Advantages of API Gateway for managing SSL

Through SSL (SSLv3, TLS v1.1/1.2), API Gateways such as Forum Sentry rapidly secure your APIs that shuttle XML, JSON, HTML, SOAP and Big Data.  API Gateways typically sit in front of  your IT components such as web servers, application servers, ESBs and message queues.

Although most infrastructure components have SSL facilities that can be configured, however, enabling such facilities pose the following issues for enterprises:

  • Difficult to configure and manage:  The command line keytool utility in Java or OpenSSL toolkit has to be used to generate, issue, view and maintain key pairs through the PKI lifecycle.
  • Certificate expense for each node:  Unless you maintain your own root certificate, each key pair has to go through a registration process with a Certificate Authority that can cost $1000/server from a vendor such as Symantec.
  • Load on each server for SSL termination:  Once SSL is turned on with a recommend key-size of 2048-bit or higher, the web server or application server is subject to an order-of-magnitude higher processing load than without SSL.  This results in higher latency and slower response times.

Using API Gateways such as Forum Sentry for centralized management of API security alleviates these issues.  With a few simple steps, Administrators can enable SSL for their API traffic without touching the back end web or application server.

  • Centralized key life-cycle management including key generation, validation, and revocation is controlled simply through point and click mechanisms.  Administrator are not burdened with time consuming and difficult to use command line tools.  Administrators also have deep granular control over cryptographic algorithms and protocols for Securing APIs using SSL.  This results more consistent, controlled and stronger security for enterprise applications.
  • Many web or application servers can be front-ended by a single Forum Sentry SSL policy that uses a single certificate.  Using fewer certificates in a centralized API Gateway with point-and-click policies lowers the expense of ongoing PKI life-cycle management.  Also, fewer certificates have to be purchased by eliminating the need for a certificate for each individual web or application server in your infrastructure.
  • Using a state-of-the-art, dedicated crypto card, Forum Sentry accelerates terminates and initiates SSL connections and removes the burden from the application servers.  To stay below corporate latency thresholds, fewer hardware severs have to be purchased and provisioned by enabling Forum Sentry to handle SSL handshakes.

The first step in securing your APIs, whether they shuttle XML, JSON, XML, HTML or Big Data is to enable SSL security.  Once the communication layer is secured, security and compliance personnel along with enterprise application architects should focus on more granular content-level security to provide privacy and integrity for data at rest.