Configure automated policy tool - PingIntelligence for APIs

Configure automated policy tool - PingIntelligence for APIs - 5.1

PingIntelligence

bundle

pingintelligence-51

ft:publication_title

PingIntelligence

Product_Version_ce

PingIntelligence for APIs 5.1

category

APISecurity

AdvancedAPICybersecurity

Capability

Environment

Product

apisecurity

capability

linux

pi-51

pingintelligence

private

ContentType_ce

Page created: 1 Nov 2021 |

Page updated: 3 May 2022

| 4 min read

Product PingIntelligence for APIs 5.1 Capability API Security Advanced API Cybersecurity Linux On-Premises Operating System Hosting Environment Configuration User task Configuration Integration IT Operations Audience

Download

Complete the following steps to download and install the PingIntelligence policy tool:

Download the PingIntelligence policy tool to the /opt directory.
Complete the following steps to untar the policy tool:
1. At the command prompt, type the following command to untar the policy tool file:
```
tar –zxvf <filename>
```
  For example:
```
tar –zxvf pi-aws-4.0.tar.gz
```
2. To verify that the tool successfully installed, type the ls command at the command prompt. This should list the pingidentity directory and the build .tgz file.

The following table lists the directories:

Directory	Description
`bin`	Contains the following scripts: `deploy.sh`: The script to deploy the PingIntelligence policy. `undeploy.sh`: The script to undeploy the PingIntelligence policy. `status.sh`: Reports the deployment status of IAM role and Lambda function.
`lib`	Jar files and various dependencies. Do not edit the contents of this directory.
`policy`	Contains the request and response Lambda functions: `request_lambda.zip` `response_lambda.zip`
`config`	Contains the `aws.properties` file.
`logs`	Contains the log and status files.

Configure the automated tool

Configure the aws.properties file available in the /pingidentity/pi/aws/config/ directory. The following table describes the variables in the aws.properties file:

Variable	Description
`mode`	Choose the authentication mode between `keys` and `role` Note: If you running the PingIntelligence policy tool from your local machine, use the `keys` mode. If you are running the tool from an EC2 instance, use the `role`mode.
`access_key`	AWS access key. This is applicable when the mode is set to `keys`
`secret_key`	AWS secret key. This is applicable when the mode is set to `keys`
`aws_lambda_memory`	AWS Origin Response Lambda memory in MB. Default value is 1024 MB. The memory can be configured in multiple of 64. Minimum and maximum value are 128 and 3008 respectively. For more information, see AWS Lambda Pricing
`cloudfront_distribution_id`	The CloudFront distribution ID.
`ase_host_primary`	The ASE primary host IP address and port or hostname and port
`ase_host_secondary`	The ASE secondary host IP address and port or hostname and port. ASE secondary host receives traffic only when the primary ASE host is unreachable. Note: This field cannot be left blank. In a testing environment, enter the same IP address for primary and secondary ASE host. If both the ASE hosts are unreachable, the request is directly sent to the backend API server.
`ase_ssl`	Enable or disable SSL communication between Lambda functions and ASE. The default value is `true`.
`ase_sideband_token`	Enter the ASE token generated during the prerequisite step.

Following is a sample aws.properties file:

# Copyright 2019 Ping Identity Corporation. All Rights Reserved.
# Ping Identity reserves all rights in The program as delivered. Unauthorized use, copying,
# modification, reverse engineering, disassembling, attempt to discover any source code or
# underlying ideas or algorithms, creating other works from it, and distribution of this
# program is strictly prohibited. The program or any portion thereof may not be used or
# reproduced in any form whatsoever except as provided by a license without the written
# consent of Ping Identity.  A license under Ping Identity's rights in the Program may be
# available directly from Ping Identity.

#Authentication mode access-key & secret-key / role based access. Values can be keys or role.
mode=keys
#AWS access key
access_key=AKIAID7MDWSCUUVHMTNA
#AWS secret key
secret_key=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
#AWS Lambda memory in MB. It should be a multiple of 64. Minimum and maximum value are 128 and 3008 respectively.
aws_lambda_memory=1024
#Cloudfront distribution ID
cloudfront_distribution_id=EGQ9OEG3ZDABP

#ASE Primary Host <IP/Host>:<port>
ase_host_primary=test.elasticbeam.com
#ASE Secondary Host <IP/Host>:<port>
ase_host_secondary=test.elasticbeam.com
#ASE SSL status
ase_ssl=true
#ASE sideband authentication token
ase_sideband_token=283ded57cd5f48e6bcd8fa3ba9d2888d

Create Role

If you have set the authentication mode as role in the aws.properties file, create a role for the EC2 instance. This role is required for the PingIntelligence policy deployment tool. Complete the following steps to create and configure.

Select EC2 as service and click on Next: Permissions button:
Choose the following three Policies and provide a name for each role (for example, PIDeploymentToolRole):
- IAMFullAccess
- AWSLambdaFullAccess
- CloudFrontFullAccess
- AmazonEC2FullAccess
After providing the name, click on Create role.
In the Summary page of the role that you created in step 2, click on the Trust relationships tab and then click on Edit trust relationship button: