MuleSoft Accelerators - Common Services

As of Release 1.4, all APIs use the HTTPS protocol by default for secure
communications. Most APIs provided by the solution can also be secured by
applying the Client ID enforcement policy in API Manager; the
Basic Authentication policy is also supported.

CloudHub load balancers and HTTPS

Applications that expose API endpoints or make calls to other APIs will do
so via the HTTPS protocol. To simplify deployment, listeners use a self-signed
certificate provided by the accelerator-common-core library. While this
approach works fine when using the shared CloudHub load balancer in the
target deployment region, the certificate will generally need to be
replaced if running under a Dedicated Load Balancer.

Apply API Manager policy

This section describes the procedure to enable the Client ID enforcement
policy for a deployed API.

Your organization must have API Manager included in your Anypoint subscription in order to proceed.

Create the managed API instance

The simplest way to create a managed API instance is from an existing Exchange asset. Here are the steps:

1. Download the API RAML Definition asset from the MuleSoft Exchange and upload it to your own Exchange instance. Be sure to select the correct business group.

2. In API Manager, select the same business group and choose a target environment. Click the Manage API button and select the Manage API from Exchange option.

3. In the API Name field, start typing the name of the API to manage. The asset type and version fields should populate automatically.

4. Scroll down to the Mule version option and enable it. Clear the contents of the Implementation URI field.

5. To make the API easier to find later, expand the Advanced options section and enter the full display name of the API in the Label field (e.g., Acclelerator Jira Experience API).

6. Click Save to create the API instance. On the summary page, copy down the API ID value found under the Autodiscovery label.

Request access to the API

Locate the API asset in Exchange and select the Request access option from the menu located in the top right corner of the asset page (may be hidden under the "three dots" menu). Select the API you created earlier and choose an application to use (create one if necessary). Be sure to copy down the client ID and client secret values.

In your local Maven settings.xml file (the one you configured specifically for the accelerator deployments), set the values of the accelerator-api.client-id and accelerator-api.client-id properties in the CloudHub-DEV profile to the values copied above.

For a higher degree of security, create a separate application for each API consumer. For API to API calls you will need to add each client ID/secret pair to your deployment profile and update the property name references in the pom.xml file for the consuming API.

Enabling support for API Manager in applications

Each application must include a configuration element corresponding to the API ID it is implementing. The accelerator applications already include support for this, you just need to update them as follows:

1. In the implementation project, open the global.xml file found under the src/main/mule folder.

2. When the editor opens, select the Configuration XML tab to reveal the XML source.

3. Locate the api-gateway:autodiscovery element and uncomment it. Leave the values as they are.

4. In the property file under src/main/resources/properties representing the target deployment environment (e.g., DEV.yaml), locate the autodiscoveryID property and set it to the value copied from the API ID value, above. Be sure to keep the double-quotes (all YAML config properties must be defined in quotes).

5. Deploy the updated application and monitor the log file. Just before the Your application is started message there should be one similar to the following:

   API ApiKey{id='16422525'} is now unblocked (available).

6. Verify status of the API instance in API Manager now shows as "Available".

Applying the policy

The following steps describe how to apply the Client ID enforcement policy to a specific API.

1. In API Manager, locate the API to apply the policy to and click the version label to bring up the API settings page.

2. Select the Policies item from the left navigation menu and click the Apply New Policy button.

3. Select the latest version of the Client ID enforcement policy and click Configure Policy.

4. In the policy configuration page, choose the HTTP Basic Authentication Header option for the Credentials origin setting.

5. Click the Apply button to create and apply the policy to the API.

The policy should take effect after a few moments.

Automated policies

An easier way to apply policies to all APIs is to deploy them as Automated policy. Existing applications will be updated, while new deployments will automatically get the policy. The steps for configuring the policies themselves remain the same.