The most recent patch for this version is 7.6.1.

Version: 7.6

Additional configuration

This page contains additional configuration for the Axiomatics Services Manager (ASM) that you may need to consider.

Update configuration during runtime

note

The following procedure applies to Kubernetes environments only.

To apply changes made during runtime to configuration files within the kubernetes/asmcharts/configurations directory and its subfolders, follow these steps:

  1. Upgrade the Helm charts according to your specific setup.

    Run the appropriate command based on whether you have the Dashboard functionality enabled or not.

    Important

    Replace the placeholders with your own values. For details, see the table below.

    helm upgrade -n axiomatics-asm asm -f asmcharts/values.yaml asmcharts --set imageRegistry=<image_registry> --set asmHostname=<your_asm_hostname>

    <image_registry>
        The image registry:
        - For local registry: host.docker.internal:5000/
        - For remote or Axiomatics registry: <aws_account_id>.dkr.ecr.<region_code>.amazonaws.com/axiomatics/
    <your_asm_hostname>
        The hostname assigned to the instance running ASM. The default is localhost.
  2. Perform a rollout restart for each affected component.

    Important

    Replace <component_name> with adm, asm, gateway, pd-api, or service-aggregator depending on the component whose configuration files you edited.

    kubectl rollout restart deployment/<component_name> -n axiomatics-asm 

Disable or enable the Dashboard

Axiomatics Services Manager (ASM) offers the Dashboard functionality using an InfluxDB instance, which can be disabled or enabled depending on your needs.

Disable the Dashboard

Using the console:

  1. Navigate to the docker/ folder and stop ASM.

    docker-compose -f docker-compose.yml -f docker-compose.dashboard.yml down
  2. Restart ASM.

    docker-compose up

    This starts ASM without InfluxDB and with the Dashboard functionality disabled.

Enable the Dashboard

Using the console:

  1. Navigate to the docker/ folder and stop ASM.

    docker-compose stop
  2. Restart ASM.

    docker-compose -f docker-compose.yml -f docker-compose.dashboard.yml up

    This starts ASM with InfluxDB and with the Dashboard functionality enabled.

Enable cluster-level logging

By default, ASM uses node-level logging where all service containers send their logs to standard output (stdout). The pod logs are temporarily stored in the pod's node and are retained on container restarts but are evicted on pod restarts.

To overcome this limitation, you can enable cluster-level logging on a Kubernetes (k8s) cluster. This type of logging is independent of the node and pod lifecycle and requires a separate backend to store, analyze, and query the logs. The logs are collected from all the pods and sent to a separate service.

  1. In case you don't have an ELK environment running, follow the instructions in the Elastic documentation to create one locally, using Docker.

  2. Create a k8s secret with the Elasticsearch credentials.

    Important

    Replace <LOG_ANALYTICS_USERNAME> and <LOG_ANALYTICS_PASSWORD> with your credentials.

    kubectl create secret generic elasticsearch-credentials \
    --from-literal=username=<LOG_ANALYTICS_USERNAME> \
    --from-literal=password=<LOG_ANALYTICS_PASSWORD> \
    --namespace kube-system
  3. Open the kubernetes/asmcharts/values.yaml file and set the following:

    enableFluentdElasticsearchLogging
        true
    clusterLogging.host
        The host of the Elasticsearch service. In case of a local k8s installation, use host.docker.internal.
    clusterLogging.port
        The port for the logging service. The default port for Elasticsearch is 9200.
    clusterLogging.scheme
        https
  4. Upgrade the Helm charts.

    helm upgrade -n axiomatics-asm asm -f asmcharts/values.yaml asmcharts 

Configure Policy Designer

Policy Designer offers you the following options:

  • Select which Identity Provider (IdP) will be used to allow users to log in
  • Apply your own branding to its interface

  1. Open the docker/docker-compose.yml file and set the following:

    Add the alias of the IdP to be used by Policy Designer

    This is required only if you will be using Policy Designer.

    PD_IDP_NAME
        The alias of the IdP that will be configured later in Keycloak to work with Policy Designer. Learn more about the Policy Designer Keycloak configuration.
        The default is "google". Other available options:
        User-defined:
        - OpenID Connect v1.0: Make sure that you use the same alias both here and in Keycloak!
        - Keycloak OpenID Connect: Make sure that you use the same alias both here and in Keycloak!
        Social:
        - GitHub: "github"
        - Facebook: "facebook"
        - LinkedIn: "linkedin"
        - Instagram: "instagram"
        - Microsoft: "microsoft"
        - BitBucket: "bitbucket"
        - Twitter: "twitter"
        - Openshift v4: Make sure that you use the same alias both here and in Keycloak!
        - Openshift v3: Make sure that you use the same alias both here and in Keycloak!
        - GitLab: "gitlab"
        - StackOverflow: "stackoverflow"
        Note: SAML is not supported.
        Important: The value should be in lowercase and enclosed in double quotation marks.
        Important: The IdP cannot be changed after the installation process is complete.
    Apply your branding to Policy Designer

    Optionally, if you want to apply your own branding to the Policy Designer interface, you should also set the following:

    PD_LOGO
        The path to the logo image file displayed in the upper left corner of the Policy Designer interface.
        The default is "./assets/logo.svg" and the file contains the Axiomatics logo.
        Important: If changed, the value should be a valid URL pointing to a JPG/JPEG, PNG, or SVG file. It is recommended that the resolution of the image file is 210x50 pixels.
    PD_APP_NAME
        The app name/title displayed next to the logo and on the browser window.
        The default is "Policy designer".
        Important: The limit is 100 characters.
    PD_MAIN_COLOR
        The main color used in the Policy Designer interface, for buttons and highlighted components.
        The default is "#0274C1".
        Important: Replacement colors should be in hexadecimal notation.
    PD_BACKGROUND_COLOR
        The background color used in the Policy Designer interface.
        The default is "#F2F5F8".
        Important: Replacement colors should be in hexadecimal notation.

  2. Run the following commands:

    docker-compose stop pd-ui
    docker-compose rm pd-ui
    docker-compose up pd-ui -d

Your configuration is now applied to Policy Designer.
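Because the IdP alias cannot be changed once installation is complete, it pays to validate the PD_* settings before running the pd-ui commands. The following pre-flight check is an added example, not part of Axiomatics' tooling; it assumes each setting is passed as the raw double-quoted text written in docker-compose.yml and applies only the constraints listed in the tables above.

```python
import re
from urllib.parse import urlparse

# Constraints from the PD_* parameter descriptions above. Input is the raw right-hand
# side of each setting as written in docker-compose.yml, quotes included (assumption).
HEX_COLOR = re.compile(r"^#(?:[0-9A-Fa-f]{3}|[0-9A-Fa-f]{6})$")
LOGO_EXTENSIONS = (".jpg", ".jpeg", ".png", ".svg")
DEFAULT_LOGO = "./assets/logo.svg"

def unquote(raw):
    """Return the text inside the double quotes, or None if the value is not quoted."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return None

def check_pd_settings(env):
    """Return the list of constraint violations found in the PD_* settings (empty = OK)."""
    problems = []
    for key, raw in env.items():
        value = unquote(raw)
        if value is None:
            problems.append(f"{key}: value must be enclosed in double quotation marks")
            continue
        if key == "PD_IDP_NAME" and value != value.lower():
            problems.append("PD_IDP_NAME: alias must be lowercase")
        elif key == "PD_LOGO" and value != DEFAULT_LOGO:
            url = urlparse(value)
            if url.scheme not in ("http", "https") or not url.netloc:
                problems.append("PD_LOGO: a changed value must be a valid URL")
            if not url.path.lower().endswith(LOGO_EXTENSIONS):
                problems.append("PD_LOGO: URL must point to a JPG/JPEG, PNG, or SVG file")
        elif key == "PD_APP_NAME" and len(value) > 100:
            problems.append("PD_APP_NAME: limit is 100 characters")
        elif key in ("PD_MAIN_COLOR", "PD_BACKGROUND_COLOR") and not HEX_COLOR.match(value):
            problems.append(f"{key}: colors must be in hexadecimal notation, e.g. #0274C1")
    return problems

# Constructed sample: the defaults given above, which must pass without findings.
DEFAULTS = {
    "PD_IDP_NAME": '"google"',
    "PD_LOGO": '"./assets/logo.svg"',
    "PD_APP_NAME": '"Policy designer"',
    "PD_MAIN_COLOR": '"#0274C1"',
    "PD_BACKGROUND_COLOR": '"#F2F5F8"',
}
```

Run check_pd_settings on your own values before the docker-compose commands; an empty list means every documented constraint is satisfied.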

Update Attribute Connectors

ASM is installed with a default set of standard Attribute Connectors. However, the Attribute Connectors are developed, maintained, and released independently of releases of ASM. New and updated versions may be released and made available for download at any time.

Contact Axiomatics Customer Support for information on the latest versions and available downloads.

Standard Attribute Connector versions

This release of ASM is delivered with the standard Attribute Connectors versions listed in the Release Notes.

Important

Earlier versions of the Attribute Connectors, with the exception of HTTP and Parser, should be considered incompatible with this version of ASM and should not be used. Updated versions of the Attribute Connectors may be released, which may be installed and used with this version of ASM subject to compatibility information for each attribute connector, respectively.

LDAP Attribute Connector

The LDAP Attribute Connector is used for connection to LDAP data sources. It is already deployed and does not need further installation.

SQL and Table Attribute Connectors

The SQL Attribute Connector and the Table Attribute Connector are both used for connections to SQL data sources. The functionality of the Table Attribute Connector is slightly more restrictive than the SQL Attribute Connector, but it is easier to configure. For more information about the differences between the attribute connectors, read the Attribute Connectors section.

Only the JDBC connection type is supported for the SQL Attribute Connector and the Table Attribute Connector.

HTTP Attribute Connector

The HTTP Attribute Connector can be used to connect to a web service (an HTTP-based service that returns structured content, e.g. JSON or XML) and retrieve its payload, which it then returns to the PDP.

Parser Attribute Connectors

Some attribute values needed to evaluate authorization policies may be nested in strings formatted following some structured document conventions, such as JSON or XML. Parser Attribute Connectors can take a string in a structured format and extract nested values from it. The choice of values to extract is made using standard means for each format.

The Parser Attribute Connectors consist of the following:

  • JSON Parser
  • XML Parser
  • JWT Parser

Update Standard Attribute Connectors

If an updated version of an Attribute Connector is released, you can check against what is already installed and decide whether an update is required.

  • If you have updated one or more Attribute Connectors in the past:

    1. Navigate to the /docker/asm.core/attribute.connectors/ folder where the .jar file(s) used for the update reside.
    2. Identify the Attribute Connector versions from the filename(s).
  • Otherwise, you are using the default Attribute Connectors.

    tip

    The default Attribute Connectors bundled with each ASM version are listed in the ASM Release Notes.

Refer to the documentation accompanying each Attribute Connector for more information on changes and functional updates in new releases.

note

The commands for the update are different depending on whether ASM is running with the Dashboard functionality enabled or not.

Update the Attribute Connector(s) with the Dashboard functionality enabled

  1. Extract the contents of the downloaded attribute connector distribution file(s) in the file system and locate the Attribute Connector jar file(s). (See the included documentation for more information.)

  2. Stop ASM if it is running. In the console, navigate to the docker/ folder and run the command

    docker-compose -f docker-compose.yml -f docker-compose.dashboard.yml stop
  3. In a second file system window, navigate to <root path>/docker/asm.core/attribute.connectors/.

    There you will find a folder for each of the Standard Attribute connectors, plus one for custom Attribute Connectors.

  4. Copy the updated Attribute Connector .jar file(s) to the relevant folder(s).

    For example, the sql-attribute-connector-<version>.jar would go into the <root path>/docker/asm.core/attribute.connectors/sql-attribute-connector folder, etc.

  5. From the docker/ folder in the console, run the command

    docker-compose -f docker-compose.yml -f docker-compose.dashboard.yml build --no-cache asm

    This will rebuild the Docker image that contains the attribute connectors.

  6. Also from the docker/ folder, run the command

    docker-compose -f docker-compose.yml -f docker-compose.dashboard.yml up

    This restarts ASM, which will now use the new Attribute Connector(s), and the Dashboard functionality is enabled.

Update the Attribute Connector(s) with the Dashboard functionality disabled

  1. Extract the contents of the downloaded attribute connector distribution file(s) in the file system and locate the attribute connector jar file(s). (See the included documentation for more information.)

  2. Stop ASM if it is running. Navigate to the docker/ folder and run the command

    docker-compose stop
  3. In a second file system window, navigate to <root path>/docker/asm.core/attribute.connectors/

    There you will find a folder for each of the standard attribute connectors, plus one for custom attribute connectors.

  4. Copy the updated attribute connector .jar file(s) to the relevant folder(s).

    For example, the sql-attribute-connector-<version>.jar would go into the <root path>/docker/asm.core/attribute.connectors/sql-attribute-connector folder, etc.

  5. From the docker/ folder in the console, run the command

    docker-compose build --no-cache asm

    This will rebuild the Docker image that contains the Attribute Connectors.

  6. Finally, also from the docker/ folder, run the command

    docker-compose up

    This restarts ASM, which will now use the new Attribute Connector(s).

note

The attribute connectors can be updated individually. If an Attribute Connector folder under docker/asm.core/attribute.connectors/ is empty, the deployed ASM will continue to use the Attribute Connector that was included in the release. The folder custom-attribute-connectors is rescanned on every start to reflect the folder content.

Custom Attribute Connectors

When a custom Attribute Finder has been set up on the PDP (Policy Decision Point) side, the same Attribute Finder package must be made available to ASM as an attribute connector so that it shows up in the list of available Attribute Connector types that can be chosen in the ASM GUI.

Attribute Finders are built for the Java ServiceLoader.

note

Legacy Attribute Finders created for the JSPF plugin framework are supported for use with the current release, but Axiomatics strongly recommends converting them to the Java ServiceLoader mechanism.

Add a Java ServiceLoader Attribute Finder

An Attribute Finder built for the Java ServiceLoader can be plugged into the ASM system by following these steps:

  1. Stop ASM if it is running. Navigate to the docker/ folder and run the command

    docker-compose stop
  2. Navigate to <root path>/docker/asm.core/attribute.connectors/custom-attribute-connectors

  3. Copy the Attribute Finder (that is, the custom attribute connector .jar file) to this folder.

  4. Restart ASM with the Dashboard functionality either enabled or disabled, as described above.
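The version check in "Update Standard Attribute Connectors" (identify versions from the jar filenames, empty folder means the release default is in use) and the Java ServiceLoader requirement for custom connectors can both be automated from the attribute.connectors tree. The script below is an added example, not Axiomatics' own tooling; it assumes the folder layout and the <name>-<version>.jar filename pattern shown above, builds a constructed sample tree in a temporary directory, and uses com.example.Finder as a placeholder for the real service interface name. The SHA-256 it records is for your own change tracking of what was deployed.

```python
import hashlib
import re
import tempfile
import zipfile
from pathlib import Path

JAR_NAME = re.compile(r"^(?P<name>.+)-(?P<version>\d+(?:\.\d+)*)\.jar$")  # <name>-<version>.jar

def describe_jar(jar):
    """Version from the filename, SHA-256 for your change record, ServiceLoader flag."""
    m = JAR_NAME.match(jar.name)
    with zipfile.ZipFile(jar) as z:  # ServiceLoader providers are declared under META-INF/services/
        providers = [n for n in z.namelist()
                     if n.startswith("META-INF/services/") and not n.endswith("/")]
    return {"file": jar.name,
            "version": tuple(int(x) for x in m.group("version").split(".")) if m else None,
            "sha256": hashlib.sha256(jar.read_bytes()).hexdigest(),
            "serviceloader": bool(providers)}

def inventory(root):
    """One entry per folder; None means empty, i.e. the release-bundled connector is in use."""
    return {d.name: [describe_jar(j) for j in sorted(d.glob("*.jar"))] or None
            for d in sorted(Path(root).iterdir()) if d.is_dir()}

def outdated(inv, available):
    """Folders whose newest installed jar is older than `available` (folder -> version
    string). Empty folders are skipped: compare those against the Release Notes."""
    out = []
    for folder, version in available.items():
        jars = inv.get(folder) or []
        newest = max((j["version"] for j in jars if j["version"]), default=None)
        if newest and newest < tuple(int(x) for x in version.split(".")):
            out.append(folder)
    return out

def build_sample(root):
    """Constructed tree mimicking docker/asm.core/attribute.connectors/ (the service
    interface name com.example.Finder is a placeholder, not the real one)."""
    root = Path(root)
    (root / "ldap-attribute-connector").mkdir()  # left empty: release default in use
    (root / "sql-attribute-connector").mkdir()
    with zipfile.ZipFile(root / "sql-attribute-connector/sql-attribute-connector-1.2.0.jar", "w") as z:
        z.writestr("META-INF/services/com.example.Finder", "com.example.SqlFinder\n")
    (root / "custom-attribute-connectors").mkdir()
    with zipfile.ZipFile(root / "custom-attribute-connectors/my-finder-0.1.jar", "w") as z:
        z.writestr("com/example/MyFinder.class", b"")  # no ServiceLoader declaration
    return root

def sample_inventory():
    return inventory(build_sample(tempfile.mkdtemp()))
```

Point inventory() at <root path>/docker/asm.core/attribute.connectors/ to see what is really deployed; a custom jar reported with serviceloader False will not be picked up by the Java ServiceLoader mechanism.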