Configuring DataPower Gateway (v5 compatible)

You can configure the DataPower® Gateway (v5 compatible) to prepare for a registration with the API Connect Management server.

About this task

After you install the API Gateway and set up its certificates, you must configure the gateway server for use with API Connect V12 Reserved Instance.

Procedure

  1. Open the DataPower WebGUI interface.
  2. Enable the XML management interface in the default domain, if required. The XML management interface is required for DataPower Gateway (v5 compatible). The XML management interface is optional for DataPower API Gateway.
    1. Search for XML management interface in the navigation search bar, and select it.
    2. Set the Administrative state to enabled.
    3. You can specify a different port number if you do not want to use the default of 5550.
    4. Select Apply to make the changes.
    5. Save changes to the default domain by selecting Save Configuration.
  3. Create an application domain.
    This domain receives your traffic. The name of the DataPower domain where you configure the API Connect Gateway Service must be the same on each DataPower Gateway.
    1. Search for Application domain in the navigation search bar, and select it.
    2. Select Add to create the application domain.
    3. Enter a unique name for your domain.
    4. Ensure that enabled is selected for the Administrative state.
    5. Ensure that the default domain is listed in the Visible application domain list.
    6. Select Apply.
    7. Change to your new application domain by selecting Domain in the menu bar, and selecting the domain that you created.
    8. Select Save changes and switch domains.
      All of the remaining steps on the DataPower gateway must be done in the application domain that you created.
    9. Save changes to the domain by selecting Save Configuration.
  4. For the DataPower Gateway (v5 compatible) only: Enable statistics in the domain you created for API Connect.
    1. Search for and select Statistics settings in the navigation search.
    2. Select enabled for the Administrative state.
    3. Select Apply.
  5. Ensure that your deployment includes an NTP server to synchronize time between each of the DataPower Gateways.
    See Managing the NTP service in the DataPower documentation.
  6. Ensure that you have set a unique System Identifier for each v10 DataPower gateway. See Initializing the DataPower Gateway in the DataPower documentation.
  7. Create a self-signed certificate and private key to be used to protect the traffic between the management server and the API gateway service process. You can generate a certificate and private key using DataPower or by using other tools, such as OpenSSL. See Generating keys and certificates in the DataPower Gateway IBM documentation for instructions on how to create a crypto key with the DataPower tools.
  8. Upload your private crypto key file to the domain.

    For steps 5, 6, and 7, use the certificates that you set up in the previous task Setting up certificates for a self-managed gateway.

    1. Search for Crypto key in the navigation search bar, and select it.
    2. Select Add to create a key object.
    3. Create a unique name for the key object in the Name field.
    4. Select Upload....
    5. Browse for the key file (which must be a .pem or .p12 file) and select it.
    6. If you want to rename it, enter a new name for the file.
    7. Select Upload to move it to the server in the cert:// folder.
    8. Select Apply to save the changes.
  9. Upload your crypto certificate file to the domain.
    Note: If your certificate is signed by an Intermediate CA, you must include the entire chain in a single key file (either .pem or .p12) for uploading.
    1. Search for Crypto certificate in the navigation search bar, and select it.
    2. Select Add to create a certificate object.
    3. Create a unique name for the certificate object in the Name field.
    4. Select Upload....
    5. Browse for the key file (which must be a .pem or .p12 file) and select it.
    6. If you want to rename it, enter a new name for the file.
    7. Select Upload to move it to the server in the cert:// folder.
    8. Select Apply to save the changes.
  10. Associate the Crypto key with the Crypto certificate by setting the Identification credential.
    1. Search for Crypto Identification Credentials in the navigation search bar, and select it.
    2. Select Add.
    3. Enter a name for your credential.
    4. Ensure that the Administrative state has a value of enabled.
    5. In the Crypto Key field, select the name of the key object that you created from the drop-down menu.
    6. In the Certificate object field, select the name of the certificate object that you created from the drop-down menu.
    7. Select Apply to commit your changes.
  11. Create your TLS Client profile.
    1. Search for TLS Client profile in the navigation search bar, and select it.
    2. Select Add to create a client profile.
    3. Create a unique name for the profile in the Name field.
    4. Select your Identification credential from the drop-down list.
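    5. Ensure that the value of Validate server certificate is set to off.
      With this value off, the gateway does not validate the certificate presented by the server that it connects to with this profile.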
    6. Ensure that the value of Use SNI is set to on.
    7. Select Apply to save the changes.
  12. Configure your gateway peering object for the API Connect Gateway Service.
    This step is required when you set up a peer group of gateways, even if there is only a single gateway server in the gateway service.
    1. Search for Gateway peering in the navigation search bar, and select it.
    2. Select Add.
    3. Enter a unique name for your gateway peering object.
    4. Ensure that the Administrative state has a value of enabled.
    5. Select a local address for the communications among the members of the peer group.
    6. Select a local port for the communication.
      You can use the default value of 16380.
    7. Select a monitor port for the communication.
      You can use the default value of 26380.
    8. Because this procedure uses only one gateway, ensure that Peer group mode is not selected.
    9. Clear the Enable TLS check box. TLS is not needed for a single peer.
    10. Set the Persistence location value to Memory for either a physical or a virtual DataPower appliance.
    11. Select Apply to commit your changes.
  13. Set the API Connect Gateway service to define the communication interface with the API Connect Management server and for API transactions.
    1. Search for API Connect Gateway service in the navigation search bar, and select it.
    2. Ensure that the Administrative state is set to enabled.
    3. In the Local address field, enter the IP address of the DataPower gateway to which you want the traffic from the API Connect Management server to be sent.
    4. Use the default port value of 3000 for the Local port.
    5. In the TLS client field drop-down list, select the name of the TLS client profile that you created.
    6. In the TLS server field drop-down list, select the name of the TLS server profile that you created.
    7. In the API gateway address field, enter the IP address for the DataPower gateway to which you want the API traffic sent.
    8. Use the default port value of 9443 for the API gateway port.
      If the port is not being used by another service, you can also change it to port 443 if you want API transactions to be sent to the default port for HTTPS.
    9. For DataPower Gateway (v5 compatible), select the gateway peering object that you created in Step 12.
    10. Select whether you want the DataPower Gateway (v5 compatible) or the DataPower API Gateway.
      When the option is selected, it enables the registration of a DataPower Gateway (v5 compatible).
  14. Optional: Configure Server Name Indication (SNI) profiles.
    SNI profiles allow different TLS certificates to be used for API transaction requests from different host names.
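
For steps 7 to 10, an added example (not part of the IBM documentation) that generates a self-signed certificate and private key with OpenSSL and confirms that the two files pair before they are uploaded and joined in an Identification Credential. The file names gw-key.pem and gw-cert.pem, the subject CN and the lifetime are assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. File names, subject CN and lifetime are assumptions.

# gen_gateway_identity DIR CN DAYS
# Writes DIR/gw-key.pem (unencrypted RSA key) and DIR/gw-cert.pem (self-signed).
gen_gateway_identity() {
    (
        umask 077   # private key readable by its owner only
        openssl req -x509 -newkey rsa:2048 -nodes \
            -keyout "$1/gw-key.pem" -out "$1/gw-cert.pem" \
            -days "$3" -subj "/CN=$2" 2>/dev/null
    )
}

# Public key in PEM form, taken from the private key or from the certificate.
key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# key_matches_cert KEY CERT
# Succeeds only when both files parse and carry the same public key,
# so they can be paired in one Identification Credential (step 10).
key_matches_cert() {
    k=$(key_pub "$1") || return 1
    c=$(cert_pub "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_now CERT
# Succeeds when the certificate has not expired (notAfter is in the future).
cert_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}
```

Call gen_gateway_identity with an existing directory, then run key_matches_cert and cert_valid_now on the resulting files before uploading them in steps 8 and 9.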