Configure and secure API Portal

This section describes some additional configuration you might want to perform after installation, including settings to help secure Joomla! and API Portal.

For details on how to configure the look and feel of your API Portal end-user interface, see the API Portal Administrator Guide.

Configure the SSL certificate

To enable SSL on API Portal, you must configure the Apache web server to use the correct certificate.

Configure the Apache web server in a software installation

  1. Open the /etc/httpd/conf.d/apiportal.conf file.
  2. Change SSLCertificateFile and SSLCertificateKeyFile to point to your CA certificate and key files.
  3. Restart Apache.

For more details on API Portal certificate management, see the API Management Security Guide.

Disable TLS 1.0 and TLS 1.1 on Apache

On an API Portal software installation, the Apache web server has TLS versions 1.0 and 1.1 enabled in addition to the TLS 1.2 that API Portal uses. Because TLS 1.0 and 1.1 have known security weaknesses, it is recommended to disable them.

  1. To check which TLS versions are enabled, scan your API Portal port:

       sslscan <API Portal IP address>:<your https port>

     By default, API Portal uses port 443 for secure connections.

  2. To disable TLS 1.0 and 1.1, open the following file:

       /etc/httpd/conf.d/apiportal.conf

  3. Add the following SSL protocol definition for the secure connection:

       <VirtualHost *:443>
           SSLEngine on
           SSLCertificateFile "/etc/httpd/conf/server.crt"
           SSLCertificateKeyFile "/etc/httpd/conf/server.key"

           SSLProtocol TLSv1.2
           Header always append X-Frame-Options SAMEORIGIN
           ...
       </VirtualHost>

  4. Restart Apache.
  5. Run sslscan again on your API Portal port to check that TLS 1.0 and 1.1 have been disabled.

Protect Joomla! from direct Internet access

To counter a session fixation vulnerability in Joomla!, it is recommended that you protect the Joomla! Administrator Interface (JAI) from direct Internet access.

  1. Open the file /etc/httpd/conf.d/security.conf.
  2. Add an access restriction directive for the /administrator location, specifying the internal IP address range that is allowed to access JAI. For example:

       ServerTokens ProductOnly
       ServerSignature Off
       <Location /administrator>
           Order deny,allow
           deny from all
           allow from 10.232.14.
       </Location>

  3. To reload the web server configuration, enter the following:

       # /etc/init.d/apache2 reload
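The two Apache settings above (the SSLProtocol line on the :443 virtual host and the /administrator access restriction) can be verified from the configuration files before Apache is reloaded. The following checker is an added example, not Axway tooling; it assumes the simple one-directive-per-line form shown in this guide, handles SSLProtocol in both its allow-list form and its "all -TLSv1 -TLSv1.1" form, and runs against a constructed sample copied from the snippets above.

```python
# Added example (not Axway's code): checks the two Apache hardening settings from this guide.
import re

LEGACY_TLS = {"tlsv1", "tlsv1.1"}  # Apache's names for TLS 1.0 and 1.1

def _blocks(conf, tag):
    """Yield (argument, [directive lines]) for each <tag arg>...</tag> container."""
    for m in re.finditer(r"<%s\s+([^>]+)>(.*?)</%s>" % (tag, tag), conf, re.S | re.I):
        yield m.group(1).strip(), [ln.strip() for ln in m.group(2).splitlines() if ln.strip()]

def _directive(lines, name):
    """Lower-cased arguments of the first directive called `name`, or None if absent."""
    for ln in lines:
        parts = ln.split()
        if parts and parts[0].lower() == name.lower():
            return [p.lower() for p in parts[1:]]
    return None

def legacy_tls_allowed(conf):
    """True if the *:443 VirtualHost still accepts TLS 1.0 or 1.1. SSLProtocol is either an
    allow-list ("TLSv1.2") or "all" minus exclusions; with no SSLProtocol line Apache uses "all"."""
    for arg, body in _blocks(conf, "VirtualHost"):
        if not arg.endswith(":443"):
            continue
        args = _directive(body, "sslprotocol")
        if args is None:
            return True
        allowed = {"tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"} if "all" in args else set()
        allowed |= {t.lstrip("+") for t in args if not t.startswith("-") and t != "all"}
        allowed -= {t[1:] for t in args if t.startswith("-")}
        return bool(allowed & LEGACY_TLS)
    return True  # no :443 VirtualHost found: nothing shows TLS 1.0/1.1 are off

def admin_restricted(conf):
    """True if <Location /administrator> denies all and then allows only listed sources."""
    for arg, body in _blocks(conf, "Location"):
        if arg == "/administrator":
            deny, allow = _directive(body, "deny"), _directive(body, "allow")
            return deny == ["from", "all"] and bool(allow) and allow != ["from", "all"]
    return False

# Constructed sample built from the hardened snippets in this guide.
HARDENED = """<VirtualHost *:443>
    SSLProtocol TLSv1.2
</VirtualHost>
<Location /administrator>
    Order deny,allow
    deny from all
    allow from 10.232.14.
</Location>"""
```

Run `legacy_tls_allowed` and `admin_restricted` over the contents of apiportal.conf and security.conf respectively; both should report the hardened state before and after the reload.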

Limit the number of Joomla! failed login attempts

By default, Joomla! allows unlimited failed login attempts, which might pose a security risk. To protect Joomla! from brute force attacks, you can limit the number of failed login attempts that Joomla! allows:

  1. Log in to the Joomla! Administrator Interface (JAI) (https://<API Portal_host>/administrator).
  2. Click Extensions > Plugins.
  3. Locate and click the plugin LoginGuard Basic.
  4. Enter a value in seconds for how long the user account is locked.
  5. Enter a value for the number of failed login attempts before the account is locked.
  6. Ensure that you select Username in the Lock by field.
  7. Set the Status of the plugin to Enabled, and click Save & Close.

Joomla! is now protected. To protect API Portal from unlimited failed login attempts, you must also configure API Portal login protection.

Limit the number of API Portal failed login attempts

To protect API Portal from brute force attacks, you can limit the number of failed login attempts that API Portal allows:

  1. In the JAI, click Components > API Portal > Login Protection.
  2. Click Yes to enable login protection for API Portal.
  3. Enter a value for the number of failed login attempts before a ReCaptcha is displayed.
  4. Enter a value for the number of failed login attempts before the user account is locked.
  5. Enter a value in seconds for how long the user account is locked.
  6. Click Save.

Add trusted OAuth hosts

To prevent API Portal users from accessing unauthorized OAuth endpoints, you can enter a list of permitted OAuth hosts in the OAuth whitelist:

  1. In the JAI, click Components > API Portal > OAuth Whitelisting.
  2. Enter the host names or IP addresses of the trusted OAuth hosts (separated by new lines). Do not enter API Manager hosts as these are added to the whitelist automatically.
  3. Click Save.

Only requests to the hosts in the whitelist are now allowed.

Do not save login and password

When you log in to JAI, do not allow the web browser to save or remember your login and password.

Change the location of API Portal log files

By default, API Portal saves the Apache log files in the htdocs directory. To improve protection, you can configure a different location in your file system for the log files. Ensure that Apache has permission to write to the selected location.

To configure a different log directory:

  1. In the JAI, click System > Global Configuration.
  2. On the System tab, enter the new location in the Path to Log Folder field.
  3. Click Save.

Configure Redis cache settings

If you are using Redis cache to cache APIs for API Portal, you can control how long data is preserved in the cache:

  1. In the JAI, click Components > API Portal > Additional Settings.
  2. In Cache Timeout, enter how long (in seconds) APIs are preserved in the cache.
  3. Click Save.

You can also use the Purge cache button to clear the cache at any time.

Configure terms and conditions text

To modify the API Portal Terms & Conditions content, edit the following file:

/opt/axway/apiportal/htdoc/components/com_apiportal/views/terms/tmpl/default.php

To customize the copyright notice that is displayed at the bottom of the API Portal pages, edit the following file:

/opt/axway/apiportal/htdoc/templates/purity_iii/tpls/blocks/footer.php
