2.1 Understanding the Flow of Communications through Secure API Manager

The Secure API Manager components communicate with each other only over SSL/TLS; Secure API Manager does not allow non-SSL communication between the different components. To deploy Secure API Manager you must therefore either install a certificate issued by a certificate authority that the components already trust, or use the self-signed certificate on the appliance. If you use the self-signed certificate, every component that connects to the appliance (and any application that calls the API Gateway) must explicitly trust that certificate, or the connection fails certificate validation.

Secure API Manager uses Access Manager to create OAuth tokens that allow secure access to the APIs. The following graphic depicts the flow of information between Secure API Manager and Access Manager.

Figure 2-1 Secure API Manager Communication Flow

API developers create APIs and publish them to the API Gateway through the Lifecycle Manager, so each developer needs access to the Lifecycle Manager. The Lifecycle Manager lets developers test the APIs, manage the lifecycle of each API, and limit the rate of calls to the APIs through throttling policies.

After the developers create or add the APIs to the API Gateway, the flow of communication occurs in the following manner:

  1. The application or service makes a call to an API published in the API Gateway.

  2. The API Gateway contacts the Identity Provider in Access Manager to obtain an OAuth token for the caller. This is how the API Gateway establishes that the application or service is approved to call the API.

  3. The Identity Provider validates the request and returns an OAuth token to the API Gateway. The API Gateway then uses that token to make the authorized API calls on behalf of the application or service. If the Identity Provider does not issue a token, the call is not authorized. For more information, see Configuring Secure API Manager in the NetIQ Secure API Manager 1.1 Administration Guide.

You must ensure that the applications and services can reach the API Gateway and receive its responses, and that the API Gateway can reach the Identity Provider in Access Manager and receive its responses. In practice this means that firewalls and network routes must allow traffic in both directions on each of these paths, and that each side trusts the other's certificate as described above.