Before you set up API protection, make sure that
basic system configuration is complete, including configuring network interfaces, routes,
VLANs, self IPs, DNS, and NTP.
An API protection profile
specifies the URI paths, servers, and default properties of the API. You can create it
manually by adding the necessary paths and servers. You can also develop custom
responses to API calls, use a relevant single sign-on configuration, and specify log
On the Main tab, click
For Name, type a name for the API protection profile.
If you are protecting a pool of API servers, select Use
If selected, the default server specified on the Paths tab is ignored.
For Authorization, you can add none, one, or both of the
- Basic: Validates user logins that use the HTTP or HTTPS
  protocol. For HTTP Basic mode, the credential must be checked using an APM
  AAA server. You can use different AAA servers
  depending on any request criteria, geolocation, time, path, source IP, and
- OAuth 2.0: Validates user logins using OAuth 2.0 to issue tokens
  to the client after successfully authenticating the resource owner. For
  OAuth mode, token validation (introspection) can be performed internally if
  JWKs are available and JSON Web Tokens (JWTs) are used, or externally against an
  external OAuth authorization server (AS).
When either option is selected, the per-request policy creates a macro
named OAuth Scope Check AuthZ to handle the
authentication. Despite the name, this subsession macro is usually used for
handling both HTTP Basic and OAuth.
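The following added example (not F5 or APM code) illustrates what internal validation of a JWT against a JWK set involves in OAuth mode: key selection, algorithm pinning, signature, expiry, and scope checks, all without contacting the authorization server. The key set, claims, and function names are constructed for the example, and a symmetric HS256 key is assumed so that it runs with the Python standard library only.

```python
import base64, hashlib, hmac, json, time

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Constructed JWK set. A symmetric "oct"/HS256 key keeps the example stdlib-only;
# an authorization server would normally publish RSA or EC public keys instead.
JWKS = {"keys": [{"kty": "oct", "kid": "demo-1", "alg": "HS256",
                  "k": b64u_enc(b"constructed-demo-secret-32-bytes")}]}

def mint_demo_token(claims, kid="demo-1", alg="HS256"):
    """Stand-in for the authorization server: sign constructed claims."""
    head = b64u_enc(json.dumps({"alg": alg, "kid": kid}).encode())
    body = b64u_enc(json.dumps(claims).encode())
    key = b64u_dec(JWKS["keys"][0]["k"])
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u_enc(sig)}"

def validate_locally(token, jwks, required_scope, now=None):
    """Return (True, claims) or (False, reason) without calling the AS."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64u_dec(head))
        kid, alg = header.get("kid"), header.get("alg")
        signature = b64u_dec(sig)
    except Exception:
        return False, "malformed token"
    # Select the key by kid and pin the algorithm to the key's own alg, so a
    # header claiming "none" or another algorithm is rejected up front.
    jwk = next((k for k in jwks["keys"] if k.get("kid") == kid), None)
    if jwk is None or jwk.get("alg") != "HS256" or alg != "HS256":
        return False, "no usable key"
    signed = f"{head}.{body}".encode()
    expected = hmac.new(b64u_dec(jwk["k"]), signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    claims = json.loads(b64u_dec(body))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return False, "expired"
    # OAuth scopes travel as one space-delimited string in the "scope" claim.
    if required_scope not in claims.get("scope", "").split():
        return False, "missing scope"
    return True, claims
```

Local validation cannot see a revocation that happened after the token was issued; the external option trades a network round trip for that visibility.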
Access Policy Manager creates an API protection
profile and opens new tabs where you can manually add paths, servers, and responses. In
addition, Access Policy Manager automatically develops a per-request policy that is
associated with the protection profile. You can adjust the policy as needed using the
visual policy editor to access all of the features per-request policies
You can manually develop the policy as needed. For
example, you can:
- Add paths
- Add servers
- Create responses
- Specify log settings
- Add SSO configurations
If the API changes, locate the API profile in the list, then
click Edit to edit the associated per-request