Integrating the Akana API gateway with the Cequence Unified API Protection (UAP) platform involves two phases. In the first phase, deploy Akana to the nodes. In the second phase, create a set of security policies that Akana uses to connect with the Cequence UAP platform.
Deploying Akana
Before you start, verify that your compute environment meets the following prerequisites.
- For optimal performance, use virtual machines with 4 vCPUs, 16GB of RAM, and 50GB of available storage.
- The virtual machines must have at least one fixed IPv4 address.
- Verify that a current version of MySQL is available, including the Java connector driver.
- Verify that a current version of Elasticsearch is available.
- Install the Akana API gateway according to the instructions provided by Akana.
- Edit the recipes/pm-cm-all.json file to add the following line:
{"location":"oauth.json"},
- In the internal/properties/pm-cm-all.properties file, replace all instances of the string "YOUR_PUBLIC_IPv4_DNS" with the string "localhost" or the fully qualified domain name (FQDN) that corresponds to the IPv4 address of the Akana host.
- On hosts with a home directory other than /home/ubuntu, edit the pm-cm-all.properties and nd-cm-all.properties files to replace all instances of the string /home/ubuntu with the actual home directory in use.
- Copy the internal/properties/pm-cm-all.properties and internal/properties/nd-cm-all.properties files to the properties/ folder.
Installing the Policy Manager and Community Manager
Run the following command to install the Policy Manager and Community Manager utilities to the same container.
bin/jython.sh -Dorg.slf4j.simpleLogger.logFile=System.out -m akana.container \
--recipe recipes/pm-cm-all.json --props properties/pm-cm-all.properties
The Policy Manager and Community Manager consoles are available a few minutes after installation. The Admin console for the Policy Manager is at FQDN:9001/admin. The user console for the Policy Manager is at FQDN:9001/console.
The Developer Portal is available at FQDN:9901/akana or FQDN:9900/akana.
Installing the Network Director
Run the following command to install the Network Director utility to a container.
bin/jython.sh -Dorg.slf4j.simpleLogger.logFile=System.out -m akana.container \
--recipe recipes/register-container.json --props properties/nd-cm-all.properties
The Network Director Admin console is available at FQDN:9915/admin.
Deploying a Cequence Policy
From the Developer Portal, create a new deployment zone. Consult Akana documentation for details on the Developer Portal.
Creating the Cequence OAuth Client
From the Developer Portal, create a new app. Set the visibility to Private. Use the Cequence client ID as the App ID. Use the Cequence Client Secret as the Shared Secret. The version ID is 1.
Creating the Cequence API Security Script
This procedure involves importing a script. See Akana documentation on adding a script for details.
- Log in to the Policy Manager console as a tenant organization administrator.
- From API Platform Tenants, select your tenant.
- Click Scripts > Add Script.
- Type CequenceAPISecurityScript as the script name, then click Next.
- From the Language drop-down selector, click JavaScript.
- Paste the code from the scripts/CequenceAPISecurityScript-min.js file in the script field, then click Finish.
- Click Close.
Creating the Cequence OAuth Client Policy
This procedure creates a policy that calls the Cequence authorization endpoint for an access token, then uses that bearer token with Edge service requests in the Authorization header.
- Log in to the Policy Manager console as a tenant organization administrator.
- From the organization tree, select API Platform Tenants.
- Click a tenant.
- Click Policies > Operational Policies.
- Click Add Policy.
- From the drop-down, click OAuth Client Policy, then click Next.
- Type Cequence OAuth Client Policy as the policy name.
- Click Finish.
- Click Close.
- From the Policy page, click Modify.
- Make the following modifications to the policy.
  - Type "profile email" for the scope.
  - Use "client_credentials" as the grant type.
  - From the HTTP Verb drop-down, select POST.
  - Use your Auth endpoint as the Provider Location.
  - Specify "application/x-www-form-urlencoded" as the Provider Content Type.
  - From the drop-down, set the value of HTTP/1.1 Chunked Encoding to True.
- Click Next.
- To enable auditing, select the Generate Audit Data and On Error Only checkboxes.
- Click Finish, then click Close.
- Click Activate Policy, then click OK.
Configuring Cache Time-to-Live for Access Tokens
- Log in to the Network Director console as an administrative user.
- Click Configuration > com.akana.policy.oauth.client.
- Set both Time-to-Live values to one minute less than the expiry time of the Cequence access token. As a best practice, set the expiry time of the Cequence access token to ten hours (36000 seconds) and the Time-to-Live values to 35940 seconds (9 hours 59 minutes).
- Click Apply Changes, then click OK.
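The OAuth Client Policy settings and the Time-to-Live rule above can be traced in code. The following is an added example, not Akana's or Cequence's own code: a small JavaScript client_credentials client that builds the token request the way the policy is configured (POST, application/x-www-form-urlencoded body, scope "profile email"), caches the token for its lifetime minus one minute, and attaches it as a bearer token to an outbound Edge request. The transport function, the clock, the endpoint URLs, the client credentials and the fake authorization server are constructed assumptions so that the example runs offline; it also assumes the client ID and secret travel as client_id and client_secret form parameters, which the guide does not specify.

```javascript
// Added example (not Akana or Cequence code): client_credentials token
// client with a cache whose TTL is the token lifetime minus one minute.
// The transport and clock are injected so the example runs offline.

const TTL_SAFETY_MARGIN_SECONDS = 60; // "one minute less than the expiry time"

// Build the token request as the OAuth Client Policy is configured.
// Assumption: credentials are sent as client_id / client_secret form fields.
function buildTokenRequest(authEndpoint, clientId, clientSecret) {
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    scope: "profile email",
    client_id: clientId,
    client_secret: clientSecret,
  });
  return {
    method: "POST",
    url: authEndpoint,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Cache TTL in seconds: token lifetime minus the safety margin, never negative.
function cacheTtlSeconds(expiresIn) {
  return Math.max(expiresIn - TTL_SAFETY_MARGIN_SECONDS, 0);
}

// Holds one access token and refreshes it once the cache TTL has elapsed.
// transport(request) returns the parsed token response
// ({ access_token, expires_in }); now() returns milliseconds.
class TokenCache {
  constructor(transport, now = () => Date.now()) {
    this.transport = transport;
    this.now = now;
    this.token = null;
    this.expiresAtMs = 0;
    this.fetchCount = 0; // number of calls made to the auth endpoint
  }

  getToken(request) {
    const t = this.now();
    if (this.token !== null && t < this.expiresAtMs) {
      return this.token; // within TTL: reuse the cached token
    }
    const resp = this.transport(request);
    this.fetchCount += 1;
    this.token = resp.access_token;
    this.expiresAtMs = t + cacheTtlSeconds(resp.expires_in) * 1000;
    return this.token;
  }
}

// Add the cached token to an outbound Edge request, as the policy does.
function withBearer(edgeRequest, cache, tokenRequest) {
  const token = cache.getToken(tokenRequest);
  return {
    ...edgeRequest,
    headers: { ...edgeRequest.headers, Authorization: `Bearer ${token}` },
  };
}

// Constructed fake authorization server: validates the request shape and
// issues a fresh token with the ten-hour lifetime the guide recommends.
function makeFakeAuthServer(expiresIn = 36000) {
  let issued = 0;
  return (request) => {
    const params = new URLSearchParams(request.body);
    if (request.method !== "POST" ||
        request.headers["Content-Type"] !== "application/x-www-form-urlencoded" ||
        params.get("grant_type") !== "client_credentials") {
      throw new Error("malformed token request");
    }
    issued += 1;
    return { access_token: `token-${issued}`, token_type: "Bearer", expires_in: expiresIn };
  };
}

// Drive the flow with a controllable clock to show when a refresh happens.
function demo() {
  let clockMs = 0;
  const cache = new TokenCache(makeFakeAuthServer(), () => clockMs);
  const tokenReq = buildTokenRequest("https://auth.example.invalid/token", // placeholder
                                     "example-client-id", "example-client-secret");
  const edgeReq = { method: "POST", url: "https://edge.example.invalid/v1/events", headers: {} };

  const first = withBearer(edgeReq, cache, tokenReq).headers.Authorization;
  clockMs = 35939 * 1000; // one second before the cache TTL ends: still cached
  const second = withBearer(edgeReq, cache, tokenReq).headers.Authorization;
  clockMs = 35940 * 1000; // TTL elapsed: a new token is fetched
  const third = withBearer(edgeReq, cache, tokenReq).headers.Authorization;
  return { first, second, third, fetches: cache.fetchCount };
}
```

Calling demo() shows the second Edge request reusing the cached token one second before the 35940-second TTL ends and the third request triggering a refresh once it has elapsed. Because the cache expires a minute before the token itself does, an Edge request never carries a token that is about to expire, which is the reason the guide sets the Time-to-Live below the token lifetime rather than equal to it.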
Configuring the Cequence Edge Service
The Cequence Edge API uses the Cequence OAuth Client Policy to add Authorization headers with the cached access token to any requests made to that API.
- Log in to the Developer Portal as an administrative user.
- Click APIs > Add API.
- Type Cequence Edge Service as the API name.
- Type your Cequence Edge endpoint.
- In Advanced Options, set Visibility to Private.
- Click Save.
- Click JSON.
- Paste the contents of the docs/oas/cequence-edge-oas-3.json file in the text field, then click Save.
- Click Implementations, then select an implementation.
- Click Deployments > Edit.
- For each deployment zone, delete the default HTTP0 endpoint so that each deployment zone has exactly one HTTPS endpoint.
- Click Save.
- Click Identities > Edit.
- Click Specify Outbound Identities > Add.
- Make the following changes.
  - For the Source Identity, select Static User.
  - For the User Defined Category, type GrantTypeCredentials.
  - For the user name, type the Cequence client ID.
  - For the password, type the Cequence client secret.
- Click Finish, then click Save.
- Refresh the Policy Manager console page, then click API Platform Tenants.
- Select a tenant.
- Select the Cequence Edge Service.
- Expand the Services section and select Cequence_Edge_Service_1_Live.
- Note the value of the Service QName field in the Service Overview section for later use.
- Note the value of the Interface Name field in the Interfaces and Bindings section for later use.
Attaching the Cequence OAuth Client policy
- Log in to the Developer Portal as an administrative user.
- Click API Platform Tenants.
- Select a tenant.
- Select the Cequence Edge Service.
- Expand the Services section and select Cequence_Edge_Service_1_Live_Target.
- Click Manage.
- In Tenant Operational Policies, select the Cequence OAuth Client Policy checkbox, then click Apply.
Creating a Cequence API Security Policy
The Cequence API Security Policy sends traffic data from the APIs it is attached to Cequence for analysis. Consult Akana documentation on policy scripts for details on Akana policies.
- Log in to the Policy Manager console as a tenant administrator.
- Select API Platform Tenants.
- Select a tenant.
- Click Policies.
- Click Operational Policies.
- Click Add Policy.
- From the drop-down selector, select Public Operational Script Policy as the policy type.
- Click Next.
- Type Cequence API Security Policy as the name of the policy.
- Click Finish, then click Close.
- From the Policy Overview page, click Modify.
- From the Language drop-down selector, select JavaScript.
- Expand the Imports section.
- In the Tenant Scripts section, select the CequenceAPISecurityScript checkbox.
- Click <<.
- In the Expression: Code Editor field, paste the contents of the policies/CequenceAPISecurityPolicy.js file.
- Replace the variables CEQUENCE_EDGE_SERVICE_QNAME and CEQUENCE_EDGE_SERVICE_INTERFACE in the pasted JavaScript code with the QName and Interface Name values noted at the end of the Configuring the Cequence Edge Service procedure.
- From the Function drop-down selector, select Post-Policy Auditing.
- Click Finish, then click Close.
- Click Activate Policy, then OK.