Environment variables are exposed in the Docker images.
If you do not set an environment variable, its default value is used. The following tables list the environment variables for API Security Enforcer (ASE), API Behavioral Security (ABS), Dashboard, and MongoDB.
ASE Environment Variables
The following table lists the ASE environment variables and the values.
Environment | Value | Usage |
---|---|---|
MODE | inline/sideband | ASE can be deployed either in inline mode or sideband mode. For more information, see the ASE admin guide. |
TIMEZONE | string | Set the timezone of ASE to either Note: Make sure TIMEZONE is set to the same value in ASE, ABS, and Dashboard. |
ENABLE_CLUSTER | true/false | Set the value to |
ENABLE_ABS | true/false | Set the value to |
PEER_NODE |  | ASE cluster peer node's IP address and port number. |
ASE_SECRET_KEY | string | Set the value of the ASE secret key. Note: The ASE access key cannot be changed. Its value always remains |
ABS_ENDPOINT |  | IP address or host name of the ABS endpoint. |
ABS_ACCESS_KEY | string | Access key to connect to ABS. |
ABS_SECRET_KEY | string | Secret key to connect to ABS. |
ADMIN_LOG_LEVEL | 1-5 | 1-5 (FATAL, ERROR, WARNING, INFO, DEBUG) |
ENABLE_SIDEBAND_AUTHENTICATION | true/false | Enable client side authentication. This setting is applicable only in sideband mode. When enabled, ASE authenticates requests using ASE authentication tokens. |
ENABLE_SIDEBAND_KEEPALIVE | true/false | Set the value to |
ENABLE_ASE_HEALTH | true/false | Set the value to |
ENABLE_GOOGLE_PUBSUB | true/false | Google Pub/Sub configuration. |
GOOGLE_PUBSUB_TOPIC | string | Google Pub/Sub topic. |
GOOGLE_PUBSUB_CONCURRENCY | number | The number of concurrent connections to Google Pub/Sub. Minimum: 1, Default: 1000, Maximum: 1024 |
GOOGLE_PUBSUB_QPS | number | The number of messages published per second. Minimum: 1, Default: 1000, Maximum: 10000 |
GOOGLE_PUBSUB_APIKEY | string | Google service account API key (Optional) |
CACHE_QUEUE_SIZE | number | The maximum number of messages buffered in memory. If the queue is full, messages are written to logs/google_pubsub_failed.log. Minimum: 1, Default: 300, Maximum: 10000 |
GOOGLE_PUBSUB_TIMEOUT | number | Timeout in seconds to publish a message to Google Pub/Sub. Minimum: 10, Default: 30, Maximum: 300 |
DEPLOYMENT_TYPE | string | Indicates ABS deployment type to ASE. Supported values are |
GATEWAY_CREDENTIAL | string | The obfuscated gateway credentials that are generated at cloud portal. ASE parses these gateway credentials to get OAuth URL and URL for ABS API calls. Populate this value when DEPLOYMENT_TYPE is set to |
ENABLE_ABS_PUBLISH | true/false | Set this value to |
ABS_PUBLISH_REQUEST_MINUTES | This value determines how often ASE will get the published API list from ABS. |  |
ENABLE_STRICT_REQUEST_PARSER | true/false | Enable strict parsing checks for client requests. |
ABS Environment Variables
The following table lists the ABS environment variables and the values.
Environment | Value | Usage |
---|---|---|
MONGO_RS |  | MongoDB replica set IP addresses or host names and port numbers. |
MONGO_USERNAME | string | MongoDB username. |
MONGO_PASSWORD | string | MongoDB password. |
ABS_LOG_LEVEL | string | Log levels ( The default is |
MONGO_SSL | true/false | Set to By default, ABS will try to connect to MongoDB using non-SSL connection. The default is |
IS_DASHBOARD_NODE | true/false | When set to true, the ABS node serves dashboard engine queries only and does not participate in the ABS cluster for log processing. |
ENABLE_EMAILS | true/false | Enable ( |
SENDER_EMAIL | string | The email address used for sending email alerts and reports. |
SENDER_EMAIL_PASSWORD | string | The password of the sender's email account. Note: You can leave this field blank if your SMTP server does not require authentication. |
RECEIVER_EMAIL | string | The email address notified about alerts and reports. If you want more than one person to be notified, use an email alias. |
ABS_CLI_ADMIN_PASSWORD | string | Set the ABS command-line interface (CLI) admin password. |
ABS_JKS_PASSWORD | string | Set the ABS Java keystore password. |
MONGO_CERTIFICATE_VERIFY | true/false | Set to true if you want to enable verification of MongoDB SSL server certificate. By default, ABS will try to connect to MongoDB without verifying SSL connection. The default is |
TIMEZONE | string | Set the timezone of ABS to either Note: Make sure TIMEZONE is set to the same value in ASE, ABS, and the Dashboard. |
ABS_ACCESS_KEY | string | The access key for the ABS admin user. For more information, see ABS users. |
ABS_SECRET_KEY | string | The secret key for the ABS admin user. For more information, see ABS users. |
ABS_ACCESS_KEY_RU | string | The access key for the restricted user. For more information on restricted users, see ABS users. |
ABS_SECRET_KEY_RU | string | The secret key for the restricted user. For more information on restricted users, see ABS users. |
ATTACK_INITIAL_TRAINING | integer | The attack training period. |
ATTACK_UPDATE_INTERVAL | integer | The attack threshold uphold interval. |
API_DISCOVERY | true/false | Set the value to For more information, see API discovery and configuration. |
API_DISCOVERY_INITIAL_PERIOD | integer | The initial period set in hours in which ABS has to discover APIs. It is good practice to keep the API discovery interval period less than the initial attack training interval. |
API_DISCOVERY_UPDATE_INTERVAL | integer | The time period in hours in which ABS reports the newly discovered APIs. |
API_DISCOVERY_SUBPATH | integer | The number of subpaths that are discovered in an API. The maximum value is 3. |
POC_MODE | string | Sets the mode in which ABS trains its API models. Set it to For more information, see Configuring and verifying ABS POC mode. |
KAFKA_SERVERS | string | The Kafka |
ABS_CONSUMER_USER | string | ABS consumer user in Kafka. |
ABS_PRODUCER_USER | string | ABS producer user in Kafka. |
ABS_CONSUMER_GROUP | string | ABS group in Kafka. |
ABS_CONSUMER_PASSWORD | string | ABS consumer user password. |
ABS_PRODUCER_PASSWORD | string | ABS producer user password. |
KAFKA_MIN_INSYNC_REPLICA | integer | The number of minimum in-sync replicas for data in Kafka. |
TRANSACTIONS_TOPIC | string | ABS transaction topic in Kafka. |
ATTACK_TOPIC | string | ABS attack topic in Kafka. |
ANOMALIES_TOPIC | string | ABS anomalies topic in Kafka. |
MongoDB Environment Variables
The following table lists the MongoDB environment variables and the values.
Environment | Value | Usage |
---|---|---|
MONGO_USERNAME | string | MongoDB username. |
MONGO_PASSWORD | string | MongoDB password. |
MUTLI_NODE_REPLICA_SET | string | Set it to Run abs_init.js script from the primary MongoDB node. |
WIRED_TIGER_CACHE_SIZE_GB | float | Memory in GB to be used by MongoDB cache. |
MONGO_SSL | string | Configures whether MongoDB uses SSL. The default value is |
MONGO_PORT | string | Custom port for Mongo. |
Dashboard Environment Variables
The following table lists the Dashboard environment variables and the values.
Environment | Value | Usage |
---|---|---|
DISCOVERY_SOURCE | string | Source of API discovery. Values can be |
PINGACCESS_URL | string | The URL of PingAccess if you set the discovery source as |
PINGACCESS_USERNAME | string | The PingAccess username for API discovery. |
PINGACCESS_PASSWORD | string | The PingAccess password for API discovery. |
AXWAY_URL | string | The URL of Axway if you set the discovery source as |
AXWAY_USERNAME | string | The Axway username for API discovery. |
AXWAY_PASSWORD | string | The Axway username for API discovery. |
DISCOVERY_MODE | string | The mode in which the Dashboard publishes APIs to ASE. Values can be For more information, see Discovered APIs. |
DISCOVERY_MODE_AUTO_POLLING_INTERVAL | integer | If the DISCOVERY_MODE is set as |
DISCOVERY_MODE_AUTO_DELETE_NON_DISCOVERED_APIS | string | If the DISCOVERY_MODE is set as |
ASE_MODE | string | Sets the mode in which ASE is deployed. Values can be either |
ABS_ACCESS_KEY | string | The access key for the ABS admin user. For more information, see ABS users. |
ABS_SECRET_KEY | string | The secret key for the ABS admin user. For more information, see ABS users. |
ABS_HOST | string | The IP address of ABS host. |
ENABLE_XPACK | string | Configures whether X-Pack is installed. Default value is |
ENABLE_SYSLOG | string | Configures whether the Dashboard sends Syslog messages to the Syslog server. The default value is Important: ENABLE_SYSLOG and ENABLE_UI both cannot be When ENABLE_SYSLOG environment variable is passed to the container, SYSLOG_HOST, and SYSLOG_PORT should also be passed. These are to configure the Syslog server and port number. |
ABS_RESTRICTED_USER_ACCESS | true/false | Set to For more information on restricted users, see ABS users. |
ABS_URL | string | The URL should be in the form of https://<IP>:<port>. The URL is used by WebGUI to connect to ABS. |
ASE_URL | string | The URL should be in the form of https://<IP>:<port>. The URL is used by WebGUI to connect to ASE. |
ASE_ACCESS_KEY | string | The access key of the ASE admin user. |
ASE_SECRET_KEY | string | The secret key of the ASE admin user. |
DASHBOARD_URL | string | The URL should be in the form of https://<IP>:<port>. The URL is used by WebGUI to connect to the Dashboard. IP and port number are for Kibana. |
H2_DB_PASSWORD | string | The password for the H2 database. |
H2_DB_ENCRYPTION_PASSWORD | string | The password to change the encryption method of the H2 database. |
WEBGUI_ADMIN_PASSWORD | string | The password for the admin user of WebGUI. |
WEBGUI_PING_USER_PASSWORD | string | The password for |
SESSION_MAX_AGE | 6h | Defines the maximum time for a session. The configured values should be in the form of <number><duration_suffix>. The duration should be > 0. Allowed |
MAX_ACTIVE_SESSIONS | 50 | Defines the maximum number of active UI sessions at any given time. The value should be greater than 1. |
AUTHENTICATION_MODE | native or sso | Set the value to |
SSO_OIDC_CLIENT_ID | string | Client ID value configured in the identity provider. |
SSO_OIDC_CLIENT_SECRET | string | Client secret configured for the corresponding Client ID. |
SSO_OIDC_CLIENT_AUTHENTICATION_METHOD | BASIC, POST, and NONE | OpenID Connect (OIDC) Client authentication mode. The valid values are |
SSO_OIDC_PROVIDER_ISSUER_URI | string | The PingFederate URI that is required by WebGUI to establish single sign-on (SSO). The default value is Note: The PingIntelligence Dashboard Docker image can be generated by packaging it with the PingFederate public certificate. To do so, the certificate needs to be placed in certs/webgui directory with the name webgui-sso-oidc-provider.crt. |
SSO_OIDC_PROVIDER_USER_UNIQUEID_CLAIM_NAME | string | Claim name for the unique ID of the user in the UserInfo response. A new user is provisioned using this unique ID value. |
SSO_OIDC_PROVIDER_USER_FIRST_NAME_CLAIM_NAME | string | Claim name for the first name of the user in the UserInfo response. Either first name or last name can be empty, but both should not be empty. |
SSO_OIDC_PROVIDER_USER_LAST_NAME_CLAIM_NAME | string | Claim name for the last name of the user in the UserInfo response. Either first name or last name can be empty, but both should not be empty. |
SSO_OIDC_PROVIDER_USER_ROLE_CLAIM_NAME | string | Claim name for the role of the user in the UserInfo response. Valid values for roles are |
SSO_OIDC_PROVIDER_CLIENT_ADDITIONAL_SCOPES | string | Additional scopes in the authorization request. Multiple scopes should be separated with a comma (,). OpenID profile scopes are always requested. |
TIMEZONE | string | Set the timezone of the Dashboard to either Note: Make sure TIMEZONE is set to the same value in ASE, ABS, and the Dashboard. |
KAFKA_SERVERS | string | Kafka |
DE_CONSUMER_USER | string | The data engine consumer user in Kafka. |
DE_CONSUMER_PASSWORD | string | Consumer user password. |
DE_CONSUMER_GROUP | string | The group in Kafka for the data engine consumer. |
TRANSACTIONS_TOPIC | string | ABS transaction topic in Kafka. |
ATTACK_TOPIC | string | ABS attack topic in Kafka. |
ELASTIC_URL | string | External Elasticsearch URL. |
ELASTIC_PASSWORD | string | External Elasticsearch password. |
ELASTIC_USERNAME | string | External Elasticsearch username. |
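
The constraints stated in the ASE, ABS, and Dashboard tables above (numeric ranges, the shared TIMEZONE, the Syslog host and port requirement, sideband-only authentication, MongoDB certificate verification) can be checked before the containers start. The following linter is an added example, not part of the PingIntelligence product or its documentation; the KEY=VALUE file layout, the function names, and the sample values are assumptions made for illustration.

```python
# Added example (not vendor code): lint env settings against constraints in the tables above.
RANGES = {  # ASE variable -> (minimum, maximum) as documented
    "ADMIN_LOG_LEVEL": (1, 5),
    "GOOGLE_PUBSUB_CONCURRENCY": (1, 1024),
    "GOOGLE_PUBSUB_QPS": (1, 10000),
    "CACHE_QUEUE_SIZE": (1, 10000),
    "GOOGLE_PUBSUB_TIMEOUT": (10, 300),
}

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments (assumed layout)."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def lint(ase, abs_env, dashboard):
    """Return a list of findings for three parsed env dicts, one per component."""
    out = []
    for name, (lo, hi) in RANGES.items():
        value = ase.get(name)
        if value is not None and not (value.isdigit() and lo <= int(value) <= hi):
            out.append(f"ase: {name}={value} is outside {lo}-{hi}")
    if ase.get("ENABLE_SIDEBAND_AUTHENTICATION") == "true" and ase.get("MODE") == "inline":
        out.append("ase: ENABLE_SIDEBAND_AUTHENTICATION applies only in sideband mode")
    if abs_env.get("MONGO_SSL") == "true" and abs_env.get("MONGO_CERTIFICATE_VERIFY") != "true":
        out.append("abs: MONGO_SSL is on but the MongoDB server certificate is not verified")
    # An unset TIMEZONE falls back to the image default, which this check cannot see,
    # so an unset value next to an explicit one is reported as a mismatch too.
    zones = {env.get("TIMEZONE") for env in (ase, abs_env, dashboard)}
    if len(zones) > 1:
        out.append("all: TIMEZONE is not set to the same value in ASE, ABS and Dashboard")
    if "ENABLE_SYSLOG" in dashboard:
        for needed in ("SYSLOG_HOST", "SYSLOG_PORT"):
            if needed not in dashboard:
                out.append(f"dashboard: ENABLE_SYSLOG is passed without {needed}")
    return out

# Constructed sample settings, not taken from a real deployment.
ASE = parse_env("MODE=inline\nTIMEZONE=utc\nGOOGLE_PUBSUB_TIMEOUT=5\nENABLE_SIDEBAND_AUTHENTICATION=true")
ABS = parse_env("TIMEZONE=utc\nMONGO_SSL=true")
DASHBOARD = parse_env("# dashboard\nTIMEZONE=local\nENABLE_SYSLOG=true\nSYSLOG_HOST=syslog.example.internal")

if __name__ == "__main__":
    for finding in lint(ASE, ABS, DASHBOARD):
        print(finding)
```
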
API Publish Environment Variables
The following table lists the API Publish environment variables and the values.
Environment | Value | Usage |
---|---|---|
MONGO_USERNAME | string | MongoDB username. |
MONGO_PASSWORD | string | MongoDB password. |
MONGO_CERTIFICATE | string | Set to |
MONGO_AUTH_MECHANISM | string | MongoDB authentication: |
MANAGEMENT_PORT | string | Port for the API Publish service |
APIPUBLISH_JKS_PASSWORD | string | The API Publish password for the JKS file. You can change the password, and it will be generated during installation. |
MONGO_SSL | string | Indicates whether SSL is used for Mongo. The default value is |
DATABASE_NAME | string | Database name. |
META_DATABASE | string | Meta database name. |
APIPUBLISH_CLI_ADMIN_PASSWORD | string | API Publish command-line interface (CLI) password. |
Kafka Environment Variables
The following table lists the Kafka environment variables and the values.
Environment | Value | Usage |
---|---|---|
ZOOKEEPER_URL |  | Zookeeper URL. |
KAFKA_SSL_PORT | string | SSL port for Kafka. |
KAFKA_SASL_PORT | string | SASL port for Kafka. |
KAFKA_MIN_INSYNC_REPLICA | string | The minimum number of in-sync replicas for data in Kafka. |
ABS_CONSUMER_USER | string | ABS consumer user in Kafka. |
ABS_PRODUCER_USER | string | ABS producer user in Kafka. |
ABS_CONSUMER_PASSWORD | string | ABS consumer user password. |
ABS_PRODUCER_PASSWORD | string | ABS producer user password. |
ABS_CONSUMER_GROUP | string | ABS group in Kafka. |
DE_CONSUMER_USER | string | Data engine consumer user in Kafka. |
DE_CONSUMER_PASSWORD | string | Consumer user password. |
DE_CONSUMER_GROUP | string | Group in Kafka for the data engine consumer. |
RETENTION_PERIOD | string | Retention period of data in topics. |
POD_NAME | string | Kafka broker ID. |
Zookeeper Environment Variables
The following table lists the Zookeeper environment variables and the values.
Environment | Value | Usage |
---|---|---|
ZOOKEEPER_PORT | string | Non-SSL port for Zookeeper. |
ZOOKEEPER_SSL_PORT | string | Non-SSL port for Zookeeper. |