
Introduction

This page describes how to create and configure a new security profile. 

Create a Security Profile

To access the Security Profiles page, log in to the Harmony portal and select the API Manager card. Click on My APIs in the upper left corner and select Security Profiles in the dropdown.

The Security Profiles page displays a repository of all your profiles. The first time you access Security Profiles, this page will be blank. Click Create New Profile to get started.

Upon clicking Create New Profile, the View/Edit Security Profile page opens.

TIP:

  • Required fields are indicated by a red asterisk following the field name.
  • Click the information icon above any field to view the related tooltip.

The page contains the following fields and options:
  • Profile Name: Enter a descriptive name to use to identify the profile
  • Environment: Each security profile applies to only one environment. The profile may apply to one API or multiple APIs within the environment. Select the environment the profile will be applied to from the dropdown. To learn more about the relationship of environments to security profiles, see Harmony API Security.
  • Description: Enter an optional description for the profile. This description will appear in the profile index and may be useful to help project collaborators identify the profile.
  • Authentication Type: Use the dropdown to select either Anonymous, Basic, or OAuth 2.0 authentication.
    • Anonymous: Select this type if no HTTP authentication is required. If you do not assign a profile, the API authentication is set to anonymous by default, and anyone can access the API. Additional security options are available under Logging, Rate Limits and Trusted IP Ranges to limit such access.
    • Basic: Select this type to use basic HTTP authentication. This option requires you to enter a Username and Password in the profile. The username and password are case sensitive. The same username and password must be entered to access the API at runtime. SSL encryption is enabled by default at the API level (see Harmony API Security for additional information). Additional security options are available under Logging, Rate Limits and Trusted IP Ranges.

      NOTE: If you need additional instructions on how to use HTTP header information or Basic Authentication, please refer to https://en.wikipedia.org/wiki/Basic_access_authentication

    • OAuth 2.0: OAuth 2.0 authentication uses authorization tokens issued by a third-party identity provider to establish the identity of the API consumer.
      • OAuth Provider: Use the dropdown to select Google, Salesforce, or Okta as the identity provider. Additional required fields will display:

      • Google: Google requires a Client ID and a Client Secret to be entered into the security profile. The redirect URLs configured in the profile must also be copied into Google. See Configuring OAuth 2.0 with Google for detailed instructions.
      • Salesforce: Salesforce requires a Consumer Key and a Consumer Secret to be entered into the security profile. The redirect URLs configured in the profile must also be copied into the Connected App within Salesforce. See Configuring OAuth 2.0 with Salesforce for detailed instructions.
      • Okta: Okta requires a Client ID and a Client Secret to be entered into the security profile. The redirect URLs configured in the profile must also be copied into the Web Application within Okta. See Configuring OAuth 2.0 with Okta for detailed instructions.
      • Authorized Domains: Enter one or more domain names, separated by commas, to restrict access to only those domains.

        NOTE: Multiple security profiles can be assigned to an API, but restrictions apply based on authentication types. Refer to Harmony API Security for additional information.

  • Logging: For every hit on the API, the security profile used to access the API is identified in the log in the User set to field. You can select the Custom Request Header to override the default. The logs are available to view on the API Logs page.

    • The default value in the User set to field in the log is determined by the authentication type selected in the security profile. The default value displays directly to the right of Logging on the View/Edit Security Profile page and is automatically selected.
      • Anonymous: If Anonymous authentication is selected, the User set to value in the log is Anonymous.
      • Username: If Basic authentication is selected, the User set to value in the log is the Username required to access the API. If the user failed to provide the proper credentials, but Anonymous access was enabled, then the User set to value in the log will be Anonymous.
      • OAuth2.0: If OAuth 2.0 authentication is selected, the User set to value in the log is OAuth2.0.
    • Custom Request Header: Select this option to override the User set to field with the value carried in the specified custom field of the request header (for example, when a single application key is used by all callers and you want the log to record which application sent each request). You are required to enter the name of the field in the Custom Request Header Field.
  • Trusted IP Ranges: Select No Restriction or Trust requests only from the following IP ranges.
    • No Restriction: By default, an API and any profile assigned to an API allow access from any IP address.
    • Trust requests only from the following IP ranges: Select this option to limit access to one IP address, a specific range of IP addresses, or multiple ranges of IP addresses. Selecting this option displays the range fields:

      • Enter an IP address in the Start of Range and in the End of Range fields to define the range.
      • Click the + Add another IP range link to insert a new blank row in the table, then fill out the fields. Continue until all desired IP ranges have been set up. See Harmony API Security for additional information.
      • To delete a range, hover over the row and select the delete icon.
      • To disable the IP restrictions, select No Restriction. The ranges will no longer display on the page, but API Manager remembers the previously restricted ranges.
      • To enable previous IP restrictions again later, select Trust requests only from the following IP ranges. The previously restricted ranges are remembered and display automatically when restrictions are enabled again.
  • Rate Limits: Click the Rate Limits checkbox. A warning message displays advising you of the consequences if rate limits are applied to this profile. You will be required to click Continue in the message and enter the number of hits in the Hits Per Minute field to complete setting up rate limits. Click Continue in the warning message to clear the checkbox. Rate limiting enforces a maximum number of hits this profile can make against all assigned APIs during a period of one minute. See Harmony API Security for additional information.

  • Save: Click this button to save the profile.
  • Cancel: Click the Cancel link to close the View/Edit Security Profile page without saving the information.
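The checks described above (authentication type, the User set to log value with its custom-header override, inclusive Start of Range/End of Range IP ranges, and a per-profile Hits Per Minute limit counted across all assigned APIs) can be modelled in a few lines. The following is an added illustration written for this page, not Jitterbit's implementation: the `SecurityProfile` class, its method names, the request dictionary shape, and the sample values are all assumptions.

```python
import ipaddress
from collections import deque


class SecurityProfile:
    """Hypothetical model of the checks a security profile applies to one API hit.

    Added illustration only; it is not API Manager's code.
    """

    def __init__(self, name, auth_type, username=None, password=None,
                 ip_ranges=None, hits_per_minute=None, custom_header=None):
        self.name = name
        self.auth_type = auth_type              # "Anonymous", "Basic" or "OAuth 2.0"
        self.username = username
        self.password = password
        # Trusted IP Ranges as (Start of Range, End of Range); empty = No Restriction
        self.ip_ranges = [(ipaddress.ip_address(start), ipaddress.ip_address(end))
                          for start, end in (ip_ranges or [])]
        self.hits_per_minute = hits_per_minute  # None = rate limits not enabled
        self.custom_header = custom_header      # Custom Request Header Field name
        self._hits = deque()                    # timestamps of accepted hits, all APIs

    def ip_trusted(self, client_ip):
        """No Restriction when no ranges are set; otherwise inclusive start..end."""
        if not self.ip_ranges:
            return True
        ip = ipaddress.ip_address(client_ip)
        return any(start <= ip <= end for start, end in self.ip_ranges)

    def credentials_ok(self, request):
        """Basic credentials are compared case-sensitively, as the page states."""
        if self.auth_type == "Anonymous":
            return True
        if self.auth_type == "Basic":
            return (request.get("username") == self.username
                    and request.get("password") == self.password)
        if self.auth_type == "OAuth 2.0":
            # Token validation belongs to the identity provider; modelled as a flag.
            return bool(request.get("oauth_token_valid"))
        return False

    def user_set_to(self, request):
        """Value written to the log's User set to field; the custom header wins."""
        headers = request.get("headers", {})
        if self.custom_header and self.custom_header in headers:
            return headers[self.custom_header]
        return {"Anonymous": "Anonymous",
                "Basic": self.username,
                "OAuth 2.0": "OAuth2.0"}[self.auth_type]

    def within_rate_limit(self, now):
        """Sliding one-minute window shared by every API the profile is assigned to."""
        if self.hits_per_minute is None:
            return True
        while self._hits and now - self._hits[0] >= 60:
            self._hits.popleft()
        if len(self._hits) >= self.hits_per_minute:
            return False
        self._hits.append(now)
        return True

    def evaluate(self, request, now):
        """Return (allowed, reason, user_set_to) for one hit at time `now` (seconds)."""
        if not self.ip_trusted(request["ip"]):
            return (False, "ip not in trusted ranges", None)
        if not self.credentials_ok(request):
            return (False, "authentication failed", None)
        if not self.within_rate_limit(now):
            return (False, "rate limit exceeded", self.user_set_to(request))
        return (True, "ok", self.user_set_to(request))


if __name__ == "__main__":
    # Constructed sample profile and requests (not real credentials or addresses).
    profile = SecurityProfile("partner-basic", "Basic", username="svc_user",
                              password="S3cret", ip_ranges=[("10.0.0.1", "10.0.0.50")],
                              hits_per_minute=2, custom_header="X-App-Key")
    request = {"ip": "10.0.0.7", "username": "svc_user", "password": "S3cret",
               "headers": {"X-App-Key": "mobile-app"}}
    for t in (0.0, 1.0, 2.0, 61.0):
        print(t, profile.evaluate(request, t))
    print(profile.evaluate(dict(request, ip="192.168.1.1"), 0.0))
```

Running the script shows the third hit within the same minute rejected with "rate limit exceeded" while the hit at 61 seconds is accepted again, and a request from outside the configured range rejected before credentials are even examined. Because the hit counter lives on the profile rather than on an API, it reproduces the page's statement that the limit covers all APIs the profile is assigned to.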

Edit an Existing Security Profile

  • Existing security profiles are displayed in the Security Profiles index table.
  • Click the edit icon on the appropriate row in the index table.
  • The profile creation page displays the existing assigned settings and options to make any changes. See Security Profile Creation and Configuration for additional information regarding all settings and options.
  • These options are available at the bottom of the page while editing:

    • Select Save to save the changes you made.
    • Select Cancel to close the profile without saving any changes.
    • Click Delete Profile to delete the profile and remove it from the index.
      • A popup message displays requiring you to click Continue to confirm and complete the deletion. 
      • If the profile is assigned to one or more APIs, a popup message displays indicating you must first assign a different profile to the APIs before deleting it. Click Dismiss to close the popup.

Delete an Existing Security Profile

  • Existing security profiles are displayed in the Security Profiles index table.
  • Click the delete icon on the appropriate row in the index table.
  • A popup message displays requiring you to click Continue to confirm and complete the deletion.
  • If the profile is assigned to one or more APIs, a popup message displays indicating you must first assign a different profile to the APIs before deleting it. Click Dismiss to close the popup.

Next Steps

After you save a security profile, you can assign it to one or more APIs that are published in the environment the profile is assigned to. Learn more in API Creation and Configuration.

Last updated:  Nov 25, 2019