Creating an application

Create an application that defines the precise identifiers by which messages from a particular application are recognized at run time and authenticated by webMethods API Gateway.

Before you begin

You must have the Manage applications functional privilege to perform this task.

Procedure

  1. Open the menu options and select Applications.
  2. Click Create application.
  3. Provide the following information in the Basic information section.
    Field Description
    Name: Type a name for the application.
    Version: The version of the application. By default it is 1.0, but you can change it to the required value.
    Owner: The name of the team that owns the application.

    The application owner can view all details of the application, including the API access key. If you specify a team as the application owner, all members of the team can view the API access key. The Owner field is visible only after you save the application.

    Note: You cannot modify the ownership details of the applications you create through Developer Portal.
    Description: Type a description of the application.
    Requestor comment: Specify your comments. This field is visible only when the approval configuration for Create application is enabled in the Administration > General > Approval Configuration > Create application section.

    Any one of the following approvers can approve the pending requests for an application:

    • The users and user groups of the teams that the application is associated with, as specified in the Approvers section of the Basic information tab when you create or edit the corresponding team.
    • The users and user groups of the teams that the application is associated with, as specified in the Team Administrators section of the Basic information tab when you create or edit the corresponding team. This set of users applies only if the Include team administrators as approvers option is selected.
  4. Click Continue to Identifiers.
    Alternatively, click Identifiers. You can also save the application by clicking Save at this stage and add the Identifiers and APIs later.
  5. Provide the following information in the Identifiers section.
    Field Description
    IP address range: Provide a range of trusted IPv4 or IPv6 addresses that identifies requests from a particular application. You can add more ranges by clicking +Add and providing the required information.
    Partner identifier: Specifies the third-party partner's identity.
    Client certificates: Click Browse and select the client certificate or certificate chain to upload. The client certificate specifies the X.509 certificates that identify requests from a particular application.
    Note: webMethods API Gateway supports .cer and .pem certificates for identifying consumer applications. You can add multiple certificates by clicking +Add.
    Claims: Provide a set of claims for JWT and OpenID clients. A claim is unique identifying information that identifies requests from a particular consumer application. A claim set is identified by a unique Name and is defined as a name-value pair consisting of a Claim name and a Claim value. You can add more claims and claim sets by clicking +Add and providing the required information.
    Header key: Specify the HTTP header key that identifies requests from an application.
    Header value: Specify the HTTP header value that identifies requests from an application. You can add multiple header keys and values by clicking +Add.
    Other identifiers: Select one of the following options to identify requests from a particular application and provide the corresponding value.
    • Hostname. Specify the hostname.
    • Token. The token that is required to identify requests from an application.
    • Username. The username credential that identifies requests from an application.
    • WS-Security username. The WSS username that identifies requests from an application.
    • Payload identifier. The payload identifier that is required to identify requests from an application.
  6. Click Continue to APIs. Alternatively, click APIs. For more information, see Registering an API with consumer applications.
    Click Save at this stage if needed and add the APIs later.
  7. Type a keyword to find the required API and click + to add it.
    Adding an API to the application enables the application to access the API. When invoking the API at run time, an API developer must provide the access token or identification token so that webMethods API Gateway can identify the application.
  8. Type the required Requestor comment.
  9. Click Continue to Advanced.
    You can save the application by clicking Save at this stage and add the APIs later.
  10. Specify the origin from which the responses originate that is to be allowed during response processing for the application.
  11. Click +Add to add the origin. You can add multiple origins by clicking +Add.
  12. Click Continue to Authentication.
    You can save the application by clicking Save at this stage and add the Authentication strategy later.
  13. Click Create strategy.
    A strategy is a way to authenticate the incoming request; it provides multiple authentication mechanisms or multiple authorization servers for a single authentication scheme. You can create multiple strategies that an API authorizes for an application.
  14. Select one of the following authentication schemes.
    • OAUTH2. Provide the following information.
      Field Description
      Name: Provide the name for the strategy.
      Description: Provide a description of the strategy.
      Authentication server: Specify the authentication server. The available values are local, which is the default server, or any other configured external authorization server.
      Audience: Provide a value or URI that identifies the intended recipient of the authorization server scope. The application that receives the token verifies that the audience value is correct and rejects any token that is intended for a different audience.
      Generate Credentials: Enable the toggle button to generate the client dynamically in the authorization server and provide the following information.
      • Application Type. Select one of the client types.
        • Confidential. A confidential client is an application that can keep its client password confidential. The authorization server assigns this client password to the client application, and the password is used to identify the client to the authorization server and prevent fraud. An example of a confidential client is a web application where no one but the administrator can access the server and see the client password.
        • Public. A public client is an application that cannot keep a client password confidential, for instance a mobile phone application or a desktop application with the client password embedded in it. Such an application might be cracked and reveal the password. The same is true for a JavaScript application that runs in the user's browser: the user can use a JavaScript debugger to inspect the application and see the client password.
      • Application profile. Specify the application type.
        • WEB. A web application is an application that runs on a web server. In reality, a web application typically consists of both a browser part and a server part. The client password can be stored on the server and is thus confidential.
        • USER_AGENT. A user agent application is, for instance, a JavaScript application that runs in a browser; the browser is the user agent. A user agent application might be stored on a web server, but the application runs only in the user agent after it is downloaded.
      • Token lifetime. Specify the token lifetime, in seconds, for which the token is active.
      • Token refresh limit. Specify the number of times that the refresh token can be used to get a new access token.
      • Redirect URIs. Specify the URIs that the authorization server can use to redirect the resource owner's browser during the grant process. You can add multiple URIs by clicking +Add.
      • Grant type. Specify the grant type to be used to generate the credentials. The available options are authorization_code, password, client_credentials, refresh_token, and implicit; they are populated dynamically from the authorization server. For example, if the authorization server does not support client credentials, that option is not listed.
      • Scopes. Select the scopes that are to be mapped to the authentication strategy.
      Note: In webMethods API Gateway 10.15 or later, you must select the scopes from the authorization server that are to be associated with the strategy.
      Client ID: Specify the client identifier of a client application that exists in the authorization server. It identifies the client application in the authorization server and maps the client to the webMethods API Gateway application.
      Note: This parameter is required if you already have a client application in the authorization server and do not want to create a client dynamically.
    • JWT. Provide the following information.

      Field Description
      Name: Provide the name for the strategy.
      Description: Provide a description of the strategy.
      Authentication server: Specify the authentication server. The possible values are local, which is the default server, or any other configured external authorization server.
      Audience: Provide a value or URI that identifies the intended recipient of the authorization server scope. The application that receives the token verifies that the audience value is correct and rejects any token that is intended for a different audience.
      HMAC algorithm: Select this option if the authorization server returns a JWT signed with an HMAC algorithm, and provide the shared secret value used to validate the JWT.
    • OPENID. Provide the following information.

      Field Description
      Name: Provide the name for the strategy.
      Description: Provide a description of the strategy.
      Authentication server: Specify the authentication server. The available values are local, which is the default server, or any other configured external authorization server.
      Audience: Provide a value or URI that identifies the intended recipient of the authorization server scope. The application that receives the token verifies that the audience value is correct and rejects any token that is intended for a different audience.
  15. Click Add. The strategy is configured and listed in the Strategies table.
    Note: You can generate a new Client ID and Client Secret for an existing strategy. However, after the credentials are generated for a strategy, the strategy can no longer be removed. The Generate credentials toggle is disabled in the UI when you update a strategy.
  16. Click Save.
    The application is created and listed in the list of applications in the Manage applications page after an approval.
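The Identifiers section above (IP address range, Header key and value, Claims) and the Audience field of the authentication strategies describe how webMethods API Gateway recognizes an application at run time. The following Python model is added here as an illustration and is not code from webMethods API Gateway; the application names, address ranges, header names and claim values are constructed assumptions, and the rule that a token for a different audience does not identify an application even when its IP matches is the defender-side behaviour the Audience field describes.

```python
import ipaddress

# Constructed sample registrations modelled on the Identifiers section and the
# strategy Audience field. Illustrative model only, not API Gateway's own logic.
APPLICATIONS = {
    "billing-app": {
        "ip_ranges": ["10.20.0.0/16", "2001:db8::/32"],
        "headers": {"X-App-Id": "billing"},
        "claims": {"iss": "https://idp.example.test", "sub": "billing-client"},
        "audience": "https://gateway.example.test/billing",
    },
    "partner-app": {
        "ip_ranges": ["203.0.113.0/24"],
        "headers": {},
        "claims": {"sub": "partner-42"},
        "audience": "https://gateway.example.test/partner",
    },
}

def ip_in_ranges(ip, ranges):
    """True if ip falls inside any configured IPv4/IPv6 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)

def claims_match(token_claims, required):
    """Every configured claim name must be present with exactly the configured value."""
    return bool(required) and all(token_claims.get(n) == v for n, v in required.items())

def audience_ok(token_claims, audience):
    """Reject tokens intended for a different audience; 'aud' may be a string or list."""
    aud = token_claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    return audience in aud

def identify_application(request, apps=APPLICATIONS):
    """Return the name of the first application whose identifiers match, else None.
    request: {"ip": str, "headers": {..}, "claims": {..} (decoded JWT, optional)}."""
    headers = request.get("headers", {})
    claims = request.get("claims") or {}
    for name, app in apps.items():
        by_claims = claims_match(claims, app["claims"])
        if by_claims and not audience_ok(claims, app["audience"]):
            continue  # token names this app but is meant for another audience
        by_ip = ip_in_ranges(request["ip"], app["ip_ranges"])
        by_header = bool(app["headers"]) and all(
            headers.get(k) == v for k, v in app["headers"].items())
        if by_ip or by_header or by_claims:
            return name
    return None
```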

What to do next

  • View the list of applications in the Manage applications page from where you can create, delete, and select an application to view its details.

    A list of all registered applications and subscriptions appears.

    • The app icon denotes an application. When you select an application, the Application details page displays the basic information (name, description, owner, creation time, identifiers, and access tokens), the list of APIs registered for the application, the advanced configurations, and the authentication strategies configured for the application.

      Application credentials, such as API keys or OAuth client secrets, are visible only to the application owner. All other users see only an encrypted value. Because Developer Portal and webMethods API Gateway do not share a central user management, webMethods API Gateway users cannot see the credentials of applications that are requested through Developer Portal.

    • The subscriptions icon denotes a subscription. When you select a subscription, you can view the applications and the associated package, plan, used quota, start time, end time, and remaining period of the subscription.
      Note: You cannot create a subscription from the subscription details page. To create a subscription, use the subscription API. For details about creating subscriptions by using a REST API, see Subscription Management. You can also create a subscription from the Developer Portal.
  • Regenerate an API access key in the Application details page. Click the refresh icon next to the API access key; the key is regenerated and the new API access key appears in the API access key field.
  • Modify the details of an application from the application details page. Click Edit and modify the required fields in the application details page and click Save.
    Note: You cannot modify the ownership details of the applications you create through Developer Portal.
  • Suspend an application when it is no longer in use. Open Applications and set Active to off for the respective application to suspend it. Alternatively, click Suspend in the application details page and click Yes in the confirmation dialog box.
  • Activate a suspended application from the application details page when you want it back in use and associated with APIs. Open Applications, set Inactive in the application details page, and click Yes in the confirmation dialog box; the application resumes.