| Author |
Message
|
| kash3338 |
 Posted: Fri Apr 13, 2018 2:50 am Post subject: Push REST API to API Connect |
 |
|
Shaman
Joined: 08 Feb 2009
Posts: 709
Location: Chennai, India
|
Hi,
I am trying to create a sample REST API in IIB and push it to IBM API Connect. In the API Connect, I have done the following,
Created and configured a Secured Gateway (using IBM Secure Gateway)
Created a Destination in the Secure Gateway in API Connect
The Gateway lists the Client (connected from my PC)
Now I got the Host Name of the Management server from the API Connect Dashboard URL (au.apiconnect.ibmcloud.com).
I have deployed my REST API in Integration Node and when I try to "Connect to IBM API Connect" (by providing the Host Name), I get,
| Quote: |
| Unable to connect to IBM API Connect at host 'au.apiconnect.ibmcloud.com' port '443' |
The same Host Name when given in Browser works (opens the API connect home page). Is there any setting within the broker to be done here?
I have tried this using Toolkit, Web User Interface and mqsipushapis. In all cases I get the same kind of error. The error when running the mqsipushapis command is,
| Quote: |
| BIP9353E: An error occurred while connecting to IBM API Connect using the mqsipushapis command. The following error was reported: 'Failure sending request to IBM API Connect: Host 'au.apiconnect.ibmcloud.com' Port '443'.' |
|
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Sat Apr 14, 2018 12:14 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Did you provide the cert signer chain to IIB's truststore? Did you setup IIB for SSL?
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| kash3338 |
| Posted: Sat Apr 14, 2018 2:25 am Post subject: |
|
|
Shaman
Joined: 08 Feb 2009
Posts: 709
Location: Chennai, India
|
| fjb_saper wrote: |
| Did you provide the cert signer chain to IIB's truststore? Did you setup IIB for SSL? |
My REST service is just HTTP and not HTTPS. From where do I get the cert signer in API connect? |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Sun Apr 15, 2018 12:19 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| kash3338 wrote: |
| fjb_saper wrote: |
| Did you provide the cert signer chain to IIB's truststore? Did you setup IIB for SSL? |
My REST service is just HTTP and not HTTPS. From where do I get the cert signer in API connect? |
It should get flowed to your browser... 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| kash3338 |
| Posted: Sun Apr 15, 2018 5:32 am Post subject: |
|
|
Shaman
Joined: 08 Feb 2009
Posts: 709
Location: Chennai, India
|
| fjb_saper wrote: |
| It should get flowed to your browser... |
Even tried getting the cert from Browser and setting it up in Broker. Still no luck. Same issue. I don't think that is required in any case as it is not mentioned in any documentations.
Also, I tried setting the Broker SSLProtocol to 'TLSv1.2' (since the cert info has the protocol mentioned as TLS v1.2 in browser for 'au.apiconnect.ibmcloud.com').
Still no documentation says anything about these settings in Broker for "Pushing REST API to API Connect'. Is there something else to be taken care of? |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Sun Apr 15, 2018 8:52 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
You get
| Quote: |
Unable to connect to IBM API Connect at host 'au.apiconnect.ibmcloud.com' port '443'
|
which tells me you are trying to call API Connect from the broker.
For this you will need
- To connect to the datapower appliance endpoint, not the management server
- Have the signer chain in the truststore on the broker (hint the port is 443 so the conversation is SSL/ TLS
- If 2 way SSL/TLS, you will also need to provide the broker with its own SSL/TLS key
Good luck
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| kash3338 |
| Posted: Sun Apr 15, 2018 10:31 pm Post subject: |
|
|
Shaman
Joined: 08 Feb 2009
Posts: 709
Location: Chennai, India
|
| fjb_saper wrote: |
You get
| Quote: |
Unable to connect to IBM API Connect at host 'au.apiconnect.ibmcloud.com' port '443'
|
which tells me you are trying to call API Connect from the broker.
For this you will need
- To connect to the datapower appliance endpoint, not the management server
- Have the signer chain in the truststore on the broker (hint the port is 443 so the conversation is SSL/ TLS
- If 2 way SSL/TLS, you will also need to provide the broker with its own SSL/TLS key
Good luck |
I have gone through many articles on "How to push API's from IIB Broker to API connect" and none of them have mentioned about using Datapower. As per all the links, the procedure is very simple. The Management server Host should be taken from the API Connect service URL (which is 'au.apiconnect.ibmcloud.com').
Some of the articles in IBM developerWorks which explains the procedure to connect to API connect,
Even the Infocenter does not mention about using the Datapower URL and it just says Enter the connection details for your IBM API Connect server in the Host and Port fields and nothing related to Datapower gateways.
I checked the same on An Architectural and Practical Guide to IBM Hybrid Integration Platform Redbook, even there it is mentioned that,
| Quote: |
The Push REST APIs to IBM API Connect window is displayed, in which you define your connection to the API Connect instance in your Bluemix organization. Enter the connection details for your IBM API Connect server in the Host and Port fields. The Host depends on which region of Bluemix you are using (Table 5-9). The port is 443.
The table values are,
US South - us.apiconnect.ibmcloud.com
Sydney - au.apiconnect.ibmcloud.com
United Kingdom - eu.apiconnect.ibmcloud.com |
|
|
| Back to top |
|
|
| abhi_thri |
| Posted: Mon Apr 16, 2018 12:07 am Post subject: |
|
|
Knight
Joined: 17 Jul 2017
Posts: 516
Location: UK
|
| Have you checked whether the firewall allows the connection from the IIB server in the first place? i.e does 'telnet au.apiconnect.ibmcloud.com 443' work from the IIB node? |
|
| Back to top |
|
|
| kash3338 |
| Posted: Mon Apr 16, 2018 12:15 am Post subject: |
|
|
Shaman
Joined: 08 Feb 2009
Posts: 709
Location: Chennai, India
|
| abhi_thri wrote: |
| Have you checked whether the firewall allows the connection from the IIB server in the first place? i.e does 'telnet au.apiconnect.ibmcloud.com 443' work from the IIB node? |
Telnet from IIB Server works for 'au.apiconnect.ibmcloud.com 443'. Even I am able to access the IBM Cloud server (au.apiconnect.ibmcloud.com) from my Web Browser.
The issue comes only when I try to connect from my IIB Node. I tried using the Toolkit, Web User Interface and mqsipushapis command. All 3 options gives the same error:
| Quote: |
| Unable to connect to IBM API Connect at host 'au.apiconnect.ibmcloud.com' port '443' |
|
|
| Back to top |
|
|
| fjb_saper |
| Posted: Mon Apr 16, 2018 7:35 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
You are right for the push / publish. It goes to the management server.
But we're not talking about the publish of the API now are we? We are talking about invoking it once it's been published!
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| kash3338 |
| Posted: Mon Apr 16, 2018 7:46 pm Post subject: |
|
|
Shaman
Joined: 08 Feb 2009
Posts: 709
Location: Chennai, India
|
| fjb_saper wrote: |
You are right for the push / publish. It goes to the management server.
But we're not talking about the publish of the API now are we? We are talking about invoking it once it's been published! |
I thought I was clear in my query
My problem is in Push / Publish of REST API from on-premise IIB 10.0.0.11 to API Connect. My question in my first post in this thread was,
| Quote: |
Hi,
I am trying to create a sample REST API in IIB and push it to IBM API Connect.
......
......
I have deployed my REST API in Integration Node and when I try to "Connect to IBM API Connect" (by providing the Host Name), I get,
| Quote: |
Unable to connect to IBM API Connect at host 'au.apiconnect.ibmcloud.com' port '443' |
|
|
|
| Back to top |
|
|
| fjb_saper |
| Posted: Mon Apr 16, 2018 8:03 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| kash3338 wrote: |
| fjb_saper wrote: |
You are right for the push / publish. It goes to the management server.
But we're not talking about the publish of the API now are we? We are talking about invoking it once it's been published! |
I thought I was clear in my query
My problem is in Push / Publish of REST API from on-premise IIB 10.0.0.11 to API Connect. My question in my first post in this thread was,
| Quote: |
Hi,
I am trying to create a sample REST API in IIB and push it to IBM API Connect.
......
......
I have deployed my REST API in Integration Node and when I try to "Connect to IBM API Connect" (by providing the Host Name), I get,
| Quote: |
Unable to connect to IBM API Connect at host 'au.apiconnect.ibmcloud.com' port '443' |
|
|
my bad I thought the push was done and you were trying to invoke it.
Obviously you are required to use SSL / TLS (port 443). Verify the default truststore for the java running the deploy to cloud process. You might want to check it, running it with -Djavax.net.debug=all and see where it looks for the truststore. Then make sure the truststore has the cert chain of the management server.
Hope it helps
_________________
MQ & Broker admin
Last edited by fjb_saper on Tue Apr 17, 2018 2:24 am; edited 2 times in total |
|
| Back to top |
|
|
| kash3338 |
| Posted: Mon Apr 16, 2018 10:48 pm Post subject: |
|
|
Shaman
Joined: 08 Feb 2009
Posts: 709
Location: Chennai, India
|
| fjb_saper wrote: |
my bad I thought the push was done and you were trying to invoke it.
Obviously you are required to use SSL / TLS (port 443). Verify the default truststore for the java running the deploy to cloud process. You might want to check it, running it with -Djavax.net.debug=all and see where it looks for the truststore. Then make sure the truststore has the cert chain of the management server.
Hope it helps |
I have set the SSL cert of API Connect Management server (by exporting the cert from browser when accessing the site 'au.apiconnect.ibmcloud.com').
The mqsireportproperties on my BrokerRegistry looks like below,
| Quote: |
BrokerRegistry
uuid='BrokerRegistry'
brokerKeystoreType='JKS'
brokerKeystoreFile='C:\Program Files\IBM\IIB\10.0.0.7\TESTNODE_Kashyap.jks'
brokerKeystorePass='brokerKeystore::password'
brokerTruststoreType='JKS'
brokerTruststoreFile='C:\Program Files\IBM\IIB\10.0.0.7\common\jdk\jre\lib\security\cacerts'
brokerTruststorePass='brokerTruststore::password'
brokerCRLFileList=''
httpConnectorPortRange=''
httpsConnectorPortRange=''
brokerKerberosConfigFile=''
brokerKerberosKeytabFile=''
allowSSLv3=''
allowSNI=''
reenableTransportAlgorithms=''
reenableCertificateAlgorithms=''
mqCCDT=''
modeExtensions=''
operationMode='advanced'
adminMessageLogging=''
productFunctionality=''
mqKeyRepository=''
dataCapturePolicyUri='/apiv1/policy/DataCapture/default'
shortDesc=''
longDesc=''
|
The Broker SSL Protocol is set to TLS. But still same issue. Also, I do not see any of these SSL cert configurations mentioned in any of the links I had pointed above. Is there something else that I am missing? |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Tue Apr 17, 2018 2:28 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
You may not be setting it where you need. The broker is not your push tool. It is either the toolkit or the broker's web api. So the broker's web api server needs to have the cert chain in it's cert store which might be different from the broker's cert store!
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| kash3338 |
| Posted: Tue Apr 17, 2018 5:20 am Post subject: |
|
|
Shaman
Joined: 08 Feb 2009
Posts: 709
Location: Chennai, India
|
| fjb_saper wrote: |
| You may not be setting it where you need. The broker is not your push tool. It is either the toolkit or the broker's web api. So the broker's web api server needs to have the cert chain in it's cert store which might be different from the broker's cert store! |
Finally! Looks like the problem is because of using my IBM Intranet ID rather than an IBM ID. I tried creating another IBM Cloud Account using my IBM ID (personal mail id) and when I tried to "Push" the API to that account, it worked!
But for some reason, when I try to "Push" the API to the API Connect cloud account (created from my IBM Intranet ID), it fails with this error. So, will this be the actual problem? Should I raise a PMR for this? |
|
| Back to top |
|
|
|
|
