micro-gw.conf

The following table explains the runtime configurations that are available in WSO2 API Mircogateway. The configuration file ( micro-gw.conf ) for the Microgateway runtime is located in the <MGW-RUNTIME-HOME>/conf directory. However, you can refer default-micro-gw.conf.template located in <MGW-RUNTIME-HOME>/conf on default configuration values in the Microgateway runtime. If you want to change any default configurations, you have to edit configurations in micro-gw.conf after copying these configurations to micro-gw.conf.

Note

The default-micro-gw.conf.template is a read-only file. The changes you made in default-micro-gw.conf.template will not be considered by the Microgateway. You have to do configurations instead in micro-gw.conf .

Heading Description Sub Heading Description Default value
listenerConfig The transport listener of the Microgateway (MGW) that receives the incoming requests. host Host or IP of the Microgateway that is exposed to the outside. 0.0.0.0
httpPort The port used for HTTP connections 9090
httpsPort The port used for HTTPS connections 9095
keyStore.path Internal Key Store path of the Microgateway ${ballerina.home}/bre/security/ballerinaKeystore.p12
keyStore.password Internal Key Store password ballerina
tokenListenerPort The port where the endpoints (e.g., /token , /authorize etc.) are exposed. 9096
trustStore.path When validating the JWT token, the path of the client trust store where the Microgateway looks for the public certificate of the STS. ${ballerina.home}/bre/security/ballerinaTruststore.p12
trustStore.password The password of the client trust store. ballerina
authConfig The authorization details that the Microgateway uses when enforcing security to the APIs that are exposed by it. authorizationHeader The header Microgateway will look into this header to retrieve security-related details (e.g., If the API is protected by OAuth or JWT it looks for OAuth or JWT token in the specified header. Authorization
removeAuthHeaderFromOutMessage This specifies whether to send the above-mentioned authorization header to the actual back end or not. true
keyManager The Key Manager related information. This information is required when the Microgateway connects with the Key Manager in order to validate the tokens. (for configurations, please check the documentation on Securing APIs Using Opaque Tokens ) serverUrl Connection URL of the Key Manager server. By default, this is WSO2 Identity Server (WSO2 IS). https://localhost:9443
tokenContext The token endpoint context of the Key Manager server. oauth2
timestampSkew The timestamp skew that is added when checking the token validity period for the tokens that are retrieved from the gateway cache. Value is in seconds. 5000
external (Deprecated)To set an external key manager, enable this. false
enableLegacyKM Enable this when Microgateway is configured with older versions of API Manager (3.1.0 or below) to use the key validation service. false
jwksURL The endpoint of the JWT key set url of the key manager server. empty
jwtTokenConfig These details are used by the Microgateway when it validates the JWT present in the request. The Microgateway does the JWT validation itself. It does the signature verification and the validation of the issuer, audience, and validity period as well. issuer The Secure Token Service (STS) that has issued the JWT. If the issuer claim has JWT present in it and the request matches the given value here, then the issuer validation will be successful. https://localhost:9443/oauth2/token
audience The audience claim present in the JWT is matched against the value provided in the configuration. http://org.wso2.apimgt/gateway
certificateAlias The public certificate alias of the STS. wso2apim310
validateSubscription Validate subscribed APIs false
jwtConfig Details related to the JWT that the Microgateway sends to the backend. header The header that the Microgateway uses to include the JWT when forwarding the request to the backend. X-JWT-Assertion
caching The caching config used for OAuth2 token validation. Note that this cache is only for OAuth2 tokens. tokenCache.expiryTime Expiry time of the cache in seconds. 900000
tokenCache.capacity The size of the cache in MB. 100
tokenCache.evictionFactor The factor of the cache that will be cleared when the cache is full. By default 0.25 @5MB of cache will be cleared when the cache is full (i.e. 100 MB). 0.25
analytics Defines the analytics data publishing related configuration streamVersion The analytics stream version to which the events should be published. This should match with the API-M analytics version which is being used. 3.2.0
analytics.fileUpload Configurations for file upload analytics enable This defines whether publishing from the Microgateway to analytics is enabled or not. false
uploadingTimeSpanInMillis The time interval in which the uploading task is run. 600000
uploadingEndpoint The endpoint URL of the web application, to which the file has to be uploaded. This web app is deployed in the Analytics server to retrieve files containing analytics data. https://localhost:9444/analytics/v1.0/usage/upload-file
rotatingPeriod The time interval, after which the file is rotated and compressed. This depends on the Transactions Per Second (TPS) capacity of the environment. 600000
task.uploadFiles This determines whether to enable or disable the file upload task. If this property is disabled, the analytics files are not uploaded to the analytics server, although the files are persisted in the Microgateway system. true
username The username that the analytics server uses. admin
password The password that the analytics server uses. admin
analytics.gRPCAnalytics Analytics configurations for GRPC enable Enable GRPC Analytics false
endpointURL The APIM Analytics endpoint configured to accept gRPC analytics. https://localhost:9806
reconnectTimeInMillies The time interval in milliseconds for gRPC connection recovery task 6000
http2 Http configurations enable Enable HTTP2 true
httpClients HTTP client configuration verifyHostname Hostname verification true
validationConfig Request and response validation configurations enableRequestValidation Enable validating the request false
enableResponseValidation Enable validating the response false
apim.eventHub Configurations for retrieving API and subscription data from API Manager. (This works from API Manager 3.2.0 onwards) enable Enable the data retrieval from API Manager false
serviceUrl The API Manager url https://localhost:9443
internalDataContext The context of the API which is used to retrieve the data during the Microgateway startup /internal/data/v1/
eventListeningEndpoints The message broker endpoint which is used to retrieve the data from subsequent API, Application and Subscription creations. amqp://admin:admin@carbon/carbon?brokerlist='tcp://localhost:5672
security The opaque token validation configuration validateSubscriptions Validate subscriptions when using opaque tokens. (valid only when the event hub configuration is enabled and using API Manager 3.2.0) false

Template configuration file

The following are the default configurations and default template of configurations in Microgateway runtime. You can also find this file in <MGW-RUNTIME-HOME>/conf/default-micro-gw.conf.template.

# Transport listener Configurations
[listenerConfig]
  # Microgateway exposed IP / Host
  host = "0.0.0.0"
  # HTTP port that is used to make APIs available to the outside.
  httpPort = 9090
  # HTTPs port that is used to make APIs available to the outside and for endpoints(/token, /authorize, /revoke/, userinfo) of Key Manager.
  httpsPort = 9095
  # HTTP port for endpoints(/token, /authorize, /revoke/, userinfo) of Key Manager
  tokenListenerPort = 9096
  # Internal keystore
  keyStorePath = "${mgw-runtime.home}/runtime/bre/security/ballerinaKeystore.p12"
  keyStorePassword = "ballerina"
  # Truststore
  trustStorePath = "${mgw-runtime.home}/runtime/bre/security/ballerinaTruststore.p12"
  trustStorePassword = "ballerina"
  # http1 Settings
  # Can be set to either `AUTO`, which respects the `connection` header, or `ALWAYS`,
  # which always keeps the connection alive, or `NEVER`, which always closes the connection
  keepAlive = "AUTO"
  # Defines the maximum number of requests that can be processed at a given time on a single connection.
  # By default 10 requests can be pipelined on a single connection and user can change this limit appropriately.
  maxPipelinedRequests = 10
  # Maximum allowed length for a URI. Exceeding this limit will result in a `414 - URI Too Long` response.
  maxUriLength = 4096
  # Maximum allowed size for headers. Exceeding this limit will result in a `413 - Payload Too Large` response.
  maxHeaderSize = 8192
  # Maximum allowed size for the entity body. By default it is set to -1 which means there is no
  # restriction `maxEntityBodySize`, On the Exceeding this limit will result in a`413 - Payload Too Large` response.
  maxEntityBodySize = -1


# API Authorization security for the gateway and the backend
[authConfig]
  # Authorization header expected by the Microgateway. Can be overridden at API level using the extension
  authorizationHeader = "Authorization"
  # Remove authorization header from the backend request
  removeAuthHeaderFromOutMessage = true

# API JWT Authorization security for backend
[jwtConfig]
  # JWT header when forwarding the request to the backend
  header = "X-JWT-Assertion"

# Key manager configurations
[keyManager]
  # Connection URL of the Key Manager server
  serverUrl = "https://localhost:9443"
  # The token endpoint context of the Key Manager server
  tokenContext = "oauth2"
  # When Microgateway is used with older APIM versions for subscription validation by using KeyValidation service.
  enableLegacyMode = false
  # Remote User Claim Retrieval Enabled
  remoteUserClaimRetrievalEnabled = false
  # Basic security configurations
  # Issuer
  issuer = "https://localhost:9443/oauth2/token"
  [keymanager.security.basic]
    enabled = true
    username = "admin"
    password = "admin"
  # Oauth2 security configurations
  [keymanager.security.oauth2]
    enabled = false
    # Authentication credentials should be sent via (AUTH_HEADER_BEARER/POST_BODY_BEARER/NO_BEARER)?
    credentialBearer = "AUTH_HEADER_BEARER"
    # Token URL for the authorization endpoint
    tokenUrl = ""
    # Oauth2 security grants
    [keymanager.security.oauth2.clientCredential]
      enabled = false
      clientId = ""
      clientSecret = ""
      scopes = ""
    [keymanager.security.oauth2.password]
      enabled = false
      clientId = ""
      clientSecret = ""
      scopes = ""
      username = ""
      password = ""
    [keymanager.security.oauth2.directToken]
      enabled = false
      accessToken = ""
    [keymanager.security.oauth2.refresh]
      enabled = false
      refreshUrl = ""
      scopes = ""
      refreshToken = ""
      clientId = ""
      clientSecret = ""

# JWT token authorization configurations. You can provide multiple JWT issuers
# Issuer 1
[[jwtTokenConfig]]
  issuer = "https://localhost:9443/oauth2/token"
  certificateAlias = "wso2apim310"
  URL of the JWKs endpoint
  jwksURL = ""
  # Validate subscribed APIs
  validateSubscription = false
  # The claim in which the consumer key of the application is coming
  consumerKeyClaim = "aud"
  #class name of JWT claims value mapper transformer if you need claims mapping.
  claimMapperClassName = "org.wso2.micro.gateway.jwtTransformer.DefaultJwtTransformer"
  # Remote User Claim Retrieval Enabled
  remoteUserClaimRetrievalEnabled = false
  # The key of remote claims and the local claims if you need claims mapping.
  [[jwtTokenConfig.claims]]
    remoteClaim = "scp"
    localClaim = "scope"
  [[jwtTokenConfig.claims]]
    remoteClaim = "FName"
    localClaim = "firstName"
# Issuer 2
[[jwtTokenConfig]]
  issuer = "https://host:port/issuer"
  audience = "http://org.wso2.apimgt/gateway"
  certificateAlias = "alias"
  # Validate subscribed APIs
  validateSubscription = false
  #class name of JWT claims value mapper transformer if you need claims mapping.
  claimMapperClassName = "org.wso2.micro.gateway.jwtTransformer.customJwtTransformer"
  # Remote User Claim Retrieval Enabled
  remoteUserClaimRetrievalEnabled = false
  # The key of remote claims and the local claims if you need claims mapping.
  [[jwtTokenConfig.claims]]
    remoteClaim = "scps"
    localClaim = "scope"
  [[jwtTokenConfig.claims]]
    remoteClaim = "FN"
    localClaim = "firstName"

# JWT token revocation configurations
[tokenRevocationConfig]
# Real time revocation configurations
  [tokenRevocationConfig.realtime]
    enableRealtimeMessageRetrieval = false
    # The JMS Message Broker that identify messages related to revoked tokens
    jmsConnectionTopic = "tokenRevocation"
    # The message broker context factory
    jmsConnectioninitialContextFactory = "wso2mbInitialContextFactory"
    # The message broker connection URL
    jmsConnectionProviderUrl= "amqp://admin:admin@carbon/carbon?brokerlist='tcp://localhost:5672'"
    # The username used to establish  the message broker connection
    jmsConnectionUsername = ""
    # The password used to establish  the message broker connection
    jmsConnectionPassword = ""
  # Persistent revocation configurations
  [tokenRevocationConfig.persistent]
    enablePersistentStorageRetrieval = false
    # Use APIM as the default persistent storage. Other types are "etcd" and "custom"
    type = "default"
    # The endpoint url of your persistent storage server (e.g.: <etcd-server-access-URL>/<service>/keys/jti/)
    endpointURL = "https://localhost:9443/internal/data/v1"
    # The username of your persistent storage server
    username = "admin"
    # The password of your persistent storage server
    password = "admin"

# token cache configurations
[caching]
  # Expiry time of the cache in seconds
  tokenCacheExpiryTime = 900000
  # The size of the cache in MB
  tokenCacheCapacity = 10000
  # The factor of the cache that will be cleared when the cache is full.
  tokenCacheEvictionFactor = 0.25

# Analytics configurations
[analytics]
  # The configured API Manager analytics stream version
  streamVersion = "3.2.0"
  # Configurations for file upload analytics
  [analytics.fileUpload]
    enable = false
    # Time interval in milliseconds for file uploading task 
    uploadingTimeSpanInMillis = 600000
    # Initial time delay in milliseconds for file upload analytics
    initialDelayInMillis = 5000
    # Endpoint configured to accept file upload analytics
    uploadingEndpoint = "https://localhost:9444/analytics/v1.0/usage/upload-file"
    # File rotating period in milliseconds
    rotatingPeriod = 600000
    # To enable file upload task
    taskUploadFiles = true
    # Username used in analytics server
    username = "admin"
    # Password used in in analytics server
    password = "admin"
  [analytics.gRPCAnalytics]
    enable = false
    # APIM Analytics endpoint configured to accept gRPC analytics
    endpointURL = "https://localhost:9806"
    # Time interval in milliseconds for gRPC connection recovery task
    reconnectTimeInMillies = 6000

# User configuration for Basic auth
[b7a.users]
  # [b7a.users.<username>]
  #   password = <sha1 encrypted password> / <prefix>:<encrypted password>
  #   scopes = <comma_separated_scopes> if scopes are needed
  # Example 1:
  [b7a.users.admin]
    # password should be sha1 encrypted by default
    password = "d033e22ae348aeb5660fc2140aec35850c4da997"
  # Example 2:
  [b7a.users.prometheus]
    # Password. @prefix used to denote that password is hashed with the algorithm (e.g.: @sha256, @sha512)
    password = "@sha256:{5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8}"
    # scopes (e.g. "observability" to enable observability)
    scopes = "observability"

# Request and response validation configurations
[validationConfig]
  enableRequestValidation = false
  enableResponseValidation = false

# Enable http2 for the microgateway listeners.
[http2]
  enable = true

# HTTP client configuration. These are used when gateway connects with the upstream backend endpoints
[httpClients]
  # Hostname verification
  verifyHostname=true
  # Skip validating certificates when ssl is used
  disableSslVerification = false
  # Enable http2 when connecting with upstream backend endpoints.
  enableHttp2 = true
  #Proxy configurations required when microgateway connects to an upstream back end via a corporate proxy.
  [httpClients.proxy]
    #Enable proxy when connecting with backend services.
    enable = false
    #Enable proxy when microgateway communicating with internal components like key manager, analytics and etc
    enableInternalServices = false
    # Host or IP address of the proxy server
    host = ""
    # Port on which proxy server is listening
    port = 0
    # Security credentials if the proxy server is protected.
    username = ""
    password = ""
  # Configurations for managing HTTP client(sender) connection pool
  [httpClients.poolConfig]
    #Max active connections per route(host:port). Default value is -1 which indicates unlimited
    maxActiveConnections = -1
    #Maximum number of idle connections allowed for the pool
    maxIdleConnections = 100
    #Maximum amount of time, the client should wait for an idle connection before it sends an error when the pool is exhausted
    waitTimeInMillis = 30000
    #Maximum active streams per connection. This only applies to HTTP/2.
    maxActiveStreamsPerConnection = 50

# Mutual SSL configuration
[mutualSSLConfig]
  # SSL Protocol to be used
  protocolName = "TLS"
  # SSL/TLS protocols to be enabled
  protocolVersions = "TLSv1.2,TLSv1.1"
  # List of ciphers to be used
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  ,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256  ,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
  # The type of client certificate verification. (e.g.: "require" or "optional")
  sslVerifyClient = "optional"
  # Header name append by the load balancer including the encoded certificate of client after mtls handshake with client.
  certificateHeaderName = "X-WSO2-CLIENT-CERTIFICATE"
  # Is client certificate validation enable. This applies only if the certificate is present in the header. That is
  # in load balancer fronted scenarios. If there is no load balancer in front of gateway, then if mutual ssl is enabled
  # for the API, then irrespective of this config value, certificate will be validated.
  isClientCertificateValidationEnabled = true
    # [[mutualSSLConfig.api.certificates]]
      # name = "API name given in the API Definition"
      # version = "API version given in the API definition"
      # aliasList = "list of aliases for a given API"
    # Examples :
    # API 1
    [[mutualSSLConfig.api.certificates]]
      name = "Swagger Petstore"
      version = "1.0.5"
      aliasList = ["ballerina", "wso2apim310"]
    # API 2
    [[mutualSSLConfig.api.certificates]]
      name = "MyAPI"
      version = "2.0.0"
      aliasList = ["myAlias1", "myAlias2"]


# Throttling configurations
[throttlingConfig]
  # Connect with the central traffic manager
  enabledGlobalTMEventPublishing = false
  # Enable global advanced throttling based on request header conditions
  enableHeaderConditions = false
  # Enable global advanced throttling based on request query parameter conditions
  enableQueryParamConditions = false
  # Enable global advanced throttling based on jwt claim conditions
  enableJwtClaimConditions = false
  # The message broker context factory
  jmsConnectioninitialContextFactory = "wso2mbInitialContextFactory"
  # The message broker connection URL
  jmsConnectionProviderUrl = "amqp://admin:admin@carbon/carbon?brokerlist='tcp://localhost:5672'"
  # The username used to establish  the message broker connection
  jmsConnectionUsername = ""
  # The password used to establish  the message broker connection
  jmsConnectionPassword = ""
  # The central traffic management solution URL
  throttleEndpointUrl = "https://localhost:9443/endpoints"
  # username:password to create the connection to the central traffic manager
  throttleEndpointbase64Header = "admin:admin"
  #Configurations related to retrieve custom throttle policy related key templates from traffic manager or key manager.
  [throttlingConfig.dataRetriever]
    serverUrl = "https://localhost:9443/internal/data/v1"
    username = "admin"
    password = "admin"
  # Configurations related to node local throttling.
  [throttlingConfig.nodeLocal]
    # Core number of threads in the thread pool.
    processThreadPoolCoreSize = 200
    # Maximum number of threads in the thread pool.
    processThreadPoolMaximumSize = 1000
    # Keep alive time of the threads in seconds
    processThreadPoolKeepAliveTime = 200
    # Throttle data cleanup task frequency in seconds.
    cleanUpFrequency = 3600


  # Throttling configurations related to event publishing using a binary connection
  [throttlingConfig.binary]
    enabled = true
    # Credentials required to establish connection between Traffic Manager
    username = "admin"
    password = "admin"
    # Receiver URL and the authentication URL of the Traffic manager node/nodes
    [[throttlingConfig.binary.URLGroup]]
      receiverURL = "tcp://localhost:9611"
      authURL = "ssl://localhost:9711"
    # Data publisher object pool configurations
    [throttlingConfig.binary.publisherPool]
      maxIdle = 1000
      initIdleCapacity = 200
    # Data publisher thread pool configurations
    [throttlingConfig.binary.publisherThreadPool]
      corePoolSize = 200
      maxPoolSize = 1000
      keepAliveTime = 200
    [throttlingConfig.binary.agent]
      # SSL Protocols
      sslEnabledProtocols = "TLSv1,TLSv1.1,TLSv1.2"
      # ciphers
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  ,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256  ,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
      # The size of the queue event disruptor which handles events before they are published.
      # The value specified should always be the result of an exponent with 2 as the base.
      queueSize = 32768
      # The maximum number of events in a batch sent to the queue event disruptor at a given time
      batchSize = 200
      # The number of threads that will be reserved to handle events at the time you start
      corePoolSize = 1
      # Socket timeout
      socketTimeoutMS = 30000
      # The maximum number of threads that should be reserved at any given time to handle events
      maxPoolSize = 1
      # The amount of time which threads in excess of the core pool size may remain idle before being terminated.
      keepAliveTimeInPool = 20
      # The time interval between reconnection
      reconnectionInterval = 30
      # TCP connection pool configurations (for data publishing)
      maxTransportPoolSize = 250
      maxIdleConnections = 250
      evictionTimePeriod = 5500
      minIdleTimeInPool = 5000
      # SSL connection pool configurations (for authentication)
      secureMaxIdleTransportPoolSize = 250
      secureMaxIdleConnections = 250
      secureEvictionTimePeriod = 5500
      secureMinIdleTimeInPool = 5000

# Observability configurations
[b7a.observability]
  # Observability metrics monitoring
  [b7a.observability.metrics]
    enabled = false
    # Reporter name that reports the collected Metrics to the remote metrics server
    reporter = "prometheus"
    # Prometheus to scrape the information
    [b7a.observability.metrics.prometheus]
      # port exposing api level metrics
      port=9797
      # port exposing vm level metrics
      jmx_port = 8080
      # secure port for api level and vm level metrics
      secure_port = 9000
  # Observability distributed tracing
  [b7a.observability.tracing]
    enabled = false
    # Tracer name
    name = "jaeger"
    # Jaeger for tracing
    [b7a.observability.tracing.jaeger.reporter]
      # The port which the Jaeger server is listening to
      port = 5775

# API Key authentication configurations
[apikey.tokenConfigs]
  issuer="https://localhost:9095/apikey"
  certificateAlias="ballerina"
  # Validate Allowed/subscribed APIs
  validateAllowedAPIs=false

# API Key Security Token Service(STS) configurations
[apikey.issuer]
  # API Key STS token configurations
  [apikey.issuer.tokenConfig]
    enabled=true
    keyStorePath="${mgw-runtime.home}/runtime/bre/security/ballerinaKeystore.p12"
    keyStorePassword="ballerina"
    issuer="https://localhost:9095/apikey"
    certificateAlias="ballerina"
    # validity time in seconds for the API Key. -1 is to indicate unlimited time 
    validityTime=-1
  # API Key STS Allowed APIs
    # provide the list of allowed APIs by the generated API Key
    # [[apikey.issuer.api]] 
      # name="API name given in the API Definition"
      # versions="Allowed versions" or "*" to allow all versions
    # Examples :
    # API 1
    [[apikey.issuer.api]]
      name="Swagger Petstore New"
      versions="1.0.0, v1, v2"
    # API 2
    [[apikey.issuer.api]]
      name="MyAPI"
      versions="*"

# JWT Generator configurations
[jwtGeneratorConfig]
  # Enable jwt generator
  jwtGeneratorEnabled=false
  # Dialect prefix that can be added to the claims
  claimDialect="http://wso2.org/claims"
  # Signature algorithm used to sign the JWT token (only SHA256withRSA and NONE is supported)
  signingAlgorithm="SHA256withRSA"
  # Certificate alias from the keystore
  certificateAlias="ballerina"
  # Private key alias from the keystore
  privateKeyAlias="ballerina"
  # JWT token expiry time - ms (valid only if the jwt generator caching mechanism is disabled)
  tokenExpiry=900000
  # Restricted claims as an array that should not be included in the backend JWT token
  # Example: restrictedClaims=["claim1","claim2","claim3"]
  restrictedClaims=[]
  # Token issuer standard claim
  issuer="wso2.org/products/am"
  # Token audience standard claim
  audience=["http://org.wso2.apimgt/gateway"]
  # JWT token generator implementation
  generatorImpl="org.wso2.micro.gateway.jwt.generator.MGWJWTGeneratorImpl"
  [jwtGeneratorConfig.claimRetrieval]
      # User claim retriever implementation. This configuration is not applied by default.
      # User needs to mention the class explicitly
      retrieverImpl=""
      [jwtGeneratorConfig.claimRetrieval.configuration]
          custom_config_key = "custom_config_property"
  # JWT Generator cache configurations
  [jwtGeneratorConfig.jwtGeneratorCaching]
    # Enable jwt generator token caching
    tokenCacheEnable=true
    # Token cache expiry time (ms)
    tokenCacheExpiryTime=900000
    # Token cache capacity
    tokenCacheCapacity=10000
    # Token cache eviction factor
    tokenCacheEvictionFactor=0.25

# server configuration
[server]
  # timestamp skew in milliseconds which added when checking the token validity period
  timestampSkew = 5000

# Configurations for retrieving API and subscription data from API Manager.
[apim.eventHub]
  # Enable/ Disable the feature
  enable = false
  # The API Manager URL
  serviceUrl = "https://localhost:9443"
  # The internal data REST API context.
  internalDataContext="/internal/data/v1/"
  # User name and password of the internal data api.
  username="admin"
  password="admin"
  # The message broker connection URL.
  eventListeningEndpoints = "amqp://admin:admin@carbon/carbon?brokerlist='tcp://localhost:5672'"

# API Manager default credentials
[apim.credentials]
username = "admin"
password = "admin"

# Token validation configuration
[security]
  # Enable/ Disable subscription validation for opaque (reference) tokens.
  validateSubscriptions = false
Top