Securing Microservices in Bluemix with IBM API Management (Part 3)

Ideally all microservices would delegate their security concerns so that the two-pizza team can concentrate on the functional requirements of the service rather get distracted by the ancillary non-functional requirements.  Being able to offload the security burden from each and every microservice implementation is a big deal.

IBM API Management

Screen Shot 2015-12-03 at 1.53.34 PMAt first glance I was hoping that using a service like IBM API Management (APIM) would provide the API security gateway capabilities to secure Bluemix hosted microservices.

As parts 1 and 2 have illustrated, when a RESTful microservice is hosted in Bluemix it will be publicly exposed. Even if using APIM to secure this API, the App implementing the REST services still has a public route. Therefore requests could easily circumvent APIMs enforcement and monitoring by simply calling the service directly rather than using the APIM URL. Unfortunately this means embedding security within each CF App is unavoidable. 

APIM has no means to discover Worker or Service processes in Bluemix. APIM cannot participate in pub-sub messaging behind the firewall. In short APIM can only send HTTP/S requests to routable endpoints.

The initial approach has the App implementing the microservice mandate SSL mutual authentication as a simple way to ensure that the service would only accept requests from APIM, effectively shutting the door on the alternate route directly to the service. Unfortunately, since these services sit behind an SSL terminator, the App never sees HTTPS traffic.

The value of IBM API Management as an API gateway to microservices hosted within Bluemix is diminished by these limitations.

Ironically APIM is better suited for securing APIs hosted outside of Bluemix conveniently hidden behind a firewall and reachable only via VPN or Secure Gateway.

APIM-Bluemix-Microservices

Scenario 1:

Forcing Requests through API Management

The IBM API Management service isn’t limited to just securing APIs. Monitoring, throttling, developer discovery, versioning and request/response transformation are other use cases.

In this first scenario I’ve had to add basic authentication to all my service operations to ensure they can only be invoked via APIM. However, let’s say I don’t actually want to require authentication in order to use the API.  In APIM I make sure that the APIM path does not require authentication,

Screen Shot 2015-12-03 at 2.05.17 PM
Some operations require authentication while others do not.

while providing the basic auth credentials to the request that APIM makes to the secured microservice.

Screen Shot 2015-12-03 at 2.00.41 PM
APIM initiates a new request to the service provider with credentials.

So users attempting to invoke the service directly via

https://privatescoutpopcorn.mybluemix.net/status

will be unauthorized whereas users calling the operation via APIM

https://api.apim.ibmcloud.com/cxvorg-dev/sb/ba/status

will succeed because APIM knows the functional ID and password protecting the service.

The APIM endpoint consists of:

api.apim.ibmcloud.com/<organization>-<space>/<environment>/<API basepath>/<operation>

Where

  • <organization> and <space> is where you bound the service in Bluemix
  • <environment> is the API deployment environment (default is sandbox or ‘sb’)
  • <API basepath> and <operation> is specified as part of the the API definition

Screen Shot 2015-12-03 at 3.38.14 PM

Screen Shot 2015-12-03 at 3.40.50 PM

Scenario 2:

Basic Auth Users and Functional IDs

It is possible to have APIM require from the user one set of credentials while supplying the service provider with a different set.  Ensure the API operation requires authentication (checked) and that the authentication endpoint is defined (in APIM API section).

Screen Shot 2015-12-03 at 3.56.23 PM
The Authentication URL points to an operation that ONLY authenticates basic auth credentials and no more.

The authentication endpoint will be provided the basic auth credentials supplied by the user. The only purpose of this endpoint is to handle authentication for ALL operations marked as requiring authentication. It should not access, add or modify any resources whatsoever. Unfortunately this authentication endpoint will have no insight as to the requested operation, neither the verb (GET, PUT, DELETE, etc) nor the resource. It is strictly about authentication. Authorization plays no part here.  It will be called exclusively by APIM to determine if the requesting user is authenticated. If so, APIM will invoke the operation using a functional ID and password not known to the end user.

APIM-Bluemix-Microservices-basicauth

Scenario 3:

Basic Authentication Pass-through

Of course you are not forced to implement a separate Basic Auth endpoint. You could simply pass the user supplied credentials directly onto the service provider. Make sure that Authentication is unchecked for the API operation. This will avoid having APIM check with the special basic auth endpoint as in scenario 2. Next have APIM simply proxy the request to the service provider. This way the user credentials will be passed along to the endpoint for authentication.

Screen Shot 2015-12-03 at 4.43.37 PM

In the continuation of this series I will delve into the OAuth authentication options provided by the IBM API Management service.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s