User Management Console

User Roles and Groups in API Portal

API Portal provides predefined roles that you can assign to users and groups defined in an organization. You can also create custom roles as needed. Users or groups who have roles receive all permissions associated with the roles.

The following is a list of the roles and function privileges in API Portal that apply to API users and administration. For complete information about the predefined roles and creating custom roles in API Portal, see the API Portal User Management help, available from http://API_Portal_host:port/umc/help/en/handling/index.htm.

API Portal User Roles and Groups

API Administrator: Users with this role can start and stop API Portal, manage API Portal users, customize the API Portal user interface to reflect the organization's own branding and look and feel, and switch configuration sets to customize views in API Portal. API Administrators can create and remove private communities and can also manage all communities. API Administrators can add and remove users from a community and define community administrators or revoke the community administrator role from a user.

API Provider: An API provider is allowed to publish APIs to API Portal. These users are registered in CentraSite or API Gateway, and APIs are published from there to API Portal.

API Consumer: An API consumer is allowed to browse the portal, request API access tokens, and test (evaluate) available APIs.

API User Registration Approvers: This is a group of users who are notified when there is a registration request for a new user. This group is assigned permissions to approve or reject any user registration request.

API Consumption Approvers: This is a group of users who are notified when there is a request for API consumption. This group is assigned permissions to approve any API consumption request.

Public Community: This is the group that an on-boarded user is added to by default.

In addition to these roles, technical users exist to facilitate communication between systems and applications to ensure that credentials stay the same. A technical user is not associated with a specific user. Rather, a technical user represents a set of credentials and authorizations that is authenticated against an internal list of users, and not with an external set of authentications (for example, Active Directory or LDAP). API Portal administrators create technical users in API Portal, and CentraSite administrators specify the technical user credentials when they register an API Portal instance in CentraSite. Guest users are anonymous users who can browse and test the APIs available in API Portal. When a guest user decides to use an API, the user must register and request an access token.

Note: As a best practice, Software AG recommends using a technical user to publish APIs to API Portal.

Importing LDAP Users and User Groups into User Management Console

You can import users and user groups from the LDAP system.

To import LDAP users and user groups from the LDAP system

  1. Log on to UMC as an API Portal Administrator.

  2. Click User management.
    The list of users is displayed.

  3. Click Additional functions.

  4. Click Start LDAP import.
    The button is active only if an LDAP system is configured on the server.

  5. Select whether you want to import only users or user groups and associated users.

  6. Select if you want to use the default filter or create a custom one.

  7. Click Preview to check how many users or user groups are imported.
    The number is displayed, as well as up to 100 elements to be imported in alphabetical order.

  8. Click Start import.
    The users are transferred from the LDAP system according to the selected options. The imported users can now log on to API Portal.

Synchronizing LDAP Users or User Groups with User Management Console

You can synchronize LDAP users and user groups with UMC.

To synchronize LDAP users or user groups with UMC

  1. Log on to UMC as an API Portal Administrator.

  2. Click Configuration.

  3. Click the arrow next to LDAP.
    This lists various configuration options available.

  4. Click General settings > Advanced settings.

  5. Click Edit.

  6. Select Import user at login and Import user groups when synchronizing.

  7. Click Save.
    The user synchronizes to UMC on the user’s first login to API Portal.

Password Policy for API Portal Users

A password policy is a set of rules designed to enhance security by encouraging users to employ strong passwords and use them properly. This is configured through the User Management Console (UMC). The password policy compliance is checked in the following scenarios:

The following parameters can be configured in the Configuration > Password policy section, under the categories named below, in UMC. Alternatively, you can configure them in the Configuration > All section by setting the listed properties. For each parameter, its description, valid input and corresponding property are given:

Parameter: Minimum length (Password policy > General)
Description: Specifies the minimum length of a password.
Valid input: Integer > 0
Property: com.aris.umc.password.length.min

Parameter: Maximum length (Password policy > General)
Description: Specifies the maximum length of a password.
Valid input: Integer > 0
Property: com.aris.umc.password.length.max

Parameter: Minimum number of lowercase letters (Password policy > General)
Description: Specifies the minimum number of lowercase letters in a password.
Valid input: Integer > 0
Property: com.aris.umc.password.characters.lowercase.min

Parameter: Allow uppercase letters (Password policy > General)
Description: Specifies whether uppercase letters are allowed in a password.
Valid input: true, false
Property: com.aris.umc.password.characters.uppercase.allowed

Parameter: Minimum number of uppercase letters (Password policy > General)
Description: Specifies the minimum number of uppercase letters in a password.
Valid input: Integer > 0
Property: com.aris.umc.password.characters.uppercase.min

Parameter: Allow numbers (Password policy > General)
Description: Specifies whether numbers are allowed in a password.
Valid input: true, false
Property: com.aris.umc.password.characters.numeric.allowed

Parameter: Minimum number of numbers (Password policy > General)
Description: Specifies the minimum number of numerals that a password must contain.
Valid input: Integer > 0
Property: com.aris.umc.password.characters.numeric.min

Parameter: Allow special characters (Password policy > General)
Description: Specifies whether special characters are allowed in a password.
Valid input: true, false
Property: com.aris.umc.password.characters.special.allowed

Parameter: Minimum number of special characters (Password policy > General)
Description: Specifies the minimum number of special characters in a password.
Valid input: Integer > 0
Property: com.aris.umc.password.characters.special.min

Parameter: Special characters (Password policy > General)
Description: Specifies which characters count as special characters.
Valid input: String
Property: com.aris.umc.password.characters.special.set

Parameter: Activate expiring passwords (Password policy > Expiring passwords)
Description: Specifies whether passwords are valid only for a specific amount of time. This is defined for a single tenant. Once the password has expired, the user is directed to a page where the password can be changed, and is then redirected to the application.
Valid input: true, false
Property: com.aris.umc.password.expiry.active

Parameter: Password lifetime (Password policy > Expiring passwords)
Description: Specifies the period of time after which a password expires.
Valid input: Integer > 0
Property: com.aris.umc.password.expiry.days

Parameter: Force change after reset (Password policy > Advanced settings)
Description: Specifies whether a user must change the password if it was reset (and sent by e-mail).
Valid input: true, false
Property: com.aris.umc.password.change.forceAfterReset

Parameter: Force different password (Password policy > Advanced settings)
Description: Specifies whether the new password must differ from the old one.
Valid input: true, false
Property: com.aris.umc.password.change.forceDifference

Parameter: Force change before first login (Password policy > Advanced settings)
Description: Specifies whether a user must change the password upon first login.
Valid input: true, false
Property: com.aris.umc.password.change.forceOnFirstLogin

Parameter: Activate reset confirmation (Password policy > Advanced settings)
Description: Specifies whether a user must confirm a password reset.
Valid input: true, false
Property: com.aris.umc.password.reset.confirmation.active

Parameter: Link lifetime (Password policy > Advanced settings)
Description: Specifies the time in seconds during which a user can click the link sent by e-mail in order to confirm the password reset.
Valid input: Integer > 0
Property: com.aris.umc.password.reset.confirmation.ttl
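As an added illustration (not code from API Portal or UMC), the following checks a candidate password against a policy expressed with the com.aris.umc.password.* properties listed above. The policy values are constructed samples, not product defaults; the treatment of a minimum for a class that is not allowed, and the rejection of characters outside all four classes, are assumptions the page does not state.

```python
# Constructed sample policy keyed by the com.aris.umc.password.* properties
# from the table above; the values are illustrative, not API Portal defaults.
POLICY = {
    "com.aris.umc.password.length.min": 12,
    "com.aris.umc.password.length.max": 64,
    "com.aris.umc.password.characters.lowercase.min": 1,
    "com.aris.umc.password.characters.uppercase.allowed": True,
    "com.aris.umc.password.characters.uppercase.min": 1,
    "com.aris.umc.password.characters.numeric.allowed": True,
    "com.aris.umc.password.characters.numeric.min": 1,
    "com.aris.umc.password.characters.special.allowed": True,
    "com.aris.umc.password.characters.special.min": 1,
    "com.aris.umc.password.characters.special.set": "!@#$%^&*()-_=+",
}

_P = "com.aris.umc.password."


def _class_check(count, allowed, minimum, name, violations):
    """Apply one 'allowed' / 'min' property pair to a character-class count.
    Assumption: when the class is not allowed, its minimum is ignored."""
    if not allowed:
        if count > 0:
            violations.append(name + "_forbidden")
    elif count < minimum:
        violations.append(name + "_min")


def check_password(password, policy=POLICY):
    """Return the list of violated rules; an empty list means compliant.
    Assumption: ASCII letters and digits define the lowercase, uppercase and
    numeric classes, and any other character outside the special set is rejected."""
    special = set(policy[_P + "characters.special.set"])
    lower = sum(1 for c in password if "a" <= c <= "z")
    upper = sum(1 for c in password if "A" <= c <= "Z")
    digits = sum(1 for c in password if "0" <= c <= "9")
    specials = sum(1 for c in password if c in special)
    violations = []
    if len(password) < policy[_P + "length.min"]:
        violations.append("too_short")
    if len(password) > policy[_P + "length.max"]:
        violations.append("too_long")
    if lower < policy[_P + "characters.lowercase.min"]:
        violations.append("lowercase_min")
    for cls, count in (("uppercase", upper), ("numeric", digits), ("special", specials)):
        _class_check(count, policy[_P + "characters.%s.allowed" % cls],
                     policy[_P + "characters.%s.min" % cls], cls, violations)
    if any(not ("a" <= c <= "z" or "A" <= c <= "Z" or "0" <= c <= "9" or c in special)
           for c in password):
        violations.append("unknown_character")
    return violations


if __name__ == "__main__":
    for candidate in ("Str0ng-Passw0rd!", "short1A!", "alllowercase1!"):
        print(candidate, "->", check_password(candidate) or "compliant")
```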

Configuring Password Policy for Users

You can configure the password policy to enhance security by encouraging users to employ strong passwords. You should have API Portal Administrator privileges to configure the password policy.

  1. Log on to UMC as an administrator.

  2. Click Configuration.

  3. Click Password policy.

  4. Click the required category.
    Available categories are General, Expiring passwords, and Advanced settings.

  5. Click the edit icon to edit the parameters.

  6. Provide values for various parameters as required.

  7. Click Save.
    This saves the configuration applied for the password policy.

Configuring LDAP Servers

LDAP enables information in a distributed, location-independent and hierarchical directory database on a network to be queried and modified. You can configure a single LDAP server or multiple LDAP servers for API Portal. Existing LDAP data that you no longer want must be deleted manually.

To configure LDAP servers

  1. Log on to UMC as an administrator.

  2. Click Configuration.

  3. Click the arrow next to LDAP.
    This lists various configuration options available.

  4. Click General settings.

  5. Click Edit.

  6. Select Activate LDAP.
    Select this option if you want to configure just one LDAP server.

  7. Select Activate multiple LDAP integration.
    Select this option if you want to configure multiple LDAP servers.

  8. Click Save.

  9. You can add LDAP servers in one of the following ways:

    • You can add an individual LDAP server, and repeat the following steps to add further LDAP servers.

      a. Click Add.
      The Add LDAP server dialog opens.

      b. Provide the required information:
      - ID of LDAP server.
      - Display name of the LDAP server.
      - LDAP server URL.
      - LDAP server fallback URL.
      - User name of the user who has access to the LDAP content.
      - Password of this user.
      - Specify whether or not SSL should be used and in which mode.
      - Specify whether the host names and certificates should be verified.
      - Specify the connection timeout.
      - Specify the read timeout.
      - Click Save.

    • You can configure LDAP servers by importing a configuration file. The configuration file can have configuration details for one or more LDAP servers.

      a. Click the import icon to import a configuration file.

      b. Click Select file.

      c. Select the required file.

      d. Click Open.

      e. Click Upload.
      The configuration file is uploaded and the configuration applied.

      Note: The uploaded configuration file overwrites the existing LDAP configuration.

  10. Click the arrow next to LDAP.
    The LDAP servers you added are listed below the General settings option. Click an individual LDAP server to view its details, and test the connection by clicking the test connection icon.
    You can download the configured LDAP server information as a configuration file by clicking the export icon.

When multiple LDAP servers are configured, a user has to log in as ldap_id\user_id.

Enabling Multi-factor Authentication

API Portal provides multi-factor authentication (MFA) that requires the use of two or more authentication factors to verify a user’s identity for a login. Authentication factors can be classified into knowledge factors (what the user knows, for example, password), possession factors (what the user has, for example, security token) and inherence factors (what the user is, for example, biometric verification). The authentication mechanism validates each factor thus adding another layer of security during a user log on.

API Portal uses a combination of username, password, and a one-time password (OTP) as authentication factors to verify the user’s identity. The user receives the OTP in one of the following ways:

You can enable this feature in the API Portal user management console.

Any user when on-boarded onto API Portal receives a secret token through an email, when MFA is enabled. The user can use this secret token to generate an OTP, using an external client like Google Authenticator, which in turn is used to log onto API Portal.

To enable multi-factor authentication

  1. Log on to UMC as an administrator.

  2. Click Configuration.

  3. Click Security > Multi-factor authentication in the left navigation pane.

  4. Click the edit icon.

  5. Select Use multi-factor authentication to enable it.
    Alternatively, you can set the configuration property com.aris.umc.authentication.multiFactor.active to true in the Configuration > All section. You can provide a value for Clock skew intervals, or use the configuration property com.aris.umc.authentication.multiFactor.clockSkew, to set the clock-skew window for which a generated OTP is accepted. Each interval is 30 s.

    Note: When you enable MFA and want to exclude some users from MFA, add those users, separated by commas, under Excluded users. By default, all the system users are included in this list.

  6. To generate and send a secret token to users who were onboarded before multi-factor authentication was enabled, do the following:

    a. Click Configuration.

    b. Click All in the left navigation pane.

    c. Ensure that the property com.aris.umc.notification.otpSecretChanged.enabled is set to true.

    d. Click User management in the title navigation bar.

    e. Click the required user.

    f. Click Generate token secret.
    A new token is generated and sent to the respective user.

    Note: The user receives a mail with the token secret which can be used to generate an OTP to log on to API Portal.

These steps must be performed for every user who was onboarded before MFA was enabled.
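As an added example (not UMC or API Portal code), the following shows how an authenticator app derives the OTP from the secret token (RFC 6238 TOTP with 30 s steps, as Google Authenticator does) and how a server-side check that honours a clock-skew setting like com.aris.umc.authentication.multiFactor.clockSkew widens the accepted window by that many 30 s intervals. It assumes the secret is delivered Base32-encoded in the authenticator-app convention and that the skew is applied symmetrically; the page states neither.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # one clock-skew interval is 30 s (from the page)


def totp(secret_b32, counter, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for one 30 s time-step counter.
    secret_b32 is the Base32 secret as an authenticator app would store it."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_otp(secret_b32, otp, now_seconds, clock_skew=1):
    """Server-side check: accept the OTP if it matches the current 30 s step or
    any step within +/- clock_skew intervals (assumed symmetric window)."""
    counter = int(now_seconds // STEP_SECONDS)
    for delta in range(-clock_skew, clock_skew + 1):
        # constant-time compare so timing does not leak how many digits matched
        if hmac.compare_digest(totp(secret_b32, counter + delta), otp):
            return True
    return False


# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in Base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    code = totp(DEMO_SECRET, 59 // STEP_SECONDS)
    print("OTP at t=59s:", code)
    for skew in (0, 1):
        print("accepted 30 s later with clockSkew=%d:" % skew,
              verify_otp(DEMO_SECRET, code, 89, clock_skew=skew))
```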

Configuring SAML 2.0 for a Consumer User

If an API Consumer needs to log in to API Portal with SAML authentication, the user must already have the API Consumer role before the first login. The API Consumer role can be assigned by an API Administrator using UMC.

To configure SAML for a consumer user

  1. Log on to UMC as an administrator.

  2. Click Configuration.

  3. Click SAML in the left navigation pane.

  4. In the General section provide the following information:

    a. Identity provider ID: The ID that was used while configuring Single sign-on.

    b. Service provider ID: The ID that was used while configuring Single sign-on.

    c. Single sign-on URL: The SingleSignOnService location POST URL from the SSO configuration. Alternatively, you can set the property key com.aris.umc.saml.identity.provider.sso.url in the Configuration section.

  5. Click Keystore.

  6. Provide the required information for Keystore value, Alias, Password, and Type.

  7. Click the upload icon to upload the keystore that was created while configuring Single Sign-on.

  8. Click Truststore.

  9. Provide the required information for Truststore value, Alias, Password, and Type.

  10. Click the upload icon to upload the truststore that was created while configuring Single Sign-on.

  11. Activate SAML by selecting Use SAML in the General section.
    Alternatively, you can change the property com.aris.umc.saml.active to value true to activate SAML.

Implementing Secure Password Policies

If the API Portal default password policy does not comply with your security requirements, you can change the password policy settings.

To change the password policies

  1. Start a web browser and go to the API Portal User Management Console (UMC) application at: http://host:port/umc.

  2. Click Configuration.

  3. Select Password policy > General in the left navigation pane.
    The current password policy settings are shown.

  4. Click the edit icon and modify the properties as needed.
    To see a description of each property, hover your cursor over the property name.

Sending Email Notifications

API Portal can send email messages to notify administrators and users about important events and to convey status information.

API Portal can send user management related email messages to notify users about:

API Portal can also reply to user requests for forgotten passwords.

To enable API Portal to send email notifications, you have to register your SMTP server and set the sender’s email address.

Configuring the SMTP Mail Server Connection for using the User Management Component

You can customize your system configuration to meet your requirements at runtime without having to restart the system. You carry out this part of the configuration in the User Management component. You must have the technical configuration function privilege.

To register the SMTP mail server and set the sender’s email address using the user management component

  1. Log on to the User Management Component.
    http://host:port/umc

  2. Click Configuration.

  3. Select SMTP > Connection in the left navigation pane.

  4. Type the SMTP mail server address, including the domain, or type the host name.
    For example: API_Portal@MyCompany.com

  5. Type the port number of the SMTP server. For example, 25.

  6. Define the sender's email address.

You have now configured the SMTP mail server connection using the User Management Component.