Oracle API Gateway Concepts Guide
11g Release 2 (11.1.2.4.0)
July 2015
Copyright 1999, 2015, Oracle and/or its affiliates. All rights reserved.
27 July 2015
Contents
Preface
Who should read this document
How to use this document
Overview
API Gateway services
API transformation
API control and governance
API security
API monitoring
API development lifecycle
API administration
API Gateway is core infrastructure
API Gateway user roles
API Gateway features
Integration
Performance
Governance
Security
Form factors
Overview
API Gateway
Policy Studio
API Tester
Configuration Studio
API Gateway Manager
API Gateway Analytics
Key Property Store
Embedded Apache ActiveMQ
Overview
API Gateway groups
API Gateway domains
Simple API Gateway domain
Complex API Gateway domain
Solution partitioning
Virtualization
Environment topology
Availability, load balancing, and scalability
Overview
API Gateway library
Glossary
Preface
This document provides an overview of the API Gateway and describes its main concepts, features, and architecture.
Introduction to API Gateway
Overview
Oracle API Gateway manages, delivers, and secures enterprise APIs, applications, and consumers.
The following overview diagram shows the range of transports and protocols supported by API Gateway on the left, and the services that it provides on the right:
API transformation
The API transformation features include the following:
• API virtualization and mediation
• Wide range of protocols, data formats, and standards
• Bi-directional transformation (for example, REST-to-SOAP, XML-to-JSON, and HTTP-to-JMS)
API security
The API security features include the following:
• Protect APIs at all levels (interface, access, and data)
• Authentication and authorization
• Identity mediation and integration with IDM platforms
• Data monitoring, redaction, encryption, and signing
• Key and certificate management
API monitoring
The API monitoring features include the following:
• Real-time API monitoring, with alerting based on errors, exceptions, and thresholds
• Configurable logging of API transaction data
• Analyze API use for insight and trends
• Automated generation and delivery of reports
API administration
The API administration features include the following:
• Manage all aspects of the daily API operations
• Transaction management
• Tracing and debugging
• OAuth client management
• Managing JMS-based messaging
For more details, see API Gateway features on page 10.
The API Gateway can be seen as the API runtime environment, which provides core services such as the following:
• Security (for example, authentication and authorization)
• Connectivity with a range of different protocols
• Virtualization
• Scalability and elasticity
• High availability
• Manageability (for example, using API Gateway Manager)
• Development simplicity
Because the API Gateway provides this core API infrastructure, developers can focus on providing the application logic. They no longer need to build these services into their application, and can leverage the core infrastructure provided by the API Gateway.
Previously, the API was not treated as a first class citizen, and in many cases was part of the application interface. However, the API Gateway sees the API as a first class artifact, with its own particular constructs, and its own runtime environment. The API Gateway provides all of the same benefits for the API that the application server provides for the application. In this way, it is important to distinguish between the API and the application as two distinct entities.
These user roles are described as follows:
• Policy developer
  This user role virtualizes APIs and develops policies for APIs. Policies are rules used to govern or manage an API (for example, for security, integration, SLA monitoring, or transformation). This is a technical developer role.
• KPS administrator
  This is a business or operational role managing dynamic policy configuration data in a Key Property Store (KPS). A KPS is used to store parameters that are passed into policies at runtime (for example, authorization levels, quotas, or customer details). This means that these details do not need to be configured by the policy developer.
Integration
API Gateway provides the following integration features:
• Identity management
  API Gateway integrates with existing third-party Identity Management (IM) infrastructures to perform authentication and authorization of message traffic. For example, integration is provided with LDAP, Microsoft Active Directory, Oracle Access Manager, Computer Associates SiteMinder, Entrust GetAccess, IBM Tivoli Access Manager, RSA Access Manager, and other IM products. API Gateway also interoperates with leading integration products and platforms (for example, Microsoft .NET, Oracle WebLogic, IBM WebSphere, and SAP NetWeaver).
• Scalability
  API Gateway is designed to offer a highly flexible and scalable solution architecture. Administrators can deploy new API Gateway instances as needed, and deploy the same or different policies across a group of API Gateway instances as required. This enables administrators to apply policies at any point in their system. Policy enforcement points can be distributed around the network, anywhere traffic is being passed.
• Pluggable pipeline
  The API Gateway internal message-handling pipeline is extensible, enabling extra access control and content-filtering rules to be added with ease. Customers do not have to wait for a full product release before receiving updates of support for emerging standards and for additional adapters.
• REST APIs
  The API Gateway REST support enables you to make enterprise application data and operations available using Web APIs. For example, you can convert a legacy SOAP service, and deploy it as a REST API to be consumed by mobile apps. REST-to-SOAP conversion is easy to achieve using the API Gateway. It can expose REST APIs that map to SOAP services, dynamically creating a SOAP request based on the REST API call.
• Internationalization (i18n)
  API Gateway includes support for multi-byte message data and a wide range of international languages and character sets. For example, this includes requests in languages such as Chinese, German, French, Spanish, Danish, Serbian, Russian, Japanese, Korean, Greek, Arabic, Hebrew, and so on. The API Gateway supports character sets such as UTF-8, KO-I8, UTF-16, UTF-32, ISO-8859-1, EUC-JP, US-ASCII, ISO-8859-7, and so on.
Performance
API Gateway accelerates performance as follows:
• Processing offload
  You can use API Gateway to offload the heavy lifting of XML from application servers, and onto the network. This frees up resources on application servers and enables applications to run faster. Oracle's patented high-performance core XML acceleration engine, coupled with hardware acceleration, ensures wire speed network performance.
• Acceleration engine
  The core acceleration engine is integrated into API Gateway to accelerate the essential XML security primitives. This engine provides XML processing at faster levels than those performed by common JAXP implementations in application servers and other applications that sit downstream from API Gateway. The acceleration engine performs Document Object Model (DOM) processing, XPath, JSON Path, XSLT conversion, and validation of XML and JSON.
• Data enrichment
  API Gateway can automatically populate content in XML and JSON documents from sources such as databases. By putting this functionality onto the network infrastructure, data is automatically populated in messages before they reach the consuming services. This simplifies and accelerates applications in ESBs and application servers.
Governance
API Gateway provides the following governance features:
• Ease of deployment
  API Gateway includes many features that speed up deployment. For example, certificates and private keys, necessary for XML security functions, are issued onboard. API Gateway has a deny-by-default defense posture, to detect and block unauthorized deployments of services. Policies can be re-applied across multiple endpoints using simple menus. Policies can also be imported and exported as XML files. This minimizes time needed to replicate policies across multiple API Gateways, or to move from a staging system to production environment.
• Centralized management
  A web-based system management dashboard provides centralized control of API Gateways in your domain. API Gateway Manager provides quick and easy access to enable you to manage your API Gateways and services. For example, you can use monitoring and a traffic log to monitor messages sent through API Gateways in your domain. All monitoring data can be aggregated across multiple API Gateway instances in a group or domain.
• The Policy Studio tool enables administrators to add security and management policies to the API Gateway, and to manage policy versions across multiple API Gateways. This enables enterprise policy management to be brought under centralized control, rather than be managed separately on each API Gateway.
• Reporting
  The API Gateway Analytics tool provides auditing and reporting on usage across all entry points and creates comprehensive reports to meet operational and compliance requirements. API Gateway Analytics also provides root cause analysis by identifying common failure points in multi-service transactions. If a service fails, and impacts the transaction as a whole, API Gateway Analytics can detect this and generate alerts.
• Traffic throttling
  API Gateway protects services from unanticipated traffic spikes by smoothing out traffic. It also limits clients to agreed service consumption levels in accordance with service usage agreements. This enables Oracle customers to charge their clients for different levels of service usage.
Security
API Gateway includes the following security features:
• Identity mediation
  Through its support for a wide range of security standards, API Gateway enables identity mediation between different identity schemes. For example, the API Gateway can authenticate external clients by username and password, but then issue SAML tokens that are used for identity propagation to application servers.
• API management
  API Gateway enables you to secure Web APIs against attack and abuse. It also enables you to govern and meter access to and usage of Web APIs. API Gateway provides support for API management security standards such as OAuth. This enables you to share private resources with third-party websites without needing to provide credentials.
• Application-level networking
  API Gateway routes data based on sender identity, content, and type. This enables messages to be sent to the appropriate application in a secure manner. It also enables service virtualization, where services are exposed to clients with virtual addresses to mask their actual addresses for security and application delivery. In this way, the API Gateway acts as an important control point for network traffic by shielding endpoint services from direct access.
• Audit trail
  API Gateway satisfies audit requirements by enabling service transactions to be archived in a tamper-proof store for subsequent audit. Oracle also facilitates privacy compliance support by allowing sensitive information, such as customer names, to be encrypted or stripped out of message traffic.
Form factors
API Gateway is available on Windows, Linux, and Solaris. For more details on supported platforms, see the API Gateway Installation Guide.
Overview
Oracle API Gateway provides powerful easy-to-use tools that enable you to develop, deploy, and manage API solutions. This topic introduces each of the API Gateway tools:
For more details, see the API Portal User Guide.
API Gateway
The central API Gateway core component is described as follows:
• Provides the runtime environment for exposing virtualized APIs and executing policies
• Implemented using a combination of native code for performance and Java for extensibility
• Deployed and managed in a distributed environment of multiple servers providing scalability and availability
• Available in the following form factors:
  ◦ Software: Windows, Linux, and Solaris
In enterprise organizations, the API Gateway is typically deployed in the DMZ between the public Internet and private intranet.
For more details, see API Gateway architecture on page 22.
Policy Studio
Policy Studio is a graphical tool that enables you to virtualize APIs and develop policies (for example, to enforce security, compliance, and operational requirements). It includes the following features:
• Flow-chart style visualization for easy development and maintenance
• Graphical drag-n-drop user interface that enables you to drag filters (processing rules) onto the policy canvas and configure them
• Extensive library of filters to build powerful policies
The following example shows the policy canvas at the center and the filter library on the right:
A filter is an executable rule that performs a specific type of processing on a message. For example, the Message Size filter rejects messages that are greater or less than a specified size.
There are many categories of message filters available with the API Gateway (for example, Authentication, Authorization, Content Filtering, Conversion, Trust, and so on). In Policy Studio, a filter is displayed as a block of business logic that forms part of an execution flow known as a policy.
A policy is a network of filters in which each filter is a modular unit that processes a message. A message can traverse different paths through the policy, depending on which filters succeed or fail. For example, this enables you to configure policies that route messages that pass a Schema Validation filter to a back-end system, and route messages that pass a different Schema Validation filter to a different system.
A policy can also contain other policies, which enables you to build modular reusable policies. In Policy Studio, the policy is displayed as a path through a set of filters, as shown in the previous example.
For more details, see the API Gateway Policy Developer Guide.
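
The filter-and-path behaviour described in this section, modelled in Python as an added example (not Oracle API Gateway code and not its extension API): each node has a success and a failure successor, a nested policy is used as a step of another policy, and a message that reaches no passing path is rejected. The `Node`, `Policy`, `required_fields` and `route_to` names, the back-end names and the sample messages are assumptions constructed for illustration.

```python
# Added illustration: a conceptual model of a policy as a network of filters.
# Not Oracle API Gateway code; all names here are hypothetical.
import json
from dataclasses import dataclass, field


@dataclass
class Message:
    body: bytes
    attributes: dict = field(default_factory=dict)
    trace: list = field(default_factory=list)  # filters visited and their outcome


class Node:
    """One box on the policy canvas: a filter (callable) or a nested Policy,
    plus the node to visit next on success and on failure."""
    def __init__(self, name, step, on_success=None, on_failure=None):
        self.name, self.step = name, step
        self.on_success, self.on_failure = on_success, on_failure


class Policy:
    def __init__(self, name, start):
        self.name, self.start = name, start

    def run(self, msg):
        node, passed = self.start, False       # an empty policy passes nothing
        while node is not None:
            try:
                step = node.step
                passed = step.run(msg) if isinstance(step, Policy) else bool(step(msg))
            except Exception:                   # a filter that errors counts as failed
                passed = False
            msg.trace.append(f"{self.name}/{node.name}:{'pass' if passed else 'fail'}")
            node = node.on_success if passed else node.on_failure
        return passed                           # outcome of the last filter on the path


def message_size(min_bytes, max_bytes):
    """Stand-in for the Message Size filter: fail outside [min_bytes, max_bytes]."""
    return lambda msg: min_bytes <= len(msg.body) <= max_bytes


def required_fields(spec):
    """Simplified stand-in for a Schema Validation filter: the body must be a
    JSON object whose listed fields have the listed types."""
    def check(msg):
        doc = json.loads(msg.body)              # invalid JSON raises, so the filter fails
        return isinstance(doc, dict) and all(
            isinstance(doc.get(key), typ) for key, typ in spec.items())
    return check


def route_to(backend):
    """Records the chosen back end on the message; no network I/O."""
    def step(msg):
        msg.attributes["route"] = backend
        return True
    return step


def build_policy():
    invoices = Node("schema-invoice",
                    required_fields({"invoice_id": str, "total": (int, float)}),
                    on_success=Node("route-invoices", route_to("invoices-backend")))
    orders = Node("schema-order",
                  required_fields({"order_id": str, "items": list}),
                  on_success=Node("route-orders", route_to("orders-backend")),
                  on_failure=invoices)          # failing one schema tries the other
    routing = Policy("routing", orders)         # reusable sub-policy
    size = Node("message-size", message_size(2, 1024),
                on_success=Node("routing", routing))   # nested policy used as a step
    return Policy("front-door", size)


def process(body):
    msg = Message(body)
    accepted = build_policy().run(msg)
    return accepted, msg.attributes.get("route"), msg.trace


if __name__ == "__main__":
    # Constructed sample messages.
    for sample in (b'{"order_id": "A1", "items": ["x"]}',
                   b'{"invoice_id": "I9", "total": 12.5}',
                   b'{"unknown": true}',
                   b'not json',
                   b'{"order_id": "A1", "items": ["' + b"x" * 2000 + b'"]}'):
        print(process(sample))
```

The trace shows the path each message took, which is the information a policy developer needs when checking that a rejected message failed at the intended filter.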
API Tester
Oracle API Tester is a graphical tool that enables you to test API performance, scalability, and security. For example, you can use API Tester to send an example request message to a specific API service, and view the associated response.
API Tester includes the following features:
• REST API and SOAP Web services testing
• Security token insertion (for example, WS-Security and SAML)
• SOAP attachment management
• Simplified certificate and key management
• Test case creation and stress testing
For more details, see the API Tester User Guide.
Configuration Studio
Configuration Studio is a graphical tool used to promote API Gateway configuration from development environments to upstream environments (for example, testing or production). Configuration Studio enables API Gateway administrators to take configuration prepared by policy developers, and to create environment-specific configuration for deployment. Configuration Studio is designed for the skills of upstream administrators, and does not assume expertise in policy development and policy configuration.
Configuration Studio enables administrators to perform tasks such as the following:
• Open a policy package (.pol) received from a development environment.
• Specify values for environment-specific settings selected in a development environment (for example, policy, listener, and external connections).
• Import or create environment-specific certificates and keys.
• Define environment-specific users and user groups.
• Export the environment package to a file on disk. The environment package is implemented as an .env file.
For more details, see the API Gateway Deployment and Promotion Guide.
API Gateway Manager includes the following features:
• Dashboard displaying the distributed topology with a real-time overview of message traffic by domain, group, and API Gateway
• Real-time monitoring of message traffic and content, enabling easy identification of exceptions and drilling into message details
• Real-time monitoring of performance metrics by API service, system, and remote host
• Aggregated view of audit, alert, and SLA alert messages across the domain
• Centralized viewing of audit and debug logs of each API Gateway instance
• Managing dynamic system settings
• Managing user roles assigned in the domain
For more details, see the API Gateway Administrator Guide.
API Gateway Analytics includes the following features:
• Web-based console that monitors and reports on all API Gateways in the domain (multiple API Gateways are shown on the left in the diagram)
• Reporting over an extended time period rather than immediate operational monitoring
• Analysis of what APIs are used, how often APIs are used, when APIs are used, and who is using APIs
• Scheduled reports in PDF format can be emailed to specific users
For more details, see the API Gateway Administrator Guide.
A KPS includes the following features:
• Policies look up configuration data in the KPS at runtime to dynamically determine behavior
• Policies developed in the Policy Studio use a selector syntax to specify context-sensitive lookup of policy configuration data at runtime from the KPS (for example, ${kps.CustomerProfiles[JoeBloggs].age} obtains the age of the specified customer)
• Provides a read-frequently, write-occasionally cache with backing stores
• Policy-specific UIs can be developed for business or operational users to manage the policy configuration data in the KPS
For more details, see the API Gateway Key Property Store User Guide.
The API Gateway installation includes the ActiveMQ Java JMS 1.1 client library, which applications can use to send and receive messages to and from the queues and topics hosted on the embedded ActiveMQ broker. In addition, ActiveMQ clients that use the OpenWire protocol (ActiveMQ default transport protocol) can interact with the embedded broker. For more details, see http://activemq.apache.org/openwire.html.
For details on how to manage ActiveMQ brokers embedded in the API Gateway, see the API Gateway Administrator Guide.
Overview
The API Gateway supports a distributed architecture based on groups of API Gateways in an administrative domain. The benefits of this architecture include the following:
• Managing a group of API Gateways as a single unit
• Solution partitioning by group
• Load balancing, scalability, and availability across the group
• Virtualization by separating logical and physical architectures, decoupling what is built from the physical architecture that runs it to enable infrastructure flexibility and scalability
• Running multiple isolated API applications on shared virtualized infrastructure
• Managing the domain based on administrative boundaries
This group-based architecture is described as follows:
• API Gateways are deployed on the host machines.
• API Gateways are organized into groups of multiple API Gateways. A group must contain at least one API Gateway.
• All API Gateways in the group run the same configuration to virtualize the same APIs and execute the same policies. Partitioning of APIs and policies into different configurations should be performed by solution type.
• Groups span multiple host machines to provide availability, scalability, and load balancing.
• Management operations are performed on groups. For example:
  ◦ Aggregating monitoring information from API Gateways in the group
  ◦ Deploying API and policy configurations to all API Gateways in the group
Note
Multiple API Gateways can run on the same host machine. However, each API Gateway would be in a different group and run a different configuration. There is no benefit to running multiple API Gateways in the same group on a single host machine.
This domain-based architecture is described as follows:
• The Admin Node Manager in the domain is the central administration server for the entire domain, and is responsible for performing all management operations across the domain.
• The Node Manager (NM) on each machine manages all the local API Gateways on that machine, regardless of the group they are in. This includes the following:
  ◦ Collecting monitoring information
  ◦ Managing dynamic settings
  ◦ Deploying API and policy configurations
• In addition to managing the local API Gateways on its host, the Admin Node Manager communicates with the NMs to perform management operations across the domain.
• Node Managers only communicate with the Admin Node Manager.
• The API Gateway Manager and Policy Studio tools connect to the Admin Node Manager.
• Role-Based Access Control (RBAC) for administrative users is across the domain. For example, an API Gateway administrator can log in to API Gateway Manager and manage all API Gateways and groups in the domain.
• There is a single API Gateway Analytics database in a domain. All API Gateways record analytics information in this single database.
Note
A single Admin Node Manager is deployed in the domain by default. However, you must configure at least two Admin Node Managers for high availability. For more details, see the API Gateway Administrator Guide.
Solution partitioning
API Gateway groups enable you to partition your APIs and policies by solution type. Partitioned APIs and policies associated with specific solutions are implemented in different API Gateway configurations, which are deployed to different groups and managed independently.
The following diagram shows an example API Gateway solution partitioned into groups:
Virtualization
The API Gateway group and domain-based architecture enables virtualization by separating logical and physical architectures. The APIs and policies that are built and packaged into API Gateway configurations are decoupled from the physical architecture that they run on, which provides flexibility and scalability of infrastructure.
Environment topology
The following diagram shows a typical environment topology that includes separate domains for each environment:
In this context, promotion refers to moving API Gateway configuration between environments and ensuring that environment-specific settings are properly configured. Deployment refers to the physical act of pushing configuration to an API Gateway instance (for example, using Policy Studio).
For details on how to promote between environments, see the API Gateway Deployment and Promotion Guide.
The execution of policies is stateless, and the route that a message takes has no bearing on its processing. No session data is created, so there is no need to replicate session state across API Gateways. If the policies use caches and counters, these should be configured to use the distributed cache shared by all API Gateways. For more details on caching, see the API Gateway Policy Developer Guide.
API Gateway documentation
Overview
This topic shows where to look in the documentation library for more detailed information.
Document | Description
API Gateway Installation Guide | Describes how to install API Gateway components on all platforms, and how to upgrade API Gateway versions.
API Gateway Administrator Guide | Describes how to configure and manage the components in an API Gateway domain.
API Gateway Policy Developer Guide | Describes the main API Gateway features (for example, policies, filters, and configuration options), and how to configure them using the Policy Studio graphical tool.
API Gateway Deployment and Promotion Guide | Describes how to promote and deploy API Gateway configuration between different environments (for example, development, testing, and production).
API Gateway OAuth User Guide | Describes how to configure and manage the API Gateway for use with the OAuth open standard for authentication.
API Tester User Guide | Describes how to use the API Tester graphical tool to test REST-based APIs and SOAP-based web services.
API Gateway Developer Guide | Describes how to extend, leverage, and customize the API Gateway to suit the needs of your environment.
API Gateway Key Property Store User Guide | Describes how to configure and manage the API Gateway Key Property Store (KPS). This enables you to manage data referenced from policies running on the API Gateway.
API Gateway PassPort Interoperability Guide | Describes how to integrate API Gateway and Axway PassPort.
API Gateway Sentinel Interoperability Guide | Describes how to integrate API Gateway and Axway Sentinel.
API Gateway Validation Authority Interoperability Guide | Describes how to integrate API Gateway and Axway Validation Authority.
Glossary
cacerts
A file used to keep the root certificates of signing authorities. This is typically stored in ..\jre\lib\security\cacerts. Each entry is identified by a unique alias, and is a key entry or a certificate entry. Key entries consist of a key pair, and certificate entries consist of just a certificate. Because you implicitly trust all CAs in the cacerts file for code signing and verification, you must manage the cacerts file carefully. The cacerts file should contain only certificates of the CAs you trust.
CMS
Content Management System
CRL
A Certificate Revocation List (CRL) is a signed list indicating a set of certificates that are no longer considered valid by the certificate issuer. CRLs may be used to identify revoked public-key certificates or attribute certificates, and may represent revocation of certificates issued to authorities or to users. The term CRL is also commonly used as a generic term applying to different types of revocation lists.
DName
A Distinguished Name (DName or DN) is an identifier that uniquely represents an object in the X.500 Directory Information Tree (DIT). A DName is a set of attribute values that identify the path leading from the base of the DIT to the object that is named. An X.509 public-key certificate or CRL contains a DName that identifies its issuer, and an X.509 attribute certificate contains a DN or other form of name that identifies its subject.
Domain
An API Gateway domain consists of multiple groups of API Gateways spanning multiple host machines. A domain is a distinct administrative entity, which is managed separately by API Gateway tools such as API Gateway Manager and API Gateway Analytics.
ERP
Enterprise Resource Planning
Filter
An API Gateway filter is an executable rule that performs a specific type of processing on a message. For example, the Message Size filter rejects messages that are greater or less than a specified size. Many categories of message filters are available with the API Gateway (for example, Authentication, Authorization, Content filtering, Conversion, Trust, and so on). In Policy Studio, a filter is displayed as a block of business logic that forms part of an execution flow known as a policy.
Group
An API Gateway group consists of one or more API Gateway instances that are managed as a unit and run the same configuration to virtualize the same APIs and execute the same policies. API Gateway groups enable you to organize API Gateway instances by solution type and manage them as a single entity.
HTTP
Hypertext Transfer Protocol (HTTP) is a protocol for distributed hypermedia systems. HTTP is the foundation of data communication for the World Wide Web. For more details, see http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol.
HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is a protocol for secure communication over a computer network, and which is widely deployed on the Internet. It is the result of layering HTTP on top of the SSL/TLS protocol. For more details, see http://en.wikipedia.org/wiki/HTTP_Secure.
JMS
Java Message Service (JMS) is a messaging standard that enables application components based on Java 2 Enterprise Edition (J2EE) to create, send, receive, and read messages. It enables communication between different components of a distributed application to be loosely coupled, reliable, and asynchronous. For more details, see http://en.wikipedia.org/wiki/Java_Message_Service.
JSON
JavaScript Object Notation (JSON) is a lightweight data-interchange format, which is easy for humans to read and write, and easy for machines to parse and generate. JSON is based on a subset of the JavaScript programming language. Its text format is programming language independent, but uses conventions that are familiar to programmers of the C family of languages (for example, C, C++, C#, Java, JavaScript, Perl, and Python). For more details, see http://www.json.org.
JSON Path
JSON Path enables you to locate and process specific parts of a JSON document. It is available in programming languages such as JavaScript, Java, Python and PHP. For more details, see the JSON specification.
Keystore
The keystore file of the JDK contains your public and private keys. It has a file name of .keystore (leading dot makes the file read-only on Unix). It is stored in PKCS#12 format, contains both public and private keys, and is protected by a passphrase.
KPS
A Key Property Store (KPS) is a data management component in the API Gateway. Data in a KPS table is assumed to be read frequently and seldom written, and can be changed without incurring an API Gateway service outage. KPS tables are shared across an API Gateway group.
LDAP
LDAP is a lightweight version of Directory Access Protocol (DAP), which is part of X.500, a standard for directory services in a network. An LDAP directory stores information on resources in a hierarchical fashion, which makes data retrieval very efficient.
Node Manager
An API Gateway component that is responsible for managing API Gateway instances on a host machine. There must be one Node Manager on each managed host machine. A single Admin Node Manager communicates with all Node Managers in a domain to perform management operations.
OCSP
Online Certificate Status Protocol (OCSP) is an automated certificate checking network protocol. A client will query the OCSP responder for the status of a certificate. The responder returns whether the certificate is still trusted by the CA that issued it.
PEM
Privacy Enhanced Mail (PEM) was originally intended for securing email using various encryption techniques. Its scope widened for use in a broader range of applications, such as Web servers. Its format is essentially a base64-encoded certificate wrapped in BEGIN CERTIFICATE and END CERTIFICATE directives.
PKCS#12
AstandardforstoringprivatekeysandX.509certificatessecurely(forexample,ina.p12file).
Policy
AnAPIGatewayp olicyisanetworkoffiltersinwhicheachfilterisamodularunitthatprocesses
amessage.Messagescantraversedifferentpathsthroughthepolicy,dependingonwhich
filterssucceedorfail.Forexample,youcouldconfigurepoliciesroutingmessagesthatpassa
SchemaValidationfiltertoaback-endsystem,androutingmessagesthatpassadifferent
SchemaValidationfiltertoanothersystem.Apolicycanalsocontainotherpolicies,which
enablesyoutobuildmodularreusablepolicies.
Private key
Thesecretcomponentofapairofcryptographickeysusedforasymmetriccryptography.
Public key
Thepublicly-disclosedcomponentofapairofcryptographickeysusedforasymmetric
cryptography.
RBAC
Role-Based Access Control (RBAC) restricts system access to authorized users based on assigned
roles. Permissions to perform specific system operations are assigned to specific roles, and
system users are granted permission to perform specific operations only through their roles.
This simplifies system administration because users do not need to be assigned permissions
directly, and instead acquire them through their assigned roles.
REST
Representational State Transfer (REST) is an architectural style for building large-scale
distributed software that uses the technologies and protocols of the World Wide Web (for
example, JSON/XML and HTTP). For more details, see
http://en.wikipedia.org/wiki/Representational_state_transfer.
SAML
Security Assertion Markup Language (SAML) is an XML standard for establishing trust between
entities. SAML assertions contain identity information about users (authentication assertions),
and information about user access permissions (authorization assertions). When a user is
authenticated at a site, the site issues a SAML authentication assertion to the user. The user can
use this assertion in requests at other affiliated sites. These sites need only check the details in
the authentication assertion to authenticate the user. In this way, SAML allows authentication
and authorization information to be shared between different sites.
SCM
Supply Chain Management
Selector
A special syntax that enables API Gateway configuration settings to be evaluated and expanded
at runtime based on metadata values (for example, from a KPS, message attribute, or
environment variable).
Signature
A value computed with a cryptographic algorithm and added to a data object in such a way that
any recipient of the data can use the signature to verify the data's origin and integrity.
SOAP
Simple Object Access Protocol (SOAP) is an XML-based object invocation protocol. SOAP was
originally developed for distributed applications to communicate over HTTP and corporate
firewalls. SOAP defines the use of XML and HTTP to access services, objects, and servers in a
platform-independent way. SOAP is a wire protocol that can be used to facilitate highly ultra-distributed architecture. For more details, see the SOAP specification.
SSL
Secure Sockets Layer (SSL) is an encrypted communication protocol for sending information
securely across the Internet. It sits just above the transport layer, and below the application
layer and transparently handles the encryption and decryption of data when a client establishes
a secure connection to the server. It optionally provides peer entity authentication between
client and server.
TLS
Transport Layer Security (TLS) is the successor to SSL 3.0. Like SSL, it allows applications to
communicate over a secure channel.
UDDI
Universal Description, Discovery, and Integration (UDDI) is an XML-based lookup service for
locating Web services on the Internet. For more details, see the UDDI standard.
URI
A Uniform Resource Identifier (URI) is a platform-independent way to specify a file or resource
on the Web. Strictly speaking, every URL is also a URI, but not every URI is also a URL. For more
details on URI formats, see RFC 2396 and RFC 2732.
WSDL
Web Services Description Language (WSDL) is an XML format for describing network services as
a set of endpoints operating on messages containing document-oriented or procedure-oriented
information. Operations and messages are described abstractly, and bound to a concrete
network protocol and message format to define an endpoint. Related concrete endpoints are
combined into abstract endpoints (services). WSDL is extensible to allow description of
endpoints and messages regardless of what message formats or network protocols are used. For
more details, see the WSDL specification.
X.509
A standard that defines the contents and data format of a public key certificate.
XKMS
XML Key Management Specification (XKMS) uses XML to provide key management services so
that a Web service can query the trustworthiness of a user's certificate over the Internet. XKMS
aims to simplify application building by separating digital-signature handling and encryption
from the applications themselves. For more details, see the XML Key Management specification.
XML
Extensible Markup Language (XML) is a subset of Structured General Markup Language (SGML).
Its goal is to enable generic SGML to be served, received, and processed on the Web in a similar
way to HTML. See the XML Specification for more details.
XPath
XML Path (XPath) is a language that describes how to locate and process specific parts of an
XML document. For more details, see the XML Path Language specification.
XSL
XML Stylesheet Language (XSL) is used to convert XML documents into different formats, the
most common of which is HTML. In a typical scenario, an XML document references an XSL
stylesheet, which defines how the XML elements of the document should be displayed as HTML.
This enables a clear separation of content and presentation.
XSLT
Extensible Stylesheet Language Transformation (XSLT) is used to convert XML documents into
other XML documents or other formats (for example, HTML, plain text, or XSL Formatting
objects).