Configure Published API Projects in API Gateway

Configure the published API by updating the context variables in API Gateway to reflect your environment and by specifying the role mappings.

Verify Prerequisites

Ensure that you have completed the following prerequisites:

Configuration Workflow

Complete these steps for every API you publish to API Gateway:
  1. The API Gateway administrator configures the published API.
  2. The API Gateway administrator tests the published API.
  3. (Optional) The API Gateway administrator exposes the published API from API Gateway to the Portal (CA API Management SaaS or CA API Developer Portal).
  4. (Optional) The API consumer accesses the published APIs using the Portal (CA API Management SaaS or CA API Developer Portal).

Review and Confirm the Context Variables to Reflect your Environment

  1. In the Policy Manager, expand the LiveAPICreator/LAC Projects folder and open the published API project by double-clicking the project name.
  2. Display comments within the project by clicking Show Comments.
  3. Expand the All assertions must evaluate to true // LAC-00-Project Configuration policy.
  4. Review and confirm that the following context variables are set as indicated:


Expression value: https


Expression value: 8443


Expression value: ${gateway.cluster.hostname}

Expression value: The URL fragment for your published API project.

Example: demo


Expression value: Your current API version.

Example: v1.


Expression value: Your API Server name.

Example: lacserver1.


Expression value: 8081


Expression value: https


Expression value: rest/default

Set up API Access Permissions

Set up API access permissions by mapping the groups retrieved from an identity provider that is configured in API Gateway to Live API Creator roles. The reference LiveApiCreator service includes reference policy fragments that illustrate how to map API Gateway groups to Live API Creator roles. Customize the reference policy to reflect your system landscape by configuring and enabling the mapping of API Gateway identity provider groups to Live API Creator roles.

Complete one of the following:

  • If you are configuring a simple mapping of API Gateway groups to Live API Creator roles based on API Gateway Internal Identity Provider (IIP), configure a simple internal identity provider.
  • If you have configured a Lightweight Directory Access Protocol (LDAP) identity provider in API Gateway using the Policy Manager, configure the LDAP identity provider.

Configure a Simple Internal Identity Provider

  1. In the Policy Manager, from the LiveApiCreator/LAC Projects folder, open your published API project.
  2. Under the Project Configuration policy fragment, open and modify the following context variables:


    Set the expression to 'simple'.


    Adjust the value to reflect your user and group configuration.

    Note: As a reference point, the value for this context variable illustrates how the internal admin user is mapped to the internal, hard-coded API Gateway-defined Developer and Documentation groups.


    Adjust the expression value to reflect your API-Gateway-group-to-Live-API-Creator role mapping.

    Note: As a reference point, the value for this context variable illustrates how the Developer group is mapped to the Live API Creator-defined API Owner role. Similarly, the Documentation group is mapped to the Live API Creator-defined API Documentation role. If you do not adjust the expression value for this context variable, then API Gateway uses the expression value of the project.simpleRoleMapping.defaultRole context variable as the Live API Creator-defined API Documentation role.
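
The mapping described above can be reviewed before activation with a small model like the following. This is an added example, not code from the product or its reference policy. The dictionary shapes, the users alice and bob, the Contractors group, and the rule that the default role applies when none of a user's groups is mapped are assumptions made for illustration.

```python
# Review model for the simple group-to-role mapping; not the gateway's policy code.
# The dict shapes are assumptions: the real values live in the context variables
# project.simpleRoleMapper.users and project.simpleRoleMapper.userRoles.

# Constructed sample data. "admin", "Developer", "Documentation" and the two role
# names are the reference values described above; "alice", "bob" and
# "Contractors" are made up for this example.
USER_GROUPS = {
    "admin": ["Developer", "Documentation"],
    "alice": ["Documentation"],
    "bob": ["Contractors"],  # group with no role mapping
}
GROUP_ROLES = {"Developer": "API Owner", "Documentation": "API Documentation"}
DEFAULT_ROLE = "API Documentation"
PRIVILEGED_ROLES = {"API Owner"}  # assumption: roles a reviewer wants flagged


def resolve_roles(groups, group_roles, default_role):
    """Return (roles, unmapped_groups) for one user's group list."""
    roles = sorted({group_roles[g] for g in groups if g in group_roles})
    unmapped = sorted(g for g in groups if g not in group_roles)
    # Assumption: the default role applies when no group of the user is mapped.
    return (roles or [default_role]), unmapped


def review_mapping(user_groups, group_roles, default_role,
                   privileged=PRIVILEGED_ROLES):
    """List (user, finding, detail) tuples worth checking before activation."""
    findings = []
    if default_role in privileged:
        # A privileged default hands that role to every unmapped user.
        findings.append(("*", "privileged-default", default_role))
    for user in sorted(user_groups):
        groups = user_groups[user]
        roles, unmapped = resolve_roles(groups, group_roles, default_role)
        findings += [(user, "privileged-role", r) for r in roles if r in privileged]
        findings += [(user, "unmapped-group", g) for g in unmapped]
        if not any(g in group_roles for g in groups):
            findings.append((user, "default-role-fallback", default_role))
    return findings


if __name__ == "__main__":
    for finding in review_mapping(USER_GROUPS, GROUP_ROLES, DEFAULT_ROLE):
        print(*finding, sep="\t")
```

Each finding is a row to confirm by hand: who reaches API Owner, which groups have no mapping, and who silently receives the default role.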

Configure the LDAP Identity Provider

  1. In Policy Manager, open the Project Configuration policy fragment and set the value of the project.roleMappingType context variable to 'ldap'.
  2. Complete one of the following:
    • If your API project includes roles that do not match the LDAP groups, adjust the value of the project.simpleRoleMapper.userRoles context variable to match the LDAP groups to the Live API Creator role.

      Note: The value of the project.simpleRoleMapper.users context variable dynamically populates based on a user's LDAP group membership by way of the (cn=${authenticatedUser.login}) LDAP search filter. This search filter sets the ldapGroups context variable using the LDAP 'memberOf' attribute.

    • If your API project includes roles that match the LDAP groups, your users' LDAP groups are passed through to API Server. No additional configuration is needed.
    • If you are using an identity provider different from LDAP, such as Microsoft Active Directory (MSAD), adjust the value of the ldapGroups context variable from 'memberOf' to an attribute that returns the user's group membership.

Activate the Updated API Project in API Gateway

In Policy Manager, save and activate the API.

Next Steps

Now that you have configured your published API in API Gateway, you can consume the published API. For more information, see Consume the Published API Project in API Gateway.