search

Building a Secure Service With IBM API Management on IBM Bluemix


Developing secure APIs with IBM API Management and IBM Bluemix is really simple and in this blog post I will provide an overview of the key steps you need to follow to get your secure APIs published in a custom catalog on Bluemix for other developers to use.

Creating APIs with IBM API Management eliminates many of the mundane tasks associated with creating APIs. For example, with IBM API Management you can finely manage who can subscribe to and view your APIs without having to write any of this code yourself. IBM API Management also provides automatic metering, analytics and versioning control so you can easily see how your APIs are being used without you having to create specialized code yourself.

One of the big benefits to using IBM API Management involves security and access control. Prior to IBM API Management developers often had to implement their own security and access control mechanisms for their APIs. With IBM API Management you don’t need to worry about doing this as IBM API Management takes care of all those details. You only need to focus on developing the API.

In this blog post I am going to explain how to secure and expose APIs from a Bluemix application via IBM API Management.  To do this we will use an existing application called Stock Quotes. You can find the source code to the application in the Stock Quotes project out on IBM DevOps Services. The Stock Quotes application contains a number of APIs that are used to get stock symbols, stock quotes, and company news. I will be walking you through the general process of making APIs available using IBM API Management and if you want to  you can go ahead and fork the project and try out all of the APIs and publish them to your own custom catalog on Bluemix.

The Stock Quotes application uses other Bluemix services: AlchemyAPI, MongoLabs, and IBM Insights for Twitter. So be sure to bind these services when you deploy the application on Bluemix. Additionally, the Stock Quotes application requires that you establish a Mongo database with all the companies and corresponding stock symbols that you wish to be able to lookup. Be sure to read through the project description to understand the requirements and necessary configuration for using the Stock Quotes application, see README.md.

  1. Create Basic authentication credentials for accessing your APIs. We will use these credentials to establish a secure connection from IBM API Management to the internal implementation of the APIs. These credentials will not be given out to end-users. IBM API Management will automatically generate end-user credentials for you as developers bind your APIs to their applications.
  2. Make sure to set the SERVICE_ID and SERVICE_SECRET environment variables with the Basic authentication values you generated. In each service we will check to make sure that the credentials are valid. For example, this code fragment shows a check to make sure that the header contains the correct credentials.

    Checking the basic authentication credentials

    Checking Basic Authentication Credentials

  3. To make our service secure we will reject calls over HTTP and only allow calls over HTTPS. For example, this code fragment shows HTTP calls being redirected to HTTPS.

    Redirect HTTP calls to HTTPS

    Redirecting HTTP Call to HTTPS

  4. Publish the application to Bluemix.
  5. From the Bluemix service catalog create an instance of IBM API Management.
  6. Launch the IBM API Management dashboard.
  7. Create an API Plan for the services you will expose. For example, you could create a Basic Plan for accessing your services.

    IBM API Management Plan Definition

    IBM API Management Plan Definition

  8. Configure a route to your API, the version, and type of security for accessing your API. As I said earlier IBM API Management will take care of generating credentials to access your services. By default IBM API Management will use client id for security. You can go ahead and change the default settings to include client id and client secret if you wish to have a greater level of security.

    API Security Settings

    API Security Settings

  9. Define the API access method, request parameters, and response for your API. For example, this API uses the GET method and has one required parameter.

    Defining the API Method

    Defining the API Method

  10. Connect the public API route to your internal secure API. In this example we are going to use the compose option from IBM API Management to connect to one of the APIs in the Stock Quotes application. The key point to remember is that you need to fill in the Basic authentication credentials that you generated earlier and make sure the connection is using HTTPS.

    Secure API Connection

    Secure API Connection

  11. Map the input request parameters from the public API that you are exposing to the request parameters of the internal implementation in the Stock Quotes application. For example, I am mapping the symbols parameter from the public API to my internal implementation that will handle the request.

    Mapping API Request Parameters

    Mapping API Request Parameters

  12. Map the internal API response to the public API. With IBM API Management you can select which elements to return from your internal API implementation to the public API. For example, I can select a subset of elements to return.

    Mapping API Response

    Mapping API Response

  13. To start the process of making your API available to others you need to add the API to the plan you created earlier. For example, here I am adding the stock news API to my plan.

    Adding the API to a Plan

    Adding the API to a Plan

  14. The last step in getting your APIs exposed is to publish and stage your plan by selecting your subscribers and publishing the plan. For example, here I am selecting a few Bluemix organizations that I wish to expose my APIs to.

    Exposing and Publishing Your APIs

    Exposing and Publishing Your APIs

After you have published your APIs you can find them under the Custom APIs category. For example, here you can see all the Stock Quotes APIs that users can select and bind to their applications. When a developer binds one of your APIs to their application the credentials for accessing the API will be automatically generated by IBM API Management and will be accessible from the VCAP environment variable.

Custom APIs in the Bluemix Catalog.

Custom APIs in the Bluemix Catalog

I hope this short post helps you get going with creating your own APIs on Bluemix using IBM API Management.

  1. […] to a Bluemix organization. For more details on how to do that you can see my earlier blog post on building secure APIs on Bluemix. The important thing to remember about connecting your public API on IBM API Management […]

  2. very nice blogs!!! i have to learning for lot of information for this sites…Sharing for wonderful information. Thanks for sharing this valuable information to our vision. You have posted a trust worthy blog keep sharing

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

close
search
Latest Tweets

Hi, guest!

settings

menu