This topic provides instructions on how to configure the multiple Gateways in WSO2 API Manager (WSO2 API-M) in a distributed deployment to facilitate high availability (HA). The instructions in this topic are based on the Distributed Deployment of API Manager and these configurations will only work if the configurations in that topic are done correctly. For instance, all datasource configurations are already done for the Gateway in that topic and hence do not need to be repeated here.
The following sections provide specific instructions on configuring the Gateway cluster.
Gateway deployment pattern
The configurations in this topic will be done based on the following pattern. This pattern is used as a basic Gateway cluster where the worker nodes and manager nodes are separated.
Step 1 - Configure the load balancer
NGINX is used for this scenario, but you can use any load balancer that you prefer here. The following are the configurations that need to be done for the load balancer.
Use the following steps to configure Nginx as the load balancer for WSO2 products.
- Install Nginx using the following command.
$sudo apt-get install nginx
Configure Nginx Plus to direct the HTTP requests to the two worker nodes via the HTTP 80 port using the
http://am.wso2.com/<service>
. To do this, create a VHost file (am.http.conf
) in the/etc/nginx/conf.d/
directory and add the following configurations into it.upstream wso2.am.com { sticky cookie JSESSIONID; server xxx.xxx.xxx.xx4:9763; server xxx.xxx.xxx.xx5:9763; } server { listen 80; server_name am.wso2.com; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_read_timeout 5m; proxy_send_timeout 5m; proxy_pass http://wso2.am.com; } }
Configure Nginx Plus to direct the HTTPS requests to the two worker nodes via the HTTPS 443 port using
https://am.wso2.com/<service>
. To do this, create a VHost file (am.https.conf
) in the/etc/nginx/conf.d/
directory and add the following configurations into it.upstream ssl.wso2.am.com { sticky cookie JSESSIONID; server xxx.xxx.xxx.xx4:9443; server xxx.xxx.xxx.xx5:9443; } server { listen 443; server_name am.wso2.com; ssl on; ssl_certificate /etc/nginx/ssl/wrk.crt; ssl_certificate_key /etc/nginx/ssl/wrk.key; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_read_timeout 5m; proxy_send_timeout 5m; proxy_pass https://ssl.wso2.am.com; } }
Configure Nginx Plus to access the Management Console as
https://mgt.am.wso2.com/carbon
via HTTPS 443 port. This is to direct requests to the manager node. To do this, create a VHost file (mgt.am.https.conf
) in the/etc/nginx/conf.d/
directory and add the following configurations into it.server { listen 443; server_name mgt.am.wso2.com; ssl on; ssl_certificate /etc/nginx/ssl/mgt.crt; ssl_certificate_key /etc/nginx/ssl/mgt.key; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_read_timeout 5m; proxy_send_timeout 5m; proxy_pass https://xxx.xxx.xxx.xx3:9443/; } error_log /var/log/nginx/mgt-error.log ; access_log /var/log/nginx/mgt-access.log; }
Restart the Nginx Plus server.
$sudo service nginx restart
Tip: You do not need to restart the server if you are simply making a modification to the VHost file. The following command should be sufficient in such cases.
sudo service nginx reload
Step 2 - Create SSL certificates
Create SSL certificates for both the manager and worker nodes using the instructions that follow.
- In the sample configurations given under Step 1 - Configure the Load Balancer, the names of ssl key and the certificate for the manager node is mgt.key and mgt.crt, and for worker node its wrk.key and wrk.crt respectively. Please uset these names for <key_name> and <certificate_name> when you are generating keys and certificates.
- While creating keys, enter the host name (
am.wso2.com
ormgt.am.wso2.com
) as the Common Name.
Create the Server Key.
$sudo openssl genrsa -des3 -out <key_name>.key 1024
Certificate Signing Request.
$sudo openssl req -new -key <key_name>.key -out server.csr
Remove the password.
$sudo cp <key_name>.key <key_name>.key.org $sudo openssl rsa -in <key_name>.key.org -out <key_name>.key
Sign your SSL Certificate.
$sudo openssl x509 -req -days 365 -in server.csr -signkey <key_name>.key -out <certificate_name>.crt
Copy the key and certificate files generated in above step 4 to
/etc/nginx/ssl/
location.
You have now configured the load balancer to handle requests sent to am.wso2.com
and to distribute the load among the worker nodes in the worker
sub-domain of the wso2.am.domain
cluster.
You are now ready to set up the cluster configurations. The next step is to configure the Gateway manager.
Step 3 - Configure the Gateway manager
Management nodes specialize in management of the setup. Only management nodes are authorized to add new artifacts into the system or make configuration changes. Management nodes are usually behind an internal firewall and are exposed to clients running within the organization only. This section involves setting up the Gateway node and enabling it to work with the other components in the distributed setup.
Step 3.1 - Configure the common configurations
Carryout the following configurations on the Gateway manager node.
Note that these configurations are common to the Gateway Manager and Gateway Worker nodes.
- Open the
<API-M_HOME>/repository/conf/api-manager.xml
file in the Gateway node. Modify the api-manager.xml file as follows. This configures the connection to the Key Manager component.
<APIKeyValidator> <ServerURL>https://<IP of the Key Manager>:9443/services/</ServerURL> <Username>admin</Username> <Password>admin</Password> ... </APIKeyValidator>
Change admin password
To change the admin password go to Changing the super admin password. See the note given under step 2 for instructions to follow if your password has special characters.
Configure key management related communication.
If you need to enable JSON Web Token (JWT) you have to enable it in all Gateway and Key Manager components.
For more information on enabling JWT, see Generating JSON Web Token.
Step 3.2 - Configure the carbon.xml file
The following configurations are done in the <GATEWAY_MANAGER_HOME>/repository/conf/carbon.xml
file.
- Open
<GATEWAY_MANAGER_HOME>/repository/conf/carbon.xml
. - Locate the
<HostName>
tag and add the cluster host name:<HostName>am.wso2.com</HostName>
- Locate the
<MgtHostName>
tag and uncomment it. Make sure that the management host name is defined as follows:<MgtHostName> mgt.am.wso2.com </MgtHostName>
Step 3.3 - Configure the catalina-server.xml file
Specify the following configurations in the catalina-server.xml
file located in the <GATEWAY_MANAGER_HOME>/repository/conf/tomcat/
directory.
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9763" proxyPort="80" -------- /> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443" proxyPort="443" -------- />
The TCP port
number is the value that this Connector
will use to create a server socket and await incoming connections. Your operating system will allow only one server application to listen to a particular port number on a particular IP address.
Step 3.4 - Map the hostnames to IPs
Open the server's /etc/hosts
file and add the following.
<GATEWAY-WORKER-IP> am.wso2.com
In this example, it would look like this:
xxx.xxx.xxx.xx4 am.wso2.com
Once you replicate these configurations for all the manager nodes, your Gateway manager is configured. Next configure the Gateway worker.
Step 4 - Configure the Gateway worker
Worker nodes specialize in serving requests to deployment artifacts and and reading them. They can be exposed to external clients.
Step 4.1 - Configure the common configurations
Carryout the following configurations on the Gateway worker node.
Macro lookup error: excerpt "common-gw-steps" was not found on page "Distributed Deployment of the Gateway" (with ID 32736398) in space "AM210".
If you're experiencing issues please see our Troubleshooting Guide.
Step 4.2 - Configure the carbon.xml file
- Open
<GATEWAY_WORKER_HOME>/repository/conf/carbon.xml
on each worker node. Specify the host name as follows.
<HostName>am.wso2.com</HostName>
You can configure the Deployment Synchronizer, which is also done in the
carbon.xml
file.
Step 4.3 - Configure the catalina-server.xml file
Make the following configuration changes in the catalina-server.xml file which is found in the <GATEWAY_WORKER_HOME>/repository/conf/tomcat/
directory.
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9763" proxyPort="80" -------- /> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443" proxyPort="443" -------- />
In the next section, we will map the host names we specified to real IPs.
Step 4.4 - Map the hostnames to IPs
Open the server's /etc/hosts
file and add the following.
<GATEWAY-MANAGER-IP> mgt.am.wso2.com
In this example, it would look like this:
xxx.xxx.xxx.xx3 mgt.am.wso2.com
Step 5 - Optionally configure Hazelcast
You can seamlessly deploy WSO2 API Manager using local caching in a clustered setup without Hazelcast clustering. However, there are edge case scenarios where you need to enable Hazelcast clustering. To identify whether you need Hazelcast clustering and to configure Hazelcast clustering if needed, see Working with Hazelcast Clustering.
Step 6 - Start the Gateway Nodes
Step 6.1 - Start the Gateway manager
Comment the following configurations in the
<API-M_HOME>/repository/conf/api-manager.xml
file.<JMSEventPublisherParameters> <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial> <java.naming.provider.url>repository/conf/jndi.properties</java.naming.provider.url> <transport.jms.DestinationType>topic</transport.jms.DestinationType> <transport.jms.Destination>throttleData</transport.jms.Destination> <transport.jms.ConcurrentPublishers>allow</transport.jms.ConcurrentPublishers> <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName> </JMSEventPublisherParameters>
Start the Gateway manager by typing the following command in the terminal.
sh <GATEWAY_MANAGER_HOME>/bin/wso2server.sh
Step 6.2 - Start the Gateway worker
It is recommendation is to delete the <API-M_HOME>/repository/deployment/server
directory and create an empty server directory in the worker node. This is done to avoid any SVN conflicts that may arise. Note that when you do this, you may have to restart the worker node after you start it in order to avoid an error.
Update the
<API-M_HOME>/repository/conf/api-manager.xml
file by commenting out the following configurations.<JMSEventPublisherParameters> <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial> <java.naming.provider.url>repository/conf/jndi.properties</java.naming.provider.url> <transport.jms.DestinationType>topic</transport.jms.DestinationType> <transport.jms.Destination>throttleData</transport.jms.Destination> <transport.jms.ConcurrentPublishers>allow</transport.jms.ConcurrentPublishers> <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName> </JMSEventPublisherParameters>
Start the Gateway worker by typing the following command in the terminal.
sh <GATEWAY_WORKER_HOME>/bin/wso2server.sh -Dprofile=gateway-worker
The additional
-Dprofile=gateway-worker
argument indicates that this is a worker node specific to the Gateway. This parameter basically makes a server read-only. A node with this parameter will not be able to do any changes such as writing or making modifications to the deployment repository, etc. Starting this node as a Gateway worker ensures that Store and Publisher related functionality is disabled. This parameter also ensures that the node starts as the worker profile, where the UI bundles will not be activated and only the back end bundles will be activated once the server starts up. See API Manager product profiles for more information on the various product profiles available in API Manager.