Prerequisite for PingIntelligence
The prerequisites are divided into three sections:
This section assumes that you have installed and configured the PingIntelligence software. For more information on PingIntelligence installation, see PingIntelligence setup or PingIntelligence manual deployment.
- Verify that ASE is in sideband mode: Log in to your ASE machine and check that ASE is in sideband mode by running the following status command:

      /opt/pingidentity/ase/bin/cli.sh status
      API Security Enforcer
      status : started
      mode : sideband
      http/ws : port 80
      https/wss : port 443
      firewall : enabled
      abs : enabled, ssl: enabled
      abs attack : disabled
      audit : enabled
      sideband authentication : disabled
      ase detected attack : disabled
      attack list memory : configured 128.00 MB, used 25.60 MB, free 102.40 MB

  If ASE is not in sideband mode, then stop ASE and change the mode by editing the /opt/pingidentity/ase/config/ase.conf file. Set mode as sideband and start ASE.
- Enable sideband authentication: For secure communication between NGINX and ASE, enable sideband authentication by entering the following ASE command:

      # ./bin/cli.sh enable_sideband_authentication -u admin -p

- Generate sideband authentication token: A token is required for NGINX to authenticate with ASE. To generate the token in ASE, enter the following command in the ASE command line:

      # ./bin/cli.sh -u admin -p admin create_sideband_token

  Save the generated authentication token for further use in Configure NGINX for PingIntelligence.
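The three ASE checks above can be run as one readiness check over the `cli.sh status` output. This is an added example, not Ping Identity code: the function names are hypothetical, the sample status text is constructed from the output shown above, and it assumes the status line reads "sideband authentication : enabled" once the enable command has been run.

```bash
#!/bin/sh
# Added example (not Ping Identity code): readiness check over `cli.sh status` output.

# Constructed sample, modelled on the status output shown above.
sample_status() {
cat <<'EOF'
API Security Enforcer
status : started
mode : sideband
https/wss : port 443
abs : enabled, ssl: enabled
sideband authentication : disabled
EOF
}

# status_field KEY: print the value of the "KEY : value" line read from stdin.
# Splits on the first colon only, so "abs : enabled, ssl: enabled" stays intact.
status_field() {
  awk -v key="$1" '{
    i = index($0, ":"); if (i == 0) next
    k = substr($0, 1, i - 1); v = substr($0, i + 1)
    gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
    if (k == key) { print v; exit }
  }'
}

# check_ase_status: read status text on stdin, report every failed
# prerequisite, and return 0 only if all of them hold.
# Assumption: after enable_sideband_authentication the status line reads
# "sideband authentication : enabled".
check_ase_status() {
  ase_out=$(cat); ase_rc=0
  for pair in "status=started" "mode=sideband" "sideband authentication=enabled"; do
    want=${pair#*=}; key=${pair%%=*}
    got=$(printf '%s\n' "$ase_out" | status_field "$key")
    if [ "$got" != "$want" ]; then
      echo "FAIL: $key is '${got:-missing}', expected '$want'"
      ase_rc=1
    fi
  done
  return $ase_rc
}

# On the ASE machine: /opt/pingidentity/ase/bin/cli.sh status | check_ase_status
sample_status | check_ase_status || echo "sample ASE is not ready for NGINX sideband"
```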
Prerequisites for RHEL 7.6
Complete the following prerequisites before deploying PingIntelligence policy on NGINX:
- NGINX version: The PingIntelligence policy modules are compiled for NGINX 1.14.2. If you have a different version of NGINX, contact Ping Identity support.
- RHEL version: RHEL 7.6. Verify your RHEL version by entering the following command on your machine:

      $ cat /etc/redhat-release
      Red Hat Enterprise Linux Server release 7.6 (Maipo)

- OpenSSL version: OpenSSL 1.0.2k-fips on your RHEL 7.6 machine. You can check the OpenSSL version using the openssl version command.

      $ openssl version
      OpenSSL 1.0.2k-fips 26 Jan 2017

- Extract ASE certificate: Complete the following steps to extract the ASE certificate:
  - Make sure that ASE is running. If ASE is not running, run the following command on the ASE command line to start ASE:

        /opt/pingidentity/ase/bin/start.sh
        Starting API Security Enforcer 4.0.2...
        please see /opt/pingidentity/ase/logs/controller.log for more details

    For more information on starting ASE, see Start and stop ASE.
  - Run the following command:

        openssl s_client -connect <ASE_IP>:<ASE_PORT> 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > test.ase.pi

    This command extracts the ASE certificate and saves it in the test.ase.pi file. Copy the certificate file to the NGINX machine and configure the certificate path in the nginx.conf file.
- Download dependencies for RHEL: Run the following command to download RHEL dependencies for compiling NGINX:

      # yum install pcre-devel.x86_64 openssl-devel.x86_64 zlib-devel.x86_64 wget gcc

If you do not have these specific versions of RHEL and OpenSSL, contact Ping Identity support.
Prerequisites for Ubuntu 16.04 LTS
Complete the following prerequisites before deploying PingIntelligence policy on NGINX:
- NGINX version: The PingIntelligence policy modules are compiled for NGINX 1.14.2. If you have a different version of NGINX, contact Ping Identity support.
- Ubuntu version: Ubuntu 16.04 LTS. Run the following command to check your Ubuntu version:

      $ cat /etc/os-release
      NAME="Ubuntu"
      VERSION="16.04.6 LTS (Xenial Xerus)"
      ID=ubuntu
      ID_LIKE=debian
      PRETTY_NAME="Ubuntu 16.04.6 LTS"
      VERSION_ID="16.04"
      HOME_URL="http://www.ubuntu.com/"
      SUPPORT_URL="http://help.ubuntu.com/"
      BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
      VERSION_CODENAME=xenial
      UBUNTU_CODENAME=xenial

- OpenSSL version: OpenSSL 1.0.2g. You can check the OpenSSL version using the openssl version command:

      $ openssl version
      OpenSSL 1.0.2g 26 Jan 2017

- Extract ASE certificate: Complete the following steps to extract the ASE certificate:
  - Make sure that ASE is running. If ASE is not running, run the following command on the ASE command line to start ASE:

        /opt/pingidentity/ase/bin/start.sh
        Starting API Security Enforcer 4.0.2...
        please see /opt/pingidentity/ase/logs/controller.log for more details

    For more information on starting ASE, see Start and stop ASE.
  - Run the following command:

        openssl s_client -connect <ASE_IP>:<ASE_PORT> 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > test.ase.pi

    This command extracts the ASE certificate and saves it in the test.ase.pi file. Copy the certificate file to the NGINX machine and configure the certificate path in the nginx.conf file.
- Download dependencies for Ubuntu: Run the following command to download Ubuntu dependencies for compiling NGINX:

      # apt-get -yq install make g++ gcc libpcre3 libpcre3-dev apt-utils zlib1g zlib1g-dev curl openssl libssl-dev

If you do not have these specific versions of Ubuntu and OpenSSL, contact Ping Identity support.
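The s_client pipeline in the Extract ASE certificate steps (RHEL and Ubuntu) saves whatever certificate the endpoint at <ASE_IP>:<ASE_PORT> presents, and leaves an empty test.ase.pi if ASE was unreachable, so the file is worth validating before nginx.conf points at it. The following is an added example, not part of the original documentation: the function and variable names are hypothetical, the throwaway self-signed certificate is constructed test data, and it assumes the expected fingerprint is read from the certificate on the ASE host itself.

```bash
#!/bin/sh
# Added example (not Ping Identity code): validate the extracted test.ase.pi
# before nginx.conf points at it.

# extract_pem: the sed filter from the page; keeps only PEM certificate blocks.
extract_pem() {
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# cert_fingerprint FILE: SHA-256 fingerprint of the first certificate in FILE.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_extracted_cert FILE EXPECTED_FP: return 0 only if FILE holds exactly one
# parseable, unexpired certificate whose fingerprint equals EXPECTED_FP.
check_extracted_cert() {
  [ -s "$1" ] || { echo "FAIL: $1 is missing or empty (was ASE reachable?)"; return 1; }
  n=$(grep -c -- '-BEGIN CERTIFICATE-' "$1" || true)
  [ "$n" -eq 1 ] || { echo "FAIL: expected 1 certificate, found $n"; return 1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "FAIL: certificate is unparseable or expired"; return 1; }
  fp=$(cert_fingerprint "$1")
  [ "$fp" = "$2" ] || { echo "FAIL: fingerprint $fp differs from expected"; return 1; }
  echo "OK: $fp"
}

# demo_setup: build constructed test data offline. A throwaway self-signed
# certificate stands in for ASE's, wrapped in s_client-style noise.
demo_setup() {
  DEMO_DIR=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ase.example.test" \
    -keyout "$DEMO_DIR/key.pem" -out "$DEMO_DIR/ase.pem" 2>/dev/null
  # In practice the expected value comes from the certificate on the ASE host.
  DEMO_FP=$(cert_fingerprint "$DEMO_DIR/ase.pem")
  { echo "CONNECTED(00000003)"; echo "Certificate chain"; cat "$DEMO_DIR/ase.pem"
    echo "SSL-Session:"; } | extract_pem > "$DEMO_DIR/test.ase.pi"
}

demo_setup
check_extracted_cert "$DEMO_DIR/test.ase.pi" "$DEMO_FP"
```

On the NGINX machine, call check_extracted_cert with the copied test.ase.pi and the fingerprint obtained on the ASE host.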