Configuring API Manager
WSO2 Open Banking Accelerator uses TOML-based configuration. All server-level configurations of the API Manager instance are applied through a single configuration file, the deployment.toml file.
Configuring deployment.toml
Follow the steps below to configure the deployment.toml file and set up the default open banking flow for WSO2 API Manager.
Tip
If you want to customize and learn more about TOML configurations, see API Manager Configuration Catalog for open banking.
1. Replace the `deployment.toml` file as explained in the Setting up the servers section.
2. Open the `<APIM_HOME>/repository/conf/deployment.toml` file.
3. Set the hostname of the API Manager:

    ```toml
    [server]
    hostname = "<APIM_HOST>"
    ```

4. Configure the super admin credentials:

    ```toml
    [super_admin]
    username = "<APIM_SUPER_ADMIN_USERNAME>"
    password = "<APIM_SUPER_ADMIN_PASSWORD>"
    create_admin_account = true
    ```

5. Add the following configurations to enable email as the username:

    ```toml
    [tenant_mgt]
    enable_email_domain = true

    [realm_manager]
    data_source = "WSO2UM_DB"

    [user_store]
    type = "database_unique_id"
    class = "org.wso2.carbon.user.core.jdbc.UniqueIDJDBCUserStoreManager"
    ```

6. Update the datasource configurations with your database properties, such as the username, password, JDBC URL of the database server, and the JDBC driver. Given below are sample configurations for a MySQL database. For other DBMS types and more information, see Setting up databases.

    ```toml
    [database.shared_db]
    url = "jdbc:mysql://localhost:3306/am_configdb?autoReconnect=true&useSSL=false"
    username = "root"
    password = "root"
    driver = "com.mysql.jdbc.Driver"

    [database.apim_db]
    url = "jdbc:mysql://localhost:3306/apimgtdb?autoReconnect=true&useSSL=false"
    username = "root"
    password = "root"
    driver = "com.mysql.jdbc.Driver"

    [database.config]
    url = "jdbc:mysql://localhost:3306/am_configdb?autoReconnect=true&useSSL=false"
    username = "root"
    password = "root"
    driver = "com.mysql.jdbc.Driver"

    [[datasource]]
    id = "WSO2UM_DB"
    url = "jdbc:mysql://localhost:3306/userdb?autoReconnect=true&useSSL=false"
    username = "root"
    password = "root"
    driver = "com.mysql.jdbc.Driver"
    ```

7. Update the following configurations with the hostname and super admin credentials of the Identity Server:

    ```toml
    [apim.key_manager]
    service_url = "https://<IS_HOSTNAME>:9446/services/"
    username = "<IS_SUPER_ADMIN_USERNAME>"
    password = "<IS_SUPER_ADMIN_PASSWORD>"
    ```

8. Disable subscription validation as follows:

    ```toml
    [apim.key_manager]
    allow_subscription_validation_disabling = true
    ```

9. Configure the following so that the gateway does not drop the Authorization header from outbound requests, and to configure the allowed scopes:

    ```toml
    [apim.oauth_config]
    enable_outbound_auth_header = true
    white_listed_scopes = ["^device_.*", "openid", "^FS_.*", "^TIME_.*"]
    ```

10. Configure the admin username for the following features:

    ```toml
    [apim.throttling]
    username = "$ref{super_admin.username}@carbon.super"

    [apim.throttling.policy_deploy]
    username = "$ref{super_admin.username}@carbon.super"

    [apim.throttling.jms]
    password = "$ref{super_admin.password}"
    username = "am_admin!wso2.com!carbon.super"
    ```

11. Add the following configurations to support the JWT content type:

    ```toml
    [[blocking.custom_message_formatters]]
    class = "org.apache.axis2.format.PlainTextFormatter"
    content_type = "application/jwt"

    [[blocking.custom_message_builders]]
    class = "org.apache.axis2.format.PlainTextBuilder"
    content_type = "application/jwt"

    [[custom_message_formatters]]
    class = "org.apache.axis2.format.PlainTextFormatter"
    content_type = "application/jwt"

    [[custom_message_builders]]
    class = "org.apache.axis2.format.PlainTextBuilder"
    content_type = "application/jwt"
    ```

12. Add the following transport layer configurations:

    ```toml
    [transport.passthru_https.sender.parameters]
    HostnameVerifier = "AllowAll"

    [passthru_http]
    "http.headers.preserve" = "Content-Type,Date"

    [transport.passthru_https.listener.parameters]
    HttpsProtocols = "TLSv1.2"
    PreferredCiphers = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    ```

13. Enable certificate chain validation as follows:

    ```toml
    [apimgt.mutual_ssl]
    enable_certificate_chain_validation = true
    ```

14. Enable certificate revocation validation as follows:

    ```toml
    [transport.passthru_https.listener.cert_revocation_validation]
    enable = true
    allow_cert_expiry_validation = true
    allow_full_cert_chain_validation = false
    cache_delay = 1000
    cache_size = 1024
    ```

15. Add the following configurations to enable the external service extension:

    ```toml
    [financial_services.extensions.endpoint]
    enabled = true
    allowed_extensions = ["pre-process-application-creation", "pre-process-application-update"]
    base_url = "<EXTERNAL_SERVICE_URL>"
    retry_count = 5
    connect_timeout = 5000
    read_timeout = 5000

    [financial_services.extensions.endpoint.security]
    # supported types : Basic-Auth or OAuth2
    type = "Basic-Auth"
    username = "<EXTERNAL_SERVICE_USERNAME>"
    password = "<EXTERNAL_SERVICE_PASSWORD>"
    ```
Starting servers
1. Go to the `<APIM_HOME>/bin` directory using a terminal.
2. Run the `api-manager.sh` script as follows:

    ```sh
    ./api-manager.sh
    ```