Understanding Services and Policies on the Gateway

At a high level, the basic unit of configuration in the Layer7 API Gateway is the Service. For the Gateway, a Service is a logical construct that represents the set of API calls a client can make to reach the back-end service that the Gateway is protecting.
Every service has a policy that implements an individual flow of data between the client and the back-end service. Policies may include other modular partial policies, known as encapsulated assertions. Typically, modular policies have specific roles in authentication and authorization, routing to back-end services, and orchestration of larger functions.
In the Policy Manager, a policy is built from assertions that determine the authentication method, identity credentials, transport, and routing for the web service or XML application. The types of assertions used, their order relative to one another, and how they are combined determine the behaviour and validity of a policy. During processing, the Gateway evaluates the assertions from top to bottom, assigning each a 'succeed' or 'fail' outcome; whether the request is allowed through to the back-end service follows from those individual outcomes.
The following is the message processing model for a typical policy:
  1. Service request arrives.
  2. Request runs through the WS-Security processor, which does the following:
    • Decrypts encrypted sections and verifies WS-Security Signatures. The sign and/or encrypt order is chosen by the sender.
    • Optionally removes the default security header before routing.
  3. Request runs through the policy assertions:
    • Assertions placed before the routing assertion are applied to the request.
    • The routing assertion sends the request to the back-end service.
    • The remaining assertions, placed after the routing assertion, are applied to the service response.
  4. Response runs through the WS-Security decorator, which does the following:
    • Creates the default security header.
    • Applies the signatures specified by the policy.
    • Performs any encryption specified by the policy.
  5. Response is returned to the client.
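The two passages above (the paragraph on assertions being scanned top to bottom with a 'succeed' or 'fail' outcome, and the numbered message-processing model) describe the same evaluation rule. The following Python is an added illustration of that rule, not Layer7 code: the assertion names, the Context fields, the stub back-end and the sample policy are all assumptions made for this example, and the WS-Security processor and decorator steps are not modelled. It shows that a failure before the routing assertion means the back-end is never contacted, while a failure after it (a response check) still ends processing even though the back-end has already answered.

```python
"""Toy model of top-to-bottom policy evaluation on the Gateway.

Added illustration, not Layer7 code: the assertion names, the Context
fields, the stub back-end and the sample policy are all assumptions.
"""
import base64
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass
class Context:
    """Per-message state that assertions read and write (constructed)."""
    source_ip: str
    headers: dict
    client_cert_subject: Optional[str] = None  # present only after mutual SSL
    body: str = ""
    response: Optional[str] = None             # set by the routing assertion
    trace: list = field(default_factory=list)  # (assertion name, outcome)


# An assertion inspects the context and reports 'succeed' (True) or 'fail'.
Assertion = tuple[str, Callable[[Context], bool]]


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def require_http_basic(users: dict) -> Assertion:
    """Credential assertion: HTTP Basic (only meaningful over SSL)."""
    def check(ctx: Context) -> bool:
        auth = ctx.headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return False
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        return users.get(user) == pw
    return ("HTTP Basic credentials", check)


def require_client_cert(allowed_subjects: set) -> Assertion:
    """Credential assertion for mutually authenticated SSL."""
    return ("Mutually authenticated SSL",
            lambda ctx: ctx.client_cert_subject in allowed_subjects)


def restrict_source_ip(cidrs: list) -> Assertion:
    nets = [ip_network(c) for c in cidrs]
    return ("Restrict IP range",
            lambda ctx: any(ip_address(ctx.source_ip) in n for n in nets))


def strip_security_header() -> Assertion:
    """Model of 'remove the default security header before routing'."""
    def check(ctx: Context) -> bool:
        ctx.headers.pop("Security", None)
        return True
    return ("Remove security header", check)


def route_to(backend: Callable[[str], str]) -> Assertion:
    """Routing assertion: assertions above it see the request,
    assertions below it see the response."""
    def check(ctx: Context) -> bool:
        ctx.response = backend(ctx.body)
        return True
    return ("Route to back-end", check)


def response_must_not_contain(token: str) -> Assertion:
    return (f"Response must not contain {token!r}",
            lambda ctx: ctx.response is not None and token not in ctx.response)


def evaluate(policy: list, ctx: Context) -> bool:
    """Walk the policy top to bottom, recording each outcome; the first
    failure ends processing so nothing below it (including routing) runs."""
    for name, check in policy:
        ok = check(ctx)
        ctx.trace.append((name, "succeed" if ok else "fail"))
        if not ok:
            return False
    return True


def stub_backend(body: str) -> str:
    """Constructed stand-in for the protected service."""
    if "debug" in body:
        return "<result>ok</result><debug>stack trace</debug>"
    return "<result>ok</result>"


# Sample policy (constructed): request-side checks, routing, response check.
POLICY = [
    restrict_source_ip(["10.0.0.0/8"]),
    require_http_basic({"alice": "s3cret"}),
    strip_security_header(),
    route_to(stub_backend),
    response_must_not_contain("<debug>"),
]


if __name__ == "__main__":
    ctx = Context(source_ip="10.1.2.3",
                  headers={"Authorization": basic_header("alice", "s3cret")},
                  body="<q/>")
    print(evaluate(POLICY, ctx), ctx.trace)
```

The trace recorded in `ctx.trace` is the part worth keeping in mind when reading a real policy: it shows exactly which assertion produced the first 'fail', and therefore whether the back-end ever saw the request.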
A Gateway policy can include configuration items derived from data often held in disparate groups within an enterprise. The security architects, the authorization and authentication group, the network infrastructure team, the application developers, and the service architects all serve roles in defining the details necessary for a policy. For example: 
  • The authorization and authentication team maintains the group membership strategy for the LDAP server. 
  • The network infrastructure team maintains the IP addresses of routers and load balancers. 
  • The service architects have access to the service URLs of back-end services, XML Schema documents, WADL & WSDL documents, etc. 
  • The security architects decide whether HTTP Basic credentials over SSL in which only the server is authenticated are sufficient, or whether mutually authenticated SSL (client certificates) is necessary.