CLI command file extensions

Extend DataPower® API Gateway behavior with CLI commands in .cfg files.

You apply an extension to a DataPower API Gateway by uploading one or more .cfg files that define the required extension behavior. These .cfg files contain DataPower API Gateway CLI commands. For details of the full set of CLI commands that are available, see the DataPower API Gateway CLI command documentation.

You package the .cfg files in a .zip file, together with any additional required files that are referenced from CLI commands; for example, a .json file that contains the OpenAPI definition for an API. The .cfg files are processed in alphanumeric order by file name.
  • All the .cfg files must be at the root of the .zip file. If you are attempting to use an API Connect Version 2018 gateway extension that has files in sub-directories, see Gateway extensions manifest for information on how to deploy multiple extensions in a single package.
  • On macOS, run the zip command on the command line with the following flags:
    -x ".DS_Store" -x "__MACOSX"

    Including the flags prevents the auto-generated .DS_Store and __MACOSX files from being added to the zip.

You upload the extension .zip file to an API Connect Gateway service, and enable the extension, as described in Configuring your Gateway server extensions. Gateway server extensions can be deployed without having to restart the DataPower API Gateway.

To control how gateway extensions are applied to the DataPower API Gateway, you can include a Gateway extensions manifest as a manifest.json file. The manifest allows you to deploy multiple extensions of different types in a single package. For more information, see Gateway extensions manifest.

Using CLI commands in a Gateway extension

Although you can use any DataPower API Gateway CLI commands in your extension .cfg files, typically you use commands that modify API Connect objects that have previously been deployed to the DataPower API Gateway.

When API Connect objects are deployed to a DataPower API Gateway, .cfg are created on the Gateway that define the configuration of those objects. By examining those .cfg on the Gateway, you can determine the precise names of API Connect objects that you want to modify, and the current values of the properties of those objects. You can access these .cfg files by completing the following steps:

  1. Log in to the DataPower administrative user interface; for the Graphical Interface, select WebGUI rather than Blueprint Console.
  2. Switch to the DataPower application domain for API Connect if necessary.
  3. Under Files and Administration, click File Management.
  4. Expand the temporary: folder to locate the .cfg files. The files for API Connect objects are named according to their containing provider organization and Catalog, as follows:
    The prefix 20 controls the position of the file in the overall processing sequence, which is in alphanumeric order by file name.
    • Do not modify these files directly in the DataPower API Gateway file system. Instead, use the gateway extension mechanism described on this page.
    • Do not apply gateway extension modifications to configuration in the local:/config-sequence.cfg file.
    • Do not use Gateway server extensions to modify objects that cause the apic-gw-service object to restart, such as TLS Profiles, and Gateway Peering. Extensions that cause the apic-gw-service object to restart, lead to unpredictable behavior in the Gateway service.
Note: Modifying a .cfg file triggers the execution of all other .cfg files that run commands on the same object.

Config-Sequence tracks all of the objects that it manages through the .cfg files. Any change to a .cfg file that causes config-sequence to run commands on an object automatically executes all other .cfg files that run commands on the same object.

Example: If a new product is published to catalog A, then the .cfg file for that collection in temporary://config will be modified by the apic-gw-service to reflect the new product. Because that .cfg file was changed, config-sequence will execute every other .cfg file that also runs operations on catalog A, in the sequence of locations defined in the config-sequence object. If there are 2 .cfg files in the same location that run commands on catalog A, they run in alphabetical order.

Example 1 - change the scope of the rate limit for a Plan

Suppose the DataPower API Gateway configuration for a Plan has the following CLI command:
api-plan myorg_sandbox_financial-services_1.0.0_basic
The api-plan command has the following syntax:
api-plan plan_name
and creates a Plan of the specified name, or modifies a Plan of the same name if it already exists. By using the specified name, you can add api-plan commands in your Gateway extension .cfg files to modify the Plan.
Note: The names of API Connect objects in the DataPower API Gateway configuration are derived from their configuration in API Connect. For example, a Plan name has the following structure:
  • provider-org-name is the name of the provider organization.
  • catalog-name is the name of the Catalog in that provider organization.
  • product-name is the name of the Product that contains the Plan.
  • product-version is the version of the Product.
  • plan-name is the name of the Plan.
The default scope to which a Plan rate limit applies is per application. To change this setting on the Plan in this example, so that the rate limit scope is per client ID, add the following command to a .cfg in your Gateway extension:
api-plan myorg_sandbox_financial-services_1.0.0_basic
  rate-limit-scope per-client-id
For more information on configuring Plans by using DataPower API Gateway CLI commands, see API Plan commands.

Example 2 - add a path to an API definition

The .cfg file in this example performs the following actions:
  1. Uses the top and configure terminal commands to reset CLI processing.
  2. Uses the api-operation command as follows:
    1. Creates a new operation called bank_branches_get_operation.
    2. Uses the reset command to set all properties to their default values.
    3. Sets the operation method to GET.
  3. Uses the api-path command as follows:
    1. Creates a new path called bank_branches_path.
    2. Uses the reset command to set all properties to their default values.
    3. Sets the path URL segment to /details.
    4. Adds the previously created operation bank_branches_get_operation to the path.
  4. Uses the api-definition command as follows:
    1. Modifies the existing API definition called myorg_sandbox_myapi_1.0.0.
      Note: The name of the API definition was derived from its configuration in API Connect when it was published to the DataPower API Gateway, and has the following structure:
      • provider-org-name is the name of the provider organization.
      • catalog-name is the name of the Catalog in that provider organization.
      • api-name is the name of the API definition in API Connect.
      • api-version is the version of the API.
    2. Adds the previously created path bank_branches_path to the API definition.
      Note: The reset command is not used here because that would reset all the current settings on the myorg_sandbox_myapi_1.0.0 API definition, whereas the requirement is to add a new path to the existing configuration of the API definition.
The .cfg file is as follows:
top; configure terminal

api-operation bank_branches_get_operation
  method GET

api-path bank_branches_path
  path "/details"
  operation bank_branches_get_operation

api-definition myorg_sandbox_myapi_1.0.0
  path bank_branches_path
For more information on the DataPower API Gateway CLI commands used in this example, see the following pages:

Gateway extension limitations

This section details the limitations of the extensions to the DataPower API Gateway.
  • If you use an extension to create a user-defined policy and then delete the extension, the extension cfg's are removed from the filesystem, but the configuration sequence will not remove referenced objects created by the cfg's. For the policy objects to be cleaned up, you must first send an extension update that explicitly removes the user-defined policy from apic-gw-service, as in the following example.
        no user-defined-policies udp-basic_1.0.0
    Note: This limitation does not apply only to user-defined policies, but any object customization that adds a reference to another object.
  • user-defined-policy-yaml policies that use or reference another policy can be deployed only after the referenced policy has been advertised to API Manager. The deploy type must be set to deferred and the Gateway Service must be restarted.
  • Deleting an extension that is used to create a user-defined policy using a .cfg file does not remove the policy reference in the apic-gw-service object. The policy is not removed from the assembly palette until a reboot or restart of the Gateway pod. To properly remove the policy, send an apic extensions:update command that explicitly removes the policy from the apic-gw-service prior to sending the apic extensions:delete command.
  • v5 policies that contain files outside of the /policy directory are not supported. If multiple v5 policies reference the same file outside the /policy directory, the last applied policy will overwrite the file and will be used by all policies that reference it. Removing any policy that contains the file will cause the file to be deleted and may cause errors for the remaining policies that use it.
  • If an extension contains or references objects and files that are also referenced by other objects outside of the extension, deleting the extension can cause errors that are difficult to troubleshoot.
  • It is possible to delete an extension that is referenced by published APIs. This may cause those API requests to return errors.
  • For an extension type of user-defined-policy, extra assembly functions may be present in the DataPower import .zip file, even if there is no .yaml file to indicate their presence. Using these functions without declaring them using a .yaml file is not supported. A policy .yaml file is required for each policy you want to advertise to API Manager.
  • Extension type user-defined-policy-yaml may leak generated Gatewayscript .js files in temporary:/js/ or .xslt files when deleted.
  • Extension types that use SOMA imports must use new objects with no overrides. If you override a singleton or shared object using an extension of this type, then the object will not be restored to its previous state when the extension is deleted, and those objects may be missing after the extension is deleted. You must then restore any needed objects.