The default configuration of the CA API Gateway is optimized for handling messages in the range of 1 to 50 kilobytes. There are a several specific changes that are required for tuning the Gateway appliance to handle larger messages.
Several settings and configuration files must be changed in order to meet this use case:
- The amount of system memory allocated to Java application.
- Cluster-wide properties that negotiate various maximum data sizes.
- Certain policy changes to limit message sizes.
Java memory allocation
- Log in to the API Gateway appliance as the ssgconfig user.
- Select Option #3: Use a privileged shell (root).
- Open /opt/SecureSpan/Gateway/runtime/etc/profile.d/appliancedefs.sh in a text editor.
- Modify the file to appear as below (starting at line #29 as of version 8.0.0 of the Gateway):
#if [ `expr $java_ram \> 2074412` == 1 ] ; then
# ? ?if [ $usebigmemory -eq 1 ]; then?
# ? ? ? ? ? ?# we have more ram than java can use?
# ? ? ? ? ? ?# FIXME: when we start running 64 bit JVM?
# ? ? ? ? ? ?java_ram=2074412;
# ? ? ? ? ? ?# CAP at 2 gigs
# ? ?else ? ?
# ? ? ? ?java_ram=4194304;
# ? ?fi
- Save the file and exit the text editor
- Restart the Gateway application
Log in to the CA API Gateway Policy Manager as an administrative user.
Open the Manage Cluster-Wide Properties task
Add or edit the following properties:
There are also three additional cluster-wide properties that need to be set with customized values:
- io.signedPartMaxBytes = 0
- io.xmlPartMaxBytes = 0
- request.compress.gzip.allow = true
- response.compress.gzip.allow = true
template.partBodyMaxSize specifies the maximum amount of memory to use for storing message parts. The value of this property should meet or exceed the maximum expected size of an individual message part. Setting this property to a value that exceeds the total size of the message should be sufficient.
attachment.diskThreshold specifies the maximum size of a message attachment to store in memory before stashing it to disk. If a message attachment exceeds the size of this value then the attachment will be stashed to disk. This value should meet or exceed the maximum total size of any individual message attachments for MTOM or Soap With Attachments.
io.httpParamsMaxFormPostBytes maximum number of bytes to buffer when processing an HTTP form post. Technical Note: The io.httpParamsMaxFormPostBytes cluster property replaces the former com.l7tech.message.httpParamsMaxFormPost system property. However if the system property is set, it overrides this cluster property.
In some circumstances, it may be necessary to change one or more service policies or global policy fragments to minimize the risk of globally increasing the maximum message and attachment thresholds.?There are a few factors that are at play with respect to this behavior and what should be changed. The following items must be taken into consideration:
- The current value of io.xmlMaxPartBytes?
- The current use of the Limit Message Size assertion?
- Whether or not Perform WS-Security Processing is enabled for a particular service?
- Whether or not the service policy acts upon the request or response message?
If the service policy acts upon a request or response message that exceeds io.xmlMaxPartBytes then the request will fail. Acts upon includes but is not limited to: Any threat protection assertion, XPath evaluation, regular expression evaluation, message transformation. This limitation is overridden by using Limit Message Size assertion. The Gateway will enforce the message size on a per-service basis as long as that assertion is used. The assertion is overridden by enabling "Perform WS-Security Processing..." within the Service Properties dialog. If this is enabled then io.xmlMaxPartBytes overrides the value of Limit Message Size assertion. This occurs because the WS-Security processing specified above occurs before the service policy itself (and before Limit Message Size would take over as the authority).?
Below are some examples to illustrate the interaction of these changes:
- If a service policy streams the request or response and does not act upon the message then the Gateway does not limit the size of a message. Assertions?are only necessary to shield a protected service from attack relying upon message size.
- If a service policy performs message transformation or evaluation then the policy should?use the Limit Message Size assertion to set the maximum size on a per-service basis.?
- If a Gateway will always handle large messages and inspect, evaluate, or transform the request or response--regardless of the published service being consumed--then?set io.xmlMaxPartBytes to an adequately large number.?
- If a service on the Gateway requires WS-Security processing then set io.xmlMaxPartBytes to an adequately large number.?
- If multiple services on the Gateway?require WS-Security processing then publish a "pre-security" global policy fragment and add the Limit Message Size assertion.?