+
+

Configuring Security in Anypoint DataGraph

You must set up authentication so Anypoint DataGraph can access the GET endpoints of the APIs that you add to the unified schema. Authentication allows DataGraph to make requests to those APIs when you run queries.

Optionally, you can also set up mutual authentication (mTLS) between your APIs and DataGraph.

Supported Authentication Methods

When adding a new API schema to the unified schema, or when promoting an API schema to another environment, you must configure one of the following authentication methods:

  • No Auth

    Use if your API is public.

  • Basic Auth

    Use if you authenticate to your API using the basic authentication header, or a username and password.

    For example:

    curl "http://localhost/myResource" -u myUser:myPassword

    or

    curl GET 'http://localhost/myResource' \
    --header 'Content-Type: application/json' \
    --data-raw '{
      "username": "myUser",
      "password": "myPassword"
    }'
  • Pass-through authentication

    Use if you authenticate to your API by passing authorization headers.

    You must supply:

    • A Query Header Name: The name of the HTTP header sent with the initial query to the unified schema.

    • An API Header Name: The header name passed through to the underlying API. This is useful if you want to rename the query header before passing it through to the underlying API.

  • Client ID enforcement via headers

    Use if you authenticate to your API by passing client_id and client_secret headers.

    For example:

    curl "http://localhost/myResource" -H "client_id:1234" -H "client_secret:abcd"
  • Client ID enforcement via query parameters

    Use if you authenticate to your API by passing client_id and client_secret query params.

    For example:

    curl "http://localhost/myResource?client_id=1234&client_secret=abcd"
  • OAuth 2.0 Client Credentials

    Use if you authenticate to your API by passing OAuth 2.0 client_id, client_secret, and authorization server values.

    For example:

    curl --request POST \
      --url 'https://YOUR_DOMAIN/oauth/token' \
      --header 'content-type: application/x-www-form-urlencoded' \
      --data 'grant_type=authorization_code&client_id=YOUR_CLIENT_ID&code_verifier=CODE_VERIFIER&code=AUTHORIZATION_CODE&redirect_uri=https://YOUR_APP/callback'
  • Custom

    Use if you authenticate to your API using custom header parameters and values.

Any other authentication methods to access your added API, such short-lived token methods, are not supported.

Configuring Mutual Authentication in DataGraph

Mutual authentication (mTLS) ensures that Datagraph and the underlying APIs in your unified schema can create secure, verified connections.

If an API requires mTLS, configure mTLS when adding the API to the unified schema or when promoting the API to another environment. To do so, provide the following:

  • A keystore that contains:

    • A public certificate signed by your organization’s root certificate authority (CA)

    • The private key used to generate the certificate signing request (CSR)

    • The password for the encrypted private key

Optionally, to allow your API to be reached by your unified schema, you can add a truststore and provide the certificate bundle that contains your root CA.

Anypoint Platform stores the keystore and the truststore in PEM files in the Secrets Manager.

If you enable mTLS for an API with a self-signed certificate, DataGraph won’t be able to establish a TLS connection with that API.

Configure mTLS for an API Added to the Unified Schema

If you need to configure mTLS for an API that you’ve added to the unified schema, you can do so on the API details page by adding a keystore.

You can also add a truststore to allow your API to be reached by your unified schema.

If the API already has a keystore or truststore, you can remove either and add new ones on the API details page. To do so, click Remove and add a new one.
  1. Click List of APIs added and select the API that has the URL you want to edit.

  2. Click API details.

  3. Select Configure Keystore and provide the following:

    • A public certificate signed by your organization’s β€œroot” certificate authority (CA)

    • The private key used to generate the certificate signing request (CSR)

    • The password for the encrypted private key

  4. Optionally, select Configure Truststore and provide a link to the certificate bundle that contains your root CA.

  5. Click Save.

Was this article helpful?

πŸ’™ Thanks for your feedback!

Edit on GitHub
Submit your feedback!
Share your thoughts to help us build the best documentation experience for you!
Take our latest survey!