Runtime Policy Mapping Details
This section describes how the runtime policies and their property values defined and published from CentraSite are mapped into API Gateway.
A runtime policy is published from CentraSite to API Gateway when a Virtual Service associated with the policy is published from CentraSite to API Gateway.
Publishing of runtime policies from CentraSite to API Gateway is performed by invoking the API Gateway Deployer Service.
Evaluate Kerberos
You can secure Web Service APIs using client's Kerberos token credentials. This policy action:
![*](chapterTOC_bullet.png)
Identifies the application against either the Registered Applications list or the Global Applications list in
API Gateway.
![*](chapterTOC_bullet.png)
Validates the client's kerberos token against the list of users in the
Integration Server on which
API Gateway is running.
You can select the level at which the Kerberos identification and authentication should be enforced for APIs:
![*](chapterTOC_bullet.png)
Message level
![*](chapterTOC_bullet.png)
Transport layer
The Evaluate Kerberos policy action under the Policy Enforcement > Security accordion in CentraSite is mapped into the following policies under the Identify & Access stage in API Gateway:
![*](chapterTOC_bullet.png)
If this policy action is set to secure SOAP API at the message level at the message level using the parameter
Enforcement Point: Message Level in
CentraSite, then the policy
Inbound Authentication - Message with the parameter
Kerberos Token Authentication is included to the API's policy list in
API Gateway.
![*](chapterTOC_bullet.png)
If this policy action is set to secure SOAP or REST API at the transport layer using the parameter
Enforcement Point: Transport Level in
CentraSite, then the policy
Inbound Authentication - Transport with the parameter
Kerberos Token Authentication is included to the API's policy list in
API Gateway.
![*](chapterTOC_bullet.png)
If this policy action is set to identify the application (against a list of global or registered consumers) using the parameter
Identify Consumer: Global Consumers/ Registered Consumers, then the policy
Identify & Authorize Application is included to the API's policy list in
API Gateway.
![*](chapterTOC_bullet.png)
If this policy action is set to NOT identify the application (against a list of global or registered consumers) using the parameter
Identify Consumer: Do Not Identify, then the policy
Identify & Authorize Application is NOT included to the API's policy list in
API Gateway.
Enforcement Point: Message Level Security
The following table summarizes the mapping of the policy enforcement at the message level:
CentraSite | API Gateway | Notes |
Service Principal Name Form: ![*](chapterTOC_bullet.png) User | Service Principal Name Form: ![*](chapterTOC_bullet.png) Username | Beginning with version 10.1, the parameter Service Principal Name Form is removed from CentraSite and API Gateway. This is because the service principal name form set to Host or Hostbased is no longer supported in Integration Server. Therefore, whenever the Evaluate Kerberos policy is defined for an API in CentraSite or API Gateway, the service principal name form defaults to User or Username. |
Service Principal Name Form: ![*](chapterTOC_bullet.png) Host | Service Principal Name Form: ![*](chapterTOC_bullet.png) Hostbased |
Service Principal Name | Service Principal Name | |
Service Principal Password | Service Principal Password | |
Identify Consumer: ![*](chapterTOC_bullet.png) Do Not Identify | Not applicable | When the parameter Identify Consumer is set to Do Not Identify in CentraSite, the policy Identify and Authorize Application that is used to identify an application is NOT included to the API's list of policies in API Gateway. |
Identify Consumer: ![*](chapterTOC_bullet.png) Global Consumers | Application Lookup Condition: ![*](chapterTOC_bullet.png) Global applications | When the parameter Identify Consumer is set to Global Consumers in CentraSite, the policy Identify and Authorize Application that is used to identify a global consumer application is included to the API's list of policies in API Gateway. Also, the parameter Identification Type is set to Kerberos Token in the policy Identify and Authorize Application. |
Identify Consumer: ![*](chapterTOC_bullet.png) Registered Consumers | Application Lookup Condition: ![*](chapterTOC_bullet.png) Registered applications | When the parameter Identify Consumer is set to Registered Consumers in CentraSite, the policy Identify and Authorize Application that is used to identify a registered consumer application is included to the API's list of policies in API Gateway. Also, the parameter Identification Type is set to Kerberos Token in the policy Identify and Authorize Application. |
Enforcement Point: Transport Layer Security
The following table summarizes the mapping of the policy enforcement at the transport layer:
CentraSite | API Gateway | Notes |
Service Principal Name Form: ![*](chapterTOC_bullet.png) User | Service Principal Name Form: ![*](chapterTOC_bullet.png) Username | Beginning with version 10.1, the parameter Service Principal Name Form is removed from CentraSite and API Gateway. This is because the service principal name form set to Host or Hostbased is no longer supported in Integration Server. Therefore, whenever the Evaluate Kerberos policy is defined for an API in CentraSite or API Gateway, the service principal name form defaults to User or Username. |
Service Principal Name Form: ![*](chapterTOC_bullet.png) Host | Service Principal Name Form: ![*](chapterTOC_bullet.png) Hostbased |
Service Principal Name | Service Principal Name | |
Service Principal Password | Service Principal Password | |
Identify Consumer: ![*](chapterTOC_bullet.png) Do Not Identify | Not applicable | When the parameter Identify Consumer is set to Do Not Identify in CentraSite, the policy Identify and Authorize Application that is used to identify an application is NOT included to the API's list of policies in API Gateway. |
Identify Consumer: ![*](chapterTOC_bullet.png) Global Consumers | Application Lookup Condition: ![*](chapterTOC_bullet.png) Global applications | When the parameter Identify Consumer is set to Global Consumers in CentraSite, the policy Identify and Authorize Application that is used to identify a global consumer application is included to the API's list of policies in API Gateway. Also, the parameter Identification Type is set to Kerberos Token in the policy Identify and Authorize Application. |
Identify Consumer: ![*](chapterTOC_bullet.png) Registered Consumers | Application Lookup Condition: ![*](chapterTOC_bullet.png) Registered applications | When the parameter Identify Consumer is set to Registered Consumers in CentraSite, the policy Identify and Authorize Application that is used to identify a registered consumer application is included to the API's list of policies in API Gateway. Also, the parameter Identification Type is set to Kerberos Token in the policy Identify and Authorize Application. |
Evaluate HTTP Basic Authentication
You can secure Web Service APIs using HTTP basic authentication. This policy action:
![*](chapterTOC_bullet.png)
Identifies the application against either the Registered Applications list or the Global Applications list in
API Gateway.
![*](chapterTOC_bullet.png)
Validates the client's credentials contained in the request's Authorization header against the list of users in the
Integration Server on which
API Gateway is running.
The Evaluate HTTP Basic Authentication policy action under the Policy Enforcement > Security accordion in CentraSite is mapped into the following policies under the Identify & Access stage in API Gateway:
![*](chapterTOC_bullet.png)
If this policy action is set to identify the application (against a list of global or registered Applications) using the parameter
Identify Consumer: Global Consumers/ Registered Consumers, then the policy
Identify & Authorize Application is included to the API's policy list in
API Gateway.
![*](chapterTOC_bullet.png)
If this policy action is set to NOT identify the application (against a list of global or registered Applications) using the parameter
Identify Consumer: Do Not Identify, then the policy
Identify & Authorize Application is NOT included to the API's policy list in
API Gateway.
![*](chapterTOC_bullet.png)
If this policy action is set to validate the client's credentials in the request's Authorization header against the list of users in
Integration Server using the parameter
Authenticate User set to
true in
CentraSite, then the policy
Inbound Authentication - Transport is included to the API's policy list in
API Gateway.
![*](chapterTOC_bullet.png)
If this policy action is set to NOT validate the client's credentials in the request's Authorization header against the list of users in
Integration Server using the parameter
Authenticate User set to
false in
CentraSite, then the policy
Inbound Authentication - Transport is NOT included to the API's policy list in
API Gateway.
![*](chapterTOC_bullet.png)
If this policy action is set to NOT validate the client's credentials in the request's Authorization header (using the parameter
Authenticate User set to
false) and NOT identify the application (using the parameter
Identify Consumer set to
Do Not Identify), then the policy
Validate HTTP Headers is included to the API's policy list in
API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Identify Consumer: ![*](chapterTOC_bullet.png) Do Not Identify | Not applicable | When the parameter Identify Consumer is set to Do Not Identify in CentraSite, the policy Identify and Authorize Application that is used to identify an application is NOT included to the API's list of policies in API Gateway. |
Identify Consumer: ![*](chapterTOC_bullet.png) Global Consumers | Application Lookup Condition: ![*](chapterTOC_bullet.png) Global applications | When the parameter Identify Consumer is set to Global Consumers in CentraSite, the policy Identify and Authorize Application that is used to identify a global consumer application is included to the API's list of policies in API Gateway. Also, the parameter Identification Type is set to Kerberos Token in the policy Identify and Authorize Application. |
Identify Consumer: ![*](chapterTOC_bullet.png) Registered Consumers | Application Lookup Condition: ![*](chapterTOC_bullet.png) Registered applications | When the parameter Identify Consumer is set to Registered Consumers in CentraSite, the policy Identify and Authorize Application that is used to identify a registered consumer application is included to the API's list of policies in API Gateway. Also, the parameter Identification Type is set to Kerberos Token in the policy Identify and Authorize Application. |
Authenticate User (check box) | Not applicable | ![*](chapterTOC_bullet.png) When the parameter Authenticate User check box is selected (set to true) in CentraSite, the policy Inbound Authentication - Transport with the parameter HTTP Basic Authentication that is used to secure the API at the transport layer is included to the API's list of policies in API Gateway. ![*](chapterTOC_bullet.png) When the parameter Authenticate User check box is NOT selected (set to false) in CentraSite, the policy Inbound Authentication - Transport that is used to secure the API at the transport layer is NOT included to the API's list of policies in API Gateway. Also, if the parameter Identify Consumer is set to Do Not Identify in CentraSite, the policy Validate HTTP Headers that is used to validate the presence of HTTP headers, or header values, or both in incoming API requests is included to the API's list of policies in API Gateway. |
Evaluate Client Certificate for SSL Connectivity
You can secure Web Service APIs using client's SSL certificate. This policy action identifies the application against either the Registered Applications list or the Global Applications list in API Gateway.
The Evaluate Client Certificate for SSL Connectivity policy action under the Policy Enforcement > Security accordion in CentraSite is mapped into the policy Identify and Authorize Application under the Identify & Access stage in API Gateway
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Identify Consumer: ![*](chapterTOC_bullet.png) Global Consumers | Application Lookup Condition: ![*](chapterTOC_bullet.png) Global applications | When the parameter Identify Consumer is set to Global Consumers in CentraSite, the policy Identify and Authorize Application that is used to identify a global consumer application is included to the API's list of policies in API Gateway. Also, the parameter Identification Type is set to SSL Certificate in the policy Identify and Authorize Application. |
Identify Consumer: ![*](chapterTOC_bullet.png) Registered Consumers | Application Lookup Condition: ![*](chapterTOC_bullet.png) Registered applications | When the parameter Identify Consumer is set to Registered Consumers in CentraSite, the policy Identify and Authorize Application that is used to identify a registered consumer application is included to the API's list of policies in API Gateway. Also, the parameter Identification Type is set to SSL Certificate in the policy Identify and Authorize Application. |
Evaluate Hostname
You can secure Web Service APIs using client's host name. This policy action identifies the application against either the Registered Applications list or the Global Applications list in API Gateway.
The Evaluate Hostname policy action under the Policy Enforcement > Security accordion in CentraSite is mapped into the policy Identify and Authorize Application under the Identify & Access stage in API Gateway
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Identify Consumer: ![*](chapterTOC_bullet.png) Global Consumers | Application Lookup Condition: ![*](chapterTOC_bullet.png) Global applications | When the parameter Identify Consumer is set to Global Consumers in CentraSite, the policy Identify and Authorize Application that is used to identify a global consumer application is included to the API's list of policies in API Gateway. Also, the parameter Identification Type is set to Hostname Address in the policy Identify and Authorize Application. |
Identify Consumer: ![*](chapterTOC_bullet.png) Registered Consumers | Application Lookup Condition: ![*](chapterTOC_bullet.png) Registered applications | When the parameter Identify Consumer is set to Registered Consumers in CentraSite, the policy Identify and Authorize Application that is used to identify a registered consumer application is included to the API's list of policies in API Gateway. Also, the parameter Identification Type is set to Hostname Address in the policy Identify and Authorize Application. |
Evaluate IP Address
You can secure Web Service APIs using client's IP address. This policy action identifies the application against either the Registered Applications list or the Global Applications list in API Gateway.
The Evaluate Hostname policy action under the Policy Enforcement > Security accordion in CentraSite is mapped into the policy Identify and Authorize Application under the Identify & Access stage in API Gateway
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Identify Consumer: ![*](chapterTOC_bullet.png) Global Consumers | Application Lookup Condition: ![*](chapterTOC_bullet.png) Global applications | When the parameter Identify Consumer is set to Global Consumers in CentraSite, the policy Identify and Authorize Application that is used to identify a global consumer application is included to the API's list of policies in API Gateway. Also, the parameter Identification Type is set to IP Address Range in the policy Identify and Authorize Application. |
Identify Consumer: ![*](chapterTOC_bullet.png) Registered Consumers | Application Lookup Condition: ![*](chapterTOC_bullet.png) Registered applications | When the parameter Identify Consumer is set to Registered Consumers in CentraSite, the policy Identify and Authorize Application that is used to identify a registered consumer application is included to the API's list of policies in API Gateway. Also, the parameter Identification Type is set to IP Address Range in the policy Identify and Authorize Application. |
Evaluate XPath Expression
You can secure Web Service APIs using client's authentication credentials that are represented as an XPath expression. This policy action identifies the application against either the Registered Applications list or the Global Applications list in API Gateway.
The Evaluate XPath Expression policy action under the Policy Enforcement > Security accordion in CentraSite is mapped into the policy Identify & Authorize Application under the Identify & Access stage in API Gateway as follows:
![*](chapterTOC_bullet.png)
If this policy action is set to identify the application (against a list of global or registered Applications) using the parameter
Identify Consumer: Global Consumers/ Registered Consumers, then the policy
Identify & Authorize Application is included to the API's policy list in
API Gateway.
![*](chapterTOC_bullet.png)
But, if this policy action is set to NOT identify the application (against a list of global or registered Applications) using the parameter
Identify Consumer: Do Not Identify, it is not possible to publish the API from
CentraSite to
API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Identify Consumer: ![*](chapterTOC_bullet.png) Do Not Identify | Not applicable | When the parameter Identify Consumer is set to Do Not Identify in CentraSite, publishing of API form CentraSite to API Gateway fails with the following exception: Could not deploy the asset <asset_name> on given target <API Gateway_name>. To work around this issue, you have to set the value of the parameter Identify Consumer to either Global Consumers or Registered Consumers, and then publish the API to API Gateway. |
Identify Consumer: ![*](chapterTOC_bullet.png) Global Consumers | Application Lookup Condition: ![*](chapterTOC_bullet.png) Global applications | When the parameter Identify Consumer is set to Global Consumers in CentraSite, the policy Identify and Authorize Application that is used to identify a global consumer application is included to the API's list of policies in API Gateway. Also, the parameter Identification Type is set to XPath expression in the policy Identify and Authorize Application. |
Identify Consumer: ![*](chapterTOC_bullet.png) Registered Consumers | Application Lookup Condition: ![*](chapterTOC_bullet.png) Registered applications | When the parameter Identify Consumer is set to Registered Consumers in CentraSite, the policy Identify and Authorize Application that is used to identify a registered consumer application is included to the API's list of policies in API Gateway. Also, the parameter Identification Type is set to XPath expression in the policy Identify and Authorize Application. |
Namespace: ![*](chapterTOC_bullet.png) Prefix | Namespace: ![*](chapterTOC_bullet.png) Namespace Prefix | |
Namespace: ![*](chapterTOC_bullet.png) URI | Namespace: ![*](chapterTOC_bullet.png) Namespace URI | |
XPath Expression | Identification Query: ![*](chapterTOC_bullet.png) Query Expression | |
Evaluate OAuth2 Token
You can secure Web Service APIs using client's OAuth2 token credentials. This policy action identifies the application against either the Registered Applications list or the Global Applications list in API Gateway.
The Evaluate OAuth2 Token policy action under the Policy Enforcement > Security accordion in CentraSite is mapped into the policy Identify & Authorize Application under the Identify & Access stage in API Gateway as follows:
![*](chapterTOC_bullet.png)
If this policy action is set to identify the application (against a list of global or registered Applications) using the parameter
Identify Consumer: Global Applications / Registered Applications, then the policy
Identify & Authorize Application is included to the API's policy list in
API Gateway.
![*](chapterTOC_bullet.png)
If this policy action is set to NOT identify the application (against a list of global or registered Applications) using the parameter
Identify Consumer: Do Not Identify, then the policy
Identify & Authorize Application is NOT included to the API's policy list in
API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Identify Consumer: ![*](chapterTOC_bullet.png) Do Not Identify | Not applicable | When the parameter Identify Consumer is set to any of the three options in CentraSite, the policy Identify and Authorize Application that is used to identify an application is included to the API's list of policies in API Gateway. The parameter Identification Type is set to OAuth2 Token in the policy Identify and Authorize Application. Also, the policy is internally defined to identify the application against the Registered Applications list in API Gateway. |
Identify Consumer: ![*](chapterTOC_bullet.png) Global Consumers |
Identify Consumer: ![*](chapterTOC_bullet.png) Registered Consumers |
Authenticate Access Token: ![*](chapterTOC_bullet.png) True ![*](chapterTOC_bullet.png) False | Not applicable | |
Usage of Do Not Identify with remote Integration Server acting as an OAuth 2.0 Authorization Server:
![*](chapterTOC_bullet.png)
In
CentraSite, when the parameter
Identify Consumer is set to
Do Not Identify, OAuth 2.0 validation occurs against a remote
Integration Server, which acts as an OAuth 2.0 authorization server. But the application is NOT identified against the list of OAuth 2.0 consumer applications in
CentraSite.
![*](chapterTOC_bullet.png)
In
API Gateway, when a remote
Integration Server acts as an OAuth 2.0 authorization server, each application in
API Gateway creates an OAuth 2.0 client in the remote
Integration Server. Any incoming request from the application is validated against the remote
Integration Server, which acts as an OAuth 2.0 authorization server. Also, the application is identified against the list of registered applications in
API Gateway.
![*](chapterTOC_bullet.png)
For the OAuth 2.0 clients in remote Integration Server that are not mapped to the OAuth 2.0 consumer applications in
CentraSite,
API Gateway offers a migration utility that uses the webMethods IS Service:
pub.apigateway.migration.remoteOauth.migrateRemoteOauthClients.
This service creates an application for each OAuth 2.0 client that contains an associated scope-id that is same as that of the API ID in API Gateway, and registers the created application to that API. API Gateway checks for the presence of scope-id against the ID of all APIs.
Note:
Software AG recommends you to invoke the webMethods IS Service only after you migrate all OAuth 2.0 APIs from CentraSite to API Gateway.
Pre-requisite: To run the webMethods IS Service is that a remote Integration Server should be configured as OAuth 2.0 authorization server in the Integration Server where API Gateway is running (in the Integration Server Administrator, go to Security -> Oauth -> Edit OAuth Global Settings -> Authorization server).
Evaluate WSS Username Token
You can secure SOAP APIs using client's WSS username token. This policy action:
![*](chapterTOC_bullet.png)
Identifies the application against either the Registered Applications list or the Global Applications list in
API Gateway.
![*](chapterTOC_bullet.png)
Validates the client's WSS username token against the list of users in the
Integration Server on which
API Gateway is running.
The Evaluate WSS Username Token policy action under the Policy Enforcement > Security accordion in CentraSite is mapped into the following policies under the Identify & Access stage in API Gateway as follows:
![*](chapterTOC_bullet.png)
If this policy action is defined for an API in
CentraSite, then the policy
Inbound Authentication - Message is included to the API's policy list in
API Gateway.
![*](chapterTOC_bullet.png)
If this policy action is set to identify the application (against a list of global or registered Applications) using the parameter
Identify Consumer: Global Applications / Registered Applications, then the policy
Identify & Authorize Application is included to the API's policy list in
API Gateway.
![*](chapterTOC_bullet.png)
If this policy action is set to NOT identify the application (against a list of global or registered Applications) using the parameter
Identify Consumer: Do Not Identify, then the policy
Identify & Authorize Application is NOT included to the API's policy list in
API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Identify Consumer: ![*](chapterTOC_bullet.png) Do Not Identify | Token Assertions: ![*](chapterTOC_bullet.png) Require WSS Username token | When the parameter Identify Consumer is set to Do Not Identify in CentraSite, the policy Identify and Authorize Application that is used to identify an application is NOT included to the API's list of policies in API Gateway. However, the policy Inbound Authentication - Message with the parameter Require WSS Username token that is used to enforce the SOAP message security is included to the API's list of policies in API Gateway. |
Identify Consumer: ![*](chapterTOC_bullet.png) Global Consumers | Application Lookup Condition: ![*](chapterTOC_bullet.png) Global applications Token Assertions: ![*](chapterTOC_bullet.png) Require WSS Username token | When the parameter Identify Consumer is set to Global Consumers in CentraSite, the policy Identify and Authorize Application that is used to identify a global consumer application is included to the API's list of policies in API Gateway. The parameter Identification Type is set to WS Security Username token in the policy Identify and Authorize Application. Also the policy Inbound Authentication - Message with the parameter Require WSS Username token that is used to enforce the SOAP message security is included to the API's list of policies in API Gateway. |
Identify Consumer: ![*](chapterTOC_bullet.png) Registered Consumers | Application Lookup Condition: ![*](chapterTOC_bullet.png) Registered applications Token Assertions: ![*](chapterTOC_bullet.png) Require WSS Username token | When the parameter Identify Consumer is set to Registered Consumers in CentraSite, the policy Identify and Authorize Application that is used to identify a registered consumer application is included to the API's list of policies in API Gateway. The parameter Identification Type is set to Require WSS Username token in the policy Identify and Authorize Application. Also the policy Inbound Authentication - Message with the parameter Require WSS Username token that is used to enforce the SOAP message security is included to the API's list of policies in API Gateway. |
Evaluate WSS X.509 Certificate
You can secure SOAP APIs using client's x.509 certificate. This policy action:
![*](chapterTOC_bullet.png)
Identifies the application against either the Registered Applications list or the Global Applications list in
API Gateway.
![*](chapterTOC_bullet.png)
Validates the client's x.509 certificate against the list of users the
Integration Server on which
API Gateway is running.
The Evaluate WSS X.509 Certificate policy action under the Policy Enforcement > Security accordion in CentraSite is mapped into the following policies under the Identify & Access stage in API Gateway as follows:
![*](chapterTOC_bullet.png)
If this policy action is defined for an API in
CentraSite, then the policy
Inbound Authentication - Message is included to the API's policy list in
API Gateway.
![*](chapterTOC_bullet.png)
If this policy action is set to identify the application (against a list of global or registered Applications) using the parameter
Identify Consumer: Global Applications / Registered Applications, then the policy
Identify & Authorize Application is included to the API's policy list in
API Gateway.
![*](chapterTOC_bullet.png)
If this policy action is set to NOT identify the application (against a list of global or registered Applications) using the parameter
Identify Consumer: Do Not Identify, then the policy
Identify & Authorize Application is NOT included to the API's policy list in
API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Identify Consumer: ![*](chapterTOC_bullet.png) Do Not Identify | Token Assertions: ![*](chapterTOC_bullet.png) Require X.509 Certificate | When the parameter Identify Consumer is set to Do Not Identify in CentraSite, the policy Identify and Authorize Application that is used to identify an application is NOT included to the API's list of policies in API Gateway. However, the policy Inbound Authentication - Message with the parameter WS Security X.509 Certificate that is used to enforce the SOAP message security is included to the API's list of policies in API Gateway. |
Identify Consumer: ![*](chapterTOC_bullet.png) Global Consumers | Application Lookup Condition: ![*](chapterTOC_bullet.png) Global applications Token Assertions: ![*](chapterTOC_bullet.png) Require X.509 Certificate | When the parameter Identify Consumer is set to Global Consumers in CentraSite, the policy Identify and Authorize Application that is used to identify a global consumer application is included to the API's list of policies in API Gateway. The parameter Identification Type is set to WS Security X.509 Certificate in the policy Identify and Authorize Application. Also the policy Inbound Authentication - Message with the parameter Require X.509 Certificate that is used to enforce the SOAP message security is included to the API's list of policies in API Gateway. |
Identify Consumer: ![*](chapterTOC_bullet.png) Registered Consumers | Application Lookup Condition: ![*](chapterTOC_bullet.png) Registered applications Token Assertions: ![*](chapterTOC_bullet.png) Require X.509 Certificate | When the parameter Identify Consumer is set to Registered Consumers in CentraSite, the policy Identify and Authorize Application that is used to identify a registered consumer application is included to the API's list of policies in API Gateway. The parameter Identification Type is set to WS Security X.509 Certificate in the policy Identify and Authorize Application. Also the policy Inbound Authentication - Message with the parameter Require X.509 Certificate that is used to enforce the SOAP message security is included to the API's list of policies in API Gateway. |
Require API Key Check
You can secure Web Service APIs using API Key authentication. This policy action identifies and validates the consumer against the list of registered applications in API Gateway.
The Require API Key Check policy action under the Policy Enforcement > Security accordion in CentraSite is mapped into the policy Identify & Authorize Application in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Not applicable | Identification Type: ![*](chapterTOC_bullet.png) API Key | When the policy Require API Key Check is defined in CentraSite, the policy Identify and Authorize Application that is used to identify an application is included to the API's list of policies in API Gateway. The parameter Identification Type is set to API Key in the policy Identify and Authorize Application. |
Require Encryption
You can secure SOAP APIs using encryption. This policy action mandates that an XML element of the SOAP request message must be encrypted.
The Require Encryption policy action under the Policy Enforcement > Security accordion in CentraSite is mapped into the policy Inbound Authentication - Message under the Identify & Access stage in API Gateway. The policy definition is mapped into the section Require Encryption.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Encrypt By: Element Namespace: ![*](chapterTOC_bullet.png) Prefix | Encrypted Elements Namespace: ![*](chapterTOC_bullet.png) Namespace Prefix | |
Encrypt By: Element Namespace: ![*](chapterTOC_bullet.png) URI | Encrypted Elements Namespace: ![*](chapterTOC_bullet.png) Namespace URI | |
Encrypt By: Element ![*](chapterTOC_bullet.png) Element Required to be Encrypted | Encrypted Elements ![*](chapterTOC_bullet.png) XPath | |
Encrypt By: Part Encrypt Part ![*](chapterTOC_bullet.png) Soap Body | Encrypted Parts ![*](chapterTOC_bullet.png) Entire SOAP Body ![*](chapterTOC_bullet.png) All SOAP Attachments | |
Encrypt By: Part Encrypt SOAP headers ![*](chapterTOC_bullet.png) Name | Encrypted Parts SOAP Header: ![*](chapterTOC_bullet.png) Header Name | |
Encrypt By: Part Encrypt SOAP headers ![*](chapterTOC_bullet.png) Namespace | Encrypted Parts SOAP Header: ![*](chapterTOC_bullet.png) Header Namespace | |
Require Signing
You can secure SOAP APIs using signature. This policy action mandates that an XML element of the SOAP request message must be signed.
The Require Signing policy action under the Policy Enforcement > Security accordion in CentraSite is mapped into the policy Inbound Authentication - Message under the Identify & Access stage in API Gateway. The policy definition is mapped into the section Require Signature.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Sign By: Element Namespace: ![*](chapterTOC_bullet.png) Prefix | Signed Elements Namespace: ![*](chapterTOC_bullet.png) Namespace Prefix | |
Sign By: Element Namespace: ![*](chapterTOC_bullet.png) URI | Signed Elements Namespace: ![*](chapterTOC_bullet.png) Namespace URI | |
Sign By: Element ![*](chapterTOC_bullet.png) Element Required to be Signed | Signed Elements ![*](chapterTOC_bullet.png) XPath | |
Sign By: Part Sign Part ![*](chapterTOC_bullet.png) Soap Body | Signed Parts ![*](chapterTOC_bullet.png) Entire SOAP Body ![*](chapterTOC_bullet.png) All SOAP Attachments | |
Sign By: Part Sign SOAP headers ![*](chapterTOC_bullet.png) Name | Signed Parts SOAP Header: ![*](chapterTOC_bullet.png) Header Name | |
Sign By: Part Sign SOAP headers ![*](chapterTOC_bullet.png) Namespace | Signed Parts SOAP Header: ![*](chapterTOC_bullet.png) Header Namespace | |
Require SSL
You can secure SOAP APIs using SSL. This policy action mandates that client certificates must be sent only over a two-way SSL connection .
The Require SSL policy action under the Policy Enforcement > Security accordion in CentraSite is mapped into the policy Require HTTP / HTTPS under the Transport stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Client Certificate Required (check box) | Protocol: ![*](chapterTOC_bullet.png) HTTP ![*](chapterTOC_bullet.png) HTTPS | ![*](chapterTOC_bullet.png) When the parameter Client Certificate Required check box is selected (set to true) in CentraSite, the policy Require HTTP / HTTPS with the parameter HTTPS is included (if not already included) to the API's list of policies in API Gateway. ![*](chapterTOC_bullet.png) When the parameter Client Certificate Required check box is not selected (set to false) in CentraSite, the default policy Require HTTP / HTTPS with the default parameter HTTP is included to the API's list of policies in API Gateway. |
Require Timestamps
You can secure SOAP APIs using timestamps. This policy action mandates that timestamp must be included in the SOAP message header.
The Require Timestamps policy action under the Policy Enforcement > Security accordion in CentraSite is mapped into the policy Inbound Authentication - Message under the Identify & Access stage in API Gateway. The policy definition is mapped into the section Require Timestamp.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Not applicable | Token Assertions: ![*](chapterTOC_bullet.png) Require Timestamp | When the policy action Require Timestamps is included to the list of policies in a SOAP API, the corresponding policy Inbound Authentication - Message with the parameter Token Assertions set to Require Timestamp is included to the API's list of policies in API Gateway. |
Require WSS SAML Token
You can secure SOAP APIs using WS-Security SAML tokens. This policy action uses a SAML assertion token to validate the applications.
The Require WSS SAML Token policy action under the Policy Enforcement > Security accordion in CentraSite is mapped into the policy Inbound Authentication - Message under the Identify & Access stage in API Gateway. The policy definition is mapped into the section Require SAML Token.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
| Token Assertions: ![*](chapterTOC_bullet.png) Require SAML Token | When the policy action Require WSS SAML Token is included to the list of policies in a SOAP API, the corresponding policy Inbound Authentication - Message with the parameter Token Assertions set to Require SAML Token is included to the API's list of policies in API Gateway. |
SAML Version: ![*](chapterTOC_bullet.png) SAML 1.1 ![*](chapterTOC_bullet.png) SAML 2.0 | SAML Version: ![*](chapterTOC_bullet.png) SAML 1.1 ![*](chapterTOC_bullet.png) SAML 2.0 | |
SAML Subject Confirmation: Bearer ![*](chapterTOC_bullet.png) WS Trust Version ![*](chapterTOC_bullet.png) VERSION_05_02 ![*](chapterTOC_bullet.png) VERSION_05_12 ![*](chapterTOC_bullet.png) Issuer Address ![*](chapterTOC_bullet.png) Metadata Reference Address ![*](chapterTOC_bullet.png) Key Size ![*](chapterTOC_bullet.png) Request Security Token Template Parameters ![*](chapterTOC_bullet.png) Key ![*](chapterTOC_bullet.png) Value | SAML Subject Confirmation: Bearer of Token ![*](chapterTOC_bullet.png) WS-Trust Version ![*](chapterTOC_bullet.png) WS-Trust 1.0 ![*](chapterTOC_bullet.png) WS-Trust 1.3 ![*](chapterTOC_bullet.png) Encrypt Signature ![*](chapterTOC_bullet.png) Issuer Address ![*](chapterTOC_bullet.png) Metadata Reference Address ![*](chapterTOC_bullet.png) Algorithm Suite ![*](chapterTOC_bullet.png) Basic128 ![*](chapterTOC_bullet.png) Basic128Rsa15 ![*](chapterTOC_bullet.png) Basic128Sha256 ![*](chapterTOC_bullet.png) Basic128Sha256Rsa15 ![*](chapterTOC_bullet.png) Basic192 ![*](chapterTOC_bullet.png) Basic192Rsa15 ![*](chapterTOC_bullet.png) Basic192Sha256 ![*](chapterTOC_bullet.png) Basic192Sha256Rsa15 ![*](chapterTOC_bullet.png) Basic256 ![*](chapterTOC_bullet.png) Basic256Rsa15 ![*](chapterTOC_bullet.png) Basic256Sha256 ![*](chapterTOC_bullet.png) Basic256Sha256Rsa15 ![*](chapterTOC_bullet.png) TripleDe ![*](chapterTOC_bullet.png) TripleDesRsa15 ![*](chapterTOC_bullet.png) TripleDesSha256 ![*](chapterTOC_bullet.png) Require Security Token Template Parameters ![*](chapterTOC_bullet.png) Key ![*](chapterTOC_bullet.png) Value | |
SAML Subject Confirmation: Holder of Key (Asymmetric) ![*](chapterTOC_bullet.png) WS Trust Version ![*](chapterTOC_bullet.png) VERSION_05_02 ![*](chapterTOC_bullet.png) VERSION_05_12 ![*](chapterTOC_bullet.png) Algorithm Suite ![*](chapterTOC_bullet.png) Basic128 ![*](chapterTOC_bullet.png) Basic128Rsa15 ![*](chapterTOC_bullet.png) Basic128Sha256 ![*](chapterTOC_bullet.png) Basic128Sha256Rsa15 ![*](chapterTOC_bullet.png) Basic192 ![*](chapterTOC_bullet.png) Basic192Rsa15 ![*](chapterTOC_bullet.png) Basic192Sha256 ![*](chapterTOC_bullet.png) Basic192Sha256Rsa15 ![*](chapterTOC_bullet.png) Basic256 ![*](chapterTOC_bullet.png) Basic256Rsa15 ![*](chapterTOC_bullet.png) Basic256Sha256 ![*](chapterTOC_bullet.png) Basic256Sha256Rsa15 ![*](chapterTOC_bullet.png) TripleDe ![*](chapterTOC_bullet.png) TripleDesRsa15 ![*](chapterTOC_bullet.png) TripleDesSha256 ![*](chapterTOC_bullet.png) Encrypt Signature ![*](chapterTOC_bullet.png) Yes ![*](chapterTOC_bullet.png) No ![*](chapterTOC_bullet.png) Layout ![*](chapterTOC_bullet.png) Lax ![*](chapterTOC_bullet.png) LaxTsFirst ![*](chapterTOC_bullet.png) LaxTsLast ![*](chapterTOC_bullet.png) Strict ![*](chapterTOC_bullet.png) Holder of Key Asymmetric Parameters ![*](chapterTOC_bullet.png) Initiator Token Inclusion ![*](chapterTOC_bullet.png) Always ![*](chapterTOC_bullet.png) AlwaysToInitiator ![*](chapterTOC_bullet.png) AlwaysToRecipient ![*](chapterTOC_bullet.png) Never ![*](chapterTOC_bullet.png) Once ![*](chapterTOC_bullet.png) Recipient Token Inclusion ![*](chapterTOC_bullet.png) Always ![*](chapterTOC_bullet.png) AlwaysToInitiator ![*](chapterTOC_bullet.png) AlwaysToRecipient ![*](chapterTOC_bullet.png) Never ![*](chapterTOC_bullet.png) Once ![*](chapterTOC_bullet.png) Issuer Address ![*](chapterTOC_bullet.png) Metadata Reference Address ![*](chapterTOC_bullet.png) Key Size ![*](chapterTOC_bullet.png) Request Security Token Template Parameters ![*](chapterTOC_bullet.png) Key ![*](chapterTOC_bullet.png) Value | SAML Subject Confirmation: Holder of Key - Public ![*](chapterTOC_bullet.png) WS-Trust Version ![*](chapterTOC_bullet.png) WS-Trust 1.0 ![*](chapterTOC_bullet.png) WS-Trust 1.3 ![*](chapterTOC_bullet.png) Encrypt Signature ![*](chapterTOC_bullet.png) Issuer Address ![*](chapterTOC_bullet.png) Metadata Reference Address ![*](chapterTOC_bullet.png) Algorithm Suite ![*](chapterTOC_bullet.png) Basic128 ![*](chapterTOC_bullet.png) Basic128Rsa15 ![*](chapterTOC_bullet.png) Basic128Sha256 ![*](chapterTOC_bullet.png) Basic128Sha256Rsa15 ![*](chapterTOC_bullet.png) Basic192 ![*](chapterTOC_bullet.png) Basic192Rsa15 ![*](chapterTOC_bullet.png) Basic192Sha256 ![*](chapterTOC_bullet.png) Basic192Sha256Rsa15 ![*](chapterTOC_bullet.png) Basic256 ![*](chapterTOC_bullet.png) Basic256Rsa15 ![*](chapterTOC_bullet.png) Basic256Sha256 ![*](chapterTOC_bullet.png) Basic256Sha256Rsa15 ![*](chapterTOC_bullet.png) TripleDe ![*](chapterTOC_bullet.png) TripleDesRsa15 ![*](chapterTOC_bullet.png) TripleDesSha256 ![*](chapterTOC_bullet.png) Require Security Token Template Parameters ![*](chapterTOC_bullet.png) Key ![*](chapterTOC_bullet.png) Value | |
SAML Subject Confirmation: Holder of Key (Symmetric) ![*](chapterTOC_bullet.png) WS Trust Version ![*](chapterTOC_bullet.png) VERSION_05_02 ![*](chapterTOC_bullet.png) VERSION_05_12 ![*](chapterTOC_bullet.png) Algorithm Suite ![*](chapterTOC_bullet.png) Basic128 ![*](chapterTOC_bullet.png) Basic128Rsa15 ![*](chapterTOC_bullet.png) Basic128Sha256 ![*](chapterTOC_bullet.png) Basic128Sha256Rsa15 ![*](chapterTOC_bullet.png) Basic192 ![*](chapterTOC_bullet.png) Basic192Rsa15 ![*](chapterTOC_bullet.png) Basic192Sha256 ![*](chapterTOC_bullet.png) Basic192Sha256Rsa15 ![*](chapterTOC_bullet.png) Basic256 ![*](chapterTOC_bullet.png) Basic256Rsa15 ![*](chapterTOC_bullet.png) Basic256Sha256 ![*](chapterTOC_bullet.png) Basic256Sha256Rsa15 ![*](chapterTOC_bullet.png) TripleDe ![*](chapterTOC_bullet.png) TripleDesRsa15 ![*](chapterTOC_bullet.png) TripleDesSha256 ![*](chapterTOC_bullet.png) Encrypt Signature ![*](chapterTOC_bullet.png) Yes ![*](chapterTOC_bullet.png) No ![*](chapterTOC_bullet.png) Layout ![*](chapterTOC_bullet.png) Lax ![*](chapterTOC_bullet.png) LaxTsFirst ![*](chapterTOC_bullet.png) LaxTsLast ![*](chapterTOC_bullet.png) Strict ![*](chapterTOC_bullet.png) Holder of Key Symmetric Parameters ![*](chapterTOC_bullet.png) Protection Token Inclusion ![*](chapterTOC_bullet.png) Always ![*](chapterTOC_bullet.png) AlwaysToInitiator ![*](chapterTOC_bullet.png) AlwaysToRecipient ![*](chapterTOC_bullet.png) Never ![*](chapterTOC_bullet.png) Once ![*](chapterTOC_bullet.png) Issuer Address ![*](chapterTOC_bullet.png) Metadata Reference Address ![*](chapterTOC_bullet.png) Key Size ![*](chapterTOC_bullet.png) Request Security Token Template Parameters ![*](chapterTOC_bullet.png) Key ![*](chapterTOC_bullet.png) Value | | |
| SAML Subject Confirmation: Holder of Key - Symmetric ![*](chapterTOC_bullet.png) WS-Trust Version ![*](chapterTOC_bullet.png) WS-Trust 1.0 ![*](chapterTOC_bullet.png) WS-Trust 1.3 ![*](chapterTOC_bullet.png) Encrypt Signature ![*](chapterTOC_bullet.png) Issuer Address ![*](chapterTOC_bullet.png) Metadata Reference Address ![*](chapterTOC_bullet.png) Algorithm Suite ![*](chapterTOC_bullet.png) Basic128 ![*](chapterTOC_bullet.png) Basic128Rsa15 ![*](chapterTOC_bullet.png) Basic128Sha256 ![*](chapterTOC_bullet.png) Basic128Sha256Rsa15 ![*](chapterTOC_bullet.png) Basic192 ![*](chapterTOC_bullet.png) Basic192Rsa15 ![*](chapterTOC_bullet.png) Basic192Sha256 ![*](chapterTOC_bullet.png) Basic192Sha256Rsa15 ![*](chapterTOC_bullet.png) Basic256 ![*](chapterTOC_bullet.png) Basic256Rsa15 ![*](chapterTOC_bullet.png) Basic256Sha256 ![*](chapterTOC_bullet.png) Basic256Sha256Rsa15 ![*](chapterTOC_bullet.png) TripleDe ![*](chapterTOC_bullet.png) TripleDesRsa15 ![*](chapterTOC_bullet.png) TripleDesSha256 ![*](chapterTOC_bullet.png) Require Security Token Template Parameters ![*](chapterTOC_bullet.png) Key ![*](chapterTOC_bullet.png) Value | |
Validate SAML Audience URIs
You can secure SOAP APIs using Audience URIs. This policy action verifies whether any of the audience URI within a valid condition element in SAML assertion matches with any of the configured URIs .
The Validate SAML Audience URIs policy action under the Policy Enforcement > Security accordion in CentraSite is mapped into the policy Inbound Authentication - Message under the Identify & Access stage in API Gateway. The policy definition is mapped into the section Validate SAML Audience URI.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Allowed URIs: ![*](chapterTOC_bullet.png) URI | Allowed URIs: ![*](chapterTOC_bullet.png) URI | |
Match Criteria: ![*](chapterTOC_bullet.png) Allow Sublevels | Match Criteria: ![*](chapterTOC_bullet.png) Allow Sublevels | |
Match Criteria: ![*](chapterTOC_bullet.png) Exact Match | Match Criteria: ![*](chapterTOC_bullet.png) Exact Match | |
Validate Schema
You can secure SOAP APIs using schema validation. This policy action validates XML request messages, response messages, or both, against the XML schema referenced in the API's WSDL.
The Validate Schema policy action under the Policy Enforcement > Security accordion in CentraSite is mapped into the policy Validate Schema under the Request Processing or Request Processing stage in API Gateway as follows:
![*](chapterTOC_bullet.png)
If this policy action is defined to validate SOAP request messages with the parameter
Validate SOAP Message set to
Request in
CentraSite, then the policy
Validate Schema under the
Request Processing stage is included to the API's policy list in
API Gateway.
![*](chapterTOC_bullet.png)
If this policy action is defined to validate SOAP response messages with the parameter
Validate SOAP Message set to
Response in
CentraSite, then the policy
Validate Schema under the
Response Processing stage is included to the API's policy list in
API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Validate SOAP Message: ![*](chapterTOC_bullet.png) Request | Feature Name Feature Value: ![*](chapterTOC_bullet.png) True ![*](chapterTOC_bullet.png) False | When the parameter Validate SOAP Message is set to Request in CentraSite, the policy Validate Schema under Request Processing stage is included to the API's list of policies inAPI Gateway. |
Validate SOAP Message: ![*](chapterTOC_bullet.png) Response | Feature Name Feature Value: ![*](chapterTOC_bullet.png) True ![*](chapterTOC_bullet.png) False | When the parameter Validate SOAP Message is set to Response in CentraSite, the policy Validate Schema under Response Processing stage is included to the API's list of policies inAPI Gateway. |
HTTP Basic Authentication
This policy action uses basic HTTP authentication credentials to authenticate applications.
The HTTP Basic Authentication policy in CentraSite is mapped into the policy Outbound Authentication - Transport under the Routing stage in API Gateway. The parameter Authentication Scheme is set to Basic.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Authenticate Using: Custom Credentials ![*](chapterTOC_bullet.png) Username ![*](chapterTOC_bullet.png) Password ![*](chapterTOC_bullet.png) Domain | Authenticate using: Custom Credentials ![*](chapterTOC_bullet.png) Username ![*](chapterTOC_bullet.png) Password ![*](chapterTOC_bullet.png) Domain | |
Authenticate Using: Secure Alias ![*](chapterTOC_bullet.png) Alias Name | Authenticate scheme: Alias | |
Authenticate Using: Use Existing Credentials | Authenticate using: Incoming HTTP basic auth credentials | |
NTLM Authentication
This policy action uses NTLM credentials to authenticate applications.
The NTLM Authentication policy in CentraSite is mapped into the policy Outbound Authentication - Transport under the Routing stage in API Gateway. The parameter Authentication Scheme is set to NTLM.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Authenticate Using: Custom Credentials ![*](chapterTOC_bullet.png) Username ![*](chapterTOC_bullet.png) Password ![*](chapterTOC_bullet.png) Domain | Authenticate using: Custom Credentials ![*](chapterTOC_bullet.png) Username ![*](chapterTOC_bullet.png) Password ![*](chapterTOC_bullet.png) Domain | |
Authenticate Using: Secure Alias ![*](chapterTOC_bullet.png) Alias Name | Authenticate scheme: Alias | |
Authenticate Using: Transparent | Authenticate using: Transparent | |
Authenticate Using: Use Existing Credentials | Authenticate using: Incoming HTTP basic auth credentials | |
OAuth2 Authentication
This policy action uses basic OAuth 2.0 token credentials to authenticate applications.
The OAuth2 Authentication policy in CentraSite is mapped into the policy Outbound Authentication - Transport under the Routing stage in API Gateway. The parameter Authentication Scheme is set to OAuth2.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Authenticate Using: Custom Token ![*](chapterTOC_bullet.png) Custom Credential ![*](chapterTOC_bullet.png) OAuth2 Token | Authenticate using: Custom Credentials ![*](chapterTOC_bullet.png) Custom credentials ![*](chapterTOC_bullet.png) OAuth2 token | |
Authenticate Using: Secure Alias ![*](chapterTOC_bullet.png) Alias Name | Authenticate scheme: Alias | |
Authenticate Using: Use Existing Token | Authenticate using: Incoming OAuth token | |
Kerberos Authentication
This policy action uses Kerberos token credentials to authenticate applications.
You can select the level at which the Kerberos authentication should be enforced for APIs:
![*](chapterTOC_bullet.png)
Message level
![*](chapterTOC_bullet.png)
Transport layer
The Kerberos Authentication policy action in CentraSite is mapped into the following policies in API Gateway. In both cases, the parameter Authentication Scheme is set to Kerberos.
![*](chapterTOC_bullet.png)
If this policy action is set to authenticate SOAP APIs at the message level using the parameter
Enforcement Point: Message Level in
CentraSite, then the policy
Outbound Authentication - Message under the
Routing stage is included to the API's policy list in
API Gateway.
![*](chapterTOC_bullet.png)
If this policy action is set to authenticate SOAP and REST APIs at the transport layer using the parameter
Enforcement Point: Transport Level in
CentraSite, then the policy
Outbound Authentication - Transport under the
Routing stage is included to the API's policy list in
API Gateway.
Enforcement Point: Message Level Security
The following table summarizes the mapping of the policy enforcement at the message level:
CentraSite | API Gateway | Notes |
Authenticate Using: Custom Credentials ![*](chapterTOC_bullet.png) Client Principal ![*](chapterTOC_bullet.png) Client Password ![*](chapterTOC_bullet.png) Service Principal ![*](chapterTOC_bullet.png) Service Principal Form ![*](chapterTOC_bullet.png) hostbased ![*](chapterTOC_bullet.png) username | Authenticate using: Custom Credentials ![*](chapterTOC_bullet.png) Client principal ![*](chapterTOC_bullet.png) Client password ![*](chapterTOC_bullet.png) Service principal ![*](chapterTOC_bullet.png) Service principal nameform ![*](chapterTOC_bullet.png) Username ![*](chapterTOC_bullet.png) Hostbased | |
Authenticate Using: Delegating Incoming Credentials ![*](chapterTOC_bullet.png) Client Principal ![*](chapterTOC_bullet.png) Client Password ![*](chapterTOC_bullet.png) Service Principal ![*](chapterTOC_bullet.png) Service Principal Form ![*](chapterTOC_bullet.png) hostbased ![*](chapterTOC_bullet.png) username | Authenticate using: Delegating incoming credentials ![*](chapterTOC_bullet.png) Client principal ![*](chapterTOC_bullet.png) Client password ![*](chapterTOC_bullet.png) Service principal ![*](chapterTOC_bullet.png) Service principal nameform ![*](chapterTOC_bullet.png) Username ![*](chapterTOC_bullet.png) Hostbased | |
Authenticate Using: Secure Alias ![*](chapterTOC_bullet.png) Alias Name | Authenticate scheme: Alias | |
Authenticate Using: Use Existing Credentials ![*](chapterTOC_bullet.png) Service Principal ![*](chapterTOC_bullet.png) Service Principal Form ![*](chapterTOC_bullet.png) hostbased ![*](chapterTOC_bullet.png) username | Authenticate using: Incoming HTTP basic auth credentials ![*](chapterTOC_bullet.png) Service principal ![*](chapterTOC_bullet.png) Service principal nameform ![*](chapterTOC_bullet.png) Username ![*](chapterTOC_bullet.png) Hostbased | |
Enforcement Point: Transport Layer Security
The following table summarizes the mapping of the policy enforcement at the transport layer:
CentraSite | API Gateway | Notes |
Authenticate Using: Custom Credentials ![*](chapterTOC_bullet.png) Client Principal ![*](chapterTOC_bullet.png) Client Password ![*](chapterTOC_bullet.png) Service Principal ![*](chapterTOC_bullet.png) Service Principal Form ![*](chapterTOC_bullet.png) hostbased ![*](chapterTOC_bullet.png) username | Authenticate using: Custom Credentials ![*](chapterTOC_bullet.png) Client principal ![*](chapterTOC_bullet.png) Client password ![*](chapterTOC_bullet.png) Service principal ![*](chapterTOC_bullet.png) Service principal nameform ![*](chapterTOC_bullet.png) Username ![*](chapterTOC_bullet.png) Hostbased | |
Authenticate Using: Delegating Incoming Credentials ![*](chapterTOC_bullet.png) Client Principal ![*](chapterTOC_bullet.png) Client Password ![*](chapterTOC_bullet.png) Service Principal ![*](chapterTOC_bullet.png) Service Principal Form ![*](chapterTOC_bullet.png) hostbased ![*](chapterTOC_bullet.png) username | Authenticate using: Delegating incoming credentials ![*](chapterTOC_bullet.png) Client principal ![*](chapterTOC_bullet.png) Client password ![*](chapterTOC_bullet.png) Service principal ![*](chapterTOC_bullet.png) Service principal nameform ![*](chapterTOC_bullet.png) Username ![*](chapterTOC_bullet.png) Hostbased | |
Authenticate Using: Secure Alias ![*](chapterTOC_bullet.png) Alias Name | Authenticate scheme: Alias | |
Authenticate Using: Use Existing Credentials ![*](chapterTOC_bullet.png) Service Principal ![*](chapterTOC_bullet.png) Service Principal Form ![*](chapterTOC_bullet.png) hostbased ![*](chapterTOC_bullet.png) username | Authenticate using: Incoming HTTP basic auth credentials ![*](chapterTOC_bullet.png) Service principal ![*](chapterTOC_bullet.png) Service principal nameform ![*](chapterTOC_bullet.png) Username ![*](chapterTOC_bullet.png) Hostbased | |
SAML Authentication
This policy action uses SAML token credentials to authenticate applications.
The SAML Authentication policy in CentraSite is mapped into the policy Outbound Authentication - Message under the Routing stage in API Gateway. The parameter Authentication Scheme is set to SAML.
The SAML Issuer Communication details in CentraSite are mapped into the SAML issuer configuration page (go to <Username> > Administration > Security > SAML issuer) in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Not applicable | Authenticate scheme: Alias | |
Signing Alias | Signing configurations ![*](chapterTOC_bullet.png) Keystore alias ![*](chapterTOC_bullet.png) Key alias | This parameter refers to the authentication configurations that should be used for signing outbound messages. The parameter Signing Alias of CentraSite is mapped in to the parameter Key alias in API Gateway. The parameter Keystore alias is mapped in to the parameter Keystore alias as defined in the Keystore/Truststore configuration page (go to Username > Administration > General > Security) in API Gateway. |
Encryption Alias | Encryption configurations ![*](chapterTOC_bullet.png) Truststore alias ![*](chapterTOC_bullet.png) Certificate alias | This parameter refers to the authentication configurations that should be used for encrypting outbound messages. The parameter Encryption Alias of CentraSite is mapped in to the parameter Certificate alias in API Gateway. The parameter Truststore alias is mapped in to the parameter Truststore alias as defined in the Keystore/Truststore configuration page (go to Username > Administration > General > Security) in API Gateway. |
Issuer Communication Action![*](chapterTOC_bullet.png) Act as Delegation ![*](chapterTOC_bullet.png) Normal Client | SAML Issuer Configuration ![*](chapterTOC_bullet.png) Name ![*](chapterTOC_bullet.png) Act as Delegation ![*](chapterTOC_bullet.png) Normal Client | |
Issuer Communication Communicate Using: WSS Username (Message) ![*](chapterTOC_bullet.png) WSS Username Configuration ![*](chapterTOC_bullet.png) Username ![*](chapterTOC_bullet.png) Password | SAML Issuer Configuration Communicate using: WSS Username Authenticate using: Custom credentials ![*](chapterTOC_bullet.png) Username ![*](chapterTOC_bullet.png) Password | |
Issuer Communication Communicate Using: Kerberos Over Transport (Message) Authentication Mode: Custom Credentials ![*](chapterTOC_bullet.png) Client Principal ![*](chapterTOC_bullet.png) Client Password ![*](chapterTOC_bullet.png) Service Principal ![*](chapterTOC_bullet.png) Service Principal Form ![*](chapterTOC_bullet.png) Host Based ![*](chapterTOC_bullet.png) Username Authentication Mode: Delegate Incoming Token ![*](chapterTOC_bullet.png) Client Principal ![*](chapterTOC_bullet.png) Client Password ![*](chapterTOC_bullet.png) Service Principal ![*](chapterTOC_bullet.png) Service Principal Form ![*](chapterTOC_bullet.png) Host Based ![*](chapterTOC_bullet.png) Username | SAML Issuer Configuration Communicate using: Kerberos Authenticate using: Custom Credentials ![*](chapterTOC_bullet.png) Client Principal ![*](chapterTOC_bullet.png) Client Password ![*](chapterTOC_bullet.png) Service Principal ![*](chapterTOC_bullet.png) Service Principal Form ![*](chapterTOC_bullet.png) Username ![*](chapterTOC_bullet.png) Hostbased Authenticate using: Delegate incoming credentials ![*](chapterTOC_bullet.png) Client Principal ![*](chapterTOC_bullet.png) Client Password ![*](chapterTOC_bullet.png) Service Principal ![*](chapterTOC_bullet.png) Service Principal Form ![*](chapterTOC_bullet.png) Username ![*](chapterTOC_bullet.png) Hostbased Authenticate using: Incoming HTTP basic auth credentials ![*](chapterTOC_bullet.png) Service Principal ![*](chapterTOC_bullet.png) Service Principal Form ![*](chapterTOC_bullet.png) Username ![*](chapterTOC_bullet.png) Hostbased | |
Endpoint | Endpoint URI | |
Applies to | Applies to | |
SAML Version ![*](chapterTOC_bullet.png) SAML 1.1 ![*](chapterTOC_bullet.png) SAML 2.0 | SAML Version ![*](chapterTOC_bullet.png) SAML 1.1 ![*](chapterTOC_bullet.png) SAML 2.0 | |
WS-Trust Version: ![*](chapterTOC_bullet.png) VERSION_05_02 ![*](chapterTOC_bullet.png) VERSION_05_12 | WS-Trust Version: ![*](chapterTOC_bullet.png) WS-Trust 1.0 ![*](chapterTOC_bullet.png) WS-Trust 1.3 | |
Signing Alias | Signing configurations: ![*](chapterTOC_bullet.png) Keystore alias ![*](chapterTOC_bullet.png) Key alias | This parameter refers to the authentication configurations that should be used for signing outbound messages. The parameter Signing Alias of CentraSite is mapped in to the parameter Key alias in API Gateway. The parameter Keystore alias is mapped in to the parameter Keystore alias as defined in the Keystore/Truststore configuration page (go to Username > Administration > General > Security) in API Gateway. |
Encryption Alias | Encryption configurations: ![*](chapterTOC_bullet.png) Truststore alias ![*](chapterTOC_bullet.png) Certificate alias | This parameter refers to the authentication configurations that should be used for encrypting outbound messages. The parameter Encryption Alias of CentraSite is mapped in to the parameter Certificate alias in API Gateway. The parameter Truststore alias is mapped in to the parameter Truststore alias as defined in the Keystore/Truststore configuration page (go to Username > Administration > General > Security) in API Gateway. |
Extended Parameters ![*](chapterTOC_bullet.png) Key Size ![*](chapterTOC_bullet.png) Key Type ![*](chapterTOC_bullet.png) Signature Algorithm ![*](chapterTOC_bullet.png) Encryption Algorithm ![*](chapterTOC_bullet.png) CanonicalizationAlgorithm ![*](chapterTOC_bullet.png) ComputedKeyAlgorithm ![*](chapterTOC_bullet.png) Encryption ![*](chapterTOC_bullet.png) ProofEncryption ![*](chapterTOC_bullet.png) KeyWrapAlgorithm ![*](chapterTOC_bullet.png) SignWith ![*](chapterTOC_bullet.png) EncryptWith | Request security token template parameters: ![*](chapterTOC_bullet.png) Key ![*](chapterTOC_bullet.png) Value | |
Set Media Type (Request Handling)
This policy action specifies the content type for a REST request.
The Set Media Type policy action under the Request Handling accordion in CentraSite mapped into the policy Set Media Type under the Transport stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Media Type: | Default Content-Type: | Though this policy is listed in the Policy catalog of a SOAP API, it is applicable only for a REST enabled SOAP API in API Gateway. |
Set Media Type (Response Processing)
This policy action specifies the content type for a REST response.
The Set Media Type policy action under the Response Processing accordion in CentraSite mapped into the policy Set Media Type under the Transport stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Media Type: | Default Accept Header: | Though this policy is listed in the Policy catalog of a SOAP API, it is applicable only for a REST enabled SOAP API in API Gateway. |
Request Transformation
This policy action specifies the XSLT transformation file to transform request messages from applications into a format required by the native API in the SOAP request before it is submitted to the native API.
The Request Transformation policy action under the Request Handling accordion is mapped into the policy XSLT Transformation under the Request Processing stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Select Type: Transformation Alias ![*](chapterTOC_bullet.png) Alias Name | XSLT Transformation Alias | |
Select Type: Transformation File ![*](chapterTOC_bullet.png) Transformation File | XSLT Document ![*](chapterTOC_bullet.png) XSLT File ![*](chapterTOC_bullet.png) XSLT Features ![*](chapterTOC_bullet.png) Feature Name ![*](chapterTOC_bullet.png) Feature Value | Regardless of a XSLT file name, for example, PreProcessingXSLT.xsl defined in CentraSite, the XSLT file name is transformed into a default name, RequestProcessingXSLT_<X>.xsl in API Gateway. Here, X is an integer, which denotes the number of XSLT files that are mapped from CentraSite to API Gateway. Let us consider an API contains two Request Transformation polices, each defined with an unique XSLT file, PreProcessingXSLT1.xsl and PreProcessingXSLT2.xsl in CentraSite. When this API is published from CentraSite to API Gateway, the two Request Transformation polices are mapped into a single Request Transformation policy in API Gateway. The XSLT file names are transformed as RequestProcessingXSLT_1.xsl and RequestProcessingXSLT_2.xsl in API Gateway. |
Response Transformation
This policy action specifies the XSLT transformation file to transform response messages from native APIs into a format required by the application.
The Response Transformation policy action under the Response Processing accordion in CentraSite is mapped into the policy XSLT Transformation under the Response Processing stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Select Type: Transformation Alias ![*](chapterTOC_bullet.png) Alias Name | XSLT Transformation Alias | |
Select Type: Transformation File ![*](chapterTOC_bullet.png) Transformation File | XSLT Document ![*](chapterTOC_bullet.png) XSLT File ![*](chapterTOC_bullet.png) XSLT Features ![*](chapterTOC_bullet.png) Feature Name ![*](chapterTOC_bullet.png) Feature Value | Regardless of a XSLT file name, for example, PostProcessingXSLT.xsl defined in CentraSite, the XSLT file name is transformed into a default name, ResponseProcessingXSLT_<X>.xsl in API Gateway. Here, X is an integer, which denotes the number of XSLT files that are mapped from CentraSite to API Gateway. Let us consider an API contains two Response Transformation polices, each defined with an unique XSLT file, PostProcessingXSLT1.xsl and PostProcessingXSLT2.xsl in CentraSite. When this API is published from CentraSite to API Gateway, the two Response Transformation polices are mapped into a single Response Transformation policy in API Gateway. The XSLT file names are transformed as ResponseProcessingXSLT_1.xsl and ResponseProcessingXSLT_2.xsl in API Gateway. |
Invoke webMethods Integration Server (Request Handling)
This policy action pre-processes the request messages and transforms the message into a format required by the native API, before API Gateway sends the requests to native APIs .
The Invoke webMethods Integration Server policy action under the Response Processing accordion in CentraSite is mapped into the policy Invoke webMethods IS under the Request Processing stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Select Type: webMethods IS Service ![*](chapterTOC_bullet.png) webMethods IS Service | webMethods IS Service | |
Select Type: webMethods IS Service Alias ![*](chapterTOC_bullet.png) webMethods IS Service Alias | webMethods IS Service | |
Invoke webMethods Integration Server (Response Processing)
This policy action pre-processes the native API's response messages into a format required by the application, before API Gateway returns the responses to the application .
The Invoke webMethods Integration Server policy action under the Response Processing accordion in CentraSite is mapped into the policy Invoke webMethods IS under the Response Processing stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Select Type: webMethods IS Service ![*](chapterTOC_bullet.png) webMethods IS Service | webMethods IS Service | |
Select Type: webMethods IS Service Alias ![*](chapterTOC_bullet.png) webMethods IS Service Alias | webMethods IS Service | |
Conditional Error Processing
This policy action returns the custom error message (and the native provider's service fault content) to the application when the native provider returns the service fault.
The Conditional Error Processing policy action under the Error Handling accordion in CentraSite is mapped into the policy Conditional Error Processing under the Error Handling stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Error Conditions Type: HTTP Header ![*](chapterTOC_bullet.png) Header Name ![*](chapterTOC_bullet.png) Header Value | Error Conditions Type: Header Error Criteria ![*](chapterTOC_bullet.png) Header Name ![*](chapterTOC_bullet.png) Header Value | |
Error Conditions Type: Status Code ![*](chapterTOC_bullet.png) Code | Error Conditions Type: Status Code Error Criteria ![*](chapterTOC_bullet.png) Code | |
Error Conditions Type: XPath Expression ![*](chapterTOC_bullet.png) XPath Expression ![*](chapterTOC_bullet.png) Namespaces ![*](chapterTOC_bullet.png) Prefix ![*](chapterTOC_bullet.png) URI ![*](chapterTOC_bullet.png) Value | Error Conditions Type: XPath Expression ![*](chapterTOC_bullet.png) XPath Expression ![*](chapterTOC_bullet.png) Namespace ![*](chapterTOC_bullet.png) Namespace Prefix ![*](chapterTOC_bullet.png) Namespace URI ![*](chapterTOC_bullet.png) Value | |
Pre-Processing Type: ESB ![*](chapterTOC_bullet.png) webMethods IS Service | Pre-Processing Type: Invoke webMethods Integration Server Service ![*](chapterTOC_bullet.png) webMethods IS Service | |
Pre-Processing Type: XSLT ![*](chapterTOC_bullet.png) Transformation File | Pre-Processing Type: XSLT Transformation XSLT Document ![*](chapterTOC_bullet.png) XSLT File ![*](chapterTOC_bullet.png) XSLT Features ![*](chapterTOC_bullet.png) Feature Name ![*](chapterTOC_bullet.png) Feature Value | |
Failure Message Content Type ![*](chapterTOC_bullet.png) json ![*](chapterTOC_bullet.png) text ![*](chapterTOC_bullet.png) xml Error Template Use as default (check box) | Failure Message Failure Messages ![*](chapterTOC_bullet.png) json ![*](chapterTOC_bullet.png) text ![*](chapterTOC_bullet.png) xml Error Template Use as default (check box) | |
Custom Error Variable Payload Type ![*](chapterTOC_bullet.png) Request ![*](chapterTOC_bullet.png) Response Name XPath Expression Namespaces ![*](chapterTOC_bullet.png) Prefix ![*](chapterTOC_bullet.png) URI | Custom Error Variable Payload Type ![*](chapterTOC_bullet.png) Request ![*](chapterTOC_bullet.png) Response Name XPath Expression Namespaces ![*](chapterTOC_bullet.png) Namespace Prefix ![*](chapterTOC_bullet.png) Namespace URI | |
Post-processing Type: XSLT ![*](chapterTOC_bullet.png) Transformation File | Pre-Processing Type: XSLT Transformation XSLT Document ![*](chapterTOC_bullet.png) XSLT File ![*](chapterTOC_bullet.png) XSLT Features ![*](chapterTOC_bullet.png) Feature Name ![*](chapterTOC_bullet.png) Feature Value | |
Send Native Provider Fault Message (check box) | Send Native Provider Fault Message (check box) | |
Require HTTP/HTTPS
This policy action specifies the HTTP and HTTPS protocol and the SOAP format for an API to accept and process the requests.
The Require HTTP / HTTPS policy action under the Request Handling > Protocol accordion in CentraSite is mapped into the policy HTTP / HTTPS under the Transport stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Protocol ![*](chapterTOC_bullet.png) HTTP ![*](chapterTOC_bullet.png) HTTPS | Protocol ![*](chapterTOC_bullet.png) HTTP ![*](chapterTOC_bullet.png) HTTPS | When the policy Require SSL is included to the API's policy list in CentraSite, the parameter HTTPS is selected in API Gateway. |
SOAP Version ![*](chapterTOC_bullet.png) SOAP 1.1 ![*](chapterTOC_bullet.png) SOAP 1.2 | SOAP version ![*](chapterTOC_bullet.png) SOAP 1.1 ![*](chapterTOC_bullet.png) SOAP 1.2 | |
Require JMS
This policy action specifies the JMS protocol and the SOAP format for an API to accept and process the requests.
The Require JMS policy action under the Request Handling > Protocol accordion in CentraSite is mapped into the policy Require JMS under the Transport stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
JMS Trigger | JMS Provider Endpoint Alias | When the policy Require SSL is included to the API's policy list in CentraSite, the parameter HTTPS is selected in API Gateway. |
SOAP Version ![*](chapterTOC_bullet.png) SOAP 1.1 ![*](chapterTOC_bullet.png) SOAP 1.2 | SOAP version ![*](chapterTOC_bullet.png) SOAP 1.1 ![*](chapterTOC_bullet.png) SOAP 1.2 | |
Enable REST Support
When a SOAP API with this policy action is published from CentraSite to API Gateway, API Gateway Deployer Service looks for the expose-as-rest policy element in the inSequence of the Virtual Service Definition (VSD).
The following example shows the inSequence of a VSD holding the policy element expose-as-rest:
<inSequence>
<expose-as-rest soap-version="soap11"/>
<http-config>
<authentication mode="anonymous"/>
</http-config>
<send>
<endpoint>
<address isAlias="false" optimize="none" passSecurityHeaders="false"
uri="https://test:8081/bayern/services/
BayernService.BayernServiceHttpsEndpoint/">
<connect-timeout>
<duration>30</duration>
</connect-timeout>
</address>
</endpoint>
</send>
</inSequence>
If the inSequence of the VSD holds the policy element expose-as-rest, then the API Gateway Deployer Service sets the isRESTInvokeEnabled flag to true for all operations of the SOAP API.
JMS Routing Rule
This policy action specifies the JMS provider queue to which the API Gateway submits the request, and the destination to which the API Gateway waits for the native SOAP API to return the response.
The JMS Routing Rule policy action under the Policy Enforcement > JMS Routing accordion in CentraSite is mapped into the policy JMS Routing under the Routing stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Connection URL | Connection URL | |
Destination Name | Reply to Destination | |
Priority | Priority | |
Timeout (ms) | Timeout (ms) | |
Delivery Mode ![*](chapterTOC_bullet.png) Non Persistent ![*](chapterTOC_bullet.png) Persistent | Delivery Mode ![*](chapterTOC_bullet.png) Non Persistent ![*](chapterTOC_bullet.png) Persistent | |
Set Message Properties
This policy action specifies the JMS message properties that are to be sent to the native SOAP APIs.
The Set Message Properties policy action under the Policy Enforcement > JMS Routing accordion in CentraSite is mapped into the policy JMS Properties under the Routing stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Property Name | JMS Property JMS Property Key | |
Property Value | JMS Property JMS Property Value | |
Set JMS Headers
This policy action specifies the JMS headers that are to be sent to the to the native SOAP APIs.
The Set JMS Headers policy action under the Policy Enforcement > JMS Routing accordion in CentraSite is mapped into the policy JMS Properties under the Routing stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Header Name | JMS Property JMS Property Key | |
Header Value | JMS Property JMS Property Value | |
Log Invocation
This policy action enables logging of the incoming requests along with the request and response payloads to a specified destination.
The Log Invocation policy action under the Policy Enforcement > Logging and Monitoring accordion in CentraSite is mapped into the policy Log Invocation under the Traffic Monitoring stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Payloads ![*](chapterTOC_bullet.png) Request ![*](chapterTOC_bullet.png) Response | ![*](chapterTOC_bullet.png) Store Request Payload ![*](chapterTOC_bullet.png) Store Response Payload ![*](chapterTOC_bullet.png) Compress Payload Data | |
Log Generation Frequency ![*](chapterTOC_bullet.png) Always ![*](chapterTOC_bullet.png) On Failure ![*](chapterTOC_bullet.png) On Success | Log Generation Frequency ![*](chapterTOC_bullet.png) Always ![*](chapterTOC_bullet.png) On Failure ![*](chapterTOC_bullet.png) On Success | |
Send Log Data API Portal![*](chapterTOC_bullet.png) Audit Log CentraSite![*](chapterTOC_bullet.png) EDA / Database ![*](chapterTOC_bullet.png) ElasticSearch ![*](chapterTOC_bullet.png) E-mail ![*](chapterTOC_bullet.png) Local Log ![*](chapterTOC_bullet.png) SNMP | Send Log Data API Gateway API Portal![*](chapterTOC_bullet.png) Audit Log CentraSite![*](chapterTOC_bullet.png) Digital Events ![*](chapterTOC_bullet.png) Elasticsearch ![*](chapterTOC_bullet.png) E-mail ![*](chapterTOC_bullet.png) JDBC ![*](chapterTOC_bullet.png) Local Log: Log Level ![*](chapterTOC_bullet.png) Error ![*](chapterTOC_bullet.png) Info ![*](chapterTOC_bullet.png) Warn ![*](chapterTOC_bullet.png) SNMP | ![*](chapterTOC_bullet.png) Beginning with version 10.1, API Gateway supports the following destinations: ![*](chapterTOC_bullet.png) Audit Log CentraSite![*](chapterTOC_bullet.png) Digital Events ![*](chapterTOC_bullet.png) Elasticsearch ![*](chapterTOC_bullet.png) Email ![*](chapterTOC_bullet.png) Local Log ![*](chapterTOC_bullet.png) SNMP ![*](chapterTOC_bullet.png) The destination name for database is changed from EDA / Database in CentraSite to JDBC in API Gateway. Therefore, when the parameter Send Log Data is set to EDA / Database in CentraSite, the pool alias definition and the corresponding configurations are mapped into JDBC in API Gateway. ![*](chapterTOC_bullet.png) When the EDA / Database destination is selected in CentraSite, it also automatically selects the Digital Events destination in API Gateway. |
Monitor Service Performance
This policy action monitors the run-time performance conditions for an API, and sends alerts to a specified destination when the performance conditions are violated. However, this policy action monitors run-time performance for all applications.
The Monitor Service Performance policy action under the Policy Enforcement > Logging and Monitoring accordion in CentraSite is mapped into the policy Monitor Service Performance under the Traffic Monitoring stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Action Configuration: Name ![*](chapterTOC_bullet.png) Availability ![*](chapterTOC_bullet.png) Average Response Time ![*](chapterTOC_bullet.png) Fault Count ![*](chapterTOC_bullet.png) Maximum Response Time ![*](chapterTOC_bullet.png) Minimum Response Time ![*](chapterTOC_bullet.png) Successful Request Count ![*](chapterTOC_bullet.png) Total Request Count | Action Configuration: Name ![*](chapterTOC_bullet.png) Availability ![*](chapterTOC_bullet.png) Average Response Time ![*](chapterTOC_bullet.png) Fault Count ![*](chapterTOC_bullet.png) Maximum Response Time ![*](chapterTOC_bullet.png) Minimum Response Time ![*](chapterTOC_bullet.png) Successful Count ![*](chapterTOC_bullet.png) Total Request Count | |
Action Configuration: Operator ![*](chapterTOC_bullet.png) Equal To ![*](chapterTOC_bullet.png) Greater Than ![*](chapterTOC_bullet.png) Less Than | Action Configuration: Operator ![*](chapterTOC_bullet.png) Equal To ![*](chapterTOC_bullet.png) Greater Than ![*](chapterTOC_bullet.png) Less Than | |
Action Configuration: Value | Action Configuration: Value | |
Alert Parameters: Alert Interval (minutes) | Alert Interval: Unit: ![*](chapterTOC_bullet.png) Minutes ![*](chapterTOC_bullet.png) Hours ![*](chapterTOC_bullet.png) Days ![*](chapterTOC_bullet.png) Weeks | |
Alert for Consumer Applications | Consumer Applications | Names of the Consumer Applications in CentraSite are transformed into Application IDs in API Gateway. |
Alert Parameters: Alert Destination API Portal CentraSite![*](chapterTOC_bullet.png) EDA/Database ![*](chapterTOC_bullet.png) Elasticsearch ![*](chapterTOC_bullet.png) E-mail ![*](chapterTOC_bullet.png) Local Log: Log Level ![*](chapterTOC_bullet.png) Error ![*](chapterTOC_bullet.png) Info ![*](chapterTOC_bullet.png) Warn ![*](chapterTOC_bullet.png) SNMP | Alert Destination API Gateway API Portal CentraSite![*](chapterTOC_bullet.png) Digital Events ![*](chapterTOC_bullet.png) Elasticsearch ![*](chapterTOC_bullet.png) Email ![*](chapterTOC_bullet.png) JDBC ![*](chapterTOC_bullet.png) Local Log: Log Level ![*](chapterTOC_bullet.png) Error ![*](chapterTOC_bullet.png) Info ![*](chapterTOC_bullet.png) Warn ![*](chapterTOC_bullet.png) SNMP | ![*](chapterTOC_bullet.png) Beginning with version 10.1, API Gateway supports the following destinations: ![*](chapterTOC_bullet.png) Audit Log CentraSite![*](chapterTOC_bullet.png) Digital Events ![*](chapterTOC_bullet.png) Elasticsearch ![*](chapterTOC_bullet.png) Email ![*](chapterTOC_bullet.png) Local Log ![*](chapterTOC_bullet.png) SNMP ![*](chapterTOC_bullet.png) The destination name for database is changed from EDA / Database in CentraSite to JDBC in API Gateway. Therefore, when the parameter Send Log Data is set to EDA / Database in CentraSite, the pool alias definition and the corresponding configurations are mapped into JDBC in API Gateway. ![*](chapterTOC_bullet.png) When the EDA / Database destination is selected in CentraSite, it also automatically selects the Digital Events destination in API Gateway. |
Alert Parameters: Alert Message | Alert Message | |
Monitor Service Level Agreement
This policy action monitors the user-specified set of run-time performance conditions for an API, and sends alerts to a specified destination when the performance conditions are violated. This policy action monitors run-time performance for one or more specified applications.
The Monitor Service Level Agreement policy action under the Policy Enforcement > Logging and Monitoring accordion in CentraSite is mapped into the policy Monitor Service Level Agreement under the Traffic Monitoring stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Actions: Name ![*](chapterTOC_bullet.png) Availability ![*](chapterTOC_bullet.png) Average Response Time ![*](chapterTOC_bullet.png) Fault Count ![*](chapterTOC_bullet.png) Maximum Response Time ![*](chapterTOC_bullet.png) Minimum Response Time ![*](chapterTOC_bullet.png) Successful Request Count ![*](chapterTOC_bullet.png) Total Request Count | Action Configuration: Name ![*](chapterTOC_bullet.png) Availability ![*](chapterTOC_bullet.png) Average Response Time ![*](chapterTOC_bullet.png) Fault Count ![*](chapterTOC_bullet.png) Maximum Response Time ![*](chapterTOC_bullet.png) Minimum Response Time ![*](chapterTOC_bullet.png) Successful Count ![*](chapterTOC_bullet.png) Total Request Count | The Soft Limit configuration of Throttling Traffic Optimization policy action under the Policy Enforcement > Traffic Management accordion in CentraSite is mapped into this policy in API Gateway. |
Actions: Operator ![*](chapterTOC_bullet.png) Equal To ![*](chapterTOC_bullet.png) Greater Than ![*](chapterTOC_bullet.png) Less Than | Action Configuration: Operator ![*](chapterTOC_bullet.png) Equal To ![*](chapterTOC_bullet.png) Greater Than ![*](chapterTOC_bullet.png) Less Than | |
Actions: Value | Action Configuration: Value | |
Alert Parameters: Alert Interval (minutes) | Alert Interval Unit ![*](chapterTOC_bullet.png) Minutes ![*](chapterTOC_bullet.png) Hours ![*](chapterTOC_bullet.png) Days ![*](chapterTOC_bullet.png) Weeks | |
Alert for Consumer Applications | Consumer Applications | Names of the consumer applications in CentraSite are transformed into Application IDs in API Gateway. As a pre-requisite the appropriate consumer applications should be migrated from CentraSite toAPI Gateway. |
Alert Parameters: Alert Frequency ![*](chapterTOC_bullet.png) Every Time ![*](chapterTOC_bullet.png) Only Once | Alert Frequency ![*](chapterTOC_bullet.png) Every Time ![*](chapterTOC_bullet.png) Only Once | |
Alert Parameters: Alert Destination API Portal CentraSite![*](chapterTOC_bullet.png) EDA/Database ![*](chapterTOC_bullet.png) Elasticsearch ![*](chapterTOC_bullet.png) E-mail ![*](chapterTOC_bullet.png) Local Log: Log Level ![*](chapterTOC_bullet.png) Error ![*](chapterTOC_bullet.png) Info ![*](chapterTOC_bullet.png) Warn ![*](chapterTOC_bullet.png) SNMP | Alert Destination API Gateway API Portal CentraSite![*](chapterTOC_bullet.png) Digital Events ![*](chapterTOC_bullet.png) Elasticsearch ![*](chapterTOC_bullet.png) Email ![*](chapterTOC_bullet.png) JDBC ![*](chapterTOC_bullet.png) Local Log: Log Level ![*](chapterTOC_bullet.png) Error ![*](chapterTOC_bullet.png) Info ![*](chapterTOC_bullet.png) Warn ![*](chapterTOC_bullet.png) SNMP | ![*](chapterTOC_bullet.png) Beginning with version 10.1, API Gateway supports the following destinations: ![*](chapterTOC_bullet.png) Audit Log CentraSite![*](chapterTOC_bullet.png) Digital Events ![*](chapterTOC_bullet.png) Elasticsearch ![*](chapterTOC_bullet.png) Email ![*](chapterTOC_bullet.png) Local Log ![*](chapterTOC_bullet.png) SNMP ![*](chapterTOC_bullet.png) The destination name for database is changed from EDA / Database in CentraSite to JDBC in API Gateway. Therefore, when the parameter Send Log Data is set to EDA / Database in CentraSite, the pool alias definition and the corresponding configurations are mapped into JDBC in API Gateway. ![*](chapterTOC_bullet.png) When the EDA / Database destination is selected in CentraSite, it also automatically selects the Digital Events destination in API Gateway. |
Alert Parameters: Alert Message | Alert Message | |
Straight Through Routing
This policy action routes requests directly to a native endpoint that you specify.
The Straight Through Routing policy action under the Policy Enforcement > Routing accordion in CentraSite is mapped into the policy Straight Through Routing under the Routing stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Route To: | Endpoint URI: | |
Endpoint Properties: SOAP Optimization Method ![*](chapterTOC_bullet.png) MTOM ![*](chapterTOC_bullet.png) None ![*](chapterTOC_bullet.png) SWA | SOAP Optimization Method: ![*](chapterTOC_bullet.png) MTOM ![*](chapterTOC_bullet.png) None ![*](chapterTOC_bullet.png) SWA | |
Endpoint Properties: HTTP Connection Timeout (seconds) | HTTP Connection Timeout (seconds) | |
Endpoint Properties: Read Timeout (seconds) | Read Timeout (seconds) | |
Endpoint Properties: SSL Configuration ![*](chapterTOC_bullet.png) Client Certificate Alias ![*](chapterTOC_bullet.png) Keystore Alias | SSL Configuration ![*](chapterTOC_bullet.png) Keystore Alias ![*](chapterTOC_bullet.png) Key Alias | |
Endpoint Properties: WS-Security Header ![*](chapterTOC_bullet.png) Pass all security headers ![*](chapterTOC_bullet.png) Remove processed security headers | Pass WS-Security Headers (check box) | ![*](chapterTOC_bullet.png) When the parameter WS-Security Header is set to Pass all security headers in CentraSite, the parameter Pass WS-Security Headers is selected in API Gateway. ![*](chapterTOC_bullet.png) When the parameter WS-Security Header is set to Remove processed security headers in CentraSite, the parameter Pass WS-Security Headers is NOT selected in API Gateway. |
Content Based Routing
This policy action routes specific types of messages to specific endpoints based on specific values that appear in the request message, if the native API is hosted at two or more endpoints. The requests are routed according to the content-based routing rules you define.
The Content Based Routing policy action under the Policy Enforcement > Routing accordion in CentraSite is mapped into the policy Content-based Routing under the Routing stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Route To: | Default Route To: Endpoint URI | |
Endpoint Properties: SOAP Optimization Method ![*](chapterTOC_bullet.png) MTOM ![*](chapterTOC_bullet.png) None ![*](chapterTOC_bullet.png) SWA | Default Route To : SOAP Optimization Method ![*](chapterTOC_bullet.png) MTOM ![*](chapterTOC_bullet.png) None ![*](chapterTOC_bullet.png) SWA | |
Endpoint Properties: HTTP Connection Timeout (seconds) | Default Route To : HTTP Connection Timeout (seconds) | |
Endpoint Properties: Read Timeout (seconds) | Default Route To : Read Timeout (seconds) | |
Endpoint Properties: SSL Configuration ![*](chapterTOC_bullet.png) Client Certificate Alias ![*](chapterTOC_bullet.png) Keystore Alias | Default Route To: SSL Configuration ![*](chapterTOC_bullet.png) Keystore Alias ![*](chapterTOC_bullet.png) Key Alias | |
Endpoint Properties: WS-Security Header ![*](chapterTOC_bullet.png) Pass all security headers ![*](chapterTOC_bullet.png) Remove processed security headers | Default Route To : Pass WS-Security Headers (check box) | ![*](chapterTOC_bullet.png) When the parameter WS-Security Header is set to Pass all security headers in CentraSite, the parameter Pass WS-Security Headers is selected in API Gateway. ![*](chapterTOC_bullet.png) When the parameter WS-Security Header is set to Remove processed security headers in CentraSite, the parameter Pass WS-Security Headers is NOT selected in API Gateway. |
Not applicable | Rules : Name | Regardless of a rule name, for example, Custom Rule, defined in CentraSite, the rule name is transformed into a default name, Rule <X> in API Gateway. Here, X is an integer, which denotes the number of rules that are mapped from CentraSite to API Gateway. Let us consider an API contains the Context Based Routing policy action with two routing rules, each defined with an unique name, Custom Rule A and Custom Rule B in CentraSite. When this API is published from CentraSite to API Gateway, the two routing rules are mapped into the policy Context-based Routing in API Gateway. The rule names are transformed as Rule 1 and Rule 2 in API Gateway. |
Routing Rule: XPath Expression | Rules: XPath Expression | |
Routing Rule: Namespace ![*](chapterTOC_bullet.png) Prefix ![*](chapterTOC_bullet.png) URI | Rules: Namespace ![*](chapterTOC_bullet.png) Namespace Prefix ![*](chapterTOC_bullet.png) Namespace URI | |
Routing Rule: Route To | Rules: Route To | |
Load Balancing and Failover Routing
This policy action routes the requests across multiple endpoints, if the native API is hosted at two or more endpoints.
The Load Balancing and Failover Routing policy action under the Policy Enforcement > Routing accordion in CentraSite is mapped into the policy Load Balancer Routing under the Routing stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Route To: | Endpoint URI | |
Endpoint Properties: SOAP Optimization Method ![*](chapterTOC_bullet.png) MTOM ![*](chapterTOC_bullet.png) None ![*](chapterTOC_bullet.png) SWA | SOAP Optimization Method ![*](chapterTOC_bullet.png) MTOM ![*](chapterTOC_bullet.png) None ![*](chapterTOC_bullet.png) SWA | |
Endpoint Properties: HTTP Connection Timeout (seconds) | HTTP Connection Timeout (seconds) | |
Endpoint Properties: Read Timeout (seconds) | Read Timeout (seconds) | |
Endpoint Properties: SSL Configuration ![*](chapterTOC_bullet.png) Client Certificate Alias ![*](chapterTOC_bullet.png) Keystore Alias | SSL Configuration ![*](chapterTOC_bullet.png) Keystore Alias ![*](chapterTOC_bullet.png) Key Alias | |
Endpoint Properties: WS-Security Header ![*](chapterTOC_bullet.png) Pass all security headers ![*](chapterTOC_bullet.png) Remove processed security headers | Pass WS-Security Headers (check box) | ![*](chapterTOC_bullet.png) When the parameter WS-Security Header is set to Pass all security headers in CentraSite, the parameter Pass WS-Security Headers is selected in API Gateway. ![*](chapterTOC_bullet.png) When the parameter WS-Security Header is set to Remove processed security headers in CentraSite, the parameter Pass WS-Security Headers is NOT selected in API Gateway. |
Timeout (seconds) | Suspend duration (seconds) | |
Set Custom Headers
This policy action specifies the HTTP headers to authenticate application's requests before submitting to the native SOAP APIs.
The Set Custom Headers policy action under the Policy Enforcement > Routing accordion in CentraSite is mapped into the policy Custom HTTP Header under the Routing stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Header Name | HTTP Header HTTP Header Key | |
Header Value | HTTP Header HTTP Header Value | |
Context Based Routing
This policy action routes specific types of messages to specific endpoints based on specific values that appear in the request message, if the native API is hosted at two or more endpoints. The requests are routed according to the context-based routing rules you define.
The Context Based Routing policy action under the Policy Enforcement > Routing accordion in CentraSite is mapped into the policy Context-based Routing under the Routing stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Route To: | Default Route To: Endpoint URI | |
Endpoint Properties: SOAP Optimization Method ![*](chapterTOC_bullet.png) MTOM ![*](chapterTOC_bullet.png) None ![*](chapterTOC_bullet.png) SWA | Default Route To : SOAP Optimization Method ![*](chapterTOC_bullet.png) MTOM ![*](chapterTOC_bullet.png) None ![*](chapterTOC_bullet.png) SWA | |
Endpoint Properties: HTTP Connection Timeout (seconds) | Default Route To : HTTP Connection Timeout (seconds) | |
Endpoint Properties: Read Timeout (seconds) | Default Route To : Read Timeout (seconds) | |
Endpoint Properties: SSL Configuration ![*](chapterTOC_bullet.png) Client Certificate Alias ![*](chapterTOC_bullet.png) Keystore Alias | Default Route To: SSL Configuration ![*](chapterTOC_bullet.png) Keystore Alias ![*](chapterTOC_bullet.png) Key Alias | |
Endpoint Properties: WS-Security Header ![*](chapterTOC_bullet.png) Pass all security headers ![*](chapterTOC_bullet.png) Remove processed security headers | Default Route To : Pass WS-Security Headers (check box) | ![*](chapterTOC_bullet.png) When the parameter WS-Security Header is set to Pass all security headers in CentraSite, the parameter Pass WS-Security Headers is selected in API Gateway. ![*](chapterTOC_bullet.png) When the parameter WS-Security Header is set to Remove processed security headers in CentraSite, the parameter Pass WS-Security Headers is NOT selected in API Gateway. |
Routing Rule : Name | Rules : Name | Regardless of a rule name, for example, Custom Rule, defined in CentraSite, the rule name is transformed into a default name, Rule <X> in API Gateway. Here, X is an integer, which denotes the number of rules that are mapped from CentraSite to API Gateway. Let us consider an API contains the Context Based Routing policy action with two routing rules, each defined with an unique name, Custom Rule A and Custom Rule B in CentraSite. When this API is published from CentraSite to API Gateway, the two routing rules are mapped into the policy Context-based Routing in API Gateway. The rule names are transformed as Rule 1 and Rule 2 in API Gateway. |
Not applicable | Rules: Condition Operator ![*](chapterTOC_bullet.png) Or ![*](chapterTOC_bullet.png) And | |
Routing Rule: Condition ![*](chapterTOC_bullet.png) Variable ![*](chapterTOC_bullet.png) Consumer ![*](chapterTOC_bullet.png) Custom Context Variable ![*](chapterTOC_bullet.png) Date ![*](chapterTOC_bullet.png) IP Address ![*](chapterTOC_bullet.png) IPv6 Address ![*](chapterTOC_bullet.png) Predefined Context Variable ![*](chapterTOC_bullet.png) Time ![*](chapterTOC_bullet.png) Consumer | Rules: Condition ![*](chapterTOC_bullet.png) Variable ![*](chapterTOC_bullet.png) Consumer ![*](chapterTOC_bullet.png) Date ![*](chapterTOC_bullet.png) IPV4 ![*](chapterTOC_bullet.png) IPV6 ![*](chapterTOC_bullet.png) Predefined Context Variable ![*](chapterTOC_bullet.png) Custom Context Variable ![*](chapterTOC_bullet.png) Time ![*](chapterTOC_bullet.png) Variable Value | ![*](chapterTOC_bullet.png) Beginning with version 10.1, API Gateway supports custom context variables in a routing rule that you create. The custom context variable name in CentraSite is automatically prefixed with mx: in API Gateway. ![*](chapterTOC_bullet.png) For a list of the predefined context variables, see below. |
Routing Rule: Route To | Rules: Route To | |
The Predefined Context Variables
Display Name in CentraSite | Display Name in API Gateway |
Average Response Time | Not applicable |
Fault Count | Not applicable |
Minimum Response Time | Not applicable |
Maximum Response Time | Not applicable |
Success Count | Not applicable |
Total Count | Not applicable |
Client IP Address | Inbound IP |
Consumer | Consumer |
Inbound Content Type | Inbound Content Type |
Inbound HTTP Method | Inbound HTTP Method |
Inbound Protocol | Inbound Protocol |
Mediator Hostname | Gateway Hostname |
Mediator IP Address | Gateway IP |
Mediator Target Name | Not applicable |
Native Service Provider Error | Not applicable |
Native Service Response Message | Not applicable |
Outbound HTTP Method | Routing Method |
User | User |
Virtual Service Name | Not applicable |
Virtual Service Operation | Operation Name |
Virtual Service URI | Inbound Request URI |
Not applicable | Inbound Accept |
Dynamic Routing
This policy action routes the requests to dynamic endpoints based on specific criteria that you specify.
The Dynamic Routing policy action under the Policy Enforcement > Routing accordion in CentraSite is mapped into the policy Dynamic Routing under the Routing stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Route using: ![*](chapterTOC_bullet.png) Context Variable ![*](chapterTOC_bullet.png) Header ![*](chapterTOC_bullet.png) Header Name | Rule: Route Using ![*](chapterTOC_bullet.png) Context ![*](chapterTOC_bullet.png) Header ![*](chapterTOC_bullet.png) Header Name | |
Route Through | Default Route To: Endpoint URI | |
Default Route-To | Route To | |
Endpoint Properties: SOAP Optimization Method ![*](chapterTOC_bullet.png) MTOM ![*](chapterTOC_bullet.png) None ![*](chapterTOC_bullet.png) SWA | Default Route To: SOAP Optimization Method ![*](chapterTOC_bullet.png) MTOM ![*](chapterTOC_bullet.png) None ![*](chapterTOC_bullet.png) SWA | |
Endpoint Properties: HTTP Connection Timeout (seconds) | Default Route To: HTTP Connection Timeout (seconds) | |
Endpoint Properties: Read Timeout (seconds) | Default Route To: Read Timeout (seconds) | |
Endpoint Properties: SSL Configuration ![*](chapterTOC_bullet.png) Client Certificate Alias ![*](chapterTOC_bullet.png) Keystore Alias | Default Route To: SSL Configuration ![*](chapterTOC_bullet.png) Keystore Alias ![*](chapterTOC_bullet.png) Key Alias | |
Endpoint Properties: WS-Security Header ![*](chapterTOC_bullet.png) Pass all security headers ![*](chapterTOC_bullet.png) Remove processed security headers | Default Route To: Pass WS-Security Headers (check box) | ![*](chapterTOC_bullet.png) When the parameter WS-Security Header is set to Pass all security headers in CentraSite, the parameter Pass WS-Security Headers is selected in API Gateway. ![*](chapterTOC_bullet.png) When the parameter WS-Security Header is set to Remove processed security headers in CentraSite, the parameter Pass WS-Security Headers is NOT selected in API Gateway. |
Authorize User
This policy action authorizes applications against a list of users and a list of groups registered in CentraSite or API Gateway.
The Authorize User policy action under the Policy Enforcement > Security accordion in CentraSite is mapped into the policy Authorize User under the Identify & Access stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Perform authorization against: List of users ![*](chapterTOC_bullet.png) Users | List of Users | |
Perform authorization against: List of groups ![*](chapterTOC_bullet.png) Groups | List of Groups | |
Allow Anonymous Usage
This policy action specifies whether to allow all users to access the API without restriction.
The Allow Anonymous Usage policy action under the Policy Enforcement > Security accordion in CentraSite is mapped into the policy Identify & Authorize Application under the Identify & Access stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Allow Anonymous Usage ![*](chapterTOC_bullet.png) True ![*](chapterTOC_bullet.png) False | Allow anonymous | ![*](chapterTOC_bullet.png) When the parameter Allow Anonymous Usage is set to True in CentraSite, the parameter Allow anonymous is selected in API Gateway. ![*](chapterTOC_bullet.png) When the parameter Allow Anonymous Usage is set to False or if the policy action is NOT defined in CentraSite, the parameter Allow anonymous is NOT selected in API Gateway. |
Throttling Traffic Optimization
This policy action limits the number of API invocations during a specified time interval, and sends alerts to a specified destination when the performance conditions are violated. This action avoids overloading the back-end APIs and their infrastructure, to limit specific applications in terms of resource usage, and so on.
The Throttling Traffic Optimization policy action under the Policy Enforcement > Traffic Management accordion in CentraSite is mapped into the policy Throttling Traffic Optimization under the Traffic Monitoring stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Hard Limit: Rule Name ![*](chapterTOC_bullet.png) Total Request Count | Limit Configuration: Rule Name ![*](chapterTOC_bullet.png) Total Request Count | |
Hard Limit: Operator ![*](chapterTOC_bullet.png) Greater Than | Limit Configuration: Operator ![*](chapterTOC_bullet.png) Greater Than | |
Hard Limit: Value | Limit Configuration: Value | |
Hard Limit: Alert Message for Hard Limit | Alert Message | |
Soft Limit : Rule Name ![*](chapterTOC_bullet.png) Total Request Count | Action Configuration: Name ![*](chapterTOC_bullet.png) Total Request Count | Depending on the value specified for the parameter Consumer Applications, the Soft Limit configuration of this policy action in CentraSite is mapped into one of the following policies under the Traffic Monitoring stage in API Gateway: ![*](chapterTOC_bullet.png) If the value is set to a specific consumer, then this configuration is mapped into the policy Monitor Service Level Agreement. ![*](chapterTOC_bullet.png) If the value is set to Any consumer application, then this configuration is mapped into the policy Monitor Service Performance. |
Soft Limit : Operator ![*](chapterTOC_bullet.png) Greater Than | Action Configuration: Operator ![*](chapterTOC_bullet.png) Greater Than |
Soft Limit : Value | Action Configuration: Value |
Soft Limit : Alert Message for Hard Limit | Alert Message | |
Consumer Applications | Consumer Applications | Names of the consumer applications in CentraSite are transformed into Application IDs in API Gateway. |
Interval Value ![*](chapterTOC_bullet.png) Minutes ![*](chapterTOC_bullet.png) Hours ![*](chapterTOC_bullet.png) Days ![*](chapterTOC_bullet.png) Weeks | Alert Interval Unit: ![*](chapterTOC_bullet.png) Minutes ![*](chapterTOC_bullet.png) Hours ![*](chapterTOC_bullet.png) Days ![*](chapterTOC_bullet.png) Weeks | |
Frequency ![*](chapterTOC_bullet.png) Every Time ![*](chapterTOC_bullet.png) Only Once | Alert Frequency ![*](chapterTOC_bullet.png) Every Time ![*](chapterTOC_bullet.png) Only Once | |
Alert Destination API Portal CentraSite![*](chapterTOC_bullet.png) EDA/Database ![*](chapterTOC_bullet.png) Elasticsearch ![*](chapterTOC_bullet.png) E-mail ![*](chapterTOC_bullet.png) Local Log: Log Level ![*](chapterTOC_bullet.png) Error ![*](chapterTOC_bullet.png) Info ![*](chapterTOC_bullet.png) Warn ![*](chapterTOC_bullet.png) SNMP | Alert Destination API Gateway API Portal CentraSite![*](chapterTOC_bullet.png) Digital Events ![*](chapterTOC_bullet.png) Elasticsearch ![*](chapterTOC_bullet.png) E-mail ![*](chapterTOC_bullet.png) JDBC ![*](chapterTOC_bullet.png) Local Log: Log Level ![*](chapterTOC_bullet.png) Error ![*](chapterTOC_bullet.png) Info ![*](chapterTOC_bullet.png) Warn ![*](chapterTOC_bullet.png) SNMP | ![*](chapterTOC_bullet.png) Beginning with version 10.1, API Gateway supports the following destinations: ![*](chapterTOC_bullet.png) Audit Log CentraSite![*](chapterTOC_bullet.png) Digital Events ![*](chapterTOC_bullet.png) Elasticsearch ![*](chapterTOC_bullet.png) Email ![*](chapterTOC_bullet.png) Local Log ![*](chapterTOC_bullet.png) SNMP ![*](chapterTOC_bullet.png) The destination name for database is changed from EDA / Database in CentraSite to JDBC in API Gateway. Therefore, when the parameter Send Log Data is set to EDA / Database in CentraSite, the pool alias definition and the corresponding configurations are mapped into JDBC in API Gateway. ![*](chapterTOC_bullet.png) When the EDA / Database destination is selected in CentraSite, it also automatically selects the Digital Events destination in API Gateway. |
Service Result Cache
This policy action enables caching of the results of SOAP and REST API invocations based on specific criteria that you specify.
The Service Result Cache policy action under the Policy Enforcement > Traffic Management accordion in CentraSite is mapped into the policy Service Result Cache under the Traffic Monitoring stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Configure Caching based on: HTTP Header ![*](chapterTOC_bullet.png) Header Name ![*](chapterTOC_bullet.png) Add to Whitelist ![*](chapterTOC_bullet.png) Whitelist (Cache only for these values) | Cache Criteria: HTTP Header ![*](chapterTOC_bullet.png) Cache responses only for these values | |
Configure Caching based on: Path | No cache criteria | If none of the cache criteria is specified, then API Gateway internally uses the Path criteria for caching the API response. |
Configure Caching based on: XPath Expression ![*](chapterTOC_bullet.png) Namespace ![*](chapterTOC_bullet.png) Prefix ![*](chapterTOC_bullet.png) URI ![*](chapterTOC_bullet.png) XPath Expression ![*](chapterTOC_bullet.png) Add to Whitelist ![*](chapterTOC_bullet.png) Whitelist (Cache only for these values) | Cache Criteria: XPath Expression ![*](chapterTOC_bullet.png) Namespace ![*](chapterTOC_bullet.png) Prefix ![*](chapterTOC_bullet.png) URI ![*](chapterTOC_bullet.png) XPath Expression ![*](chapterTOC_bullet.png) Cache responses only for these values | |
Not applicable | Cache Criteria: Query Parameters ![*](chapterTOC_bullet.png) Parameter Name ![*](chapterTOC_bullet.png) Cache responses only for these values | |
Time to Live (e.g., 5d 4h 1m) | Time to Live (e.g.,5d 4h 1m) | |
Maximum Response Payload Size (in KB, -1 = unlimited) | Maximum Response Payload Size (in KB) | |
Identify Consumer (CentraSite Control)
A legacy policy action from version 8.2.2. This policy action:
![*](chapterTOC_bullet.png)
Identifies an application based on the kind of consumer identifier (IP address, HTTP authorization token, and so on.) you specify.
![*](chapterTOC_bullet.png)
Allows anonymous users to access the API.
The Identify Consumer action defined in a runtime policy in CentraSite Control and enforced on an API in CentraSite Business UI is mapped into the policy Identify and Authorize Application under the Identify & Access stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Anonymous Usage Allowed ![*](chapterTOC_bullet.png) Yes ![*](chapterTOC_bullet.png) No | Allow anonymous | ![*](chapterTOC_bullet.png) When the parameter Anonymous Usage Allowed is set to Yes in CentraSite, the parameter Allow anonymous is selected (set to True) in the policy Identify and Authorize Application. ![*](chapterTOC_bullet.png) When the parameter Anonymous Usage Allowed is set to No in CentraSite, the parameter Allow anonymous is NOT selected (set to False) in the policy Identify and Authorize Application. |
Identify User Using ![*](chapterTOC_bullet.png) IP Address | Identification Type ![*](chapterTOC_bullet.png) IP Address Range | |
Identify User Using ![*](chapterTOC_bullet.png) Token Derived from Host Name | Identification Type ![*](chapterTOC_bullet.png) Hostname Address | |
Identify User Using ![*](chapterTOC_bullet.png) Token Derived from HTTP Header | Identification Type ![*](chapterTOC_bullet.png) HTTP Basic Authentication | |
Identify User Using ![*](chapterTOC_bullet.png) Token Derived from WSS Header | Identification Type ![*](chapterTOC_bullet.png) WS Security Username token | |
Identify User Using ![*](chapterTOC_bullet.png) Token Derived from Custom XPATH | Identification Type ![*](chapterTOC_bullet.png) XPath expression | |
Identify User Using ![*](chapterTOC_bullet.png) Consumer Certificate | Identification Type ![*](chapterTOC_bullet.png) WS Security X.509 Certificate | |
Identify User Using ![*](chapterTOC_bullet.png) Client Certificate for SSL Connectivity | Identification Type ![*](chapterTOC_bullet.png) SSL Certificate | |
Note:
If this policy action is configured with Authorize Against Registered Consumer in CentraSite Control, the parameter Application Lookup Condition is set to Registered applications in the policy Identify and Authorize Application in API Gateway. If this policy action is NOT configured with Authorize Against Registered Consumer in CentraSite Control, then the parameter Application Lookup Condition is set to Global applications in the policy Identify and Authorize Application in API Gateway.
Authorize Against Registered Consumer (CentraSite Control)
A legacy policy action from version 8.2.2. This policy action authorizes requests against the Registered Applications list in API Gateway.
The Authorize Against Registered Consumer action defined in a runtime policy in CentraSite Control and enforced on an API in CentraSite Business UI is mapped into the policy Identify and Authorize Application under the Identify & Access stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Not applicable | Application Lookup Condition: ![*](chapterTOC_bullet.png) Registered applications | The parameter Application Lookup Condition is set to Registered applications in the policy Identify and Authorize Application. |
Note:
This policy action is dependent on the Identify Consumer action in CentraSite Control.
Require HTTP Basic Authentication (CentraSite Control)
You can secure Web Service APIs using HTTP basic authentication. This policy action validates the client's credentials contained in the request's Authorization header against the list of users in the Integration Server on which API Gateway is running.
The Require HTTP Basic Authentication action defined in a runtime policy in CentraSite Control and enforced on an API in CentraSite Business UI is mapped into the policy Inbound Authentication - Transport under the Identify & Access stage in API Gateway.
The following table summarizes the mapping of this policy action:
CentraSite | API Gateway | Notes |
Authentication Required | HTTP Basic Authentication | When the parameter Authentication Required is selected in CentraSite, the parameter HTTP Basic Authentication is selected (set to True) in the policy Inbound Authentication - Transport. |