PingIntelligence

API environment integration with on-premise ASE

Configure the deployment mode in API Security Enforcer (ASE) and integrate your API environment with ASE.

Ping Identity supports two integration options for your API environment:

  • Sideband deployment

  • Inline deployment

Sideband deployment

When deployed in sideband mode, ASE receives API calls from an API gateway, which passes API traffic information for artificial intelligence (AI) processing. ASE requires no changes to clients or backend API servers. In sideband deployment, ASE works along with the API gateway to protect your API environment. A custom sideband policy is provided, which is deployed in the gateway to route the API traffic. The following diagram shows ASE in sideband deployment mode.

A diagram of PingIntelligence ASE in sideband deployment mode.

To configure ASE for a sideband environment, see #/section_hrs_jnh_vqb.

Configure ASE for sideband deployment

PingIntelligence provides custom sideband policies for API gateways, routers, and other API platforms to support integration with your API environments. See API gateway integrations supported by PingIntelligence for a list of gateway integrations supported along with the deployment instructions. The sideband policy is deployed in your API gateway, and it sends the request and response API metadata to ASE for processing. Follow the instructions in the integration guides to deploy a sideband policy in your environment.

After you determine which API gateways to integrate, set the deployment mode in the ase.conf file located in the /<ASE installation path>/pingidentity/ase/config/ directory.

Parameter Description

mode

Set the mode to sideband for ASE to work in a sideband mode.

enable_sideband_keepalive

When set to true, ASE sends a keep-alive in response header for the TCP connection between API gateway and ASE. With the default false value, ASE sends a connection close in the response header for connection between API gateway and ASE.

Set to trueunless using a MuleSoft API gateway.

enable_sideband_authentication

Set to true if you intend to enable authentication between an API gateway and ASE. After setting it to true, generate a sideband authentication token using the ASE create_sideband_token command.

Set to false for evaluation deployments to simplify setup.

After updating the settings, restart ASE using the following commands:

  • Change the working directory to /bin and run the stop.sh script:

    # /<ASE installation path>/pingidentity/ase/bin/stop.sh
  • Change the working directory to /bin and run the start.sh script:

    # /<ASE installattion path>/pingidentity/ase/bin/start.sh

Inline environment

When deployed in inline mode, ASE is a reverse proxy deployed between the API clients and servers. It is typically deployed behind load balancers, such as AWS Elastic Load Balancing (ELB), to distribute traffic across an ASE cluster for high availability. ASE terminates SSL connections from API clients and then routes the requests to the destination APIs on an API gateway or app servers, such as Node.js, WebLogic, or Tomcat. The following diagram shows an inline deployment.

A diagram of PingIntelligence ASE inline mode.

To continue with an inline deployment, see Inline ASE.