Deployment overview for endpoints and certificates

Refer to this diagram to view the connections and dataflow among the API Connect subsystems, including the endpoints and custom certificates, and the mutual TLS points.

Introduction

When deploying API Connect, you will create one or more endpoints for the subsystems and then configure certificates or mutual TLS for most endpoints. Figure 1 shows the endpoints for each subsystem by name, the name of the certificate that secures the endpoint, and whether mutual TLS is required. It also shows the ports consumed by the endpoints, which are standard for HTTP and HTTPS.

Figure 1. Deployment Overview diagram
Endpoints, Certificates, and mutual TLS for the API Connect Subsystems

Configuring endpoints

The endpoints are configured by the Install Assist program using the APICUP installer. They are set for each subsystem. Endpoints are also entered when configuring the Topology for the Gateway, Portal, and Analytics subsystems in Cloud Manager.

For instructions on configuring endpoints and installing into a Kubernetes environment, see Installing API Connect into a Kubernetes environment.

For instructions on installing into an IBM Cloud Private environment, see Deploying to an IBM Cloud Private environment.

| Subsystem | Endpoints | Description | Certificates |
|---|---|---|---|
| Management | cloud-admin-ui | Configured using APICUP installer. Endpoint on the management server for communication with the Cloud Manager user interface. | cloud-admin-ui |
| | api-manager-ui | Configured using APICUP installer. API Manager URL endpoint on the management server for communication with the API Manager user interface. | api-manager-ui |
| | consumer-api | Configured using APICUP installer. Platform REST API endpoint for running consumer APIs on the management server. | consumer-api |
| | platform-api | Configured using APICUP installer. Platform REST API endpoint for running admin and provider APIs on the management server. | platform-api |
| Portal | portal-admin | Configured using APICUP installer. Corresponds to Management Endpoint entered in Cloud Manager. Requires a TLS profile configured with mutual TLS. | mutual TLS |
| | portal-www | Configured using APICUP installer. Portal Web site URL entered in Cloud Manager. Used publicly to access Portal. | portal-www-ingress |
| Analytics | analytics-client | Configured using APICUP installer. Corresponds to Management Endpoint entered in Cloud Manager. Requires a TLS profile configured with mutual TLS. | mutual TLS |
| | analytics-ingestion | Configured using APICUP installer. The analytics-ingestion endpoint is used by the Gateway service to push data to the Analytics service. Requires a TLS profile configured with mutual TLS. | mutual TLS |
| Gateway | apic-gw-service | Configured using APICUP installer. This is the endpoint the gateway uses for network communication. Enter this endpoint as the Management Endpoint in Cloud Manager. | apic-gw-service-ingress |
| | api-gateway | Configured using APICUP installer. This is the endpoint the gateway uses for API traffic. Enter this endpoint as the API Invocation Endpoint in Cloud Manager. | api-gateway-ingress |

Configuring certificates

The certificates are configured by the Install Assist program using the APICUP installer. The certificates for the endpoints are usually configured as custom certificates as described in Setting custom certificates.

Configuring mutual TLS

Mutual TLS is configured for TLS profiles in Cloud Manager. See Creating a TLS Server Profile.

Configuring a proxy

If a Developer Portal is deployed externally to the management server zone, it does not have access to the consumer and product APIs. You need to configure a proxy to enable communication. For more information, see Configuring a proxy.