Setting Up API Discovery

Published April 5, 2023 | Last modified December 9, 2024

Objective

This document provides instructions on configuring API Discovery on the F5® Distributed Cloud Platform. This core capability is essential for dynamically identifying and monitoring your application's API endpoints.

Prerequisites

Concepts

  • API Discovery: The process of dynamically identifying and classifying all API endpoints within your application, including Inventory, Discovered, and Shadow APIs. It involves both detecting APIs from traffic and integrating OpenAPI Specifications to create API definitions.
  • Sensitive Data Discovery: This feature identifies and masks sensitive data such as Personally Identifiable Information (PII) within API traffic. This helps ensure data privacy and compliance with regulations.
  • Code Scanning API Discovery: This process involves analyzing your application's source code to identify all API endpoints, including those not observable through runtime traffic. By examining code repositories, it uncovers hidden or deprecated APIs, providing a complete API inventory and aiding in security assessments.
  • API Crawling: A discovery technique that independently simulates user behavior to detect exposed APIs within your web applications. It focuses on identifying shadow APIs that are not monitored by traditional API discovery methods or code scanning, providing a more comprehensive view of your API landscape.

Configuration

The configuration process is divided into two sections: API Discovery and API Protection.

ActivityDescription
Find HTTP Load BalancerLocate the specific HTTP Load Balancer where API Discovery will be enabled.
Enable API Discovery from TrafficEnable API Discovery on the identified HTTP Load Balancer.
Enable API Discovery from CodeUpload OpenAPI Specification files, create API definitions, and apply them to the load balancer.
Enable API Discovery from API CrawlingEnable API Discovery on the identified web applications using crawling.

Set Up API Discovery

Step 1: Find your HTTP Load Balancer.
  • Log into Console.
Figure: Console Homepage

Figure: Console Homepage

  • Click Web App & API Protection.

  • Select your namespace.

Figure: Select Namespace

Figure: Select Namespace

  • Click Manage > Load Balancers > HTTP Load Balancers and locate your HTTP load balancer in the list.
Figure: Load Balancers

Figure: Load Balancers

Step 2: Enable API Discovery.
Figure: Manage Load Balancer Configuration

Figure: Manage Load Balancer Configuration

  • For the target load balancer, click ... > Manage Configuration in the Action column.

  • Click Edit Configuration in the top right section of the page.

  • Scroll down to the API Protection section.

  • Select Enable from the API Discovery drop-down menu. This will also expose the API discovery settings.

Figure: Enable API Discovery

Figure: Enable API Discovery

  • Select your desired option from the Learn From Traffic With Direct Response drop-down menu. By default, API Discovery learns only from traffic with 2xx (successful) responses. You can choose to select Enable Learning From Redirect Traffic to also learn from traffic with 3xx (redirect) responses.

  • Use the Purge Duration for Inactive Discovered APIs field to specify how often to delete inactive discovered APIs. The purging occurs after the number of days you specify expires.

  • Scroll to the bottom of the page and click Save and Exit.

Step 3: Add Code Scanning API Discovery.
Figure: Add Code Base Integration

Figure: Add Code Base Integration

  • Navigate to Manage > API Management > Code Base Integration.

  • Click Add Code Base Integration.

Figure: Add Code Base Integration Form

Figure: Add Code Base Integration Form

  • Enter a name for this integration and optionally enter labels and a description.

  • Select the code base you want to integrate (GitHub, GitLab, azure, etc.) from the Code Base drop-down menu.

  • Based on your selected code base, you will need to add the required integration information (i.e. API key/username + password) to the Console. You can obtain integration information for your code base as described in one of the options shown below.

Azure Repos Integration

In Azure DevOps:

  • Create a personal access token in Azure DevOps (Under User Settings > Personal Access tokens ).

  • Click New Token.

  • Set a label F5 integration.

  • Scopes: Ensure Custom defined is selected and select the following options:

    • Code: Read

    • User Profile: Read

  • Click Create. Then copy your newly created personal access token into the paste buffer.

Bitbucket Cloud/Server Integration

In Bitbucket:

  • Create an app password in Bitbucket.

  • Set a label F5 integration.

  • Select the following permissions:

    • Code: Read
    • Workspace: Read
    • Project: Read
    • Repositories: Read
    • Pull Requests: Read
    • Webhooks: Read

  • Click Create. Then copy your newly created app password into the paste buffer.

Back in Distributed Cloud Console done one of the following:

  • Bitbucket Cloud Integration: Enter your Bitbucket username into the Bitbucket Username field.

  • Bitbucket Server Integration: Fill in the Bitbucket Server URL and BitBucket Server Username fields.

GitHub or GitHub Enterprise Integration

In GitHub:

  • Generate a new token (classic or fine-grained) in GitHub (Settings > Developer Settings > Personal Access tokens).

  • Set a Note F5 integration.

  • Set expiration date.

  • Configure the scopes as follow:

    • Classic token

      • Read_api
      • User > read:user
      • User > user:email

    • Fine-grained

      • Repository permission > Contents:read-only
      • Repository permissions > Metadata:read-only

Click Generate Token. Then copy your newly created token into the paste buffer.

Back in Distributed Cloud Console done one of the following:

  • GitHub Integration: Enter your GitHub username into the GitHub Username field.

  • GitHub Enterprise Integration: Fill in the GitHub Hostname and GitHub Username fields.

GitLab Cloud or GitLab Enterprise Integration

In GitLab:

  • Create an access token (Under Preferences > Access Tokens).

  • Set a label F5 integration.

  • Set expiration date

  • Configure the scope as follows:

    • Read_api
    • Read_repository
    • Read_user

Click Create Personal access token. Then copy your newly created token into the paste buffer.

Back in Distributed Cloud Console, if you selected GitLab Enterprise Integration, Enter your GitLab URL in the GitLab URL` field.

In Distributed Cloud Console:

  • Click Configure to bring up the Secret Type form. You can either Blindfold your token/password or you can store it in the clear.

  • Paste your token/password into either the Secret to Blindfold or Secret field.

  • Click Apply to save your token.

  • Click Save and Exit.

  • Go back to your load balancer (from Step 1) and scroll down to the API Protection section.

Figure: Enable API Discovery

Figure: Enable API Discovery

  • Make sure API discovery is enabled and click Configure under API Repositories. This will bring up an empty list of code base integrations. Click Add Item to start the list.

  • Select the code base you created above.

  • Select the API repositories you wish to include from the code base.

Figure: Select Code Base

Figure: Select Code Base

  • Scroll to the bottom and click Save and Exit.

  • You can now see in the API inventory the source of detection of an API endpoints. (Note: it can take up to two hours for the discovery process to run and show results).

Figure: Monitor API Endpoints

Figure: Monitor API Endpoints

Step 4: Set Up API Crawling.
  • Click Manage > Load Balancers > HTTP Load Balancers and locate your HTTP load balancer in the list.
Figure: Load Balancers

Figure: Load Balancers

Figure: Manage Load Balancer Configuration

Figure: Manage Load Balancer Configuration

  • For the target load balancer, click ... > Manage Configuration in the Action column.

  • Click Edit Configuration in the top right section of the page.

  • Scroll down to the API Protection section.

  • Select Enable from the API Crawling drop-down menu (API Discovery must be enabled to see the API Crawling drop-down menu). This will also expose the Domains to Crawl list.

Figure: Enable API Discovery

Figure: Enable API Discovery

  • For each domain you want to crawl,

    • Click Add Item in the Domains to Crawl list.
    • Enter the domain you want to crawl. Optionally you can click in the Domain field and then click See Suggestions.
    • Enter the username in the User field.
    • To enter the password, click Configure to bring up the Secret Type form. You can either Blindfold your token/password or you can store it in the clear.
      • Paste your token/password into either the Secret to Blindfold or Secret field.
      • Click Apply to save your secret (password).
    • Click Apply to save your domain to the Domains to Crawl list.

  • Scroll to the bottom of the page and click Save and Exit.

  • Scanning will begin shortly. You will soon (up to 4 hours) start seeing results in your API Endpoints page for this load balancer under the Discovery Source column.

Figure: Monitor API Endpoint Sources

Figure: Monitor API Endpoint Sources

Limitations

Discovery From Code

  • Code scan intervals:

    Type of ScanFrequency
    Discovering new repositoriesonce a day
    Scanning existing repositoriesonce a day
    Checking integration token validityevery 5 minutes

  • Supported languages and frameworks:

    LanguageFrameworks
    JavaEE,
    Spring
    .NetVersions 7.0, 6.0, 5.0, 3.1
    PythonFlask,
    Django - function-based views
    JavascriptExpress,
    Hapi
    GoGin

  • Supported SCM platforms:

    • Azure Repos
    • Bitbucket Cloud
    • Bitbucket Server
    • GitHub
    • GitHub Enterprise
    • GitLab
    • GitLab Enterprise

  • Code base integration will scan repos from the organization level, not from the user level.

Discovery from Crawling

  • API Crawling currently doesn't support MFA.

  • Scan interval: Monthly, triggered upon each configuration change/setup.

  • Scan Requirements: API crawling requires credentials; it cannot run without them.

  • Scan Time: Scans may take up to 4 hours to complete. If expected results are not visible after 4 hours, please contact our support team.

On this page: