api platform cloud service best practice - oow17

Oracle Open World 2017: Oracle API Platform Best Practices & Lessons Learnt. San Francisco, October 2017

Luis Weir: uk.linkedin.com/in/lweir, @luisw19, www.soa4u.co.uk / APIPlatform.cloud

Phil Wilkins: uk.linkedin.com/in/philWilkins, @PhilAtCapgemini / @MP3Monster, Oracle-integration.cloud / APIPlatform.cloud / Blog.mp3monster.org

Upload: phil-wilkins

Post on 23-Jan-2018


Copyright © Capgemini and Sogeti 2017. All Rights Reserved

About us :: Luis

I am very passionate about technology. I have been the lead author of two books (Oracle SOA Governance 11g Implementation and Oracle API Management 12c Implementation), I am a regular blogger and speaker in major conferences and events. A well-known industry expert especially when it comes to Oracle middleware technologies, I am also an OTN certified SOA black belt.

Luis Weir

Oracle Ace Director – Chief Architect at Capgemini UK

I am an Oracle Ace Director, Cloud Principal and a Thought Leader specialised in Oracle Fusion Middleware & Oracle PaaS. With more than 15 years of experience implementing IT solutions across the globe, I have been exposed to a wide variety of business problems, many of which I’ve helped solve by adopting SOA architectural styles such as traditional SOA, API management and now Microservices. My current focus is in assisting organisations define and implement solutions and strategies that can help them realise the benefits that such technologies have to offer.

• 2nd Place, 1st OTN Cloud Hackathon, June 2016

• Cloud Contribution Award, PaaS Community, March 2016

• Best New UK Speaker, UKOUG, December 2016

• API Contribution Award, PaaS Community, April 2017

About us :: Phil

I believe knowledge & experience is only of value when shared. So, I have co-authored a book on iPaaS, along with contributing to the development of more than a dozen other titles ranging from Apache Camel to Oracle Integration Cloud Service, Cloud Computing Design Patterns to Next Generation SOA. Additionally I am an active blogger and have had a number of articles published in various journals. Additionally I have presented at a number of conferences and events.

Phil Wilkins

Oracle Ace – Senior Consultant at Capgemini UK

I am a Technical Enterprise Architect specializing in integration and cloud technologies. I started out as a developer working on mission critical real time systems such as Radar and Air Traffic Control before moving into integration solutions (in consultant, software vendor and customer roles) and using open source technologies such as JBoss app Server, FuseSource (now JBoss Fuse) among others. I have been working with Oracle middleware tech-stack for the last 8 years both for on-premises solutions, hybrid and pure cloud scenarios. I’m a great believer in the right tool for the right job and using technology to solve a problem.

• Supported the development of a variety of books (Packt – Erl et al)

• Articles published in a range of journals

• Published 1st Oracle iPaaS book: Implementing ICS

• PaaS Community, Jan 2017

• TOGAF 9 Certified, 2013

API Platform Book

Goes to Print Q1 2018

… Available as Alpha (download chapters as we finish them)

Order from …

• http://bit.ly/APIP-CS

• http://bit.ly/APIP-CS-Amazon

http://APIPlatform.cloud


3 Membership Tiers

• Oracle ACE Director

• Oracle ACE

• Oracle ACE Associate

bit.ly/OracleACEProgram

500+ Technical Experts Helping Peers Globally

Connect: @oracleace, Facebook.com/oracleaces

Nominate yourself or someone you know: acenomination.oracle.com

API Platform Cloud Service

*New cloud service (not the previous solution)

Cloud and on-premise API creation, publishing and management

Key Features

• API visibility in the cloud: API Platform provides visibility to APIs through a cloud-based portal

• Protects backend services: API Gateways deployed on-prem or on any cloud protect backend systems and services by providing a robust security layer

• Supports on-premise and cloud-based services: APIs can virtualise both cloud and on-premise services

Benefits

• Easily expose APIs to internal and external consumers

• Provides security to protect backend systems

• Rapid and fully automated provisioning

• Secure, highly available with clustering


Steps to success!

1) Discover

2) Architecture & Lifecycle

3) Installation & Configuration

4) Conclusions

API Platform Component Architecture

Gateway – Deployable almost anywhere:

• On-Premises

• Oracle Cloud

• 3rd party clouds including AWS, Azure, IBM

API-P Management – runs in Oracle Cloud

Steps to success

1. Discovery: identify the needs and drivers for API management. Conduct discovery workshops with business & IT. The idea is to create a backlog of needs and identify existing assets

Discovery workshops and outcomes

Business Stakeholders

• Identify key stakeholders (i.e. Finance, HR, etc)

• Prepare questions to understand their needs i.e.

• Need to access up to date data in real time?

• Mobile apps or web-apps need access to backend data?

• Need to understand who accesses the data?

• Partners need access to data (i.e. product info?)

• Volumes (from business point of view)

IT Stakeholders

• Understand what related infrastructure is available (i.e. SOA Suite, OSB, etc)

• Identify what APIs (SOAP or REST) exist and their usage

• Understand connectivity challenges, especially around access to data from different places (i.e. cloud to on-premises)

• Understand non-functional requirements

Outcomes

• Gather all needs and classify them – basically a backlog

• Create a catalogue of existing APIs (a spreadsheet, nothing fancy) if not already available

• Expected business value of APIs. This should be used as a success factor of the initiative


Steps to success


2. Architecture and SDLC: Create a reference architecture (conceptual, logical, physical) and define your environment strategy as well. Also define your SDLC (process / tools / roles)

Oracle APIPCS Implementation Architecture

[Figure: implementation architecture spanning cloud and on-premises, shown for a mobile app calling a Mobile (SP) API. Labelled elements: external and internal firewalls, cloud firewall, external load balancers, Internet proxy, external and internal API gateways grouped into logical gateways (LG Ext., LG Int.), registry (register, de-register, health check, etc; get endpoints), identity providers (i.e. ADFS/LDAP), Identity as a Service, existing SOA infrastructure, API applications & microservices, mobile backend, business APIs, and PaaS, DBaaS, iPaaS and SaaS services. The API Platform in the cloud (Management Console, Developer Portal) is linked to the gateways by "Pulls deployments" and "Sends stats". Roles: application developers (discover, try, use); API Platform admins (install, manage gateways, manage users & grants); API designers & developers (publish & discover, manage, monitor APIs).]

LG = Logical gateway

SP = Single purpose

IP = Identity provider

Oracle APIPCS Implementation Architecture

[Figure: implementation architecture spanning cloud and on-premises, shown for business partners and community apps calling Partner (SP) and Public (SP) APIs through a CDN (i.e. Akamai). Labelled elements: external and internal firewalls, cloud firewall, external load balancers, Internet proxy, external and internal API gateways grouped into logical gateways (LG Ext., LG Int.), registry (register, de-register, health check, etc; get endpoints), identity providers (i.e. ADFS/LDAP), Identity as a Service, existing SOA infrastructure, API applications & microservices, and PaaS, DBaaS, iPaaS and SaaS services. The API Platform in the cloud (Management Console, Developer Portal) is linked to the gateways by "Pulls deployments" and "Sends stats". Roles: application developers (discover, try, use); API Platform admins (install, manage gateways, manage users & grants); API designers & developers (publish & discover, manage, monitor APIs).]

LG = Logical gateway

SP = Single purpose

IP = Identity provider

Deployment Framework

Environment Strategy & Deployment Process

[Figure: three API Platform instances labelled non-prod, pre-prod and prod, each with a Management Console, Developer Portal and Platform APIs. The non-prod instance (Development/Test) serves the Development and Test logical gateways, the pre-prod instance serves the Pre-production logical gateways, and the prod instance serves the Production logical gateways.]

Deployment process steps shown: Retrieve API details; Version Control; API Check out; Deploy (create new API); Change properties (i.e. endpoints); Test

Tools: Dredd, Circle CI, API Fortress

Steps to success


3. Installation/configuration tips: recommendations based on lessons learnt

Installation Steps

• Purchase/Create APIPCS and Apiary instances

• Create your user accounts

• Download gateway binaries

• Install/configure the gateways

• Post-configuration in management service

Installation Tip 1: When setting up the cloud – ensure DB sized for requirement

The management cloud requires you to go through the steps of:

• Creating Oracle Storage,

• Creating the Database as a Service – using the storage created,

• Instantiate API-P Platform.

This does mean you need to determine the size of database needed:

• Development environments can be small,

• Production sizing will depend on your API volumes (number of APIs and API invocations) and analytical needs.

Can expect this process to be simplified in the future

[Figure: Public Cloud – API Platform Cloud Service. A load balancer in front of a WLS cluster of compute nodes, each running a WebLogic Managed Server with the Management Portal, Developer Portal, REST APIs and Management Services, backed by Database Cloud on IaaS Storage, with Oracle Identity Cloud Service alongside. Labelled steps: Step 1: Create Storage; Step 2: Create DB on storage; Step 3: Instantiate API-Platform Servers.]

Installation Tip 2: Ensure you have permissions & storage

In production environments the OS can be locked down; ensure you have suitable permissions in advance

• Deployment of the Gateway is a little different to traditional WLS

If you wish to use ports 80 & 443 for API traffic then permissions will need to be set up on Linux

• API Platform does not support port mapping

Ensure you have plenty of storage – recommend min 5GB

• Each part of the tree suggested should have 1GB, plus allow additional 1GB for log files

• Provides space to unpack deployment

• Structure suggested means ability to rollback

You will want to link the Gateway start-up to the OS start-up for production

Installation Tip 3: Simplify download of the gateway

Gateways are likely to be installed on servers without a graphical UI, which makes the retrieval of the Gateway binary more fiddly as you need to have intermediary step(s) OR script …

Get cookie session first…

wget --keep-session-cookies --save-cookies cookies.txt --post-data='j_username=######&j_password=########' --no-check-certificate https://1.2.3.4/apiplatform/public/j_security_check

Get zip file passing session cookie …

wget --load-cookies cookies.txt --no-check-certificate https://1.2.3.4/apiplatform/downloads/ApicsGatewayInstaller.zip

This does take advantage of how API Platform is built – a change could disrupt this


Installation Tip 4: Installation takes too long and times out

This is usually caused because there isn’t enough entropy (randomness) in the operating system to complete the WebLogic domain creation/configuration. To fix this:

I. Check entropy level with command:

tail -f /proc/sys/kernel/random/entropy_avail

II. If the result is low (i.e. <100) then there isn’t enough randomness, which is why it’s taking so long. To fix this you can run the following command:

export CONFIG_JVM_ARGS=-Djava.security.egd=file:/dev/./urandom

NOTE: This shouldn’t be done in production environments. So if your production instances have low entropy levels contact your OS admins so the issue can be resolved. Good article below on how this issue can be resolved (thanks to Martien van den)

https://www.certdepot.net/rhel7-get-started-random-number-generator/

Installation Tip 7: Get the gateway-props.json values right

Getting the values in gateway-props.json wrong can result in a number of issues (i.e. wrong ports being used, wrong IPs, etc)

Most importantly, there are several properties that can be entered in gateway-props.json. Try to include only the minimum required, as any value entered will override the default values available in gateway-master.json, which can result in conflicts later on.

Below is a sample that worked for us:

{
"gatewayInstallDir" : "/opt/oracle/gateway",
"logicalGateway" : "<logical gateway name>",
"gatewayNodeName" : "<physical gateway name>",
"managementServerHost" : "http://<management portal host name>",
"managementServerPort" : "<management portal port>",
"proxyHost" : "<proxy host>",
"proxyPort" : "<proxy port>",
"nonProxyHosts" : "localhost",
"oauthProfileLocation" : "<oauth profile file name location>",
"listenIpAddress" : "<listen ip address>",
"publishAddress" : "<publish ip address>",
"phoneHomeProxy" : ["http://<proxy host>:<proxy port>","https://<proxy host>:<proxy port>"],
"nodeProxy" : ["http://<proxy host>:<proxy port>","https://<proxy host>:<proxy port>"],
"analyticsManagementUrl" : "http://<analytics host>:<port>",
"registryManagementUrl" : "http://<registry host>:<port>",
"gatewayExecutionMode" : "Development",
"loadBalancerUrl" : ["<lburl1>","<lburl2>"]
}
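A pre-install check for the file described above, as an added example (not Oracle's or the presenters' code): it flags copy-paste damage such as curly quotes, unresolved <placeholders>, and values that override a default. It assumes gateway-master.json is a flat JSON object, and the production checks (plain http:// URLs, Development execution mode) are an example local policy, not a product rule.

```python
import json

# Keys from the sample on this page whose values are URLs or lists of URLs.
URL_KEYS = {"managementServerHost", "analyticsManagementUrl", "registryManagementUrl",
            "phoneHomeProxy", "nodeProxy", "loadBalancerUrl"}


def _strings(value):
    """Yield every string inside a value that is a string or a list of strings."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, list):
        for item in value:
            yield from _strings(item)


def lint_gateway_props(text, master_defaults=None, production=False):
    """Return a list of (key, problem) tuples for a gateway-props.json document."""
    try:
        props = json.loads(text)
    except json.JSONDecodeError as exc:
        # Typical cause: curly quotes pasted from a slide or word processor.
        return [("<document>", f"invalid JSON at line {exc.lineno}: {exc.msg}")]
    if not isinstance(props, dict):
        return [("<document>", "top level must be a JSON object")]
    findings = []
    for key, value in props.items():
        strings = list(_strings(value))
        if any("<" in s or ">" in s for s in strings):
            findings.append((key, "unresolved <placeholder>"))
        if master_defaults and key in master_defaults and master_defaults[key] != value:
            findings.append((key, "overrides gateway-master.json default"))
        # Example policy (assumption): no clear-text URLs on a production node.
        if production and key in URL_KEYS and any(s.startswith("http://") for s in strings):
            findings.append((key, "plain http:// URL"))
    # Example policy (assumption): production nodes do not run in Development mode.
    if production and props.get("gatewayExecutionMode") == "Development":
        findings.append(("gatewayExecutionMode", "Development mode on a production node"))
    return findings


# Constructed sample, not taken from a real installation.
SAMPLE = """{
  "logicalGateway": "prod-external",
  "gatewayNodeName": "<physical gateway name>",
  "managementServerHost": "http://apip.example.internal",
  "managementServerPort": "443",
  "listenIpAddress": "10.0.0.12",
  "nodeProxy": ["https://proxy.example.internal:3128"],
  "gatewayExecutionMode": "Development"
}"""
MASTER = {"listenIpAddress": "0.0.0.0", "managementServerPort": "443"}  # assumed defaults

if __name__ == "__main__":
    for key, problem in lint_gateway_props(SAMPLE, MASTER, production=True):
        print(f"{key}: {problem}")
```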


Installation Tip 8: Create all gateway admin users prior to installing and have credentials at hand!

Be aware of the users required during installation:

• WebLogic user (for local gateway, not management service): the WebLogic administrator user of the gateway node. This user is created when you run this action. The user is stored in the gateway domain’s local LDAP. When running other actions on this node, you must supply these credentials

• Gateway manager (in management service): the Gateway Manager user that is responsible for managing this gateway. This user must already exist on the Management Portal. This user is issued the Manage Gateway grant when the gateway is created

• Gateway runtime user (in management service): the Gateway Runtime user that is used to download configuration from and upload statistics to the gateway. This user must already exist on the Management Portal. This user is issued the Node Service Account grant when the gateway is created

Create the gateway manager and gateway runtime users before starting installation

Installation Tip 9: Start with step by step installation and then automate

It is possible to do a full installation of a gateway by simply running the command:

./APIGateway -f gateway-props.json -a install-configure-start-create-join

However, doing so will prevent you from fully understanding the installation process and troubleshooting effectively if you run into issues. Better to execute the commands in the following order:

I. Install gateway binaries: ./APIGateway -f gateway-props.json -a install

II. Configure gateway Weblogic domain: ./APIGateway -f gateway-props.json -a configure

III. Start the gateway: ./APIGateway -f gateway-props.json -a start

IV. Create a new logical gateway in the management service: ./APIGateway -f gateway-props.json -a create

V. Join a logical gateway in the management service: ./APIGateway -f gateway-props.json -a join

If you are joining an existing Logical Gateway make sure you have the right Id in the config file


Installation Tip 10: Join won’t happen due to certificate issues

This can happen if the certificate used by the management service is not trusted by your local keystore (i.e. in a BETA version our management service URL was an IP and not a standard cloud URI)

This issue can be resolved by manually downloading the certificate of the management service and then adding it to the local keystore (in our case we added it to the main JRE keystore but there might be a better way)

We did this as follows:

To obtain the server certificate:

openssl s_client -connect <URL to API platform management service> -showcerts > api.cert

To add the certificate into the keystore:

keytool -keystore </path to JRE keystore> -import -file ./api.cert

Then restart the gateway and try to join again
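A check to run between the two commands above, as an added example (not the presenters' code): it pulls the leaf certificate out of the openssl s_client -showcerts output and refuses to hand it on unless its SHA-256 fingerprint matches one obtained out of band. It serves both this tip and the --no-check-certificate download in Tip 3, where the server's certificate is otherwise accepted unseen. The function names, the sample output and the stand-in certificate bytes are constructed for the example.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def extract_certs(s_client_output):
    """Return the PEM blocks in the order s_client printed them (leaf first)."""
    return PEM_BLOCK.findall(s_client_output)


def sha256_fingerprint(pem):
    """SHA-256 over the DER encoding, as colon-separated upper-case hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verified_leaf(s_client_output, expected_fingerprint):
    """Return the leaf certificate as clean PEM, or raise if it is not the pinned one."""
    certs = extract_certs(s_client_output)
    if not certs:
        raise ValueError("no certificate in s_client output")
    actual = sha256_fingerprint(certs[0])
    if actual != expected_fingerprint.strip().upper():
        raise ValueError("fingerprint mismatch, refusing to trust " + actual)
    return certs[0] + "\n"


# Constructed stand-ins: arbitrary bytes wrapped as PEM, not real certificates.
LEAF_DER = bytes(range(0, 96))
CA_DER = bytes(range(96, 192))
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:CN = apip.example.internal\n" + ssl.DER_cert_to_PEM_cert(LEAF_DER)
    + " 1 s:CN = Example Issuing CA\n" + ssl.DER_cert_to_PEM_cert(CA_DER)
    + "---\nServer certificate\n"
)

if __name__ == "__main__":
    # In real use the expected value comes from the platform administrator,
    # out of band; here it is derived from the constructed bytes.
    expected = sha256_fingerprint(ssl.DER_cert_to_PEM_cert(LEAF_DER))
    pem = verified_leaf(SAMPLE_OUTPUT, expected)
    with open("api.cert", "w") as fh:  # clean input for the keytool step
        fh.write(pem)
    print("pinned", expected)
```

The file written this way contains only the certificate, without the handshake text that s_client prints around it. When the pinned certificate is self-signed, the same file can be given to wget with --ca-certificate instead of disabling verification.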


Installation Tip 11: Don’t lockdown the gateway unless you’re sure it’s right!

Once the lockdown command is executed (below) there is no straightforward way to unlock

./APIGateway -f gateway-props.json -a lockdown

For development and test instances perhaps best not to lockdown

Installation Tip 12: Monitoring & API logging policies

We expect the Gateway to run without issue, but it isn’t a perfect world; when things go wrong you need to know what is happening

Gateways will generate log files for…

• Log Policies (separated for different API Apps)

• Gateway component

• WebLogic Managed Server

• Deployment Logs

• Platform Logs

If you have multiple gateways, with multiple API calls in a client App transaction, there is no guarantee they go through the same gateway

When building APIs consider applying tracking Ids, in the same way as SOA Suite & Insights tools do with eCID or Kibana does with X-B3-TraceId header attributes
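What the tracking Id buys you once logs from several gateways are collected in one place, as an added example (not the presenters' code): entries are grouped per client transaction and the first failing call is picked out, whichever gateway served it. The log line layout is an assumption constructed for the example, since the page does not show the log policy's output format; calls without a usable 16 or 32 hex character trace Id are reported separately.

```python
import re
from collections import defaultdict

# Assumed log-policy line layout (constructed for this example):
#   <ISO timestamp> <gateway node> <API path> <HTTP status> trace=<X-B3-TraceId or ->
LINE = re.compile(r"^(?P<ts>\S+) (?P<node>\S+) (?P<api>\S+) (?P<status>\d{3}) trace=(?P<trace>\S+)$")
TRACE_ID = re.compile(r"(?:[0-9a-f]{16}){1,2}")


def correlate(log_lines):
    """Group parsed entries by trace id; return (traces, untraced)."""
    traces, untraced = defaultdict(list), []
    for line in log_lines:
        match = LINE.match(line.strip())
        if not match:
            continue  # not a log-policy line
        entry = match.groupdict()
        trace = entry["trace"].lower()
        if TRACE_ID.fullmatch(trace):
            traces[trace].append(entry)
        else:
            untraced.append(entry)  # header missing or malformed
    for entries in traces.values():
        entries.sort(key=lambda e: e["ts"])  # same-format UTC timestamps sort as text
    return dict(traces), untraced


def summarize(traces):
    """One row per transaction: (trace id, gateways touched, first failing API or None)."""
    rows = []
    for trace_id, entries in sorted(traces.items()):
        nodes = sorted({e["node"] for e in entries})
        failed = next((e for e in entries if int(e["status"]) >= 500), None)
        rows.append((trace_id, nodes, failed["api"] if failed else None))
    return rows


# Constructed log lines from two gateway nodes.
GW_NODE_1 = [
    "2017-10-02T10:15:01.120Z gw-node-1 /customers 200 trace=463ac35c9f6413ad",
    "2017-10-02T10:15:01.900Z gw-node-1 /payments 502 trace=463ac35c9f6413ad",
    "2017-10-02T10:15:02.300Z gw-node-1 /customers 200 trace=-",
]
GW_NODE_2 = [
    "2017-10-02T10:15:01.480Z gw-node-2 /orders 200 trace=463ac35c9f6413ad",
    "2017-10-02T10:15:03.010Z gw-node-2 /orders 200 trace=a3ce929d0e0e4736",
]

if __name__ == "__main__":
    traces, untraced = correlate(GW_NODE_1 + GW_NODE_2)
    for row in summarize(traces):
        print(row)
    print("calls without a trace id:", len(untraced))
```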

[Figure: API consumers make API calls over http(s) to gateway nodes (each with API Gateway, WebLogic Managed Server, Derby DB and bundled software), which make service calls over http(s) to service endpoints.]

Steps to success

4. Conclusions


Conclusions

Define the right architecture for your requirements

• Get inspiration from other architectures (OMESA), but one size doesn’t fit all. Define an architecture right for your needs

• Define your environment strategy suitable for your landscape including process/tools to promote APIs

• Define a clear SDLC – API-first based

Size Your Requirement

• You need to ensure your cloud management database has the necessary storage and capacity

• Your gateway needs space to manage archiving & patching of the gateway along with API logging

• Tune the gateway to make most of memory

Don’t Forget To Make Operations Easy

• If you have a central monitoring tool, hook up all the gateway component logs

• Make API Policy logs easy to see

• Consider adding Trace Ids into headers to allow invocation tracing end to end

Thank you!! … and remember:

“With great APIs comes great responsibility”

The information contained in this presentation is proprietary.

Copyright © 2016 Capgemini and Sogeti. All rights reserved.

Rightshore® is a trademark belonging to Capgemini.

www.capgemini.com

www.sogeti.com

About Capgemini and Sogeti

With more than 180,000 people in over 40 countries, Capgemini is a global leader in consulting, technology and outsourcing services. The Group reported 2015 global revenues of EUR 11.9 billion. Together with its clients, Capgemini creates and delivers business, technology and digital solutions that fit their needs, enabling them to achieve innovation and competitiveness. A deeply multicultural organization, Capgemini has developed its own way of working, the Collaborative Business Experience™, and draws on Rightshore®, its worldwide delivery model.

Learn more about us at www.capgemini.com.

Sogeti is a leading provider of technology and software testing, specializing in Application, Infrastructure and Engineering Services. Sogeti offers cutting-edge solutions around Testing, Business Intelligence & Analytics, Mobile, Cloud and Cyber Security. Sogeti brings together more than 23,000 professionals in 15 countries and has a strong local presence in over 100 locations in Europe, USA and India. Sogeti is a wholly-owned subsidiary of Cap Gemini S.A., listed on the Paris Stock Exchange.