Configure web-based settings in API Manager
This topic describes how to configure the options available on the Settings tab in the API Manager web console.
Account settings
You can configure the following settings for your account:
General
Configure the following:
- Image: Click to add a graphical image for the account (for example, .png, .gif, or .jpeg file).
- Login name: Enter a user login name for the account. The default is apiadmin. This is the default API administrator user supplied by API Manager.
- Email: Enter an email address for the account. The default is apiadmin@localhost.
- Enabled: Select whether the account is enabled. The apiadmin account is enabled by default.
- Created on: Displays the date and time at which the account was created.
- Current state: Displays the state of the account. The apiadmin account is Approved by default.
Further information
For more details on user and application management, see Administer APIs in API Manager.
API Manager settings
You can configure the following settings on the API Manager tab:
API Manager settings
Configure the following:
- Application title: Enter the title to be displayed in the browser tab for API Manager. Defaults to Oracle API Manager. This setting is required.
- External host: Enter the host name that API Manager is available on. Defaults to the API Manager IP address.
- Email reply to: Enter the reply to address for email sent from API Manager (for example, the automatically generated emails sent when user accounts are created). Defaults to no-reply@oracle.com.
- Email bounce: Enter the email address used to receive messages about the non-delivery of automatically generated email. Defaults to apiadmin@localhost.
- Demo mode: Select whether demo mode is enabled. When enabled, API Manager automatically generates random data, and displays metrics on the Monitoring tab without needing to send traffic through the API Gateway. Demo mode is disabled by default.
General settings
Configure the following:
- User registration: Select whether automatic user registration is enabled. This is enabled by default.
- Forgot password: Select whether to allow users to ...
- Minimum password length: Select the minimum number of characters required for user passwords. Defaults to 6.
- Auto-approve user registration: Select whether automatic approval of user registration requests is enabled. This is enabled by default.
- Auto-approve applications: Select whether automatic approval of client applications is enabled. This is enabled by default.
- Enable OAuth scopes per application: Select whether to enable OAuth scopes at the level of the client application. This allows the API administrator to create application-level scopes to permit access to OAuth resources that are not covered by API-level scopes. This is not enabled by default. For more details, see the API Gateway OAuth User Guide.
Organization administrator delegation
Configure the following:
- Delegate user management: Select whether organization administrators can create or remove users, and approve user registration requests. This is enabled by default.
- Delegate application management: Select whether organization administrators can create or remove applications, and approve requests from users to create applications. This is enabled by default.
API registration
Configure the following:
- API default virtual host: Enter a host and port on which all registered and published APIs are available. The specified host must be DNS resolvable.
- API promotion via policy: Select whether APIs can be promoted using a policy specified in Policy Studio. For more details, see API Promotion in Policy Studio.
- Enabling the API promotion via policy setting forces a reload of API Manager, and you must log in again. A Promote API option is also then added to the Frontend API management menu. This setting is disabled by default.
- For an overview of API promotion, see Promote managed APIs.
Further information
For more details on user and application management workflows, see Administer APIs in API Manager.
Alerts
You can use API Manager to enable or disable alert notifications for specific events (for example, when an application request is created, or an organization is created). When an alert is generated by API Manager, you can execute a custom policy to handle the alert (for example, to send an email to an interested party, or to forward the alert to an external notification system).
You can use the alert settings in Policy Studio to select which policies are configured to handle each event. For more details, see API management alerts.
Remote hosts
The remote host settings enable you to dynamically configure connection settings to back-end servers that are invoked by front-end APIs. API Administrators can edit all remote hosts in all organizations.
Required settings
Configure the following required settings:
- Name: Enter the remote host name (for example, www.google.com).
- Port: Enter the TCP port to connect to on the remote host. Defaults to 80.
- Maximum connections: Enter the maximum number of connections to the remote host. If the maximum number of connections is reached, the underlying API Gateway waits for a connection to drop or become idle before making another request. Defaults to -1, which means there is no limit.
- Organization: The organization to which the remote host belongs. This is only displayed for API administrators.
General settings
Configure the following optional settings:
- Allow HTTP 1.1: The underlying API Gateway uses HTTP 1.0 by default to send requests to a remote host. This prevents any anomalies if the destination server does not fully support HTTP 1.1. If the API Gateway is routing to a remote host that fully supports HTTP 1.1, you can use this setting to enable the API Gateway to use HTTP 1.1. This is disabled by default.
- Include Content-Length in request: When this option is selected, the underlying API Gateway includes the Content-Length HTTP header in all requests to this remote host. This is disabled by default.
- Include Content-Length in response: When this option is selected, the underlying API Gateway includes the Content-Length HTTP header in all responses to this remote host. This is disabled by default.
- Send SNI TLS extension to server: Adds a Server Name Indication (SNI) field to outbound TLS/SSL calls that shows the name the client used to connect. For example, this is useful if the server handles several different domains, and needs to present different certificates depending on the name the client used to connect. This is disabled by default.
- Verify server's certificate matches requested hostname: Ensures that the certificate presented by the server matches the name of the remote host connected to. This prevents host spoofing and man-in-the-middle attacks. This setting is enabled by default.
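The hostname check described in the last item, as an added example that is not API Gateway code: a simplified comparison of the remote host Name with the DNS names in a presented certificate. The function names and sample host names are constructed for illustration, and IP addresses and internationalized names are left out.

```python
def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def dns_name_matches(pattern, hostname):
    """Compare one certificate dNSName entry with the requested host name.
    A wildcard is honoured only as the complete left-most label and
    stands for exactly one label."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.com" is never accepted.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial or non-left-most wildcards are rejected
    return p == h


def verify_remote_host(remote_host_name, cert_dns_names):
    """True if any dNSName in the presented certificate covers the
    configured remote host Name."""
    return any(dns_name_matches(n, remote_host_name) for n in cert_dns_names)


# Constructed sample values (not from the product or a real deployment).
REMOTE_HOST = "api.backend.example"
GOOD_CERT = ["backend.example", "*.backend.example"]
WRONG_CERT = ["api.other.example"]      # valid certificate, different host
TOO_BROAD = ["*.example"]               # wildcard spans the wrong depth

if __name__ == "__main__":
    for names in (GOOD_CERT, WRONG_CERT, TOO_BROAD):
        print(names, verify_remote_host(REMOTE_HOST, names))
```

With the setting disabled, the second and third certificates would be accepted as long as they chain to a trusted issuer, which is the spoofing case the setting exists to stop.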
Advanced settings
Configure the following advanced settings:
- Connection timeout: If a connection to this remote host is not established within the time specified in this field, the connection times out and fails. Defaults to 30000 milliseconds (30 seconds). This setting is required.
- Active timeout: When the underlying API Gateway receives a large HTTP request, it reads the request off the network when it becomes available. If the time between reading successive blocks of data exceeds the active timeout, the API Gateway closes the connection. This prevents a remote host from closing the connection while sending data. Defaults to 30000 milliseconds (30 seconds). This setting is required.
- Transaction timeout: A configurable transaction timeout that detects slow HTTP attacks (slow header write, slow body write, slow read) and rejects any transaction that keeps the worker threads occupied for an excessive amount of time. The default value is 240000 milliseconds. This setting is required.
- Idle timeout: The underlying API Gateway supports HTTP 1.1 persistent connections. The idle timeout is the time that API Gateway waits after sending a message over a persistent connection to the remote host before it closes the connection. Defaults to 15000 milliseconds (15 seconds). Typically, the remote host tells the API Gateway that it wants to use a persistent connection. The API Gateway acknowledges this, and keeps the connection open for a specified period of time after sending the message to the host. If the connection is not reused within the idle timeout period, the API Gateway closes the connection. This setting is required.
- Include correlation ID in headers: Specifies whether to insert the correlation ID in outbound messages. This means that an X-CorrelationID header is added to the outbound message. This is a transaction ID that is attached to each message transaction that passes through API Gateway, and which is used for traffic monitoring in the API Gateway Manager web console. You can use the correlation ID to search for messages in the web console, and you can also access its value from a policy using the id message attribute. This setting is enabled by default.
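How the active and transaction timeouts above interact, as an added example that is not API Gateway code: a small model that replays block arrival times against the two default values from this page. The function, class, and trace names are constructed for illustration.

```python
from dataclasses import dataclass

# Defaults stated on this page, in milliseconds.
ACTIVE_TIMEOUT_MS = 30000
TRANSACTION_TIMEOUT_MS = 240000


@dataclass
class Verdict:
    closed: bool   # True if the transaction would be dropped
    reason: str    # "completed", "active timeout" or "transaction timeout"
    at_ms: float   # milliseconds since the transaction started


def evaluate(block_times_ms, active_ms=ACTIVE_TIMEOUT_MS,
             transaction_ms=TRANSACTION_TIMEOUT_MS):
    """Replay block arrival times (ms since start, ascending) and report
    which timeout, if any, ends the transaction first."""
    last = 0
    for t in block_times_ms:
        # Earliest of: gap since the previous block, total transaction time.
        deadline, reason = min((last + active_ms, "active timeout"),
                               (transaction_ms, "transaction timeout"))
        if t > deadline:
            return Verdict(True, reason, deadline)
        last = t
    return Verdict(False, "completed", last)


# Constructed arrival traces, not captured traffic.
NORMAL = [50, 120, 300]                        # prompt sender
STALLED = [100, 40000]                         # one 39.9 s gap
SLOW_DRIP = list(range(25000, 325000, 25000))  # a block every 25 s for 300 s

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("stalled", STALLED),
                        ("slow drip", SLOW_DRIP)):
        print(name, evaluate(trace))
    # Without a transaction limit the slow drip is never cut off.
    print("no limit", evaluate(SLOW_DRIP, transaction_ms=float("inf")))
```

The slow-drip trace never leaves a gap longer than the active timeout, so only the transaction timeout ends it; raising that value far above the default widens the window in which one peer can hold a worker thread.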
Further information
The remote host settings available in API Manager are a subset of the settings available in Policy Studio. For more details on remote hosts, see the API Gateway Policy Developer Guide.