Manual Chapter : Protecting APIs with Access Policy Manager

Applies To:

BIG-IP APM

  • 14.1.2, 14.1.0

Protecting APIs with Access Policy Manager

Overview: Protecting APIs with Access Policy Manager

If you want to manually configure API protection, this section describes the tasks required. For a simpler automated setup procedure, you can instead follow the steps in the API Protection template using Access > Guided Configuration. You can still customize the components when you use Guided Configuration.

The manual procedure for implementing API protection includes the following tasks:

  • Creating an API protection profile
  • Adding servers, paths, and responses to the API protection profile
  • Optionally, adding a single sign-on configuration and log settings
  • Associating the API protection profile with a virtual server
  • If needed, editing the per-request policy automatically created for API protection

Creating an API protection profile using an OpenAPI Spec file

Before you set up API protection, make sure that basic system configuration is complete including configuring network interfaces, routes, VLANs, self IPs, DNS, and NTP. For this task, you need to have an OpenAPI 2.0 spec file that describes the API.
An API protection profile specifies the URI paths, servers, and default properties of the API. You can easily create it using an OpenAPI spec file. You can develop custom responses to API calls, use a relevant single sign-on configuration, and specify log settings.
  1. On the Main tab, click Access > API Protection > Profile.
  2. Click Create.
  3. For Name, type a name for the API protection profile.
  4. For OpenAPI File, browse to select the file.
  5. If using HTTPS, select the name of SSL Profile.
  6. For DNS Resolver Mode, select whether to query DNS nameservers using IPv4, IPv6, or IPv6 Prefer (both).
  7. For DNS Resolver, select the name of the DNS resolver to use for converting web links.
    If you need to create a DNS resolver, click Network > DNS Resolvers.
  8. If you are protecting a pool of API servers, select Use Pool.
    To use this option, specify the pool to use in the virtual server.
  9. For Authorization, you can add one or both of the following:
    • HTTP Basic: Validates user logins that use HTTP or HTTPS protocol.
    • OAuth 2.0: Validates user logins using OAuth 2.0 to issue tokens to the client after successfully authenticating the resource owner.
  10. Click Save.
    Access Policy Manager creates an API protection profile and opens new tabs. The profile includes paths, servers, properties, and responses using the details specified in the OpenAPI spec file.
The API protection profile is created. In addition, Access Policy Manager automatically develops a per-request policy that is associated with the protection profile.
You can adjust the policy as needed using the visual policy editor to access all of the features per-request policies provide. For example, you can
  • Add or delete paths
  • Modify path information, such as changing the server
  • Add or modify servers
  • Add or modify responses
  • Add or modify log settings
  • Add or modify SSO configuration

If the API changes, you can manually make changes to the API profile.

Creating an API protection profile without an OpenAPI Spec file

Before you set up API protection, make sure that basic system configuration is complete including configuring network interfaces, routes, VLANs, self IPs, DNS, and NTP.
An API protection profile specifies the URI paths, servers, and default properties of the API. You can create it manually by adding the necessary paths and servers. You can also develop custom responses to API calls, use a relevant single sign-on configuration, and specify log settings.
  1. On the Main tab, click Access > API Protection > Profile.
  2. Click Create.
  3. For Name, type a name for the API protection profile.
  4. If you are protecting a pool of API servers, select Use Pool.
    If selected, the default server specified on the Paths tab is ignored.
  5. For Authorization, you can add none, one, or both of the following:
    • HTTP Basic: Validates user logins that use HTTP or HTTPS protocol. For HTTP Basic mode, the credential must be checked using an APM AAA server. You can use different AAA servers depending on any request criteria, geolocation, time, path, source IP, and so on.
    • OAuth 2.0: Validates user logins using OAuth 2.0 to issue tokens to the client after successfully authenticating the resource owner. For OAuth mode, token validation (introspection) can be performed internally, if JWKs are available and JSON Web Tokens (JWTs) are used, or externally against an OAuth authorization server (AS).
    When either option is selected, the per-request policy creates a macro named OAuth Scope Check AuthZ to handle the authentication. Despite the name, this subsession macro is usually used for handling both HTTP Basic and OAuth.
  6. Click Save.
Access Policy Manager creates an API protection profile and opens new tabs where you can manually add paths, servers, and responses. In addition, Access Policy Manager automatically develops a per-request policy that is associated with the protection profile. You can adjust the policy as needed using the visual policy editor to access all of the features per-request policies provide.
You can manually develop the policy as needed. For example, you can
  • Add paths
  • Add servers
  • Create responses
  • Specify log settings
  • Add SSO configurations

If the API changes, locate the API profile in the list, then click Edit to edit the associated per-request policy.

Adding servers to an API protection profile

Before you add servers to an API protection profile, you need to have created the profile. Also, if the server URL is HTTPS, you need to have a server SSL profile (or use the default serverssl profile). Create SSL profiles using Local Traffic > Profiles > SSL > Server.
You add servers to specify the API back-end servers that the paths in the profile direct requests to. If you used an OpenAPI Spec file, a server is automatically created and listed on the Paths tab. If creating the protection profile manually, you need to add the necessary API servers.
  1. On the Main tab, click Access > API Protection > Profile.
  2. Click the name of the API protection profile to which you want to add servers.
  3. On the Paths tab, in the Servers section, click Create.
    The Server Properties section opens where you define the servers.
  4. For Name, type a name for the API server.
  5. For URL, type the full path to the server. For example, https://store.order.io/v1.
  6. From the SSL Profile list, select an SSL profile for initiating secure connections to the server, or use one of the defaults provided.
  7. From the Server list, select the name of the API server.
    The server must be listed in the Servers section below.
  8. Click Active to make this path available.
  9. Click Add to add the server to the profile.
  10. Add as many servers as are needed.
  11. In the Properties section, from the Default Server list, select the name of the API server to use by default.
  12. From DNS Resolver Mode, select whether the DNS resolver uses IPv4, IPv6, or IPv6 Prefer (both).
  13. From DNS Resolver, select the DNS resolver the server uses to resolve addresses.
  14. Click Save.
The servers are listed on the Paths tab of the API protection profile.

Adding paths to an API protection profile

Before you add paths to an API protection profile, you need to have created the profile. You also need to have specified one or more API servers on the Paths tab.
You create paths to define different endpoints to access services provided by the API. If you used an OpenAPI Spec file, the paths are automatically imported and listed on the Paths tab. If creating the protection profile manually, you need to add the paths to each of the API services. In either case, you can adjust the paths as needed.
  1. On the Main tab, click Access > API Protection > Profile.
  2. Click the name of the API protection profile to which you want to add paths.
  3. On the Paths tab, in the Paths section, click Create.
    The Path Properties section opens where you define the paths for the APIs being protected.
  4. For URI, type the URI for the path you are creating starting with /. For example, /user/login.
    The URI pattern can use asterisk * wildcards to represent a segment of an API path; wildcards do not go beyond the path segment boundaries, and are not regular expressions. For example, /f5/util/*.
  5. From the Method list, select the HTTP method allowed for this API operation.
  6. From the Server list, select the name of the API server for this type of request.
    The server must be listed in the Servers section below.
  7. Click Active to make this path available.
  8. Click Add to add the path to the profile.
  9. Add as many paths as are required to support the API.
  10. Click Save.
The paths are listed on the Paths tab of the API protection profile. Note that deleting a path on the Paths tab does not delete the path from the per-request policy in the visual policy editor, so it is recommended that you edit paths in the editor.
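The following is an added example, not part of the manual or F5's own code, that models how the path patterns described above are matched: an asterisk stands for one whole path segment, never crosses a slash, and is not a regular expression. The profile entries and request URIs are constructed, and the assumption that a wildcard must cover an entire segment (rather than part of one) is mine.

```python
"""Model of segment-bounded wildcard matching for API protection paths.

Added example; the ApiPath entries below are constructed, not from a real
profile, and '*' is assumed to stand for exactly one whole segment."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class ApiPath:
    uri: str            # pattern such as /user/login or /f5/util/*
    method: str         # HTTP method allowed for this operation
    server: str         # name of the API server the path is routed to
    active: bool = True  # inactive paths are ignored by the classifier


def segment_match(pattern: str, uri: str) -> bool:
    """True when the request URI matches the path pattern segment by segment.

    '/f5/util/*' matches '/f5/util/ls' but not '/f5/util/ls/extra'
    (wildcard does not cross a segment boundary) and not '/f5/utilities'
    (no partial-segment matching). The query string is ignored."""
    pat_segs = pattern.strip("/").split("/")
    uri_segs = uri.split("?", 1)[0].strip("/").split("/")
    if len(pat_segs) != len(uri_segs):
        return False
    return all(p == "*" or p == u for p, u in zip(pat_segs, uri_segs))


def classify(paths: Sequence[ApiPath], method: str, uri: str) -> Optional[str]:
    """Return the server of the first active path whose pattern and method
    match, or None when nothing matches (the policy would then fall through
    to the profile's default response rather than to any server)."""
    for p in paths:
        if p.active and p.method == method.upper() and segment_match(p.uri, uri):
            return p.server
    return None


# Constructed profile: two active paths and one that has been deactivated.
PATHS = [
    ApiPath("/user/login", "POST", "auth-srv"),
    ApiPath("/f5/util/*", "GET", "util-srv"),
    ApiPath("/f5/util/debug", "GET", "debug-srv", active=False),
]

if __name__ == "__main__":
    for m, u in [("POST", "/user/login"), ("GET", "/f5/util/ls?v=1"),
                 ("GET", "/f5/util/ls/extra"), ("GET", "/f5/util/debug")]:
        print(f"{m} {u} -> {classify(PATHS, m, u)}")
```

Because the inactive /f5/util/debug entry is skipped, a GET to that URI still reaches util-srv through the wildcard path, which is the kind of overlap worth checking when you review paths in the visual policy editor.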

Creating API responses

Before you create responses in an API protection profile, you need to have created the profile.
You can create responses that indicate the results of processing an API request. If you used an OpenAPI Spec file that includes responses when creating the API protection profile, the responses are automatically imported and listed on the Responses tab. If developing the protection profile manually, you need to create the responses that you want to use. In either case, you can add, delete, or edit the responses as needed.
  1. On the Main tab, click Access > API Protection > Profile.
  2. Click the name of the API protection profile to which you want to add responses.
  3. On the Responses tab, click Create.
    The API Response Properties section opens where you define the responses for the APIs being protected.
  4. For Name, type a name for the response.
  5. For Status Code, type the 3-digit HTTP status code resulting from the attempt to satisfy the API request. For example, 404 or %{perflow.oauth.scope.status_code}.
  6. For Status, type a short textual description of the status code. For example, Invalid input or %{perflow.oauth.scope.status_string}.
  7. If specifying headers for the response, for Headers, click +, then type the name-value pairs for the header that appears in the API response.
    You can specify multiple response headers, if needed, to allow the server to provide additional information about the response.
  8. To add text for the response, type it in Body.
    The message in the body may include a file or resource.
  9. Click Add to add the response to the profile.
  10. Add as many responses as are required to support the APIs.
  11. In the Properties section, for Default Response, select the response to use by default.
  12. Click Save.
The responses are listed on the Responses tab of the API protection profile.

Specifying access control for API protection

You can specify access control, including an existing SSO configuration and log settings, in an API protection profile. In addition, you can edit the per-request policy the system creates for API protection.
  1. On the Main tab, click Access > API Protection > Profile.
  2. Click the name of the API protection profile you want to work on.
  3. Click the Access Control tab.
  4. From SSO Configuration, select the SSO configuration to use for API Protection.
    Note: If using Single Sign-On with API protection, you can use only the following SSO authentication methods:
    • HTTP Basic
    • Kerberos
    • OAuth Bearer
    To add an SSO Configuration, go to Access > Single Sign-On. See Access Policy Manager: Single Sign-On Concepts and Configuration.
  5. From Log Settings, select the format to use for logs, or use the default-log-setting.
    To configure custom log settings, refer to Logging and Reporting in the Access Policy Manager: Network Access Guide.
  6. Click Save.
  7. To see the per-request policy that was developed for API protection, click Edit.
    The visual policy editor opens in a new tab and shows the policy contents. You can edit the policy as needed to customize it for API protection. See Access Policy Manager: Visual Policy Editor.
The specified SSO configuration and log settings are associated with the API protection profile.

Creating a virtual server for API protection

You create a virtual server to act as the traffic destination address. Then you associate an API protection profile so that the system can apply API protection to incoming API requests. The virtual server can have only one protection profile assigned to it.

If you have already created a virtual server, simply assign the API protection profile to it. No other access policy can be associated with that virtual server.

  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click Create.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination Address/Mask setting, confirm that the Host button is selected, and type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    Note: The IP address you type must be available and not in the loopback network.
  5. In the Service Port field, type 80 (for HTTP) or 443 (for HTTPS), or select HTTP or HTTPS from the list.
  6. From the HTTP Profile list, select http.
  7. In the API protection area, from the API Protection Profile list, select the protection profile that you configured earlier.
  8. Optional: Customize other settings as needed. For example, if you selected Use Pool in the protection profile, specify the Default Pool in the Resources section.
  9. Click Finished.
The virtual server is created and the API protection profile is associated with it. API requests directed through the virtual server are protected by the profile.

Editing an API protection per-request policy

When you create an API protection profile, the system automatically develops a per-request policy based on the settings you provided. You can edit the per-request policy later to add or remove servers, paths, responses, or to otherwise customize the policy for your networking environment.
  1. On the Main tab, click Access > API Protection > Profile.
  2. Click Edit in the Per-Request Policy column for the API protection profile.
    The visual policy editor opens in a new tab and shows the policy contents. You can edit the policy as needed to customize it for API protection.
  3. To see how requests are classified using the paths and methods added in the API protection profile, locate Classify API Request (RCA), the Request Classification Agent.
  4. Click Classify API Request (RCA) to display the properties.
    You can edit the paths here.
    Note: Adding or modifying paths in the API protection profile adds them to the Classify API Request (RCA) in the visual policy editor. But deleting or modifying paths in the profile on the Paths tab does not delete or modify the path in the editor. So we recommend modifying or deleting paths in the editor.
    The Classify API Request object reads connection data and can steer the request to a specific policy branch. The branch can contain any logic you like, and generally it terminates in an Allow or Reject ending.
  5. Click any other object to view and edit properties. Click the + between objects to see which options are available to add to the policy.
See Access Policy Manager: Visual Policy Editor for details on editing policies.