2.1.4 Configure API Outbound Authentication - Axway-API-Management-Plus/apim-cli GitHub Wiki

This controls how the API-Manager authenticates itself to the API-Service-Provider. The following is supported today: API-Key, HTTP-Basic, HTTP Digest, Custom-Policy, OAuth & SSL.

Please note: As of now, only the Default Authentication-Device is supported. That means you cannot combine multiple Authentication devices and link them to the API.

To configure API-Outbound Authentication, an "AuthenticationProfile" can be configured in the API-Contract.

This is an example using an API-Key to be sent to the Downstream application:

{
   "name":"My API-Name",
   "path":"/the/path/to/your/API",
   "state":"published",
   "version":"1.0.5",
   "organization":"API Development",
   "authenticationProfiles":[
      {
         "name":"_default",
         "isDefault":"true",
         "parameters":{
            "apiKey":"4249823490238490",
            "apiKeyField":"KeyId",
            "httpLocation":"QUERYSTRING_PARAMETER"
         },
         "type":"apiKey"
      }
   ]
}

The following types are supported: none (used if nothing is configured), http_basic, http_digest, apiKey, oauth, ssl

Configure a default authentication profile

You must configure at least one authentication profile with isDefault=true for it to be assigned to your API automatically. Otherwise the authentication profile is only configured: unless it is referenced in the outboundProfile, it will not be used by your API.
If no default authentication-profile is configured, the following message is logged:
THERE NO DEFAULT authenticationProfile CONFIGURED. Auto-Creating a No-Authentication outbound profile as default!

Depending on the type, the following parameters are required:

HTTP-Basic / HTTP-Digest

         "parameters":{
            "username":"user1",
            "password":"password1"
         },
         "type":"http_basic"

Please note: Please read more here about password handling.

API-Key

         "parameters":{
            "apiKey":"4249823490238490",
            "apiKeyField":"KeyId",
            "httpLocation":"QUERYSTRING_PARAMETER or HEADER"
         },
         "type":"apiKey"

OAuth

         "parameters":{
            "providerProfile":"<Name-of-configured-OAuth-Profile>",
            "ownerId":"${authentication.subject.id}"
         },
         "type":"oauth"

SSL

         "parameters":{
            "source":"file",
            "certFile":"../certificates/clientcert.pfx",
            "password":"myClientCertPW",
            "trustAll":true
         },
         "type":"ssl"

The APIM-CLI tries to load the given keystore and thereby validates that the password is correct.
Swagger-Promote might not be able to determine the Keystore-Type automatically, in which case it fails with the following error message:
Error message using type: PKCS12 Error-Message: null.

In that case, please tell Swagger-Promote the correct Keystore-Type using the following format: "certFile":"../certificates/clientcert.pfx:PKCS12"

Depending on your environment the following types might be valid: JKS, JCEKS, PKCS12, CASEEXACTJKS, DKS
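
A pre-import check for the default-profile rule and the per-type parameter lists above. This is an added example, not part of the APIM-CLI; the function name `lint_auth_profiles`, the finding texts and the two sample configs are assumptions made for illustration, and it treats every parameter shown per type on this page as required.

```python
import json

# Parameters per profile type, copied from the listings on this page.
REQUIRED = {
    "none": [],
    "http_basic": ["username", "password"],
    "http_digest": ["username", "password"],
    "apiKey": ["apiKey", "apiKeyField", "httpLocation"],
    "oauth": ["providerProfile", "ownerId"],
    "ssl": ["source", "certFile", "password", "trustAll"],
}
HTTP_LOCATIONS = {"QUERYSTRING_PARAMETER", "HEADER"}

def lint_auth_profiles(api_config):
    """Return findings for the authenticationProfiles of one API config (a dict)."""
    findings, has_default = [], False
    for p in api_config.get("authenticationProfiles", []):
        name, ptype = p.get("name", "<unnamed>"), p.get("type")
        params = p.get("parameters", {})
        # The page writes isDefault as the string "true"; a JSON boolean is accepted too.
        if str(p.get("isDefault", "")).lower() == "true":
            has_default = True
        if ptype not in REQUIRED:
            findings.append(f"{name}: unsupported type {ptype!r}")
            continue
        for key in REQUIRED[ptype]:
            if key not in params:
                findings.append(f"{name}: type {ptype!r} is missing parameter {key!r}")
        loc = params.get("httpLocation")
        if ptype == "apiKey" and loc is not None and loc not in HTTP_LOCATIONS:
            findings.append(f"{name}: httpLocation {loc!r} is not a listed value")
    if not has_default:
        findings.append("no profile has isDefault=true: the API would get a "
                        "No-Authentication outbound profile")
    return findings

# Constructed sample: the API-Key profile from this page, trimmed to the relevant keys.
GOOD = json.loads("""{"authenticationProfiles": [{"name": "_default", "isDefault": "true",
  "type": "apiKey", "parameters": {"apiKey": "4249823490238490",
  "apiKeyField": "KeyId", "httpLocation": "QUERYSTRING_PARAMETER"}}]}""")
# Constructed sample: an OAuth profile that is not the default and lacks ownerId.
BAD = json.loads("""{"authenticationProfiles": [{"name": "backend-oauth",
  "isDefault": "false", "type": "oauth",
  "parameters": {"providerProfile": "<Name-of-configured-OAuth-Profile>"}}]}""")

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_auth_profiles(cfg))
```

Running such a check in the pipeline before the import turns the silent fallback to a No-Authentication outbound profile into a build failure instead of a log line.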