Preparing to deploy the PingIntelligence policy - PingIntelligence for APIs

Preparing to deploy the PingIntelligence policy - PingIntelligence for APIs - 5.2

PingIntelligence

bundle

pingintelligence-52

ft:publication_title

PingIntelligence

Product_Version_ce

PingIntelligence for APIs 5.2 (Latest)

category

APISecurity

AdvancedAPICybersecurity

Capability

Environment

Product

apisecurity

capability

linux

pi-52

pingintelligence

private

ContentType_ce

Prepare to deploy the PingIntelligence policy by completing the following.

Before deploying the PingIntelligence policy:

Verify that the following versions of IBM APIC and DataPower are installed.
The PingIntelligence policy is validated only for these versions
- IBM APIC v5.0.8.7
- IBM DataPower Gateway 2018.4.10
To configure the PingIntelligence policy, verify you have permissions to edit and publish APIs in the API Manager.
Install and configure the PingIntelligence software.

For more information on PingIntelligence deployment, see PingIntelligence automated deployment for virtual machines and servers and PingIntelligence manual deployment.

Verify that API Security Enforcer (ASE) is in sideband mode by running the following ASE command:

/opt/pingidentity/ase/bin/cli.sh status

API Security Enforcer
status                  : started
mode                    : sideband
http/ws                 : port 80
https/wss               : port 443
firewall                : enabled
abs                     : enabled, ssl: enabled
abs attack              : disabled
audit                   : enabled
sideband authentication : disabled
ase detected attack     : disabled
attack list memory      : configured 128.00 MB, used 25.60 MB, free 102.40 MB

If ASE is not in sideband mode, then stop ASE and change the mode by editing the /opt/pingidentity/ase/config/ase.conf file. Set mode as sideband and start ASE.

For more information on starting ASE, see Starting and stopping ASE.

For a secure communication between IBM DataPower Gateway and ASE, enable sideband authentication by entering the following ASE command:
```
# ./bin/cli.sh enable_sideband_authentication -u admin –p
```
Ensure SSL is configured in ASE for client side connection using self-signed certificate.

For more information on configuring self-signed certificate, see Configuring SSL for external APIs.
Enable a connection keep-alive between gateway and ASE:
1. Optional: If the ASE is running, stop it.
2. Navigate to /opt/pingidentity/ase/config/.
3. Set the value of enable_sideband_keepalive to true in the ase.conf file.
4. Start ASE after setting the value.
  
  For more information on ASE configuration, see Sideband ASE configuration using the ase.conf file.
To generate the token in ASE, enter the following command in the ASE command line and save the generated authentication token for further use:
```
# ./bin/cli.sh -u admin -p admin create_sideband_token
```
The token is required for IBM DataPower Gateway to authenticate with ASE. It is set as a runtime variable in ASE config set-variable policy. For more information, see Configuring the PingIntelligence policy components.