Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

When an API call hits the API Gateway, the Gateway carries out security checks to verify if the token is valid. During these verifications, the API Gateway extracts parameters such as access token, API, and API version that are passed on to it. Since the entire load of traffic to APIs goes through the API Gateway, this verification process needs to be fast and efficient in order to prevent overhead and delays. The WSO2 API Manager uses caching for this purpose, where the validation information is cached with the token, API name, and version, and the cache is stored in either the API Gateway or the key manager Key Manager server.

This section covers the following:

Table of Contents
maxLevel3
minLevel3

Tip

Apart from response caching, all the other caches are enabled by product. When the WSO2 API Manager components are clustered, they work as distributed caches. This means that a change done by one node is visible to another node in the cluster.

...

When c aching is enabled at the Gateway and a request hits the Gateway, it first populates the cached entry for a given token. If a cache entry does not exist in cache, it calls the key manager serverKey Manager server. This process is carried out using Web service calls. Once When the key manager Key Manager server returns the validation information, it gets stored in the Gateway. Because When API Gateway caching is enabled, as the API Gateway issues a Web service call to the key manager server Key Manager server only if it does not have a cache entry, this method reduces the number of Web service calls to the key manager Key Manager server. Therefore, it is faster than the alternative method.

By default, the API Gateway cache is enabled by setting the <EnableGatewayKeyCache> element to true in <APIM_HOME>/repository/conf/api-manager.xml file:

...

To remove old tokens that might still remain active in the Gateway cache, you need to configure the <RevokeAPIURL> element in api-manager.xml file, by providing the URL of the Revoke API that is deployed in the API Gateway node. The revoke API invokes the cache clear handler, which extracts information form from transport headers of the revoke request and clears all associated cache entries. If there's a cluster of API Gateways in your setup, provide the URL of the revoke API deployed in one node in the cluster. This way, all revoke requests route to the OAuth service through the Revoke API.

Given Follow the instructions below is how to configure this in a to clear API Gateway caching in a distributed API Manager setup.

  1. In the api-manager.xml file of the API Store node, point the revoke endpoint as follows:

    Code Block
    languagexml
    <RevokeAPIURL>https://${carbon.local.ip}:${https.nio.port}/revoke</RevokeAPIURL>
  2. In the API Gateway, point the Revoke API to the OAuth application deployed in the key manager Key Manager node. For example, 

    Code Block
    languagexml
    titleExample
    <api name="_WSO2AMRevokeAPI_" context="/revoke">
            <resource methods="POST" url-mapping="/*" faultSequence="_token_fault_">
                <inSequence>
                    <send>
                        <endpoint>
                            <address uri="https://keymgt.wso2.com:9445/oauth2/revoke"/>
                        </endpoint>
                    </send>
                </inSequence>
                <outSequence>
                    <send/>
                </outSequence>
            </resource>
            <handlers>
                <handler class="org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerCacheExtensionHandler"/>
            </handlers>
    </api>

...

Users can make requests to an API by calling any one of the HTTP methods of the API's resources. The API Manager uses the resource cache at the Gateway node to store the API's resource-level parameters (Auth type and throttling level). The cache entry is identified by a cache key, which is based on the API's context, version, request path, and HTTP method. Caching avoids the need to do a separate back-end call to check the Auth type and throttling level of a resource, every time a request to the API comes. It improves performance.

...

By default, the resource cache is enabled by setting the <EnableGatewayResourceCache> element to true in the <APIM_HOME>/repository/conf/api-manager.xml file:

...

The following caches are available: 

Table of Contents
maxLevel4
minLevel4

Key cache

In a typical WSO2 API Manager deployment, the Gateway is deployed in a DMZ, while the Key Manager is in MZ. By default, caching is enabled at the Gateway. If you do not like to cache token related information in a leniently secured zone, you can do that on the Key Manager side. In this method, for each and every API call that hits the API Gateway, the Gateway issues a Web service call to the Key Manager server . If for every API call that hits the API Gateway. If the cache entry is available in the Key Manager server, it is returned to the Gateway. ElseOtherwise, the database will be checked for the validity of the token.

This method has low performance compared to the earlier one, but when using the Key cache, you do not have to store any security-related information at the Gateway side. Using this  It is not recommended to use the key cache combined with the Gateway cache is not recommended

Anchor
KeyCache
KeyCache
Follow the instructions below to enable Key cache: 

  1. Disable caching at the API Gateway

...

  1. .
    Add the following entry under the <APIGateway>

...

  1. element in

...

  1. the <APIM_HOME>/repository/conf/api-manager.xml file.

    Code Block
    languagexml
    <EnableGatewayKeyCache>false</EnableGatewayKeyCache>
  2. Enable the Key Manager cache

...

  1. .
    Add the following entry under the <
    APIKeyValidator> element in the api-manager.xml file.

    Code Block
    <EnableKeyMgtValidationInfoCache>true</EnableKeyMgtValidationInfoCache>

JWT cache

You sometimes pass certain enduser attributes to the backend using need to use JSON Web Tokens (JWT) when you need to pass certain end-user attributed to the back-end. If you enable  JWT generation, the token is generated in the Key Manager server for each validation information object and is sent as part of the key validation response. Usually, the JWT also gets cached with the validation information object, but you might may want to generate JWTs per for each call. You , and you can do this by enabling JWT caching at key manager Key Manager server.

  1. Enable JWT caching at Key Manager server as follows:
    Add the following entry under the <APIKeyValidator>

...

  1. element in the <APIM_HOME>/repository/conf/api-manager.xml

...

  1.  file.

...

  1. Code Block
    languagehtml/xml
    <EnableJWTCache>true</EnableJWTCache>

...

  1. Note
    • You must disable caching at the Key Manager server side in order to generate JWTs

...

    • for each call.
    • Disabling the JWT cache only works if you have enabled the Key Manager cache, which is disabled by default.

...

  1. Enable token generation

...

  1. .
    Set the following entry to true at the root level of the api-manager.xml file.

    Code Block
    languagehtml/xml
    <APIConsumerAuthentication> 
        <EnableTokenGeneration>true</EnableTokenGeneration> 
    </APIConsumerAuthentication>

OAuth cache

The OAuth token is saved in this cache, which is enabled by default. Whenever a new OAuth token is generated, it is saved in this cache to prevent constant database calls. Unless an OAuth expires or is revoked, the same token is sent back for the same user. Therefore, you do not need to change this cached token most of the time. 

...

To change the default response caching settings, edit the following cache mediator properties in <APIM_HOME>/repository/resources/api_templates/velocity_template.xml file:  

PropertyDescription
collector
  • true : specifies that the mediator instance is a response collection instance
  • false: specifies that the mediator instance is a cache serving instance

max MessageSize  

Specifies the maximum size of a message to be cached in bytes. An optional attribute, with the default value set to unlimited.
maxSize Defines the maximum number of elements to be cached

hashGenerator

Defines the hash generator class.

When caching response messages, a hash value is generated based on the request's URI, transport headers and the payload (if available). WSO2 has a default REQUESTHASHGenerator class written to generate the hash value. See sample here.

If you want to change this default implementation (for example, to exclude certain headers), you can write a new hash generator implementation by extending the REQUESTHASHGenerator and overriding its getDigest() method. Once done, add the new class as the hashGenerator attribute of the <cache> element in the velocity_template.xml file.

API Store cache

The API Store has several caches to reduce the page-load times and increase its responsiveness when multiple users access it simultaneously.

...