
This configuration uses a pre-packaged WSO2 Identity Server 5.2.0 with WSO2 API Manager 2.0.0. This pre-packaged version is different to WSO2 Identity Server 5.2.0 because the configurations required to connect the Identity Server as the Key Manager of the API Manager are already packaged in it. You do not have to configure them manually. 

Tip: WSO2 recommends that you use the pre-packaged WSO2 Identity Server 5.2.0 with WSO2 API Manager 2.0.0 as most of the configurations already exist in the pre-packaged version.

Step 1 - Set up the databases

In a typical production environment, it is possible that databases are already set up for the deployment. However, you need to have databases created for the registry and API management. This example uses MySQL to create the databases, but you can use any of the supported databases. See Setting up the Physical Database for more information on setting up different databases.

  1. Create the following databases in the MySQL database server.
    • apimgt
    • userstore
    • registry

  2. Create a user ‘apiuser’ with password ‘apimanager’. Grant all permissions for this user in the above three databases. For example:

    grant all on apimgt.* TO apiuser@localhost identified by "apimanager";
    grant all on userstore.* TO apiuser@localhost identified by "apimanager"; 
    grant all on registry.* TO apiuser@localhost identified by "apimanager";

About the userstore

It can be preferable to use an LDAP to store users. This is different to the userstore database you create here. This userstore database is for storing permissions and internal roles, while the LDAP stores users and their role mapping.

 

About MySQL drivers

Download the MySQL JDBC driver and add it to both servers, i.e., copy the .jar file into the <PRODUCT_HOME>/repository/components/lib directory of each server.

Step 2 - Download WSO2 APIM and WSO2 IS

  • Download the pre-packaged WSO2 Identity Server and unzip it.  <IS_HOME> will refer to the root folder of the unzipped WSO2 IS pack.
  • Download WSO2 API Manager from here and unzip it. <APIM_HOME> will refer to the root folder of the unzipped WSO2 API-M pack.

Step 3 - Optionally, configure port offset for WSO2 APIM or WSO2 IS

This is only required if you are running WSO2 API Manager on the same Virtual Machine (VM) as the WSO2 Identity Server.

What is port offset?

The port offset feature allows you to run multiple WSO2 products, multiple instances of a WSO2 product, or multiple WSO2 product clusters on the same server or virtual machine (VM). The port offset defines the number by which all ports defined in the runtime such as the HTTP/S ports will be offset. For example, if the HTTP port is defined as 9763 and the portOffset is 1, the effective HTTP port will be 9764. Therefore, for each additional WSO2 product, instance, or cluster you add to a server, set the port offset to a unique value (the default is 0).

Open the <PRODUCT_HOME>/repository/conf/carbon.xml file and change the offset to 1. This increments the product's default port by one. <PRODUCT_HOME> refers to the product to which you are configuring a port offset and it can be either <IS_HOME> or <APIM_HOME>.

carbon.xml
<Offset>1</Offset>

Step 4 - Configure the Identity Server

  1.  Open the <IS_HOME>/repository/conf/datasources/master-datasources.xml file and add the following datasources.

    Ensure that you keep the 'WSO2_CARBON_DB' datasource the way it is and simply add the following datasources in the master-datasources.xml file. Also, note that the WSO2AM_DB is already added in the master-datasources.xml file so you do not need to add it again. However, you must edit this datasource to point to your new database as this still points to the default H2 database.

    master-datasources.xml
    <datasource>
        <name>WSO2AM_DB</name>
        <description>The datasource used for API Manager database</description>
        <jndiConfig>
            <name>jdbc/WSO2AM_DB</name>
        </jndiConfig>
        <definition type="RDBMS">
            <configuration>
                <url>jdbc:mysql://localhost:3306/apimgt?autoReconnect=true&amp;relaxAutoCommit=true&amp;</url>
                <username>apiuser</username>
                <password>apimanager</password>
                <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                <maxActive>50</maxActive>
                <maxWait>60000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1</validationQuery>
                <validationInterval>30000</validationInterval>
                <defaultAutoCommit>false</defaultAutoCommit>
            </configuration>
        </definition>
    </datasource>
     
    <datasource>
        <name>WSO2REG_DB</name>
        <description>The datasource used for registry</description>
        <jndiConfig>
            <name>jdbc/WSO2REG_DB</name>
        </jndiConfig>
        <definition type="RDBMS">
            <configuration>
                <url>jdbc:mysql://localhost:3306/registry?autoReconnect=true&amp;relaxAutoCommit=true&amp;</url>
                <username>apiuser</username>
                <password>apimanager</password>
                <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                <maxActive>50</maxActive>
                <maxWait>60000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1</validationQuery>
                <validationInterval>30000</validationInterval>
            </configuration>
        </definition>
    </datasource>
     
    <datasource>
        <name>WSO2UM_DB</name>
        <description>The datasource used for user management</description>
        <jndiConfig>
            <name>jdbc/WSO2UM_DB</name>
        </jndiConfig>
        <definition type="RDBMS">
            <configuration>
                <url>jdbc:mysql://localhost:3306/userstore?autoReconnect=true&amp;relaxAutoCommit=true&amp;</url>
                <username>apiuser</username>
                <password>apimanager</password>
                <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                <maxActive>50</maxActive>
                <maxWait>60000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1</validationQuery>
                <validationInterval>30000</validationInterval>
            </configuration>
        </definition>
    </datasource>

    The following diagram illustrates how databases are shared between IS and APIM as per the above configuration.

    • WSO2REG_DB - This is used to keep the registry information. The registry database is shared between WSO2 IS as the Key Manager and WSO2 APIM to share artifacts such as metadata configurations, policies, and API details.

    • WSO2UM_DB - This is used to store the permissions (i.e., permission store) and the internal roles of the users. 

    • WSO2AM_DB - This is used to keep the identity data and API-related data. This includes OAuth tokens and keys. When serving key-validation requests, the Key Manager validates whether there are subscriptions made by the particular key, and it needs access to WSO2AM_DB to do so.

    • LDAP - This stores the users and their role mapping. You do not need to configure the datasource configuration in the master-datasources.xml file for this.
  2. Make the following change to the <IS_HOME>/repository/conf/registry.xml file. Create the registry mounts by inserting the following sections into the registry.xml file. 

    When doing this change, do not replace the existing <dbConfig> for "wso2registry". Simply add the following configuration to the existing configurations.

    registry.xml
    <dbConfig name="govregistry">
            <dataSource>jdbc/WSO2REG_DB</dataSource>
    </dbConfig>
    
    <remoteInstance url="https://localhost">
            <id>gov</id>
            <dbConfig>govregistry</dbConfig>
            <cacheId>apiuser@jdbc:mysql://localhost:3306/registry</cacheId>
            <readOnly>false</readOnly>
            <enableCache>true</enableCache>
            <registryRoot>/</registryRoot>
    </remoteInstance>
    
    <mount path="/_system/governance" overwrite="true">
            <instanceId>gov</instanceId>
            <targetPath>/_system/governance</targetPath>
    </mount>
    
    <mount path="/_system/config" overwrite="true">
           <instanceId>gov</instanceId>
           <targetPath>/_system/config</targetPath>
    </mount>
  3. Change the datasource in the user-mgt.xml file found in the <IS_HOME>/repository/conf/ directory to point to the WSO2UM_DB.

    user-mgt.xml configurations
    <Realm>
            <Configuration>
                    ...
                    <Property name="dataSource">jdbc/WSO2UM_DB</Property>
            </Configuration>
            ...
    </Realm>

     

  4. Make sure you add the user store configuration correctly in the <IS_HOME>/repository/conf/user-mgt.xml file so that both the Identity Server and API Manager point to the same user store. For more information on configuring user stores, see here.

    You must change the <UserStoreManager> element here since the internal LDAP user store is used by default. The <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager"> code block needs to be removed or modified and the right code block must be used. You could alternatively use the embedded LDAP in the Identity Server as your user store.

  5. JWT configuration must be done in the <IS_HOME>/repository/conf/api-manager.xml file in the Identity Server. See here for more information on JWT Token generation. Enable the ClaimsRetrieverImplClass, ConsumerDialectURI and SignatureAlgorithm elements. Set SignatureAlgorithm to NONE.
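
With SignatureAlgorithm set to NONE, the JWT passed to the backend carries no signature, so the backend has to decide explicitly whether it can rely on the claims. The following is an added example, not part of the original page or of WSO2's code, of a backend-side check; the function names, the `allowed_algs` default, the `trusted_channel` flag and the sample tokens are assumptions of the example.

```python
import base64
import json

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_jwt(token):
    """Parse a compact JWT without trusting it: (alg, has_signature, claims)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and payload must be JSON objects")
    return str(header.get("alg", "")), parts[2] != "", claims

def triage(token, allowed_algs=("RS256",), trusted_channel=False):
    """Decide what a backend does with the token before it reads any claim.

    Assumptions of this example: allowed_algs lists what the backend is set up
    to verify; trusted_channel says the hop from the gateway is authenticated
    by other means (for example mutual TLS).
    """
    try:
        alg, has_signature, _ = inspect_jwt(token)
    except ValueError:  # also covers bad base64, bad UTF-8 and bad JSON
        return "reject: malformed"
    if alg.lower() == "none" or not has_signature:
        # Nothing binds these claims to the Key Manager that issued them.
        return "accept-unverified" if trusted_channel else "reject: unsigned"
    if alg not in allowed_algs:
        return "reject: unexpected alg"
    return "verify-signature"  # the signature check itself is out of scope here

def seg(obj):
    # Helper used only to build the constructed sample tokens below.
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed samples, not captured from a server.
CLAIMS = {"iss": "wso2.org/products/am",
          "http://wso2.org/claims/enduser": "alice@carbon.super"}
UNSIGNED = seg({"typ": "JWT", "alg": "none"}) + "." + seg(CLAIMS) + "."
SIGNED_SHAPE = seg({"typ": "JWT", "alg": "RS256"}) + "." + seg(CLAIMS) + ".c2ln"

if __name__ == "__main__":
    for label, tok in (("unsigned", UNSIGNED), ("signed shape", SIGNED_SHAPE)):
        print(label, "->", triage(tok))
```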

Step 5 - Configure the API Manager

  1. In the <APIM_HOME>/repository/conf/api-manager.xml file, point to the WSO2 Identity Server so that it acts as the Key Manager of the API Manager.

    1. Change the ServerURL of the AuthManager to point to IS.
      <ServerURL>https://${IS_SERVER_HOST}:{port}/services/</ServerURL>
    2. Change the ServerURL of the APIKeyValidator to point to IS.
      <ServerURL>https://${IS_SERVER_HOST}:{port}/services/</ServerURL>
    3. Change the KeyValidatorClientType from ThriftClient to WSClient.
    4. Change EnableThriftServer to false.

    The following is an example of what this configuration would look like:

    api-manager.xml
    <APIKeyValidator>
            <ServerURL>https://localhost:9443{+portoffset}/services/</ServerURL>
            <Username>${admin}</Username>
            <Password>${admin}</Password>
            ...
    </APIKeyValidator>

    For example, if the port offset is 1 the server URL is as follows:

    https://localhost:9444/services/
  2. Open the <APIM_HOME>/repository/conf/datasources/master-datasources.xml file and add the following datasources.

    master-datasources.xml
    <datasource>
        <name>WSO2AM_DB</name>
        <description>The datasource used for API Manager database</description>
        <jndiConfig>
            <name>jdbc/WSO2AM_DB</name>
        </jndiConfig>
        <definition type="RDBMS">
            <configuration>
                <url>jdbc:mysql://localhost:3306/apimgt?autoReconnect=true&amp;relaxAutoCommit=true&amp;</url>
                <username>apiuser</username>
                <password>apimanager</password>
                <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                <maxActive>50</maxActive>
                <maxWait>60000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1</validationQuery>
                <validationInterval>30000</validationInterval>
                <defaultAutoCommit>false</defaultAutoCommit>
            </configuration>
        </definition>
    </datasource>
    
    <datasource>
        <name>WSO2REG_DB</name>
        <description>The datasource used for registry and user manager</description>
        <jndiConfig>
            <name>jdbc/WSO2REG_DB</name>
        </jndiConfig>
        <definition type="RDBMS">
            <configuration>
                <url>jdbc:mysql://localhost:3306/registry?autoReconnect=true&amp;relaxAutoCommit=true&amp;</url>
                <username>apiuser</username>
                <password>apimanager</password>
                <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                <maxActive>50</maxActive>
                <maxWait>60000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1</validationQuery>
                <validationInterval>30000</validationInterval>
            </configuration>
        </definition>
    </datasource>
     
    <datasource>
        <name>WSO2UM_DB</name>
        <description>The datasource used for registry and user manager</description>
        <jndiConfig>
            <name>jdbc/WSO2UM_DB</name>
        </jndiConfig>
        <definition type="RDBMS">
            <configuration>
                <url>jdbc:mysql://localhost:3306/userstore?autoReconnect=true&amp;relaxAutoCommit=true&amp;</url>
                <username>apiuser</username>
                <password>apimanager</password>
                <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                <maxActive>50</maxActive>
                <maxWait>60000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1</validationQuery>
                <validationInterval>30000</validationInterval>
            </configuration>
        </definition>
    </datasource>
  3. Open the user-mgt.xml file found in the <APIM_HOME>/repository/conf directory and change the permission datasource.

    1. Add the datasource configuration as indicated below.

      user-mgt.xml configurations
      <Realm>
              <Configuration>
                      ...
                      <Property name="dataSource">jdbc/WSO2UM_DB</Property>
              </Configuration>
              ...
      </Realm>
    2. Configure the <UserStoreManager> section of the <APIM_HOME>/repository/conf/user-mgt.xml file of the API Manager.

      Make sure you add the user store configuration correctly. This is the same configuration that you did in the Identity Server. For more information on how to do this, see here.

  4. Make sure you add the user store configuration correctly. This is the same configuration that you did in the Identity Server, and the easiest way to configure this is to copy over the configurations you did in the <IS_HOME>/repository/conf/user-mgt.xml file. For more information on how to configure this, see here.

    Note: If you are using the embedded LDAP that comes with the IS, then you need to point to this user store from API Manager. You can copy this configuration from the <IS_HOME>/repository/conf/user-mgt.xml file.

    When copying configurations, note that you must update the port numbers. For instance, when configuring the ConnectionURL property, you must update the port number as it will point to the port number of the Identity Server when starting up if you copy it directly.

  5. Create the registry mounts. Open the <APIM_HOME>/repository/conf/registry.xml file and insert the following configurations. 

    registry.xml
    <dbConfig name="govregistry">
           <dataSource>jdbc/WSO2REG_DB</dataSource>
    </dbConfig>
    
    <remoteInstance url="https://localhost">
           <id>gov</id>
           <dbConfig>govregistry</dbConfig>
           <cacheId>apiuser@jdbc:mysql://localhost:3306/registry</cacheId>
           <readOnly>false</readOnly>
           <enableCache>true</enableCache>
           <registryRoot>/</registryRoot>
    </remoteInstance>
    
    <mount path="/_system/governance" overwrite="true">
           <instanceId>gov</instanceId>
           <targetPath>/_system/governance</targetPath>
    </mount>
    
    <mount path="/_system/config" overwrite="true">
           <instanceId>gov</instanceId>
           <targetPath>/_system/config</targetPath>
    </mount>
  6. Run the following scripts for the respective databases. This creates some tables in the databases that may be required.
    • For apimgt run <APIM_HOME>/dbscripts/apimgt/mysql.sql
    • For userstore run <APIM_HOME>/dbscripts/mysql.sql
    • For registry run <APIM_HOME>/dbscripts/mysql.sql
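
Steps 4 and 5 only work if both servers name the same three databases and the registry mount's cacheId matches the registry datasource. The following is an added example, not part of the original page or of WSO2's tooling, that checks this over the XML text of the two master-datasources.xml files and the API Manager's registry.xml. It assumes the cacheId follows the user@URL form (query string dropped) used by the registry.xml example in Step 4; the function names and sample inputs are constructed for the example.

```python
import xml.etree.ElementTree as ET

SHARED = ("WSO2AM_DB", "WSO2REG_DB", "WSO2UM_DB")

def datasources(xml_text):
    """Map datasource name -> (JNDI name, JDBC URL, username)."""
    found = {}
    for ds in ET.fromstring(xml_text).iter("datasource"):
        cfg = ds.find("definition/configuration")
        if cfg is None:
            continue
        # A <url> wrapped over two lines carries whitespace; drop it before comparing.
        url = "".join(cfg.findtext("url", "").split())
        found[ds.findtext("name")] = (ds.findtext("jndiConfig/name"), url, cfg.findtext("username"))
    return found

def check(is_ds_xml, apim_ds_xml, apim_registry_xml):
    """Return findings; an empty list means IS and APIM agree."""
    findings = []
    is_ds, am_ds = datasources(is_ds_xml), datasources(apim_ds_xml)
    for name in SHARED:
        if name not in is_ds or name not in am_ds:
            findings.append(f"{name}: not defined on both servers")
        elif is_ds[name] != am_ds[name]:
            findings.append(f"{name}: IS and APIM point to different databases")
    reg = ET.fromstring(apim_registry_xml)
    # Only the named <dbConfig> elements declare a datasource; the one inside
    # <remoteInstance> is a reference to such a name.
    jndi_of = {d.get("name"): (d.findtext("dataSource") or "").strip()
               for d in reg.iter("dbConfig") if d.get("name")}
    by_jndi = {jndi: (url, user) for jndi, url, user in am_ds.values()}
    for inst in reg.iter("remoteInstance"):
        jndi = jndi_of.get((inst.findtext("dbConfig") or "").strip())
        if jndi not in by_jndi:
            findings.append(f"remoteInstance {inst.findtext('id')}: datasource not found")
            continue
        url, user = by_jndi[jndi]
        expected = f"{user}@{url.split('?')[0]}"  # user@URL, query string dropped
        if (inst.findtext("cacheId") or "").strip() != expected:
            findings.append(f"remoteInstance {inst.findtext('id')}: cacheId is not {expected}")
    return findings

def ds_entry(name, db, host="localhost"):  # builds one constructed sample entry
    return (f"<datasource><name>{name}</name><jndiConfig><name>jdbc/{name}</name></jndiConfig>"
            f"<definition type='RDBMS'><configuration><url>jdbc:mysql://{host}:3306/{db}"
            "?autoReconnect=true&amp;relaxAutoCommit=true</url><username>apiuser</username>"
            "</configuration></definition></datasource>")

def sample_ds(um_host="localhost"):  # constructed master-datasources.xml content
    return ("<datasources>" + ds_entry("WSO2AM_DB", "apimgt") + ds_entry("WSO2REG_DB", "registry")
            + ds_entry("WSO2UM_DB", "userstore", um_host) + "</datasources>")

def sample_registry(cache_id):  # constructed registry.xml content
    return ("<wso2registry><dbConfig name='govregistry'><dataSource>jdbc/WSO2REG_DB</dataSource>"
            "</dbConfig><remoteInstance url='https://localhost'><id>gov</id>"
            f"<dbConfig>govregistry</dbConfig><cacheId>{cache_id}</cacheId></remoteInstance></wso2registry>")
```

An empty list from `check(...)` means the three shared datasources and the mount agree; each finding names the datasource or remote instance to fix.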

Step 6 - Start the servers

Start both WSO2 API Manager and WSO2 Identity Server to see the changes.

  1. Start the WSO2 Identity Server for the changes to take effect.
    sh <PRODUCT_HOME>/bin/wso2server.sh

    Tip: You may notice the following error messages when starting up the server. This occurs since some API Manager directories are not available in the Identity Server. These are not critical errors, so they can be ignored. Alternatively, you can create the listed directories in the Identity Server pack.

    [2015-09-26 22:59:20,821] ERROR {org.wso2.carbon.apimgt.impl.utils.APIUtil} - Custom sequence template location unavailable for custom sequence type in : repository/resources/customsequences/in
    [2015-09-26 22:59:20,821] ERROR {org.wso2.carbon.apimgt.impl.utils.APIUtil} - Custom sequence template location unavailable for custom sequence type out : repository/resources/customsequences/out
    [2015-09-26 22:59:20,821] ERROR {org.wso2.carbon.apimgt.impl.utils.APIUtil} - Custom sequence template location unavailable for custom sequence type fault : repository/resources/customsequences/fault

  2. Start the WSO2 API Manager.