API Gateway Standalone With TLS and OAuth Enabled for Securing an API

APIs are a big part of any web application. So, naturally, they're a juicy target for any would-be cyber attacker. Read on to learn how to secure your APIs.

You are exposing your API and want to make it safer? Follow these steps to enable OAuth 2.0 for an exposed API that needs both authentication and authorization.

  • Download API Gateway Standalone 2.2.0 for a 30-day trial.
  • Set the Client ID and the Client Secret of an Organization in API Gateway
    • Open \api-gateway-standalone-2.2.0\conf\wrapper.conf
    • Insert the client_id and the client_secret of the organization into the wrapper.conf file, using your Anypoint Platform account (copied from Anypoint Platform -> Access Management -> Organization).
  • Create a Keystore
    • Open Command Prompt with administrative permission (caution: if you skip this step, keytool throws an ‘Access Denied’ exception) and move to C:\Program Files\Java\jdk1.8.0_111\bin.
    • Use the command keytool -genkey -alias serverkey -keyalg DSA -keystore keystore.jks to create a keystore and set the required details (the password and key password are set here).
  • Set Keystore in API Gateway
    • Copy the created keystore to the path \api-gateway-standalone-2.2.0\conf
    • Open \api-gateway-standalone-2.2.0\domains\api-gateway\mule-domain-config.xml
    • Insert the keystore’s path, password, and key password in mule-domain-config.xml.
  • Deploy a sample Mule project in API Gateway.
    • A Mule project you've developed cannot be deployed directly to a standalone API Gateway; it throws a “Config not found” error. Deploying to the cloud internally converts the project to the required format, so right-click the project folder in Anypoint Studio and click Anypoint Platform -> Deploy to Cloud.
    • From Anypoint Platform, download the zip file and extract it. It is now in the format accepted by the standalone API Gateway.
    • Copy the downloaded project to \api-gateway-standalone-2.2.0\apps.
    • Move to \api-gateway-standalone-2.2.0 and execute the command .\bin\gateway. Now the app will be deployed.
    • Preventive measures:
      • Avoid port conflicts by changing the port number if this issue arises; otherwise an “Address already in use: JVM_Bind” error will be thrown. (Recommendation: use 8090 as the default local port and, in \domains\Gateway, use 8083 for the HTTP gateway, 8082 for the HTTPS gateway, and / as the path.) Strictly, do not use 8081.
      • If ‘Keep RAML Base URI’ is found in the HTTP Listener’s config XML, remove it. Otherwise a “Not Allowed” error will be thrown while building locally.
      • Ensure port 8082 is open. Otherwise, while building the gateway, it throws an error like “API Gateway failed, if not configured properly.”
    • If successfully deployed, http://localhost:8090/console/ will now work.
  • API Gateway with HTTPS
    • In the Anypoint Platform, configure an endpoint with port number 8082, path / and HTTPS. Download a proxy for API Gateway 2.x.x; this gives you a zip file.
    • Move the zip file to \api-gateway-standalone-2.2.0\apps.
    • If successfully deployed, https://localhost:8082/console will now work.
  • Import the OAuth2 Provider Template Module
    • Copy keystore.jks into src/main/resources.
    • Set https.port=8084 (say) in common.properties.
    • In mule.dev.properties:
      • key.store.password=mule123
      • key.store.key.password=mule123
      • key.store.path=keystore.jks
      • admin.name=anyname
      • admin.password=anypassword
      • validate.endpoint.path=validate
      • authorization.endpoint.path=authorize
      • access.token.endpoint.path=access_token
      • scopes=
      • supported.grant.types=AUTHORIZATION_CODE IMPLICIT RESOURCE_OWNER_PASSWORD_CREDENTIALS CLIENT_CREDENTIALS
    • In userValidation.xml, remove the READ scope from the OAuth Provider Module.
    • If API Gateway 2.2.0 is not installed, install it. Include the organisation’s client ID and client secret in Anypoint Studio’s mule-project.xml file, then run the Mule application.
    • Hit https://localhost:8084/access_token in Postman. You must specify:
      • grant_type as “client_credentials”
      • the organisation’s client_id
      • the organisation’s client_secret
    • Note: this operation is unsafe. Later, we will change the grant type to “IMPLICIT” and provide only the Client ID (for a client), which is safe. The client then obtains an access token internally when it requests the API, with no need to hit the OAuth Provider to get a token. This is achieved through the following steps.
    • An access token is returned as the result from the OAuth Provider.
  • Provide API with OAuth – Steps
    • Open \api-gateway-standalone-2.2.0\domains\api-gateway\mule-domain-config.xml and comment out the HTTP config.
    • Find api.raml inside \apps\<project folder> and update the RAML for OAuth 2.0: insert the security scheme and 'securedBy' statements for the corresponding APIs.
    • Execute the command .\bin\gateway.
    • In the Anypoint Platform, apply policies such as:
      • CORS
      • OAuth 2.0 Access Token Enforcement using an external provider (here, use the validate endpoint https://localhost:8084/validate).
  • Client Access to OAuth Enabled API
    • On hitting the API (say https://localhost:8082/), the result is the message “Error Missing Access Token”: our service now expects access tokens.
    • To get a client ID, request API access by creating an application. The client will have details such as:
      • Client ID
      • Client Secret
    • Give clients the URL https://localhost:8082/console (preferably opened in IE, in case of a TLS error). There:
      • Select Security Scheme: OAuth 2.0
      • Authorization Grant: Implicit
      • Client ID: <client ID of the registered app>
    • On clicking GET, a client app opens that requests a username and password to connect to the OAuth Provider (here, username: anyname; password: anypassword).
      • A Ping API opens where you can fill in the necessary details.
      • The response is retrieved.
      • If the username and password are correct, the server internally issues an access token, the client passes the token internally as an argument, and we get the desired response. So both server and client are accessed securely.
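The RAML step above ("insert security schemes and 'securedBy' statements") is shown here as an added example; it is not the article's api.raml. It assumes RAML 0.8 (the dialect API Gateway 2.x consoles consume, an assumption), a hypothetical /ping resource standing in for the Ping API the article mentions, and the provider endpoints the article configures on port 8084 (authorize and access_token). The `token` grant is RAML's name for the implicit flow the article selects in the console.

```raml
#%RAML 0.8
title: Ping API
version: v1
baseUri: https://localhost:8082/
securitySchemes:
  - oauth_2_0:
      description: |
        Tokens are issued by the OAuth2 provider on port 8084; the gateway's
        Access Token Enforcement policy checks them against /validate.
      type: OAuth 2.0
      describedBy:
        headers:
          Authorization:
            description: Bearer access token issued by the provider.
            type: string
        responses:
          401:
            description: Missing, invalid or expired access token.
      settings:
        authorizationUri: https://localhost:8084/authorize
        accessTokenUri: https://localhost:8084/access_token
        authorizationGrants: [ token ]
# Hypothetical resource; every method that needs a token lists the scheme in securedBy.
/ping:
  get:
    description: Health-check style endpoint protected by OAuth 2.0.
    securedBy: [ oauth_2_0 ]
    responses:
      200:
        body:
          application/json:
            example: |
              { "message": "pong" }
```

Only methods that carry `securedBy` are protected; a resource left without it stays open even though the policy is applied, so check every method in the RAML, not just the top-level ones.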
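To make the token flow concrete (the access_token request, the gateway policy's call to the validate endpoint, and the "Error Missing Access Token" result), here is an added, self-contained model of both sides. It is not the Mule OAuth2 provider template or the Anypoint policy; it is an in-memory stand-in with constructed client credentials and no network, so it runs offline. Token expiry and a constant-time secret comparison are included because those are the two checks a real provider must get right.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed sample credentials. The article uses real Anypoint organisation
# credentials; none are reproduced here.
REGISTERED_CLIENTS = {"client-id-EXAMPLE": "client-secret-EXAMPLE"}
TOKEN_LIFETIME_SECONDS = 3600


@dataclass
class Provider:
    """Stand-in for the OAuth2 provider the article runs on https://localhost:8084."""
    # token -> (client_id, absolute expiry time)
    tokens: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    # Injectable clock so expiry can be exercised without sleeping.
    clock: Callable[[], float] = time.time

    def access_token(self, form: dict) -> Tuple[int, dict]:
        """Models POST /access_token with grant_type=client_credentials."""
        if form.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        client_id = form.get("client_id", "")
        expected = REGISTERED_CLIENTS.get(client_id)
        # compare_digest avoids leaking how much of the secret matched via timing.
        if expected is None or not hmac.compare_digest(expected, form.get("client_secret", "")):
            return 401, {"error": "invalid_client"}
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self.tokens[token] = (client_id, self.clock() + TOKEN_LIFETIME_SECONDS)
        return 200, {"access_token": token, "token_type": "bearer",
                     "expires_in": TOKEN_LIFETIME_SECONDS}

    def validate(self, token: str) -> Tuple[int, dict]:
        """Models GET /validate, the endpoint the gateway policy is pointed at."""
        entry = self.tokens.get(token)
        if entry is None:
            return 401, {"error": "invalid_token"}
        client_id, expiry = entry
        if self.clock() >= expiry:
            del self.tokens[token]  # drop expired tokens so the store cannot grow unbounded
            return 401, {"error": "invalid_token", "error_description": "expired"}
        return 200, {"client_id": client_id}


def enforce_access_token(provider: Provider, request_headers: dict) -> Tuple[int, dict]:
    """Stand-in for the Access Token Enforcement policy in front of the Ping API.

    Returns (status, body). 401 follows RFC 6750 for missing or bad bearer tokens;
    the message text mirrors what the article reports when hitting the API bare.
    """
    scheme, _, token = request_headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, {"error": "Error Missing Access Token"}
    status, body = provider.validate(token)
    if status != 200:
        return 401, {"error": "Invalid Access Token", "detail": body}
    # Only a validated request reaches the backend; the client identity travels with it.
    return 200, {"message": "pong", "client_id": body["client_id"]}


if __name__ == "__main__":
    provider = Provider()
    print(enforce_access_token(provider, {}))  # no token -> 401
    status, body = provider.access_token({"grant_type": "client_credentials",
                                          "client_id": "client-id-EXAMPLE",
                                          "client_secret": "client-secret-EXAMPLE"})
    print(status, body["token_type"], body["expires_in"])
    print(enforce_access_token(provider, {"Authorization": "Bearer " + body["access_token"]}))
```

The gateway never sees the client secret; it only forwards the bearer token to the provider's validate endpoint, which is why the article can later switch clients to the implicit grant without touching the policy.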
