
Oracle Fusion Middleware

Oracle API Gateway Concepts Guide
11g Release 2 (11.1.2.4.0)

July 2015


Oracle API Gateway Concepts Guide, 11g Release 2 (11.1.2.4.0)
Copyright 1999, 2015, Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this software or related documentation is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

This software is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications which may create a risk of personal injury. If you use this software in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use of this software. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software in dangerous applications.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

This software and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services. This documentation is in prerelease status and is intended for demonstration and preliminary use only. It may not be specific to the hardware on which you are using the software. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to this documentation and will not be responsible for any loss, costs, or damages incurred due to the use of this documentation.

The information contained in this document is for informational sharing purposes only and should be considered in your capacity as a customer advisory board member or pursuant to your beta trial agreement only. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle.

This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. Your access to and use of this confidential material is subject to the terms and conditions of your Oracle Software License and Service Agreement, which has been executed and with which you agree to comply. This document and information contained herein may not be disclosed, copied, reproduced, or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.

27 July 2015

Contents

Preface
  Who should read this document
  How to use this document

1 Introduction to API Gateway
  Overview
  API Gateway services
    API transformation
    API control and governance
    API security
    API monitoring
    API development lifecycle
    API administration
  API Gateway is core infrastructure
  API Gateway user roles
  API Gateway features
    Integration
    Performance
    Governance
    Security
    Form factors

2 API Gateway tools
  Overview
  API Gateway
  Policy Studio
  API Tester
  Configuration Studio
  API Gateway Manager
  API Gateway Analytics
  Key Property Store
  Embedded Apache ActiveMQ

3 API Gateway architecture
  Overview
  API Gateway groups
  API Gateway domains
    Simple API Gateway domain
    Complex API Gateway domain
  Solution partitioning
  Virtualization
  Environment topology
  Availability, load balancing, and scalability

4 API Gateway documentation
  Overview
  API Gateway library

Glossary

Preface

This document provides an overview of the API Gateway and describes its main concepts, features, and architecture.

Who should read this document

The intended audience for this document is API Gateway architects and evaluators, and all users who are new to API Gateway (for example, policy developers or system administrators). For details on installing API Gateway, see the API Gateway Installation Guide.

How to use this document

This document should be used with the other documents in the API Gateway documentation set. Before you begin, review this document thoroughly. The following is a brief description of the contents of each topic:
• Introduction to API Gateway provides an overview of the services and infrastructure provided by API Gateway, and describes the main user roles and high-level functionality.
• API Gateway tools introduces each of the main API Gateway component tools.
• API Gateway architecture explains the main concepts and components in the API Gateway architecture, and shows example deployment scenarios.
• API Gateway documentation shows where to look in the API Gateway documentation library for more details.

1 Introduction to API Gateway

Overview
Oracle API Gateway manages, delivers, and secures enterprise APIs, applications, and consumers. The following overview diagram shows the range of transports and protocols supported by API Gateway on the left, and the services that it provides on the right:

API Gateway services

The main services supported by Oracle API Gateway are described in this section.

API transformation
The API transformation features include the following:
• API virtualization and mediation
• Wide range of protocols, data formats, and standards
• Bi-directional transformation (for example, REST-to-SOAP, XML-to-JSON, and HTTP-to-JMS)

API control and governance


The API control and governance features include the following:
• Service Level Agreement (SLA) monitoring and enforcement
• Quota management, traffic throttling, and load balancing
• Content-based routing, blocking, and processing
• Auditing of transactions

API security
The API security features include the following:
• Protect APIs at all levels (interface, access, and data)
• Authentication and authorization
• Identity mediation and integration with IDM platforms
• Data monitoring, redaction, encryption, and signing
• Key and certificate management

API monitoring
The API monitoring features include the following:
• Real-time API monitoring, with alerting based on errors, exceptions, and thresholds
• Configurable logging of API transaction data
• Analyze API use for insight and trends
• Automated generation and delivery of reports

API development lifecycle


The API development features include the following:
• Manage API lifecycle from creation to end-of-life
• Drag-n-drop policy creation with intuitive flowchart metaphor
• Extensive library of pre-built policy rules
• Interactive API testing tool
• Promotion between environments

API administration
The API administration features include the following:
• Manage all aspects of the daily API operations
• Transaction management
• Tracing and debugging
• OAuth client management
• Managing JMS-based messaging

For more details, see API Gateway features.

API Gateway is core infrastructure


API Gateway does for APIs what the application server does for applications. This API Gateway role as core application infrastructure is shown as follows:

The API Gateway can be seen as the API runtime environment, which provides core services such as the following:
• Security (for example, authentication and authorization)
• Connectivity with a range of different protocols
• Virtualization
• Scalability and elasticity
• High availability
• Manageability (for example, using API Gateway Manager)
• Development simplicity
Because the API Gateway provides this core API infrastructure, developers can focus on providing the application logic. They no longer need to build these services into their application, and can leverage the core infrastructure provided by the API Gateway.
Previously, the API was not treated as a first class citizen, and in many cases was part of the application interface. However, the API Gateway sees the API as a first class artifact, with its own particular constructs, and its own runtime environment. The API Gateway provides all of the same benefits for the API that the application server provides for the application. In this way, it is important to distinguish between the API and the application as two distinct entities.

API Gateway user roles


API Gateway provides the following main user roles:

These user roles are described as follows:
• Policy developer
  This user role virtualizes APIs and develops policies for APIs. Policies are rules used to govern or manage an API (for example, for security, integration, SLA monitoring, or transformation). This is a technical developer role.
• KPS administrator
  This is a business or operational role managing dynamic policy configuration data in a Key Property Store (KPS). A KPS is used to store parameters that are passed into policies at runtime (for example, authorization levels, quotas, or customer details). This means that these details do not need to be configured by the policy developer.
• API Gateway administrator
  This role monitors, manages, and troubleshoots the API Gateway. It has full administrative privileges, including deployment of API Gateway configurations.
  This is the traditional system administration or operational role for the API Gateway. It involves keeping the API Gateway running, monitoring its operation, managing any settings, and performing any troubleshooting. This user typically works in an upstream staging or production environment instead of in a development environment.
• API Gateway operator
  This role monitors the API Gateway. It has read-only administrative capability. This is typically a production operations role.
• Deployer
  This role deploys API Gateway configurations using scripts. It has a restricted deployment role, and is typically used in production environments.

API Gateway features


API Gateway provides a comprehensive platform for managing, delivering, and securing APIs. It provides integration, acceleration, governance, and security for Web API and SOA-based systems. This section describes the high-level functionality available in API Gateway.

Integration
API Gateway provides the following integration features:
• Identity management
  API Gateway integrates with existing third-party Identity Management (IM) infrastructures to perform authentication and authorization of message traffic. For example, integration is provided with LDAP, Microsoft Active Directory, Oracle Access Manager, Computer Associates SiteMinder, Entrust GetAccess, IBM Tivoli Access Manager, RSA Access Manager, and other IM products. API Gateway also interoperates with leading integration products and platforms (for example, Microsoft .NET, Oracle WebLogic, IBM WebSphere, and SAP NetWeaver).
• Scalability
  API Gateway is designed to offer a highly flexible and scalable solution architecture. Administrators can deploy new API Gateway instances as needed, and deploy the same or different policies across a group of API Gateway instances as required. This enables administrators to apply policies at any point in their system. Policy enforcement points can be distributed around the network, anywhere traffic is being passed.
• Pluggable pipeline
  The API Gateway internal message-handling pipeline is extensible, enabling extra access control and content-filtering rules to be added with ease. Customers do not have to wait for a full product release before receiving updates of support for emerging standards and for additional adapters.
• REST APIs
  The API Gateway REST support enables you to make enterprise application data and operations available using Web APIs. For example, you can convert a legacy SOAP service, and deploy it as a REST API to be consumed by mobile apps. REST-to-SOAP conversion is easy to achieve using the API Gateway. It can expose REST APIs that map to SOAP services, dynamically creating a SOAP request based on the REST API call.
• Internationalization (i18n)
  API Gateway includes support for multi-byte message data and a wide range of international languages and character sets. For example, this includes requests in languages such as Chinese, German, French, Spanish, Danish, Serbian, Russian, Japanese, Korean, Greek, Arabic, Hebrew, and so on. The API Gateway supports character sets such as UTF-8, KO-I8, UTF-16, UTF-32, ISO-8859-1, EUC-JP, US-ASCII, ISO-8859-7, and so on.

Performance
API Gateway accelerates performance as follows:
• Processing offload
  You can use API Gateway to offload the heavy lifting of XML from application servers, and onto the network. This frees up resources on application servers and enables applications to run faster. Oracle's patented high-performance core XML acceleration engine, coupled with hardware acceleration, ensures wire speed network performance.
• Acceleration engine
  The core acceleration engine is integrated into API Gateway to accelerate the essential XML security primitives. This engine provides XML processing at faster levels than those performed by common JAXP implementations in application servers and other applications that sit downstream from API Gateway. The acceleration engine performs Document Object Model (DOM) processing, XPath, JSON Path, XSLT conversion, and validation of XML and JSON.
• Data enrichment
  API Gateway can automatically populate content in XML and JSON documents from sources such as databases. By putting this functionality onto the network infrastructure, data is automatically populated in messages before they reach the consuming services. This simplifies and accelerates applications in ESBs and application servers.

Governance
API Gateway provides the following governance features:
• Ease of deployment
  API Gateway includes many features that speed up deployment. For example, certificates and private keys, necessary for XML security functions, are issued onboard. API Gateway has a deny-by-default defense posture, to detect and block unauthorized deployments of services. Policies can be re-applied across multiple endpoints using simple menus. Policies can also be imported and exported as XML files. This minimizes time needed to replicate policies across multiple API Gateways, or to move from a staging system to production environment.
• Centralized management
  A web-based system management dashboard provides centralized control of API Gateways in your domain. API Gateway Manager provides quick and easy access to enable you to manage your API Gateways and services. For example, you can use monitoring and a traffic log to monitor messages sent through API Gateways in your domain. All monitoring data can be aggregated across multiple API Gateway instances in a group or domain.
• The Policy Studio tool enables administrators to add security and management policies to the API Gateway, and to manage policy versions across multiple API Gateways. This enables enterprise policy management to be brought under centralized control, rather than be managed separately on each API Gateway.
• Reporting
  The API Gateway Analytics tool provides auditing and reporting on usage across all entry points and creates comprehensive reports to meet operational and compliance requirements. API Gateway Analytics also provides root cause analysis by identifying common failure points in multi-service transactions. If a service fails, and impacts the transaction as a whole, API Gateway Analytics can detect this and generate alerts.
• Traffic throttling
  API Gateway protects services from unanticipated traffic spikes by smoothing out traffic. It also limits clients to agreed service consumption levels in accordance with service usage agreements. This enables Oracle customers to charge their clients for different levels of service usage.

Security
API Gateway includes the following security features:
• Identity mediation
  Through its support for a wide range of security standards, API Gateway enables identity mediation between different identity schemes. For example, the API Gateway can authenticate external clients by username and password, but then issue SAML tokens that are used for identity propagation to application servers.
• API management
  API Gateway enables you to secure Web APIs against attack and abuse. It also enables you to govern and meter access to and usage of Web APIs. API Gateway provides support for API management security standards such as OAuth. This enables you to share private resources with third-party websites without needing to provide credentials.
• Application-level networking
  API Gateway routes data based on sender identity, content, and type. This enables messages to be sent to the appropriate application in a secure manner. It also enables service virtualization, where services are exposed to clients with virtual addresses to mask their actual addresses for security and application delivery. In this way, the API Gateway acts as an important control point for network traffic by shielding endpoint services from direct access.
• Audit trail
  API Gateway satisfies audit requirements by enabling service transactions to be archived in a tamper-proof store for subsequent audit. Oracle also facilitates privacy compliance support by allowing sensitive information, such as customer names, to be encrypted or stripped out of message traffic.

Form factors
API Gateway is available on Windows, Linux, and Solaris. For more details on supported platforms, see the API Gateway Installation Guide.

2 API Gateway tools

Overview
Oracle API Gateway provides powerful easy-to-use tools that enable you to develop, deploy, and manage API solutions. This topic introduces each of the API Gateway tools:

For more details, see the API Portal User Guide.

API Gateway
The central API Gateway core component is described as follows:
• Provides the runtime environment for exposing virtualized APIs and executing policies
• Implemented using combination of native code for performance and Java for extensibility
• Deployed and managed in a distributed environment of multiple servers providing scalability and availability
• Available in the following form factors:
  ◦ Software: Windows, Linux, and Solaris
In enterprise organizations, the API Gateway is typically deployed in the DMZ between the public Internet and private intranet.
For more details, see API Gateway architecture.

Policy Studio
Policy Studio is a graphical tool that enables you to virtualize APIs and develop policies (for example, to enforce security, compliance, and operational requirements). It includes the following features:
• Flow-chart style visualization for easy development and maintenance
• Graphical drag-n-drop user interface that enables you to drag filters (processing rules) onto the policy canvas and configure them
• Extensive library of filters to build powerful policies
The following example shows the policy canvas at the center and the filter library on the right:

A filter is an executable rule that performs a specific type of processing on a message. For example, the Message Size filter rejects messages that are greater or less than a specified size.
There are many categories of message filters available with the API Gateway (for example, Authentication, Authorization, Content Filtering, Conversion, Trust, and so on). In Policy Studio, a filter is displayed as a block of business logic that forms part of an execution flow known as a policy.
A policy is a network of filters in which each filter is a modular unit that processes a message. A message can traverse different paths through the policy, depending on which filters succeed or fail. For example, this enables you to configure policies that route messages that pass a Schema Validation filter to a back-end system, and route messages that pass a different Schema Validation filter to a different system.
A policy can also contain other policies, which enables you to build modular reusable policies. In Policy Studio, the policy is displayed as a path through a set of filters, as shown in the previous example.
For more details, see the API Gateway Policy Developer Guide.
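
The execution model described above, sketched as an added example (a conceptual Python model, not Policy Studio output or the product's API): a policy is a graph of filters with success and failure edges, a message with no remaining path is rejected, and a policy can be embedded in another policy as one step. The filter names, the required-field check standing in for Schema Validation, and the back-end names are assumptions made for illustration.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Filter:
    """One executable rule; the edges name the next filter for each outcome."""
    name: str
    check: Callable[[dict], bool]
    on_success: Optional[str] = None   # None ends the path
    on_failure: Optional[str] = None   # None ends the path (message rejected)


class Policy:
    """A network of filters; the verdict is the outcome of the last filter run."""

    def __init__(self, name: str, start: str, filters: List[Filter]):
        self.name, self.start = name, start
        self.filters: Dict[str, Filter] = {f.name: f for f in filters}

    def run(self, msg: dict) -> bool:
        current, passed = self.start, False
        for _ in range(len(self.filters) + 1):     # bounded walk: a cycle cannot loop forever
            if current is None:
                return passed
            node = self.filters.get(current)
            if node is None:
                return False                       # edge to an unknown filter: reject
            try:
                passed = bool(node.check(msg))
            except Exception:
                passed = False                     # a crashing filter fails closed
            outcome = "pass" if passed else "fail"
            msg.setdefault("trace", []).append(f"{self.name}/{node.name}:{outcome}")
            current = node.on_success if passed else node.on_failure
        return False                               # path longer than the graph: reject

    def as_filter(self, on_success=None, on_failure=None) -> Filter:
        """Embed this policy in another one as a single reusable step."""
        return Filter(self.name, self.run, on_success, on_failure)


def message_size(min_bytes: int, max_bytes: int):
    """Reject bodies smaller or larger than the configured bounds."""
    return lambda msg: min_bytes <= len(msg["body"]) <= max_bytes


def has_fields(*required: str):
    """Assumed stand-in for Schema Validation: a JSON object with these keys."""
    def check(msg):
        doc = json.loads(msg["body"])              # malformed JSON raises, so the filter fails
        return isinstance(doc, dict) and all(k in doc for k in required)
    return check


def route_to(destination: str):
    def check(msg):
        msg["route"] = destination
        return True
    return check


# Reusable sub-policy, embedded below as the first step of the API policy.
edge_checks = Policy("edge-checks", "size", [Filter("size", message_size(2, 1024))])

api_policy = Policy("orders-api", "edge-checks", [
    edge_checks.as_filter(on_success="order-schema"),
    Filter("order-schema", has_fields("order_id", "items"),
           on_success="to-orders", on_failure="invoice-schema"),
    Filter("invoice-schema", has_fields("invoice_id", "amount"),
           on_success="to-billing"),
    Filter("to-orders", route_to("orders-backend")),
    Filter("to-billing", route_to("billing-backend")),
])


def handle(body: bytes):
    """Run one message through the policy; returns (accepted, route, trace)."""
    msg = {"body": body}
    accepted = api_policy.run(msg)
    return accepted, msg.get("route") if accepted else None, msg["trace"]


if __name__ == "__main__":
    # Constructed sample messages.
    for body in (b'{"order_id": 7, "items": ["a"]}', b'{"invoice_id": 9, "amount": 12.5}',
                 b'{"hello": "world"}', b"not json", b"x" * 2000):
        print(handle(body))
```

The trace makes the path visible for each message, which is the same information the text says Policy Studio displays as a path through a set of filters.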


API Tester
Oracle API Tester is a graphical tool that enables you to test API performance, scalability, and security. For example, you can use API Tester to send an example request message to a specific API service, and view the associated response.

API Tester includes the following features:
• REST API and SOAP Web services testing
• Security token insertion (for example, WS-Security and SAML)
• SOAP attachment management
• Simplified certificate and key management
• Test case creation and stress testing
For more details, see the API Tester User Guide.

Configuration Studio
Configuration Studio is a graphical tool used to promote API Gateway configuration from development environments to upstream environments (for example, testing or production). Configuration Studio enables API Gateway administrators to take configuration prepared by policy developers, and to create environment-specific configuration for deployment. Configuration Studio is designed for the skills of upstream administrators, and does not assume expertise in policy development and policy configuration.

Configuration Studio enables administrators to perform tasks such as the following:
• Open a policy package (.pol) received from a development environment.
• Specify values for environment-specific settings selected in a development environment (for example, policy, listener, and external connections).
• Import or create environment-specific certificates and keys.
• Define environment-specific users and user groups.
• Export the environment package to a file on disk. The environment package is implemented as an .env file.
For more details, see the API Gateway Deployment and Promotion Guide.

API Gateway Manager


API Gateway Manager is a Web-based administration console that enables you to perform operational monitoring, management, and troubleshooting.

API Gateway Manager includes the following features:
• Dashboard displaying the distributed topology with a real-time overview of message traffic by domain, group, and API Gateway
• Real-time monitoring of message traffic and content, enabling easy identification of exceptions and drilling into message details
• Real-time monitoring of performance metrics by API service, system, and remote host
• Aggregated view of audit, alert, and SLA alert messages across the domain
• Centralized viewing of audit and debug logs of each API Gateway instance
• Managing dynamic system settings
• Managing user roles assigned in the domain
For more details, see the API Gateway Administrator Guide.

API Gateway Analytics


API Gateway Analytics is a Web-based monitoring and reporting console that enables you to generate scheduled reports and analyze API use in multiple API Gateways across the domain.

API Gateway Analytics includes the following features:
• Web-based console that monitors and reports on all API Gateways in the domain (multiple API Gateways are shown on the left in the diagram)
• Reporting over an extended time period rather than immediate operational monitoring
• Analysis of what APIs are used, how often APIs are used, when APIs are used, and who is using APIs
• Scheduled reports in PDF format can be emailed to specific users
For more details, see the API Gateway Administrator Guide.

Key Property Store


A Key Property Store (KPS) is used to store configuration parameters that are dynamically passed into policies at runtime. This enables policy configuration data to be managed directly by business or operational users at runtime, and allows dynamic change of policy behavior.

A KPS includes the following features:
• Policies look up configuration data in the KPS at runtime to dynamically determine behavior
• Policies developed in the Policy Studio use a selector syntax to specify context-sensitive lookup of policy configuration data at runtime from the KPS (for example, ${kps.CustomerProfiles[JoeBloggs].age} obtains the age of the specified customer)
• Provides a read-frequently, write-occasionally cache with backing stores
• Policy-specific UIs can be developed for business or operational users to manage the policy configuration data in the KPS
For more details, see the API Gateway Key Property Store User Guide.

Embedded Apache ActiveMQ


API Gateway can act as a native Java Message Service (JMS) provider by embedding Apache ActiveMQ. This enables the API Gateway to integrate external facing REST APIs and SOAP Web services with back-end systems and applications using reliable, asynchronous messaging.
For internal integration and ESB-style projects, API Gateway provides a messaging and mediation solution to route and transform messages flowing between applications and services. In addition, JMS queues hosted on the embedded ActiveMQ can be used by API Gateway policies to provide asynchronous policy behavior.
An ActiveMQ broker is embedded in each API Gateway instance, with brokers organized by API Gateway groups. An active/active deployment is supported to ensure high availability of the messaging infrastructure, with an external shared file system used for the persistent message store.
Queue and topic management is integrated into the API Gateway Manager web console, which enables the API administrator to view queues and topics, messages on queues, and individual message contents. For example:

The API Gateway installation includes the ActiveMQ Java JMS 1.1 client library, which applications can use to send and receive messages to and from the queues and topics hosted on the embedded ActiveMQ broker. In addition, ActiveMQ clients that use the OpenWire protocol (ActiveMQ default transport protocol) can interact with the embedded broker. For more details, see http://activemq.apache.org/openwire.html.

For details on how to manage ActiveMQ brokers embedded in the API Gateway, see the API Gateway Administrator Guide.

3 API Gateway architecture

Overview
The API Gateway supports a distributed architecture based on groups of API Gateways in an administrative domain. The benefits of this architecture include the following:
• Managing a group of API Gateways as a single unit
• Solution partitioning by group
• Load balancing, scalability, and availability across the group
• Virtualization by separating logical and physical architectures, decoupling what is built from the physical architecture that runs it, to enable infrastructure flexibility and scalability
• Running multiple isolated API applications on shared virtualized infrastructure
• Managing the domain based on administrative boundaries

API Gateway groups

An API Gateway group consists of one or more API Gateway instances that are managed as a unit and run the same configuration to virtualize the same APIs and execute the same policies. API Gateway groups enable you to organize API Gateway instances by solution type and manage them as a single entity.
The following diagram shows two API Gateway groups, each consisting of two API Gateway instances, distributed across two different host machines. Each API Gateway instance in the same group runs the same configuration to distribute the APIs and policies across both hosts for scalability and availability. Both groups run different configurations to virtualize different APIs, and run different policies that manage different solutions:

This group-based architecture is described as follows:
• API Gateways are deployed on the host machines.
• API Gateways are organized into groups of multiple API Gateways. A group must contain at least one API Gateway.
• All API Gateways in the group run the same configuration to virtualize the same APIs and execute the same policies. Partitioning of APIs and policies into different configurations should be performed by solution type.
• Groups span multiple host machines to provide availability, scalability, and load balancing.
• Management operations are performed on groups. For example:
  ◦ Aggregating monitoring information from API Gateways in the group
  ◦ Deploying API and policy configurations to all API Gateways in the group

Note
Multiple API Gateways can run on the same host machine. However, each API Gateway would be in a different group and run a different configuration. There is no benefit to running multiple API Gateways in the same group on a single host machine.

API Gateway domains


An API Gateway domain is a distinct administrative entity that consists of multiple groups spanning multiple host machines. Domains are scoped on the boundaries of administrative control, which may be organizational or geographical.
Multiple domains are possible based on different boundaries of administrative control. For example, you might have different domains for development and production environments, or different domains for each business unit.

Simple API Gateway domain


The following diagram shows the deployment of the two groups from the previous example in the context of a domain:

This domain-based architecture is described as follows:
• The Admin Node Manager in the domain is the central administration server for the entire domain, and is responsible for performing all management operations across the domain.
• The Node Manager (NM) on each machine manages all the local API Gateways on that machine, regardless of the group they are in. This includes the following:
  ◦ Collecting monitoring information
  ◦ Managing dynamic settings
  ◦ Deploying API and policy configurations
• In addition to managing the local API Gateways on its host, the Admin Node Manager communicates with the NMs to perform management operations across the domain.
• Node Managers only communicate with the Admin Node Manager.
• The API Gateway Manager and Policy Studio tools connect to the Admin Node Manager.
• Role-Based Access Control (RBAC) for administrative users is across the domain. For example, an API Gateway administrator can log in to API Gateway Manager and manage all API Gateways and groups in the domain.
• There is a single API Gateway Analytics database in a domain. All API Gateways record analytics information in this single database.

Note
A single Admin Node Manager is deployed in the domain by default. However, you must configure at least two Admin Node Managers for high availability. For more details, see the API Gateway Administrator Guide.

Complex API Gateway domain


The following diagram shows a more complex domain with three groups distributed across four host machines:

Solution partitioning
API Gateway groups enable you to partition your APIs and policies by solution type. Partitioned APIs and policies associated with specific solutions are implemented in different API Gateway configurations, which are deployed to different groups and managed independently.
The following diagram shows an example API Gateway solution partitioned into groups:

Virtualization
The API Gateway group and domain-based architecture enables virtualization by separating logical and physical architectures. The APIs and policies that are built and packaged into API Gateway configurations are decoupled from the physical architecture that they run on, which provides flexibility and scalability of infrastructure.

Environment topology
The following diagram shows a typical environment topology that includes separate domains for each environment:

In this context, promotion refers to moving API Gateway configuration between environments and ensuring that environment-specific settings are properly configured. Deployment refers to the physical act of pushing configuration to an API Gateway instance (for example, using Policy Studio).
For details on how to promote between environments, see the API Gateway Deployment and Promotion Guide.

Availability, load balancing, and scalability


Availability and horizontal scalability are achieved by deploying multiple API Gateways on multiple hosts and load balancing across them using a standard load balancer. The API Gateway imposes no special requirements on load balancers. Loads are balanced on a number of characteristics including the response time or system load.
API Gateways being load balanced must run the same configuration to virtualize the same APIs and execute the same policies. If multiple groups are deployed, load balancing should be across groups also. For example, the following diagram shows load balancing across two groups of API Gateways deployed on two hosts:

The execution of policies is stateless, and the route that a message takes has no bearing on its processing. No session data is created, so there is no need to replicate session state across API Gateways. If the policies use caches and counters, these should be configured to use the distributed cache shared by all API Gateways. For more details on caching, see the API Gateway Policy Developer Guide.


API Gateway documentation

Overview
This topic shows where to look in the documentation library for more detailed information.

API Gateway library


The API Gateway documentation library includes the following user guides:

| Document | Description |
|---|---|
| API Gateway Installation Guide | Describes how to install API Gateway components on all platforms, and how to upgrade API Gateway versions. |
| API Gateway Administrator Guide | Describes how to configure and manage the components in an API Gateway domain. |
| API Gateway Policy Developer Guide | Describes the main API Gateway features (for example, policies, filters, and configuration options), and how to configure them using the Policy Studio graphical tool. |
| API Gateway Deployment and Promotion Guide | Describes how to promote and deploy API Gateway configuration between different environments (for example, development, testing, and production). |
| API Gateway OAuth User Guide | Describes how to configure and manage the API Gateway for use with the OAuth open standard for authentication. |
| API Tester User Guide | Describes how to use the API Tester graphical tool to test REST-based APIs and SOAP-based web services. |
| API Gateway Developer Guide | Describes how to extend, leverage, and customize the API Gateway to suit the needs of your environment. |
| API Gateway Key Property Store User Guide | Describes how to configure and manage the API Gateway Key Property Store (KPS). This enables you to manage data referenced from policies running on the API Gateway. |
| API Gateway PassPort Interoperability Guide | Describes how to integrate API Gateway and Axway PassPort. |
| API Gateway Sentinel Interoperability Guide | Describes how to integrate API Gateway and Axway Sentinel. |
| API Gateway Validation Authority Interoperability Guide | Describes how to integrate API Gateway and Axway Validation Authority. |


Glossary

Admin Node Manager


An API Gateway component responsible for managing API Gateway instances in a domain. For
example, this includes collecting monitoring information, managing dynamic settings, and
deploying API and policy configuration. The Admin Node Manager must be running to use the
API Gateway management tools that connect to it (for example, Policy Studio and API Gateway
Manager).
API
An Application Programming Interface (API) is a set of business services that an enterprise can
expose to external customers, partners, or employees using a range of different technologies
on a range of different devices. For example, APIs typically support HTTP requests and JSON or
XML responses to enable mobile client applications.
API Gateway
A server-side application that manages, delivers, and secures APIs. API Gateway provides
services such as API transformation, control and governance, security, monitoring,
development lifecycle, and administration.
B2B
Business-to-Business
B2C
Business-to-Consumer
B2E
Business-to-Employee
Base64
A method of encoding 8-bit characters as ASCII printable characters. It is typically used to
encode binary data so that it may be sent over text-based protocols such as HTTP and SMTP.
Base64 is a scheme where 3 bytes are concatenated, and split to form 4 groups of 6 bits each.
Each 6-bit group is translated to an encoded printable ASCII character, using a table lookup. The
specification is described in RFC 2045.
CA
A Certificate Authority (CA) issues digital certificates (especially X.509 certificates), and
vouches for the binding between the data items in a certificate.


cacerts
A file used to keep the root certificates of signing authorities. This is typically stored in
..\jre\lib\security\cacerts. Each entry is identified by a unique alias, and is a key entry or a
certificate entry. Key entries consist of a key pair, and certificate entries consist of just a
certificate. Because you implicitly trust all CAs in the cacerts file for code signing and
verification, you must manage the cacerts file carefully. The cacerts file should contain only
certificates of the CAs you trust.
CMS
Content Management System
CRL
A Certificate Revocation List (CRL) is a signed list indicating a set of certificates that are no
longer considered valid by the certificate issuer. CRLs may be used to identify revoked public-key
certificates or attribute certificates, and may represent revocation of certificates issued to
authorities or to users. The term CRL is also commonly used as a generic term applying to
different types of revocation lists.
DName
A Distinguished Name (DName or DN) is an identifier that uniquely represents an object in the
X.500 Directory Information Tree (DIT). A DName is a set of attribute values that identify the path
leading from the base of the DIT to the object that is named. An X.509 public-key certificate or
CRL contains a DName that identifies its issuer, and an X.509 attribute certificate contains a DN
or other form of name that identifies its subject.
Domain
An API Gateway domain consists of multiple groups of API Gateways spanning multiple host
machines. A domain is a distinct administrative entity, which is managed separately by API
Gateway tools such as API Gateway Manager and API Gateway Analytics.
ERP
Enterprise Resource Planning
Filter
An API Gateway filter is an executable rule that performs a specific type of processing on a
message. For example, the Message Size filter rejects messages that are greater or less than a
specified size. Many categories of message filters are available with the API Gateway (for
example, Authentication, Authorization, Content filtering, Conversion, Trust, and so on). In
Policy Studio, a filter is displayed as a block of business logic that forms part of an execution
flow known as a policy.
Group
An API Gateway group consists of one or more API Gateway instances that are managed as a
unit and run the same configuration to virtualize the same APIs and execute the same policies.
API Gateway groups enable you to organize API Gateway instances by solution type and
manage them as a single entity.
HTTP
Hypertext Transfer Protocol (HTTP) is a protocol for distributed hypermedia systems. HTTP is
the foundation of data communication for the World Wide Web. For more details, see
http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol.
HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is a protocol for secure communication over a
computer network, and which is widely deployed on the Internet. It is the result of layering
HTTP on top of the SSL/TLS protocol. For more details, see
http://en.wikipedia.org/wiki/HTTP_Secure.
JMS
Java Message Service (JMS) is a messaging standard that enables application components
based on Java 2 Enterprise Edition (J2EE) to create, send, receive, and read messages. It
enables communication between different components of a distributed application to be
loosely coupled, reliable, and asynchronous. For more details, see
http://en.wikipedia.org/wiki/Java_Message_Service.
JSON
JavaScript Object Notation (JSON) is a lightweight data-interchange format, which is easy for
humans to read and write, and easy for machines to parse and generate. JSON is based on a
subset of the JavaScript programming language. Its text format is programming language
independent, but uses conventions that are familiar to programmers of the C family of
languages (for example, C, C++, C#, Java, JavaScript, Perl, and Python). For more details, see
http://www.json.org.
JSON Path
JSON Path enables you to locate and process specific parts of a JSON document. It is available
in programming languages such as JavaScript, Java, Python and PHP. For more details, see the
JSON specification.
Keystore
The keystore file of the JDK contains your public and private keys. It has a file name of .keystore
(leading dot makes the file read-only on Unix). It is stored in PKCS#12 format, contains both
public and private keys, and is protected by a passphrase.
KPS
A Key Property Store (KPS) is a data management component in the API Gateway. Data in a KPS
table is assumed to be read frequently and seldom written, and can be changed without
incurring an API Gateway service outage. KPS tables are shared across an API Gateway group.


LDAP
LDAP is a lightweight version of Directory Access Protocol (DAP), which is part of X.500, a
standard for directory services in a network. An LDAP directory stores information on resources
in a hierarchical fashion, which makes data retrieval very efficient.
Node Manager
An API Gateway component that is responsible for managing API Gateway instances on a host
machine. There must be one Node Manager on each managed host machine. A single Admin
Node Manager communicates with all Node Managers in a domain to perform management
operations.
OCSP
Online Certificate Status Protocol (OCSP) is an automated certificate checking network
protocol. A client will query the OCSP responder for the status of a certificate. The responder
returns whether the certificate is still trusted by the CA that issued it.
PEM
Privacy Enhanced Mail (PEM) was originally intended for securing email using various
encryption techniques. Its scope widened for use in a broader range of applications, such as
Web servers. Its format is essentially a base64-encoded certificate wrapped in BEGIN
CERTIFICATE and END CERTIFICATE directives.
PKCS#12
A standard for storing private keys and X.509 certificates securely (for example, in a .p12 file).
Policy
An API Gateway policy is a network of filters in which each filter is a modular unit that processes
a message. Messages can traverse different paths through the policy, depending on which
filters succeed or fail. For example, you could configure policies routing messages that pass a
Schema Validation filter to a back-end system, and routing messages that pass a different
Schema Validation filter to another system. A policy can also contain other policies, which
enables you to build modular reusable policies.
Private key
The secret component of a pair of cryptographic keys used for asymmetric cryptography.
Public key
The publicly-disclosed component of a pair of cryptographic keys used for asymmetric
cryptography.
RBAC
Role-Based Access Control (RBAC) restricts system access to authorized users based on assigned
roles. Permissions to perform specific system operations are assigned to specific roles, and
system users are granted permission to perform specific operations only through their roles.
This simplifies system administration because users do not need to be assigned permissions
directly, and instead acquire them through their assigned roles.
REST
Representational State Transfer (REST) is an architectural style for building large-scale
distributed software that uses the technologies and protocols of the World Wide Web (for
example, JSON/XML and HTTP). For more details, see
http://en.wikipedia.org/wiki/Representational_state_transfer.
SAML
Security Assertion Markup Language (SAML) is an XML standard for establishing trust between
entities. SAML assertions contain identity information about users (authentication assertions),
and information about user access permissions (authorization assertions). When a user is
authenticated at a site, the site issues a SAML authentication assertion to the user. The user can
use this assertion in requests at other affiliated sites. These sites need only check the details in
the authentication assertion to authenticate the user. In this way, SAML allows authentication
and authorization information to be shared between different sites.
SCM
Supply Chain Management
Selector
A special syntax that enables API Gateway configuration settings to be evaluated and expanded
at runtime based on metadata values (for example, from a KPS, message attribute, or
environment variable).
Signature
A value computed with a cryptographic algorithm and added to a data object in such a way that
any recipient of the data can use the signature to verify the data's origin and integrity.
SOAP
Simple Object Access Protocol (SOAP) is an XML-based object invocation protocol. SOAP was
originally developed for distributed applications to communicate over HTTP and corporate
firewalls. SOAP defines the use of XML and HTTP to access services, objects, and servers in a
platform-independent way. SOAP is a wire protocol that can be used to facilitate highly
ultra-distributed architecture. For more details, see the SOAP specification.
SSL
Secure Sockets Layer (SSL) is an encrypted communication protocol for sending information
securely across the Internet. It sits just above the transport layer, and below the application
layer, and transparently handles the encryption and decryption of data when a client establishes
a secure connection to the server. It optionally provides peer entity authentication between
client and server.


TLS
Transport Layer Security (TLS) is the successor to SSL 3.0. Like SSL, it allows applications to
communicate over a secure channel.
UDDI
Universal Description, Discovery, and Integration (UDDI) is an XML-based lookup service for
locating Web services on the Internet. For more details, see the UDDI standard.
URI
A Uniform Resource Identifier (URI) is a platform-independent way to specify a file or resource
on the Web. Strictly speaking, every URL is also a URI, but not every URI is also a URL. For more
details on URI formats, see RFC 2396 and RFC 2732.
WSDL
Web Services Description Language (WSDL) is an XML format for describing network services as
a set of endpoints operating on messages containing document-oriented or procedure-oriented
information. Operations and messages are described abstractly, and bound to a concrete
network protocol and message format to define an endpoint. Related concrete endpoints are
combined into abstract endpoints (services). WSDL is extensible to allow description of
endpoints and messages regardless of what message formats or network protocols are used. For
more details, see the WSDL specification.
X.509
A standard that defines the contents and data format of a public key certificate.
XKMS
XML Key Management Specification (XKMS) uses XML to provide key management services so
that a Web service can query the trustworthiness of a user's certificate over the Internet. XKMS
aims to simplify application building by separating digital-signature handling and encryption
from the applications themselves. For more details, see the XML Key Management specification.
XML
Extensible Markup Language (XML) is a subset of Structured General Markup Language (SGML).
Its goal is to enable generic SGML to be served, received, and processed on the Web in a similar
way to HTML. See the XML Specification for more details.
XPath
XML Path (XPath) is a language that describes how to locate and process specific parts of an
XML document. For more details, see the XML Path Language specification.
XSL
XML Stylesheet Language (XSL) is used to convert XML documents into different formats, the
most common of which is HTML. In a typical scenario, an XML document references an XSL
stylesheet, which defines how the XML elements of the document should be displayed as HTML.
This enables a clear separation of content and presentation.


XSLT
Extensible Stylesheet Language Transformation (XSLT) is used to convert XML documents into
other XML documents or other formats (for example, HTML, plain text, or XSL Formatting
objects).
