April 13th, 2012

Tech Talk Tuesday: Caching & API Optimization

Here we go again – time for another Tech Talk Tuesday. It’s live, unscripted, interactive and it’s going to be awesome – especially if you love to talk Caching & API Optimization.

We’ve simplified SOAP to REST, we’ve explained OAuth and now, during this interactive one-hour event, we’ll be discussing how open API publishers can optimize the delivery and performance of their APIs using techniques like caching. But it’s a live event, so you never know what might happen, with questions coming fast and from all over the globe.

If you haven’t joined us in the past – take a look at these episodes here on our official Layer 7 YouTube page. They’ll give you a good idea of what Tech Talk Tuesday is all about.

Our special guest this week is Geoff Duck, a Senior Developer and innovative superstar at Layer 7. He’s smart, good looking and thinks fast on his feet. He regularly works with Layer 7 customers, helping them implement API management and SOA governance best practices – so here’s your chance to interact live with one of our top developers.

We look forward to seeing you there. Get your questions ready and then, on Tuesday (at 9am PST), simply go to our Facebook page, click the Livestream tab and hit play. It’s super easy.

See you Tuesday!

April 11th, 2012

Beyond OAuth – Emerging Standards for API Access Control


OAuth 2.0 seems to be on everybody’s minds these days. I can’t remember an emerging standard picking up interest so fast. The Layer 7 OAuth Toolkit evolved through three stages over the last couple of years and I’m proud to say that I was involved right from the beginning. It was first developed out of necessity, using existing elements of the Layer 7 SecureSpan Gateway platform – a testament to the flexibility of that platform. Then, leveraging precious feedback from numerous architects applying OAuth with our Gateway, the OAuth Toolkit matured and became a product of its own. Today, we’re witnessing the third evolution phase: OAuth is making its way to the very core of the SecureSpan Gateway platform.

I mention these different evolution phases because I noticed how different engineers working at these different levels – and in some cases isolated from each other (I travel a lot) – identified very similar patterns relating to implementing API access control using OAuth. I’m talking about interaction patterns between various components involved, including for example a token issuer, an API consumer, a policy enforcement point etc. These parties need to discover information at runtime relating to tokens and identities; tokens need to be stored somewhere and managed. It just seems logical that this information would be exchanged via open APIs themselves. Integrating these logical components via APIs means that you can easily separate them as needed and manage their mutual trust. For example, implement the OAuth protocol in a DMZ perimeter zone but store tokens and associated state in the trusted network. API-based integration between these different logical components also facilitates the integration of existing IT assets into a new OAuth-enabled system.
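The split described above, as an added example that is not part of the original post or of the Layer 7 OAuth Toolkit: a policy enforcement point in the DMZ holds no token state and queries a token store in the trusted network through an API, authenticating each call with an HMAC. All class, function and key names are hypothetical, and the in-process call stands in for an HTTPS request.

```python
import hashlib, hmac, json, time

PEP_KEY = b"constructed-demo-key"  # hypothetical secret shared by PEP and token store

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class TokenStore:
    """Trusted-network component: owns token state, reachable only through its API."""
    def __init__(self):
        self._tokens = {}  # token digest -> state; raw tokens are never stored
    def issue(self, token, subject, scope, ttl, now):
        self._tokens[_digest(token)] = {
            "sub": subject, "scope": sorted(scope), "exp": now + ttl, "revoked": False}
    def revoke(self, token):
        self._tokens[_digest(token)]["revoked"] = True
    def introspect(self, body, mac, now):
        # API endpoint: answer only callers that prove knowledge of PEP_KEY.
        expected = hmac.new(PEP_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            raise PermissionError("untrusted caller")
        state = self._tokens.get(_digest(json.loads(body)["token"]))
        if state is None or state["revoked"] or state["exp"] <= now:
            return {"active": False}
        return {"active": True, "sub": state["sub"], "scope": state["scope"]}

class EnforcementPoint:
    """DMZ component: keeps no token state and asks the store on every request."""
    def __init__(self, store, key=PEP_KEY):
        self.store, self.key = store, key
    def authorize(self, bearer_token, required_scope, now=None):
        now = time.time() if now is None else now
        body = json.dumps({"token": bearer_token}).encode()
        mac = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        try:
            answer = self.store.introspect(body, mac, now)  # stands in for an HTTPS call
        except PermissionError:
            return False  # fail closed when the store rejects this caller
        return answer["active"] and required_scope in answer["scope"]

def demo():
    store, t0 = TokenStore(), 1_000_000.0  # constructed sample data
    store.issue("tok-abc", "alice", ["orders:read"], ttl=3600, now=t0)
    pep, rogue = EnforcementPoint(store), EnforcementPoint(store, key=b"wrong")
    results = [pep.authorize("tok-abc", "orders:read", t0 + 10),    # valid token
               pep.authorize("tok-abc", "orders:write", t0 + 10),   # scope not granted
               pep.authorize("tok-abc", "orders:read", t0 + 3600),  # expired
               rogue.authorize("tok-abc", "orders:read", t0 + 10)]  # untrusted caller
    store.revoke("tok-abc")
    return results + [pep.authorize("tok-abc", "orders:read", t0 + 20)]  # revoked
```

Because the enforcement point caches nothing, a revocation in the trusted network takes effect on the next request, and a compromised DMZ host exposes no stored tokens.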

I recognize many of these patterns in emerging standards building on top of OAuth 2.0, such as OpenID Connect and User Mediated Access (UMA). Coincidence? Obviously not. I expect these emerging standards to be among the new focuses while building the next generation API management infrastructure.

April 10th, 2012

Faking the Cloud in API Management

The CEO of competitor API management provider Mashery recently mentioned a post I wrote discussing tradeoffs of infrastructure-based versus service-based solutions when it comes to API management. Unintentionally, my original post has apparently hit a nerve.

Oren suggests that a “true” Cloud solution can only be SaaS-based. While Amazon Web Services, among others, may take umbrage at that definition, I am also a little confused by Oren’s statement since, by most definitions, Mashery is not a SaaS. Typically, a SaaS provides self-enrollment and self-service aspects. Mashery may let you manage your APIs in the Cloud like Layer 7 or Apigee but it doesn’t do this without help from engagement consultants. In that way, they are more akin to IBM than Salesforce.

In the end, our customers don’t get too caught up in Cloud semantics. Some of our customers want to own a solution, others “rent”. Some want a solution in a data-center, others in a public Cloud. We understand that different deployment models are needed to accommodate different needs. If a Cloud deployment is what you are after, try several vendors, verify what you get and compare each solution’s strengths.

April 9th, 2012

Big Data & API Management

The hottest IT trends of 2012 are shaping up to be Cloud, mobile and “big data”. The links between API management, Cloud and mobile are clear. The links between API management and big data – a concept that creates capabilities for capturing and analyzing previously unimaginable amounts of unstructured data – are less obvious but no less significant. I see two key areas of synergy…

First of all, in the three-tier architecture of the Web, the line was typically blurry between the presentation and logic tiers and concrete between logic and data. Big data now blurs the line between logic and data. Combine this with the fact that the mobile app development paradigm fragments the presentation platform and it is evident that the API will become the concrete and consistent border in application processing flows. In this context, API management will prove vital in enforcing security, collecting business metrics and normalizing protocols.

Second, big data allows analytics to be performed in the scope of real-time data retrieval. This will create another wave of real-time integration needs in enterprises of every size. More real-time integration means more APIs with higher volumes. The common protocol for exposing big data on the network is REST using either JSON or XML formats. Again, this will mean a greater necessity for API management tools and techniques and a compound benefit in their usage.

Simply put, mobile, Cloud and big data are driving a new era of enterprise IT and API management will provide amplified value for companies embracing these trends.

April 5th, 2012

Simplifying SOAP-to-REST Conversion

Earlier this week, Layer 7 CTO Scott Morrison presented our second Tech Talk Tuesday meet-up on Facebook, which concentrated on Simplifying REST Adaptation. For those of you who missed the live event, the recording is now available in the Layer 7 Resource Library. For those of you who attended, I thought I’d provide some detailed information on how Layer 7 facilitates bulk conversion of SOAP-based Web services to RESTful APIs.

We’ve previously provided some insight into the process of translating between REST and SOAP in a tutorial on our Web site. In that tutorial, we demonstrated how our policy language lends itself to a simple way of defining the conversion process, making converting REST to SOAP a fairly trivial exercise. However, if you have tens or hundreds of existing SOAP services, translating them all to REST might seem somewhat daunting.

Luckily, a Layer 7 Gateway can also help to make that process considerably easier – and I’m going to show you how. I’ll be walking you through a wizard that makes it simple to (a) upload your Web services to the Gateway as WSDLs and then (b) customize how you want the REST version of each service to look.

First, you upload your WSDL.

SOAP-to-REST Step 1

Then, configure how you would like to present your REST interface.

SOAP-to-REST Step 2a

Each operation can be customized with the type of HTTP method used.

SOAP-to-REST Step 2b

Once you submit your configuration, you’re ready to go!

At the end of the wizard, sample HTML-based documentation is provided that can be used for presenting the REST endpoint to your clients. This documentation is the first step in presenting the details of your new RESTful API via the Layer 7 API Portal.

SOAP-to-REST Step 3b1

Here’s an example of the same operation above, converted to an HTTP GET style.

SOAP-to-REST Step 3b2

Finally, we also provide a sample WADL based on the parameters that you specify.

SOAP-to-REST Step 3c

Once you log in to the Layer 7 Policy Manager, you’ll find a predefined policy that does all the conversion from REST to SOAP.

SOAP-to-REST Step 4

From here, you can add any additional policy enforcement requirements as you see fit.