Original Message:
Sent: Wed November 13, 2024 09:52 AM
From: Steve Linn
Subject: Antivirus Scan in API Connect
Hi Vijaya,
In 10.5.0.x you'll need to use the multistep module's callRule function. See https://www.ibm.com/docs/en/datapower-gateway/10.5.0?topic=apis-multistep-module. I've worked with this function on some internal projects (sorry, I can't share those as examples) but there is work to do to pass data from the API Gateway context to be the INPUT context of your multistep processing rule, and you'll need to handle the result of the rule to put things back into the API Gateway context if needed, and you will need to handle aborted called rules to generate an exception in your API. This was the impetus to the callRuleWrapper function in 10.6.0.x, which greatly simplified this feature to providing a JSON object to tell the wrapper function how to behave, but the function did all of the heavy lifting, including using the ms.callRule function under the covers. See https://www.ibm.com/docs/en/datapower-gateway/10.6.0?topic=apis-multistep-module.
So in 10.5.0.x you must use a GatewayScript policy that does the ms.callRule function yourself. I don't have any complex examples that I can share, but the 10.5.0 doc link does have a very simple example where the contexts are created and hard coded values are set. In your use case, you'll need to pass your payload (from a context.get('message.body') or session.message.body.readAsBuffer function) in the input context setup for the ms.callRule. Since your use case doesn't need to be handling all situations generically as the ms.callRuleWrapper function does, you'd probably just need to know if your called rule aborted with the AV check failing the rule, or if it succeeded. I wouldn't see a need to take any called rule output and store it back into the API Gateway context for example. In the async function of ms.callRule an abort of the rule would result in the error object being present, so you can check for that and then do your error handling in that case.
As for your question about calling a rule from a UDP, the UDP would simply contain a GatewayScript policy that is using the multistep module as a straight up GatewayScript policy would do.
Best Regards,
Steve Linn
------------------------------
Steve Linn
Senior Consulting I/T Specialist
IBM
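A sketch of the 10.5.0.x flow described in the reply above, added here as an example; it is not part of the original post and not IBM sample code. The rule name `av-scan-rule`, the error names and the `fakeGateway` stand-ins are assumptions, and `context.message.body.readAsBuffer`, `session.createContext` and `context.reject` are assumed to behave as in the GatewayScript documentation.

```javascript
// Added sketch, not IBM sample code. In a GatewayScript policy pass
// require('multistep'), session and context. AV_RULE is a hypothetical name.
const AV_RULE = 'av-scan-rule';

function scanPayload(ms, session, context, done) {
  context.message.body.readAsBuffer(function (readErr, payload) {
    if (readErr) {
      // Fail closed: a body that cannot be read is never passed on unscanned.
      context.reject('AVScanError', 'Unable to read payload for scanning');
      return done('rejected');
    }
    // The payload becomes the INPUT context of the called rule.
    const input = session.createContext('avInput');
    const output = session.createContext('avOutput');
    input.write(payload);
    // An aborted rule (the AV action failed it) shows up as `error`.
    ms.callRule(AV_RULE, input, output, function (error) {
      if (error) {
        context.reject('AVScanFailed', 'Payload rejected by antivirus scan');
        return done('rejected');
      }
      done('clean'); // rule output is not copied back; only pass/fail matters
    });
  });
}

// Constructed stand-ins for the gateway objects, for an offline run only.
function fakeGateway(ruleAborts) {
  const state = { rejected: null, scanned: null };
  return {
    state,
    ms: { callRule(rule, input, output, cb) {
      state.scanned = input.data;
      cb(ruleAborts ? new Error('rule aborted') : undefined);
    } },
    session: { createContext: () => ({ write(buf) { this.data = buf; } }) },
    context: {
      message: { body: { readAsBuffer: (cb) => cb(null, Buffer.from('constructed payload')) } },
      reject(name) { state.rejected = name; },
    },
  };
}

function demo(ruleAborts) {
  const g = fakeGateway(ruleAborts);
  let verdict;
  scanPayload(g.ms, g.session, g.context, (v) => { verdict = v; });
  return { verdict, rejected: g.state.rejected, scanned: String(g.state.scanned) };
}
```

On the gateway, drop `fakeGateway` and `demo` and call `scanPayload(require('multistep'), session, context, ...)` from the policy.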
Original Message:
Sent: Tue November 12, 2024 12:29 PM
From: vijaya k
Subject: Antivirus Scan in API Connect
Thank you Steve! We are trying to implement this POC in APIC Version 10.5.0.x. We have the questions below.
1) As API Connect Gateway is running on DataPower, we have added DataPower processing rule which makes a call to antivirus action. Our platform team is concerned that the manually added processing rule may not persist during the gateway restarts. They said that anything that's created outside the API Manager will not persist a restart. If that's true, is there a way to make it persist?
2) Also Steve, since we are implementing this in 10.5.0.x, can you please point us to any examples that we can use for this implementation?
How can the processing rule be called from a gateway script in an API or from a UDP?
------------------------------
vijaya k
Original Message:
Sent: Wed October 09, 2024 09:23 AM
From: Steve Linn
Subject: Antivirus Scan in API Connect
Hi Vijaya,
The multistep module's callRule function exists in 10.5.0.x. You can always use that function to call a processing rule from an APIC GatewayScript policy, but you'll need to learn and implement the "heavy lifting" the new functions in 10.6.0.x do for you. The new functions in 10.6.0.x just wrap this callRule function to handle what you'd need to implement yourself for every type of rule you'd like to call and thus makes calling a processing rule much simpler, really down to creating an options object and calling the wrapper functions that handle all of the nuts and bolts. Specifically for what I'd think an anti-virus called rule would require:
- reading your input message from the API Gateway context and passing that into your called rule as the INPUT context to that called rule
- handle any called rule aborts if the antivirus action fails and translate that to a reject of your API Assembly flow
Of course the wrapper functions do more than just those two things, such as passing headers back and forth between the APIGW context and the called rule, placing the OUTPUT context of the called rule into an APIGW context message, passing properties in a var://context/msRuleContext/properties variable that the called rule can use to dynamically control its behavior, and since it is a generic function, it provides the ability to allow the code using the functions to specify callback functions which are executed pre-call, post-call, and in error situations if custom handling or validation is required. The sample policies I referenced earlier are a good reference to see how the called rule and the APIGW GatewayScript code interact once you eventually migrate to 10.6.0.x and beyond.
Best Regards,
Steve Linn
------------------------------
Steve Linn
Senior Consulting I/T Specialist
IBM
Original Message:
Sent: Tue October 08, 2024 10:12 PM
From: vijaya k
Subject: Antivirus Scan in API Connect
Thank you Steve for the detailed reply to Nirmalya's question. But we are still on DataPower 10.5.0.x; in such a case, what would be the best way to make a call to Symantec from APIC? Also, can you please suggest if there is a way to call Symantec without using the processing rule of DataPower? Thank you!
------------------------------
vijaya k
Original Message:
Sent: Mon October 07, 2024 08:51 AM
From: Steve Linn
Subject: Antivirus Scan in API Connect
Hi Nirmalya,
Since the API Connect Gateway is running on DataPower, you can have a DataPower processing rule that contains the Antivirus action called by an API Connect Assembly using the GatewayScript multistep module. There is some heavy lifting required in DataPower 10.5.0.x, but in 10.6.0.x we made it easier by having a wrapper function that you can set up that call with metadata specified in a JSON object. See https://www.ibm.com/docs/en/datapower-gateway/10.6.0?topic=apis-multistep-module and in particular, the callRuleWrapperInit and callRuleWrapper functions. We also have numerous example UDPs that exercise this module for accessing processing rules that contain Processing Rule actions such as AAA, CryptoBin, and XML Sign/Verify/Encrypt/Decrypt actions. See https://github.com/ibm-apiconnect/policy-apigw/tree/master/user-defined-policies and in particular, the SAMLAssertion is using AAA, SOAP Encrypt/Decrypt is using the XML Encrypt/Decrypt actions, and the pkcs7-policies are using the CryptoBin actions. You should be able to use those examples as a template to create a user defined policy for an AntiVirus policy in the API Gateway.
Best Regards,
Steve Linn
------------------------------
Steve Linn
Senior Consulting I/T Specialist
IBM
Original Message:
Sent: Fri October 04, 2024 01:50 AM
From: Nirmalya Mukherjee
Subject: Antivirus Scan in API Connect
How to mimic DataPower antivirus scan functionality (Symantec) in API Connect?
------------------------------
Nirmalya Mukherjee
------------------------------