Using the API Manager, you can configure custom workflows that get invoked at the event of a user signup, application creation, registration, subscription, etc. You do these configurations in the workflow-extensions.xml
as described in the previous sections.
However, in a multi-tenant API Manager setup, not all tenants have access to the file system and not all tenants want to use the same workflow that the super admin has configured in the api-manager.xml
file. For example, different departments in an enterprise can act as different tenants using the same API Manager instance and they can have different workflows. Also, an enterprise can combine WSO2 API Manager and WSO2 Business Process Server (BPS) to provide API Management As a Service to the clients. In this case, each client is a separate enterprise represented by a separate tenant. In both cases, the authority to approve business operations (workflows) resides within a tenant's space.
To allow different tenants to define their own custom workflows without editing configuration files, the API Manager provides configuration in tenant-specific locations in the registry, which you can access through the UI.
The topics below explain how to deploy a BPEL/human task using WSO2 BPS and how to point them to services deployed in the tenant spaces in the API Manager.
Deploying a BPEL and a HumanTask for a tenant
Only the users registered in the BPS can deploy BPELs and human tasks in it. Registration adds you to the user store in the BPS. In this guide, the API Manager and BPS use the same user store and all the users present in the BPS are visible to the API Manager as well. This is depicted by the diagram below:
Figure: API Manager and BPS share the same user and permission store
Warning |
---|
If you are using WSO2 BPS 3.2.0, please copy the This patch is built into the BPS version 3.5.0 onwards. |
Follow the steps below to deploy a BPEL and a human task for a tenant in the API Manager:
Table of Contents | ||||||
---|---|---|---|---|---|---|
|
Sharing the user/permission stores with the BPS and API Manager
...
Create a database for the shared user and permission store as follows:
Code Block | ||
---|---|---|
| ||
mysql> create database workflow_ustore;
Query OK, 1 row affected (0.00 sec) |
Tip |
---|
Make sure you copy the database driver (in this case, mysql driver) to the /repository/components/lib folder before starting each server. |
...
Run the <APIM_HOME>/dbscripts/mysql.sql
script (the script may vary depending on your database type) on the database to create the required tables.
Open the <APIM_HOME>/repository/conf/datasources/master-datasources.xml
and create a datasource pointing to the newly created database. For example,
...
language | xml |
---|
...
Using the API Manager, you can configure custom workflows that get invoked at the event of a user signup, application creation, registration, subscription, etc. You do these configurations in the workflow-extensions.xml
as described in the previous sections.
However, in a multi-tenant API Manager setup, not all tenants have access to the file system and not all tenants want to use the same workflow that the super admin has configured in the api-manager.xml
file. For example, different departments in an enterprise can act as different tenants using the same API Manager instance and they can have different workflows. Also, an enterprise can combine WSO2 API Manager and WSO2 Business Process Server (BPS) to provide API Management As a Service to the clients. In this case, each client is a separate enterprise represented by a separate tenant. In both cases, the authority to approve business operations (workflows) resides within a tenant's space.
To allow different tenants to define their own custom workflows without editing configuration files, the API Manager provides configuration in tenant-specific locations in the registry, which you can access through the UI.
The topics below explain how to deploy a BPEL/human task using WSO2 BPS and how to point them to services deployed in the tenant spaces in the API Manager.
Deploying a BPEL and a HumanTask for a tenant
Only the users registered in the BPS can deploy BPELs and human tasks in it. Registration adds you to the user store in the BPS. In this guide, the API Manager and BPS use the same user store and all the users present in the BPS are visible to the API Manager as well. This is depicted by the diagram below:
Figure: API Manager and BPS share the same user and permission store
Warning |
---|
If you are using WSO2 BPS 3.2.0, please copy the This patch is built into the BPS version 3.5.0 onwards. |
Follow the steps below to deploy a BPEL and a human task for a tenant in the API Manager:
Table of Contents | ||||||
---|---|---|---|---|---|---|
|
Sharing the user/permission stores with the BPS and API Manager
Create a database for the shared user and permission store as follows:
Code Block language sql mysql> create database workflow_ustore; Query OK, 1 row affected (0.00 sec)
Tip Make sure you copy the database driver (in this case, mysql driver) to the /repository/components/lib folder before starting each server.
Run the
<APIM_HOME>/dbscripts/mysql.sql
script (the script may vary depending on your database type) on the database to create the required tables.Open the
<APIM_HOME>/repository/conf/datasources/master-datasources.xml
and create a datasource pointing to the newly created database. For example,Code Block language xml <datasource> <name>USTORE</name> <description>The datasource used for API Manager database</description> <jndiConfig> <name>jdbc/ustore</name> </jndiConfig> <definition type="RDBMS"> <configuration> <maxActive>50</maxActive> <maxWait>60000</maxWait> <url>jdbc:mysql://127.0.0.1:3306/workflow_ustore?autoReconnect=true&relaxAutoCommit=true</url> <testOnBorrow>true</testOnBorrow> <username>root</username> <validationQuery>SELECT 1<<password>root</validationQuery>password> <validationInterval>30000</validationInterval><driverClassName>com.mysql.jdbc.Driver</driverClassName> <<maxActive>50</configuration>maxActive> </definition> </datasource>
- Repeat step 3 in the BPS as well.
- Point the datasource name in
<maxWait>60000</maxWait> <testOnBorrow>true</testOnBorrow> <validationQuery>SELECT 1</validationQuery> <validationInterval>30000</validationInterval> </configuration> </definition> </datasource>
- Repeat step 3 in the BPS as well.
Point the datasource name in
<APIM_HOME>/repository/conf/user-mgt.xml
to the new datasource. (note that the user store is configured using the<UserStoreManager>
element).Tip If you already have a user store such as the lDAP in your environment, you can point to it from the
user-mgt.xml
file, instead of the user store that we created in step1.In the following example, the same JDBC user store (that is shared by both the API Manager and the BPS) is used as the permission store as well:
Code Block language xml <Configuration> <AddAdmin>true</AddAdmin> <AdminRole>admin</AdminRole> <AdminUser> <UserName>admin</UserName> <Password>admin</Password> </AdminUser> <EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root --> <Property name="dataSource">jdbc/ustore</Property> </Configuration>
- Repeat step 5 in the BPS as well.
...
Create a separate database for the registry:
Code Block language sql mysql> create database workflow_regdb; Query OK, 1 row affected (0.00 sec)
Run the
<APIM_HOME>/dbscripts/mysql.sql
script (the script may vary depending on your database type) on the database to create the required tables.Note From WSO2 Carbon Kernel 4.4.6 onwards there are two MySQL DB scripts available in the product distribution. Click here to identify as to which version of the MySQL script to use.
script to use.
Create a new datasource in
<APIM_HOME>/repository/conf/datasources/master-datasources.xml
as done before:Code Block language xml <datasource> <name>REG_DB</name> <description>The datasource used for API Manager database</description> <jndiConfig> <name>jdbc/regdb</name> </jndiConfig> <definition type="RDBMS"> <configuration> <url>jdbc:mysql://127.0.0.1:3306/workflow_regdb?autoReconnect=true&relaxAutoCommit=true</url> <username>root</username> <password>root</password> <driverClassName>com.mysql.jdbc.Driver</driverClassName> <name>jdbc<maxActive>50</regdb</name>maxActive> </jndiConfig> <definition type="RDBMS"> <maxWait>60000</maxWait> <configuration> <testOnBorrow>true</testOnBorrow> <url>jdbc:mysql://127.0.0.1:3306/workflow_regdb?autoReconnect=true&relaxAutoCommit=true</url> <validationQuery>SELECT 1</validationQuery> <username>root</username> <validationInterval>30000</validationInterval> <password>root</password> </configuration> </definition> </datasource>
Add the following entries to
<APIM_HOME>/repository/conf/registry.xml
:Code Block language xml <dbConfig <driverClassName>com.mysql.jdbc.Driver</driverClassName>name="sharedregistry"> <dataSource>jdbc/regdb</dataSource> <maxActive>50<</maxActive>dbConfig> <remoteInstance url="https://localhost:9443/registry"> <maxWait>60000<<id>mount</maxWait>id> <dbConfig>sharedregistry</dbConfig> <testOnBorrow>true</testOnBorrow> <readOnly>false</readOnly> <validationQuery>SELECT 1<<enableCache>true</validationQuery>enableCache> <registryRoot>/</registryRoot> <validationInterval>30000<</validationInterval>remoteInstance> <!-- This defines the </configuration>mount configuration to be used </definition> </datasource>
Add the following entries to
<APIM_HOME>/repository/conf/registry.xml
:Code Block language xml <dbConfig name="sharedregistry"> <dataSource>jdbc/regdb</dataSource> </dbConfig> <remoteInstance url="https://localhost:9443/registrywith the remote instance and the target path for the mount --> <mount path="/_system/config" overwrite="true"> <id>mount<<instanceId>mount</id>instanceId> <dbConfig>sharedregistry</dbConfig><targetPath>/_system/nodes</targetPath> </mount> <mount path="/_system/governance" overwrite="true"> <readOnly>false</readOnly> <enableCache>true</enableCache><instanceId>mount</instanceId> <registryRoot>/</registryRoot><targetPath>/_system/governance</targetPath> </remoteInstance> <!-- This defines the mount configuration to be used with the remote instance and the target path for the mount --> <mount path="/_system/config" overwrite="true"> <instanceId>mount</instanceId> <targetPath>/_system/nodes</targetPath> </mount> <mount path="/_system/governance" overwrite="true"> <instanceId>mount</instanceId> <targetPath>/_system/governance</targetPath> </mount>
Repeat the above three steps in the BPS as well.
Create a new datasource in <APIM_HOME>/repository/conf/datasources/master-datasources.xml
as done before:
language | xml |
---|
Creating a BPEL
In this section, you create a BPEL that has service endpoints pointing to services hosted in the tenant's space. This example uses the Application Creation workflow.
Set a port offset of 2 to the BPS using the
<BPS_HOME>/repository/conf/carbon.xml
file. This prevents any port conflicts when you start more than one WSO2 products on the same server.Log in to the API Manager's management console (
https://localhost:9443/carbon
) and create a tenant using the Configure -> Multitenancy menu.Create a copy of the BPEL located in
<APIM_HOME>/business-processes/application-creation/BPEL
.Extract the contents of the new BPEL archive.
Copy
ApplicationService.epr
andApplicationCallbackService.epr
from<APIM_HOME>/business-processes/epr
folder to the folder extracted before. Then, rename the two files asApplicationService-Tenant.epr
andApplicationCallbackService-Tenant.epr
respectively.Open
ApplicationService-Tenant.epr
and change thewsa:Address
tohttp://localhost:9765/services/t/<tenant domain>/ApplicationService
.Point the
deploy.xml
file of the extracted folder to the new .epr files provided in the BPEL archive. For example,Code Block language xml <invoke partnerLink="AAPL"> <service name="applications:ApplicationService" port="ApplicationPort"> <endpoint xmlns="http://wso2.org/bps/bpel/endpoint/config" endpointReference="ApplicationService-Tenant.epr"></endpoint> </service> </invoke> <invoke partnerLink="CBPL"> <service name="callback.workflow.apimgt.carbon.wso2.org:WorkflowCallbackService" port="WorkflowCallbackServiceHttpsSoap11Endpoint"> <endpoint xmlns="http://wso2.org/bps/bpel/endpoint/config" endpointReference="ApplicationCallbackService-Tenant.epr"></endpoint> </service> </invoke>
Zip the content and create a BPEL archive in the following format:
Code Block ApplicationApprovalWorkFlowProcess_1.0.0-Tenant.zip |_ApplicationApprovalWorkFlowProcess.bpel |_ApplicationApprovalWorkFlowProcessArtifacts.wsdl |_ApplicationCallbackService-Tenant.epr |_ApplicationService-Tenant.epr |_ApplicationsApprovalTaskService.wsdl |_SecuredService-service.xml |_WorkflowCallbackService.wsdl |_deploy.xml
- Log into the BPS as the tenant admin and upload the BPEL.
/mount>
Repeat the above three steps in the BPS as well.
Creating a BPEL
In this section, you create a BPEL that has service endpoints pointing to services hosted in the tenant's space. This example uses the Application Creation workflow.
Set a port offset of 2 to the BPS using the
<BPS_HOME>/repository/conf/carbon.xml
file. This prevents any port conflicts when you start more than one WSO2 products on the same server.Log in to the API Manager's management console (
https://localhost:9443/carbon
) and create a tenant using the Configure -> Multitenancy menu.Create a copy of the BPEL located in
<APIM_HOME>/business-processes/application-creation/BPEL
.Extract the contents of the new BPEL archive.
Copy
ApplicationService.epr
andApplicationCallbackService.epr
from<APIM_HOME>/business-processes/epr
folder to the folder extracted before. Then, rename the two files asApplicationService-Tenant.epr
andApplicationCallbackService-Tenant.epr
respectively.Open
ApplicationService-Tenant.epr
and change thewsa:Address
tohttp://localhost:9765/services/t/<tenant domain>/ApplicationService
.Point the
deploy.xml
file of the extracted folder to the new .epr files provided in the BPEL archive. For example,Code Block language xml <invoke partnerLink="AAPL"> <service name="applications:ApplicationService" port="ApplicationPort"> <endpoint xmlns="http://wso2.org/bps/bpel/endpoint/config" endpointReference="ApplicationService-Tenant.epr"></endpoint> </service> </invoke> <invoke partnerLink="CBPL"> <service name="callback.workflow.apimgt.carbon.wso2.org:WorkflowCallbackService" port="WorkflowCallbackServiceHttpsSoap11Endpoint"> <endpoint xmlns="http://wso2.org/bps/bpel/endpoint/config" endpointReference="ApplicationCallbackService-Tenant.epr"></endpoint> </service> </invoke>
Zip the content and create a BPEL archive in the following format:
Code Block ApplicationApprovalWorkFlowProcess_1.0.0-Tenant.zip |_ApplicationApprovalWorkFlowProcess.bpel |_ApplicationApprovalWorkFlowProcessArtifacts.wsdl |_ApplicationCallbackService-Tenant.epr |_ApplicationService-Tenant.epr |_ApplicationsApprovalTaskService.wsdl |_SecuredService-service.xml |_WorkflowCallbackService.wsdl |_deploy.xml
- Log into the BPS as the tenant admin and upload the BPEL.
Creating a Tenant for Authentication
Step 1: Create a registry resource in the tenant's configuration registry
- Start the BPS server If it is not started already.
- Navigate to Registry>Browse in the Main menu of the management console and click on
/_system/config.
Click on Entries>Add Resource and fill the form using the values listed below for guidance. See Adding a Resource for more information.
Method Name Media Type Create Text Content TaskCoordination text/plain - Click Add to finish adding the resource.
Step 2: Create username and password registry properties and define credentials
Click on the registry resource you created (Task Coordination) found under the Entries section.
Add two new registry properties for the resource called "Username" and "Password", and define the tenant coordination user credentials. To do this, click Properties>Add New Property and enter the following values. See Managing Properties for more information.
Username Property Password Property Name: username Name: password Value: (username value) Value: (password value) Click Add to finish adding the property.
Creating a human task
Similar to creating a BPEL, create a HumaTask that has service endpoints pointing to services hosted in the tenant's space.
...
You have now completed configuring the Application Creation workflow for a tenant. Whenever a tenant user logs in to the tenant store and create an application, the workflow will be invoked. You log in to the Admin Portal (https://<Server Host>:9443/admin
) as the tenant admin and browse Application Creation menu to see all approval tasks have been created for newly created applications.