By Mamoon Yunus | Date posted: February 5, 2014
In this tutorial, you will learn how to rapidly protect your corporate APIs by providing a centralized SSL policy for your service. We will use three components for this tutorial: (i) TempConvert – a publicly available service that will be the corporate service that you plan to protect through SSL (ii) Forum Sentry to enable centralized API security via an SSL policy (iii) SOAPSonar used as a testing tool. Download and install Forum Sentry and SOAPSonar to follow this tutorial.
Load the service description for TempConvert by entering the URL in the Capture WSDL field shown in SOAPSonar interface below. You can then invoke and test the service to ensure that it is working as expected. Entering 28 degrees Fahrenheit returns -2.22 degrees Celsius.
Log into the Forum Sentry web-based administrator and select Gateway –> WSDL Policies from the navigation panel. Enter the URL for the TempConvert service description shown in the interface below.
Forum Sentry walks you through a quick process to setup a Listener Policy with the Listener IP and Listener Port recommended for the listener that now acts as the front end for your corporate service, TempConvert. The users of your services, coming in from outside your corporate perimeter, interact with Forum Sentry Listener Policy that centralizes the data security functions without permitting direct access to your internal corporate systems. In the interface shown below, the Virtual Directory Path is modified to hide implementation details for your corporate services. For TempConvert, the .asmx extension advertises a .NET implementation. Such details should be hidden for externally facing services to mitigate threat vectors. The Remote Policies point to the Host and Port where TempConvert lives and runs.
Once the API service description policies are loaded through the WSDL files, Forum Sentry displays details of all the services available. The Virtual URI is where the traffic come into Forum Sentry and the Physical URI is where the service is physically hosted. As shown in the screenshot below, the services and related message input and output message types are displayed for the services that are loaded into Forum Sentry. At this point, you are ready to start sending traffic through Forum Sentry. To expose the service description file (WSDL) via Forum Sentry, click on TempConvertSOAP under PORT and select check Enable WSDL access.
In SOAPSonar, load the service description exposed via Forum Sentry by inserting the Virtual URI along with the ?WSDL into the Capture WSDL as shown in the screenshot below. Notice that in the left-hand navigation panel, two tree views are visible, one for SOAPSonar interacting with the TempConvert service directly (tempconvert.asmx) and the other interacting via Forum Sentry (SecureService).
You are now ready to start locking down your services. The first step is to enable SSL so that all external communication with your corporate service is at least protected during communication. To enable SSL, you’ll need to generate keys and set up and SSL policy. These steps are described in the following tutorials:
Once you have generated keys and configured an SSL policy, you can simply associate the SSL policy with the Listener Policy by going to Gateway –> Network Policies and selecting your SSL Termination Policy. The Listener has now been converted from HTTP to HTTPS and listens on port 443.
The request through Forum Sentry using the SOAPSonar configuration has to be modified to use HTTPS and port 443 as show in the screenshot below.
As shown in this tutorial, with a few simple point-and-click steps, you can protect your APIs by first enabling SSL using Forum Sentry. There are significant advantages of using a centralize API Gateway for SSL including better management, reduced cost and superior performance.
Read more about Advantages of API Gateway for Managing SSL.