In this document:
An APS application connector (or simply APS connector) can be deployed in the following environments:
On service provider premises, that is, in the same infrastructure where the APS controller is deployed
Externally, on the Internet
The deployment requires two steps:
Deployment of the APS connector
Installation of the APS application instance
An APS connector must be a web server with scripts from the APS application package. It should comply with the following requirements:
It must expose the application services to accept APS REST requests from the APS controller.
For security reasons, the APS connector must only accept HTTPS packets which come from the APS controller.
It must accept REST requests addressed to service URLs and redirect them to proper package scripts.
For details on installation of an APS connector in the platform, refer to Setting an APS Connector.
An application must have an APS resource based on the APS Application type.
The resource is used for installing and managing an application instance.
Like other APS resources, it has its own service (root service) exposed on the APS application endpoint.
For example, if the base APS application endpoint is https://endpoints.apsdemo.org/app1/
and
the root service is cloud, the APS controller will interact with the APS application instance
through https://endpoints.apsdemo.org/app1/cloud.
Otherwise, the resource is similar to other resources of this application. When using a multitenant
application shared with all customers, the APS application is usually instantiated only once per application deployment.
The life cycle of the resource is bound to application deployment.
Semantically, operations applied to this resource should be treated by the application as operations for the whole application. Examples of such operations are:
Application backup
Application management
An APS application instance should be created after deployment of the an APS connector. During the instance deployment, the APS controller must generate a unique certificate and private key and then send them along with global application configuration properties in the POST request to the root service exposed on the APS application endpoint.
For step-by-step instructions on installing an APS application instance in the platform, please refer to Application Instance Installation.
Interaction between the APS controller and an APS application is based on the following security model:
For each APS application instance, the APS controller generates an X.509
certificate and a private key pair
under the aps/x509/self node of the certificate tree.
The pair is represented as a PEM
Base64 encoded
DER certificate and a private key.
It is provided to the APS application instance in order for it to connect to the APS controller.
If the application is going to access the APS controller, it should store this certificate in a safe place
and use it as the client certificate when connecting to the APS controller.
If the certificate is changed for an application, the APS controller will notify the application by sending
a Resource Configuration request with the aps/x509/self
node.
The APS controller has its own X.509 certificate under the aps/x509/controller
node.
The certificate is represented as a PEM Base64 encoded DER certificate of the controller
chained with the CA root certificate.
It is provided to the application so that it can validate incoming connections from the APS controller.
This public key is the same for all applications talking with the APS controller.
If the certificate is changed for the controller, the APS controller will notify the application by
sending a Resource Configuration request with the aps/x509/controller node.
The following example illustrates the POST request sent to an APS application endpoint to install an APS application instance.
Request:
POST /wordpress HTTP/1.0
{
"aps": {
"type": "http://www.odin.com/web/wordpress/1.0",
"id": "80a4b75e-58a7-40e4-a148-dff560e5fa4a",
"x509": {
"self": "-----BEGIN RSA PRIVATE KEY-----\n ... \n-----END CERTIFICATE-----",
"controller": "-----BEGIN CERTIFICATE-----\n ... \n-----END CERTIFICATE-----"
},
"package": {
"id": "b6d35786-8a3b-4931-8122-342aa2130320",
"href": "/aps/2/packages/b6d35786-8a3b-4931-8122-342aa2130320"
}
},
"admin_name": "admin",
"admin_email": "admin@example.com",
"title": "The test blog",
"locale": "en",
"environment": {
"aps": {
"link": "strong",
"href": "/aps/2/resources/1203e863-e68f-400c-b06c-f4d15323e160"
}
}
}
Response:
HTTP/1.0 200 OK
Content-Type: application/json; charset=UTF-8