The Jitterbit Private API Gateway is a local gateway for running custom APIs using our API Manager directly from your own servers. This provides for additional security and control beyond the standard security functions described in our Jitterbit Security and Architecture White Paper.
Using a Jitterbit Private API Gateway provides these advantages:
- Domain Name: The base API endpoint URL can be configured to be a subdomain of a domain name you control, rather than a subdomain of jitterbit.net.
- Internal Network: The Private API Gateway and its Agents can be restricted solely to an internal network behind a firewall and not be accessible from the Internet.
- Payload Security: All API request and response payloads—including the HTTP body, headers, and URL parameters—never pass through Jitterbit's systems.
- Control: You have control over the Private API Gateway’s hardware and software environment, ensuring that it meets your company's standards.
For information on custom APIs, see API Manager.
To properly support the Private API Gateway, hardware and software must meet these requirements:
- Linux server running 64-bit Redhat/CentOS 7, Amazon Linux AMI (Amazon EC2 supported), or Ubuntu 16
  NOTE: It may be possible to use other Linux distributions, but these are not supported by Jitterbit at this time. As each distribution of Linux can vary, the instructions for installing the Private API Gateway on other Linux distributions may be different than shown here.
- Minimum server hardware specifications:
  NOTE: Hard drive speed and space are critical components of the Private API Gateway since request and response payloads are stored on the server during API transactions.
  - Quad-core processor
  - 8 GB RAM
  - 50 GB hard drive space free
  - 50 megabytes/second transfer rate on the hard drive
- High-speed Internet connection
- Either direct hardware installation, or installation on a virtual machine from VMWare, VirtualBox, Amazon AWS, or Rackspace that is configured for the specific Linux version outlined above
- Optimal configuration of the system and overall environment running the Private API Gateway
  NOTE: If not optimally configured, sporadic and unpredictable problems can result from network issues, poor disk I/O, limited or out of memory issues, limited or out of disk space, power failures, or abrupt system restarts.
- Sub-domain/domain name, pointed to the server (for example,
- Valid SSL certificate for the sub-domain, from a recognized certificate authority:
  - Do not use a self-signed certificate
  - Certificate should consist of two files: a CRT file (.crt) for the signed certificate and a KEY file (.key) for the private key
  - These certificate files should be in the PEM format that an NGINX server can understand
  - Sometimes the file extensions are different; often CRT, PEM, and CER extensions are interchangeable
  - It is also possible that the two files are combined into a single PFX file; in that case, use OpenSSL to extract the two files
  - Remember to monitor certificate expiration dates!
  - Contact your certificate provider for additional information
  - Free SSL certificates are available from providers such as Let's Encrypt
- As of Jitterbit Harmony version 10.3, by default the Private API Gateway no longer supports Transport Layer Security (TLS) 1.0. For concerns or to change this default setting, contact Jitterbit Support.
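The certificate requirements above (PEM files, a key that belongs to the certificate, no self-signed certificate, expiry monitoring, and PFX extraction with OpenSSL) can be checked before the files are installed. The following is an added example, not part of Jitterbit's documentation or tooling; the function names and the PFX_PASS environment variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Jitterbit tooling): pre-install checks for the certificate
# requirements above. All file names are supplied by the caller.

# Split a PFX bundle into a PEM certificate and an unencrypted PEM private key.
# The PFX password is read from the PFX_PASS environment variable (assumption).
split_pfx() (
    umask 077   # keep the extracted private key readable by its owner only
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PFX_PASS 2>/dev/null |
        openssl x509 -out "$2" &&
    openssl pkcs12 -in "$1" -nocerts -nodes -passin env:PFX_PASS 2>/dev/null |
        openssl pkey -out "$3"
)

# True when the certificate and the private key carry the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when subject and issuer are the same name, which is how a
# self-signed certificate looks.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# check_gateway_cert CERT KEY [DAYS]: returns 0 only if every check passes.
check_gateway_cert() {
    cert=$1 key=$2 days=${3:-30} rc=0
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
       ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: $cert is not a PEM certificate"; return 1
    fi
    if ! key_matches_cert "$cert" "$key"; then
        echo "FAIL: $key does not belong to $cert"; rc=1
    fi
    if is_self_signed "$cert"; then
        echo "FAIL: $cert is self-signed"; rc=1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "FAIL: $cert expires within $days days"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $cert passes all checks"; fi
    return "$rc"
}
```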
After confirming the above requirements are met, follow these instructions to set up the Private API Gateway.
Step 1: Obtain a Private Gateway Account
- Contact Jitterbit Support and submit a support request for obtaining access to the Jitterbit Private API Gateway software
- We recommend that you request a dedicated account (not tied to a person) for the Gateway, as any changes to the account (password, enabling SSO or TFA) can impact the operation of the Gateway
- Download information (including the URL to the download file location for the software) will be included in a response from Jitterbit Support. The download files are also available through the Management Console Downloads page.
- During configuration of the Private API Gateway, you'll need to know which region your Jitterbit Org is located in: NA, EMEA, or APAC. See Finding My Region if you are unsure.
Step 2: Set Up the API Gateway Machine
Set up a new Linux machine. It is recommended that the machine be dedicated for use by the Private API Gateway only.
NOTE: If installing CentOS from scratch, we recommend using the Compute Node with these options included:
- Debugging Tools
- Hardware Monitoring Utilities
- Compatibility Libraries
- Development Tools
- Security Tools
NOTE: If installing Ubuntu or Debian, install with the defaults and include the OpenSSH server so that you can log into the machine remotely.
In many Linux environments, the firewall automatically blocks the HTTPS port (443) required for the Private API Gateway.
To open the HTTPS port, use these commands as appropriate:
- Point the sub-domain/domain to the machine's IP address.
- Confirm that you can SSH into the machine using an SSH client.
Step 3: Install the Private API Gateway Software
To install the Private API Gateway software, log into your machine via SSH and run the commands appropriate for your version of Linux. Note that the actual download link and downloaded file will vary depending on the release and will be in your registration information. The download files are also available through the Management Console Downloads page. Adjust the paths and filename accordingly:
Step 4: Install the SSL Certificate Files
The Private API Gateway requires that the certificate files for the machine be named
nginx.key and be copied to these locations:
Step 5: Configure the Private API Gateway
To complete the installation, run this command (as root) to configure the Private API Gateway:
The Private API Gateway provides help on the command line:
You can either provide all of the required information on the command line or, by starting the command without any options, enter into an interactive session that will prepare the Private API Gateway configuration file and then offer to start the Gateway.
Output from the configuration utility will be similar to the following. Answer the questions as prompted, with your username for the Private API Gateway account, its password, region (NA, EMEA, or APAC), services URL (if different than the default), org ID (if different than the default for that account), and desired configuration for DNS:
Installation and configuration of the Private API Gateway is now complete. If you answered "Y" to the last question, the Gateway should be up and running.
If the installation was successful, you can now access your APIs using the Private API Gateway. No further configuration is necessary; all APIs in the organization should now be accessible using the Private API Gateway.
Step 6: Successful Private API Gateway Startup
A successful Private API Gateway startup will look similar to this:
Testing the Private API Gateway
Once the Private API Gateway is installed, you'll want to test it out.
Before testing the Private API Gateway, create a valid Jitterbit Custom API (or use a pre-existing one). Test the API using the Jitterbit-based URL first.
A Cloud-based URL will be similar to:
Once that API is confirmed to be working properly, you can use it to test a Private API URL. Using your subdomain/domain, replace the Jitterbit domain and subdomain, retaining the same path.
The equivalent Private API URL for the subdomain (mysubdomain) and domain (example) such as mysubdomain.example.com will be similar to:
Private API Gateway Self-test
The Private API Gateway includes a self-test accessible using the --test option on the command line. After a successful login, the self-test runs through a battery of automatic tests that includes importing a built-in project and API and then calling the API through the gateway to ensure proper configuration.
Restarting the Private API Gateway
You may need to stop, start, or restart the Private API Gateway and to make additional configuration changes, upgrade, or troubleshoot. To do so, use the configuration utility and these options:
Last updated: Jun 26, 2019