Confirm that the following prerequisites are met before using the PingIntelligence Apigee tool.
Before using the PingIntelligence Apigee tool:
- Confirm Apigee version.
  PingIntelligence supports Apigee API gateways that support shared flows.
- Confirm that one of the OpenJDK versions from 11.0.2 to 11.0.6 is on the machine where the PingIntelligence Apigee deployment tool is installed.
- Install and configure PingIntelligence software 4.0 or higher.
  For information on installing PingIntelligence software, see PingIntelligence automated deployment for virtual machines and servers.
- Verify API Security Enforcer (ASE) is in sideband mode by running the following command in the ASE command line:

    /opt/pingidentity/ase/bin/cli.sh status
    API Security Enforcer
    status : started
    mode : sideband
    http/ws : port 80
    https/wss : port 443
    firewall : enabled
    abs : enabled, ssl: enabled
    abs attack : disabled
    audit : enabled
    sideband authentication : disabled
    ase detected attack : disabled
    attack list memory : configured 128.00 MB, used 25.60 MB, free 102.40 MB

  If ASE is not in sideband mode, stop ASE and change the mode by editing the /opt/pingidentity/ase/config/ase.conf file. Set mode to sideband and start ASE.
- For secure communication between Apigee Edge and ASE, enable sideband authentication by entering the following command in the ASE command line:

    # ./bin/cli.sh enable_sideband_authentication -u admin -p
- To generate a sideband authentication token in ASE, enter the following command in the ASE command line and save the generated authentication token for further use.
  A token is required for Apigee Edge to authenticate with ASE. This token is generated in ASE and configured in the apigee.properties file of the PingIntelligence automated policy tool.

    # ./bin/cli.sh -u admin -p admin create_sideband_token
- Verify the certificate in ase.pem when using self-signed certificates.
  - Make sure that the certificate applied to the ASE data port matches the certificate in the ase.pem certificate file to prevent SSL issues after policy deployment.
  - Run the following command to obtain the certificate used on the ASE data port. If the certificates do not match, paste the correct certificate in the /opt/pingidentity/pi/apigee/certs/ase.pem file.

    # openssl s_client -showcerts -connect <ASE IP address>:<port no> </dev/null 2>/dev/null | openssl x509 -outform PEM > ase.pem
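
The ASE status and certificate checks above can be scripted as a gate before policy deployment. The following is an added example, not part of the PingIntelligence tooling: the function names are hypothetical, the sample status text is the output shown above (abridged), and `pem_certs_match` assumes `openssl` is on the PATH and takes the PEM file fetched with the command above plus the deployed ase.pem.

```shell
#!/bin/sh
# Added example, not Ping Identity code. Function names are hypothetical.

# Sample `cli.sh status` output taken from the step above (abridged).
SAMPLE_STATUS='API Security Enforcer
status : started
mode : sideband
http/ws : port 80
https/wss : port 443
firewall : enabled
abs : enabled, ssl: enabled
abs attack : disabled
audit : enabled
sideband authentication : disabled
ase detected attack : disabled'

# Print the value of field $1 from status output on stdin (split at the first colon).
status_field() {
    awk -v key="$1" '
        function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
        { i = index($0, ":"); if (i == 0) next }
        trim(substr($0, 1, i - 1)) == key { print trim(substr($0, i + 1)); exit }'
}

# Return 0 only if ASE is started, in sideband mode, with sideband authentication on.
check_ase_status() {
    rc=0
    for want in "status=started" "mode=sideband" "sideband authentication=enabled"; do
        key=${want%%=*}; expected=${want#*=}
        actual=$(printf '%s\n' "$1" | status_field "$key")
        if [ "$actual" != "$expected" ]; then
            echo "FAIL: $key is '${actual:-missing}', expected '$expected'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Return 0 only if PEM files $1 and $2 hold the same certificate (SHA-256 fingerprint).
pem_certs_match() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Stand-alone run: check the sample, then compare two PEM files if paths are given.
check_ase_status "$SAMPLE_STATUS" || echo "ASE not ready for policy deployment" >&2
if [ "$#" -eq 2 ]; then
    if pem_certs_match "$1" "$2"; then echo "certificates match"
    else echo "certificates differ or unreadable" >&2; fi
fi
```

On the sample output the status check fails on `sideband authentication`, which is the state the enable_sideband_authentication step corrects.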