Configuring API security

You must define access to API resources to control what can be accessed by users when calling an API.

When calling an API, you must pass through the following two levels of security:

  • Authentication with a user ID, a certificate or both. The login API is called before any other API is called.
  • Authorization, which verifies which resources you can access.
Note: If you're running Sterling Order Management System components as Web services with API security enabled, you must expose the Login API as a Web service. Additionally, you must call the Login API, capture the security token that is generated at login, and then set the token as the "tokenId" in YFSEnvironment. For details about the YFSEnvironment interface, see the IBM Sterling® Order Management: Javadoc.