CON8696 - Unlocking the Value of Your Enterprise IT Assets Through APIs
Tim E. Hall, Vice President, Product Management, Oracle Fusion Middleware
Program Agenda
• Overview of API Management
• Trends and Challenges, Yesterday, Today, and Tomorrow
• Choosing your Delivery Model & Terms of Service
• People, Process, & Tools
• Learning from the Past
• Unlocking the Value
• Components of API Management
• How to extend your investment to address API Management
New Requirements: Business User Empowerment, Mobile Computing, Cloud Computing
Current Trends: Organizations Are Rapidly Leveraging REST-based APIs
Business Drivers for “API” Exposure:
• Streamlined Operations and Maintenance
• Empower the Mobile Workforce
• Improved Employee Productivity
• Enable Better Customer Service
• Enable Better Responsiveness
• Capture New Revenue Opportunities
Security and Lifecycle Management are the primary barriers to adoption
What is an API!? What is a Service?
Terminology, style, and reach
[Diagram labels: Artifacts, Metadata, Policies]
What to Offer? API or Mobile App?
• Offering Services
• Mobile App?
• API?
• Hybrid?
• How much of the user-experience do you want to control?
• How do you provide access for Developers?
• Do you monetize your API?
[Diagram: Offering? API: Open Consumption; Mobile App: Closed Consumption]
Terms of Service: Formal Agreement is Required
• Defines the Responsibilities of the API Provider such as:
  • Uptime & Availability
  • Response Time
  • Support
  • Limitation of Liability
• Defines the Responsibilities of the API Developer such as:
  • Security & Testing
  • Use Limits
  • Financial Obligations ($)
Monetization of APIs: Should I charge for my API?
• Free
  • Provide unfettered access to content because it drives business
  • Deliver a capability and monetize the transaction itself
• Fee-based
  • Content itself has value – you can’t give it away
  • Premium capability or revenue “sharing”
[Diagram: Free API and Fee-Based, each divided into Content and Capability]
Example: Content Monetizing APIs
• Fee-Based
  • Digital Media
  • Financial Data
  • Other High Value Data
• Free
  • Location Information
  • Product Catalog
Example: Capability Monetizing APIs
• Free
  • Simple offerings
  • Indirect monetization (Ads)
  • B2B Supply Chains
• Fee-Based
  • Premium offering
  • Proprietary Network Services
  • Payment Gateways
Capabilities & Tools: What is API Management?
• Break down the various aspects of the solution; requirements
• Determine which parts you have
• Determine which parts you need
[Diagram labels: API Management; Lifecycle Management; Security; Design Time; Runtime; Definition; Creation; Content Mgmt; Container; Orchestration; Community Mgmt; Virtualization; Identity Mgmt; Gateway; Mgmt & Monitoring; AuthN; AuthZ; Audit; Problem Isolation; Provisioning; Key/Token Mgmt; Analytics; Capacity; Billing]
Comparing API Management & SOA Governance: Terminology & Perspectives
• API Management
  • Catalog of available APIs
  • Automation to support consumption by developer
  • Developer specific usage reporting
• SOA Governance
  • Catalog of available assets, services, artifacts
  • Automation to support creation process
  • Transaction-level drill-down and issue triage
[Diagram labels: External, Internal, Lifecycle, Security, Monitoring, Platform]
• Limited “infliction” of technology on consumers
• Organization dictates technology options & alternatives
What is the core issue? People!
API Management and SOA Governance share the same goal
[Diagram, Developer Community Management: Communication; Engagement; Doc. Support; On-boarding; Blogs; Terms of Service; Error Handling; Version Mgmt; Access Mgmt; Pricing; Events; Examples; Forums; Social Media]
Process: Adoption Patterns & Stakeholders, For Initial Projects
[Diagram, DRIVEN BY PROJECTS: Portfolio; ERP, Legacy App Portfolios; Service/API Ownership; Project Execution; Operations; Lifecycle Management; Enforce Service Levels; Enforce Policies; Artifacts; Blueprints & Patterns; Architecture]
Process: Adoption Patterns & Stakeholders, For SOA Governance & API Management (Broader Adoption)
[Diagram, DRIVEN BY INITIATIVES: Portfolio; People; Service/API Portfolios; Roles & Responsibilities; ERP, Legacy App Portfolios; Organizational Owner; Service/API Ownership; Project Execution; Operations; Lifecycle Management; Enforce Service Levels; Shared Artifacts; Enforce Policies; Architectural Standards; Enforce Platform Decisions; Shared Foundation APIs; Blueprints & Patterns; Technology; Architecture]
Process: Adoption Patterns & Stakeholders, For SOA Governance & API Management (Increased Maturity)
[Diagram, DRIVEN BY EXECUTIVES: Financial; Portfolio; People; Service Funding Model; Projects Portfolios; Service Usage Fees; EA Group; End to End Platform Funding; Service/API Portfolios; Roles & Responsibilities; ERP, Legacy App Portfolios; Organizational Owner; Service/API Ownership; Capacity Planning; Project Execution; Operations; Lifecycle Management; Enforce Service Levels; Shared Artifacts; Enforce Policies; Strategic Platform; Reference Architectures; Data Ownership; Architectural Standards; Enforce Platform Decisions; Data Standards; Shared Foundation Srvcs; Blueprints & Patterns; Technology; Data Quality; Architecture; Information/Content]
The Enterprise Architect’s Challenge
• Coordinate lifecycle setup across the infrastructure
• Restrict, throttle and manage Web services and REST APIs
• Coordinate on-boarding of developers
• Extend common Access and Authorization policies to all systems
• Connect mobile devices to existing enterprise systems
• Communicate, communicate, communicate…
Does this sound familiar? Early Adoption of APIs eerily similar to Web services
Current API Adoption Challenges:
• Lack of documentation
• Exposure of underlying data model
• Inconsistency of rules & behavior
• Security complexity
Why invest in a catalog? We only have one API!
[Diagram, Developer Community Management: Start Simple; Expand Over Time]
Quick Review: SOA Governance and Lifecycle Management
• Creation: Efficiency, Reuse & Consolidation
• Definition: Business/IT Alignment
• Monitoring & Management: Production Assurance for SLAs
• Security: Systematic Enforcement of Policy
[Diagram labels: Architects; Designers; Business Owners; Developers & Integrators; Artifacts; Metadata; Policies; Security Engineers; IT Operations; Release Management; Consumer Provisioning]
API Management Reference Architecture
[Diagram labels: SOAP/REST and Legacy Web Services; Protocols: HTTP, SOAP, REST, XML, JMS, FTP; Developers; REST; Security: WS-Security, Basic Auth, Digest, X509, UNT, SAML, Kerberos, Sign & Encrypt; JWT, OAM, SM, Basic Auth, X.509; API Clients]
• What we have today in Oracle Fusion Middleware 11g
  • Support for RESTful services in Service Bus
  • Mediate security and other protocol differences between mobile client and target services (e.g. expose SOAP web service via RESTful interface)
  • Result caching of (read-mostly) target service invocations
  • Throttling of traffic to target services
  • Lifecycle Management and coordination across various infrastructure teams through Enterprise Repository
  • Consumption reports available through EM Cloud Control
API Management Reference Architecture: Design-time Activities of Provider
[Diagram: reference architecture labels as on the first reference architecture slide, with Enterprise Repository and Service Bus]
1. Automated Harvesting of SOA Composites, Services, etc. created
2. Architect requests creation of REST-based proxy
3. Automated Harvesting of REST-based proxy
4. Architect adds terms of service, along with any additional documentation and metadata for REST-based API. API now ready for consumption!
API Management Reference Architecture: Developer: Design-time Activities
[Diagram: reference architecture labels as on the first reference architecture slide, with Enterprise Repository, Service Bus and API Portal]
1. Developer browses the catalog and requests access to an API
2. Optional: Provider reviews & approves request for access
3. Access Token Returned to Developer
API Management Reference Architecture: Runtime Activities
[Diagram: reference architecture labels as on the first reference architecture slide, with Usage Reports]
1. Developer builds & publishes Mobile App
2. User interacts with mobile app
3. Usage reports can be accessed & reviewed
API Management Reference Architecture: Questions at the edge
[Diagram: reference architecture labels as on the first reference architecture slide, with Developer Portal and API Gateway]
API Management Reference Architecture: Developer Portal
[Diagram: reference architecture labels as on the first reference architecture slide, with Enterprise Repository, Custom API Portal, Service Bus and API Gateway]
1. Custom Portal invokes exposed APIs for: Developer Facing Content, User Registration, Application Registration, custom workflows
API Management Reference Architecture: Extended Solution with Oracle API Gateway
[Diagram: reference architecture labels as on the first reference architecture slide, with Enterprise Repository, API Portal, Service Bus and Oracle API Gateway]
Oracle API Gateway Key Capabilities
• XML/API Threat Protection
• Client-based throttling
• REST API security (JSON schema validations, OAuth 2.0 Authorization server and client etc.)
• API Key Management
• Access control for heterogeneous deployment environments (.NET, Microsoft AD, Kerberos to SAML scenarios etc.)
• Native and out-of-box integration with Oracle Access Management (OAM 11gR2 / OES 11gR2 etc.) and non-Oracle Access Management solutions (CA, IBM, RSA, Entrust, Microsoft etc.)
• Support for Multiple Protocols (FTP/SFTP/JMS etc.)
API Management Reference Architecture
[Diagram: reference architecture labels as on the first reference architecture slide, with Repository (1), API Gateway (2), API Portal (3) and Service Bus (4)]
1. Oracle Enterprise Repository. Provides:
  • Back-office API catalog, content prep environment
  • API-Service dependency analysis
  • API lifecycle management
2. Oracle API Gateway. Exposes APIs to the external world, provides:
  • API Key generation/validation
  • Access enforcement
  • Rate Limiting / Client Throttling
  • Response caching
  • API virtualization in the DMZ
  • Security token & protocol mediation
  • Firewalling, method/parameter whitelisting
  • API aggregation & mash-up
  • API usage measurement & reporting
3. API Portal. External developer portal, sits on top of API repository & API gateway - provides:
  • “API marketplace”
  • Self service registration, onboarding
  • API documentation, forums, blogs, support
  • API testing tools
  • API Key delivery
  • Visualization of runtime usage metrics / monitoring
  • Bill presentment
4. Oracle Service Bus. Directly accessed by internal clients, provides:
  • Access enforcement
  • Routing, mediation, service throttling, response caching, versioning - abstracts backend services
  • Rich connectivity
  • Heavy duty payload transformations
  • API virtualization, protocol & security translation for internal apps
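Three of the gateway duties listed above (API key generation/validation, client throttling, method/parameter whitelisting) combined into one edge admission check. This is an added illustration, not Oracle API Gateway configuration or code from the presentation; the `Gateway` class, the route table and the limits are hypothetical.

```python
import hashlib
import secrets
import time


class Gateway:
    """Hypothetical edge check: API key -> throttle -> whitelist."""

    def __init__(self, rate, burst, allowed, clock=time.monotonic):
        self.rate = rate          # tokens refilled per second, per client
        self.burst = burst        # bucket capacity, per client
        self.allowed = allowed    # {(method, path): set of permitted parameter names}
        self.clock = clock
        self.clients = {}         # sha256(api key) -> client id (raw key never stored)
        self.buckets = {}         # client id -> (tokens, time of last refill)

    def issue_key(self, client_id):
        key = secrets.token_urlsafe(32)
        self.clients[hashlib.sha256(key.encode()).hexdigest()] = client_id
        return key                # shown once to the developer, e.g. via the portal

    def _take_token(self, client_id):
        now = self.clock()
        tokens, last = self.buckets.get(client_id, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[client_id] = (tokens - 1 if allowed else tokens, now)
        return allowed

    def admit(self, key, method, path, params):
        client_id = self.clients.get(hashlib.sha256((key or "").encode()).hexdigest())
        if client_id is None:
            return 401, "unknown API key"
        # Throttle before validation so rejected probes also spend the client's budget.
        if not self._take_token(client_id):
            return 429, "client throttled"
        rule = self.allowed.get((method, path))
        if rule is None:
            return 405, "method/path not whitelisted"
        extra = set(params) - rule
        if extra:
            return 400, "parameter not whitelisted: " + ", ".join(sorted(extra))
        return 200, client_id


if __name__ == "__main__":
    # Constructed sample route and client, for demonstration only.
    gw = Gateway(rate=1.0, burst=2, allowed={("GET", "/orders"): {"status"}})
    k = gw.issue_key("mobile-app-1")
    print(gw.admit(k, "GET", "/orders", {"status": "open"}))
    print(gw.admit(k, "GET", "/orders", {"debug": "1"}))
```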
Oracle Enterprise Repository: The System of Record
Sample API Developer Portal: Simplified Access
Sample API Developer Portal: User Registration
Sample API Portal Integration with OER User Management
Leverage OER for Asset/Artifact Model Simplified Access
Leverage OER as Content Repository for Portal Lifecycle Management
Sample API Developer Portal: API Browsing – Content from OER
Sample API Developer Portal: API Browsing
Sample API Developer Portal: Testing
Sample API Developer Portal: Reference Architecture
[Diagram components: Sample API Developer Portal; Custom RESTful Wrapper for OER REX APIs; Oracle Service Bus w/ Proxy Services (Test Instances); Oracle Enterprise Repository; EJB Legacy Implementation (Test Instances). Legend: Custom Code; Oracle Fusion Middleware Products Leveraged]