On this page:

Policy Engine

The Policy Engine adapter integrates IAP with the Policy Engine service, and is required for app-policy_manager to operate.

Verify Policy Engine Service is Running

To ensure the policy engine service is running, consult the Itential Policy Engine admin guide.

Adapter Configuration

To setup the policy engine adapter:

  1. Update the service_config properties for Policy Engine with the following parameters.

    Parameter Description
    host Specifies the hostname of your Policy Engine instance.
    port Specifies the port of your Policy Engine instance.
    base_path Specifies the base path for the Policy Engine API. If the service is running directly on the host/port above, this should be /api.
    version Specifies the API version that adapter-policy_engine should use. This should be set to v1.
    cache_location Specifies where results should be cached. Must be redis, local, or none. Recommend none.
    protocol Specifies which protocol to use when communicating with your Policy Engine instance. Must be http or https.
    authentication An object describing the authentication mechanism for Policy Engine. See below for details.
    healthcheck An object describing the healthcheck policy for the service. See below for details.
    ssl SSL settings for the service if you have configured SSL in your Policy Engine installation. See below for details.
    proxy Useful setting if Policy Engine is hosted behind an HTTP proxy (not a reverse proxy or load balancer). See below for details.
  2. The Policy Engine adapter does not serve as a broker. Verify the brokers field is an empty array.

      "properties": {
        "brokers": []


The following properties are used to define the authentication process to Policy Engine.

Note: Depending on the method that is used to authenticate with Policy Engine, you may not need to set all of the authentication properties.

Property Description
auth_method Required. Used to define the type of authentication currently supported. Authentication methods currently supported are: basic user_password, static_token, request_token, and no_authentication.
username Used to authenticate with Policy Engine on every request or when pulling a token that will be used in subsequent requests.
password Used to authenticate with Policy Engine on every request or when pulling a token that will be used in subsequent requests.
auth_field Defines the request field the authentication (e.g., tokens are basic auth credentials) needs to be placed in order for the calls to work.
auth_field_format Defines the format of the auth_field. See examples below. Items enclosed in {} inform the adapter to perform an action prior to sending the data. It may be to replace the item with a value or it may be to encode the item.
token Defines a static token that can be used on all requests. Only used with static_token as an authentication method (auth_method).
invalid_token_error Defines the HTTP error that is received when the token is invalid. Notifies the adapter to pull a new token and retry the request. Default is 401.
token_timeout Defines how long a token is valid. Measured in milliseconds. Once a dynamic token is no longer valid, the adapter has to pull a new token. If the token_timeout is set to -1, the adapter will pull a token on every request to Policy Engine. If the timeout_token is 0, the adapter will use the expiration from the token response to determine when the token is no longer valid.
token_cache Used to determine where the token should be stored (local memory or in Redis).

auth_field examples


auth_field_format examples

"Token {token}",
"Basic {b64}{username}:{password}{/b64}",


The proxy section defines the properties to utilize when Policy Engine is behind a proxy server.

Property Description
enabled Required. Default is false. If Policy Engine is behind a proxy server, set enabled flag to true.
host Host information for the proxy server. Required if enabled is true.
port Port information for the proxy server. Required if enabled is true.
protocol The protocol (i.e., http, https, etc.) used to connect to the proxy. Default is http.


The healthcheck properties define the API that runs the healthcheck to tell the adapter that it can reach Policy Engine. There are currently three types of health checks.

  • None - Not recommended. Adapter will not run a healthcheck. Consequently, unable to determine before making a request if the adapter can reach Policy Engine.
  • Startup - Adapter will check for connectivity when the adapter initially comes up, but it will not check afterwards.
  • Intermittent - Adapter will check connectivity to Policy Engine at a frequency defined in the frequency property.
Property Description
type Required. The type of healthcheck to run.
frequency Required if intermittent. Defines how often the health check should run. Measured in milliseconds. Default is 300000.

We recommend an intermittent healthcheck every 300 seconds. As in:

{ "type": "intermittent", "frequency": 300000 }


The SSL section defines the properties utilized for SSL authentication with Policy Engine. SSL can work two different ways: set the accept_invalid_certs flag to true (only recommended for lab environments), or provide a ca_file.

Property Description
enabled If SSL is required, set to true.
accept_invalid_certs Defines if the adapter should accept invalid certificates (only recommended for lab environments). Required if SSL is enabled. Default is false.
ca_file Defines the path name to the CA file used for SSL. If SSL is enabled and the accept invalid certifications is false, then ca_file is required.
secure_protocol Defines the protocol (e.g., SSLv3_method) to use on the SSL request.
ciphers Required if SSL enabled. Specifies a list of SSL ciphers to use.

secure_protocol examples



A colon (:) separated list of acceptable ciphers.

Some example values: