Axway with eBPF TLS
This topic provides step-by-step instructions for integrating Axway, a leading API management solution, with Traceable using eBPF TLS traffic mirroring. Axway enables organizations to securely manage, monitor, and scale their API integrations, while Traceable’s eBPF integration allows for secure traffic mirroring and enhanced observability into TLS-encrypted communications. This setup helps organizations monitor API traffic in real-time, identify security risks, and capture spans and metrics without impacting performance.
Supported Versions:
Traceable Platform Agent (TPA): Version 1.48.0 and later
eBPF: Version 16 and later
Before You Begin
Ensure the following prerequisites are met:
System Requirements
Virtual Machines (VMs):
VM1: Hosts the Traceable Platform Agent (TPA).
VM2: Hosts eBPF and the Axway Gateway.
Network Access: Ensure both VMs can communicate over the required ports.
Files and Configuration
Certificates: Obtain the required TLS certificates:
domain.keydomain.crtroot_ca.crt
eBPF Override Config File: Create an
override-config.yamlfile with necessary process inclusion settings.
Software Dependencies
Install Java and other necessary runtime dependencies on VM2.
Download the
install.shscript file from Traceable’s download site.
Permissions
Ensure you have administrative access to both VMs.
Assumptions
It is assumed that you already have a working Axway setup.
Installation and Configuration
Follow the steps below to install and configure Axway with eBPF TLS:
Step 1: Install the Traceable Platform Agent (TPA) on VM1
Refer to the TPA installation documentation.
Start the TPA and verify it is running correctly. Make a note of the IP address of the Traceable Platform agent.
Step 2: Set Up eBPF on VM2
Install eBPF:
Create an override configuration file named
override-config.yamlwith the following content:Note
The
include_processconfiguration is used to identify the Axway API Gateway process. The process name (exec_name) might vary and can be customized. The arguments in the process name are dependent on how the Axway API Gateway instance is configured at startup.Run the command:
ps -a | grep vshellReview the output to find the name of your APIM instance and its associated arguments.
Update the configuration file accordingly to match your environment, ensuring the correct gateway process is included.
include_processes: - exec_name: vshell cmdline_args: - "regex:<Replace_with_relevant_argument>"Run the installation command:
sudo ./install.sh ebpf-only -s axway-ebpfservice --tpa-endpoint xx.xxx.xxx.xx --override-config-file "override-config.yaml"After running the installation command, the eBPF configuration file at
/etc/traceable/ebpf-tracerwill be updated with theinclude_processescontent.
Start eBPF Service.
sudo systemctl start traceable-ebpf-tracer
Step 3: Configure TLS Between TPA and eBPF
On VM1 (TPA):
Edit the TPA configuration file to include paths to the TLS certificates (
domain.key,domain.crt,root_ca.crt). Example configuration:tls_server: endpoint: "0.0.0.0:5443" key_file: "/home/ubuntu/domain.key" cert_file: "/home/ubuntu/domain.crt" root_cert_file: "/home/ubuntu/root_ca.crt" idle_timeout: 60 disable_keep_alive: falseRestart the TPA service.
On VM2 (eBPF):
Copy
root_ca.crtfrom VM1 to VM2.Update the eBPF configuration file located at
/etc/traceable/ebpf-tracerto include the path toroot_ca.crt. Example configuration:agent_config: secure: true ca_cert_file: "/home/ubuntu/root_ca.crt" reporting: endpoint: "<Replace_with_IP_address>:5443" trace_reporter_type: "OTLP"Restart the eBPF service.
Step 4: Verify the Setup
Generate traffic by accessing the Axway Gateway URL:
https://<Axway_IP>:8075Confirm that TLS traffic is captured and spans are visible in the Traceable platform.
Troubleshooting
Certificate Errors: Ensure that all certificate paths are correctly configured on both VMs.
Service Startup Failures: Check logs for the TPA and eBPF services to identify issues.
Traffic Not Captured: Verify network connectivity between VMs and check eBPF inclusion rules.