Registering a gateway service
A gateway service is required to handle incoming traffic for APIs.
Before you begin
About this task
A gateway service represents a cluster of gateway servers that host published APIs and provide the API endpoints used by client applications. Gateways execute API proxy invocations to backend systems and enforce API policies including client identification, security and rate limiting.
One of the following roles is required to register and manage DataPower gateway services:
- Administrator
- Topology Administrator
- Owner
- A custom role with the
Topology:Manage
permission
Procedure
Complete the following steps to configure a DataPower gateway service for your cloud:
Field | Description |
---|---|
Title (required) | Enter a descriptive display title for the DataPower gateway service. |
Name (required) | This field is populated for and is used as the internal field name. |
Summary (optional) | Enter a brief description. |
Management endpoint on the gateway service: Endpoint (required) | Enter the API Connect Gateway Service
endpoint.
|
Management endpoint on the gateway service: TLS client profile (required) | Specify the TLS client profile to use when the management subsystem initiates communication
with the gateway. The client profile contains the TLS client certificate that is presented to the
gateway when establishing a secure connection. Important:
|
Management endpoint on the gateway service: Use in-cluster communucation | If you want to use in-cluster communication between the management and
gateway subsystems, then enable this switch. For more information about this option, see In-cluster
or external communication between subsystems. If you are not sure, then leave this switch
disabled (the default). |
Management endpoint on the gateway service: Use JWT for gateway authentication to analytics service | If you plan to associate an analytics service with this gateway, and you want to use JWT authentication between the gateway and analytics service, then enable this switch. If this switch is not enabled, then mutual TLS authentication is used between the gateway and analytics service. For more information about JWT security, see Enable JWT security instead of mTLS |
Use LDAP connection pool | Enable this option when you want to optimize LDAP user registry processing by enabling LDAP
connection pooling. Connection pooling reduces overhead and improves performance by maintaining a
pool of connections and assigning them as needed. When a connection is closed, it is returned to the
connection pool for future use. Note: LDAP connection pooling is supported only with the DataPower
API Gateway v10.6.0.0 or later. You cannot enable LDAP connection pooling during the initial
registration of the DataPower API Gateway service. Instead, complete the registration steps and
click Save; then edit the registration to enable the use of connection pools.
Configure the following settings for the connection pool:
|
Enable AI Gateway | For the new DataPower API Gateway service, AI Gateway is enabled by
default in API Connect v10.0.9.0. When AI Gateway service is
enabled, it allows you to access AI Gateway policies directly
on the DataPower API Gateway. For
details, see Using the
AI Gateway to support APIs for AI applications.
Note: The AI Gateway toggle in gateway
service is not supported if you already have a custom gateway extension deployed. However, you can
manually enable the AI Gateway extension while
retaining your existing gateway extension on the gateway service. For details, see Enabling AI Gateway on gateway service
extensions. Even after following this procedure to apply AI Gateway extensions, a current
limitation is that APIC UI and CLI will still show that
Enable AI Gateway flag is
not enabled on this gateway.When you disable AI Gateway, the following
actions occur:
|
API invocation endpoint: API endpoint base (required) | Enter the base portion of the URL that maps to the base portion of the URL for incoming API
traffic. It is a public FQDN with additional paths that are specific to your API calls. For example:
https://api.mycompany.com Note: If you are using the DataPower API Gateway, HTTP/2 is enabled
automatically on the API invocation endpoint.
If you are using the DataPower Gateway (v5 compatible), HTTP/2 is not supported on the API invocation endpoint. |
API invocation endpoint: Server Name Indication (SNI) - Host name | For supporting Server Name Indication (SNI) at the API Endpoint Base. The default hostname
of '*' is required to allow all hosts. Enter other host names as needed. Wild card format is
supported. The SNI capability enables you to serve multiple TLS secure host names through the same
Gateway service, using the same IP address and port, without requiring them to use the same TLS
profile. Note: To allow requests from clients that don't support SNI, you must include a host
name value of '*'.
|
API invocation endpoint: Server Name Indication (SNI) - TLS server profile |
The TLS server profile that supports the given hostname for SNI. The server profile that is selected here contains the server certificate that is presented to callers of the APIs you publish on the gateway. By default this profile is set to Default TLS server profile. Best practice is to create your own TLS server profile that contains the certificate you want on your API invocation endpoint. For more information about configuring TLS server profiles, see TLS profiles overview. Restriction: If you are using the DataPower API Gateway, HTTP/2 is enabled
automatically on the API invocation endpoint. Therefore, using a TLS server profile that supports
only TLS protocol version 1.3 is not supported and will result in the gateway being unable to
receive API traffic. You must use a TLS server profile that includes TLS protocol version 1.2 as one
of its supported protocols.
This restriction does not apply if you are using the DataPower Gateway (v5 compatible), which does not support HTTP/2. |
OAuth shared secret (optional) | For sites using native OAuth providers, enter the shared secret that will be used by all
API calls going through the gateway. Note: The specified shared secret must be 64 characters (64
bytes) in length, prefixed with
0x , and must consist only of hexadecimal
characters. For example:
0xa354282f227c10250511ae9c9e8c7ed9f4f1bd0d7c04cb6d5bd178f8c62296e3 |
Associate OpenTelemetry configuration (optional) | You can use this option to choose the OpenTelemetry configuration to be associated with the gateway service. You can set this property only after your gateway service is created, and only if the service supports this feature, See Associating an OpenTelemetry configuration with a gateway service |