REST gateway: Security configuration

To access a data grid through the REST gateway, the user must be authenticated to the WebSphere® DataPower® XC10 Appliance, regardless of whether the data grid has security enabled. The application client must always provide a basic authorization header with the authorized user ID and password in the HTTP headers of the HTTP request.

Authentication and authorization

To access a data grid map through the REST gateway, the user or user group must be authenticated and authorized to access the data grid that is specified in the URI. Even if you do not have security configured on the data grid, you must configure the user group that you are using to communicate through the REST gateway to have all access to the data grid. For more information about configuring access to the data grid, see Enabling security for data grids. The application client must provide a basic authorization header with the authorized user ID and password in the HTTP headers of the HTTP request:
Authorization: Basic <base64 encoded string of “userid:password”>
For more information about the basic authorization header format, see Wikipedia: Basic access authentication.

Secured data grids

You can use the REST gateway in a secured data grid configuration. To access the secured data grids, provide the user ID and password in an authorization header. The user must be authenticated and authorized to access the specified data grid in the URI. You can assign the following access to users or user groups by clicking the name of the default access type that is displayed in the user interface:
Table 1. Access permission list and descriptions

Access permission | Description
----------------- | -----------
all    | Read, query, update, insert, remove and invalidate data in the data grid, and create dynamic maps. Appliance administrators have all permission by default.
create | Read, query, update, or insert data in the data grid, and create dynamic maps in the data grid.
write  | Read or query data from the data grid. When using the REST interface, the write permission offers no additional permissions over the read permission.
read   | Read or query data from the data grid.

Transport security

Clients that are using the REST Gateway can use the HTTPS protocol if transport security is required.
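
The following is an added example, not code from the appliance documentation. It builds the basic authorization header described under "Authentication and authorization" and shows why the HTTPS option matters: the header is only base64-encoded, so the client helper refuses to attach it to a plain HTTP URL. The host name, URL path and credentials are constructed placeholders.

```python
import base64
import urllib.request
from urllib.parse import urlsplit


def basic_auth_value(user_id, password):
    """Return the Authorization header value for HTTP Basic (RFC 7617)."""
    if ":" in user_id:
        # The first colon separates user ID from password, so the ID cannot hold one.
        raise ValueError("user ID must not contain ':'")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in user_id + password):
        raise ValueError("control characters are not allowed in credentials")
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_auth(value):
    """Reverse basic_auth_value(): base64 is an encoding, not encryption."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization value")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user_id, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user_id, password


def build_gateway_request(url, user_id, password):
    """Build (but do not send) a GET request; refuse plain HTTP so the
    reversible header is never put on the wire unencrypted."""
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        raise ValueError(f"refusing to send Basic credentials over {scheme!r}")
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", basic_auth_value(user_id, password))
    return req


if __name__ == "__main__":
    # Constructed host, path and credentials; substitute your appliance's values.
    url = "https://xc10.example.com/placeholder/grid/map/key"
    req = build_gateway_request(url, "griduser", "s3cret:pw")
    print(req.get_header("Authorization"))
    # urllib.request.urlopen(req) would send it; urllib verifies the server
    # certificate by default, which should stay enabled.
```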

Audited REST gateway operations

Audit activity is captured by the appliance. User activity for a set of auditable objects is preserved to ensure that adequate audit coverage is available. For more information about downloading audit information for the data grid, see Downloading auditing data. When you access the data grid with any of the following REST operations, you can download audit information such as when the operation was run, who ran the operation, or what IP address was used to make the REST request:
collectives
catalogs
apps
applianceZones
xsservers
xscontainers
zonemappings
importexport
configfileupload
scheduledexport
catalogserverproperties
ldap
trace.zip
traceSpec
traceSpecDataCache
aggregateInterfaces
audit.csv
audit.xls
audit.html
audit
ethernetInterfaces
groupsusers
iphosts
ips
snmp
testLDAPGroup
testLDAPUser
trapSubscribers
trapSubscriptions
usageReporting
audit.zip
ping
progress
config.zip
configfileupload
sslfileupload
ssltruststore
utilizationReporting
communities
                  
If you enable remote logging, audited REST gateway operations are sent to the remote syslog server. For more information about enabling remote logging, see Sending WebSphere DataPower XC10 Appliance log records to a remote UNIX system with syslog.