The Harmony API Manager provides multiple settings to apply the desired level of security for each API (URL). Each setting is independent. Using a combination of independent settings allows the user to create specific levels of security for specific use cases.
1. Any API is anonymous and publicly accessible by default at the time it is created.
- At the API level, under Authentication, you can assign a profile to the API that specifies the method for authentication. If you do not assign a profile, the API authentication is set to anonymous by default, and anyone can access the API. Note that security profiles do get cached on the gateway, so changes to an already active API could take several minutes to take effect.
2. Multiple Profiles Assigned to an API
- At the API level, in the Authentication section, you can assign multiple profiles with different methods of authentication and/or different security options.
- A profile covers the needs of a particular user, the members of a particular role or a group of roles, as well as application level security.
- Multiple profiles within the same environment can be assigned to one API.
3. Multiple Profiles Available to an Environment
- A profile is only valid in the one environment it was set up in.
- Multiple profiles can be set up within an environment with different methods of authentication and different security options.
- A profile can be assigned to a single API or to multiple APIs that are set up within the same environment.
Only projects and operations deployed within the same environment as the desired API (URL) will be available to create the API.
Assume the classic configuration of one Development environment and one Production environment.
- Each API and each profile required are created within the Development environment with the URL for each API referencing the Development environment. This collection of APIs and profiles will be used during the development and testing processes. The Accounting and Finance profiles are both assigned to 2 of the APIs. Only the Finance profile is assigned to 1 of the APIs. Only the Operations profile is assigned to 7 of the APIs.
- Once testing is completed in the Development environment, the projects and operations are deployed into the Production environment. Each required API (10 APIs) and each required profile (3 profiles) will then need to be created within the Production environment. The name of each API and each profile can be the same as the collection in the Development environment for continuity and cross reference (as well as the versioning). However, the URL for each API will reference the Production environment, and will be a distinct and separate URL from the representative API in the Development environment. The Accounting and Finance profiles will need to be assigned to the 2 specific APIs in the Production environment and the Finance profile will also need to be assigned to one additional specific API. Only the Operations profile will need to be assigned to the remaining 7 APIs in the Production environment..
4. Profile Authentication
- Profiles can be set for Anonymous, Basic Authentication (standard Login/Password), or OAuth 2.0 (OAuth 2.0 is available for Google only at this time).
- Anonymous Authentication:
- This option allows for access by anyone, however, additional security options are available under Logging, Rate Limits and Trusted IP Ranges sections to limit such access.
- Basic Authentication:
- This option allows a username and password to be set up within the profile. The same username and password must be entered to access the API at runtime. Additional security options are available under Logging, Rate Limits and Trusted IP Ranges.
- If you need additional information on how to use HTTP header information or Basic Authentication, please refer to https://en.wikipedia.org/wiki/Basic_access_authentication.
- OAuth 2.0 for Google
- This option requires the OAuth 2.0 Identity Provider credentials to be validated to access the API at runtime.
- Google requires a Client ID and a Client Secret to be set up within the profile. The redirect URL configured within the profile must also be copied into the credentials in Google.
5. Logging/Auditing at Profile Level
- For every hit on the API, the profile used to access the API is recorded in a log. The log is available to view through API Analytics.
- This option records every hit as Anonymous in the log if the profile is set to Anonymous authentication.
- This option records every hit in the log as the Username required by the profile, if the profile is set to Basic authentication. If the user fails to provide proper credentials, but Anonymous access was also enabled on the API, then Anonymous will be entered into the log.
- Custom Request Header: To override the logging behavior above and audit using a value from the request header (i.e. in the case of a single application key being used), you can enter the name of the field the value of which will be recorded in the log.
6. Rate Limiting at Profile Level
By default, the profile may access the API up to the org allowance for hits across all APIs within a minute. If the org allowance is 10 hits per minute, only 10 hits within a minute will be allowed across all APIs.
Rate limiting is enabled by checking the box in the Rate Limits section of the profile and selecting a number of hits in the List Box. This limit is per profile, not per org or API.
- Rate Limiting enforces a maximum number of hits this particular profile can make against all assigned APIs during a period of one minute.
- When enabled, the system does additional checks on every hit (a request to a valid URL) in order to reject calls over the limit you have set. As such, all calls for this user will sustain additional performance overhead and the user may experience an increased number of rejects.
- Once the limit
- Note that attempts against invalid URLs (i.e. Error 404) are not counted against any of the limits and allowances.
The org allowance is 10 hits per minute. If the org has 10 APIs and each API receives 1 hit within a minute, the limit has been reached and additional hits to any API within the minute will be rejected.
The org allowance is 10 hits per minute. If the org has 10 APIs and one API receives 10 hits within a minute, the limit has been reached and additional hits to any API within the minute will be rejected.
- The org allowance is 10 hits per minute. The org has 10 APIs. An authentication profile assigned to 1 API limits the number of hits to 5 per minute. If this API is accessed through that profile 5 times within the minute, any additional access to the API through that profile will be rejected. Only 5 hits are available across all of the remaining 9 APIs. If 5 of the remaining APIs receive 1 hit each, all 10 of the hits have been used and additional hits to any of the APIs within the minute will be rejected.
- The org allowance takes precedence over any limit set within a profile. The org allowance is 10 hits per minute. The org has 10 APIs. An authentication profile assigned to 1 API limits the number of hits to 5 per minute. If this API is accessed through that profile 2 times within the minute and 8 of the remaining APIs receive 1 hit each, all 10 of the hits have been used. Any additional hits to any of the APIs within the minute will be rejected.
7. IP Range Restriction at Profile Level
- By default, the API and/or profile do not limit access to any set range of IP addresses.
- Access can be set to only a single IP or a range of IP addresses in the Trusted IP Ranges section of the profile.
- Select the radio button labeled “Trust requests only from the following IP ranges, block all others”.
- Enter the Start IP Address and End IP Address in the appropriate boxes.
- Click the “+ Add IP Range” link to add an additional range of IP addresses. Continue until all desired ranges have been set up.
- If a user tries to access your API via a profile that is limited to certain IP ranges, their IP will be checked against the allowed range(s). Access from any IP that is outside of the range(s) set up will be rejected.
8. Optional SSL Only Mode at the API Level
- By default every API supports both HTTP and HTTPS transfer.
- You can forward HTTP traffic to ensure all communication is encrypted by enabling SSL Only (click the checkbox) in the Settings section of the API.
- The identity of the HTTPS URL is verified by Symantec Class 3 Secure Server SHA256 SSL CA.
- The connection to the HTTPS URL is encrypted with modern cryptography (TLS 1.2 encryption, the connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism).
Last updated: Oct 05, 2018