PingIntelligence

Preparing to deploy the PingIntelligence policy on APIM

Complete the following prerequisites before deploying the PingIntelligence policy on API Manager (APIM):

Steps

  1. Confirm that the Azure APIM Service is available.

    The PingIntelligence policy supports the Azure APIM Q2CY2020 version. If you are using any other version, contact Ping Identity support.

  2. Confirm that the APIs to which you want to apply the PingIntelligence policy are available.

  3. To use the API Security Enforcer (ASE) self-signed certificate, configure the CA certificate from the Security → CA certificates section.

  4. Select one of the following four levels to apply the PingIntelligence policy:

    • For all the APIs

    • For a group of APIs, that is, at the product level

    • For individual APIs

    • For a specific operation in the API

  5. Install and configure the PingIntelligence software.

    Refer to the PingIntelligence deployment guide for your environment type.

  6. Verify that ASE is in sideband mode by running the following ASE command:

    /opt/pingidentity/ase/bin/cli.sh status

    Result:

    API Security Enforcer
    status                  : started
    mode                    : sideband
    http/ws                 : port 80
    https/wss               : port 443
    firewall                : enabled
    abs                     : disabled, ssl: enabled
    abs attack              : disabled
    audit                   : enabled
    sideband authentication : disabled
    ase detected attack     : disabled
    attack list memory      : configured 128.00 MB, used 25.61 MB, free 102.39 MB
    google pubsub           : disabled
    log level               : debug
    timezone                : local (UTC)

    Troubleshooting:

    If ASE is not in sideband mode, stop ASE, edit the /opt/pingidentity/ase/config/ase.conf file to set mode to sideband, and then start ASE.

  7. For secure communication between APIM and ASE, enable sideband authentication by entering the following ASE command:

    # ./bin/cli.sh enable_sideband_authentication -u admin -p

  8. A token is required for APIM to authenticate with ASE. To generate the token in ASE, enter the following ASE command and save the generated authentication token for further use:

    # ./bin/cli.sh -u admin -p admin create_sideband_token
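
The following script is an added example, not part of the Ping Identity documentation or the ASE tooling. It checks the text printed by the status command in step 6 against the prerequisites in steps 6 and 7. The function names are hypothetical, and it assumes the sideband authentication field reads "enabled" once step 7 has been run.

```shell
#!/bin/sh
# Added example, not Ping Identity code: checks the text printed by
# `cli.sh status` against steps 6 and 7 of this page.

# Status text copied from the Result shown in step 6 (trimmed to the
# fields this check reads, plus two others to exercise the parser).
SAMPLE_STATUS='API Security Enforcer
status                  : started
mode                    : sideband
abs                     : disabled, ssl: enabled
sideband authentication : disabled
log level               : debug'

# Print the value of one "name : value" line in the status text.
# $1 = status text, $2 = exact field name.
ase_status_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        {
            sep = index($0, ":")
            if (sep == 0) next
            name = substr($0, 1, sep - 1)
            val = substr($0, sep + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == key) { print val; exit }
        }'
}

# Print one PASS/FAIL line per prerequisite; return 1 if any check fails.
# Assumption: the field reads "enabled" once step 7 has been run.
check_ase_prereqs() {
    rc=0
    for check in "status=started" "mode=sideband" "sideband authentication=enabled"; do
        field=${check%%=*}
        want=${check#*=}
        got=$(ase_status_field "$1" "$field")
        if [ "$got" = "$want" ]; then
            echo "PASS: $field is $want"
        else
            echo "FAIL: $field is '${got:-missing}', expected $want"
            rc=1
        fi
    done
    return "$rc"
}

# On an ASE host: check_ase_prereqs "$(/opt/pingidentity/ase/bin/cli.sh status)"
check_ase_prereqs "$SAMPLE_STATUS" || echo "ASE is not ready for the APIM policy"
```

Run against the step 6 output, the check fails on sideband authentication, which is the state step 7 corrects.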