Melbourne API Management Seminar

Upload: ca-api-management

Post on 20-Aug-2015

TRANSCRIPT

Page 1: Melbourne API Management Seminar

API Management Breakfast Seminar

Francois Lascelles Chief Architect

Devon Winkworth Solutions Architect, APAC

Mike Amundsen Principal API Architect

Page 2: Melbourne API Management Seminar

Agenda

API Management

Overview and Trends

Reaching out to Developers – B2D

Publishing and Consuming APIs

Engaging & Supporting Developers and Reporting the Results

Break

OAuth – the next step in Access Control

Solving Mobile Challenges

Customers Success Stories

Summary and Wrap up

Page 3: Melbourne API Management Seminar

Challenges for the Modern Enterprise

Build a Developer Channel with Open APIs

Cloud Access & Integration Connect Enterprise to Mobile Apps

BYOD Employee Enablement

Field Enablement

API Developer Communities

Smart Grid

Login / Password SaaS Access

IaaS Integration & Governance

Hybrid Private / Public

Burst to the Cloud

Real-time Supply Chain

X-agency information sharing

Media Syndication

Trading Platforms

Publish Public APIs Reliably

Build Developer Ecosystems

Monetize Internal Information

Socialize Applications

X-Departments / X-Agency Connectivity

Page 4: Melbourne API Management Seminar

Why APIs? The Rebirth of Applications

Customers & Partners

Enterprise API

Page 5: Melbourne API Management Seminar

Traditional “Closed” APIs

Divisions

Cloud

Partners

Mobile

Enterprise

API

Page 6: Melbourne API Management Seminar

The New “Open” API

Divisions

Cloud

Partners

Mobile

Open

API

Page 7: Melbourne API Management Seminar

Cloud

Partners

Mobile

Divisions

Open

API

Third Parties are Key

Page 8: Melbourne API Management Seminar

API Management Scope

API Lifecycle

Discovery, documentation

Developer onboarding

Performance, scaling

Integration

Access control

SLA enforcement

Threat protection

Analytics

Monetization

Developer Portal

API Gateway

Developer

App

API

API Management Infrastructure

Page 9: Melbourne API Management Seminar

Agenda


Page 10: Melbourne API Management Seminar

Attending to the Hockey Sticks

More Devices

More Apps

More APIs

Page 11: Melbourne API Management Seminar

API Developers

Developers are your target audience

They need great tools to use your API

They know what works

And they tell others about it

Page 12: Melbourne API Management Seminar

Developers are your Target Audience

APIs

Developers

Apps

Users

Page 13: Melbourne API Management Seminar

They need great tools to use your API

Docs

Getting started

Sandbox

Registration

Samples

Page 14: Melbourne API Management Seminar

Developers know what works…

30 min to a quick win or else

“It was easy for me to get started with this API.”

Make them look good to peers and superiors

“Hey, I know just the API we can use to solve this problem.”

Make it easy for them to use/promote your API

“Company X has a great API, you should try it.”

Make it hard for them to mis-use/break your API

“This API is very intuitive.”

Page 15: Melbourne API Management Seminar

…And they tell others about it.

Conferences

100+ developers, designers, project leaders

Code-a-thons

100- developers, API publishers, API hosts

Meetups

Local developers, designers, leadership

- User Groups (~50)

- Pub Nights (~25)

Online

Wide range of highly targeted communities

- Forums

- Chat rooms

- Social media

Page 16: Melbourne API Management Seminar

Reaching out means…

Know your target audience

Give them the tools they need…

To do their jobs well…

So they will spread the good word.

Page 17: Melbourne API Management Seminar

Agenda


Page 18: Melbourne API Management Seminar

Example: Australia Sports API

Sample API: Professional sports information aggregation

- Teams

- News

- Results

Page 19: Melbourne API Management Seminar

Layer 7 Gateway

Ensure Privacy & Security Compliance (Security Control):

- Authorization & Authentication
- Data Leak Prevention
- Attack Prevention
- Browser Exploit Blocking

Optimize API Traffic (Traffic Control):

- Transformations: SOAP / REST, XML / JSON
- Rate Limiting
- API Key Management

Page 20: Melbourne API Management Seminar

Demo: Exposing an API with the Layer 7 Gateway

API

endpoint

REST Client

Policy Manager

Gateway

Page 21: Melbourne API Management Seminar

Layer 7 Gateway Capabilities

Access Control

• Authentication: for different IAM systems, SAML, OAuth
• Authorization including OAuth, XACML
• Token translation / SAML STS
• Horizon call back into enterprise
• Identity federation across service zones

Security

• API threat protection
• XML / JSON schema validation
• Data filtering, redaction
• Data privacy: message- and field-level encryption
• Data integrity: digital signatures, hashing, validation

Metering/SLA

• Throttling, rate limiting, cross-cluster message counter
• Prioritization, traffic shaping and QoS
• Content caching to reduce latency overhead
• Monitoring, reporting on API usage
• Activity reporting to IT management systems

Abstraction/Mediation

• Format conversion: SOAP/REST/JSON/XML
• Protocol mediation: HTTP(S), messaging, file-based, SSH
• Dynamic content- and context-based routing
• Composite services: in-line callouts, message enrichment
• Workflow: fan-in, fan-out, looping, synch/asynch

Page 22: Melbourne API Management Seminar

Layer 7 Gateway Form Factors

Hardware Appliance

- Rack mountable 1-U device
- Common Criteria EAL 4+ certification, FIPS 140-2 level 3
- Optional hardware accelerator modules for XML, crypto

VMware Virtual Appliance

- Packaged virtual image of hardware appliance
- “VMware-ready” certified
- Open Virtualization Format (OVF)

AWS Virtual Appliance

- Instantiate from your AMI catalog
- Integrate with EC2, RDS, Auto Scale, ELB

Software

- Software installation for Linux or Solaris based systems

Page 23: Melbourne API Management Seminar

Agenda


Page 24: Melbourne API Management Seminar

Layer 7 API Portal Objectives

Drive Developer Adoption (Onboarding):

- Developer Enrollment
- API Docs
- Forums
- API Explorer

Provide Insight for all Stakeholders (Reporting):

- Rankings
- Analytics
- Quotas
- Task Tracking

Page 25: Melbourne API Management Seminar

Demo: API Portal

Developer portal

- Discover an API

- Try the API

- Register as a developer

- Register an application

- Get an API key

- Metrics

- Community

Demo

Page 26: Melbourne API Management Seminar

Layer 7 API Portal Capabilities

Developer Management

• Self-service registration and colleague enrollment
• Plans are provided to help you stratify developers into tiers
• Account managers assigned to help manage specific, high-value partners
• Manage the generation of API keys/OAuth secrets for each developer application

Developer Support

• Discussion forums, integrated messaging, FAQs, announcements to foster community among developers
• API documentation, sample code/applications
• API Explorer to allow you to submit queries and see API responses interactively
• Reports that measure API usage, application usage and API latency

Content Management

• Out-of-the-box templates for API documents, landing pages, etc.
• Content can be versioned and rolled back
• Personalized default dashboard for all developer and publisher users
• Look and feel easily changed (i.e. logos, fonts, colors, etc.)
• Control access to documentation and forums based on API status (i.e. private vs. public)

Business Management

• Account tiers defined to allow for developer grouping and actions
• Define unique and/or standard plans for each API
• Define quotas, rate limits and other features for each API plan
• Applications tracked as they move from development to test to production
• Application usage measured, providing developer understanding and info for planning

Page 27: Melbourne API Management Seminar

Time for a Break!!

Page 28: Melbourne API Management Seminar

Agenda


Page 29: Melbourne API Management Seminar

API access control

You got an API key, now what?

- An app is sometimes identified at runtime by including its API key in a query parameter

- (that doesn’t count as access control)

- Typically, the user of the mobile app needs to be authenticated

- Standard: OAuth 2.0

- Multiple grant types possible

- Opaque bearer tokens are the most common approach

Page 30: Melbourne API Management Seminar

OAuth Toolkit

API Protection

OAuth 1 OAuth 2

OpenID Connect 2 & 3-legged OAuth

Better Integration

– Leverage Existing Assets

Faster Time to Market

Scaling

– Interpreted vs. Stateful Tokens

– Caching

Page 31: Melbourne API Management Seminar

Anatomy of an OAuth handshake

[Diagram; one of many possible grant types illustrated]

- Parties: Subscriber (resource owner), Mobile App (client), OAuth Authorization Server with an authorization endpoint and a token endpoint

- Step 1: the subscriber gives consent at the authorization endpoint, and the client receives an authorization code

- Step 2: the client presents the authorization code at the token endpoint and receives an access token

- Annotation on the diagram: “This is a shared secret”

Page 32: Melbourne API Management Seminar

Why exchange a secret with an OAuth authorization server in the first place?

A: In order to consume an API

[Diagram: OAuth Provider, consisting of an OAuth Authorization Server and an OAuth Resource Server (API endpoint)]

- Consume the REST API with the access token from the handshake

- At the API endpoint: access token -> app, user

- Enforce access control policies

Page 33: Melbourne API Management Seminar

OAuth: Leverage existing identity, existing SSO

[Diagram: SSO Policy Server, API Management, and a subscriber who wants to “maintain my SSO experience!”]

- Get SSO cookie, integrate with policy server (web agent)

- Check SSO session (SSO token)

- Associate SSO cookie with access token during the handshake

Page 34: Melbourne API Management Seminar

Token Monitoring, Revocation

- Track usage of live tokens

- Integrate with portals, BI, provider tooling through open API

- Expose token revocation to the right parties

[Diagram: a compromised token is exploited against the API Provider; Token Management checks each token and the check fails once the token is revoked; revocation can be issued from the Dev portal, the Subscriber portal and the API Provider; BI looks for unusual usage patterns]
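The provider-side steps from pages 29, 32 and 34 (an opaque bearer token looked up at the provider, mapped to app and user, policies enforced, token revoked and usage tracked) as an added Python example; this is not the Layer 7 product's code, and the in-memory token store, the `api_key` query parameter name and the usage threshold rule are assumptions.

```python
"""Resource-server side of pages 29, 32 and 34 (constructed example, not Layer 7
code): opaque bearer token -> (app, user, scopes), with expiry, revocation, usage."""
import secrets
import time
from collections import Counter
from dataclasses import dataclass

@dataclass
class TokenRecord:
    app_id: str
    user: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False

class AuthorizationServer:
    """Token endpoint plus introspection store (assumed in-memory dict)."""
    def __init__(self):
        self._tokens = {}        # opaque token string -> TokenRecord
        self.usage = Counter()   # (app_id, user) -> number of API calls

    def issue(self, app_id, user, scopes, ttl=3600, now=None):
        token = secrets.token_urlsafe(32)  # opaque: carries no claims itself
        expires = (time.time() if now is None else now) + ttl
        self._tokens[token] = TokenRecord(app_id, user, frozenset(scopes), expires)
        return token

    def introspect(self, token, now=None):
        """Live record for a token, or None if unknown, expired or revoked."""
        rec = self._tokens.get(token)
        current = time.time() if now is None else now
        if rec is None or rec.revoked or current >= rec.expires_at:
            return None
        return rec

    def revoke(self, token):  # exposed to portals and the provider (page 34)
        if token in self._tokens:
            self._tokens[token].revoked = True

def authorize_request(authz, headers, query, path, scope_required, now=None):
    """Gateway check for one API call. Returns (HTTP status, reason)."""
    # An api_key in the query string only identifies the app (page 29); it is
    # never accepted as proof of the user, so a bearer token is still required.
    app_hint = query.get("api_key")
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    rec = authz.introspect(auth[len("Bearer "):], now)
    if rec is None:
        return 401, "token invalid, expired or revoked"
    if app_hint is not None and app_hint != rec.app_id:
        return 401, "api_key does not match the app the token was issued to"
    if scope_required not in rec.scopes:
        return 403, "insufficient scope"
    authz.usage[(rec.app_id, rec.user)] += 1   # feeds the BI/monitoring loop
    return 200, f"{rec.user} via {rec.app_id} -> {path}"

def unusual_usage(authz, threshold):
    """(app, user) pairs whose call count exceeds threshold: the 'unusual usage
    patterns' signal that should trigger a revocation review (assumed rule)."""
    return [key for key, count in authz.usage.items() if count > threshold]
```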

Page 35: Melbourne API Management Seminar

Agenda


Page 36: Melbourne API Management Seminar

Layer 7 Mobile Access Gateway

A lightweight, low-latency mobile gateway for solving critical mobile challenges in the following areas:

Page 37: Melbourne API Management Seminar

Demo - Mobile Access Gateway

Mobile Access Gateway

- http/websocket/xmpp/push

- Mobile notification hookup (APNS, Android)

- Targeted notifications

Demo

Page 38: Melbourne API Management Seminar

Layer 7 Mobile Access Gateway Capabilities

Identity

• Map Web SSO & SAML to mobile-friendly OAuth, OpenID Connect and JSON Web Tokens
• Create granular access policies at user, app and device levels
• Build composite access policies combining geolocation, message content etc.
• Simplify PKI-based certificate delivery and provisioning

Security

• Protect REST, SOAP and OData APIs against DoS and API attacks
• Proxy API streaming protocols like HTML5 WebSockets and XMPP messaging
• Enforce FIPS 140-2 grade data privacy and integrity
• Validate data exchanges, including all JSON, XML, header and parameter content

Adoption

• Surface any legacy application or database as RESTful APIs
• Quickly map between data formats such as XML and JSON
• Recompose & virtualize APIs to specific mobile identities, apps and devices
• Orchestrate API mashups with configurable workflow

Optimisation

• Cache calls to backend applications
• Recompose small backend calls into efficiently aggregated mobile requests
• Compress traffic to minimize bandwidth costs and improve user experience
• Pre-fetch content for hypermedia-based API calls

Integration

• Proxy and manage app interactions with social networks
• Broker call-outs to cloud services like Salesforce.com
• Bridge connectivity to iPhone, Windows and Android notification services
• Integrate with legacy applications using ESB capabilities

Page 39: Melbourne API Management Seminar

Agenda


Page 40: Melbourne API Management Seminar

Layer 7 API Management Implemented at 200+ Enterprise and Government Customers

[Customer logos grouped as: Financial Services, Communications, Public Sector, Select Others]

Page 41: Melbourne API Management Seminar

Case Study: Publishing Telecom APIs

Problem: publicly exposing Telecom APIs presents some unique challenges around how they get packaged, secured and managed for easy consumption

Solution: SecureSpan Networking Gateway policy-based controls allowed Orange to define the message, identity and interface level security for their APIs; track usage; monitor interface health; and update APIs without breaking client applications

Results: Orange has created an agile IT platform on which to develop new offerings faster and at less cost by reusing/recomposing existing services

“Making Nursery [Telecom APIs] available to local, 3rd world partners has allowed Orange to overcome many of the barriers that had previously limited our growth in emerging markets.”

Benoît Herard, Orange Labs

Page 42: Melbourne API Management Seminar

Case Study: APIs Expanding Market Reach

Problem: wanted to securely expose existing services to third party developers in order to expand their market reach

Solution: Layer 7 API Proxy allows Alaska to securely expose and manage their APIs, while caching Sabre requests

Results: significantly grew market reach, while controlling costs associated with constantly pulling data from Sabre to service developer requests

Page 43: Melbourne API Management Seminar

Case Study: APIs Enabling the Enterprise

Problem: reduce cost and delay in processing Medicaid member information by bringing the process online

Solution: SOA Gateway allows iPad application to securely connect to backend APIs; provides data routing & guards APIs against intrusion with strict authentication, authorization and comprehensive threat protection

Results: improves Amerigroup’s health care coverage and member services, while increasing the effectiveness and efficiency of its Medicaid program

Page 44: Melbourne API Management Seminar

Case Study: Publishing Information Service APIs

Problem: allow customers and partners to use Google Apps to access multiple, existing information services

Solution: CloudControl authorizes users and applies rate limiting; converts REST queries to SOAP, and provides API aggregation & orchestration

Results: implemented business logic in policy (not code), decreasing maintenance costs; customers and partners can now obtain richer results to their queries from their platform of choice, simplifying and speeding information gathering

“Layer 7 offered us the closest fit to our business requirements in a single product. No other vendor was even close.”

SOA Architect, world’s leading publisher of science and health information

Page 45: Melbourne API Management Seminar

Case Study: SaaS & Mobile Integration

Problem: securely integrate to SaaS services such as Salesforce.com and Workday, as well as secure mobile payments for Mastercard’s MoneySend service

Solution: Layer 7 securely gates all interactions with cloud-based SaaS providers and mobile applications, authenticating and authorizing all inbound/outbound interactions

Results: users manage only a single login/password for all systems; administrators manage a single LDAP, thereby enhancing security and lowering administration costs

Page 46: Melbourne API Management Seminar

Agenda


Page 47: Melbourne API Management Seminar

Challenges for the Modern Enterprise


Page 48: Melbourne API Management Seminar

Layer 7 – One Solution for 4 Hybrid Problem Spaces

Across Divisions & Partners (SOA Gateway)

- Simplify Information Sharing
- Enable Centralized Shared Services
- Improve B2B
- Bridge ESB Domains

Cloud Access (CloudConnect)

- Help Enterprises Connect To The Cloud
- Help Service Providers Deliver New Services
- Deploy Security-as-a-cloud Service

Across Mobile (Mobile Access Gateway)

- Mobile Developer Onboarding
- BYOD
- Mobile application management
- App security

Outside Developer Communities (API Portal)

- Build a developer channel
- Monetize information assets
- Improve customer reach
- Improve customer retention

Page 49: Melbourne API Management Seminar

Established Leader

“Layer 7 SecureSpan is strong across the board. SecureSpan SOA Gateway scored well in all of the major functional evaluation categories…It has the broadest array of form factors and one of the strongest strategies for virtualization and cloud-based deployment.”

“[Layer 7 has a] …. complete offering, with good coverage of general SOA governance (on-premises and in the cloud), B2B, ESB and API management functionality…[The Company is] fast-moving, well on its way to implementing its good vision for SOA governance and the related marketplaces.”

Gartner Magic Quadrant for SOA & API Governance Technologies, Oct 2011

[Figure: Magic Quadrant with quadrants niche players, visionaries, challengers and leaders; vertical axis “ability to execute”; vendors plotted: Software AG, Oracle, IBM, Progress Software, Layer 7, SOA Software, Tibco Software, HP, Vordel, Crosscheck Networks, Managed Methods, Intel, Mashery, WSO2]

Additional Notable Recognition

The Forrester Wave: SOA & API Application Gateways, Nov 2011

[Figure: Wave chart with categories Risky Bets, Contenders, Strong Performers and Leaders; axes Strategy (weak to strong) and Current Offering (weak to strong), bubble size indicating Market Presence; vendors plotted: Vordel, Intel, Forum Systems, Progress Software, Software AG, Tibco Software, Bee Ware, IBM]

Page 50: Melbourne API Management Seminar

For more information contact:

Colman McCaffery

[email protected]

+ 61 413 776 428

Thank You