This document provides an overview of the API economy and IBM API Management. It discusses the growth of APIs and how they allow organizations to open up assets and data for new business channels. The document then defines what a business API is and provides examples. It discusses how APIs have evolved from SOA services and provides public API examples from the insurance industry. The rest of the document discusses IBM API Management, including its architecture, key capabilities, deployment options, and how to structure an API initiative.
51. Intuitively and iteratively define
APIs and associated policies
Rapidly assemble APIs via
configuration, not coding
Minimize risk with industry leading
security & scalability
Define
API
Developer
Assemble
Meter
Secure
Deploy, Test & Debug
Monitor
Scale
Version
API Developer: Create, Secure & Version APIs
Simple interface accelerates iterative API development & deployment
52. API Developer:
Assemble New APIs Through Configuration
Assemble a new API
by combining multiple
REST or SOAP
services into a
composite API
Provide examples of
the request and
response messages,
headers and
parameters
Drag and connect
linking the request and
response messages
Transform the
message elements
with a click
53. API Providers & Consumers:
Test API readiness with Ready! API plugin
Export:
Define new APIs in
Ready! API product
by uploading
Swagger, WADL,
RAML, WSDL, etc.,
and then test the
API.
Commit to a full
range of tests –
functional, load,
security
When ready, click a
button to
Export API to insert
the tested API into
API Manager UI
Import:
Use Ready! API
testing platform to
Import SOAP &
REST API
definitions directly
from IBM API Mgmt
Dev portal for
unit/functional
testing, load testing,
service virtualization
& more
Select any API from
Dev Portal
Auto-generate test
suite
Validate
functionality and &
API Consumers API Providers
55. API Provider: “Productize” APIs using Plans
Introduce API Trial Use
Free, limited plans can
be made available
alongside premium plans
For example, a free plan
could be unrestricted,
and a premium plan
restricted
Include multiple APIs
and Resources per
Plan
Version your Plans
Apply Rate Limit by
Plan or Resource
Reject calls when limit
reached
56. API Provider: Publish your APIs to multiple
developer portals
Multiple Developer Portals
API Manager
API Provider
App Developers
in group 1
App Developers
in group 2
Securely share APIs/Plans with various
select developer communities
Fine grained plan deployment
Non-disruptive Publish: Replace a currently
published version of a Plan without any
disruption in API availability
57. API Provider: Gain Business Insights
• Pinpoint key
market
fluctuations and
find correlations
related to your
business
• Analytics for both
API provider and
application
developer:
• Analyze
performance of
APIs
• Enables chargeback
or billing for API
consumption
58. App Developer: Register application
Register new
application
Request
security keys
with enhanced
privacy
Deferred
retrieval of
client secret
59. App Developer: Analyze App Performance,
Get notified
Monitor most
active
applications and
APIs
Rate limit
developer
notifications
60. IT Admin: Manage Overall Environment*
At-a-glance
server
utilization
metrics
Management &
Gateway Server
utilization -
CPU, Memory,
Disk
Usage over
time available
by drilling down
* Not applicable to SaaS
61. Enabling businesses to join the API Economy
IBM API Management - on-cloud & on-premise
Engage with app developers through portals
• API exploration
• Self-service sign up
• Interactive API testing
• App & Key management
• API usage analytics
• Rate limit notification
• Multiple dev communities
• Build custom portal with blogs, forums
• Define & Secure REST & SOAP APIs, Publish to multiple
developer portals & users, Analyze API usage &
performance
• A resilient integrated API runtime gateway infrastructure
with IBM DataPower Gateway for enforcement of runtime
policies to secure & control API traffic
• Seamlessly move APIs & Plans from public to private cloud
or on-prem for complete flexibility
Define, publish & manage APIs
• OAuth security management
• Backend service discovery
• API lifecycle management
• API subscription management
• Data transformation/redaction
• Rate limiting at Plan/Resource level
• API user & Plan management
• API deployment to Gateway
• API security enforcement
• API Analytics to gain business
insight
• Custom roles & role-based access
control
Manage API environment
• Administer & scale system
resources
• Monitor runtime health
• Multi-tenancy
REST APIs to extend/customize
• Developer Portal
• User onboarding
• Integration with API testing
tools (SoapUI NG Pro,
Ready! API)
• Integration with Content
Management System
(Drupal)
Editor's Notes
The fact is that by December 2013, it had crossed 10,000 APIs.
This shows the exponential growth of APIs, almost doubling every 5 months.
In the past, private data, software and code could be reasonably protected behind a network perimeter of security & control. With the rise of mobile, that perimeter can no longer be the most important line of defense when it comes to security threats & IT control. Organizations must develop mobile security & control strategies that go beyond the perimeter of the enterprise and into the mobile sphere. Similarly, as the API economy continues to expand, organizations are realizing that they are providing services to new users, new stakeholders that may or may not fit into the security & control realms that have been previously established.
The dramatic growth in adoption of mobile, cloud, and social computing presents many security & control challenges for the multi-channel enterprise. There exists an increased demand to be able to control access to systems and resources that were previously only available from within the enterprise. However, as these applications are opened up to new business channels, and made accessible across the Internet, enterprises must control who is accessing those systems and under what context.
In addition to the SoE discussion we’ve had today, it’s important to note that SoR will continue to be important for many applications. Our goal is to continue to provide the middleware that supports reliable Systems of Record, to build a platform for rapidly building Systems of Engagement, and to provide tools that integrate the two environments. This is where products like WMB, DataPower, WAS and MQ will continue to provide value for our customers.
Let’s look at the Cars.com mobile app as an example.
Cars.com is a consumer of APIs, and has assembled several third-party APIs together to form the base function of their cars app.
For example, they use a Map Provider API to provide a “store locator” function.
They use APIs from a car dealer data aggregator for availability of certain makes and models.
They use APIs from a bank to offer loan calculators and origination.
They offer auto insurance through an insurance company's APIs.
And we can imagine them using the new Xtify API from IBM to provide notifications that a car they were looking for has now been found.
Now, let’s look at the API Economy from the provider's perspective.
The bank can extend its reach beyond customers doing online banking.
By offering an API that includes Mortgage Calculators, Loan Origination, Online Payment, and Account Query,
the bank can reach new mobile app providers like Cars.com (automotive sales), Zillow (online real estate), and Mint (financial data aggregator)
Which…
You as an API Provider need to make sure you focus on not only providing secure and managed APIs but also ensuring a self-service and rich developer experience for your API consumers
IBM API Mgmt provides the management platform, while IBM DataPower provides the API Gateway to enforce API security and control. IBM APIM sits on a server as a virtual appliance, while DataPower can be a virtual appliance or a physical appliance.
* Not applicable for on cloud offering
This is a common pattern for exposing APIs to External Developers and Partners.
For API requests, DataPower, acting as the API Gateway, sits in the DMZ. It can also be used as a consolidated Load Balancer or, optionally, an external Load Balancer could sit in front of it.
The API Gateway, in the DMZ, needs access to Internal Services, the User Registry used for Authentication, and the Management Cluster. For that, firewall ports need to be opened as shown in the picture. The Management Cluster also needs access to the Gateway Clusters to configure them (and monitor their status).
In this case of External APIs, the API Portal also needs to be externalized. That can be achieved by using a Reverse Proxy or DataPower, proxying external Portal requests through the DMZ.
When exposing Internal and External APIs, supporting Internal and External Developers, a good alternative is to host the Gateway Clusters in the Trusted Zone. A Load Balancer or a DataPower Security Gateway would sit in the DMZ to provide external access to the same cluster.
This option shows an alternative of separating Environments in different Gateway Clusters. Sandbox and Testing environments are published to an internal Gateway Cluster, while the production systems for APIs are configured as different clusters.
Easy out of the box setup.
LDAP or internal identity provider support.