Setting Up Open Banking API Manager Deployment

This page guides you through setting up a clustered deployment of WSO2 Open Banking API Manager.

You can install multiple instances of WSO2 products in a cluster to ensure that if one instance becomes unavailable or is experiencing high traffic, another instance will seamlessly handle the requests. For complete information on distributed deployment concepts, see Understanding the Distributed Deployment of WSO2 API Manager .

Creating a cluster of WSO2 Open Banking API Manager instances involves a standard two-node cluster. To ensure that the instances share governance registry artifacts, you must create a JDBC mount.

At a high level, use the given options to cluster API Manager with a minimum of two nodes. The first section includes instructions on setting up databases. The second section involves setting up a standard two node cluster, the third section involves setting up the API Manager server in a clustered environment and additional configurations if you need to set up a load balancer to front your cluster.

In a standard WSO2 Open Banking 2.0.0 deployment, users can skip the steps mentioned below.

Configuring the user store
Configuring the datasources
Mounting the registry

Click here to find more information on the steps...

Configuring the user store

WSO2 products allow you to configure multiple user stores to store your users and their roles. Your user store can be one of the following:

A Directory Service that can communicate over LDAP protocol like OpenLDAP
Active Directory
A database that can communicate over JDBC

Note: The instructions in this page demonstrate configuring a JDBC user store. The user store configurations are available in the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file. Point all the cluster nodes to the same user store.

For more information on how to set up other types of user stores, see Configuring User Stores.

Configuring the datasources

Create databases. See Working with databases in the WSO2 API Manager documentation for database scripts and more information.
This documentation demonstrates deployment with user management database (WSO2UM_DB) and an identity database (WSO2AM_DB).

Configure the datasource for the databases in both nodes of your cluster in the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file that contains database related configurations.
For instructions on how to configure the datasource depending on the type of database you created, see Changing default databases in the WSO2 API Manager documentation. Following is a sample configuration of the user management, identity, and registry databases for a MySQL database. Make sure you update your datasource configurations accordingly.

# for user management data
[[datasource]]
id="WSO2UM_DB"
url = "jdbc:mysql://localhost:3306/openbank_userdb?autoReconnect=true&useSSL=false"
username = "root"
password = "root"
driver = "com.mysql.jdbc.Driver"
jmx_enable=false
pool_options.maxActive = "150"
pool_options.maxWait = "60000"
pool_options.minIdle = "5"
pool_options.testOnBorrow = true
pool_options.validationQuery="SELECT 1"
pool_options.validationInterval="30000"
pool_options.defaultAutoCommit=false
 
# for registry and user manager data
[database.local]
url = "jdbc:h2:repository/database/WSO2CARBON_DB;DB_CLOSE_ON_EXIT=FALSE"
username = "wso2carbon"
password = "wso2carbon"
driver = "org.h2.Driver"
 
[database.shared_db.pool_options]
maxActive = "50"
maxWait = "60000"
minIdle ="5"
testOnBorrow = true
validationQuery="SELECT 1"
validationInterval="30000"
defaultAutoCommit=false
 
# for api manager data
[database.apim_db]
url = "jdbc:mysql://localhost:3306/openbank_apimgtdb?autoReconnect=true&useSSL=false"
username = "root"
password = "root"
driver = "com.mysql.jdbc.Driver"
 
[database.apim_db.pool_options]
maxActive = "150"
maxWait = "60000"
minIdle ="5"
testOnBorrow = true
validationQuery="SELECT 1"
#Use below for oracle
#validationQuery="SELECT 1 FROM DUAL"
validationInterval="30000"
defaultAutoCommit=false

# for getting statistics to API Manager
[[datasource]]
id="WSO2AM_STATS_DB"
url = "jdbc:mysql://localhost:3306/openbank_apimgt_statsdb?autoReconnect=true&useSSL=false"
username = "root"
password = "root"
driver = "com.mysql.jdbc.Driver"
jmx_enable=false
pool_options.maxActive = "150"
pool_options.maxWait = "60000"
pool_options.minIdle = "5"
pool_options.testOnBorrow = true
pool_options.validationQuery="SELECT 1"
pool_options.validationInterval="30000"
pool_options.defaultAutoCommit=false
 
# for apim-config registry
[database.config]
url = "jdbc:mysql://localhost:3306/openbank_am_configdb?autoReconnect=true&useSSL=false"
username = "root"
password = "root"
driver = "com.mysql.jdbc.Driver"
 
[database.config.pool_options]
maxActive = "150"
maxWait = "60000"
minIdle ="5"
testOnBorrow = true
validationQuery="SELECT 1"
validationInterval="30000"
defaultAutoCommit=false
 
# for registry data
[database.shared_db]
url = "jdbc:mysql://localhost:3306/openbank_govdb?autoReconnect=true&useSSL=false"
username = "root"
password = "root"
driver = "com.mysql.jdbc.Driver"
 
[database.shared_db.pool_options]
maxActive = "150"
maxWait = "60000"
minIdle ="5"
testOnBorrow = true
validationQuery="SELECT 1"
validationInterval="30000"
defaultAutoCommit=false

Open the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file and configure open_banking_database in both nodes of your cluster.

[open_banking_database]
config.url = "jdbc:mysql://localhost:3306/openbank_openbankingdb?autoReconnect=true&useSSL=false"
config.username = "root"
config.password = "root"
config.driver = "com.mysql.jdbc.Driver"
 
[open_banking_database.config.pool_options]
maxActive = "150"
maxWait = "60000"
minIdle ="5"
testOnBorrow = true
validationQuery="SELECT 1"
#Use below for oracle
#validationQuery="SELECT 1 FROM DUAL"
validationInterval="30000"
defaultAutoCommit=false

Mounting the registry

Mount the governance and configuration registry in the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file to share the registry across all nodes in the cluster. For more information on mounting the registry, see Understanding the WSO2 API Manager architecture.

Given below are default configurations. Make sure to update them in both nodes according to your requirement:

[governance_data]
cache_id="root@jdbc:mysql://localhost:3306/openbank_govdb?autoReconnect=true&useSSL=false"
enable_cache=true
path="/_system/governance"
 
[config_data]
cache_id="root@jdbc:mysql://localhost:3306/openbank_govdb?autoReconnect=true&useSSL=false"
enable_cache=true
path="/_system/config"

The production recommendation is to disable automatic versioning of resources as this can be an extremely expensive operation. Open the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file and add the following configurations to disable automatic resource versioning.

[versioning_configuration]
enable_version_resources_on_change=false

In the Registry browser, verify that the governance collection is shown with the symlink icon.

Start the API Manager server. See Starting up and verifying product nodes for more information.
Log in to the Management Console.
Navigate to Home > Registry > Browse.

Changing hostnames and ports

Configure the API Manager node1 using the following steps.

Go to the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file and configure the proxy ports as follows:

[transport.http.properties]
port="9443"
proxyPort="443"
 
[transport.https.properties]
port="9763"
proxyPort="80"

By default, WSO2 products identify the hostname of the current machine through the Java API. However, this value sometimes yields erroneous results in some environments. Therefore, users are recommended to configure hostname. The following procedure explains how to change the hostname and management hostname of WSO2 OB APIM as required for your production environment.
1. Open the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file and define the hostname for your server.
```
[server]
hostname = "wso2.obapim.com"
```
2. This hostname is used by the WSO2 OB APIM cluster. It must be specified in the /etc/hosts file as:
  127.0.0.1 wso2.obapim.com
3. Open the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file and configure the following:
1. 1. Locate the [apim.devportal] property and add the url tag to configure the Store URL, which is used to access the Store web app from the Publisher application.
  2. Locate the [[apim.gateway.environment]] tag and add the given properties to configure the environment by defining the endpoint URL for both the REST APIs and Web Socket (WS) APIs that are hosted in the API Gateway.
    [[apim.gateway.environment]] type = "hybrid" display_in_api_console = true http_endpoint = "http://gateway.wso2.com" https_endpoint = "https://gateway.wso2.com" ws_endpoint = "ws://gateway.wso2.com"
Generate a keystore, export the public certificate from the keystore, and import that certificate to the client-truststore.jks file.
For more information, see Creating New Keystores in the WSO2 Administration Guide.

Follow all the configuration steps that were done in node1 for node2 as well.

Enabling artifact synchronization

Deployment artifact synchronization can be done using rsync, which is a file copying tool. These changes must be done in the manager node and in the same directory.

Create a file named workers-list.txt, somewhere in your machine, that lists all the worker nodes in the deployment. The following is a sample of the file where there are two worker nodes.

Different nodes are separated by newlines.
workers-list.txt
```
ubuntu@192.168.1.1:~/setup/192.168.1.1/as/as_worker/repository/deployment/server
ubuntu@192.168.1.2:~/setup/192.168.1.2/as/as_worker/repository/deployment/server
```

Create a file to synchronize the <WSO2_OB_APIM_HOME>/repository/deployment/server folders between the manager and all worker nodes.

You must create your own SSH key and define it as the pem_file. Alternatively, you can use an existing SSH key. For information on generating and using the SSH Keys, go to the SSH documentation. Specify the manager_server_dir depending on the location in your local machine. Change the logs.txt file path and the lock location based on where they are located in your machine.

rsync-for-carbon-depsync.sh

#!/bin/sh

manager_server_dir=~/wso2as-5.2.1/repository/deployment/server/
pem_file=~/.ssh/carbon-440-test.pem


#delete the lock on exit
trap 'rm -rf /var/lock/depsync-lock' EXIT 

mkdir /tmp/carbon-rsync-logs/


#keep a lock to stop parallel runs
if mkdir /var/lock/depsync-lock; then
  echo "Locking succeeded" >&2
else
  echo "Lock failed - exit" >&2
  exit 1
fi


#get the workers-list.txt
pushd `dirname $0` > /dev/null
SCRIPTPATH=`pwd`
popd > /dev/null
echo $SCRIPTPATH


for x in `cat ${SCRIPTPATH}/workers-list.txt`
do
echo ================================================== >> /tmp/carbon-rsync-logs/logs.txt;
echo Syncing $x;
rsync --delete -arve "ssh -i  $pem_file -o StrictHostKeyChecking=no" $manager_server_dir $x >> /tmp/carbon-rsync-logs/logs.txt
echo ================================================== >> /tmp/carbon-rsync-logs/logs.txt;
done

Create a Cron job that executes the above file every minute for deployment synchronization. Do this by running the following command in your command line.

You can only run the Cron job on one given node (master) at a given time. If you switch the Cron job to another node, you must stop the Cron job on the existing node and start a new Cron job on the new node after updating it with the latest files.
```
*   *  *   *   *     /home/ubuntu/setup/rsync-for-depsync/rsync-for-depsync.sh
```

Configuring the Proxy Server and the Load Balancer

A load balancer or reverse proxy is required to map external traffic with ports and URLs that WSO2 APIM uses internally. Follow the instructions below to configure load balancing together with reverse proxying.

Create a SSL certificate for the load balancer

This step is only applicable for a High Availablity (HA) setup where multiple nodes are fronted by a load balancer.

Create a SSL certificate for the load balancer using the following instructions...

Create the Server Key.

sudo openssl genrsa -des3 -out <key_name>.key 1024

Submit the certificate signing request (CSR).

sudo openssl req -new -key <key_name>.key -out server.csr

Remove the password.

sudo cp <key_name>.key <key_name>.key.org 
sudo openssl rsa -in <key_name>.key.org -out <key_name>.key

Sign your SSL Certificate.

sudo openssl x509 -req -days 365 -in server.csr -signkey <key_name>.key -out <certificate_name>.crt

Configure the load balancer/reverse proxy server
In the following instructions, you are instructed to use NGINX to handle the load balancing requirements.

Although the following section instructs you to use NGINX as the load balancer, you can use any load balancer in your deployment based on your preference.

What is NGINX?

NGINX is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server. For more information, see https://www.nginx.com/.

Carry out the following steps to configure the load balancer to front multiple nodes...

Install NGINX in a server configured in your cluster.

The NGINX version that you need to install varies based on the WSO2 OB APIM components that the load balancer is fronting.

Deployment	API-M Nodes	LB	Reason
Single all-in-one deployment	N/A	NGINX Community	This deployment does not need Sticky Sessions (Session Affinity).
Active-active deployment using single all-in-one nodes	N/A	NGINX Plus	This deployment requires Sticky Sessions, but NGINX Community version does not support it. You can use `ip_hash` as the sticky algorithm.
Distributed deployment	Gateway with a single Gateway Manager	NGINX Community version	The Gateway node in this deployment does not need Sticky Sessions.
	Gateway with multiple Gateway Managers	NGINX Plus	The Gateway Manager nodes require Sticky Sessions, but NGINX Community version does not support it. You can use `ip_hash` as the sticky algorithm. Sticky Sessions are needed for port 9443 in the Gateway, and not needed for the pass through ports in the Gateway (8243, 8280).

For more information on installing NGINX, see NGINX community version and NGINX Plus.

Copy the key and certificate files that you generated in step 1 - (4.) to the /etc/nginx/ssl/ location.
Configure NGINX to direct the HTTP and HTTPs requests based on your deployment.
1. Run the following command to identify the exact location of the <NGINX_HOME> directory. Inspect the output and identify the --prefix tag as it provides the location of the <NGINX_HOME> directory.
```
 nginx -V
```
2. Update the ngnix.conf file with the required NGINX configuration given below. If not, you can create a file with the .conf suffix and copy it to the <NGINX_HOME>/conf.d directory.
  - All ports are default ports assuming no port offsets are used.
  - The key and the certificate for SSL is assumed to be at the <NGINX_HOME>/ssl/ location. The placeholders {cert_name} and {key_name} are the name of the certificate and key generated.
  - The directories used for access and error logs should be created if they do not exist.
  The ports and URLs that are used internally by API Manager are given below:
  Usage
  URL
  Port
  HTTPS Servlet (UI Consoles)
  localhost
  9443
  NIO transport (HTTP API Traffic)
  localhost
  8280
  NIO transport (HTTPS API Traffic)
  localhost
  8243
  Restart the NGINX server:
```
sudo service nginx restart
```
  You do not need to restart the server if you are simply making a modification to the VHost file. The following command is sufficient in such cases.
  sudo service nginx reload

Starting up and verifying product nodes

If both nodes are running on the same server, set the port offset to avoid port conflicts.

Click here to see how it is done

By default, the Open Banking API Manager server port offset is 0. So if you're running both API Manager nodes in the same server the port offset can be as follows:

OB_APIM_NODE1: offset 0

OB_APIM_NODE2: offset 1

Changing the offset for default ports

When you run multiple WSO2 products, multiple instances of the same product, or multiple WSO2 product clusters on the same server or virtual machines (VMs), you must change their default ports with an offset value to avoid port conflicts. The default HTTP and HTTPS ports (without offset) of a WSO2 product are 9763 and 9443 respectively. Port offset defines the number by which all ports defined in the runtime such as the HTTP/S ports will be changed. For example, if the default HTTP port is 9763 and the port offset is 1, the effective HTTP port will change to 9764. For each additional WSO2 product instance, you set the port offset to a unique value. The default port offset is 0.

There are two ways to set an offset to a port:

Pass the port offset to the server during startup. The following command starts the server with the default port incremented by 1:
```
./wso2server.sh -DportOffset=1
```
Set the Ports configuration in <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml with the desired value as follows:
```
[server]
offset = 1
```

Usually, when you offset the port of the server, all ports it uses are changed automatically. However, there are few exceptions as follows in which you have to change the ports manually according to the offset. The following table indicates the changes that occur when the offset value is modified.

WSO2 Server instance	PortOffset	Sample Default Port Value
WSO2 Product 1	0	9443
WSO2 Product 2	1	9444
WSO2 Product 3	2	9445
WSO2 Product 4	3	9446
WSO2 Product 5	4	9447

Start Nginx.
Go to <WSO2_OB_APIM_HOME>/bin and start the nodes using the following command on both nodes:
```
./wso2server.sh
```
Access the Management console using the following URL: https://wso2.obapim.com/carbon.

Usage	URL	Port
HTTPS Servlet (UI Consoles)	localhost	9443
NIO transport (HTTP API Traffic)	localhost	8280
NIO transport (HTTPS API Traffic)	localhost	8243