When deployed in sideband mode, ASE receives API calls from an API gateway which passes API
traffic information for AI processing. In such a deployment, ASE works along with the API gateway
to protect your API environment. The following diagram shows a typical ASE sideband
The following is a description of the traffic flow through the API gateway and Ping Identity
- Incoming request to API gateway
- API gateway makes an API call to send the request detail in JSON format to ASE
- ASE checks the request against a registered set of APIs and checks the origin IP against the
AI-generated blacklist. If all checks pass, ASE returns a 200-OK response to the API gateway.
Otherwise, a different response code is sent to the gateway. The request is also logged by ASE and
sent to the AI engine for processing.
- If the API gateway receives a 200-OK response from ASE, it forwards the request to the
backend server; otherwise, the gateway returns a different response code to the client.
- The response from the backend server is received by the API gateway.
- The API gateway makes a second API call to pass the response information to ASE, which sends
the information to the AI engine for processing.
- ASE receives the response information and sends a 200-OK to the API gateway.
- API gateway sends the response received from the backend server to the client.
Note: Make sure that XFF (X-Forwarded-For) is enabled in the API gateway so that ASE can detect the client IP addresses.
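The traffic flow and the XFF note above, simulated in Python as an added example (not Ping Identity code and not the ASE sideband API). It shows that the blacklist check only sees the gateway's address when XFF is disabled. The JSON field names, API paths, IP addresses, the 403 block code and the rule of trusting the last XFF entry are all assumptions made for the sketch.

```python
import ipaddress

# Constructed values; a simulation of the flow, not ASE code or its sideband API.
REGISTERED_APIS = ("/shop", "/account")            # hypothetical registered API paths
BLACKLIST = {ipaddress.ip_address("203.0.113.7")}  # stand-in for the AI-generated blacklist
GATEWAY_IP = "10.0.0.5"                            # TCP peer ASE sees on every sideband call
BLOCKED = 403                                      # assumed "different response code"
ai_engine_log = []                                 # stand-in for data sent to the AI engine

def client_ip(headers):
    """Return the client IP from XFF; without XFF only the gateway is visible."""
    xff = headers.get("X-Forwarded-For")
    # Assumption: the gateway appends the peer it saw, so the last entry is trusted.
    return ipaddress.ip_address(xff.split(",")[-1].strip() if xff else GATEWAY_IP)

def ase_check_request(detail):
    """First sideband call: registered-API and blacklist checks; always logged."""
    ip = client_ip(detail["headers"])
    ai_engine_log.append(("request", str(ip), detail["url"]))
    registered = any(detail["url"] == p or detail["url"].startswith(p + "/")
                     for p in REGISTERED_APIS)
    return 200 if registered and ip not in BLACKLIST else BLOCKED

def ase_record_response(info):
    """Second sideband call: pass response information on and acknowledge."""
    ai_engine_log.append(("response", info["url"], info["status"]))
    return 200

def gateway_handle(peer_ip, url, backend, xff_enabled=True):
    """Gateway side of the flow; returns the status code sent to the client."""
    headers = {"X-Forwarded-For": peer_ip} if xff_enabled else {}
    verdict = ase_check_request({"method": "GET", "url": url, "headers": headers})
    if verdict != 200:
        return verdict                      # blocked: the backend never sees the request
    status = backend(url)                   # forward to the backend server
    ase_record_response({"url": url, "status": status})
    return status

if __name__ == "__main__":
    ok = lambda url: 200                    # constructed backend that always succeeds
    print(gateway_handle("198.51.100.20", "/shop/items", ok))                    # allowed client
    print(gateway_handle("203.0.113.7", "/shop/items", ok))                      # blacklisted client
    print(gateway_handle("203.0.113.7", "/shop/items", ok, xff_enabled=False))   # XFF off
```

With XFF off, the third call is logged under the gateway's own address, so the blacklist entry for the client never matches.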
Configuring ASE for sideband
To configure ASE to work in the sideband mode, edit the ase.conf file
located in the config directory. Set the value of the
mode parameter to sideband. The default value of the
mode parameter is inline. Following is a snippet of the
ase.conf file with the mode parameter set to
; Defines running mode for API Security Enforcer.