PingIntelligence

IBM DataPower Gateway sideband integration

This integration guide discusses the deployment of PingIntelligence for APIs in a sideband configuration with IBM DataPower Gateway. PingIntelligence for APIs provides policy assembly components that extract the API metadata from a request or response processed by IBM DataPower Gateway. The API metadata is passed to PingIntelligence for APIs for detailed API activity reporting and attack detection. For more information on sideband deployment, see Sideband ASE.

The PingIntelligence policy assembly components are added using API Manager in IBM API Connect. The following diagram shows the implementation steps of the PingIntelligence policy assembly components in the IBM API ecosystem.

xxm1585578131130

The PingIntelligence policy assembly components get deployed on a per API basis. You must configure them for an individual API to extract the request and response metadata for the API.

The following diagram shows the logical setup of PingIntelligence for APIs and IBM DataPower Gateway.

A diagram of the setup of PingIntelligence and IBM DataPower Gateway.

The traffic flow through the IBM DataPower Gateway and PingIntelligence for APIs components is explained below:

  1. A client sends an incoming request to the IBM DataPower Gateway.

  2. PingIntelligence policy component is executed on the request to extract the metadata from the incoming request.

  3. IBM DataPower Gateway makes an API call to send the request metadata to API Security Enforcer (ASE). The ASE checks the client identifiers such as usernames, tokens against the blacklist. If all checks pass, ASE returns a 200-OK response to the IBM DataPower Gateway. If the checks do not pass, ASE sends different response code (403) to the IBM DataPower Gateway. In both cases, ASE logs the request information and sends it to the Ping Intelligence API Behavioral Security (ABS) AI Engine for processing.

  4. If the ASE sends a 200-OK response to the IBM DataPower Gateway, it forwards the API requests to the backend server. If the gateway receives a 403-Forbidden response from ASE, it blocks the client.

  5. IBM DataPower Gateway receives the response from the backend server.

  6. PingIntelligence policy component is applied on the response to extract the metadata from the server response.

  7. IBM DataPower Gateway makes a second API call to pass the response information to ASE, which sends the information to the ABS AI engine for processing.

  8. IBM DataPower API Gateway sends the response received from the backend server to the client.