1 Understanding API Management with the PRM Portals

This chapter provides an overview of Oracle Communications Services Gatekeeper application programming interface (API) management platform and its partner relationship management (PRM) portal applications.

About the Services Gatekeeper API Management Platform

You use the Services Gatekeeper API Management platform to create applications that subscribe to APIs for the services you expose. Through these applications, you can provide network quality of service (QoS) control, messaging, call control, big data analytics to internal developers, partners, and third-party developers.

The Services Gatekeeper API management platform processes all requests for the APIs associated with the services it supports. This processing included default actions you can take on messages, and options to create your own processing. For example, you can:

Normalize all incoming requests to a unified format for processing the requests.
Customize the message process flow as necessary.
Regulate the use of your network resources and communication web services.
Provide an API proxy for the services to expose by specifying the network address for the service.
Provide a documentation URL describing the service, for use by internal or third-party developers.

Services Gatekeeper supports the API management platform in both single-tier and multi-tier environments. By default, the API Management platform is deployed as a single layer, with the possibility to cluster nodes together. It can also be deployed in application-tier or service-tier clusters. See Services Gatekeeper Concepts for more information.

About the PRM Portals and Users

The Services Gatekeeper API platform supports the following web-based PRM portals that offer three different roles for managing APIs:

Partner and API Management Portal

You use the Partner and API Management Portal to:
- Create and manage APIs for use in applications.
  
  The APIs are configured from network service interfaces (created in Network Service Supplier Portal), communication service APIs, and Web service APIs provided by Service Gatekeeper.
- Review and approve applications that use the exposed APIs. These applications are created in Partner Portal.
- Manage partner groups and service level agreements.
- Configure rules as a chain or chains of actions and locate the actions in the application-initiated or service-initiated flow of the request, as appropriate.
Your network operators and enterprise customers work with Partner and API Management Portal. They create and manage APIs, approve partner applications, manage partner groups, and also manage partner and network service supplier accounts.

This document and the Online Help documentation refer to users of Partner and API Management Portal as partner managers.
Network Service Supplier Portal

Network service suppliers (NSSs) use Network Service Supplier Portal to provision network resources as network service interfaces. You then use Partner and API Management Portal to manage their network service interfaces, and use them to create APIs for partner applications.

NSSs can be in your group, in another group in your company, or from a separate entity (company) entirely. They use Network Service Supplier Portal for this, and gain access by completing an online registration request. The NSSs receive an email notification from the partner manager, approving or deleting the authorization request.

This document and the Online Help documentation refer to users of Network Service Supplier Portal as network service suppliers or NSSs.
Partner Portal

You use the Partner Portal to create applications. These applications represent services that you provide to your customers. You configure them from the network resources and communication web services running on the Services Gatekeeper.

Each partner application subscribes to one or more APIs exposed by Partner and API Management Portal. When active, a partner application can successfully handle associated HTTP requests and responses to maintain quality of service. Each contains logic targeted to improve customer satisfaction, such as setting the permissions for a request to exceed the quota limit.

Application developers require authorization to use Partner Portal. Each application developer completes an online registration request displayed by Partner Portal. The application developer receives an email notification from the partner manager announcing that the request was approved or denied.

This document and the Online Help documentation refer to users of Partner Portal as partners.

Figure 1-1 shows the users of the three portals and the data they create, access, and use in the Services Gatekeeper platform.

Figure 1-1 Services Gatekeeper PRM Portal Users and Data

How the API Management Platform Works

Services Gatekeeper uses the API Management platform to intercept and process the requests and responses in real-time, using actions that you specify. You configure these actions or chains of actions in the Partner and API Management Portal. You order the actions as necessary in the application-initiated or service-initiated flow of the traffic. When Services Gatekeeper receives a request message, it processes the incoming request and performs the actions that you have specified on it. For example, you can use actions to:

Maintain security (such as verifying the service level agreement).
Transform the message format as necessary (such as from JSON to XML format).
Any other custom tasks you configure for the message flow.

You can manage endpoint routing by customizing actions, such as Groovy injection methods, or by using Java-based service provider interface. These actions can provide specific logic for interacting with third-party APIs, filtering or modifying field values, and so on. See "Configuring Actions Chains to Manage API Traffic" for more information.

About the Elements that Control the Quality of Service

The quality of service a Partner Portal application provides to the end user depends on:

Application specifics in Partner Portal.
Network service specific in the Network Service Supplier Portal.
The API specifics in the Partner and API management Portals.

These factors determine quality of service:

Service interfaces exposed by the network
Maximum usage and throughput for the service exposed
The API methods subscribed to in an application
Service level agreements in effect for the API methods selected in an application
Request limits and quotas for the partner group (to which an application belongs)
Interceptors and action elements that act upon the request or response in real time

When an application developed using the PRM portals is in an active state, the API management platform receives the associated HTTP requests and proxies each request based on predefined rules set up in the portals.

About Developing APIs

The process required to provide your network services as APIs to be called in real time consists of the following tasks:

Configuring Network Service Interfaces to Expose Your Services
Configuring APIs to Expose Your Services For Use by Partner Applications
Subscribing to APIs to Enhance Partner Applications

Configuring Network Service Interfaces to Expose Your Services

Network service suppliers create network service interfaces from the network resources that they want to expose. As a network service supplier, you control how partner managers (and therefore, partners) use your network services by specifying the throughput capacity for the network resource in each network service interface you create. This helps safeguard the associated networks from external attacks, and the resources from being overloaded.

Network service suppliers create these interfaces in Network Service Supplier Portal and Services Gatekeeper make these interfaces available in Partner and API Management Portal. Partner managers work offline with you to ensure that the network services interfaces are optimally configured for use in the network.

For example, your network group wants to market a Web service that permits applications or games to store and retrieve high scores for their games. Your network service supplier creates an interface for such a service in Network Service Supplier Portal under the name of High Score Game RESTful web service and makes it available to the network operator (partner manager). For each interface, the network service supplier provides the access URL for the interface and also information about the accessible methods of the interface.

Configuring APIs to Expose Your Services For Use by Partner Applications

As a partner manager, you use Partner and API Management Portal to create and expose APIs using the available network service interfaces and Services Gatekeeper communication services. In addition, you manage the different versions of the APIs and the life cycles of your client applications.

You exercise full control over the resource throttling and security processes by configuring elements (such as maximum usage, throughput) in the APIs you expose. You can configure Services Gatekeeper to perform actions on both the API request and response traffic using the request and response actions chains.

Continuing with our example, you (as a partner manager) use the High Score RESTful Game web service network service interface to create and publish an API called High Score Game Notification API. You specify:

The maximum usage and throughput for the API service exposed.
Interceptors and action elements to act upon the request or response.
Information about the accessible methods.

Subscribing to APIs to Enhance Partner Applications

Partners (or application developers) use Partner Portal to create applications that subscribe to one or more APIs. Before registering the application, partners collect all the information necessary, including:

Name and description of the application.
The time period when the application is active.
The service to provide.
The rate at which the application provides the service.

As a partner, you register an application by entering the appropriate information about the application. You can select the APIs that provide the services your application when you create the application, or later. Your partner manager publishes the list of APIs that are available to the applications.

For each API, you specify a desired number of requests that the application sends to the network and the minimum number of requests it receives from the network within an allotted time. By doing so for each API you include in the application, you can tailor the quality of services you provide to your customers.

When you have configured an application, you submit the application registration request to your partner manager for approval. When your partner manager approves the application, Partner Portal displays the application registration approval notification. Then, you access the application in Partner Portal and set a traffic user password. The application is then available for you to make API changes, and is ready for use.

In our example, an online gaming application company owns a game called Textrocks. In order to enhance the user experience, the online gaming application company wants to upgrade that game with the ability to query for high scores. Your partner is associated with that online gaming application company. Your partner sees the High Score Game Notification API displayed in Partner Portal. The partner clicks the API, opens the API description document, and upgrades the Textrocks software by using the required methods of the High Score Game Notification API. After the partner manger approves the application, the partner sets up the traffic password and the API is then ready for use.

How Services are Deployed Using PRM Portal Applications

Figure 1-2 Steps in the PRM API Development Process

Description of ''Figure 1-2 Steps in the PRM API Development Process''

Figure 1-2 shows how the three PRM API portals deploy services in your network:

The network service supplier uses Network Service Supplier Portal to publish a network service interface.
Services Gatekeeper displays the network service interface in Partner and API Management Portal.
The partner manager uses the interface to create an API in Partner and API Management Portal.
The partner manager changes the status of the API to be published in Partner and API Management Portal.
Services Gatekeeper displays the API in Partner Portal.
The partner views the API in Partner Portal. The partner creates an application that subscribes to this API and specifies the desired request limit and quota. The partner submits the application to be registered for use.

The partner can also create an application without an API and subscribe to them later.
Services Gatekeeper displays the application registration request in Partner and API Management Portal.
The partner manager reviews the application registration request and approves it.

The partner manager may also deny a request based on service level agreements and resource-related factors, such as the resource requests and quotas in effect.
Services Gatekeeper displays the approval (or denial) of the application registration request in Partner Portal.
If the application registration request is approved, the partner sets the traffic user password in the application. This password enables tracking traffic usage in the network.

If the application registration request is rejected, the partner can change it and resubmit the application.

Understanding API Management Security

You need to consider these aspects of Services Gatekeeper API Management Security:

Securing the Services Gatekeeper administration, portal, and managed servers. For information, see the Services Gatekeeper Security Guide in general and the ”Deploying Services Gatekeeper in a Demilitarized Zone” chapter in particular.
Securing the traffic between web-based users and applications and Services Gatekeeper. For details, see ”Securing Network Traffic for APIs” in Services Gatekeeper Security Guide.
Securing Services Gatekeeper APIs from unauthorized access. See "Securing the Services Gatekeeper API Methods" for details.
Securing your API services (backend services) from unauthorized access. See "Securing the API Service" for details.
Securing web traffic by creating white list of IP addresses allowed to communicate with your REST-based APIs. See ”Protecting REST APIs with a White List of IP Addresses” in Services Gatekeeper Security Guide for details.

Using Cross-Origin Security with APIs

You can take advantage of browser validation features by using Cross-Origin Resource Security (CORS) to validate cross-origin resource requests. You do this per-API by configuring and adding the Services Gatekeeper CORS action in the API request action chain. You generally configure the allowed CORS origins, headers, and methods, and the action chain fails processing if the request message does not match the configuration. However, you also have to option to pass non-conforming request headers, which can then be configured to fail at the browser level.

See "Understanding the Default Actions" for a description of the options available. See Partner and API Management Portal Online Help for details about how to configure the CORS action.

About PRM Portal Service Level Agreements

Partner managers create partner groups and assign all partner accounts to a partner group.

When a partner manager creates a partner group, for example a partner group called Platinum, the partner manager sets up a service level agreement (SLA) for that partner group. A partner group SLA defines:

A partner group's request limit for a service. That is, the number of requests per second allowed.
The quota limit. That is, the number of requests the partner group can process.
The number of days for processing the requests allowed for that group.

The quota limit is an integer with a maximum value of 2147483648 requests.

When creating an API, the partner manager can restrict the availability of that service to specific partner groups, or expose the API to all partner groups. Private APIs are only visible and available to the members of the groups you specify.

If the partner manager makes an API public, the API is visible and available in Partner Portal for all partner accounts.

Services Gatekeeper provides a default partner group called sysdefault_sp_group. When a partner manager creates or approves a partner account, Services Gatekeeper assigns that partner account to sysdefault_sp_group. This default service provider group has a blank SLA and therefore no request limits or quota allotments. Until a newly created partner account is assigned to a different partner group, the partner who owns that account has no APIs available and cannot successfully register an application.

Partner managers can create any number of uniquely named partner groups and change the group assignment for a partner account. At any given time, a partner account is assigned to one partner group and the partner is notified whenever there is a change to the group assignment. Partner managers also manage the partner accounts and partner groups they create and, when necessary, delete them.

If a partner manager assigns a partner account to a different partner group, the partner manager must reconcile any discrepancies between the allowances stipulated by the SLA of the new partner group and the usage requirements of the applications associated with the partner account. See "Group Assignments for Partners and SLAs".

About Extending the PRM API Portals

Partner managers can extend and customize portals by adding new pages to the portals, and creating a new navigation entry points to enter these new pages. For more information, see "About Customizing PRM Portals".