API Security Enforcer (ASE) supports RHEL 7.9 and Ubuntu 18.04 LTS. The provisioned infrastructure can be an EC2 instance, bare metal x86 server, or VMware ESXi. You can install ASE as a root user or as a non-root user. The example installation path assumes that you are a root user. The installation works in a similar way for a non-root user.

To install ASE on-premise and connect it to PingOne:

  1. Go to the Ping Identity Product Downloads site.
  2. In the Software & Cloud Containers section, click View Now under PingIntelligence for APIs.
  3. Select the installation type to download.
  4. After downloading the file, copy the ASE file to the directory where you want to install ASE.
  5. At the command prompt, enter the following command to untar the ASE file.
    tar –zxvf <filename>

    The following is an example of the full command.

    tar –zxvf pi-api-ase-rhel-5.0.tar.gz
  6. To verify that ASE successfully installed, enter the ls command at the command prompt.

    You see a list of the pingidentity directory and the build’s .tar file.

    /home/pingidentity/ase/bin/$ ls 
    pingidentity pi-api-ase-rhel-5.0.tar.gz
  7. To start ASE, you need a valid PingIntelligence license.

    The name of the license file must be PingIntelligence.lic.

  8. Copy the license file to the /<ASE installation path>/pingidentity/ase/config directory and start ASE.
  9. To connect ASE to PingOne, set the deployment type and configure the gateway_credentials parameter in the /<ASE installation path>/pingidentity/ase/config/abs.conf file.
    Parameter Description


    The ABS AI Engine deployment mode. Valid values are cloud or onprem. Set the value to cloud.


    This parameter is used to connect ASE with PingOne. Set it to the gateway credential generated in PingOne, during configuration of the PingIntelligence connection. For more information on PingOne connections, see Generating a credential in PingOne.

    ; API Security Enforcer ABS configuration.
    ; This file is in the standard .ini format. The comments start with a semicolon (;).
    ; Following configurations are applicable only if ABS is enabled with true.
    ; Configure ABS deployment type. Supported values (onprem/cloud)
    ; PingIntelligence Gateway Credentials
    Note: Ignore the remaining settings in the file.

    Make sure the gateway credentials in the abs.conf file are obfuscated when the file is updated. To do this, run the following command-line interface (CLI) command:

    # /<ASE installation path>/pingidentity/ase/bin/cli.sh obfuscate_keys -u admin -p 
  10. Run the following command and start ASE.
    # /<ASE installation path>/pingidentity/ase/bin/start.sh

    The following is an example of the full command.

    Starting API Security Enforcer 5.0...
    please see /opt/pingidentity/ase/logs/controller.log for more details
  11. Run the following command, and confirm ASE to PingOne connectivity is operational.
    # /<ASE installation path>/pingidentity/ase/bin/cli.sh -uadmin -padmin abs_info

    The following is an example of the full command and the resulting output.

    ubuntu@ip-10-96-6-222:~/pingidentity/ase$ ./bin/cli.sh -uadmin -padmin abs_info
    auth endpoint                       : pingone.com
    current auth endpoint status        : token exchange success
    last successful token exchange time : 2021-Sep-03 00:31:34
    api endpoint                        : pingone.com
    current api endpoint status         : get attack list success
    last successful api access time     : 2021-Sep-03 00:31:47
    current log upload status           : not started
    last successful upload status       : 0
    current get attacks status          : starting download from s3
    last successful get attack time     : 0

    A success response for current auth endpoint status indicates an operational connection.

    To resolve any connectivity issues between ASE and PingOne, see https://docs.pingidentity.com/bundle/pingintelligence-50/page/pyc1626712176437.html.