DEV Community: Aditya Singh

Trigger email in DataPower

Aditya Singh — Mon, 30 Sep 2024 00:44:34 +0000

The article is now moved to my website https://adityasingh-lab.github.io/

Installing IBM API Connect Toolkit on Windows (Designer/UI)

Aditya Singh — Wed, 25 Sep 2024 16:13:34 +0000

Hello Tech Enthusiast,

Discussing toolkits, IBM API Connect (hereafter referred as APIC) provides an offline toolkit designed for development purposes, which includes an offline UI, also known as the Designer toolkit, and command-line enabled commands to automate deployment processes (CI/CD).

We can either download it from IBM Fix Central or best case, use APIC Cloud/Manager UI homepage. Here, I'm using API Manager UI to install.

I will also provide guidance on automating deployment in upcoming articles. Stay tuned.

Installation

On APIC Manager UI homepage and click 'Download toolkit'. I prefer to set up the credentials in the first step as well, as this allows the designer UI to run immediately after installation.

Download API Designer credentials (designer_credentials.json).
Update environment variable to designer_credentials.json. Run following command from windows CMD (need admin to run). You can do the same from windows gui.

setx APIC_DESIGNER_CREDENTIALS <folderpath>\designer_credentials.json /m

In case permission issue, we can use temporary set instead of setx variable.
Next, on the step-1 Download toolkit, select the windows operating system. It will download toolkit-loopback-designer-windows.zip file.
Extract the content and you can see two files as api_designer-win.exe and apic.exe {command line toolkit}.
Double click the api_designer-win.exe and follow the prompt (Next / Install).

After installation, it would request to Connect to cloud

open the designer and it would ask you to 'Open a Directory'. If this is your first time, create a project directory in your local windows folder and select it.

[Part 3/3] Securing APIs using JSON Web Token (JWT) in IBM API-Connect v10 using X.509 RSA key pair

Aditya Singh — Wed, 25 Sep 2024 12:21:35 +0000

Hello Tech Enthusiasts,

Refer previous parts of this series Part 1 and Part 2.

This is final article of our series focusses on the validation of JWT tokens using the APIC v10 jwt-validate policy.

Update API to Validate JWT token

- Select the API ‘JWT Generation and Validation’ and go to Gateway polices tab.

- Drag gatewayscript policy to operation-switch case 1.

- Copy-paste following code

var jwttoken = context.request.header.get('Authorization');

//remove Bearer from the token
context.set('input-jwt', jwttoken.replace(/^Bearer /g, ''));

- Drag `jwt-validate` and fill the form

JSON WebToken (JWT): input-jwt
Output Claims: decoded.claims
Issuer Claim: apic'for more than one claim, enter regrex pattern (PCRE)'
Audience Claim: id1
Verify Crypto Object: personal_sandbox_tlsp-jwt-keyprofileV1.0.0-ca-0

- Drag ‘set-variable’ and copy the following yaml to source

                - jwt-validate:
                    version: 2.0.0
                    title: jwt-validate
                    jwt: input-jwt
                    output-claims: decoded.claims
                    iss-claim: apic
                    aud-claim: id1
                    jws-crypto: personal_sandbox_tlsp-jwt-keyprofileV1.0.0-ca-0
                    jwe-crypto: ''

- Create Catch policy for error handling

    catch:
      - errors:
          - RuntimeError
        execute:
          - set-variable:
              version: 2.0.0
              title: set-variable
              actions:
                - set: message.status.code
                  value: 400
                  type: number
                - set: message.status.reason
                  value: Bad Request
                  type: string
                - set: message.body
                  value: $(jwt-validate.error-message)
                  type: string

- Save and Publish the API to sandbox catalog

API file

swagger: '2.0'
info:
  title: JWT Generation and Validation
  x-ibm-name: jwt-generation-and-validation
  version: 1.0.0
  description: >
    This API has two parts 

    1. Generate JWT: The generate operation takes care of generating jwt token
    and setting that to response payload Authorization header

    2. 
x-ibm-configuration:
  cors:
    enabled: true
  gateway: datapower-api-gateway
  type: rest
  phase: realized
  enforced: true
  testable: true
  assembly:
    execute:
      - operation-switch:
          version: 2.0.0
          title: operation-switch
          case:
            - operations:
                - verb: get
                  path: /generate
              execute:
                - jwt-generate:
                    version: 2.0.0
                    title: jwt-generate
                    jwt: ''
                    iss-claim: request.headers.iss-claim
                    exp-claim: 60
                    description: //This policy is to generate JWT token for client request.
                    jws-alg: RS256
                    jws-crypto: personal_sandbox_tlsp-jwt-keyprofileV1.0.0-key
                    jti-claim: true
                    aud-claim: request.headers.aud-claim
            - operations:
                - verb: get
                  path: /validate
              execute:
                - gatewayscript:
                    version: 2.0.0
                    title: gatewayscript
                    source: >-
                      var jwttoken =
                      context.request.header.get('Authorization');


                      context.set('input-jwt', jwttoken.replace(/^Bearer /g,
                      ''));
                - jwt-validate:
                    version: 2.0.0
                    title: jwt-validate
                    jwt: input-jwt
                    output-claims: decoded.claims
                    iss-claim: apic
                    aud-claim: id1
                    jws-crypto: personal_sandbox_tlsp-jwt-keyprofileV1.0.0-ca-0
                    jwe-crypto: ''
                - set-variable:
                    version: 2.0.0
                    title: set-variable
                    actions:
                      - set: message.body
                        value: $(decoded.claims)
                        type: string
                      - set: message.headers.Content-Type
                        value: application/json
                        type: string
                    description: >-
                      This policy is setting response body from the extracted
                      jwt verification
          otherwise: []
    catch:
      - errors:
          - RuntimeError
        execute:
          - set-variable:
              version: 2.0.0
              title: set-variable
              actions:
                - set: message.status.code
                  value: 400
                  type: number
                - set: message.status.reason
                  value: Bad Request
                  type: string
                - set: message.body
                  value: $(jwt-validate.error-message)
                  type: string
  properties:
    target-url:
      value: http://example.com/operation-name
      description: The URL of the target service
      encoded: false
  activity-log:
    enabled: true
    success-content: activity
    error-content: payload
basePath: /securetoken
paths:
  /generate:
    get:
      responses:
        '200':
          description: success
          schema:
            type: string
  /validate:
    get:
      responses:
        '200':
          description: success
          schema:
            type: string
securityDefinitions:
  clientID:
    type: apiKey
    in: header
    name: X-IBM-Client-Id
security:
  - clientID: []
schemes:
  - https

Testing (Success Scenario)

- Add new GET Request in Postman

- Add X-IBM-Client-Idin header

- In Scripts section, copy paste following code to pre-request to GET /validate request:

var jwtToken = pm.globals.get("jwt_token");

pm.request.headers.add({
    key: "Authorization",
    value: jwtToken

}
)

- First trigger GET /generate request first from Postman to fetch JWT in Authorization

- Now trigger GET /validate request from Postman and verify success 200 Ok with JWT payload details

Testing (Failure Scenario)

Scenario 1: Token is expired

Response received:
JWT validation failed, because the JWT has expired at Sun Sep 08 2024 21:52:31 GMT+0100 (British Summer Time).

Scenario 2: Token Header is tampered

Scenario 3: Token payload is tampered

Scenario 4: Token signature is tampered

[Part 2/3] Securing APIs using JSON Web Token (JWT) in IBM API-Connect v10 using X.509 RSA key pair

Aditya Singh — Wed, 25 Sep 2024 07:30:48 +0000

Hello Tech Enthusiasts,

Please refer to the previous article, Part 1, to understand how we generate and upload certificates in IBM API Connect.

This article continues focusses on the generation of JWT tokens using the APIC v10 jwt-generate policy.

Login to APIC Manager console and go to develop tab. Create new API using OpenAPI 2.0. You can use OpenAPI 3.0 as well as jwt-generate policy remains the same.
Give the Title as ‘JWT Generation and Validation’ and base path ‘/securetoken’. Select next and create the API
Delete the blank path and create following path with ‘get’ Operations. I’m using get here, but it may vary according to your requirement. For now, I’m keeping it simple.

Navigate to the Gateway tab and drag the operation-switch into the assembly section.
Construct two cases based on the operations as follows

For generate part, drag the jwt-generate in the assembly section and fill the forms as following:

Empty the JSON Web Token as we prefer the response to be sent tin Authorization header.
Issuer Claim: request.headers.iss-claim
Audience Claim: request.headers.aud-claim
Reduce the validity period to 60seconds to facilitate the testing of both successful and failure scenarios easily.
Cryptographic Algorithm: RS256
Sign Crypto Object: personal_sandbox_tlsp-jwt-keyprofileV1.0.0-key

Click Save and Publish the API.

For simplicity, I’m only using X-IBM-Client-Id as client validation. Let’s generate JWT token now

When using Postman, consider automating the token process with JavaScript instead of copying and pasting the token manually.

Select the Request in Postman and go to Scripts tab. Add following JavaScript to the ‘post-response section’

let access_token = pm.response.headers.get("Authorization");
pm.globals.set("jwt_token", access_token);

Let’s move to now Part 3 of validation of above generated token.

[Part 1/3] Securing APIs using JSON Web Token (JWT) in IBM API-Connect v10 using X.509 RSA key pair

Aditya Singh — Wed, 25 Sep 2024 07:21:36 +0000

Hello Tech Enthusiasts,

You’re here to address the challenge of securing your APIs with JWT generation/validation policy in IBM API Connect. This series of articles will concentrate on the widely requested use of X.509 RSA certificates/keys for signing and verification. I’ll tackle this with a straightforward method, and if you have a more complex requirement, leave your comments, and I’ll craft an article for it. In part 1 of this series, we’ll generate a certificate using DataPower cryptographic tools and upload it to the IBM API Connect Manager UI. Parts-2 and Part-3 will focus on JWT generation and validation, respectively.

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. Refer JSON Web Token Introduction — jwt.io.

Also, do refer IBM Named a Leader in the 2023 Gartner Magic Quadrant for API Management — IBM Blog.

Prerequisites

IBM API Connect — v10.0.5.x (hereafter referred as APIC)
IBM DataPower Gateway (API Gateway) — 10.5.0.x. (hereafter referred as DataPower)
Postman — 11.11.1: For testing JWT generation and validation. Feel free to use any testing tool you prefer.
Certificate/Key Pair: I’ve utilized DataPower cryptographic tools to generate self-sign certificate, but OpenSSL is also an option. In case you’re using pre-defined certificate, you can ignore the step-1

Step 1: Generate Self-Sign Certificate

In BAU world, operation team does uses DataPower Crypto tools on day-to-day basis to generate CSR/key pair for CA signed certificate request other than openssl. Here are quick steps:

Login to DataPower web console (Prefer New UI as the existing is now deprecated. Something I’ll miss for sure!)
Search for Crypto tools and fill out Common-Name (keeping other fields empty and rest setting to default). Click Submit.

The certificates are stored in temporary folder. Download the public/private certificate.

Step 2: Upload the Certificate in APIC TLS Profile

Go to api-manager-ui → Resources → TLS
Create a new Keystore ‘JWT Keystore’ and upload private and public key
Create a TLS Client Profile ‘JWT Keyprofile’ and select ‘JWT Keystore’
Go to Manage → Catalog (I’m using Sandbox as my catalog here) → Catalog setting → TLS client profiles.
Click Edit and select ‘JWT-Keyprofile’

The aforementioned step will generate cryptographic certificate and key objects in DataPower (refer to the screenshot below). These will be utilized in the generation and validation of JWTs.

The file names are in following format:
private-key file: <apim-organization>_<catalog>_tlsp-<apim-tlsclientprofile>V<version>-key

public-cert file: <apim-organization>_<catalog>_tlsp-<apim-tlsclientprofile>V<version>-ca-<sequence number>

In my case,

apim-organization : personal
catalog: sandbox
apim-clientprofile: jwt-keyprofile (what we created in above steps)
version: 1.0.0 (you can see this from api-manager ui)
cert sequence number: This should 0. The incremental is based on in case you add truststore file as well.

Decomposed vs. Microservices

Aditya Singh — Mon, 09 Sep 2024 22:52:42 +0000

Decomposed and Microservices are related concepts, but they are used in different contexts and have distinct meanings.

Decomposed
General Meaning: The term “decomposed” refers to breaking down something into smaller, more manageable parts. This can apply to various fields, such as biology, chemistry, and problem-solving.

In Software: Decomposing a monolithic application involves breaking it down into smaller, more manageable components or services. This process is essential for transitioning to a microservices architecture.

Microservices
Definition: Microservices are an architectural style that structures an application as a collection of small, independent services. Each service is designed to perform a specific business function and can be developed, deployed, and scaled independently.

Benefits

Scalability: Easily scale individual services based on demand.
Flexibility: Different teams can work on different services simultaneously.
Resilience: Failure in one service does not necessarily affect the entire system.
Faster Deployment: Independent services can be deployed without affecting the whole application.

Comparison

Decomposition Process: Decomposing a monolithic application is often the first step towards implementing a microservices architecture. It involves identifying and isolating different functionalities within the monolith and converting them into independent services.
Implementation: While decomposition is a broader concept, microservices specifically refer to the architectural style that results from this decomposition. Microservices require careful planning, including defining service boundaries, managing inter-service communication, and ensuring data consistency.

DEV Community: Aditya Singh

Trigger email in DataPower

Installing IBM API Connect Toolkit on Windows (Designer/UI)

Installation

[Part 3/3] Securing APIs using JSON Web Token (JWT) in IBM API-Connect v10 using X.509 RSA key pair

Update API to Validate JWT token

- Select the API ‘JWT Generation and Validation’ and go to Gateway polices tab.

- Drag gatewayscript policy to operation-switch case 1.

- Copy-paste following code

- Drag jwt-validate and fill the form

- Drag ‘set-variable’ and copy the following yaml to source

- Create Catch policy for error handling

- Save and Publish the API to sandbox catalog

API file

Testing (Success Scenario)

- Add new GET Request in Postman

- Add X-IBM-Client-Idin header

- In Scripts section, copy paste following code to pre-request to GET /validate request:

- First trigger GET /generate request first from Postman to fetch JWT in Authorization

- Now trigger GET /validate request from Postman and verify success 200 Ok with JWT payload details

Testing (Failure Scenario)

Scenario 1: Token is expired

Scenario 2: Token Header is tampered

Scenario 3: Token payload is tampered

Scenario 4: Token signature is tampered

[Part 2/3] Securing APIs using JSON Web Token (JWT) in IBM API-Connect v10 using X.509 RSA key pair

[Part 1/3] Securing APIs using JSON Web Token (JWT) in IBM API-Connect v10 using X.509 RSA key pair

Prerequisites

Step 1: Generate Self-Sign Certificate

Step 2: Upload the Certificate in APIC TLS Profile

Decomposed vs. Microservices

- Drag `jwt-validate` and fill the form