10 How to deploy Plato-Apigateway Router
This topic provides the systematic instructions to deploy the plato-apigateway router.
Router deployment steps
- Deploy plato-config-service
  - Set placeholder -Dflyway.domain.placeholders.plato-apigateway-router.server.port=<new server port for plato-apigateway-router>
- Deploy plato-ui-config-service
  - Set -Dflyway.domain.placeholders.apigateway.port=<new server port for plato-apigateway-router>
  - Set -Dflyway.domain.placeholders.apigateway.host=<server host for plato-apigateway-router>
- Deploy plato-api-gateway
- Migrate existing OAuth users:
  API for migration - /api-gateway/migrateOauthUsers
  Example: http://hostname:8080/api-gateway/migrateOauthUsers
  Authorization - jwtToken
  Headers: appId, userId, entityId
  Body (JSON): ["client1", "client2"] - Migrate selected list of clients
  or
  Body (JSON): ["ALL"] - Migrate all clients.
- Deploy plato-apigateway-router
java -jar plato-apigateway-router.jar --plato.services.config.uri=http://hostname:8001 --plato.service.logging.path=/logfilePath
--plato.services.config.uri - Config server URI which is referred to by all other services.
--plato.service.logging.path - Path where the log file (plato-apigateway-router.log) must be created. Specify the same path as that of other services.
We can enable SSL for plato-apigateway-router by providing:
--server.ssl.enabled=true
--server.ssl.key-store=C:/Users/KEYS/keytool/keystore.jks
--key-store-password=xxxx
--server.ssl.trust-store=C:/Users/KEYS/keytool/truststore.jks
--trust-store-password=xxxxx
--salt=xxxxx
Note: Passwords and salt must be encrypted values generated using the respective toolkits.
Provide the SSL certificates of plato-api-gateway required for the validation call when plato-api-gateway is deployed on a different server:
--apigateway.useServerSSLKeys=false
--apigateway.ssl.key-store=C:/Users/KEYS/keytool/keystore.jks
--apigateway.ssl.key-store-password=xxxx
--apigateway.ssl.trust-store=C:/Users/KEYS/keytool/truststore.jks
--apigateway.ssl.trust-store-password=xxxxx
Note: The above certificates can be different from those of plato-apigateway-router.
We must also provide trust certificates as:
--spring.cloud.gateway.httpclient.ssl.trusted-x509-certificates=C:/Users/KEYS/keytool/keystore1.pem,C:/Users/KEYS/keytool/keystore2.pem
Note: Run this service with the nohup command so that the process runs in the background.
App-shell must point to the plato-apigateway-router service. Update 'apigateway.url' to "http://hostname:8080", where 8080 is the port configured for plato-apigateway-router.
Generating the pem file and encrypting secrets:
Use plato-security-toolkit to encrypt the secrets --key-store-password, --trust-store-password, --apigateway.ssl.key-store-password and --apigateway.ssl.trust-store-password; these encrypted values must be passed to the router service.
To encrypt the passwords as per Oracle Standards, we recommend toolkit - plato-security-toolkit
Usage: java -jar plato-security-toolkit-9.1.0.jar
Enter pass phrase: Test123
Enter Salt: 0.9412345671234567
Encrypted Password: m4Q1rbtegkWse2s7D2jKfw==
Encrypt the --salt value that was used while generating the encrypted secret. This encrypted salt must be passed to the router service.
To encrypt the salt as per Oracle Standards, we recommend toolkit - plato-security-salt-encryption-toolkit
Usage: java -jar plato-security-salt-encryption-toolkit-9.1.0.jar
Enter Salt: 0.9412345671234567
Encrypted Password: VmtjMWQxTnJOVlpPV0VaWFZrVndUMWxYTVU1bFJsSlpZMFZLYTFaVVZrWldWbWgzVkRGS1JsWnFVVDA9
keytool -exportcert -alias localhost -keystore keystore.jks -rfc -file keystore.pem
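The PEM files exported this way are listed in --spring.cloud.gateway.httpclient.ssl.trusted-x509-certificates, so it is worth checking them before starting the router. The following is an added example, not part of the Oracle toolkit or documentation; check_trusted_pems is a hypothetical helper name and the sample files are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Oracle's code. check_trusted_pems is a hypothetical helper.
# It validates the comma-separated value intended for
# --spring.cloud.gateway.httpclient.ssl.trusted-x509-certificates.
check_trusted_pems() {
    list=$1
    rc=0
    # An unquoted space splits the value into two command-line arguments.
    case $list in
        *" "*) echo "WARN: value contains a space; remove it or quote the argument" >&2 ;;
    esac
    old_ifs=$IFS; IFS=,; set -f
    set -- $list                      # split on commas only, no globbing
    set +f; IFS=$old_ifs
    [ $# -gt 0 ] || { echo "ERROR: empty certificate list" >&2; return 1; }
    for entry in "$@"; do
        # Trim whitespace left around each comma-separated entry.
        f=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ ! -r "$f" ]; then
            echo "ERROR: $f: missing or unreadable" >&2; rc=1; continue
        fi
        begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || :)
        ends=$(grep -c -- '-----END CERTIFICATE-----' "$f" || :)
        if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
            echo "ERROR: $f: no complete PEM certificate block" >&2; rc=1
        fi
        # A trust file is distributed widely; it must never carry key material.
        if grep -q -- 'PRIVATE KEY-----' "$f"; then
            echo "ERROR: $f: contains a private key" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed sample input: placeholder PEM files, not real certificates.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo_dir/keystore1.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END PRIVATE KEY-----' > "$demo_dir/leaky.pem"
check_trusted_pems "$demo_dir/keystore1.pem" && echo "keystore1.pem: ok"
check_trusted_pems "$demo_dir/keystore1.pem,$demo_dir/leaky.pem" || echo "rejected"
rm -rf "$demo_dir"
```

The check only looks at PEM markers; it does not verify that a certificate parses or is unexpired.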
Timeout parameters
spring.cloud.gateway.httpclient.connect-timeout=3000 //milliseconds
spring.cloud.gateway.httpclient.response-timeout=360s
spring.cloud.gateway.httpclient.pool.acquire-timeout=6000 //milliseconds
spring.cloud.gateway.httpclient.pool.max-connections=10000
webclient.http.max.connections=1000
webclient.http.acquire.timeout.millisec=5000
webclient.http.connection.timeout.millisec=20000
webclient.http.read.timeout.seconds=20000
webclient.http.write.timeout.seconds=20000