When deployed in sideband mode ASE receives API calls from an API gateway which passes API traffic information for AI processing. In such a deployment, ASE works along with the API gateway to protect your API environment. The following diagram shows a typical ASE sideband deployment:

The following is a description of the traffic flow through the API gateway and Ping Identity ASE.

  1. Incoming request to API gateway
  2. API gateway makes an API call to send the request metadata in JSON format to ASE
  3. ASE checks the request against a registered set of APIs and checks the origin IP against the AI generated Blacklist. If all checks pass, ASE returns a 200-OK response to the API gateway. Otherwise, a different response code is sent to the Gateway. The request is also logged by ASE and sent to the AI Engine for processing.
  4. If the API gateway receives a 200-OK response from ASE, then it forwards the request to the backend server. If it receives a 403, the Gateway does not forward the request to the backend server and returns a different response code to the client.
  5. The response from the backend server is received by the API gateway.
  6. The API gateway makes a second API call to pass the metadata information to ASE which sends the information to the AI engine for processing.
  7. ASE receives the metadata information and sends a 200-OK to the API gateway.
  8. API gateway sends the response received from the backend server to the client.
Note: Make sure that XFF is enabled in the API gateway for ASE to detect the client IP addresses correctly.

Configuring ASE for sideband

To configure ASE to work in the sideband mode, edit the ase.conf file located in the config directory. Set the value of the mode parameter to sideband. The default value of the mode parameter is inline. Following is a snippet of the ase.conf file with the mode parameter set to sideband.

; Defines running mode for API Security Enforcer.

Enable sideband authentication

To have a secure the connection between your API gateway and ASE, enable sideband authentication in ASE and generate a sideband token. This token is configured in the API gateway for it to communicate securely with ASE.
/opt/pingidentity/ase/bin/cli.sh enable_sideband_authentication -u admin -p admin
Sideband authentication is successfully enabled
Generate sideband token: Enter the following command to generate ASE sideband token:
/opt/pingidentity/ase/bin/cli.sh create_sideband_token -u admin -p admin
Sideband token d9b7203c97844434bd1ef9466829e019 created.