API Management 2018.1 and DataPower 7.7

Posted 2019-08-05 03:59

Question:

I am trying to add DataPower 7.7 into API Management 2018.1.

I need to configure API Connect Gateway Service in DataPower (new APIC 2018.1 doesn't work with XML Management Service).

After configuration I got an error:

8:07:19 mgmt    notice  959         0x00350015  apic-gw-service (default): Operational state down

8:07:19 apic-gw-service error   959         0x88e00001  apic-gw-service (default): Unexpected queue error: Domain check failed! Please ensure that the 'default' domain exists and is enabled. Also, please verify that the API Gateway Service is configured with the correct domain and SOMA credentials.

8:07:19 apic-gw-service error   959         0x88e000a0  apic-gw-service (default): Failed to initialize gateway environment: datapower

DP version is 7.7.

Please suggest, if you have any information or manuals.

Note: Domain exists, main services are enabled

Answer 1:

It's hard to tell what exactly the problem is based on the log messages shown above.

Update to original answer: See also the documentation that is now available in the IBM API Connect Knowledge Center: https://www.ibm.com/support/knowledgecenter/SSMNED_2018/com.ibm.apic.install.doc/tapic_install_datapower_gateway.html

However, here are the basic steps for configuring a DataPower gateway to work with API Connect 2018.x.

You will need to ensure:

  • DataPower is running DP 7.7.0.0 or higher.
  • You have the AppOpt license installed. (Use the “show license” command in the DataPower CLI to confirm.)
  • You have a shared certificate and a private key for securing the communication between the API Connect management server and the gateway.

On DataPower, you need to:

  • Create an application domain. All of the subsequent configuration should be done in the application domain.
  • Enable statistics.
  • Upload your private key and shared certificate to the cert:// directory in the application domain.
  • Create a crypto key object, a crypto certificate and a crypto identification credentials object using your key and certificate.
  • Create an SSL client profile and an SSL server profile that reference the crypto identification credential object.
  • Configure a gateway-peering object.
  • Configure and enable the API Connect Gateway Service in the application domain.

At that point, you should be able to configure the gateway in the API Connect cloud manager.

Here are the DataPower CLI commands to create a basic configuration. In the configuration below, IP address 1.1.1.1 represents a local IP address on your DataPower appliance. Traffic from the API Connect management server to the gateway will be sent to port 3000. API requests will go to port 9443 (but you can change it to the more standard port, 443, if you prefer.)

For a production environment, you will want to build on this configuration to ensure you are running with at least 3 gateways in the peer group, but this will get you started.

Create the application domain called apiconnect

top; configure terminal;
domain apiconnect; visible default; exit;
write mem 

Use the Web GUI to upload your private key and shared certificate to the cert:// folder in the apiconnect domain

Then run these commands to create the configuration in the apiconnect domain

  switch apiconnect       
  statistics 

  crypto
    key gw_to_apic cert:///your-privkey.cer
    certificate gw_to_apic cert:///your-sscert.cer
    idcred gw_to_apic gw_to_apic gw_to_apic
    ssl-client gwd_to_mgmt
      idcred gw_to_apic
      no validate-server-cert
    exit 
    ssl-server gwd_to_mgmt
      idcred gw_to_apic
      no request-client-auth
      validate-client-cert off 
    exit 
  exit

  gateway-peering apic
    admin-state enabled
    local-address 1.1.1.1 
    local-port 15379
    monitor-port 25379
    priority 100
    enable-ssl off
    enable-peer-group off
    persistence local
  exit

  apic-gw-service
    admin-state enabled
    local-address 0.0.0.0
    local-port 3000
    api-gw-address 0.0.0.0
    api-gw-port 9443
    v5-compatibility-mode on
    gateway-peering apic
    ssl-server gwd_to_mgmt
    ssl-client gwd_to_mgmt
  exit

  write mem
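
Added example, not part of the answer above and not IBM code: the starter configuration turns off certificate validation on both SSL profiles and TLS on gateway peering, so a small linter like this can flag those lines before the configuration is promoted to production. The names `audit`, `WEAK`, `BLOCKS` and `SAMPLE` are hypothetical, and the sample input is constructed from the commands shown in the answer.

```python
# Added example: lint a DataPower CLI config for settings that weaken TLS.
SAMPLE = """\
crypto
  ssl-client gwd_to_mgmt
    idcred gw_to_apic
    no validate-server-cert
  exit
  ssl-server gwd_to_mgmt
    idcred gw_to_apic
    no request-client-auth
    validate-client-cert off
  exit
exit
gateway-peering apic
  admin-state enabled
  enable-ssl off
exit
"""

# Object types that open a block closed by "exit" (only those used above).
BLOCKS = {"crypto", "ssl-client", "ssl-server", "gateway-peering", "apic-gw-service"}

# (enclosing object type, setting) -> consequence for the connection.
WEAK = {
    ("ssl-client", "no validate-server-cert"): "server certificate is not verified",
    ("ssl-server", "no request-client-auth"): "no client certificate requested (no mutual TLS)",
    ("ssl-server", "validate-client-cert off"): "client certificates are not verified",
    ("gateway-peering", "enable-ssl off"): "peering traffic is not protected by TLS",
}

def audit(config):
    """Return (line_no, object, setting, reason) for every weak setting found."""
    stack, findings = [], []
    for line_no, raw in enumerate(config.splitlines(), 1):
        words = raw.split()
        if not words:
            continue
        if words[0] == "exit":
            if stack:
                stack.pop()  # leave the innermost open object
        elif words[0] in BLOCKS:
            stack.append((words[0], " ".join(words[1:])))
        elif stack:
            obj_type, obj_name = stack[-1]
            setting = " ".join(words)
            if (obj_type, setting) in WEAK:
                findings.append((line_no, f"{obj_type} {obj_name}".strip(),
                                 setting, WEAK[(obj_type, setting)]))
    return findings
```

Calling `audit(SAMPLE)` reports four findings, one per weakened setting, each with its line number and the object it belongs to.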


Answer 2:

The problem you are seeing is an issue with creating your API Connect service in the default domain. To work around it, just put your API Gateway Service in a domain other than default.