WSO2 API Manager is a product that allows API providers to design, publish, and manage the lifecycle of APIs, and API product managers to create API products from one or more APIs. It focuses on solving the most changing API management requirements, such as API provisioning, API governance, API security, and API monitoring. WSO2 API Manager consists of two design-time components, the Publisher Portal and the Developer Portal; three runtime components, the API Gateway, the API Key Manager, and the API Traffic Manager; and one pluggable component, API Analytics.
The WSO2 API Manager 3.1.0 is the latest WSO2 API Manager release and is the successor of WSO2 API Manager 3.0.0. The most noticeable new features of this release are cloud-native capabilities, user experience improvements, microgateway improvements, and some API Manager analytics improvements. In this blog post we will tell you more about the new features.
WSO2 API Manager related new features
Integrating AWS Lambda with APIM
AWS Lambda lets you run code without provisioning or managing servers in the AWS cloud. AWS Lambda allows us to run our code in response to events, such as changes to data in an Amazon S3 bucket or an Amazon DynamoDB table, or to invoke the code using API calls made with the AWS SDKs. Building on these capabilities, WSO2 API Manager uses the AWS SDK to call the Lambda function through API calls to provide this feature.
When a new API is being created in the API publisher, we can configure the AWS Lambda connection settings by adding an AWS Lambda endpoint to the created API.
As the AWS SDK is used to call the Lambda function, it needs credentials for authentication and authorization. The Access method tab allows us to define which type of credential is going to be used. It can be either a stored access key and secret or, if the API Manager is hosted on an AWS EC2 instance that has permission to call the AWS Lambda function, the temporary credentials supplied by the IAM role.
The resource page allows configuring which HTTP method to use in our API, the context path of our API, and the Lambda function name. There are also some other SDK-related settings that we can use to optimize the Lambda request. One such parameter is a timeout value that sets the Lambda request timeout.
Once the configuration is done, we can save, publish, and consume the API in the usual way.
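Whichever access method is chosen, the identity behind it only needs to invoke the functions the API fronts. The following check of an IAM policy document is an added example, not WSO2 or AWS code; the two policies, the account ID, and the function name are constructed sample values.

```python
import json

# Constructed sample policies (not taken from WSO2 or AWS documentation).
BROAD_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}]}
""")
SCOPED_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": {"Effect": "Allow",
               "Action": "lambda:InvokeFunction",
               "Resource": "arn:aws:lambda:eu-west-1:111122223333:function:orders-api"}}
""")

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit_invoke_policy(policy):
    """Return findings for Allow statements that grant more than invoking named functions.

    Limitation: NotAction, NotResource and Condition elements are not evaluated.
    """
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive.
            if action.lower() != "lambda:invokefunction":
                findings.append(f"statement {i}: action {action!r} is not needed to invoke a function")
        for resource in as_list(stmt.get("Resource", [])):
            if "*" in resource:
                findings.append(f"statement {i}: resource {resource!r} contains a wildcard")
    return findings
```
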
API Security Audit Integration
API security has become an important concern in recent times as organizations are more cautious about exposing raw, sensitive data via APIs. Therefore, it is important that APIs adhere to the OpenAPI specification (OAS) to ensure API security.
WSO2 API Manager has integrated with 42Crunch, the only enterprise API security platform, to bring in the ability to conduct a security audit on the OpenAPI specification definition of your APIs and to obtain an audit report for the same.
To get an audit report from 42Crunch for your OpenAPI specification, you should first configure the API Manager to connect with 42Crunch. This involves the following steps:
- Register with 42Crunch, create an API collection there, and then obtain an API token and the ID of the created collection.
- Configure the API Manager with the obtained API token and collection ID. API Manager allows this to be configured for all tenants by using the deployment.toml, or for a specific tenant by using the tenant configuration, which can be found in the registry under the path /_system/config/apimgt/applicationdata/tenant-conf.json.
- Run the audit report in the API publisher using the “Audit API” feature.
There are four sections in the audit report.
- Audit Score and Summary:
Overall score, the total number of errors, severity of vulnerabilities, scores given to the security and data validation sections.
- OpenAPI Format Requirements:
Any issues that exist due to the API definition not adhering to the OpenAPI specification.
- Security:
Security issues identified against the API best practices defined by 42Crunch.
- Data Validation:
Issues that arise due to inadequate validation of input and output in an API definition.
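To show the kind of finding that falls under the Security and Data Validation sections, here is an added example that is not 42Crunch's or WSO2's code and does not reproduce their rules or scoring. It runs over a constructed OpenAPI 3 fragment and does not resolve $ref.

```python
# Constructed OpenAPI 3 fragment, used only as sample input.
SPEC = {
    "openapi": "3.0.1",
    "components": {"securitySchemes": {"oauth": {"type": "oauth2"}}},
    "paths": {
        "/orders/{id}": {
            "get": {
                "security": [{"oauth": ["read"]}],
                "parameters": [{"name": "id", "in": "path", "required": True,
                                "schema": {"type": "string", "maxLength": 36,
                                           "pattern": "^[0-9a-f-]{36}$"}}],
            },
            "delete": {
                "parameters": [{"name": "id", "in": "path", "required": True,
                                "schema": {"type": "string"}}],
            },
        }
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

def audit_spec(spec):
    """Return (section, location, message) findings for an OpenAPI 3 document."""
    findings = []
    global_security = spec.get("security")  # applies where an operation sets none
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            # Security: no requirement, an empty list, or an empty requirement
            # object all mean the operation can be called anonymously.
            effective = op.get("security", global_security)
            if not effective or {} in effective:
                findings.append(("security", where, "no security requirement"))
            # Data validation: unbounded strings accept arbitrary input.
            for param in item.get("parameters", []) + op.get("parameters", []):
                schema = param.get("schema", {})
                if schema.get("type") == "string" and "enum" not in schema:
                    for keyword in ("maxLength", "pattern"):
                        if keyword not in schema:
                            findings.append(("data validation", where,
                                             f"parameter {param['name']!r} has no {keyword}"))
    return findings
```
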
API categories allow API publishers to select a category for the API so that when the API is published, it is categorized in the developer portal. Categories appear as clickable links to the API consumers. In previous versions of API Manager, categorization was achieved via tags, but the tags had to follow specific naming conventions. In the new version of API Manager, categories can be defined without following a WSO2 naming convention. The APIM administrator can now define category names using the admin dashboard.
AI-based Recommendations for the Developer Portal
The application developer is the one who consumes APIs from the API developer portal to develop an application. The developer chooses which APIs are to be used in the application and subscribes to them accordingly. With this new feature, which is based on AI technology, APIM analyzes and identifies the behavior of the consumer application and suggests recommended APIs that may be useful to the developer when developing the application.
API Mocking Feature
WSO2 API Manager provides the prototype API feature, where an API publisher can use an inline script to prototype the API. This allows the API publisher to get feedback from API consumers, and API consumers do not need to subscribe to the prototype API to consume it. In earlier releases of API Manager, a prototype API was presented with a default script, which then had to be edited in order to allow the resource to return a response. This meant that the inline script of each resource had to be edited manually.
In this release, the script of the prototype API is equipped with mock payload generation. The mock script is generated automatically according to the API definition, response code, and payload type. Furthermore, users can enhance the inline script of each resource to better suit the required outcome. A list of inline script methods is available to access the Synapse context, which is predefined in a script variable named mc.
Once the generated mock payload scripts have been saved, the API can be deployed as a prototype.
GraphQL Try out Console for Developer Portal
This API Manager release comes with a new GraphQL user interface to try out GraphQL APIs. This new UI supports the full GraphQL specification, such as queries, mutations, subscriptions, fragments, unions, directives, multiple operations per query, etc. It can be considered a web-based IDE for GraphQL, as it also provides interactive schema documentation and real-time error highlighting and reporting for queries and variables. Automatic query and variable completion adds required fields to queries, and query history is available using local storage.
API Operator for Kubernetes
The Kubernetes operator is an extension for Kubernetes that greatly simplifies the deployment of APIs in a Kubernetes cluster. It makes APIs a first-class citizen in the Kubernetes ecosystem. Similar to deploying microservices, you can now use this operator to deploy APIs for individual microservices or compose several microservices into individual APIs. The API Manager integrates with service meshes and provides a full-fledged management plane and control plane for managing, monitoring, and monetizing APIs and API products. The operator supports deploying the recommended deployment patterns in Kubernetes. It introduces a new Custom Resource Definition called API Manager to deploy these patterns, and custom patterns, efficiently and easily in Kubernetes.
WSO2 API Microgateway New Features
This new APIM release also incorporates improvements and new features for the microgateway, which is part of the API Manager product. In this section we’ll highlight these.
With the adoption of microservices in organizations, secure communication between microservices is becoming more and more vital. With the new gRPC gateway feature, the gateway can now expose gRPC services in a secure manner. gRPC is widely used in service-to-service communication, so this feature is useful for enforcing security on service-to-service communication that is based on gRPC.
Tracing helps in identifying issues that can occur during the request phase. It provides insights to isolate which components are involved. The new microgateway supports the OpenTracing standard, which breaks down the request flow through the microgateway into phases such as authentication, authorization, throttling, backend service, responding to the client, etc. By default, Jaeger is a supported tracing system for this.
Java Interceptors for Message Transformation
The latest release now supports implementing interceptors in Java, whereas the earlier release supported only the Ballerina language.
An interceptor can be used to manipulate the request or response before it is sent to the backend. Once the response comes back from the backend, a response interceptor can be used to manipulate the response before it is returned to the client.
Support for API Key Authentication and Issuing API Keys
When you have APIs that need less strict security mechanisms than OAuth2, you can now use a more long-lived API key as the security mechanism.
Also, the new microgateway can issue API keys of the JWT type.
Multiple JWT Issuer Support
The organization may have different identity providers, so there can be different JWT token issuers. The new microgateway now supports working with multiple JWT token issuers.
WSO2 API Manager Analytics new features
PDF Report Generation
The admin dashboard supports exporting the API usage report in PDF format for a period of a month.
Widget generator tool
The analytics dashboard provides a widget generation tool, which can be used to develop a custom widget for your dashboard.
The new release has a feature to view GraphQL analytics. Analytics can be filtered by GraphQL operation within the same API.
These are the new features of WSO2 API Manager 3.1.0.