An APS application can be deployed in the following environments:
On service provider premises, that is, in the same infrastructure where the APS controller is deployed
Externally in the Internet
The deployment requires two steps:
Deployment of APS application endpoint
Installation of APS application instance
An APS application endpoint must be a web server with scripts from the application package. It should comply with the following requirements:
It must expose the application services to accept APS REST requests from the APS controller.
For security reasons, the APS application endpoint must accept only HTTPS packets, and only from the APS controller.
It must accept REST requests addressed to service URIs and redirect them to proper package scripts.
For details on installing an APS application endpoint in the platform, refer to Setting APS Connector.
An application must have a resource based on the APS Application type. The resource is used for installing and managing an application instance. Like other resources, it has its own service (the root service) exposed on the APS application endpoint. For example, if the base APS application endpoint is https://endpoints.apsdemo.org/app1/ and the root service is cloud, the APS controller will interact with the APS application instance through https://endpoints.apsdemo.org/app1/cloud. Otherwise, the resource is similar to other resources of this application. When a multitenant application is shared by all customers, the APS application is usually instantiated only once per application deployment.
The life cycle of the resource is bound to application deployment.
Semantically, operations applied to this resource should be treated by the application as operations for the whole application. Examples of such operations are:
Application backup
Application management
An APS application instance should be created after deployment of the APS application endpoint. During the instance deployment, the APS controller must generate a unique certificate and private key and then send them along with global application configuration properties in the POST request to the root service exposed on the APS application endpoint.
For step-by-step instructions on installing an APS application instance in the platform, refer to Application Instance Installation.
Interaction between the APS controller and an APS application is based on the following security model:
For each APS application instance, the APS controller generates an X.509 certificate and a private key pair under the aps/x509/self node of the certificate tree. The pair is represented as a PEM Base64 encoded DER certificate and a private key. It is provided to the APS application instance so that the instance can connect to the APS controller. If the application is going to access the APS controller, it should store this certificate in a safe place and use it as the client certificate when connecting to the APS controller. If the certificate is changed for an application, the APS controller will notify the application by sending a Resource Configuration request with the aps/x509/self node.
The APS controller has its own X.509 certificate under the aps/x509/controller node. The certificate is represented as a PEM Base64 encoded DER certificate of the controller chained with the CA root certificate. It is provided to the application so that it can validate incoming connections from the APS controller. This certificate is the same for all applications talking with the APS controller. If the certificate is changed for the controller, the APS controller will notify the application by sending a Resource Configuration request with the aps/x509/controller node.
The following example illustrates the POST request sent to an APS application endpoint to install an APS application instance.
Request:
POST /wordpress HTTP/1.0

{
    "aps": {
        "type": "http://www.odin.com/web/wordpress/1.0",
        "id": "80a4b75e-58a7-40e4-a148-dff560e5fa4a",
        "x509": {
            "self": "-----BEGIN RSA PRIVATE KEY-----\n ... \n-----END CERTIFICATE-----",
            "controller": "-----BEGIN CERTIFICATE-----\n ... \n-----END CERTIFICATE-----"
        },
        "package": {
            "id": "b6d35786-8a3b-4931-8122-342aa2130320",
            "href": "/aps/2/packages/b6d35786-8a3b-4931-8122-342aa2130320"
        }
    },
    "admin_name": "admin",
    "admin_email": "admin@example.com",
    "title": "The test blog",
    "locale": "en",
    "environment": {
        "aps": {
            "link": "strong",
            "href": "/aps/2/resources/1203e863-e68f-400c-b06c-f4d15323e160"
        }
    }
}
Response:
HTTP/1.0 200 OK
Content-Type: application/json; charset=UTF-8
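The following Python sketch shows one way an endpoint could handle the aps.x509 nodes from the install request above and apply the security model described earlier. It is an added example, not code from the APS package or platform. The function names, the file names self.pem and controller.pem, the endpoint's own server certificate and the use of the default trust store for outbound connections are all assumptions.

```python
import json
import os
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n.*?\n-----END \1-----", re.S)
# Constructed request body; the base64 payloads are placeholders, not real keys.
KEY = "-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n"
CERT = "-----BEGIN CERTIFICATE-----\nREVG\n-----END CERTIFICATE-----\n"
SAMPLE_BODY = json.dumps({"aps": {"x509": {"self": KEY + CERT, "controller": CERT + CERT}}})

def split_pem(bundle):
    """Return (label, pem_text) for every PEM block found in the bundle."""
    return [(m.group(1), m.group(0) + "\n") for m in PEM_BLOCK.finditer(bundle)]

def store_credentials(body, directory):
    """Validate aps.x509 from the install request and write both nodes to disk."""
    x509 = json.loads(body)["aps"]["x509"]
    own, ctrl = split_pem(x509["self"]), split_pem(x509["controller"])
    keys = [pem for label, pem in own if label.endswith("PRIVATE KEY")]
    certs = [pem for label, pem in own if label == "CERTIFICATE"]
    if len(keys) != 1 or not certs:
        raise ValueError("aps.x509.self needs one private key and a certificate")
    if not ctrl or any(label != "CERTIFICATE" for label, _ in ctrl):
        raise ValueError("aps.x509.controller must contain certificates only")
    files = {"self.pem": keys[0] + "".join(certs),
             "controller.pem": "".join(pem for _, pem in ctrl)}
    paths = {}
    for name, text in files.items():
        paths[name] = os.path.join(directory, name)
        # Create with mode 0600 so the private key is never group/world readable.
        fd = os.open(paths[name], os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
    return paths

def endpoint_tls_context(controller_pem, server_cert, server_key):
    """Inbound side: refuse clients whose certificate does not chain to controller_pem."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_cert, server_key)  # endpoint's own HTTPS cert (assumed)
    ctx.load_verify_locations(cafile=controller_pem)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def controller_client_context(self_pem):
    """Outbound side: present the aps/x509/self pair as the client certificate."""
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(self_pem)  # key and certificate live in the same file
    return ctx
```

Because the controller node includes the CA root, the TLS check in endpoint_tls_context accepts any certificate issued by that CA, so an endpoint that shares the CA with other parties should also compare the peer certificate with the controller's own. The same store_credentials call can be reused when a Resource Configuration request delivers a changed aps/x509/self or aps/x509/controller node.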