Oracle® Fusion Middleware
Part 7. API Gateway instances

HTTP services groups should consist of at least one HTTP interface together with at least one relative path. The HTTP interface determines which TCP port the API Gateway instance listens on, while you can use the relative path to map a request received on a particular path (request URI) to specific policies. You can add several HTTP interfaces to the groups, in which case requests received on any one of the opened ports are processed in the same manner. For example, http://[HOST]:8080/test and http://[HOST]:8081/test requests can both be processed by the same policy (mapped to the /test relative path).

Similarly, you can add multiple relative paths to this HTTP services group, where each path is bound to a specific policy or chain of policies. For example, if a request is made to http://[HOST]:8080/a, it is processed by Policy A; whereas if a request is made to http://[HOST]:8080/b, it is handled by Policy B. As a side-effect of this configuration, requests made to the other interface are also processed by the same policy, meaning that a request made to http://[HOST]:8081/b is also handled by Policy B.

Effectively, this means that relative paths configured under the HTTP services group are bound to all HTTP interfaces configured for that group. If you have two interfaces listening on ports 8080 and 8081, requests to http://[HOST]:8080/a and http://[HOST]:8081/a are handled identically by the API Gateway instance.

What happens if you want to distinguish between receiving requests on the two different ports? For example, you want requests to http://[HOST]:443/a to be processed by an SSL Validation policy, while requests for http://[HOST]:8080/a to be handled by a standard Schema Validation policy.

The addition of a new HTTP services group can resolve this issue. The new SSL HTTP Services Group opens a single HTTPS interface that listens on port 443, and is configured with a relative path of /a to handle requests on this path. The configuration is summarized in the following table:

With this configuration, when you receive a request on http://[HOST]:8080/a, it is handled by the Schema Validation Policy. But when you get a request to the SSL port on http://[HOST]:443/a it is processed by the SSL Validation Policy. Using HTTP services groups in this way, you can configure the API Gateway instance to dispatch requests received on the same path (for example, /a) to different policies depending on the port on which the request was accepted.

By default, the API Gateway ships with preconfigured HTTP services groups (for example, Default Services and Management Services). By default, Management Services are not displayed in the Policy Studio, but can be displayed using the Preferences menu. The Default Services group contains some general purpose default policies for use with an out-of-the-box installation of the API Gateway. In addition to the preconfigured service groups, you can add new HTTP services groups to dispatch requests to different policies, based on the port on which the requests are received. For more details on the default Management Services group, see the section called “Management services”.

To add a service group, perform the following steps:

When an HTTP service group is created, you can configure it with the HTTP services described in this topic.

The following fields on the Network tab are common to both the HTTP Interface and HTTPS Interface dialogs, and must be configured for both types of interface:

Port:

The port number that the API Gateway instance listens on for incoming HTTP requests.

Address:

The IP address or host of the network interface on which the API Gateway instance listens. For example, you can configure the instance to listen on port 80 on the external IP address of a machine, while having a Web server running on the same port but on the internal IP address of the same machine. By entering *, the instance listens on all interfaces available on the machine hosting the API Gateway.

Protocol:

Select the Internet Protocol version that this Interface uses. You can select IPv4, IPv6, or both of these protocol versions. Defaults to IPv4.

Trace level:

The level of trace output. The possible values in order of least verbose to most verbose output are:

The default trace level is read from the system settings.

Enable interface:

Deselect this setting to disable this HTTP interface. This setting is enabled by default.

The fields on the Traffic Monitor tab are common to the HTTP Interface and HTTPS Interface dialogs. To override the system-level settings at HTTP or HTTPS interface level, select Override settings for this port, and configure the relevant options. For more details, see the API Gateway Administrator Guide.

The following fields on the Advanced tab are common to both the HTTP Interface and HTTPS Interface dialogs, and must be configured for both types of interface:

Backlog:

When the API Gateway instance is busy handling concurrent requests, the operating system can accept additional incoming connections. In such cases, a backlog of connections can build up while the operating system waits for the instance to finish handling current requests.

The specified Backlog value is the maximum number of connections the API Gateway instance allows the operating system to accept and queue up until the instance is ready to read them. The larger the backlog, the larger the memory usage. The smaller the backlog, the greater the potential for dropped connections.

Idle Timeout:

The API Gateway supports the use of HTTP 1.1 persistent connections. The Idle Timeout is the time that the API Gateway instance waits after sending a response over a persistent connection before it closes the connection. Defaults to 60000 milliseconds (60 seconds).

Typically, a client tells the instance that it wants to use a persistent connection. The instance acknowledges this instruction and decides to keep the connection open for a certain amount of time after sending the response to the client. If the client does not reuse the connection by sending up another request within the Idle Timeout period, the instance closes the connection.

Active Timeout:

When the API Gateway instance receives a large HTTP request, it reads the request off the network as it becomes available. If the time between reading successive blocks of data exceeds the Active Timeout, the instance closes the connection. Defaults to 60000 milliseconds (60 seconds).

This guards against a client closing the connection while in the middle of sending data. Imagine the client's network connection is pulled out of the machine while in the middle of sending data to the instance. When the instance has read all the available data off the network, it waits the Active Timeout period of time before closing the connection.

Maximum Memory per Request:

The maximum amount of memory in bytes that the API Gateway instance allocates to each request. For more details, see General settings in the API Gateway Administrator Guide.

Input Encodings:

Click the browse button to specify the HTTP content encodings that the API Gateway can accept from peers. The available content encodings include gzip and deflate. By default, the content encodings configured in the Default Settings are used. You can override this setting at the HTTP interface level and in the Remote Host Settings. For more details, see the topic on Compressed content encoding.

Output Encodings:

Click the browse button to specify the HTTP content encodings that the API Gateway can apply to outgoing messages. The available content encodings include gzip and deflate. By default, the content encodings configured in the Default Settings are used. You can override this setting at the HTTP interface level and in the Remote Host Settings. For more details, see the topic on Compressed content encoding.

Transparent Proxy - allow bind to foreign address:

Enables the use of the API Gateway as a transparent proxy on Linux systems with the TPROXY kernel option set. When selected, the value in the Address field can specify any IP address, and incoming traffic for the configured address/port combinations is handled by the API Gateway. For more details and an example, see Configure a transparent proxy.

Include correlation ID in headers:

Specifies whether to insert the correlation ID in outbound messages. For the HTTP transport, this means that an X-CorrelationID header is added to the outbound message. This is a transaction ID that is tagged to each message transaction that passes through the API Gateway, and which is used for traffic monitoring in the API Gateway Manager web console.

You can use the correlation ID to search for messages in the console. You can also access the its value using the id message attribute in an API Gateway policy. An example correlation ID value is Id-54bbc74f515d52d71a4c0000. This setting is selected by default.

Threat Protection Settings:

Select whether to Protect this interface with Threat Protection rules using Apache ModSecurity. This is a toolkit for real-time HTTP traffic monitoring, logging, and access control, which helps to mitigate application-level threats to APIs. The ModSecurity engine is embedded in API Gateway to provide API firewalling. This setting is not selected by default. When this is selected, all traffic is processed by the ModSecurity engine, and threats are rejected based on the configured rules. For more details, see the API Gateway Administrator Guide.

Configuring Conditions for an HTTP Interface

You can configure the API Gateway to bring down an active HTTP interface if certain conditions fail to hold. For example, the HTTP interface can be brought down if a remote host is not available or if a physical network interface on the machine on which the API Gateway is running loses connectivity to the network. For more details, see the Configure conditions for HTTP interfaces topic.

You must complete the same fields for an HTTPS interface on the Network tab as for an HTTP interface, with the addition of the following setting:

X.509 Certificate:

Click the X.509 Certificate button to select the certificate that the API Gateway uses to authenticate itself to clients during the SSL handshake. The list of certificates currently stored in the Certificate Store is displayed. Select a single certificate from this list.

You can configure clients to authenticate to the API Gateway on the Mutual Authentication tab. The following options are available:

Client certificates are typically issued by a Certificate Authority (CA). In most cases, the CA includes a copy of its certificate in the client certificate so that consumers of the certificate can decide whether or not to trust the client based on the issuer of the certificate.

A chain of CAs can also issue the client certificate. For example, a top-level organization-wide CA (for example, Company CA) may have issued department-wide CAs (for example, Sales CA, QA CA, and so on), and each department CA is then responsible for issuing all department members with a client certificate. In such cases, the client certificate may contain a chain of one or more CA certificates.

Maximum depth of client certificate chain:

You can use this field to configure how many CA certificates in a chain of one or more are trusted when validating the client certificate. By default, only one issuing CA certificate is used, and this certificate must be checked in the list of trusted root certificates. If more than one certificate is used, only the top-level CA must be considered trusted, while the intermediate CA certificates are not.

Root Certificate Authorities trusted for mutual authentication:

Select the root CA certificates that the API Gateway considers trusted when authenticating clients during the SSL handshake. Only certificates signed by the CAs selected here are accepted.

You can complete the following settings on the Advanced (SSL) tab:

Check that the SSL certificate's Subject CN resolves to network address:

When this setting is selected the API Gateway attempts to resolve the SSL certificate's Subject Common Name (CN) to the network address configuring the SSL interface. If the Subject CN cannot be resolved to the network address, a warning is output in the error traces. This setting is selected by default. You can deselect this setting to disable checking the certificate's Subject CN.

SSL Server Name Identifier (SNI):

You can specify the host names requested by clients in the SSL Server Name Identifier (SNI) table. SNI is an optional TLS feature where the client indicates to the server the host name used to resolve the server address. This enables a server to present different certificates for clients to ensure the correct site is contacted.

For example, the server IP address is 192.168.0.1. The DNS is consulted by clients to resolve a host name to an address, and the server address is contacted using TCP/IP. If both www.acme.com and www.anvils.com resolve to 192.168.0.1, without SNI, the server does not know which host name the client uses to resolve the address, because it is not party to the client DNS name resolution. The server may certify itself as either service, but when the connection is established, it does not know which host name the client connects to.

With SNI, the client provides the name of the host (for example, www.anvils.com) in the initial SSL exchange, before the server presents its certificate in its distinguished name (for example, CN=www.anvils.com). This enables the server to certify itself correctly as providing a service for the client's requested host name.

To specify an SNI, perform the following steps:

Ciphers:

You can specify the ciphers that the server supports in the Ciphers field. The server selects the highest strength cipher (that is also supported by the client) from this list as part of the SSL handshake. For more information on the syntax of this setting, see the OpenSSL documentation.

SSL session cache size:

Specifies the number of idle SSL sessions that can be kept in memory. Defaults to 32. If there are more than 32 simultaneous SSL sessions, this does not prevent another SSL connection from being established, but means that no more SSL sessions are cached. A cache size of 0 means no cache, and no outbound SSL connections are cached.

At DEBUG level or higher, the API Gateway outputs trace when an entry goes into the cache, for example:

DEBUG   09:09:12:953 [0d50] cache SSL session 11AA3894 to support.acme.com:443

If the cache is full, the output is as follows:

DEBUG   09:09:12:953 [0d50] enough cached SSL sessions 11AA3894 to 
support.acme.com:443 already

Ephemeral DH key parameters:

The Diffie Hellman (DH) key agreement algorithm is used to negotiate a shared secret between two SSL peers. This enables two parties without prior knowledge of each other to jointly establish a shared secret key over an insecure communication channel. The Ephemeral DH key parameters setting specifies the parameters used to generate the DH keys.

When DH key parameters are not specified, the SSL client uses the public RSA key in the server's certificate to encrypt data sent to the SSL server, and establish a shared secret with the server. However, if the RSA key is ever discovered, any previously recorded encrypted conversations can be decrypted. DH key agreement offers Perfect Forward Secrecy (PFS) because there is no such key to be compromised.

There are two options when setting the DH parameters: you can enter a number (for example, 512), and the server automatically generates DH parameters with a prime number of the correct size. Alternatively, you can paste the Base64 encoding of an existing serialized DH parameters file. You can use standard DH parameters based on known good prime numbers. OpenSSL ships with the dh512.pem and dh1024.pem files. For example, you can set the DH parameters to the following Base64-encoded string in pdh512.pem:

-----BEGIN DH PARAMETERS-----
MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1X
pKgVfAgEC
-----END DH PARAMETERS-----

The DH parameters setting is required if the server is using a DSA-keyed certificate, but also has an effect when using RSA-based certificates. DH (or similar) key agreement is required for DSA-based certificates because DSA keys cannot be trivially used to encrypt data like RSA keys can.

SSL Protocol Options:

You can configure the following SSL protocol options: