Registering a gateway service

A gateway service is required to handle incoming traffic for APIs.

Before you begin

Before registering a Gateway service in Cloud Manager, the DataPower® API Connect Gateway Service has to either be installed as a subsystem in your Kubernetes cluster or enabled on the DataPower appliance. For a Kubernetes environment, see Installing the Gateway subsystem into a Kubernetes environment. For appliances, see Configuring API Connect Gateway Service for more information.

Also complete the following task:

About this task

A Gateway service represents a cluster of gateway servers that host published APIs and provide the API endpoints used by client applications. Gateways execute API proxy invocations to backend systems and enforce API policies including client identification, security and rate limiting.

One of the following roles is required to register and manage gateway services:

  • Administrator
  • Topology Administrator
  • Owner
  • A custom role with the Topology:Manage permission
Note: You can also register, and manage, gateway services by using the developer toolkit CLI; for details, see apic gateway-services.

Procedure

Complete the following steps to configure a Gateway service for your cloud:

  1. In the Cloud Manager, click Topology.
  2. From the Availability Zone that will contain the Gateway service, select Register Service.
  3. On the Configure Service page, select DataPower Gateway as the service type. Select the Gateway type that you want to create, either DataPower Gateway (v5 compatible) or DataPower API Gateway. For a description of the gateway types, see API Connect gateway types.
  4. Enter the values to configure the Gateway service. You will need to obtain the endpoints from your deployment configuration. For a Kubernetes environment, the endpoints are configured by the following values in the apicup installation script. For an appliance, the endpoint is configured in DataPower.

Field
    Description

Title (required)
    Enter a descriptive title for the gateway service. This title will be displayed on the screen.

Name (required)
    This field is auto-populated by the system and used as the internal field name.

Summary (optional)
    Enter a brief description.

Management Endpoint: Endpoint (required)
    Enter the API Connect Gateway Service endpoint.
      • For a Kubernetes environment, the Management Endpoint is the endpoint entered for the command set gwy apic-gw-service. See Installing the Gateway subsystem into a Kubernetes environment for more information.
      • For an appliance, the Management Endpoint is the Management address to the API Connect Gateway Service shown in the gateway service connection diagram. For one gateway, this takes the form http://<ip-address-for-gateway>:3000. For multiple gateways, it would be the address:port of the load balancer.

Management Endpoint: TLS Client Profile (optional)
    Specify the TLS Client profile to use when contacting the gateway through the management endpoint.

API Invocation Endpoint and SNI: API Endpoint Base (required)
    Enter the base portion of the URL that maps to the base portion of the URL for incoming API traffic. It is a public FQDN with additional paths that are specific to your API calls. For example: https://api.mycompany.com

API Invocation Endpoint and SNI: Server Name Indication - Host Name
    For supporting Server Name Indication (SNI) at the API Endpoint Base. The default hostname of '*' is required to allow all hosts. Enter other host names as needed. Wild card format is supported. The SNI capability enables you to serve multiple TLS secure host names through the same Gateway service, using the same IP address and port, without requiring them to use the same TLS profile.
    Note: To allow requests from clients that don't support SNI, you must include a host name value of '*'.

API Invocation Endpoint and SNI: TLS Server Profile
    The TLS server profile that supports the given hostname for SNI.

OAuth Shared Secret (optional)
    For sites using native OAuth providers, enter the shared secret that will be used by all API calls going through the gateway.
    Note: The specified shared secret must be 64 characters (64 bytes) in length, prefixed with 0x, and must consist only of hexadecimal characters. For example: 0xa354282f227c10250511ae9c9e8c7ed9f4f1bd0d7c04cb6d5bd178f8c62296e3

The following diagram illustrates the gateway service connection:
[Figure: Gateway service connection on DataPower]

  5. When you are finished, click Save.
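
The following check of the values entered in step 4 is an added example, not IBM code and not part of the original page. The dictionary keys, the profile names, and the rule that one SNI host name should not map to two TLS server profiles are assumptions of the example; the shared secret pattern follows the page's example value, and that published example value is itself rejected because it is public.

```python
import re
import secrets
from urllib.parse import urlsplit

# Format of the page's example value: "0x" followed by 64 hexadecimal characters.
SECRET_RE = re.compile(r"0x[0-9a-fA-F]{64}")
# The example printed in the documentation is public; never register it.
DOC_EXAMPLE = "0xa354282f227c10250511ae9c9e8c7ed9f4f1bd0d7c04cb6d5bd178f8c62296e3"


def new_shared_secret():
    """Return a fresh secret in the documented format, drawn from the OS CSPRNG."""
    return "0x" + secrets.token_hex(32)  # 32 random bytes -> 64 hex characters


def check_registration(values):
    """Return the problems found in a dict of form values (key names are hypothetical)."""
    problems = []
    mgmt = urlsplit(values.get("management_endpoint", ""))
    if mgmt.scheme not in ("http", "https") or not mgmt.hostname:
        problems.append("management_endpoint: expected an http(s) URL with a host")
    base = urlsplit(values.get("api_endpoint_base", ""))
    # Assumption: the API Endpoint Base is an https URL, as in the page's example.
    if base.scheme != "https" or not base.hostname:
        problems.append("api_endpoint_base: expected an https URL with a host")
    profiles = {}  # SNI host name -> set of TLS server profiles mapped to it
    for host, profile in values.get("sni", []):
        profiles.setdefault(host, set()).add(profile)
    if "*" not in profiles:
        problems.append("sni: no '*' entry, requests from clients without SNI are not allowed")
    for host, names in sorted(profiles.items()):
        if len(names) > 1:
            problems.append(f"sni: {host!r} is mapped to more than one TLS server profile")
    secret = values.get("oauth_shared_secret")  # optional field
    if secret is not None:
        if not SECRET_RE.fullmatch(secret):
            problems.append("oauth_shared_secret: expected 0x followed by 64 hex characters")
        elif secret.lower() == DOC_EXAMPLE:
            problems.append("oauth_shared_secret: value is the published documentation example")
    return problems


# Constructed sample values (not taken from a real deployment).
SAMPLE = {
    "management_endpoint": "http://192.0.2.10:3000",
    "api_endpoint_base": "https://api.mycompany.com",
    "sni": [("api.mycompany.com", "profile-a"), ("api.mycompany.com", "profile-b")],
    "oauth_shared_secret": DOC_EXAMPLE,
}
```

Calling check_registration(SAMPLE) reports the missing '*' host name, the conflicting profile mapping and the reused documentation secret; new_shared_secret() produces a value suitable for the OAuth Shared Secret field.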

Results

The Gateway service is added to the appropriate Availability Zone for your cloud.

What to do next

If you change the TLS Profile for the SNI mapping of the API Invocation endpoint in Cloud Manager, the change is applied automatically in the associated Gateway. You do not need to remove or re-register the Gateway service.

  • Add additional gateway services.
  • Add one or more analytics services.
  • Add one or more portal services.
  • Associate the gateway service with an analytics service.
  • Set the visibility for the gateway.