Configuring the management subsystem
Specify configuration properties for your management subystem, and create an ISO.
Before you begin
About this task
Use the apicup installation utility to specify configuration settings for your
management subsystem.
Procedure
- Ensure that you obtained the distribution file and have a project directory, as described in First steps for deploying in a VMware environment.
-
Change to the project directory.
cd myProject -
Create a management subsystem.
Where:apicup subsys create mgmt management- mgmt is the name of your management server that you are creating. You can assign it any name, as long as the identifier consists of lowercase alphanumeric characters or '-', with no spaces, starts with an alphabetic character, and ends with an alphanumeric character.
managementindicates that you are creating a management microservice.
The API Connect Helm charts are deployed into the default namespace. You do not need to specify a namespace.
Tip: At any time, you can view the current management subsystem values in the apiconnect-up.yml by running theapicup subsys getcommand:
If you have not yet configured the subsystem, the command might return errors. Also, if you have not updated the value, a default value is listed, if there is one that is available.apicup subsys get mgmtAfter configuration is complete, you can view output similar to the following sample:
Appliance settings ================== Name Value Description ---- ----- ------ additional-cloud-init-file (Optional) Path to additional cloud-init yml file data-device sdb VM disk device (usually `sdb` for SCSI or `vdb` for VirtIO) default-password $6$rounds=4096$vtcqpAVK$dzqrOeYP33WTvTug38Q4Rld5l8TmdQgezzTnkX/PFwkzTiZ2S0CqNRr1S4b08tOc4p.OEg4BtzBe/r8RAk.gW/ (Optional) Console login password for `apicadm` user, password must be pre-hashed dns-servers [8.8.8.8] List of DNS servers extra-values-file (Optional) Path to additional configuration yml file k8s-pod-network 172.16.0.0/16 (Optional) CIDR for pods within the appliance k8s-service-network 172.17.0.0/16 (Optional) CIDR for services within the appliance public-iface eth0 Device for API/UI traffic (Eg: eth0) search-domain [subnet1.example.com] List for DNS search domains ssh-keyfiles [/home/vsphere/.ssh/id_rsa.pub] List of SSH public keys files traffic-iface eth0 Device for cluster traffic (Eg: eth0) Subsystem settings ================== Name Value Description ---- ----- ------ deployment-profile n1xc4.m16 Deployment profile (n1xc2.m16/n3xc4.m16) for analytics, (n1xc4.m16/n3xc4.m16) for management, (n1xc2.m8/n3xc4.m8) for portal license-use production License use (production/nonproduction) multi-site-ha-enabled false Multi site HA enabled multi-site-ha-mode active Multi site HA mode (active/passive) replication-peer-fqdn Replication peer fully qualified name (replication endpoint of active mode site) site-name Site name, used in k8s resource names test-and-monitor-enabled false Test and Monitor enabled Endpoints ========= Name Value Description ---- ----- ------ api-manager-ui api-manager-ui.testsrv0231.subnet1.example.com FQDN of API manager UI endpoint cloud-admin-ui cloud-admin-ui.testsrv0231.subnet1.example.com FQDN of Cloud admin endpoint consumer-api consumer-api.testsrv0231.subnet1.example.com FQDN of consumer API endpoint hub FQDN of Test and Monitor hub endpoint, only required if Test and Monitor is enabled management-replication FQDN of Management replication endpoint, only required if HA is enabled platform-api platform-api.testsrv0231.subnet1.example.com FQDN of platform API endpoint turnstile FQDN of Test and Monitor turnstile endpoint, only required if Test and Monitor is enabled - For production environments, specify
deployment-profile=n3xc4.m16.apicup subsys set mgmt deployment-profile=n3xc4.m16The
deployment-profile=n3xc4.m16parameter indicates that you are deploying in high availability (HA) mode for a production environment. Thedeployment-profile=n1xc4.m16indicates a system for use in development and testing. For more information, see Requirements for initial deployment on VMware. - Specify the license version you purchased.
apicup subsys set mgmt license-use=<license_type>The license_type must be either
productionornonproduction. If not specified, the default value isnonproduction. - Optional:
Configure backups of the subsystem. Note that once you set up scheduled
backups, you can also run backups on-demand. Follow the instructions in Configure your Management subsystem backup. Important: It is highly recommend that you configure backups and also take additional steps to ensure that your configuration and data can be restored in the event of a disaster event. See Disaster recovery of the management subsystem on VMware.
- Optional:
Configure your logging.
Logging can be configured at a later time, but you must enable it before installation to capture the log events from the installation.
- Complete the procedure at Configuring remote logging for a VMware deployment.
-
Enter the following command to create the log file:
apicup subsys set mgmt additional-cloud-init-file=config_file.yml
-
Enter the following commands to update the
apiconnect-up.yml with the information for your environment:
-
Set your search domain. Multiple search domains should be separated by
commas.
apicup subsys set mgmt search-domain=your_search_domainWhere your_search_domain is the domain of your servers, entered in all lowercase. Setting this value ensures that your searches also append these values, which are based on your company's DNS resolution, at the end of the search value. A sample search domain is mycompany.example.com.
Ensure that the value for your_search_domain is resolved in the system's /etc/resolv.conf file to avoid "502" errors when accessing the Cloud Manager web site. For example:
# Generated by resolvconf search your_search_domain ibm.com other.domain.com -
Set your domain name servers (DNS).
Supply the IP addresses of the DNS servers for your network. Use a comma to separate multiple server addresses.
apicup subsys set mgmt dns-servers=ip_address_of_dns_server[,ip_address_of_another_dns_server_if_necessary] -
Use
apicupto set your endpoints.You can use wildcard aliases or host aliases with your endpoints.Optionally, you can specify all endpoints with one
apicupcommand.Note: You cannot specify the underscore character "_" in domain names that are used in endpoints. See API Connect configuration on VMware.Table 1. Management subsystem endpoints Setting Endpoint host description platform-apiPlatform API endpoint. The host where your platform API calls are routed. apicup subsys set mgmt platform-api=platform-api.hostname.domainconsumer-apiConsumer API endpoint. The host where your consumer API calls are routed. apicup subsys set mgmt consumer-api=consumer-api.hostname.domaincloud-admin-uiCloud admin user interface API endpoint. The host where your cloud administrator user-interface API calls are routed. apicup subsys set mgmt cloud-admin-ui=cloud-admin-ui.hostname.domainapi-manager-uiAPI Manager user interface endpoint. The host where your API Manager API calls are routed. apicup subsys set mgmt api-manager-ui=api-manager-ui.hostname.domainhub The core microservice components for the Automated API behavior testing capability. apicup subsys set mgmt hub hub.hostname.domainturnstile Allows for communication between the Test pods and the API Management subsystem. apicup subsys set mgmt turnstile turnstile.hostname.domain
-
Set your search domain. Multiple search domains should be separated by
commas.
-
Set a Public key.
apicup subsys set mgmt ssh-keyfiles=path_to_public_ssh_keyfileSetting this key enables you to use ssh with this key to log in to the virtual machine to check the status of the installation. You will perform this check in later in Deploying the management subsystem OVA file.
-
Set the password that you enter to log into your Management appliance for the first time.
- Important: Review the requirements for creating and using a hashed password. See Setting and using a hashed default password.
-
If you do not have a password hashing utility, install one.
Operating system Command Ubuntu, Debian, OSX If the mkpasswd command utility is not available, download and install it. (You can also use a different password hashing utility.) On OSX, use the command: gem install mkpasswd.Windows, Red Hat If necessary, a password hashing utility for the Windows operating system, like OpenSSL -
Create a hashed password
Operating system Command Ubuntu, Debian, OSX mkpasswd --method=sha-512 --rounds=4096 passwordWindows, Red Hat For example, using OpenSSL: openssl passwd -1 password. Note that you might need to add your password hashing utility to your path; for exaample, on Windows:set PATH=c:\cygwin64\bin;%PATH% -
Set the hashed password for your subsystem:
apicup subsys set mgmt default-password='hashed_password'
- Optional:
If the default IP ranges for the API Connect Kubernetes pod and the service
networks conflict with IP addresses that must be used by other processes in your deployment, modify
the API Connect values.
You can change the IP ranges of the Kubernetes pod and the service networks from the default values of 172.16.0.0/16 and 172.17.0.0/16, respectively. In the case that a /16 subnet overlaps with existing IPs on the network, a Classless Inter-Domain Routing (CIDR) as small as /22 is acceptable. You can modify these ranges during initial installation and configuration only. You cannot modify them once an appliance has been deployed. See API Connect configuration on VMware.
-
Update the IP range for the Kubernetes pod
apicup subsys set mgmt k8s-pod-network='new_pod_range'Where new_pod_range is the new value for the range.
-
Update the IP range for Service networks.
apicup subsys set mgmt k8s-service-network='new_service_range'Where new_service _range is the new value for the range.
-
Update the IP range for the Kubernetes pod
-
Add your hosts.
apicup hosts create mgmt hostname.domainname hd_passwordWhere the following are true:- hostname.domainname is the fully qualified name of the server where you are hosting your Management service, including the domain information.
- hd_password is the password that the Linux Unified Key Setup uses to encrypt
the storage for your Management service. This password is hashed when it is stored on the server or
in the ISO. Note that the password is base64 encoded when stored in
apiconnect-up.yml.
Repeat this command for each host that you want to add.
Note: Host names cannot be changed on a cluster after the initial installation. -
Create your interfaces.
apicup iface create mgmt hostname.domainname physical_network_id host_ip_address/subnet_mask network_gateway_ip_addressWhere physical_network_id is the network interface ID of your physical server. The value is most ofteneth0. The value can also beethx, wherexis a number identifier.The format is similar to the following example:
apicup iface create mgmt myHostname.domain eth0 192.0.2.10/255.255.255.0 192.0.2.1.Note: Thenetwork_gateway_ip_addressis the network gateway (not a DataPower Gateway). If you are creating multiple network interfaces, each one must be on a different subnet with a different gateway. - Optional:
Use apicup to view the configured hosts:
apicup hosts list mgmt testsrv0231.subnet1.example.com Device IP/Mask Gateway eth0 1.2.152.231/255.255.254.0 1.2.152.1Note: This command might return the following messages, which you can ignore:* host is missing traffic interface * host is missing public interfaceNote: If you are configuring two data center deployment, continue with the installation instructions in Installing a two data center deployment.
- Optional:
Verify that the configuration settings are valid.
apicup subsys get mgmt --validateThe output lists each setting and adds a check mark after the value once the value is validated. If the setting lacks a check mark and indicates an invalid value, reconfigure the setting. See the following sample output.
Appliance settings ================== Name Value ---- ----- additional-cloud-init-file ✔ data-device sdb ✔ default-password $6$rounds=4096$vtcqpAVK$dzqrOeYP33WTvTug38Q4Rld5l8TmdQgezzTnkX/PFwkzTiZ2S0CqNRr1S4b08tOc4p.OEg4BtzBe/r8RAk.gW/ ✔ dns-servers [8.8.8.8] ✔ extra-values-file ✔ k8s-pod-network 172.16.0.0/16 ✔ k8s-service-network 172.17.0.0/16 ✔ public-iface eth0 ✔ search-domain [subnet1.example.com] ✔ ssh-keyfiles [/home/vsphere/.ssh/id_rsa.pub] ✔ traffic-iface eth0 ✔ Subsystem settings ================== Name Value ---- ----- deployment-profile n1xc4.m16 ✔ license-use production ✔ multi-site-ha-enabled false ✔ multi-site-ha-mode active ✔ replication-peer-fqdn ✔ site-name ✔ test-and-monitor-enabled false ✔ Endpoints ========= Name Value ---- ----- api-manager-ui api-manager-ui.testsrv0231.subnet1.example.com ✔ cloud-admin-ui cloud-admin-ui.testsrv0231.subnet1.example.com ✔ consumer-api consumer-api.testsrv0231.subnet1.example.com ✔ hub ✔ management-replication ✔ platform-api platform-api.testsrv0231.subnet1.example.com ✔ turnstile ✔ -
Create your ISO file.
apicup subsys install mgmt --out mgmtplan-outThe
In this example, the ISO file is created in the myProject/mgmtplan-out directory.--outparameter and value are required.If the system cannot find the path to your software that creates ISO files, create a path setting to that software by running a command similar to the following command:
Operating system Command Ubuntu, Debian, OSX export PATH=$PATH:/Users/your_path/Windows, Red Hat set PATH="c:\Program Files (x86)\cdrtools";%PATH% - Deploy the subsystem ISO. Continue with Deploying the management subsystem OVA file.