Oracle API Gateway integrates, accelerates, governs, and secures Web API and SOA-based systems. It serves REST APIs and SOAP Web Services to clients, converting between REST and SOAP and XML and JSON. It applies security rules like authentication and content filtering. It also provides monitoring of API and service usage, caching, and traffic management.
2. Oracle API Gateway - Basic Architecture
[Diagram: clients (application servers, partner applications, mobile applications) exchange XML / JSON with the Oracle API Gateway, which fronts web applications, cloud-based services, legacy applications and data.]
Oracle API Gateway integrates, accelerates, governs, and secures Web API and SOA-based systems.
• Serves REST APIs and SOAP Web Services to clients
• Converts REST to SOAP
• Converts XML to JSON
• Supports other protocols also: FTP, SFTP, FTPS, TIBCO Rendezvous and EMS, JMS (to IBM WebSphere MQ, ActiveMQ, JBoss Messaging)
• Applies security rules
  - Authentication: OAuth, HTTP Auth, Certificate Auth, WS-Security
  - Content Filtering: detection of SQL Injection, XSS, viruses
• Monitoring of API and Service usage
• Caching and Traffic Management (routing, throttling)
3. Oracle API Gateway - Deployment Architecture
[Diagram: clients in the extranet (web service clients, REST-WS clients, cloud-based services, web applications, mobile applications, partner applications) pass through a firewall to the Oracle API Gateway (service virtualization) in the DMZ, the Red Zone and first line of defense. An internal firewall separates the DMZ from the intranet, the Green Zone or shared services layer, where Oracle Service Bus, Oracle Web Services Manager (OWSM) agents and an OES PDP protect the BPEL/Web Service, BPM Process and Application endpoints. End point security covers HTTP, SOAP, REST, XML and JMS; token and message security covers WS-Security, Basic Auth, Digest, X509, UNT, SAML, Kerberos, Sign & Encrypt.]
In Green Zone security, use OWSM in conjunction with Oracle FMW products (SOA Suite, OSB, etc.) for both the client-side and the service-side policy.
In Red Zone security, use OEG for the service-side policy.
4. Oracle API Gateway – Security Overview
[Diagram: Internet/Cloud traffic passes through a firewall into the DMZ zone, where the Oracle API Gateway is the first line of defense (AuthC, AuthZ, auditing, signature verification, message encryption/decryption). Malformed requests are rejected there; only filtered messages pass the second firewall into the Green Zone, where Oracle Web Services Manager (OWSM) agents provide last-mile security and end point security for the backend web services.]
Oracle API Gateway protection against:
• DoS Attacks: flooding, recursive payloads, oversized payloads, memory leak
• Injection & Malicious Code: SQL injection, XPath injection, cross-site scripting, malformed content, logic bombs
• Confidentiality / Integrity: sniffing, parameter tampering, schema poisoning, external entity, canonicalization
• Privilege Escalation Attacks: dictionary, format string, buffer overflow, race conditions, symlink, unprotected interfaces
• Reconnaissance Attacks: code templates, forceful browsing, directory reversal, WSDL scanning, registry disclosure
How the gateway protects:
• Virtualizes web services
• Inbuilt out-of-the-box filters
• Throttles the inbound message flow
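The following is an added example, not Oracle's code and not taken from the slides: a minimal chain of inbound message filters of the kind the slide lists as out-of-the-box protection. It enforces a message size limit (oversized payloads), an XML nesting-depth limit (recursive payloads), rejection of DOCTYPE and external entity declarations, and a per-client token-bucket throttle (flooding). The limits, the client id and the sample messages are constructed for the demo.

```python
"""Added example (not Oracle's code): a minimal chain of inbound message
filters of the kind the slide lists as out-of-the-box protection: a message
size limit (oversized payloads), an XML nesting-depth limit (recursive
payloads), rejection of DOCTYPE/external entity declarations and a per-client
token-bucket throttle (flooding). All limits and sample messages are
constructed for the demo."""
import re
import time
import xml.etree.ElementTree as ET
from collections import defaultdict

MAX_BYTES = 1024        # assumption: demo limit for oversized payloads
MAX_DEPTH = 8           # assumption: demo limit for element nesting
RATE_PER_SEC = 2.0      # assumption: sustained requests per client per second
BURST = 2               # assumption: burst allowance per client


class Reject(Exception):
    """Raised by a filter when the message must not reach the backend."""


def message_size_filter(raw: bytes) -> bytes:
    if len(raw) > MAX_BYTES:
        raise Reject(f"oversized payload: {len(raw)} bytes > {MAX_BYTES}")
    return raw


def entity_filter(raw: bytes) -> bytes:
    # A DOCTYPE is the carrier for external entities (XXE) and for recursive
    # entity expansion; the gateway has no legitimate use for it, so reject.
    if re.search(rb"<!DOCTYPE", raw, re.IGNORECASE):
        raise Reject("DOCTYPE/external entity declarations are not allowed")
    return raw


def depth_filter(raw: bytes) -> ET.Element:
    # Pull-parse in chunks and count start/end events, so a deeply nested
    # document is cut off as soon as the limit is crossed rather than after
    # the whole tree has been built in memory.
    parser = ET.XMLPullParser(events=("start", "end"))
    depth, root = 0, None
    try:
        for i in range(0, len(raw), 256):
            parser.feed(raw[i:i + 256])
            for event, elem in parser.read_events():
                if event == "start":
                    depth += 1
                    root = elem if root is None else root
                    if depth > MAX_DEPTH:
                        raise Reject(f"recursive payload: nesting deeper than {MAX_DEPTH}")
                else:
                    depth -= 1
        parser.close()
    except ET.ParseError as exc:
        raise Reject(f"malformed content: {exc}") from exc
    return root


class Throttle:
    """Token bucket per client: BURST tokens, refilled at RATE_PER_SEC.
    The clock is injectable so behaviour can be tested deterministically."""

    def __init__(self, now=time.monotonic):
        self.now = now
        self.tokens = defaultdict(lambda: float(BURST))
        self.last = {}

    def allow(self, client: str) -> bool:
        t = self.now()
        elapsed = t - self.last.get(client, t)
        self.last[client] = t
        self.tokens[client] = min(BURST, self.tokens[client] + elapsed * RATE_PER_SEC)
        if self.tokens[client] < 1:
            return False
        self.tokens[client] -= 1
        return True


def verdict(raw: bytes, client: str = "client-1", throttle: Throttle = None) -> str:
    """Run the filter chain; return 'accepted: <root tag>' or 'rejected: <why>'."""
    throttle = throttle or Throttle()
    try:
        if not throttle.allow(client):
            raise Reject(f"throttled: rate limit exceeded for {client}")
        root = depth_filter(entity_filter(message_size_filter(raw)))
        return f"accepted: {root.tag}"
    except Reject as exc:
        return f"rejected: {exc}"


# Constructed sample messages.
GOOD = b'<weatherreport city="San Francisco" weather="42"></weatherreport>'
HUGE = b"<a>" + b"x" * 2000 + b"</a>"
DEEP = b"<a>" * 20 + b"</a>" * 20
DOCTYPE = b'<!DOCTYPE a [<!ENTITY e SYSTEM "file:///example">]><a>&e;</a>'

if __name__ == "__main__":
    for sample in (GOOD, HUGE, DEEP, DOCTYPE, b"<a><b></a>"):
        print(verdict(sample))
```

The order of the filters matters: the cheap size check runs before any parsing, the DOCTYPE check runs before the parser can expand entities, and the depth check is done on a pull parser so a recursive payload is cut off without first materialising the tree.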
5. Oracle API Gateway – Virtualization, Data/Protocol Bridging
[Diagram: a client sends an HTTP GET/POST (REST) request with an SSO token through the DMZ firewall to the Oracle API Gateway, the first line of defense. Behind the Green Zone firewall, Oracle Web Services Manager provides last-mile security. The gateway forwards the request in the transport and format protocol each backend requires: REST/JSON or REST/XML to the RESTful web service, SOAP or JMS with a SAML token to the SOAP web service.]
Example payloads from the diagram, the same weather report as XML and as JSON:
<weatherreport city="San Francisco" weather="42"></weatherreport>
{ "weatherreport" : {"city":"San Francisco", "weather":"42"} }
• Data Format Transformations: XML to JSON and vice versa
• Protocol bridging: REST to SOAP and vice versa
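As an added example (not Oracle's code and not from the slides), the following Python implements the two transformations this slide names, using the slide's own weather-report payload: XML to JSON and back, and a REST call bridged into a SOAP request for the backend, with the backend's SOAP response unwrapped into JSON for the REST client. The REST URL, the backend namespace `urn:example:weather` and the operation name `getWeather` are assumptions for the demo.

```python
"""Added example (not Oracle's code): the data-format transformation and
protocol bridging this slide describes, using the slide's own weather-report
payload. The REST URL, the backend SOAP namespace and operation name are
constructed for the demo."""
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope
SVC_NS = "urn:example:weather"                           # assumption: backend namespace
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("wx", SVC_NS)


def _local(tag: str) -> str:
    """Strip a {namespace} prefix so the JSON client sees plain names."""
    return tag.split("}")[-1]


def xml_to_json(xml_text: str) -> str:
    """<weatherreport city=".." weather=".."/> -> {"weatherreport": {"city": .., "weather": ..}}.
    Attributes and child elements become members; a leaf with only text becomes a string."""
    def convert(el):
        node = {_local(k): v for k, v in el.attrib.items()}
        for child in el:
            node[_local(child.tag)] = convert(child)
        if not node:
            return (el.text or "").strip()
        if el.text and el.text.strip():
            node["#text"] = el.text.strip()
        return node
    root = ET.fromstring(xml_text)
    return json.dumps({_local(root.tag): convert(root)})


def json_to_xml(json_text: str) -> str:
    """Inverse mapping: scalar members become attributes, objects become child elements."""
    (tag, body), = json.loads(json_text).items()

    def build(name, value):
        el = ET.Element(name)
        if isinstance(value, dict):
            for k, v in value.items():
                if isinstance(v, dict):
                    el.append(build(k, v))
                elif k == "#text":
                    el.text = str(v)
                else:
                    el.set(k, str(v))
        else:
            el.text = str(value)
        return el
    return ET.tostring(build(tag, body), encoding="unicode")


def rest_to_soap(method: str, url: str) -> str:
    """Bridge GET /weather?city=San+Francisco into a SOAP request for the
    backend operation getWeather (constructed naming convention)."""
    if method not in ("GET", "POST"):
        raise ValueError(f"unsupported REST method {method}")
    parts = urlparse(url)
    operation = "get" + parts.path.rstrip("/").rsplit("/", 1)[-1].capitalize()
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}{operation}")
    for name, values in parse_qs(parts.query).items():
        ET.SubElement(op, f"{{{SVC_NS}}}{name}").text = values[0]
    return ET.tostring(env, encoding="unicode")


def describe_soap_request(soap_text: str) -> dict:
    """What the SOAP backend sees: operation name and its parameters."""
    op = ET.fromstring(soap_text).find(f"{{{SOAP_NS}}}Body")[0]
    return {"operation": _local(op.tag), "params": {_local(p.tag): p.text for p in op}}


def soap_to_json(soap_text: str) -> str:
    """Unwrap the SOAP Body and hand the payload to xml_to_json, so the REST
    client receives {"weatherreport": {...}} whatever the backend format was."""
    payload = ET.fromstring(soap_text).find(f"{{{SOAP_NS}}}Body")[0]
    return xml_to_json(ET.tostring(payload, encoding="unicode"))


# Constructed samples taken from the slide's payloads.
WEATHER_XML = '<weatherreport city="San Francisco" weather="42"></weatherreport>'
WEATHER_JSON = '{"weatherreport": {"city": "San Francisco", "weather": "42"}}'
BACKEND_SOAP_RESPONSE = (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
                         f'{WEATHER_XML}</soap:Body></soap:Envelope>')

if __name__ == "__main__":
    print(xml_to_json(WEATHER_XML))
    print(json_to_xml(WEATHER_JSON))
    print(rest_to_soap("GET", "https://gw.example/weather?city=San+Francisco"))
    print(soap_to_json(BACKEND_SOAP_RESPONSE))
```

The mapping is deliberately lossy in one direction (namespaces are dropped for the JSON client), which is the usual trade-off when the gateway virtualizes a SOAP service as a REST/JSON one: the client never sees the backend's envelope, namespace or operation naming.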
6. Oracle API Gateway – DMZ Security & Access Control
[Diagram: same topology as slide 5. HTTP GET/POST (REST) requests carrying an SSO token reach the SOAP/REST virtual web services on the Oracle API Gateway (service virtualization) in the DMZ. Behind the second firewall, Oracle Service Bus and Oracle Web Services Manager front the RESTful web service (REST/JSON, REST/XML) and the SOAP web service (SOAP, JMS, SAML token); each backend receives its required transport and format protocol.]
• API SSO, Authorization, XML/WS Security Enforcement at the DMZ
• WS Authentication, Security token translation, Federation: WS-Security, WS-SecureConversation, WS-Trust (single/multiple STSs)
• REST Security: OAuth2, SAML (OIT), happening on the Gateway
• Protocol Security: XML Security, WS-Security, REST Security
• Authorization, Data Redaction, Risk: leveraging the embedded OES PDP or a remote OAM/OES PDP
7. Oracle API Gateway – Social Connectivity
[Diagram: HTTP/REST/SOAP/OAuth clients present an app/device/user credential or a Web SSO token with their API request; 3rd-party IDPs (OAuth, OpenID Connect, SAML) sit outside the DMZ. The Oracle API Gateway (service virtualization) in the DMZ accepts the API request, obtains or validates the required token (SAML, OAM, Kerberos, OAuth etc.) and forwards the API/web request with that token through the firewall to the SOAP/REST virtual web services behind Oracle Service Bus and Oracle Web Services Manager in the Green Zone, which deliver the required transport and format protocol: JSON to the RESTful web service, XML with a SAML token to the SOAP web service.]
8. Oracle API Gateway – Fine Grained AuthZ and Data Redaction
[Diagram: a client sends an HTTP GET/POST (REST) request with an SSO token through the firewall to the Oracle API Gateway (service virtualization), which acts as policy enforcement point (PEP) and forwards the request (SOAP, JMS, REST/JSON or REST/XML) with a SAML token through the inner firewall to Oracle Service Bus, Oracle Web Services Manager and the RESTful/SOAP web service, whose end point security is provided by OWSM. The existing API/WS returns a response containing Response Data 1 to Response Data 5; the gateway consults the policy decision point (PDP) of the Entitlements Server and returns to each caller only the subset it is entitled to, for example {Response Data 1, Response Data 2}, {Response Data 3, Response Data 4}, {Response Data 5} or {Response Data 1}.]
• Data Format Transformations: XML to JSON and vice versa
• Protocol bridging: REST to SOAP and vice versa
First Line Of Defense (gateway), Last-Mile Security (OWSM)
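An added example (not Oracle's code, and not how Oracle Entitlements Server is actually queried) of the PEP/PDP split the slide shows: the gateway, as enforcement point, asks a decision point which fields of the backend response the caller is entitled to and removes the rest before the response leaves the Green Zone. The entitlement table, the roles, the subjects and the five "Response Data n" fields follow the diagram but are constructed.

```python
"""Added example (not Oracle's code): the gateway acting as policy enforcement
point (PEP), asking a policy decision point (PDP) which fields of a response
the caller is entitled to, and redacting the rest before the response leaves
the Green Zone. The entitlement table, roles, subjects and the five
"Response Data n" fields follow the slide's diagram but are constructed."""

# Constructed entitlements: resource -> role -> fields the role may see.
ENTITLEMENTS = {
    "weatherreport": {
        "finance": {"Response Data 1", "Response Data 2"},
        "support": {"Response Data 3", "Response Data 4"},
        "auditor": {"Response Data 5"},
        "public": {"Response Data 1"},
    }
}

# Constructed: what the existing API/WS returns, unredacted, to the gateway.
BACKEND_RESPONSE = {f"Response Data {i}": f"value-{i}" for i in range(1, 6)}


def pdp_decide(subject: dict, resource: str) -> set:
    """PDP: the union of fields granted to the subject's roles on `resource`.
    Deny by default: an unknown resource or role contributes nothing."""
    rules = ENTITLEMENTS.get(resource, {})
    allowed = set()
    for role in subject.get("roles", ()):
        allowed |= rules.get(role, set())
    return allowed


def pep_redact(subject: dict, resource: str, backend_response: dict):
    """PEP: keep only entitled fields. Unentitled fields are removed, not
    masked, so the client cannot infer that they exist. Returns the response
    envelope from the slide and an audit record for the gateway log."""
    allowed = pdp_decide(subject, resource)
    kept = {k: v for k, v in backend_response.items() if k in allowed}
    audit = {
        "subject": subject.get("id"),
        "resource": resource,
        "kept": sorted(kept),
        "redacted": sorted(set(backend_response) - allowed),
    }
    return {"Response": kept}, audit


if __name__ == "__main__":
    for subj in ({"id": "alice", "roles": ["support"]},
                 {"id": "bob", "roles": ["finance", "auditor"]},
                 {"id": "eve", "roles": ["unknown"]}):
        print(pep_redact(subj, "weatherreport", BACKEND_RESPONSE))
```

The subject attributes would in practice come from the validated SSO or SAML token on the inbound leg; the point of doing redaction at the gateway rather than in each backend is that the existing API/WS can keep returning its full record while a single enforcement point applies the entitlement decision consistently.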
9. Oracle API Gateway – API Key Management (Cloud Consumer)
[Diagram: a client sends an API key plus web service request with an SSO token through the firewall to the Oracle API Gateway (service virtualization) in the DMZ. The gateway holds the API keys for the external providers (APIKey_Google, APIKey_X, APIKey_Y) and attaches the matching key when it calls out to Google, X or Y. Internal requests carrying a SAML token pass through Oracle Service Bus and Oracle Web Services Manager to the RESTful/SOAP web service, whose end point security is provided by OWSM. The gateway is the first line of defense, OWSM the last-mile security.]
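The following is an added example (not Oracle's code) of the key-brokering pattern the diagram shows: clients authenticate to the gateway with their own SSO token, while the provider API keys (the slide's APIKey_Google, APIKey_X, APIKey_Y) stay in the gateway's own store and are injected into the outbound request only after an entitlement check. The session table, the client-to-provider ACL, the header names and the key values are constructed.

```python
"""Added example (not Oracle's code): API key management for cloud consumers.
Clients authenticate to the gateway with their own SSO token; the gateway keeps
the provider API keys (APIKey_Google, APIKey_X, APIKey_Y from the slide) in its
own store, checks that the client may call that provider, and injects the key
into the outbound request. Session table, ACL, header names and key values are
constructed."""
import hashlib

# Constructed: validated SSO sessions -> client application identity.
SESSIONS = {"sso-token-aaa": "mobile-app", "sso-token-bbb": "partner-app"}

# Constructed: which client may use which provider (deny by default).
PROVIDER_ACL = {"mobile-app": {"google", "x"}, "partner-app": {"y"}}

# Constructed key store: provider -> (header carrying the key, key value).
# In production this lives in the gateway's secure store, never in client code.
KEY_STORE = {
    "google": ("X-Goog-Api-Key", "APIKey_Google"),
    "x": ("X-Api-Key", "APIKey_X"),
    "y": ("X-Api-Key", "APIKey_Y"),
}


def fingerprint(secret: str) -> str:
    """Short hash for logs and audits so the key itself is never written out."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def outbound_request(sso_token: str, provider: str, path: str) -> dict:
    """Build the request the gateway sends to the provider on the client's behalf.
    Returns {"ok": False, "error": ...} instead of raising so the caller can map
    the outcome to an HTTP status."""
    client = SESSIONS.get(sso_token)
    if client is None:
        return {"ok": False, "error": "unknown or expired SSO token"}
    if provider not in PROVIDER_ACL.get(client, set()):
        return {"ok": False, "error": f"{client} is not entitled to call {provider}"}
    if provider not in KEY_STORE:
        return {"ok": False, "error": f"no API key configured for {provider}"}
    header, key = KEY_STORE[provider]
    return {
        "ok": True,
        "provider": provider,
        "path": path,
        "headers": {header: key, "X-Gateway-Client": client},
        "audit": f"client={client} provider={provider} key_fp={fingerprint(key)}",
    }


if __name__ == "__main__":
    print(outbound_request("sso-token-aaa", "google", "/maps/v1/geocode"))
    print(outbound_request("sso-token-aaa", "y", "/"))
    print(outbound_request("bogus", "google", "/"))
```

Because the provider key never reaches the client, rotating it is a gateway-only change, and the audit line identifies which key was used by fingerprint without ever logging the secret.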
10. Oracle API Gateway – Configuration & Management Tools
[Diagram: Policy Studio, API Gateway Manager and API Gateway Analytics each connect through a connector to the Oracle API Gateway instance (core engine), which feeds usage metrics to Analytics.]
Policy Studio is a policy development and configuration tool
• Enables policy developers to easily configure API Gateway policies and settings to control and protect deployed API services and Web services.
• Policy Studio is typically installed on a separate machine from the API Gateway to enable remote administration.
API Gateway Manager is a centralized web-based dashboard
• Enables administrators to control and manage API Gateways and groups in a domain.
• Connects to the Node Manager on each host, and displays aggregated monitoring data from multiple API Gateway instances.
Policy Development
An Oracle API Gateway policy developer typically performs the following tasks:
• Develops API Gateway policies and solution packs.
• Customizes and extends the API Gateway using scripting.
• Creates Java classes and/or custom filters using the API Gateway filter SDK.
• Uses the Policy Studio, API Gateway Explorer, and API Gateway Manager tools.
API Gateway Analytics is a separately installed tool used by administrators
• Generates reports and charts based on usage metrics for all services and API Gateways in a domain.
• API Gateway Analytics provides integration with databases such as MySQL Server, MS SQL Server, and Oracle.
• Includes both real-time and historical metrics.
11. Oracle API Gateway – Managed Domain Architecture
[Diagram: Policy Studio and the browser-based Manager UI connect to the Admin Node Manager of the domain. A Node Manager on each host (Node 1 (Master), Node 2) runs server instances that belong to Services Group 1, Services Group 2, or a single-member TEST GROUP.]
A Domain is the set of all hosts (physical machines) running API Gateway instances, which are managed centrally by the API Gateway Manager tool.
API Gateway's group-based domain architecture enables you to break projects down into logical groups and manage configuration across your organization. This provides manageability and scalability, and enables you to perform load balancing and failover across distributed deployments.
Group
• A number of API Gateway instances that all run the same configuration.
• Can run across more than one physical host machine.
• Can include more than one API Gateway instance on the same host.
• Each API Gateway in the group runs the same configuration.
• Each API Gateway has its own deployment descriptor file (envSettings.properties).
• A group also has a deployment descriptor, which specifies settings values that are the same across the group but may differ in different environments.
• A standalone API Gateway runs in a group of one member (TEST GROUP in the diagram).
• Deploy, manage, and monitor a group of API Gateways using the Policy Studio and the browser-based API Gateway Manager.
Node Manager (server-side process)
• Manages and monitors API Gateway instances on the host.
• Only one Node Manager runs per host.
• Communication between the Node Manager and the API Gateway is secured using SSL.
• Policy Studio and the browser-based API Gateway Manager are clients of the Node Manager.
• The first Node Manager added in a domain is known as the Admin Node Manager.
• The Admin Node Manager acts as the master Node Manager. It performs Role-Based Access Control (RBAC), and forwards requests to other Node Managers when required.
• The Admin Node Manager also manages and deploys configuration to the API Gateway instance(s) in a domain.
12. Oracle API Gateway – Concepts (Filter, Policy, Message Attribute, Selector, Faults, Policy Shortcuts & Alerts)
Filter is an executable rule that performs a specific type of processing on a message.
• Example: the Message Size filter rejects messages that are greater or less than a specified size.
• Categories of message filters available with the API Gateway include authentication, authorization, content filtering, signing, and conversion.
Policy is a network of message filters in which each filter is a modular unit that processes a message.
• A message can traverse different paths through the policy, depending on which filters succeed or fail.
• A policy can also contain other policies, which enables you to build modular reusable policies.
• A policy must have a Start filter. Filters labeled End stop the execution of the policy if the filter execution fails.
• A policy starts with a START filter and ends with an END filter.
[Screenshot: an example policy with success paths and a single failure path, showing Policy, Filter and Message Attributes nodes; not reproduced here.]
Message Attributes
• Each filter requires input data and produces output data (message attributes).
• Specific filters enable you to create your own message attributes and to set their values.
• The Trace filter enables you to trace message attribute values at execution time.
Selector is a special syntax that enables API Gateway configuration settings to be evaluated and expanded at runtime based on metadata.
Faults: when a SOAP transaction fails, you can use a SOAP fault to return error information to the SOAP client.
Policy Shortcut enables you to create a link from one policy to another policy.
Ex: create a policy that inserts security tokens into a message, and another that adds HTTP headers. You can then create a third policy that calls the other two policies using Policy Shortcut filters.
Alerts send alert messages for specified events to various alerting destinations. System alerts are usually sent when a filter fails, but they can also be used for notification purposes.
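To make the concepts on this slide concrete, the following is an added example (not Oracle's code, and not the API Gateway's filter SDK): a toy policy engine in which a Policy is a network of Filters, each filter reads and writes message attributes and returns success or failure, execution runs from the Start filter along success/failure paths until a filter marked End, a Policy Shortcut filter runs another policy, a Trace filter records attribute values, and a SOAP Fault filter builds the error returned to the client. The two shortcut policies are the slide's own example (insert security tokens, add HTTP headers); filter names, attribute names, the size limit and the sample messages are constructed.

```python
"""Added example (not Oracle's code): a toy policy engine modelling the concepts
on this slide. A Policy is a network of Filters; each filter reads and writes
message attributes and returns success or failure; execution starts at the
Start filter, follows the success or failure path, and stops at a filter marked
End; a Policy Shortcut filter runs another policy; a Trace filter records
attribute values; a SOAP Fault filter builds the error returned to the client.
Filter names, attribute names, the size limit and sample messages are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

Message = Dict[str, object]      # message attributes, keyed like "content.body"


@dataclass
class Filter:
    name: str
    run: Callable[[Message], bool]      # True = take the success path
    on_success: Optional[str] = None    # name of the next filter on success
    on_failure: Optional[str] = None    # name of the next filter on failure
    end: bool = False                   # End filter: the policy stops here


@dataclass
class Policy:
    name: str
    start: str
    filters: Dict[str, Filter]

    def execute(self, msg: Message) -> bool:
        """Walk the filter network from the Start filter; the policy result is
        the result of the last filter executed."""
        current = self.filters[self.start]
        while True:
            ok = current.run(msg)
            msg.setdefault("policy.log", []).append(
                f"{self.name}/{current.name}: {'pass' if ok else 'fail'}")
            nxt = current.on_success if ok else current.on_failure
            if current.end or nxt is None:
                return ok
            current = self.filters[nxt]


# --- filter implementations (each returns a run() callable) -----------------
def message_size(max_bytes: int):
    return lambda msg: len(msg.get("content.body", b"")) <= max_bytes


def set_attribute(name: str, value):
    def run(msg):
        msg[name] = value
        return True
    return run


def trace(*attrs: str):
    def run(msg):
        msg.setdefault("trace", []).append({a: msg.get(a) for a in attrs})
        return True
    return run


def policy_shortcut(policy: Policy):
    return policy.execute           # another policy used as a single filter


def soap_fault(code: str, text: str):
    def run(msg):
        msg["response"] = (f"<soap:Fault><faultcode>{code}</faultcode>"
                           f"<faultstring>{text}</faultstring></soap:Fault>")
        return False                # the policy as a whole fails: fault goes back
    return run


# --- policies from the slide's Policy Shortcut example ----------------------
insert_token = Policy("Insert Security Token", "tok", {
    "tok": Filter("Set SAML token", set_attribute("security.token", "SAML-assertion (constructed)"), end=True)})

add_headers = Policy("Add HTTP Headers", "hdr", {
    "hdr": Filter("Set X-Gateway header", set_attribute("http.headers.X-Gateway", "oag"), end=True)})

inbound = Policy("Inbound", "size", {
    "size": Filter("Message Size", message_size(256), on_success="tok", on_failure="fault"),
    "tok": Filter("Policy Shortcut: Insert Security Token", policy_shortcut(insert_token), on_success="hdrs"),
    "hdrs": Filter("Policy Shortcut: Add HTTP Headers", policy_shortcut(add_headers), on_success="trace"),
    "trace": Filter("Trace", trace("security.token", "http.headers.X-Gateway"), end=True),
    "fault": Filter("SOAP Fault", soap_fault("Client", "message too large"), end=True),
})


def process(body: bytes) -> Message:
    """Run the inbound policy over a constructed message and return its attributes."""
    msg: Message = {"content.body": body}
    msg["policy.result"] = inbound.execute(msg)
    return msg


if __name__ == "__main__":
    for attrs in (process(b"<weatherreport/>"), process(b"x" * 300)):
        print(attrs["policy.result"], attrs.get("response"), attrs["policy.log"])
```

A message that passes the Message Size filter takes the success path through both shortcut policies and ends at the Trace filter; an oversized one takes the single failure path to the SOAP Fault filter, which is an End filter, so none of the token or header attributes are ever set for it.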
13. Oracle API Gateway – Concepts (Policy Container, Policy Context, Process, Listeners, Protocol Mediation, Remote Hosts, Servlet Application, Configuration Profile, Service Virtualization)
Policy Container: used to group similar policies together (for example, all authentication or logging policies), or policies that relate to a particular service.
Policy Context: policies can execute in a specified context (set a context by associating a relative execution path or listener with a policy).
Process: an instance of the API Gateway capable of running on a host.
Listeners: define different types of listeners and associate them with specific policies.
Protocol Mediation: the API Gateway can be used to provide protocol mediation (for example, receiving a SOAP request over JMS, and transforming it into a SOAP/HTTP request to a backend service).
Remote Hosts: define a remote host when you need more control of the connection settings to a particular server (HTTP version, IP addresses, timeouts, buffers, caches).
Servlet Applications: provides a Web server and servlet application server that can be used to host static content (for example, documentation for your project), or servlets providing internal services.
Configuration Profile: contains the configuration information required to run the API Gateway. For example, a specific Configuration Profile instance can store certificates, users, core policies and services, external connections, or listeners.
Service Virtualization: when you register an API service or Web Service, and deploy it to the API Gateway, the API Gateway virtualizes the service. Instead of connecting to the service directly, clients connect through the API Gateway. The API Gateway can then apply policies to messages sent to the destination service.