Complete the following before running the PingIntelligence AWS policy tool.
Prerequisite:
- Install OpenJDK 11 on the system running the PingIntelligence policy tool.
-
Install PingIntelligence software
PingIntelligence should be installed and configured. Refer to the PingIntelligence deployment guide for your environment.
-
AWS admin account: To deploy the PingIntelligence sideband policy, an AWS
admin account is required. Note: Make sure that AWS cross-account is not used to deploy PingIntelligence policy.
-
Update CloudFront configuration: Verify the following options are configured
correctly:
- Disable Caching: The PingIntelligence policy deployment tool requires that CloudFront be available with caching disabled for all CloudFront behaviors. Select None (Improves Caching) from the Cache Based on Selected Request Headers drop-down list.
- TTL: Confirm that Minimum TTL, Maximum TTL, and the Default TTL are set to 0
- Forward Cookies: Select All from the drop-down list
- Query String Forwarding and Caching: Select Forward all, cache based on all from the drop-down list
- Lambda function: PingIntelligence policy tool requires viewer request and origin response Lambda functions. Make sure that there is no viewer request or origin response Lambda function defined in the caching behavior.
-
Verify that ASE is in sideband mode
Check if ASE is insideband
mode by running the following command in the ASE command line:
If ASE is not in/opt/pingidentity/ase/bin/cli.sh status API Security Enforcer status : started mode : sideband http/ws : port 80 https/wss : port 443 firewall : enabled abs : enabled, ssl: enabled abs attack : disabled audit : enabled sideband authentication : disabled ase detected attack : disabled attack list memory : configured 128.00 MB, used 25.60 MB, free 102.40 MB
sideband
mode, then stop ASE and change the mode by editing the/opt/pingidentity/ase/config/ase.conf
file. Setmode
assideband
and start ASE. -
Enable sideband authentication: For a secure communication between CloudFront
and ASE, enable sideband authentication by entering the following command in the ASE
command line:
# ./bin/cli.sh enable_sideband_authentication -u admin –p
-
Generate sideband authentication token
A token is required for CloudFront to authenticate with ASE. This token is generated in ASE and configured in the
aws.properties
file of PingIntelligence automated policy tool. To generate the token in ASE, enter the following command in the ASE command line:
Save the generated authentication token for further use.# ./bin/cli.sh -u admin -p admin create_sideband_token
Note: For improved performance, you can optionally set the
enable_sideband_keepalive parameter to true
in ase.conf file. For more information, see Sideband ASE configuration using the ase.conf file.