Protect Your API Proxy by Adding Application Key Verification

Beginner

20 min.

SAP Integration Suite, Beginner, Cloud, Tutorial, SAP Business Technology Platform, Security, SAP API Management

Protect your API Proxy with a first simple policy -- the Verify API Key policy.

You will learn

SAP Integration Suite, API Management offers several out of the box policies which help you protect, model and “work” with your APIs. One of the security related Policies is the “Verify API Key” Policy.

Meredith HassettJuly 19, 2021

Created by

August 22, 2017

Contributors

Prerequisites

Tutorials: Add the API Proxy to a product

In this tutorial you will learn how to protect your API Proxy with the “Verify API Key” Policy. This policy allows you to add a simple protection via a so called API Key. Only calls which send a valid API Key along with the main request will be allowed to call the API Proxy.

Optional

When you now open the API Proxy in a browser you will get an error message stating that you need to pass an API Key in the header APIKey.

Step 1
It is important to understanding the API policy flow so you gain an understanding of why a policy is applied at a certain time in the flow. For instance, access policies should be verified before the API call to reduce using resources unnecessarily. The entire request/response cycle is divided up, first into segments, then within each segment, into processing stages.
Where do you check the fundamentals requirements of an Incoming Request?
Step 2
When creating a policy, you will need to know how the information is available in the policy and policy editor. Understand how the Policy Designer accesses the proxy flow by reading this blog post.
When looking at the stages of the request flow in the Policy Editor, which policies are shown?
All policies assigned to the entire flow
All policies assigned to the selected endpoint system
All policies assigned to the selected stage in the endpoint
Step 3
Edit a policy and assign it to your proxy flow. This blog will ensure you know how to identify the proper stage to add a policy, as well as how to assign a policy to the flow.
What is the value for ref in the the APIKey tag for the CheckAPIKey Policy?
Step 4
You will look at assigning multiple policies to various processing stages, and how the outcome of one policy can be used to influence the behavior of another policy.
Which property do you set when creating a policy to determine if you should check the response or request?
Step 5
Open the SAP API Management API Portal (you can get the URL from Enable the SAP Integration Suite, API Management Service).
Step 6
From the Hamburger Menu in the upper left corner and click on Develop.
Step 7
Select the API GWSAMPLE_BASIC created in a previous step in the this tutorial series.
Step 8
In the upper right corner click on Policies to open the policy information for the API.
Step 9
In the Policy Editor, click on Edit.
Step 10
Select the PreFlow from the ProxyEndpoint on the left hand side.
Step 11
On the right hand, find the Security Policies section under the Policies pane. Find the Verify API Key policy and click the + next to the policy name.
Step 12
Enter the Policy Name CheckAPIKey and click on Add.
Step 13
In the Code Editor found in the bottom pane, look for the <APIKey ... /> tag. Replace the string variable_containing_api_key with request.header.APIKey.
Step 14
Click on Update to apply the new policies.

Click on Save to save the changes to the API and enforce the new policies.