IBM API Management

IBM API Management (renamed IBM API Connect as of version 5) is an API management platform for use in the API Economy. IBM API Connect enables users to create, assemble, manage, secure and socialize web application programming interfaces (APIs).

It runs as a virtual appliance on a virtual machine and uses the IBM WebSphere DataPower SOA Appliances as gateways.

It provides a developer portal for application developers to view published APIs. An administration portal allows users to establish policies for APIs such as self-registration, quotas, key management and security policies. An analytics engine provides role-based analytics for API owners, solution administrators and application developers in order to manage APIs and ensure service levels are being achieved. There is also a service called Cloud Manager where the platform is set up with servers, clusters, gateways, user repositories, etc.

Swagger (now called OpenAPI) and WSDL documents can be loaded and parsed into APIs. APIs can be created by describing the input and output in the API Manager User Interface by configuration. APIs can then be decorated with additional data in the form of tags, binary documentation and documentation URLs. APIs can proxy an existing API or use an assembly where a flow is created. In such an assembly flow it is possible to call out to other services, transform response data, redact information and map response data from external APIs to the response of the API.

Plans can be created which specify rate limits, whether sign ups need to be approved, and a collection of APIs to offer to developers. Plans can be published to a specific environment.

An environment consists of a management server (with management console and developer portal) and an API gateway. Plans published to an environment can be visible in the developer portal, enabling developers to sign up to plans and use the APIs contained within. API business owners can customize their developer portal with their branding to advertise, market, socialize and sell APIs. Plans published to an environment can be invoked on the API gateway, delegating to the API gateway responsibility for rate limits, rejecting unknown users and scalability. The API gateway is one or more IBM DataPower Gateway devices.

The API gateway collects invocation metrics which are available for analysis in the developer portal and API Manager user interfaces. Example metrics collected are API usage, success and failures.

APIs
The product has REST-based APIs for accessing and manipulating users, developer organizations, apps and subscriptions. The product also has REST-based APIs for accessing information about plans, APIs and analytics.

Extension points
The Advanced Developer Portal can be extended with custom content and themes.

Version history

Version 4.0.3.0 (November 2015)
Version 4.0.3 introduced the following new capability:

Redirect capabilities for OAuth authentication
 * Access Code Flow and Implicit Flow OAuth schemes now support authentication through pages hosted external to IBM API Management. Through this capability, you can authenticate your users during an OAuth 2.0 scheme by using methods that are not otherwise supported by API Management. For more information, see Authenticating and authorizing through a redirect URL.

Advanced Developer Portal enhancements
 * You can now configure your Advanced Developer Portal front page to differ for users with different roles, including enhancing and personalizing the individual experience for unauthenticated users who visit your portal site. For more information, see Configurable role-based front pages.
 * With increased capacity to customize flood control, profanity filtering and forum access control, you can now further manage the security for your Advanced Developer Portal site. For more information, see Flood control, Profanity filtering, and Controlling access to forums.
 * You can now link to your social media sites from anywhere in the Advanced Developer Portal, and customize the appearance and positioning of the links to your sites, increasing your visibility to users of your Advanced Developer Portal and allowing them to engage. For more information, see Linking to social media sites.

User-defined policy enhancements


 * You can now set variables to a specified string value by using the setVariable template. You can then retrieve these values by using the function getVariable. You can also use the payloadType function to determine what type of payload (XML or JSONx) will be returned by the payloadRead function. For more information about these enhancements, and all the DataPower processing rules and actions that can be applied to user-defined policies, see Implementing your policy.

Auditing and logging enhancements


 * Enhancements to auditing and logging now provide the ability to retrieve audit events from the management node programmatically. This enhancement allows a syslog collector to be configured to accept the messages and write them to an external data store for further processing or archiving, or both. For more information, see Syslog auditing and your cloud and Syslog configuration.

Version 4.0.2.0 (July 2015)
Version 4.0.2 introduced the following new capability:

Enhanced support for Swagger 2.0
 * Add external documentation to an API
 * Deprecate a REST API operation
 * Specify the protocol schemes an API supports
 * Add Swagger extensions to an API

Additional enhancements
 * Specify the OPTIONS HTTP method.
 * Enable cross-origin resource sharing (CORS) support for an API.
 * Supports DataPower 7.2.
 * The Topology Administrator can manage the IBM API Management infrastructure but cannot invite or administer users.
 * When an API is defined, it can be specified whether the API will be enforced by the IBM API Management gateway or by a third party gateway.
 * The configuration of API security has been revised in line with the Swagger 2.0 security model. Security is configured by creating security schemes that are applied to APIs and their operations.
 * All OAuth tokens, or the tokens for a particular user, that were issued before a specific date can be revoked.
 * Case of user names can be ignored during authentication.
 * API analytics data is now displayed in the Advanced Developer Portal user interface.
 * When defining a user registry for authenticating access to the Cloud Management Console user interface, LDAP and Authentication URL are now supported.
 * Gateway policies can be created, made available to an environment, and applied to REST or SOAP APIs.

Version 4.0.1.0 (May 2015)
Version 4.0.1 introduced the following new capability:

Define a failover timeout for the configuration database


 * A configuration database failover timeout can be defined to specify how many seconds a secondary management server should wait before taking over as the primary when the primary server cannot be reached.

Enhancements to Swagger 2.0 compliance
 * Additional information can be added to describe an API; for example, contact and license details. If a Swagger file is downloaded for the API, the additional information is written to the info field.
 * Tags can be added to APIs and API operations for ease of grouping by application developers. These tags are labels that can be used by application developers to organize and search for APIs in the Developer Portal. If a developer downloads the Swagger file for the API, the additional tag details are written to the tags field.

Update a REST API from a Swagger definition file
 * A revision of a REST API can be updated by uploading a Swagger definition file.

New System user role in the Cloud Management Console user interface


 * A user who is assigned the System user role can access all system APIs and can log into the Cloud Management Console, but cannot access the API Manager or Developer Portal user interfaces.

Advanced Developer Portal clustering


 * The Advanced Developer Portal appliances can be clustered for high availability.

SSL Mutual Authentication for front-side connectivity


 * SSL Mutual Authentication can be used to secure the connection between an API client and the API Management gateway that manages the API.

Support for the PATCH and HEAD methods


 * When defining the HTTP method type for an API operation, in addition to the GET, PUT, POST, and DELETE methods, the PATCH and HEAD method types can be specified.

The API URL path is not required to be unique


 * The URL path that is specified when composing an API is no longer required to be unique. Furthermore, the full URL path for the operation, which is formed from the base path of the containing API followed by the operation path, does not have to be unique. However, if it is not unique then an application is required to identify itself with a client ID when calling the operation.

Add multiple security keys to an application


 * When using the Advanced Developer Portal, a user can add further client ID/client secret pairs to an application in addition to the pair that is provided by default when an application is created.

Terminology changes

IBM API Management Version 4.0.1 introduced the following terminology changes:


 * Previous term -> New term
 * Plan version -> Plan revision
 * API version -> API revision
 * API resource -> API operation
 * API tag -> API category

Version 4.0.0.0 (March 2015)
Version 4 introduced the following new capability:

Lifecycle & Governance


 * Swagger based API creation: Allows APIs to be imported from Swagger, deployed, and invoked without requiring any manual configuration steps in the API.
 * Co-Publish: Co-publish and supersede plans, and manage plan subscription migrations.
 * Promotion Approval: Environment based configuration for approving plan lifecycle changes.
 * Enforced: Option to publish APIs without enforcing them at the gateway.
 * Policy for SOAP: Ability to add and modify policies for SOAP Services.
 * Discover: Manage REST & SOAP services from System z and custom registries.

Assembly


 * Error handling: Ability to map SOAP faults returned from a Web Service Invoke call into a Response.

Analytics


 * Analytics API: Ability to extract analytics data with a REST API to integrate with billing, monetization or business analytics systems.

Security


 * Mutual Authentication: Out of the box support for custom certificates for back-end endpoints, LDAP, and SMTP servers.

Advanced Developer Portal


 * Multi-factor authentication: Enabled in the developer portal.
 * Search: Out of the box support for search and developer management.
 * Categorization: Flexible multi-level classification of Plans and APIs.
 * CAPTCHA: Support to prevent automated programs from accessing the portal to enroll users.
 * Password Lockout

Version 3 (May 2014)
This release added the following enhancements:


 * APIs allowing a custom Developer Portal
 * Configuration allowing or disallowing self-sign on
 * Multiple Gateway clusters on one DataPower device
 * Summary statistics of the number of API calls across environments, the number of developers, and the amount of storage used for payload logging
 * Import a Swagger file to define a REST API
 * Discover a REST API definition from a custom registry
 * Debug an API assembly flow inside the editor
 * Clone an API
 * New Management view to manage plans
 * Simplified installation
 * New API plans provide a mechanism for grouping API resources and making them visible as a unit for use by developers
 * Targeted API visibility means that a plan can be published to all consumers or published to selected consumer organizations or communities
 * API resources become visible in the developer portal only to users who belong to organizations where one or more plans that contain the resources are published.

Version 2.0 (June 2013)
This release contained the following components:


 * The IBM API Management Environment Console
 * The IBM API Management API Manager
 * The IBM API Management Developer Portal

The IBM API Management Environment Console


 * Used to define development, test, or production environments
 * Use DataPower Gateway Appliances running firmware Version 6.0 or later to act as the API gateway
 * Use WebSphere Cast Iron Assembly Appliances running firmware Version 6.4 or later to perform data orchestrations

The IBM API Management API Manager


 * Define, import, export APIs
 * Assemble APIs through configuration
 * Support for creating REST APIs from SOAP-based services, DB2, SQL Server, Oracle, salesforce.com, and HTTP data sources
 * Secure APIs by using a combination of API key and secret, and authenticate application users by using HTTP basic authentication or OAuth 2.0
 * API versioning
 * Analytics about API usage
 * Manage developer API applications and requests

The IBM API Management Developer Portal


 * Create a company developer portal
 * Create a self-service developer registration process