By default, SSLv3 is disabled because of security vulnerabilities. To enable SSLv3, stop ASE, set enable_sslv3 to true in the ase.conf file, and then restart ASE to activate SSLv3 protocol support. SSLv3 is supported only for client-to-ASE connections, not for connections from ASE to backend servers.

; SSLv3
enable_sslv3=true
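
To confirm that a node has not been left with SSLv3 enabled, the following added example (not part of ASE or its documentation) scans the text of an ase.conf file for active enable_sslv3 lines. The function name, the constructed sample files, and the handling of inline comments and letter case are assumptions; pass the path to your own ase.conf on the command line.

```python
import re
import sys

# An active (uncommented) enable_sslv3 assignment. ';' starts a comment, as in
# the snippet above. Treating '#' and trailing inline comments as comments, and
# matching case-insensitively, are assumptions chosen to flag more, not less.
_ASSIGN = re.compile(r"^\s*enable_sslv3\s*=\s*([^;#\s]*)", re.IGNORECASE)

def audit_sslv3(conf_text):
    """Return (enabled, findings) for the text of an ase.conf file.

    findings holds (line_number, value) for every active enable_sslv3 line.
    enabled is True if any active line sets the value to true. A file with
    no active line relies on the default, which is SSLv3 disabled.
    """
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        match = _ASSIGN.match(line)
        if match:
            findings.append((lineno, match.group(1).lower()))
    enabled = any(value == "true" for _, value in findings)
    return enabled, findings

# Constructed samples, not real ase.conf files.
SAMPLE_WEAK = "; constructed sample\n; SSLv3\nenable_sslv3=true\n"
SAMPLE_DEFAULT = "; SSLv3\n; enable_sslv3=true\nenable_sslv3 = false\n"
# A later duplicate line silently re-enables the protocol; report both lines.
SAMPLE_DUPLICATE = "enable_sslv3=false\nenable_sslv3=TRUE ; re-enabled\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_WEAK
    enabled, findings = audit_sslv3(text)
    for lineno, value in findings:
        print(f"line {lineno}: enable_sslv3={value}")
    print("SSLv3 ENABLED" if enabled else "SSLv3 disabled (explicitly or by default)")
    sys.exit(1 if enabled else 0)
```

The script exits with status 1 when SSLv3 is enabled, so it can gate a configuration check on each cluster node.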

OpenSSL is bundled with ASE. The following are the version details:

  • RHEL: OpenSSL 1.0.2k-fips 26 Jan 2017
  • Ubuntu: OpenSSL 1.0.2g 1 Mar 2016

You can configure SSL in ASE for client-side connections using one of the following methods:

  • Using a CA-signed certificate
  • Using a self-signed certificate
  • Importing an existing certificate

The steps provided in this section are for the certificate and key generated for connections between the client and ASE as depicted in the diagram below:

A diagram of SSL connections between the API clients and ASE.

In a cluster setup:

  1. Stop all the ASE cluster nodes.
  2. Configure the certificate on the management node.
    Note: For more information on the management node, see the API Security Enforcer Admin Guide.

  3. Start the cluster nodes one by one so that the certificates synchronize across the nodes.

Important: You can also configure SSL for the management APIs. For more information, see Configure SSL for Management APIs.