How to connect WSO2 API Manager with an External Key Manager Node?

A Key Manager is used for security and access token related operations. The API Gateway of API Manager connects with a Key Manager to check the validity of OAuth tokens, subscriptions and API invocations.
WSO2 API Manager product contains its own Key Manager Component. But if you need to separate out this Key Manager component from the API Manager, you can do it by following the steps provided in this guide.
You only need 2 packs of WSO2 API Manager for this purpose. Download it and make a copy of one. I will refer to API Manager pack 1 as APIM. This pack will contain the Gateway, Publisher, Store and Traffic Manager components of API Manager. Pack 2 that will act as the Key Manager will be named as APIM_KM.
Step 1 : Configure APIM_KM
- First carry out what we call “profile optimization” on the APIM_KM pack. This removes unnecessary components and apps from the pack so that the Key Manager server can be started in its own profile. You can refer to this for more details on WSO2 API Manager Product Profiles.
- Before that, change the port offset of APIM_KM if you plan to run both servers on the same machine. To do so, open <APIM_KM_HOME>/repository/conf/carbon.xml and set the following element to 1.
<offset>1</offset>
- Then go to <APIM_KM_HOME>/bin and execute the following command for profile optimization.
./profileSetup.sh -Dprofile=api-key-manager
NOTE : This script is available only in the latest versions of WSO2 API Manager, from 2.5.0 onwards.
Step 2 : Share Databases (Should be done to both APIM and APIM_KM)
APIM_KM should point to the same databases as APIM, so you need to share these databases between the two packs.
- Follow this documentation to configure the databases for both APIM and APIM_KM.
- In short, after configuring the databases for APIM, copy the relevant configurations (as given in the above documentation) from <APIM_HOME>/repository/conf/datasources/master-datasources.xml to <APIM_KM_HOME>/repository/conf/datasources/master-datasources.xml.
- At the same time, configure <PRODUCT_HOME>/repository/conf/user-mgt.xml and <PRODUCT_HOME>/repository/conf/registry.xml for both packs as given in the above documentation. Treat the APIM pack as the Gateway.
- Remember to add the relevant JDBC driver to the <APIM_KM_HOME>/repository/components/lib and <APIM_HOME>/repository/components/lib directories.
Step 3 : Configure connections among APIM and APIM_KM
Step 3.1 : Configure APIM_KM
- Open <APIM_KM_HOME>/repository/conf/api-manager.xml and configure the <ServerURL> under <APIGateway> to point to APIM as follows. APIM has the default port offset of 0. Hence the Gateway port is 9443.
<APIGateway>
<Environments>
<Environment type="hybrid" api-console="true">
<Name>Production and Sandbox</Name>
<Description>This is a hybrid gateway that handles both production and sandbox token traffic.</Description>
<!-- Server URL of the API gateway -->
<ServerURL>https://localhost:9443/services/</ServerURL>
...
</Environment>
</Environments>
</APIGateway>
- In <APIM_KM_HOME>/repository/conf/api-manager.xml, configure the API Key Validator as follows. Uncomment the <ThriftServerPort> element and set the port to 10398, and make sure the <EnableThriftServer> element is set to true.
<APIKeyValidator>
...
<KeyValidatorClientType>ThriftClient</KeyValidatorClientType>
<ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
<!--ThriftClientPort>10397</ThriftClientPort-->
<EnableThriftServer>true</EnableThriftServer>
<ThriftServerHost>localhost</ThriftServerHost>
<ThriftServerPort>10398</ThriftServerPort>
...
</APIKeyValidator>
- Disable the Policy Deployer under the Throttling configurations as follows in <APIM_KM_HOME>/repository/conf/api-manager.xml.
<PolicyDeployer>
<Enabled>false</Enabled>
<ServiceURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServiceURL>
<Username>${admin.username}</Username>
<Password>${admin.password}</Password>
</PolicyDeployer>
Step 3.2 : Configure APIM
- Open <APIM_HOME>/repository/conf/api-manager.xml and configure the <ServerURL> under <APIKeyValidator> to point to APIM_KM as follows. Note that the port is 9444 because we configured a port offset of 1 for APIM_KM in Step 1. Make sure the <ThriftServerHost> element gives the host of APIM_KM, which is localhost in our case.
<APIKeyValidator>
<ServerURL>https://localhost:9444/services/</ServerURL>
...
<ThriftServerHost>localhost</ThriftServerHost>
...
</APIKeyValidator>
- Make sure that the <KeyValidatorClientType> element under <APIKeyValidator> is ThriftClient.
- In APIM, disable the Thrift Server to optimize performance as follows.
<EnableThriftServer>false</EnableThriftServer>
- Uncomment the <ThriftClientPort> element in APIM and set it to the value configured for <ThriftServerPort> in APIM_KM, as follows.
<ThriftClientPort>10398</ThriftClientPort>
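Before starting the servers, it is worth checking that the two api-manager.xml files actually agree with each other, because a Thrift port or offset mismatch only shows up later as failed token validation. The following Python check is an added example, not part of this guide or of WSO2's tooling: it reads the elements configured in Step 3 from constructed fragments of both files (embedded inline) and reports any inconsistency; the element paths and the 9443 base port come from the steps above, while the check_km_wiring function and the sample fragments are my own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

BASE_HTTPS_PORT = 9443  # management HTTPS port of a pack with port offset 0

def _text(root, path):  # stripped text of the first element at path, or None
    node = root.find(path)
    return node.text.strip() if node is not None and node.text else None

def _port(url):  # explicit port of a URL, falling back to 443 for https
    parsed = urlparse(url or "")
    return parsed.port or (443 if parsed.scheme == "https" else None)

def check_km_wiring(apim_xml, km_xml, apim_offset=0, km_offset=1):
    """Compare the APIM and APIM_KM api-manager.xml settings from Step 3.
    Returns a list of findings; an empty list means the two files agree."""
    apim, km = ET.fromstring(apim_xml), ET.fromstring(km_xml)
    findings = []
    # Step 3.2: APIM validates tokens over Thrift and does not run its own Thrift server
    if _text(apim, "APIKeyValidator/KeyValidatorClientType") != "ThriftClient":
        findings.append("APIM: KeyValidatorClientType must be ThriftClient")
    if _text(apim, "APIKeyValidator/EnableThriftServer") != "false":
        findings.append("APIM: EnableThriftServer should be false")
    # Step 3.1: APIM_KM runs the Thrift server, and APIM must dial the same port
    if _text(km, "APIKeyValidator/EnableThriftServer") != "true":
        findings.append("APIM_KM: EnableThriftServer must be true")
    client_port = _text(apim, "APIKeyValidator/ThriftClientPort")
    server_port = _text(km, "APIKeyValidator/ThriftServerPort")
    if client_port is None or client_port != server_port:
        findings.append(f"Thrift port mismatch: APIM client={client_port}, APIM_KM server={server_port}")
    # Each pack's ServerURL must use the other pack's offset management port (9443 + offset)
    kv_port = _port(_text(apim, "APIKeyValidator/ServerURL"))
    if kv_port != BASE_HTTPS_PORT + km_offset:
        findings.append(f"APIM: KeyValidator ServerURL port {kv_port} != {BASE_HTTPS_PORT + km_offset}")
    gw_port = _port(_text(km, "APIGateway/Environments/Environment/ServerURL"))
    if gw_port != BASE_HTTPS_PORT + apim_offset:
        findings.append(f"APIM_KM: APIGateway ServerURL port {gw_port} != {BASE_HTTPS_PORT + apim_offset}")
    # Step 3.1: the Key Manager must not deploy throttling policies itself
    if _text(km, ".//PolicyDeployer/Enabled") != "false":
        findings.append("APIM_KM: PolicyDeployer must be disabled")
    return findings

# Constructed fragments of the two api-manager.xml files, holding only the elements checked above
APIM_SAMPLE = """<APIManager><APIKeyValidator><ServerURL>https://localhost:9444/services/</ServerURL>
<KeyValidatorClientType>ThriftClient</KeyValidatorClientType><EnableThriftServer>false</EnableThriftServer>
<ThriftClientPort>10398</ThriftClientPort></APIKeyValidator></APIManager>"""
KM_SAMPLE = """<APIManager><APIGateway><Environments><Environment type="hybrid" api-console="true">
<ServerURL>https://localhost:9443/services/</ServerURL></Environment></Environments></APIGateway>
<APIKeyValidator><EnableThriftServer>true</EnableThriftServer><ThriftServerPort>10398</ThriftServerPort>
</APIKeyValidator><ThrottlingConfigurations><PolicyDeployer><Enabled>false</Enabled></PolicyDeployer></ThrottlingConfigurations></APIManager>"""
```

To run it against real packs, read each <PRODUCT_HOME>/repository/conf/api-manager.xml into a string and pass the two strings in place of the samples.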
Step 4 : Start APIM_KM and APIM servers
- After completing all the above configurations, start the two servers.
- First start APIM_KM, since it runs in profile mode. Go to the bin directory of APIM_KM and run the command below.
./wso2server.sh -Dprofile=api-key-manager
- Finally start APIM with the command below.
./wso2server.sh
Now you can verify that it works by creating and invoking an API through APIM. If the invocation succeeds, you have connected WSO2 API Manager with an external Key Manager node.
You can use the same steps, with modifications, to connect API Manager with other types of Key Managers.
Cheers!