Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Oracle API Gateway Damien McAullay Oracle Fusion Middleware October 2014

API Gateway - OFM Canberra October 2014


DESCRIPTION

Slides from the October Oracle Middleware Forum held in Canberra, Australia. Covers API Gateway and how it can be used in an organisation. For more information, check out our blog at http://ofmcanberra.wordpress.com


Page 1: API Gateway - OFM Canberra October 2014


Oracle API Gateway

Damien McAullay
Oracle Fusion Middleware
October 2014

Page 2: API Gateway - OFM Canberra October 2014


Defining APIs …

• APIs are the face of enterprise applications and processes
• From the API consumers' perspective, the APIs are the applications
• Organizations can use different APIs to create optimized applications for customers, partners & employees
• It is imperative that organizations apply the same rigor to API lifecycle management as they do to application lifecycle management

Page 3: API Gateway - OFM Canberra October 2014


What is an API Gateway or API Management?

• Every API requires a supporting infrastructure to make sure it is properly managed, delivered & secured

• OAG provides an enterprise platform for API delivery, removing the need for API owners to repeatedly build one-off supporting infrastructure

• APIs enable enterprises to deliver business services via cloud, mobile or partner channels

Page 4: API Gateway - OFM Canberra October 2014


Oracle API Gateway – What/How?

• API transformation and protocol switch
• API control & runtime governance
• API scalability and reliability
• API security – AAA and threat mitigation
• API monitoring – routing and throttling
• API development lifecycle
• API administration

Page 5: API Gateway - OFM Canberra October 2014


Fine Grained AuthZ and Data Redaction

[Diagram: a legacy patient record application whose responses are redacted per client. Component labels: Oracle API Gateway, Entitlements Server, PEP, PDP. Clients: Help desk, Doctor, Accounting.]

Existing API returns:
• Name & Contact Info
• SSN
• Physician Info
• Existing Conditions
• Prescriptions
• Health Records
• Insurance
• Payment History

Responses shown:
• Response: Name & Contact Info, Masked SSN, Primary Physician, Insurance
• Response: Name & Contact Info, Masked SSN, Primary Physician, Insurance, Payment History
• Response: Name & Contact Info, Primary Physician, Health History
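An added example (not from the slides and not Oracle product code) of the pattern this slide depicts: a gateway-side enforcement point (PEP) asks a decision point (PDP) which fields a role may see, then builds the response from that allow-list. The role-to-field mapping, field names, masking format and sample record are assumptions read off the diagram labels.

```python
# Added illustration, not Oracle code. Role-to-field mapping, field names and
# the sample record are assumptions read off the slide's diagram.

LEGACY_RECORD = {  # constructed sample of the full legacy API response
    "name_contact": "Jane Citizen, 02 5550 0100",
    "ssn": "000-12-3456",
    "physician_info": "Dr A. Example",
    "existing_conditions": "asthma",
    "prescriptions": "salbutamol",
    "health_records": "2014-03 annual check",
    "insurance": "policy 0001",
    "payment_history": "2014-09 paid",
}

# PDP policy: allow-list of field -> treatment. Absent field or role = deny.
POLICY = {
    "helpdesk": {"name_contact": "clear", "ssn": "mask",
                 "physician_info": "clear", "insurance": "clear"},
    "accounting": {"name_contact": "clear", "ssn": "mask",
                   "physician_info": "clear", "insurance": "clear",
                   "payment_history": "clear"},
    "doctor": {"name_contact": "clear", "physician_info": "clear",
               "health_records": "clear"},
}


def pdp_decide(role):
    """Policy decision point: field treatments for a role (default deny)."""
    return dict(POLICY.get(role, {}))


def mask_ssn(ssn):
    """Mask all but the last four digits (the masking format is an assumption)."""
    digits = [c for c in ssn if c.isdigit()]
    return "***-**-" + "".join(digits[-4:])


def pep_redact(role, record):
    """Policy enforcement point: build the response from the allow-list only,
    so fields the backend adds later are never passed through by accident."""
    redacted = {}
    for field, treatment in pdp_decide(role).items():
        if field in record:
            value = record[field]
            redacted[field] = mask_ssn(value) if treatment == "mask" else value
    return redacted


if __name__ == "__main__":
    for role in ("helpdesk", "accounting", "doctor", "contractor"):
        print(role, pep_redact(role, LEGACY_RECORD))
```

Building the response from an allow-list rather than deleting known-sensitive fields means an unknown role, or a field newly added by the legacy application, yields nothing by default.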

Page 6: API Gateway - OFM Canberra October 2014


Client Oriented Requests & Throttling

• Client-based policies for the same web service end-point
  – Policy A for Client 1 and Policy B for Client 2
• Client-based throttling
  – Allow 100 transactions per second (TPS) for Client 1 and 250 TPS for Client 2
• Client-based service-level agreement (SLA) alarms
• Hiding service operations from certain clients
• Client can be identified through
  – IP address, SAML attributes, SOAP/transport headers
  – Identity attribute lookup after authentication
  – Device IDs / IDContext Attributes
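An added example (not from the slides and not Oracle product code) of client-based throttling using the slide's figures of 100 TPS for Client 1 and 250 TPS for Client 2. The token-bucket approach, the client identifiers and the rule that an unidentified client gets no budget are assumptions; the client id is taken to have been resolved already from one of the attributes listed above.

```python
# Added illustration, not Oracle code: per-client token buckets at a gateway.
# Client names and the deny-by-default rule for unknown clients are assumptions;
# the 100 and 250 TPS limits are the slide's figures.
import time

CLIENT_TPS = {"client1": 100, "client2": 250}


class ClientThrottle:
    def __init__(self, limits, clock=time.monotonic):
        self.limits = limits
        self.clock = clock          # injectable so the behaviour can be tested
        self.buckets = {}           # client_id -> (tokens, last_refill_time)

    def allow(self, client_id):
        """Return True if this request fits the client's TPS budget."""
        tps = self.limits.get(client_id, 0)
        if tps <= 0:
            return False            # unidentified client: no budget at all
        now = self.clock()
        tokens, last = self.buckets.get(client_id, (float(tps), now))
        # Refill in proportion to elapsed time, capped at one second's budget.
        tokens = min(float(tps), tokens + (now - last) * tps)
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self.buckets[client_id] = (tokens, now)
        return allowed


def count_allowed(throttle, client_id, attempts):
    """Send `attempts` back-to-back requests and count how many pass."""
    return sum(throttle.allow(client_id) for _ in range(attempts))


class FakeClock:
    """Manually advanced clock for a deterministic demonstration."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    throttle = ClientThrottle(CLIENT_TPS, clock)
    print(count_allowed(throttle, "client1", 300))   # burst at t=0
    print(count_allowed(throttle, "client2", 300))
    clock.now += 0.5
    print(count_allowed(throttle, "client1", 300))   # half a second later
```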

Page 7: API Gateway - OFM Canberra October 2014


API Key Management

[Diagram labels: Corporate DMZ; Security Gateway; Unified Agent; SOAP/REST and Legacy Web Services; HR; CRM; Talent; APIKey_AWS; APIKey_Salesforce; API Key + Web Service Request]

Page 8: API Gateway - OFM Canberra October 2014


Oracle API Gateway – Where?

[Diagram labels:
• Layers: First Line Of Defense; Shared Services Layer; End Point Security
• Zones: DMZ; Intranet
• Components: OAG; Service Bus; OWSM Agent (repeated); Applications
• Protocols: HTTP, SOAP, REST, XML, JMS
• Security: WS-Security, Basic Auth, Digest, X509, UNT, SAML, Kerberos, Sign & Encrypt]

Page 9: API Gateway - OFM Canberra October 2014


Concepts and Architecture – Logical Components

Page 10: API Gateway - OFM Canberra October 2014


Concepts and Architecture – Policy Studio and OAG Manager

[Diagram labels:
• Domain spanning Physical / Virtual Machine 1 and Physical / Virtual Machine 2
• Admin Node Manager; Node Manager
• Group "Stock Control APIs": OAG Instance 1, OAG Instance 3
• Group "Payment APIs": OAG Instance 2, OAG Instance 4
• OAG Manager: manages
• Policy Studio: manages]

Page 11: API Gateway - OFM Canberra October 2014


Concepts and Architecture – Configuration Parts

Page 12: API Gateway - OFM Canberra October 2014


Concepts and Architecture – Lifecycle Management

Page 13: API Gateway - OFM Canberra October 2014


Concepts and Architecture – Lifecycle Management

Page 14: API Gateway - OFM Canberra October 2014


Demo