IBM API Management

IBM API Management

Developer(s)	IBM
Initial release	2.0 [1] 12 July 2013; 11 years ago (2013-07-12)
Stable release	4.0.2 [2] / 22 July 2015; 9 years ago (2015-07-22)
Operating system	Virtual appliance
Available in	Simplified Chinese, Traditional Chinese, US English, French, German, Italian, Japanese, Korean, Brazilian Portuguese, Spanish [3]
Type	Virtual appliance
License	Commercial
Website	http://www.ibm.com/software/products/en/api-management

IBM API Management^[4] (IBM APIM) is an API Management platform for use in the API Economy. IBM API Management enables users to create, assemble, manage, secure and socialize web application programming interfaces (APIs).

It runs as a Virtual appliance on a Virtual machine and uses the IBM WebSphere DataPower SOA Appliances as gateways.

It provides a developer portal for application developers and to view published APIs. An administration portal allows users to establish policies for APIs such as self-registration, quotas, key management and security policies. An analytics engine provides role-based analytics for API owners, solution administrators and application developers in order to manage APIs and ensure service levels are being achieved.

Swagger and WSDL documents can be loaded and parsed into APIs. APIs can be created by describing the input and output in the API Manager User Interface by configuration. APIs can then be decorated with additional data in the form of tags, binary documentation and documentation URLs. APIs can proxy an existing API or use an assembly where a flow is created. In such an assembly flow it is possible to call out to other services, transform response data, redact information and map response data from external APIs to the response of the API.

Plans can be created which specify rate limits, whether sign ups need to be approved, and a collection of APIs to offer to developers. Plans can be published to a specific environment.

An environment consists of a developer portal and API gateway. Plans published to an environment can be visible in the developer portal, enabling developers to sign up to plans and use the APIs contain within. API business owners can customize their developer portal with their branding to advertise, market, socialize and sell APIs. Plans published to an environment can be invoked on the API gateway, delegating to the API gateway responsibility for rate limits, rejecting unknown users and scalability. The API Gateway is one or more IBM DataPower Gateway devices.

The API gateway collects invocation metrics which are available for analysis in the developer portal and API Manager user interfaces. Example metrics collected are API usage, success and failures.

The product has REST based APIs for accessing and manipulating users, developer organizations, apps, subscriptions. The product has REST based APIs for accessing information about plans, APIs and analytics.

The Advanced Developer Portal can be extended with custom content and themes.

Version 40 20 introduced the following new capability:

Enhanced support for Swagger 2.0

• Add external documentation to an API
• Deprecate a REST API operation
• Specify the protocol schemes an API supports
• Add Swagger extensions to an API

Additional enhancements

• Specify the OPTIONS HTTP method.
• Enable cross-origin resource sharing (CORS) support for an API.
• Supports DataPower 7.2.
• The Topology Administrator can manage the IBM API Management infrastructure but cannot invite or administer users.
• When an API is defined, it can be specified whether the API will be enforced by the IBM API Management gateway or by a third party gateway.
• The configuration of API security has been revised in line the Swagger 2.0 security model. Security is configured by creating security schemes that are applied to APIs and their operations.
• All OAuth tokens can be revoked, or tokens for a particular user, that were issued before a specific date.
• Case of user names can be ignored during authentication.
• API analytics data is now displayed in the Advanced Developer Portal user interface.
• When defining a user registry for authenticating access to the Cloud Management Console user interface, LDAP and Authentication URL are now supported.
• Gateway policies can be created, made them available to an environment, and applied to REST or SOAP APIs.

Version 40 10 introduced the following new capability:

Define a failover timeout for the configuration database

• A configuration database failover timeout can be defined to specify how many seconds a secondary management server should wait before taking over as the primary when the primary server cannot be reached.

Enhancements to Swagger 2.0 compliance

• Additional information can be added to describe an API; for example, contact and license details. If a Swagger file is downloaded for the API, the additional information is written to the info field.
• Tags can be added to APIs and API operations for ease of grouping by application developers. These tags are labels that can be used by application developers to organize and search for APIs in the Developer Portal. If a developer downloads the Swagger file for the API, the additional tag details are written to the tags field.

Update a REST API from a Swagger definition file

• A revision of a REST API can be updated by uploading a Swagger definition file.

New System user role in the Cloud Management Console user interface

• A user who is assigned the System user role can access all system APIs and can log into the Cloud Management Console, but cannot access the API Manager or Developer Portal user interfaces.

Advanced Developer Portal clustering

• The Advanced Developer Portal appliances can be clustered for high availability.

SSL Mutual Authentication for front-side connectivity

• SSL Mutual Authentication can be used to secure the connection between an API client and the API Management gateway that manages the API.

Support for the PATCH and HEAD methods

• When defining the HTTP method type for an API operation, in addition to the GET, PUT, POST, and DELETE methods, the PATCH and HEAD method types can be specified.

The API URL path is not required to be unique

• The URL path that is specified when composing an API is no longer required to be unique. Furthermore, the full URL path for the operation, which is formed from the base path of the containing API followed by the operation path, does not have to be unique. However, if it is not unique then an application is required to identify itself with a client ID when calling the operation.

Add multiple security keys to an application

• When using the Advanced Developer Portal, a user can add further client ID/client secret pairs to an application in addition to the pair that is provided by default when an application is created.

Terminology changes

IBM API Management Version 4.0.1 introduced the following terminology changes:

• Previous term -> New term
• Plan version -> Plan revision
• API version -> API revision
• API resource -> API operation
• API tag -> API category

Version 4 introduced the following new capability:

Lifecycle & Governance

• Swagger based API creation: Allows APIs to be imported from Swagger, deployed, and invoked without requiring any manual configuration steps in the API.
• Co-Publish: Co-publish and supersede plans, and manage plan subscription migrations.
• Promotion Approval: Environment based configuration for approving plan lifecycle changes.
• Enforced: Option to just publish APIs and not gateway enforce them.
• Policy for SOAP: Ability to add and modify policies for SOAP Services.
• Discover: Manage REST & SOAP services from System z and custom registries.

Assembly

• Error handling: Ability to map SOAP faults returned from a Web Service Invoke call into a Response.

Analytics

• Analytics API: Ability to extract analytics data with a REST API to integrate with billing, monetization or business analytics systems.

Security

• Mutual Authentication: Out of the box support for custom certificates for back-end endpoints, LDAP, and SMTP servers.

Advanced Developer Portal

• Multi-factor authentication: Enabled in the developer portal.
• Search: Out of the box support for search and developer management.
• Categorization: Flexible multi-level classification of Plans and APIs.
• CAPTCHA: Support to prevent automated programs from accessing the portal to enroll users.
• Password Lockout

This release added the following enhancements:

• APIs allowing a custom Developer Portal
• Configuration allowing or disallowing self-sign on
• Multiple Gateway clusters on one DataPower device
• Summary statistics of the number of API calls across environments, the number of developers, and the amount of storage used for payload logging
• Import a Swagger file to define a REST API
• Discover a REST API definition from a custom registry
• Debug an API assembly flow inside the editor
• Clone an API
• New Management view to manage plans
• Simplified installation
• New API plans provide a mechanism for grouping API resources and making them visible as a unit for use by developers
• Targeted API visibility means that a plan can be published to all consumers or published to selected consumer organizations or communities
• API resources become visible in the developer portal only to users who belong to organizations where one or more plans that contain the resources are published.

This release contained the following components:

• The IBM API Management Environment Console
• The IBM API Management API Manager
• The IBM API Management Developer Portal

The IBM API Management Environment Console

• Used to define development, test, or production environments
• Use DataPower Gateway Appliances running firmware Version 6.0 or later to act as the API gateway
• Use WebSphere Cast Iron Assembly Appliances running firmware Version 6.4 or later to perform data orchestrations

The IBM API Management API Manager

• Define, import, export APIs
• Assemble APIs through configuration
• Support for creating REST APIs from SOAP-based services, DB2, SQL server, Oracle, salesforce.com, and HTTP data sources
• Secure APIs by using a combination of API key and secret, and authenticate application users by using HTTP basic authentication or OAuth 2.0
• API versioning
• Analytics about API usage
• Manage developer API applications and requests

The IBM API Management Developer Portal

• Create a company developer portal
• Create a self-service developer registration process

• InfoWorld

• IBM API Management Knowledge Center
• IBM API Management Support Portal
• IBM API Management developer center