Configuring system parameters - PingIntelligence for APIs - 5.2

PingIntelligence
bundle
pingintelligence-52
ft:publication_title
PingIntelligence
Product_Version_ce
PingIntelligence for APIs 5.2 (Latest)
category
APISecurity
AdvancedAPICybersecurity
Capability
Environment
OS
Product
apisecurity
capability
linux
pi-52
pingintelligence
private
ContentType_ce

Configure system parameters by running the command below or manually if the configured user does not have sudo access.

The following two system parameters are required to be set before installing the PingIntelligence software:

  • For Elasticsearch: vm.max_map_count
  • For API Security Enforcer (ASE), API Behavioral Security (ABS), MongoDB, and Elasticsearch: ulimit

Configuring command-based system parameters

The script in this task uses sudo access for the user on the Elasticsearch, ASE, ABS, and MongoDB hosts. Ensure the IP address of these hosts was configured in the hosts file. See Creating a new SSH user and configuring user authentication.

To set up system parameters using command-based configuration:

  1. Run the following command to configure the system parameters on the respective virtual machines (VMs).
    Note:

    Make sure that the following command is run only when install_as_sudo is set to true in the hosts file.

    [pi-api-deployment]# ./bin/start.sh configure
Please see /opt/pingidentity/pi-api-deployment/logs/ansible.log for 
more details.
    An example ansible.log file for a successful launch of EC2 instances is shown below:
    [pi-api-deployment]# tail -f logs/ansible.log

================================================================================
Current Time: Sun Jun 07 06:05:25 EST 2020
Starting configure scripts
================================================================================
Sun Jun 07 06:05:25 EST 2020: Setting up local environment
Sun Jun 07 06:05:25 EST 2020: Installing packages
Sun Jun 07 06:05:25 EST 2020: Installing pip and ansible

PLAY [Configure system settings for elasticsearch] *****************************

TASK [Get vm.max_map_count] ****************************************************
TASK [Set vm.max_map_count if less than 262144] ********************************
TASK [Get ulimit -n] ***********************************************************
TASK [Set ulimit nofile to 65536 if value is low - softlimit] ******************
TASK [Set ulimit nofile to 65536 if value is low - hardlimit] ******************

PLAY RECAP *********************************************************************
192.168.11.143             : ok=7    changed=1    unreachable=0    failed=0
192.168.11.144             : ok=3    changed=0    unreachable=0    failed=0
192.168.11.145             : ok=5    changed=2    unreachable=0    failed=0

Sun Jun 07 06:06:14 EST 2020: Configure successful
================================================================================

Configuring system parameters manually

If the configured user does not have sudo access, then manually edit the vm.max_map_count and ulimit values:
  1. Set the vm.max_map_count to 262144 on the Elasticsearch virtual machine (VM) by entering the following command: 
    $sudo sysctl -w vm.max_map_count=262144
  2. To make the setting persistent across reboots, run the following command: 
    $sudo echo "vm.max_map_count=262144" >> /etc/sysctl.conf
  3. Set the ulimit to 65536 on the ASE, ABS, MongoDB, and Elasticsearch hosts. To set the ulimit:
    1. Edit /etc/security/limits.conf for increasing the soft limit and hard limit.
    2. Add the following two lines for the user that you have created (for example, pi-user): 
    pi-user soft nofile 65536
pi-user hard nofile 65536
    Note:

    If the number of APIs in the environment is greather than 1500, then set the ulimit to 131070.