Software AG Products 10.11 | Administrating API Gateway | Security Configuration | Ports | Configuring Access Mode for a Port
 
Configuring Access Mode for a Port
The access mode of a port determines whether APIs can be invoked through the port or not. This section explains the steps required to configure the access mode of ports.
You can either allow or deny the access of all APIs through a port. When you allow access of APIs using a port by default, you can specify a list of APIs that must be denied access over the port. Also, if you deny the access of APIs using a port, you can specify a list of APIs that can be allowed to access using the port.
This configuration is applicable for REST, SOAP, and OData APIs.
Important:
When performing the following procedure, do not log into the server through the port you want to change, if you are selecting Deny by default. The procedure involves temporarily denying access to all APIs through the port. If you log on through the port you want to change and then deny access to all APIs through it, you will be locked out of the server. Instead, log on through a different existing port or create a new port to log on through.
*To configure access mode for a port
1. Expand the menu options icon , in the title bar, and select Administration.
2. Select Security > Ports.
The ports page lists all the ports configured with API Gateway.
3. Click the Accessmode button for the port that you want to configure the access mode.
The options to configure the port access mode are displayed.
4. Select one of the following options:
*Allow by default. To allow access of the port, by default.
*Deny by default. To deny access of the port, by default.
The port is enabled or denied for access by all APIs.
5. Optional. Perform one of the following:
*If you have selected Allow by default, provide the APIs for which you want to deny access through the port in the Add APIs to Deny List field and click + Add. Repeat this step to add the required APIs to the list. You can also edit or delete the entered values by clicking the respective action next to the required value.
*If you have selected Deny by default, provide the APIs for which you want to allow access through the port in the Add APIs to Allow List field and click + Add. Repeat this step to add the required APIs to the list. You can also edit or delete the entered values by clicking the respective action next to the required value.
To allow or deny access of all versions of an API through a port, specify the API in the following format:
*apiName or apiName/ - For REST and OData APIs.
*ws/apiName or /ws/apiName/ - For SOAP APIs.
For example, if you select Deny by default and provide ws/echo in Add APIs and services to Allow List, then all versions of this SOAP API can be accessed through the port.
If you specify an API in the apiName or ws/apiname format in the Allow list, then you must invoke the API using the protocol://host:port/ws/apiname format; and if you specify in the apiName/or /ws/apiname/ format, then you must invoke the API using the protocol://host:port/ws/apiname/ format.
To allow or deny access of a particular version of an API through port, specify the API in the following format:
*apiName/version or apiName/version/ - For REST and OData APIs
*ws/apiName/version or /ws/apiName/version/ - For SOAP APIs.
For example, if you select Allow by default and provide calc/1.0 in Add APIs and services to Deny List, then the 1.0 version of the API Calc will be denied to access through the port.
If you specify an API in the apiName/version or ws/apiname/version format in the Allow list, then you must invoke the API using the protocol://host:port/ws/apiname/version format; and if you specify in the apiName/version/ or /ws/apiname/version/ format, then you must invoke the API using the protocol://host:port/ws/apiname/version/ format.
The API names along with their version numbers specified in the Allow and Deny lists must exactly match the required API names.
Note:
Even if an API has custom endpoints, you must provide the apiName and not the custom endpoint paths in the Allow and Deny lists.
6. Click Save.
The changes are saved.
Note:
To enforce this configuration on REST and OData APIs, when accessed through the HTTP and HTTPS ports, set the value of the pg.security.honourPortAccessModeSettings extended setting as true. To enforce this configuration on SOAP APIs, set the watt.server.portAccess.axis2 setting as true. For information on configuring an extended setting, see Configuring Extended Settings.
API Gateway services to be exposed for API Portal and client communication
If you have configured port access restrictions to allow access only to the APIs hosted on the API Gateway (say with /gateway/, /ws/ , and so on), then ensure that you also provide access to the following APIs in case the APIs are protected by security policies such as OAuth, OpenId or JWT. Allowing access to these endpoints is important for API Portal and API consumers to access API Gateway to retrieve the tokens.
*/invoke/pub.apigateway.oauth2:getAccessToken
*/invoke/secure.apigateway.oauth2:approve
*/invoke/pub.apigateway.oauth2:authorize
*/invoke/pub.apigateway.oauth2/authorize
*/invoke/pub/apigateway/openid/getOpenIDToken
*/invoke/pub/apigateway/openid/openIDCallback
*/invoke/pub/apigateway/jwt/getJsonWebToken
*/invoke/pub/apigateway/jwt/certs
*/invoke/pub/apigateway/jwt/configuration
*/invoke/pub/apigateway/jwt/thirdPartyConfiguration
Additionally, the following REST API endpoints are exposed by API Gateway, which are required from the API Portal to access API Gateway. This is to ensure that while you only allow required REST API endpoints, API Portal functionalities continue to work without any impact.
API Portal invokes the following two internal APIs of API Gateway:
*Token request endpoint (rest/apigateway/accesstokens)
*JWT request endpoint (/rest/pub/apigateway/jwt/getJsonWebToken?app_id)