Configure API Manager settings in Policy Studio

Policy Studio enables you to configure a range of settings that apply to API Manager and the underlying API Gateway. This topic describes how to create a Policy Studio project with API Manager configuration, and how to configure each of the API Manager settings.

Create a Policy Studio project with API Manager configuration

To create a Policy Studio project with API Manager configuration, perform the following steps:

  1. Ensure that your API Gateway installation has already been configured for API Manager using the setup-apimanager script. For more details, see Configure API Manager settings in Policy Studio.
  2. Create a project from one of the following:
    • API Gateway instance
    • API Gateway configuration directory
    • .fed, .pol, or .env file

For more details on creating projects, see the Get Started section in the API Gateway Policy Developer Guide.

Configure API Manager server settings

In the Policy Studio tree, select Environment Configuration > Server Settings > API Manager to configure the settings described in this topic.

Alerts

The Alerts settings enable you to configure runtime alerts, which call specified policies to handle the alert event. For example, the policy might send an email to an interested party, or forward the alert to an external notification system. Sample policies are provided as a starting point for custom development.

You can enable or disable alerts in the API Manager web interface. On this screen, you can change the policy that is executed when an alert is generated. For more details, see API management alerts.

API Listeners

The API Listeners settings enable you to configure API Gateway listeners to service API Manager-registered APIs. The default is Portal Listener.

Note   This screen only displays listeners that do not have a relative path resolver on the / relative path. For more details on API Gateway listeners, relative paths, and resolvers, see the API Gateway Policy Developer Guide.

API Promotion

The API Promotion settings enable you to configure an optional policy that is invoked when APIs registered in API Manager are promoted between environments (for example, from a test or sandbox environment to a live production environment).

To select a promotion policy, click the browse button on the right, and select a policy that you have already created. By default, no API promotion policy is selected. For more details, see Promote managed APIs between environments.

API Connectors

The API Connectors settings enable you to configure client authentication profiles to use with specific API connectors and plugins. For example, this includes connecting to Cloud APIs such as Salesforce.com and Google. A preconfigured plugin for Salesforce.com APIs is provided by default.

For more details, see Cloud application connectors.

Identity Provider

The Identity Provider settings enable you to integrate API Manager with a wide range of external user repositories. For example, this includes third-party identity providers such as Apache Directory, OpenLDAP, Microsoft Active Directory, and so on. To enable integration, select Use external identity provider, and configure the following set of custom policies:

  • Account authentication policy:
    Click the browse button, and select the required authentication policy that is invoked whenever a user tries to log in to API Manager. This setting is mandatory.
  • Account information policy:
    Click the browse button, and select the required information policy that is invoked on first login to seed the user profile in API Manager. This setting is mandatory. For more details, see Configure external LDAP identity providers.
  • Account creation success (optional):
    Click the browse button, and select an optional policy that is invoked when a new user has been registered with API Manager.
  • Account creation failure (optional):
    Click the browse button, and select an optional policy that is invoked when an attempt to register a new account with API Manager has failed.

API Manager provides sample external identity provider configuration. For more details, see Configure external LDAP identity providers.

Note   The Identity Provider settings are used only to configure integration of API Manager with external user repositories. All other API Manager data is stored using a Key Property Store (KPS) in an Apache Cassandra cluster. For more details, see the API Gateway Key Property Store User Guide.

Monitoring

The Monitoring settings allow you to configure monitoring metrics in API Manager:

  • Enable monitoring:
    Select whether to enable monitoring metrics displayed on the Monitoring tab in API Manager. Monitoring is enabled by default.
  • Use the following database:
    Click the browse button to configure the connection to the database that stores the monitoring metrics. For more details, see Configure database connections in the API Gateway Policy Developer Guide.

For more details on monitoring, see Monitor APIs and applications in API Manager.

OAuth Outbound Credentials

The OAuth Outbound Credentials setting enables you to configure optional client credentials for use with OAuth outbound authentication. These enable clients to request an OAuth access token using only their client credentials with the authorization specified in the header. By default, no credentials are configured.

For more details, see the following:

OAuth Token Information Policies

The OAuth Token Information Policies setting enables you to configure optional policies used by external OAuth security devices in API Manager. These include custom policies used to obtain and extract token information from external OAuth providers. By default, no policies are configured.

For more details, see the following:

OAuth Token Stores

The OAuth Token Stores settings enable you to configure OAuth token stores for the OAuth security devices used by API Manager-registered APIs. Click Add to configure an OAuth access token store. To add a store, right-click Access Token Stores, and select Add Access Token Store. The default is OAuth Access Token Cache.

For more details on OAuth, see the API Gateway OAuth User Guide.

Quota Settings

The Quota Settings enable you to configure how quota information is stored. Quotas enable you to manage the maximum message traffic rate that can be sent by applications to APIs. For more details on configuring quotas in API Manager, see Administer APIs in API Manager.

You can configure the following settings in Policy Studio:

  • Send warning if API usage reaches:
    Enter the % of System Quota and % of Application Quota that must be reached before warnings are sent to the API administrator. Both API usage values default to 80 per cent. For more details, see Manage quotas.
  • Where to store quota data:
    Select In external storage or In memory only. This setting defaults to In external storage, with quota data kept in memory only if the time window is below 30 seconds. In this case, if the API administrator configures a quota in API Manager with a time window below 30 seconds, the data is stored in memory instead of in external storage. Alternatively, to never use external storage, select In memory only to store data in memory in all cases.
  • If you select In external storage, you must specify an external storage mechanism:
    • Automatic (adapt to KPS storage configuration): The data is stored externally as configured in the Key Property Store (KPS). This is the default option. For more details, see the API Gateway Key Property Store User Guide.
    • Use database: To store your data in a relational database, select this option, and specify the database connection that you want to use in Environment Configuration > External Connections > Database Connections. For more details, see the API Gateway Policy Developer Guide.
    • Use Cassandra: To store your data in an Apache Cassandra database, select this option. For more details, see Install Apache Cassandra in the API Gateway Installation Guide.
    • Cassandra consistency levels:
      When Use Cassandra is selected, you can configure Read and Write consistency levels for the Cassandra database. These settings control how up-to-date and synchronized a row of data is on all of its replicas. For high availability, you must ensure that the Cassandra read and write consistency levels are both set to QUORUM.

For more details on consistency levels, see the following

Note   Quota data is not shared for those quotas created in API Manager with a time window less than the value configured in Policy Studio, irrespective of the storage selected. This could impact on throttling in an HA environment, where multiple API Gateways are servicing requests and contributing to total message counts.
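
The following Python sketch is an added illustration, not product code. It models the storage rule and the note above for a single time window, showing how many requests a cluster admits when quota counters are kept per gateway instead of in shared external storage. The function and class names, the round-robin distribution, and the application ID are assumptions made for the example.

```python
IN_MEMORY_THRESHOLD_S = 30  # page default: windows below 30 seconds stay in memory


def storage_for(window_s, mode="external", threshold_s=IN_MEMORY_THRESHOLD_S):
    """Return where a quota's counters live under the rule described above."""
    if mode == "memory" or window_s < threshold_s:
        return "memory"
    return "external"


class Gateway:
    """One API Gateway instance (simplified model, single time window)."""

    def __init__(self, shared):
        self.local = {}       # in-memory counters, private to this instance
        self.shared = shared  # external storage, visible to every instance

    def allow(self, app, limit, window_s, mode="external"):
        in_memory = storage_for(window_s, mode) == "memory"
        store = self.local if in_memory else self.shared
        if store.get(app, 0) >= limit:
            return False      # quota exhausted as far as this store can tell
        store[app] = store.get(app, 0) + 1
        return True


def accepted(n_gateways, requests, limit, window_s, mode="external"):
    """Spread `requests` calls round-robin over the gateways; count those admitted."""
    shared = {}
    gateways = [Gateway(shared) for _ in range(n_gateways)]
    return sum(
        gateways[i % n_gateways].allow("app-1", limit, window_s, mode)
        for i in range(requests)
    )


if __name__ == "__main__":
    # Constructed scenario: quota of 10 messages, 3 gateways, 100 requests.
    print("60 s window, external storage:", accepted(3, 100, 10, 60))
    print("10 s window, kept in memory:  ", accepted(3, 100, 10, 10))
    print("60 s window, In memory only:  ", accepted(3, 100, 10, 60, "memory"))
```

When counters are not shared, the number of messages the cluster admits in a window scales with the number of gateways servicing requests, which is the throttling impact the note describes for HA environments.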

Inbound Security Policies

The Inbound Security Policies settings enable you to configure the custom security policies that can be applied to APIs registered in API Manager. These policies enable you to perform custom policy-based authentication on front-end APIs.

API Manager provides a number of built-in authentication policies to secure APIs (for example, API keys and OAuth 2.0), which you can select when creating front-end APIs. You can extend the built-in authentication policies with custom authentication policies that have been developed in Policy Studio.

For example, a custom policy could use CA SiteMinder to authenticate client application requests to APIs. In addition, custom authentication policies can specify a message that is displayed in the API Catalog informing application developers of the authentication mechanism to use when accessing the API.

To configure your custom inbound security policies, click Add, and select the appropriate policies in the dialog. The configured policies are added to the list.

Note   Inbound security policies must set the authentication.subject.id message attribute to match the client ID set in the external credentials of the application.

For details on how to create policies, see the API Gateway Policy Developer Guide.

For details on applying inbound security policies to front-end APIs, see Virtualize REST APIs in API Manager.

Request Policies

The Request Policies settings enable you to configure optional request processing policies for virtualized APIs in API Manager. For example, you could use the configured policies to check request messages for authentication or authorization. To configure request policies, click Add, and select policies in the dialog. By default, no request policies are configured.

Note   Request Policies, Response Policies, and Routing Policies apply to APIs registered using the API Manager, and do not apply to policies registered using Policy Studio. These policies enable policy developers to implement enterprise-specific request policies in Policy Studio that can be applied to multiple APIs in API Manager.

For details on how to create policies, see the API Gateway Policy Developer Guide.

Response Policies

The Response Policies settings enable you to configure optional response processing policies for virtualized APIs in API Manager. For example, you could use the configured policies to validate or transform outbound response messages. To configure response policies, click Add, and select policies in the dialog. By default, no response policies are configured.

For details on how to create policies, see the API Gateway Policy Developer Guide.

Routing Policies

The Routing Policies settings enable you to configure custom routing policies for virtualized APIs in API Manager. For example, you could use the configured policies to route to a back-end JMS service. To configure routing policies, click Add, and select policies in the dialog. By default, no routing policies are configured, and the default URL-based routing policy is used. For more details, see Customize the default API Manager routing policy for all APIs.

For detailed examples of using custom routing policies based on API key and OAuth, see Configure custom API Manager routing policies.

For more details on how to create API Gateway policies in Policy Studio, see the API Gateway Policy Developer Guide.

SMTP Server

To send emails (for example, for user registration or client application approval), you must configure an SMTP server for API Manager under the SMTP Server settings in Policy Studio. The default setting is Portal SMTP server on localhost.

Note   You must ensure that API Manager is configured with the SMTP server used by your organization to generate emails for user registration or client application approval.

For example, to configure your SMTP server, perform the following steps:

  1. Click the browse button on the right of the SMTP Server field.
  2. Right-click Portal SMTP, and select Edit.
  3. Complete the SMTP settings in the dialog. The following example settings use the Gmail SMTP server:
    • Name: Name for your SMTP server (for example, Acme Portal SMTP Server).
    • SMTP Server Hostname: Hostname of your SMTP server (for example, smtp.gmail.com).
    • Port: SMTP server port number (for example, 465).
    • User Name: Your email user name (for example, joe.bloggs@gmail.com).
    • Password: Your email password.

For more details on SMTP configuration, see the API Gateway Policy Developer Guide.

Note   When finished updating your API Manager configuration, remember to click Apply Changes at the bottom of the window, and then Deploy in the toolbar.

Customize the default API Manager routing policy for all APIs

You can customize the default URL-based routing used by API Manager by modifying the default Connect to URL filter in Policy Studio. To edit this default policy, select Policies > Generated Policies > REST APIs > Templates > Default URL-based Routing, and double-click the Connect to URL filter in the policy canvas on the right.

For example, under Settings > Failure > Call connection policy on failure, you could configure a custom policy with a Reflect message filter that modifies the default 500 response code to 503 when the API Manager runtime cannot connect to a back-end service. Updating this default routing policy modifies how API Manager manages connection failures globally for all APIs, without needing to modify each API.

Note   After updating this default routing policy, you do not need to restart the underlying API Gateway; redeploying the updated configuration is sufficient.

For more details on how to create API Gateway policies in Policy Studio, see the API Gateway Policy Developer Guide.

Configure API Manager in a network protected by an HTTP proxy

If you are using API Manager in a network protected by an HTTP proxy that requires authentication, you must perform some additional configuration steps.

Configure a proxy server

For API Manager to connect to the back-end API through a proxy, the routing policy used must be configured with a proxy server. For example, perform the following steps:

  1. In the Policy Studio tree, select Policies > Generated Policies > REST APIs > Templates > Default URL-based Routing.
  2. Double-click the Connect to URL filter to edit it, and select the Settings tab.
  3. Select Proxy > Send via proxy.
  4. In the Proxy Server field, browse to the configured proxy server. If a proxy server has not already been configured, right-click Proxy Servers, and select Add a Proxy Server. For more details, see the API Gateway Policy Developer Guide.
  5. Click Deploy in the toolbar to deploy the updated configuration.

Update the JVM settings

The following JVM setting is also required when importing the API in API Manager. This is because API Manager uses Java to download the API:
