WSO2 API Manager 2.0 - Overview

Date post: 08-Jan-2017
Upload: edgar-silva
Page 1: WSO2 API Manager 2.0 - Overview

WSO2 API Manager 2.0.0 Overview

Agenda

o Introduction

o Creating APIs

o Protecting APIs

o API Lifecycles

o Developer Portal

o Testing APIs

o API Gateway

o Deployment

o API Analytics

Introduction

APIs for Business Innovation

o API - Business capability offered via a digital channel

o Open internally and/or externally

o Monitored

o In some cases, monetized

o Fuel for rapid innovation, development of new apps

Image: thinkpublic/photopin cc

API Management Platform

WSO2 API Manager

o The only complete, 100% open source API Management solution

o A cleanly integrated system supporting API publishing, lifecycle management, developer portal, access control and analytics

o Backed by high performance gateway

o A single node supports more than 100 million requests/day

o eBay handles up to 4.6 billion requests per day at peak times (Cyber Monday)

WSO2 API Manager cont.

o Includes Social enablement such as ratings and tagging

o Supports single sign-on with Facebook, GoogleApps, etc.

o Named a Strong Performer in this space by Forrester in 2014 and 2015

o Best API Design across all vendors

o Best Solution Cost for on-premise solution

o Extremely Satisfied customers

o Available on-premise, as managed deployment and as SaaS application (API Cloud)

Competitive Advantage

o API Management is part of a complete platform

o Integration

o Security (Identity Management, Federated Identity)

o API Analytics

o Open Architecture

o Custom security tokens and grant types

o Custom store/developer’s portal user interface

o Custom user’s repositories

o Custom transports to back-end

o Available on-premise, as managed offering, as SaaS offering - Same code everywhere

Competitive Advantage cont.

o Scalable Architecture

o Each component (Gateway, Dev Portal, Admin Portal, Key Server) can be deployed and scaled separately

o Over 5000 TPS for a single node

o Business Model

o Subscriptions only for production systems - Makes cost very competitive

o Pricing is adapted to small, medium and enterprise customers

o Cost linked to instances, not to machine power

o No community vs. enterprise distinction

Typical Use Cases

o Expose APIs for internal consumption

o Manage APIs used in internal applications

o Internal Monetization

o Control Access to Cloud Services - Manage and secure access from internal applications to cloud services (e.g. SalesForce and Google Apps)

o APIs for public consumption

o Extend your business through APIs

o Integrate with partners and customers

API Manager Components

Creating APIs

Getting Started

o For REST - Start from existing API definition (Swagger 2.0) or start from scratch

o For SOAP - Start from WSDL and generate default mapping and definition

REST API Editing

o Basic editor to create the API structure

REST API Editing cont.

o Swagger editor (YAML-based) for advanced editing, configuration, etc.

API Documentation

Protecting APIs

API Access Tokens

o OAuth2 standard compliant

o Supports multiple Grant Types

    o SAML, IWA/NTLM

    o Client credentials, Implicit, Password

o Pre-generated Access Token - Mostly used for testing

o On-demand Access Token - Generated via API call to the Gateway, using any of the supported Grant Types

o Tokens can be refreshed/revoked via API calls as well

Pluggable OAuth Authorization Server

o OAuth token management is by default done with WSO2’s Key Server (based on WSO2’s Identity Server)

o Can be replaced by third-party authorization server, capable of creating, refreshing, validating, revoking OAuth tokens

Limiting Access to API Resources

o Achieved through OAuth scopes - Scope defines what can be accessed by a token

o How to request a token

grant_type=password&username=john&password=john123&scope=news_read news_write

Throttling & Rate Limiting

o Throttling

    o Regulates API traffic

    o Makes APIs and applications available to consumers at different service levels

    o Secures APIs against security attacks (e.g. DoS attacks)

o Throttling is controlled through tier-based policies - A tier is defined by a time duration and a maximum number of requests during that duration

o Tiers can be applied at application, API and API resource levels
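
Added example (not from the original slides, and not WSO2 code): a fixed-window throttler in which each tier is a time duration plus a maximum number of requests, checked at both the application and the API resource level. The tier names, keys and the `Throttler` class are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tier:
    name: str
    max_requests: int    # maximum number of requests ...
    duration_s: int      # ... allowed within this time duration (seconds)

class Throttler:
    """Fixed-window counters, one per (level, key) pair."""

    def __init__(self):
        self._windows = {}   # (level, key) -> (window_start, requests_counted)

    def allow(self, policies, now):
        """policies: [(level, key, Tier)]. Returns (allowed, level_that_throttled)."""
        pending = {}
        for level, key, tier in policies:
            start, count = self._windows.get((level, key), (now, 0))
            if now - start >= tier.duration_s:   # window expired: start a new one
                start, count = now, 0
            if count >= tier.max_requests:
                return False, level
            pending[(level, key)] = (start, count + 1)
        # Commit only when every level passed, so a throttled call burns no quota.
        self._windows.update(pending)
        return True, None

# Constructed tiers and keys; the names are illustrative, not WSO2 defaults.
APP_TIER = Tier("app-10-per-min", 10, 60)
RESOURCE_TIER = Tier("resource-2-per-min", 2, 60)

def simulate(timestamps):
    """Replay calls by one application to one API resource at the given times."""
    throttler = Throttler()
    policies = [("application", "news-app", APP_TIER),
                ("resource", "GET /news/latest", RESOURCE_TIER)]
    return [throttler.allow(policies, t) for t in timestamps]

if __name__ == "__main__":
    for t, decision in zip([0, 1, 2, 60], simulate([0, 1, 2, 60])):
        print(t, decision)
```

The third call is refused by the resource-level tier even though the application tier still has quota, and the call at t=60 is accepted because a new window has started.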

Throttling & Rate Limiting cont.

o At subscription time, API users can choose tiers they can subscribe to - This default behavior can be overridden through usage of workflows

o Throttling policies encompass:

    o Standard usage quotas of total subscriptions and resources

    o Rate limiting based on complex, extensible and dynamic rules, scenarios and events

o Complex throttling policies (with transport headers, IP addresses, etc.) can be created on the fly

o Facilitates blacklisting users/applications abusing rate limits

Throttling & Rate Limiting cont.

JWT Token Creation

o Using JSON Web Tokens (JWT)

    o Lightweight

    o Can be signed

    o Easy to parse and consume

    o Standard

o JWT Structure {token info}.{claims list}.{signature}

o Base-64 or Base64 URL Encoded

o Contents of JWT are configurable
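
Added example (not from the original slides, and not WSO2 code): how a backend that receives such a JWT can split the `{token info}.{claims list}.{signature}` structure, decode the Base64 URL segments and refuse a token whose signature does not match. The slides do not name a signing algorithm; HS256 with a shared key is an assumption chosen so the example runs with the standard library only, and the claim names and key are constructed.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(segment):
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_jwt(claims, key):
    """Build a constructed HS256 token so the example runs offline."""
    parts = [{"typ": "JWT", "alg": "HS256"}, claims]
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_jwt(token, key):
    """Return the claims only if structure, algorithm and signature all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected {token info}.{claims list}.{signature}")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm on the consumer side; an unsigned ("none") token is refused.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected or missing alg")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(parts[1]))

def with_changed_claims(token, **changes):
    """Constructed test input: claims edited in transit, signature left as it was."""
    head, body, sig = token.split(".")
    claims = dict(json.loads(b64url_decode(body)), **changes)
    return ".".join([head, b64url_encode(json.dumps(claims).encode()), sig])

KEY = b"constructed-demo-key"  # assumption: shared HMAC key, not a WSO2 default
TOKEN = make_jwt({"sub": "john", "application": "news-app", "tier": "Gold"}, KEY)

if __name__ == "__main__":
    print(verify_jwt(TOKEN, KEY))
    try:
        verify_jwt(with_changed_claims(TOKEN, tier="Unlimited"), KEY)
    except ValueError as err:
        print("rejected:", err)
```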

API Lifecycles

API Lifecycle Management

o Create new APIs from existing versions

o Deploy multiple versions in parallel

o Deprecate versions to remove them from store

o Retire them to un-deploy from gateway

o Keeps audit of lifecycle changes

o Supports custom lifecycles leveraging WSO2 Governance Registry

Developer Portal

Discover APIs

o Users can search APIs by name, provider, version number, context, description, meta-data from docs, etc.

o Tags to easily find all APIs related to the same domain

o Notifications on new API versions

Social Features

o Share with fellow developers via social media or mail

o Embed API link into blogs, Tweets, etc.

Forums

o Rich editor embedded within interface

o Forums are searchable and indexed

Customization

o All API store functionality available through REST API

o Customization through CSS, HTML5, JavaScript

Monetization

o Configurable payment schemes to monetize API usage

o Monetization rules are associated to Tiers

o Supports Free, Paid, Freemium models

o Usually coupled with 3rd party invoice/payment plans software (such as Zuora)

Testing APIs

Embedded API Console

o Part of Swagger tooling suite

o Integrates token access for fast testing

o Gives direct access to Swagger definition of API

o Supports Swagger schemas for predefined values

Testing via ReadyAPI’s SOAP UI

API Gateway

API Gateway Processing Workflow

Message Transformation and Mediation

o Custom mediation flows can be created by a developer and just engaged by API Creator

o Mediation flows can be created using Developer Studio and directly published to API Manager

    o Full power of WSO2 ESB mediation language

    o Graphical and Source view

o Mediation flows are tenant-specific (not visible/usable across tenants)

Workflows

o Provides extension point to engage custom workflow

    o Default sample implementation leverages WSO2 Business Process Server but a simple Java-based implementation or another BPM engine can also be used

o Supports redirecting to third-party entities

o Available for user self-sign up, API subscription and application creation

Deployment

Component Deployment

o Out-of-the-box, all components are packaged together

o They can also be deployed separately in an HA scenario - Active/Active, Active/Passive

Component Deployment cont.

Multi-tenancy

o Creation of multiple domains (tenants)

o Each domain can have its own store or publish APIs to a central store - This is transparent to consumers

o Typical Use Cases

o Segmenting publishers by business unit or partner and restricting editing rights by domain

o Create an API marketplace - one-stop store for domain APIs

o API Cloud heavily leverages this functionality

Recommended Deployment: API Facade Pattern

o API Gateway acts as simple reverse proxy, enforcing policies and collecting monitoring information

o Specific security checks/protection at edge of the network

o Invalid requests are stopped at the edge of the network

o Clear separation of concern between layers

o The mediation and API management layers scale independently

o You can combine the Façade and Mediation layers (if required) and run as a single architecture layer

WSO2 Platform Deployment Options

o Stand-alone servers

o Private clouds: e.g. Stratos, Kubernetes

o Public Clouds: e.g. AWS

o Hybrid deployments

o Dedicated hosting of any WSO2-based solutions

o WSO2 operations team is managing the deployment and keeps it running

o 99.99% uptime SLA

o Any AWS region of choice

o Can be VPNed to local network

o Includes monitoring, backups, patching, updates

o Shared public cloud

o Currently available for application and API hosting (hosted API Manager and App Factory)

o Preset multitenant deployment in AWS US East run by WSO2

o Month-to-month credit card payment

API Analytics

Analytics

o WSO2 API Manager out-of-the-box supports Google Analytics and WSO2 Analytics

Importance of API Management & Analytics Combination

o Build confidence in the API model

o Understand your customer - Not just the developer but also the end-user of APIs

o Helps manage services and versions - Understand when deprecated services can be retired

o Be notified when abnormal events take place

o Plan better

o Monitor the growth of aggregated API traffic

o Monitor the growth of specific apps

WSO2 Analytics Platform

WSO2 Analytics Platform cont.

o Out-of-the-box reports covering all aspects of

o Subscriber behavior

o API usage

o Performance

o Can publish your own events from any API and build your own dashboards

Reports for API Creators & Publishers

o Stats on APIs

    o Published APIs Over Time

    o API Usage

    o API Response Times

    o API Last Access Times

    o Usage by Resource Path

    o Usage by Destination

    o API Usage Comparison

    o API Throttled Requests

    o Faulty Invocations

    o API Latency

    o API Usage Across Geo Locations

    o API Usage Across User Agent

o Stats on Applications

    o App Throttled Requests

    o Applications Created Over Time

o Stats on Subscriptions

    o API Subscriptions

    o Developer Signups Over Time

    o Subscriptions Created Over Time

Reports for API Creators & Publishers cont.

Reports for API Subscribers

o API Usage per Application

o Top Users per Application

o API Usage from Resource Path per Application

o Faulty Invocation per Application

Real-time API Behavior Analysis

o Leverages real-time analytics streaming engine

    o Detects fraudulent token usage - Indication of lost tokens via alerts on abnormal token renewals and unseen source IP access (abrupt changes to geo-location)

o Supports API product managers to provide better customer service

    o Alerts when API response time is outside normal parameters, indicating a potential SLA breach

    o Alerts when apps/users are throttled out for hitting the current subscription tier - potential opportunity to proactively propose a tier upgrade or to adjust SLAs

o Detect when APIs are not used as expected

o Identifies erratic behavior and supports capacity planning

    o Alerts when a sudden spike/drop in the request count in a given duration for an API resource - Possible indication of a system problem

    o Determining trends in increased response times - Indication of potential issues with APIs or backend system capacity
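
Added example (not from the original slides, and not WSO2 Analytics code): the two lost-token signals named above, abnormal token renewals and access from an unseen source IP, evaluated over a stream of gateway events. The event layout, thresholds and sample events are constructed; matching on the raw source IP stands in for the geo-location comparison the slide mentions.

```python
from collections import defaultdict, deque

# Constructed gateway events: (epoch_seconds, application, event, source_ip).
# IPs come from documentation ranges; the field layout is an assumption.
EVENTS = [
    (0,   "news-app",    "access", "198.51.100.7"),
    (30,  "news-app",    "access", "198.51.100.7"),
    (60,  "news-app",    "renew",  "198.51.100.7"),
    (90,  "news-app",    "access", "203.0.113.50"),  # new source for this app
    (95,  "weather-app", "access", "192.0.2.10"),    # first sighting: baseline only
    (100, "news-app",    "renew",  "203.0.113.50"),
    (110, "news-app",    "renew",  "203.0.113.50"),
    (120, "news-app",    "renew",  "203.0.113.50"),  # 4th renewal inside the window
]

def detect(events, max_renewals=3, window_s=300):
    """Return alerts for unseen source IPs and bursts of token renewals."""
    known_ips = defaultdict(set)     # application -> source IPs seen so far
    renewals = defaultdict(deque)    # application -> recent renewal timestamps
    alerts = []
    for ts, app, event, ip in sorted(events):
        seen = known_ips[app]
        # The first IP per application only seeds the baseline (a simplification).
        if seen and ip not in seen:
            alerts.append((ts, app, "unseen_source_ip", ip))
        seen.add(ip)
        if event == "renew":
            recent = renewals[app]
            recent.append(ts)
            while ts - recent[0] > window_s:   # slide the window forward
                recent.popleft()
            if len(recent) > max_renewals:
                alerts.append((ts, app, "abnormal_renewals", len(recent)))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```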

Why Real-time Analytics for APIs?

o Blacklist & whitelist verifications in real time

o Detect trends

o Detect incoherencies in trends

o Detect API call sequences that you don’t want to allow

o Detect non-usage scenarios (raise alerts on poor usage of a certain API)

Example – Real-time Fraud Detection

Log Analysis

o Log Analysis through reports on low-level system operations:

    o Log events - Overall statistics of the types of log events created in a given time period

    o Application errors - Breakdown of error log events based on exception category and error message

    o Artifact deployment stats - Number of artifacts deployed in a given duration

    o Login failures - Number of failed login attempts in a given duration

    o Number of API failures

    o Access token-related issues

o Ability to view live log events on per-tenant basis

