SAP API Management ES4 demo revisited
My recent interest in SAP API Management has led me to tutorials like this one. That tutorial was written for a previous version of the API Management service. Below I describe the parts that are slightly different, so you can have a smooth start!
About the tutorial
The tutorial I want to revisit is about connecting the SAP ES4 Gateway demo system. We want to expose its OData services using API Management. You can register for this system here. Note that this tutorial still uses the ES4 system; ES5 is currently also available. Additionally, the tutorial starts with checking and setting the roles for the Developer and API portal. It's still important to check that these are in place.
API provider registration
The API provider represents a backend system whose web services can be discovered and used. To create an API provider, navigate to the API portal and press the create button under the API provider tab. On the connection tab, the correct SSL port needs to be set. On the authentication tab, we need to provide the previously registered account details. The important difference is in the Catalog Service settings: we need to check the Trust all checkbox in order to have the API discovery working properly (this has to do with old TLS settings). It's also vital to register a correct prefix and URL. The settings are displayed below.
The create button for the API provider:
The connection tab:
The authentication tab:
The catalog service settings tab with the Trust all option checked:
API and policy creation
At this point we can create the API, select the previously created API Provider and press discover without any problems. I’ve chosen the GWDEMO service, as shown below. If preferred, you can change the API base path as well.
The next step in the tutorial is to require the API key to be checked. This API key is automatically generated when a developer creates an application for your API; basically, you make it a private API. You can create this policy by setting the policy screen in edit mode, selecting pre-flow on the left side and choosing the Security Policy Verify API key on the right side. A pre-flow policy is executed before the request or response is sent to its destination. Then you need to configure where the API key will be found. We want to have it in the request header in an entry called APIKey; note that the type-ahead defaults to this. So this is a bit different from the tutorial. The results are displayed below.
The API tab and create button:
The service discovery when creating the API:
The Verify API Key policy configuration:
The config XML is as follows:
<!-- Specify in the APIKey element where to look for the variable containing the api key -->
<VerifyAPIKey async='true' continueOnError='false' enabled='true'
    xmlns='http://www.sap.com/apimgmt'>
    <APIKey ref='request.header.APIKey'/>
</VerifyAPIKey>
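A check for the policy XML above, as an added example that is not part of the original tutorial or of SAP's tooling: it parses a VerifyAPIKey policy and flags settings that would leave the key check unenforced or pointed at the wrong place. The weak sample, the `request.queryparam.apikey` variable name and the reading of `enabled` and `continueOnError` are assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.sap.com/apimgmt}"  # namespace used by the policy on this page

# Constructed sample: the policy from the post, typed with plain ASCII quotes.
GOOD_POLICY = """<VerifyAPIKey async='true' continueOnError='false' enabled='true'
    xmlns='http://www.sap.com/apimgmt'>
  <APIKey ref='request.header.APIKey'/>
</VerifyAPIKey>"""

# Constructed sample with weak settings (assumed semantics, see lead-in).
WEAK_POLICY = """<VerifyAPIKey async='true' continueOnError='true' enabled='false'
    xmlns='http://www.sap.com/apimgmt'>
  <APIKey ref='request.queryparam.apikey '/>
</VerifyAPIKey>"""


def lint_verify_api_key(xml_text):
    """Return a list of findings for a VerifyAPIKey policy document."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Typographic quotes pasted from a web page end up here.
        return [f"not well-formed XML: {exc}"]
    if root.tag != NS + "VerifyAPIKey":
        return [f"unexpected root element {root.tag!r}"]
    findings = []
    if root.get("enabled", "").lower() != "true":
        findings.append("enabled is not 'true': the key is never checked")
    if root.get("continueOnError", "").lower() != "false":
        findings.append("continueOnError is not 'false': a failed check may not stop the request")
    key = root.find(NS + "APIKey")
    ref = key.get("ref") if key is not None else None
    if not ref:
        findings.append("no <APIKey ref=...>: the policy has no key location")
        return findings
    if ref != ref.strip():
        findings.append("ref has leading or trailing whitespace")
    if not ref.strip().startswith("request.header."):
        findings.append("key is not read from a request header")
    return findings


if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, lint_verify_api_key(doc) or "OK")
```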
Testing the API with the APIKey header:
Conclusion
Apart from the changed details, the tutorial can be followed without any problems. The real value is in the demonstration of the service discovery through SAP Gateway: SAP API Management takes an important position in the governance of these services. It's also important to test a lot with the pre/post-flow policies. This gives you a better view of the possibilities.
Good luck on your API Management journey!