Prepare to deploy the PingIntelligence policy by completing the following.
Before deploying the PingIntelligence policy:
-
Verify that the following versions of IBM APIC and DataPower are
installed.
The PingIntelligence policy is validated only for these versions
- IBM APIC v5.0.8.7
- IBM DataPower Gateway 2018.4.10
- To configure the PingIntelligence policy, verify you have permissions to edit and publish APIs in the API Manager.
-
Install and configure the PingIntelligence
software.
For more information on PingIntelligence deployment, see PingIntelligence automated deployment for virtual machines and servers and PingIntelligence manual deployment.
-
Verify that API Security Enforcer (ASE) is in sideband mode by running the
following ASE command:
/opt/pingidentity/ase/bin/cli.sh status
API Security Enforcer status : started mode : sideband http/ws : port 80 https/wss : port 443 firewall : enabled abs : enabled, ssl: enabled abs attack : disabled audit : enabled sideband authentication : disabled ase detected attack : disabled attack list memory : configured 128.00 MB, used 25.60 MB, free 102.40 MB
If ASE is not in sideband mode, then stop ASE and change the mode by editing the /opt/pingidentity/ase/config/ase.conf file. Set mode as sideband and start ASE.
For more information on starting ASE, see Starting and stopping ASE.
-
For a secure communication between IBM DataPower Gateway and ASE, enable
sideband authentication by entering the following ASE command:
# ./bin/cli.sh enable_sideband_authentication -u admin –p
-
Ensure SSL is configured in ASE for client side connection using self-signed
certificate.
For more information on configuring self-signed certificate, see Configuring SSL for external APIs.
-
Enable a connection keep-alive between gateway and ASE:
- Optional: If the ASE is running, stop it.
- Navigate to /opt/pingidentity/ase/config/.
- Set the value of enable_sideband_keepalive to true in the ase.conf file.
-
Start ASE after setting the value.
For more information on ASE configuration, see Sideband ASE configuration using the ase.conf file.
-
To generate the token in ASE, enter the following command in the ASE command
line and save the generated authentication token for further use:
# ./bin/cli.sh -u admin -p admin create_sideband_token
The token is required for IBM DataPower Gateway to authenticate with ASE. It is set as a runtime variable in ASE config set-variable policy. For more information, see Configuring the PingIntelligence policy components.