Introduction to Red Hat OpenShift API Management

  • Red Hat OpenShift API Management 1
  • Updated 22 March 2023
  • Published 27 August 2021

Introduction to Red Hat OpenShift API Management

Red Hat OpenShift API Management 1
  • Updated 22 March 2023
  • Published 27 August 2021

Learn about the features and functions available in the Red Hat OpenShift API Management cloud service.

What is OpenShift API Management

Red Hat OpenShift API Management is a cloud service for creating, securing, and publishing your APIs. The OpenShift API Management service is an add-on for Red Hat OpenShift Dedicated and Red Hat OpenShift Service on AWS. The service is based on the Red Hat 3scale API Management platform and also includes an implementation of Red Hat Single Sign-On.

Understanding Red Hat 3scale API Management

Application Programming Interface (API) management refers to the processes of distributing, controlling, and analyzing the APIs that connect applications and data across cloud environments.

Red Hat OpenShift API Management provides a management platform that allows users to share, secure, distribute, control, and monetize APIs. After setting up authentication and user accounts, OpenShift API Management developers, also referred to as API providers, can configure, and publish their APIs.

The main OpenShift API Management components include:

  • APIcast - the 3scale API gateway

  • Admin Portal - the 3scale console that API providers work in

  • Developer Portal - the interface for API consumers

  • Red Hat Single Sign-On - for authenticating access to the Developer Portal as well as to APIs

The following image shows how these components work together to provide the service.

OpenShift API Management architecture

OpenShift API Management architecture

API providers are developers who work in the 3scale Admin Portal, for which an administrator has given them accounts. API providers also work in the OpenShift Dedicated cluster to deploy applications, such as a backend for service API requests. API providers create and publish APIs, and can configure Red Hat Single Sign-On authentication to secure APIs. 3scale separates APIs into two main groups:

  • Backends are internal APIs bundled in a product. Backends grant API providers the freedom to map internal API organization structures to 3scale. A backend contains a private URL for an internal API. It is exposed through mapping rules and the public URL of one or more 3scale products.

  • Products are customer-facing APIs. Products facilitate the creation of robust yet simplified offerings for API consumers. A product includes application plans and configuration of the APIcast gateway. A product can bundle multiple backends.

When a 3scale product is ready for use, an API provider publishes it in the Developer Portal. API consumers visit the Developer Portal to subscribe to a plan that enables them to use the 3scale product that contains that API. Consumers can then call the API’s operations, subject to any usage policies that may be in effect.

Understanding Red Hat Single Sign-On

Red Hat Single Sign-On provides single sign-on (SSO) authentication to secure web applications. You use this SSO implementation to control access to 3scale Developer Portals and to 3scale API products. It is not supported as a company-wide SSO solution.

How to set up OpenShift API Management

A Red Hat OpenShift Dedicated cluster administrator sets up the cluster and identity provider and adds the OpenShift API Management service to a cluster. Then, you configure the service users.

If desired, you can customize APIcast, which is the interface that handles calls to a 3scale API product.

In Red Hat OpenShift API Management documentation, ignore content for 3scale Hosted (SaaS). It does not apply to OpenShift API Management.

Configure an identity provider

If an identity provider is already configured, there is no need to configure another one. Otherwise, you must choose and configure an identity provider, which can be LDAP, GitHub, GitHub Enterprise, Google, or OpenID Connect.


Add OpenShift API Management

Adding OpenShift API Management to a cluster makes the service available for use by 3scale API providers. You can add OpenShift API Management to an OpenShift Dedicated cluster, or to a OpenShift Service on AWS cluster.


Configure 3scale API provider account permissions

In the 3scale Admin Portal, configure account permissions so that API providers in your organization can create, configure, and launch 3scale API products.

When a new user logs in to the OpenShift Dedicated cluster by using the configured identity provider, the user automatically receives an OpenShift account with permission to access OpenShift API Management.

You manage these accounts in the 3scale Admin Portal.

By default, Single Sign-On is configured for 3scale in OpenShift API Management.


How to use OpenShift API Management

Use OpenShift API Management to create, secure, and publish your APIs.

Get started with 3scale

You can use the 3scale wizard to start learning about how to add and test a 3scale API product.


Create and configure an API

In the 3scale Admin Portal, create and configure an API to ensure that access is protected by API keys, tracked, and monitored by 3scale with basic rate limits and controls in place.

This involves the following steps:

  • Create API backends

  • Create API products

  • Create mapping rules and application plans to define a customer-facing API product

  • Capture metrics

  • Configure API access rules

Mapping rules define the metrics or methods to report. Application plans define the rules such as limits, pricing, and features for using an API product. An application subscribes to an application plan.


Configure APIcast policies

APIcast is the 3scale API gateway, which is the endpoint that accepts API product calls and routes them to bundled backends. OpenShift API Management provides APIcast staging for developing and testing APIs and also APIcast production, for published APIs.

APIcast policies are units of functionality that modify how APIcast operates. Policies can be enabled, disabled, and configured to control APIcast behavior. Use custom policies to add functionality that is not available in a default APIcast deployment.


Secure your API

If you want to secure your API by using OpenID and OAuth, then in the Red Hat Single Sign-On Admin Console, create a Red Hat Single Sign-On realm. An SSO realm is required to manage authentication for access to the Developer Portal and 3scale API products.

In the 3scale Admin Portal, set up authentication to control access to your API product and to the 3scale Developer Portal.


Set up a 3scale Developer Portal

A well-structured developer portal and great documentation are key elements to assure adoption. A developer portal is the main hub for managing interactions with API consumers and for API consumers to access their API keys in a secure way.

In the 3scale Admin Portal, add OpenAPI Specification 3.0 conforming documents for use in a Developer Portal. API consumers use the Developer Portal to access the APIs defined in these documents.

Then, configure the Developer Portal and add your APIs.


Set up monitoring and analytics for your API

You can designate methods in your API and add metrics to set access limits for any of an API product’s application plans. For an API backend, methods and metrics can be used to set access limits in the application plan of any API product that bundles the backend.


Launch the API product

After you have configured and secured your API and created a Developer Portal, you can launch your API so that consumers can begin to use it.


Monitor your API

After your API is launched, you can monitor metrics that indicate how it is being used. Knowing how a 3scale API product is used is a crucial step for managing traffic, provisioning for peaks, and identifying the users who most often send requests to the API product.


Get OpenShift API Management

To get OpenShift API Management, you can add it to your OpenShift Dedicated cluster or OpenShift Service on AWS cluster. To learn more, go to