This guide describes the deployment of PingIntelligence for APIs in a sideband configuration with CA API Gateway. You attach the PingIntelligence for APIs integration to your APIs in the CA API Gateway by adding the Encapsulated Assertions to the policies of a subset of your APIs or of every API. When these Encapsulated Assertions are executed inside an API Gateway policy, the gateway passes API metadata to PingIntelligence for detailed API activity reporting and attack detection with optional client blocking.
The following diagram shows the logical setup of PingIntelligence for APIs and CA API Gateway:
Here is the traffic flow through the CA API Gateway and PingIntelligence for APIs components:
1. An incoming API client request arrives at the CA API Gateway.
2. A PingIntelligence assertion running on the CA API Gateway makes an API call to send the request metadata to PingIntelligence ASE.
3. ASE checks the request against a registered set of APIs and looks for the origin IP, cookie, OAuth2 token or API key in the PingIntelligence Blacklist. If all checks pass, ASE returns a 200-OK response to CA. If the client is on the blacklist and blocking is enabled, a 403 response is sent to CA. The request information is also logged by ASE and sent to the AI Engine for processing.
4. If CA receives a 200-OK response from ASE, it forwards the client request to the backend server. If CA receives a 403 response instead, it blocks the client.
5. The response from the backend server is received by CA.
6. CA makes a second API call to pass the response information to ASE.
7. ASE receives the response information and immediately sends a 200-OK to CA. The response information is also logged by ASE and sent to the AI Engine for processing.
8. CA sends the response received from the backend server to the client.
- Persistent SSL sessions - Support for flowing sideband calls across a persistent SSL session between the API Gateway and PingIntelligence. Note: Requires enabling the enable_sideband_keepalive parameter in the PingIntelligence ASE
- Redundant PingIntelligence nodes - Optional redundant PingIntelligence ASE nodes can be configured in the encapsulated assertion to bypass a node failure.
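
The traffic flow and the redundant-node behaviour described above can be modelled in a few lines. This is an added example, not PingIntelligence or CA API Gateway code: `MockASE`, `first_available` and `gateway_handle` are hypothetical names, the handling of unregistered APIs is an assumption, and the fail-open result when no node answers is an assumption that a deployment should decide deliberately.

```python
# Added illustration: in-process model of the sideband flow; not PingIntelligence or CA code.
from dataclasses import dataclass, field

@dataclass
class MockASE:
    """Stand-in for one ASE node (hypothetical; the real ASE is reached over the network)."""
    registered_apis: set
    blacklist: set                      # (kind, value) pairs, e.g. ("token", "tok-bad")
    blocking_enabled: bool = True
    up: bool = True
    log: list = field(default_factory=list)   # records that would go on to the AI Engine

    def check_request(self, meta):
        if not self.up:
            raise ConnectionError("ASE node unreachable")
        self.log.append(("request", meta))      # logged whether or not the client is blocked
        # Assumption: a path outside the registered APIs is not subject to blocking.
        if not any(meta["path"].startswith(p) for p in self.registered_apis):
            return 200
        ids = {(k, meta.get(k)) for k in ("ip", "cookie", "token", "api_key")}
        return 403 if self.blocking_enabled and ids & self.blacklist else 200

    def record_response(self, meta):
        if not self.up:
            raise ConnectionError("ASE node unreachable")
        self.log.append(("response", meta))
        return 200                              # ASE acknowledges immediately

def first_available(nodes, call):
    """Try each configured ASE node in order, skipping nodes that fail."""
    for node in nodes:
        try:
            return call(node)
        except ConnectionError:
            continue
    return 200   # Assumption: fail open when no node answers (a policy choice, not from the page)

def gateway_handle(nodes, request, backend):
    """Gateway side of the flow: check with ASE, forward or block, report the response."""
    meta = {k: request.get(k) for k in ("path", "ip", "cookie", "token", "api_key")}
    if first_available(nodes, lambda n: n.check_request(meta)) == 403:
        return 403, "blocked"                   # the backend is never contacted
    status, body = backend(request)
    first_available(nodes, lambda n: n.record_response({"path": meta["path"], "status": status}))
    return status, body
```

With blocking disabled, a blacklisted client still produces request and response log entries, so detection keeps working while enforcement is off.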