Before running the PingIntelligence AWS policy tool, complete the following prerequisites:
- Install OpenJDK 11 on the system running the PingIntelligence policy tool.
- Install and configure the PingIntelligence software. Refer to the PingIntelligence deployment guide for your environment.
- To deploy the PingIntelligence sideband policy, you must have an AWS admin account. Do not use AWS cross-account access to deploy the PingIntelligence policy.
- To update the CloudFront configuration, verify that the following options are configured correctly on every cache behavior of the distribution:
  - The PingIntelligence policy deployment tool requires caching to be disabled for all CloudFront behaviors. Under Cache Based on Selected Request Headers, select None (Improves Caching).
  - Confirm that Minimum TTL, Maximum TTL, and Default TTL are all set to 0.
  - Under Forward Cookies, select All.
  - Under Query String Forwarding and Caching, select Forward all, cache based on all.
  - The PingIntelligence policy tool installs its own viewer request and origin response Lambda functions on the behavior, and CloudFront allows only one function per event type. Make sure that no viewer request or origin response Lambda function is already associated with the cache behavior.
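The CloudFront checks above can be run against the JSON that `aws cloudfront get-distribution-config --id <distribution-id>` returns instead of clicking through the console. The following is an added example, not part of the PingIntelligence policy tool: it inspects the DistributionConfig object, the sample distribution is constructed, and the field names are the legacy ForwardedValues settings of the CloudFront API (the console labels above map onto them as noted in the comments). It covers the default behavior and every path-based behavior, since the list above requires all behaviors to comply.

```python
"""Check a CloudFront DistributionConfig against the PingIntelligence
sideband requirements listed above.

Added example, not part of the PingIntelligence policy tool. Feed it the
"DistributionConfig" object from
`aws cloudfront get-distribution-config --id <distribution-id>`;
SAMPLE_CONFIG below is constructed for illustration.
"""
import json
import sys

# Lambda@Edge triggers the policy tool installs itself; they must be free.
RESERVED_EVENTS = ("viewer-request", "origin-response")


def check_behavior(name, b):
    """Return the problems found in one cache behavior (default or path-based)."""
    problems = []
    # Caching disabled: Minimum, Default and Maximum TTL all 0.
    for ttl in ("MinTTL", "DefaultTTL", "MaxTTL"):
        if b.get(ttl) != 0:
            problems.append(f"{name}: {ttl} is {b.get(ttl)!r}, expected 0")

    fv = b.get("ForwardedValues")
    if fv is None:
        # The behavior uses a cache policy instead of the legacy settings
        # the console labels above refer to; review it by hand.
        problems.append(f"{name}: no ForwardedValues (cache policy attached), review manually")
    else:
        # 'Cache Based on Selected Request Headers: None' == no header whitelist.
        if fv.get("Headers", {}).get("Quantity", 0) != 0:
            problems.append(f"{name}: caching on request headers is enabled")
        # 'Forward Cookies: All'
        cookies = fv.get("Cookies", {}).get("Forward")
        if cookies != "all":
            problems.append(f"{name}: Forward Cookies is {cookies!r}, expected 'all'")
        # 'Forward all, cache based on all' == QueryString true, no cache-key whitelist.
        qs_keys = fv.get("QueryStringCacheKeys", {}).get("Quantity", 0)
        if fv.get("QueryString") is not True or qs_keys != 0:
            problems.append(f"{name}: query strings are not 'Forward all, cache based on all'")

    for assoc in b.get("LambdaFunctionAssociations", {}).get("Items", []):
        if assoc.get("EventType") in RESERVED_EVENTS:
            problems.append(f"{name}: {assoc['EventType']} already bound to {assoc.get('LambdaFunctionARN')}")
    return problems


def check_distribution(cfg):
    """Check the default behavior and every additional cache behavior."""
    problems = check_behavior("DefaultCacheBehavior", cfg["DefaultCacheBehavior"])
    for i, b in enumerate(cfg.get("CacheBehaviors", {}).get("Items", [])):
        problems += check_behavior(f"CacheBehaviors[{i}] {b.get('PathPattern')}", b)
    return problems


# Constructed sample: the default behavior is compliant, the /static/*
# behavior still caches, drops cookies and already has a viewer-request
# function (the account ID and ARN are placeholders).
SAMPLE_CONFIG = {
    "DefaultCacheBehavior": {
        "TargetOriginId": "api-origin",
        "MinTTL": 0, "DefaultTTL": 0, "MaxTTL": 0,
        "ForwardedValues": {
            "QueryString": True,
            "QueryStringCacheKeys": {"Quantity": 0},
            "Cookies": {"Forward": "all"},
            "Headers": {"Quantity": 0},
        },
        "LambdaFunctionAssociations": {"Quantity": 0, "Items": []},
    },
    "CacheBehaviors": {
        "Quantity": 1,
        "Items": [{
            "PathPattern": "/static/*",
            "TargetOriginId": "api-origin",
            "MinTTL": 0, "DefaultTTL": 86400, "MaxTTL": 31536000,
            "ForwardedValues": {
                "QueryString": False,
                "Cookies": {"Forward": "none"},
                "Headers": {"Quantity": 1, "Items": ["Host"]},
            },
            "LambdaFunctionAssociations": {"Quantity": 1, "Items": [{
                "LambdaFunctionARN": "arn:aws:lambda:us-east-1:123456789012:function:existing-edge-fn:3",
                "EventType": "viewer-request",
            }]},
        }],
    },
}

if __name__ == "__main__":
    # Pipe the AWS CLI output in, or run without input to check the sample.
    cfg = SAMPLE_CONFIG if sys.stdin.isatty() else json.load(sys.stdin)["DistributionConfig"]
    for p in check_distribution(cfg) or ["all behaviors satisfy the sideband requirements"]:
        print(p)
```

Run it as `aws cloudfront get-distribution-config --id <distribution-id> | python3 check_cf.py`. A behavior that carries a cache policy rather than legacy forwarding settings is reported for manual review rather than silently passed, because the console options in the list above only exist on the legacy settings.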
- Verify that ASE is in sideband mode by running the following command in the ASE command line:

  /opt/pingidentity/ase/bin/cli.sh status

  API Security Enforcer
  status                  : started
  mode                    : sideband
  http/ws                 : port 80
  https/wss               : port 443
  firewall                : enabled
  abs                     : enabled, ssl: enabled
  abs attack              : disabled
  audit                   : enabled
  sideband authentication : disabled
  ase detected attack     : disabled
  attack list memory      : configured 128.00 MB, used 25.60 MB, free 102.40 MB

  If ASE is not in sideband mode, stop ASE, edit the /opt/pingidentity/ase/config/ase.conf file to set mode to sideband, and then start ASE. Note that in the output above, sideband authentication is still disabled; the next prerequisite enables it.
- For secure communication between CloudFront and ASE, enable sideband authentication by entering the following command in the ASE command line:

  # ./bin/cli.sh enable_sideband_authentication -u admin -p
- A token is required for CloudFront to authenticate with ASE. This token is generated in ASE and configured in the aws.properties file of the PingIntelligence automated policy tool. To generate the token in ASE, enter the following command in the ASE command line (substitute your ASE admin password if you have changed it from the default shown) and save the generated authentication token for later use:

  # ./bin/cli.sh -u admin -p admin create_sideband_token

  The token is the credential CloudFront presents to ASE on every sideband request, so treat it as a secret: restrict read access to aws.properties and do not commit it to source control.
- Optional: For improved performance, set the enable_sideband_keepalive parameter to true in the ase.conf file. For more information, see Sideband ASE configuration using the ase.conf file.
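The ASE-side prerequisites above (ASE started, mode set to sideband, sideband authentication enabled) can be checked from the `cli.sh status` output rather than by eye. The following is an added example, not part of the ASE or PingIntelligence tooling: it parses the status text, and the SAMPLE_STATUS block is constructed from the format shown in this section. When the ASE CLI is present on the host it runs the real command; otherwise it checks the sample.

```python
"""Pre-flight check of the ASE side of the sideband prerequisites above.

Added example; it is not part of the ASE or PingIntelligence tooling. It
parses the text that `/opt/pingidentity/ase/bin/cli.sh status` prints
(SAMPLE_STATUS below is constructed from the format shown in this
section) and reports what still has to be done before the policy tool
can use ASE.
"""
import os
import subprocess

ASE_CLI = "/opt/pingidentity/ase/bin/cli.sh"


def parse_ase_status(text):
    """Turn the 'name : value' lines of `cli.sh status` into a dict.

    Only the first colon splits a line, so 'abs : enabled, ssl: enabled'
    keeps 'enabled, ssl: enabled' as its value. Lines without a colon
    (the 'API Security Enforcer' banner) are skipped.
    """
    status = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            status[name.strip()] = value.strip()
    return status


def sideband_problems(status):
    """Return the prerequisite failures found in a parsed status dict."""
    problems = []
    if status.get("status") != "started":
        problems.append("ASE is not started")
    if status.get("mode") != "sideband":
        problems.append(
            f"mode is {status.get('mode')!r}: stop ASE, set mode to sideband in "
            "/opt/pingidentity/ase/config/ase.conf, and start ASE again")
    if status.get("sideband authentication") != "enabled":
        problems.append(
            "sideband authentication is disabled: run "
            "./bin/cli.sh enable_sideband_authentication -u admin -p")
    return problems


def live_status():
    """Run the real CLI when it is installed on this host."""
    out = subprocess.run([ASE_CLI, "status"], capture_output=True, text=True, check=True)
    return parse_ase_status(out.stdout)


# Constructed sample: the status block from this section, one field per line.
SAMPLE_STATUS = """\
API Security Enforcer
status                  : started
mode                    : sideband
http/ws                 : port 80
https/wss               : port 443
firewall                : enabled
abs                     : enabled, ssl: enabled
abs attack              : disabled
audit                   : enabled
sideband authentication : disabled
ase detected attack     : disabled
attack list memory      : configured 128.00 MB, used 25.60 MB, free 102.40 MB
"""

if __name__ == "__main__":
    status = live_status() if os.path.exists(ASE_CLI) else parse_ase_status(SAMPLE_STATUS)
    for p in sideband_problems(status) or ["ASE sideband prerequisites met"]:
        print(p)
```

On the sample output the only finding is that sideband authentication is disabled, which is exactly the state the enable_sideband_authentication step above fixes; run the script again after that step and after generating the token to confirm ASE is ready for the policy tool.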