In the multi-tenanted environment (create and work with tenants), Registry Database is required to share the information in this database between the Gateway and Key Manager components.
So in the above line, which information needs to be shared, and where does it need to be shared?
There are no special DB configurations for multi-tenancy; tenant-related information will be stored in the same DBs. And when you are clustering APIM, you need to share databases among the nodes irrespective of tenant usage. You can refer to this guide for clustering.
What it basically says is that you need to do steps 8.c and 11 in the Installing and configuring the databases section of the API Manager clustering guide for the gateway and key manager nodes as well.
I have multiple wso2-is servers set up as my dev, staging and prod environments.
And I would want to have functionality wherein I can export all the configuration from some server (say dev) to some other server (say staging) to make both servers identical, i.e. both servers would have the same database configurations, same tenants, same service providers, same identity providers and so on.
From the documentation here, I know that I can create service providers and identity providers using XML files, so in turn, I can share the XML files to sync SPs and IdPs between servers.
But is there a standard way to achieve that? Like, from the management console or so?
It even seems possible that syncing the [IS-HOME]/repository directory would ensure that the servers are identical, but are there any caveats to this approach?
There is no standard way to sync the service provider configurations among different environments as of now. This issue has been reported to track the feature requirement; it's a work in progress at the moment and you can expect it in a future release.
One possible solution you can use to achieve your target is retrieving the service provider from the Admin service and creating the same service provider in the other environment.
You can use the file-based service provider configurations to achieve this target. But with that approach, you will not be able to see the service providers added from the configuration files in the management console. The next limitation you will face is that you can add SAML-based inbound authentication configurations only through the config files (such as OAuth 2.0 / OIDC inbound authentication configurations).
To answer your last question, you can't sync the [IS-HOME]/repository folder to achieve this. The reason you were able to observe this behavior seems to be that you are using the inbuilt H2 database and it's in the [IS-HOME]/repository/database folder. With your file sync, you have actually synced the databases.
Try, for example, the ElephantSQL or Redis services on Pivotal: you can create multiple service keys with different names, but they contain the same secrets.
I would have thought that in creating different keys I would be able to revoke them independently. Is that only possible for some services?
The behavior depends on the service broker implementation. The recommended approach is to generate unique values for every binding and service key. Not all service brokers do that though.
For reference, see the Open Service Broker API here: https://github.com/openservicebrokerapi/servicebroker/blob/v2.13/spec.md#credentials
I know, for example, that the Pivotal MySQL Service Broker follows this advice and generates unique credentials for each binding and service key.
https://github.com/cloudfoundry/cf-mysql-broker
Hope that helps!
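To make the difference concrete, here is an added example (not code from the answer or from any real broker) of the per-binding credential model the spec recommends: every bind or service key gets its own secret, so one key can be revoked without touching the others. The class and method names are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed example of per-binding credentials as the Open Service Broker
# spec recommends. Class and method names are this example's own.
class PerBindingBroker:
    def __init__(self):
        # binding_id -> record; only a hash of the password is retained
        self._bindings = {}

    def bind(self, instance_id: str, binding_id: str) -> dict:
        """Issue fresh credentials scoped to this one binding / service key."""
        if binding_id in self._bindings:
            raise ValueError(f"binding {binding_id} already exists")
        username = f"u_{binding_id}"
        password = secrets.token_urlsafe(24)
        self._bindings[binding_id] = {
            "instance_id": instance_id,
            "username": username,
            "password_hash": hashlib.sha256(password.encode()).hexdigest(),
        }
        # The plaintext is handed out exactly once, in the bind response
        return {"username": username, "password": password}

    def unbind(self, binding_id: str) -> bool:
        """Revoke one binding; other bindings of the same instance are untouched."""
        return self._bindings.pop(binding_id, None) is not None

    def authenticate(self, username: str, password: str) -> bool:
        """Constant-time check of a presented credential against live bindings."""
        presented = hashlib.sha256(password.encode()).hexdigest()
        for rec in self._bindings.values():
            if rec["username"] == username and hmac.compare_digest(rec["password_hash"], presented):
                return True
        return False


def demo() -> dict:
    """Two service keys on one instance get distinct secrets; revoking one leaves the other working."""
    broker = PerBindingBroker()
    key_a = broker.bind("db-1", "key-a")
    key_b = broker.bind("db-1", "key-b")
    broker.unbind("key-a")
    return {
        "distinct": key_a["password"] != key_b["password"],
        "a_revoked": not broker.authenticate(key_a["username"], key_a["password"]),
        "b_still_valid": broker.authenticate(key_b["username"], key_b["password"]),
    }
```

A broker that returns the same instance-level secret for every key cannot pass this test: revoking one key would invalidate all of them.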
I would like to have a cluster of gateways in API Manager. I saw the documents on how to split the 4 components with MySQL, and I also saw the document explaining how to cluster the API gateway (Mgt / Worker), but I am missing some information: is it necessary that both clusters connect to the same database, or can/must each cluster have its own database?
An image is better than words:
So what I would like to do is to have 1 Key Manager, 1 Store, 1 Publisher and 2 Gateways, so when I publish 1 endpoint it is available on both gateways (I will use the hosts file to specify hostnames instead of IPs). I don't know if that kind of configuration is possible.
Another possibility is to have a shared Key Manager between both WSO2 servers. When the user has his authorization key he can use both WSO2 servers.
You should share databases among clusters. Basically there are 3 databases used: UserDB, RegistryDB and API Manager DB.
If you want to allow the same users to log in/publish APIs (for example), you must share the UserDB among clusters. The same thing applies to the other DBs too.
When you cluster the gateway you should consider the following:
If you are using multi-tenancy, then all gateway nodes should be pointed to the usermgt DB and the registry DB.
If there is no multi-tenancy, all gateway nodes should be pointed to the registry DB (because there you will have tier.xml, so when adding a custom tier.xml it should be synced with all gateway nodes).
The gateway doesn't use the apimgt DB, but you need to have the config of the apimgt DB pointing to the default H2 DB; otherwise you will get an error when starting the gateway node.
I have two instances of WSO2 API Manager running on two different servers. Both of them are referring to the same UM_DB. I created a role by logging in with admin credentials on one server. After that I checked for the role on the other server by logging in with admin credentials again. I found that the role existed on the other server, but the permissions that I provided for that role did not exist on the other server. Is that a bug with WSO2 API Manager or did I miss something in the configuration?
You want to deploy two APIM instances in a cluster. It is better to refer to the APIM clustering guide to set it up properly. There are two things you need to understand when you're deploying APIM in a cluster:
You must point both instances to the same database. There can be three logical databases, i.e. the UM, Registry and AM databases. These three can be one physical DB. However, both instances must point to the same one.
You must configure Hazelcast-based clustering using the axis2.xml file. This is required because APIM uses a Hazelcast-based implementation to distribute the data in the caches. In your scenario, I guess you have not configured this; therefore the permission tree has not been distributed between the two nodes. A lot of data is stored in the caches for high performance, so please make sure to configure this properly.
I guess this would help you.
I have a number of different SOA services that use different approaches for storing configuration data for the service. For example the configuration data is stored in database tables, property files, and jndi.
I would like to standardize my approach to storing configuration data. Is the carbon registry an acceptable place to store all the configuration data for my services?
Can I just store this data directly in the carbon registry, or should I be looking to just use the WSO2 Governance Registry for this data?
What does WSO2 Governance Registry give me that is not provided by directly using the carbon registry?
"Is the carbon registry an acceptable place to store all the configuration data for my services?"
The best practice would be: store the resource metadata in the registry and run-time data in a database.
"Is the carbon registry an acceptable place to store all the configuration data for my services?"
Yes, you can store the configurations in the registry. Generally, configurations will be stored in the config space, and the resources which have a governance aspect will go to the governance registry space.
"What does WSO2 Governance Registry give me that is not provided by directly using the carbon registry?"
Store, manage and search any kind of enterprise asset, including services, APIs, policies, projects or applications. You can extend the predefined asset metadata or create your own
Navigate through assets using taxonomies
Access and manage assets via a REST API, supporting the integration with enterprise initiative such as DevOps
Describe relationships between assets such as dependencies, usage or associations and perform impact analysis
Attach custom life cycle to assets and engage custom actions when an asset transitions from one state to the next
Secure the access to assets via a fine-grained permission model
Leverage social tools such as ratings and comments to enable better communication between asset providers and consumers
Notify users of any asset changes via email or a notification system of your choice
Integrate with mediation engines such as WSO2 Enterprise Service Bus or others via UDDI and REST for dynamic discovery of services and APIs endpoints
There are plenty of advantages to using G-Reg; to see the full list, please see this post or the official G-Reg page.