Before using the PingIntelligence Apigee tool, confirm the following:

  • Apigee version

    PingIntelligence supports Apigee API gateways supporting shared flows.

  • OpenJDK version

    The machine where the PingIntelligence Apigee deployment tool is installed supports OpenJDK versions between 11.0.2 to 11.0.6.

  • PingIntelligence software installation

    PingIntelligence 4.0 or later software is installed and configured. For installation of PingIntelligence software, see the manual or platform-specific automated deployment guides.

  • Verify that ASE is in sideband mode

    Make sure that ASE is in sideband mode by running the following command in the ASE command line:

    /opt/pingidentity/ase/bin/ status
    API Security Enforcer
    status                  : started
    mode                   : sideband
    http/ws                 : port 80
    https/wss               : port 443
    firewall                : enabled
    abs                     : enabled, ssl: enabled
    abs attack              : disabled
    audit                   : enabled
    sideband authentication : disabled
    ase detected attack     : disabled
    attack list memory      : configured 128.00 MB, used 25.60 MB, free 102.40 MB

    If ASE is not in sideband mode, then stop ASE and change the mode by editing the /opt/pingidentity/ase/config/ase.conf file. Set mode as sideband and start ASE.

  • Enable sideband authentication

    For a secure communication between Apigee Edge and ASE, enable sideband authentication by entering the following command in the ASE command line:

    # ./bin/ enable_sideband_authentication -u admin –p
  • Generate sideband authentication token

    A token is required for Apigee Edge to authenticate with ASE. This token is generated in ASE and configured in the file of the PingIntelligence automated policy tool. To generate the token in ASE, enter the following command in the ASE command line:

    # ./bin/ -u admin -p admin create_sideband_token

    Save the generated authentication token for further use.

  • Verify the certificate in ase.pem when using self-signed certificates

    Make sure that the certificate applied for ASE data port matches with the certificate present in the ase.pem certificate file to prevent SSL issues after policy deployment. Run the following command to obtain the certificate used in ASE data port. If the certificates do not match, paste the correct certificate in the /opt/pingidentity/pi/apigee/certs/ase.pem file.

    # openssl s_client -showcerts -connect <ASE IP address>:<port no> </dev/null 2>/dev/null | openssl x509 -outform PEM > ase.pem