Lab 3.1: Review and Deploy AS3 Declaration

  1. In Postman, expand the Arcadia Finance >> Dev >> Test API >> Deploy DEV w/ OAS folder and select Deploy DEV w/ OAS. Do not send this payload just yet.

2. In the declaration, we are deploying a new security policy called arcadia_dev_policy. Near the bottom, you can see that the policy is defined by referencing a JSON file. Let’s take a look at this policy file.

  3. In the Components section, click Access under the App Server (Ubuntu) and select Web Shell, or SSH if you provided your own keypair.
  4. In the CLI type:
cat /home/ubuntu/repo/arcadia/dev/policy-api-arcadia-dev.json

This is a basic OWASP Top 10 policy based on our Production instance, with one difference.

Notice at the bottom we are referencing an OpenAPI file. Let’s review this file.

  5. From the CLI type:
less /home/ubuntu/repo/arcadia/dev/arcadia-oas3-dev.json

Hit SPACE or Enter to scroll through the file and review the settings. The paths and parameters should look familiar as you’ve already used them in Postman. Hit Q when you’re done.

Now that you have examined how the declaration ties these files together, it’s time to start your repo service and deploy the Development VIP.

  6. In Ubuntu, cd /home/ubuntu and type:
./start-web-server.sh

and hit Enter a couple of times.

  7. From Postman, click Arcadia Finance >> Dev >> Test API >> Deploy Dev w/ OAS and hit Send (this will take a few seconds).

You should get a 200 OK response with the details of your deployment.

  8. Verify the deployment was a success by clicking the Arcadia Finance >> Dev >> Test API >> DEV - Buy stocks request and hitting Send (the JSON response body should indicate Success).
  9. In the BIG-IP, select the new arcadia-dev partition at the top-right.
  10. Go to Security >> Application Security >> Security Policies and click on the arcadia_dev_policy.

Unlike our previously reviewed arcadia-prod policy, notice that this security policy references an OpenAPI file.


11. Under Application Security, go to URLs >> Allowed URLs. No more wildcard paths are allowed, since this is for API gateway enforcement, not just basic web security.

12. Select the /trading/rest/buy_stocks.php URL and click URL Parameters at the top. Notice how there are no wildcard parameters and parameter names are now defined.


You have successfully created a web application firewall policy using an AS3 declaration.
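
The check below is an added example, not part of the lab or of F5's tooling: before deploying, it confirms that a policy file references an OpenAPI file and lists the URLs and input names that file declares, which is what you later compare against Allowed URLs and URL Parameters in the BIG-IP. The two embedded documents are constructed stand-ins for the lab's files; the `open-api-files`/`link` key, the `repo.example` host, the `/example/rest/status` path and all parameter names are assumptions.

```python
import json

# Constructed stand-ins for the lab's policy and OpenAPI files (values are assumptions).
POLICY = json.loads("""{"policy": {"name": "arcadia_dev_policy",
  "open-api-files": [{"link": "http://repo.example/arcadia-oas3-dev.json"}]}}""")
OAS = json.loads("""{"openapi": "3.0.1", "paths": {
  "/trading/rest/buy_stocks.php": {"post": {"requestBody": {"content": {
    "application/json": {"schema": {"type": "object", "properties": {
      "qty": {"type": "integer"}, "company": {"type": "string"}}}}}}}},
  "/example/rest/status": {"get": {"parameters": [
    {"name": "verbose", "in": "query", "schema": {"type": "boolean"}}]}}}}""")

METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

def openapi_links(policy):
    """Return the OpenAPI file links a declarative policy references."""
    files = policy.get("policy", {}).get("open-api-files", [])
    return [f["link"] for f in files if "link" in f]

def allow_list(oas):
    """Map (METHOD, path) to the sorted input names the OpenAPI document declares."""
    result = {}
    for path, item in oas.get("paths", {}).items():
        shared = item.get("parameters", [])  # path-level parameters apply to every method
        for method, op in item.items():
            if method not in METHODS:
                continue
            names = {p["name"] for p in shared + op.get("parameters", []) if "name" in p}
            for media in op.get("requestBody", {}).get("content", {}).values():
                names |= set(media.get("schema", {}).get("properties", {}))
            result[(method.upper(), path)] = sorted(names)
    return result

def findings(policy, oas):
    """List reasons the pair would not describe explicit URLs and named inputs."""
    out = []
    if not openapi_links(policy):
        out.append("policy does not reference an OpenAPI file")
    for (method, path), names in allow_list(oas).items():
        if "*" in path:
            out.append(f"wildcard path: {path}")
        if not names:
            out.append(f"no declared inputs: {method} {path}")
    return out

if __name__ == "__main__":
    for (method, path), names in allow_list(OAS).items():
        print(method, path, names)
    print(findings(POLICY, OAS) or "explicit URLs and named inputs only")
```

To run it against the lab's own files, replace the two embedded strings with `json.load()` on the policy and OpenAPI files shown earlier.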