Implementing centralized authentication and authorization in front of OpenShift using IBM webMethods API Gateway
The bank was running its microservices on an OpenShift (Kubernetes-based) platform, with each service handling authentication and authorization through a custom IAM integration. This approach resulted in distributed security management and limited the ability to block unauthorized requests before they reached the OpenShift environment. The organization needed a centralized security architecture to enforce access control earlier in the request flow.
IBM webMethods API Gateway was deployed on a virtual machine outside the OpenShift environment to act as a centralized API security layer. The gateway was integrated with the bank’s existing identity provider, and all OpenShift services were placed behind it. As a result, all incoming requests were authenticated and authorized before reaching OpenShift.

In the banking sector, strict security and regulatory requirements make identity and access management a critical part of microservices architectures. OpenShift, as a Kubernetes-based container platform, provides scalability and agility, but security controls must be placed at the correct architectural layer.
In this project, the customer protected its OpenShift-based microservices using a custom IAM solution embedded in each service. Over time, this increased operational complexity and made centralized security management difficult.
In the existing architecture, authentication and authorization were handled individually within each microservice running on OpenShift. Distributing security responsibilities across application code made centralized control difficult and prevented early interception of unauthorized traffic. As the number of microservices increased, this approach became increasingly hard to scale and maintain.
This architecture introduced several technical challenges:
To address these challenges, a platform-centric security architecture was adopted, decoupling security concerns from application logic. The goal was to enforce authentication and authorization at a centralized layer before traffic entered the OpenShift environment.
The following technical approach was implemented:
This architecture enabled the bank to protect its OpenShift-based microservices with a centralized and consistent security layer. Authentication and authorization were handled at the API Gateway level, reducing security risks and allowing development teams to focus on application logic. Unauthorized access was blocked before reaching the container platform.
A centralized API Gateway layer was introduced to authenticate and authorize all inbound traffic before it reached the OpenShift cluster. This ensured that security controls were enforced at a single, consistent control point.
Previously, each microservice maintained its own IAM integration, increasing development and operational complexity. By moving authentication and authorization responsibilities to the gateway, microservices were simplified and security policies were centralized.
The API Gateway was integrated with the bank’s existing enterprise Identity Provider. As a result, the OpenShift cluster was fully protected from unauthorized access, and security enforcement became easier to manage and audit.
Decoupling security from application code was a key objective for us. By introducing IBM webMethods API Gateway in front of OpenShift, we centralized authentication and authorization while significantly reducing the burden on our microservice teams.