Deploy API Gateway

As a prerequisite, configure the files that are present in your Mount directory.

For more information, seeConfiguring the files in Mount directory .

Also, ensure that IBM PEM is connected to Subscription Monitor service.

For more information, seeSubscription Monitor .

To deploy API gateway Deploy API Gateway, run the following command:

docker run --name="<container name>" --add-host=<host_name>:<IP address> -v <path to mount  files>:/opt/IBM/Resources -v <path to logs>:/opt/IBM/PEM_PR_PP_servers/usr/servers/apigateway/logs -v /  etc/localtime:/opt/IBM/localtime:ro -e application="apigateway" -p <host_name or IP>:<SSL exposed port  number>:9443 -dt <image name>:<version>
Note: Enter the appropriate parameter values within the angle (<>) brackets.
Important: As the application name is case-sensitive, you must enter the application name in the same case as provided in the run command. Application="apigateway" is valid.
Here,
  • <container name> - refers to the user-defined container name.

    If you again use the container with the same name, the docker engine reports that the container with the same name is already in use. In such a situation, you can either delete the container by running the command, docker rm <container name> or use a different container name.

  • <path to mount files> - provide the absolute path of the directory where the mount files are extracted. For the contents of the mount directory, see Mount Directory structure.
  • --add-host=<host_name>:<IP address> - Can add other hosts into the /etc/hosts file of the container by using one or more --add-host flags.
  • -v /etc/localtime:/opt/IBM/localtime:ro - synchronizes the container's time zone with the host machine's time zone.
  • <path to logs> - this is the absolute path of the directory in your host machine that is mounted into the container's log path.
  • <host_name or IP> - provide the host name or the IP address where the container is running.
  • <SSL exposed port number> - the exposed SSL (https) port number for the application.
  • <image name>:<version> - refers to the image name and version of the image that is downloaded from the repository and used to deploy the application.
  • If an API is configured with a hostname, then the API call from PEM Partner Repository or PEM Partner Provisioner fails as the application running inside the docker container cannot resolve the hostname. To resolve the hostname, add the hostname mapping by adding --add-host=<host_name>:<IP address> in the docker run command, delete the old container, and create a new container by running the updated docker run command.
  • If the firewall is activated, add all the ports that are used in the Docker run command to the host machine's firewall. For example, to open the port 19443 in the host machine, run the command: firewall-cmd --zone=public --add-port=19443/tcp. The port 19443 gets added to the host machine's firewall.

Sample run command for SSL port

docker run --name="apigateway_Image" --add-host=<host_name>:<IP address> -v /home/MountResource/:/opt/IBM/Resources -v /home/logs/apigateway:/opt/IBM/PEM_PR_PP_servers/usr/servers/apigateway/logs -v /etc/localtime:/opt/IBM/localtime:ro -e application="apigateway" -p host_name:19443:9443 -p host_name:17286:7286 -dt registry.ng.bluemix.net/gold/pem:3.5.16
Note: Here, --add-host is optional.

Sample run command for non-SSL port

docker run --name="apigateway_Image" --add-host=<host_name>:<IP address> -v /home/MountResource/:/opt/IBM/Resources -v /home/logs/apigateway:/opt/IBM/PEM_PR_PP_servers/usr/servers/apigateway/logs -v /etc/localtime:/opt/IBM/localtime:ro -e application="apigateway" -p host_name:19443:9443 -p host_name:17286:7276 -dt registry.ng.bluemix.net/gold/pem:3.5.16
Note: Here, --add-host is optional.

Log files

Log files help in analyzing and debugging the errors. You can find the log files in the logs directory. For PEM Partner Provisioner-specific error messages, see the APIGateway_messages.log file. For trace-level log, IBM Support can contact and assist you in enabling the trace-level log.

Note: If you have not deleted or archived the existing container logs directory, after deploying PEM Partner Provisioner, the existing logs are rolled over, and the new container logs are created.

Verifying whether the Docker run command is successful

To verify whether the Docker run command is successful, run docker logs <container name>. The following messages are displayed:
License accepted successfully.Starting server apigateway.Server ApiGateway started with process ID 77.

Configuring self-signed certificates

  1. Add certificates to the API Gateway keystore.
  2. Retrieve any self-signed certificates from the application containers before importing self-signed certificates in the gateway keystore.
    Note: Stop the API gateway containers before importing certificates.
  3. To import the certificates in the keystore available in the MountFiles directory, use the keytool command.

    For Example,

    keytool -import -trustcacerts -file <certificate file> -alias <alias> -keystore <Path to Keystore> -keypass <keystore password>
  4. Restart the gateway container after certificates are imported.
    Note: If you use wildcard based certificates for hostname, then only one certificate needs to be imported, else import all application container certificates individually.

Disabling SSH Hostname Validation:

You can disable the hostname validation for certificates in API Gateway. Perform the following steps:

  1. In Setup.cfg set the apigateway.hostname_validation_required to false.
    Note: By default value of this property is true. This enables validation.
  2. Restart the gateway container.

Configuring the properties of Setup.cfg file

Configure the following properties:
  • accept_license
  • customer_id
  • db_type
  • db_driver
  • db_host
  • db_port
  • db_name
  • db_user
  • db_password
  • ssl_connection
  • db_sslTrustStoreName
  • db_sslTrustStorePassword
  • testmode_db_port
  • testmode_db_host
  • testmode_db_name
  • testmode_db_schema
  • testmode_db_user
  • testmode_db_password
  • testmode_db_driver
  • servers.ssl_protoco
  • servers.enabled_cipher
  • servers.jvm_option
  • servers.keystore_password
  • servers.keystore_alias
  • servers.keystore_filename
  • apigateway.pem_servers
  • apigateway.pr_servers
  • apigateway.max_file_size
  • apigateway.max_request_size
  • apigateway.hostname_validation_required
Example of Setup.cfg values:
apigateway.pem_servers=https://pem-app-1:9443,https://pem-app-2:9443
	apigateway.pr_servers=https://pr-app-1:9443,https://pr-app-2:9443
	apigateway.max_file_size=1MB
	apigateway.max_request_size=1MB
	apigateway.hostname_validation_required="true"

The above values configure the API Gateway to enable hostname validation. Ensure two servers are available for each PEM and PR for load balancing and also limit the max request and file size to 1MB.

Important: To establish a connection to IBM subscription verification system, you must configure proxy_host and proxy_port.