Deployment

Overview

An APS application connector (or simply APS connector) can be deployed in the following environments:

  1. On service provider premises, that is, in the same infrastructure where the APS controller is deployed

  2. Externally, on the Internet


The deployment requires two steps:

  1. Deployment of the APS connector

  2. Installation of the APS application instance

APS Connector Deployment

An APS connector must be a web server with scripts from the APS application package. It should comply with the following requirements:

  1. It must expose the application services to accept APS REST requests from the APS controller.

  2. For security reasons, the APS connector must accept only HTTPS requests that come from the APS controller.

  3. It must accept REST requests addressed to service URLs and redirect them to proper package scripts.

For details on installation of an APS connector in the platform, refer to Setting an APS Connector.

APS Application Instance Deployment

An application must have an APS resource based on the APS Application type. The resource is used for installing and managing an application instance. Like other APS resources, it has its own service (root service) exposed on the APS application endpoint. For example, if the base APS application endpoint is https://endpoints.apsdemo.org/app1/ and the root service is cloud, the APS controller will interact with the APS application instance through https://endpoints.apsdemo.org/app1/cloud. Otherwise, the resource is similar to other resources of this application. When using a multitenant application shared with all customers, the APS application is usually instantiated only once per application deployment.

The life cycle of the resource is bound to application deployment.

Semantically, operations applied to this resource should be treated by the application as operations for the whole application. Examples of such operations are:

  • Application backup

  • Application management

An APS application instance should be created after deployment of an APS connector. During the instance deployment, the APS controller must generate a unique certificate and private key and then send them along with global application configuration properties in the POST request to the root service exposed on the APS application endpoint.

For step-by-step instructions on installing an APS application instance in the platform, please refer to Application Instance Installation.

Interaction between the APS controller and an APS application is based on the following security model:

  • For each APS application instance, the APS controller generates an X.509 certificate and a private key pair under the aps/x509/self node of the certificate tree. The pair is represented as a PEM Base64 encoded DER certificate and a private key. It is provided to the APS application instance in order for it to connect to the APS controller. If the application is going to access the APS controller, it should store this certificate in a safe place and use it as the client certificate when connecting to the APS controller. If the certificate is changed for an application, the APS controller will notify the application by sending a Resource Configuration request with the aps/x509/self node.

  • The APS controller has its own X.509 certificate under the aps/x509/controller node. The certificate is represented as a PEM Base64 encoded DER certificate of the controller chained with the CA root certificate. It is provided to the application so that it can validate incoming connections from the APS controller. This public key is the same for all applications talking with the APS controller. If the certificate is changed for the controller, the APS controller will notify the application by sending a Resource Configuration request with the aps/x509/controller node.

The following example illustrates the POST request sent to an APS application endpoint to install an APS application instance.

Request:

POST /wordpress HTTP/1.0

{
   "aps": {
     "type": "http://www.odin.com/web/wordpress/1.0",
     "id": "80a4b75e-58a7-40e4-a148-dff560e5fa4a",
     "x509": {
        "self": "-----BEGIN RSA PRIVATE KEY-----\n ... \n-----END CERTIFICATE-----",
        "controller": "-----BEGIN CERTIFICATE-----\n ... \n-----END CERTIFICATE-----"
     },
     "package": {
        "id": "b6d35786-8a3b-4931-8122-342aa2130320",
        "href": "/aps/2/packages/b6d35786-8a3b-4931-8122-342aa2130320"
     }
   },

   "admin_name": "admin",
   "admin_email": "admin@example.com",
   "title": "The test blog",
   "locale": "en",

   "environment": {
     "aps": {
       "link": "strong",
       "href": "/aps/2/resources/1203e863-e68f-400c-b06c-f4d15323e160"
     }
   }
}

Response:

HTTP/1.0 200 OK
Content-Type: application/json; charset=UTF-8
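
The following added example (not part of the APS package or the platform's own code) shows one way a connector could handle the aps.x509 node of the install request above: it splits the self bundle into private key and certificate, checks that the controller node carries certificates only, and writes each file with owner-only permissions. The function names, file names and storage directory are assumptions, and the PEM blocks in the sample body are constructed placeholders.

```python
import json
import os
import re
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s.*?-----END \1-----", re.DOTALL)

def pem_block(label):
    """Constructed placeholder PEM block; the body is not real key material."""
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"

# Constructed install body that keeps only the aps.x509 node of the request.
SAMPLE_BODY = json.dumps({"aps": {"x509": {
    "self": pem_block("RSA PRIVATE KEY") + pem_block("CERTIFICATE"),
    "controller": pem_block("CERTIFICATE") + pem_block("CERTIFICATE")}}})

def split_pem(bundle):
    """Return [(label, pem_text), ...] for every PEM block found in bundle."""
    return [(m.group(1), m.group(0) + "\n") for m in PEM_BLOCK.finditer(bundle)]

def write_private(path, text):
    """Write text to path readable by the owner only, also when the file is rewritten."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # os.open's mode is ignored if the file already exists
    with os.fdopen(fd, "w") as fh:
        fh.write(text)

def store_instance_credentials(body, directory):
    """Persist aps.x509 from an install POST body and return the paths written."""
    x509 = json.loads(body)["aps"]["x509"]
    own = split_pem(x509["self"])
    ctrl = split_pem(x509["controller"])
    keys = [pem for label, pem in own if label.endswith("PRIVATE KEY")]
    certs = [pem for label, pem in own if label == "CERTIFICATE"]
    if len(keys) != 1 or not certs:
        raise ValueError("aps.x509.self must hold one private key and a certificate")
    if not ctrl or any(label != "CERTIFICATE" for label, _ in ctrl):
        raise ValueError("aps.x509.controller must hold certificates only")
    paths = {name: os.path.join(directory, name + ".pem")
             for name in ("self_key", "self_cert", "controller_chain")}
    write_private(paths["self_key"], keys[0])
    write_private(paths["self_cert"], "".join(certs))
    write_private(paths["controller_chain"], "".join(pem for _, pem in ctrl))
    return paths

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo_dir:
        print(store_instance_credentials(SAMPLE_BODY, demo_dir))
```

The same routine can be reused when a Resource Configuration request delivers a changed aps/x509/self or aps/x509/controller node, since rewriting an existing file keeps the owner-only mode.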