Cequence API Security Platform (ASP) can be natively integrated with the Kong API Gateway. Passive Integration is enabled by deploying a Cequence provided custom plugin on the Kong API Gateway.
Passive Integration
The Cequence Security custom Kong plugin is used to capture a copy of the request and response metadata from the application traffic and send it to the Cequence ASP for analysis.
Prerequisites
Before using this plugin, make sure you have the following:
- Kong API Gateway installed and running (tested successfully up to version 3.3.0.0)
- Cequence tenant with the necessary API credentials
Folder Structure
Download the attached plugin Zip file "kong-api-transactions.zip" and unzip it to verify the folder structure below.
├── cequence-plugins
│   ├── cequence-ai-unified.txt
│   └── kong
│       └── plugins
│           └── cequence-ai-unified
│               ├── handler.lua
│               └── schema.lua
└── scripts
    ├── install-cequence.sh
    └── uninstall-cequence.sh
Installation and Configuration
The custom plugin needs to be installed on each Kong node.
1. Create a cequence folder under /home on each Kong node and change into it.
mkdir /home/cequence && cd $_
2. Download the attached plugin Zip file "kong-api-transactions.zip" and copy it to the cequence folder on each Kong node.
3. Unzip the archive and change into the scripts directory.
unzip kong-api-transactions.zip
cd kong-api-transactions/scripts
4. Execute the install script.
./install-cequence.sh
The script looks for the kong/tools directory to detect the installed Kong version and adjusts the plugin accordingly. The default directory is /usr/local/share/lua/5.1/kong/tools.
Example: install by specifying the tools directory explicitly (optional):
./install-cequence.sh /usr/local/share/lua/5.1/kong/tools
5. Add the custom plugin's name to the plugins list in your Kong configuration file kong.conf (on each Kong node):
plugins = bundled,cequence-ai-unified
6. Verify the installation by preparing and reloading Kong; both commands must succeed.
kong prepare
kong reload
7. Register the Cequence Security plugin with the respective Kong service on each running Kong Gateway node. This will ensure the plugin is executed asynchronously every time an API request is made to that Kong service.
curl -X POST http://<kong-domain>:<kong-port>/services/<your-kong-service-name>/plugins/ \
--data "name=cequence-ai-unified" \
--data "config.auth_domain=<cequence_auth_URL>" \
--data "config.edge_domain=<cequence_edge_URL>" \
--data "config.client_id=<cequence_client_name>" \
--data "config.client_secret=<cequence_client_secret>"
For example:
curl -X POST http://localhost:8001/services/mock-service/plugins/ \
--data "name=cequence-ai-unified" \
--data "config.auth_domain=https://auth.common.eng1.int.cequence.ai/auth/realms/defender-1/protocol/openid-connect/token" \
--data "config.edge_domain=https://edge.defender-1.eng1.int.cequence.ai/api-transactions" \
--data "config.client_id=defender-1-client" \
--data "config.client_secret=np56jAWBSGemIWbTtKKzNimuGH8eUNWV"
If configuring the plugin via the Kong Admin Dashboard, the same configuration options can be set using the form in the UI:

| Name | Default | Description |
|---|---|---|
| auth_domain | NA | Cequence Authentication URL used to retrieve an access token |
| edge_domain | NA | Cequence Edge URL to which network metadata is posted |
| client_id | NA | Cequence Client ID (Client Name as shown on the Cequence UI) |
| client_secret | NA | Cequence Client Secret |
| max_message_size | 10000000 | Max payload size per batch: 10 MB |
| batch_interval | 5 | Batch interval in seconds |
| debug_mode | false | Set to true to enable debug logging |
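The registration step above and the options table, combined into an added example script. This is not part of the Cequence plugin package or its install scripts; the CEQUENCE_* and KONG_* environment variable names, the check_kong_conf helper and the default Admin API URL are assumptions made for this example. It takes the client secret from the environment rather than the command line, refuses non-https Cequence endpoints, checks that the plugins= line in kong.conf really lists the plugin before registering it, and confirms afterwards that the plugin appears on the service.

```shell
#!/usr/bin/env bash
# Added example, not part of the Cequence plugin package or its install scripts.
# Registers cequence-ai-unified on a Kong service via the Admin API with the
# client secret taken from the environment (not typed on the command line), after
# checking that kong.conf actually lists the plugin. The CEQUENCE_* / KONG_*
# variable names, check_kong_conf and the default Admin URL are assumptions.
set -u

# Return 0 if the kong.conf text in $1 has an active (uncommented) plugins= line
# that lists cequence-ai-unified as one of its comma-separated entries.
plugins_line_includes_cequence() {
  printf '%s\n' "$1" | grep -Eq \
    '^[[:space:]]*plugins[[:space:]]*=[[:space:]]*([^#]*,)?[[:space:]]*cequence-ai-unified[[:space:]]*(,|$)'
}

# Same check against a kong.conf file path (e.g. /etc/kong/kong.conf).
check_kong_conf() {
  [ -r "$1" ] || return 1
  plugins_line_includes_cequence "$(cat "$1")"
}

# Validate the four required plugin settings: none may be empty, and both
# Cequence endpoints must be https, since the plugin sends request metadata
# and a client secret to them. Args: auth_domain edge_domain client_id client_secret.
validate_cequence_config() {
  [ $# -eq 4 ] || return 1
  for v in "$@"; do [ -n "$v" ] || return 1; done
  case $1 in https://*) ;; *) return 1 ;; esac
  case $2 in https://*) ;; *) return 1 ;; esac
  return 0
}

# Register the plugin on service $2 through the Admin API at $1.
# Optional batch settings fall back to the defaults from the options table.
# --data-urlencode keeps a secret containing '&', '+' or '%' intact.
register_cequence_plugin() {
  validate_cequence_config "${CEQUENCE_AUTH_DOMAIN:-}" "${CEQUENCE_EDGE_DOMAIN:-}" \
      "${CEQUENCE_CLIENT_ID:-}" "${CEQUENCE_CLIENT_SECRET:-}" \
    || { echo "refusing to register: incomplete config or non-https endpoint" >&2; return 1; }
  curl -sS -f -X POST "$1/services/$2/plugins/" \
    --data "name=cequence-ai-unified" \
    --data-urlencode "config.auth_domain=$CEQUENCE_AUTH_DOMAIN" \
    --data-urlencode "config.edge_domain=$CEQUENCE_EDGE_DOMAIN" \
    --data-urlencode "config.client_id=$CEQUENCE_CLIENT_ID" \
    --data-urlencode "config.client_secret=$CEQUENCE_CLIENT_SECRET" \
    --data "config.batch_interval=${CEQUENCE_BATCH_INTERVAL:-5}" \
    --data "config.max_message_size=${CEQUENCE_MAX_MESSAGE_SIZE:-10000000}" \
    --data "config.debug_mode=${CEQUENCE_DEBUG_MODE:-false}"
}

# Confirm the plugin now appears on the service (returns 0 if found).
verify_cequence_plugin() {
  curl -sS -f "$1/services/$2/plugins/" \
    | grep -Eq '"name"[[:space:]]*:[[:space:]]*"cequence-ai-unified"'
}

# Run end to end only when explicitly requested, so sourcing the file has no side effects.
if [ "${CEQUENCE_REGISTER:-0}" = 1 ]; then
  admin=${KONG_ADMIN_URL:-http://localhost:8001}
  service=${KONG_SERVICE:?set KONG_SERVICE to the Kong service name}
  check_kong_conf "${KONG_CONF:-/etc/kong/kong.conf}" \
    || { echo "cequence-ai-unified is not in the plugins= line; add it and run kong reload" >&2; exit 1; }
  register_cequence_plugin "$admin" "$service" && verify_cequence_plugin "$admin" "$service" \
    && echo "cequence-ai-unified registered on $service"
fi
```

Run it as `CEQUENCE_REGISTER=1 KONG_SERVICE=mock-service CEQUENCE_AUTH_DOMAIN=... CEQUENCE_EDGE_DOMAIN=... CEQUENCE_CLIENT_ID=... CEQUENCE_CLIENT_SECRET=... ./register.sh`. The default Admin URL is loopback on port 8001, matching the example above; keep the Admin API bound to loopback or a management network, since anyone who can reach it can read the stored client_secret back from the plugin configuration.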
Performance Impact
While planning your Kong plugin deployment, it is important to estimate the impact of enabling the Cequence plugin on the Kong API Gateway's system resources. The following benchmark results give an indication of the potential impact.
Performance Test Run:
- Throughput: 500 requests per second
- Duration: 10 minutes
- Measured resource impact on:
  - CPU: 5-8% additional utilization
  - Memory: 20-25% additional utilization
  - Upstream latency: 5-10 milliseconds
NOTE: If using Kong with an existing plugin installation framework (such as LuaRocks), you may only need the Cequence plugin's handler.lua and schema.lua source files placed inside the folder structure shown, and may not need to execute the Cequence-provided install script.