WSO2AM Pattern 2 deployment - wso2

I am working on WSO2-3.0.0 version deployment patterns. Can anybody provide me details on how to configure wso2am-3.0.0 pattern 2 deployment?
I found this page: https://apim.docs.wso2.com/en/latest/install-and-setup/deploying-wso2-api-manager/deployment-patterns/#wso2-api-manager-deployment-patterns. But it doesn't contain sufficient details on how to deploy the setup.

You can refer to the distributed deployment details [1]. In pattern 2, you have a single server which runs as publisher, devportal and traffic manager. So you can refer to [1] and make, on that single server, all the required changes that are mentioned for the publisher, devportal and traffic manager.
[1] - https://apim.docs.wso2.com/en/latest/install-and-setup/deploying-wso2-api-manager/distributed-deployment/deploying-wso2-api-m-in-a-distributed-setup/

Related

How to secure communication between Pact Broker, Consumer and Provider

We are planning to implement CDC in our project and Pact is being considered as the primary candidate. Currently I am working on a POC to set up an end-to-end flow with CI/CD integration with GitLab. I have a couple of questions related to Authentication/Authorization/security.
Consumer - Pact Broker: Consumers here are external partners. I see client side certificates as an option. I am not able to find much documentation or info on Web for the options available. Pact broker will be hosted in AWS. Can we place this behind a gateway?
Pact Broker and Provider: Both components are part of our infrastructure. In this case I understand that we will be generating a GitLab trigger token which will be passed as part of future requests to the Provider pipeline. We will be using the same token every time.
Could you please advise on the options available in both cases to make the communication more secure?
Thanks in advance.
> We are planning to implement CDC in our project and Pact is being considered as the primary candidate.

Good choice! :)

> I have a couple of questions related to Authentication/Authorization/security

The OSS broker doesn’t have any security controls other than basic auth and read-only/read-write access permissions (which isn’t very appropriate for external use for obvious reasons). There is basic support for redacting credentials in the UI, but you can still get them through API calls (even for read-only accounts).

> Consumer - Pact Broker: Consumers here are external partners. I see client side certificates as an option. I am not able to find much documentation or info on Web for the options available. Pact broker will be hosted in AWS. Can we place this behind a gateway?

Where did you see that client certificates were supported? I’m sorry to say that is incorrect.
You can definitely put it behind a gateway/reverse proxy type thing: https://docs.pact.io/pact_broker/configuration/#running-the-broker-behind-a-reverse-proxy
You would need to add your own authentication layer for this purpose, so using an API gateway for this might be a good starting point.

> Pact Broker and Provider: Both components are part of our infrastructure. In this case I understand that we will be generating a GitLab trigger token which will be passed as part of future requests to the Provider pipeline. We will be using the same token every time.

The provider side authentication is the same as consumer.
Alternatively, we have created Pactflow, which is a commercial version of the OSS Broker designed for enterprise use which has a full security model wrapped over the OSS broker including API tokens, and secrets, teams management and other useful features (see https://pactflow.io/features/ for more). We are also almost ready to release CI users and fine-grained permissions management.
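
One way to build the "own authentication layer" at a reverse proxy, as an added example that is not part of the original answer or the Pact Broker project: nginx verifies a partner client certificate and maps its subject to one of the broker's basic-auth accounts. It assumes the broker listens on 127.0.0.1:9292; the hostnames, file paths, certificate subjects and credentials are placeholders.

```nginx
# Added example; place inside the http {} context of nginx.conf.
# All names, paths and credentials below are placeholders (assumptions).

# Map the subject DN of the *verified* client certificate to a broker account.
# Unknown subjects map to the empty string and are rejected below.
map $ssl_client_s_dn $broker_auth {
    default                                  "";
    "~(^|,)CN=partner-a\.example(,|$)"       "Basic <base64 of readwrite-user:password>";
    "~(^|,)CN=partner-b\.example(,|$)"       "Basic <base64 of readonly-user:password>";
}

upstream pact_broker {
    server 127.0.0.1:9292;    # broker reachable only from the proxy host
}

server {
    listen 443 ssl;
    server_name pact.example.com;

    ssl_certificate         /etc/nginx/tls/broker.crt;
    ssl_certificate_key     /etc/nginx/tls/broker.key;

    # Mutual TLS: only certificates issued by the partner CA are accepted.
    ssl_client_certificate  /etc/nginx/tls/partner-ca.crt;
    ssl_verify_client       on;
    ssl_verify_depth        2;

    location / {
        # Certificate chains to the CA but the subject is not on the list.
        if ($broker_auth = "") { return 403; }

        # Replace whatever Authorization header the client sent, so broker
        # credentials never leave the proxy.
        proxy_set_header Authorization      $broker_auth;

        # Forwarded headers so the broker generates correct external URLs.
        proxy_set_header Host               $host;
        proxy_set_header X-Forwarded-Host   $host;
        proxy_set_header X-Forwarded-Port   $server_port;
        proxy_set_header X-Forwarded-Proto  https;
        proxy_set_header X-Forwarded-Scheme https;

        proxy_pass http://pact_broker;
    }
}
```

Because the answer notes that even read-only broker accounts can retrieve credentials through API calls, the mapping limits who can write but does not make stored webhook secrets safe to expose to partners.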

APIM custom profiles

We'd like to create a custom APIM profile that only installs/enables the Publisher, Key Manager and Traffic Manager on a single JVM. The gateway (manager and worker nodes) and Store will be running on separate JVMs.
How can I create a new profile?
And also, the docs state that the profiles only enable/disable the OSGi bundles belonging to a profile, but that the web applications are still available (and I guess the web services too, since they are packaged as .war archives). Can I remove the unused web apps on the different profiles? E.g. remove the gateway and publisher web apps on the store instance. Is this documented somewhere?
Thanks,
Danny
> We'd like to create a custom APIM profile that only installs/enables
> the Publisher, Key Manager and Traffic Manager on a single JVM. The
> gateway (manager and worker nodes) and Store will be running on
> separate JVMs. How can I create a new profile?

Running multiple profiles in one server hasn't been supported.

> Can I remove the unused web apps on the different profiles?

Yes, you can remove the WARs specific to other profiles.

WSO2 API Manager cluster Key Manager

I am setting up the API Manager in a cluster and have one version of the store and one version of the publisher which are clustered so they update each other on change. I also have the gateway set up in a master and worker cluster. All of this I found out how to do on the WSO2 site. The issue is I want to cluster the key manager as well for higher load, but I can't find any documentation on how to cluster the key manager specifically. I assume it's not just a case of running more than one behind a load balancer, as they need to know when the tokens etc. have changed?
Any help would be appreciated.
Please follow this documentation on API Manager clustering. Please follow the "Configuring the connections among the components -> Key Manager" section and the "Configuring component features" section accordingly. This blog post explains when IS is used as Key Manager. But the explanation might be helpful to you to understand when using several URLs.

Updating multiple wso2 apimanager gateways

I have configured 2 WSO2 API gateways (say gw1 and gw2) behind a load balancer (say lb1). I have configured the publisher on another node (say pub1). In the pub1 box's /etc/hosts file I have the API gateway URL set to that of lb1. Now whenever I update or add a new API on pub1, it does not get immediately reflected on both gw1 and gw2; it gets reflected on one of the two. Is there a way to programmatically force API Manager to refresh the list of published APIs?
You need to use the deployment synchronizer to sync the artifacts across the gateway nodes. In your scenario, one gateway will need to be treated as the manager whilst the other one as the worker node.
Please refer to the documentation here on how to configure the deployment synchronizer.

how to deploy wso2 products in aws beanstalk?

I would like to deploy wso2 products in aws using beanstalk.
Theoretically it should be possible by following the instructions for deploying in webapp mode.
http://wso2.org/project/carbon/3.2.2/docs/admin_guide.html#webappmode
Has anyone managed to achieve this?
What steps were required?
Following the document [1] you shared should work.
However, unless you really have a requirement, it is not that encouraged to run WSO2 Products in web app mode. This is because the Web app container will limit the WSO2 products, where WSO2 Products can function independently in stand-alone mode. Running WSO2 stand-alone over the EC2 might be more appropriate.
[1] http://wso2.org/project/carbon/3.2.2/docs/admin_guide.html#webappmode