Configuration Catalog for API Manager
The configuration model of WSO2 API Manager is based on the toml
format. The <APIM_HOME>/repository/conf/deployment.toml
file is the single source used to configure and tune various features.
This document describes all the configuration parameters that are used in API Manager for WSO2 Open Banking.
Instructions for use
Select the configuration sections, parameters, and values that are required for your use and add them to the .toml file.
Server
[server]
hostname = "localhost"
node_ip = "127.0.0.1"
#offset=0
mode = "single" #single or ha
base_path = "${carbon.protocol}://${carbon.host}:${carbon.management.port}"
#discard_empty_caches = false
server_role = "default"
[server]
Required
This includes configurations required for deploying an API Manager server node.
hostname
string Required
"localhost"
"localhost","127.0.0.1","<any-ip-address>","<any-hostname>"
The hostname of the machine hosting the API Manager instance.
node_ip
string Required
127.0.0.1
The IP address of the machine hosting the API Manager instance.
offset
integer
0
Port offset allows you to run multiple WSO2 products, multiple instances of a WSO2 product, or multiple WSO2 product clusters on the same server or virtual machine (VM). Port offset defines the number by which all ports defined in the runtime such as the HTTP/S ports will be offset. For example, if the default HTTP port is 9443 and the port offset is 1, the effective HTTP port will be 9444. Therefore, for each additional WSO2 product instance, set the port offset to a unique value so that they can all run on the same server without any port conflicts.
mode
string Required
single
single,ha
Defines the type of deployment, whether it is a single node deployment or a High Availability (HA) cluster.
base_path
string Required
${carbon.protocol}://${carbon.host}:${carbon.management.port}
Defines the base path URL to access the server.
discard_empty_caches
boolean
FALSE
true,false
Set this property to true, in order to discard empty caches.
server_role
string Required
default
"default","api-devportal","api-key-manager","api-publisher","gateway-worker","traffic-manager"
The profile name of the API Manager instance.
Super admin
[super_admin]
username = "[email protected]"
password = "wso2123"
create_admin_account = true
[super_admin]
Required
This includes the configurations related to the super admin user.
username
string Required
[email protected]
The username of the super admin user.
password
string Required
wso2123
The password of the super admin user.
create_admin_account
boolean Required
TRUE
true,false
Set this to true, to create a new user with the super admin details given.
User management database
[realm_manager]
data_source= "WSO2UM_DB"
[realm_manager]
Required
This includes the datasource configurations for the user management database.
data_source
string Required
WSO2UM_DB
The datasource used by the user manager.
User store
[user_store]
type = "database_unique_id"
class = "org.wso2.carbon.user.core.jdbc.UniqueIDJDBCUserStoreManager"
[user_store]
Required
This includes the configurations related to the user store.
type
string Required
database_unique_id
Configure the type of the user store.
class
string Required
org.wso2.carbon.user.core.jdbc.UniqueIDJDBCUserStoreManager
Configure the user store manager class. The default primary user store configuration is for JDBC user stores.
User store properties
[user_store.properties]
UsernameJavaRegEx = "a-zA-Z0-9@._-{3,30}$"
UsernameJavaScriptRegEx = "^[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,4}$"
SCIMEnabled = false
IsBulkImportSupported = false
LeadingOrTrailingSpaceAllowedInUserName = false
UsernameWithEmailJavaScriptRegEx = "^[\\S]{3,30}$"
[user_store.properties]
Required
UsernameJavaRegEx
string Required
a-zA-Z0-9@._-{3,30}$
A regular expression to validate usernames. By default, strings have a length of 5 to 30. Only non-empty characters are allowed. You can provide ranges of alphabets, numbers and also ranges of ASCII values in the RegEx properties.
UsernameJavaScriptRegEx
string Required
^[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$
The regular expression used by the front-end components for username validation.
SCIMEnabled
boolean Required
FALSE
true,false
This is to configure whether the user store is supported for SCIM provisioning.
IsBulkImportSupported
boolean Required
FALSE
true,false
This is to configure whether the user store is supported for bulk imports.
LeadingOrTrailingSpaceAllowedInUserName
boolean Required
FALSE
true,false
This is to configure whether the username can contain leading or trailing spaces.
UsernameWithEmailJavaScriptRegEx
string Required
^[\S]{3,30}$
A regular expression to validate usernames that contain an email address. By default, strings have a length of 3 to 30. Only non-empty characters are allowed. You can provide ranges of alphabets, numbers and also ranges of ASCII values in the RegEx properties.
Authorization manager
[authorization_manager]
class = "org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager"
[authorization_manager]
Required
This includes the configurations related to the authorization manager.
class
string Required
org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager
The Authorization Manager for your server.
Authorization manager properties
[authorization_manager.properties]
AdminRoleManagementPermissions = "/permission"
AuthorizationCacheEnabled = true
GetAllRolesOfUserEnabled = false
[authorization_manager.properties]
Required
AdminRoleManagementPermissions
string Required
/permission
Sets the registry path where the authorization information (role-based permissions) is stored.
AuthorizationCacheEnabled
boolean Required
TRUE
true,false
To enable authorization cache.
GetAllRolesOfUserEnabled
boolean Required
FALSE
true,false
Enable this if there are any performance issues in the production environment. Enabling this property affects the performance when the user logs in. This depends on the users, roles and permission stats.
Shared database configurations
[database.shared_db]
url = "jdbc:mysql://localhost:3306/openbank_govdb?autoReconnect=true&useSSL=false"
username = "root"
password = "root"
driver = "com.mysql.jdbc.Driver"
[database.shared_db]
Required
Configurations related to the databases shared between nodes.
url
string Required
jdbc:mysql://localhost:3306/openbank_govdb?autoReconnect=true&useSSL=false
The database connection URL that your DBMS JDBC driver uses to connect to the openbank_govdb database.
username
string Required
root
The username used for the database connection
password
string Required
root
The password used for the database connection
driver
string Required
com.mysql.jdbc.Driver
com.mysql.jdbc.Driver, com.microsoft.sqlserver.jdbc.SQLServerDriver, oracle.jdbc.driver.OracleDriver, org.postgresql.Driver
The name of the JDBC driver.
Shared database connection pool configurations
[database.shared_db.pool_options]
maxActive = "150"
maxWait = "60000"
minIdle ="5"
testOnBorrow = true
validationQuery="SELECT 1"
#Use below for oracle
#validationQuery="SELECT 1 FROM DUAL"
validationInterval="30000"
defaultAutoCommit=false
[database.shared_db.pool_options]
Required
maxActive
string Required
150
Tuning parameters. Change according to the preferred database.
maxWait
string Required
60000
Tuning parameters. Change according to the preferred database.
minIdle
string Required
5
Tuning parameters. Change according to the preferred database.
testOnBorrow
boolean Required
TRUE
true,false
Tuning parameters. Change according to the preferred database.
validationQuery
string Required
SELECT 1
SELECT 1,SELECT 1 FROM DUAL
Tuning parameters. Change according to the preferred database. For Oracle DBMS, use "SELECT 1 FROM DUAL".
validationInterval
string Required
30000
Tuning parameters. Change according to the preferred database.
defaultAutoCommit
boolean Required
FALSE
true,false
Tuning parameters. Change according to the preferred database.
API Manager database configurations
[database.apim_db]
url = "jdbc:mysql://localhost:3306/openbank_apimgtdb?autoReconnect=true&useSSL=false"
username = "root"
password = "root"
driver = "com.mysql.jdbc.Driver"
[database.apim_db]
Required
Database configurations related to API Manager.
url
string Required
jdbc:mysql://localhost:3306/openbank_apimgtdb?autoReconnect=true&useSSL=false
The database connection URL that your DBMS JDBC driver uses to connect to the openbank_apimgtdb database.
username
string Required
root
The username used for the database connection
password
string Required
root
The password used for the database connection
driver
string Required
com.mysql.jdbc.Driver
com.mysql.jdbc.Driver, com.microsoft.sqlserver.jdbc.SQLServerDriver, oracle.jdbc.driver.OracleDriver, org.postgresql.Driver
The name of the JDBC driver.
API Manager database connection pool configurations
[database.apim_db.pool_options]
maxActive = "150"
maxWait = "60000"
minIdle ="5"
testOnBorrow = true
validationQuery="SELECT 1"
#Use below for oracle
#validationQuery="SELECT 1 FROM DUAL"
validationInterval="30000"
defaultAutoCommit=false
[database.apim_db.pool_options]
Required
maxActive
string Required
150
Tuning parameters. Change according to the preferred database.
maxWait
string Required
60000
Tuning parameters. Change according to the preferred database.
minIdle
string Required
5
Tuning parameters. Change according to the preferred database.
testOnBorrow
boolean Required
TRUE
true,false
Tuning parameters. Change according to the preferred database.
validationQuery
string Required
SELECT 1
SELECT 1,SELECT 1 FROM DUAL
Tuning parameters. Change according to the preferred database. For Oracle DBMS, use "SELECT 1 FROM DUAL".
validationInterval
string Required
30000
Tuning parameters. Change according to the preferred database.
defaultAutoCommit
boolean Required
FALSE
true,false
Tuning parameters. Change according to the preferred database.
API Manager config registry database
[database.config]
url = "jdbc:mysql://localhost:3306/openbank_am_configdb?autoReconnect=true&useSSL=false"
username = "root"
password = "root"
driver = "com.mysql.jdbc.Driver"
[database.config]
Required
Configurations related to the API Manager config registry database.
url
string Required
jdbc:mysql://localhost:3306/openbank_am_configdb?autoReconnect=true&useSSL=false
The database connection URL that your DBMS JDBC driver uses to connect to the openbank_am_configdb database.
username
string Required
root
The username used for the database connection
password
string Required
root
The password used for the database connection
driver
string Required
com.mysql.jdbc.Driver
com.mysql.jdbc.Driver, com.microsoft.sqlserver.jdbc.SQLServerDriver, oracle.jdbc.driver.OracleDriver, org.postgresql.Driver
The name of the JDBC driver.
Config registry database connection pool configurations
[database.config.pool_options]
maxActive = "150"
maxWait = "60000"
minIdle ="5"
testOnBorrow = true
validationQuery="SELECT 1"
#Use below for oracle
#validationQuery="SELECT 1 FROM DUAL"
validationInterval="30000"
defaultAutoCommit=false
[database.config.pool_options]
Required
maxActive
string Required
150
Tuning parameters. Change according to the preferred database.
maxWait
string Required
60000
Tuning parameters. Change according to the preferred database.
minIdle
string Required
5
Tuning parameters. Change according to the preferred database.
testOnBorrow
boolean Required
TRUE
true,false
Tuning parameters. Change according to the preferred database.
validationQuery
string Required
SELECT 1
SELECT 1,SELECT 1 FROM DUAL
Tuning parameters. Change according to the preferred database. For Oracle DBMS, use "SELECT 1 FROM DUAL".
validationInterval
string Required
30000
Tuning parameters. Change according to the preferred database.
defaultAutoCommit
boolean Required
FALSE
true,false
Tuning parameters. Change according to the preferred database.
User Manager datasource
[[datasource]]
id="WSO2UM_DB"
url = "jdbc:mysql://localhost:3306/openbank_userdb?autoReconnect=true&useSSL=false"
username = "root"
password = "root"
driver = "com.mysql.jdbc.Driver"
jmx_enable=false
pool_options.maxActive = "150"
pool_options.maxWait = "60000"
pool_options.minIdle = "5"
pool_options.testOnBorrow = true
pool_options.validationQuery="SELECT 1"
#Use below for oracle
#validationQuery="SELECT 1 FROM DUAL"
pool_options.validationInterval="30000"
pool_options.defaultAutoCommit=false
[datasource]
Required
Configurations related to the user manager datasource.
id
string Required
WSO2UM_DB
The datasource used by user manager.
url
string Required
jdbc:mysql://localhost:3306/openbank_userdb?autoReconnect=true&useSSL=false
The database connection URL that your DBMS JDBC driver uses to connect to the openbank_userdb database.
username
string Required
root
The username used for the database connection
password
string Required
root
The password used for the database connection
driver
string Required
com.mysql.jdbc.Driver
com.mysql.jdbc.Driver, com.microsoft.sqlserver.jdbc.SQLServerDriver, oracle.jdbc.driver.OracleDriver, org.postgresql.Driver
The name of the JDBC driver.
jmx_enable
boolean Required
FALSE
true,false
Use this parameter to enable JMX for the database connection.
pool_options.maxActive
string Required
150
Tuning parameters. Change according to the preferred database.
pool_options.maxWait
string Required
60000
Tuning parameters. Change according to the preferred database.
pool_options.minIdle
string Required
5
Tuning parameters. Change according to the preferred database.
pool_options.testOnBorrow
boolean Required
TRUE
true,false
Tuning parameters. Change according to the preferred database.
pool_options.validationQuery
string Required
SELECT 1
SELECT 1,SELECT 1 FROM DUAL
Tuning parameters. Change according to the preferred database. For Oracle DBMS, use "SELECT 1 FROM DUAL".
pool_options.validationInterval
string Required
30000
Tuning parameters. Change according to the preferred database.
pool_options.defaultAutoCommit
boolean Required
FALSE
true,false
Tuning parameters. Change according to the preferred database.
Tenant management
[tenant_mgt]
enable_email_domain = true
[tenant_mgt]
Required
Configurations related to tenant users.
enable_email_domain
boolean Required
TRUE
true,false
Enable email login for tenant users.
Keystore TLS
[keystore.tls]
file_name = "wso2carbon.jks"
type = "JKS"
password = "wso2carbon"
alias = "wso2carbon"
key_password = "wso2carbon"
[keystore.tls]
Required
Configurations related to the keystore that contains the TLS certificate.
file_name
string Required
wso2carbon.jks
The filename of the Transport Layer Security (TLS) keystore.
type
string Required
JKS
TRUE
The type of the keystore file.
password
string Required
wso2carbon
The password of the keystore file.
alias
string Required
wso2carbon
The alias of the keystore file.
key_password
string Required
wso2carbon
The password of the private key.
Primary keystore
#[keystore.primary]
#file_name = "wso2carbon.jks"
#type = "JKS"
#password = "wso2carbon"
#alias = "wso2carbon"
#key_password = "wso2carbon"
[keystore.primary]
Configurations related to the primary keystore. Primary Keystore is used for signing and encrypting data that is externally exposed.
file_name
string
wso2carbon.jks
The filename of the primary keystore.
type
string
JKS
The type of the primary keystore file.
password
string
wso2carbon
The password of the keystore file.
alias
string
wso2carbon
The alias of the primary keystore file.
key_password
string
wso2carbon
The password of the private key.
Internal keystore
#[keystore.internal]
#file_name = "wso2carbon.jks"
#type = "JKS"
#password = "wso2carbon"
#alias = "wso2carbon"
#key_password = "wso2carbon"
[keystore.internal]
Configurations related to the internal keystore. The Internal Keystore is used for encrypting internal critical data including passwords and other confidential information in configuration files.
file_name
string
wso2carbon.jks
The filename of the primary keystore.
type
string
JKS
The type of the primary keystore file.
password
string
wso2carbon
The password of the keystore file.
alias
string
wso2carbon
The alias of the primary keystore file.
key_password
string
wso2carbon
The password of the private key.
API Manager Gateway environment configurations
[[apim.gateway.environment]]
name = "Default"
type = "hybrid"
display_in_api_console = true
description = "This is a hybrid gateway that handles both production and sandbox token traffic."
show_as_token_endpoint_url = true
service_url = "https://localhost:${mgt.transport.https.port}/services/"
username= "${admin.username}"
password= "${admin.password}"
ws_endpoint = "ws://localhost:9099"
wss_endpoint = "wss://localhost:8099"
http_endpoint = "http://localhost:${http.nio.port}"
https_endpoint = "https://localhost:${https.nio.port}"
websub_event_receiver_http_endpoint = "http://localhost:9021"
websub_event_receiver_https_endpoint = "https://localhost:8021"
[apim.gateway.environment]
Required
Configuring the gateways used by API Manager.
name
string Required
Production and Sandbox
The name of the gateways used by the API Manager. Use any preferred value.
type
string Required
hybrid
Type of the gateway.
display_in_api_console
boolean Required
TRUE
true,false
Displays the environment under 'Try it' in the API Developer Portal, in the API console.
description
string Required
This is a hybrid gateway that handles both production and sandbox token traffic.
Describe the function of the gateway.
show_as_token_endpoint_url
string Required
TRUE
true,false
This is used to construct the sample cURL request in the API Developer Portal.
service_url
string Required
https://localhost:${mgt.transport.https.port}/services/
APIs will be published using this URL
username
string Required
${admin.username}
The credentials used to publish APIs.
password
string Required
${admin.password}
The credentials used to publish APIs.
ws_endpoint
string Required
ws://localhost:9099
The WebSocket (WS) endpoint.
wss_endpoint
string Required
wss://localhost:8099
The WebSocket Secure (WSS) endpoint.
http_endpoint
string Required
http://localhost:${http.nio.port}
The Hypertext Transfer Protocol (HTTP) endpoint.
https_endpoint
string Required
https://localhost:${https.nio.port}
The Hypertext Transfer Protocol Secure (HTTPS) endpoint.
Configure the Gateway environment
[apim.sync_runtime_artifacts.gateway]
skip_list.sequences = ["jsonConverter.xml"]
gateway_labels =["Default"]
[apim.sync_runtime_artifacts.gateway]
Required
skip_list.sequences
string Required
["jsonConverter.xml"]
The list of artifacts to skip during runtime.
gateway_labels
string Required
["Default"]
Gateway token cache
#[apim.cache.gateway_token]
#enable = true
#expiry_time = "900s"
[apim.cache.gateway_token]
Configurations related to Gateway token cache.
enable
boolean
TRUE
true,false
Enable the gateway token cache. WSO2 recommends enabling this feature by default. The token validation request checks with the cached value.
expiry_time
string
900s
Set the cache expiry time in seconds. The recommended value is 900 seconds.
Gateway cache resource
#[apim.cache.resource]
#enable = true
#expiry_time = "900s"
[apim.cache.resource]
enable
boolean
TRUE
true,false
Enable the gateway resource cache.
expiry_time
string
900s
Set the cache expiry time in seconds. The recommended value is 900 seconds.
Key Manager token cache
#[apim.cache.km_token]
#enable = false
#expiry_time = "15m"
[apim.cache.km_token]
enable
boolean
TRUE
true,false
Enable the Key Manager token cache. The token validation request checks with the value cached at the Key Manager. At any given time you should only have one cache enabled, which is either the Key Manager cache or the API Gateway cache. WSO2 does not recommend using both caches at the same time.
expiry_time
string
15m
Set the cache expiry time in minutes.
Cache recent APIs
#[apim.cache.recent_apis]
#enable = false
[apim.cache.recent_apis]
enable
boolean
FALSE
true,false
Enable cache for recently added APIs in the API Developer Portal. This expires in 15 minutes by default.
Cache scopes
#[apim.cache.scopes]
#enable = true
[apim.cache.scopes]
enable
boolean
TRUE
true,false
Enable cache for scopes. This expires in 15 minutes by default.
Cache publisher roles
#[apim.cache.publisher_roles]
#enable = true
[apim.cache.publisher_roles]
enable
boolean
TRUE
true,false
Enable cache for publisher roles. This expires in 15 minutes by default.
Cache JWT claims
#[apim.cache.jwt_claim]
#enable = true
#expiry_time = "15m"
[apim.cache.jwt_claim]
enable
boolean
TRUE
true,false
Enable JWT claim cache. The user's claims used to create the JWT are cached.
expiry_time
string
15m
Set the cache expiry time. Would be the same as the JWT expiry time.
Cache tags
#[apim.cache.tags]
#expiry_time = "2m"
[apim.cache.tags]
expiry_time
string
2m
Set when the tag cache expires. This option is disabled when not defined.
API Manager Analytics configurations
[apim.analytics]
enable = true
config_endpoint = "https://analytics-event-auth.st.choreo.dev/auth/v1"
auth_token = ""
properties.'publisher.reporter.class' = "com.wso2.openbanking.accelerator.gateway.reporter.OBAnalyticsMetricReporter"
[apim.analytics]
Required
enable
boolean Required
TRUE
true,false
Use this to enable data publishing in the API Manager.
config_endpoint
string Required
https://analytics-event-auth.st.choreo.dev/auth/v1
auth_token
string Required
properties.'publisher.reporter.class'
string Required
com.wso2.openbanking.accelerator.gateway.reporter.OBAnalyticsMetricReporter
A mandatory config for OB analytics. Defines the metric reporter implementation of WSO2 Open Banking.
API Manager - Key Manager configurations
[apim.key_manager]
service_url = "https://localhost:9446${carbon.context}services/"
type = "WSO2-IS"
key_manager_client_impl = "org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl"
#username = "$ref{super_admin.username}"
#password = "$ref{super_admin.password}"
#pool.init_idle_capacity = 50
#pool.max_idle = 100
#key_validation_handler_type = "default"
#key_validation_handler_type = "custom"
#key_validation_handler_impl = "org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler"
[apim.key_manager]
Required
service_url
string Required
https://localhost:9446${carbon.context}services/
The URL that offers services of the Key Manager.
type
string Required
WSO2-IS
key_manager_client_impl
string Required
org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl
username
string
$ref{super_admin.username}
Credentials of the super admin user in the Key Manager node.
password
string
$ref{super_admin.password}
Credentials of the super admin user in the Key Manager node.
pool.init_idle_capacity
string
50
The minimum number of clients created, to connect to the key manager.
pool.max_idle
string
100
The maximum number of clients created, to connect to the key manager.
key_validation_handler_type
string
default
default, custom
If the type is set to `custom`, then provide the `key_validation_handler_impl` value.
key_validation_handler_impl
string
org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler
Provide a custom key validation handler implementation. To do this, set `key_validation_handler_type` to `custom`.
API Manager - Key Manager URLs
[apim.key_manager.configuration]
ServerURL = "https://localhost:9446${carbon.context}services/"
Username = "${admin.username}"
Password = "${admin.password}"
TokenURL = "https://localhost:${https.nio.port}/token"
RevokeURL = "https://localhost:${https.nio.port}/revoke"
[apim.key_manager.configuration]
Required
Configure URLs related to the Key Manager server.
ServerURL
string Required
https://localhost:9446${carbon.context}services/
Username
string Required
${admin.username}
Password
string Required
${admin.password}
TokenURL
string Required
https://localhost:${https.nio.port}/token
RevokeURL
string Required
https://localhost:${https.nio.port}/revoke
OAuth configurations
[apim.oauth_config]
enable_outbound_auth_header = true
white_listed_scopes = ["^device_.*", "openid", "^OB_.*", "^TIME_.*"]
#auth_header = "Authorization"
#revoke_endpoint = "https://localhost:${https.nio.port}/revoke"
#enable_token_encryption = false
#enable_token_hashing = false
[apim.oauth_config]
Required
Contains OAuth-related configurations.
enable_outbound_auth_header
boolean Required
TRUE
true,false
If `TRUE`, sends the Auth header to the backend as received from the client.
white_listed_scopes
string Required
["^device_.*", "openid", "^OB_.*", "^TIME_.*"]
To skip role validation for a scope in an API's request, add the scope to the white list.
auth_header
string
Authorization
A valid authorization header for OAuth configurations.
revoke_endpoint
string
https://localhost:${https.nio.port}/revoke
The token revocation endpoint used in the API Developer Portal
enable_token_encryption
string
FALSE
If set to TRUE, the token stored in the database will be encrypted/decrypted when reading and storing. For more information, see Extension Points for OAuth.
enable_token_hashing
string
FALSE
Set to TRUE to enable hashing. For more information, see Setting Up OAuth Token Hashing.
Developer Portal configurations
[apim.devportal]
#url = "https://localhost:${mgt.transport.https.port}/devportal"
#enable_application_sharing = false
#if application_sharing_type, application_sharing_impl both defined priority goes to application_sharing_impl
#application_sharing_type = "default" #changed type, saml, default #todo: check the new config for rest api
#application_sharing_impl = "org.wso2.carbon.apimgt.impl.SAMLGroupIDExtractorImpl"
display_multiple_versions = true
#display_deprecated_apis = false
enable_comments = false
enable_ratings = false
enable_forum = false
#enable_anonymous_mode=true
[apim.devportal]
Required
Configurations related to the API Developer Portal.
url
string
https://localhost:${mgt.transport.https.port}/devportal
true,false
The public API Developer Portal URL
enable_application_sharing
boolean
FALSE
true,false
Enable application sharing according to the claims.
application_sharing_type
string
default
true,false
Use the `application_sharing_impl` as the default implementation.
application_sharing_impl
string
org.wso2.carbon.apimgt.impl.SAMLGroupIDExtractorImpl
true,false
Define this if `application_sharing_type` is custom. If both `application_sharing_type` and `application_sharing_impl` are defined, the value of `application_sharing_impl` takes priority.
display_multiple_versions
boolean Required
TRUE
true,false
If TRUE, displays all API versions under the API listing.
display_deprecated_apis
boolean
FALSE
true,false
If TRUE, displays all the deprecated APIs under the API listing.
enable_comments
boolean Required
FALSE
true,false
To enable adding comments on the API.
enable_ratings
boolean Required
FALSE
true,false
To enable rating the API with a star-based rating.
enable_forum
string
TRUE
enable_anonymous_mode
boolean
TRUE
true,false
If set to `TRUE`, you can access the Developer Portal anonymously.
CORS configurations
[apim.cors]
allow_origins = "*"
allow_methods = ["GET","PUT","POST","DELETE","PATCH","OPTIONS"]
allow_headers = ["authorization","Access-Control-Allow-Origin","Content-Type","SOAPAction","apikey"]
allow_credentials = false
[apim.cors]
Required
Configures CORS headers on the Publisher and the Gateway.
allow_origins
string
*
Denotes the "Access-Control-Allow-Origin" response header. Specify an origin to share the response with.
allow_methods
string
GET,PUT,POST,DELETE,PATCH,OPTIONS
Configures the methods allowed by the access control.
allow_headers
string
authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction
Configures the type of headers allowed by the access control.
allow_credentials
string
FALSE
Setting this to true means that the server allows cookies (or other user credentials) to be included in cross-origin requests. It is false by default. If you set it to true, make sure that the Access-Control-Allow-Origin header does not contain the wildcard (*).
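Two constraints stated in this catalog can be checked mechanically before a deployment.toml ships: allow_credentials must not be true while allow_origins is the wildcard, and only one of the Gateway and Key Manager token caches should be enabled. The Python audit below is an added example, not part of the WSO2 documentation or product; it also flags the sample passwords and useSSL=false JDBC URLs printed on this page, and its rule names, function names, sample files and the defaults it assumes for unset keys are constructed for illustration.

```python
"""Audit a WSO2 API Manager deployment.toml for risky settings (added example)."""
try:
    import tomllib                    # standard library from Python 3.11
except ModuleNotFoundError:           # older interpreters: pip install tomli
    import tomli as tomllib

# Sample secrets printed in this catalog. Seeing one in a deployed file means
# the sample value was never replaced.
CATALOG_SAMPLE_SECRETS = {"wso2123", "root", "wso2carbon"}
SECRET_KEYS = {"password", "key_password"}

# Constructed input: the catalog's sample values left unchanged.
WEAK_SAMPLE = """
[super_admin]
username = "admin"
password = "wso2123"
[database.apim_db]
url = "jdbc:mysql://localhost:3306/openbank_apimgtdb?autoReconnect=true&useSSL=false"
username = "root"
password = "root"
[[datasource]]
id = "WSO2UM_DB"
url = "jdbc:mysql://localhost:3306/openbank_userdb?autoReconnect=true&useSSL=false"
password = "root"
[keystore.tls]
file_name = "wso2carbon.jks"
password = "wso2carbon"
key_password = "wso2carbon"
[apim.cors]
allow_origins = "*"
allow_credentials = true
[apim.cache.km_token]
enable = true
"""

# Constructed input: the same sections with the findings resolved.
HARDENED_SAMPLE = """
[super_admin]
username = "admin"
password = "constructed-Unique-Admin-Secret-1"
[database.apim_db]
url = "jdbc:mysql://db.example.internal:3306/openbank_apimgtdb?useSSL=true"
username = "apim_svc"
password = "constructed-Unique-Db-Secret-2"
[keystore.tls]
file_name = "gateway-tls.jks"
password = "constructed-Keystore-Secret-3"
key_password = "constructed-Key-Secret-4"
[apim.cors]
allow_origins = "https://portal.example.com"
allow_credentials = true
[apim.cache.gateway_token]
enable = false
[apim.cache.km_token]
enable = true
"""


def _walk(node, path=""):
    """Yield (dotted_path, key, value) for every scalar held in a table."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, (dict, list)):
                yield from _walk(value, child)
            else:
                yield child, key, value
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from _walk(item, f"{path}[{index}]")


def _section(cfg, dotted):
    """Return the table at a dotted path, or {} when it is absent."""
    for part in dotted.split("."):
        cfg = cfg.get(part, {}) if isinstance(cfg, dict) else {}
    return cfg if isinstance(cfg, dict) else {}


def _is_true(value):
    """Accept TOML booleans and the quoted "true" form."""
    return str(value).strip().lower() == "true"


def audit(toml_text):
    """Return a list of (rule, location) findings for one deployment.toml."""
    cfg = tomllib.loads(toml_text)
    findings = []
    for path, key, value in _walk(cfg):
        if key.lower() in SECRET_KEYS and value in CATALOG_SAMPLE_SECRETS:
            findings.append(("default-secret", path))
        if key == "url" and "usessl=false" in str(value).lower():
            findings.append(("jdbc-tls-disabled", path))

    # Unset keys fall back to the defaults this catalog lists ("*" and false).
    cors = _section(cfg, "apim.cors")
    origins = cors.get("allow_origins", "*")
    origins = origins if isinstance(origins, list) else [origins]
    if "*" in origins and _is_true(cors.get("allow_credentials", False)):
        findings.append(("cors-wildcard-with-credentials", "apim.cors"))

    # Assumption: an unset gateway cache is on (listed default) and an unset
    # Key Manager cache is off (the value in the catalog's commented sample).
    gateway = _section(cfg, "apim.cache.gateway_token").get("enable", True)
    key_mgr = _section(cfg, "apim.cache.km_token").get("enable", False)
    if _is_true(gateway) and _is_true(key_mgr):
        findings.append(("both-token-caches-enabled", "apim.cache"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(name)
        for rule, location in audit(text):
            print(f"  {rule:32} {location}")
```

Run it against the file before each deployment and treat any finding as a failed check; an empty list means none of the four rules matched.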
Throttling configurations
[apim.throttling]
username = "[email protected]@carbon.super"
#enable_data_publishing = true
#enable_policy_deploy = true
#enable_blacklist_condition = true
#enable_persistence = true
#throttle_decision_endpoints = ["tcp://localhost:5672","tcp://localhost:5672"]
[apim.throttling]
Required
Configurations related to API Manager traffic control.
username
string Required
[email protected]@carbon.supe
enable_data_publishing
boolean
TRUE
true,false
Enable publishing of requests and throttling data.
enable_policy_deploy
boolean
TRUE
true,false
Enable deployment of throttling policies.
enable_blacklist_condition
boolean
TRUE
true,false
Enable blocking conditions from the admin portal.
enable_persistence
boolean
TRUE
true,false
Enable persisting current counter state of the Traffic Manager.
throttle_decision_endpoints
boolean
["tcp://localhost:5672","tcp://localhost:5672"]
Define a set of JMS connections as an array.
Consent validation service
[open_banking.gateway.consent.validation]
endpoint = "https://localhost:9446/api/openbanking/consent/validate"
[open_banking.gateway.consent.validation]
Required
endpoint
string
https://localhost:9446/api/openbanking/consent/validate
Configure a custom Consent Validation service.
Dynamic Client Registration
[open_banking.dcr]
#jwks_endpoint_name = ""
#app_name_claim = " "
token_endpoint = "https://localhost:9443/oauth2/token"
use_softwareIdForAppName = true
[open_banking.dcr]
Required
Configurations related to Dynamic Client Registration.
jwks_endpoint_name
string
Configure the name of the claim regarding the jwks endpoint that is issued for the SSA. You can refer to the SSA for this value.
app_name_claim
string
Configure the claim name in the SSA that mentions the software. If the use_softwareIdForAppName configuration is set to false, the name of the application is set using the value of the given claim.
token_endpoint
string Required
https://<APIM_HOST>:9443/oauth2/token
The hostname of the API Manager server for the token endpoint.
use_softwareIdForAppName
boolean Required
TRUE
To set the software id as the name of the application. By default, this configuration is set to true.
DCR - JWKS endpoint connection timeout
#[open_banking.dcr.jwks_retriever]
#connection_timeout = 3000
#read_timeout = 3000
[open_banking.dcr.jwks_retriever]
Configure the timeout value, when validating the signature of the request.
connection_timeout
string
3000
The timeout values when validating the signature of the request.
read_timeout
string
3000
The timeout values when validating the signature of the request.
DCR - Regulatory APIs configurations
[[open_banking.dcr.regulatory_api]]
api_name = "CDR-DynamicClientRegistration"
roles = "AISP,PISP"
[[open_banking.dcr.regulatory_api]]
api_name = "AccountandTransactionAPI"
roles = "AISP"
[open_banking.dcr.regulatory_api]
Required
api_name
string Required
CDR-DynamicClientRegistration
The regulatory APIs, which should be subscribed to by DCR applications.
roles
string Required
AISP,PISP
The roles in the SSA that the API consumer application will be playing.
API Manager internal REST APIs
[[open_banking.dcr.apim_rest_endpoints]]
app_creation = "api/am/devportal/v2/applications"
key_generation = "api/am/devportal/v2/applications/application-id/map-keys"
api_retrieve = "api/am/devportal/v2/apis"
api_subscribe = "api/am/devportal/v2/subscriptions/multiple"
[open_banking.dcr.apim_rest_endpoints]
If you want to change the internal REST API endpoints of the API Manager, configure the following tags. By default, the API Manager 4.1 endpoints are configured.
app_creation
string
api/am/devportal/v2/applications
key_generation
string
api/am/devportal/v2/applications/application-id/map-keys
api_retrieve
string
api/am/devportal/v2/apis
api_subscribe
string
api/am/devportal/v2/subscriptions/multiple
Data publishing configurations
[open_banking.data_publishing]
enable = false
username="$ref{super_admin.username}@carbon.super"
password="$ref{super_admin.password}"
server_url = "{tcp://localhost:7612}"
#auth_url = "{ssl://localhost:7612}"
protocol = "Thrift"
pool_size = 10
queue_size = 32768
worker_thread_count = 10
pool_wait_time_Ms = 60000
[open_banking.data_publishing]
Required
Configurations related to the data publishing in API Manager.
enable
boolean Required
FALSE
To enable the data publishing feature.
username
string Required
$ref{super_admin.username}@carbon.super
Credentials to access WSO2 Streaming Integrator.
password
string Required
$ref{super_admin.password}
Credentials to access WSO2 Streaming Integrator.
server_url
string Required
{tcp://<SI_HOST>:7612}
The TCP port of Open Banking Business Intelligence Worker.
auth_url
string
{tcp://<SI_HOST>:7612}
The SSL authentication URL of Open Banking Business Intelligence Worker. This is an optional configuration.
protocol
string Required
Thrift
Thrift
The protocol used to publish Open Banking data.
pool_size
string Required
10
Defines the maximum number of instances that can reside in the pool.
queue_size
string Required
32768
worker_thread_count
string Required
10
pool_wait_time_Ms
string Required
60000
Defines the maximum waiting time to retrieve an instance from the pool.
Data publishing stream¶
[[open_banking.data_publishing.thrift.stream]]
name="APIInputStream"
[open_banking.data_publishing.thrift.stream]
Required
name
string
Define a stream for publishing data.
Data publishing attributes¶
[[open_banking.data_publishing.thrift.stream.attributes]]
name="consentId"
priority=1
[[open_banking.data_publishing.thrift.stream.attributes]]
name="consumerId"
priority=2
[[open_banking.data_publishing.thrift.stream.attributes]]
name="clientId"
priority=3
[[open_banking.data_publishing.thrift.stream.attributes]]
name="userAgent"
priority=4
required=true
[open_banking.data_publishing.thrift.stream.attributes]
Required
name
string
Define an attribute for publishing data.
priority
string
Define the priority for a data publishing attribute.
Gateway Executors¶
[[open_banking.gateway.openbanking_gateway_executors.type]]
name = "DCR"
[open_banking.gateway.openbanking_gateway_executors.type]
Required
name
string Required
Default
Default, DCR, Accounts, Payments
The Gateway Executors will engage in the configured API flow.
Gateway Executor configurations¶
[[open_banking.gateway.openbanking_gateway_executors.type.executors]]
name = "com.wso2.openbanking.accelerator.gateway.executor.impl.mtls.cert.validation.executor.MTLSEnforcementExecutor"
priority = 1
[[open_banking.gateway.openbanking_gateway_executors.type.executors]]
name = "com.wso2.openbanking.accelerator.gateway.executor.impl.api.resource.access.validation.APIResourceAccessValidationExecutor"
priority = 2
[[open_banking.gateway.openbanking_gateway_executors.type.executors]]
name = "com.wso2.openbanking.accelerator.gateway.executor.dcr.DCRExecutor"
priority = 3
[[open_banking.gateway.openbanking_gateway_executors.type.executors]]
name = "com.wso2.openbanking.accelerator.gateway.executor.impl.error.handler.OBDefaultErrorHandler"
priority = 1000
[open_banking.gateway.openbanking_gateway_executors.type.executors]
Required
name
string Required
For example, "com.wso2.openbanking.accelerator.gateway.executor.impl.tpp.validation.executor.DCRTPPValidationExecutor", "com.wso2.openbanking.accelerator.gateway.executor.impl.mtls.cert.validation.executor.MTLSEnforcementExecutor", "com.wso2.openbanking.accelerator.gateway.executor.impl.api.resource.access.validation.APIResourceAccessValidationExecutor", "com.wso2.openbanking.accelerator.gateway.executor.impl.mtls.cert.validation.executor.CertRevocationValidationExecutor"
Configure Gateway Executors for a particular API flow.
priority
string Required
Set the priority of the executor.
Gateway certificate management¶
[open_banking.gateway.certificate_management.certificate]
cache_expiry = 3600
[open_banking.gateway.certificate_management.certificate]
Required
cache_expiry
integer Required
3600
Set the cache expiry time.
Certificate revocation validation¶
[open_banking.gateway.certificate_management.certificate.revocation]
enabled = true
retry_count = 3
[open_banking.gateway.certificate_management.certificate.revocation]
Required
Configurations related to certificate revocation validation.
enabled
boolean Required
TRUE
To enable certificate revocation validation, set the value to true.
retry_count
integer Required
3
Certificate revocation validation - proxy¶
[open_banking.gateway.certificate_management.certificate.revocation.proxy]
enabled = false
host = "PROXY_HOSTNAME"
port = 8080
[open_banking.gateway.certificate_management.certificate.revocation.proxy]
Required
Configurations related to the proxy that performs certificate revocation validation.
enabled
boolean Required
FALSE
By default, WSO2 Open Banking API Manager executes the certificate revocation validation itself. However, you can route the certificate revocation validation through a proxy. In that case, set the value to true.
host
string Required
PROXY_HOSTNAME
The certificate revocation validations will happen via this proxy host.
port
integer Required
8080
The certificate revocation validations will happen via this proxy port.
API consumer validation configurations¶
[open_banking.gateway.tpp_management.tpp_validation]
enabled = false
implementation_path = ""
cache_expiry = 3600
[open_banking.gateway.tpp_management.tpp_validation]
Required
Configurations related to the validation of API consumer applications.
enabled
boolean Required
FALSE
Configure a custom API Consumer Validation Executor.
implementation_path
string
The FQN of your custom API Consumer Validation Executor.
cache_expiry
string Required
3600
The expiry duration of the cache.
API consumer role validation¶
[open_banking.gateway.tpp_management.psd2_role_validation]
enabled = true
[open_banking.gateway.tpp_management.psd2_role_validation]
Required
enabled
boolean Required
TRUE
true,false
Set this to true to compare the PSD2 roles against the certificate of API consumer applications.
Allowed scopes for API consumer applications¶
[[open_banking.gateway.tpp_management.allowed_scopes]]
name = "accounts"
roles = "AISP, PISP"
[[open_banking.gateway.tpp_management.allowed_scopes]]
name = "payments"
roles = "PISP"
[open_banking.gateway.tpp_management.allowed_scopes]
Required
name
string Required
accounts, payments
Defines an allowed scope for API consumer applications.
roles
string Required
AISP, PISP
The roles of API consumer applications are matched against these roles.
HTTP connection pool¶
[open_banking.http_connection_pool]
max_connections = 2000
max_connections_per_route = 1500
[open_banking.http_connection_pool]
Configure the maximum number of connections for the HTTP connection pool.
max_connections
integer
2000
If not configured, the default value of 2000 will be used.
max_connections_per_route
integer
1500
If not configured, the default value of 1500 will be used.