SAP Cloud Platform, API Management offers many out of the box API Security best practices which can be customized based on your enterprise requirements. These API Security Best Practices includes security policies for Authentication and Authorization, Traffic Management and many more.
Collecting and analyzing API logs can help identify the damage caused and expose the cloud attacks. OWASP that represents a broad consensus about the most critical security risks to web applications documents the best practices to be followed for API logging.
In this blog we will use Message Logging Policy to log the API interactions happening on SAP Cloud Platform API Management to a Third Party Logging server.In the blog we have used Loggly as the Third Party Logging server, alternatively other logging server like Splunk could be used.
This blog is a continuation of the API Security best practices blog series and in the previous blog Threat protection against injection attacks for OData/REST APIs was covered.
In this section we would use Message Logging Policy to log the following API interactions:-
In the above JavaScript code snippet we gather some common API interactions points like unique request id, system time stamp, Target Response Time, API Response Time etc.
With this we have successfully applied a Message Logging Policy to log the API interactions to a Third Party logging server like Loggly.
Collecting and analyzing API logs can help identify the damage caused and expose the cloud attacks. OWASP that represents a broad consensus about the most critical security risks to web applications documents the best practices to be followed for API logging.
In this blog we will use Message Logging Policy to log the API interactions happening on SAP Cloud Platform API Management to a Third Party Logging server.In the blog we have used Loggly as the Third Party Logging server, alternatively other logging server like Splunk could be used.
This blog is a continuation of the API Security best practices blog series and in the previous blog Threat protection against injection attacks for OData/REST APIs was covered.
More best practices covered in API Security Best Practices blog series.Prerequisites
- SAP Cloud Platform API Management tenant.
- Loggly tenant.
Customer Token from Loggly tenant
- Sign in to your Loggly tenant.
- Navigate to the Source Setup and then click on the tab Customer Tokens to fetch your Loggly token. This token would have to be used in the Message Logging Policy later in the section Log API Interactions.
Launch API Portal
- Logon to your SAP Cloud Platform, API Management account (say https://account.hanatrial.ondemand.com/cockpit).
- Navigate to the Services tab, search for API Management service tile and click to open API Management service.
- Click on the link Access API Portal to open API Portal.
Log API Interactions
In this section we would use Message Logging Policy to log the following API interactions:-
- API Proxy Name
- Unique message Id
- System timestamp
- Target Response time
- API Response time
Refer Rate limit API calls blog to create an API Proxy to an OData API from SAP Gateway and applying an API Rate limit using Quota policy. In this blog we would be extending the same to add the support for logging all API interactions to Third Party Log server.
- Navigate to the Define from the hamburger icon, then select the tab APIs. Select the API Proxy to which API Rate limiting was applied.
- Click on the Policies button of the selected API Proxy.
- Click on the Edit button from the Policy designer and then from Scripts tab click on the +button to add the JavaScript file for creating the log message data structure.
- In the Create Script dialog provide the name of the JavaScript file say logmessage and then select Create from the Script drop down. Finally click on the Add button.
- Select the newly added JavaScript file logmessage and in the Script Resource copy paste the following code snippet.
var logdata = {
requestId : context.getVariable("messageid"),
currentSystemTime : context.getVariable("system.time"),
requestStartTime : context.getVariable("client.received.end.time"),
targetResponseTime : context.getVariable("target.received.end.timestamp") - context.getVariable("target.sent.start.timestamp"),
apiResponseTime : context.getVariable("system.timestamp") - context.getVariable("client.received.end.timestamp"),
targetResponseEndTime : context.getVariable("target.received.end.time")
}In the above JavaScript code snippet we gather some common API interactions points like unique request id, system time stamp, Target Response Time, API Response Time etc.
Note that the above JavaScript is just a sample snippet and this snippet would have to be adjusted to log other parameters based on your enterprise need.- Select PostFlow from the ProxyEndPoint section and then click on the + button next to the JavaScript Policy available under the Extensions Policies segment.
- In the Create policy screen specify the policy name say generatelogmessage, select Stream as Outgoing Response and then click on the Add button.
- Select the policy newly added generatelogmessage policy then add the following policy snippet to invoke the logmessage JavaScript file.
<Javascript async="false" continueOnError="false" enabled="true" timeLimit="200" xmlns='http://www.sap.com/apimgmt'>
<ResourceURL>jsc://logmessage.js</ResourceURL>
</Javascript>
- Click on the + button next to the Message Logging Policy available under the Extensions Policies segment to log the generated log message to a Third Party logging server.
- In the Create policy screen specify the policy name say logToLoggly, select Stream as Outgoing Response and then click on the Add button.
- Select the policy newly added logToLoggly policy then add the following policy snippet to log the generated log data into a Loggly tenant.
Note that in this blog, we have used Loggly as the third party logging server, alternatively any other logging server like Splunk can also be used.
<MessageLogging async="false" continueOnError="true" enabled="true" xmlns='http://www.sap.com/apimgmt'>
<Syslog>
<Message>[YOUR_LOGGLY_TENANT_CUSTOMER_TOKEN@41058 tag="{apiproxy.name}"] {sapapim.logmessage}</Message>
<Host>logs-01.loggly.com</Host>
<!-- This is default port value -->
<Port>514</Port>
<Protocol>TCP</Protocol>
</Syslog>
</MessageLogging>
- Edit the policy snippet added to post log message to Loggly server, specify your customer token configured in the Loggly tenant as explained in section Customer Token from Loggly tenant by replacing the text YOUR_LOGGLY_TENANT_CUSTOMER_TOKEN (highlighted in previous screenshot) with your Loggly customer token.
- Click on the Update button to save the Policy changes
- Click on the Save button to save the changes to API Proxy.
With this we have successfully applied a Message Logging Policy to log the API interactions to a Third Party logging server like Loggly.
Finally testing the flow
- Navigate to the Test tab from the hamburger icon
- From the APIs list search for the API Proxy that you would like to test say GatewayServiceRestrictedAccess and then click the API to test.
- Click on the Authentication: None link and select Basic Authentication to set the user credential to connect to the SAP Gateway ES4 system
- Enter your user credential to the SAP Gateway ES4 system and click on the OK button
- Click on the Send button to invoke the API.
- Logon to your Loggly tenant and then click on the Dashboard tab. The latest log message would be appear in the dashboard.
- Click on the latest log message as shown in the screen shot above to view the log data in details.
Further Reads
- Next part of the API security best practices blog series – Threat Protection against SQL injection a...
- Previous part of the API security best practices blog series – XML Threat protection against injecti...
- API Security Best Practices
- For more blogs on SAP Cloud Platform API Management visit us at SAP Community
- SAP Managed Tags:
13 Comments
