PingIntelligence

Akana API gateway sideband integration

This integration guide discusses the deployment of PingIntelligence for APIs in a sideband configuration with Akana API Gateway. PingIntelligence for APIs in a sideband deployment mode integrates with Akana API Gateway to provide in-depth analytics on API traffic. A PingIntelligence policy is installed in the Policy Manager component of Akana API Gateway to pass API metadata to PingIntelligence for detailed API activity reporting and attack detection. For more information on sideband deployment, see Sideband ASE.

PingIntelligence for APIs provides JavaScript policy that extracts API metadata from a request and response processed by Akana API Gateway. The API metadata is passed to API Security Enforcer (ASE). Here are a few highlights of the integration solution:

  • Support for SSL connectivity through a valid CA signed certificate.

  • Support for connection keep alive between Akana gateway and ASE, for faster processing of request and response data.

  • Support for ASE-failover by provisioning a secondary ASE.

  • OAuth attribute extraction and username support for OAuth enabled APIs.

  • Interception of OAuth tokens sent as part of query parameters.

Akana Gateway does not support self-signed certificates.

PingIntelligence policies:

Three policies are made available to support the integration. They are packaged in pi-api-akana-policy-4.x.x.tar.gz file. The following diagram shows the directory structure for reference.

arz1579618135863

pi_policy.js: This is the main PingIntelligence policy. It extracts the metadata for each API call, formats it into JSON and makes API calls to pass the metadata to ASE.

retain-header-policy.js: After validating a token with the OAuth server, Akana gateway deletes the incoming Authorization header. As a result, this header does not get forwarded to ASE. The retainHeader.js remedies this by capturing the deleted Authorization header and passes it to pi_policy.js for metadata extraction. The retainHeader.js policy gets executed before pi_policy.js.

config.js: This script takes ASE configuration as input from the user. The script then connects the ASE nodes and the policy.

The retain-header.js policy needs to be attached to all OAuth enabled APIs, to ensure user information is extracted from API reqeusts.

The following diagram shows the logical setup of PingIntelligence for APIs components and Akana API Gateway:

foo1579668498425

The traffic flow through the Akana API gateway and PingIntelligence for APIs components is explained below:

  1. Client sends an incoming request to Akana API gateway.

  2. PingIntelligence policy deployed on Akana API gateway is executed on the request to extract the metadata from the incoming request.

  3. Akana API gateway makes an API call to send the request metadata to API Security Enforcer (ASE).The ASE checks the identifiers such as usernames, tokens against the blacklist. If all checks pass, ASE returns a 200-OK response to the Akana API gateway. If not, a different response code is sent to Akana API gateway (400 or 403). The request information is also logged by ASE and sent to the Ping Intelligence API Behavioral Security (ABS )AI Engine for processing.

  4. The Akana API gateway forwards the API requests to the backend server after the ASE processes it. If the gateway receives a 403-Forbidden response from ASE, it blocks the client. Otherwise it forwards the request to the backend server.

  5. The response from the backend server is received by Akana API Gateway.

  6. The PingIntelligence policy is again applied on the response to extract the metadata from the server response.

  7. Akana API gateway makes a second API call to pass the response information to ASE which sends the information to the AI engine for processing. ASE sends a 200-OK to API gateway.

  8. Akana API gateway sends the response received from the backend server to the client.