IBM API Management

IBM API Management
Developer(s)	IBM
Initial release	2.0 12 July 2013;10 years ago
Stable release	v10.0.5 / 30 June 2023;7 months ago
Operating system	Virtual appliance Docker
Available in	Simplified Chinese, Traditional Chinese, US English, French, German, Italian, Japanese, Korean, Brazilian Portuguese, Spanish
Type	Virtual appliance
License	Commercial
Website	http://www.ibm.com/software/products/en/api-management

Last updated February 26, 2024

IBM API Management^[4] (with version 5 renamed to IBM API Connect) is an API Management platform for use in the API Economy. IBM API Connect enables users to create, assemble, manage, secure and socialize web application programming interfaces (APIs).

It provides a developer portal for application developers and to view published APIs. An administration portal allows users to establish policies for APIs such as self-registration, quotas, key management and security policies. An analytics engine provides role-based analytics for API owners, solution administrators and application developers in order to manage APIs and ensure service levels are being achieved. There is also a service called Cloud Manager where the platform is set up with servers, clusters, gateways, user repositories, etc.

Swagger (now called OpenAPI) and WSDL documents can be loaded and parsed into APIs. APIs can be created by describing the input and output in the API Manager User Interface by configuration. APIs can then be decorated with additional data in the form of tags, binary documentation and documentation URLs. APIs can proxy an existing API or use an assembly where a flow is created. In such an assembly flow it is possible to call out to other services, transform response data, redact information and map response data from external APIs to the response of the API.

Plans can be created which specify rate limits, whether sign ups need to be approved, and a collection of APIs to offer to developers. Plans can be published to a specific environment.

An environment consists of a management server (with management console and developer portal) and an API gateway. Plans published to an environment can be visible in the developer portal, enabling developers to sign up to plans and use the APIs contain within. API business owners can customize their developer portal with their branding to advertise, market, socialize and sell APIs. Plans published to an environment can be invoked on the API gateway, delegating to the API gateway responsibility for rate limits, rejecting unknown users and scalability. The API Gateway is one or more IBM DataPower Gateway devices.

The API gateway collects invocation metrics which are available for analysis in the developer portal and API Manager user interfaces. Example metrics collected are API usage, success and failures.

APIs

The product has REST based APIs for accessing and manipulating users, developer organizations, apps, subscriptions. The product has REST based APIs for accessing information about plans, APIs and analytics.

Extension points

The Advanced Developer Portal can be extended with custom content and themes.

Version history

Source:^[5]

Version 4.0.3.0 (November 2015)

Version 4.0.3 introduced the following new capability:

Redirect capabilities for OAuth authentication

Access Code Flow and Implicit Flow OAuth schemes now support authentication through pages hosted external to IBM API Management. Through this capability, you can authenticate your users during an OAuth 2.0 scheme by using methods that are not otherwise supported by API Management. For more information, see Authenticating and authorizing through a redirect URL.

Advanced Developer Portal enhancements

You can now configure your Advanced Developer Portal front page to differ for users with different roles, including enhancing and personalizing the individual experience for unauthenticated users who visit your portal site. For more information, see Configurable role-based front pages.
With increased capacity to customize flood control, profanity filtering and forum access control you can now further manage the security for your Advanced Developer Portal site. For more information, see Flood control, Profanity filtering, and Controlling access to forums .
You can now link to your social media sites from anywhere in the Advanced Developer Portal, and customize the appearance and positioning of the links to your sites, increasing your visibility to users of your Advanced Developer Portal and allowing them to engage. For more information, see Linking to social media sites.

User-defined policy enhancements

You can now set variables to a specified string value by using the setVariable template. You can then retrieve these values by using the function getVariable(). You can also use the payloadType() function to determine what type of payload (XML or JSONx) will be returned by the payloadRead() function. For more information about these enhancements, and all the DataPower processing rules and actions that can be applied to user-defined policies, see Implementing your policy.

Auditing and logging enhancements

Enhancements to auditing and logging now provide the ability to retrieve audit events from the management node programmatically. This enhancement allows a syslog collector to be configured to accept the messages and write them to an external data store for further processing or archiving, or both. For more information see Syslog auditing and your cloud and Syslog configuration.

Version 4.0.2.0 (July 2015)

Version 40 20 introduced the following new capability:

Enhanced support for Swagger 2.0

Add external documentation to an API
Deprecate a REST API operation
Specify the protocol schemes an API supports
Add Swagger extensions to an API

Additional enhancements

Specify the OPTIONS HTTP method.
Enable cross-origin resource sharing (CORS) support for an API.
Supports DataPower 7.2.
The Topology Administrator can manage the IBM API Management infrastructure but cannot invite or administer users.
When an API is defined, it can be specified whether the API will be enforced by the IBM API Management gateway or by a third party gateway.
The configuration of API security has been revised in line the Swagger 2.0 security model. Security is configured by creating security schemes that are applied to APIs and their operations.
All OAuth tokens can be revoked, or tokens for a particular user, that were issued before a specific date.
Case of user names can be ignored during authentication.
API analytics data is now displayed in the Advanced Developer Portal user interface.
When defining a user registry for authenticating access to the Cloud Management Console user interface, LDAP and Authentication URL are now supported.
Gateway policies can be created, made them available to an environment, and applied to REST or SOAP APIs.

Version 4.0.1.0 (May 2015)

Version 40 10 introduced the following new capability:

Define a failover timeout for the configuration database

A configuration database failover timeout can be defined to specify how many seconds a secondary management server should wait before taking over as the primary when the primary server cannot be reached.

Enhancements to Swagger 2.0 compliance

Additional information can be added to describe an API; for example, contact and license details. If a Swagger file is downloaded for the API, the additional information is written to the info field.
Tags can be added to APIs and API operations for ease of grouping by application developers. These tags are labels that can be used by application developers to organize and search for APIs in the Developer Portal. If a developer downloads the Swagger file for the API, the additional tag details are written to the tags field.

Update a REST API from a Swagger definition file

A revision of a REST API can be updated by uploading a Swagger definition file.

New System user role in the Cloud Management Console user interface

A user who is assigned the System user role can access all system APIs and can log into the Cloud Management Console, but cannot access the API Manager or Developer Portal user interfaces.

Advanced Developer Portal clustering

The Advanced Developer Portal appliances can be clustered for high availability.

SSL Mutual Authentication for front-side connectivity

SSL Mutual Authentication can be used to secure the connection between an API client and the API Management gateway that manages the API.

Support for the PATCH and HEAD methods

When defining the HTTP method type for an API operation, in addition to the GET, PUT, POST, and DELETE methods, the PATCH and HEAD method types can be specified.

The API URL path is not required to be unique

The URL path that is specified when composing an API is no longer required to be unique. Furthermore, the full URL path for the operation, which is formed from the base path of the containing API followed by the operation path, does not have to be unique. However, if it is not unique then an application is required to identify itself with a client ID when calling the operation.

Add multiple security keys to an application

When using the Advanced Developer Portal, a user can add further client ID/client secret pairs to an application in addition to the pair that is provided by default when an application is created.

Terminology changes

IBM API Management Version 4.0.1 introduced the following terminology changes:

Previous term -> New term
Plan version -> Plan revision
API version -> API revision
API resource -> API operation
API tag -> API category

Version 4.0.0.0 (March 2015)

Version 4 introduced the following new capability:

Lifecycle & Governance

Swagger based API creation: Allows APIs to be imported from Swagger, deployed, and invoked without requiring any manual configuration steps in the API.
Co-Publish: Co-publish and supersede plans, and manage plan subscription migrations.
Promotion Approval: Environment based configuration for approving plan lifecycle changes.
Enforced: Option to just publish APIs and not gateway enforce them.
Policy for SOAP: Ability to add and modify policies for SOAP Services.
Discover: Manage REST & SOAP services from System z and custom registries.

Assembly

Error handling: Ability to map SOAP faults returned from a Web Service Invoke call into a Response.

Analytics

Analytics API: Ability to extract analytics data with a REST API to integrate with billing, monetization or business analytics systems.

Security

Mutual Authentication: Out of the box support for custom certificates for back-end endpoints, LDAP, and SMTP servers.

Advanced Developer Portal

Multi-factor authentication: Enabled in the developer portal.
Search: Out of the box support for search and developer management.
Categorization: Flexible multi-level classification of Plans and APIs.
CAPTCHA: Support to prevent automated programs from accessing the portal to enroll users.
Password Lockout

Version 3 (May 2014)

This release added the following enhancements:

APIs allowing a custom Developer Portal
Configuration allowing or disallowing self-sign on
Multiple Gateway clusters on one DataPower device
Summary statistics of the number of API calls across environments, the number of developers, and the amount of storage used for payload logging
Import a Swagger file to define a REST API
Discover a REST API definition from a custom registry
Debug an API assembly flow inside the editor
Clone an API
New Management view to manage plans
Simplified installation
New API plans provide a mechanism for grouping API resources and making them visible as a unit for use by developers
Targeted API visibility means that a plan can be published to all consumers or published to selected consumer organizations or communities
API resources become visible in the developer portal only to users who belong to organizations where one or more plans that contain the resources are published.

Version 2.0 (June 2013)

This release contained the following components:

The IBM API Management Environment Console
The IBM API Management API Manager
The IBM API Management Developer Portal

The IBM API Management Environment Console

Used to define development, test, or production environments
Use DataPower Gateway Appliances running firmware Version 6.0 or later to act as the API gateway
Use WebSphere Cast Iron Assembly Appliances running firmware Version 6.4 or later to perform data orchestrations

The IBM API Management API Manager

Define, import, export APIs
Assemble APIs through configuration
Support for creating REST APIs from SOAP-based services, DB2, SQL server, Oracle, salesforce.com, and HTTP data sources
Secure APIs by using a combination of API key and secret, and authenticate application users by using HTTP basic authentication or OAuth 2.0
API versioning
Analytics about API usage
Manage developer API applications and requests

The IBM API Management Developer Portal

Create a company developer portal
Create a self-service developer registration process

Related Research Articles

Informix is a product family within IBM's Information Management division that is centered on several relational database management system (RDBMS) and multi-model database offerings. The Informix products were originally developed by Informix Corporation, whose Informix Software subsidiary was acquired by IBM in 2001.

Db2 is a family of data management products, including database servers, developed by IBM. It initially supported the relational model, but was extended to support object–relational features and non-relational structures like JSON and XML. The brand name was originally styled as DB2 until 2017, when it changed to its present form.

Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols, in theory allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL. Authentication mechanisms can also support proxy authorization, a facility allowing one user to assume the identity of another. They can also provide a data security layer offering data integrity and data confidentiality services. DIGEST-MD5 provides an example of mechanisms which can provide a data-security layer. Application protocols that support SASL typically also support Transport Layer Security (TLS) to complement the services offered by SASL.

WebSphere Application Server (WAS) is a software product that performs the role of a web application server. More specifically, it is a software framework and middleware that hosts Java-based web applications. It is the flagship product within IBM's WebSphere software suite. It was initially created by Donald F. Ferguson, who later became CTO of Software for Dell. The first version was launched in 1998. This project was an offshoot from IBM HTTP Server team starting with the Domino Go web server.

OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by co-operating sites using a third-party identity provider (IDP) service, eliminating the need for webmasters to provide their own ad hoc login systems, and allowing users to log in to multiple unrelated websites without having to have a separate identity and password for each. Users create accounts by selecting an OpenID identity provider, and then use those accounts to sign on to any website that accepts OpenID authentication. Several large organizations either issue or accept OpenIDs on their websites.

A web framework (WF) or web application framework (WAF) is a software framework that is designed to support the development of web applications including web services, web resources, and web APIs. Web frameworks provide a standard way to build and deploy web applications on the World Wide Web. Web frameworks aim to automate the overhead associated with common activities performed in web development. For example, many web frameworks provide libraries for database access, templating frameworks, and session management, and they often promote code reuse. Although they often target development of dynamic web sites, they are also applicable to static websites.

There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.

In computing, Microsoft's Windows Vista and Windows Server 2008 introduced in 2007/2008 a new networking stack named Next Generation TCP/IP stack, to improve on the previous stack in several ways. The stack includes native implementation of IPv6, as well as a complete overhaul of IPv4. The new TCP/IP stack uses a new method to store configuration settings that enables more dynamic control and does not require a computer restart after a change in settings. The new stack, implemented as a dual-stack model, depends on a strong host-model and features an infrastructure to enable more modular components that one can dynamically insert and remove.

SharePoint is a web-based collaborative platform that integrates natively with Microsoft 365. Launched in 2001, SharePoint is primarily sold as a document management and storage system, although it is also used for sharing information through an intranet, implementing internal applications, and for implementing business processes.

OAuth is an open standard for access delegation, commonly used as a way for internet users to grant websites or applications access to their information on other websites but without giving them the passwords. This mechanism is used by companies such as Amazon, Google, Meta Platforms, Microsoft, and Twitter to permit users to share information about their accounts with third-party applications or websites.

OpenSocial is a public specification that outlines a set of common application programming interfaces (APIs) for web applications. Initially designed for social network applications, it was developed collaboratively by Google, MySpace and other social networks. It has since evolved into a runtime environment that allows third-party components, regardless of their trust level, to operate within an existing web application.

OpenAM is an open-source access management, entitlements and federation server platform. Now it is supported by Open Identity Platform Community.

The Grid and Cloud User Support Environment (gUSE), also known as WS-PGRADE /gUSE, is an open source science gateway framework that enables users to access grid and cloud infrastructures. gUSE is developed by the Laboratory of Parallel and Distributed Systems (LPDS) at Institute for Computer Science and Control (SZTAKI) of the Hungarian Academy of Sciences.

IBM WebSphere Service Registry and Repository (WSRR) is a service registry for use in a Service-oriented architecture.

Canigó is the name chosen for the Java EE framework of the Generalitat de Catalunya.

Backend as a service (BaaS), sometimes also referred to as mobile backend as a service (MBaaS), is a service for providing web app and mobile app developers with a way to easily build a backend to their frontend applications. Features available include user management, push notifications, and integration with social networking services. These services are provided via the use of custom software development kits (SDKs) and application programming interfaces (APIs). BaaS is a relatively recent development in cloud computing, with most BaaS startups dating from 2011 or later. Some of the most popular service providers are AWS Amplify and Firebase.

Google APIs are application programming interfaces (APIs) developed by Google which allow communication with Google Services and their integration to other services. Examples of these include Search, Gmail, Translate or Google Maps. Third-party apps can use these APIs to take advantage of or extend the functionality of the existing services.

Kubernetes is an open-source container orchestration system for automating software deployment, scaling, and management. Originally designed by Google, the project is now maintained by a worldwide community of contributors, and the trademark is held by the Cloud Native Computing Foundation.

Web API security entails authenticating programs or users who are invoking a web API.

API management is the process of creating and publishing web application programming interfaces (APIs), enforcing their usage policies, controlling access, nurturing the subscriber community, collecting and analyzing usage statistics, and reporting on performance. API Management components provide mechanisms and tools to support developer and subscriber communities.

References

↑ "WebSphere product lifecycle dates". IBM. Retrieved 7 April 2012.
↑ "IBM Support".
↑ IBM API Management V4 announcement
↑ IBM marketing website.
↑ IBM Knowledge Center.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "WebSphere product lifecycle dates". IBM. Retrieved 7 April 2012.

[2] "IBM Support".

[3] IBM API Management V4 announcement

[4] IBM marketing website.

[5] IBM Knowledge Center.

[1]

[2]

[3]

[4]

[5]

Developer(s)	IBM
Initial release	2.0 ^[1] 12 July 2013;10 years ago (2013-07-12)

Stable release	v10.0.5 ^[2] / 30 June 2023;7 months ago (2023-06-30)

Operating system	Virtual appliance Docker
Available in	Simplified Chinese, Traditional Chinese, US English, French, German, Italian, Japanese, Korean, Brazilian Portuguese, Spanish ^[3]
Type	Virtual appliance
License	Commercial
Website	http://www.ibm.com/software/products/en/api-management