Note:

We recommend that you increase the default heap size in PingAccess before deploying the PingIntelligence policy for PingAccess 6.x. To change the default heap size, follow the instructions in Modifying the Java heap size. For more information, contact Ping Identity support.

To integrate PingAccess with the PingIntelligence components:

  1. Download the PingIntelligence policy from the Ping Identity download site and unzip it.

    The zip file contains three policy files based on the Java Development Kit (JDK) version. Use the policy based on your deployment environment.


  2. Copy the PingIntelligence.jar file into the lib directory in PA_home.
  3. Restart PingAccess.
  4. Sign on to PingAccess.

    Note:

    To support fail-over, a secondary ASE is provisioned. Complete the following steps for both primary and secondary ASEs.

  5. Add the primary ASE as a third-party service:
    1. In the left pane, click Sites.
    2. Navigate to THIRD-PARTY SERVICES and click + Add Third-Party Service to add the Primary ASE.
    3. In the New Third-Party Service page, enter a name that identifies the Primary ASE in NAME and enter the endpoint used to reach the Primary ASE in TARGET.
      Note:

      Select options under SECURE to connect PingAccess to PingIntelligence ASE using HTTPS.

    4. Click Save.

  6. Repeat step 5 to add the secondary ASE as a third-party service. Enter the name and endpoint specific to the secondary ASE.
  7. Add the PingIntelligence sideband rule:
    1. In the left pane, click Rules.
    2. On the New Rule page, in the NAME field, enter the name of the rule for PingIntelligence.
    3. In the TYPE drop-down list, select PingIntelligence.

      This option appears in the drop-down list after you add PingIntelligence.jar in PA_home in step 2.

    4. Select the ASE endpoint for the primary ASE in the PINGINTELLIGENCE ASE ENDPOINT drop-down list.
    5. Select the ASE endpoint for the secondary ASE in the PINGINTELLIGENCE ASE ENDPOINT-BACKUP drop-down list.
      Note:

      If the secondary ASE is not installed, you can choose Primary ASE Endpoint in the PINGINTELLIGENCE ASE ENDPOINT-BACKUP drop-down list.

    6. In the PINGINTELLIGENCE ASE TOKEN field, enter the ASE sideband token that was generated for authentication between PingAccess and ASE.
    7. If an OAuth token comes as part of a query string, enter the name of the query string in the PINGINTELLIGENCE QS OAUTH field.
      Note:

      The PingIntelligence policy extracts the OAuth token from the query string configured in PINGINTELLIGENCE QS OAUTH. A new Authorization header, Authorization: Bearer <OAuth token>, is added to the metadata sent to ASE. If there is an existing Authorization header, the token is prepended so that the ABS AI engine can analyze it. If the query string has multiple query parameters with the same name, the first parameter is intercepted by the policy.

    8. Select ENABLE ASYNC MODE to use asynchronous mode between PingAccess and ASE.
      Note:

      The PingIntelligence policy supports both synchronous and asynchronous modes of communication between PingAccess and ASE. By default, the communication mode is synchronous. When asynchronous mode is enabled, the PingAccess gateway does not wait for a response from ASE and sends the request to the backend server. In asynchronous mode, ASE performs attack detection but does not block attacks.

  8. Apply the rule:
    1. Edit the existing application.
    2. In the edit application page, click API Policy.
    3. Under Available Rules, click the + button for the PingIntelligence rule.

      After you click the + button, the PingIntelligence rule moves under the API APPLICATION POLICY as shown in the screen capture below.

      A screen capture of the PingIntelligence rule in the API Application Policy column.
    4. Click Save to save the rule.
      Note:

      You can selectively apply the PingIntelligence sideband rule to individual resources as well. To apply the sideband rule, click the RESOURCES tab and move the rule from AVAILABLE RULES onto the policy bar. For more information, see Applying rules to applications and resources.
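
The query-string handling described in the PINGINTELLIGENCE QS OAUTH note in step 7 can be modelled offline to see which token value reaches ASE when a parameter is repeated. This is an added example, not code from the PingIntelligence policy: the function name, the parameter name access_token, the sample URLs and the reading of "prepended" as "listed ahead of the existing header value" are all assumptions.

```python
from urllib.parse import urlsplit, parse_qsl


def ase_authorization_view(url, qs_oauth_name, existing_authorization=None):
    """Return the Authorization values the ASE metadata would carry for one request.

    Assumption: "prepended" is modelled as the query-string token being listed
    ahead of the Authorization header the client already sent.
    """
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    candidates = [value for name, value in pairs if name == qs_oauth_name]

    authorization = []
    if candidates:
        # Only the first parameter with the configured name is used.
        authorization.append(f"Bearer {candidates[0]}")
    if existing_authorization:
        authorization.append(existing_authorization)

    return {
        "authorization": authorization,
        # Values after the first are not part of what ASE analyses.
        "ignored_values": candidates[1:],
        # True when the repeated parameter carries different values.
        "conflicting_duplicates": len(set(candidates)) > 1,
    }


# Constructed sample requests; host, parameter name and tokens are made up.
SAMPLES = [
    ("https://api.example.test/shop?access_token=tokA&item=7", None),
    ("https://api.example.test/shop?access_token=tokA&access_token=tokB", None),
    ("https://api.example.test/shop?access_token=tokA", "Bearer tokH"),
    ("https://api.example.test/shop?item=7", "Bearer tokH"),
]

if __name__ == "__main__":
    for url, header in SAMPLES:
        print(url, ase_authorization_view(url, "access_token", header))
```

Requests reported with conflicting_duplicates set are the ones where the value sent to ASE can differ from the value a backend reads, so they are worth reviewing in gateway logs.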