Connecting API Gateway in Green Zone to API Gateway in DMZ
In this scenario, you can impose the threat protection rules in API Gateway Server (Standard Edition) located in the DMZ. In the API Gateway instance located in the green zone, you can configure the authentication, authorization, and mediation rules prior to routing the requests to the native API.
The following image describes the working method. The client requests are sent to the API Gateway instance in DMZ. These requests are present on the registration port. The green zone API Gateway listens to these requests through the Internal Server port, processes the request through the native service application and responds back to the API Gateway instance in DMZ. The API Gateway instance in DMZ responds to the external clients.
Important:
A connection between API Gateway Server in DMZ and the API Gateway Server in Green zone is available except when a request is being made to the API Gateway in green zone or a response is being returned from the API Gateway in green zone. In other words, DMZ API Gateway connection utilization is I/O bound. Therefore, if you expect large, simultaneous transactions, increase the number of registered connections accordingly.
To configure reverse invoke
1. Configure External and Registration ports on API Gateway in DMZ.
a. Log on to API Gateway as an Administrator user.
b. Expand the menu options icon, in the title bar, and select Administration.
c. Navigate to Security > Ports.
d. Click Add ports.
e. Select API Gateway external option from the Type drop-down menu.
f. Click Add.
g. Provide the required information in the API Gateway external listener configuration to configure the External port.
The important fields to be configured are External port, Alias, Protocol, Backlog, and Keep alive timeout. For more information on ports, see webMethods API Gateway User's Guide.
h. To configure two-way SSL, select HTTPS in the Protocol field and select one of the following options in the Client authentication field in the in API Gateway external listener configuration section.
Request client certificate. This option requests for a certificate from the client. However, even if the client does not provide a valid certificate, the connection is established.
Require client certificate. This option requests for a certificate from the client. If the client does not provide a valid certificate, the connection is not established. If you select this option, you must also configure the
Truststore alias field.
i. Provide the required information to configure the Registration port, in the API Gateway registration listener configuration section.
The important fields to be configured are Registration port, Alias, and Protocol. For more information on ports, see webMethods API Gateway User's Guide.
j. If you execute step h, perform the following steps to configure two-way SSL.
a. Select HTTPS in the Protocol field and select Require client certificate in the Client authentication field.
b. Configure the Keystore alias and Truststore alias fields.
2. Execute the following steps in the Green zone API Gateway.
a. Create an API Gateway internal port.
b. Select HTTPS in the Protocol field.
c. In the API Gateway external server section, enter the hostname of the DMZ API Gateway in the Host field.
d. Type the port number of the API Gateway registration port of DMZ API Gateway in the Port field.
e. In the Registration credentials section, provide the following information.
Keystore alias. Select a Keystore.
Key alias(signing). Select a Key alias.
Truststore alias. Select Truststore. If you select a Truststore, 2-way SSL is enabled.
3. Configure the internal port of the API Gateway in green zone with the Registration port of API Gateway in DMZ.
4. Configure Load Balancer URL in API Gateway present in the green zone.
a. Expand the menu options icon, in the title bar, and select Administration.
b. Navigate to General > Load Balancer.
Provide the configured external server host and port or an external Load Balancer URL. The API endpoints have this port for external consumers. If you have a Load Balancer, then the requests from the Load Balancer must be directed to API Gateway's External port.
For more information on load balancers, see .
5. Create an API in the internal API Gateway Server with routing protocol and endpoint as the Native API. For more information on how to create APIs, see
Creating an API. 6. You can now access the API by using the URL in the format http://externalserver:externalport/gateway/api-name/resource-path.
If the API Gateway in green zone runs out of registration connections, it issues the following error message:
number requests waiting for a registration connection.
Each connection consumes a thread, either from the API Gateway in green zone's common thread pool or from the internal listener's private thread pool, if one is defined. The consumed thread can only be used to process requests from API Gateway in DMZ.
If you have defined a private thread pool for the internal registration listener, the number of connections you can specify in the Max Connections box is limited to the maximum number of threads allowed in the private thread pool for this listener.
If you have multiple internal registration listeners, each with its own private thread pool, the same rule applies for each internal registration listener.
If you have not defined a private thread pool for an internal registration listener, a reasonable limit for the Max Connections box is 75% of the number of server threads specified in Server Thread Pool Max Threads box on the Settings > Resources page. If you have multiple internal registration listeners and none of them have private thread pools, the sum of all connections specified in the Max Connections boxes for these listeners should not exceed 75% of the number of server threads specified in Server Thread Pool Max Threads.
A thread remains open unless it is closed by a firewall, a network glitch, or an exception.
