Deploy API Gateway

As a prerequisite, configure the files that are present in your Mount directory. For more information, see Configuring the files in Mount directory.

Also, ensure that IBM PEM is connected to Subscription Monitor service. For more information, see Subscription monitor.

Deploying API Gateway

To deploy API gateway using docker, run the command:
docker run --name="<container name>" --add-host=<host_name>:<IP address> -v <path to mount files>:/opt/IBM/Resources -v <path to logs>:/opt/IBM/PEM_PR_PP_servers/usr/servers/apigateway/logs -v /etc/localtime:/opt/IBM/localtime:ro -e application="apigateway" -p <host_name or IP>:<SSL exposed port number>:9443 -dt <image name>:<version>
To deploy API gateway using podman, run the command:
podman run --name="<container name>" --add-host=<host_name>:<IP address> -v <path to mount files>:/opt/IBM/Resources:z -v <path to logs>:/opt/IBM/PEM_PR_PP_servers/usr/servers/apigateway/logs:z -v /etc/localtime:/opt/IBM/localtime:ro -e application="apigateway" -p <host_name or IP>:<SSL exposed port number>:9443 -dt <image name>:<version>
Note: Enter the appropriate parameter values within the angle (<>) brackets.
Important: The application name is case-sensitive, so you must enter it in the same case as provided in the run command. For example, application="apigateway" is valid.
  • If an API is configured with a hostname, then the API call from PEM Partner Repository or PEM Partner Provisioner fails as the application running inside the docker/podman container cannot resolve the hostname. To resolve the hostname, add the hostname mapping by adding --add-host=<host_name>:<IP address> in the docker/podman run command, delete the old container, and create a new container by running the updated docker/podman run command.
  • If the firewall is activated, add all the ports that are used in the docker/podman run command to the host machine's firewall. For example, to open the port 19443 in the host machine, run the command: firewall-cmd --zone=public --add-port=19443/tcp. The port 19443 gets added to the host machine's firewall.
Table 1. Description of the parameters used.
Parameter | Description
<container name> | User-defined container name. Note: If you reuse the container name, the docker/podman engine reports that the container with the same name is already in use. To resolve this, you can either delete the container by running the command docker rm <container name> or podman rm <container name>, or use a different container name.
<path to mount files> | The absolute path of the directory where the mount files are extracted. For the contents of the mount directory, see Mount Directory structure.
--add-host=<host_name>:<IP address> | You can add other hosts into the /etc/hosts file of the container by using one or more --add-host flags.
-v /etc/localtime:/opt/IBM/localtime:ro | Synchronizes the time zone of the container with the host machine time zone.
<path to logs> | The absolute path of the directory in your host machine that is mounted into the container's log path.
<host_name or IP> | The host name or the IP address where the container is running.
<SSL exposed port number> | The exposed SSL (HTTPS) port number for the application.
<image name>:<version> | The image name and version of the image that is downloaded from the repository and is used to deploy the application.

Sample run command for SSL port

  • Docker:
    docker run --name="apigateway_Image" --add-host=<host_name>:<IP address> -v /home/MountResource/:/opt/IBM/Resources -v /home/logs/apigateway:/opt/IBM/PEM_PR_PP_servers/usr/servers/apigateway/logs -v /etc/localtime:/opt/IBM/localtime:ro -e application="apigateway" -p host_name:19443:9443 -p host_name:17286:7286 -dt registry.ng.bluemix.net/gold/pem:3.5.16
  • Podman:
    podman run --name="apigateway_Image" --add-host=<host_name>:<IP address> -v /home/MountResource/:/opt/IBM/Resources -v /home/logs/apigateway:/opt/IBM/PEM_PR_PP_servers/usr/servers/apigateway/logs -v /etc/localtime:/opt/IBM/localtime:ro -e application="apigateway" -p host_name:19443:9443 -p host_name:17286:7286 -dt registry.ng.bluemix.net/gold/pem:3.5.16
Note: Here, --add-host is optional.

Sample run command for non-SSL port

  • Docker:
    docker run --name="apigateway_Image" --add-host=<host_name>:<IP address> -v /home/MountResource/:/opt/IBM/Resources -v /home/logs/apigateway:/opt/IBM/PEM_PR_PP_servers/usr/servers/apigateway/logs -v /etc/localtime:/opt/IBM/localtime:ro -e application="apigateway" -p host_name:19443:9443 -p host_name:17286:7276 -dt registry.ng.bluemix.net/gold/pem:3.5.16
  • Podman:
    podman run --name="apigateway_Image" --add-host=<host_name>:<IP address> -v /home/MountResource/:/opt/IBM/Resources -v /home/logs/apigateway:/opt/IBM/PEM_PR_PP_servers/usr/servers/apigateway/logs -v /etc/localtime:/opt/IBM/localtime:ro -e application="apigateway" -p host_name:19443:9443 -p host_name:17286:7276 -dt registry.ng.bluemix.net/gold/pem:3.5.16
Note: Here, --add-host is optional.

Log files

Log files help in analyzing and debugging errors. You can find the log file in the logs directory. For PEM Partner Provisioner-specific error messages, see the APIGateway_message.log file. For trace-level logs, IBM Support can assist you in enabling them.
Note: If you have not deleted or archived the existing container logs directory, after deploying PEM Partner Provisioner, the existing logs are rolled over, and the new container logs are created.

Verifying the Docker/Podman run command

To verify whether the Docker run command is successful, run docker logs <container name>. The following messages are displayed:
License accepted successfully.
Starting server apigateway.
Server ApiGateway started with process ID 77.
To verify whether the Podman run command is successful, run podman logs <container name>. The following messages are displayed:
License accepted successfully.
Starting server apigateway.
Server ApiGateway started with process ID 77.

Configuring self-signed certificates

  1. Add certificates to the API Gateway keystore.
  2. Retrieve any self-signed certificates from the application containers before importing self-signed certificates in the gateway keystore.
    Note: Stop the API gateway containers before importing certificates.
  3. To import the certificates in the keystore available in the MountFiles directory, use the keytool command.

    For example:

    keytool -import -trustcacerts -file <certificate file> -alias <alias> -keystore <Path to Keystore> -keypass <keystore password>
  4. Restart the gateway container after certificates are imported.
    Note: If you use wildcard based certificates for hostname, then only one certificate needs to be imported, else import all application container certificates individually.
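
When planning the imports in step 3, it helps to know which backend hostnames a wildcard certificate actually covers. The following is an added example, not part of the product documentation. It assumes the usual TLS rule that a wildcard matches exactly one leftmost label, and the function names and hostnames are hypothetical:

```shell
# name_covers CERT_NAME HOST -> succeeds if CERT_NAME (exact or "*.domain") matches HOST.
# Assumption: a wildcard covers exactly one leftmost DNS label.
name_covers() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $name in
        \*.*) suffix=${name#\*}            # e.g. ".example.test"
              label=${host%"$suffix"}      # what is left of the suffix
              [ "$label" != "$host" ] && [ -n "$label" ] &&
                  case $label in *.*) false ;; *) true ;; esac ;;
        *)    [ "$name" = "$host" ] ;;
    esac
}

# uncovered_hosts CERT_NAME URL_LIST -> prints the hosts in a comma-separated
# URL list (the format of apigateway.pem_servers) that CERT_NAME does not cover.
# Those containers need their own certificate imported individually.
uncovered_hosts() {
    for url in $(printf '%s' "$2" | tr ',' ' '); do
        h=$(printf '%s' "$url" | sed -e 's#^[A-Za-z]*://##' -e 's#[:/].*$##')
        name_covers "$1" "$h" || echo "$h"
    done
}

# Constructed sample values; the hostnames are placeholders.
pem_servers="https://pem-app-1.example.test:9443,https://pem-app-2.corp.example.test:9443"
uncovered_hosts '*.example.test' "$pem_servers"
```
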

Disabling SSH Hostname Validation:

You can disable the hostname validation for certificates in API Gateway. Perform the following steps:

  1. In Setup.cfg, set apigateway.hostname_validation_required to false.
    Note: The default value of this property is true, which enables validation.
  2. Restart the gateway container.

Configuring the properties of Setup.cfg file

Configure the following properties:
  • accept_license
  • customer_id
  • db_type
  • db_driver
  • db_host
  • db_port
  • db_name
  • db_user
  • db_password
  • ssl_connection
  • db_sslTrustStoreName
  • db_sslTrustStorePassword
  • testmode_db_port
  • testmode_db_host
  • testmode_db_name
  • testmode_db_schema
  • testmode_db_user
  • testmode_db_password
  • testmode_db_driver
  • servers.ssl_protoco
  • servers.enabled_cipher
  • servers.jvm_option
  • servers.keystore_password
  • servers.keystore_alias
  • servers.keystore_filename
  • apigateway.pem_servers
  • apigateway.pr_servers
  • apigateway.max_file_size
  • apigateway.max_request_size
  • apigateway.hostname_validation_required
Example of Setup.cfg values:
apigateway.pem_servers=https://pem-app-1:9443,https://pem-app-2:9443
apigateway.pr_servers=https://pr-app-1:9443,https://pr-app-2:9443
apigateway.max_file_size=1MB
apigateway.max_request_size=1MB
apigateway.hostname_validation_required="true"
The above values configure the API Gateway to enable hostname validation, to use two servers each for PEM and PR for load balancing, and to limit the maximum request size and file size to 1MB.
Important: To establish a connection to IBM subscription verification system, you must configure proxy_host and proxy_port.
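
A pre-deployment check of the Setup.cfg properties discussed in "Disabling SSH Hostname Validation" and in this section can catch a disabled hostname check or a missing size limit before the container is restarted. This is an added example, not IBM-supplied code. The function names, the policy of flagging non-https backend URLs, and the sample file are assumptions:

```shell
# cfg_get FILE KEY -> prints the last value assigned to KEY, without surrounding quotes.
cfg_get() {
    awk -v key="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key) == 1 {
            rest = substr(line, length(key) + 1)
            if (rest ~ /^[ \t]*=/) {
                sub(/^[ \t]*=[ \t]*/, "", rest); sub(/[ \t\r]+$/, "", rest)
                gsub(/^"|"$/, "", rest); val = rest
            }
        }
        END { print val }' "$1"
}

# audit_setup_cfg FILE -> prints one finding per line; returns 1 if there are any.
audit_setup_cfg() {
    cfg=$1; findings=0
    hv=$(cfg_get "$cfg" apigateway.hostname_validation_required | tr 'A-Z' 'a-z')
    # An unset property keeps the default (true), so only an explicit false is flagged.
    if [ "$hv" = "false" ]; then
        echo "FAIL apigateway.hostname_validation_required=false: certificate hostnames are not checked"
        findings=1
    fi
    for key in apigateway.pem_servers apigateway.pr_servers; do
        for url in $(cfg_get "$cfg" "$key" | tr ',' ' '); do
            case $url in
                https://*) ;;
                *) echo "FAIL $key: $url is not an https:// URL"; findings=1 ;;
            esac
        done
    done
    for key in apigateway.max_file_size apigateway.max_request_size; do
        if [ -z "$(cfg_get "$cfg" "$key")" ]; then
            echo "WARN $key is not set"; findings=1
        fi
    done
    return "$findings"
}

# Constructed sample input (not from a real deployment).
sample=$(mktemp)
cat > "$sample" <<'EOF'
apigateway.pem_servers=https://pem-app-1:9443,http://pem-app-2:9080
apigateway.pr_servers=https://pr-app-1:9443,https://pr-app-2:9443
apigateway.max_file_size=1MB
apigateway.hostname_validation_required="false"
EOF
audit_setup_cfg "$sample" || echo "Setup.cfg needs review"
```
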