This section details the configuration steps for the Apigee API Hub for Private Cloud connector, including network, authentication, and organization-specific settings.
Network and authentication setup
- Allowlist ports: The Apigee API Hub for Private Cloud connector needs to connect to the management server to obtain the required API metadata, so management server ports 8080 and 443 must be reachable from the connector host. Open them only for the connector's source address; the management API does not need to be reachable from anywhere else for this integration.
- Key-based authentication for Google Cloud Platform services: The Apigee API Hub for Private Cloud connector communicates with Google Cloud services and requires tokens for authentication. This is achieved using a service account key to create impersonated tokens.
- Service account for token generation: Create a new service account dedicated to generating tokens. This service account must have the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator). Impersonation requires that role on the service account being impersonated, so grant it on the per-organization service accounts referenced in the connector configuration rather than on the whole project.
- Generate and download service account key:
  - Follow the steps in Create service account Key to generate a JSON key for the token-generating service account.
  - Download this key file (for example, to /opt/apigee/keys/uapim.key on the Apigee API Hub for Private Cloud connector VM). The key is a long-lived credential: make it readable only by the user the connector runs as (chmod 600) and keep it out of version control and unencrypted backups.
- Set GOOGLE_APPLICATION_CREDENTIALS: When starting the Apigee API Hub for Private Cloud connector you need to provide the path to this file via the environment variable (note that the variable name on the left of an export carries no $):
  export GOOGLE_APPLICATION_CREDENTIALS=/opt/apigee/keys/uapim.key
- Management API authentication (UAPIM_MGMT_AUTH): The Apigee API Hub for Private Cloud connector requires credentials to call the Apigee Management API. For security and automation, use a machine user in Apigee, not a human user.
Create a machine user in Apigee:
- Create user:
  - In the Apigee console, create a machine user (or system user). For more on users and roles, see Automate the token generation process.
  - Assign an email (for identification) and a descriptive name (e.g., uapim-connector-user).
- Assign roles: Assign the following role to the machine user:
  - Apigee API admin: This role provides access to the management API, allowing the Apigee API Hub for Private Cloud connector to interact with Apigee's management system (for example, to fetch metadata or manage API configurations). It is a privileged role, so treat the machine user's password as an administrative secret and rotate it if the connector host is ever compromised.
Generate Base64 encoded credentials:
- Take the username:password pair for the machine user.
- Base64 encode the credentials. Use echo -n so that no trailing newline is encoded into the credential, and single-quote the string so shell metacharacters in the password are not interpreted:
  echo -n 'username:password' | base64
- Set the environment variable UAPIM_MGMT_AUTH to the base64-encoded value:
  export UAPIM_MGMT_AUTH=USERNAME_PASSWORD
  Where USERNAME_PASSWORD is the base64-encoded value of the username and password pair.
Make sure this environment variable is set before starting the Apigee API Hub for Private Cloud connector. Base64 is an encoding, not encryption: the value is the plaintext credential in another form. Do not commit it to scripts or files with broad read permissions, and avoid typing the password on an interactive command line where it will be recorded in shell history.
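The following pre-flight check is an added example, not code from Apigee or from the connector. It verifies the two environment variables set in the steps above before the connector is started: that UAPIM_MGMT_AUTH decodes to a username:password pair without a stray newline, and that GOOGLE_APPLICATION_CREDENTIALS points at a private, well-formed service account key. The function names are this example's own; the key fields it checks (type, client_email, private_key, token_uri) are the standard fields of a Google Cloud service account JSON key.

```python
"""Pre-flight check for the connector's credentials (added example, not part of Apigee).

Verifies the two environment variables the procedure above sets:
  GOOGLE_APPLICATION_CREDENTIALS  path to the token-creator service account's JSON key
  UAPIM_MGMT_AUTH                 base64 of "username:password" for the Apigee machine user
"""
import base64
import json
import os
import stat
import sys


def build_mgmt_auth(username: str, password: str) -> str:
    """Return the UAPIM_MGMT_AUTH value, identical to `echo -n 'user:pass' | base64`."""
    if ":" in username:
        raise ValueError("username must not contain ':' (it separates user and password)")
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def check_mgmt_auth(value: str) -> list[str]:
    """Return the problems found in a UAPIM_MGMT_AUTH value (empty list means it is usable)."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return ["UAPIM_MGMT_AUTH is not valid base64 (was the raw username:password exported?)"]
    problems = []
    if decoded.endswith("\n"):
        # `echo 'user:pass' | base64` without -n encodes a trailing newline into the credential.
        problems.append("decoded credential ends with a newline: encode it with `echo -n`")
    user, sep, _password = decoded.rstrip("\n").partition(":")
    if not sep or not user:
        problems.append("decoded credential is not of the form username:password")
    return problems


def check_sa_key(path: str) -> list[str]:
    """Check that the service account key file exists, is private, and looks like a GCP key."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return [f"{path}: not found"]
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: readable by group/others; run chmod 600 on it")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except (OSError, ValueError) as exc:
        return problems + [f"{path}: not a readable JSON file ({exc})"]
    if key.get("type") != "service_account":
        problems.append(f"{path}: 'type' is {key.get('type')!r}, expected 'service_account'")
    for field in ("client_email", "private_key", "token_uri"):
        if not key.get(field):
            problems.append(f"{path}: missing '{field}' (is this a service account key?)")
    return problems


def preflight(env) -> list[str]:
    """Run every check against an environment mapping; pass os.environ for the real one."""
    problems = []
    key_path = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    problems += check_sa_key(key_path) if key_path else ["GOOGLE_APPLICATION_CREDENTIALS is not set"]
    auth = env.get("UAPIM_MGMT_AUTH")
    problems += check_mgmt_auth(auth) if auth else ["UAPIM_MGMT_AUTH is not set"]
    return problems


if __name__ == "__main__":
    issues = preflight(os.environ)
    for issue in issues:
        print("FAIL:", issue)
    print("credentials look usable" if not issues else f"{len(issues)} problem(s)")
    sys.exit(1 if issues else 0)
```

Run it in the same shell session, after the two exports and before apigee-service, so it sees the same environment the connector will inherit. The newline check exists because a credential encoded with plain echo still looks like valid base64 and fails only when the management server rejects the login.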
Configure the Apigee API Hub for Private Cloud connector
Open the configuration file /opt/apigee/customer/application/uapim-connector.properties and specify the Apigee organizations whose data needs to be uploaded to API Hub. You might have multiple plugin instances or multiple API Hub instances. The value is one JSON object spread over several lines of the properties file; every line except the last ends with a backslash, which is how a properties file continues a value onto the next line. Do not leave a trailing comma after the last field of an organization entry, since the JSON parser rejects it at startup.
conf_uapim.settings.json={\
  "connectorConfig": {\
    "org1": {\
      "runtimeDataPubsub": "",\
      "metadataPubsub": "",\
      "serviceAccount": "mysa1@in.myfirstProject",\
      "pluginInstanceId": "aaaa"\
    },\
    "org2": {\
      "runtimeDataPubsub": "",\
      "metadataPubsub": "",\
      "serviceAccount": "mysa2@in.mySecondProject",\
      "pluginInstanceId": "bbbbb"\
    }\
  },\
  "runtimeDataPath": "/the/nfs/mounted/path",\
  "managementServer": "hostname"\
}
Explanation of settings JSON
- connectorConfig Section:
- This is a map where each key is an Apigee organization name (e.g., org1, org2).
- Each organization entry contains the following fields, which you received during the Plugin creation step:
- runtimeDataPubsub: The Pub/Sub topic for runtime (analytics) data for this organization.
- metadataPubsub: The Pub/Sub topic for API metadata for this organization.
- serviceAccount: The service account (e.g., mysa1@in.myfirstProject.iam.gserviceaccount.com) used to authenticate for data writes to Pub/Sub for this organization.
- pluginInstanceId: The unique instance ID of the plugin associated with this organization.
- runtimeDataPath Section: Provide the path to the NFS mount where the Analytics (AX) data will be written by the message processors. This must be the same path configured on the message processors.
- managementServer Section: The hostname or IP address of your Apigee management server (the host whose ports 8080 and 443 you allowlisted above).
- environment variable UAPIM_MGMT_AUTH: This environment variable, set externally, contains the base64 encoded username:password to access the management server.
Add the forward proxy configurations
Add forward proxy configurations in the same file /opt/apigee/customer/application/uapim-connector.properties. The proxy password is stored in this file in plaintext, so keep the file readable only by the account the connector runs as.
conf_http_client_service_jetty.proxy.enabled=true
conf_http_client_service_jetty.proxy.host=
conf_http_client_service_jetty.proxy.port=
conf_http_client_service_jetty.proxy.user=
conf_http_client_service_jetty.proxy.password=
For the connector to work properly, it needs to reach the following external endpoints over TCP port 443:
pubsub.googleapis.com:443
oauth2.googleapis.com:443
iamcredentials.googleapis.com:443
If the connector is not allowed to connect to these endpoints directly and must go through a forward proxy, provide the proxy settings through the properties above and make sure the three endpoints are allowlisted on the proxy. Leave proxy.enabled=false (or unset) when the connector has direct egress, so that an empty proxy host is not treated as a proxy.
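The validator below is an added example, not code from Apigee or from the connector. It reads a uapim-connector.properties file, reassembles the backslash-continued conf_uapim.settings.json value, and reports the configuration mistakes that otherwise surface only when the connector starts: malformed JSON (a trailing comma or a forgotten continuation backslash), empty per-organization fields, duplicate pluginInstanceId values, a relative runtimeDataPath, and a forward proxy that is enabled without a host or port. The embedded properties text is constructed for the example; its topic names, service account e-mails and hostname are placeholders, and the function names are this example's own.

```python
"""Validate uapim-connector.properties before starting the connector (added example, not Apigee code).

A .properties value continues on the next line when the line ends with a backslash; that is
how conf_uapim.settings.json spans many lines. The checks catch what only fails at startup.
"""
import json
import sys

# Constructed sample: org1 is complete, org2 is missing its metadata topic, and the proxy is
# enabled without a host. Topic, account and host values are placeholders, not real resources.
SAMPLE_PROPERTIES = r"""
conf_uapim.settings.json={\
  "connectorConfig": {\
    "org1": {\
      "runtimeDataPubsub": "uapim-runtime-org1",\
      "metadataPubsub": "uapim-metadata-org1",\
      "serviceAccount": "mysa1@my-first-project.iam.gserviceaccount.com",\
      "pluginInstanceId": "aaaa"\
    },\
    "org2": {\
      "runtimeDataPubsub": "uapim-runtime-org2",\
      "metadataPubsub": "",\
      "serviceAccount": "mysa2@my-second-project.iam.gserviceaccount.com",\
      "pluginInstanceId": "bbbbb"\
    }\
  },\
  "runtimeDataPath": "/the/nfs/mounted/path",\
  "managementServer": "mgmt.example.internal"\
}
conf_http_client_service_jetty.proxy.enabled=true
conf_http_client_service_jetty.proxy.host=
conf_http_client_service_jetty.proxy.port=3128
"""

ORG_FIELDS = ("runtimeDataPubsub", "metadataPubsub", "serviceAccount", "pluginInstanceId")
PROXY = "conf_http_client_service_jetty.proxy."


def parse_properties(text: str) -> dict:
    """Minimal .properties reader: joins backslash-continued lines, splits on the first '='."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def validate_settings(settings: dict) -> list[str]:
    """Check the decoded conf_uapim.settings.json object."""
    orgs = settings.get("connectorConfig")
    if not isinstance(orgs, dict) or not orgs:
        return ["connectorConfig must be a non-empty map of organization name to settings"]
    problems, owner_of_id = [], {}
    for org, cfg in orgs.items():
        if not isinstance(cfg, dict):
            problems.append(f"{org}: entry must be an object")
            continue
        for field in ORG_FIELDS:
            if not cfg.get(field):
                problems.append(f"{org}: {field} is empty (take it from the plugin creation step)")
        account = cfg.get("serviceAccount", "")
        if account and not account.endswith(".iam.gserviceaccount.com"):
            problems.append(f"{org}: serviceAccount {account!r} is not a full service account e-mail")
        plugin_id = cfg.get("pluginInstanceId")
        if plugin_id in owner_of_id:
            problems.append(f"{org}: pluginInstanceId {plugin_id!r} is already used by {owner_of_id[plugin_id]}")
        owner_of_id.setdefault(plugin_id, org)
    if not str(settings.get("runtimeDataPath", "")).startswith("/"):
        problems.append("runtimeDataPath must be the absolute NFS path the message processors write to")
    if not settings.get("managementServer"):
        problems.append("managementServer is empty")
    return problems


def validate_proxy(props: dict) -> list[str]:
    """If the forward proxy is enabled, its host and port must be usable."""
    if props.get(PROXY + "enabled", "false").lower() != "true":
        return []
    problems = []
    if not props.get(PROXY + "host"):
        problems.append("proxy is enabled but proxy.host is empty")
    port = props.get(PROXY + "port", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"proxy.port {port!r} is not a valid TCP port")
    if bool(props.get(PROXY + "user")) != bool(props.get(PROXY + "password")):
        problems.append("proxy.user and proxy.password must be set together")
    return problems


def validate_properties(text: str) -> list[str]:
    """Parse the properties text and return every problem found (empty list means OK)."""
    props = parse_properties(text)
    raw = props.get("conf_uapim.settings.json")
    if raw is None:
        return ["conf_uapim.settings.json is missing"]
    try:
        settings = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"conf_uapim.settings.json is not valid JSON: {exc}"]
    return validate_settings(settings) + validate_proxy(props)


if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    for issue in validate_properties(source):
        print("FAIL:", issue)
```

Pass the real file as the first argument (python3 validate_uapim.py /opt/apigee/customer/application/uapim-connector.properties); with no argument it checks the embedded sample and reports the two deliberate mistakes in it. The parser is intentionally small: it handles the continuation and comment rules the connector file uses, not every escape in the Java properties format.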
Starting the Apigee API Hub for Private Cloud Connector
Once all configurations are set, start the Apigee API Hub for Private Cloud connector using the Apigee service command:
apigee-service edge-uapim-connector start