WSO2 API Manager 2.0.0
Overview
Agenda
o  Introduction
o  Creating APIs
o  Protecting APIs
o  APIs Lifecycles
o  Developer Portal
o  Testing APIs
o  API Gateway
o  Deployment
o  API Analytics
Introduction
APIs for Business Innovation
o  API - Business capability offered via a digital channel
o  Open internally and/or externally
o  Monitored
o  In some cases, monetized
o  Fuel for rapid innovation, development of new apps
Image: thinkpublic/photopin cc
API Management Platform
WSO2 API Manager
o  The only complete, 100% open source API Management solution
o  A cleanly integrated system supporting API publishing, lifecycle management, developer portal, access control and analytics
o  Backed by a high performance gateway
    o  A single node supports more than 100 million requests/day
    o  eBay handles up to 4.6 billion requests per day at peak times (Cyber Monday)
Chart: Product Downloads per period (June-Dec 2013, Jul-Dec 2014, Jul-Dec 2015)
Chart: Production Customers (Dec 2014, June 2015, Dec 2015)
WSO2 API Manager cont.
o  Includes social enablement such as ratings and tagging
o  Supports single sign-on with Facebook, Google Apps, etc.
o  Named a Strong Performer in this space by Forrester in 2014 and 2015
    o  Best API Design across all vendors
    o  Best Solution Cost for on-premise solution
    o  Extremely Satisfied customers
o  Available on-premise, as managed deployment and as SaaS application (API Cloud)
Competitive Advantage
o  API Management is part of a complete platform
    o  Integration
    o  Security (Identity Management, Federated Identity)
    o  API Analytics
o  Open Architecture
    o  Custom security tokens and grant types
    o  Custom store/developer portal user interface
    o  Custom user repositories
    o  Custom transports to back-end
o  Available on-premise, as managed offering, as SaaS offering - Same code everywhere
Competitive Advantage cont.
o  Scalable Architecture
    o  Each component (Gateway, Dev Portal, Admin Portal, Key Server) can be deployed and scaled separately
    o  Over 5000 TPS for a single node
o  Business Model
    o  Subscriptions only for production systems - Makes cost very competitive
    o  Pricing is adapted to small, medium and enterprise customers
    o  Cost linked to instances, not to machine power
    o  No community vs. enterprise distinction
Typical Use Cases
o  Expose APIs for internal consumption
    o  Manage APIs used in internal applications
    o  Internal Monetization
    o  Control Access to Cloud Services - Manage and secure access from internal applications to cloud services (e.g. SalesForce and Google Apps)
o  APIs for public consumption
    o  Extend your business through APIs
    o  Integrate with partners and customers
API Manager Components
Creating APIs
Getting Started
o  For REST - Start from an existing API definition (Swagger 2.0) or start from scratch
o  For SOAP - Start from a WSDL and generate the default mapping and definition
REST API Editing
o  Basic editor to create the API structure
REST API Editing cont.
o  Swagger editor (YAML-based) for advanced editing, configuration, etc.
API Documentation
Protecting APIs
API Access Tokens
o  OAuth2 standard compliant
o  Supports multiple Grant Types
    o  SAML, IWA/NTLM
    o  Client credentials, Implicit, Password
o  Pre-generated Access Token - Mostly used for testing
o  On-demand Access Token - Generated via API call to the Gateway, using any of the supported Grant Types
o  Tokens can be refreshed/revoked via API calls as well
Pluggable OAuth Authorization Server
o  OAuth token management is by default done with WSO2’s Key Server (based on WSO2’s Identity Server)
o  Can be replaced by a third-party authorization server capable of creating, refreshing, validating and revoking OAuth tokens
Limiting Access to API Resources
o  Achieved through OAuth scopes - A scope defines what can be accessed by a token
o  How to request a token carrying scopes (token request body):
    grant_type=password&username=john&password=john123&scope=news_read news_write
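The scope flow on this slide, as an added example (not WSO2 code): the token request above is parsed, a token is issued carrying only the scopes the user is entitled to, and the gateway refuses a resource call when the token lacks the resource's scope. The user table, resource table and in-memory token store are constructed for the example.

```python
"""Scope-based access control at an API gateway (constructed example).

Models the slide's flow: a client sends the token request shown above
(grant_type=password ... scope=news_read news_write), the authorization
server issues a token bound to the scopes it actually grants, and the gateway
checks the scope required by each API resource before forwarding the call.
The user table, resource table and token store are constructed for the example.
"""
import secrets
from urllib.parse import parse_qs

# Constructed user database: password and the scopes each user may be granted.
USERS = {
    "john": {"password": "john123", "allowed_scopes": {"news_read", "news_write"}},
    "guest": {"password": "guest", "allowed_scopes": {"news_read"}},
}

# Constructed resource table: (method, path) -> scope a token must carry.
RESOURCE_SCOPES = {
    ("GET", "/news/1.0/articles"): "news_read",
    ("POST", "/news/1.0/articles"): "news_write",
}

TOKENS = {}  # opaque access token -> set of granted scopes


def issue_token(request_body):
    """Handle a password-grant token request body.

    Returns (access_token, granted_scopes). Requested scopes the user is not
    entitled to are dropped, so the issued token never carries more than the
    user is allowed, whatever the client asked for.
    """
    params = parse_qs(request_body)
    if params.get("grant_type") != ["password"]:
        raise ValueError("unsupported_grant_type")
    username = params.get("username", [""])[0]
    password = params.get("password", [""])[0]
    user = USERS.get(username)
    # Constant-time comparison so a wrong password does not leak via timing.
    if user is None or not secrets.compare_digest(user["password"], password):
        raise ValueError("invalid_grant")
    requested = set(params.get("scope", [""])[0].split())
    granted = requested & user["allowed_scopes"]
    token = secrets.token_urlsafe(32)
    TOKENS[token] = granted
    return token, granted


def gateway_authorize(method, path, token):
    """Gateway decision for one call: 401 unknown token, 404 unknown resource,
    403 token lacks the resource's scope, 200 otherwise."""
    scopes = TOKENS.get(token)
    if scopes is None:
        return 401
    required = RESOURCE_SCOPES.get((method, path))
    if required is None:
        return 404
    return 200 if required in scopes else 403
```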
Throttling & Rate Limiting
o  Throttling
    o  Regulates API traffic
    o  Makes APIs and applications available to consumers at different service levels
    o  Secures APIs against attacks (e.g. DoS attacks)
o  Throttling is controlled through tier-based policies - A tier is defined by a time duration and a maximum number of requests during that duration
o  Tiers can be applied at application, API and API resource levels
Throttling & Rate Limiting cont.
o  At subscription time, API users can choose the tiers they can subscribe to - This default behavior can be overridden through usage of workflows
o  Throttling policies encompass:
    o  Standard usage quotas for total subscriptions and resources
    o  Rate limiting based on complex, extensible and dynamic rules, scenarios and events
    o  Complex throttling policies (with transport headers, IP addresses, etc.) can be created on the fly
    o  Facilitates blacklisting users/applications abusing rate limits
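Tier-based throttling as described on the two slides above, as an added example (not WSO2 code): a tier is a window plus a maximum request count, one counter is kept per level (application, API, resource), and a request is admitted only when all three levels have room. Keying the API and resource counters per application is an assumption made for the example, as are the tier names and limits.

```python
"""Tier-based throttling at application, API and resource levels (constructed).

As on the slide, a tier is a time window plus a maximum number of requests
in that window. Each level keeps its own fixed-window counter keyed per
application (an assumption made for the example), and a request is admitted
only when every level's tier still has room. Tier names and limits are
constructed for the example.
"""
from collections import defaultdict

# Constructed tiers: name -> (window length in seconds, max requests per window;
# None means unlimited).
TIERS = {"Bronze": (60, 5), "Silver": (60, 20), "Unlimited": (60, None)}


class Throttler:
    def __init__(self):
        self._windows = defaultdict(lambda: [None, 0])  # (level, key) -> [start, count]
        self.throttled = []  # (time, level, key) of each rejection, for alerting

    def _has_room(self, level, key, tier, now):
        duration, limit = TIERS[tier]
        if limit is None:
            return True
        win = self._windows[(level, key)]
        # Start a fresh window once the current one has expired.
        if win[0] is None or now - win[0] >= duration:
            win[0], win[1] = now, 0
        return win[1] < limit

    def admit(self, now, app, api, resource, app_tier, api_tier, resource_tier):
        """Return True and count the request if every level has room.

        Counting happens only after all three checks pass, so a request
        rejected at one level does not consume quota at the others.
        """
        checks = [
            ("app", app, app_tier),
            ("api", (app, api), api_tier),
            ("resource", (app, api, resource), resource_tier),
        ]
        for level, key, tier in checks:
            if not self._has_room(level, key, tier, now):
                self.throttled.append((now, level, key))
                return False
        for level, key, _ in checks:
            self._windows[(level, key)][1] += 1
        return True
```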
Throttling & Rate Limiting cont.
JWT Token Creation
o  Using JSON Web Tokens (JWT)
    o  Lightweight
    o  Can be signed
    o  Easy to parse and consume
    o  Standard
o  JWT Structure: {token info}.{claims list}.{signature}
o  Base64 or Base64 URL encoded
o  Contents of the JWT are configurable
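The three-part, base64url-encoded structure above, as an added example (not WSO2 code): a JWT is built and then verified, with the signature checked in constant time and the algorithm pinned rather than taken from the token. HMAC-SHA256 with a shared secret is used so the example needs only the standard library; the claim names and secret are constructed for the example.

```python
"""Build and verify the {header}.{claims}.{signature} JWT structure (constructed).

Each part is base64url-encoded with padding stripped. HMAC-SHA256 with a shared
secret is an assumption made so the example runs with the standard library alone;
the claim names are constructed, not the gateway's configured set.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped when the token was built.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, secret: bytes) -> str:
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes, now: float = None) -> dict:
    """Return the claims if signature and expiry check out, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated parts")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    current = now if now is not None else time.time()
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```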
API Lifecycles
API Lifecycle Management
o  Create new APIs from existing versions
o  Deploy multiple versions in parallel
o  Deprecate versions to remove them from the store
o  Retire them to un-deploy from the gateway
o  Keeps an audit of lifecycle changes
o  Supports custom lifecycles leveraging WSO2 Governance Registry
Developer Portal
Discover APIs
o  Users can search APIs by name, provider, version number, context, description, meta-data from docs, etc.
o  Tags to easily find all APIs related to the same domain
o  Notifications on new API versions
Social Features
o  Share with fellow developers via social media or mail
o  Embed API link into blogs, Tweets, etc.
Forums
o  Rich editor embedded within interface
o  Forums are searchable and indexed
Customization
o  All API store functionality available through REST API
o  Customization through CSS, HTML5, JavaScript
Monetization
o  Configurable payment schemes to monetize API usage
o  Monetization rules are associated to Tiers
o  Supports Free, Paid, Freemium models
o  Usually coupled with 3rd party invoice/payment plans software (such as Zuora)
Testing APIs
Embedded API Console
o  Part of Swagger tooling suite
o  Integrates token access for fast testing
o  Gives direct access to Swagger definition of API
o  Supports Swagger schemas for predefined values
Testing via ReadyAPI’s SOAP UI
API Gateway
API Gateway Processing Workflow
Message Transformation and Mediation
o  Custom mediation flows can be created by a developer and simply engaged by the API Creator
o  Mediation flows can be created using Developer Studio and directly published to API Manager
    o  Full power of the WSO2 ESB mediation language
    o  Graphical and Source view
o  Mediation flows are tenant-specific (not visible/usable across tenants)
Workflows
o  Provides an extension point to engage a custom workflow
o  The default sample implementation leverages WSO2 Business Process Server, but a simple Java-based implementation or another BPM engine can also be used
o  Supports redirecting to third-party entities
o  Available for user self-sign-up, API subscription and application creation
Deployment
Component Deployment
o  Out-of-the-box, all components are packaged together
o  They can also be deployed separately in an HA scenario – Active/Active, Active/Passive
Component Deployment cont.
Multi-tenancy
o  Creation of multiple domains (tenants)
o  Each domain can have its own store or publish APIs to a central store - This is transparent to consumers
o  Typical Use Cases
    o  Segmenting publishers by business unit or partner and restricting editing rights by domain
    o  Create an API marketplace - one-stop store for domain APIs
    o  API Cloud heavily leverages this functionality
Recommended Deployment: API Facade Pattern
o  API Gateway acts as a simple reverse proxy, enforcing policies and collecting monitoring information
o  Specific security checks/protection at the edge of the network
o  Invalid requests are stopped at the edge of the network
o  Clear separation of concerns between layers
o  The mediation and API management layers scale independently
o  You can combine the Façade and Mediation layers (if required) and run them as a single architecture layer
WSO2 Platform Deployment Options
o  Stand-alone servers
o  Private clouds: e.g. Stratos, Kubernetes
o  Public Clouds: e.g. AWS
o  Hybrid deployments
o  Dedicated hosting of any WSO2-based solutions
    o  WSO2 operations team is managing the deployment and keeps it running
    o  99.99% uptime SLA
    o  Any AWS region of choice
    o  Can be VPNed to local network
    o  Includes monitoring, backups, patching, updates
o  Shared public cloud
    o  Currently available for application and API hosting (hosted API Manager and App Factory)
    o  Preset multitenant deployment in AWS US East run by WSO2
    o  Month-to-month credit card payment
API Analytics
Analytics
o  WSO2 API Manager out-of-the-box supports Google Analytics and WSO2 Analytics
Importance of API Management & Analytics
Combination
o  Build confidence in the API model
o  Understand your customer - Not just the developer but also the end-user of APIs
o  Helps manage services and versions - Understand when deprecated services can be retired
o  Be notified when abnormal events take place
o  Plan better
    o  Monitor the growth of aggregated API traffic
    o  Monitor the growth of specific apps
WSO2 Analytics Platform
WSO2 Analytics Platform cont.
o  Out-of-the-box reports covering all aspects of
    o  Subscriber behavior
    o  API usage
    o  Performance
o  Can publish your own events from any API and build your own dashboards
Reports for API Creators & Publishers
o  Stats on APIs
    o  Published APIs Over Time
    o  API Usage
    o  API Response Times
    o  API Last Access Times
    o  Usage by Resource Path
    o  Usage by Destination
    o  API Usage Comparison
    o  API Throttled Requests
    o  Faulty Invocations
    o  API Latency
    o  API Usage Across Geo Locations
    o  API Usage Across User Agent
o  Stats on Applications
    o  App Throttled Requests
    o  Applications Created Over Time
o  Stats on Subscriptions
    o  API Subscriptions
    o  Developer Signups Over Time
    o  Subscriptions Created Over Time
Reports for API Creators & Publishers cont.
Reports for API Subscribers
o  API Usage per Application
o  Top Users per Application
o  API Usage from Resource Path per Application
o  Faulty Invocation per Application
Real-time API Behavior Analysis
o  Leverages a real-time analytics streaming engine
o  Detects fraudulent token usage - Indication of lost tokens via alerts on abnormal token renewals and unseen source IP access (abrupt changes to geo-location)
o  Supports API product managers to provide better customer service
    o  Alerts when API response time is outside normal parameters, indicating a potential SLA breach
    o  Alerts when apps/users are throttled out for hitting the current subscription tier - potential opportunity to proactively propose a tier upgrade or to adjust SLAs
    o  Detects when APIs are not used as expected
o  Identifies erratic behavior and supports capacity planning
    o  Alerts on a sudden spike/drop in the request count in a given duration for an API resource – Possible indication of a system problem
    o  Determines trends in increased response times – Indication of potential issues with APIs or backend system capacity
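Three of the real-time checks on this slide run over a constructed event stream, as an added example (not WSO2 Analytics code): a token used from a source IP never seen for it, abnormal token renewals in a sliding window, and a request-count spike for an API resource compared with the previous window. The event format, thresholds, token ids and log lines are all constructed for the example.

```python
"""Streaming alerts over gateway events (constructed example): unseen source IP
for a token, abnormal token renewals, and request-count spikes per API resource.
The event format, thresholds and log lines are constructed for the example.
"""
from collections import defaultdict, deque

# Constructed event stream: epoch seconds, event, token id, source IP, resource.
SAMPLE_EVENTS = """\
1000 invoke tokA 198.51.100.7 GET:/news/1.0/articles
1010 invoke tokA 198.51.100.7 GET:/news/1.0/articles
1020 renew  tokA 198.51.100.7 -
1025 invoke tokA 203.0.113.9  POST:/news/1.0/articles
1030 renew  tokA 203.0.113.9  -
1035 renew  tokA 203.0.113.9  -
1040 renew  tokA 203.0.113.9  -
1060 invoke tokB 198.51.100.8 GET:/news/1.0/articles
1061 invoke tokB 198.51.100.8 GET:/news/1.0/articles
1062 invoke tokB 198.51.100.8 GET:/news/1.0/articles
1063 invoke tokB 198.51.100.8 GET:/news/1.0/articles
1064 invoke tokB 198.51.100.8 GET:/news/1.0/articles
1065 invoke tokB 198.51.100.8 GET:/news/1.0/articles
1066 invoke tokB 198.51.100.8 GET:/news/1.0/articles
"""


class ApiBehaviorMonitor:
    def __init__(self, renew_window=60, renew_limit=3, spike_window=60, spike_factor=3):
        self.renew_window, self.renew_limit = renew_window, renew_limit
        self.spike_window, self.spike_factor = spike_window, spike_factor
        self.seen_ips = defaultdict(set)    # token -> source IPs seen so far
        self.renewals = defaultdict(deque)  # token -> renewal timestamps in window
        self.windows = {}                   # resource -> [start, count, previous count]
        self.alerts = []

    def process(self, line):
        ts, event, token, ip, resource = line.split()
        ts = int(ts)
        # First sighting of a token is the baseline; any later new IP is an alert.
        if ip not in self.seen_ips[token]:
            if self.seen_ips[token]:
                self.alerts.append((ts, "unseen_source_ip", token, ip))
            self.seen_ips[token].add(ip)
        if event == "renew":
            q = self.renewals[token]
            q.append(ts)
            while ts - q[0] > self.renew_window:
                q.popleft()
            # Fires on the renewal that takes the sliding count over the limit.
            if len(q) == self.renew_limit + 1:
                self.alerts.append((ts, "abnormal_token_renewals", token, len(q)))
        elif event == "invoke":
            w = self.windows.setdefault(resource, [ts, 0, 0])
            if ts - w[0] >= self.spike_window:
                # Roll the fixed window; the finished count becomes the baseline
                # unless a whole window went by with no traffic.
                w[2] = w[1] if ts - w[0] < 2 * self.spike_window else 0
                w[0], w[1] = ts, 0
            w[1] += 1
            # Fires once, on the request that crosses spike_factor x baseline.
            if w[2] and w[1] == self.spike_factor * w[2] + 1:
                self.alerts.append((ts, "request_spike", resource, w[1]))

    def run(self, text):
        for line in text.splitlines():
            if line.strip():
                self.process(line)
        return self.alerts
```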
Why Real-time Analytics for APIs?
o  Blacklist & whitelist verifications in real time
o  Detect trends
o  Detect incoherencies in trends
o  Detect API call sequences that you don’t want to allow
o  Detect non-usage scenarios (raise alerts on poor usage of a certain API)
Example – Real-time Fraud Detection
Log Analysis
o  Log Analysis through reports on low-level system operations:
    o  Log events - Overall statistics of the types of log events created in a given time period
    o  Application errors - Breakdown of error log events based on exception category and error message
    o  Artifact deployment stats - Number of artifacts deployed in a given duration
    o  Login failures - Number of failed login attempts in a given duration
    o  Number of API failures
    o  Access token-related issues
o  Ability to view live log events on a per-tenant basis
CONTACT US!

WSO2 API Manager - Product Overview