api-manager | Help front-end and back-end devolopers | REST library

1.The subscription key based approach is below.

You can define a subscription key on each of the environmen. In the below example i am creating a subscrption named dev on dev environment and prod on prod environment. You can check this link to understand how to create a subscription key. Once you creaete subscription keys on all three environment. You can add the following policy to your inbound policies.

Make sure to update the pom file for your project you implemented with okta-jwt-verifier and okta-jwt-verifier-impl dependency. You should add dependencies in pom.xml like below. Check only versions of using jars.

The following answer applies if you are running the API Manager and Identity Server with separated User Stores configured. Apply the following configurations on top of the instructions mentioned in the Docs and try out the scenario.

1. Add two roles in the Identity Server named publisher and creator without any permissions and assign both to the User that you are using to log in. You can skip this part if you already have roles assigned to the User in the Identity Server to do a Role Mapping in the API Manager server.

2. Open the Service Provider you have created in the Identity Server and go to Inbound Authentication Configuration > SAML2 Web SSO Configuration and click on Edit. Tick the Enable Attribute Profile and Include Attributes in the Response Always and Update

3. Expand the Claim Configuration of the Service Provider that is created in the Identity Server and select the Use Local Claim Dialect option. Then, click on Add Claim URI and in the appeared drop-down select http://wso2.org/claims/role and tick the Mandatory Claim. Once done, update the configurations.

4. Open the Identity Provider that is created under the API Manager server and expand the Role Configuration section.

   • Click on Add Role Mapping and enter the following
     • Identity Provider Role: publisher (use the correct role name that you have assigned in the Identity Server)
     • Local Role: Internal/publisher
   • Click on Add Role Mapping and enter the following
     • Identity Provider Role: creator (use the correct role name that you have assigned in the Identity Server)
     • Local Role: Internal/creator

   Update the configurations.

Once the configurations are saved, now try logging into the Publisher Portal of the API Manager with the specific user.

You can enable the HTTP Access Logs if you are in need to log the incoming API requests in your environment. However, as mentioned in the Docs this will affect the server's performance a little.

If you are looking to log any specific information about the incoming API requests, you can develop a Synapse mediator or a handler and engage with the APIs that you would like to log. You can also, use the same implementation to enable it globally to log the required information for all the API requests which API Manager receives. You can refer to the following sample Log Handler for reference: Custom API Log Handler.

Following are the documentations to write custom mediators and handlers

• Writing Custom Handlers
• Class Mediator

WSO2 API Manager uses the Feign OKHTTP Client to communicate with Keycloak servers. The OKHTTP client requires the public cert with SAN entries as the same as CN.

The default public cert of the Keycloak doesn't contain any SAN values. Therefore, when trying to communicate with the Keycloak, the Feign client starts to throw SSL exceptions. To overcome this, you can follow this documentation, creating a new Keystore for the Keycloak and import that cert into the client-truststore.jks of the API Manager. The mentioned keytool commands generate the Keystore and certs with SAN entries.

Given is the same Keytool command from the API Manager Docs.

As per the shared TOML configurations, a separate UM DB has been configured in both WSO2 IS-KM and API Manager servers. However, only the IS-KM is configured to use the WSO2USER_DB with the following configurations

I got the source of the 16e from https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Transfer-Encoding#directives

chunked

Data is sent in a series of chunks. The Content-Length header is omitted in this case and at the beginning of each chunk you need to add the length of the current chunk in hexadecimal format, followed by '\r\n' and then the chunk itself, followed by another '\r\n'. The terminating chunk is a regular chunk, with the exception that its length is zero. It is followed by the trailer, which consists of a (possibly empty) sequence of entity header fields.

The problem turned out to be the content-type. I was sending the value "application/soap+xml" and changed that to "text/xml" by adding the line below in the xml config file for the api found in /repository/deployment/server/synapse-configs/default/api/

I guess you haven't disabled hostname verification in Synapse level. This can be done using the following config in the deployment.toml

As @RrR said I needed to put the throttling configuration in deployment.toml: