Comment: Reverted from v. 5

When an API call hits the API Gateway, the Gateway carries out security checks to verify that the token is valid. During these verifications, the API Gateway extracts parameters such as the access token, API and API version that are passed on to it. Since all traffic to APIs goes through the API Gateway, this verification process needs to be fast and efficient in order to prevent overhead and delays. The API Manager uses caching for this purpose: the validation information is cached with the token, API name and version, and the cache is stored in either the API Gateway or the Key Manager server.


...

When caching is enabled at the Gateway and a request hits the Gateway, it first looks for a cached entry for the given token. If an entry does not exist in the cache, it calls the Key Manager server. This process is carried out using Web service calls. Once the Key Manager server returns the validation information, it gets stored in the Gateway. Because the API Gateway issues a Web service call to the Key Manager server only if it does not have a cache entry, this method reduces the number of Web service calls to the Key Manager server. Therefore, it is faster than the alternative method.

...

  1. In the api-manager.xml file of the Key Manager node, point the revoke endpoint as follows:

    <RevokeAPIURL>https://${carbon.local.ip}:${https.nio.port}/revoke</RevokeAPIURL>
  2. In the API Gateway, point the Revoke API to the OAuth application deployed in the Key Manager node. For example:

    <api name="_WSO2AMRevokeAPI_" context="/revoke">
            <resource methods="POST" url-mapping="/*" faultSequence="_token_fault_">
                <inSequence>
                    <send>
                        <endpoint>
                            <address uri="https://keymgt.wso2.com:9445/oauth2/revoke"/>
                        </endpoint>
                    </send>
                </inSequence>
                <outSequence>
                    <send/>
                </outSequence>
            </resource>
            <handlers>
                <handler class="org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerCacheExtensionHandler"/>
            </handlers>
    </api>

...

<EnableGatewayResourceCache>true</EnableGatewayResourceCache>

...

Key Manager cache


...

In a typical API Manager deployment, the Gateway is deployed in a DMZ while the Key Manager is in the MZ. By default, caching is enabled at the Gateway. If you do not want to cache token-related information in a leniently secured zone, you can cache it on the Key Manager side instead. In this method, for every API call that hits the API Gateway, the Gateway issues a Web service call to the Key Manager server. If the cache entry is available in the Key Manager server, it is returned to the Gateway. Otherwise, the database is checked for the validity of the token.
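A simplified model of the two cache placements described above, added here as an illustration and not taken from WSO2 API Manager code; the class names, token and API name are constructed. It counts the Web service calls and database lookups for each placement and shows whether token validation data ends up stored in the DMZ.

```python
class KeyManager:
    """Stands in for the Key Manager server in the MZ (hypothetical model)."""
    def __init__(self, db, cache_enabled):
        self.db = db                    # token -> attributes (constructed sample data)
        self.cache_enabled = cache_enabled
        self.cache = {}
        self.service_calls = 0          # Web service calls received from the Gateway
        self.db_lookups = 0

    def validate(self, key):
        self.service_calls += 1
        if self.cache_enabled and key in self.cache:
            return self.cache[key]
        self.db_lookups += 1            # cache miss: check the database
        token = key[0]
        info = {"valid": token in self.db, **self.db.get(token, {})}
        if self.cache_enabled:
            self.cache[key] = info
        return info


class Gateway:
    """Stands in for the API Gateway in the DMZ (hypothetical model)."""
    def __init__(self, key_manager, cache_enabled):
        self.km = key_manager
        self.cache_enabled = cache_enabled
        self.cache = {}                 # validation info held in the DMZ when enabled

    def handle(self, token, api, version):
        key = (token, api, version)     # cached with the token, API name and version
        if self.cache_enabled and key in self.cache:
            return self.cache[key]
        info = self.km.validate(key)    # only reached on a Gateway cache miss
        if self.cache_enabled:
            self.cache[key] = info
        return info


def run(gateway_cache, km_cache, requests=5):
    """Send the same valid token several times and report where the load and data land."""
    km = KeyManager({"tok-constructed-1": {"user": "alice"}}, km_cache)
    gw = Gateway(km, gateway_cache)
    for _ in range(requests):
        assert gw.handle("tok-constructed-1", "SampleAPI", "1.0")["valid"]
    return {"service_calls": km.service_calls, "db_lookups": km.db_lookups,
            "entries_in_dmz": len(gw.cache)}


if __name__ == "__main__":
    print("Gateway cache:    ", run(gateway_cache=True, km_cache=False))
    print("Key Manager cache:", run(gateway_cache=False, km_cache=True))
```

With the Gateway cache, five requests cost one Web service call but leave the validation entry in the DMZ; with the Key Manager cache, every request costs a Web service call, the database is still hit only once, and nothing is stored at the Gateway.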

...

  • Disable caching at the API Gateway by adding the following entry to the APIGateway section of the <APIM_HOME>/repository/conf/api-manager.xml file.

    <EnableGatewayKeyCache>false</EnableGatewayKeyCache>
  • Enable the Key Manager cache by adding the following entry under the <APIKeyValidator> element in the APIKeyManager section of the api-manager.xml file.

    <EnableKeyMgtValidationInfoCache>true</EnableKeyMgtValidationInfoCache>

...

You sometimes pass certain end-user attributes to the backend using JSON Web Tokens (JWT). If you enable JWT generation, the token is generated in the Key Manager server for each validation information object and is sent as part of the key validation response. Usually, the JWT also gets cached with the validation information object, but you might want to generate JWTs per each call. You can do this by enabling JWT caching at the Key Manager server. Add the following entry under the <APIKeyValidator> element in the APIKeyManager section of the <APIM_HOME>/repository/conf/api-manager.xml file.

...

Tip

You must disable caching at the Key Manager server side in order to generate JWTs per each call. Disabling the JWT cache only works if you have enabled the Key Manager cache, which is disabled by default.

...