CLI for sideband ASE

The following table shows the command-line interface (CLI) functions and their syntax for API Security Enforcer (ASE) in sideband mode.

Function Description Syntax

Function	Description	Syntax
Start ASE	Starts ASE	`./start.sh`
Stop ASE	Stops ASE	`./stop.sh`
Help	Displays cli.sh help	`./cli.sh help`
Version	Displays the version number of ASE	`./cli.sh version`
Status	Displays the running status of ASE	`./cli.sh status`
Update Password	Changes ASE admin password	`./cli.sh update_password -u admin - p`
Change log level	Changes `balancer.log` and `controller.log` log level	`./cli.sh log_level -u admin -p` Options: `warn` `info` `error` `fatal` `debug`
Get Authentication Method	Displays the current authentication method	`./cli.sh get_auth_method -u admin -p`
Update Authentication Method	Updates ASE authentication method	`./cli.sh update_auth_method {method} -u admin -p`
Enable Sideband Authentication	Enables authentication between API gateway and ASE when ASE is deployed in sideband mode	`./cli.sh enable_sideband_authentication -u admin – p`
Disable Sideband Authentication	Disables authentication between API gateway and ASE when ASE is deployed in sideband mode	`./cli.sh disable_sideband_authentication -u admin – p`
Create ASE Authentication Token	Create the ASE token that is used to authenticate between the API gateway and ASE	`./cli.sh create_sideband_token -u admin – p`
List ASE Authentication Token	List the ASE token that is used to authenticate between the API gateway and ASE	`./cli.sh list_sideband_token -u admin – p`
Import ASE Authentication Token	Imports ASE token that is used for authentication between ASE and API gateway. The token should be 32 characters long and the allowable characters in the token are alphabets in small case and digits 0-9.	`./cli.sh import_sideband_token {token} -u admin – p admin`
Delete ASE Authentication Token	Deletes the ASE token that is used to authenticate between the API gateway and ASE	`./cli.sh delete_sideband_token {token} -u admin – p`
Enable Audit Logging	Enables audit logging	`./cli.sh enable_audit -u admin -p admin`
Disable Audit Logging	Disables audit logging	`./cli.sh disable_audit -u admin -p admin`
Add Syslog Server	Adds a new syslog server	`./cli.sh –u admin -p admin add_syslog_server host:port`
Delete Syslog Server	Deletes the syslog server	`./cli.sh –u admin -p admin delete_syslog_server host:port`
List Syslog Server	Lists the current syslog server	`./cli.sh –u admin -p admin list_syslog_server`
Add API	Add a new API file in JSON format. File should have `.json` extension. Provide the complete path where you have stored the API JSON file. After running the command, API is added to `/opt/pingindentity/ase/config/api` directory	`./cli.sh –u admin -p admin add_api {config_file_path}`
Update API	Updates an API after the API JSON file has been edited and saved	`./cli.sh –u admin -p admin update_api {api_name}`
List APIs	Lists all APIs configured in ASE	`./cli.sh –u admin -p admin list_api`
API Info	Displays the API JSON file	`./cli.sh –u admin -p admin api_info {api_id}`
API Count	Displays the total number of APIs configured	`./cli.sh –u admin -p admin api_count`
Enable Per API Blocking	Enables attack blocking for the API	`./cli.sh –u admin -p admin enable_blocking {api_id}`
Disable Per API Blocking	Disables attack blocking for the API	`./cli.sh –u admin -p admin disable_blocking {api_id}`
Delete API	Deletes an API from ASE. Deleting an API removes the corresponding JSON file and deletes all the cookies associated with that API	`./cli.sh –u admin -p admin delete_api {api_id}`
Generate Master Key	Generates the master obfuscation key `ase_master.key`	`./cli.sh -u admin -p admin generate_obfkey`
Obfuscate Keys and Password	Obfuscates the keys and passwords configured in various configuration files	`./cli.sh -u admin -p admin obfuscate_keys`
Create a Key Pair	Creates private key and public key pair in keystore	`./cli.sh –u admin -p admin create_key_pair`
Create a CSR	Creates a certificate signing request	`./cli.sh –u admin -p admin create_csr`
Create a Self-Signed Certificate	Creates a self-signed certificate	`./cli.sh –u admin -p admin create_self_sign_cert`
Import Certificate	Imports a CA-signed certificate into keystore	`./cli.sh –u admin -p admin import_cert {cert_path}`
Create Management Key Pair	Creates a private key for management server	`/cli.sh –u admin -p admin create_management_key_pair`
Create Management CSR	Creates a certificate signing request for management server	`/cli.sh –u admin -p admin create_management_csr`
Create Management Self-signed Certificate	Creates a self-signed certificate for management server	`/cli.sh –u admin -p admin create_management_self_sign_cert`
Import Management Key Pair	Imports a key-pair for management server	`/cli.sh –u admin -p admin import_management_key_pair {key_path}`
Import Management Certificate	Imports a CA-signed certificate for management server	`/cli.sh –u admin -p admin import_management_cert {cert_path}`
Cluster Info	Displays information about an ASE cluster	`./cli.sh –u admin -p admin cluster_info`
Delete Cluster Node	Deletes an inactive ASE cluster node	`./cli.sh –u admin -p admin delete_cluster_node host:port`
Enable Firewall	Enables API firewall. Activates pattern enforcement, API name mapping, manual attack type	`./cli.sh –u admin -p admin enable_firewall`
Disable Firewall	Disables API firewall	`./cli.sh –u admin -p admin disable_firewall`
Enable ASE detected attacks	Enables ASE-detected attacks	`./cli.sh –u admin -p admin enable_ase_detected_attack`
Disable ASE Detected Attacks	Disables ASE-detected attacks	`./cli.sh –u admin -p admin disable_ase_detected_attack`
Enable ABS	Enables ABS to send access logs to ABS	`./cli.sh –u admin -p admin enable_abs`
Disable ABS	Disables ABS to stop sending access logs to ABS	`./cli.sh –u admin -p admin disable_abs`
Adding deny list	Adds an entry to ASE deny list using CLI. Valid type values are: IP, Cookie, OAuth2 token, API Key, and username	`./cli.sh –u admin -p admin add_blacklist {type}{name}{value}` If type is `ip`, then `name` is the IP address. If type is `cookie`, then `name` is the cookie name, and `value` is the cookie value Example: `/cli.sh -u admin -p admin add_blacklist ip 1.1.1.1`
Delete deny list Entry	Deletes entry from the deny list.	`./cli.sh –u admin -p admin delete_blacklist {type}{name}{value}` Example: `cli.sh -u admin -p delete_blacklist token 58fcb0cb97c54afbb88c07a4f2d73c35`
Clear deny list	Clears all the entries from the deny list	`./cli.sh –u admin -p admin clear_blacklist`
View deny list	Views the entire deny list or view a deny list for the specified attack type (for example, invalid_method)	`./cli.sh –u admin -p admin view_blacklist \{all\|manual\|abs_generated\|invalid_content_type\|invalid_method\|invalid_protocol\|decoy\|missing_token}`
View deny list for IP addresses with missing tokens	Views the deny list entries that are blocked due to missing tokens	`./cli.sh view_blacklist missing_token -uadmin -padmin`
Adding allow list	Adds an entry to ASE allow list using CLI. Valid type values are: IP, cookie, OAuth2 token, API key, and username	`./cli.sh –u admin -p admin add_whitelist {type}{name}{value}` Options: If type is `ip`, then `name` is the IP address. If type is `cookie`, then `name` is the cookie name, and `value` is the cookie value Example: `/cli.sh -u admin -p admin add_whitelist api_key AccessKey 065f73cdf39e486f9d7cda97d2dd1597`
Delete allow list Entry	Delete entry from the allow list	`./cli.sh –u admin -p admin delete_whitelist {type}{name}{value}` Example: /cli.sh -u admin -p delete_whitelist token 58fcb0cb97c54afbb88c07a4f2d73c35
Clear allow list	Clears all the entries from the allow list	`./cli.sh –u admin -p admin clear_whitelist`
View allow list	Views the entire allow list	`./cli.sh –u admin -p admin view_whitelist`
ABS Info	Displays ABS status information ABS enabled or disabled, ASE fetching ABS attack types, and ABS cluster information	`./cli.sh –u admin -p admin abs_info`

Start ASE

Starts ASE

./start.sh

Stop ASE

Stops ASE

./stop.sh

Help

Displays cli.sh help

./cli.sh help

Version

Displays the version number of ASE

./cli.sh version

Status

Displays the running status of ASE

./cli.sh status

Update Password

Changes ASE admin password

./cli.sh update_password -u admin - p

Change log level

Changes balancer.log and controller.log log level

./cli.sh log_level -u admin -p

Options:

warn
info
error
fatal
debug

Get Authentication Method

Displays the current authentication method

./cli.sh get_auth_method -u admin -p

Update Authentication Method

Updates ASE authentication method

./cli.sh update_auth_method {method} -u admin -p

Enable Sideband Authentication

Enables authentication between API gateway and ASE when ASE is deployed in sideband mode

./cli.sh enable_sideband_authentication -u admin – p

Disable Sideband Authentication

Disables authentication between API gateway and ASE when ASE is deployed in sideband mode

./cli.sh disable_sideband_authentication -u admin – p

Create ASE Authentication Token

Create the ASE token that is used to authenticate between the API gateway and ASE

./cli.sh create_sideband_token -u admin – p

List ASE Authentication Token

List the ASE token that is used to authenticate between the API gateway and ASE

./cli.sh list_sideband_token -u admin – p

Import ASE Authentication Token

Imports ASE token that is used for authentication between ASE and API gateway.

The token should be 32 characters long and the allowable characters in the token are alphabets in small case and digits 0-9.

./cli.sh import_sideband_token {token} -u admin – p admin

Delete ASE Authentication Token

Deletes the ASE token that is used to authenticate between the API gateway and ASE

./cli.sh delete_sideband_token {token} -u admin – p

Enable Audit Logging

Enables audit logging

./cli.sh enable_audit -u admin -p admin

Disable Audit Logging

Disables audit logging

./cli.sh disable_audit -u admin -p admin

Add Syslog Server

Adds a new syslog server

./cli.sh –u admin -p admin add_syslog_server host:port

Delete Syslog Server

Deletes the syslog server

./cli.sh –u admin -p admin delete_syslog_server host:port

List Syslog Server

Lists the current syslog server

./cli.sh –u admin -p admin list_syslog_server

Add API

Add a new API file in JSON format. File should have .json extension. Provide the complete path where you have stored the API JSON file. After running the command, API is added to /opt/pingindentity/ase/config/api directory

./cli.sh –u admin -p admin add_api {config_file_path}

Update API

Updates an API after the API JSON file has been edited and saved

./cli.sh –u admin -p admin update_api {api_name}

List APIs

Lists all APIs configured in ASE

./cli.sh –u admin -p admin list_api

API Info

Displays the API JSON file

./cli.sh –u admin -p admin api_info {api_id}

API Count

Displays the total number of APIs configured

./cli.sh –u admin -p admin api_count

Enable Per API Blocking

Enables attack blocking for the API

./cli.sh –u admin -p admin enable_blocking {api_id}

Disable Per API Blocking

Disables attack blocking for the API

./cli.sh –u admin -p admin disable_blocking {api_id}

Delete API

Deletes an API from ASE. Deleting an API removes the corresponding JSON file and deletes all the cookies associated with that API

./cli.sh –u admin -p admin delete_api {api_id}

Generate Master Key

Generates the master obfuscation key ase_master.key

./cli.sh -u admin -p admin generate_obfkey

Obfuscate Keys and Password

Obfuscates the keys and passwords configured in various configuration files

./cli.sh -u admin -p admin obfuscate_keys

Create a Key Pair

Creates private key and public key pair in keystore

./cli.sh –u admin -p admin create_key_pair

Create a CSR

Creates a certificate signing request

./cli.sh –u admin -p admin create_csr

Create a Self-Signed Certificate

Creates a self-signed certificate

./cli.sh –u admin -p admin create_self_sign_cert

Import Certificate

Imports a CA-signed certificate into keystore

./cli.sh –u admin -p admin import_cert {cert_path}

Create Management Key Pair

Creates a private key for management server

/cli.sh –u admin -p admin create_management_key_pair

Create Management CSR

Creates a certificate signing request for management server

/cli.sh –u admin -p admin create_management_csr

Create Management Self-signed Certificate

Creates a self-signed certificate for management server

/cli.sh –u admin -p admin create_management_self_sign_cert

Import Management Key Pair

Imports a key-pair for management server

/cli.sh –u admin -p admin import_management_key_pair {key_path}

Import Management Certificate

Imports a CA-signed certificate for management server

/cli.sh –u admin -p admin import_management_cert {cert_path}

Cluster Info

Displays information about an ASE cluster

./cli.sh –u admin -p admin cluster_info

Delete Cluster Node

Deletes an inactive ASE cluster node

./cli.sh –u admin -p admin delete_cluster_node host:port

Enable Firewall

Enables API firewall. Activates pattern enforcement, API name mapping, manual attack type

./cli.sh –u admin -p admin enable_firewall

Disable Firewall

Disables API firewall

./cli.sh –u admin -p admin disable_firewall

Enable ASE detected attacks

Enables ASE-detected attacks

./cli.sh –u admin -p admin enable_ase_detected_attack

Disable ASE Detected Attacks

Disables ASE-detected attacks

./cli.sh –u admin -p admin disable_ase_detected_attack

Enable ABS

Enables ABS to send access logs to ABS

./cli.sh –u admin -p admin enable_abs

Disable ABS

Disables ABS to stop sending access logs to ABS

./cli.sh –u admin -p admin disable_abs

Adding deny list

Adds an entry to ASE deny list using CLI. Valid type values are: IP, Cookie, OAuth2 token, API Key, and username

./cli.sh –u admin -p admin add_blacklist {type}{name}{value}

If type is ip, then name is the IP address.

If type is cookie, then name is the cookie name, and value is the cookie value

Example:

/cli.sh -u admin -p admin add_blacklist ip 1.1.1.1

Delete deny list Entry

Deletes entry from the deny list.

./cli.sh –u admin -p admin delete_blacklist {type}{name}{value}

Example:

cli.sh -u admin -p delete_blacklist token 58fcb0cb97c54afbb88c07a4f2d73c35

Clear deny list

Clears all the entries from the deny list

./cli.sh –u admin -p admin clear_blacklist

View deny list

Views the entire deny list or view a deny list for the specified attack type (for example, invalid_method)

./cli.sh –u admin -p admin view_blacklist \{all|manual|abs_generated|invalid_content_type|invalid_method|invalid_protocol|decoy|missing_token}

View deny list for IP addresses with missing tokens

Views the deny list entries that are blocked due to missing tokens

./cli.sh view_blacklist missing_token -uadmin -padmin

Adding allow list

Adds an entry to ASE allow list using CLI. Valid type values are: IP, cookie, OAuth2 token, API key, and username

./cli.sh –u admin -p admin add_whitelist {type}{name}{value}

Options:

If type is ip, then name is the IP address.
If type is cookie, then name is the cookie name, and value is the cookie value

Example:

/cli.sh -u admin -p admin add_whitelist api_key AccessKey 065f73cdf39e486f9d7cda97d2dd1597

Delete allow list Entry

Delete entry from the allow list

./cli.sh –u admin -p admin delete_whitelist {type}{name}{value}

Example:

/cli.sh -u admin -p delete_whitelist token 58fcb0cb97c54afbb88c07a4f2d73c35

Clear allow list

Clears all the entries from the allow list

./cli.sh –u admin -p admin clear_whitelist

View allow list

Views the entire allow list

./cli.sh –u admin -p admin view_whitelist

ABS Info

Displays ABS status information

ABS enabled or disabled, ASE fetching ABS attack types, and ABS cluster information

./cli.sh –u admin -p admin abs_info

PingIntelligence

CLI for sideband ASE