Complete the following steps to install PingIntelligence Dashboard:
- Create a
<ping_install_dir>directory on your host machine. Make sure that the user has read and write permissions for the<ping_install_dir>directory. - Download the PingIntelligence Dashboard binary
- Download Elasticsearch 6.8.1 (macOS/RHEL)
- Change directory to
ping_install_dir:# cd pi_install_dir - Untar the PingIntelligence Dashboard:
# tar -zxf pi-api-dashboard-5.1.tar.gz - Change directory to
pingidentity/webgui/
# cd pingidentity/webgui/ - Install PingIntelligence Dashboard by entering the following command and follow the
instructions displayed on the prompt:
# ./bin/pi-install-ui.sh# ./bin/pi-install-ui.sh elasticsearch-7.13.4.tar.gz file path > Use bundled ssl key and self signed certificate for ui server [y/n]? >[y] Use default password [changeme] for all components and users [y/n]? >[y] ABS url >[https://127.0.0.1:8080] ABS access key >[abs_ak] ABS secret key >[abs_sk] API Service URL >[https://127.0.0.1:8050] Kafka Host:Port >[127.0.0.1:9093] Kafka Authentication username >[pi4api_de_user] Kafka Group ID >[pi4api.data-engine] ASE management url >[] extracting elasticsearch package creating elasticsearch config keystore warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME Created elasticsearch keystore in <pi_install_dir>/pingidentity/elasticsearch/config/elasticsearch.keystore elasticsearch config keystore created Generating a 2048 bit RSA private key ..........................................+++ ........................+++ writing new private key to 'config/ssl/autogen_es.key' ----- creating password protected pkcs#12 keystore for elasticsearch private key and certificate pkcs#12 keystore created at config/ssl/elastic-certificates.p12 warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME configuring elasticsearch. Please wait 15 seconds warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release. elasticsearch config is completed configuring dataengine configuring webgui starting webgui for configuration update WebGUI configured for UTC timezone. WebGUI 5.1 starting... please see <pi_install_dir>/pingidentity/webgui/logs/admin/admin.log for more details success: password updated. Note: All active sessions for this user are invalidated. Login with new credentials success: password updated. Note: All active sessions for this user are invalidated. Login with new credentials WebGUI 5.1 WebGUI is stopped. webgui configuration done UI configuration done writing internal credentials to <pi_install_dir>/pingidentity/webgui/install/webgui_internal.creds Start UI [y/n]? >[y] starting elasticsearch... warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release. elasticsearch started starting dataengine Data Engine configured for UTC timezone. PingIntelligence Data Engine 5.1 starting... Data-Engine started starting webgui WebGUI configured for UTC timezone. WebGUI 5.1 starting... please see <pi_install_dir>/pingidentity/webgui/logs/admin/admin.log for more details Please access WebGUI at https://<pi_install_host>:8030 <pi_install_host> can be ip address, hostname or fully qualified domain name of this server. <pi_install_host> should be reachable from your computer. Credentials: 1) Username: admin Password: changeme 2) Username: ping_user Password: changeme Important Actions: 1) Credentials for all internal components are available in <pi_install_dir>/pingidentity/webgui/install/webgui_internal.creds file. Move this file from this server and securely keep it elsewhere. For any debugging purposes you will be asked to get credentials for a component from this file. 2) Following obfuscation master keys are auto-generated <pi_install_dir>/pingidentity/webgui/config/webgui_master.key <pi_install_dir>/pingidentity/dataengine/config/dataengine_master.key
Note:
The ASE management url is an optional parameter.
Verify the installation
You can verify the installation by checking the process IDs (PID) of each component. You
can check the pid of components at the following location:
- Elasticsearch: <pi_install_dir>/elasticsearch/logs/elasticsearch.pid
- Dataengine: <pi_install_dir>/dataengine/logs/dashboard.pid
- Webgui: <pi_install_dir>/webgui/logs/webgui.pid
Tune Dashboard performance parameters
Configure the following three parameters for Dashboard's better performance. Note that the following tuning parameters if you have your setup of Elasticsearch.
If you have used PingIntelligence automated deployment or pi-install-ui.sh
script to deploy Dashboard, these tuning are done as part of installation.
| Parameter | Description | Location |
|---|---|---|
| Elasticsearch | ||
| -Xms and -Xmx |
|
$ES_HOME/config/jvm.options |
| thread_pool.search.size | Defines thread pool size for count/search/suggest operations in Elasticsearch. Configure it to 50% of total CPUs allocated. | $ES_HOME/config/elasticsearch.yml |
Mitigating Cross-Site-Scripting (XSS)
To detect and mitigate attacks like Cross Site Scripting(XSS), PingIntelligence Dashboard implements Content Security Policy (CSP). The following are the configuration details.
Response header - Content-Security-Policy
Response header value - default-src ‘self’; font-src ‘self’ use.typekit.net;
script-src ‘self’ use.typekit.net; style-src ‘self’ ‘unsafe-inline’ use.typekit.net
p.typekit.net; img-src ‘self’ data: p.typekit.net;