IBM API Connect Security with Basic Authentication and LDAP

In this tutorial we'll learn how to define security in IBM API Connect and how to apply those definitions to APIs. This post is the first of a series in which we'll try to cover almost all aspects of security in IBM API Connect and how to implement each of them in APIs. In this first instalment, we'll learn how to implement IBM API Connect security with Basic Authentication and an LDAP user registry.

If you landed here directly, I recommend going over my previous posts on installing and setting up IBM API Connect and writing the simplest APIs. Links are below –

Prologue to this tutorial

In my previous post, I already covered how to create a basic API and publish it to the Developer Portal, and how to create a consumer app and test it. I won't cover any of that in the current tutorial. Instead, I will build this post on top of the same API that I created previously, and show how to implement IBM API Connect security with Basic Authentication and an LDAP user registry.

Brief on IBM API Connect Security

IBM API Connect makes it very simple to handle security. There are two steps in the security process –

  • Create one or more security definitions
  • Apply one or more of these security definitions to the API.

Optional note: You can specify whether or not an API operation inherits the security definitions that have been applied to the containing API. For an individual operation you can pick a subset of the API's definitions, or define and apply a new one that is specific to that operation.

IBM-API-Connect-Security-Overview

IBM API Connect Security Definition

There are three types of security definitions available in IBM API Connect –

  • Basic Authentication – User credentials are validated in one of two ways. With an LDAP User Registry, the credentials are validated against an LDAP user registry. With an Authentication URL, the credentials are validated by a REST authentication service: if the user is authenticated, APIc expects an HTTP 200 OK response status code, and anything else is treated as an authentication failure and access is denied. NOTE: If you apply a Basic security definition, you cannot also apply an OAuth 2.0 security definition to the same API.
  • API Key – The application must provide a client ID, or a client ID and a client secret. If the requirement is that an application must provide both, we need to create two API Key security definitions, one for each credential. The client ID and secret can be passed in an HTTP header or as a query parameter; the definition specifies where the client must pass them.
  • OAuth 2.0 – Token-based authorization using the OAuth 2.0 framework.
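The Authentication URL row above says everything the gateway needs from the service in one sentence: 200 means authenticated, anything else means denied. As an added example that is not part of the original post or of IBM's own code, here is a minimal authentication service in Python that behaves that way. It assumes the credentials arrive in a standard Basic Authorization header; the user table (mirroring the test identities used later in the post), the realm name and the port are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed user table for this example: username -> (salt, PBKDF2 hash of the password).
# The identities mirror the test server used in the post; a real service would consult
# its own registry instead of an in-memory dict.
_SALT = os.urandom(16)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {
    "newton": (_SALT, _hash("password", _SALT)),
    "einstein": (_SALT, _hash("password", _SALT)),
}
_DUMMY = (_SALT, b"\x00" * 32)  # same-length stand-in so unknown users cost the same time


def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic <b64>' value, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # RFC 7617: split at the FIRST colon only
    if not sep or not user:
        return None
    return user, password


def verify(user, password):
    """Constant-time password check; unknown users are hashed too so timing does not leak names."""
    salt, expected = USERS.get(user, _DUMMY)
    match = hmac.compare_digest(_hash(password, salt), expected)
    return match and user in USERS


def auth_status(header):
    """Status code the authentication URL must return: 200 only for a verified credential."""
    creds = parse_basic_auth(header)
    if creds is None or not verify(*creds):
        return 401
    return 200


class AuthHandler(BaseHTTPRequestHandler):
    """Answers GET/POST with 200 or 401; the body is irrelevant, the gateway only reads the status."""

    def do_GET(self):
        status = auth_status(self.headers.get("Authorization"))
        self.send_response(status)
        if status != 200:
            self.send_header("WWW-Authenticate", 'Basic realm="order-api"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_POST = do_GET

    def log_message(self, format, *args):
        pass  # the default log would echo request lines; keep anything credential-adjacent off stdout


if __name__ == "__main__":
    # Port 8080 is an arbitrary choice for the example; front this with TLS in any real deployment.
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

Two details matter for a service that sits behind this definition: every failure path (missing header, wrong scheme, bad base64, unknown user, wrong password) must end in a non-200 status, because a 200 on an error page would log the caller in; and the comparison should take the same time for unknown users as for known ones, so the endpoint does not become a username oracle.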

Technology Stack

Following is the list of technologies used in this tutorial –

Online LDAP user registry

In order to use Basic Authentication, we need a user registry that uses the Lightweight Directory Access Protocol (LDAP). If you have a non-LDAP user registry, use an Authentication URL instead. However, as part of this learning, let's concentrate on an LDAP-enabled user registry.

As part of this tutorial, I have used an online LDAP test server. Click on this link to learn more about it. These amazing folks have eliminated the need to download, install and configure an LDAP server for testing. If all you need is to test authentication against a few identities, you may use this online utility too. Keep in mind that the server and every identity on it are public, so it is suitable for learning only, never for protecting anything real. Nevertheless, I recommend visiting their site and learning about this wonderful test server.

Following are the details from the above-mentioned link –

Create LDAP registry in API Manager portal

  • If you are not already logged in, log on to the API Manager portal (https://apim/apim is the URL in this context).
  • In the left navigation pane, select Admin and then the Security tab. Then click on User registries.

    ibm-apic-apim-ldap-user-registry

  • Select LDAP Registry (API Security Only).

    There are other options as well. For more detail on all of them you can head to the IBM Knowledge Center link here.

  • A New LDAP Configuration window will pop up. Populate the fields as below –
  • After populating all the above fields, click on the Test Bind & Get Base DN button.

    ibm-apic-apim-new-ldap-configuration-test-bind

  • Once successfully connected, the list of Base DNs is populated. Select dc=example,dc=com as the Base DN from the drop-down for our example.
  • Populate the prefix as (uid= and the suffix as ). The two are placed around the username the caller presents, so the lookup filter under the Base DN becomes (uid=<username>).
  • Keep the Use Authorization group toggle turned off.
  • Well, that's it. We are done with the LDAP configuration. However, we must test our settings. To do so, populate a sample username and password in the corresponding fields and press the Test configuration button. In this example, I have populated Username as gauss and Password as password.
  • My test succeeded.

    ibm-apic-apim-ldap-configuration-test-result

  • Click on the Create button now. Bingo!! We just created a new LDAP registry in IBM API Connect.

Create Basic Authentication security definition

  • In the navigation pane of the API Manager portal, select the Drafts menu item and then APIs. Select the relevant API, which in our case is order 1.0.0, the one we created in the previous tutorial.
  • A new window will open up; select the Security Definitions section.
  • Click the plus icon in the Security Definitions section and select Basic.

    ibm-apic-apim-select-basic-security-definition

  • At this point, a new security definition is created. Go ahead and populate its fields as follows –

    ibm-apic-apim-basic-authentication-security-definition

  • Next, move to the Security section and check the Basic Authentication security definition that we just created.
  • Click on the Save icon in the top-right corner of the window.

    ibm-apic-apim-apply-basic-authentication-security-definition

  • We are done applying the new Basic Authentication security definition to our order API.

Test the API from APIM portal

  • So far so good; we created the security definition and applied it to the API. Now we must test it as an API developer before anyone consumes it.
  • Click on the Assemble tab and then on the Test icon.
  • Republish the product orderproduct 1.0.0 to the Sandbox catalogue.
  • Select the operation get /order from the drop-down.
  • You will notice that a new Authorization section appears; provide a username and the corresponding password. For simplicity, I have already listed the users and their passwords at the beginning. Provide one of your choice. For my testing, I have used Username einstein and Password password.
  • Hit the Invoke button.
  • You will see a successful result, which tells us our LDAP configuration works.

IBM Developer Portal and Test the API as a consuming app

  • Now, we will test our API as a consuming application.
  • As part of the previous tutorial, we have already created an app.
  • Log in to the Developer Portal and refresh the API page; you will notice that an additional security definition has been added for Basic Authentication.
  • Next, we will test this API as a consuming application. If you recall, we previously tested the API with a client ID and client secret using a curl command. Here, we will just add a Basic Authentication header.
  • For my testing, I am using the username newton and the password password.
  • Base64-encode newton:password. An online utility such as https://www.base64encode.org/ will do for a throwaway test identity like this one, but never paste real credentials into a third-party site: encode locally (for example, printf 'newton:password' | base64) or let curl build the header for you with -u newton:password. Remember that Basic Authentication only encodes the credential, it does not encrypt it, so the API must only ever be called over HTTPS.
  • In the curl command, add a new header called Authorization like below
  • Once executed, we will see the mock result.
  • That's it. 🙂
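The step above adds the Authorization header by hand. As an added example that is not from the original post, here is a small Python client that does the same thing end to end: it builds the Basic header locally from the test identity, adds the app's client ID and secret from the previous tutorial, and calls the operation over TLS only. The header names X-IBM-Client-Id and X-IBM-Client-Secret are an assumption (the names API Connect uses by default when an API Key definition passes the credential in a header); the environment variable names and the URL shape in the usage line are placeholders for the example.

```python
import base64
import os
import ssl
import sys
import urllib.error
import urllib.request


def basic_auth_header(username, password):
    """Build the Authorization value locally, per RFC 7617: 'Basic ' + base64(user:password)."""
    if ":" in username:
        raise ValueError("RFC 7617 does not allow ':' in the user-id")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_headers(client_id, client_secret, username, password):
    """Everything the order API now expects: the app's API keys plus the LDAP user's Basic credential.

    X-IBM-Client-Id / X-IBM-Client-Secret are assumed here to be the header names chosen in the
    two API Key security definitions (API Connect's defaults for header-based keys).
    """
    return {
        "X-IBM-Client-Id": client_id,
        "X-IBM-Client-Secret": client_secret,
        "Authorization": basic_auth_header(username, password),
        "Accept": "application/json",
    }


def is_tls_url(url):
    """Basic credentials are only base64-encoded, not encrypted, so accept nothing but https."""
    return url.lower().startswith("https://")


def call_order_api(url, headers, timeout=10):
    """GET the operation and return (status, body).

    A 401 here means the gateway rejected the Basic credential against the LDAP registry
    (or the app keys were wrong); a 200 with the mock body means every definition passed.
    """
    if not is_tls_url(url):
        raise ValueError("refusing to send Basic credentials over a non-TLS URL")
    req = urllib.request.Request(url, headers=headers, method="GET")
    ctx = ssl.create_default_context()  # verifies the gateway certificate; do not disable this
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Usage (placeholder URL): CLIENT_ID=... CLIENT_SECRET=... LDAP_PASSWORD=... \
    #     python client.py https://<gateway>/<org>/sandbox/order
    # Use the endpoint the Developer Portal shows for the get /order operation.
    headers = build_headers(
        os.environ["CLIENT_ID"],
        os.environ["CLIENT_SECRET"],
        os.environ.get("LDAP_USER", "newton"),
        os.environ["LDAP_PASSWORD"],
    )
    status, body = call_order_api(sys.argv[1], headers)
    print(status)
    print(body)
```

Credentials come from the environment rather than the command line so they do not end up in shell history or process listings, and the client refuses plain http outright rather than relying on a redirect to fix it, since by then the header has already been sent.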

Conclusion

In this tutorial, we learnt the basics of IBM API Connect security and walked step by step through creating an LDAP-based authentication mechanism. Hope this helps your learning. 🙂
