We are trying to set up a WSO2 API Manager cluster with F5 as the load balancer and have been having issues with having F5 in the mix. One manager instance is set up on a server (server/Admin port: node1.xyz.com:9443) with F5 (manager.xyz.com, which maps to node1.xyz.com:9443).
After several rounds of trial and error, we found the issue to be with the API key manager URL configuration in the worker instance. Using the direct server/port URL (i.e. node1.xyz.com:9443) works fine. However, using the F5 URL (i.e. manager.xyz.com) results in the exception below. Any thoughts as to what may be incorrect or missing?
Eventually we want to have two manager instances running. So, we would like to get this F5 setup working such that worker instances can point to F5 instead of an individual manager node.
Thanks for the help in advance!
Configuration in the Worker node that works:
<APIKeyManager>
<!--
Server URL of the API key manager
-->
<ServerURL>https://node1.xyz.com:9443${carbon.context}/services/</ServerURL>
Configuration in the Worker node that causes error with F5:
<APIKeyManager>
<!--
Server URL of the API key manager
-->
<ServerURL>https://manager.xyz.com${carbon.context}/services/</ServerURL>
Exception when using F5:
TID: [0] [AM] [2014-12-11 16:03:37,697] ERROR {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - API authentication failure {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler}
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
at org.wso2.carbon.apimgt.gateway.handlers.security.thrift.ThriftAPIDataStore.getAllURITemplates(ThriftAPIDataStore.java:99)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getAllURITemplates(APIKeyValidator.java:516)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.doGetAPIInfo(APIKeyValidator.java:368)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.findMatchingVerb(APIKeyValidator.java:343)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getResourceAuthenticationScheme(APIKeyValidator.java:172)
at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:93)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:92)
Few immediate things you could check -
- <HostName> and <MgtHostName> elements in KeyManager_HOME/repository/conf/carbon.xml are set to the hostname of the F5, i.e. "manager.xyz.com"
- proxyPort=443 attribute to the https connector in KeyManager_HOME/repository/conf/tomcat/catalina-server.xml. Configure http connector as well if desired.

If you did not set the above two settings, then the HTTP 302 redirects fail, which might explain your scenario. And, we ask users to configure ProxyPassReverse in addition to ProxyPass when using Apache HTTPD as the reverse proxy. I'm not sure of the equivalent config for F5.
If the above didn't help, we need to know what your deployment looks like to better help you, i.e. how you cluster the nodes, whether you have separate API gateway and keymanager instances, etc.
I think it will be worth your while to go through the WSO2 cluster guide to understand the clustering logic better.
With APIM, you can have separate Keymanager, API gateway (and API store, API publisher) nodes. The worker-manager separation only applies to the API Gateway. And there is no worker-manager separation needed for the keymanager. So, you may think of all the API keymanager nodes as hybrid nodes that provide both manager and worker functionality.
We can see further if you do not have separate keymanagers.
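
A check for the two settings listed in the answer above, as an added example that is not part of the original thread or WSO2's own code. The sample XML is constructed; the function name `check_proxy_settings` and identifying the https connector by its `scheme="https"` attribute are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real deployment).
CARBON_XML = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <HostName>node1.xyz.com</HostName>
  <MgtHostName>manager.xyz.com</MgtHostName>
</Server>"""

CATALINA_XML = """<Server>
  <Service name="Catalina">
    <Connector port="9763" scheme="http"/>
    <Connector port="9443" scheme="https" secure="true" proxyPort="443"/>
  </Service>
</Server>"""


def local(tag):
    """Strip an XML namespace prefix such as '{uri}HostName'."""
    return tag.rsplit("}", 1)[-1]


def check_proxy_settings(carbon_xml, catalina_xml, lb_host, lb_port="443"):
    """Return a list of findings; an empty list means both settings match."""
    findings = []
    root = ET.fromstring(carbon_xml)
    # Commented-out elements are skipped by the parser, so they show up as None.
    values = {local(e.tag): (e.text or "").strip() for e in root.iter()}
    for name in ("HostName", "MgtHostName"):
        if values.get(name) != lb_host:
            findings.append(f"carbon.xml: <{name}> is {values.get(name)!r}, "
                            f"expected {lb_host!r}")
    # Assumption: the https connector is the one with scheme="https".
    connectors = [e for e in ET.fromstring(catalina_xml).iter()
                  if local(e.tag) == "Connector" and e.get("scheme") == "https"]
    if not connectors:
        findings.append("catalina-server.xml: no https connector found")
    for c in connectors:
        if c.get("proxyPort") != lb_port:
            findings.append(f"catalina-server.xml: https connector on port "
                            f"{c.get('port')} has proxyPort={c.get('proxyPort')!r}, "
                            f"expected {lb_port!r}")
    return findings


if __name__ == "__main__":
    for line in check_proxy_settings(CARBON_XML, CATALINA_XML, "manager.xyz.com"):
        print(line)
```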