You can configure the DataPower® API Gateway to prepare for a registration with the API Connect Management server.
About this task
- These instructions provide the basic steps for configuring a gateway service with a single gateway server. The lowest-level configuration objects are created first, then used in other configuration objects. The procedures for configuring the two types of gateways are very similar, so only one procedure is provided. Any specific differences are identified.
- Adding gateways to configure a peering environment is similar to creating the first gateway, and is recommended for resiliency in a production environment. A minimum of three gateway servers in a gateway service is recommended for high availability. See Gateway peering for more information about configuring additional gateways for peering. See Providing gateway service for API Connect in the DataPower Gateways IBM Knowledge Center content for more details about the DataPower settings and procedures.
Procedure
To configure a DataPower gateway to communicate with API Connect, complete the following steps:
- Open the DataPower WebGUI interface.
  Most of the configuration procedure is done in the DataPower WebGUI interface, not in the Blueprint Console.
- Enable the XML management interface in the default domain, if required. The XML management interface is optional for DataPower API Gateway.
  - Search for XML management interface in the navigation search bar, and select it.
  - Set the Administrative state to enabled.
  - You can specify a different port number if you do not want to use the default of 5550.
  - Select Apply to make the changes.
  - Save changes to the default domain by selecting Save Configuration.
- Create an application domain.
  This domain receives your traffic.
  - Search for Application domain in the navigation search bar, and select it.
  - Select Add to create the application domain.
  - Enter a unique name for your domain.
  - Ensure that enabled is selected for the Administrative state.
  - Ensure that the default domain is listed in the Visible application domain list.
  - Select Apply.
  - Change to your new application domain by selecting Domain in the menu bar, and selecting the domain that you created.
  - Select Save changes and switch domains.
    All of the remaining steps on the DataPower gateway must be done in the application domain that you created.
  - Save changes to the domain by selecting Save Configuration.
- Ensure that your deployment includes an NTP server to synchronize time between each of the DataPower Gateways.
- Ensure that you have set a unique Appliance name (System Identifier) for each DataPower gateway. See Initializing the DataPower Gateway.
- Create a self-signed certificate and private key to be used to protect the traffic between the management server and the API gateway service process. You can generate a certificate and private key using DataPower or by using other tools, such as OpenSSL. See Generating keys and certificates in the DataPower Gateway IBM documentation for instructions on how to create a crypto key with the DataPower tools.
- Upload your private crypto key file to the domain.
  - Search for Crypto key in the navigation search bar, and select it.
  - Select Add to create a key object.
  - Create a unique name for the key object in the Name field.
  - Select Upload....
  - Browse for the key file (which must be a .pem or .p12 file) and select it.
  - If you want to rename it, enter a new name for the file.
  - Select Upload to move it to the server in the cert:// folder.
  - Select Apply to save the changes.
- Upload your crypto certificate file to the domain.
  Note: If your certificate is signed by an Intermediate CA, you must include the entire chain in a single key file (either .pem or .p12) for uploading.
  - Search for Crypto certificate in the navigation search bar, and select it.
  - Select Add to create a certificate object.
  - Create a unique name for the certificate object in the Name field.
  - Select Upload....
  - Browse for the key file (which must be a .pem or .p12 file) and select it.
  - If you want to rename it, enter a new name for the file.
  - Select Upload to move it to the server in the cert:// folder.
  - Select Apply to save the changes.
- Associate the Crypto key with the Crypto certificate by setting the Identification credential.
  - Search for Crypto Identification Credentials in the navigation search bar, and select it.
  - Select Add.
  - Enter a name for your credential.
  - Ensure that the Administrative state has a value of enabled.
  - In the Crypto Key field, select the name of the key object that you created from the drop-down menu.
  - In the Certificate field object, select the name of the certificate object that you created from the drop-down menu.
  - Select Apply to commit your changes.
- Create your SSL Client profile.
  - Search for SSL Client profile in the navigation search bar, and select it.
  - Select Add to create a client profile.
  - Create a unique name for the profile in the Name field.
  - Select your Identification credential from the drop-down list.
  - Ensure that the value of Validate server certificate is set to off.
  - Select Apply to save the changes.
- Create your SSL Server profile.
  - Search for SSL Server Profile in the navigation search bar, and select it.
  - Select Add to create a server profile.
  - Create a unique name for the profile in the Name field.
  - Select your Identification credential from the drop-down list.
  - Ensure that the value of Request client authentication is set to off.
  - Select Apply to save the changes.
- For the DataPower API Gateway only: Define a configuration sequence.
  The API Connect gateway service uses the configuration sequence to configure DataPower to implement the APIs that are defined in API Connect.
  - Search for Configuration sequence in the navigation search bar, and select it.
  - Select Add.
  - Enter a name for your configuration sequence.
    The name apic-config is not allowed because it is already used internally.
  - Ensure that the Administrative state has a value of enabled.
  - Ensure that the value in the Location profiles field is set to local:///
    This is the default value, so you might not need to change it.
  - Select the Access profile. See Configuring the access profile for a configuration sequence in the DataPower Gateway IBM Knowledge Center for instructions on how to create access profiles.
  - Change the value of the Configuration execution interval field to 3000.
    The other fields can retain their default settings.
  - Select Apply to commit your changes.
- Configure your gateway peering object for the API Connect Gateway Service.
  This step is required when you set up a peer group of gateways, even if there is only a single gateway server in the gateway service.
  - Search for Gateway peering in the navigation search bar, and select it.
  - Select Add.
  - Enter a unique name for your gateway peering object.
  - Ensure that the Administrative state has a value of enabled.
  - Select a local address for the communications among the members of the peer group.
  - Select a local port for the communication.
    You can use the default value of 16380.
  - Select a monitor port for the communication.
    You can use the default value of 26380.
  - Because this procedure uses only one gateway, ensure that Peer group mode is not selected.
  - Clear the Enable SSL checkbox. SSL is not needed for a single peer.
  - Set the Persistence location value to Memory for either physical DataPower appliance or virtual DataPower appliance.
  - Select Apply to commit your changes.
- Configure your gateway peering object for rate limit information.
  Note: Version 2018.4.1.7 or later is required.
  - Search for Gateway peering in the navigation search bar, and select it.
  - Select Add.
  - Enter a unique name for your gateway peering object.
  - Ensure that the Administrative state has a value of enabled.
  - Select a local address for the communications among the members of the peer group.
  - Select a local port for the communication.
    Use a unique port, different than the ports used for communication by other gateway peering objects.
  - Select a monitor port for the communication.
    Use a unique port, different than the ports used for monitoring by other gateway peering objects.
  - Because this procedure uses only one gateway, ensure that Peer group mode is not selected.
  - Clear the Enable SSL checkbox. SSL is not needed for a single peer.
  - Set the Persistence location value to Memory for either physical DataPower appliance or virtual DataPower appliance.
  - Select Apply to commit your changes.
- Configure your gateway peering object for subscription information.
  Note: Version 2018.4.1.7 or later is required.
  - Search for Gateway peering in the navigation search bar, and select it.
  - Select Add.
  - Enter a unique name for your gateway peering object.
  - Ensure that the Administrative state has a value of enabled.
  - Select a local address for the communications among the members of the peer group.
  - Select a local port for the communication.
    Use a unique port, different than the ports used for communication by other gateway peering objects.
  - Select a monitor port for the communication.
    Use a unique port, different than the ports used for monitoring by other gateway peering objects.
  - Because this procedure uses only one gateway, ensure that Peer group mode is not selected.
  - Clear the Enable SSL checkbox. SSL is not needed for a single peer.
  - Set the Persistence location value to Memory for either physical DataPower appliance or virtual DataPower appliance.
  - Select Apply to commit your changes.
- Configure the gateway peering manager.
  Note: Version 2018.4.1.7 or later is required.
  - Search for Gateway Peering Manager in the navigation search bar, and select it.
  - Set the Administrative state to enabled.
  - In the pull-down menu next to API Connect Gateway Service, select the gateway peering object configured in Step 13 for the API Connect Gateway Service.
  - In the pull-down menu next to Rate Limit, select the gateway peering object configured in Step 14 for rate limit information.
  - In the pull-down menu next to Subscription, select the gateway peering object configured in Step 15 for subscription.
  - Select Apply to commit your changes.
- Set the API Connect Gateway service to define the communication interface with the API Connect Management server and for API transactions.
  - Search for API Connect Gateway service in the navigation search bar, and select it.
  - Ensure that the Administrative state is set to enabled.
  - In the Local address field, enter the IP address of the DataPower gateway to which you want the traffic from the API Connect Management server to be sent.
  - Specify a value for Local Port. You can use the default port value of 3000, or specify a different port value.
    Note: The Local port specifies the port through which API Connect connects to manage the API Connect Gateway Service. Use this port when you configure a Gateway Service on API Connect. Beyond this port, the gateway service uses two additional consecutive ports after the defined local port to bind to a loopback address. Therefore, you must ensure that there are no conflicts on all three consecutive ports that start from the defined local port.
  - In the SSL client field drop-down list, select the name of the SSL client profile that you created.
  - In the SSL server field drop-down list, select the name of the SSL server profile that you created.
  - In the API gateway address field, enter the IP address for the DataPower gateway to which you want the API traffic sent.
  - Use the default port value of 9443 for the API gateway port.
    If the port is not being used by another service, you can also change it to port 443 if you want API transactions to be sent to the default port for HTTPS.
  - For DataPower API Gateway, set the Gateway Peering to (none). When no gateway peering object is configured for the DataPower API Gateway, the peering configuration defined in the Gateway Peering Manager configuration is used.
  - Select whether you want the DataPower Gateway (v5 compatible) or the DataPower API Gateway.
    When the option is selected, it enables the registration of a DataPower Gateway (v5 compatible) gateway. Clear it to enable a DataPower API Gateway.
- Register the gateway service in the API Connect Cloud Manager console:
  - Open the API Connect Cloud Manager console.
  - Navigate to Configure Topology.
  - Select Register Service.
  - Select DataPower API Gateway for the DataPower API Gateway.
  - Add a title, name, and summary for the gateway connection.
  - Optional: Configure the OAuth Shared Secret.
    This setting allows OAuth tokens to be shared across multiple gateway services.
  - Enter one of the following values in the API Invocation Endpoint field:
    - IP address of the load balancer for the API transactions
    - IP address or host name of one of the gateways
    For example: https://192.0.2.0:9443/
  - Enter one of the following values in the Management Endpoint field:
    - IP address of the load balancer for the management server traffic set to port 3000
    - IP address or hostname of one of the gateways
    For example: https://192.0.2.0:3000/
  - Select the default TLS Client Profile.
  - Optional: Configure Server Name Indication (SNI) profiles.
    SNI profiles allow different TLS certificates to be used for API transaction requests from different host names.
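
The step that creates a self-signed certificate and private key names OpenSSL as one option. The following is an added example (not taken from the IBM documentation) that generates the pair in PEM format and checks that the key and certificate belong together before they are uploaded as the Crypto key and Crypto certificate. The file names, the subject CN and the 365-day lifetime are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original procedure.
# File names, CN and validity period are placeholders chosen for illustration.

# Create an RSA private key and a self-signed certificate, both PEM.
# The key is written unencrypted (-nodes), so it is created under umask 077
# and should be removed from the workstation once it is uploaded.
make_gateway_pair() {
  key=$1; cert=$2; cn=$3
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
      -subj "/CN=$cn" -keyout "$key" -out "$cert" 2>/dev/null )
}

# Succeed only if the certificate carries the public key of this private key.
# A mismatched pair cannot work as one Identification credential.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only if the certificate is still valid N days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Example run (writes two files in the current directory):
#   make_gateway_pair gw-mgmt-key.pem gw-mgmt-cert.pem gateway.example.test \
#     && key_matches_cert gw-mgmt-key.pem gw-mgmt-cert.pem \
#     && cert_valid_for_days gw-mgmt-cert.pem 30 \
#     && echo "pair is consistent, ready to upload"
```
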
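
The procedure asks for a unique local and monitor port on every gateway peering object, and the Local port note reserves two additional consecutive ports after the gateway service local port. The following added example (not part of the IBM procedure) checks a planned port assignment for collisions before the objects are created. The object labels and the rate limit and subscription peering ports are assumptions; 5550, 16380, 26380, 3000 and 9443 are the defaults named in the steps.

```shell
#!/bin/sh
# Added example, not part of the original procedure.
# Constructed port plan, one "<label> <port>" pair per line. Labels are
# hypothetical; ports 16381/26381/16382/26382 are assumed values.
PLAN='xml-mgmt 5550
apic-gw-peering-local 16380
apic-gw-peering-monitor 26380
rate-limit-peering-local 16381
rate-limit-peering-monitor 26381
subscription-peering-local 16382
subscription-peering-monitor 26382
gateway-service-local 3000
api-gateway 9443'

# Prints one line per collision and returns non-zero if any is found.
# The gateway-service-local entry is expanded to three ports: the Local port
# plus the two consecutive ports the gateway service binds on loopback.
find_port_conflicts() {
  printf '%s\n' "$1" | awk '
    BEGIN { bad = 0 }
    NF == 2 {
      n = ($1 == "gateway-service-local") ? 3 : 1
      for (i = 0; i < n; i++) {
        p = $2 + i
        label = (i == 0) ? $1 : ($1 "+" i)
        if (p in owner) {
          printf "conflict on %d: %s and %s\n", p, owner[p], label
          bad = 1
        } else {
          owner[p] = label
        }
      }
    }
    END { exit bad }'
}

find_port_conflicts "$PLAN" && echo "port plan has no conflicts"
```

The check treats the two loopback ports as reserved on every address, which is stricter than the note requires but keeps the plan simple to reason about.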