Announcing API7 Enterprise 3.6.0
March 25, 2025
We're thrilled to announce the release of API7 Enterprise 3.6.0, which delivers enhanced security features. The changes include support for configuring mTLS for upstreams, using environment variables for SSO configuration, and basic authentication in the API7 Portal. This release also removes runtime configurations from service templates to streamline them.
Enhance Security: Configure mTLS for Upstreams
API7 Enterprise now supports mTLS configuration between the API gateway and upstreams to enhance security and prevent unauthorized access.
Problem:
Certain upstream services, due to their inherent high security and sensitivity, require strict access controls. These requirements apply to the API gateway as well, where all proxied client requests must undergo rigorous authentication. This ensures that only authorized entities can access these critical resources, including the API gateway.
Solution:
API7 Enterprise 3.6.0 introduces enhanced mutual TLS (mTLS) for upstreams, which is commonly used within zero-trust security frameworks to authenticate users, devices, and servers within an organization. It also plays a crucial role in securing APIs.
This two-way certificate verification ensures that both the API gateway and the upstream service mutually validate each other's credentials. This robust mTLS mechanism ensures that only authorized API requests can exchange data securely.
For maximum flexibility, you can leverage SSL and CA certificates to meet a variety of security requirements. The same certificate can be utilized for both client-gateway and gateway-upstream communications, or distinct certificates can be configured for specific use cases.
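The two-way verification described above, shown as an added example rather than API7 Enterprise's own code or configuration (in the product this is set up through its upstream and certificate settings, not written by hand). The Go program below plays both roles: an "upstream" that only accepts callers whose certificate chains to its trusted CA, and a "gateway" that both verifies the upstream's certificate and presents its own. All names ("internal-ca", "orders-upstream", "api7-gateway") and the in-memory certificates are constructed for the demo; a real deployment loads certificates from its PKI instead of minting them at startup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// mustIssue creates a certificate for cn signed by parent/parentKey. With a nil
// parent the certificate is self-signed and marked as a CA. Demo only: real
// deployments get certificates from their PKI, not generated at runtime.
func mustIssue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens on loopback
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func pair(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
}

// fetch makes one HTTPS request with the given client-side TLS configuration,
// which is the gateway's role when it proxies to an upstream.
func fetch(url string, cfg *tls.Config) (string, error) {
	tr := &http.Transport{TLSClientConfig: cfg}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Result records how the upstream treated three different callers.
type Result struct {
	GatewayBody  string // response to the gateway holding a cert from the trusted CA
	NoCertErr    error  // error seen by a caller presenting no client certificate
	ForeignCAErr error  // error seen by a caller whose cert chains to another CA
}

// MutualTLSDemo starts an upstream that requires client certificates issued by
// "internal-ca" and calls it as an enrolled gateway, anonymously, and with a
// certificate from an unrelated CA.
func MutualTLSDemo() (*Result, error) {
	ca, caKey := mustIssue("internal-ca", nil, nil)
	upstream, upstreamKey := mustIssue("orders-upstream", ca, caKey)
	gateway, gatewayKey := mustIssue("api7-gateway", ca, caKey)
	otherCA, otherCAKey := mustIssue("some-other-ca", nil, nil)
	rogue, rogueKey := mustIssue("rogue-caller", otherCA, otherCAKey)

	trusted := x509.NewCertPool() // CA both sides use to verify the peer
	trusted.AddCert(ca)

	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// RequireAndVerifyClientCert guarantees a verified peer certificate here.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{pair(upstream, upstreamKey)},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the upstream's half of mTLS
		ClientCAs:    trusted,
	}
	srv.StartTLS()
	defer srv.Close()

	res := &Result{}
	var err error
	res.GatewayBody, err = fetch(srv.URL, &tls.Config{RootCAs: trusted, Certificates: []tls.Certificate{pair(gateway, gatewayKey)}})
	if err != nil {
		return nil, fmt.Errorf("enrolled gateway was rejected: %w", err)
	}
	_, res.NoCertErr = fetch(srv.URL, &tls.Config{RootCAs: trusted})
	_, res.ForeignCAErr = fetch(srv.URL, &tls.Config{RootCAs: trusted, Certificates: []tls.Certificate{pair(rogue, rogueKey)}})
	return res, nil
}

func main() {
	res, err := MutualTLSDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("gateway: %q\nno cert: %v\nforeign CA: %v\n", res.GatewayBody, res.NoCertErr, res.ForeignCAErr)
}
```

The two rejections are the point of the exercise: a caller that reaches the upstream's network but holds no certificate, or one issued by a CA the upstream does not trust, never completes the handshake, so the upstream's application code never sees the request. The gateway, for its part, sets `RootCAs`, so a server presenting a certificate outside that trust store is rejected just as strictly in the other direction.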

See the guide Configure mTLS between API7 Enterprise and Upstream for a step-by-step tutorial.
Secure Sensitive Data: Utilizing Environment Variables for SSO Configuration
Problem:
Directly embedding sensitive Single Sign-On (SSO) tokens within API7 Enterprise configuration may create security risks by exposing credentials to unauthorized users. This practice also results in operational inefficiencies, as updating or rotating tokens becomes a cumbersome, error-prone manual process.
Solution:
Using environment variables for SSO-sensitive data such as tokens provides a robust solution. It stores and references these sensitive credentials outside the application's core configuration, thus mitigating the risk of exposure and streamlining maintenance and rotation.

API7 Portal Integrates with Basic Authentication
Problem:
API7 Portal previously only supported key authentication for accessing API resources. Though effective, this single-method approach limited developers working in environments with diverse security requirements. Modern development often involves APIs demanding adaptable access controls and authentication protocols. The reliance on only one method constrained developers needing to meet specific compliance standards or integrate with systems requiring alternative security measures. This inflexibility complicated efficient API access management across different projects and security contexts.
Solution:
We've introduced Basic Authentication as an additional option within API7 Portal, which can be used concurrently with key authentication for the same API product.
This gives developers the flexibility to choose either method, or any other valid authentication credential, when accessing API resources, ensuring seamless integration with systems requiring different authentication protocols while adhering to wider compliance standards.
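What "either method for the same API product" means at the HTTP layer, as an added example that is not API7 Portal's or the gateway's code. The Go handler below accepts a consumer's API key or its HTTP Basic credentials for one resource, resolves which consumer is calling, and rejects everything else with a 401 and a Basic challenge. The header name `apikey`, the `X-Consumer-*` headers passed to the protected handler, and the two sample consumers are assumptions for the demo; SHA-256 stands in for a real password hash (bcrypt, scrypt or Argon2) only because those are not in the Go standard library.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
)

// Consumer is a developer identity registered for one API product. A consumer
// may hold an API key, a password, or both; an empty field means "not enrolled".
type Consumer struct {
	Name         string
	APIKey       string
	PasswordHash []byte // SHA-256 of the password: demo stand-in for a real password hash
}

func hash(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

// Constructed sample consumers: one per credential type.
var consumers = []Consumer{
	{Name: "mobile-app", APIKey: "mk-demo-7f2c9a"},
	{Name: "partner-batch", PasswordHash: hash("correct horse battery staple")},
}

// equal compares secrets in constant time so a near-miss is not distinguishable by timing.
func equal(a, b []byte) bool { return subtle.ConstantTimeCompare(a, b) == 1 }

// Authenticate resolves the caller from either the "apikey" header (assumed
// name) or HTTP Basic credentials. A credential that is presented but wrong is
// rejected outright; it never falls through to the other method.
func Authenticate(r *http.Request) (name, method string, ok bool) {
	if key := r.Header.Get("apikey"); key != "" {
		for _, c := range consumers {
			if c.APIKey != "" && equal([]byte(c.APIKey), []byte(key)) {
				return c.Name, "key-auth", true
			}
		}
		return "", "", false
	}
	if user, pass, has := r.BasicAuth(); has {
		for _, c := range consumers {
			if c.Name == user && len(c.PasswordHash) > 0 && equal(c.PasswordHash, hash(pass)) {
				return c.Name, "basic-auth", true
			}
		}
	}
	return "", "", false
}

// RequireAuth wraps next so unauthenticated requests get 401 plus a Basic
// challenge, and authenticated ones carry the resolved consumer in headers
// (assumed header names) for the protected handler to use.
func RequireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name, method, ok := Authenticate(r)
		if !ok {
			w.Header().Set("WWW-Authenticate", `Basic realm="api7-portal"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Header.Set("X-Consumer-Name", name)
		r.Header.Set("X-Consumer-Method", method)
		next.ServeHTTP(w, r)
	})
}

// Handler is the protected resource; it just reports who called and how.
var Handler = RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "%s via %s", r.Header.Get("X-Consumer-Name"), r.Header.Get("X-Consumer-Method"))
}))

func main() {
	// Demo listener; try it with either `-H 'apikey: mk-demo-7f2c9a'` or `-u partner-batch:...`.
	http.ListenAndServe("127.0.0.1:8080", Handler)
}
```

Two design points matter more than the plumbing: secrets are compared with `subtle.ConstantTimeCompare`, and a request that presents a wrong API key is rejected even if it also carries valid Basic credentials, so an attacker cannot use one method to probe the other.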
Refer to the documentation to learn more about how to use API7 Portal, starting with how to productize your services.
Streamlined Service Templates: Runtime Configurations Removed
To enhance template reusability across gateway groups, we've removed service runtime configurations from service templates. This breaking change simplifies the publishing process without affecting existing published services.
Problem:
Users found configuring runtime settings (upstream, host, plugins, etc.) in templates or during publishing burdensome and inefficient: the settings could not be reused across gateway groups and had to be modified separately, and frequently, for each one.
Solution:
By removing runtime configurations from templates, we've made them more reusable across gateway groups. The publishing process is now simpler, with runtime settings handled separately, streamlining your workflow while preserving existing published service configurations.

See the updated guide on publishing a service.
Getting started with API7 Enterprise 3.6.0
Want to learn more? Dive into our documentation for more technical details, starting with the API7 Enterprise 3.6.0 Release Notes.
If you have any questions about API7 Enterprise 3.6.0, reach out to us on LinkedIn or X!