Create a Gateway Node on Oracle Cloud Infrastructure
You can use Terraform to create a new gateway node on Oracle Cloud Infrastructure.
Before You Begin Creating a Gateway on Oracle Cloud Infrastructure
Before you create API Platform Cloud Service Gateway on Oracle Cloud Infrastructure, complete the prerequisites.
Complete the following prerequisites whether or not you encrypt passwords:
Complete the following additional prerequisites if you want to encrypt passwords:
Understand Service Requirements
Learn the service requirements for creating a gateway.
You must fulfill certain requirements before you complete setup prerequisites and use Terraform to create the API Platform Cloud Service gateway instance on Oracle Cloud Infrastructure.
Basic Essentials
You require the following basic Oracle Cloud Infrastructure essentials:
- Tenancy
- User
- Group
- Compartment
Create a compartment in Oracle Cloud Infrastructure for your API Platform Cloud Service gateway resources, or use an existing compartment.
Required Access
You require permissions to access several Oracle Cloud Infrastructure components and services in order to use API Platform Cloud Service Gateway setup.
- Compute
- Resource Manager
- Load Balancing
- Virtual Cloud Networks
- Custom Images
- Block Volumes
If you want to encrypt passwords, you must also have permissions to access the following:
- Key Management
- Dynamic Groups
Check the service limits for these components in your Oracle Cloud Infrastructure tenancy and, if necessary, request a service limit increase. See Service Limits in the Oracle Cloud Infrastructure documentation.
Encrypt Passwords
Note:
Encryption is strongly recommended, especially for production, but is not required.
Encrypt the following passwords that you will supply to the Terraform package for setting up the API Platform Cloud Service gateway using a key from the Oracle Cloud Infrastructure Key Management service:
- Gateway Weblogic Administrator Password
- Client Secret associated with desired API Management Platform
- Gateway Runtime User Password
- Gateway Manager User Password
See Key Management FAQ and Encrypt Passwords.
Authorization
This prerequisite is required if you encrypt passwords.
Note:
Encryption is strongly recommended, especially for production, but is not required.
Authorize the compute instance to use Oracle Cloud Infrastructure services.
- The compute instance created during API Platform Cloud Service gateway setup requires access to Key Management service to decrypt the encrypted passwords passed to the Terraform project using the Resource Manager.
- You must set up the required Dynamic Group and Policies for using the compute instance as principal.
See Calling Services from an Instance in the Oracle Cloud Infrastructure documentation, and Provide Access to Required Oracle Cloud Infrastructure Resources in a Compartment.
Provide Access to Required Oracle Cloud Infrastructure Resources in a Compartment
Provide access to Oracle Cloud Infrastructure resources in a compartment through policies.
Note:
You must complete this prerequisite regardless of whether you encrypt passwords.
When you create API Platform Cloud Service Gateway setup in Oracle Cloud Infrastructure, by default the compute instance, block storage volume, virtual cloud network, subnets, security lists, route tables, load balancer, and so on, are all created within a single compartment.
Access to Oracle Cloud Infrastructure resources in a compartment is controlled through policies. Your Oracle Cloud Infrastructure user must have management access to these resources. The policies are written with respect to the group to which the user belongs.
Allow group MyGroup to manage instance-family in compartment MyCompartment
Allow group MyGroup to manage virtual-network-family in compartment MyCompartment
Allow group MyGroup to manage volume-family in compartment MyCompartment
Allow group MyGroup to manage load-balancers in compartment MyCompartment
Allow group MyGroup to manage orm-stacks in compartment MyCompartment
Allow group MyGroup to manage orm-jobs in compartment MyCompartment
Allow group MyGroup to manage app-catalog-listing in compartment MyCompartment
If you plan to encrypt keys, you also need the following policies:
Allow group MyGroup to manage vaults in compartment MyCompartment
Allow group MyGroup to manage keys in compartment MyCompartment
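As an alternative to creating individual policies, you can use one manage all-resources policy. Note that this grants the group management rights over every resource type in the compartment, not only those the gateway setup needs:
Allow group MyGroup to manage all-resources in compartment MyCompartment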
Create an Encryption Key
Create an encryption key in Oracle Cloud Infrastructure Key Management. This will allow you to encrypt and decrypt the various passwords required for APICS Gateway setup.
Note:
Encryption is strongly recommended, especially for production, but is not required.
An encryption key created in Oracle Cloud Infrastructure Key Management enables you to encrypt and decrypt the passwords required for API Platform Cloud Service Gateway setup.
First, create a vault and encryption key in Key Management, or use an existing vault and key.
After you create the key, note the following information:
- Cryptographic Endpoint of the vault
- OCID of the key
See Managing Keys in the Oracle Cloud Infrastructure documentation.
Encrypt Passwords
Use Oracle Cloud Infrastructure Key Management to encrypt the passwords that you need to create and join an API Platform Cloud Service Gateway Node.
Note:
Encryption is strongly recommended, especially for production, but is not required.
You can encrypt the following passwords:
- Gateway Weblogic Admin Password
- Client Secret associated with desired API Management Platform
- Gateway Runtime User Password
- Gateway Manager User Password
You cannot use the console to encrypt or decrypt sensitive data in Key Management. You must use the Oracle Cloud Infrastructure command line interface (CLI) or API.
See CLI Quickstart in the Oracle Cloud Infrastructure documentation to set up the Oracle Cloud Infrastructure CLI or API.
See Using Keys in the Oracle Cloud Infrastructure documentation.
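The following is an added example, not part of Oracle's documentation: a POSIX shell wrapper around the OCI CLI command oci kms crypto encrypt that encrypts one password using the key OCID and the vault's Cryptographic Endpoint noted when the key was created. The function names and the usage line are illustrative, and the script assumes the OCI CLI is already installed and configured.

```shell
#!/bin/sh
# Added example (not Oracle's script). Usage:
#   sh encrypt_pw.sh <key-ocid> <cryptographic-endpoint>
# Both arguments are the values noted when the key was created.

# Base64-encode the exact bytes of the secret. printf '%s' avoids the
# trailing newline that echo would append; that newline would otherwise be
# encrypted too and become part of the decrypted password.
b64_plaintext() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Read one secret from stdin (terminal echo disabled) and print its ciphertext.
# $1 = key OCID, $2 = vault cryptographic endpoint
encrypt_password() {
    key_ocid=$1
    endpoint=$2
    if [ -t 0 ]; then printf 'Secret: ' >&2; stty -echo; fi
    IFS= read -r secret
    if [ -t 0 ]; then stty echo; printf '\n' >&2; fi
    # The base64 plaintext is passed as an argument, so it is briefly visible
    # in the local process list; run this on a workstation you trust.
    ct=$(oci kms crypto encrypt \
            --key-id "$key_ocid" \
            --plaintext "$(b64_plaintext "$secret")" \
            --endpoint "$endpoint" \
            --query 'data.ciphertext' --raw-output) || return 1
    unset secret
    printf '%s\n' "$ct"
}

# Run only when both arguments are supplied on the command line.
if [ "$#" -eq 2 ]; then
    encrypt_password "$1" "$2"
fi
```

Run it once per password and supply each printed ciphertext to the Terraform package in place of the clear-text value.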
Create a Dynamic Group
Create a group in Oracle Cloud Infrastructure whose members are the compute instances that you will create with API Platform Cloud Service Gateway Node setup.
Note:
Dynamic groups are needed only if you encrypt passwords. Encryption is strongly recommended, especially for production, but is not required.
To create a dynamic group:
Create a Policy for the Dynamic Group
Create a policy in Oracle Cloud Infrastructure so that the compute instances in the API Platform Cloud Service gateway node can access your encryption key.
Note:
Dynamic groups and policies are needed only if you encrypt passwords. Encryption is strongly recommended, especially for production, but is not required.
To create a policy:
Create the Gateway Instance on Oracle Cloud Infrastructure
Use a Terraform project you download from Oracle to create the logical gateway instance on Oracle Cloud Infrastructure.
To create the gateway instance:
Resolve Issues with the New Gateway Node
Resources are available to you to help you resolve any issues you may have with the new gateway node.
About Login Basics
Learn how to log in to the gateway compute instance and change users.
Log In to the Gateway Node Compute Instance
Open a command window and enter the following:
ssh -i private_key opc@public_ip_address
For example:
ssh -i opc_private_key opc@192.0.2.254
You are logged in as the opc user.
Change Users
After you have logged in as the opc user, you can switch users if needed.
To switch to the oracle user:
sudo su - oracle
To switch back to the opc user before switching to a different user:
exit
To switch to the root user:
sudo su -
Locate Log Files
Locate the log files that are available to help you in debugging and troubleshooting.
Gateway Actions Log Files
Check the gateway actions log files first when you are debugging an issue.
Location:
/u01/gateway/install/logs
Log files:
checkJavaDbStatus.log
gatewayDomainCreation.log
gatewayInstall.log
java_version_check.log
main.log
scsgPatch.log
registerNode.log
status.log
Administration Server and Managed Server Log Files
You can access log files that are related to starting and stopping the Administration Server, Managed Server, and Node Manager.
Location:
/u01/gateway/install/domain/gateway1
Log files:
startDb.out
startMServer.out
startNodeManager.out
startWls.out
stopDb.out
stopMServer.out
stopNodeManager.out
stopWls.out
You can also use diagnostic and access log files for the Administration Server and Managed Server.
Administration Server log location:
/u01/gateway/install/domain/gateway1/servers/AdminServer/logs
Managed Server log location:
/u01/gateway/install/domain/gateway1/servers/managedServer1/logs
APICS Log Files
The APICS log files are related to the APICS controller (deployment, polling, and analytics, for example).
Location:
/u01/gateway/install/domain/gateway1/apics/logs
Log files:
apics.log
analytics.log
Customize the Hostname Verifier for Gateway Restart
You can customize the Hostname Verifier before you restart the gateway.
Note:
Terraform sets the Hostname Verifier automatically, so you are not required to customize it yourself.
To customize the Hostname Verifier:
Enable and Customize the HTTP Access Log
Learn how to enable and customize the HTTP access log to provide detailed information for the gateway.
Stop, Start, or Check the Status of the Gateway Node
Learn how to stop, start, or check the status of the gateway.
- First, ssh into the gateway node compute instance:
ssh -i private_key opc@public_ip
- Switch to the oracle user:
sudo su - oracle
- Navigate to the installer directory:
cd /u01/installer
The JSON property file SilentInstall.json is located inside the installer directory.
Note:
For security reasons, you can delete the SilentInstall.json file, then recreate it later. To learn about the contents of the SilentInstall.json file, see the information about the gateway-props.json file in Install a Gateway Node.
Use the JSON file when you check the status of the gateway, or stop or start the Administration Server and Managed Servers.
- To check the current status:
./APIGateway -f SilentInstall.json -a status
- To stop the gateway Administration Server and Managed Servers:
./APIGateway -f SilentInstall.json -a stop
- To start the gateway Administration Server and Managed Servers:
./APIGateway -f SilentInstall.json -a start