Configuring the initial Gateway service
You must define your initial Gateway service before you configure the rest of your API Connect on-premises cloud. The Gateway service is a cluster of one or more of the gateway servers.
Before you begin
About this task
In the Cloud Manager, each server is added as a member of a service.
If you want to change these settings after you define the cloud, you must remove all of the Gateway servers first.
To configure the Cloud Manager settings for the initial Gateway service, complete the following steps:
- In the Cloud Manager, click Services.
- In the DataPower Services pane, click the Service Settings icon .
- Optional: To change the name of the Gateway service, enter a new value in the Display Name field.
In the Address field, enter the virtual IP address or host name that is to be used for inbound API calls, or of an external load balancer if one is being used.
If you have configured your API Connect cloud to use Dynamic DNS, you can specify the same host name in the Address field for two or more Gateway services, to give the appearance that the APIs that are deployed to the separate Gateway services are on the same Gateway. For more information, see Configuring multiple Gateway services to have the same host name.
- In the Port field, enter the API data port for inbound API calls.
- In the Port Base field, enter the reserved port base for internal traffic. Note that the Gateway service's Port Base value should represent a set of 10 ports and should not overlap with another cluster's set of 10 ports or with any ports in use by other non-API Management applications on the DataPower appliance.
In the Supported Application Types field, select the type of application traffic that can flow through this DataPower® Gateway service. The options are as follows:
- Production: this Gateway service is for use with production applications only.
- Development: this Gateway service is for use with development applications only.
- Both (default): this Gateway service supports both development and production applications.
You can select a TLS profile from the TLS Profile list to provide an SSL Private Key and Certificate to replace the self-signed certificate that has been automatically generated by API Connect. These are used to identify the HTTP/S Server that receives API calls made to this service. API Connect supports PCKS #12 files containing the key and certificate and those may be protected by a password.
By default, a self-signed certificate is used.
Configure TLS to secure API calls that are made to this Gateway service. You can specify a single TLS profile to secure all API calls, or you can use Server Name Indication (SNI) to specify which TLS profile should be used depending on the host name that the API is attempting to connect to. The SNI capability enables you to serve multiple TLS secure host names through the same Gateway service, using the same IP address and port, without requiring them to use the same TLS profile.
To specify a single TLS certificate, complete the following steps:
To use SNI, complete the following steps:
- Select TLS Profile.
- Select the required TLS profile from the list.
- Select Server Name Indication Profile.
- In the Hostname field enter a host name, and select the TLS Profile to be used when API calls are made to that host name.
- Click Add to map further host names to TLS profiles.
- Use the arrow keys to reorder the mappings as required. When an incoming API call is received, the list of mappings is searched in order until the first match is found.
If the incoming request contains a TLS SNI extension that consists of a host name, it is matched against the SNI hostname map, and the credentials of the TLS profile that corresponds to the first matching entry is returned. If no match is found in the SNI host name map, then the connection is terminated with an error. To avoid such a connection error, specify a wildcard (*) as the final entry in the host name map, mapped to a TLS profile that serves as a catchall, then if none of the other host names in the SNI host name map match, the wildcard (*) entry serves as a fallback.
If the incoming request does not contain a TLS SNI extension, the first wildcard (*) entry is chosen, and the credentials associated with that TLS profile are used for communication. If no wildcard (*) entry exists, the connection is terminated due to a lack of a TLS SNI extension in the request.For example, consider the following SNI mapping configuration:
Table 1. SNI mapping example 1 Host name TLS profile abc.domain.com TLS profile 1 *.domain.com TLS profile 2 * Default profile
If an API call to
abc.domain.comis received, TLS profile 1 is used. If an API call to
xyz.domain.comis received, TLS profile 2 is used. If the host name does not match `abc.domain.com` or `*.domain.com`, the wild card (*) entry is used. Specify a wild card (*) as the final entry in the table to explicitly handle any TLS client that does meet any of the previous mapping requirements.With the following mapping table, a request from a TLS client that uses a host name of
acme.comis rejected, because there is no matching wildcard (*) to handle that client:
Table 2. SNI mapping example 2 Host name TLS profile abc.domain.com TLS profile 1 *.domain.com TLS profile 2Important: You cannot change the SNI configuration for an existing Gateway service. If you need to change your SNI configuration you must recreate the Gateway service.
- Optional: You can add extra enforcement capabilities to your Gateway server by uploading an IBM DataPower exported configuration .zip file. For more information, see Configuring your Gateway server extensions.
- You can use the automatically generated cryptographic material, or provide your own.
If you configure two or more Gateway servers, you can choose which load balancing option to use. In the Load balancing section, select one of the following load balancing choices.
By setting the load balancing options for the Gateway service, the workload is distributed across multiple servers and ensures that the defined configuration runs as efficiently as possible. For more information, see Load balancing in IBM API Connect.Restriction: VLAN is not supported if you are using the Gateway as a load balancer option.
- Select External or no load balancer if you configure more than one Gateway server but you do not want to use the API Connect load balancing function. This option is selected by default.Important: You must configure your external load balancer separately. If you do not configure an external load balancer, no load balancing is done for inbound API calls.
- Select DataPower Gateway load balancer to use the API Connect load balancing function. Enter the unique (for the local network) Load Balancing group number for the Gateway service. Note: The load balancing settings for internal traffic are reused to load balance inbound API calls.
- Select External or no load balancer if you configure more than one Gateway server but you do not want to use the API Connect load balancing function. This option is selected by default.
- When you are finished, click Save.