In this tutorial we’ll learn to implement define security in IBM API Connect and how to apply these definitions to APIs. This blog is first of the series where will try and cover almost all the aspects of security in IBM API Connect and how to implement each one of those in APIs. In this first instalment, We’ll learn how to implement IBM API Connect Security with Basic Authentication and LDAP user registry.
If you landed over here directly, I will recommend you to go over my previous posts on installation, setup and writing the simplest APIs in IBM API Connect. Links are below –
- Installation of IBM API Connect in personal system
- Setting up IBM API Connect for use
- Step by step tutorial on write]ing your first and simplest API in IBM API Connect
Prologue to this tutorial
In my previous blog, I have already covered how to create a basic API and publish the same to developer portal, how to create consumer app and test it same. I won’t cover any of that in the current tutorial. Instead, I will develop this post on top of the same API that I created previously.I will show you how to implement IBM API Connect Security with Basic Authentication and LDAP user registry.
Brief on IBM API Connect Security
IBM API Connect provides has made it very simple to handle security. There are simple two steps in the security process –
- Create one or more security definitions
- Apply one of more of these security definitions to the API.
IBM API Connect Security Definition
There are three types of security definitions available in IBM API Connect –
|•LDAP User Registry – User credentials are validated against LDAP user registry
•Authentication URL – User credentials are validated by a REST Authentication service. If the user is authenticated, APIc expects an HTTP 200 OK response status code. Anything else leads to authentication failure and access is denied.
NOTE: – If you apply a basic security definition, you cannot also apply an OAuth2.0 security definition.
|Application must provide a client-id OR a client-id and client-secret. If requirement is that an application must provide both a client ID and client secret, we need to create two API key security definitions, one for each type of credentials. Client id and secret can be part of http header or query parameter. We need to specify in the definition as to where the client will pass it.
|Oauth2.0 token based authentication framework.
Followings are the list of technologies used in this tutorial –
IBM API Connect 220.127.116.11 (installed in personal laptop)
https://mockable.io for back end service mocking
Online LDAP Server (ldap.forumsys.com:389) [More on this below]
Online LDAP user registry
In order to use BASIC Authentication, we need to have a user registry that uses Lightweight Directory Access Protocol (LDAP). If you have a non-LDAP user registry, instead you Authentication URL. However, as part of this learning, let’s concentrate on LDAP enabled user registry.
As part of this tutorial, I have used an online LDAP Test Server. Click on this link to learn more about it. These amazing folks have actually helped us eliminate the need to download, install and configure an LDAP sever for testing. Even for you, If you just need is to test authentication against a few identities, you may use this online utility. But nevertheless, I recommend you to visit their site and learn about this wonderful test server.
Followings are details from the above mentioned link –
Bind DN: cn=read-only-admin,dc=example,dc=com
Bind Password: password
NOTE:- All user passwords are password
Followings are the individual Users (uid) in the two different Groups (ou):
Create LDAP registry in API Manager portal
- If you are not already logged in, it’s to logon to the api manager portal (https://apim/apim is the url in this context)
- In the left navigation pane, select Admin and select the Security tab. Thereafter click on the User registries.
- Select LDAP Registry (API Security Only).
- A New LDAP Configuration window will pop up. Populate the fields as below –
1234567891011Display Name: my test ldap serverName: my-test-ldap-serverDescription: This is my test LDAP serverHostname: ldap.forumsys.comPort: 389LDAP Version: Version 3Turn off TLSTurn off case sensitive user nameSelect Search (DN) tabAdmin DN: cn=read-only-admin,dc=example,dc=comPassword: password
- After populating all the above fields, click on Test Bind & Get Base DN button.
- Once successfully connected, the list of Base DNs will be populated. Select dc=example,dc=com as the Base DN from the drop down for our example.
- Populate the prefix as (uid= and suffix as )
- Keep the Use Authorization group turned off.
- Well, that’s it. We are done with the LDAP configuration. However, we must test our settings and configurations. In order to do so, we will populate one sample user and its password in the corresponding fields and press Test configuration button. In this example, I have populated Username as gauss and Password as password
- My test gave a success.
- Click on Create button now. Bingo!! a new we just created a new LDAP registry in IBM API Connect.
Create Basic Authentication security definition
- In the navigation pane of apim portal, select Draft menu item and then select APIs. Select the relevant API which in our case is order 1.0.0 that we created in previous tutorial.
- New new window will open up, select Security Definition section.
- Select the plus icon in the Security Definition section and select Basic.
- At this point, a new security definition will be created. Go ahead and populate the fields as follows –
1234Name: basicAuthenticationDescription: Basic AuthenticationAuthenticate using: Select User registry option buttonUser Registry: Select my test ldap server from the dropdown
- Next, move to the Security section. Check the basic authentication security definition that we just created.
- Click on Save icon on the top right corner of the window.
- We are done applying the new Basic Authentication security definition to our orders API.
Test the API from APIM portal
- So far so good; we created the API security definition and applied the security definition to the API. Now, we must test it as API developer before someone consumes it.
- So, click on the Assemble tab and click on the Test icon.
- Republish the product orderproduct 1.0.0 to Sandbox catalogue.
- Click and select the operation get /order from the drop down.
- You will notice that a new Authorization section is populated; provide a username and corresponding password. For simplicity, I have already listed the list of users and their password in beginning. Provide one of your choice. For my testing purpose, I have used Username einstein and Password password
- Hit the Invoke button.
- You will notice the successful result. So, this tells us our LDAP configuration is perfect.
IBM Developer Portal and Test the API as a consuming app
- Now, we will test our API as a consuming application.
- As part of previous tutorial, we have already created an APP.
- Let’s login to the developer portal and refresh the API page; we will notice that there is an additional security definition added for basic authentication.
- Next, we will test this API as a consuming application. If you recall, previously we have already tested the API with client id and client secret using curl command. Here, we will just add basic authentication header.
- For my testing, I am using user-name as newton and password as password.
- Base64 encode newton:password using any online utility website like https://www.base64encode.org/
- In the curl command, add a new header called Authorization like below
Shell1curl --request GET --url https://datapower/orders/sb/orders/order --header 'accept: application/json' --header 'x-ibm-client-secret: YOUR_CLIENT_SECRET' --header 'x-ibm-client-id: YOUR_CLIENT_ID' --header 'Authorization: Basic bmV3dG9uOnBhc3N3b3Jk' --insecure
- Once executed, we will see the mock result.
- That’s it. 🙂
In this tutorial, we learnt about IBM API Connect Security basics. We walked step by step through the process of creating LDAP based authentication mechanism. Hope this helps your learning. 🙂