1.3 How Secure API Manager Works

There are two points of integration between Secure API Manager and Access Manager. The first uses OAuth2 tokens: the following graphic depicts how Access Manager ensures that every request that comes to the API Gateway is an authorized request.

The second integration point allows you to control who has access to which APIs through the use of the Access Manager scopes and roles. For more information, see Understanding How Secure API Manager Uses the Access Manager Scopes and Roles to Determine API Access in the NetIQ Secure API Manager 1.0 API Management Guide.

The following graphic depicts the management of the APIs through Secure API Manager.

Figure 1-5 API Management in Secure API Manager

  1. Developers add or create the APIs through the Publisher and combine and use the available APIs in the Store.

  2. End users execute an application or service through a browser or a mobile device. The application or service makes a call to the API stored in the API Gateway component of Secure API Manager.

  3. The API Gateway component of Secure API Manager takes the API request and sends a request for an authorization token for the API to the OAuth application in Access Manager. You create this OAuth application during the configuration phase. Access Manager ensures that the API request is a valid request and issues a token for authorization of the API.

  4. The API Gateway receives the approval or denial for the API authorization request from Access Manager and then either allows the API in the API Gateway to execute or denies access to the API. The execution of the API provides an additional feature or function to the application or service that the end user is running.

This process ensures that Secure API Manager accepts only valid requests. This type of access control ensures that no denial-of-service attacks can take down the system. The second level of access control integrates Secure API Manager with Access Manager so that the Access Manager scopes and roles limit who has access to which API or API endpoint. For more information, see Understanding How Secure API Manager Uses the Access Manager Scopes and Roles to Determine API Access in the NetIQ Secure API Manager 1.0 API Management Guide.
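The two levels of access control described above can be modeled as one gateway decision. This is an added example, not NetIQ code: the token table, the per-endpoint policy, and the function names are hypothetical stand-ins for Access Manager's token validation and its scope and role configuration.

```python
import time

# Constructed sample data standing in for what Access Manager knows about
# issued tokens (hypothetical; the product's real interface is not shown here).
TOKENS = {
    "tok-alice": {"exp": 4102444800, "scopes": {"orders.read"}, "roles": {"employee"}},
    "tok-bob": {"exp": 4102444800, "scopes": {"orders.read", "orders.write"},
                "roles": {"manager"}},
    "tok-old": {"exp": 946684800, "scopes": {"orders.read"}, "roles": {"employee"}},
}

# Hypothetical policy: scopes and roles required for each API endpoint.
API_POLICY = {
    ("GET", "/orders"): {"scopes": {"orders.read"}, "roles": {"employee", "manager"}},
    ("POST", "/orders"): {"scopes": {"orders.write"}, "roles": {"manager"}},
}

def validate_token(token):
    """Step 3 stand-in: return token details if valid and unexpired, else None."""
    info = TOKENS.get(token)
    if info is None or info["exp"] <= time.time():
        return None
    return info

def authorize(method, path, headers):
    """Steps 3 and 4: return (http_status, reason) for one API request."""
    # First level: the request must carry a token that validation accepts.
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, "missing or malformed bearer token"
    info = validate_token(token.strip())
    if info is None:
        return 401, "token rejected"
    # Policy lookup happens only after authentication, and unknown APIs are denied.
    policy = API_POLICY.get((method, path))
    if policy is None:
        return 404, "unknown API"
    # Second level (assumed semantics): all required scopes, at least one allowed role.
    if not policy["scopes"] <= info["scopes"]:
        return 403, "insufficient scope"
    if not policy["roles"] & info["roles"]:
        return 403, "role not permitted"
    return 200, "allowed"
```

Rejecting the token before looking up the endpoint policy keeps unauthenticated callers from learning which APIs exist.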