API discovery and configuration
The ABS AI Engine works in tandem with ASE to automatically discover new and unknown APIs in your ecosystem. You can view the discovered APIs by using the ABS discovery REST API. You can also add the discovered APIs to ASE by using API Discovery in PingIntelligence for APIs Dashboard. For more information, see Discovered APIs.
Following is the summary of the steps to configure API discovery in your environment:
- Enable ABS in ASE
- Define `root` API JSON in ASE. ABS discovers APIs only for a `root` API JSON in ASE.
- Optionally, configure OAuth token and API Key parameters in `root` API JSON
- Configure discovery related parameters using Global configuration update REST API.

Use the `update.sh` script to edit the default values related to API discovery. For more information on update script, see Manage discovery intervals.
Configuration in ASE for API discovery
- Enable ABS in ASE: Enable ABS by running the `enable_abs` command in ASE:

  ```
  ./bin/cli.sh -u admin -p admin enable_abs
  ABS is now enabled
  ```

  To verify, run the `status` command in ASE:

  ```
  ./bin/cli.sh status
  API Security Enforcer
  status : started
  mode : sideband
  http/ws : port 80
  https/wss : port 443
  firewall : enabled
  abs : enabled, ssl: enabled
  abs attack : disabled
  audit : enabled
  sideband authentication : disabled
  ase detected attack : disabled
  attack list memory : configured 128.00 MB, used 25.60 MB, free 102.40 MB
  google pubsub : disabled
  ```

- Configure root API in ASE: ABS discovers APIs in your environment only when `root` API is defined in ASE. If you have configured other APIs in ASE along with the `root` API, ABS monitors traffic only on the root API for the discovery process.

  A `root` API in ASE is an API for which the API JSON file has `url` as `"/"` and `hostname` as `"*"`. Following is a snippet of `root` API JSON:

  ```
  {
    "api_metadata": {
      "protocol": "http",
      "url": "/",
      "hostname": "*",
      "cookie": "",
      "oauth2_access_token": false,
      "apikey_qs": "",
      "apikey_header": "",
      "enable_blocking": false,
      "cookie_idle_timeout": "200m",
      "logout_api_enabled": false,
      "cookie_persistence_enabled": false,
      "login_url": "",
      "api_mapping": {
        "internal_url": ""
      },
  ```

  A sample `root` API ships with ASE in `/pingidentity/ase/config/api` directory.

  If API discovery is enabled in ABS without `root` API in ASE and you run the `discovery` REST API, it displays an error message:

  ```
  root API not configured in ASE. To discover APIs configure root API in ASE.
  ```

- API JSON configuration (Optional): You can optionally configure the settings for `cookie`, `oauth2_access_token`, `apikey_qs`, or `apikey_header` in the `root` API JSON file in ASE.

  API discovery process discovers these parameters in an API only when you set these in the root API. API discovery reports these attributes of an API only when it receives at least 50% of traffic having these attributes. For example, if the root API receives 100 requests and 51 requests have OAuth token, then the OAuth token is reported in the discovered API. Similarly, if the same traffic has less than 50% traffic for API keys or cookies, then they are not reported in the discovered API.
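The following added example is not part of the PingIntelligence documentation or product code. It models the root API check and the 50% reporting rule as this page states them, so you can see which attributes a given root API JSON would let discovery report. The sample JSON, the `x-api-key` header name and the request counts are constructed.

```python
import json

# Attributes that, per the page, discovery reports only when set in the root API.
DISCOVERY_ATTRS = ("cookie", "oauth2_access_token", "apikey_qs", "apikey_header")
REPORT_THRESHOLD = 0.5  # "at least 50% of traffic", as stated on the page


def parse_metadata(api_json_text):
    """Return the api_metadata object of an API JSON document, or {} if absent."""
    doc = json.loads(api_json_text)
    meta = doc.get("api_metadata", {})
    return meta if isinstance(meta, dict) else {}


def is_root_api(meta):
    """A root API has url "/" and hostname "*"."""
    return meta.get("url") == "/" and meta.get("hostname") == "*"


def configured_attrs(meta):
    """Attributes set in the API JSON: non-empty strings, or true for the OAuth flag."""
    return [a for a in DISCOVERY_ATTRS if meta.get(a) not in ("", False, None)]


def reported_attrs(meta, seen_counts, total_requests):
    """Attributes expected in a discovered API: set in root AND seen in >= 50% of requests."""
    if not is_root_api(meta) or total_requests <= 0:
        return []
    return [a for a in configured_attrs(meta)
            if seen_counts.get(a, 0) / total_requests >= REPORT_THRESHOLD]


# Constructed sample: a root API with the OAuth flag and an API key header set.
# The header name "x-api-key" is an assumed value, not taken from the page.
SAMPLE_ROOT = json.dumps({"api_metadata": {
    "protocol": "http", "url": "/", "hostname": "*", "cookie": "",
    "oauth2_access_token": True, "apikey_qs": "", "apikey_header": "x-api-key"}})

if __name__ == "__main__":
    meta = parse_metadata(SAMPLE_ROOT)
    print("root API:", is_root_api(meta))
    print("configured:", configured_attrs(meta))
    # Constructed traffic: 100 requests, 51 with an OAuth token,
    # 30 with the API key header, 80 with a cookie (cookie is not set in root).
    counts = {"oauth2_access_token": 51, "apikey_header": 30, "cookie": 80}
    print("reported:", reported_attrs(meta, counts, 100))
```

With the values shown in the page's own snippet (empty strings and `false`), `configured_attrs` returns an empty list, so none of the four attributes would be reported until they are set in the root API.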
ABS configuration for API discovery: Configure API discovery in ABS by setting the `api_discovery` parameter to `true` using Global configuration update REST API.
The following table summarizes the variables related to API discovery that you need to configure. If you want to update the values on an already running system, use the `update.sh` script. For more information on update script, see Manage discovery intervals:
| Variable | Description |
|---|---|
| | Set this variable to |
| | The initial time in hours during which APIs are discovered in your API ecosystem. The default and minimum value is 1 hour. |
| | The time interval in hours at which any newly discovered APIs are reported. The default and minimum value is 1 hour. |
| | The number of subpaths that are discovered in an API. The minimum value is 1 and maximum value is 6. For more information, see Discovery Subpaths. |
| | Defines the maximum number of URLs that are reported in a discovered API. |