ws_port`	Data port used for HTTP or WebSocket protocol. The default value is 8000.
`https_wss_port`	Data port used for HTTPS or secure WebSocket protocol. The default value is 8443.
`management_port`	Management port used for CLI and REST API management. The default value is 8010.
`cluster_manager_port`	ASE node uses this port number to communicate with other ASE nodes in the cluster. The default value is 8020.
`keystore_password`	The password for ASE keystore. The default password is `asekeystore`.
`cluster_secret_key`	This key is used for authentication among ASE cluster node. All the nodes of the cluster must have the same `cluster_secret_key`. This key must be entered manually on each node of the ASE cluster for the nodes to communicate with each other. The default value is `yourclusterkey`.
`enable_ase_detected_attack`	This key is used to enable ASE to block auto detected attacks. Set this value to `true` to allow ASE to block auto detected attacks. The default value is `false`.
`enable_abs_attack`	This key is used to enable ASE to fetch attack list from ABS. Set this value to `true` to fetch the list from ABS. The default value is `false`.
`enable_sideband_keepalive`	This key is used only in ASE sideband mode. If set to `true`, ASE sends a keep-alive in response header for the TCP connection between API gateway and ASE. With the default `false` value, ASE sends a connection close in response header for connection between API gateway and ASE.
`Email default settings`	Configure the following settings: `enable_emails`: Set it to `true` for ASE to send email notifications. Default value is false. `smtp_host` and `smtp_port` `sender_email`: Email address used from which email alerts and reports are sent. `email_password`: Password of sender’s email account. `receiver_email`: Email address to which the email alerts and reports are sent.
`CLI admin password`	The default value for CLI admin is `admin`. To change the password, you need the current password.
`enable_abs_publish`	Determines whether the API Security Enforcer fetches the published API list from ABS. Default: `true`
`abs_publish_request_minutes`	Determines in minutes how often API Security Enforcer will get the published API list from ABS. Default: `10`
`enable_strict_request_parser`	Determines whether ASE parsing blocks requests with invalid header starts. Default: `true`

Important:

Make sure to take a backup of the ase-defaults.yml file on a secure machine after the automated installation is complete.

The following is a sample ase-defaults.yml file.

---
ase:
 # Deployment mode for ASE. Valid values are inline or sideband
 mode: inline
 
 # Define ports for the PingIntelligence API Security Enforcer
 # Make sure ports are not same for single server installation
 http_ws_port: 8000
 https_wss_port: 8443
 management_port: 8010
 cluster_manager_port: 8020
 
 # Password for ASE keystore
 keystore_password: asekeystore
 
 # cluster_secret_key for ASE cluster
 cluster_secret_key: yourclusterkey
 
 # Set this value to true, to allow API Security Enforcer to block auto detected attacks.
 enable_ase_detected_attack: false
 # Set this value to true, to allow API Security Enforcer to fetch attack list from ABS.
 enable_abs_attack: true
 
 # enable keepalive for ASE in sideband mode
 enable_sideband_keepalive: false
 
 # Set this value to true, to allow API Security Enforcer to fetch published API list from ABS.
 enable_abs_publish: true
 
 #This value determines how often API Security Enforcer will get published API list from ABS.
 abs_publish_request_minutes: 10
 
 
 # enable strict parsing checks for client requests
 # If enabled, ASE will block request with invalid header start
 # If disabled, it will allow requests
 enable_strict_request_parser: true
 
 # Configure Email Alert. Set enable_emails to true to configure
 # email settings for ASE
 enable_emails: false
 smtp_host: smtp.example.com
 smtp_port: 587
 sender_email: sender@example.com
 email_password: password
 receiver_email: receiver@example.com
 
 # CLI admin password
 current_admin_password: admin
 new_admin_password: admin