When an API call hits the API Gateway, the Gateway carries out security checks to verify that the token is valid. During these verifications, the API Gateway extracts the parameters passed to it, such as the access token, the API name and the API version. Since the entire load of API traffic goes through the API Gateway, this verification process needs to be fast and efficient to avoid adding overhead and delays. The API Manager uses caching for this purpose: the validation information is cached against the token, API name and version, and the cache is stored in either the API Gateway or the key manager server.
Caching at API Gateway
If caching is enabled on the API Gateway side, when a request hits the Gateway it first looks up the cache entry for the given token, and only if no entry exists in the cache does it call the key manager server. This call is made as a Web service call. Once the key manager server returns the validation information, it is stored in the Gateway cache. Since the API Gateway issues a Web service call to the key manager server only when it does not have a cache entry, this method reduces the number of Web service calls to the key manager server and is much faster than the alternative method.
Caching at Key Manager Server
In this method, the cache is maintained at the key manager server rather than at the API Gateway. As a result, for each and every API call that hits the API Gateway, the Gateway issues a Web service call to the key manager server. If the cache entry is available in the key manager server, it is returned to the Gateway. Otherwise, the database is checked for the validity of the token.
This method has lower performance than the earlier one, but its advantage over the other is that no security-related information has to be stored on the Gateway side.
By default, caching is enabled on the Gateway side, as it is the faster method. If you want to change this default configuration, enable caching on the key manager server side by following the instructions below.
- Disable caching at the API Gateway by adding the following entry to the APIGateway section of the <APIM_HOME>/repository/conf/api-manager.xml file.
- Enable key manager server-side caching by adding the following entry to the APIKeyManager section of the api-manager.xml file.
- The API Manager generates a JWT for each validation information object. Usually the JWT is cached together with the validation information object, but you might want to generate a JWT for each call. You can do this by enabling JWT caching at the key manager server. Add the following entry to the APIKeyManager section of the api-manager.xml file.
Also add the following entry at the root level of the api-manager.xml file.
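The following is an added example, not code or configuration from the API Manager itself, that models the two caching topologies described above (cache at the Gateway versus cache at the key manager server) together with the choice between caching the JWT with the validation information object and generating a JWT for each call. The class names, the token database, the 60-second cache lifetime (TTL) and the request traffic are constructed assumptions for this illustration. Counting the Web service calls, database lookups and JWT generations for the same traffic makes the performance trade-off concrete, and the TTL shows the defender's side of the same trade-off: a cached decision can outlive changes to the token for at most one cache lifetime, so a cache that lives on the Gateway both saves calls and holds security-relevant data there.

```python
"""Constructed model of where token-validation results are cached.

Added example for illustration; class names, TTL and sample data are
assumptions, not the API Manager's own code or configuration.
"""
from dataclasses import dataclass

# Constructed token database: token -> subscriber and the (API, version)
# pairs it is subscribed to. A real key manager reads this from its database.
TOKEN_DB = {
    "tok-alice-123": {
        "subscriber": "alice",
        "subscriptions": {("PizzaShack", "1.0.0")},
    },
}


@dataclass(frozen=True)
class ValidationInfo:
    """What the key manager returns for one (token, API, version) check."""
    valid: bool
    subscriber: str
    jwt: str          # JWT generated for this validation result ("" when invalid)
    cached_at: float  # time the result was produced; used for TTL expiry


class KeyManager:
    """Key manager server: owns the token DB and, optionally, a validation cache."""

    def __init__(self, token_db, cache_enabled=False, jwt_per_call=False, ttl=60.0):
        self.token_db = token_db
        self.cache_enabled = cache_enabled
        self.jwt_per_call = jwt_per_call   # mint a fresh JWT on every call
        self.ttl = ttl                     # assumed cache lifetime in seconds
        self.cache = {}
        self.web_service_calls = 0         # calls received from the gateway
        self.db_lookups = 0
        self.jwt_generations = 0

    def _generate_jwt(self, subscriber, api, version):
        # Placeholder for real JWT signing: a counter makes each JWT distinct.
        self.jwt_generations += 1
        return f"jwt-{self.jwt_generations}:{subscriber}:{api}:{version}"

    def _lookup_db(self, token, api, version, now):
        self.db_lookups += 1
        record = self.token_db.get(token)
        if record is None or (api, version) not in record["subscriptions"]:
            return ValidationInfo(False, "", "", now)
        jwt = self._generate_jwt(record["subscriber"], api, version)
        return ValidationInfo(True, record["subscriber"], jwt, now)

    def validate(self, token, api, version, now):
        """The Web service the gateway calls; 'now' is injected for testability."""
        self.web_service_calls += 1
        key = (token, api, version)
        if self.cache_enabled:
            entry = self.cache.get(key)
            if entry is not None and now - entry.cached_at < self.ttl:
                if entry.valid and self.jwt_per_call:
                    # Reuse the cached decision but mint a fresh JWT for this call.
                    jwt = self._generate_jwt(entry.subscriber, api, version)
                    return ValidationInfo(True, entry.subscriber, jwt, entry.cached_at)
                return entry
        info = self._lookup_db(token, api, version, now)
        if self.cache_enabled:
            self.cache[key] = info
        return info


class Gateway:
    """API Gateway: checks its own cache first, then calls the key manager."""

    def __init__(self, key_manager, cache_enabled=True, ttl=60.0):
        self.key_manager = key_manager
        self.cache_enabled = cache_enabled
        self.ttl = ttl
        self.cache = {}

    def handle(self, token, api, version, now):
        key = (token, api, version)
        if self.cache_enabled:
            entry = self.cache.get(key)
            if entry is not None and now - entry.cached_at < self.ttl:
                return entry               # cache hit: no Web service call
        info = self.key_manager.validate(token, api, version, now)
        if self.cache_enabled:
            self.cache[key] = info         # validation info now lives at the gateway
        return info


def run_scenario(gateway_cache, km_cache, jwt_per_call, requests, ttl=60.0):
    """Replay the requests through one topology and report what it cost."""
    km = KeyManager(TOKEN_DB, cache_enabled=km_cache, jwt_per_call=jwt_per_call, ttl=ttl)
    gw = Gateway(km, cache_enabled=gateway_cache, ttl=ttl)
    results = [gw.handle(tok, api, ver, now) for tok, api, ver, now in requests]
    return {
        "web_service_calls": km.web_service_calls,
        "db_lookups": km.db_lookups,
        "jwt_generations": km.jwt_generations,
        "valid": [r.valid for r in results],
        "jwts": [r.jwt for r in results],
    }


# Constructed traffic: five calls with a valid token inside one TTL window, one
# call after the window has expired, then one call with an unknown token.
REQUESTS = [("tok-alice-123", "PizzaShack", "1.0.0", t) for t in range(5)]
REQUESTS += [("tok-alice-123", "PizzaShack", "1.0.0", 100.0),
             ("tok-nobody", "PizzaShack", "1.0.0", 100.0)]

if __name__ == "__main__":
    for label, args in [("gateway cache", (True, False, False)),
                        ("key manager cache", (False, True, False)),
                        ("key manager cache, JWT per call", (False, True, True))]:
        r = run_scenario(*args, REQUESTS)
        print(f"{label}: {r['web_service_calls']} web service calls, "
              f"{r['db_lookups']} DB lookups, {r['jwt_generations']} JWTs generated")
```

With the Gateway cache on, the seven constructed requests produce three Web service calls (first call, the call after the TTL expired, and the unknown token); with the cache at the key manager server every request produces a Web service call, but the database is still consulted only three times. Turning on per-call JWT generation keeps the database load the same and only changes how many JWTs are minted.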