Securing a REST API by using HTTPS

Secure the communications between a REST API and an HTTP client by enabling HTTPS.

Before you begin

Create a REST API in the IBM® App Connect Enterprise Toolkit. Follow the instructions in Creating a REST API. This makes the REST API available to be configured for HTTPS.
Create the integration server to which you want to deploy the REST API. Follow the instructions in Creating an integration server.
Decide which HTTP Listener you want to use for HTTPS messages. For information about which listener to use for HTTPS messages, see HTTP listeners.
Set up a public key infrastructure (PKI) to configure the keystores, truststores, passwords, and certificates to enable SSL communication. Follow the instructions in Setting up a public key infrastructure. This results in the integration server or integration node being configured for the PKI.

About this task

Secure the communications between a REST API and an HTTP client by enabling HTTPS. You can enable HTTPS just for encryption, or you can also configure a REST API for client authentication (mutual authentication).

This task uses some of the same substeps as enabling a message flow with HTTPInput and HTTPReply nodes to use HTTPS, as described in Configuring HTTPInput and HTTPReply nodes to use SSL (HTTPS).

Procedure

To enable HTTPS for a REST API, complete the following steps:

Configure the integration server or integration node to use SSL.
Complete one of the following substeps, depending on which HTTP listener you have chosen to use for HTTPS messages:
- If you are using the integration node listener: Configure the integration node to use SSL
- If you are using the integration server listener: Configure the integration server to use SSL
In the Application Development view, which is under the REST API project, open the REST API Description for the REST API for which you want to enable HTTPS.
Under Security Options, select Enable HTTPS in the REST API Description.

Results

Your REST API is secured by using HTTPS.

What to do next

You can complete the following optional tasks:
- Secure your REST API by authenticating users with HTTP Basic Authentication, see Securing a REST API by using HTTP Basic Authentication.
- If your REST API is going to be used by client-side code that is running in a web browser, you might have to configure Cross-Origin Resource Sharing, see Permitting web browsers to access a REST API by using Cross-Origin Resource Sharing.
Package and deploy your REST API to an integration server, see Packaging and deploying a REST API.