This article is the first in a series from AVIO Consulting that will revolve around Oracle API Gateway.  As our customers move from APIs that are exposed and consumed entirely within their intranets to a technical landscape where they need to expose these services to partner companies, customers and the cloud, there is an ever increasing need for a first line of defense and governance for their APIs.  If you couple this with the explosion in the number of their own workers using mobile devices to connect to corporate IT resources, you can see how this would get any CIO’s attention.

In a 2012 Forrester survey of 70 senior-level decision makers at enterprises in the US, Canada, Germany and the UK between 100 and 1,499 employees,  they said that network security and customer data security topped their list of concerns. 

Oracle API Gateway is designed to address these concerns head on.  It’s a standards-based software security solution that is policy-driven and provides a first line of defense for SOA environments. 

It is a standalone software platform that does not run on WebLogic and should be deployed in your DMZ to guard against external threats such as Denial of Service (DOS) attacks, injection and malicious  code (like SQL or XPath injection), confidentiality integrity (like sniffing and parameter tampering), reconnaissance attacks (like directory reversal) and privilege escalation attacks (like race conditions and buffer overflow).

It also has extensive monitoring and reporting capabilities that can help give better visibility into the traffic details flowing to and from your intranet.  

Some of the key features offered by Oracle API Gateway are:

  • Provides a lightweight API gateway for securing and managing APIs
  • Connects mobile devices to existing enterprise systems
  • Extend authentication, authorization and risk policies to mobile, cloud and enterprise applications w/o changing backend apps
  • Provides data governance
  • SSO and Access Control for Cloud Applications
  • Regain visibility and demonstrate compliance with activity monitoring and security intelligence


Because Oracle API Gateway is an OEM packaging of Vordel API Gateway Server (acquired by Axway in 2013), you’ll find that there are many overlapping capabilities with OWSM, Oracle Service Bus and SOA Suite in general.  When setting up Oracle API Gateway, architects should have a clear vision of the responsibilities of each layer and tool in their environment.  For example, in SOA 12c, the ability to convert REST to SOAP can now be found not only in API Gateway, but in Service Bus and SOA Suite.  AVIO would generally recommend that this is done in the Service Bus.

The following are several key applications and web sites that are included with Oracle API Gateway’s installation:

Policy Studio

Along with the API Gateway Manager (which will be discussed next) this is perhaps the most important tool that Oracle API Gateway provides.  It is a graphical tool used to virtualize APIs and develop policies in a flow-chart style with a drag and drop UI that should be familiar to anyone who has worked with Service Bus or SOA Suite.  As you can see from the graphic below it has an extensive library of filters and pre-built policies.  In addition, the tool also allows developers to create their own java-based filter or policy which can be imported into Policy Studio for use in combination with pre-built components.

Policy Studio also allows administrators to manage listeners, external connections, certificates and keys, users and groups as well as other settings.  It can then deploy policies to the running Oracle API Gateway servers.

API Gateway Manager

This web-based administration console is critical for monitoring, managing and troubleshooting traffic flowing through the DMZ.  

It comes with a real-time dashboard showing message traffic by domain, group and API Gateway.  

It provides drill-down capabilities for administrators to view the actual content of messages.  It can provide details around the following areas: HTTP, Websocket, JMS, File Transfer, Directory and Performance:

The API Gateway runs with embedded Apache ActiveMQ 5.9 which serves as a native JMS provider.  This enables integration of external facing REST & SOAP Web services with backend systems thru asynchronous messaging.  This also enables asynchronous policy behavior. 

API Gateway Manager can be used to view queues and topics, messages on queues, and contents of individual JMS messages.

This tool also can be used for dynamically changing system settings such as logging levels, key property stores, admin users and credentials without having to do deployments from Policy Studio.  It should be noted that these settings will not persist if the API Gateway is restarted unless they are explicitly deployed from Policy Studio.

API Gateway Analytics

This web-based console provides the ability to monitor and report on all API Gateways in the domain over an extended time period.  It can help administrators to analyze what APIs are used, how often APIs are used, when APIs are used, and who is using APIs.  It can also schedule reports in PDF format to be emailed to specific users.

Configuration Studio

This graphical tool is used to promote API Gateway configuration between environments.  It can also specify environment-specific settings such as certificates, keys, users and groups.

API Gateway Explorer

This graphical tool, similar to SOAP UI, is used to test API performance, scalability, and security.  It can test both REST and SOAP-based services.  It can create test cases and stress tests.  It simplifies the management of certificates, keys and SOAP attachments.  

Additional documentation on Oracle API Gateway can be found at:

Be sure to look for upcoming articles from AVIO Consulting as we take a deeper look at Oracle API Gateway, a software solution that is quickly growing in importance as companies struggle to adapt to the challenges posed by mobile and cloud computing.

Please check out my blog posts for other articles around SOA process patterns, software development best practices and development methodologies.