Skip to content

Ping Identity DevOps Docker Image - pingintelligence-ase

This docker image includes the Ping Identity PingIntelligence API Security Enforcer product binaries and associated hook scripts to create and run PingIntelligence ASE instances.

  • pingidentity/pingbase - Parent Image

    This image inherits, and can use, Environment Variables from pingidentity/pingbase

  • pingidentity/pingcommon - Common Ping files (i.e. hook scripts)
  • pingidentity/pingdownloader - Used to download product bits

Environment Variables

In addition to environment variables inherited from pingidentity/pingbase, the following environment ENV variables can be used with this image.

ENV Variable Default Description
SHIM ${SHIM}
IMAGE_VERSION ${IMAGE_VERSION}
IMAGE_GIT_REV ${IMAGE_GIT_REV}
PING_PRODUCT PingIntelligence_ASE Ping product name
LICENSE_FILE_NAME PingIntelligence.lic Name of license File
LICENSE_DIR ${SERVER_ROOT_DIR}/config License directory
LICENSE_SHORT_NAME pingintelligence Shortname used when retrieving license from License Server
LICENSE_VERSION ${LICENSE_VERSION} Version used when retrieving license from License Server
STARTUP_COMMAND ${SERVER_ROOT_DIR}/bin/start_ase.sh The command that the entrypoint will execute in the foreground to instantiate the container
STARTUP_FOREGROUND_OPTS The command-line options to provide to the the startup command when the container starts with the server in the foreground. This is the normal start flow for the container
STARTUP_BACKGROUND_OPTS The command-line options to provide to the the startup command when the container starts with the server in the background. This is the debug start flow for the container
ROOT_USER_PASSWORD_FILE
ADMIN_USER_PASSWORD_FILE
ENCRYPTION_PASSWORD_FILE
PING_INTELLIGENCE_ADMIN_USER admin PingIntelligence global variables PingIntelligence default administrative user (this should probably not be changed)
PING_INTELLIGENCE_ADMIN_PASSWORD 2FederateM0re PingIntelligence default administrative user credentials (this should be changed)
PING_INTELLIGENCE_ASE_HTTP_PORT 8000 The ASE HTTP listener port
PING_INTELLIGENCE_ASE_HTTPS_PORT 8443 The ASE HTTPS listener port
PING_INTELLIGENCE_ASE_MGMT_PORT 8010 the ASE management port
PING_INTELLIGENCE_ASE_TIMEZONE utc The timezone the ASE container is operating in
PING_INTELLIGENCE_ASE_MODE sideband Defines running mode for API Security Enforcer (Allowed values are inline or sideband).
PING_INTELLIGENCE_ASE_ENABLE_SIDEBAND_AUTHENTICATION false Enable client-side authentication with tokens in sideband mode
PING_INTELLIGENCE_ASE_HOSTNAME_REWRITE false
PING_INTELLIGENCE_ASE_KEYSTORE_PASSWORD OBF:AES:sRNp0W7sSi1zrReXeHodKQ:lXcvbBhKZgDTrjQOfOkzR2mpca4bTUcwPAuerMPwvM4
PING_INTELLIGENCE_ASE_ADMIN_LOG_LEVEL 4 For controller.log and balancer.log only 1-5 (FATAL, ERROR, WARNING, INFO, DEBUG)
PING_INTELLIGENCE_ASE_ENABLE_CLUSTER false enable cluster
PING_INTELLIGENCE_ASE_SYSLOG_SERVER Syslog server
PING_INTELLIGENCE_ASE_CA_CERT_PATH Path the to CA certificate
PING_INTELLIGENCE_ASE_ENABLE_HEALTH false enable the ASE health check service
PING_INTELLIGENCE_ASE_ENABLE_ABS true Set this value to true, to allow API Security Enforcer to send logs to ABS.
PING_INTELLIGENCE_ASE_ENABLE_ABS_ATTACK_LIST_RETRIEVAL true Toggle ABS attack list retrieval
PING_INTELLIGENCE_ASE_BLOCK_AUTODETECTED_ATTACKS false Toggle whether ASE blocks auto-detected attacks
PING_INTELLIGENCE_ASE_ATTACK_LIST_REFRESH_MINUTES 10 ABS attack list retieval frequency in minutes
PING_INTELLIGENCE_ASE_HOSTNAME_REFRESH_SECONDS 60 Hostname refresh interval in seconds
PING_INTELLIGENCE_ASE_DECOY_ALERT_INTERVAL_MINUTES 180 Alert interval for teh decoy services
PING_INTELLIGENCE_ASE_ENABLE_XFORWARDED_FOR false Toggle X-Forwarded-For
PING_INTELLIGENCE_ASE_ENABLE_FIREWALL true Toggle ASE Firewall
PING_INTELLIGENCE_ASE_ENABLE_SIDEBAND_KEEPALIVE false Enable connection keepalive for requests from gateway to ASE in sideband mode When enabled, ASE sends 'Connection: keep-alive' header in response When disabled, ASE sends 'Connection: close' header in response
PING_INTELLIGENCE_ASE_ENABLE_GOOGLE_PUBSUB false Enable Google Pub/Sub
PING_INTELLIGENCE_ASE_ENABLE_ACCESS_LOG true Toggle the access log
PING_INTELLIGENCE_ASE_ENABLE_AUDIT false Toggle audit logging
PING_INTELLIGENCE_ASE_FLUSH_LOG_IMMEDIATELY true Toggle whether logs are flushed to disk immediately
PING_INTELLIGENCE_ASE_HTTP_PROCESS 1 The number of processes for HTTP requests
PING_INTELLIGENCE_ASE_HTTPS_PROCESS 1 The number of processes for HTTPS requests
PING_INTELLIGENCE_ASE_ENABLE_SSL_V3 false Toggle SSLv3 -- this should absolutely stay disabled
PING_INTELLIGENCE_TCP_SEND_BUFFER_BYTES 212992 Kernel TCP send buffer size in bytes
PING_INTELLIGENCE_TCP_RECEIVE_BUFFER_BYTES 212992 enrel TCP receive buffer size in bytes
PING_INTELLIGENCE_ASE_ATTACK_LIST_MEMORY 128MB
PING_INTELLIGENCE_CLUSTER_PEER_NODE_CSV_LIST a comma-separated list of hostname:cluster_manager_port or IPv4_address:cluster_manager_port the ASE will try to connect to each server peer in the list
PING_INTELLIGENCE_CLUSTER_ID ase_cluster The ASE cluster ID -- this must be unique
PING_INTELLIGENCE_CLUSTER_MGMT_PORT 8020 The ASE cluster management port
PING_INTELLIGENCE_CLUSTER_SECRET_KEY OBF:AES:nPJOh3wXQWK/BOHrtKu3G2SGiAEElOSvOFYEiWfIVSdummoFwSR8rDh2bBnhTDdJ:7LFcqXQlqkW9kldQoFg0nJoLSojnzHDbD3iAy84pT84 Secret key required to join the cluster
PING_INTELLIGENCE_ABS_ENDPOINT a comma-separated list of abs nodes having hostname:port or ipv4:port as an address.
PING_INTELLIGENCE_ABS_ACCESS_KEY access key for ase to authenticate with abs node
PING_INTELLIGENCE_ABS_SECRET_KEY secret key for ase to authenticate with abs node
PING_INTELLIGENCE_ABS_ENABLE_SSL true Setting this value to true will enable encrypted communication with ABS.
PING_INTELLIGENCE_ABS_CA_CERT_PATH Configure the location of ABS's trusted CA certificates.
PING_INTELLIGENCE_ABS_DEPLOYMENT_TYPE cloud Default deployment type -- Supported values (onprem/cloud)
PING_INTELLIGENCE_ABS_DEPLOYMENT_TYPE_VALIDATION true Must be either cloud or onprem
PING_INTELLIGENCE_GATEWAY_CREDENTIALS Obtain the appropriate JWT token in PinOne under Connections->PingIntelligence
PING_INTELLIGENCE_GATEWAY_CREDENTIALS_REDACT true
PING_STARTUP_TIMEOUT 8 The amount of time to wait for ASE to start before exiting
TAIL_LOG_FILES ${SERVER_ROOT_DIR}/logs/access.log Files tailed once container has started Other potentially useful log file to tail for debug purposes are logs/controller.log and logs/balancer.log

Running a PingIntelligence container

To run a PingIntelligence container:

  docker run \
           --name pingintellgence \
           --publish 8443:8443 \
           --detach \
           --env PING_IDENTITY_ACCEPT_EULA=YES \
           --env PING_IDENTITY_DEVOPS_USER=user@pingone.com \
           --env PING_IDENTITY_DEVOPS_KEY=<edvops key here> \
           --env PING_INTELLIGENCE_GATEWAY_CREDENTIALS=<PingIntelligence App JWT here> \
           --ulimit nofile=65536:65536 \
           pingidentity/pingintelligence:edge

Follow Docker logs with:

docker logs -f pingintelligence

If using the command above, use cli.sh with: * Username: admin

Docker Container Hook Scripts

Please go here for details on all pingintelligence hook scripts


This document is auto-generated from pingintelligence/Dockerfile

Copyright © 2021 Ping Identity Corporation. All rights reserved.