Configuring ASE for API discovery - PingIntelligence for APIs

Configuring ASE for API discovery - PingIntelligence for APIs - 5.2

PingIntelligence

bundle

pingintelligence-52

ft:publication_title

PingIntelligence

Product_Version_ce

PingIntelligence for APIs 5.2 (Latest)

category

APISecurity

AdvancedAPICybersecurity

Capability

Environment

Product

apisecurity

capability

linux

pi-52

pingintelligence

private

ContentType_ce

The following table summarizes the variables related to API discovery that you need to configure.

API discovery variables
Variable	Description
api_discovery	Set this variable to true to switch on API discovery. To switch off API discovery, set it to false. The default value is true.
discovery_initial_period	The initial time in hours during which APIs are discovered in your API ecosystem. The default and minimum value is 1-hour.
discovery_update_interval	The time interval in hours at which any new discovered APIs are reported. The default and minimum value is 1-hour.
discovery_subpath	The number of sub-paths that is discovered in an API. The minimum value is 1 and maximum value is 6. For more information, see Discovery sub-paths.
url_limit	Defines the maximum number of URLs that are reported in a discovered API.

To configure ASE for API discovery:

Enable ABS in ASE by running the enable_abs command in ASE:
```
./bin/cli.sh -u admin -p admin enable_abs
ABS is now enabled
```

To verify, run the status command in ASE:

./bin/cli.sh status
API Security Enforcer
status                  : started
mode                    : sideband
http/ws                 : port 80
https/wss               : port 443
firewall                : enabled
abs                     : enabled, ssl: enabled
abs attack              : disabled
audit                   : enabled
sideband authentication : disabled
ase detected attack     : disabled
attack list memory      : configured 128.00 MB, used 25.60 MB, free 102.40 MB
google pubsub           : disabled

To configure root API in ASE, define root API in ASE.

Important:
If you have configured other APIs in ASE along with the root API, ABS monitors traffic only on the root API for the discovery process. A root API in ASE is an API for which the API JSON file has url as “/” and hostname as “*”.

If API discovery is enabled in ABS without root API in ASE and you run the discovery REST API, it displays an error message: root API not configured in ASE. To discover APIs configure root API in ASE.
The following is a snippet of root API JSON:
```
{
    "api_metadata": {
        "protocol": "http",
        "url": "/",
        "hostname": "*",

        "cookie": "",
        "oauth2_access_token": false,
        "apikey_qs": "",
        "apikey_header": "",
        "enable_blocking": false,
        "cookie_idle_timeout": "200m",
        "logout_api_enabled": false,
        "cookie_persistence_enabled": false,
        "login_url": "",
        "api_mapping": {
            "internal_url": ""
        },
```
Note:
A sample root API ships with ASE in /pingidentity/ase/config/api directory.
Configure API JSON by configuring the settings for cookie, oauth2_access_token, apikey_qs, or apikey_header in the root API JSON file in ASE.

Note:
API discovery process discovers these parameters in an API only when you set these in the root API. API discovery reports these attributes of an API only when it receives at least 50% of traffic having these attributes. For example, if the root API receives 100 requests and 51 requests have OAuth token, then the OAuth token is reported in the discovered API. Similarly, if the same traffic has less than 50% traffic for API keys or cookies, then they are not reported in the discovered API.
Configure API discovery in ABS by setting the api_discovery parameter to true using Global configuration update REST API.

Note:
If you want update the values on an already running system, use the update.sh script. For more information on the update script, see Managing discovery intervals.