About WSO2 API Manager
What is WSO2 API Manager?
WSO2 API Manager is a complete solution for creating, publishing and managing all aspects of an API and its life cycle. See About API Manager.
What is the open source license of the API Manager?
Apache Software License Version 2.0
How do I download and get started quickly?
Go to http://wso2.com/products/api-manager to download the binary or source distributions. See Tutorials.
Is there commercial support available for WSO2 API Manager?
It is completely supported from evaluation to production. See WSO2 Support.
What are the default ports opened in the API Manager?
See Default Ports of WSO2 Products.
What are the technologies used underneath WSO2 API Manager?
The API Manager is built on top of WSO2 Carbon, an OSGi based components framework for SOA. See components.
Can I get involved in APIM development activities?
Not only are you allowed, but also encouraged. You can start by subscribing to dev@wso2.org and architecture@wso2.org mailing lists. Feel free to provide ideas, feedback and help make our code better. For more information on contacts, mailing lists and forums, see Getting Support.
What is the default communication protocol of the API Manager?
The default communication protocol is Thrift.
Installation and startup
What are the minimum requirements to run WSO2 API Manager?
The minimum requirement is the Oracle Java SE Development Kit (JDK). See Installation Prerequisites.
What Java versions are supported by the API Manager?
Oracle JDK 1.6.23 and above and JDK 1.7.*.
How do I deploy a third-party library into the API Manager?
Copy any third-party JARs to the <APIM_HOME>/repository/components/lib directory and restart the server.
Do you provide automated installation scripts based on Puppet or similar solutions?
Yes. For information, contact us.
Is it possible to connect the API Manager directly to an LDAP or Active Directory where the corporate identities are stored?
Yes. You can configure the API Manager with multiple user stores. See Configuring User Stores.
Can I extend the management console UI to add custom UIs?
Yes, you can extend the management console (default URL is https://localhost:9443/carbon) easily by writing a custom UI component and simply deploying the OSGi bundle.
I don't want some of the features that come with WSO2 API Manager. Can I remove them?
Yes, you can do this using the Features menu under the Configure menu of the management console (default URL is https://localhost:9443/carbon).
How can I change the memory allocation for the API Manager?
The memory allocation settings are in the <APIM_HOME>/bin/wso2server.sh file.
I don't want all the components of the API Manager up when I start the server. How do I start up only selected ones?
Even though the API Manager bundles all components together, you can select which component/s you want to start by using the -Dprofile command at product startup. See Product Profiles for more information.
Deployment and clustering
Where can I look up details of different deployment patterns and clustering configurations of the API Manager?
See WSO2 clustering and deployment guide.
What is the recommended way to manage multiple artifacts in a product cluster?
For artifact governance and lifecycle management, we recommend using a shared WSO2 Governance Registry instance.
Is it recommended to run multiple WSO2 products on a single server?
This is not recommended in a production environment involving multiple transactions. If you want to start several WSO2 products on a single server, you must change their default ports to avoid port conflicts. See Changing the Default Ports with Offset.
Can I install features of other WSO2 products to the API Manager?
Yes, you can do this using the management console. The API Manager already has features of WSO2 Identity Server, WSO2 Governance Registry, WSO2 ESB etc. embedded in it. However, if you require more features of a certain product, it is recommended to use a separate instance of it rather than install its features to the API Manager.
How can I set up a reverse proxy server to pass server requests?
See Adding a Reverse Proxy Server.
Functionality
I cannot see all the APIs that I published on the API Store. Why is this?
If you have multiple versions of an API published, only the latest version is shown in the API Store. To display multiple versions, set the <DisplayMultipleVersions> element to true in the <APIM_HOME>/repository/conf/api-manager.xml file.
When editing an API's resource's parameters, how can I add multiple options to the parameter Response Content Type?
You cannot do this using the UI. Instead, edit the Swagger definition of the API as content_type: ["text/xml","text/plain"] for example.
Why are the changes I did to the resource parameter Response Content Type of a published API not reflected in the API Store after saving?
If you edited the Response Content Type using the UI, open the API's Swagger definition, make your changes there and save. The changes should then be reflected in the API Store. This will be fixed in a future release.
I have set up the API Manager with WSO2 BAM to collect and analyze runtime statistics. But, the 'API Usage by Destination' graph shows no data. Why is this?
To populate this graph, you must enable destination-based usage tracking manually. See Viewing API Statistics on how to do that.
How can I add more features to the API Manager server and extend its functionality?
You can install any WSO2 component to the API Manager. See the Installing Features section in the WSO2 Carbon docs for more information.
How do I change the pass-through transport configurations?
If you have enabled the pass-through transport, you can change its default configurations by adding the following under the <transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener"> element in the <PRODUCT_HOME>/repository/conf/axis2/axis2.xml file. Be sure to stop the server before editing the file.
If you are using JDK 1.6, add the parameter given below:
<transportReceiver name="passthru-https" class="org.wso2.carbon.transport.passthru.PassThroughHttpSSLListener">
    <parameter name="HttpsProtocols">TLSv1</parameter>
    ......
</transportReceiver>
If you are using JDK 1.7, add the parameter given below:
<transportReceiver name="passthru-https" class="org.wso2.carbon.transport.passthru.PassThroughHttpSSLListener">
    <parameter name="HttpsProtocols">TLSv1,TLSv1.1,TLSv1.2</parameter>
    ......
</transportReceiver>
If I want to extend the default API Manager server by installing new features, how can I do it?
See Feature Management in the WSO2 Carbon documentation.
How can I preserve the CDATA element tag in API responses?
Set the javax.xml.stream.isCoalescing property to false in the <APIM_HOME>/XMLInputFactory.properties file. Here's an example:
<XacuteResponse xmlns="http://aaa/xI">
    <Rowset>
        <Row>
            <outxml><![CDATA[<inSequence> <send> <endpoint> <address uri="http://localhost:8080/my-webapp/echo"/> </endpoint> </send> </inSequence>]]></outxml>
        </Row>
    </Rowset>
</XacuteResponse>
Authentication and security
How can I manage authentication centrally in a clustered environment?
You can enable centralized authentication using a WSO2 Identity Server based security and identity gateway solution, which enables SSO (Single Sign On) across all the servers.
How can I manage the API permissions/visibility?
To set visibility of the API only to selected user roles in the server, see API Visibility.
How can I add security policies (UT, XACML etc.) for the services?
This should be done in the backend services in the Application Server or WSO2 ESB.
How can I enable self signup to the API Store?
See how to enable self signup.
How can I disable self signup capability to the API Store? I want to engage my own approval mechanism.
To disable the self signup capability, open the APIM management console and click the Resources -> Browse menu. The registry opens. Navigate to /_system/governance/apimgt/applicationdata/sign-up-config.xml and set the <SelfSignUp><Enabled> element to false. To engage your own signup process, see Adding a User Signup Workflow.
Is there a way to lock a user's account after a certain number of failed login attempts to the API Store?
If your identity provider is WSO2 Identity Server, this facility comes out of the box. If not, install the identity-mgt feature to the API Manager and configure it. For information, see Account Lock/Unlock page in the Identity Server documentation.
How do I change the default admin password and what files should I edit after changing it?
To change the default admin password, log in to the management console with admin/admin credentials and use the "Change my password" option. After changing the password, do the following:
Change the following elements in the <APIM_HOME>/repository/conf/api-manager.xml file:
<AuthManager>
    <Username>admin</Username>
    <Password>newpassword</Password>
</AuthManager>
<APIGateway>
    <Username>admin</Username>
    <Password>newpassword</Password>
</APIGateway>
<APIKeyManager>
    <Username>admin</Username>
    <Password>newpassword</Password>
</APIKeyManager>
Go to the Resources -> Browse menu in the management console to open the registry and update the credentials in the /_system/governance/apimgt/applicationdata/sign-up-config.xml registry location.
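A check for the file edit described above, as an added example (not WSO2 code): it parses an api-manager.xml laid out as in the snippet on this page and reports credential sections that still hold the default password or that disagree with each other. The sample document and its rotated password are constructed, and APIKeyValidator is included because the troubleshooting section of this FAQ names it as another place where the credentials are stored.

```python
import xml.etree.ElementTree as ET

# Elements of api-manager.xml that this FAQ says hold the admin credentials.
SECTIONS = ("AuthManager", "APIGateway", "APIKeyManager", "APIKeyValidator")

# Constructed sample: the password was rotated in two sections and missed in one.
SAMPLE = """<APIManager>
  <AuthManager><Username>admin</Username><Password>S3t-after-rotation</Password></AuthManager>
  <APIGateway><Username>admin</Username><Password>S3t-after-rotation</Password></APIGateway>
  <APIKeyManager><Username>admin</Username><Password>admin</Password></APIKeyManager>
</APIManager>"""


def local(tag):
    """Drop an XML namespace prefix: {uri}Password -> Password."""
    return tag.rsplit("}", 1)[-1]


def section_passwords(xml_text):
    """Map each credential section present in the file to its <Password> text."""
    found = {}
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) in SECTIONS:
            for child in elem.iter():
                if local(child.tag) == "Password":
                    found[local(elem.tag)] = (child.text or "").strip()
                    break
    return found


def audit_credentials(xml_text, default_password="admin"):
    """Return one finding per stale or inconsistent credential section."""
    passwords = section_passwords(xml_text)
    # Findings name the section only, so the report never echoes a secret.
    findings = [f"{name}: still set to the default password"
                for name, pw in passwords.items() if pw == default_password]
    if len(set(passwords.values())) > 1:
        findings.append("sections disagree: " + ", ".join(sorted(passwords)))
    return findings


if __name__ == "__main__":
    for line in audit_credentials(SAMPLE):
        print(line)
```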
How can I recover the admin password used to log in to the management console?
Use the <APIM_HOME>/bin/chpasswd.sh script.
How can I manage session timeouts for the management console?
To configure session timeouts, see Configuring the session time-out.
How can I add the authentication headers to the message going out of the API Gateway to the backend?
Uncomment the <RemoveOAuthHeadersFromOutMessage> element in the <APIM_HOME>/repository/conf/api-manager.xml file and set its value to false.
Can I give special characters in the passwords that appear in the configuration files?
If the configuration file is in XML, take care when using special characters in user names and passwords. According to the XML specification (http://www.w3.org/TR/xml/), some special characters can disrupt the configuration. For example, the ampersand character (&) must not appear in its literal form in XML files; it can cause a Java Null Pointer exception. You must wrap the value in CDATA (http://www.w3schools.com/xml/xml_cdata.asp) as shown below or remove the character:
<Password> <![CDATA[xnvYh?@VHAkc?qZ%Jv855&A4a,%M8B@h]]> </Password>
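The failure and the fix, run on the password from the snippet above (an added example, not WSO2 code; the Cfg wrapper element and the helper names are made up for the demonstration). It goes slightly beyond the FAQ by also showing entity escaping and two CDATA pitfalls: a literal `]]>` inside the value, and whitespace around the CDATA section, which becomes part of the parsed value unless the consumer trims it.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

PASSWORD = "xnvYh?@VHAkc?qZ%Jv855&A4a,%M8B@h"  # value from the FAQ's example


def as_cdata(value):
    """Wrap value in CDATA; a literal ']]>' must be split across two sections."""
    return "<![CDATA[" + value.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def read_password(xml_text):
    """Return the <Password> text, or None if the document is not well-formed."""
    try:
        return ET.fromstring(xml_text).findtext("Password")
    except ET.ParseError:
        return None


def parse_variants(password):
    """Parse the same password written four ways inside a hypothetical <Cfg>."""
    bodies = {
        "raw": password,                                 # bare & is rejected
        "cdata": as_cdata(password),                     # the FAQ's fix
        "cdata_padded": " " + as_cdata(password) + " ",  # spaces around the section
        "escaped": escape(password),                     # & -> &amp;, < -> &lt;
    }
    return {name: read_password(f"<Cfg><Password>{body}</Password></Cfg>")
            for name, body in bodies.items()}


if __name__ == "__main__":
    for name, value in parse_variants(PASSWORD).items():
        print(f"{name:13} {value!r}")
```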
How can I protect my product server from security attacks caused by weak ciphers, such as the Logjam attack (Man-in-the-Middle attack)?
You can disable weak ciphers as described in Disable weak ciphers in the WSO2 Carbon documentation.
Troubleshooting
Why do I get the following warning: org.wso2.carbon.server.admin.module.handler.AuthenticationHandler - Illegal access attempt while trying to authenticate APIKeyValidationService?
Did you change the default admin password? If so, you need to change the credentials stored in the <APIKeyValidator> element of the <APIM_HOME>/repository/conf/api-manager.xml file of the API Gateway node/s.
Have you set the priority of the SAML2SSOAuthenticator handler higher than that of the BasicAuthenticator handler in the authenticators.xml file? If so, the SAML2SSOAuthenticator handler tries to manage the basic authentication requests as well. Set a lower priority to the SAML2SSOAuthenticator than the BasicAuthenticator handler as follows:
<Authenticator name="SAML2SSOAuthenticator" disabled="false">
    <Priority>0</Priority>
    <Config>
        <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
        <Parameter name="ServiceProviderID">carbonServer</Parameter>
        <Parameter name="IdentityProviderSSOServiceURL">https://localhost:9444/samlsso</Parameter>
        <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>
        <Parameter name="ISAuthnReqSigned">false</Parameter>
        <!--<Parameter name="AssetionConsumerServiceURL">https://localhost:9443/acs</Parameter>-->
    </Config>
</Authenticator>
I hit the DentityExpansionLimit and it gives an error as {org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject} - Error while getting Recently Added APIs Information. What is the cause of this?
This error occurs in JDK 1.7.0_45 and is fixed in JDK 1.7.0_51 onwards. See here for details of the bug.
In JDK 1.7.0_45, all XML readers share the same XMLSecurityManager and XMLLimitAnalyzer. When the total count of all readers hits the entity expansion limit, which is 64000 by default, the XMLLimitAnalyzer's total counter is accumulated and the XMLInputFactory cannot create more readers. If you still want to use update 45 of the JDK, try restarting the server with a higher value passed in the -DentityExpansionLimit JVM option.
I get a Hostname verification failed exception when trying to send requests to a secured endpoint. What should I do?
Set the <parameter name="HostnameVerifier"> element to AllowAll in the HTTPS transport sender configuration of the <APIM_HOME>/repository/conf/axis2/axis2.xml file. For example, <parameter name="HostnameVerifier">AllowAll</parameter>.
This parameter controls how the hostname in a server's certificate is verified when the API Manager acts as a client and makes outbound service calls. With AllowAll, hostname verification is turned off, so a certificate is accepted whatever hostname it was issued for.
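To find where these settings are in effect, the added example below (not WSO2 code) scans an axis2.xml for HTTPS transport senders whose HostnameVerifier is AllowAll and lists the HttpsProtocols value set on each HTTPS receiver, the parameter from the pass-through transport answer earlier in this FAQ. The sample document is constructed and trimmed to the elements discussed here; the example.* class names in it are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed, heavily trimmed axis2.xml; only the elements this FAQ discusses.
SAMPLE = """<axisconfig name="AxisJava2.0">
  <transportReceiver name="passthru-https"
      class="org.wso2.carbon.transport.passthru.PassThroughHttpSSLListener">
    <parameter name="HttpsProtocols">TLSv1,TLSv1.1,TLSv1.2</parameter>
  </transportReceiver>
  <transportReceiver name="https" class="example.SslListener"/>
  <transportSender name="https" class="example.SslSender">
    <parameter name="HostnameVerifier">AllowAll</parameter>
  </transportSender>
</axisconfig>"""


def param(transport, name):
    """Return the text of <parameter name=...> under a transport, or None."""
    for p in transport.findall("parameter"):
        if p.get("name") == name:
            return (p.text or "").strip()
    return None


def audit_axis2(xml_text):
    """Report verifier and protocol settings of the HTTPS transports."""
    root = ET.fromstring(xml_text)
    report = {"no_hostname_check": [], "protocols": {}}
    for sender in root.iter("transportSender"):
        if (param(sender, "HostnameVerifier") or "").lower() == "allowall":
            report["no_hostname_check"].append(sender.get("name"))
    for receiver in root.iter("transportReceiver"):
        if "https" not in (receiver.get("name") or ""):
            continue
        value = param(receiver, "HttpsProtocols")
        # None means no protocol list is pinned for this receiver in the file.
        report["protocols"][receiver.get("name")] = (
            [v.strip() for v in value.split(",")] if value else None)
    return report


if __name__ == "__main__":
    print(audit_axis2(SAMPLE))
```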
When I add new users or roles, I get an error message as 'Entered user name is not conforming to policy'. What should I do?
This is because your user name or password length or any other parameter is not conforming to the RegEx configurations of the user store. See Managing Users and Roles.
When I call a REST API, I find that a lot of temporary files are created in my server and they are not cleared. This takes up a lot of space. What should I do?
There might be multiple configuration context objects created per each API invocation. Please check whether your client is creating a configuration context object per each API invocation. Also, configure a HouseKeeping task in the <APIM_HOME>/repository/conf/carbon.xml file to clear the temporary folders. For example:
<HouseKeeping>
    <AutoStart>true</AutoStart>
    <!-- The interval in *minutes*, between house-keeping runs -->
    <Interval>10</Interval>
    <!-- The maximum time in *minutes*, temp files are allowed to live in the system. Files/directories which were modified more than "MaxTempFileLifetime" minutes ago will be removed by the house-keeping task -->
    <MaxTempFileLifetime>30</MaxTempFileLifetime>
</HouseKeeping>
General questions
Can I implement an API facade with the API Manager?
You can use the API Manager and WSO2 ESB to implement an API facade architecture pattern. WSO2 recommends this architecture if you are performing heavy mediation in your setup. For implementation details of an API facade, see implementing an API facade with WSO2 API management platform.
As the API Manager does not have the ESB's GUI to perform mediation functions, you need to use the XML-based source view for configuration. Alternatively, you can create the necessary mediation sequences using the GUI of the ESB, and copy them from the ESB to the API Manager.
Also see the following use cases in WSO2 ESB documentation for more information on REST to SOAP conversion.
How can I write automated test scripts for the API Manager?
Use WSO2 Test Automation Framework (TAF) as explained in Writing a Test Case for API Manager.