Sharing Best Practices and Recommendations from the Integration Battlefield

Slide 1
Isabelle Mauny, VP, Product, WSO2
Last Updated: Nov 2014
Lessons from the battlefield
Tuesday, December 9, 14

Slide 2: About the speaker...
๏ French native
๏ Living in Madrid
๏ Working mostly in Sri Lanka and Europe
๏ 17 years @ IBM, 5 years in startups
๏ Managing the overall WSO2 portfolio
๏ Linux command line user...

Slide 3: Who is WSO2?
๏ Open Source Middleware Platform Provider
๏ Apache 2.0 License
๏ Provides Integration, API Management, Security and Mobile enterprise management products
๏ Main contributor to Apache Stratos PaaS
๏ Creators of the DevOps “AppFactory” cloud solution

Slide 4: (image only, no text)

Slide 5: Architecture Roadmap
1. Decompose your existing business processes, data and capabilities into services
2. Make all services accessible via APIs, externally and internally
3. Put services and APIs under control!
4. Build an ecosystem around your APIs
5. Collect data on your new products and APIs

Slide 6: Creating and Managing Services

Slide 7: Services and APIs
๏ A service deals with implementation
๏ An API deals with subscription (consumer)
๏ Two very distinct life cycles!
๏ You don’t need the service to create the API...

Slide 8: API Lifecycle
๏ An API can pass through multiple states
๏ For example:
  ๏ CREATED
  ๏ PUBLISHED
  ๏ DEPRECATED
  ๏ RETIRED
  ๏ BLOCKED
๏ Should integrate with the complete governance lifecycle

Slide 9: Building a Managed API
๏ Creating APIs (interface, docs, samples, etc.)
๏ Advertising APIs
๏ Making APIs subscribe-able by consumers
๏ Associating SLAs
๏ Securing APIs
๏ Monetization and Analytics

Slide 10: API Security

Slide 11: API Security
๏ Security is not an afterthought!
๏ APIs are part of a much larger enterprise picture
๏ How will consumers request an access token?
  ๏ Using a SAML 2.0 assertion?
  ๏ Using client_credentials?
  ๏ Using userid/password?
๏ Make sure you document thoroughly how developers need to manage tokens:
  ๏ Tokens are like passwords!
  ๏ Always use SSL for token transportation!
  ๏ Use domain restrictions (WSO2 API Manager)

Slide 12: Fine-grained access to APIs
๏ OAuth2 is all about access control: a token is associated with a scope.
๏ XACML (eXtensible Access Control Markup Language) is the de-facto standard for fine-grained access control.
๏ OAuth scopes can be represented in XACML policies
๏ Provides fine-grained control over what a user/application can do (e.g. you can call GET but not POST on an API)

Slide 13: Passing Auth Information to back-end services
๏ Using JSON Web Tokens (JWT)
  ๏ Lightweight
  ๏ Can be signed
  ๏ Easy to parse and consume
  ๏ Standard

Slide 14: Token Format
๏ JWT Structure: {token info}.{claims list}.{signature}
๏ Base-64 Encoded

Slide 15: What are Claims?
๏ Claims are a set of attributes about a user, mapped to the underlying user store.
๏ A set of claims is called a dialect
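As an added example (not part of the original deck or of WSO2's code), the gateway-to-back-end JWT flow from slides 12 to 15: the gateway issues a base64url-encoded header.claims.signature token signed with HMAC-SHA256, the back-end verifies the signature before trusting any claim, and the scope claim decides which HTTP methods the caller may use. The shared secret, the scope names and the claim layout are constructed for the demo.

```python
import base64, hashlib, hmac, json

# Constructed demo secret shared by gateway and back-end (placeholder, not a real key).
SHARED_SECRET = b"demo-shared-secret-change-me"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Gateway side: {token info}.{claims list}.{signature}, each part base64url."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes = SHARED_SECRET) -> dict:
    """Back-end side: check the signature before trusting any claim."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not pick the algorithm
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))

# Constructed mapping of OAuth scopes to the HTTP methods they permit (GET but not POST).
SCOPE_METHODS = {"orders:read": {"GET"}, "orders:write": {"POST", "PUT", "DELETE"}}

def is_allowed(token: str, method: str) -> bool:
    """Allow the call only if a scope in the verified claims permits this method."""
    try:
        claims = verify_jwt(token)
    except ValueError:
        return False  # unsigned, tampered or malformed tokens never reach the scope check
    granted = set(claims.get("scope", "").split())
    return any(method in SCOPE_METHODS.get(s, set()) for s in granted)

if __name__ == "__main__":
    t = issue_jwt({"sub": "alice", "scope": "orders:read"})
    print(is_allowed(t, "GET"), is_allowed(t, "POST"))  # True False
```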
Slide 16: Deployment

Slide 17: Gateway vs. ESB
๏ Oh, but I already have an ESB! Why do I need a gateway?
๏ API Gateway vs. Mediation Layer (ESB)
๏ Gateway = light ESB?
๏ Think of ESB as an architecture pattern, not a product!

Slide 18: Generic Facade Pattern
๏ Pros
  ๏ No additional hop in the network
  ๏ Single server to be managed
  ๏ More suited for internal deployments
๏ Cons
  ๏ Complexity of integration at the edge of the network
  ๏ API Management layer can’t really scale independently
  ๏ Not appropriate for DMZ deployments (direct access to backend services)

Slide 19: Separated Facade & Mediation
๏ API Gateway layer acts as a simple reverse proxy, enforcing basic policies
๏ Clear separation of concern between layers
๏ Mediation layer and API management layer scale independently
๏ Specific security checks/protection at the edge of the network
๏ Provides protocol transformation at the edge of the network

Slide 20: Specific WSO2 Solution
๏ Our API gateway is actually a full-blown ESB under the hood, constrained at the UI level.
๏ You can install the missing ESB features on top of API Manager and combine both architecture layers into a single runtime!
๏ Makes the choice a deployment one.

Slide 21: Typical Deployment

Slide 22: Users Store
๏ Separate admins / corporate users from the developers’ user store (created via self-sign up)

Slide 23
You can’t manage what you can’t measure.

Slide 24: Why Analytics and API Management are important together
๏ Build confidence in the API model
๏ Understand your customer
  ๏ Not just the developer but also the end-user
๏ Help manage services and versions
  ๏ Understand when deprecated services can be retired
๏ Plan better
  ๏ Monitor the growth of aggregated API traffic
  ๏ Monitor the growth of specific apps
๏ Even if you’re not going to put analytics in place, make sure you capture all events right from the beginning of the project.

Slide 25: Analytics 101: Aggregation
• How to collect data efficiently
• How to store data effectively
• Choose which data to capture

Slide 26: Analytics 101: Analysis
• Data operations
• Defining KPIs and analytics
• Operating on large amounts of historical or current data
• Creating intelligence

Slide 27: Analytics 101: Presentation
• Visualization
• Dashboards
• Reports

Slide 28: Monitor And Analyze
๏ Take decisions in real time through Complex Event Processing
๏ Create dashboards for both technical and business monitoring

Slide 29: Detecting Usage Patterns
๏ My API customer is trying to steal my business: let’s block them.
๏ A customer is at 80% of their API plan: let’s warn them
๏ A customer is systematically at 120% of the plan: propose an upgrade to the premium plan

Slide 30: Demo

Slide 31: Demo Setup

Slide 32: References
๏ Building an ecosystem for API Security (White Paper)
  http://wso2.com/whitepapers/wso2-whitepaper-building-an-ecosystem-for-api-security/
๏ API Facade Pattern (Webinar)
  http://wso2.com/library/webinars/2014/01/implementing-api-facade-using-wso2-api-management-platform/
๏ API Management: missing link for SOA
  http://sanjiva.weerawarana.org/2012/08/api-management-missing-link-for-soa.html
๏ Promoting Service Reuse
  http://wso2.com/whitepapers/promoting-service-reuse-within-your-enterprise-and-maximizing-soa-success/

Slide 33: Download API Manager today!
๏ http://wso2.com/products/api-manager/

Slide 34: Contact us!