When deployed in sideband mode ASE receives API calls from an API gateway which passes API traffic information for AI processing. In such a deployment, ASE works along with the API gateway to protect your API environment. The following diagram shows a typical ASE sideband deployment:
The following is a description of the traffic flow through the API gateway and Ping Identity ASE.
- Incoming request to API gateway
- API gateway makes an API call to send the request metadata in JSON format to ASE
- ASE checks the request against a registered set of APIs and checks the origin IP against the AI generated Blacklist. If all checks pass, ASE returns a 200-OK response to the API gateway. Otherwise, a different response code is sent to the Gateway. The request is also logged by ASE and sent to the AI Engine for processing.
- If the API gateway receives a 200-OK response from ASE, then it forwards the request to the backend server. If it receives a 403, the Gateway does not forward the request to the backend server and returns a different response code to the client.
- The response from the backend server is received by the API gateway.
- The API gateway makes a second API call to pass the metadata information to ASE which sends the information to the AI engine for processing.
- ASE receives the metadata information and sends a 200-OK to the API gateway.
- API gateway sends the response received from the backend server to the client.
Configuring ASE for sideband
To configure ASE to work in the sideband mode, edit the ase.conf file located in the config directory. Set the value of the mode parameter to sideband. The default value of the mode parameter is inline. Following is a snippet of the ase.conf file with the mode parameter set to sideband.
; Defines running mode for API Security Enforcer. mode=sideband
Enable sideband authentication
/opt/pingidentity/ase/bin/cli.sh enable_sideband_authentication -u admin -p admin Sideband authentication is successfully enabled
/opt/pingidentity/ase/bin/cli.sh create_sideband_token -u admin -p admin Sideband token d9b7203c97844434bd1ef9466829e019 created.