Securing Genesis API

The Genesis API service endpoints are configured to use HTTP bindings by default. If necessary, the service endpoints can be secured with SSL, so that they are served over HTTPS.

Securing Data in Transit

  1. Obtain an SSL certificate for your host from a certificate authority, or use a self-signed certificate in a test environment.
  2. Set up SSL in IIS for the Genesis API application using IIS Manager. 
  3. Open bindings.config in the Genesis API application root directory. This file contains WCF binding configurations for transport security:
    1. wsHttpTransportSecurity for SOAP endpoints.
    2. webHttpTransportSecurity for REST endpoints.
  4. Open services.config in the Genesis API application root directory.
  5. Add a bindingConfiguration attribute to all REST endpoints with the value "webHttpTransportSecurity". 

    REST Endpoint Example
    <!-- IFoodAnalysisQueryService REST Service -->
    <service name="Esha.Genesis.Services.Rest.FoodAnalysisQueryRestService">
      <endpoint address=""
                binding="webHttpBinding"
                bindingConfiguration="webHttpTransportSecurity"
                contract="Esha.Genesis.Services.IFoodAnalysisQueryService"
                behaviorConfiguration="jsonBehavior" />
    </service>
  6. Set the bindingConfiguration attribute of all SOAP endpoints to the value "wsHttpTransportSecurity".

    SOAP Endpoint Example
    <!-- IFoodAnalysisQueryService SOAP Service -->
    <service name="Esha.Genesis.Services.Soap.FoodAnalysisQuerySoapService">
      <endpoint address=""
                binding="wsHttpBinding"
                bindingNamespace="http://ns.esha.com/2013/genesisapi"
                bindingConfiguration="wsHttpTransportSecurity"
                contract="Esha.Genesis.Services.IFoodAnalysisQueryService"
                behaviorConfiguration="Esha.Genesis.Services.Soap.FoodAnalysisQuerySoapService" />
      <endpoint address="mex"
                binding="mexHttpBinding"
                contract="IMetadataExchange" />
    </service>
  7. Save and close services.config. 

  8. Open service endpoints in a browser using HTTPS to verify setup is complete.

User Authentication

Many of our customers use Basic Authentication. This is the method ESHA employs for our customers using the API in ESHA Cloud. This MS Doc may help with the changes that need to be made in IIS for Basic Authentication to be set up correctly.

As part of this, the bindings.config and services.config files in the API installation directory will need to be changed.

For REST, the changes in bindings.config should look like:

REST bindings.config
    <!-- Binding configurations for REST endpoint -->
    <webHttpBinding>
        <binding name="webHttpNoSecurity" maxReceivedMessageSize="2147483647">
            <security mode="None" />
        </binding>

        <binding name="webHttpTransportSecurity" maxReceivedMessageSize="2147483647">
            <security mode="Transport">
                <transport clientCredentialType="Basic" />
            </security>
        </binding>
    </webHttpBinding>

and services.config should look like:

REST services.config
    <service name="Esha.Genesis.Services.Rest.LabelImageRestService">
        <endpoint address=""
                  binding="webHttpBinding"
                  bindingConfiguration="webHttpTransportSecurity"
                  contract="Esha.Genesis.Services.ILabelImageService"
                  behaviorConfiguration="jsonBehavior" />
    </service>
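
The transport-security steps and the Basic Authentication bindings above can be checked together. The following is an added example, not part of the ESHA documentation or the Genesis API code: a Python check that lists every endpoint in services.config that is not attached to a binding configuration with security mode "Transport". The sample XML is constructed; the `<bindings>`/`<services>` root elements, the service `Example.ConstructedService` and the `webHttpCredentialOnly` binding are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample input modelled on the page's snippets. The <bindings>/<services> roots,
# Example.ConstructedService and the webHttpCredentialOnly binding are assumptions.
BINDINGS = """<bindings><webHttpBinding>
  <binding name="webHttpNoSecurity"><security mode="None" /></binding>
  <binding name="webHttpTransportSecurity"><security mode="Transport">
    <transport clientCredentialType="Basic" /></security></binding>
  <binding name="webHttpCredentialOnly"><security mode="TransportCredentialOnly">
    <transport clientCredentialType="Basic" /></security></binding>
</webHttpBinding></bindings>"""

SERVICES = """<services>
  <service name="Esha.Genesis.Services.Rest.LabelImageRestService">
    <endpoint binding="webHttpBinding" bindingConfiguration="webHttpTransportSecurity" /></service>
  <service name="Esha.Genesis.Services.Rest.FoodAnalysisQueryRestService">
    <endpoint binding="webHttpBinding" /></service>
  <service name="Example.ConstructedService">
    <endpoint binding="webHttpBinding" bindingConfiguration="webHttpCredentialOnly" /></service>
</services>"""

def binding_security(bindings_xml):
    """Map (binding type, configuration name) -> (security mode, credential type)."""
    table = {}
    for group in ET.fromstring(bindings_xml).iter():
        for b in group.findall("binding"):
            sec, tr = b.find("security"), b.find("security/transport")
            table[group.tag, b.get("name")] = (
                sec.get("mode") if sec is not None else None,
                tr.get("clientCredentialType") if tr is not None else None)
    return table

def audit(bindings_xml, services_xml):
    """Return (service, problem) for each endpoint not bound to security mode Transport."""
    sec, findings = binding_security(bindings_xml), []
    for svc in ET.fromstring(services_xml).iter("service"):
        for ep in svc.findall("endpoint"):
            binding, cfg = ep.get("binding", ""), ep.get("bindingConfiguration")
            mode, cred = sec.get((binding, cfg), (None, None))
            if binding.startswith("mex"):
                continue  # metadata endpoints are left as the page shows them
            if (binding, cfg) not in sec:
                findings.append((svc.get("name"), f"bindingConfiguration={cfg!r} is not defined for {binding}"))
            elif mode != "Transport":
                risk = "; Basic credentials would be sent without TLS" if (mode, cred) == ("TransportCredentialOnly", "Basic") else ""
                findings.append((svc.get("name"), f"{cfg} uses security mode {mode}{risk}"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{s}: {p}" for s, p in audit(BINDINGS, SERVICES)))
```

To check an installation, pass the text of bindings.config and services.config from the Genesis API application root directory to `audit()`; an empty result means every non-metadata endpoint references a Transport-mode binding.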