This documentation is for WSO2 API Manager 1.7.0.
FAQ - API Manager 1.7.0 - WSO2 Documentation


General API Manager questions

What is WSO2 API Manager?

WSO2 API Manager is a complete solution for creating, publishing and managing all aspects of an API and its life cycle. See About API Manager.

What is the open source license of the API Manager?

Apache Software License Version 2.0

How do I download and get started quickly?

Go to to download the binary or source distributions. See Getting Started.

Is there commercial support available for WSO2 API Manager?

It is completely supported from evaluation to production. See WSO2 Support.

What are the default ports opened in the API Manager?

See Default Ports of WSO2 Products.

What are the technologies used underneath WSO2 API Manager?

Can I get involved in APIM development activities?

Not only are you allowed, but also encouraged. You can start by subscribing to [email protected] and [email protected] mailing lists. Feel free to provide ideas, feedback and help make our code better. For more information on contacts, mailing lists and forums, see Getting Support.

Installation questions

What are the minimum requirements to run WSO2 API Manager?

The minimum requirement is the Oracle Java SE Development Kit (JDK). See Installation Prerequisites.

What Java versions are supported by the API Manager?

See Installation Prerequisites.

How do I deploy a third-party library into the API Manager?

Copy any third-party JARs to the <APIM_HOME>/repository/components/lib directory and restart the server.

Do you provide automated installation scripts based on Puppet or similar solutions?

Yes. For information, contact us.

Is it possible to connect the API Manager directly to an LDAP or Active Directory where the corporate identities are stored?

Yes. You can configure the API Manager with multiple user stores. See Configuring User Stores.

Can I extend the management console UI to add custom UIs?

Yes, you can extend the management console (default URL is https://localhost:9443/carbon) easily by writing a custom UI component and simply deploying the OSGi bundle.

I don't want some of the features that come with WSO2 API Manager. Can I remove them?

Yes, you can do this using the Features menu under the Configure menu of the management console (default URL is https://localhost:9443/carbon).

How can I change the memory allocation for the API Manager?

The memory allocation settings are in <APIM_HOME>/bin/ file.  

Clustering and deployment questions

Where can I look up details of different deployment patterns and clustering configurations of the API Manager?

See WSO2 clustering and deployment guide.

What is the recommended way to manage multiple artifacts in a product cluster?

For artifact governance and lifecycle management, we recommend that you use a shared WSO2 Governance Registry instance.

Is it recommended to run multiple WSO2 products on a single server?

This is not recommended in a production environment involving multiple transactions. If you want to start several WSO2 products on a single server, you must change their default ports to avoid port conflicts. See Changing the Default Ports with Offset.

Can I install features of other WSO2 products to the API Manager?

Yes, you can do this using the management console. The API Manager already has features of WSO2 Identity Server, WSO2 Governance Registry, WSO2 ESB etc. embedded in it. However, if you require more features of a certain product, it is recommended to use a separate instance of it rather than install its features to the API Manager.

Authentication and security questions

How can I manage authentication centrally in a clustered environment?

You can enable centralized authentication using a WSO2 Identity Server based security and identity gateway solution, which enables SSO (Single Sign On) across all the servers.

How can I manage the API permissions/visibility?

To make an API visible only to selected user roles in the server, see API Visibility.

How can I add security policies (UT, XACML etc.) for the services?

This should be done in the backend services in the Application Server or WSO2 ESB.

How can I disable self signup capability to the API Store? I want to engage my own approval mechanism.

To disable the self signup capability, set the <SelfSignUp><Enabled> element to false in the <APIM_HOME>/repository/conf/api-manager.xml file.

Is there a way to lock a user's account after a certain number of failed login attempts to the API Store?

If your identity provider is WSO2 Identity Server, this facility comes out of the box. If not, install the identity-mgt feature to the API Manager and configure it. For information, see the Account Lock/Unlock page in the Identity Server documentation.

Functionality questions

How do I change the default admin password and what files should I edit after changing it?

To change the default admin password, log in to the management console with admin/admin credentials and use the "Change my password" option. After changing the password, change the following elements in the <APIM_HOME>/repository/conf/api-manager.xml file:



How can I recover the admin password used to log in to the management console?

Use <APIM_HOME>/bin/ script.

Troubleshooting questions

Why do I get the following warning: org.wso2.carbon.server.admin.module.handler.AuthenticationHandler - Illegal access attempt while trying to authenticate APIKeyValidationService?

  • Did you change the default admin password? If so, you need to change the credentials stored in the <APIKeyManager> element of the <APIM_HOME>/repository/conf/api-manager.xml file of the API Gateway node/s.
  • Have you set the priority of the SAML2SSOAuthenticator handler higher than that of the BasicAuthenticator handler in the authenticators.xml file? If so, the SAML2SSOAuthenticator handler tries to manage the basic authentication requests as well. Give the SAML2SSOAuthenticator handler a lower priority than the BasicAuthenticator handler, as follows:

    <Authenticator name="SAML2SSOAuthenticator" disabled="false">
          <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
          <Parameter name="ServiceProviderID">carbonServer</Parameter>
          <Parameter name="IdentityProviderSSOServiceURL">https://localhost:9444/samlsso</Parameter>
          <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>
          <Parameter name="ISAuthnReqSigned">false</Parameter>
          <!--<Parameter name="AssetionConsumerServiceURL">https://localhost:9443/acs</Parameter>-->
    </Authenticator>

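The stale-credential cause in the first bullet above, and the self signup setting from the authentication section, can both be checked mechanically. The following Python script is an added example, not part of the WSO2 documentation or product: it audits the text of an api-manager.xml file for credential pairs still set to admin/admin and for self signup left enabled. The sample document is constructed, and the `<Username>`, `<Password>`, `<AuthManager>`, `<APIGateway>` and `<APIManager>` element names are assumptions about the file layout; only `<APIKeyManager>` and `<SelfSignUp><Enabled>` are named on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real deployment. <SelfSignUp>/<Enabled> and
# <APIKeyManager> are named on this page; every other element name is an assumption.
SAMPLE_API_MANAGER_XML = """\
<APIManager>
  <AuthManager>
    <Username>admin</Username>
    <Password>admin</Password>
  </AuthManager>
  <APIGateway>
    <Username>admin</Username>
    <Password>constructed-new-password</Password>
  </APIGateway>
  <APIKeyManager>
    <Username>admin</Username>
    <Password>admin</Password>
  </APIKeyManager>
  <SelfSignUp>
    <Enabled>true</Enabled>
  </SelfSignUp>
</APIManager>
"""

DEFAULT_CREDENTIAL = ("admin", "admin")


def audit_api_manager_config(xml_text):
    """Return sorted findings for the text of an api-manager.xml file."""
    root = ET.fromstring(xml_text)
    findings = []
    # Treat any element with both <Username> and <Password> children as a
    # stored credential pair and flag it if it still holds admin/admin.
    for element in root.iter():
        user = (element.findtext("Username") or "").strip()
        password = (element.findtext("Password") or "").strip()
        if (user, password) == DEFAULT_CREDENTIAL:
            findings.append(f"{element.tag}: still uses the default admin credentials")
    # Flag self signup when <SelfSignUp><Enabled> is explicitly set to true.
    enabled = (root.findtext(".//SelfSignUp/Enabled") or "").strip().lower()
    if enabled == "true":
        findings.append("SelfSignUp: self signup to the API Store is enabled")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_api_manager_config(SAMPLE_API_MANAGER_XML):
        print(finding)
```

On a node where the admin password has already been changed, every element this reports is one whose stored credentials no longer match and need updating.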
I hit the entity expansion limit (-DentityExpansionLimit) and get the error {org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject} - Error while getting Recently Added APIs Information. What is the cause of this?

This error occurs in JDK 1.7.0_45 and is fixed in JDK 1.7.0_51 onwards. See here for details of the bug.

In JDK 1.7.0_45, all XML readers share the same XMLSecurityManager and XMLLimitAnalyzer. The XMLLimitAnalyzer's total counter accumulates across all readers, and once that total reaches the entity expansion limit, which is 64000 by default, the XMLInputFactory cannot create more readers. If you still want to use update 45 of the JDK, try restarting the server with a higher value assigned to the entityExpansionLimit system property (-DentityExpansionLimit).

When I call a REST API, I find that a lot of temporary files are created in my server and they are not cleared. This takes up a lot of space. What should I do?

There might be multiple configuration context objects created, one for each API invocation. Check whether your client is creating a configuration context object for each API invocation. Also, configure a HouseKeeping task in the <APIM_HOME>/repository/conf/carbon.xml file to clear the temporary folders. For example:

        <!-- The interval in *minutes*, between house-keeping runs --> 

        <!-- The maximum time in *minutes*, temp files are allowed to live in the system. Files/directories which were modified more than 
         "MaxTempFileLifetime" minutes ago will be removed by the house-keeping task --> 

General technology questions

Does the API Manager use Thrift and where can I find information about it?

The default communication protocol of the Key Manager is Thrift. See for information on Thrift.
