WSO2 API Manager - Switching to WSClient for key validation - Why/What/How?
WSO2 API Manager has 3 main components. API Publisher/Subscriber UI apps, API gateway and API key manager.
API Component Overview - What is key manager?
Publisher/Subscriber UI - Used for publishing and consuming APIs. These 2 are portal type webapps that give full control over creation/subscription through a nice UI. Bonus point - There’s a REST API too for completely automating everything. See Publisher API and Store API.
API Gateway - Expose a given API definition through the gateway. For API consumers, they see the API Gateway endpoint for all APIs from UI. Runtime API calls hit gateway directly.
API Key Manager - Handle OAuth key validation
For all API calls at runtime, API gateway calls key manager to do OAuth key validation. For performance you can enable caching at the gateway level as well as the key manager level. Caching at the gateway prevents HTTPS calls to key manager until cache expiry for a cache token. Caching at key manager prevent DB calls for cached tokens.
Why change to WSClient?
Since API gateway and key manager are 2 separate components (truly distributed) they talk to each other via API calls. Out of the box this API call happens via Thrift. When API Manager starts up you’ll see there’s a Thrift server that listens to requests. See below,
[2016-02-168 12:15:52,219] INFO - APIKeyMgtServiceComponent Setting default carbon host for thrift key management service: 192.168.50.1 [2016-02-16 12:15:52,289] INFO - APIKeyMgtServiceComponent Started thrift key mgt service at port:10397
This is fine when the server is running on a single machine. Also translate to you’re testing/playing around. On a production environment with high availability, it’s recommended to switch to WSClient for key validation. In an HA setup you’ll have at least 2 nodes for each component. Why do you want to switch?
Load balancing is difficult to do with Thrift. Need to TCP passthrough to begin with
WSClient (through web service calls) performance is in par with Thrift API calls
How to change?
In <API Manager>/repository/conf/api-manager.xml look for <APIKeyValidator>. Find following two entries. Here are the default values for those,
<KeyValidatorClientType>ThriftClient</KeyValidatorClientType> <EnableThriftServer>true</EnableThriftServer>
Change the above values to WSClient and false. Entries should look like following after the change
<KeyValidatorClientType>WSClient</KeyValidatorClientType> <EnableThriftServer>false</EnableThriftServer>
In api-manager.xml, under <APIKeyValidator> element, change ServerURL to point to key manager URL. Usually this URL point to the load balancer that’s responsible for distributing load among key manager nodes













