Configuring Access Mode for a Port
This section describes how to allow or deny access to ESB services and folders through a port. If you allow access by default, you can specify the services for which access is denied; if you deny access by default, you can specify the services for which access is allowed.
Important:
If you are selecting Deny by default, do not log on to the server through the port you want to change when performing the following procedure. The procedure involves temporarily denying access to all services through the port. If you log on through the port you want to change and then deny access to all services through it, you will be locked out of the server. Instead, log on through a different existing port or create a new port to log on through.
To configure access mode for a port
1. Expand the menu options icon in the title bar and select Administration.
2. Select Security > Ports.
The ports page lists all the ports configured with API Gateway, if any.
3. Click the Accessmode button for the port whose access mode you want to configure.
The options to configure the port access mode are displayed.
4. Select one of the following options:
Allow by default. Allows access through the port by default.
Deny by default. Denies access through the port by default.
Access through the port is then allowed or denied for all ESB services and folders.
5. Optional. Perform one of the following:
If you have selected Allow by default, provide the ESB services or folder for which you want to deny access to the port in the Add Folders and Services to Deny List field and click Add. Repeat this step to add the required folders and services to the list. You can also edit or delete the entered values by clicking the respective action next to the required value.
If you have selected Deny by default, provide the ESB services or folder for which you want to allow access to the port in the Add Folders and Services to Allow List field and click Add. Repeat this step to add the required folders and services to the list. You can also edit or delete the entered values by clicking the respective action next to the required value.
6. Click Save.
The changes are saved.
API Gateway services to be exposed for API Portal and client communication
If you have configured port access restrictions to allow access only to the APIs hosted on the API Gateway (for example, those under /gateway/, /ws/, and so on), ensure that you also allow access to the following APIs if the hosted APIs are protected by security policies such as OAuth, OpenID or JWT. API Portal and API consumers need access to these endpoints on API Gateway to retrieve the tokens.
/invoke/pub.apigateway.oauth2:getAccessToken
/invoke/secure.apigateway.oauth2:approve
/invoke/pub.apigateway.oauth2:authorize
/invoke/pub.apigateway.oauth2/authorize
/invoke/pub/apigateway/openid/getOpenIDToken
/invoke/pub/apigateway/openid/openIDCallback
/invoke/pub/apigateway/jwt/getJsonWebToken
/invoke/pub/apigateway/jwt/certs
/invoke/pub/apigateway/jwt/configuration
/invoke/pub/apigateway/jwt/thirdPartyConfiguration
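The following check is an added example, not part of the product documentation or the product's own code: it audits a planned Deny by default allow list against the token endpoints listed above and reports the ones that would be left unreachable. The matching rule (a folder entry covers every service beneath it, and the "/", "." and ":" separators are treated alike) is a simplifying assumption, and the function names and the sample allow list are constructed for illustration.

```python
import re

# Token endpoints copied from the list on this page.
REQUIRED_ENDPOINTS = [
    "/invoke/pub.apigateway.oauth2:getAccessToken",
    "/invoke/secure.apigateway.oauth2:approve",
    "/invoke/pub.apigateway.oauth2:authorize",
    "/invoke/pub.apigateway.oauth2/authorize",
    "/invoke/pub/apigateway/openid/getOpenIDToken",
    "/invoke/pub/apigateway/openid/openIDCallback",
    "/invoke/pub/apigateway/jwt/getJsonWebToken",
    "/invoke/pub/apigateway/jwt/certs",
    "/invoke/pub/apigateway/jwt/configuration",
    "/invoke/pub/apigateway/jwt/thirdPartyConfiguration",
]


def normalize(name):
    """Reduce an /invoke/ path or a folder/service name to dotted form."""
    name = name.strip()
    if name.startswith("/invoke/"):
        name = name[len("/invoke/"):]
    # Assumption: "/", ":" and "." all separate folder and service parts.
    return re.sub(r"[/:]", ".", name.strip("/"))


def covers(entry, endpoint):
    """True if an allow-list entry names the endpoint or a parent folder."""
    e, target = normalize(entry), normalize(endpoint)
    # Match only on a separator boundary so "pub.api" does not cover
    # "pub.apigateway...". An empty entry covers nothing.
    return bool(e) and (target == e or target.startswith(e + "."))


def missing_endpoints(allow_list):
    """Required endpoints that no entry in the planned allow list covers."""
    return [ep for ep in REQUIRED_ENDPOINTS
            if not any(covers(entry, ep) for entry in allow_list)]


if __name__ == "__main__":
    # Constructed sample: a planned allow list that forgets several entries.
    planned = ["pub.apigateway.oauth2", "pub.apigateway.jwt:getJsonWebToken"]
    for endpoint in missing_endpoints(planned):
        print("not covered by allow list:", endpoint)
```

Run it against the list you intend to enter before saving a Deny by default port, and from a session on a different port, as the Important note above requires.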
Additionally, API Gateway exposes the following REST API endpoints, which API Portal requires to access API Gateway. Allowing them ensures that API Portal functionality continues to work without any impact when you allow only the required REST API endpoints.
API Portal invokes the following two internal APIs of API Gateway:
Token request endpoint (rest/apigateway/accesstokens)
JWT request endpoint (/rest/pub/apigateway/jwt/getJsonWebToken?app_id)