API Manager for Vendorlink Chris Messner Goal is to give a good background on API Manager, what it is, why we’re moving towards it, the benefits, the migration plan/timeline Interactive session Ask questions at any time

“Oh no, Vendor ABC is hammering VendorLink again!” “I cannot determine which Vendor is causing the SQL Server to spike! Help!” “ABC Vendor is making hundreds of calls a minute and it’s killing my database! I wish I could prevent them from doing that!” “Vendor ABC is reporting that Student Snapshot is running slow, but when I call it with the test client it returns almost immediately. Is it really running slow or not?” “Oh no, Vendor ABC is hammering VendorLink again!” How many of us have uttered these words or thoughts at some point over the last few years.

Azure API Manager (APIM) What is it? Proxy service built by Microsoft Hosted on Microsoft’s Azure cloud platform How does it work? Provides a proxy over an existing API Applies policies to the incoming/outgoing requests Routes the request to appropriate backend service Policies: preliminary input validations and authorizations, adjust the HTTP Request prior to forwarding to backend, re-format outputs into different formats

Current Vendorlink Architecture Vendor application authenticates directly against each individual ITC using unique keys per

VendorLink APIM Architecture 3 parts of APIM: Admin Portal, Vendor API Portal, API Gateway

Admin portal Administrative portion of APIM Setup and configuration of actual proxy VendorLink APIs Necessary policies (routing, rate-limiting, ip whitelist) Activation and management of Vendor accounts and subscriptions Analytics Managed by Software Answers -Where all of the APIM administration is performed -Each VendorLink API has been setup in APIM -ITC Request routing policies are in place -Initially there will be no rate-limiting -To protect the APIs we will not make API publicly available and provide subscriptions only to approved Vendors -Analytics: overall health of APIM

Vendor API portal Vendor integration point Management of APIM Gateway Subscriber keys Direct access to VendorLink documentation Integrated test client Analytics -Where Vendor configure their subscription -APIM Gateway Subscriber Key management -200 pg User Guide becomes stale vs. Instantly updated documentation -Integrated Test Client that immediately has the configurations necessary to call APIs as soon as they are published to APIM -Analytics: Vendor drill down analytics

API Gateway Authenticate with Auth Server Call API Gateway Authenticates subscriber key Handles ITC routing Manages and applies API request policies -Initial authentication with PB Auth Server -Vendor applications integrate here -Authentication of APIM Gateway Subscriber Key -Policies applied here: ITC routing, Analytic mechanisim

Benefits of APIM Visibility into VendorLink usage -Aid VendorLink committee in knowing how to prioritize enhancement requests -Aid Development in knowing how/where to optimize

Benefits of APIM Ability to rate-limit Vendor requests -Types of rate-limiting (by itc, by vendor, by api) -Initially there will be no rate-limiting applied – can be added as needed

Benefits of APIM Built-in API documentation -API documentation built right into the API manager -Example of the documentation -Example of the URL format -Actual code samples of how to call the API -Sample request/response

Benefits of APIM Built-in API test client -Built-in test client -In the past we have had issues with firewalls and network (internal vs. external) with using the Rest Test Client. The Vendor API Portal test client will remove those as an issue and make the call exactly as a vendor would from outside the network.

Vendor Modifications Retrieve an OAuth token from centralized ProgressBook authentication server Increased efficiency OAuth 2.0 industry standard vs. VendorLink native HMAC approach Convert application to navigate to a single endpoint Url Single endpoint Single Vendor Id/Key -Simplified model allows for them to manage/maintain a single VendorKey managed by the Centralized Auth Server - Software Answers ProgressBook Support during migration process

Vendor Modifications HTTP Header changes for VendorLink call Remove VL-Authorization (used in HMAC) Remove Date (used in HMAC) Add Ocp-Apim-Subscription-Key (APIM subscriber key) Add Authorization (containing the OAuth token) Add Itc (request routing key) Provide IP Addresses of all client applications to ProgressBook Support

https://pbapi.azure-api.net/VendorLink/SisService/Version Headers Ocp-Apim-Subscription-Key: 2a84558b9090b3cdd112a Used by APIM Gateway to authenticate the subscriber itc: ITC-Routing-Key Used by APIM Gateway to route the request to the ITC Authorization: Bearer eyJ0eXAiOLCbG {truncated for brevity} Used by VendorLink application to authorize the user

ITC Perspective Continue to maintain data security via SIS Security Which Vendor’s can access your data What data each Vendor can access -ITCs still manage/protect their districts data

ITC Perspective Management of Vendor Key shifts to centralized ProgressBook Auth Server Vendor still needs to exist in Central and SIS ITC Vendor Key is no longer used by the Vendor VendorLink versioning transparent to Vendors New Operations will be added to Vendor API Gateway prior to the VendorLink release -Vendor still necessary in Central/SIS to allow for authentication/authorization -Vendor will no longer use the VendorKey that they received from the each of the ITCs

ITC Perspective Existing Vendor Integrations New Vendor Integrations Vendor completes the migration process on their side No intervention necessary from ITC staff New Vendor Integrations Syncer process continues to publish the VendorLink Users and Roles to the ITCs Continue to setup Vendors (Central & SIS) for security authorization purposes

ITC Perspective VendorLink test/play environments Configured as a separate Vendor Product in APIM Ability to expose VendorLink test/play environments externally -Necessary by v18.0 because of end of HMAC support -ITCs still control what vendor users have access to the environments so external exposure optional

What to do if… …you find the need to enforce a rate-limit on a vendor? Contact the ProgressBook Support Team (Software Answers) and provide the following details ITC Name Vendor Name Specify the Operation (GET Student Snapshot) OR All Operations Desired rate-limit (x calls / minute)

What to do if… …you have a vendor reporting issues connecting to VendorLink? Determine if the issue is with APIM or with the VendorLink application If call not in the VendorLink logs then potential issue w/ APIM Attempt identical call from the Integrated APIM Test Client Verify the request headers exist and are correct ProgressBook Support can help to further analyze specific issues

Migration Process Step Responsible Activity Status 1 Software Answers Complete VendorLink setup in ProgressBook Admin Portal Complete 2 Setup all Pristine Vendors in the Central Authentication Server 3 Email all Vendors to inform them of migration plan Spring 2017 4 Vendor Register for an account at the ProgressBook Vendor API Portal Spring 2017 - Summer 2018 5 Monitor ProgressBook Admin Portal for new accounts that need a VendorLink subscription 6 Perform necessary updates to client application to support/call the new ProgressBook API Gateway

Next Steps Visit the Vendor API Portal and register your ITC for a developer account Provide your test/play environment Url to ProgressBook Support prior to ProgressBook v18.0 release Become familiar with the Vendor API Portal Peruse the VendorLink documentation Use the Integrated Test Client

Questions?