WSO2 API Manager is a complete solution for publishing APIs, creating and managing a developer community and for routing API traffic in a scalable manner. It leverages the integration, security and governance components from the WSO2 Enterprise Service Bus, WSO2 Identity Server, and WSO2 Governance Registry. In addition, as it is powered by the WSO2 Business Activity Monitor (BAM), the WSO2 API Manager is ready for massively scalable deployments immediately.
...
Application access tokens are generated at the application level and valid for all APIs that you associate to the application. These tokens have a fixed expiration time, which is set to 60 minutes 3600 seconds by default. You can change this to a longer time, even for several weeks. Consumers can regenerate the access token directly from the API Store. To change the default expiration time, you open the <APIM_HOME>/repository/conf/identity.xml
file and change the value of the element <ApplicationAccessTokenDefaultValidityPeriod>
. If you set a negative value, the token never expires. This value only applies to the new applications you create.
Application user access token
...
- Open the API Publisher (
https://<hostname>:9443/publisher)
and log in asapicreator
. Click the Add link and provide the information given in the table below. Click Implement once you are done.
Field Sample value Name PhoneVerificationContext/phoneverifyVersion 1.0.0 Visibility Public Resources URL pattern CheckPhoneNumber Request types GET, POST, OPTIONS Give the following information in the Implement tab that opens and click Manage once you are done.
Field Sample value Implementation method Backend Endpoint type HTTP Production endpoint In this guide, we work with a service exposed by the Cdyne services provider. We use their phone validation service, which has SOAP and REST interfaces. Endpoint is http://ws.cdyne.com/phoneverify/phoneverify.asmx.
This sample service has two operations as
CheckPhoneNumber
andCheckPhoneNumbers
. Let's useCheckPhoneNumber
here.Endpoint security scheme Non Secured (If secured, user is asked for credentials of the backend service) Click Manage to go to the
Manage
tab and provide the following information.Field Value Description Tier Availability Bronze/Gold/Silver/Unlimited The API can be available at different level of service; you can select multiple entries from the list. At subscription time, the consumer chooses which tier they are interested in. Tip Tip: For resources that have methods requiring authentication (i.e., Auth Type is not NONE), you set None as the Auth type of
OPTIONS
to support CORS (Cross Origin Resource Sharing) between the API Store and Gateway.Once you are done, click Save and Publish. Go to the API Store (
https://<hostname>:9443/store
) and note that the API you just published is listed there.
Adding API documentation
After saving the API, click on its thumbnail in the API Publisher to open it.
Click on the API's Docs tab and click the Add New Document link.
The document options appear. Note that you can create documentation inline, via a URL or as a file. For inline documentation, you can edit the content directly from the API publisher interface. You get several documents types:
- How To
- Samples and SDK
- Public forum / Support forum (external link only)
- API message formats
- Other
Create a 'How To,' using in-line content as the source. The document name is
SimpleClient
and click the Add Document button.Once the document is added, click Edit Content link associated with it to opens an embedded editor.
Enter your API's documentation.
Versioning the API
Let's create a new version of this API.
- Log in to the API Publisher as
apicreator
if you are not logged in already. - Click on the
PhoneVerification
API and then the Copy button that appears in its Overview tab. Give a new version number (e.g., 2.0.0) and click Done.
Tip Tip: The Default Version option means that you make this version the default in a group of different versions of the API. A default API can be invoked without specifying the version number in the URL. For example, if you mark http://host:port/youtube/2.0 as the default version when the API has 1.0 and 3.0 versions as well, requests made to http://host:port/youtube/ get automatically routed to version 2.0.
If you mark any version of an API as the default, you get two API URLs in its Overview page in the API Store. One URL is with the version and the other is without. You can invoke a default version using both URLs.
If you mark an unpublished API as the default, the previous default, published API will still be used as the default until the new default API is published (or prototyped).
A new version of the API is created. It is a duplication of all the original API, including its documentation. The PhoneVerification 2.0.0
API is now ready to be published. This is typically done by a user in the publisher
role.
Publishing the API
...
- Propagate Changes to API Gateway: Used to define an API proxy in the API Gateway runtime component, allowing the API to be exposed to the consumers via the API Gateway. If this option is left unselected, the API metadata will not change and you will have to manually configure the API Gateway according to the information published in the API Store.
- Deprecate Old Versions: If selected, any prior versions of the API will be set to the DEPRECATED state automatically.
- Require Re-Subscription: Invalidates current user subscriptions, forcing users to subscribe again.
Adding interactive documentation
The API Manager provides facility to add interactive documentation support through the integration of Swagger. Swagger is a specification and a complete framework implementation for describing, producing, consuming, and visualizing RESTful Web services. In Swagger, when APIs are described in simple static JSON representation, they can be loaded through the Swagger UI, which in turn provides the interactive documentation.
When an API is created, the JSON representation of that API is automatically generated and saved into the registry as API definition. This definition describes the API with the information provided at the API creation level. You can customize the automatically generated API definition as follows:
...
When the Swagger definition of the API opens, document the parameters required by the API Console.
For example, the PhoneVerification
API requires a telephone number and a license key. You can document this by adding the following under the parameters section of the GET method:
Code Block |
---|
parameters:
- description: Request Body
name: body
allowMultiple: false
required: true
type: string
paramType: body
- description: Give the phone number to be validated
name: PhoneNumber
type: string
required: "True"
paramType: query
- description: "Give the license key. If you don't have any, enter 0"
name: LicenseKey
type: string
required: "True"
paramType: query |
...
Subscribing to the API
You subscribe to APIs using the API Store Web application.
The API you published earlier is available in the API Store. Self sign up to the API Store using the Sign-up link.
After subscription, log in to the API Store and click the API you published earlier (PhoneVerification 2.0.0).
- Note that you can see the subscription option in the right hand side of the UI after logging in. Select the default application and
Bronze
tier, and click Subscribe.
Applications
An application is a logical collection of one or more APIs, and is required when subscribing to an API. You can subscribe to multiple APIs using the same application. Instead of using the default application, you can also create your own by selecting the New Application... option in the above drop-down list or by going to the My Applications menu in the top menu bar.
- Once the subscription is successful, go to My Subscriptions page.
- In the My Subscriptions page, click the Generate buttons to generate production and sandbox access tokens and consumer key/secret pairs for the API.
Invoking the API
To invoke an API, you can use the integrated Swagger interactive documentation support (or any other simple REST client application or curl).
- Log in to the API Store (
https:/
/<YourHostName>:9443/store
). Click the APIs menu in the API Store and then click on the API that you want to invoke. When the API opens, go to its API Console tab.
Note the changes you did in the Swagger definition earlier displayed on the console. For example, expand the GET method and see the two parameters that you added:
Let's invoke this API using the API Console.On the API Console, give values to the
PhoneNumber
andLicenseKey
and click Try it Out to invoke the API.Tip Tip: If you cannot invoke the API's HTTPS endpoint (causes the SSLPeerUnverified exception), it could be because the security certificate issued by the server is not trusted by your browser. To resolve this issue, access the HTTPS endpoint directly from your browser and accept the security certificate.
Note the response for the API invocation. As we used a valid phone number in this example, the response is valid.
You have invoked an API using the Swagger API console.
Monitoring APIs and viewing statistics
Both the API publisher and store provide several statistical dashboards. Some of them are as follows:
- Number of subscriptions per API (across all versions of an API)
- Number of API calls being made per API (across all versions of an API)
- The subscribers who did the last 10 API invocations and the APIs/versions they invoked
Usage of an API and from which resource path (per API version)
- Number of times a user has accessed an API
- The number of API invocations that failed to reach the endpoint per API per user
- API usage per application
- Users who make the most API invocations, per application
- API usage from resource path, per application
Configuring statistics
Do the following if you are on a Windows environment:
JDK 1.6.* or 1.7
Note If you install JDK in Program Files in the Windows environment, avoid the space by using PROGRA~1 when specifying environment variables for JAVA_HOME and PATH. Else, the server throws an exception.
- Cygwin (http://www.cygwin.com): This is required only if you are using Windows. WSO2 BAM analytics framework depends on Apache Hadoop, which requires Cygwin in order to run on Windows. Install at least the basic net (OpenSSH,tcp_wrapper packages) and security related Cygwin packages. After Cygwin installation, update the PATH variable with
C:/cygwin/bin
and restart BAM.
Steps below explain how to configure WSO2 BAM 2.4.1 with the API Manager.
...
Do the following changes in <APIM_HOME>/repository/conf/api-manager.xml
file:
- Enable API usage tracking by setting the
<APIUsageTracking>
element to true - Set the Thrift port to 7614
- Uncomments and set the data source used for getting BAM statistics in
<DataSourceName>
element. - Set <BAMServerURL> to tcp://<BAM host IP>:7614/ where <BAM host IP> is the machine IP address. Do not use localhost unless you're in a disconnected mode.
Code Block | ||
---|---|---|
| ||
<APIUsageTracking>
<!-- Enable/Disable the API usage tracker. -->
<Enabled>true</Enabled>
<PublisherClass>org.wso2.carbon.apimgt.usage.publisher.APIMgtUsageDataBridgeDataPublisher</PublisherClass>
<ThriftPort>7614</ThriftPort>
<BAMServerURL>tcp://<BAM host IP>:7614/</BAMServerURL>
<BAMUsername>admin</BAMUsername>
<BAMPassword>admin</BAMPassword>
<!-- JNDI name of the data source to be used for getting BAM statistics. This data source should
be defined in the master-datasources.xml file in conf/datasources directory. -->
<DataSourceName>jdbc/WSO2AM_STATS_DB</DataSourceName>
</APIUsageTracking> |
Specify the datasource definition in <APIM_HOME>/repository/conf/datasources/master-datasources.xml
file as follows.
...
language | xml |
---|
...
Adding interactive documentation
The API Manager provides facility to add interactive documentation support through the integration of Swagger. Swagger is a specification and a complete framework implementation for describing, producing, consuming, and visualizing RESTful Web services. You describe APIs in simple, static JSON representation through the Swagger API definition in the API Store. When an API is created, the JSON representation of that API is automatically generated and saved in the registry. This definition reflects the information you provide at the API creation stage. You can customize it as follows:
- Open the API Publisher (
https://<hostname>:9443/publisher)
and log in asapicreator
if you haven't done so already. - Click the
PhoneVerification
API to open it and then click the Edit link right next to the API's name. This opens the API in its edit mode. - Click the Edit Swagger Definition button.
When the Swagger definition of the API opens, navigate to the GET method, add the following parameters to it and remove the existing body parameter. The code is given below:
Anchor thisStep thisStep Code Block parameters: - description: Give the phone number to be validated name: PhoneNumber type: string required: "True" paramType: query - description: "Give the license key. If you don't have any, enter 0" name: LicenseKey type: string required: "True" paramType: query
- Click Save once the changes are done. In a later section, we will see how these parameters appear to subscribers in the API Console of the API Store.
Versioning the API
Let's create a new version of this API.
- Log in to the API Publisher as
apicreator
if you are not logged in already. - Click on the
PhoneVerification
API and then the Copy button that appears in its Overview tab. Give a new version number (e.g., 2.0.0) and click Done.
Tip Tip: The Default Version option means that you make this version the default in a group of different versions of the API. A default API can be invoked without specifying the version number in the URL. For example, if you mark http://host:port/youtube/2.0 as the default version when the API has 1.0 and 3.0 versions as well, requests made to http://host:port/youtube/ get automatically routed to version 2.0.
If you mark any version of an API as the default, you get two API URLs in its Overview page in the API Store. One URL is with the version and the other is without. You can invoke a default version using both URLs.
If you mark an unpublished API as the default, the previous default, published API will still be used as the default until the new default API is published (or prototyped).
A new version of the API is created. It is a duplication of the original API, including its documentation. The PhoneVerification 2.0.0
API is now ready to be published. This is typically done by a user in the publisher
role.
Publishing the API
- Log in to the API Publisher as
apipublisher
that you created earlier in this guide. - Click on the
PhoneVerification
API version 2.0.0. Note that you now see a tab by the name Lifecycle in the API Publisher. - Go to the Lifecycle tab and select the state as
PUBLISHED
from the drop-down list.
The three checkboxes mean the following:- Propagate Changes to API Gateway: Used to define an API proxy in the API Gateway runtime component, allowing the API to be exposed to the consumers via the API Gateway. If this option is left unselected, the API metadata will not change and you will have to manually configure the API Gateway according to the information published in the API Store.
- Deprecate Old Versions: If selected, any prior versions of the API that are published will be set to the DEPRECATED state automatically.
- Require Re-Subscription: Invalidates current user subscriptions, forcing users to subscribe again.
- Go to the API Store (
https://<hostname>:9443/store)
using your browser and note that thePhoneVerification 2.0.0
is visible under the APIs menu.
Subscribing to the API
You subscribe to APIs using the API Store.
Self sign up to the API Store using the Sign-up link.
After signing up, log in to the API Store and click the API that you published earlier (
PhoneVerification 2.0.0
).Note that you can now see the subscription options on the right hand side of the UI. Select the default application and
Bronze
tier, and click Subscribe.- Once the subscription is successful, choose to go to the My Subscriptions page.
In the My Subscriptions page, click the Generate buttons to generate access tokens that you need to invoke the API.
Tip Tip: You can set a token validity period in the given text box. By default, it is set to one hour. If you set a minus value (e.g., -1), the token will never expire.
Invoking the API
Let's invoke the API using the integrated Swagger-based API Console.
Click the APIs menu in the API Store and then click on the API that you want to invoke. When the API opens, go to its API Console tab.
Expand the GET method of the resource
CheckPhoneNumber
. Note the parameters that you added in this step now appearing with their descriptions in the console.Give sample values to the
PhoneNumber
andLicenseKey
and click Try it Out to invoke the API.Tip Tip: If you cannot invoke the API's HTTPS endpoint (causes the SSLPeerUnverified exception), it could be because the security certificate issued by the server is not trusted by your browser. To resolve this issue, access the HTTPS endpoint directly from your browser and accept the security certificate.
Note the response for the API invocation. As we used a valid phone number in this example, the response is valid.
You have invoked an API using the API Console.
Monitoring APIs and viewing statistics
Both the API publisher and store provide several statistical dashboards. Some of them are as follows:
- Number of subscriptions per API (across all versions of an API)
- Number of API calls being made per API (across all versions of an API)
- The subscribers who did the last 10 API invocations and the APIs/versions they invoked
Usage of an API and from which resource path (per API version)
- Number of times a user has accessed an API
- The number of API invocations that failed to reach the endpoint per API per user
- API usage per application
- Users who make the most API invocations, per application
API usage from resource path, per application
Tip |
---|
If you are on Windows, note the following:
|
Steps below explain how to configure WSO2 BAM 2.5.0 with the API Manager. Let's do the configurations first.
Do the following changes in
<APIM_HOME>/repository/conf/api-manager.xml
file:- Enable API usage tracking by setting the
<APIUsageTracking>
element to true - Set the Thrift port to 7614
- Uncomments and set the data source used for getting BAM statistics in
<DataSourceName>
element. - Set <BAMServerURL> to tcp://<BAM host IP>:7614/ where <BAM host IP> is the machine IP address. Do not use localhost unless you're in a disconnected mode.
Code Block language xml <APIUsageTracking> <!-- Enable/Disable the API usage tracker. --> <Enabled>true</Enabled> <PublisherClass>org.wso2.carbon.apimgt.usage.publisher.APIMgtUsageDataBridgeDataPublisher</PublisherClass> <ThriftPort>7614</ThriftPort> <BAMServerURL>tcp://<BAM host IP>:7614/</BAMServerURL> <BAMUsername>admin</BAMUsername> <BAMPassword>admin</BAMPassword> <!-- JNDI name of the data source to be used for getting BAM statistics. This data source should be defined in the master-datasources.xml file in conf/datasources directory. --> <DataSourceName>jdbc/WSO2AM_STATS_DB</DataSourceName> </APIUsageTracking>
- Enable API usage tracking by setting the
Specify the datasource definition in
<APIM_HOME>/repository/conf/datasources/master-datasources.xml
file as follows.
Next, prepare BAM to collect and analyze statistics from API manager.Code Block language xml <datasource> <name>WSO2AM_STATS_DB</name> <description>The datasource used for getting statistics to API Manager</description> <jndiConfig> <name>jdbc/WSO2AM_STATS_DB</name> <name>WSO2AM_STATS_DB</name></jndiConfig> <description>The datasource used for getting statistics to API Manager</description><definition type="RDBMS"> <configuration> <jndiConfig> <!-- <name>jdbc/WSO2AM_STATS_DB</name> JDBC URL to query the database --> </jndiConfig> <definition type="RDBMS"> <url>jdbc:h2:<BAM_HOME>/repository/database/APIMGTSTATS_DB;AUTO_SERVER=TRUE</url> <configuration> <username>wso2carbon</username> <!-- JDBC URL to<password>wso2carbon</password> query the database --> <url>jdbc:h2:<BAM_HOME>/repository/database/APIMGTSTATS_DB;AUTO_SERVER=TRUE</url><driverClassName>org.h2.Driver</driverClassName> <username>wso2carbon<<maxActive>50</username>maxActive> <password>wso2carbon<<maxWait>60000</password>maxWait> <driverClassName>org.h2.Driver</driverClassName><testOnBorrow>true</testOnBorrow> <validationQuery>SELECT <maxActive>50<1</maxActive>validationQuery> <maxWait>60000</maxWait> <testOnBorrow>true</testOnBorrow> <validationQuery>SELECT 1</validationQuery> <validationInterval>30000</validationInterval> </configuration> </definition> </datasource>
- Download WSO2 BAM 2.4.1 or later from location: http://wso2.com/products/business-activity-monitor.
Change port offset of BAM to 3 by editing the file
<BAM_HOME>/repository/conf/carbon.xml
file (search for the offset node).Code Block language html/xml <Offset>3</Offset>
This increments all ports used by the server by 3, which means the BAM server will run on port 9446. Port offset is used to increment the default port by a given value. It avoids possible port conflicts when multiple WSO2 products run in same host.
- Do the following changes in
<BAM_HOME>/repository/conf/datasources/bam_datasources.xml
file:- Copy/paste
WSO2_AMSTATS_DB
definition from API Manager'smaster-datasources.xml
file. You edited it in step 2. Replace the port of
WSO2BAM_CASSANDRA_DATASOURCE
in URL (jdbc:cassandra://localhost:9163/EVENT_KS
). Note that localhost is used here; not the machine IP.Note - Do not edit the
WSO2BAM_UTIL_DATASOURCE
, which is using the offset - Cassandra is bound by default on localhost, unless you change the data-bridge/data-bridge-config.xml file
- Do not edit the
- Copy/paste
- Copy the file
<APIM_HOME>/statistics/API_Manager_Analytics.tbox
to directory<BAM_HOME>/repository/deployment/server/bam-toolbox
.
If this folder is not in the BAM installation directory by default, create it. The toolbox describes the information collected, how to analyze the data, as well as the location of the database where the analyzed data is stored.Open<validationInterval>30000</validationInterval> </configuration> </definition> </datasource>
Save the database driver JAR inside both
<AM_HOME>/repository/components/lib
and<BAM_HOME>/repository/components/lib
folders.Next, prepare BAM to collect and analyze statistics from API manager.
- Download WSO2 BAM 2.5.0 or later from location: http://wso2.com/products/business-activity-monitor.
Change port offset of BAM to 3 by editing the file
<BAM_HOME>/repository/conf/carbon.xml
file (search for the offset node).Code Block language html/xml <Offset>3</Offset>
This increments all ports used by the server by 3, which means the BAM server will run on port 9446. Port offset is used to increment the default port by a given value. It avoids possible port conflicts when multiple WSO2 products run in same host.
- <Nodes>localhost:9163</Nodes>
In
<BAM_HOME>/repository/conf
/etc/hector-config.xml file and change the port to localhost:9163. You must add the other nodes too when configuring a clustered setup.Code Block language xml /datasources/bam_datasources.xml
file, copy/pasteWSO2_AMSTATS_DB
definition from API Manager'smaster-datasources.xml
file. You edited it in step 2. Restart the BAM server by running
<BAM_HOME>/bin/wso2server.[sh/bat]
.
Viewing statistics
...
Let's see the statistics now.
Generate some traffic via the API Gateway (invoke the Cdyne API we use in this guide) and wait a few seconds.
...
- Connect to the API Publisher as a creator or publisher.
In the publisher role, you are able to see all stats and as creator, you see stats specific to the APIs you create. - Click the Statistics menu. We show the sample statistics here, but you will see graphs specific to your instance.
- Similarly, API subscribers can also see statistics though the API Store. Click the Statistics menu as follows:
...
This concludes the API Manager quick start. You have set up the API Manager and taken a look at its common usecasesgone through the basic usecases of the product. For more advanced usecases, please see the User Guide and the Admin Guide of the API Manager documentation.