Ping Identity supports two integration options for configuring the deployment mode in ASE and integrating your API environment with ASE:

  • Sideband deployment
  • Inline deployment

Sideband deployment

When deployed in sideband mode, ASE receives API calls from an API gateway, which passes API traffic information for AI processing. It requires no changes to clients or backend API servers. In such a deployment, ASE works along with the API gateway to protect your API environment. A custom sideband policy is provided, which is deployed in the gateway to route the API traffic.

This diagram shows ASE in sideband deployment mode.


A diagram of a PingIntelligence ASE- Sideband deployment

Configure ASE for sideband deployment

PingOne API Intelligence provides custom sideband policies for API gateways, routers, and other API platforms to support integration with your API environments. See API gateway integrations supported by PingIntelligence link for a list of gateway integrations supported along with the deployment instructions.

The sideband policy is deployed in your API gateway and it sends the request and response API metadata to ASE for processing. Follow the instructions in the integration guides to deploy a sideband policy in your environment.

After you determine which API gateways to integrate, set the deployment mode in the /<ASE installation path>/pingidentity/ase/config/ase.conf file.

Parameter Description

mode

Set the mode to sideband for ASE to work in a sideband mode.

enable_sideband_keepalive

When set to true, ASE sends a keep-alive in response header for the TCP connection between API gateway and ASE. With the default false value, ASE sends a connection close in response header for connection between API gateway and ASE.

Note:

Set this to true unless you're using a MuleSoft API gateway.

enable_sideband_authentication

Set to true if you intend to enable authentication between an API gateway and ASE. After setting it to true, generate a sideband authentication token using the ASE create_sideband_token command.

Note:

Set this to false for proof of concepts to simplify setup.
Important:

After updating the settings, restart ASE using the following commands:

  • Change the working directory to /bin and run the stop.sh script.
    # /<ASE installation path>/pingidentity/ase/bin/stop.sh
  • Change the working directory to /bin and run the start.sh script.
    # /<ASE installattion path>/pingidentity/ase/bin/start.sh

Inline environment

When deployed in inline mode, ASE is a reverse proxy deployed between the API clients and servers. It is typically deployed behind load balancers, such as AWS ELB, to distribute traffic across an ASE cluster for high availability.

ASE terminates SSL connections from API clients and then routes the requests to the destination APIs on an API gateway or app servers, such as Node.js, WebLogic, Tomcat.

The following diagram shows an inline deployment.


A diagram of ASE PingIntelligence Inline mode.
Note:

To continue with an inline deployment, see the inline ASE documentation.