Configuring Signature Verification for Backend Services

Usage Guidelines

• An API can only be bound with one signature key in a given environment, but each signature key can be bound to multiple APIs.
• An API can be bound with only one policy of the same type.
• Policies are independent of APIs. A policy takes effect for an API only after they are bound to each other. When binding a policy to an API, you must specify an environment where the API has been published. The policy takes effect for the API only in the specified environment.
• After you bind a policy to an API, unbind the policy from the API, or update the policy, you do not need to publish the API again.
• Taking an API offline does not affect the policies bound to it. The policies are still bound to the API if the API is published again.
• Policies that have been bound to APIs cannot be deleted.

Procedure

Figure 1 Signature key process flow

1. Create a signature key on the APIG console.
2. Bind the signature key to an API.
3. APIG sends signed requests containing a signature in the Authorization header to the backend service. The backend service can use different programming languages (Java, Go, Python, JavaScript, C#, PHP, C++, and C) to sign each request, and check whether the two signatures are consistent.

Creating a Signature Key Policy

1. Go to the APIG console.
2. Select a dedicated gateway at the top of the navigation pane.

3. In the navigation pane, choose API Management > API Policies.
4. On the Policies tab, click Create Policy.
5. On the Select Policy Type page, select Signature Key in the Traditional Policy area.
6. Set the policy information.

   Table 1 Signature key parameters

   Parameter	Description
   Name	Signature key name.
   Type	Authentication type. Options: HMAC, Basic auth, AES, and Public key. Public key is available only if public_key_enable has been turned on on the Parameters page of the gateway.
   Signature Algorithm	Select an AES signature algorithm. Options: aes-128-cfb aes-256-cfb
   Key	Set the key based on the signature key type you have selected. If Type is HMAC, enter the key of the key pair used for app authentication. If Type is Basic auth, enter the username used for basic authentication. If Type is set to AES, enter the key used for AES authentication. If Type is Public key, enter the public key used for authentication.
   Secret	Enter the secret information based on the key type you have selected. If Type is HMAC, enter the secret of the key pair used for app authentication. If Type is Basic auth, enter the password used for basic authentication. If Type is set to AES, enter the vector used for AES authentication. If Type is Public key, enter the private key used for authentication.
   Confirm Secret	Enter the secret again.

7. Click OK.

   After the policy is created, perform the operations described in Binding the Policy to APIs for the policy to take effect for the API.

Binding the Policy to APIs

1. Click a policy name to go to the policy details page.
2. Select an environment and click Select APIs.
3. Select the API group, environment, and required APIs.

   APIs can be filtered by API name or tag. The tag is defined during API creation.

4. Click OK.
   • If an API no longer needs this policy, click Unbind in the row that contains the API.
   • If there are multiple APIs that no longer need this policy, select these APIs, and click Unbind above the API list. You can unbind a policy from a maximum of 1000 APIs at a time.

Verifying the Signing Result

Sign each backend request by following the instructions in Signature Algorithm, and check whether the backend signature is consistent with the signature in the Authorization header of the API request.