Complete the following prerequisites before deploying the PingIntelligence policy.
The PingIntelligence policy modules are compiled for NGINX 1.14.2. If you have a different version of NGINX, contact Ping Identity support.
Before deploying the PingIntelligence policy:
- Install and configure the PingIntelligence software.
  For more information on installing PingIntelligence, see PingIntelligence automated deployment for virtual machines and servers or PingIntelligence manual deployment.
- Sign on to your ASE machine and check that ASE is in sideband mode by running the following status command:
  /opt/pingidentity/ase/bin/cli.sh status
  API Security Enforcer
  status                  : started
  mode                    : sideband
  http/ws                 : port 80
  https/wss               : port 443
  firewall                : enabled
  abs                     : enabled, ssl: enabled
  abs attack              : disabled
  audit                   : enabled
  sideband authentication : disabled
  ase detected attack     : disabled
  attack list memory      : configured 128.00 MB, used 25.60 MB, free 102.40 MB
  If ASE is not in sideband mode, stop ASE, edit the /opt/pingidentity/ase/config/ase.conf file to set mode to sideband, and then start ASE.
- For secure communication between NGINX and ASE, enable sideband authentication by entering the following ASE command:
  # ./bin/cli.sh enable_sideband_authentication -u admin -p
- To generate the sideband authentication token in ASE, enter the following command in the ASE command line and save the token for further use in Configuring NGINX for PingIntelligence. A token is required for NGINX to authenticate with ASE.
  # ./bin/cli.sh -u admin -p admin create_sideband_token
- Configure the following for your operating system:
  - RHEL 7.6:
    Important: The PingIntelligence modules for NGINX 1.14.2 are specifically compiled for RHEL 7.6 and OpenSSL 1.0.2k-fips. If you do not have these specific versions of RHEL and OpenSSL, contact Ping Identity support.
    - Verify your RHEL version by entering the following command on your machine:
      $ cat /etc/redhat-release
      Red Hat Enterprise Linux Server release 7.6 (Maipo)
    - Check that your RHEL 7.6 machine has OpenSSL 1.0.2k-fips by running the openssl version command:
      $ openssl version
      OpenSSL 1.0.2k-fips 26 Jan 2017
    - Extract the ASE certificate:
      - Make sure that ASE is running. If ASE is not running, run the following command on the ASE command line to start ASE:
        /opt/pingidentity/ase/bin/start.sh
        Starting API Security Enforcer 4.0.2...
        please see /opt/pingidentity/ase/logs/controller.log for more details
        For more information on starting ASE, see Starting and stopping ASE.
      - Run the following command to extract the ASE certificate and save it in the test.ase.pi file:
        openssl s_client -connect <ASE_IP>:<ASE_PORT> 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > test.ase.pi
      - Copy the certificate file to the NGINX machine and configure the certificate path in the nginx.conf file.
    - Run the following command to download RHEL dependencies for compiling NGINX:
      # yum install pcre-devel.x86_64 openssl-devel.x86_64 zlib-devel.x86_64 wget gcc
  - Ubuntu 16.04 LTS:
    Important: The PingIntelligence modules are specifically compiled for Ubuntu 16.04 and OpenSSL 1.0.2g. If you do not have these specific versions of Ubuntu and OpenSSL, contact Ping Identity support.
    - Run the following command to check your Ubuntu version:
      $ cat /etc/os-release
      NAME="Ubuntu"
      VERSION="16.04.6 LTS (Xenial Xerus)"
      ID=ubuntu
      ID_LIKE=debian
      PRETTY_NAME="Ubuntu 16.04.6 LTS"
      VERSION_ID="16.04"
      HOME_URL="http://www.ubuntu.com/"
      SUPPORT_URL="http://help.ubuntu.com/"
      BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
      VERSION_CODENAME=xenial
      UBUNTU_CODENAME=xenial
    - Check that your Ubuntu machine has OpenSSL 1.0.2g by running the openssl version command:
      $ openssl version
      OpenSSL 1.0.2g 26 Jan 2017
    - Extract the ASE certificate:
      - Make sure that ASE is running. If ASE is not running, run the following command on the ASE command line to start ASE:
        /opt/pingidentity/ase/bin/start.sh
        Starting API Security Enforcer 4.0.2...
        please see /opt/pingidentity/ase/logs/controller.log for more details
        For more information on starting ASE, see Starting and stopping ASE.
      - Run the following command to extract the ASE certificate and save it in the test.ase.pi file:
        openssl s_client -connect <ASE_IP>:<ASE_PORT> 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > test.ase.pi
      - Copy the certificate file to the NGINX machine and configure the certificate path in the nginx.conf file.
    - Run the following command to download Ubuntu dependencies for compiling NGINX:
      # apt-get -yq install make g++ gcc libpcre3 libpcre3-dev apt-utils zlib1g zlib1g-dev curl openssl libssl-dev
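
The certificate extraction step in both operating system sections accepts whatever certificate the remote end presents, and the shell redirect creates an empty test.ase.pi if the connection fails. The following check is an added example, not part of the PingIntelligence documentation: it validates the extracted file and prints the SHA-256 fingerprint to compare with the certificate on ASE before the path is configured in nginx.conf. The function name check_ase_cert and the 30-day expiry margin are assumptions.

```shell
#!/usr/bin/env bash
# Added example: validate a certificate file produced by
#   openssl s_client ... | sed ... > test.ase.pi
# before its path is configured in nginx.conf.
# check_ase_cert and the 30-day margin are illustrative assumptions.

check_ase_cert() {
    local pem="$1" margin_days="${2:-30}" count

    # A failed s_client connection still creates the file, but leaves it empty.
    if [ ! -s "$pem" ]; then
        echo "FAIL: $pem is missing or empty (did s_client connect?)" >&2
        return 1
    fi

    # Without -showcerts, s_client prints only the server certificate,
    # so the extracted file should hold exactly one PEM block.
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true)
    if [ "$count" -ne 1 ]; then
        echo "FAIL: expected 1 certificate in $pem, found $count" >&2
        return 2
    fi

    # The block must parse as X.509, not merely look like PEM.
    if ! openssl x509 -in "$pem" -noout 2>/dev/null; then
        echo "FAIL: $pem does not parse as an X.509 certificate" >&2
        return 3
    fi

    # Reject a certificate that expires within the margin.
    if ! openssl x509 -in "$pem" -noout \
            -checkend $((margin_days * 86400)) >/dev/null; then
        echo "FAIL: certificate in $pem expires within $margin_days days" >&2
        return 4
    fi

    # Values to compare, over a trusted channel, with the certificate on ASE.
    openssl x509 -in "$pem" -noout -subject -enddate -fingerprint -sha256
}

# Usage: ./check_ase_cert.sh test.ase.pi [margin_days]
if [ "$#" -gt 0 ]; then
    check_ase_cert "$@"
fi
```

Run it on the NGINX machine after copying the file; a non-zero exit status means the file should not be referenced from nginx.conf.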