
WSO2 API Manager 2.0 - Overview


New stuff on WSO2 API Manager 2.0



  1. WSO2 API Manager 2.0.0 Overview
  2. Agenda
     - Introduction
     - Creating APIs
     - Protecting APIs
     - API Lifecycles
     - Developer Portal
     - Testing APIs
     - API Gateway
     - Deployment
     - API Analytics
  3. Introduction
  4. APIs for Business Innovation
     - API: a business capability offered via a digital channel
     - Open internally and/or externally
     - Monitored
     - In some cases, monetized
     - Fuel for rapid innovation and the development of new apps
     (Image: thinkpublic/photopin cc)
  5. API Management Platform
  6. WSO2 API Manager
     - The only complete, 100% open source API Management solution
     - A cleanly integrated system supporting API publishing, lifecycle management, developer portal, access control and analytics
     - Backed by a high-performance gateway
     - A single node supports more than 100 million requests/day
     - eBay handles up to 4.6 billion requests per day at peak times (Cyber Monday)
  7. WSO2 API Manager (cont.)
     - Includes social enablement such as ratings and tagging
     - Supports single sign-on with Facebook, Google Apps, etc.
     - Named a Strong Performer in this space by Forrester in 2014 and 2015
       - Best API design across all vendors
       - Best solution cost for an on-premise solution
       - Extremely satisfied customers
     - Available on-premise, as a managed deployment and as a SaaS application (API Cloud)
  8. Competitive Advantage
     - API Management is part of a complete platform
       - Integration
       - Security (Identity Management, Federated Identity)
       - API Analytics
     - Open architecture
       - Custom security tokens and grant types
       - Custom store/developer portal user interface
       - Custom user repositories
       - Custom transports to the back-end
     - Available on-premise, as a managed offering and as a SaaS offering: the same code everywhere
  9. Competitive Advantage (cont.)
     - Scalable architecture
       - Each component (Gateway, Dev Portal, Admin Portal, Key Server) can be deployed and scaled separately
       - Over 5000 TPS for a single node
     - Business model
       - Subscriptions only for production systems, which makes the cost very competitive
       - Pricing is adapted to small, medium and enterprise customers
       - Cost is linked to instances, not to machine power
       - No community vs. enterprise distinction
  10. Typical Use Cases
     - Expose APIs for internal consumption
       - Manage APIs used in internal applications
       - Internal monetization
     - Control access to cloud services: manage and secure access from internal applications to cloud services (e.g. SalesForce and Google Apps)
     - APIs for public consumption
       - Extend your business through APIs
       - Integrate with partners and customers
  11. API Manager Components
  12. Creating APIs
  13. Getting Started
     - For REST: start from an existing API definition (Swagger 2.0) or start from scratch
     - For SOAP: start from a WSDL and generate the default mapping and definition
  14. REST API Editing
     - Basic editor to create the API structure
  15. REST API Editing (cont.)
     - Swagger editor (YAML-based) for advanced editing, configuration, etc.
  16. API Documentation
  17. Protecting APIs
  18. API Access Tokens
     - OAuth2 standard compliant
     - Supports multiple grant types
       - SAML, IWA/NTLM
       - Client credentials, Implicit, Password
     - Pre-generated access token: mostly used for testing
     - On-demand access token: generated via an API call to the Gateway, using any of the supported grant types
     - Tokens can be refreshed/revoked via API calls as well
  19. Pluggable OAuth Authorization Server
     - OAuth token management is by default done with WSO2's Key Server (based on WSO2's Identity Server)
     - Can be replaced by a third-party authorization server capable of creating, refreshing, validating and revoking OAuth tokens
  20. Limiting Access to API Resources
     - Achieved through OAuth scopes: a scope defines what can be accessed by a token
     - How to request a token:
       grant_type=password&username=john&password=john123&scope=news_read news_write
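The following is an added example, not code from the slides or from WSO2: it parses the password-grant token request shown on slide 20 and enforces OAuth2 scopes on API resources the way a gateway would. The user credentials, the scopes a user may hold and the resource-to-scope mapping are constructed sample data, and the token value is a placeholder rather than a real WSO2 token.

```python
"""Added example, not WSO2 code: parse the password-grant token request from
slide 20 and enforce OAuth2 scopes on API resources at the gateway.
User credentials, grantable scopes and the resource-to-scope map are constructed."""
import hmac
from urllib.parse import parse_qs

# Constructed sample data (assumptions for the example, not WSO2 configuration)
CREDENTIALS = {"john": "john123"}
ALLOWED_SCOPES = {"john": {"news_read", "news_write"}}
RESOURCE_SCOPES = {
    ("GET", "/news"): "news_read",
    ("POST", "/news"): "news_write",
    ("DELETE", "/news"): "news_admin",
}


def parse_token_request(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded token request body.
    OAuth2 (RFC 6749) sends 'scope' as one space-separated parameter, so the
    slide's 'scope=news_read news_write' yields the set {news_read, news_write}."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    params["scope"] = set(params.get("scope", "").split())
    return params


def issue_token(body: str) -> dict:
    """Authorization-server side: check the password grant and grant only the
    intersection of the requested scopes and what the user may hold."""
    req = parse_token_request(body)
    if req.get("grant_type") != "password":
        raise ValueError("unsupported grant_type")
    user = req.get("username", "")
    expected = CREDENTIALS.get(user, "")
    # constant-time comparison of the presented secret
    if not expected or not hmac.compare_digest(expected, req.get("password", "")):
        raise PermissionError("invalid credentials")
    granted = req["scope"] & ALLOWED_SCOPES.get(user, set())
    # Constructed token value; a real server issues an opaque or signed token
    return {"access_token": f"constructed-token-for-{user}", "scope": granted}


def authorize(token: dict, method: str, path: str) -> bool:
    """Gateway side: a resource is reachable only if the token carries its scope.
    Unknown resources are denied by default."""
    required = RESOURCE_SCOPES.get((method, path))
    return required is not None and required in token["scope"]


if __name__ == "__main__":
    tok = issue_token("grant_type=password&username=john&password=john123&scope=news_read news_write")
    print(tok["scope"], authorize(tok, "GET", "/news"), authorize(tok, "DELETE", "/news"))
```

The point to check in any real deployment is the intersection step: a token must never carry more scope than the requesting user is allowed, and the gateway must deny resources whose scope mapping is missing rather than fall through to allow.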
  21. Throttling & Rate Limiting
     - Throttling
       - Regulates API traffic
       - Makes APIs and applications available to consumers at different service levels
       - Protects APIs against attacks such as DoS
     - Throttling is controlled through tier-based policies: a tier is defined by a time duration and a maximum number of requests during that duration
     - Tiers can be applied at application, API and API resource levels
  22. Throttling & Rate Limiting (cont.)
     - At subscription time, API users can choose the tiers they can subscribe to; this default behavior can be overridden through the use of workflows
     - Throttling policies encompass:
       - Standard usage quotas for total subscriptions and resources
       - Rate limiting based on complex, extensible and dynamic rules, scenarios and events
       - Complex throttling policies (with transport headers, IP addresses, etc.) can be created on the fly
       - Facilitates blacklisting users/applications abusing rate limits
  23. Throttling & Rate Limiting (cont.)
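As an added example (not WSO2's throttling engine), the code below implements the tier model of slides 21 and 22: a tier is a time window plus a maximum request count, a policy assigns a tier at application, API and resource level, every applicable level must admit a call, and an application that keeps exceeding its tier is blacklisted. The tier names, limits, blacklist threshold and the simulated traffic are all constructed for the example.

```python
"""Added example, not WSO2's throttling engine: tier-based throttling as
described on slides 21-22. A tier is (window in seconds, max requests in that
window); a policy assigns a tier at application, API and resource level, every
level must admit a call, and an application that keeps exceeding its tier is
blacklisted. Tier names, limits and the traffic are constructed."""
from collections import defaultdict

# Constructed tiers: name -> (window seconds, max requests); None means unlimited
TIERS = {"Bronze": (60, 5), "Silver": (60, 20), "Unlimited": (60, None)}


class Throttler:
    def __init__(self, policies: dict, blacklist_after: int = 3):
        self.policies = policies            # level -> tier name
        self.counters = defaultdict(lambda: [None, 0])  # key -> [window start, count]
        self.violations = defaultdict(int)  # app -> consecutive rejections
        self.blacklist = set()
        self.blacklist_after = blacklist_after

    def check(self, app: str, api: str, resource: str, now: float):
        """Return (allowed, reason). Counters are consumed only if every level admits."""
        if app in self.blacklist:
            return False, "blacklisted"
        # Counter identity per level: app-wide, per subscription (app+api), per resource
        keys = {"app": (app,), "api": (app, api), "resource": (app, api, resource)}
        for level, tier in self.policies.items():
            window, limit = TIERS[tier]
            if limit is None:
                continue
            key = (level,) + keys[level]
            start, count = self.counters[key]
            if start is None or now - start >= window:
                self.counters[key] = [now, 0]   # fixed window rolled over
                count = 0
            if count >= limit:
                self.violations[app] += 1
                if self.violations[app] >= self.blacklist_after:
                    self.blacklist.add(app)
                return False, f"{level} tier {tier} exceeded"
        # every level admitted the call: consume one request at each counted level
        for level, tier in self.policies.items():
            if TIERS[tier][1] is not None:
                self.counters[(level,) + keys[level]][1] += 1
        self.violations[app] = 0
        return True, "ok"


def simulate(throttler: Throttler, calls):
    """calls: iterable of (now, app, api, resource); returns the decision reasons."""
    return [throttler.check(app, api, res, now)[1] for now, app, api, res in calls]


if __name__ == "__main__":
    t = Throttler({"app": "Silver", "api": "Bronze"})
    calls = [(i, "mobile", "/news/v1", "/items") for i in range(8)]
    print(simulate(t, calls + [(100, "mobile", "/news/v1", "/items")]))
```

The two-pass structure matters: checking all levels before incrementing any counter prevents a call that is rejected at the API level from still consuming the application-level quota. The fixed window is the simplest tier semantics; a sliding window gives smoother limits but the tier definition on the slide (duration plus maximum count) maps directly onto the fixed form.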
  24. JWT Token Creation
     - Using JSON Web Tokens (JWT)
       - Lightweight
       - Can be signed
       - Easy to parse and consume
       - Standard
     - JWT structure: {token info}.{claims list}.{signature}
     - Base64 or Base64 URL encoded
     - Contents of the JWT are configurable
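An added example, not the slides' or WSO2's JWT generator, showing the three-part structure from slide 24 built and verified with only the Python standard library: the header and claims are unpadded Base64URL-encoded JSON, and the signature is HMAC-SHA256 over the first two parts. The signing key, claims and timestamps are constructed; the verifier pins the algorithm and checks expiry, which is where most JWT handling goes wrong.

```python
"""Added example, not WSO2's JWT generator: build and verify a compact JWT of
the form {header}.{claims}.{signature} with HMAC-SHA256 and unpadded Base64URL
encoding, as on slide 24. The signing key and claims are constructed."""
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    """Base64URL without padding, as JWT (RFC 7519) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def create_jwt(claims: dict, key: bytes) -> str:
    """Serialise header and claims, then sign 'header.claims' with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, key: bytes, now: float = None) -> dict:
    """Return the claims if the signature is valid and the token is unexpired,
    otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: never let the token's own header choose the verifier
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def is_valid(token: str, key: bytes, now: float = None) -> bool:
    """Boolean wrapper around verify_jwt for callers that only need a decision."""
    try:
        verify_jwt(token, key, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"constructed-secret"          # constructed; use a random key in practice
    tok = create_jwt({"sub": "john", "scope": "news_read", "exp": 2000}, key)
    print(tok)
    print(is_valid(tok, key, now=1000), is_valid(tok, key, now=3000))
```

Two checks in the verifier are deliberate: the signature is compared in constant time, and the expected algorithm is fixed by the verifier rather than read from the header, so a token claiming `alg` of `none` or a different algorithm is rejected before any claim is trusted.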
  25. API Lifecycles
  26. API Lifecycle Management
     - Create new APIs from existing versions
     - Deploy multiple versions in parallel
     - Deprecate versions to remove them from the store
     - Retire them to un-deploy from the gateway
     - Keeps an audit of lifecycle changes
     - Supports custom lifecycles leveraging WSO2 Governance Registry
  27. Developer Portal
  28. Discover APIs
     - Users can search APIs by name, provider, version number, context, description, meta-data from docs, etc.
     - Tags to easily find all APIs related to the same domain
     - Notifications on new API versions
  29. Social Features
     - Share with fellow developers via social media or mail
     - Embed the API link into blogs, Tweets, etc.
  30. Forums
     - Rich editor embedded within the interface
     - Forums are searchable and indexed
  31. Customization
     - All API Store functionality is available through a REST API
     - Customization through CSS, HTML5, JavaScript
  32. Monetization
     - Configurable payment schemes to monetize API usage
     - Monetization rules are associated with tiers
     - Supports Free, Paid and Freemium models
     - Usually coupled with third-party invoice/payment software (such as Zuora)
  33. Testing APIs
  34. Embedded API Console
     - Part of the Swagger tooling suite
     - Integrates token access for fast testing
     - Gives direct access to the Swagger definition of the API
     - Supports Swagger schemas for predefined values
  35. Testing via ReadyAPI's SOAP UI
  36. API Gateway
  37. API Gateway Processing Workflow
  38. Message Transformation and Mediation
     - Custom mediation flows can be created by a developer and simply engaged by the API creator
     - Mediation flows can be created using Developer Studio and directly published to API Manager
     - Full power of the WSO2 ESB mediation language
     - Graphical and source view
     - Mediation flows are tenant-specific (not visible/usable across tenants)
  39. Workflows
     - Provides an extension point to engage a custom workflow
     - The default sample implementation leverages WSO2 Business Process Server, but a simple Java-based implementation or another BPM engine can also be used
     - Supports redirecting to third-party entities
     - Available for user self-sign-up, API subscription and application creation
  40. Deployment
  41. Component Deployment
     - Out of the box, all components are packaged together
     - They can also be deployed separately in an HA scenario (Active/Active, Active/Passive)
  42. Component Deployment (cont.)
  43. Multi-tenancy
     - Creation of multiple domains (tenants)
     - Each domain can have its own store or publish APIs to a central store; this is transparent to consumers
     - Typical use cases
       - Segmenting publishers by business unit or partner and restricting editing rights by domain
       - Creating an API marketplace: a one-stop store for domain APIs
     - API Cloud heavily leverages this functionality
  44. Recommended Deployment: API Facade Pattern
     - The API Gateway acts as a simple reverse proxy, enforcing policies and collecting monitoring information
     - Specific security checks/protection at the edge of the network
     - Invalid requests are stopped at the edge of the network
     - Clear separation of concerns between layers
     - The mediation and API management layers scale independently
     - You can combine the Façade and Mediation layers (if required) and run them as a single architecture layer
  45. WSO2 Platform Deployment Options
     - Stand-alone servers
     - Private clouds: e.g. Stratos, Kubernetes
     - Public clouds: e.g. AWS
     - Hybrid deployments
     - Dedicated hosting of any WSO2-based solution
       - The WSO2 operations team manages the deployment and keeps it running
       - 99.99% uptime SLA
       - Any AWS region of choice
       - Can be VPNed to the local network
       - Includes monitoring, backups, patching, updates
     - Shared public cloud
       - Currently available for application and API hosting (hosted API Manager and App Factory)
       - Preset multitenant deployment in AWS US East run by WSO2
       - Month-to-month credit card payment
  46. API Analytics
  47. Analytics
     - WSO2 API Manager supports Google Analytics and WSO2 Analytics out of the box
  48. Importance of the API Management & Analytics Combination
     - Build confidence in the API model
     - Understand your customer: not just the developer but also the end-user of APIs
     - Helps manage services and versions: understand when deprecated services can be retired
     - Be notified when abnormal events take place
     - Plan better
       - Monitor the growth of aggregated API traffic
       - Monitor the growth of specific apps
  49. WSO2 Analytics Platform
  50. WSO2 Analytics Platform (cont.)
     - Out-of-the-box reports covering all aspects of
       - Subscriber behavior
       - API usage
       - Performance
     - Can publish your own events from any API and build your own dashboards
  51. Reports for API Creators & Publishers
     - Stats on APIs
       - Published APIs Over Time
       - API Usage
       - API Response Times
       - API Last Access Times
       - Usage by Resource Path
       - Usage by Destination
       - API Usage Comparison
       - API Throttled Requests
       - Faulty Invocations
       - API Latency
       - API Usage Across Geo Locations
       - API Usage Across User Agent
     - Stats on Applications
       - App Throttled Requests
       - Applications Created Over Time
     - Stats on Subscriptions
       - API Subscriptions
       - Developer Signups Over Time
       - Subscriptions Created Over Time
  52. Reports for API Creators & Publishers (cont.)
  53. Reports for API Subscribers
     - API Usage per Application
     - Top Users per Application
     - API Usage from Resource Path per Application
     - Faulty Invocations per Application
  54. Real-time API Behavior Analysis
     - Leverages a real-time analytics streaming engine
     - Detects fraudulent token usage: indication of lost tokens via alerts on abnormal token renewals and access from unseen source IPs (abrupt changes of geo-location)
     - Supports API product managers in providing better customer service
       - Alerts when the API response time is outside normal parameters, indicating a potential SLA breach
       - Alerts when apps/users are throttled out for hitting their current subscription tier: a potential opportunity to proactively propose a tier upgrade or to adjust SLAs
       - Detects when APIs are not used as expected
     - Identifies erratic behavior and supports capacity planning
       - Alerts on a sudden spike/drop in the request count for an API resource in a given duration: a possible indication of a system problem
       - Determines trends in increased response times: an indication of potential issues with APIs or backend system capacity
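To make two of the slide 54 checks concrete, here is an added example that is not WSO2's analytics engine: a small streaming analyzer that flags a token used from a location never seen for that token before, and a sudden spike in the request count of an API resource compared with the previous window. The gateway events, the thresholds and the IP-to-country lookup that stands in for a geo-IP database are all constructed.

```python
"""Added example, not WSO2's analytics engine: two of the real-time checks from
slide 54 run over a constructed stream of gateway events, namely a token used
from a location never seen for it before, and a sudden spike in the request
count of an API resource within a window. The events, thresholds and the
IP-to-country lookup are constructed."""
from collections import defaultdict

# Constructed lookup standing in for a geo-IP database
GEO = {"10.0.0.5": "FR", "10.0.0.9": "FR", "203.0.113.7": "BR"}

# Constructed events: (timestamp seconds, token id, source ip, resource)
EVENTS = (
    [(0, "T1", "10.0.0.5", "/news"), (3, "T1", "10.0.0.5", "/news"), (6, "T1", "10.0.0.9", "/news")]
    + [(10 + i // 2, "T1", "10.0.0.5", "/news") for i in range(13)]
    + [(18, "T1", "203.0.113.7", "/news")]
)


class BehaviorAnalyzer:
    def __init__(self, window=10, spike_factor=4, min_baseline=2):
        self.window = window
        self.spike_factor = spike_factor
        self.min_baseline = min_baseline   # ignore spikes over a near-empty baseline
        self.seen = defaultdict(set)       # token -> countries it has been used from
        self.windows = {}                  # resource -> fixed-window counters

    def process(self, ts, token, ip, resource):
        alerts = []
        # 1. unseen location: the first sighting establishes the baseline, no alert
        country = GEO.get(ip, "unknown")
        if self.seen[token] and country not in self.seen[token]:
            alerts.append(f"unseen location: token {token} used from {country} ({ip})")
        self.seen[token].add(country)
        # 2. request-count spike: compare the current fixed window with the previous one
        w = self.windows.setdefault(resource, {"start": ts, "cur": 0, "prev": 0, "alerted": False})
        elapsed = int((ts - w["start"]) // self.window)
        if elapsed >= 1:
            w["prev"] = w["cur"] if elapsed == 1 else 0   # a gap means no usable baseline
            w["cur"], w["alerted"] = 0, False
            w["start"] += elapsed * self.window
        w["cur"] += 1
        if (not w["alerted"] and w["prev"] >= self.min_baseline
                and w["cur"] > self.spike_factor * w["prev"]):
            w["alerted"] = True   # alert once per window, not on every further request
            alerts.append(f"spike: {resource} got {w['cur']} requests vs {w['prev']} in the previous window")
        return alerts


def run(events, **kwargs):
    """Feed events in order and return every alert raised."""
    analyzer = BehaviorAnalyzer(**kwargs)
    alerts = []
    for ev in events:
        alerts.extend(analyzer.process(*ev))
    return alerts


if __name__ == "__main__":
    for line in run(EVENTS):
        print(line)
```

Both detections are deliberately stateful per key (per token for location, per resource for volume), which is what lets them run on a stream without a batch query. The `min_baseline` guard and the once-per-window flag keep a quiet resource or a single burst from generating a flood of alerts, which is the usual reason such rules get switched off in practice.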
  55. Why Real-time Analytics for APIs?
     - Blacklist & whitelist verifications in real time
     - Detect trends
     - Detect incoherencies in trends
     - Detect API call sequences that you don't want to allow
     - Detect non-usage scenarios (raise alerts on poor usage of a certain API)
  56. Example: Real-time Fraud Detection
  57. Log Analysis
     - Log analysis through reports on low-level system operations:
       - Log events: overall statistics of the types of log events created in a given time period
       - Application errors: breakdown of error log events based on exception category and error message
       - Artifact deployment stats: number of artifacts deployed in a given duration
       - Login failures: number of failed login attempts in a given duration
       - Number of API failures
       - Access token-related issues
     - Ability to view live log events on a per-tenant basis
  58. CONTACT US!