Skip to content

Production Deployment Checklist

Given below is a checklist that will guide you to set up your production environment for WSO2 API-M.

Guideline Details
Security hardening

Guidelines for hardening the security of a WSO2 deployment in a production environment can be discussed under three high-level categories:

  • Product-level security
  • OS-level security
  • Network-level security

Hostname
By default, WSO2 products identify the hostname of the current machine through the Java API. However, it is recommended to configure the hostname by setting the hostname parameter in the deployment.toml file.
[server]
hostname="localhost"
Related links
Registry and governance

The API-M runtime uses a database registry for persistent storage of configurations. It is recommended to switch to a database like Oracle, MySQL, or MSSQL.

Note that the default setup does not include database backup procedures. The production setup should obviously need to have regular database backup procedures configured.

Performance Tuning

Most of the performance tuning recommendations are common to all WSO2 products. However, each WSO2 product may have additional guidelines for optimizing the performance of product-specific features.

  • Performance Tuning - WSO2 API-M runtime
  • Performance tuning - WSO2 Micro Integrator
Firewalls

The following ports must be accessed when operating within a firewall:

API-M Ports
  • 9443 - Used by the management console and services that use the servlet transport.
  • 9763 - Used by the services that use servlet transport.
  • 9999 - Used for JMX monitoring.
  • 8280 - Default HTTP port used by ESB for proxy services.
  • 8243 - Default HTTPS port used by ESB for proxy services.
Micro Integrator Ports
  • 8290 - Default HTTP port used by the Micro Integrator for proxy services and APIs.
  • 8253 - Default HTTPS port used by the Micro Integrator for proxy services and APIs.
  • 9164 - Default HTTPS port used by the Micro Integrator Management APIs.
Proxy servers If the runtime is hosted behind a proxy such as ApacheHTTPD, you can configure the runtime to use the proxy server. See the following topics for instructions:
HTTP header size

Starting from U2 update level 35, the default value of maxHttpHeaderSize on both the HTTP and HTTPS connectors in <API-M_HOME>/repository/conf/tomcat/catalina-server.xml is 32 KB (32768 bytes), increased from the previous default of 8 KB (8192 bytes).

This value must not be set to less than 32 KB (32768 bytes), specifically on the API Control Plane (ACP) node in a distributed deployment (or on the single node in an all-in-one deployment), if Multi-Option Authentication is used for portal (Publisher, DevPortal, Admin) logins in federated authentication flows.

If set lower, the /commonauth redirect from the external Identity Provider carries the full OAuth scope list in the request URI, and the combined size of the request line and headers exceeds the buffer. Tomcat then rejects the request with a 400 Bad Request or 414 Request-URI Too Long error, breaking the federated login flow.

If you need to override the value via deployment.toml, keep it at or above the default:

[transport.http.properties]
maxHttpHeaderSize = 32768

[transport.https.properties]
maxHttpHeaderSize = 32768

If a reverse proxy, load balancer, ingress controller, or CDN is deployed in front of API-M, ensure its header and URL size limits are also aligned to at least 32 KB — otherwise the request will be rejected at the front tier before it reaches API-M.

High availability

Configure your deployment with high availability. Refer the recommended deployment patterns and select an option that fits your requirements.

In the cloud native deployment, high availability should be achieved via the container orchestration system (Kubernetes).

Data backup and archiving Implement a backup and recovery strategy for your system.