Oracle API Gateway
Rakesh Gujjarlapudi
rakesh_gujJ@yahoo.com
Oracle API Gateway - Basic Architecture
(diagram: clients such as Application Servers, Partner Applications, Mobile Applications, Web Applications and Cloud-Based Services exchange XML / JSON with the Oracle API Gateway, which sits in front of Legacy Applications and Data)
Oracle API Gateway integrates, accelerates, governs, and secures Web API and SOA-based systems.
• Serves REST APIs and SOAP Web Services to clients
  - Converts REST to SOAP
  - Converts XML to JSON
• Supports other protocols also
  - FTP, SFTP, FTPS, TIBCO Rendezvous and EMS, JMS (to IBM WebSphere MQ, ActiveMQ, JBOSS Messaging)
• Applies security rules
  - Authentication: OAuth, HTTP Auth, Certificate Auth, WS-Security
  - Content Filtering: Detection of SQL Injection, XSS, Viruses
• Monitoring of API and Service usage
• Caching and Traffic Management (routing, throttling)
Oracle API Gateway - Deployment Architecture
(diagram: CLIENTS on the EXTRANET (Webservice Clients, REST-WS Clients, Cloud-Based Services, Web Applications, Mobile Applications, Partner Applications) pass through a Firewall into the DMZ, the RED ZONE and First Line Of Defense, where the Oracle API Gateway (Service Virtualization) applies end point security for HTTP, SOAP, REST, XML and JMS using WS-Security, Basic Auth, Digest, X509, UNT, SAML and Kerberos Sign & Encrypt, consulting the OES PDP for decisions; behind the Internal Firewall, the INTRANET is the GREEN ZONE and Shared Services Layer, where Oracle Service Bus, BPEL/Web Service, BPM Process and Application endpoints are each protected by Oracle Webservices Manager (OWSM) with the same end point security and token options)
In Green Zone security, use OWSM in conjunction with the Oracle FMW products (SOA Suite, OSB, etc.) for both the Client Side and the Service Side Policy.
In Red Zone security, use OEG (the API Gateway) for the Service Side Policy.
Oracle API Gateway – Security Overview
(diagram: traffic from the Internet/Cloud crosses a Firewall into the DMZ ZONE, where the Oracle API Gateway acts as the First Line Of Defense and passes only Filtered Messages through a second Firewall into the GREEN ZONE; there Oracle Webservices Manager (OWSM) provides Last-Mile Security and end point security for each Backend Web Service)
Oracle API Gateway protection against:
• DOS Attacks: Flooding, Recursive Payloads, Oversized Payloads, Memory Leak
• Injection & Malicious Code: SQL Injection, XPath Injection, Cross-site scripting, Malformed content, Logic bombs
• Confidentiality / Integrity: Sniffing, Parameter Tampering, Schema Poisoning, External Entity, Canonicalization
• Privilege Escalation Attacks: Dictionary, Format String, Buffer Overflow, Race Conditions, Symlink, Unprotected interfaces
• Reconnaissance Attacks: Code templates, Forceful browsing, Directory Traversal, WSDL scanning, Registry Disclosure
• Malformed Request
How the Gateway protects:
• Virtualize a web service (clients never connect to the backend directly)
• Inbuilt Out-of-the-Box filters
• Throttle the inbound message flow
First Line Of Defense (Gateway, DMZ ZONE): AuthC, AuthZ, Auditing, Signature Verification, Message Encryption/Decryption
Last-Mile Security (OWSM, GREEN ZONE): End point security on each Backend Web Service
Oracle API Gateway – Virtualization, Data/Protocol Bridging
(diagram: a client sends HTTP GET/POST - REST with an SSOToken through the DMZ ZONE Firewall to the Oracle API Gateway (First Line Of Defense); the Gateway forwards the request with a SAML Token, over the transport and format protocol each backend requires, through the GREEN ZONE Firewall to a RESTful Web Service (REST/XML or REST/JSON) or a SOAP Web Service (SOAP or JMS), each protected by Oracle Webservices Manager (Last-Mile Security))
The same payload in the two formats the Gateway bridges between:
REST/XML:
<weatherreport city="San Francisco" weather="42"></weatherreport>
REST/JSON:
{ "weatherreport" : {"city":"San Francisco", "weather":"42"} }
• Data Format Transformations: XML to JSON and vice versa
• Protocol bridging: REST to SOAP and vice versa
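A stand-alone model of the two bridging steps on this slide, added here as an example and not Oracle's code: the weatherreport payload from the slide is converted between REST/XML and REST/JSON, and a REST GET is turned into a SOAP request and the SOAP answer back into the client's format. The SOAP operation name, the `urn:example:weather` namespace and the sample SOAP response are invented for the example.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:weather"  # hypothetical backend service namespace
NS = {"soap": SOAP_NS, "svc": SVC_NS}
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("svc", SVC_NS)

# Constructed sample payloads: the slide's REST/XML and REST/JSON forms, and
# a SOAP response as the hypothetical backend SOAP Web Service would send it.
SLIDE_XML = '<weatherreport city="San Francisco" weather="42"></weatherreport>'
SLIDE_JSON = {"weatherreport": {"city": "San Francisco", "weather": "42"}}
SAMPLE_SOAP_RESPONSE = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:svc="{SVC_NS}"><soap:Body>'
    '<svc:getWeatherReportResponse>'
    '<svc:weatherreport city="San Francisco" weather="42"/>'
    '</svc:getWeatherReportResponse></soap:Body></soap:Envelope>'
)


def xml_to_json(xml_text):
    """REST/XML -> REST/JSON with the slide's mapping: the element name is
    the top-level key and its attributes are the fields."""
    root = ET.fromstring(xml_text)  # expat does not fetch external entities
    if len(root) or (root.text and root.text.strip()):
        raise ValueError("expected a flat, attribute-only element")
    return {root.tag: dict(root.attrib)}


def json_to_xml(doc):
    """REST/JSON -> REST/XML, the inverse mapping."""
    (name, fields), = doc.items()
    elem = ET.Element(name)
    for key, value in fields.items():
        elem.set(key, str(value))
    return ET.tostring(elem, encoding="unicode")


def rest_to_soap(method, url):
    """Protocol bridging: GET /weather?city=... becomes the SOAP request the
    backend expects (operation name and namespace are invented)."""
    if method != "GET":
        raise ValueError("only GET is bridged in this example")
    city = parse_qs(urlsplit(url).query).get("city", [""])[0]
    if not city:
        raise ValueError("city query parameter is required")
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}getWeatherReport")
    ET.SubElement(op, f"{{{SVC_NS}}}city").text = city
    return ET.tostring(env, encoding="unicode")


def soap_to_rest_doc(soap_text):
    """Pull the weatherreport element out of the SOAP response body."""
    env = ET.fromstring(soap_text)
    report = env.find(
        "soap:Body/svc:getWeatherReportResponse/svc:weatherreport", NS)
    if report is None:
        raise ValueError("no weatherreport in SOAP body")
    return {"weatherreport": dict(report.attrib)}


def soap_to_rest(soap_text, fmt="json"):
    """Return the backend's SOAP answer in the REST format the client asked for."""
    doc = soap_to_rest_doc(soap_text)
    return json.dumps(doc) if fmt == "json" else json_to_xml(doc)


def bridge_request(method, url):
    """Gateway entry point: (status, body), so bad input yields 400, not a crash."""
    try:
        return 200, rest_to_soap(method, url)
    except ValueError as exc:
        return 400, str(exc)
```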
Oracle API Gateway – DMZ Security & Access Control
(diagram: the same topology as the previous slide: HTTP GET/POST - REST clients carrying an SSOToken reach SOAP/REST Virtual Web Services on the Oracle API Gateway (Service Virtualization) in the DMZ ZONE; the Gateway forwards requests with a SAML Token over SOAP, JMS, REST/XML or REST/JSON, in the transport and format protocol each backend requires, to Oracle Service Bus, a RESTful Web Service or a SOAP Web Service in the GREEN ZONE, each protected by Oracle Webservices Manager)
API SSO, Authorization, XML/WS Security Enforcement at the DMZ:
• WS Authentication, Security token translation, Federation: WS-Security, WS-SecureConversation, WS-Trust (single/multiple STSs).
• REST Security: OAuth2, SAML (OIT), enforced on the Gateway.
• Protocol Security: XML Security, WS-Security, REST Security.
• Authorization, Data Redaction, Risk: leveraging the embedded OES PDP or a remote OAM/OES PDP.
Oracle API Gateway – Social Connectivity
(diagram: HTTP/REST/SOAP/OAuth Clients send an API Request with an App/Device/User Credential, or arrive through Web SSO, to the Oracle API Gateway (Service Virtualization) in the DMZ ZONE; the Gateway authenticates them against 3rd Party IDPs over OAuth, OpenID Connect or SAML, then forwards the API/Web Request with the Required Token (SAML, OAM, Kerberos, OAuth etc.), in the transport and format protocol each backend requires, to SOAP/REST Virtual Web Services on Oracle Service Bus, a RESTful Web Service or a SOAP Web Service in the GREEN ZONE, protected by Oracle Webservices Manager)
Oracle API Gateway – Fine Grained AuthZ and Data Redaction
(diagram: a client sends HTTP GET/POST – REST {<Request>} with an SSOToken to the Oracle API Gateway (Service Virtualization, First Line Of Defense) in the DMZ ZONE; the Gateway fans the request out with a SAML Token as SOAP, JMS, REST/JSON and REST/XML {<Request>} to Oracle Service Bus and the existing RESTful/SOAP Web Services in the GREEN ZONE (Last-Mile Security, end point security via Oracle Webservices Manager); the existing APIs/WS return partial responses {<Response> <Response Data 1> <Response Data 2>}, {<Response> <Response Data 3> <Response Data 4>}, {<Response> <Response Data 5>} and {<Response> <Response Data 1>}; the Gateway, acting as PEP, asks the PDP on the Entitlements Server which of Response Data 1 to 5 the caller may see and returns a single aggregated, redacted {<Response> <Response Data 1>, <Response Data 2>, <Response Data 3> <Response Data 4>, <Response Data 5>})
• Data Format Transformations: XML to JSON and vice versa
• Protocol bridging: REST to SOAP and vice versa
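The PEP/PDP flow on this slide as a stand-alone model, added as an example rather than Oracle's code: the Gateway validates the SSO token, merges the partial responses from the backends, asks an entitlements PDP which fields the caller may receive, and redacts the rest before the aggregated response leaves the DMZ. The backends, roles, field names and token shape are constructed sample data, and the fail-closed behaviour when the PDP is unreachable is this example's choice.

```python
import time

# Constructed partial responses from the existing APIs/Web Services the
# Gateway fans out to (the slide's Response Data 1..5).
BACKENDS = {
    "osb-soap":  {"data1": "account-number", "data2": "balance"},
    "rest-json": {"data3": "address", "data4": "phone"},
    "rest-xml":  {"data5": "tax-id"},
}

# Constructed entitlements: which response fields each role may receive.
ENTITLEMENTS = {
    "customer": {"data1", "data2", "data3"},
    "support":  {"data1", "data3", "data4"},
    "auditor":  {"data1", "data2", "data3", "data4", "data5"},
}


def call_backends(request):
    """Fan-out: every backend returns its slice; the Gateway merges them."""
    merged = {}
    for fields in BACKENDS.values():
        merged.update(fields)
    return merged


class EntitlementsPDP:
    """Policy Decision Point: returns the subset of fields the subject may see."""
    def decide(self, subject, fields):
        allowed = set()
        for role in subject.get("roles", ()):
            allowed |= ENTITLEMENTS.get(role, set())
        return allowed & set(fields)


class UnreachablePDP:
    """Stands in for a remote PDP that is down; the PEP must fail closed."""
    def decide(self, subject, fields):
        raise ConnectionError("PDP unreachable")


class GatewayPEP:
    """Policy Enforcement Point in the DMZ: validates the SSO token, asks the
    PDP, and redacts the aggregated response before it leaves the Gateway."""
    def __init__(self, pdp, now=time.time):
        self.pdp, self.now, self.audit = pdp, now, []

    def validate_sso_token(self, token):
        # Constructed token shape: {"sub": ..., "roles": [...], "exp": epoch}
        if not token or "sub" not in token or token.get("exp", 0) <= self.now():
            return None
        return token

    def handle(self, token, request):
        subject = self.validate_sso_token(token)
        if subject is None:
            return {"status": 401, "response": None}
        full = call_backends(request)
        try:
            allowed = self.pdp.decide(subject, full.keys())
        except ConnectionError:
            allowed = set()  # no decision means no data
        if not allowed:
            self.audit.append((subject["sub"], request, "deny"))
            return {"status": 403, "response": None}
        dropped = sorted(set(full) - allowed)
        self.audit.append((subject["sub"], request, "permit", dropped))
        return {"status": 200,
                "response": {k: v for k, v in full.items() if k in allowed},
                "redacted_fields": dropped}
```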
Oracle API Gateway – API Key Management (Cloud Consumer)
(diagram: a client sends an API Key + Web Service Request {<Request>} with an SSOToken to the Oracle API Gateway (Service Virtualization, First Line Of Defense) in the DMZ ZONE; the Gateway holds the outbound keys APIKey_Google, APIKey_X and APIKey_Y and attaches the matching one when it calls the cloud providers Google, X and Y, so the client never handles them; internal calls continue with a SAML Token through the GREEN ZONE Firewall to Oracle Service Bus and the RESTful/SOAP Web Services protected by Oracle Webservices Manager (Last-Mile Security, end point security), and the {<Response>} is returned to the client)
Oracle API Gateway – Configuration & Management Tools
(diagram: Policy Studio and API Gateway Manager connect to the Oracle API Gateway Instance (Core Engine), which exposes Connectors to backends and feeds Usage Metrics to API Gateway Analytics)
Policy Studio is a policy development and configuration tool
• Enables policy developers to easily configure API Gateway policies and settings to control and protect deployed API services and Web services.
• Policy Studio is typically installed on a separate machine from the API Gateway to enable remote administration.
API Gateway Manager is a centralized web-based dashboard
• Enables administrators to control and manage API Gateways and groups in a domain.
• Connects to the Node Manager on each host, and displays aggregated monitoring data from multiple API Gateway instances.
Policy Development
An Oracle API Gateway policy developer typically performs the following tasks:
• Develops API Gateway policies and solution packs.
• Customizes and extends the API Gateway using scripting.
• Creates Java classes and/or custom filters using the API Gateway filter SDK.
• Uses the Policy Studio, API Gateway Explorer, and API Gateway Manager tools.
API Gateway Analytics is a separately installed tool used by administrators
• Generates reports and charts based on usage metrics for all services and API Gateways in a domain.
• API Gateway Analytics provides integration with databases such as MySQL Server, MS SQL Server, and Oracle.
• Includes both real-time and historical metrics.
Oracle API Gateway – Managed Domain Architecture
(diagram: POLICY STUDIO and the Browser-based Manager UI connect to the ADMIN NODE MANAGER on Node 1 (Master), which forwards to the NODE MANAGER on Node 2; the DOMAIN contains Services Group 1 and Services Group 2, each with Server Instance 1 and Server Instance 2 spread across the two nodes, plus a single-instance TEST GROUP)
Domain is the set of all hosts (physical machines) running API Gateway instances, which are managed centrally by the API Gateway Manager tool.
API Gateway's group-based domain architecture enables you to break projects down into logical groups and manage configuration across your organization. This provides manageability and scalability, and enables you to perform load balancing and failover across distributed deployments.
Group
• A number of API Gateway instances that all run the same configuration.
• Can run across more than one physical host machine.
• Can include more than one API Gateway instance on the same host.
• Each API Gateway in the group runs the same configuration.
• Each API Gateway has its own deployment descriptor file (envSettings.properties).
• A group also has a deployment descriptor, which specifies settings values that are the same across the group but may differ in different environments.
• A standalone API Gateway runs in a group of one member (TEST GROUP in the diagram).
• Deploy, manage, and monitor a group of API Gateways using the Policy Studio and the browser-based API Gateway Manager.
Node Manager (server-side process)
• Manages and monitors API Gateway instances on the host.
• Only one Node Manager runs per host.
• Communication between the Node Manager and the API Gateway is secured using SSL.
• Policy Studio and the browser-based API Gateway Manager are clients of the Node Manager.
• The first Node Manager added in a domain is known as the Admin Node Manager.
• The Admin Node Manager acts as the master Node Manager. It performs Role-Based Access Control (RBAC), and forwards requests to other Node Managers when required.
• The Admin Node Manager also manages and deploys configuration to the API Gateway instance(s) in a domain.
Oracle API Gateway – Concepts (Filter, Policy, Message Attribute, Selector, Faults, Policy Shortcuts & Alerts)
Filter is an executable rule that performs a specific type of processing on a message.
• Example: the Message Size filter rejects messages that are greater or less than a specified size.
• Categories of message filters are available with the API Gateway, including authentication, authorization, content filtering, signing, and conversion.
Policy is a network of message filters in which each filter is a modular unit that processes a message.
• A message can traverse different paths through the policy, depending on which filters succeed or fail.
• A policy can also contain other policies, which enables you to build modular, reusable policies.
• A policy must have a Start filter. Filters labeled End stop the execution of the policy if the filter execution fails.
• A policy starts with a START filter and ends with an END filter.
The following example screen shot shows an example policy with success paths and a single failure path:
(diagram: Policy Studio screenshot of a policy containing a nested Policy, a Filter, the Message Attributes it reads and writes, and a SOAP Fault on the failure path)
Message Attributes
• Each filter requires input data and produces output data (message attributes).
• Specific filters let you create your own message attributes and set their values.
• The Trace filter enables you to trace message attribute values at execution time.
Selector is a special syntax that enables API Gateway configuration settings to be evaluated and expanded at runtime based on metadata.
Faults: When a SOAP transaction fails, you can use a SOAP fault to return error information to the SOAP client.
Policy Shortcut enables you to create a link from one policy to another policy.
• Ex: Create a policy that inserts security tokens into a message, and another that adds HTTP headers. You can then create a third policy that calls the other two policies using Policy Shortcut filters.
Alerts can send alert messages for specified events to various alerting destinations. System alerts are usually sent when a filter fails, but they can also be used for notification purposes.
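A stand-alone model of the concepts on this slide (a policy as a network of filters with success and failure paths, Start and End filters, message attributes, a Policy Shortcut to a nested policy, a fault on the failure path) using two checks of the kind the Security Overview slide lists under out-of-the-box filters: a Message Size filter and a recursive-payload check on XML nesting depth. This is an added example, not Oracle's code or filter SDK; filter names, attribute names, size and depth limits and the sample payloads are constructed for it.

```python
import io
import xml.etree.ElementTree as ET

class Message:
    """Message body plus the message attributes that filters read and write."""
    def __init__(self, body):
        self.body = body
        self.attributes = {"content.body.size": len(body)}
        self.trace = []  # what a Trace filter would show at execution time

class Filter:
    """Executable rule: fn(msg) -> bool. end=True: its failure aborts the policy."""
    def __init__(self, name, fn, end=False):
        self.name, self.fn, self.end = name, fn, end

    def run(self, msg):
        ok = bool(self.fn(msg))
        msg.trace.append((self.name, "pass" if ok else "fail"))
        return ok

class Policy:
    """Network of filters: edges[f] = (next on success, next on failure); None
    ends the path. Result = that of the last filter run, but a failing End
    filter aborts the whole policy with False."""
    def __init__(self, name, start, edges):
        self.name, self.start, self.edges = name, start, edges

    def run(self, msg):
        f, result = self.start, False
        while f is not None:
            result = f.run(msg)
            if not result and f.end:
                return False
            f = self.edges.get(f, (None, None))[0 if result else 1]
        return result

def message_size(min_bytes, max_bytes):
    """Message Size filter: reject bodies smaller or larger than the limits."""
    def fn(msg):
        size = msg.attributes["content.body.size"]
        if size > max_bytes:
            msg.attributes["fault.reason"] = "oversized payload"
        elif size < min_bytes:
            msg.attributes["fault.reason"] = "undersized payload"
        return min_bytes <= size <= max_bytes
    return fn

def xml_nesting_depth(max_depth):
    """Recursive-payload check: fail on XML nested deeper than max_depth,
    parsed as a stream so the whole tree is never built in memory."""
    def fn(msg):
        depth = 0
        try:
            for event, _ in ET.iterparse(io.BytesIO(msg.body), ("start", "end")):
                depth += 1 if event == "start" else -1
                if depth > max_depth:
                    msg.attributes["fault.reason"] = "recursive payload"
                    return False
        except ET.ParseError:
            msg.attributes["fault.reason"] = "malformed content"
            return False
        return True
    return fn

def set_attribute(name, value):
    """Filters hand data to later filters through message attributes."""
    return lambda msg: msg.attributes.update({name: value}) or True

def return_fault(msg):
    """Failure path: turn the recorded reason into a fault for the client."""
    reason = msg.attributes.setdefault("fault.reason", "message rejected")
    msg.attributes["http.response.status"] = 400
    msg.body = f"<Fault><faultstring>{reason}</faultstring></Fault>".encode()
    return True

def build_inbound_policy():
    # Reusable threat-protection policy, invoked from the main policy the way
    # a Policy Shortcut filter calls another policy.
    size = Filter("Message Size", message_size(1, 1024), end=True)
    depth = Filter("XML nesting depth", xml_nesting_depth(8), end=True)
    threat = Policy("Threat protection", size, {size: (depth, None)})

    start = Filter("Start", set_attribute("policy.name", "Inbound"))
    shortcut = Filter("Policy Shortcut: Threat protection", threat.run)
    route = Filter("Route to backend", set_attribute("routed", True))
    fault = Filter("Return SOAP fault", return_fault)
    end = Filter("End", lambda msg: True, end=True)
    edges = {start: (shortcut, None), shortcut: (route, fault),  # one failure path
             route: (end, None), fault: (None, None)}
    return Policy("Inbound", start, edges)

def process(body):
    """Run the inbound policy and report what the client would get back."""
    msg = Message(body)
    build_inbound_policy().run(msg)
    a = msg.attributes
    return {"accepted": a.get("routed", False),
            "status": a.get("http.response.status", 200),
            "reason": a.get("fault.reason"), "trace": msg.trace}
```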
Oracle API Gateway – Concepts (Policy Container, Policy Context, Process, Listeners, Protocol Mediation, Remote Hosts, Servlet Application, Configuration Profile, Service Virtualization)
Policy Container: used to group similar policies together (for example, all authentication or logging policies), or policies that relate to a particular service.
Policy Context: Policies can execute in a specified context (set a context by associating a relative execution path or listener with a policy).
Process is an instance of the API Gateway capable of running on a host.
Listeners: Define different types of listeners and associate them with specific policies.
Protocol Mediation: The API Gateway can be used to provide protocol mediation (for example, receiving a SOAP request over JMS, and transforming it into a SOAP/HTTP request to a backend service).
Remote Hosts: Define a remote host when you need more control of the connection settings to a particular server (HTTP version, IP addresses, timeouts, buffers, caches).
Servlet Applications: Provides a Web server and servlet application server that can be used to host static content (for example, documentation for your project), or servlets providing internal services.
Configuration Profile contains the configuration information required to run the API Gateway. For example, a specific Configuration Profile instance can store certificates, users, core policies and services, external connections, or listeners.
Service Virtualization: When you register an API service or Web Service, and deploy it to the API Gateway, the API Gateway virtualizes the service. Instead of connecting to the service directly, clients connect through the API Gateway. The API Gateway can then apply policies to messages sent to the destination service.
Question & Answers
Thanks

More Related Content

What's hot (20)

PPTX
API Design- Best Practices
Prakash Bhandari
 
PPTX
Azure Functions Real World Examples
Yochay Kiriaty
 
PPTX
Introduction to MERN
ShyamMohanKunwar
 
PDF
Spring MVC Framework
Hùng Nguyễn Huy
 
PDF
Open API and API Management - Introduction and Comparison of Products: TIBCO ...
Kai Wähner
 
PPTX
API Management Part 1 - An Introduction to Azure API Management
BizTalk360
 
PDF
What Is Java | Java Tutorial | Java Programming | Learn Java | Edureka
Edureka!
 
PDF
The New JavaScript: ES6
Rob Eisenberg
 
PDF
What is API - Understanding API Simplified
Jubin Aghara
 
PDF
How Apache Kafka® Works
confluent
 
PPTX
What is an API
Elliott Richmond
 
PPTX
Android application development ppt
Gautam Kumar
 
PPTX
Spring Cloud Config
Theerut Bunkhanphol
 
PDF
Microservices & API Gateways
Kong Inc.
 
PPTX
Understanding REST APIs in 5 Simple Steps
Tessa Mero
 
PPT
Introduction to the Web API
Brad Genereaux
 
PDF
Slide DevSecOps Microservices
Hendri Karisma
 
PDF
API for Beginners
Sébastien Saunier
 
PPTX
Test Design and Automation for REST API
Ivan Katunou
 
API Design- Best Practices
Prakash Bhandari
 
Azure Functions Real World Examples
Yochay Kiriaty
 
Introduction to MERN
ShyamMohanKunwar
 
Spring MVC Framework
Hùng Nguyễn Huy
 
Open API and API Management - Introduction and Comparison of Products: TIBCO ...
Kai Wähner
 
API Management Part 1 - An Introduction to Azure API Management
BizTalk360
 
What Is Java | Java Tutorial | Java Programming | Learn Java | Edureka
Edureka!
 
The New JavaScript: ES6
Rob Eisenberg
 
What is API - Understanding API Simplified
Jubin Aghara
 
How Apache Kafka® Works
confluent
 
What is an API
Elliott Richmond
 
Android application development ppt
Gautam Kumar
 
Spring Cloud Config
Theerut Bunkhanphol
 
Microservices & API Gateways
Kong Inc.
 
Understanding REST APIs in 5 Simple Steps
Tessa Mero
 
Introduction to the Web API
Brad Genereaux
 
Slide DevSecOps Microservices
Hendri Karisma
 
API for Beginners
Sébastien Saunier
 
Test Design and Automation for REST API
Ivan Katunou
 

Viewers also liked (14)

PPTX
Api gatewayの話
Hiroshi Hayakawa
 
PDF
AWS Black Belt Tech シリーズ 2015 - Amazon API Gateway
Amazon Web Services Japan
 
PPT
API Management architect presentation
sflynn073
 
PDF
Oracle api gateway overview
Oracle Corporation
 
PDF
WSO2Con EU 2016: Understanding the WSO2 API Management Platform
WSO2
 
PDF
Best Practices for API Management
WSO2
 
PPTX
Craft Conference 2015 - Evolution of the PayPal API: Platform & Culture
Deepak Nadig
 
PDF
Implementing API Facade using WSO2 API Management Platform
WSO2
 
PDF
WSO2Con ASIA 2016: Understanding the WSO2 API Management Platform
WSO2
 
PPTX
API Management Platform Technical Evaluation Framework
WSO2
 
PDF
Roll Your Own API Management Platform with nginx and Lua
Jon Moore
 
PPTX
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
Brian Campbell
 
PPTX
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
CA API Management
 
PPTX
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
Api gatewayの話
Hiroshi Hayakawa
 
AWS Black Belt Tech シリーズ 2015 - Amazon API Gateway
Amazon Web Services Japan
 
API Management architect presentation
sflynn073
 
Oracle api gateway overview
Oracle Corporation
 
WSO2Con EU 2016: Understanding the WSO2 API Management Platform
WSO2
 
Best Practices for API Management
WSO2
 
Craft Conference 2015 - Evolution of the PayPal API: Platform & Culture
Deepak Nadig
 
Implementing API Facade using WSO2 API Management Platform
WSO2
 
WSO2Con ASIA 2016: Understanding the WSO2 API Management Platform
WSO2
 
API Management Platform Technical Evaluation Framework
WSO2
 
Roll Your Own API Management Platform with nginx and Lua
Jon Moore
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
Brian Campbell
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
CA API Management
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
Ad

Similar to Oracle API Gateway (20)

PPTX
API Gateway - OFM Canberra October 2014
Joelith
 
PDF
[Workshop] API-driven Integration
WSO2
 
PPTX
Extend soa with api management spoug- Madrid
Vinay Kumar
 
PDF
Getting Started with API Management
Revelation Technologies
 
PDF
Api gateway-security
Kali860857
 
PDF
Extend soa with api management Doag18
Vinay Kumar
 
PPTX
WSO2- OSC Korea - Accelerating Digital Businesses with APIs
WSO2
 
PPTX
Con8817 api management - enable your infrastructure for secure mobile and c...
OracleIDM
 
PDF
Extend soa with api management Sangam18
Vinay Kumar
 
PPTX
Gateway/APIC security
Shiu-Fun Poon
 
PPTX
Open api in enterprise
Guru Lakshmeekar B
 
PDF
What's new in API Connect and DataPower - 2019
IBM DataPower Gateway
 
PPTX
API_Gateways_&_API_Security-1(API Securities and Gateway).pptx
JPrince9
 
PDF
Core Dimensions of API Management
Faisal Banaeamah
 
PDF
Cyber defense for soa & rest oracle
igsc
 
PDF
Layer 7 & Oracle: Cyber Defense for SOA & REST
CA API Management
 
PDF
Presentation cyber defense for soa & rest
xKinAnx
 
PDF
APIC/DataPower security
Shiu-Fun Poon
 
PPTX
apidays LIVE Hong Kong 2021 - Headless API Management by Snehal Chakraborty, ...
apidays
 
PDF
APIConnect Security Best Practice
Shiu-Fun Poon
 
API Gateway - OFM Canberra October 2014
Joelith
 
[Workshop] API-driven Integration
WSO2
 
Extend soa with api management spoug- Madrid
Vinay Kumar
 
Getting Started with API Management
Revelation Technologies
 
Api gateway-security
Kali860857
 
Extend soa with api management Doag18
Vinay Kumar
 
WSO2- OSC Korea - Accelerating Digital Businesses with APIs
WSO2
 
Con8817 api management - enable your infrastructure for secure mobile and c...
OracleIDM
 
Extend soa with api management Sangam18
Vinay Kumar
 
Gateway/APIC security
Shiu-Fun Poon
 
Open api in enterprise
Guru Lakshmeekar B
 
What's new in API Connect and DataPower - 2019
IBM DataPower Gateway
 
API_Gateways_&_API_Security-1(API Securities and Gateway).pptx
JPrince9
 
Core Dimensions of API Management
Faisal Banaeamah
 
Cyber defense for soa & rest oracle
igsc
 
Layer 7 & Oracle: Cyber Defense for SOA & REST
CA API Management
 
Presentation cyber defense for soa & rest
xKinAnx
 
APIC/DataPower security
Shiu-Fun Poon
 
apidays LIVE Hong Kong 2021 - Headless API Management by Snehal Chakraborty, ...
apidays
 
APIConnect Security Best Practice
Shiu-Fun Poon
 
Ad

More from Rakesh Gujjarlapudi (20)

PDF
Reference architectures shows a microservices deployed to Kubernetes
Rakesh Gujjarlapudi
 
PDF
Oracle SOA, BPM, OSB, BAM, & B2B 12C
Rakesh Gujjarlapudi
 
PDF
Lesson1 - SOA Governance Overview
Rakesh Gujjarlapudi
 
PDF
Oracle API Gateway Installation
Rakesh Gujjarlapudi
 
PDF
Weblogic Administration Managed Server migration
Rakesh Gujjarlapudi
 
PDF
Oracle fusionmiddlewarecontinuosintegration slideshare_v1
Rakesh Gujjarlapudi
 
PDF
SOA OSB suite cluster installation
Rakesh Gujjarlapudi
 
PDF
Enterprise managerclodcontrolinstallconfiguration emc12c
Rakesh Gujjarlapudi
 
PDF
Oracle OSB Security Enforcement with OWSM
Rakesh Gujjarlapudi
 
PDF
Oracle OSB Tutorial 3
Rakesh Gujjarlapudi
 
PDF
Oracle OSB Tutorial 2
Rakesh Gujjarlapudi
 
PDF
Oracle OSB Tutorial 1
Rakesh Gujjarlapudi
 
PDF
Oracle WebLogic 11g Topology
Rakesh Gujjarlapudi
 
PDF
Oracle ADF 11g Skinning Tutorial
Rakesh Gujjarlapudi
 
PDF
Oracle ADF 11g Tutorial
Rakesh Gujjarlapudi
 
PDF
Oracle EMC 12C Grand Tour
Rakesh Gujjarlapudi
 
PDF
Oracle BPM 11g Lesson 1
Rakesh Gujjarlapudi
 
PDF
Oracle BPM 11g Lesson 2
Rakesh Gujjarlapudi
 
PDF
Oracle EMC 12 Installation
Rakesh Gujjarlapudi
 
PDF
Oracle WebLogic Server 11g for IT OPS
Rakesh Gujjarlapudi
 
Reference architectures shows a microservices deployed to Kubernetes
Rakesh Gujjarlapudi
 
Oracle SOA, BPM, OSB, BAM, & B2B 12C
Rakesh Gujjarlapudi
 
Lesson1 - SOA Governance Overview
Rakesh Gujjarlapudi
 
Oracle API Gateway Installation
Rakesh Gujjarlapudi
 
Weblogic Administration Managed Server migration
Rakesh Gujjarlapudi
 
Oracle fusionmiddlewarecontinuosintegration slideshare_v1
Rakesh Gujjarlapudi
 
SOA OSB suite cluster installation
Rakesh Gujjarlapudi
 
Enterprise managerclodcontrolinstallconfiguration emc12c
Rakesh Gujjarlapudi
 
Oracle OSB Security Enforcement with OWSM
Rakesh Gujjarlapudi
 
Oracle OSB Tutorial 3
Rakesh Gujjarlapudi
 
Oracle OSB Tutorial 2
Rakesh Gujjarlapudi
 
Oracle OSB Tutorial 1
Rakesh Gujjarlapudi
 
Oracle WebLogic 11g Topology
Rakesh Gujjarlapudi
 
Oracle ADF 11g Skinning Tutorial
Rakesh Gujjarlapudi
 
Oracle ADF 11g Tutorial
Rakesh Gujjarlapudi
 
Oracle EMC 12C Grand Tour
Rakesh Gujjarlapudi
 
Oracle BPM 11g Lesson 1
Rakesh Gujjarlapudi
 
Oracle BPM 11g Lesson 2
Rakesh Gujjarlapudi
 
Oracle EMC 12 Installation
Rakesh Gujjarlapudi
 
Oracle WebLogic Server 11g for IT OPS
Rakesh Gujjarlapudi
 

Recently uploaded (20)

PDF
Jak MŚP w Europie Środkowo-Wschodniej odnajdują się w świecie AI
dominikamizerska1
 
PDF
Smart Trailers 2025 Update with History and Overview
Paul Menig
 
PDF
Bitcoin for Millennials podcast with Bram, Power Laws of Bitcoin
Stephen Perrenod
 
PPTX
The Project Compass - GDG on Campus MSIT
dscmsitkol
 
PDF
What Makes Contify’s News API Stand Out: Key Features at a Glance
Contify
 
PDF
Agentic AI lifecycle for Enterprise Hyper-Automation
Debmalya Biswas
 
PDF
July Patch Tuesday
Ivanti
 
PDF
New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
PDF
Newgen Beyond Frankenstein_Build vs Buy_Digital_version.pdf
darshakparmar
 
PDF
"AI Transformation: Directions and Challenges", Pavlo Shaternik
Fwdays
 
PDF
Achieving Consistent and Reliable AI Code Generation - Medusa AI
medusaaico
 
PDF
Reverse Engineering of Security Products: Developing an Advanced Microsoft De...
nwbxhhcyjv
 
PPTX
Building Search Using OpenSearch: Limitations and Workarounds
Sease
 
PDF
Go Concurrency Real-World Patterns, Pitfalls, and Playground Battles.pdf
Emily Achieng
 
PPTX
AUTOMATION AND ROBOTICS IN PHARMA INDUSTRY.pptx
sameeraaabegumm
 
PDF
CIFDAQ Market Wrap for the week of 4th July 2025
CIFDAQ
 
PPTX
Future Tech Innovations 2025 – A TechLists Insight
TechLists
 
PPTX
COMPARISON OF RASTER ANALYSIS TOOLS OF QGIS AND ARCGIS
Sharanya Sarkar
 
PDF
Building Real-Time Digital Twins with IBM Maximo & ArcGIS Indoors
Safe Software
 
PPTX
Q2 FY26 Tableau User Group Leader Quarterly Call
lward7
 
Jak MŚP w Europie Środkowo-Wschodniej odnajdują się w świecie AI
dominikamizerska1
 
Smart Trailers 2025 Update with History and Overview
Paul Menig
 
Bitcoin for Millennials podcast with Bram, Power Laws of Bitcoin
Stephen Perrenod
 
The Project Compass - GDG on Campus MSIT
dscmsitkol
 
What Makes Contify’s News API Stand Out: Key Features at a Glance
Contify
 
Agentic AI lifecycle for Enterprise Hyper-Automation
Debmalya Biswas
 
July Patch Tuesday
Ivanti
 
New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
Newgen Beyond Frankenstein_Build vs Buy_Digital_version.pdf
darshakparmar
 
"AI Transformation: Directions and Challenges", Pavlo Shaternik
Fwdays
 
Achieving Consistent and Reliable AI Code Generation - Medusa AI
medusaaico
 
Reverse Engineering of Security Products: Developing an Advanced Microsoft De...
nwbxhhcyjv
 
Building Search Using OpenSearch: Limitations and Workarounds
Sease
 
Go Concurrency Real-World Patterns, Pitfalls, and Playground Battles.pdf
Emily Achieng
 
AUTOMATION AND ROBOTICS IN PHARMA INDUSTRY.pptx
sameeraaabegumm
 
CIFDAQ Market Wrap for the week of 4th July 2025
CIFDAQ
 
Future Tech Innovations 2025 – A TechLists Insight
TechLists
 
COMPARISON OF RASTER ANALYSIS TOOLS OF QGIS AND ARCGIS
Sharanya Sarkar
 
Building Real-Time Digital Twins with IBM Maximo & ArcGIS Indoors
Safe Software
 
Q2 FY26 Tableau User Group Leader Quarterly Call
lward7
 

Oracle API Gateway

  • 2. Oracle API Gateway - Basic Architecture CLIENTS Application Servers Partner Applications Mobile Applications XML / JSON Oracle API Gateway Web Applications Cloud-Based Services Oracle API Gateway integrates, accelerates, governs, and secures Web API and SOA-based systems. Serves REST APIs and SOAP Web Services to clients  Converts REST to SOAP  Converts XML to JSON Supports other protocols also  FTP, SFTP, FTPS, TIBCO Rendezvous and EMS, JMS (to IBM WebSphere MQ, ActiveMQ, JBOSS Messaging) Applies security rules  Authentication: OAuth, HTTP Auth, Certificate Auth, WS-Security Content Filtering: Detection of SQL Injection, XSS, Viruses Monitoring of API and Service usage Caching and Traffic Management (routing, throttling) Legacy Applications Data
  • 3. Oracle API Gateway - Deployment Architecture GREEN ZONE Shared Services Layer RED ZONE First Line Of Defense CLIENTS End point security HTTP, SOAP, REST, XML, JMS Cloud-Based Services Webservice Clients REST-WS Clients OES PDP WS-Security, Basic Auth, Digest, X509, UNT,SAML, Kerberos Sign & Encrypt EXTRANET Oracle Service Bus Oracle API Gateway (Service Virtualization) Firewall Web Applications Internal Firewall Mobile Applications Oracle Webservices Manager Partner Applications WS-Security, Basic Auth, Digest, X509, UNT, SAML, Kerberos Sign & Encrypt O W S M BPEL/Web Service End point security HTTP, SOAP, REST, XML, JMS O W S M BPM Process End point security HTTP, SOAP, REST, XML, JMS O W S M Application INTRANET DMZ In Green Zone security use OWSM in conjunction with Oracle FMW products(SOA Suite, OSB, etc. both on the Client Side and Service Side Policy In Red Zone security OEG on the Service Side Policy.
  • 4. Oracle API Gateway – Security Overview Flooding Recursive Payloads Oversized Payloads Memory Leak • • Injection & Malicious Code SQL Injection XPath Injection Cross-site scripting Malformed content Logic bombs Confidentiality Integrity Sniffing Parameter Tampering Schema Poisoning External Entity Canonicalization • Firewall DOS Attacks GREEN ZONE DMZ ZONE Firewall Oracle API Gateway protection against Virtualize a web services Inbuilt Out-ofthe-Box filters Throttle the inbound message flow Privilege Escalation Attacks Dictionary Format String Buffer Overflow Race Conditions Symlink Unprotected interfaces Oracle Webservices Manager O W S M Backend Web Service End point security O W S M Oracle API Gateway Internet/Cloud Filtered Messages • • • • • Reconnaissance Attacks Code templates Forceful browsing Directory Reversal WSDL scanning Registry Disclosure End point security Malformed Request First Line Of Defense AuthC AuthZ Auditing Signature Verification Message Encryption/Decryption Last-Mile Security Backend Web Service End point security O W S M Backend Web Service
  • 5. Oracle API Gateway – Virtualization, Data/Protocol Bridging GREEN ZONE DMZ ZONE Firewall Firewall HTTP GET/POST - REST SSOToken REST/JSON < weatherreport city=“San Francisco" weather=“42" >< /weatherreport> SAML Token Oracle Webservices Manager Required transport & format protocol RESTful Web Service REST/XML SOAP Oracle API Gateway { "weatherreport" : {"city":“San Francisco", "weather":“42"} } JMS SAML Token SOAP Web Service Required transport & format protocol Data Format Transformations XML to JSON and vice versa Protocol bridging REST to SOAP and vice versa First Line Of Defense Last-Mile Security
  • 6. Oracle API Gateway – DMZ Security & Access Control GREEN ZONE DMZ ZONE Firewall Firewall HTTP GET/POST - REST SAML Token SSOToken JMS SOAP/REST Virtual Web Services { "weatherreport" : {"city":“San Francisco", "weather":“42"} } Oracle Service Bus SOAP Oracle API Gateway (Service Virtualization) REST/XML Oracle Webservices Manager < weatherreport city=“San Francisco" weather=“42" >< /weatherreport> REST/JSON Required transport & format protocol RESTful Web Service SAML Token SOAP Web Service • • • • • • API SSO, Authorization, XML/WS Security Enforcement at DMZ WS Authentication, Security token translation, Federation: WS-Security, WS-SecureConversation, WSTrust (single/multiple STSs). REST Security: OAuth2, SAML (OIT). Happening on the Gateway. Protocol Security: XML Security, WS-Security, REST Security Authorization, Data Redaction, Risk: Leveraging Embedded OES PDP or remote OAM/OES PDP Required transport & format protocol
  • 7. Oracle API Gateway – Social Connectivity DMZ ZONE 3rd Party IDPs GREEN ZONE OAuth OpenID Connect SAML Firewall Firewall f SAML Token Token Required transport & format protocol SOAP/REST Virtual Web Services { "weatherreport" : {"city":“San Francisco", "weather":“42"} } Oracle Service Bus Oracle API Gateway API/Web Request with Required Token (SAML, OAM, Kerberos, OAuth etc.) (Service Virtualization) API Request App/Device/User Credential Web SSO Oracle Webservices Manager < weatherreport city=“San Francisco" weather=“42" >< /weatherreport> RESTful Web Service SAML Token SOAP Web Service HTTP/REST/SOAP/OAuth Clients Required transport & format protocol
  • 8. Oracle API Gateway – Fine Grained AuthZ and Data Redaction GREEN ZONE DMZ ZONE Firewall {<Response> <Response Data 1>, <Response Data 2>, <Response Data 3> <Response Data 4>, <Response Data 5>, } Firewall HTTP GET/POST – REST {<Request>} Response Data1 Response Data2 SSOToken Response Data3 {<Response> <Response Data 3> <Response Data 4>} Oracle API Gateway { <Response>} SOAP {<Request>} {<Response> <Response Data 1> <Response Data 2>} Response Data5 SAML Token/ Request End point security O W S M RESTful/SOAP Web Service Response PEP JMS {<Request>} (Service Virtualization) {<Response> <Response Data 5>} Response Data4 Oracle Service Bus {< Request>} Oracle Webservices Manager REST/JSON {<Request>} REST/XML {<Request>} Existing API/WS Returns PDP {<Response> <Response Data 1>} Entitlements Server Data Format Transformations XML to JSON and vice versa Protocol bridging REST to SOAP and vice versa First Line Of Defense Last-Mile Security
  • 9. Oracle API Gateway – API Key Management(Cloud Consumer) GREEN ZONE DMZ ZONE Firewall Google Firewall APIKey_Google Oracle API Gateway SSOToken Oracle Service Bus { <Response>} (Service Virtualization) APIKey_Y API Key + Web Service Request X {< Request>} APIKey_Google Oracle Webservices Manager APIKey_X Y APIKey_X APIKey_Y First Line Of Defense Last-Mile Security SAML Token/ Request End point security O W S M Response RESTful/SOAP Web Service
  • 10. Oracle API Gateway – Configuration & Management Tools
(Diagram: the Oracle API Gateway Instance (Core Engine) in the centre, with Connectors and Usage Metrics feeding the tools below.)
Policy Studio
Oracle API Gateway Policy Studio is a policy development and configuration tool.
• Enables policy developers to easily configure API Gateway policies and settings to control and protect deployed API services and Web services.
• Policy Studio is typically installed on a separate machine from the API Gateway to enable remote administration.
Manager
API Gateway Manager is a centralized web-based dashboard.
• Enables administrators to control and manage API Gateways and groups in a domain.
• Connects to the Node Manager on each host, and displays aggregated monitoring data from multiple API Gateway instances.
Policy Development
An Oracle API Gateway policy developer typically performs the following tasks:
• Develops API Gateway policies and solution packs.
• Customizes and extends the API Gateway using scripting.
• Creates Java classes and/or custom filters using the API Gateway filter SDK.
• Uses the Policy Studio, API Gateway Explorer, and API Gateway Manager tools.
Analytics
API Gateway Analytics is a separately installed tool used by administrators.
• Generates reports and charts based on usage metrics for all services and API Gateways in a domain.
• API Gateway Analytics provides integration with databases such as MySQL Server, MS SQL Server, and Oracle.
• Includes both real-time and historical metrics.
  • 11. Oracle API Gateway – Managed Domain Architecture
(Diagram: Policy Studio and the browser-based Manager UI connect to the Domain Admin Node Manager; each host runs a Node Manager with Server Instances 1 and 2 in Services Group 1 and Services Group 2, plus a single Server Instance 1 in TEST GROUP, across Node 1 (Master) and Node 2.)
Domain is the set of all hosts (physical machines) running API Gateway instances, which are managed centrally by the API Gateway Manager tool.
API Gateway's group-based domain architecture enables you to break projects down into logical groups and manage configuration across your organization. This provides manageability and scalability, and enables you to perform load balancing and failover across distributed deployments.
Group
• Number of API Gateway instances that all run the same configuration.
• Can run across more than one physical host machine.
• Can include more than one API Gateway instance on the same host.
• Each API Gateway in the group runs the same configuration.
• Each API Gateway has its own deployment descriptor file (envSettings.properties).
• A group also has a deployment descriptor, which specifies settings values that are the same across the group but may differ in different environments.
• A standalone API Gateway runs in a group of one member (TEST GROUP in the diagram).
• Deploy, manage, and monitor a group of API Gateways using the Policy Studio and the browser-based API Gateway Manager.
Node Manager (server-side process)
• Manages and monitors API Gateway instances on the host.
• Only one Node Manager runs per host.
• Communication between the Node Manager and the API Gateway is secured using SSL.
• Policy Studio and the browser-based API Gateway Manager are clients of the Node Manager.
• The first Node Manager added in a domain is known as the Admin Node Manager.
• The Admin Node Manager acts as the master Node Manager. It performs Role-Based Access Control (RBAC), and forwards requests to other Node Managers when required.
• The Admin Node Manager also manages and deploys configuration to the API Gateway instance(s) in a domain.
  • 12. Oracle API Gateway – Concepts (Filter, Policy, Message Attribute, Selector, Faults, Policy Shortcuts & Alerts)
Filter is an executable rule that performs a specific type of processing on a message.
• Example: the Message Size filter rejects messages that are greater or less than a specified size.
• Categories of message filters available with the API Gateway include authentication, authorization, content filtering, signing, and conversion.
Policy is a network of message filters in which each filter is a modular unit that processes a message.
• A message can traverse different paths through the policy, depending on which filters succeed or fail.
• A policy can also contain other policies, which enables you to build modular reusable policies.
• A policy must have a Start filter. Filters labeled End stop the execution of the policy if the filter execution fails.
• A policy starts with a START filter and ends with an END filter.
The following example screen shot shows an example policy with success paths and a single failure path: (screen shot not reproduced)
Message Attributes: Each filter requires input data and produces output data (message attributes). You can use specific filters to create your own message attributes and to set their values. The Trace filter enables you to trace message attribute values at execution time.
Selector is a special syntax that enables API Gateway configuration settings to be evaluated and expanded at runtime based on metadata.
Faults: When a SOAP transaction fails, you can use a SOAP fault to return error information to the SOAP client.
Policy Shortcut enables you to create a link from one policy to another policy. Example: create a policy that inserts security tokens into a message, and another that adds HTTP headers. You can then create a third policy that calls the other two policies using Policy Shortcut filters.
Alerts can send alert messages for specified events to various alerting destinations. System alerts are usually sent when a filter fails, but they can also be used for notification purposes.
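Added example (not from the slide deck or the product): a toy Python model of the Filter, Policy, Start/End, Message Attribute, Trace, SOAP Fault and Policy Shortcut concepts on this slide. The filter names, attribute names and token value are constructed; the real API Gateway filter SDK is not used.

```python
# Added example (not from the deck): toy model of the slide's policy concepts.
# A Filter reads/writes message attributes (a dict) and returns True/False; a
# Policy is a filter network; a failing filter with no failure path is an End.
from dataclasses import dataclass
from typing import Callable, Dict, Optional

Filter = Callable[[dict], bool]       # dict = message attributes; True = success

@dataclass
class Node:
    filter: Filter
    on_success: Optional[str] = None  # next node; None = policy succeeds
    on_failure: Optional[str] = None  # next node; None = End, policy fails

@dataclass
class Policy:
    start: str
    nodes: Dict[str, Node]
    def run(self, msg: dict) -> bool:
        """Walk the network from Start, logging each step like the Trace filter."""
        name: Optional[str] = self.start
        trace = msg.setdefault("trace", [])
        while name is not None:
            node = self.nodes[name]
            ok = node.filter(msg)
            trace.append(f"{name}:{'ok' if ok else 'fail'}")
            if not ok and node.on_failure is None:
                return False              # End filter reached on failure
            name = node.on_success if ok else node.on_failure
        return True

def message_size(max_bytes: int) -> Filter:
    """Message Size filter: fail when content.body exceeds max_bytes."""
    return lambda m: len(str(m.get("content.body", "")).encode()) <= max_bytes

def set_attribute(key: str, value: object, result: bool = True) -> Filter:
    """Set a message attribute; result=False models a SOAP Fault filter."""
    def f(m: dict) -> bool:
        m[key] = value
        return result
    return f

# Child policy inserts a constructed token; the main policy calls it through a
# Policy Shortcut (add_token.run) and sends oversized messages to a SOAP Fault.
add_token = Policy("set", {"set": Node(set_attribute("security.token", "SAML-placeholder"))})
main_policy = Policy("size", {
    "size":  Node(message_size(64), on_success="token", on_failure="fault"),
    "token": Node(add_token.run),                          # Policy Shortcut
    "fault": Node(set_attribute("fault", "message too large", result=False)),
})
```

Running `main_policy.run({"content.body": "hello"})` follows the success path (size, set, token) and adds the token attribute; a 100-byte body takes the failure path to the fault node, which ends the policy with `fault` set and no token inserted.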
  • 13. Oracle API Gateway – Concepts (Policy Container, Policy Context, Process, Listeners, Protocol Mediation, Remote Hosts, Servlet Application, Configuration Profile, Service Virtualization)
Policy Container is used to group similar policies together (for example, all authentication or logging policies), or policies that relate to a particular service.
Policy Context: Policies can execute in a specified context (set a context by associating a relative execution path or listener with a policy).
Process is an instance of the API Gateway capable of running on a host.
Listeners: Define different types of listeners and associate them with specific policies.
Protocol Mediation: The API Gateway can be used to provide protocol mediation (for example, receiving a SOAP request over JMS, and transforming it into a SOAP/HTTP request to a backend service).
Remote Hosts: Define a remote host when you need more control of the connection settings to a particular server (HTTP version, IP addresses, timeouts, buffers, caches).
Servlet Applications: Provides a Web server and servlet application server that can be used to host static content (for example, documentation for your project), or servlets providing internal services.
Configuration Profile contains the configuration information required to run the API Gateway. For example, a specific Configuration Profile instance can store certificates, users, core policies and services, external connections, or listeners.
Service Virtualization: When you register an API service or Web Service, and deploy it to the API Gateway, the API Gateway virtualizes the service. Instead of connecting to the service directly, clients connect through the API Gateway. The API Gateway can then apply policies to messages sent to the destination service.