Sharing Best Practices and Recommendations from the Integration Battlefield
3 likes1,461 views
The document discusses the roles and best practices in API management, focusing on the WSO2 platform, which provides open-source middleware solutions. It emphasizes the importance of creating, managing, and securing APIs, including lifecycle management and analytics for performance monitoring. Additionally, it covers deployment strategies, particularly the separation of API gateways from enterprise service buses for enhanced security and scalability.
Sharing Best Practices and Recommendations from the Integration Battlefield
- 1. Isabelle Mauny VP, Product, WSO2 Last Updated: Nov 2014 Lessons from the ba.lefield Tuesday, December 9, 14
- 2. 2 About the speaker... ๏ French na)ve ๏ Living in Madrid ๏ Working mostly in Sri Lanka and Europe ๏ 17 years @ IBM, 5 years in startups ๏ Managing the overall WSO2 porEolio ๏ Linux command line user... Tuesday, December 9, 14
- 3. 3 Who is WSO2 ? ๏ Open Source Middleware Pla2orm Provider ๏ Apache 2.0 License ๏ Provides Integra?on, API Management, Security and Mobile enterprise management products ๏ Main contributor to Apache Stratos PaaS ๏ Creators of DevOps “AppFactory” cloud solu?on Tuesday, December 9, 14
- 4. 4 Tuesday, December 9, 14
- 5. Architecture Roadmap 5 Decompose your exis7ng business processes, data and capabili7es into services Make all services accessible via APIs, externally and internally Put services and APIs under control ! Build an ecosystem around your APIs Collect data on your new products and APIs 1 2 3 4 5 Tuesday, December 9, 14
- 6. 6 Crea%ng and Managing Services Tuesday, December 9, 14
- 7. 7 Services and APIs ๏ Service deals with implementa)on ๏ API deals with subscrip)on (consumer) ๏ Two very dis)nct life cycles ! ๏ You don’t need the service to create the API... Tuesday, December 9, 14
- 8. 8 API Lifecycle ๏ An API can pass through mul)ple states ๏ For example: ๏ CREATED ๏ PUBLISHED ๏ DEPRECATED ๏ RETIRED ๏ BLOCKED ๏ Should integrate with complete governance lifecycle Tuesday, December 9, 14
- 9. 9 Building a Managed API ๏ Crea)ng APIs (interface, docs, samples,etc.) ๏ Adver)sing APIs ๏ Making APIs subscribe-‐able by consumers ๏ Associa)ng SLAs ๏ Securing APIs ๏ Mone)za)on and Analy)cs Tuesday, December 9, 14
- 10. 10 API Security Tuesday, December 9, 14
- 11. 11 API Security ๏ Security is not an aer thought ! ๏ APIs are part of a much larger enterprise picture ๏ How will consumers request an access token ? ๏ Using a SAML 2.0 asser)on ? ๏ Using client_creden)als ? ๏ Using userid/password ? ๏ Make sure you document thoroughly how developers need to manage tokens: ๏ Tokens are like passwords! ๏ Always use SSL for token transporta)on ! ๏ Use Domain restric)ons (WSO2 API Manager) Tuesday, December 9, 14
- 12. 12 Fine-‐grained access to APIs ๏ OAuth2 is all about access control: a token is associated to a scope. ๏ XACML (eXtensible Access Control Markup Language) is the de-‐facto standard for fine-‐grained access control. ๏ OAuth scope can be represented in XACML policies ๏ Provides fine grain control over what a user/applica?on can do ( i.e. you can call GET but not POST on an API) Tuesday, December 9, 14
- 13. 13 Passing Auth Informa:on to back-‐end services ๏ Using JSON Web Tokens (JWT) ๏ Lightweight ๏ Can be signed ๏ Easy to parse and consume ๏ Standard Tuesday, December 9, 14
- 14. 14 Token Format ๏ JWT Structure {token info}.{claims list}.{signature} ๏ Base-‐64 Encoded Tuesday, December 9, 14
- 15. 15 What are Claims ? ๏ Claims are a set of ahributes about a user, mapped to the underlying user store. ๏ A set of claims is called a dialect Tuesday, December 9, 14
- 16. 16 Deployment Tuesday, December 9, 14
- 17. 17 Gateway vs. ESB ๏ Oh, but I already have an ESB ! Why do I need a gateway ? ๏ API Gateway vs. Media)on Layer (ESB) ๏ Gateway = light ESB ? ๏ Think ESB as an architecture pahern, not a product! Tuesday, December 9, 14
- 18. 18 Generic Facade Pa.ern ๏ Pros ๏ No addi)onal hop in the network ๏ Single Server to be managed ๏ More suited for internal deployments ๏ Cons ๏ Complexity of integra)on at edge of network ๏ API Management layer can’t really scale independently ๏ Not appropriate for DMZ deployments (direct access to backend services) Tuesday, December 9, 14
- 19. 19 Separated Facade & MediaWon ๏ API Gateway Layer acts as simple reverse proxy, enforcing basic policies ๏ Clear separa?on of concern between layers ๏ Media?on layer and API management layer scale independently ๏ Specific security checks/protec?on at edge of the network ๏ Provides protocol transforma?on to the edge of the network Tuesday, December 9, 14
- 20. 20 Specific WSO2 SoluWon ๏ Our API gateway is actually a full-‐blown ESB under the hood, constrained at UI level. ๏ You can install the missing ESB features on top of API manager and combine both architecture layers into a single run)me! ๏ Makes the choice a deployment one. Tuesday, December 9, 14
- 21. 21 Typical Deployment Tuesday, December 9, 14
- 22. 22 Users Store ๏ Separate admins / corporate users from the developers users’s store (created via self-‐sign up) Tuesday, December 9, 14
- 23. 23 You can’t manage what you can’t measure. Tuesday, December 9, 14
- 24. 24 Why Analy:cs and API Management are important together? ๏ Build confidence in the API model ๏ Understand your customer ๏ Not just the developer but also the end-‐user ๏ Help manage services and versions ๏ Understand when deprecated services can be re?red ๏ Plan beZer ๏ Monitor the growth of aggregated API traffic ๏ Monitor the growth of specific apps ๏ Even if you’re not going to put analy?cs in place, make sure you capture all events right from beginning of project. Tuesday, December 9, 14
- 25. 25 AnalyWcs 101: AggregaWon • How to collect data efficiently • How to store data effec)vely • Choose which data to capture Tuesday, December 9, 14
- 26. 26 AnalyWcs 101 : Analysis • Data opera)ons • Defining KPIs and analy)cs • Opera)ng on large amounts of historical or current data • Crea)ng intelligence Tuesday, December 9, 14
- 27. 27 AnalyWcs 101 : PresentaWon • Visualiza)on • Dashboards • Reports Tuesday, December 9, 14
- 28. 28 Monitor And Analyze ๏ Take decisions in real ?me through Complex Event Processing ๏ Create dashboards for both technical and business monitoring Tuesday, December 9, 14
- 29. 29 DetecWng Usage Pa.erns ๏ My API customer is trying to steal my business : let’s block them. ๏ A customer is at 80% of API plan : let’s warn them ๏ A customer is systema)cally at 120% of the plan : propose an upgrade to the premium plan Tuesday, December 9, 14
- 30. 30 Demo Tuesday, December 9, 14
- 31. 31 Demo Setup Tuesday, December 9, 14
- 32. 32 References ๏ Building an ecosystem for API Security (White Paper) ๏ hhp://wso2.com/whitepapers/wso2-‐whitepaper-‐building-‐an-‐ecosystem-‐for-‐api-‐ security/ ๏ API Facade Pahern (Webinar) ๏ hhp://wso2.com/library/webinars/2014/01/implemen)ng-‐api-‐facade-‐using-‐ wso2-‐api-‐management-‐plaEorm/ ๏ API Management: missing link for SOA ๏ hhp://sanjiva.weerawarana.org/2012/08/api-‐management-‐missing-‐link-‐for-‐ soa.html ๏ Promo)ng Service Reuse ๏ hhp://wso2.com/whitepapers/promo)ng-‐service-‐reuse-‐within-‐your-‐enterprise-‐ and-‐maximizing-‐soa-‐success/ Tuesday, December 9, 14
- 33. 33 Download API Manager today! ๏ hhp://wso2.com/products/api-‐manager/ Tuesday, December 9, 14
- 34. Contact us ! Tuesday, December 9, 14