You can change the default settings of PingIntelligence Dashboard by editing the /<pi-install-path>/pingidentity/pi-api-deployment/config/dashboard-defaults.yml file. The following table lists the variables that you can set for PingIntelligence Dashboard in various configurations.

Variable Description

port

Port number to connect to PingIntelligence Dashboard.

authentication_mode

Defines the mode in which Dashboard authenticates. The valid values are native and sso.

Note:

You should use native authentication for proof-of-concept deployments.

session_max_age

Defines the maximum time for a session. The configured values should be in the form of <number><duration_suffix>. Duration should be > 0. Allowed duration_suffix values: m for minutes, h for hours, and d for days.

max_active_sessions

Defines the maximum number of active UI sessions at any given time. The value should be greater than 1.

admin_password and ping_user_password

The passwords for webgui admin and ping_user accounts.

Note:

admin_password and ping_user_password are applicable in native authentication_mode only.

Single sign-on (SSO) configurations - Applicable only when authentication_mode is set as sso

sso_oidc_client_id

Client ID value configured in the identity provider.

sso_oidc_client_secret

Client Secret configured for the corresponding Client ID.

sso_oidc_client_authentication_method

OpenID Connect (OIDC) client authentication mode. The valid values are BASIC, POST, or NONE.

sso_oidc_provider_issuer_uri

HTTPS IP address of the OIDC provider. Also, place the SSO provider's issuer certificate in the following path: <installation_path>/pingidentity/certs/webgui/

sso_oidc_provider_user_uniqueid_claim_name

Claim name for unique ID of the user in UserInfo response. A new user is provisioned using this unique ID value.

sso_oidc_provider_user_first_name_claim_name

Claim name for first name of the user in UserInfo response. Either first name or last name can be empty, but both should not be empty.

sso_oidc_provider_user_last_name_claim_name

Claim name for last name of the user in UserInfo response. Either first name or last name can be empty, but both should not be empty.

sso_oidc_provider_user_role_claim_name

Claim name for role of the user in UserInfo response. Default value is role.

sso_oidc_client_additional_scopes

Additional scopes in the authorization request. Multiple scopes should be comma (,) separated values. The openid and profile scopes are always requested.

-End-of-SSO-configurations-

SSL configuration for PingIntelligence Dashboard

  • server_ssl_key_store_password
  • server_ssl_key_alias

Configure the passwords for keystore and key alias.

H2 database configuration:

  • h2_db_password
  • h2_db_encryption_password

Password for the H2 database and password for encryption.

Discovery configuration - The following variables configure discovery settings for Dashboard:

  • discovery_source - Defines the source of discovered APIs. The discovery source can be abs, pingaccess, or axway.
  • discovery_mode - Defines the mode in which Dashboard publishes APIs to ASE. It can be either auto or manual. For more information on discovery mode, see Discovered APIs.
  • discovery_mode_auto_polling_interval - If discovery_mode is set to auto, configure the time interval in minutes for publishing the APIs to ASE. It is recommended to keep a minimum time interval of 10 minutes.
  • discovery_mode_auto_delete_non_discovered_apis - If the mode is set to auto, you can configure whether you want to delete the other APIs from ASE when Dashboard publishes the discovered APIs.

Discovery source - Defines the details of discovery source for PingAccess or Axway API gateway.

PingAccess

  • pingaccess_url
  • pingaccess_username
  • pingaccess_password

Axway

  • axway_url
  • axway_username
  • axway_password

Configure PingAccess or Axway URL, username and password if the discovery source is pingaccess or axway.

enable_xpack

Configures whether the deployment package installs X-Pack. The default value is true. If you are using an existing Elasticsearch and authentication is not configured for X-Pack, set enable_xpack to false.

elasticsearch_url

If you have set install_elasticsearch as false in the hosts file, configure the Elasticsearch URL. Enter the complete URL including http/https. For example, https://myelasticsearchurl.pi.com:443. Providing the port number in the URL is mandatory.

elasticsearch_distro_type

Configure the distribution type of Elasticsearch. Allowed values are default or aws.

Note:

This variable is available for configuration in PingIntelligence for APIs 4.4.1.

elastic_username

If you want to use an already available Elasticsearch username, configure it in elastic_username.

kibana_port

The port number on which Dashboard communicates with Kibana.

elastic_password

Elasticsearch password. The default value is changeme.

Note:

Do not change the elastic_password after PingIntelligence installation is complete.

kibana_password

Kibana password. The default value is changeme.

Note:

Do not change the kibana_password after PingIntelligence installation is complete.

ping_user_password

Password for the default user name ping_user.

ping_admin_password

Password for the admin.

Syslog configuration:

  • enable_syslog
  • host, port
  • facility

Configure Syslog details.

Setting enable_syslog to true lets the Dashboard engine log the attacks detected by ABS to the syslog server.

Provide the host and port number of syslog server.

restricted_user_access

Defines the user for viewing information in API Dashboard. Set it to true to set the user as a restricted user. The header used in the API query string depends on the type of user, restricted or admin. For more information on user headers, see ABS users for API reports.

Important:

Make sure to take a backup of the dashboard-defaults.yml file on a secure machine after the automated installation is complete.

The following is a sample dashboard-defaults.yml file.

---
webgui:
  # Define ports for PingIntelligence WebGUI
  # Make sure ports are not same for single server installation
  port: 8030

  # allowed values: native, sso.
  # In native mode, webgui users are self managed and stored in webgui.
  # In sso mode, webgui users are managed and stored in an Identity provider.
  authentication_mode: native
  # Maximum duration of a session.
  # Value should be in the form of <number><duration_suffix>
  # Duration should be > 0.
  # Allowed duration_suffix values: m for minutes, h for hours, d for days.
  session_max_age: 6h

  # Number of active UI sessions at any time.
  # Value should be greater than 1.
  max_active_sessions: 50

  ## admin_password and ping_user_password are applicable in native authentication_mode only.
  # webgui "admin" account password
  admin_password: changeme
  # webgui "ping_user" account password
  ping_user_password: changeme

  ## Below sso configuration properties are applicable in sso authentication_mode only.
  # Client ID value in Identity provider.
  sso_oidc_client_id: pingintelligence
  # Client Secret of the above Client ID.
  sso_oidc_client_secret: changeme
  # OIDC Client authentication mode.
  # Valid values: BASIC, POST, or NONE
  sso_oidc_client_authentication_method: BASIC
  # OIDC Provider uri
  # WebGUI queries <issuer-uri>/.well-known/openid-configuration to get OIDC provider metadata
  # issuer ssl certificate is not trusted by default. So import issuer ssl certificate into config/webgui.jks
  # issuer should be reachable from both back-end and front-end
  sso_oidc_provider_issuer_uri: https://127.0.0.1:9031

  # Place the sso provider issuer-certificate in the following path => <installation_path>/pingidentity/certs/webgui/
  # Name of the file should be => webgui-sso-oidc-provider.crt

  # claim name for unique id of the user in UserInfo response
  # a new user is provisioned using this unique id value
  sso_oidc_provider_user_uniqueid_claim_name: sub
  # claim name for first name of the user in UserInfo response
  # either first name or last name can be empty, but both should not be empty
  sso_oidc_provider_user_first_name_claim_name: given_name
  # claim name for last name of the user in UserInfo response
  # either first name or last name can be empty, but both should not be empty
  sso_oidc_provider_user_last_name_claim_name: family_name
  # claim name for role of the user in UserInfo response
  sso_oidc_provider_user_role_claim_name: role
  # additional scopes in authorization request
  # multiple scopes should be comma (,) separated
  # openid,profile scopes are always requested
  sso_oidc_client_additional_scopes:
  ## End of sso configuration

  # ssl key store password of webgui hosts
  server_ssl_key_store_password: changeme
  server_ssl_key_alias: webgui

  # local h2 db datasource properties
  h2_db_password: changeme
  h2_db_encryption_password: changeme

  # allowed values: abs/pingaccess/axway
  discovery_source: abs
  # allowed values: auto/manual
  discovery_mode: auto
  # value is in minutes
  discovery_mode_auto_polling_interval: 10
  discovery_mode_auto_delete_non_discovered_apis: false

  # valid only if discovery_source is set to pingaccess
  pingaccess_url: https://127.0.0.1:9000/
  pingaccess_username: Administrator
  pingaccess_password:

  # valid only if discovery_source is set to axway
  axway_url: https://127.0.0.1:8075/
  axway_username: apiadmin
  axway_password:

dashboard:
  ui:
    # Install elasticsearch with xpack enabled
    # If there is no authentication on pre-existing elasticsearch, set this to false
    enable_xpack: true

    # When install_elasticsearch is set to false in config/hosts, this url will be used
    # Give the complete url with https/http and elasticsearch port number
    # Make sure elasticsearch_url is accessible from ansible management host, dashboard, webgui and kibana nodes.
    elasticsearch_url: https://search-giueibohzd6pfijfysjfsxucty.pingidentity.com:443
    # Configuration distribution type of elasticsearch. Allowed values are default or aws
    elasticsearch_distro_type: default

    # User with permission set similar to "elastic" user
    elastic_username: elastic

    # Passwords for "elasticsearch", "kibana", "ping_user" and "ping_admin" users
    # Dashboard will be accessible for these accounts
    # Please set strong passwords
    # If enable_xpack is set to false, below passwords are ignored
    elastic_password: changeme
    kibana_password: changeme
    ping_user_password: changeme
    ping_admin_password: changeme

    # Define ports for the PingIntelligence Dashboard
    # Make sure ports are not same for single server installation
    kibana_port: 5601

  syslog:
    # Configuration for syslog
    enable_syslog: false
    host: localhost
    port: 614
    facility: LOCAL0

  # ABS Restricted user access ( true/false )
  # Set to false for displaying non-obfuscated blacklist in Kibana
  abs:
    restricted_user_access: false
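
A pre-deployment check of dashboard-defaults.yml against the value rules listed in the table above, given here as an added example that is not part of the PingIntelligence package. The names SAMPLE, RULES, parse and audit are this example's own, the sample text is constructed, and the parser assumes the simple nested key: value layout of the sample file rather than full YAML; only keys present in the file are checked.

```python
import re
# Constructed sample (not a real deployment): a trimmed dashboard-defaults.yml.
SAMPLE = """\
webgui:
  authentication_mode: native
  session_max_age: 0h
  admin_password: changeme
  sso_oidc_client_secret: changeme
  discovery_source: pingaccess
  pingaccess_url: https://127.0.0.1:9000/
  pingaccess_username: Administrator
  pingaccess_password:
dashboard:
  ui:
    enable_xpack: true
    elasticsearch_url: https://es.example.internal
    elastic_password: changeme
"""
RULES = {  # value formats taken from the variable descriptions on this page
    "webgui.authentication_mode": r"native|sso",
    "webgui.session_max_age": r"[1-9]\d*[mhd]",
    "webgui.max_active_sessions": r"[2-9]|[1-9]\d+",
    "webgui.discovery_source": r"abs|pingaccess|axway",
    "dashboard.ui.elasticsearch_url": r"https?://[^/:]+:\d+(/.*)?",
}

def parse(text):  # assumption: simple nested "key: value" lines, not full YAML
    settings, stack = {}, []
    for m in re.finditer(r"^( *)(\w+):[ \t]*(.*?)[ \t]*$", text, re.M):
        while stack and stack[-1][0] >= len(m.group(1)):
            stack.pop()
        stack.append((len(m.group(1)), m.group(2)))
        settings[".".join(k for _, k in stack)] = m.group(3)
    return settings

def audit(text):
    s = parse(text)
    out = [k for k, pat in RULES.items() if k in s and not re.fullmatch(pat, s[k])]
    if (src := s.get("webgui.discovery_source")) in ("pingaccess", "axway"):
        out += [f"webgui.{src}_{f}" for f in ("url", "username", "password")
                if not s.get(f"webgui.{src}_{f}")]
    # Secrets that apply to the chosen mode must not keep the shipped default.
    native = s.get("webgui.authentication_mode") == "native"
    skip = r"webgui\.sso_" if native else r"webgui\.(admin|ping_user)_"
    if s.get("dashboard.ui.enable_xpack") == "false":  # passwords ignored
        skip += r"|dashboard\.ui\."
    out += [p for p, v in s.items() if v == "changeme"
            and p.endswith(("_password", "_secret")) and not re.match(skip, p)]
    return out
```

audit returns the dotted paths of the settings that break a rule, so an empty list means the file passed every check.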