PingIntelligence

CLI for sideband ASE

The following table shows the command-line interface (CLI) functions and their syntax for API Security Enforcer (ASE) in sideband mode.

Function Description Syntax

Start ASE

Starts ASE

./start.sh

Stop ASE

Stops ASE

./stop.sh

Help

Displays cli.sh help

./cli.sh help

Version

Displays the version number of ASE

./cli.sh version

Status

Displays the running status of ASE

./cli.sh status

Update Password

Changes ASE admin password

./cli.sh update_password -u admin -p

Change log level

Changes balancer.log and controller.log log level

./cli.sh log_level -u admin -p

Options:

  • warn

  • info

  • error

  • fatal

  • debug

Get Authentication Method

Displays the current authentication method

./cli.sh get_auth_method -u admin -p

Update Authentication Method

Updates ASE authentication method

./cli.sh update_auth_method {method} -u admin -p

Enable Sideband Authentication

Enables authentication between API gateway and ASE when ASE is deployed in sideband mode

./cli.sh enable_sideband_authentication -u admin -p

Disable Sideband Authentication

Disables authentication between API gateway and ASE when ASE is deployed in sideband mode

./cli.sh disable_sideband_authentication -u admin -p

Create ASE Authentication Token

Creates the ASE token that is used to authenticate between the API gateway and ASE

./cli.sh create_sideband_token -u admin -p

List ASE Authentication Token

Lists the ASE token that is used to authenticate between the API gateway and ASE

./cli.sh list_sideband_token -u admin -p

Import ASE Authentication Token

Imports ASE token that is used for authentication between ASE and API gateway.

The token should be 32 characters long. The allowed characters are lowercase letters and the digits 0-9.

./cli.sh import_sideband_token {token} -u admin -p admin

Delete ASE Authentication Token

Deletes the ASE token that is used to authenticate between the API gateway and ASE

./cli.sh delete_sideband_token {token} -u admin -p

Enable Audit Logging

Enables audit logging

./cli.sh enable_audit -u admin -p admin

Disable Audit Logging

Disables audit logging

./cli.sh disable_audit -u admin -p admin

Add Syslog Server

Adds a new syslog server

./cli.sh -u admin -p admin add_syslog_server host:port

Delete Syslog Server

Deletes the syslog server

./cli.sh -u admin -p admin delete_syslog_server host:port

List Syslog Server

Lists the current syslog server

./cli.sh -u admin -p admin list_syslog_server

Add API

Adds a new API file in JSON format. The file must have a .json extension. Provide the complete path to the location where the API JSON file is stored. After the command runs, the API is added to the /opt/pingidentity/ase/config/api directory

./cli.sh -u admin -p admin add_api {config_file_path}

Update API

Updates an API after the API JSON file has been edited and saved

./cli.sh -u admin -p admin update_api {api_name}

List APIs

Lists all APIs configured in ASE

./cli.sh -u admin -p admin list_api

API Info

Displays the API JSON file

./cli.sh -u admin -p admin api_info {api_id}

API Count

Displays the total number of APIs configured

./cli.sh -u admin -p admin api_count

Enable Per API Blocking

Enables attack blocking for the API

./cli.sh -u admin -p admin enable_blocking {api_id}

Disable Per API Blocking

Disables attack blocking for the API

./cli.sh -u admin -p admin disable_blocking {api_id}

Delete API

Deletes an API from ASE. Deleting an API removes the corresponding JSON file and deletes all the cookies associated with that API

./cli.sh -u admin -p admin delete_api {api_id}

Generate Master Key

Generates the master obfuscation key ase_master.key

./cli.sh -u admin -p admin generate_obfkey

Obfuscate Keys and Password

Obfuscates the keys and passwords configured in various configuration files

./cli.sh -u admin -p admin obfuscate_keys

Create a Key Pair

Creates private key and public key pair in keystore

./cli.sh -u admin -p admin create_key_pair

Create a CSR

Creates a certificate signing request

./cli.sh -u admin -p admin create_csr

Create a Self-Signed Certificate

Creates a self-signed certificate

./cli.sh -u admin -p admin create_self_sign_cert

Import Certificate

Imports a CA-signed certificate into keystore

./cli.sh -u admin -p admin import_cert {cert_path}

Create Management Key Pair

Creates a private key for management server

./cli.sh -u admin -p admin create_management_key_pair

Create Management CSR

Creates a certificate signing request for management server

./cli.sh -u admin -p admin create_management_csr

Create Management Self-signed Certificate

Creates a self-signed certificate for management server

./cli.sh -u admin -p admin create_management_self_sign_cert

Import Management Key Pair

Imports a key-pair for management server

./cli.sh -u admin -p admin import_management_key_pair {key_path}

Import Management Certificate

Imports a CA-signed certificate for management server

./cli.sh -u admin -p admin import_management_cert {cert_path}

Cluster Info

Displays information about an ASE cluster

./cli.sh -u admin -p admin cluster_info

Delete Cluster Node

Deletes an inactive ASE cluster node

./cli.sh -u admin -p admin delete_cluster_node host:port

Enable Firewall

Enables API firewall. Activates pattern enforcement, API name mapping, and manual attack type

./cli.sh -u admin -p admin enable_firewall

Disable Firewall

Disables API firewall

./cli.sh -u admin -p admin disable_firewall

Enable ASE detected attacks

Enables ASE-detected attacks

./cli.sh -u admin -p admin enable_ase_detected_attack

Disable ASE Detected Attacks

Disables ASE-detected attacks

./cli.sh -u admin -p admin disable_ase_detected_attack

Enable ABS

Enables ABS so that access logs are sent to ABS

./cli.sh -u admin -p admin enable_abs

Disable ABS

Disables ABS so that access logs are no longer sent to ABS

./cli.sh -u admin -p admin disable_abs

Adding deny list

Adds an entry to ASE deny list using CLI. Valid type values are: IP, Cookie, OAuth2 token, API Key, and username

./cli.sh -u admin -p admin add_blacklist {type} {name} {value}

If type is ip, then name is the IP address.

If type is cookie, then name is the cookie name, and value is the cookie value

Example:

./cli.sh -u admin -p admin add_blacklist ip 1.1.1.1

Delete deny list Entry

Deletes entry from the deny list.

./cli.sh -u admin -p admin delete_blacklist {type} {name} {value}

Example:

./cli.sh -u admin -p delete_blacklist token 58fcb0cb97c54afbb88c07a4f2d73c35

Clear deny list

Clears all the entries from the deny list

./cli.sh -u admin -p admin clear_blacklist

View deny list

Views the entire deny list or the deny list for a specified attack type (for example, invalid_method)

./cli.sh -u admin -p admin view_blacklist {all|manual|abs_generated|invalid_content_type|invalid_method|invalid_protocol|decoy|missing_token}

View deny list for IP addresses with missing tokens

Views the deny list entries that are blocked due to missing tokens

./cli.sh view_blacklist missing_token -uadmin -padmin

Adding allow list

Adds an entry to ASE allow list using CLI. Valid type values are: IP, cookie, OAuth2 token, API key, and username

./cli.sh -u admin -p admin add_whitelist {type} {name} {value}

Options:

  • If type is ip, then name is the IP address.

  • If type is cookie, then name is the cookie name, and value is the cookie value

Example:

./cli.sh -u admin -p admin add_whitelist api_key AccessKey 065f73cdf39e486f9d7cda97d2dd1597

Delete allow list Entry

Deletes an entry from the allow list

./cli.sh -u admin -p admin delete_whitelist {type} {name} {value}

Example:

./cli.sh -u admin -p delete_whitelist token 58fcb0cb97c54afbb88c07a4f2d73c35

Clear allow list

Clears all the entries from the allow list

./cli.sh -u admin -p admin clear_whitelist

View allow list

Views the entire allow list

./cli.sh -u admin -p admin view_whitelist

ABS Info

Displays ABS status information

ABS enabled or disabled, ASE fetching ABS attack types, and ABS cluster information

./cli.sh -u admin -p admin abs_info
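
The token format stated above for import_sideband_token (32 characters, lowercase letters and digits 0-9) can be checked before the token is handed to cli.sh. The following is an added shell example, not part of the ASE distribution: it generates a conformant token from the kernel random source and refuses to import a malformed one. The function names and the ASE_CLI variable are hypothetical.

```shell
#!/bin/sh
# Added example, not shipped with ASE. Function names and ASE_CLI are hypothetical.
# Force the C locale so that the range a-z never matches uppercase letters.
LC_ALL=C
export LC_ALL

# validate_sideband_token TOKEN
# Returns 0 when TOKEN matches the documented format, otherwise prints the
# reason on stderr and returns 1.
validate_sideband_token() {
    token=$1
    if [ "${#token}" -ne 32 ]; then
        echo "rejected: length ${#token}, expected 32" >&2
        return 1
    fi
    case $token in
        *[!a-z0-9]*)
            echo "rejected: only lowercase letters and digits 0-9 are allowed" >&2
            return 1
            ;;
    esac
    return 0
}

# generate_sideband_token
# Prints a 32-character token. tr discards every byte outside the allowed
# alphabet, so each kept character is drawn uniformly from a-z0-9.
generate_sideband_token() {
    tr -dc 'a-z0-9' < /dev/urandom | head -c 32
}

# import_checked TOKEN [cli.sh credential options...]
# Validates TOKEN, then runs the import command from the table above.
# ASE_CLI defaults to ./cli.sh; the remaining arguments are passed through
# unchanged (for example: -u admin -p).
import_checked() {
    tok=$1
    shift
    validate_sideband_token "$tok" || return 1
    "${ASE_CLI:-./cli.sh}" import_sideband_token "$tok" "$@"
}
```

Run from the ASE bin directory, for example: import_checked "$(generate_sideband_token)" -u admin -p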