WSO2 API Manager


WSO2 API Manager: Download from WSO2

Basic Functionality

Simple Startup

Start as is: unzip and run the start script.

mh@Aspire756:~/work/wso2am-1.3.1/bin$ ./wso2server.sh 
...
[2013-04-15 20:27:11,413]  INFO - CarbonCoreActivator Starting WSO2 Carbon...
...
[2013-04-15 20:27:29,343]  INFO - PassThroughHttpSSLListener Pass-through HTTPS Listener started on port : 8243
[2013-04-15 20:27:29,343]  INFO - PassThroughHttpListener Starting Pass-through HTTP Listener...
[2013-04-15 20:27:29,346]  INFO - PassThroughHttpListener Pass-through HTTP Listener started on port : 8280
[2013-04-15 20:27:29,467]  INFO - RegistryEventingServiceComponent Successfully Initialized Eventing on Registry
[2013-04-15 20:27:30,315]  INFO - JMXServerManager JMX Service URL  : service:jmx:rmi://localhost:11111/jndi/rmi://localhost:9999/jmxrmi
[2013-04-15 20:27:30,315]  INFO - StartupFinalizerServiceComponent Server           :  WSO2 API Manager-1.3.1
[2013-04-15 20:27:30,316]  INFO - StartupFinalizerServiceComponent WSO2 Carbon started in 29 sec
[2013-04-15 20:27:30,768]  INFO - CarbonUIServiceComponent Mgt Console URL  : https://localhost:9443/carbon/
[2013-04-15 20:27:30,769]  INFO - CarbonUIServiceComponent API Publisher Default Context : http://localhost:9763/publisher
[2013-04-15 20:27:30,769]  INFO - CarbonUIServiceComponent API Store Default Context : http://localhost:9763/store

This as-is configuration uses an embedded H2 database.

Publish

WSO2AM-Publish.png

Subscribe

WSO2AM-Subscribe.png

Configuration

Works only with Sun JDK

OpenJDK causes: PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID

Switch JVM:

sudo update-alternatives --config java

Switch JVM temporarily

export PATH=/opt/Oracle_Java/jdk1.7.0_17/bin/:$PATH
export JAVA_HOME=/opt/Oracle_Java/jdk1.7.0_17/

DB

Download the mysql-connector.jar and copy it to repository/components/lib

mysql

 create database wso2am_umdb;
 grant all on wso2am_umdb.* TO wso2am@localhost identified by "secret";
 use wso2am_umdb;
 source mysql.sql;
 
 create database wso2am_regdb;
 grant all on wso2am_regdb.* TO wso2am@localhost identified by "secret";
 use wso2am_regdb;
 source mysql.sql;
 
 create database wso2am_apimgtdb;
 grant all on wso2am_apimgtdb.* TO wso2am@localhost identified by "secret";
 use wso2am_apimgtdb;
 source mysql.sql;

Distributed Deployment

ref

Master Registry Node

repository/conf/datasources/master-datasources.xml

 <datasources-configuration xmlns:svns="http://org.wso2.securevault/configuration">

    <providers>
        <provider>org.wso2.carbon.ndatasource.rdbms.RDBMSDataSourceReader</provider>
    </providers>

    <datasources>

 	<datasource>
	   <name>WSO2AM_DB</name>
            <jndiConfig>
                <name>jdbc/WSO2AM_DB</name>
                <properties>
                    <property name="java.naming.factory.initial"></property>
                    <property name="java.naming.provider.url"></property>
                </properties>
            </jndiConfig>
            <definition type="RDBMS">
                <configuration>
                    <url>jdbc:mysql://localhost:3306/wso2am_apimgtdb</url>
			<driverClassName>com.mysql.jdbc.Driver</driverClassName>
                    	<username>wso2am</username>
		    	<password>secret</password>
                	<maxActive>50</maxActive>
        		<maxWait>10000</maxWait>
        	        <testOnBorrow>true</testOnBorrow>
        	        <validationQuery>SELECT 1</validationQuery>
        	        <validationInterval>30000</validationInterval>		
                </configuration>
            </definition>
        </datasource>

 	<datasource>
	   <name>WSO2REG_DB</name>
            <jndiConfig>
                <name>jdbc/WSO2_RegDB</name>
                <properties>
                    <property name="java.naming.factory.initial"></property>
                    <property name="java.naming.provider.url"></property>
                </properties>
            </jndiConfig>
            <definition type="RDBMS">
                <configuration>
                    <url>jdbc:mysql://localhost:3306/wso2am_regdb</url>
                    	<username>wso2am</username>
		    	<password>secret</password>
   			<driverClassName>com.mysql.jdbc.Driver</driverClassName>
                	<maxActive>50</maxActive>
        		<maxWait>10000</maxWait>
        	        <testOnBorrow>true</testOnBorrow>
        	        <validationQuery>SELECT 1</validationQuery>
        	        <validationInterval>30000</validationInterval>		
                </configuration>
            </definition>
        </datasource>

 	<datasource>
	   <name>WSO2UM_DB</name>
            <jndiConfig>
                <name>jdbc/WSO2UM_DB</name>
            </jndiConfig>
            <definition type="RDBMS">
                <configuration>
			<url>jdbc:mysql://localhost:3306/wso2am_umdb?autoReconnect=true&amp;relaxAutoCommit=true</url>
                    	<username>wso2am</username>
		    	<password>secret</password>
   			<driverClassName>com.mysql.jdbc.Driver</driverClassName>
                	<maxActive>50</maxActive>
        		<maxWait>10000</maxWait>
        	        <testOnBorrow>true</testOnBorrow>
        	        <validationQuery>SELECT 1</validationQuery>
        	        <validationInterval>30000</validationInterval>		
                </configuration>
            </definition>
        </datasource>

         <datasource>
            <name>WSO2AM_STATS_DB</name>
            <description>The datasource used for getting statistics to API Manager</description>
            <jndiConfig>
                <name>jdbc/WSO2AM_STATS_DB</name>
            </jndiConfig>
            <definition type="RDBMS">
                <configuration>
                    <url>jdbc:h2:<!-- Full path to JDBC database -->;AUTO_SERVER=TRUE</url>
                    <username>wso2carbon</username>
                    <password>wso2carbon</password>
                    <driverClassName>org.h2.Driver</driverClassName>
                    <maxActive>50</maxActive>
                    <maxWait>60000</maxWait>
                    <testOnBorrow>true</testOnBorrow>
                    <validationQuery>SELECT 1</validationQuery>
                    <validationInterval>30000</validationInterval>
                </configuration>
            </definition>
         </datasource>

    </datasources>

 </datasources-configuration>
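
The file above keeps database passwords in clear text, reuses one password across datasources and leaves the shipped wso2carbon/wso2carbon pair on WSO2AM_STATS_DB. The following check is an added example (not part of the original page or of WSO2's code) that flags those three conditions; the sample input is constructed from the values above, and the `svns:secretAlias` attribute (WSO2 Secure Vault convention, not shown on this page), the `VAULTED_DB` entry and its alias name are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

SVNS = "http://org.wso2.securevault/configuration"  # namespace declared in the page's file
DEFAULT_CREDS = {("wso2carbon", "wso2carbon")}  # default pair shown for WSO2AM_STATS_DB

# Constructed sample: the page's datasources reduced to name and credentials, plus
# one hypothetical entry (VAULTED_DB) whose password is a Secure Vault alias.
DS = ("<datasource><name>%s</name><definition type='RDBMS'><configuration>"
      "<username>%s</username><password%s>%s</password>"
      "</configuration></definition></datasource>")
SAMPLE = ("<datasources-configuration xmlns:svns='%s'><datasources>" % SVNS
          + DS % ("WSO2AM_DB", "wso2am", "", "secret")
          + DS % ("WSO2UM_DB", "wso2am", "", "secret")
          + DS % ("WSO2AM_STATS_DB", "wso2carbon", "", "wso2carbon")
          + DS % ("VAULTED_DB", "wso2am", " svns:secretAlias='Hypothetical.Alias'", "password")
          + "</datasources></datasources-configuration>")


def audit_datasources(xml_text):
    """Return (datasource, finding) pairs for credentials stored in the clear."""
    rows = []
    for ds in ET.fromstring(xml_text).iter("datasource"):
        cfg = ds.find("definition/configuration")
        if cfg is None:
            continue
        pw = cfg.find("password")
        if pw is None or pw.get("{%s}secretAlias" % SVNS) is not None:
            continue  # no password element, or resolved through Secure Vault
        rows.append((ds.findtext("name"), cfg.findtext("username", ""), pw.text or ""))
    reuse = Counter(password for _, _, password in rows)
    findings = []
    for name, user, password in rows:
        if password:
            findings.append((name, "plaintext password"))
        if (user, password) in DEFAULT_CREDS:
            findings.append((name, "default credentials"))
        if password and reuse[password] > 1:
            findings.append((name, "password shared with another datasource"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_datasources(SAMPLE):
        print(f"{name}: {finding}")
```

The real file must be well-formed XML before it can be parsed this way, so an unescaped `&` in a JDBC URL has to be written as `&amp;` first.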

repository/conf/api-manager.xml

 ...
 <DataSourceName>jdbc/WSO2AM_DB</DataSourceName>
 ...

repository/conf/user-mgt.xml

 <UserManager>

    <Realm>

        <Configuration>
            <AdminRole>admin</AdminRole>
            <AdminUser>
                 <UserName>admin</UserName>
                 <Password>admin</Password>
            </AdminUser>
            <EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
            <Property name="dataSource">jdbc/WSO2_RegDB</Property>
            <Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder</Property>
        </Configuration>

        <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
 	    <Property name="dataSource">jdbc/WSO2UM_DB</Property>
	    <Property name="ReadOnly">false</Property>
	    <Property name="IsEmailUserName">false</Property>
	    <Property name="DomainCalculation">default</Property>
            <Property name="PasswordDigest">SHA-256</Property>
            <Property name="StoreSaltedPassword">true</Property>
            <Property name="UserNameUniqueAcrossTenants">false</Property>
            <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
            <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
	    <Property name="UsernameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
	    <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
	    <Property name="RolenameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
	    <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
            <Property name="UserRolesCacheEnabled">true</Property>
	    <Property name="maxFailedLoginAttempt">0</Property>
	</UserStoreManager>

        <AuthorizationManager
            class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
            <Property name="AdminRoleManagementPermissions">/permission</Property>
	    <Property name="AuthorizationCacheEnabled">true</Property>
        </AuthorizationManager>

    </Realm>

 </UserManager>

repository/conf/registry.xml

 <?xml version="1.0" encoding="utf-8"?>
 <wso2registry>

    <!-- These are used to define the DB configuration and the basic parameters to be used for the registry -->
    <currentDBConfig>wso2registry</currentDBConfig>
    <readOnly>false</readOnly>
    <enableCache>true</enableCache>
    <registryRoot>/</registryRoot>

    <!-- This defines the default database and its configuration of the registry -->
    <dbConfig name="wso2registry">
	<dataSource>jdbc/WSO2_RegDB</dataSource>
 	<userName>wso2am</userName>
	<password>secret</password>
	<driverName>com.mysql.jdbc.Driver</driverName>
	<maxActive>80</maxActive>
	<maxWait>6000</maxWait>
	<minIdle>5</minIdle>
    </dbConfig>
 ...

Start Registry Master

The first start requires the setup parameter to clean and re-set up the registry: ./wso2server.sh -Dsetup

API Gateway (ESB) in DMZ

Copy the WSO2AM directory tree to a different location to start the gateway setup, e.g.:

cp -R wso2am-1.3.1 wso2am-1.3.1gw1

Enable clustering on all hosts

Edit $(GOV_REG_HOME)/repository/conf/axis2/axis2.xml and $(GW_HOME)/repository/conf/axis2/axis2.xml

...
   <clustering class="org.apache.axis2.clustering.tribes.TribesClusteringAgent" enable="true">
...

Create Gateway Worker

To strip all the web GUIs go to $(GW_HOME)/bin and run:

ant createWorker

Copy org.wso2.carbon.apimgt.keymgt.stub_4.0.5.jar from the other API Manager installation to $(GW_HOME)/repository/components/plugins

Port Offset

If you are running different WSO2 products on the same server you can define a port offset in the carbon.xml:

 ...
 <Ports>
        <!-- Ports offset. This entry will set the value of the ports defined below to
         the define value + Offset.
         e.g. Offset=2 and HTTPS port=9443 will set the effective HTTPS port to 9445
         -->
        <Offset>2</Offset>
 ...

Gateway's repository/conf/registry.xml

 <wso2registry> 
	<currentDBConfig>wso2registry</currentDBConfig> 
	<readOnly>false</readOnly> 
	<registryRoot>/</registryRoot> 

	<dbConfig name="wso2registry"> 
		<url>jdbc:mysql://localhost:3306/wso2am_regdb</url> 
		<userName>wso2am</userName> 
		<password>secret</password> 
		<driverName>com.mysql.jdbc.Driver</driverName> 
		<maxActive>80</maxActive> 
		<maxWait>60000</maxWait> 
		<minIdle>5</minIdle> 
	</dbConfig> 

	<dbConfig name="configRegistry"> 
		<url>jdbc:mysql://localhost:3306/wso2am_regdb</url> 
		<userName>wso2am</userName> 
		<password>secret</password> 
		<driverName>com.mysql.jdbc.Driver</driverName> 
		<maxActive>80</maxActive> 
		<maxWait>60000</maxWait> 
		<minIdle>5</minIdle> 
	</dbConfig> 

	<remoteInstance url="https://localhost:9443/registry"> 
		<id>configRegistryInstance</id> 
		<dbConfig>configRegistry</dbConfig> 
		<readOnly>false</readOnly> 
		<registryRoot>/</registryRoot> 
	</remoteInstance> 

	<mount path="/_system/config" overwrite="true"> 
		<instanceId>configRegistryInstance</instanceId> 
		<targetPath>/_system/nodes</targetPath> 
	</mount> 

	<versionResourcesOnChange>true</versionResourcesOnChange> 

	<staticConfiguration> 
		<versioningProperties>true</versioningProperties> 
		<versioningComments>true</versioningComments> 
		<versioningTags>true</versioningTags> 
		<versioningRatings>true</versioningRatings> 
	</staticConfiguration> 
 </wso2registry>

Remaining problem:

CarbonServerManager Waiting for required OSGiAxis2Service: org.wso2.carbon.apimgt.gateway-1.0.7

Tests

/var/www/mh/test.php:

<?php	
foreach (getallheaders() as $name => $value) {
    echo "$name: $value\n";
}
?>

On Unix shell

Test "API" script:

mh@Aspire756:/var/www/mh$ curl -H "Authorization: Bearer ulqg2IU_L6mdIzfQNOPCX9f3O3ga" http://localhost/mh/test.php
User-Agent: curl/7.27.0
Host: localhost
Accept: */*
Authorization: Bearer ulqg2IU_L6mdIzfQNOPCX9f3O3ga

Test via API-Gateway:

mh@Aspire756:/var/www/mh$ curl -k  -H "Authorization: Bearer OHBC4MT0zJa0bDbN9hPuUd3QJvsa" https://localhost:8243/mh/1.1/test.php
<amt:fault xmlns:amt="http://wso2.org/apimanager/throttling">
<amt:code>900800</amt:code>
<amt:message>Message Throttled Out</amt:message>
<amt:description>You have  exceeded your quota</amt:description>
</amt:fault>

mh@Aspire756:/var/www/mh$ curl -k  -H "Authorization: Bearer ulqg2IU_L6mdIzfQNOPCX9f3O3ga" https://localhost:8243/mh/1.1/test.php 

Authorization: Basic d2lsbGk6c2VjcmV0==
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Host: localhost:80
Connection: Keep-Alive
 
mh@Aspire756:/var/www/mh$ curl -k  -H "Authorization: Bearer geratenerTokeIstNatuerlichFalsch" https://localhost:8243/mh/1.1/test.php
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:code>900901</ams:code>
<ams:message>Invalid Credentials</ams:message>
<ams:description>Access failure  for API: /mh, version: 1.1 with key: geratenerTokeIstNatuerlichFalsch</ams:description>
</ams:fault>

Tenancy

It may be necessary to identify the API user in the backend system. WSO2 AM offers a JWT (JSON Web Token) for this. It can easily be combined with BasicAuth (restriction: the AM always presents the same user).

JWT Configuration

repository/conf/carbon.xml

<APIConsumerAuthentication>
   <SecurityContextHeader>X-JWT-Assertion</SecurityContextHeader>
   <ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
   <ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
   <SignatureAlgorithm>NONE</SignatureAlgorithm>
   <EnableTokenGeneration>true</EnableTokenGeneration>
</APIConsumerAuthentication>

Result HTTP Header

Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: null
assertion:  eyJ0eXAiOiJKV1QifQ==.eyJpc3MiOiJ3c2...ZlcnlvbmUsYWRtaW4ifQ==.
Authorization: Basic YWRtaW46YWRtaW4=
Cookie: menuPanel=visible; menuPanelType=main; i18next=de-DE; JSESSIONID=CA91CA3949C2DBEF588C27EAC886914B
X-JWT-Assertion: eyJ0eXAiOiJKV1QifQ==.eyJpc3MiOiJ3c...bmUsYWRtaW4ifQ==.
V1: {"typ":"JWT"}
V2: {
  "iss":"wso2.org/products/am",
  "exp":1368182011873,
  "http://wso2.org/claims/subscriber":"admin",
  "http://wso2.org/claims/applicationname":"Arrival",
  "http://wso2.org/claims/apicontext":"/tst",
  "http://wso2.org/claims/version":"1.2",
  "http://wso2.org/claims/tier":"Unlimited",
  "http://wso2.org/claims/enduser":"admin", 
  "http://wso2.org/claims/role":"everyone,admin"}
Host: localhost:80
Connection: Keep-Alive
User-Agent: Synapse-HttpComponents-NIO
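
With `SignatureAlgorithm` set to `NONE`, the `X-JWT-Assertion` value above has no `alg` in its header and ends in an empty signature segment, so the backend has nothing with which to verify who produced the claims. The following added example (not part of the original page or of WSO2's code) decodes such a header and reports exactly that; the token is rebuilt from the claims shown above because the page truncates it, and reading `exp` as milliseconds is an assumption based on its 13 digits.

```python
import base64
import json

# Constructed sample: claims copied from the decoded "V2" output on this page.
SAMPLE_CLAIMS = {
    "iss": "wso2.org/products/am",
    "exp": 1368182011873,
    "http://wso2.org/claims/subscriber": "admin",
    "http://wso2.org/claims/enduser": "admin",
    "http://wso2.org/claims/role": "everyone,admin",
}


def _encode(obj):
    # The header on this page carries padded Base64 ("=="), so keep the padding.
    return base64.b64encode(json.dumps(obj, separators=(",", ":")).encode()).decode()


def build_sample_assertion(claims=SAMPLE_CLAIMS):
    """Rebuild a header.payload. value shaped like the one the gateway sent."""
    return _encode({"typ": "JWT"}) + "." + _encode(claims) + "."


def _decode(segment):
    # Accept standard and URL-safe alphabets, with or without padding.
    segment = segment.rstrip("=").replace("-", "+").replace("_", "/")
    return json.loads(base64.b64decode(segment + "=" * (-len(segment) % 4)))


def inspect_assertion(header_value, now_ms):
    """Return (claims, findings) for an X-JWT-Assertion header value."""
    parts = header_value.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header, claims = _decode(parts[0]), _decode(parts[1])
    findings = []
    if not parts[2]:
        findings.append("unsigned: empty signature segment")
    if str(header.get("alg", "none")).lower() == "none":
        findings.append("no signing algorithm declared")
    # Assumption: exp is in milliseconds (13 digits in the page's output).
    if claims.get("exp", 0) <= now_ms:
        findings.append("expired")
    return claims, findings


if __name__ == "__main__":
    claims, findings = inspect_assertion(build_sample_assertion(), now_ms=1368182000000)
    print(claims["http://wso2.org/claims/enduser"], findings)
```

A backend that receives findings like these should treat the claims as trustworthy only if the gateway is the sole host able to reach it, or switch the gateway to a signing algorithm and verify the signature.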

Proxy Configuration

Accessing API Manager-via-Proxy

CI/CD

Further reading: API Store Theme