API Security Enforcer (ASE) supports RHEL 7.9 and Ubuntu 18.04 LTS. The provisioned infrastructure can be an EC2 instance, bare metal x86 server, or VMware ESXi. You can install ASE as a root user or as a non-root user. The example installation path assumes that you are a root user. The installation works in a similar way for a non-root user.
To install ASE on-premise and connect it to PingOne:
- Go to the Ping Identity Product Downloads site.
- In the Software & Cloud Containers section, click View Now under PingIntelligence for APIs.
- Select the installation type to download.
- After downloading the file, copy the ASE file to the directory where you want to install ASE.
-
At the command prompt, enter the following command to untar the ASE file.
tar –zxvf <filename>The following is an example of the full command.
tar –zxvf pi-api-ase-rhel-5.0.tar.gz -
To verify that ASE successfully installed, enter the ls
command at the command prompt.
You see a list of the pingidentity directory and the build’s .tar file.
/home/pingidentity/ase/bin/$ ls pingidentity pi-api-ase-rhel-5.0.tar.gz -
To start ASE, you need a valid PingIntelligence license.
Important:
The name of the license file must be PingIntelligence.lic.
- Copy the license file to the /<ASE installation path>/pingidentity/ase/config directory and start ASE.
-
To connect ASE to PingOne,
set the deployment type and configure the
gateway_credentials parameter in the
/<ASE installation
path>/pingidentity/ase/config/abs.conf file.
Parameter Description deployment_type
The ABS AI Engine deployment mode. Valid values are
cloudoronprem. Set the value tocloud.gateway_credential
This parameter is used to connect ASE with PingOne. Set it to the gateway credential generated in PingOne, during configuration of the PingIntelligence connection. For more information on PingOne connections, see Generating a credential in PingOne.
; API Security Enforcer ABS configuration. ; This file is in the standard .ini format. The comments start with a semicolon (;). ; Following configurations are applicable only if ABS is enabled with true. ; Configure ABS deployment type. Supported values (onprem/cloud) deployment_type=cloud ; PingIntelligence Gateway Credentials gateway_credential=eyJraWQiOiI1OWI2NDk5OS0yOWIzLTQ4ZDAtODUxZC01NWI2Y2NhY2YxNDMiLCJhbGciOiJSUzI1NiJ9. eyJhdWQiOiJodHRwczovL2FwaS5waW5nb25lLmFzaWEiLCJhdXRoVXJsIjoiaHR0cHM Note: Ignore the remaining settings in the file.Important:Make sure the gateway credentials in the abs.conf file are obfuscated when the file is updated. To do this, run the following command-line interface (CLI) command:
# /<ASE installation path>/pingidentity/ase/bin/cli.sh obfuscate_keys -u admin -p -
Run the following command and start ASE.
# /<ASE installation path>/pingidentity/ase/bin/start.shThe following is an example of the full command.
/home/pingidentity/ase/bin/start.sh Starting API Security Enforcer 5.0... please see /opt/pingidentity/ase/logs/controller.log for more details -
Run the following command, and confirm ASE to PingOne connectivity is
operational.
# /<ASE installation path>/pingidentity/ase/bin/cli.sh -uadmin -padmin abs_infoThe following is an example of the full command and the resulting output.
ubuntu@ip-10-96-6-222:~/pingidentity/ase$ ./bin/cli.sh -uadmin -padmin abs_info auth endpoint : pingone.com current auth endpoint status : token exchange success last successful token exchange time : 2021-Sep-03 00:31:34 api endpoint : pingone.com current api endpoint status : get attack list success last successful api access time : 2021-Sep-03 00:31:47 current log upload status : not started last successful upload status : 0 current get attacks status : starting download from s3 last successful get attack time : 0Note:A
successresponse for current auth endpoint status indicates an operational connection.To resolve any connectivity issues between ASE and PingOne, see https://docs.pingidentity.com/bundle/pingintelligence-50/page/pyc1626712176437.html.