eSight 22.1.0 Self-service Integration Development Guide (Standard Edition) 02
Configuring API Management
Configuring Client Certificate Authentication for API Management (GUI Mode)
When a third-party system interconnects with eSight using the API gateway, the third-party system certificate is not verified by default. For higher security requirements, you can enable verification on the third-party system certificate and import the certificate to the certificate management services. You need to update the certificate before it expires.
Prerequisites
Run the following command to convert the certificate in .pfx format to the .cer format supported by APIGWService:
openssl pkcs12 -in *.pfx -out CA.cer -nokeys -cacerts
If the following information is displayed, enter the PFX certificate password:
Enter Import Password:
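The conversion above, wrapped in a pre-import check (an added example, not from the eSight guide): it builds a throwaway third-party PFX as constructed test material, converts it with the same openssl command, and then confirms that the extracted CA.cer really holds the CA certificate and is not close to the expiry date the guide warns about. It assumes the openssl CLI is installed; PFX_PASSWORD is an assumed sample value.

```shell
#!/bin/sh
# Added example, not from the eSight guide. Builds a throwaway third-party PFX
# (constructed test material), converts it as the Prerequisites step does, and
# checks the extracted CA.cer before it is imported into APIGWService.
# Assumes the openssl CLI is installed; PFX_PASSWORD is an assumed sample value.
PFX_PASSWORD=changeit
WORK=$(mktemp -d)

# Constructed stand-in for the third-party system's real certificate file:
# a self-signed CA plus a leaf certificate it signed, bundled into a PFX.
make_test_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Third-Party CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=thirdparty.example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/leaf.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/leaf.crt" -inkey "$WORK/leaf.key" \
    -certfile "$WORK/ca.crt" -passout "pass:$PFX_PASSWORD" -out "$WORK/thirdparty.pfx"
}

# The guide's conversion command, with the import password supplied
# non-interactively instead of at the "Enter Import Password:" prompt.
pfx_to_ca_cer() {
  openssl pkcs12 -in "$1" -out "$2" -nokeys -cacerts -passin "pass:$PFX_PASSWORD"
}

# Subject of the first certificate in the extracted file.
ca_cer_subject() {
  openssl x509 -in "$1" -noout -subject
}

# Succeeds only if the extracted CA certificate stays valid for at least $2 more
# seconds (-checkend), so an almost-expired certificate is caught before import.
ca_cer_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# End-to-end check: convert, confirm the file holds the CA (not the leaf), and
# confirm it will not expire within the next 30 days.
check_third_party_pfx() {
  pfx_to_ca_cer "$1" "$WORK/CA.cer" || return 1
  case "$(ca_cer_subject "$WORK/CA.cer")" in
    *"Example Third-Party CA"*) ;;
    *) echo "CA.cer does not contain the expected CA certificate" >&2; return 1 ;;
  esac
  ca_cer_valid_for "$WORK/CA.cer" $((30 * 24 * 3600))
}

make_test_pfx
check_third_party_pfx "$WORK/thirdparty.pfx" && echo "CA.cer is ready to import"
```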
Procedure
- On the eSight O&M plane, choose from the main menu.
- In the navigation pane, choose API Gateway > General Configuration.
- In the Secure Connection area, set Verify certificate to Yes.
  - To verify the common name (CN) or subject alternative name (SAN) in the certificate, you need to enable Verify CN/SAN.
    - If CN/SAN verification is enabled, eSight will verify the CN and SAN of the third-party system identity certificate. To improve communication security, you are advised to enable CN/SAN verification.
- Import the trust certificate of the third-party system to the trust certificates of APIGWService.
  - On the eSight O&M plane, choose from the main menu.
  - In the navigation pane, choose Service Certificate Management and click the APIGWService card.
  - On the APIGWService Certificates page, click the Trust Certificate tab and click Import.
  - On the Import Trust Certificate page, enter related information.
    - You are advised to set Certificate alias to a value different from existing certificate aliases in the trust certificate list.
    - If Certificate format is set to PKCS12 or JKS, enter the password for the certificate file in the Certificate password text box.
  - Click Submit.
  - In the High Risk dialog box, read the information carefully and confirm whether to import the certificate.
    - If yes, select I understand the risks and want to continue, click OK, and go to 4.g.
    - If no, click Cancel.
  - In the dialog box that is displayed, click OK.
Enabling or Disabling HTTP for Northbound API Management (GUI Mode)
In new installation scenarios, the northbound API gateway uses HTTPS to communicate with third-party systems by default. In upgrade scenarios, if HTTP is used in the earlier version, it will be inherited. HTTP may also be used in scenarios where third-party systems are interconnected. Therefore, eSight provides the function of enabling and disabling HTTP. HTTPS is recommended because it is more secure than HTTP.
After HTTP is enabled, client certificate authentication no longer takes effect.
Procedure
- On the eSight O&M plane, choose from the main menu.
- In the navigation pane, choose API Gateway > General Configuration.
- In the Secure Connection area, disable Enable HTTPS.
- In the Warning dialog box, read the information carefully and confirm whether to use HTTP. Click OK.
- Click Apply.
- In the High Risk dialog box, read the information carefully and determine whether to apply the configuration.
  - If yes, select I understand the risks and want to continue, click OK, and go to 7.
  - If no, click Cancel.
- In the dialog box that is displayed, click OK.
Configuring the Limit of Concurrent Connections and Connection Frequency for One IP Address (GUI Mode)
After the service is deployed, the concurrent connections and connection frequency for one IP address are not limited by default. You can configure the limit of concurrent connections and frequency of connections that one external IP address can establish with the server to prevent denial of service (DoS) and Challenge Collapsar (CC) attacks. You are advised to set the connection frequency to at least 20 times per second.
Procedure
- On the eSight O&M plane, choose from the main menu.
- In the navigation pane, choose API Gateway > Access Configuration.
- In the Global Traffic Control Policy area, set the maximum number of requests and connection frequency.
- Click Apply in the lower right corner.
- In the High Risk dialog box, read the information carefully and determine whether to apply the global traffic control policy.
  - If yes, select I understand the risks and want to continue, click OK, and go to 6.
  - If no, click Cancel.
- Click OK.