WSO2 API Microgateway for WSO2 Open Banking

The WSO2 API Microgateway is a lightweight message processor for APIs. The API Microgateway is used for message security, transport security, routing, and other common API Management related quality of services. It can process incoming and outgoing messages while collecting information required for usage metering and throttling capabilities. The API Microgateway natively supports scaling in highly decentralized environments including microservice architecture. An immutable, ephemeral Microgateway fits well with the microservice architecture.

Setting up API Microgateways close to your backend servers and on-premise deployments not only reduces network latency but also adds additional security as you can run it in a fully controlled environment with a selected set of APIs. You can run the API Microgateway in a regional data centre, in the same server instance as your service implementation, or even in your local workstation.

The API microgateways are placed as follows when placed in a deployment diagram.

Before you begin:

Download and set up the WSO2 Open Banking 2.0 solution.
Install and set up Docker in your servers.

Download Microgateway Docker images for WSO2 Open Banking Australia. WSO2 Open Banking contains Docker images for each API in the Consumer Data Standards (CDS) specification. The Docker images are available in the Docker Hub.

Click here to see the docker images and available links...

API	Docker Image	Docker Hub link
Consumer Data Standards API	docker.wso2.com/wso2-obmg-au-cds:1.2.0_2.0.0	<TBD>
CDS Customer API	docker.wso2.com/wso2-obmg-au-cds-customer:1.3.0_2.0.0	https://docker.wso2.com/tags.php?repo=wso2-obmg-au-cds-customer
CDS Discovery API	docker.wso2.com/wso2-obmg-au-cds-discovery:1.3.0_2.0.0	https://docker.wso2.com/tags.php?repo=wso2-obmg-au-cds-discovery
Dynamic Client Registration API	docker.wso2.com/wso2-obmg-au-cds-dcr:1.2.0_2.0.0	<TBD>
CDS Admin API	docker.wso2.com/wso2-obmg-au-cds-admin:1.2.0_2.0.0	<TBD>
CDS Arrangement API	docker.wso2.com/wso2-obmg-au-cdr-arrangement:1.0.0_2.0.0	<TBD>

The following section explains how to try out the Consumer Data Standards API using WSO2 API Microgateway:

Pull the Docker image for Consumer Data Standards API from the Docker registry.
Run the Docker image using the commands below:
For a sandbox environment, instead of productionEndpoint_prod_endpoint_0, you can use this flag with the above run command:
sandboxEndpoint_sand_endpoint_0=<SANDBOX_ENDPOINT_URL>
All the configurations related to WSO2 API Microgateway and WSO2 Open Banking are available in the micro-gw.conf file.
1. Get the container Id of the Docker image with the API:
```
docker ps
```
2. Copy the micro-gw.conf file from the Docker image to the host:
```
docker cp <CONTAINER_ID>:/home/ballerina/conf/micro-gw.conf <DEST_PATH>
```
Configure the micro-gw.conf file:

The microgateway is available in the port defined below, by default it's set to 9095:
```
[listenerConfig]
  httpsPort = 9095
```
To run multiple Microgateway Docker images parallelly on the same server, update the below configurations accordingly so that the ports used by each Docker container are unique:

For example:

To run both wso2-obmg-au-cds-accounts and wso2-obmg-au-cds-transactions Microgateway Docker images parallelly, update the configurations as shown below:
Configure the hostname of your WSO2 Open Banking Identity and Access Manager server in the following configuration:
```
[keyManager]
  serverUrl = "https://<WSO2_OB_IAM_HOST>:9446"
```

Configure the hostname of your WSO2 Open Banking API Manager server in the following configuration:

[apiManager]
  serverUrl = "https://<WSO2_OB_APIM_HOST>:9443"

[openbanking.iam]
  serverUrl = "https://<WSO2_OB_IAM_HOST>:9446"

If the Admin APIs are being deployed using the Microgateway Docker image, update the below configurations based on the deployment:
Configure encryption/decryption key for ID permanence under the [openbanking.au] tag. By default, the secret key value is "wso2".

This is available only as a WUM update and is effective from March 24, 2021 (03-24-2021). For more information on updating WSO2 Open Banking, see Updating WSO2 Products.
```
[openbanking.au.id.permanence]
  secretKey = <SECRET_KEY>
```
To remove the Auth header from the authentication filter, set the following configuration to true. For throttling purposes, set the value to false.

This is available only as a WUM update and is effective from May 13, 2021 (05-13-2021). For more information on updating WSO2 Open Banking, see Updating WSO2 Products.
```
[authConfig]
  removeAuthHeaderFromOutMessage = false
```
For the Unattended traffic, 20 sessions per day, per customer, per data recipient policy
This is available only as a WSO2 Update and is effective from September 14, 2021 (09-14-2021). For more information on updating WSO2 Open Banking, see Updating WSO2 Products.
Add the following configuration to enable the policy:
[openbanking.au.unattendedSessionCountThrottling] enable = true
To avoid sending the Auth header to the back end, add the following configuration under the [openbanking] tag and set the value to true.

This is available only as a WUM update and is effective from May 13, 2021 (05-13-2021). For more information on updating WSO2 Open Banking, see Updating WSO2 Products.
- This is only available for wso2-obmg-au-cds docker images.
```
[openbanking.authConfig]
  removeAuthHeaderFromOutMessage = true
```
Add custom filters using the following configuration:
```
[openbanking.au.filters]
  <FilterName>="Fully qualified class name"
```
- You can configure filters; add custom filters and skip certain filters with the following configurations:
  
  This is available only as a WUM update and is effective from May 18, 2021 (05-18-2021). For more information on updating WSO2 Open Banking, see Updating WSO2 Products.

Copy the updated micro-gw.conf file to the Docker image:

docker cp  <PATH_TO_UPDATED_micro-gw.conf> <CONTAINER_ID>:/home/ballerina/conf/micro-gw.conf

If you have a distributed deployment, exchange the certificates as explained in Setting Up Servers-Exchanging the certificates.
Add any additional certificates to the client truststore of the Docker image:
1. Get the container Id of the Docker image with CDS API:
```
docker ps
```
2. Copy the ballerinaTruststore.p12 file from the Docker image to the host:
```
docker cp <CONTAINER_ID>:/home/ballerina/wso2/runtime/bre/security/ballerinaTruststore.p12 <DEST_PATH>
```
3. Use the keytool commands and add the relevant certificates (regulatory certificates, server certificates) to the copied ballerinaTruststore.p12 file. The password to access the keystore is ballerina.
```
keytool -import -alias <CERT_ALIAS> -file <CERT_TO_ADD> -keystore ballerinaTruststore.p12 -storepass ballerina
```
4. Copy the updated client trustore to the Docker image:
```
docker cp  <PATH_TO_UPDATED_ballerinaTruststore.p12> <CONTAINER_ID>:/home/ballerina/wso2/runtime/bre/security/ballerinaTruststore.p12
```
Run the Docker image using the commands below:
- <PRODUCTION_ENDPOINT_URL> : Endpoint URL of the production server. For a sandbox environment, instead of productionEndpoint_prod_endpoint_0, use the sandboxEndpoint_sand_endpoint_0=<SANDBOX_ENDPOINT_URL> flag.
- <PROJECT_NAME>: Name of Docker image without the registry hostname.
- <PUBLISHED_PORT>: The port which the Docker image is exposed.
- <HTTPS_PORT>: httpsPort configured in the micro-gw.conf file.
- <WSO2_OB_SOLUTION_VERSION>: The version of the WSO2 Open Banking solution.
  
  To view logs:
  
  Execute the command below:
Invoke the endpoints using the proper server hostname and port of your WSO2 API Microgateway (WSO2 API MG) server.
For example:
- When you are using the regular gateway - https://<WSO2_OB_APIM_HOST>:8243/cds-au/v1/banking/accounts/
- When you are using WSO2 API Microgateway - https://<WSO2_OB_API_MG>:9095/cds-au/v1/banking/accounts/
For more information on invoking the API, see Consumer Data Standards API v1.2.0.