Transcript
Page 1: Sharing Best Practices and Recommendations from the Integration Battlefield

Last Updated: Nov 2014

Isabelle Mauny, VP, Product, WSO2

Lessons from the battlefield

Tuesday, December 9, 14

Page 2: Sharing Best Practices and Recommendations from the Integration Battlefield

About the speaker...

๏ French native

๏ Living in Madrid

๏ Working mostly in Sri Lanka and Europe

๏ 17 years @ IBM, 5 years in startups

๏ Managing the overall WSO2 portfolio

๏ Linux command line user...

Page 3: Sharing Best Practices and Recommendations from the Integration Battlefield

Who is WSO2?

๏ Open Source Middleware Platform Provider

๏ Apache 2.0 License

๏ Provides Integration, API Management, Security and Mobile enterprise management products

๏ Main contributor to Apache Stratos PaaS

๏ Creators of DevOps "AppFactory" cloud solution

Page 4: Sharing Best Practices and Recommendations from the Integration Battlefield


Page 5: Sharing Best Practices and Recommendations from the Integration Battlefield

Architecture Roadmap

1. Decompose your existing business processes, data and capabilities into services

2. Make all services accessible via APIs, externally and internally

3. Put services and APIs under control!

4. Build an ecosystem around your APIs

5. Collect data on your new products and APIs

Page 6: Sharing Best Practices and Recommendations from the Integration Battlefield

Creating and Managing Services

Page 7: Sharing Best Practices and Recommendations from the Integration Battlefield

Services and APIs

๏ Service deals with implementation

๏ API deals with subscription (consumer)

๏ Two very distinct life cycles!

๏ You don't need the service to create the API...

Page 8: Sharing Best Practices and Recommendations from the Integration Battlefield

API Lifecycle

๏ An API can pass through multiple states

๏ For example:

  ๏ CREATED
  ๏ PUBLISHED
  ๏ DEPRECATED
  ๏ RETIRED
  ๏ BLOCKED

๏ Should integrate with complete governance lifecycle

Page 9: Sharing Best Practices and Recommendations from the Integration Battlefield

Building a Managed API

๏ Creating APIs (interface, docs, samples, etc.)

๏ Advertising APIs

๏ Making APIs subscribe-able by consumers

๏ Associating SLAs

๏ Securing APIs

๏ Monetization and Analytics

Page 10: Sharing Best Practices and Recommendations from the Integration Battlefield

API Security

Page 11: Sharing Best Practices and Recommendations from the Integration Battlefield

API Security

๏ Security is not an afterthought!

๏ APIs are part of a much larger enterprise picture

๏ How will consumers request an access token?

  ๏ Using a SAML 2.0 assertion?
  ๏ Using client_credentials?
  ๏ Using userid/password?

๏ Make sure you document thoroughly how developers need to manage tokens:

  ๏ Tokens are like passwords!
  ๏ Always use SSL for token transportation!
  ๏ Use Domain restrictions (WSO2 API Manager)

Page 12: Sharing Best Practices and Recommendations from the Integration Battlefield

Fine-grained access to APIs

๏ OAuth2 is all about access control: a token is associated to a scope.

๏ XACML (eXtensible Access Control Markup Language) is the de-facto standard for fine-grained access control.

๏ OAuth scope can be represented in XACML policies

๏ Provides fine-grained control over what a user/application can do (e.g. you can call GET but not POST on an API)

Page 13: Sharing Best Practices and Recommendations from the Integration Battlefield

Passing Auth Information to back-end services

๏ Using JSON Web Tokens (JWT)

  ๏ Lightweight
  ๏ Can be signed
  ๏ Easy to parse and consume
  ๏ Standard

Page 14: Sharing Best Practices and Recommendations from the Integration Battlefield

Token Format

๏ JWT Structure: {token info}.{claims list}.{signature}

๏ Base-64 Encoded

Page 15: Sharing Best Practices and Recommendations from the Integration Battlefield

What are Claims?

๏ Claims are a set of attributes about a user, mapped to the underlying user store.

๏ A set of claims is called a dialect

Page 16: Sharing Best Practices and Recommendations from the Integration Battlefield

Deployment

Page 17: Sharing Best Practices and Recommendations from the Integration Battlefield

Gateway vs. ESB

๏ Oh, but I already have an ESB! Why do I need a gateway?

๏ API Gateway vs. Mediation Layer (ESB)

  ๏ Gateway = light ESB?

๏ Think of ESB as an architecture pattern, not a product!

Page 18: Sharing Best Practices and Recommendations from the Integration Battlefield

Generic Facade Pattern

๏ Pros

  ๏ No additional hop in the network
  ๏ Single Server to be managed
  ๏ More suited for internal deployments

๏ Cons

  ๏ Complexity of integration at edge of network
  ๏ API Management layer can't really scale independently
  ๏ Not appropriate for DMZ deployments (direct access to backend services)

Page 19: Sharing Best Practices and Recommendations from the Integration Battlefield

Separated Facade & Mediation

๏ API Gateway Layer acts as simple reverse proxy, enforcing basic policies

๏ Clear separation of concern between layers

๏ Mediation layer and API management layer scale independently

๏ Specific security checks/protection at edge of the network

๏ Provides protocol transformation to the edge of the network

Page 20: Sharing Best Practices and Recommendations from the Integration Battlefield

Specific WSO2 Solution

๏ Our API gateway is actually a full-blown ESB under the hood, constrained at UI level.

๏ You can install the missing ESB features on top of API manager and combine both architecture layers into a single runtime!

๏ Makes the choice a deployment one.

Page 21: Sharing Best Practices and Recommendations from the Integration Battlefield

Typical Deployment

Page 22: Sharing Best Practices and Recommendations from the Integration Battlefield

Users Store

๏ Separate admins / corporate users from the developers' user store (created via self-sign up)

Page 23: Sharing Best Practices and Recommendations from the Integration Battlefield

You can't manage what you can't measure.

Page 24: Sharing Best Practices and Recommendations from the Integration Battlefield

Why Analytics and API Management are important together?

๏ Build confidence in the API model

๏ Understand your customer

  ๏ Not just the developer but also the end-user

๏ Help manage services and versions

  ๏ Understand when deprecated services can be retired

๏ Plan better

  ๏ Monitor the growth of aggregated API traffic
  ๏ Monitor the growth of specific apps

๏ Even if you're not going to put analytics in place, make sure you capture all events right from the beginning of the project.

Page 25: Sharing Best Practices and Recommendations from the Integration Battlefield

Analytics 101: Aggregation

• How to collect data efficiently

• How to store data effectively

• Choose which data to capture

Page 26: Sharing Best Practices and Recommendations from the Integration Battlefield

Analytics 101: Analysis

• Data operations

• Defining KPIs and analytics

• Operating on large amounts of historical or current data

• Creating intelligence

Page 27: Sharing Best Practices and Recommendations from the Integration Battlefield

Analytics 101: Presentation

• Visualization

• Dashboards

• Reports

Page 28: Sharing Best Practices and Recommendations from the Integration Battlefield

Monitor And Analyze

๏ Take decisions in real time through Complex Event Processing

๏ Create dashboards for both technical and business monitoring

Page 29: Sharing Best Practices and Recommendations from the Integration Battlefield

Detecting Usage Patterns

๏ My API customer is trying to steal my business: let's block them.

๏ A customer is at 80% of API plan: let's warn them

๏ A customer is systematically at 120% of the plan: propose an upgrade to the premium plan

Page 30: Sharing Best Practices and Recommendations from the Integration Battlefield

Demo

Page 31: Sharing Best Practices and Recommendations from the Integration Battlefield

Demo Setup

Page 32: Sharing Best Practices and Recommendations from the Integration Battlefield

References

๏ Building an ecosystem for API Security (White Paper)

  ๏ http://wso2.com/whitepapers/wso2-whitepaper-building-an-ecosystem-for-api-security/

๏ API Facade Pattern (Webinar)

  ๏ http://wso2.com/library/webinars/2014/01/implementing-api-facade-using-wso2-api-management-platform/

๏ API Management: missing link for SOA

  ๏ http://sanjiva.weerawarana.org/2012/08/api-management-missing-link-for-soa.html

๏ Promoting Service Reuse

  ๏ http://wso2.com/whitepapers/promoting-service-reuse-within-your-enterprise-and-maximizing-soa-success/

Page 33: Sharing Best Practices and Recommendations from the Integration Battlefield

Download API Manager today!

๏ http://wso2.com/products/api-manager/

