Sharing Best Practices and Recommendations from the Integration Battlefield


DESCRIPTION

APIs are the tip of the iceberg of enterprise integration. In this workshop, Isabelle Mauny, VP of Product Management at WSO2, discussed how WSO2's customers engaged in successful enterprise deployments. She shared best practices and recommendations from the "integration battlefield" around security, monitoring and performance. Isabelle hosted this workshop at API Days Paris.


Page 1: Sharing Best Practices and Recommendations from the Integration Battlefield

Last Updated: Nov 2014

Isabelle Mauny, VP, Product, WSO2

Lessons from the battlefield

Tuesday, December 9, 14

Page 2: Sharing Best Practices and Recommendations from the Integration Battlefield

About the speaker...

• French native
• Living in Madrid
• Working mostly in Sri Lanka and Europe
• 17 years @ IBM, 5 years in startups
• Managing the overall WSO2 portfolio
• Linux command line user...

Page 3: Sharing Best Practices and Recommendations from the Integration Battlefield

Who is WSO2?

• Open Source Middleware Platform Provider
• Apache 2.0 License
• Provides Integration, API Management, Security and Mobile enterprise management products
• Main contributor to Apache Stratos PaaS
• Creators of the DevOps "AppFactory" cloud solution

Page 5: Sharing Best Practices and Recommendations from the Integration Battlefield

Architecture Roadmap

1. Decompose your existing business processes, data and capabilities into services
2. Make all services accessible via APIs, externally and internally
3. Put services and APIs under control!
4. Build an ecosystem around your APIs
5. Collect data on your new products and APIs

Page 6: Sharing Best Practices and Recommendations from the Integration Battlefield

Creating and Managing Services

Page 7: Sharing Best Practices and Recommendations from the Integration Battlefield

Services and APIs

• Service deals with implementation
• API deals with subscription (consumer)
• Two very distinct life cycles!
• You don't need the service to create the API...

Page 8: Sharing Best Practices and Recommendations from the Integration Battlefield

API Lifecycle

• An API can pass through multiple states
• For example:
  • CREATED
  • PUBLISHED
  • DEPRECATED
  • RETIRED
  • BLOCKED
• Should integrate with the complete governance lifecycle

Page 9: Sharing Best Practices and Recommendations from the Integration Battlefield

Building a Managed API

• Creating APIs (interface, docs, samples, etc.)
• Advertising APIs
• Making APIs subscribe-able by consumers
• Associating SLAs
• Securing APIs
• Monetization and Analytics

Page 10: Sharing Best Practices and Recommendations from the Integration Battlefield

API Security

Page 11: Sharing Best Practices and Recommendations from the Integration Battlefield

API Security

• Security is not an afterthought!
• APIs are part of a much larger enterprise picture
• How will consumers request an access token?
  • Using a SAML 2.0 assertion?
  • Using client_credentials?
  • Using userid/password?
• Make sure you document thoroughly how developers need to manage tokens:
  • Tokens are like passwords! A bearer token grants access to whoever presents it, so it must be stored and logged with the same care.
  • Always use SSL/TLS for token transportation!
  • Use domain restrictions (WSO2 API Manager) to limit where a token can be used from
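The three ways of requesting a token listed on this slide, as an added example (not WSO2 code): the block builds the HTTP token request for each grant type and refuses to build one against a non-https token endpoint. The endpoint URL, consumer key/secret and the SAML assertion bytes are placeholders; the request shapes follow RFC 6749 (client_credentials and password grants) and RFC 7522 (SAML 2.0 bearer assertion).

```python
"""Build OAuth2 token requests for the three grant types named on the slide.

Added example; it is not WSO2 code. The endpoint URL, consumer key/secret
and the SAML assertion bytes are made-up placeholders.
"""
import base64
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values: a real deployment gets these from the API store.
TOKEN_ENDPOINT = "https://gateway.example.com:8243/token"
CONSUMER_KEY = "cKeyExample"
CONSUMER_SECRET = "cSecretExample"

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522


def basic_auth_header(key, secret):
    """RFC 6749 section 2.3.1: client credentials go in HTTP Basic, not the body."""
    raw = f"{key}:{secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(grant, endpoint=TOKEN_ENDPOINT, scope=None, **params):
    """Return (url, headers, body) for a token request, or raise on an insecure endpoint.

    grant is one of 'client_credentials', 'password' or 'saml2'.
    For 'password', pass username= and password=.
    For 'saml2', pass assertion= (the raw SAML 2.0 assertion XML, as bytes).
    """
    if urlparse(endpoint).scheme != "https":
        # Tokens are like passwords: never let them travel in the clear.
        raise ValueError("token endpoint must be https: " + endpoint)

    if grant == "client_credentials":
        form = {"grant_type": "client_credentials"}
    elif grant == "password":
        form = {"grant_type": "password",
                "username": params["username"],
                "password": params["password"]}
    elif grant == "saml2":
        # RFC 7522: the assertion is Base64url-encoded with padding stripped.
        enc = base64.urlsafe_b64encode(params["assertion"]).rstrip(b"=").decode()
        form = {"grant_type": SAML2_BEARER, "assertion": enc}
    else:
        raise ValueError("unknown grant: " + grant)

    if scope:
        form["scope"] = " ".join(scope)

    headers = {
        "Authorization": basic_auth_header(CONSUMER_KEY, CONSUMER_SECRET),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return endpoint, headers, urlencode(form)


def parse_form(body):
    """Inspect a body produced above (urlencoded string -> dict of single values)."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def request_token(grant, **kw):
    """Send the request and return the parsed JSON token response (network call)."""
    url, headers, body = build_token_request(grant, **kw)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    url, hdrs, body = build_token_request("client_credentials", scope=["read"])
    print(url, hdrs["Authorization"], body)
```

The client secret travels in the Authorization header rather than the form body, and the https check runs before anything is assembled, so a misconfigured endpoint fails closed instead of leaking credentials over plain HTTP.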

Page 12: Sharing Best Practices and Recommendations from the Integration Battlefield

Fine-grained access to APIs

• OAuth2 is all about access control: a token is associated with a scope that bounds what it may be used for.
• XACML (eXtensible Access Control Markup Language) is the de-facto standard for fine-grained access control.
• OAuth scopes can be represented in XACML policies
• Provides fine-grained control over what a user/application can do (e.g. you can call GET but not POST on an API)

Page 13: Sharing Best Practices and Recommendations from the Integration Battlefield

Passing Auth Information to back-end services

• Using JSON Web Tokens (JWT)
  • Lightweight
  • Can be signed
  • Easy to parse and consume
  • Standard

Page 14: Sharing Best Practices and Recommendations from the Integration Battlefield

Token Format

• JWT structure: {header (token info)}.{claims}.{signature}
• Each part is Base64url-encoded (URL-safe alphabet, no padding), and the signature covers the first two parts, so the back end can detect any change to the claims.
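One worked example for this slide and the two before it (scope per HTTP method on slide 12, JWT to the back end on slide 13), added here and not WSO2's code: the gateway mints a signed JWT carrying the user's claims and scope, the back end verifies the signature, expiry and audience, then allows GET but denies POST according to the token's scope. WSO2 API Manager signs its back-end JWT with the key in its keystore; this example uses HS256 with a shared secret so that it runs on the Python standard library alone. The key, claim values and the scope-to-method table are assumptions.

```python
"""Gateway-to-backend JWT, end to end: mint, verify, enforce scope per method.

Added example; it is not WSO2 code. HS256 with a shared secret stands in for
the gateway's keystore signature so the block needs only the standard library.
The key, claim names and the scope-to-method table are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

SHARED_KEY = b"change-me-32-bytes-of-real-entropy"  # hypothetical gateway/backend secret


def b64url(data: bytes) -> str:
    """JWT parts use Base64url without padding (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Gateway side: header.claims.signature, HS256 over 'header.claims'."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, key: bytes = SHARED_KEY, audience: str = None,
               now: float = None) -> dict:
    """Backend side: return the claims or raise ValueError.

    The backend fixes the algorithm itself instead of trusting the header's
    'alg', which is what blocks 'alg: none' and algorithm-confusion tokens.
    """
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if audience is not None and claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims


# Scope required per HTTP method: the "GET but not POST" rule from slide 12.
# Assumed names; a XACML PDP would hold the same rule as a policy.
REQUIRED_SCOPE = {"GET": "orders:read", "POST": "orders:write", "DELETE": "orders:write"}


def authorize(token: str, method: str, audience: str = "orders-service",
              now: float = None) -> bool:
    """Verify the JWT, then check the token's space-separated scopes against the method."""
    try:
        claims = verify_jwt(token, audience=audience, now=now)
    except ValueError:
        return False
    needed = REQUIRED_SCOPE.get(method)
    if needed is None:
        return False  # unknown method: deny by default
    return needed in claims.get("scope", "").split()


if __name__ == "__main__":
    t = mint_jwt({"sub": "alice", "aud": "orders-service", "scope": "orders:read",
                  "exp": int(time.time()) + 300})
    print(authorize(t, "GET"), authorize(t, "POST"))  # True False
```

Three details matter in practice: the signature is compared in constant time, the accepted algorithm is decided by the verifier and never read from the token, and the `aud` claim is checked so a token minted for one back end is not accepted by another.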

Page 15: Sharing Best Practices and Recommendations from the Integration Battlefield

What are Claims?

• Claims are a set of attributes about a user, mapped to the underlying user store.
• A named set of claims is called a dialect (WSO2 terminology)

Page 16: Sharing Best Practices and Recommendations from the Integration Battlefield

Deployment

Page 17: Sharing Best Practices and Recommendations from the Integration Battlefield

Gateway vs. ESB

• Oh, but I already have an ESB! Why do I need a gateway?
• API Gateway vs. Mediation Layer (ESB)
  • Gateway = light ESB?
• Think of ESB as an architecture pattern, not a product!

Page 18: Sharing Best Practices and Recommendations from the Integration Battlefield

Generic Facade Pattern

• Pros
  • No additional hop in the network
  • Single server to be managed
  • More suited for internal deployments
• Cons
  • Complexity of integration at the edge of the network
  • API management layer can't really scale independently
  • Not appropriate for DMZ deployments (direct access to backend services)

Page 19: Sharing Best Practices and Recommendations from the Integration Battlefield

Separated Facade & Mediation

• API Gateway layer acts as a simple reverse proxy, enforcing basic policies
• Clear separation of concerns between layers
• Mediation layer and API management layer scale independently
• Specific security checks/protection at the edge of the network
• Provides protocol transformation to the edge of the network

Page 20: Sharing Best Practices and Recommendations from the Integration Battlefield

Specific WSO2 Solution

• Our API gateway is actually a full-blown ESB under the hood, constrained at UI level.
• You can install the missing ESB features on top of API Manager and combine both architecture layers into a single runtime!
• Makes the choice a deployment one.

Page 21: Sharing Best Practices and Recommendations from the Integration Battlefield

Typical Deployment

Page 22: Sharing Best Practices and Recommendations from the Integration Battlefield

User Stores

• Separate admins / corporate users from the developer user store (accounts created via self-sign-up), so that an account anyone can register never lives in the same directory as privileged ones

Page 23: Sharing Best Practices and Recommendations from the Integration Battlefield

You can't manage what you can't measure.

Page 24: Sharing Best Practices and Recommendations from the Integration Battlefield

Why are Analytics and API Management important together?

• Build confidence in the API model
• Understand your customer
  • Not just the developer but also the end-user
• Help manage services and versions
  • Understand when deprecated services can be retired
• Plan better
  • Monitor the growth of aggregated API traffic
  • Monitor the growth of specific apps
• Even if you're not going to put analytics in place, make sure you capture all events right from the beginning of the project.

Page 25: Sharing Best Practices and Recommendations from the Integration Battlefield

Analytics 101: Aggregation

• How to collect data efficiently
• How to store data effectively
• Choose which data to capture

Page 26: Sharing Best Practices and Recommendations from the Integration Battlefield

Analytics 101: Analysis

• Data operations
• Defining KPIs and analytics
• Operating on large amounts of historical or current data
• Creating intelligence

Page 27: Sharing Best Practices and Recommendations from the Integration Battlefield

Analytics 101: Presentation

• Visualization
• Dashboards
• Reports

Page 28: Sharing Best Practices and Recommendations from the Integration Battlefield

Monitor and Analyze

• Take decisions in real time through Complex Event Processing
• Create dashboards for both technical and business monitoring

Page 29: Sharing Best Practices and Recommendations from the Integration Battlefield

Detecting Usage Patterns

• My API customer is trying to steal my business: let's block them.
• A customer is at 80% of their API plan: let's warn them
• A customer is systematically at 120% of their plan: propose an upgrade to the premium plan
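The three patterns on this slide as detection logic over a constructed event set (an added example, not WSO2 code): a scraping heuristic that blocks an application walking the resource ID space, a warning at 80% of plan, and an upgrade proposal when an application exceeds 120% of its plan in two consecutive billing periods. Plans, applications, thresholds and the events themselves are all made up for the example.

```python
"""Usage-pattern detection over gateway events, as on the slide:
block a scraper, warn at 80% of plan, propose an upgrade at a sustained 120%.

Added example, not WSO2 code. The plans, applications, thresholds and the
event log are constructed in-line so the block runs offline.
"""
from collections import defaultdict

# Constructed plan quotas: requests per billing period.
PLANS = {"Bronze": 1000, "Silver": 5000}
APP_PLAN = {"mobile-app": "Bronze", "partner-x": "Silver", "scraper": "Bronze"}

# Constructed event log: (period, app, resource_path). Real gateway events would
# also carry timestamp, user, API version, status and latency.
EVENTS = (
    [("2014-11", "mobile-app", "/orders/%d" % (i % 7)) for i in range(850)]
    + [("2014-11", "partner-x", "/orders/%d" % (i % 9)) for i in range(6100)]
    + [("2014-10", "partner-x", "/orders/%d" % (i % 9)) for i in range(6200)]
    + [("2014-11", "scraper", "/orders/%d" % i) for i in range(900)]
)


def usage_by_period(events):
    """-> {(period, app): [resource_path, ...]}"""
    out = defaultdict(list)
    for period, app, path in events:
        out[(period, app)].append(path)
    return out


def looks_like_scraping(paths, min_calls=500, distinct_ratio=0.9):
    """Heuristic: a legitimate client re-reads the same few resources; a
    scraper walks the ID space, so nearly every call hits a new path."""
    if len(paths) < min_calls:
        return False
    return len(set(paths)) / len(paths) >= distinct_ratio


def decide(events, current_period, history=2):
    """Return {app: action} for current_period.

    Actions: 'block', 'upgrade', 'warn' or 'ok'. 'upgrade' requires >= 120%
    of plan in each of the last `history` periods (the "systematically" case).
    """
    usage = usage_by_period(events)
    periods = sorted({p for p, _ in usage})
    recent = [p for p in periods if p <= current_period][-history:]
    actions = {}
    for app, plan in APP_PLAN.items():
        quota = PLANS[plan]
        paths = usage.get((current_period, app), [])
        ratio = len(paths) / quota
        if looks_like_scraping(paths):
            actions[app] = "block"
        elif len(recent) == history and all(
                len(usage.get((p, app), [])) / quota >= 1.2 for p in recent):
            actions[app] = "upgrade"
        elif ratio >= 0.8:
            actions[app] = "warn"
        else:
            actions[app] = "ok"
    return actions


if __name__ == "__main__":
    for app, action in sorted(decide(EVENTS, "2014-11").items()):
        print(app, action)
```

The scraping check runs before the quota checks on purpose: an abusive client that happens to stay under its plan is still blocked, whereas a heavy but legitimate partner is offered an upgrade rather than cut off.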

Page 30: Sharing Best Practices and Recommendations from the Integration Battlefield

Demo

Page 31: Sharing Best Practices and Recommendations from the Integration Battlefield

Demo Setup

Page 32: Sharing Best Practices and Recommendations from the Integration Battlefield

References

• Building an ecosystem for API Security (White Paper)
  • http://wso2.com/whitepapers/wso2-whitepaper-building-an-ecosystem-for-api-security/
• API Facade Pattern (Webinar)
  • http://wso2.com/library/webinars/2014/01/implementing-api-facade-using-wso2-api-management-platform/
• API Management: missing link for SOA
  • http://sanjiva.weerawarana.org/2012/08/api-management-missing-link-for-soa.html
• Promoting Service Reuse
  • http://wso2.com/whitepapers/promoting-service-reuse-within-your-enterprise-and-maximizing-soa-success/

Page 33: Sharing Best Practices and Recommendations from the Integration Battlefield

Download API Manager today!

• http://wso2.com/products/api-manager/
