This documentation is for WSO2 API Manager 2.6.0.

Configure and start the Key Manager

This section involves setting up the Key Manager node and enabling it to work with the other components in a distributed deployment.

Warning

Skip this step if you are using WSO2 Identity Server as the Key Manager and follow the instructions mentioned in Configuring WSO2 Identity Server as a Key Manager to configure and start the Key Manager.

  1. Open the <API-M_HOME>/repository/conf/api-manager.xml file in the Key Manager node and change the <ServerURL> element that appears under the <APIGateway> section, so that it points to the API Manager Gateway.
    This configuration is needed so that, when a user is deleted or a user's role is updated in the Key Manager, the Key Manager can update the Gateway cache by clearing the cache entries of that user.
    • If you are working with a single Gateway in a distributed setup, replace [GATEWAY_SERVER_HOST] with the host of the Gateway node.
    • If you are working with Gateways in a High Availability (HA) setup that uses a shared file system (e.g., NFS), replace [GATEWAY_SERVER_HOST] with the host of the Gateway load balancer node.
    • If you are working with Gateways in a High Availability (HA) setup that uses rsync, replace [GATEWAY_SERVER_HOST] with the host of the Gateway Manager node.
    • Replace [port] with the management transport port. For more information, see Default Product Ports.

      Code Block
      <ServerURL>https://[GATEWAY_SERVER_HOST]:[port]/services/</ServerURL>
  2. Configure the API key validator in the Key Manager.
    The Thrift protocol is normally enabled by default. However, if you have disabled the Thrift protocol, enable it as follows in the <API-M_HOME>/repository/conf/api-manager.xml file. 

    Single Key Manager

    When you are using a single Key Manager, set the <KeyValidatorClientType> element to WSClient so that the Web Service client is used, and set <EnableThriftServer> to false to optimize performance.

    Code Block
    <APIKeyValidator>
        <KeyValidatorClientType>WSClient</KeyValidatorClientType>
        <EnableThriftServer>false</EnableThriftServer>
        <ThriftServerHost>localhost</ThriftServerHost>
        <!--ThriftServerPort>10397</ThriftServerPort-->
        ...
    </APIKeyValidator>
    Key Manager with HA

    When you are using multiple Key Managers fronted by a load balancer, set the <KeyValidatorClientType> element to WSClient so that the Web Service client is used, and set <EnableThriftServer> to false to optimize performance.

    Code Block
    <APIKeyValidator>
        ...
        <KeyValidatorClientType>WSClient</KeyValidatorClientType>
        <EnableThriftServer>false</EnableThriftServer>
        <ThriftServerHost>localhost</ThriftServerHost>
        <!--ThriftServerPort>10397</ThriftServerPort-->
        ...
    </APIKeyValidator>
    Tip

    If you wish to encrypt the Auth Keys (access tokens, client secrets, and authorization codes), see Encrypting OAuth Keys.

  3. Disable the Policy Deployer under the Throttling configurations.

    Code Block
    <ThrottlingConfigurations>
        ...
        <PolicyDeployer>
            <Enabled>false</Enabled>
            ...
        </PolicyDeployer>
        ...
    </ThrottlingConfigurations>
  4. Optionally, configure High Availability (HA) for the Key Manager.

    Warning

    These steps are ONLY applicable if you need to configure HA for the Key Manager.

    1. Make a copy of the active instance configured above and use this copy as the second Key Manager active instance.

    2. Configure a load balancer to front the two Key Manager nodes.
      For information on configuring the load balancer, see Configuring the Proxy Server and the Load Balancer.

  5. Configure the Key Manager to communicate with the Traffic Manager.

    Warning

    This is available only as a WUM update and is effective from 30th September 2020 (2020-09-30). For more information on updating WSO2 API Manager, see Updating WSO2 API Manager.

    Single Traffic Manager

    Configure the Key Manager with a single Traffic Manager as follows:

    Info

    9611 and 9711 are the Traffic Manager receiver ports for the binary type.

    1. Update the Throttling configurations as follows:

      Code Block
      <ThrottlingConfigurations>
          <TrafficManager>
              <Type>Binary</Type>
              <ReceiverUrlGroup>tcp://${carbon.local.ip}:${receiver.url.port}</ReceiverUrlGroup>
              <AuthUrlGroup>ssl://${carbon.local.ip}:${auth.url.port}</AuthUrlGroup>
              <Username>${admin.username}</Username>
              <Password>${admin.password}</Password>
          </TrafficManager>
      </ThrottlingConfigurations>
    2. Configure JMSConnectionParameters to connect to the broker running within the Traffic Manager.

      Code Block
      <JMSConnectionParameters>
          <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
          <transport.jms.DestinationType>topic</transport.jms.DestinationType>
          <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
          <connectionfactory.TopicConnectionFactory>amqp://${admin.username}:${admin.password}@clientid/carbon?brokerlist='tcp://[traffic-manager-hostname]:${jms.port}?retries='5'%26connectdelay='50''</connectionfactory.TopicConnectionFactory>
      </JMSConnectionParameters>
    HA of Traffic Manager

    Configure the Key Manager with multiple Traffic Managers fronted by a load balancer as follows:

    Follow the instructions below to configure the Key Manager to communicate with the Traffic Managers and to push token revocation events to both Traffic Manager instances.

    1. Configure the receiver URL group <ReceiverUrlGroup> and Authentication URL Group <AuthUrlGroup> values, which are under the <TrafficManager> element in the <API-M_HOME>/repository/conf/api-manager.xml file, in order to contain all the Traffic Manager receiver URLs.
      This is required when you have more than one Traffic Manager instance, and you are publishing to both as per the deployment pattern selected. As an example, if you are using two Traffic Manager instances and data should be published to both of them, the ReceiverUrlGroup and AuthUrlGroup should be configured as follows:

      Code Block
      <ThrottlingConfigurations>
          <EnableAdvanceThrottling>true</EnableAdvanceThrottling>
          <TrafficManager>
              <Type>Binary</Type>
              <ReceiverUrlGroup>{tcp://[Traffic-Manager-1-host]:9611}, {tcp://[Traffic-Manager-2-host]:9611}</ReceiverUrlGroup>
              <!--ReceiverUrlGroup>tcp://${carbon.local.ip}:9612</ReceiverUrlGroup-->
              <AuthUrlGroup>{ssl://[Traffic-Manager-1-host]:9711}, {ssl://[Traffic-Manager-2-host]:9711}</AuthUrlGroup>
              <!--AuthUrlGroup>ssl://${carbon.local.ip}:9712</AuthUrlGroup-->
              <Username>${admin.username}</Username>
              <Password>${admin.password}</Password>
          </TrafficManager>
          ...
      </ThrottlingConfigurations>

      [Traffic-Manager-1-host] and [Traffic-Manager-2-host] are the IPs/hostnames of two Traffic Manager nodes.

      Based on the above configuration, the Key Manager publishes events to both the Traffic Managers.

    2. Configure JMSConnectionParameters to connect to the brokers running within each Traffic Manager using a failover mechanism.

      Code Block
      <JMSConnectionParameters>
          <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
          <transport.jms.DestinationType>topic</transport.jms.DestinationType>
          <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
          <connectionfactory.TopicConnectionFactory>amqp://${admin.username}:${admin.password}@clientid/carbon?failover='roundrobin'%26cyclecount='2'%26brokerlist='tcp://[Traffic-Manager-1-host]:${jms.port}?retries='5'%26connectdelay='50';tcp://[Traffic-Manager-2-host]:${jms.port}?retries='5'%26connectdelay='50''</connectionfactory.TopicConnectionFactory>
      </JMSConnectionParameters>
  6. Add the following in the <API-M_HOME>/repository/conf/api-manager.xml file for each of the Key Manager nodes in the deployment.

    Code Block
    <TokenRevocationNotifier>
        <Enabled>true</Enabled>
    </TokenRevocationNotifier>
  7. Start the WSO2 API-M Key Manager node(s).
    Make sure to run the product optimizer either before starting the server or while starting the server, so that the resource utilization can be optimized on each of the nodes. For more information on product profile optimization, see Product Profiles.
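As an added example (not part of the WSO2 documentation), a small Python check that parses a Key Manager api-manager.xml and reports every setting that deviates from steps 1 to 6 above, including that in the HA Traffic Manager variant the ReceiverUrlGroup, AuthUrlGroup and JMS failover brokerlist all name the same Traffic Manager hosts. The sample XML, the example.internal hostnames and the broker port 5672 are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample: this page's fragments assembled into one Key Manager api-manager.xml
# (HA Traffic Manager variant); the example.internal hostnames are placeholders.
SAMPLE_XML = """<APIManager>
  <APIGateway><ServerURL>https://gw-lb.example.internal:9443/services/</ServerURL></APIGateway>
  <APIKeyValidator>
    <KeyValidatorClientType>WSClient</KeyValidatorClientType>
    <EnableThriftServer>false</EnableThriftServer>
  </APIKeyValidator>
  <ThrottlingConfigurations>
    <TrafficManager>
      <ReceiverUrlGroup>{tcp://tm1.example.internal:9611}, {tcp://tm2.example.internal:9611}</ReceiverUrlGroup>
      <AuthUrlGroup>{ssl://tm1.example.internal:9711}, {ssl://tm2.example.internal:9711}</AuthUrlGroup>
    </TrafficManager>
    <PolicyDeployer><Enabled>false</Enabled></PolicyDeployer>
  </ThrottlingConfigurations>
  <JMSConnectionParameters>
    <connectionfactory.TopicConnectionFactory>amqp://${admin.username}:${admin.password}@clientid/carbon?failover='roundrobin'%26cyclecount='2'%26brokerlist='tcp://tm1.example.internal:5672?retries='5'%26connectdelay='50';tcp://tm2.example.internal:5672?retries='5'%26connectdelay='50''</connectionfactory.TopicConnectionFactory>
  </JMSConnectionParameters>
  <TokenRevocationNotifier><Enabled>true</Enabled></TokenRevocationNotifier>
</APIManager>"""
# Settings the page fixes for every Key Manager node: (element path, required value).
EXPECTED = [("APIKeyValidator/KeyValidatorClientType", "WSClient"),
            ("APIKeyValidator/EnableThriftServer", "false"),
            ("ThrottlingConfigurations/PolicyDeployer/Enabled", "false"),
            ("TokenRevocationNotifier/Enabled", "true")]
# Matches each entry of '{tcp://h1:9611}, {tcp://h2:9611}' or one bare scheme://host:port URL.
URL_GROUP = re.compile(r"(\w+)://([^:}\s]+):(\d+)")

def url_group(text):
    return URL_GROUP.findall(text or "")  # list of (scheme, host, port) tuples

def check_key_manager_config(xml_text):
    """Return the settings that deviate from this page; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    txt = lambda path: (root.findtext(path) or "").strip()
    findings = [f"{p} should be {v}, found {txt(p)!r}" for p, v in EXPECTED if txt(p) != v]
    if not txt("APIGateway/ServerURL").startswith("https://"):
        findings.append("APIGateway/ServerURL must be the Gateway's https services endpoint")
    recv = url_group(txt("ThrottlingConfigurations/TrafficManager/ReceiverUrlGroup"))
    auth = url_group(txt("ThrottlingConfigurations/TrafficManager/AuthUrlGroup"))
    if not recv:
        findings.append("ReceiverUrlGroup has no resolvable host:port entry")
    if {h for _, h, _ in recv} != {h for _, h, _ in auth} or any(s != "ssl" for s, _, _ in auth):
        findings.append("AuthUrlGroup must list the same Traffic Manager hosts as ReceiverUrlGroup over ssl://")
    # Every Traffic Manager must appear in the JMS failover brokerlist, or it misses revocation events.
    jms = next((e.text or "" for e in root.iter("connectionfactory.TopicConnectionFactory")), "")
    if set(re.findall(r"tcp://([^:;'\s]+):", jms)) != {h for _, h, _ in recv}:
        findings.append("JMS brokerlist hosts differ from the Traffic Manager receiver hosts")
    return findings
```

Run it against the real file with check_key_manager_config(open(path).read()); unresolved ${...} placeholders in the URL groups are reported as unresolvable entries rather than silently accepted.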

Note

It is not recommended to share the Solr directory between the Store and Publisher servers. Use a separate Solr directory for each of these servers so that they perform Solr indexing independently.

Warning

If you get an error similar to the following in one or both of the nodes, check whether you have shared the Solr directory.

Code Block
org.apache.solr.common.SolrException: 
SolrCore 'registry-indexing' is not available due to init failure: Index locked for write for core registry-indexing
