How to do API Protection with 3scale API Manager?
Hi everyone,
I want to protect API calls via the API protection with F5. It uses a swagger OpenAPI Spec file 2.0 or 3.0 to control all the methods - urls and more.
The API calls are managed by the Red Hat 3Scale API Manager, but we can't seem to find this swagger file. How would we best approach this? Also, let's say we have the swagger file, and something changes to it, how do we update that? While also retaining custom addition/signature exclusions? for this, the more automation the better :).
I found that F5 and 3Scale did some kind of colaboration but verry little is found to actually implement it. https://www.f5.com/pdf/partners/red-hat-3scale-api-gateways.pdf
Any input is welcome on how to tackle this problem. Thanks in advance!
Hi Cypher ,
The approach I would take to a scenario like this is to include responses in your Policy Builder (if you have that set for the policy).
This will mean that you have a way of 'tracking' the URIs that are sent in the responses.
At a very basic level, API discovery technologies will have a API schema (which in your case you don't), and then monitor the responses sent back from the origin servers. The drift between these is the 'shadow APIs'. This is not all of the mechanisms in API discovery, but just giving you some ideas on how you can implement a similar type of control with AWAF.
By the way your comment about APIs being onboarded and offboarded is a concern, this is the very thing that needs to have a level of control - at least to a transparent/logging level. In most not all scenarios, you should not be creating too many Hostname or differfent URI endpoints in production regularly, as it may be the services that host those URIs that can change daily, etc. But if you are in a situation where the URI endpoints and Hostnames terminating on the API gateway change quite frequently, then definitely having a policy that tracks responses is a good measure as a start.
Also, to point out, that the gateway vendor should not matter in this scenario as at a foundational level you are in front of something that speaks HTTP, URIs, JSON, etc.