Paired Deployment with Integration Server in Green Zone
This is another scenario of paired deployment using reverse invoke, in which an Integration Server is deployed in the green zone.
In this scenario, you configure threat protection, authentication, authorization, and mediation rules on the API Gateway instance in the DMZ; the Integration Server in the green zone hosts the native services.
The following image describes how this works. Clients send requests to the external port of the API Gateway in the DMZ. The Integration Server in the green zone opens outbound connections from its internal server port to the registration port of the API Gateway in the DMZ, so no inbound connection from the DMZ into the green zone is required. The API Gateway forwards client requests over these registered connections; the Integration Server processes them and returns the responses over the same connections, and the API Gateway instance in the DMZ responds to the external clients.
To configure reverse invoke
1. Configure external and registration ports on API Gateway in DMZ.
a. Log on to API Gateway as an Administrator user.
b. Expand the menu options icon, in the title bar, and select Administration.
c. Navigate to Security > Ports.
d. Click Add ports.
e. Select API Gateway external option from the Type drop-down menu.
f. Click Add.
g. Provide the following information in the API Gateway external listener configuration section to configure the external port.
External port. Specifies the port number you want to use for the external port.
Use a number that is not already in use. This is the port that clients connect to through your outer firewall.
Alias. Specifies an alias for the port.
An alias must be between 1 and 255 characters in length and include one or more of the following: letters (a-z, A-Z), numbers (0-9), underscore (_), period (.), and hyphen (-).
Description (optional). A description of the port.
Protocol. Specifies the protocol to use for this port (HTTP or HTTPS).
If you select HTTPS, additional security and credential fields appear; provide the required values.
Bind address (optional). Specifies the IP address to which to bind this port.
Specify a bind address if the machine has multiple IP addresses and you want the port to use this specific address. If you do not specify a bind address, API Gateway picks one for you.
Backlog. Specifies the number of requests that can remain in the queue for an enabled port before API Gateway begins rejecting requests.
The default is 200. The maximum value is 65535.
Keep alive timeout. Specifies how long (in milliseconds) the server keeps an idle connection open before closing it when it has not received a request from the client. The connection is also closed when the client explicitly requests that the server close it.
The default value is 20000 ms.
Note: For more information on ports, see Ports.
h. To configure mutual TLS (mTLS), select HTTPS in the Protocol field under API Gateway external listener configuration and select one of the following options in the Client authentication field of the Security configuration section.
Request client certificate. API Gateway requests a certificate from the client, but the connection is established even if the client does not provide a valid certificate. This option does not enforce client authentication; use it only where a client certificate is optional.
Require client certificate. API Gateway requests a certificate from the client and refuses the connection if the client does not provide a valid certificate. If you select this option, you must also configure the following fields in the Listener specific credentials section.
Keystore alias. Select a Keystore.
Key alias(signing). Select a Key alias.
Truststore alias. Select a Truststore. Client certificates are validated against the certificates in this truststore, so it determines which clients are accepted.
i. Provide the required information to configure the registration port in the API Gateway registration listener configuration section.
The important fields are Registration port, Alias, and Protocol. Note the Alias you choose: it is used later in the routing endpoint of the API. For more information on ports, see Ports.
j. Configure the Keystore alias, Key alias, and Truststore alias fields in the Listener specific credentials section.
2. Click Add.
3. Click the icon in the Enabled column next to the external and registration ports to enable them. A success message appears when a port is enabled.
4. Configure Load Balancer URL in API Gateway.
a. Expand the menu options icon, in the title bar, and select Administration.
b. Navigate to General > Load Balancer.
Provide the configured external port or the URL of an external load balancer. The API endpoints published to external consumers use this port or URL. If you use a load balancer, direct its requests to the external port of API Gateway.
For more information on load balancers, see Clusters and Load Balancers.
5. On the Integration Server in the green zone, perform the following configuration to set up two-way SSL (mutual TLS) with the registration port.
a. Navigate to Server > Ports.
b. Select the Registration Internal port configured for the API Gateway.
c. Click Edit HTTPS Port Configuration.
d. Select the Yes option in the Enable field.
e. Configure the fields, as required.
f. In the Registration credentials section, configure the Keystore Alias and Truststore Alias fields.
g. Select Require Client Certificates in the Client Authentication field.
h. Click Save Changes.
6. Configure API routing endpoints with registration port alias.
a. Create an API in API Gateway.
For more information on how to create APIs, see Creating an API.
Here, the internal server is an Integration Server. To use the reverse invoke functionality, modify the routing endpoint of the API created on the API Gateway instance in the DMZ to use the following syntax, where REG_PORT_ALIAS is the alias of the registration port configured in step 1:
apigateway://{REG_PORT_ALIAS}/rest/api/resource
If the internal server is not an Integration Server, specify the routing endpoint as the regular endpoint where the service is hosted.
Note: If the routing points to an API that resides in API Gateway, the endpoint is as follows, and that API Gateway in turn invokes the native service.
apigateway://{REG_PORT_ALIAS}/gateway/api/resource
7. Configure Internal Server Port on the Integration Server in green zone.
a. Configure the Internal Server Port on the Integration Server where the native API resides.
b. Provide the host of the API Gateway in the DMZ and its registration port.
8. You can now access the API using a URL of the format http://externalserver:externalport/gateway/api-name/resource-path (use https:// if you configured the external port for HTTPS).
Important: Each registered connection between the API Gateway in the DMZ and the internal server in the green zone is idle except while a request is being sent to the internal server or a response is being returned from it. In other words, utilization of the DMZ API Gateway connections is I/O bound, and the number of registered connections bounds the number of requests that can be in flight at once. Therefore, if you expect a large number of simultaneous transactions, increase the number of registered connections accordingly.
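The rules stated in the procedure above (alias syntax, backlog limit, the difference between Request and Require client certificate, the fields mutual TLS needs, and the apigateway:// routing-endpoint syntax) can be checked before a port plan is typed into the UI. The following pre-flight checker is an added example and is not code from the Software AG documentation or the product; the dictionary layout, field names, and the two sample plans are this example's own constructed assumptions.

```python
"""Pre-flight check for an API Gateway reverse-invoke port plan.

Added example, not part of the product or its documentation. It encodes the
rules given in the procedure on this page so a planned external/registration
port configuration can be checked before it is entered in the UI. The plan
layout (dict keys such as "client_auth") is an assumption of this example.
"""
import re

# Alias rule from the documentation: 1-255 chars of letters, digits, _ . -
ALIAS_RE = re.compile(r"^[A-Za-z0-9_.\-]{1,255}$")
MAX_BACKLOG = 65535


def check_alias(alias):
    """Return None if the alias meets the documented rule, else an error string."""
    if ALIAS_RE.fullmatch(alias):
        return None
    return f"alias {alias!r} must be 1-255 chars of letters, digits, '_', '.', '-'"


def check_listener(name, cfg):
    """Check one listener block (external or registration). Returns (errors, warnings)."""
    errors, warnings = [], []
    port = cfg.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        errors.append(f"{name}: port {port!r} is not a valid TCP port")
    err = check_alias(cfg.get("alias", ""))
    if err:
        errors.append(f"{name}: {err}")
    if cfg.get("protocol") not in ("HTTP", "HTTPS"):
        errors.append(f"{name}: protocol must be HTTP or HTTPS")
    backlog = cfg.get("backlog", 200)  # documented default is 200
    if not 1 <= backlog <= MAX_BACKLOG:
        errors.append(f"{name}: backlog {backlog} outside 1..{MAX_BACKLOG}")
    auth = cfg.get("client_auth", "none")
    if cfg.get("protocol") == "HTTPS":
        if auth == "request":
            # "Request client certificate" still establishes the connection
            # without a valid certificate, so it does not enforce mTLS.
            warnings.append(f"{name}: 'Request client certificate' accepts clients "
                            "without a valid certificate; use 'Require' to enforce mTLS")
        if auth == "require":
            for field in ("keystore_alias", "key_alias", "truststore_alias"):
                if not cfg.get(field):
                    errors.append(f"{name}: 'Require client certificate' needs {field}")
    elif auth in ("request", "require"):
        errors.append(f"{name}: client certificate authentication needs HTTPS")
    return errors, warnings


def check_plan(plan):
    """Check the external and registration listeners together."""
    ext, reg = plan["external"], plan["registration"]
    errors, warnings = [], []
    for name, cfg in (("external", ext), ("registration", reg)):
        e, w = check_listener(name, cfg)
        errors += e
        warnings += w
    if ext.get("port") == reg.get("port") and ext.get("bind_address") == reg.get("bind_address"):
        errors.append("external and registration ports clash")
    if ext.get("alias") == reg.get("alias"):
        errors.append("external and registration aliases must differ")
    if reg.get("protocol") != "HTTPS" or reg.get("client_auth") != "require":
        warnings.append("registration: green-zone servers should register over HTTPS with "
                        "'Require client certificate' (two-way SSL, step 5)")
    return errors, warnings


def routing_endpoint(reg_alias, resource, gateway_hosted=False):
    """Build the reverse-invoke routing endpoint (step 6) for the DMZ API.

    resource is the path after the /rest/ (Integration Server) or /gateway/
    (API Gateway hosted) prefix, e.g. "api/resource".
    """
    err = check_alias(reg_alias)
    if err:
        raise ValueError(err)
    prefix = "gateway" if gateway_hosted else "rest"
    return f"apigateway://{reg_alias}/{prefix}/{resource.lstrip('/')}"


# Constructed sample plans for illustration (not from any real deployment).
GOOD_PLAN = {
    "external": {"port": 5555, "alias": "ext_https", "protocol": "HTTPS",
                 "client_auth": "require", "keystore_alias": "dmz_ks",
                 "key_alias": "dmz_key", "truststore_alias": "client_ts",
                 "backlog": 200, "keep_alive_ms": 20000},
    "registration": {"port": 4444, "alias": "reg_port", "protocol": "HTTPS",
                     "client_auth": "require", "keystore_alias": "dmz_ks",
                     "key_alias": "dmz_key", "truststore_alias": "greenzone_ts"},
}
WEAK_PLAN = {
    "external": {"port": 5555, "alias": "ext https", "protocol": "HTTPS",
                 "client_auth": "request", "backlog": 70000},
    "registration": {"port": 5555, "alias": "reg_port", "protocol": "HTTP",
                     "client_auth": "require"},
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("weak", WEAK_PLAN)):
        errors, warnings = check_plan(plan)
        print(label, "errors:", errors, "warnings:", warnings)
    print(routing_endpoint(GOOD_PLAN["registration"]["alias"], "api/resource"))
```

The weak plan shows the two mistakes a reviewer most often sees in this setup: an external HTTPS port left on "Request client certificate", which still admits clients with no certificate, and a registration port that the green zone server reaches over plain HTTP instead of two-way SSL.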