Hi Experts,

I am using webMethods Api Gateway 10.5. I am in need to create a REST API for which i need to put authentication at API GW layer using user id and password being passed from the source system while calling the API. What should be the policy to be used and how to implement it in API Gateway.

Thanks in advance

Regards,
Debapriyo

You need to configure the “Identify & Authorize Application” under “Identify & Access” stage (Refer the screenshot below). API Gateway supports variety of identification/authentication types like HTTP Basic Authentication, API Key, JWT, Oauth, OpenID etc.

From my understanding of your scenario, you can choose “HTTP Basic Authentication” to authenticate the userid/password from the client. The users need to be already configured in API Gateway or you can authenticate against the LDAP users if you have configured LDAP in the API Gateway.

Based on the “Application Lookup condition” you define, you might need to create an application and define the username in the application and register the application to the API. Request you to go through the documentation if you need more information on “Application Lookup condition”.

https://higherlogicdownload.s3.amazonaws.com/IMWUC/webMethods/Files3/7dc50bd6666aff0ebe5337eb8d66d6fa9c15375e_2_1035x475.png 1.5x, https://higherlogicdownload.s3.amazonaws.com/IMWUC/webMethods/Files3/7dc50bd6666aff0ebe5337eb8d66d6fa9c15375e_2_1380x634.png 2x" data-dominant-color="E7EEF2">

image1905×876 92.6 KB

Hope this answers your question.

Regards,
Vallab

Hi,

Thanks @Vallab_Chandrasekaran2 for the guidance. So I have selected the HTTP Basic Auth (Registered application) as my current need is to authenticate via user-id and password.

On the other side i have created an application and in the other identifier section is selected username as below:

I have also registered the application in the API. Now while calling and validating from the SOAPUI I am using the

• Auth header ==> to pass the username
• Header ==> x-Gateway-APIKey field to pass the API key of the application

Still getting error as below:
[POL:evaluatePolicy]I—> No matching application found for the API : <<service_name>> and Identifier type: token and value Default.

Anything I am missing at my side?

Regards,
Debapriyo

Hi Debapriyo Dasgupta,

What you tried should have worked. Can you please share the product version and the fix level?

Also, please try the scenario without the API Key header (with only Authorization header) and let me know if it works. If it still doesn’t work, please share the screenshot of the application-API association and trace level logs with trace enabled for the below two components.

1. 0102 IAM (Identity and Access Management)
2. 0300 Gateway Commons

Regards,
Vallab

Hi @Vallab_Chandrasekaran2 ,

So for the version and fix level
Product version : 10.5.0.0
WmAPIGateway fix : APIGateway_10.5.0.3.121, APIGateway_10.5.0.5.210, APIGateway_10.5.0.6.244

The API works smoothly when I simply use API Key header (without HTTP Basic auth).

When I changed the Identify & auth policy with only HTTP Basic Auth i am back to the square one. Below are the screenshots

https://higherlogicdownload.s3.amazonaws.com/IMWUC/webMethods/Files3/90f05fcbfbcb7e3b9946b6da6fda637b4d9f0fdf_2_1035x466.png 1.5x, https://higherlogicdownload.s3.amazonaws.com/IMWUC/webMethods/Files/90f05fcbfbcb7e3b9946b6da6fda637b4d9f0fdf.png 2x" data-dominant-color="EEF0F2">

image1140×515 36.1 KB

Application Registered

https://higherlogicdownload.s3.amazonaws.com/IMWUC/webMethods/Files3/00dfa3f9aeaeb23b4166a93a4083e5862e677bd5_2_1035x133.png 1.5x, https://higherlogicdownload.s3.amazonaws.com/IMWUC/webMethods/Files3/00dfa3f9aeaeb23b4166a93a4083e5862e677bd5_2_1380x178.png 2x" data-dominant-color="F6F8F9">

image1576×204 12.2 KB

Application details

https://higherlogicdownload.s3.amazonaws.com/IMWUC/webMethods/Files3/9ca8a3b82b55e43b6f6db71610652ca48d198830_2_1035x541.png 1.5x, https://higherlogicdownload.s3.amazonaws.com/IMWUC/webMethods/Files/9ca8a3b82b55e43b6f6db71610652ca48d198830.png 2x" data-dominant-color="FDFDFE">

image1047×549 19.6 KB

==== Logs with the suggested trace on =====
logsnippet.txt (12.5 KB)

Let me know what else we can try to achieve the desired outcome.

Also I can see the possibility to put username in application, but what about password as well??

Thanks in advance.

Regards,
Debapriyo

Hi Debapriyo,

Few more questions.

1. You mentioned 10.5 fix 3, fix 5 and fix 6 as current fix levels. Are these 3 servers clustered or running as stand-alone?

2. Reg your question below

The application cannot have password. The application is defined for the purpose of identifying a consumer from the request. For example, when you send a request with the “testAdmin” user you mentioned above, API Gateway tries to map this username to identify an application and then check if this application is associated to the API (based on the policy configuration).

However the authentication of the user is done against the API Gateway user management as I already mentioned in my first reply. You need to either define the username/password in API Gateway User Management or you should link LDAP which handles the user authentication.

Please confirm if you have already done the above step.

Regards,
Vallab

Hi Vallab,

Ok i got my miss-out. I didn’t create user in the API GW IS

Now that i have created a local user with the name testAdmin, this is working fine with userid and password authentication. Even i played around with IP filtering auth option which was also fine.

Thanks a lot for your support. Have a great day.

Regards,
Debapriyo