AppLogic29 Web
AppLogic 2.9 Documentation The latest production release is AppLogic 3.0.30 WS_API - AppLogic Web Services API Application.
Latest Version: 1.0.4-1 BETA (available for AppLogic 3.0.x+ grids only) The Web Service API is only available in the AppLogic 2.9 limited availability release and later versions.
Functional Overview
The WS_API application provides a web service interface to one or multiple AppLogic grids through a Representational State Transfer (REST) based service. Any one of the following access methods can be used with the WS_API REST interface:- HTTP : Simple HTTP based REST API calls.
- HTTPS : Secure HTTP based REST API calls.
- VPN : HTTP requests are sent through a secure VPN tunnel.
AppLogic Web Services 'WS_API' Application Boundary Properties
| Property Name | Type | Description |
|---|---|---|
usr_ip | IP | This is the IP address at which the WS_API application provides services to users through HTTP or HTTPS based requests. This property is mandatory |
net_ip | IP | This is the IP address that is used by the WS_API application to access any public network address. This property is mandatory. |
netmask | IP | Network mask for the network on which vpn_ip, usr_ip and net_ip reside. This property is mandatory. |
gateway | IP | Address of IP gateway to be used to route traffic. This property must be specified in order to access the WS_API application from hosts outside of the IP network on which WS_API is running (i.e., most cases). Use 0.0.0.0 to disable. This property is mandatory. |
dns1 | IP | IP address of a DNS server for host name resolutions. This property is mandatory. |
dns2 | IP | IP address of a backup DNS server for host name resolutions. Default: 0.0.0.0. |
allowed_hosts | String | Allowed IP address or range of IP address's in CIDR format. Default: 0.0.0.0/0; (allow all) |
http_mode | String | This specifies what kind of HTTP requests are served by the API on the usr_ip. Valid values: https, http, both. If set to http, simple HTTP based requests are served by the API. When set to https only Secure HTTP requests based on SSL v3.0 encryption are served by the REST API. If set to both all HTTP and HTTPS requests are served. Default: https. This property is effective only for requests that are served using the in appliance (i.e. has no effect when VPN is used). If the mode is set to http, please be aware that all the traffic is plaintext. It is highly recommended to set allowed_hosts property for the IPs that will be issuing API requests. |
opts | String | Parameters for SSL configuration may be provided to the application through the opts property. Additionally, number of days for which completed jobs should be retained can also be specified. The parameters are specified as a comma-separated name=value pairs. It is not required to set this property in simple HTTP mode i.e. when http_mode=http. Default: empty (not used). If any of the arguments are not specified, then an empty value is assumed. ssl_country - The name of the country to be used in the generated SSL certificate. ssl_state_province - The name of the state or province to be used in the generated SSL certificate. ssl_locality - The name of the locality to be used in the generated SSL certificate. ssl_org_name - The name of the organization to be used in the generated SSL certificate. ssl_org_unit - The name of the organization unit to be used in the generated SSL certificate. ssl_common_name - The name or the URL to be used in the Common Name field in the generated SSL certificate. ssl_email_address - The email address to be used in the generated SSL certificate. ssl_export_pass - The password to be used for pkcs12 formatted client certificate to be imported into client Web Browser. max_job_age - The maximum number of days for which completed jobs should be retained by the API before removing them. These are the jobs for which either job info has not been executed after they have completed or noautocomplete=1 was specified in the job info request. Default: 3 days |
vpn_ip | IP | This is the IP address at which the WS_API application provides services to the users through a secure VPN tunnel. Default: empty. |
vpn_ports | String | List of ports to access the web services API. These ports will be allowed through the VPN tunnel and firewall rules. Ports 80,443 are typically all that is needed Default: 80,443 |
vpn_type | String | Type of the VPN tunnel to establish. Possible values are:certificate - A VPN tunnel is established using SSL client and server certificates for authentication and encryption with OpenVPN. The server certificate is generated automatically if not present; the client certificate must be generated manually with the /appliance/security.sh script located on the in_vpn appliance in the /server/ subdirectory of the conf volume and copied into the remote VPN client appliance inside the /client/ subdirectory on the data volume or nfs-mounted volume. shared secret - A VPN tunnel is established using a shared secrets file with OpenVPN. This file is automatically generated on the in_vpn appliance if not already present and is located in the /server/ subdirectory of the conf volume as secret.key. This file must be copied on the remote client VPN appliance into the /client/ subdirectory on the data volume or nfs-mounted volume. ssh key - An SSH tunnel is established using OpenSSH key files for authentication. Key files are generated on the in_vpn appliance in the /server/ subdirectory of the conf volume. The client key file must be copied into the /client/ subdirectory of the data volume or nfs-mounted storage in the remote VPN client appliance. ipsec shared secret - IPSec tunnel is established between the in_vpn and the remote VPN client appliance. The first line of the file specified by the vpn_authpath property is used as a shared key. ipsec certificate - IPSec tunnel using certificates is established between instances of the in_vpn and remote VPN client appliance. The server certificate is generated automatically if not present or may be generated with the /appliance/security.sh script in the /server/ subdirectory of the conf volume; the client certificate must be generated manually with the /appliance/security.sh script located on the in_vpn appliance and copied into the /client/ subdirectory on the data volume or nfs-mounted volume of the remote VPN client appliance. Default: certificate. |
vpn_authpath | String | Authentication information for the tunnel. For the shared secret mode of operation, this is a relative path to the shared secrets file on the data volume (ex. "secret.key" for a "client/secret.key" file). If the tunnel is ssh key, this property indicates the path, including filename, to the ssh public (for VPN server) or private (for VPN client) key file (e.g. "/1/ssh.key" for a /client/1/ssh.key public key file). Default: empty |
vpn_standby | Int | Specifies whether VPN access is enabled on application start. If non-zero, VPN access is disabled, otherwise it is enabled. The VPN access can be enabled/disabled at runtime by manually starting/stopping the VPN appliance. Default: 1 (VPN access is disabled). |
in_standby | Int | Specifies whether access to the REST API is permitted through regular HTTP or HTTPS based connections. When this property is set to 1 and vpn_standby is set to 0 only VPN tunnel based access is permitted. Access through in can be enabled/disabled at runtime by manually starting/stopping the in appliance. Default 0 (regular HTTP and HTTPS access is enabled). |
mon_standby | Int | Determines whether application monitoring is disabled upon application start for the application. If non-zero, monitoring is enabled, otherwise monitoring is disabled. The monitoring can be enabled at runtime by manually starting the mon appliance. Default: 1 (monitoring is disabled). |
The IP addresses configured in the vpn_ip, usr_ip and net_ip properties must be IP addresses available on your AppLogic grid. You can find them, together with the netmask, gateway and dns servers on the dashboard of your grid. We are working to make it possible for AppLogic to provide these addresses automatically.
Application Resources
"WS_API" Application
| Resources | Min | Max | Default |
|---|---|---|---|
| CPU | 0.55 | 76 | 1.1 |
| Memory | 104 MB | 134 GB | 1.562 GB |
| Bandwidth | 7 Mbps | 12.5 Gbps | 730 Mbps |
Application Volumes
The application itself uses several volumes. They are part of the application and are already configured into the appliance instances. There are no volumes that need to be configured on the application boundary.| Volume | Size | Description |
|---|---|---|
code | 50M | This volume is used to store the API application's code and scripts. This volume is assigned to the WEB5 appliance. By default, a populated volume called 'code' is supplied for this application to use. |
log_data | 50M | This volume is used to store logging data for the API server. It is also used to store temporary files required by the API application. This volume is assigned to the NAS appliance. By default, a populated volume called 'log_data' is supplied for this application to use. |
conf | 50M | This volumes is used to store all the configuration data for the Web Service API application. This includes the "vdcs.conf" that is populated by the user to contain information about remote grids, ssh key created by the user used to access the remote grid, SSL certificates generated by the API application used to access the API through the HTTPS interface, and VPN server side certificates created by user used to access the API through the VPN interface. This volume is assigned to a NAS appliance. By default, a populated volume called 'conf' is supplied for this application to use. |
mon | 50M | This volume is used to store monitoring data for the application. There is no reason for the user to access/modify this volume; this volume is used internally by the MON appliance. By default, a volume called 'mon' is supplied to store the application monitoring data. |
Operation
Before starting the WS_API application, it needs to be configured to access the grids that are going to be managed through the web service interface. This involves creating avdcs.conf file inside the data sub-directory on the conf volume. A pair of private/public keys need to be created and a user needs to be setup on the targeted grid controller with the generated public key. For information on how to populate vdcs.conf and how to setup ssh keys and create a grid user for the web service API please see the configure section.
The WS_API can be configured to work in one or a combination of the following modes:
Using HTTP
In this mode, the AppLogic REST API can be accessed through the regular HTTP based interface.E.g.
curl "http://usr_ip/api/v1/app/list?vdc=controller_name".To start the application to work in this mode, it is required to set the mandatory properties to appropriate values and the
http_mode property to http. For more information on how to set the application up to work in this mode please refer to the configure section.
Using HTTPS
In this mode, the AppLogic REST API can be accessed through the Secure HTTP based interface.E.g.
curl -k -E /path/to/client_key.pem "https://usr_ip/api/v1/app/list?vdc=controller_name".To start the application to work in this mode, it is required to set the mandatory properties to appropriate values and the
http_mode property to https. You may also set the ssl_opts property with the options shown in the properties table above in order for your certificate to be signed accordingly. After the application is started successfully, the client certificates must be copied from the ssl_keys/keys subdirectory within the conf volume to the client application or browser to be used to access the WS_API. For more information on how to set the application up to work in this mode please refer to the configure section.
Using vpn tunnel
In this mode, a secure VPN tunnel is created between thein_vpn VPN server within the application and a VPN client on the client side. Once the tunnel is successfully created using one of the different VPN tunneling types available, the AppLogic REST API can be accessed through the regular HTTP based interface. E.g.
curl "http://usr_ip/api/v1/app/list?vdc=controller_name".To start the application to work in this mode, it is required to set the mandatory properties to appropriate values, set the
vpn_ip property and set the vpn_standby to 0. By default, vpn_ports is set to 80,443 in order to allow connections to ports 80 and 443 (http and https respectively) and vpn_type is set to certificate to allow a VPN client to connect to the VPN server in the application using a SSL certificate based tunnel. You may also set the in_standby property to 1 so that only requests through the VPN tunnel are allowed. Any API requests from outside of the VPN tunnel are dropped. For more information on how to set the application up to work in this mode please refer to the configure section.
Application Architecture
AppLogic Web Services 'WS_API' application infrastructure is show below:
It has the following components:
- one firewaled input gateways - supports HTTP and HTTPS based requests
- one VPN server - serves API requests through a secure tunnel to the VPN client on the client side
- a web server - serves REST API requests
- a centralized configuration file storage
- a centralized log - collects log and stores temporary data
- a firewalled net gateway to connect with grids
- a monitoring appliance
Configure
This section describes how to configure the WS_API application to start in one of the three different modes of operation. Provision the WS_API using theapp provision wizard in the AppLogic GUI or use the app provision command in the shell, do not set any properties yet. Make sure the wizard is configured not to start the application after provisioning or use the --skipstart option if the command line is used. app provision WS_API ws_api_instance --skipstart
Next, manage the conf volume of the application:vol manage ws_api_instance:conf
In the data sub-directory, make sure a file called vdcs.conf exists.cd /mnt/vol/data
ls vdcs.conf
This file consists of information necessary to access the grids that will be managed through the REST API. Open the file using the vi text editor:vi vdcs.conf
Edit the file using the template as a reference:
vdcs
{
vdc controller_name : host = controller_ip or FQDN
{
location = "city, state, country"
latitude = latitude
longitude = longitude
}
# vdc controller_name : host = controller_ip or FQDN
# {
# location = "city, state, country"
# latitude = latitude
# longitude = longitude
# }
}
Simply enter the relevant information for the grids that will be accessed with the API. To add information for an additional grid, uncomment the lines (remove the #) and add the information for the second grid. More grids can be added by repeating vdc block within the vdcs {...} section. Also note that setting values for latitude and longitude is optional. Save and exit the text editor.
Next, generate a public/private key pair for ssh access to the grids configured in the vdcs.conf. To generate the key pair:
ssh-keygen -t dsa -f /mnt/vol/data/gridkey
When prompted to enter a password press enter. DO NOT ENTER A PASSWORD.
chmod 600 /mnt/vol/data/gridkey*
chown 99:99 /mnt/vol/data/gridkey*
Using the public key created above i.e. gridkey.pub create a user on each of the grids configured in vdcs.conf. Copy the public key:cat /mnt/vol/data/gridkey.pub
On each of the grids, create an API user with this key as sshkey:user create api@domain.com pwd=- sshkey="ssh-dsa AAA.................xyz"
After the user is created exit the volume manager. The application boundary can now be configured to work in either one of the three operating modes:
HTTP mode
To configure the application in HTTP mode, set thehttp_mode property to http along with setting the mandatory properties to appropriate value. E.g.app config ws_api_instance usr_ip=usr-ip net_ip=net-ip netmask=netmask gateway=gateway dns1=dns1 dns2=dns2 http_mode=http
The application may now be started using the app start command or by using the "Start Application" button in the GUI.
Note - This mode should be used with utmost caution. There is no security check involved in this mode and anybody can create an API request without any authentication. Also all the traffic between the client and the ws_api_instance application is in plaintext.
HTTPS mode
To configure the application in HTTPS mode, thehttp_mode property is set to https (default) and the mandatory properties are set to appropriate values. Additionally, the ssl_opts property may be set to generate a custom SSL certificate. If ssl_opts is left blank then, a generic SSL certificate is generated on application start. The http_mode and the allowed_hosts property settings can be left set to their default values. E.g.app config ws_api_instance usr_ip=usr-ip net_ip=net-ip netmask=netmask gateway=gateway dns1=dns1 dns2=dns2 ssl_opts=ssl_country=Country,ssl_state=State,ssl_local=City,ssl_org_name=Organization,ssl_org_unit=Unit,ssl_common_name=Common Name,ssl_email_address=company@domain.com,ssl_export_pass=Passkey
The application may now be started using the app start command or by using the "Start Application" button in the GUI.
The first time the application is started, a PEM formatted client key consisting of the client certificate and private key called api_client.pem and a PKCS12 formatted equivalent key for browsers called api_client.p12 is created in the ssl_keys/keys sub-directory of the conf volume. The api_client.p12 key file can be used for any browser
based API access amd the api_client.pem key for any non-browser based API accesss.
To generate any additional client certificates, please follow the steps below: - Log in to the
main.api_srvcomponent of runningws_api_instance. - Change directory to
/mnt/config/ssl_keys - Generate a private key for a 'api' user account.
openssl genrsa -out keys/api_client2_privkey.pem 2048 - Generate a certificate signing request for the CA to sign.
openssl req -new -key keys/api_client2_privkey.pem -out keys/api_client2_request.csr - Sign the CSR with our CA.
openssl x509 -req -days 365 -in keys/api_client2_request.csr -CA CA/CA_cert.pem -CAkey CA/private/CA_key.pem -CAserial CA/CA_cert.srl -out keys/api_client2.cer -
catthe api_client2_a.pem and cert into one for use as a command line SSL/PEM key.cat keys/api_client2_privkey.pem keys/api_client2.cer > keys/api_client2.pem - Export the key in a format that can be used by common web browsers.
openssl pkcs12 -export -in keys/api_client2.cer -inkey keys/api_client_privkey2.pem -out keys/api_client2.p14
VPN mode
To configure the application in VPN mode, thevpn_ip is set to a desired IP address and the vpn_standby is disabled i.e. set to 0. Further, in order to restrict access through VPN set in_standby to 1. E.g. app config ws_api_instance usr_ip=usr-ip vpn_ip=vpn-ip net_ip=net-ip netmask=netmask gateway=gateway dns1=dns1 dns2=dns2 vpn_standby=0 in_standby=1
The application may now be started using the app start command or by using the "Start Application" button in the GUI.
After the application starts, the VPN server appliance generates necessary server certificates and key files if these files are not already present. Log in to the appliance and execute the security.sh script located in /appliance directory to generate the client certificates and key.
[ws_api_instance:main.in_vpn appliance]# ./security.sh generate_client
Generated client SSL cerfiticate and key file.
==============================================
These files, with CA certificate file, should be copied to VPN server into
/client/ subdirectory of data volume or fs-mounted volume.
Path to client files (client.a1c65e2bae3d0b57) should be specified in auth_path property.
Location of files:
client certificate: /mnt/fs/server/client.a1c65e2bae3d0b57.crt
client key file: /mnt/fs/server/client.a1c65e2bae3d0b57.key
CA certificate file located at /mnt/fs/server/ca.crt
conf volume. These may be copied into the remote VPN client appliance inside the /client/ subdirectory on the data volume or nfs-mounted volume.
Notes
Open source and 3rd party software used
The following open source 3rd party software is installed on theconf volume.
| Software | Version | Modified | License | Notes |
|---|---|---|---|---|
| JSON | 2.15 | No | Artistic | N/A |
| IPC-Run | 0.82 | No | Artistic | N/A |
| XML-Simple | 1.40 | No | Artistic | N/A |
| Sort-Naturally | 1.02 | No | Artistic | N/A |
Related Documents
Questions and Comments
To post questions and/or comments for the WS_API application, visit our forum.
-- ApoorvaKulkarni - 06 Aug 2010 |
|
Copyright © CA 2005-2012. All Rights Reserved.