Citrix Application Delivery Management service

Add policies to an API definition

You can assign a policy to an API resource. Policies let you define the traffic selection criteria that decide which API requests are authenticated, and let you apply API security policies to that API traffic.

Perform the following steps to add a policy to an API definition:

  1. Navigate to Applications > API Gateway > Policy.

  2. Click Add.

  3. Specify the name for a policy group.

  4. Select a Deployment from the list.

  5. Select an Upstream Service from the list for which you want to configure policies.

  6. Click Add to select traffic selectors and a policy type.

    Traffic selector - You can use any of the following options to specify the traffic selection criteria:

    • API Resources – Select an API resource and its methods to which you want to apply a policy. You can search API resources and methods by keyword.

      Traffic selector

      In this example, the API resources with /user that have the POST method are listed.

    • Custom Rule – In this tab, you can add multiple methods together with a path prefix in a custom rule. An incoming API request whose API resource matches the specified path prefix and one of the methods has the authentication policy applied.

      Custom policy rule

      In this example, the authentication policy applies to all API resources with the prefix /pet and the POST method.

    Policy – Select the policy from the list that you want to apply to the selected API resource and method:

    • No-Auth – This policy returns success as an authentication result.

    • Auth – Basic – This policy uses local authentication if external authentication fails.

    • OAuth – JSON Web Token (JWT) Validation – This policy uses an access token to access an API. To use this policy, specify the following:

      JWKS URI - The URL of an endpoint that provides the JWKs (JSON Web Keys) used for JWT (JSON Web Token) verification.

      Issuer - The identity (usually a URL) of the authentication server.

      Audience - The identity of the service or application for which the token is applicable.

      JWT authentication

    • Rate Limit – Specify the maximum load allowed for the selected API resource. With this policy, you can monitor the API traffic rate and take preventive action.

      Rate limit Policy

    • WAF - This policy prevents security breaches, data loss, and possible unauthorized modifications to websites that access sensitive business or customer information.

      Before you configure a WAF policy, create a WAF profile in Citrix ADM using the StyleBook. Then specify the WAF profile name.

      WAF Policy

    • BOT - This policy identifies bad bots and protects your appliance from advanced security attacks.

      Before you configure a BOT policy, create a BOT profile in Citrix ADM using the StyleBook. Then specify the BOT profile name.

      BOT Policy

  7. Optionally, reorder the policy types to set their priority. Policy types with higher priority apply first.

  8. Click Save to add a policy. If you want to apply the policy immediately, click Save & Apply.
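The following is an added example, not Citrix ADM code, that models how the procedure above behaves: traffic selectors (an exact API resource, or a Custom Rule path prefix, each with a set of methods) are evaluated in priority order and the first match decides the policy, and the OAuth JWT policy's Issuer and Audience settings are checked against the token's claims. The rule shapes, the "larger number = higher priority" convention, the sample paths and the policy names are assumptions for illustration; signature verification against the JWKS URI is assumed to happen before the claim check.

```python
from dataclasses import dataclass
import time

@dataclass(frozen=True)
class Selector:
    """Traffic selector: exact API resource path (API Resources tab) or path prefix (Custom Rule)."""
    path: str
    methods: frozenset
    prefix: bool = False  # True for a Custom Rule path prefix, False for an exact API resource

    def matches(self, method: str, path: str) -> bool:
        if method.upper() not in self.methods:
            return False
        return path.startswith(self.path) if self.prefix else path == self.path

@dataclass(frozen=True)
class PolicyRule:
    selector: Selector
    policy: str    # "No-Auth", "Auth-Basic", "OAuth-JWT", "Rate Limit", "WAF" or "BOT"
    priority: int  # assumption: larger number = higher priority, evaluated first (step 7)

def select_policy(rules, method, path):
    """Return the policy of the highest-priority matching rule, or None when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if rule.selector.matches(method, path):
            return rule.policy
    return None

def jwt_claims_acceptable(claims, issuer, audience, now=None):
    """Check the Issuer and Audience settings of the OAuth JWT policy against decoded claims.
    'aud' may be a single string or a list of strings (RFC 7519); a token without
    'exp' is rejected. Signature verification against the JWKS URI is assumed done."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud_ok = audience in (aud if isinstance(aud, list) else [aud])
    return claims.get("iss") == issuer and aud_ok and claims.get("exp", 0) > now

# Constructed sample policy group mirroring the two examples in the text.
SAMPLE_RULES = [
    PolicyRule(Selector("/pet", frozenset({"POST"}), prefix=True), "Auth-Basic", 10),
    PolicyRule(Selector("/user", frozenset({"POST"})), "OAuth-JWT", 20),
    # A health endpoint under /pet left open on purpose; it outranks the /pet prefix rule.
    PolicyRule(Selector("/pet/health", frozenset({"GET", "POST"})), "No-Auth", 30),
]

if __name__ == "__main__":
    for m, p in [("POST", "/pet/42"), ("POST", "/user"), ("POST", "/pet/health"), ("GET", "/pet/1")]:
        print(m, p, "->", select_policy(SAMPLE_RULES, m, p))
    print(jwt_claims_acceptable({"iss": "https://idp.example", "aud": ["api-gw"], "exp": 2**40},
                                "https://idp.example", "api-gw"))
```

A request that matches no selector gets no policy here (None); what the gateway does with such requests is not stated on this page, so treat that branch as a deployment decision rather than a default.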

