Configuration Provisioning
The Administration configuration for Microgateway is provisioned in one of the following ways:
From the default settings file, system-settings.yml, which is used for starting a Microgateway server.
From the user-defined custom settings YAML file, which is used when you want to include custom settings that need to override the default settings. The user-defined custom settings YAML file is passed as an argument using the -c option during Microgateway startup.
Note:
From release 10.4, the administration configuration settings are no longer picked up from input archive files.
Default settings file: system-settings.yml
When you start the Microgateway server, the default settings are read from the system configuration file, config/system-settings.yml, which contains the following entries:
faults: contains variables for error handling during runtime.
extended_settings: various kinds of settings for runtime.
gateway_destination: API Gateway settings for logging into API Gateway.
key_store: Keystore settings for establishing HTTPS connections.
trust_store: Truststore settings for HTTPS handshake for specific policies.
system: internal settings.
To enable the policy enforcement on a Microgateway the following configurations need to be provisioned in Microgateway:
extended
apiFault
elasticsearchDestinationConfig
gatewayDestinationConfig
Note:
The external Elasticsearch configuration is optional, and needs to be specified if you have such an Elasticsearch in your environment. You require an external Elasticsearch if you have the Log Invocation policy enforced where Elasticsearch destination is selected. You have to specify the external Elasticsearch configuration settings in the user-defined custom settings YAML file.
The system settings file should not be modified. Any specific changes required are specified in the custom settings file.
The default configuration file system-settings.yml looks as follows:
---
faults:
  default_error_message: "API Gateway encountered an error.
    Error Message: $ERROR_MESSAGE. Request Details: Service - $SERVICE,
    Operation - $OPERATION, Invocation Time:$TIME, Date:$DATE,
    Client IP - $CLIENT_IP, User - $USER and Application:$CONSUMER_APPLICATION"
  native_provider_fault: "false"
extended_settings:
  defaultEncoding: "UTF-8"
  apiKeyHeader: "x-Gateway-APIKey"
  apig_MENConfiguration_tickInterval: "60"
  events.collectionQueue.size: "10000"
  events.collectionPool.minThreads: "1"
  events.collectionPool.maxThreads: "8"
gateway_destination:
  sendPolicyViolationEvent: "true"
key_store:
  type: JKS
  provider: SUN
  location: config/keystore.jks
  password: password
system:
  version: "10.4.0.0.303"
---
User-defined Custom settings YAML file
If you have certain custom settings that you want Microgateway to use by overriding the default settings specified in the system-settings.yml file, you can provision these configuration settings from a user-defined custom settings YAML file. You can create the custom settings file as required. If a particular setting value is not present in the custom settings YAML file, then the appropriate value is taken from the default config/system-settings.yml file. The custom settings YAML file contains the configuration values for starting Microgateway and the settings for replacing the system-settings.yml.
The configuration values for starting a Microgateway are listed in the following table.
Configuration values | Settings |
ports | Ports configuration section |
| http. HTTP port exposed by Microgateway. |
| https. HTTPS port exposed by Microgateway. |
| key_alias. Key alias for exposing the server certificate on the HTTPS port. |
api_gateway | API Gateway configuration section |
| url. API Gateway URL. |
| user. API Gateway user. |
| password. API Gateway user password. |
| dir. API Gateway installation folder. |
| download_settings. Flag to control the download of settings. |
api_endpoint | API endpoint section |
| base_path. Base path of the APIs exposed by Microgateway. |
admin_api | Admin API section |
| user. Microgateway user for authenticating requests against the Admin API section. |
| password. Microgateway user password. |
| admin_path. Base path of the Admin API. |
downloads | Asset provisioning section |
| apis. APIs to download from API Gateway. |
| applications. Applications to download from API Gateway. |
| policies. Global policies to download from API Gateway. |
archive | Archive section |
| file. Archives to be loaded during startup. |
policies | Policy configuration section |
| user_auth. Configuring user configuration. |
logging | Logging configuration section |
| level. Logging level. |
| path. File system path for storing log files. |
applications_sync | Application synchronization section |
| enabled. Flag to enable application synchronization. |
| applications_to_sync. Applications to synchronize. |
| polling_interval_secs. Polling interval in seconds. |
| connection_timeout_secs. Connection timeout in seconds when synchronizing applications. |
A sample user-defined custom settings YAML file looks as follows:
ports:
  http: 7000
archive:
  file: /tmp/myarchive.zip
fault:
  ...
extended_settings:
  ...
gateway_destination:
  ...
es_destination:
  protocol: "http"
  hostName: "<name of the ElasticSearch host>"
  port: "9240"
  userName: ""
  password: ""
  indexName: "gateway_default_analytics"
  metricsPublishInterval: "60"
  sendErrorEvent: "false"
  sendLifecycleEvent: "false"
  sendPerformanceMetrics: "false"
  sendPolicyViolationEvent: "true"
  sendAuditlogPackageManagementEvent: "false"
  sendAuditlogPlanManagementEvent: "false"
  sendAuditlogApplicationManagementEvent: "false"
  sendAuditlogAliasManagementEvent: "false"
  sendAuditlogRuntimeDataManagementEvent: "false"
  sendAuditlogPolicyManagementEvent: "false"
  sendAuditlogApprovalManagementEvent: "false"
  sendAuditlogUserManagementEvent: "false"
  sendAuditlogAdministrationEvent: "false"
  sendAuditlogGroupManagementEvent: "false"
  sendAuditlogAccessProfileManagementEvent: "false"
  sendAuditlogAPIManagementEvent: "false"
  sendAuditlogPromotionManagementEvent: "false"
Reading Settings from API Gateway
You can read and use the settings from API Gateway during the startup of the Microgateway server, by using the parameter download_settings from the YAML configuration file. The default value of the parameter is false.
# API Gateway configuration
api_gateway:
  url: http://hostname:port
  user: Administrator
  password: password
  dir: /opt/softwareag/IntegrationServer/instances/default
  download_settings: true | false
You can also specify download_settings as a command line option during Microgateway startup as follows:
-Shortcut, --Name | Default | Description |
-ds, --download_settings | false | Download the settings from API Gateway. |
Creating Individual Settings Files
You can create a custom configuration file including all the settings. These settings are pulled from a specified API Gateway.
Use the following command to create a settings file:
./microgateway.sh downloadSettings options
where you can use the various command line options detailed in the Command Line Reference.
Example: Use the following command within CLI to create the custom settings YAML file:
./microgateway.sh downloadSettings -gw gateway-url -gwu user -gwp password [--config config-file] --output filename
If you do not specify any input settings while creating the custom settings YAML file, then the custom settings file created contains all the API Gateway setting entries, such as fault, extended_settings, and so on. The following invocation creates a custom settings YAML file by downloading settings from the API Gateway running on apigateway-host:
./microgateway.sh downloadSettings -gw http://apigateway-host:5555 -gwu Administrator -gwp password --output config/custom-settings.yml
If you have specified an input settings file, the input settings are merged with the settings downloaded from API Gateway. The following invocation creates a merged settings file, custom-settings.yml:
./microgateway.sh downloadSettings -gw http://apigateway-host:5555 -gwu Administrator -gwp password --config my-config.yml --output config/custom-config.yml
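The settings files on this page carry credentials (the api_gateway, admin_api, key_store and es_destination passwords) and their samples use http URLs, so a custom settings file is worth checking before it is passed to Microgateway. The following shell check is an added example, not part of Microgateway or its documentation: it flags a settings file readable by group or other, a password left at the sample value "password", any other literal password, and cleartext http in url or protocol. The key names come from the samples above; the finding labels, the sample file and its host and user values are constructed, and the check assumes an indented YAML file with top-level sections at column 0.

```shell
#!/bin/sh
# Added example: pre-start audit of a Microgateway custom settings YAML.
# Key names are taken from this page's samples; checks are illustrative.

audit_settings() {
    f=$1
    # Characters 5-10 of `ls -l` output are the group/other permission bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || echo "PERMS: group/other can access $f ($perms)"
    awk '
        /^[A-Za-z_]+:/ { section = $1; sub(/:.*/, "", section); next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            key = line; sub(/:.*/, "", key)
            val = line; sub(/^[^:]*:[ \t]*/, "", val); gsub(/"/, "", val)
            if (key == "password" && val == "password")
                print "DEFAULT-PASSWORD: " section ".password"
            else if (key == "password" && val != "")
                print "PLAINTEXT-SECRET: " section ".password"
            if ((key == "url" || key == "protocol") && (val ~ /^http:/ || val == "http"))
                print "CLEARTEXT-HTTP: " section "." key
        }
    ' "$f"
}

# Constructed sample in the layout of the custom settings file shown above.
write_sample() {
    cat > "$1" <<'EOF'
ports:
  http: 7000
api_gateway:
  url: http://apigateway-host:5555
  user: Administrator
  password: password
es_destination:
  protocol: "http"
  hostName: "es.example.internal"
  userName: ""
  password: ""
admin_api:
  user: mgadmin
  password: "constructed-secret-value"
EOF
    chmod 644 "$1"
}

tmp=$(mktemp) && write_sample "$tmp" && audit_settings "$tmp"
rm -f "$tmp"
```

Empty password values, such as the es_destination sample above, produce no finding; only the section and key are printed, never the secret itself.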
Security Settings
The security settings can be pulled from API Gateway directly or can be configured in the custom settings YAML file. The security settings pulled directly from API Gateway take precedence over the security settings configured in the custom settings YAML file.
A sample configuration file with the aliases looks as follows:
---
security_settings:
  providers:
  - !<clientMetadataMapping>
    id: "PingFederate"
    name: "PingFederate"
    type: "clientMetadataMapping"
    owner: "Administrator"
    providerName: "PingFederate"
    implNames:
      grant_types: "grantTypes"
      logo_uri: "logoUrl"
      scope: "restrictedScopes"
      client_secret: "secret"
      redirect_uris: "redirectUris"
      client_name: "name"
      client_id: "clientId"
    extendedValues: {}
    extendedValuesV2:
    - endpointType: "CLIENT_REGISTRATION"
      key: "restrictScopes"
      value: "true"
    - endpointType: "CLIENT_UPDATE"
      key: "restrictScopes"
      value: "true"
  - !<clientMetadataMapping>
    id: "OKTA"
    name: "OKTA"
    type: "clientMetadataMapping"
    owner: "Administrator"
    providerName: "OKTA"
    implNames: {}
    extendedValues: {}
    extendedValuesV2: []
  auth_servers:
  - !<authServerAlias>
    id: "local"
    name: "local"
    description: "Gateway default authorization server"
    type: "authServerAlias"
    owner: "Administrator"
    localIntrospectionConfig:
      issuer: "JWTISSUER"
    remoteIntrospectionConfig:
      introspectionEndpoint: "http://localhost:5555/invoke/pub.oauth/instrospectToken"
      clientId: "introspection-client"
      clientSecret: "********************************"
      user: "Administrator"
    tokenGeneratorConfig:
      audience: "SAG"
      expiry: 30
      algorithm: "RS256"
      accessTokenExpInterval: 3600
      authCodeExpInterval: 3600
    sslConfig:
      keyStoreAlias: "DEFAULT_IS_KEYSTORE"
      keyAlias: "ssos"
    metadata: {}
    authServerScopes:
    - "Test_LocalOauth"
    - "Dev_LocalOauth"
    supportedGrantTypes:
    - "authorization_code"
    - "password"
    - "client_credentials"
    - "refresh_token"
    - "implicit"
    oauthTokens: []
---