How To: OTK Solution Kit Installation

This is the second post in the blog series focusing on the OAuth Toolkit (OTK). The first video was a more academic overview of the OAuth protocol and workflow. This time we look at how to install the OTK solution kit, and at how the OTK integrates with the API Gateway to simplify implementing OAuth security for API endpoints.

The initial task is to download the OTK installation files from Broadcom support. They include database creation and update scripts, plus the OTK solution kit SSKAR file. 

Run a database script to create the OTK database with the token schema. MySQL, Oracle, and Cassandra databases are supported. 

Now open the Policy Manager of the API Gateway. Tell the Gateway how to reach the OTK database by configuring the database connection properties. Next, install the OTK solution kit SSKAR file through the Manage Solution Kits option in the Policy Manager.

Once installed, the OTK solution kit gives you control over where to install each OTK component. For example, you can split components into DMZ and internal zones in a dual-Gateway scenario. For simplicity, however, the video focuses on the single-server installation.

Now that the OTK is installed, OTK-specific assertions and policy fragments are available. The installed policies are read-only. To customize a read-only policy, edit the corresponding "hash-policy" (the policy of the same name prefixed with #) in the Customizations folder. For example, to customize default values for variables set in OTK Variable Configuration, edit the variables in #OTK Variable Configuration. This keeps all your custom values intact during future OTK upgrades, when the default policies are replaced by newer versions.

The video finishes by highlighting some key OTK assertions and policy fragments, such as the OTK Require OAuth 2.0 Token policy fragment, which enables OAuth validation, and by showing how to set up Identity Providers for authentication. We get a sense of how easy it is to perform common tasks by simply dragging and dropping pre-configured policy fragments and assertions into custom policies.

Blog written by Simon Crum

Aric Day

Aric is based in Minneapolis, MN and has been managing Enterprise API programs for more than 10 years as both an operations sysadmin and an API security consultant designing API integration standards. He currently serves Layer7 North American core accounts within the central and western regions. In previous roles he has worked as an automation and API security consultant with both Accenture and Best Buy. Aric has an engineering degree from the University of Minnesota. He is active as a youth hockey coach in winter and enjoys getting outdoors during the brief MN summer months.
