Configuring a Distributed API-M Deployment with Key Manager Separated from the Control Plane¶
The WSO2 API-M server can be deployed as an all-in-one deployment or as a distributed deployment. In the distributed setup, the API-M server profiles are deployed as separate API-M nodes.
Given below are the API-M nodes you can have in a distributed deployment.
Tip
To enable high availability, you need a minimum of two nodes running each profile.
API-M Node (Profile) | Description |
---|---|
Gateway Worker Node | API-M nodes running the Gateway profile. |
Control Plane Node | API-M nodes running the Control Plane profile. The Control Plane includes the Traffic Manager, Key Manager, Publisher, and Developer Portal components. |
Key Manager Node (Optional) | If required you can configure a separate API-M node to run the Key Manager component. That is, the Control Plane nodes run the Traffic Manager, Publisher, and Developer Portal, while the Key Manager runs on a separate node. |
Step 1 - Install WSO2 API-M¶
To install and set up the API-M servers:
- Download the WSO2 API Manager.
- Create copies of the API-M distribution for the individual profiles.
Step 2 - Install and configure the databases¶
You can create the required databases for the API-M deployment in a separate server and point to the databases from the respective nodes.
For information, see Installing and Configuring the Databases.
Step 3 - Configure your deployment with production hardening¶
Ensure that you have taken into account the respective security hardening factors (e.g., changing and encrypting the default passwords, configuring JVM security, etc.) before deploying WSO2 API-M.
For more information, see Production Deployment Guidelines.
Step 4 - Create and import SSL certificates¶
Create an SSL certificate for each of the WSO2 API-M nodes and import them to the keystore and the truststore. This ensures that hostname mismatch issues in the certificates will not occur.
Note
The same primary keystore should be used for all API Manager instances to decrypt the registry resources. For more information, see Configuring the Primary Keystore.
For more information, see Creating SSL Certificates.
Step 5 - Configure API-M Analytics¶
API Manager Analytics is delivered via the API Manager Analytics cloud solution. You need to configure the API Manager Gateway to publish analytics data to the cloud.
See the instructions on configuring the API Gateway with the cloud-based analytics solution.
Step 6 - Configure and start the profiles¶
Let's configure the API-M nodes in the deployment.
Configure the Key Manager nodes¶
Follow the steps given below to configure the Key Manager nodes to communicate with the Control Plane.
-
Open the
<API-M_HOME>/repository/conf/deployment.toml
file of the Key Manager node. -
Add the following configurations to the deployment.toml file.
# Event Listener configurations [[event_listener]] id = "token_revocation" type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" name = "org.wso2.is.notification.ApimOauthEventInterceptor" order = 1 [event_listener.properties] notification_endpoint = "https://[control-plane-LB-host]/internal/data/v1/notify" username = "${admin.username}" password = "${admin.password}" 'header.X-WSO2-KEY-MANAGER' = "default" # Traffic Manager configurations [apim.throttling] username= "$ref{super_admin.username}" password= "$ref{super_admin.password}" service_url = "https://[control-plane-LB-host]/services/" throttle_decision_endpoints = ["tcp://control-plane-1-host:5672", "tcp://control-plane-2-host:5672"] [[apim.throttling.url_group]] traffic_manager_urls = ["tcp://control-plane-1-host:9611"] traffic_manager_auth_urls = ["ssl://control-plane-1-host:9711"] [[apim.throttling.url_group]] traffic_manager_urls = ["tcp://control-plane-2-host:9611"] traffic_manager_auth_urls = ["ssl://control-plane-2-host:9711"]
# Event Listener configurations [[event_listener]] id = "token_revocation" type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" name = "org.wso2.is.notification.ApimOauthEventInterceptor" order = 1 [event_listener.properties] notification_endpoint = "https://[control-plane-host]:${mgt.transport.https.port}/internal/data/v1/notify" username = "${admin.username}" password = "${admin.password}" 'header.X-WSO2-KEY-MANAGER' = "default" # Traffic Manager configurations [apim.throttling] username= "$ref{super_admin.username}" password= "$ref{super_admin.password}" service_url = "https://control-plane-host:9443/services/" throttle_decision_endpoints = ["tcp://control-plane-host:5672"] [[apim.throttling.url_group]] traffic_manager_urls=["tcp://control-plane-host:9611"] traffic_manager_auth_urls=["ssl://control-plane-host:9711"]
-
If required, encrypt the Auth Keys (access tokens, client secrets, and authorization codes), see Encrypting OAuth Keys.
-
Follow the steps given below to configure High Availability (HA) for the Key Manager nodes:
-
Create a copy of the API-M Key Manager node that you just configured. This is the second node of the API-M Key Manager cluster.
-
Configure a load balancer fronting the two Key Manager nodes in your deployment. For instructions, see Configuring the Proxy Server and the Load Balancer.
-
Sample configuration for the Key Manager¶
[server]
hostname = "km.wso2.com"
server_role = "control-plane"
[user_store]
type = "database_unique_id"
[super_admin]
username = "admin"
password = "admin"
create_admin_account = true
[database.apim_db]
type = "mysql"
hostname = "db.wso2.com"
name = "apimgt_db"
port = "3306"
username = "apiadmin"
password = "apimadmin"
[database.shared_db]
type = "mysql"
hostname = "db.wso2.com"
name = "shared_db"
port = "3306"
username = "apimadmin"
password = "apimadmin"
[keystore.tls]
file_name = "wso2carbon.jks"
type = "JKS"
password = "wso2carbon"
alias = "wso2carbon"
key_password = "wso2carbon"
[truststore]
file_name = "client-truststore.jks"
type = "JKS"
password = "wso2carbon"
[[event_handler]]
name="userPostSelfRegistration"
subscriptions=["POST_ADD_USER"]
[[event_listener]]
id = "token_revocation"
type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler"
name = "org.wso2.is.notification.ApimOauthEventInterceptor"
order = 1
[event_listener.properties]
notification_endpoint = "https://[control-plane-LB-host]/internal/data/v1/notify"
username = "${admin.username}"
password = "${admin.password}"
'header.X-WSO2-KEY-MANAGER' = "default"
# Traffic Manager configurations
[apim.throttling]
username= "$ref{super_admin.username}"
password= "$ref{super_admin.password}"
service_url = "https://[control-plane-LB-host]/services/"
throttle_decision_endpoints = ["tcp://control-plane-1-host:5672", "tcp://control-plane-2-host:5672"]
[[apim.throttling.url_group]]
traffic_manager_urls = ["tcp://control-plane-1-host:9611"]
traffic_manager_auth_urls = ["ssl://control-plane-1-host:9711"]
[[apim.throttling.url_group]]
traffic_manager_urls = ["tcp://control-plane-2-host:9611"]
traffic_manager_auth_urls = ["ssl://control-plane-2-host:9711"]
[server]
hostname = "km.wso2.com"
server_role = "control-plane"
[user_store]
type = "database_unique_id"
[super_admin]
username = "admin"
password = "admin"
create_admin_account = true
[database.apim_db]
type = "mysql"
hostname = "db.wso2.com"
name = "apimgt_db"
port = "3306"
username = "apiadmin"
password = "apimadmin"
[database.shared_db]
type = "mysql"
hostname = "db.wso2.com"
name = "shared_db"
port = "3306"
username = "apimadmin"
password = "apimadmin"
[keystore.tls]
file_name = "wso2carbon.jks"
type = "JKS"
password = "wso2carbon"
alias = "wso2carbon"
key_password = "wso2carbon"
[truststore]
file_name = "client-truststore.jks"
type = "JKS"
password = "wso2carbon"
[[event_handler]]
name="userPostSelfRegistration"
subscriptions=["POST_ADD_USER"]
[[event_listener]]
id = "token_revocation"
type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler"
name = "org.wso2.is.notification.ApimOauthEventInterceptor"
order = 1
[event_listener.properties]
notification_endpoint = "https://cp.wso2.com:9443/internal/data/v1/notify"
username = "${admin.username}"
password = "${admin.password}"
'header.X-WSO2-KEY-MANAGER' = "default"
# Traffic Manager configurations
[apim.throttling]
username= "$ref{super_admin.username}"
password= "$ref{super_admin.password}"
service_url = "https://cp.wso2.com:9443/services/"
throttle_decision_endpoints = ["tcp://cp.wso2.com:5672"]
[[apim.throttling.url_group]]
traffic_manager_urls=["tcp://cp.wso2.com:9611"]
traffic_manager_auth_urls=["ssl://cp.wso2.com:9711"]
Configure the Gateway nodes¶
Configure the Gateway to communicate with the Control Plane and the Key Manager nodes.
Follow the instructions given below to configure the Gateway node so that it can communicate with the Control Plane node:
-
Open the
<API-M_HOME>/repository/conf/deployment.toml
file of the Gateway node. -
Add the following configurations to the deployment.toml file.
-
Connecting the Gateway to the Control Plane node:
# Event Hub configurations [apim.event_hub] enable = true username = "$ref{super_admin.username}" password = "$ref{super_admin.password}" service_url = "https://[control-plane-LB-host]/services/" event_listening_endpoints = ["tcp://control-plane-1-host:5672", "tcp://control-plane-2-host:5672"] # Traffic Manager configurations [apim.throttling] throttle_decision_endpoints = ["tcp://control-plane-1-host:5672", "tcp://control-plane-2-host:5672"] [[apim.throttling.url_group]] traffic_manager_urls = ["tcp://control-plane-1-host:9611"] traffic_manager_auth_urls = ["ssl://control-plane-1-host:9711"] [[apim.throttling.url_group]] traffic_manager_urls = ["tcp://control-plane-2-host:9611"] traffic_manager_auth_urls = ["ssl://control-plane-2-host:9711"]
# Event Hub configurations [apim.event_hub] enable = true username = "$ref{super_admin.username}" password = "$ref{super_admin.password}" service_url = "https://[control-plane-host]:${mgt.transport.https.port}/services/" event_listening_endpoints = ["tcp://control-plane-host:5672"] # Traffic Manager configurations [apim.throttling] throttle_decision_endpoints = ["tcp://control-plane-host:5672"] [[apim.throttling.url_group]] traffic_manager_urls = ["tcp://control-plane-host:9611"] traffic_manager_auth_urls = ["ssl://control-plane-host:9711"]
Info
Event hub configuration is used to retrieve Gateway artifacts. Using
event_listening_endpoints
, the Gateway will create a JMS connection with the event hub that is then used to subscribe for API/Application/Subscription and Key Manager operations-related events. Theservice_url
points to the internal API that resides in the event hub that is used to pull artifacts and information from the database.- Connecting the Gateway to the Key Manager node:
-
Add the following configurations to the deployment.toml file to configure the Gateway environment. Change the
gateway_labels
property based on your Gateway environment.Info
Once an API is deployed/undeployed, the Control Plane will send a deploy/undeploy event to the Gateways. Using this configuration, the Gateway will filter out its relevant deploy/undeploy events and retrieve the artifacts.
-
Enable JSON Web Token (JWT) if required. For instructions, see Generating JSON Web Token.
-
Add the public certificate of the private key (that is used for signing the tokens) to the truststore under the "gateway_certificate_alias" alias. For instructions, see Create and import SSL certificates.
Note
This is not applicable if you use the default certificates, which are the certificates that are shipped with the product itself.
-
Follow the steps given below to configure High Availability (HA) for the API-M Gateway:
-
Create a copy of the API-M Gateway node that you just configured. This is the second node of the API-M Gateway cluster.
-
Configure a load balancer fronting the two Gateway nodes in your deployment. For instructions, see Configuring the Proxy Server and the Load Balancer.
Note
To keep custom runtime artifacts deployed in the Gateway, add the following configuration in the
<API-M_HOME>/repository/conf/deployment.toml
file of the Gateway nodes. -
Open the
deployment.toml
files of each Gateway node and add the cluster hostname. For example, if the hostname isgw.am.wso2.com
the configuration will be: -
Specify the following incoming connection configurations in the
deployment.toml
files of both nodes. -
Open the server's
/etc/hosts
file and map the hostnames to IPs.Format:
Example:
-
Sample configuration for the Gateway¶
[server]
hostname = "gw.wso2.com"
node_ip = "127.0.0.1"
server_role = "gateway-worker"
[user_store]
type = "database_unique_id"
[super_admin]
username = "admin"
password = "admin"
create_admin_account = true
[database.shared_db]
type = "mysql"
hostname = "db.wso2.com"
name = "shared_db"
port = "3306"
username = "sharedadmin"
password = "sharedadmin"
[keystore.tls]
file_name = "wso2carbon.jks"
type = "JKS"
password = "wso2carbon"
alias = "wso2carbon"
key_password = "wso2carbon"
[truststore]
file_name = "client-truststore.jks"
type = "JKS"
password = "wso2carbon"
[transport.http]
properties.port = 9763
properties.proxyPort = 80
[transport.https]
properties.port = 9443
properties.proxyPort = 443
# key manager implementation
[apim.key_manager]
service_url = "https://km.am.wso2.com/services/"
[apim.sync_runtime_artifacts.gateway]
gateway_labels =["Default"]
# Event Hub configurations
[apim.event_hub]
enable = true
username = "$ref{super_admin.username}"
password = "$ref{super_admin.password}"
service_url = "https://cp.am.wso2.com/services/"
event_listening_endpoints = ["tcp://apim-cp-1:5672", "tcp://apim-cp-2:5672"]
# Traffic Manager configurations
[apim.throttling]
throttle_decision_endpoints = ["tcp://apim-cp-1:5672", "tcp://apim-cp-2:5672"]
[[apim.throttling.url_group]]
traffic_manager_urls=["tcp://apim-cp-1:9611"]
traffic_manager_auth_urls=["ssl://apim-cp-1:9711"]
[[apim.throttling.url_group]]
traffic_manager_urls=["tcp://apim-cp-2:9611"]
traffic_manager_auth_urls=["ssl://apim-cp-2:9711"]
[server]
hostname = "gw.wso2.com"
node_ip = "127.0.0.1"
server_role = "gateway-worker"
offset=0
[user_store]
type = "database_unique_id"
[super_admin]
username = "admin"
password = "admin"
create_admin_account = true
[database.shared_db]
type = "h2"
url = "jdbc:h2:./repository/database/WSO2SHARED_DB;DB_CLOSE_ON_EXIT=FALSE"
username = "wso2carbon"
password = "wso2carbon"
[keystore.tls]
file_name = "wso2carbon.jks"
type = "JKS"
password = "wso2carbon"
alias = "wso2carbon"
key_password = "wso2carbon"
[truststore]
file_name = "client-truststore.jks"
type = "JKS"
password = "wso2carbon"
# Key Manager configuration
[apim.key_manager]
service_url = "https://km.wso2.com:9443/services/"
username = "$ref{super_admin.username}"
password = "$ref{super_admin.password}"
# Traffic Manager configurations
[apim.throttling]
throttle_decision_endpoints = ["tcp://cp.wso2.com:5672"]
[[apim.throttling.url_group]]
traffic_manager_urls=["tcp://cp.wso2.com:9611"]
traffic_manager_auth_urls=["ssl://cp.wso2.com:9711"]
# Event Hub configurations
[apim.event_hub]
enable = true
username = "$ref{super_admin.username}"
password = "$ref{super_admin.password}"
service_url = "https://cp.wso2.com:9443/services/"
event_listening_endpoints = ["tcp://cp.wso2.com:5672"]
[apim.sync_runtime_artifacts.gateway]
gateway_labels =["Default"]
Configure the Control Plane nodes¶
Follow the steps given below to configure the Control Plane nodes to communicate with the Gateway and the Key Manager.
-
Open the
<API-M_HOME>/repository/conf/deployment.toml
file of the Control Plane node. -
Add the following configurations to the deployment.toml file.
Connecting the Control Plane to the Key Manager node:
Connecting the Control Plane to the Gateway node:
[[apim.gateway.environment]] name = "Default" type = "hybrid" display_in_api_console = true description = "This is a hybrid gateway that handles both production and sandbox token traffic." show_as_token_endpoint_url = true service_url = "https://[api-gateway-LB-host]/services/" ws_endpoint = "ws://[api-gateway-LB-host-or-ip]:9099" wss_endpoint = "wss://[api-gateway-LB-host-or-ip]:8099" http_endpoint = "http://[api-gateway-LB-host]" https_endpoint = "https://[api-gateway-LB-host]"
[[apim.gateway.environment]] name = "Default" type = "hybrid" display_in_api_console = true description = "This is a hybrid gateway that handles both production and sandbox token traffic." show_as_token_endpoint_url = true service_url = "https://[api-gateway-host]:9443/services/" ws_endpoint = "ws://[api-gateway-host]:9099" wss_endpoint = "wss://[api-gateway-host]:8099" http_endpoint = "http://[api-gateway-host]:${http.nio.port}" https_endpoint = "https://[api-gateway-host]:${https.nio.port}"
Info
This configuration is used for deploying APIs to the Gateway and for connecting the Developer Portal component to the Gateway if the Gateway is shared across tenants. If the Gateway is not used in multiple tenants, you can create a Gateway Environment using the Admin Portal.
Note that in the above configurations, the
service_url
points to the9443
port of the Gateway node, whilehttp_endpoint
andhttps_endpoint
points to thehttp
andhttps nio ports
(8280 and 8243).Add Event Hub Configurations:
Info
Enabling TLS/SSL for event hub JMS communications
If required, you can enable TLS/SSL for the JMS communications of event hub. Update your event hub configurations to include the following for this purpose.
To enable secure broker connections add the following configuration to the Control Plane node.[apim.event_hub] enable = true jms.username = "<username>" jms.password = "<password>" jms.ssl = "true'&ssl_cert_alias='<certificate_alias_in_truststore>'&trust_store='<path_to_trust_store>'&trust_store_password='<truststore_password>'&key_store='<path_to_key_store>'&key_store_password='<keystore_password>" ssl = "true'&ssl_cert_alias='<certificate_alias_in_truststore>'&trust_store='<path_to_trust_store>'&trust_store_password='<truststore_password>'&key_store='<path_to_key_store>'&key_store_password='<keystore_password>" event_listening_endpoints = ["tcp://control-plane-host:8672"]
[broker.transport.amqp.ssl_connection] enabled = true port = 8672 ssl_enabled_protocols = "TLSv1,TLSv1.2" ciphers = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" [broker.transport.amqp.ssl_connection.keystore] location = "repository/resources/security/wso2carbon.jks" password = "wso2carbon" cert_type = "SunX509" [broker.transport.amqp.ssl_connection.truststore] location = "repository/resources/security/client-truststore.jks" password = "wso2carbon" cert_type = "SunX509"
# Event Hub configurations [apim.event_hub] enable = true username= "$ref{super_admin.username}" password= "$ref{super_admin.password}" service_url = "https://localhost:${mgt.transport.https.port}/services/" event_listening_endpoints = ["tcp://localhost:5672"] event_duplicate_url = ["tcp://apim-cp-2:5672"] [[apim.event_hub.publish.url_group]] urls = ["tcp://control-plane-1-host:9611"] auth_urls = ["ssl://control-plane-1-host:9711"] [[apim.event_hub.publish.url_group]] urls = ["tcp://control-plane-2-host:9611"] auth_urls = ["ssl://control-plane-2-host:9711"]
# Event Hub configurations [apim.event_hub] enable = true username= "$ref{super_admin.username}" password= "$ref{super_admin.password}" service_url = "https://localhost:${mgt.transport.https.port}/services/" event_listening_endpoints = ["tcp://localhost:5672"] [[apim.event_hub.publish.url_group]] urls = ["tcp://control-plane-host:9611"] auth_urls = ["ssl://control-plane-host:9711"]
Info
As there are two event hubs in a HA setup, each event hub has to publish events to both event streams. This will be done through the event streams created with
apim.event_hub.publish.url_group
. The token revocation events that are received to an event hub will be duplicated to the other event hub usingevent_duplicate_url
. -
If required, encrypt the Auth Keys (access tokens, client secrets, and authorization codes), see Encrypting OAuth Keys.
-
Optionally, add the following configuration to enable distributed cache invalidation within the Control Plane nodes.
-
Follow the steps given below to configure High Availability (HA) for the Control Plane:
-
Create a copy of the API-M Control Plane node that you just configured. This is the second node of the API-M Control Plane cluster.
-
Configure a load balancer fronting the two Control Plane nodes in your deployment. For instructions, see Configuring the Proxy Server and the Load Balancer.
-
Sample configuration for the Control Plane¶
[server]
hostname = "api.am.wso2.com"
node_ip = "127.0.0.1"
server_role="control-plane"
base_path = "${carbon.protocol}://${carbon.host}:${carbon.management.port}"
[user_store]
type = "database_unique_id"
[super_admin]
username = "admin"
password = "admin"
create_admin_account = true
[database.apim_db]
type = "mysql"
hostname = "db.wso2.com"
name = "apim_db"
port = "3306"
username = "apimadmin"
password = "apimadmin"
[database.shared_db]
type = "mysql"
hostname = "db.wso2.com"
name = "shared_db"
port = "3306"
username = "sharedadmin"
password = "sharedadmin"
[keystore.tls]
file_name = "wso2carbon.jks"
type = "JKS"
password = "wso2carbon"
alias = "wso2carbon"
key_password = "wso2carbon"
[truststore]
file_name = "client-truststore.jks"
type = "JKS"
password = "wso2carbon"
[[apim.gateway.environment]]
name = "Default"
type = "hybrid"
display_in_api_console = true
description = "This is a hybrid gateway that handles both production and sandbox token traffic."
show_as_token_endpoint_url = true
service_url = "https://[api-gateway-LB-host]/services/"
ws_endpoint = "ws://[api-gateway-LB-host]:9099"
wss_endpoint = "wss://[api-gateway-LB-host]:8099"
http_endpoint = "http://[api-gateway-LB-host]"
https_endpoint = "https://[api-gateway-LB-host]"
[apim.devportal]
url = "https://api.am.wso2.com/devportal"
[transport.https.properties]
proxyPort = 443
[apim.cors]
allow_origins = "*"
allow_methods = ["GET","PUT","POST","DELETE","PATCH","OPTIONS"]
allow_headers = ["authorization","Access-Control-Allow-Origin","Content-Type","SOAPAction","apikey","Internal-Key"]
allow_credentials = false
# Event Hub configurations
[apim.event_hub]
enable = true
username = "$ref{super_admin.username}"
password = "$ref{super_admin.password}"
service_url = "https://api.am.wso2.com/services/"
event_listening_endpoints = ["tcp://localhost:5672"]
event_duplicate_url = ["tcp://apim-cp-2:5672"]
[[apim.event_hub.publish.url_group]]
urls = ["tcp://apim-cp-1:9611"]
auth_urls = ["ssl://apim-cp-1:9711"]
[[apim.event_hub.publish.url_group]]
urls = ["tcp://apim-cp-2:9611"]
auth_urls = ["ssl://apim-cp-2:9711"]
# key manager implementation
[apim.key_manager]
service_url = "https://[key-manager-LB-host]/services/"
username= "$ref{super_admin.username}"
password= "$ref{super_admin.password}"
[[event_listener]]
id = "token_revocation"
type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler"
name = "org.wso2.is.notification.ApimOauthEventInterceptor"
order = 1
[event_listener.properties]
notification_endpoint = "https://localhost:${mgt.transport.https.port}/internal/data/v1/notify"
username = "${admin.username}"
password = "${admin.password}"
'header.X-WSO2-KEY-MANAGER' = "default"
[server]
hostname = "cp.wso2.com"
node_ip = "127.0.0.1"
server_role = "control-plane"
offset=0
[user_store]
type = "database_unique_id"
[super_admin]
username = "admin"
password = "admin"
create_admin_account = true
[database.apim_db]
type = "mysql"
hostname = "db.wso2.com"
name = "apim_db"
port = "3306"
username = "apimadmin"
password = "apimadmin"
[database.shared_db]
type = "mysql"
hostname = "db.wso2.com"
name = "shared_db"
port = "3306"
username = "sharedadmin"
password = "sharedadmin"
[keystore.tls]
file_name = "wso2carbon.jks"
type = "JKS"
password = "wso2carbon"
alias = "wso2carbon"
key_password = "wso2carbon"
[apim.devportal]
url = "https://cp.wso2.com:9443/devportal"
# key manager implementation
[apim.key_manager]
service_url = "https://km.wso2.com:9443/services/"
username= "$ref{super_admin.username}"
password= "$ref{super_admin.password}"
# Gateway configuration
[[apim.gateway.environment]]
name = "Default"
type = "hybrid"
display_in_api_console = true
description = "This is a hybrid gateway that handles both production and sandbox token traffic."
show_as_token_endpoint_url = true
service_url = "https://gw.wso2.com:9443/services/"
username= "${admin.username}"
password= "${admin.password}"
ws_endpoint = "ws://gw.wso2.com:9099"
wss_endpoint = "wss://gw.wso2.com:8099"
http_endpoint = "http://gw.wso2.com:8280"
https_endpoint = "https://gw.wso2.com:8243"
# Event Listener configurations
[[event_listener]]
id = "token_revocation"
type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler"
name = "org.wso2.is.notification.ApimOauthEventInterceptor"
order = 1
[event_listener.properties]
notification_endpoint = "https://localhost:${mgt.transport.https.port}/internal/data/v1/notify"
username = "${admin.username}"
password = "${admin.password}"
'header.X-WSO2-KEY-MANAGER' = "default"
# Event Hub configurations
[apim.event_hub]
enable = true
username = "$ref{super_admin.username}"
password = "$ref{super_admin.password}"
service_url = "https://cp.wso2.com:9443/services/"
event_listening_endpoints = ["tcp://cp.wso2.com:5672"]
[[apim.event_hub.publish.url_group]]
urls = ["tcp://cp.wso2.com:9611"]
auth_urls = ["ssl://cp.wso2.com:9711"]
Step 7 - Start the API-M nodes¶
Once you have successfully configured all the API-M nodes in the deployment, you can start the servers.
-
Start the Key Manager nodes
Open a terminal, navigate to the
<API-M-KEY-MANAGER-HOME>/bin
folder, and execute the following command: -
Starting the Gateway nodes
Open a terminal, navigate to the
<API-M-GATEWAY-HOME>/bin
folder, and execute the following command: -
Start the Control Plane nodes
Open a terminal, navigate to the
<API-M-CONTROL-PLANE-HOME>/bin
folder, and execute the following command:
For more information on starting API-M profiles, see API-M Profiles.