Update api-mediation-multi-tenancy.md

Signed-off-by: ShobhaJayanna <[email protected]>
zowe · Dec 18, 2024 · 75cb1e0 · 75cb1e0
1 parent ef562fc
commit 75cb1e0
Showing 1 changed file with 42 additions and 49 deletions.
diff --git a/docs/user-guide/api-mediation/api-mediation-multi-tenancy.md b/docs/user-guide/api-mediation/api-mediation-multi-tenancy.md
@@ -3,14 +3,14 @@
 Zowe supports management of multiple tenants, whereby different tenants can serve different purposes or different customers. The use case for multi-tenant support is when a service provider manages sysplexes/monoplexes for multiple customers. This configuration makes it possible to have a single access point for all customers, and properly route and authenticate across different domains.
 
 - [Multitenancy Configuration](#multitenancy-configuration)
-  - [Overview of Central and Domain API MLs](#overview-of-central-and-domain-api-mls)
+  - [Overview of API MLs in Multitenancy Configuration](#overview-of-api-mls-multitenancy-configuration)
   - [Multitenancy component enablement settings](#multitenancy-component-enablement-settings)
-  - [Onboarding a Domain Gateway service to the Discovery service in Central API ML](#onboarding-a-domain-gateway-service-to-the-discovery-service-in-central-api-ml)
+  - [Onboarding a Gateway service to the Discovery service of another API ML in Multitenancy Configuration](#onboarding-a-gateway-service-to-the-discovery-of-another-api-ml-in-multitenancy-configuration)
     - [Dynamic configuration via zowe.yaml](#dynamic-configuration-via-zoweyaml)
     - [Dynamic configuration via Environment variables](#dynamic-configuration-via-environment-variables)
     - [Validating successful configuration](#validating-successful-configuration)
-  - [Establishing a trust relationship between Domain API ML and Central API ML](#establishing-a-trust-relationship-between-domain-api-ml-and-central-api-ml)
-    - [Commands to establish trust between Domain and Central API MLs](#commands-to-establish-trust-between-domain-and-central-api-mls)
+  - [Establishing a trust relationship between API MLs in Multitenancy Configuration](#establishing-a-trust-relationship-between-api-mls-in-multitenancy-configuration)
+    - [Commands to establish trust between API MLs in Multitenancy Configuration](#commands-to-establish-trust-between-api-mls-in-multitenancy-configuration)
   - [Using the `/registry` endpoint in the Gateway](#using-the-registry-endpoint-in-the-gateway)
     - [Configuration for `/registry`](#configuration-for-registry)
     - [Authentication for `/registry`](#authentication-for-registry)
@@ -24,31 +24,31 @@ Zowe supports management of multiple tenants, whereby different tenants can serv
     - [ZWESG100W](#zwesg100w)
     - [No debug messages similar to apiml1 completed with onComplete are produced](#no-debug-messages-similar-to-apiml1-completed-with-oncomplete-are-produced)
 
-## Overview of Central and Domain API MLs
+## Overview of API MLs in Multitenancy Configuration
 
-The following diagram illustrates communication between the "central" API Mediation Layer and Zowe in multiple domains. Note that some API MLs may be running in a sysplex (HA), while others may be in a monoplex (non-HA).
+The following diagram illustrates communication between the API Mediation Layer and Zowe in multiple domains. Note that some API MLs may be running in a sysplex (HA), while others may be in a monoplex (non-HA).
 
 ![Multi-domain architecture diagram](./diagrams/multi-domain_architecture_V2.svg)
 
-Domain-Central is where the "central" API ML is running, and may be on z/OS, or off z/OS, for example in Kubernetes. This API ML is referred to as the Central API ML.
-The Central API ML serves as a single point of access to all API Mediation Layers registered in this Central API ML and, by extension, to all services registered in those secondary API MLs.
+Domain-1 API ML is running may be on z/OS, or off z/OS, for example in Kubernetes. This API ML acts as the Central API ML in our example where all the other domain API MLs are registered.
+This API ML serves as a single point of access to all API Mediation Layers registered in this and, by extension, to all services registered in those secondary API MLs.
 
-Domain-1 to Domain-N are z/OS systems with the standard Zowe API ML running either in HA (sysplex) or non-HA (monoplex). These API MLs are referred to as Domain API MLs.
+Domain-2 to Domain-N are z/OS systems with the standard Zowe API ML running either in HA (sysplex) or non-HA (monoplex). These API MLs are registered to  Domain-1 API ML.
 
 ## Multitenancy component enablement settings
 
-In the multitenancy environment, certain Zowe components may be enabled, while others may be disabled. The multitenancy environment expects one Central API ML that handles the discovery and registration as well as routing to the API ML installed in specific domains. 
+In the multitenancy environment, certain Zowe components may be enabled, while others may be disabled. The multitenancy environment expects one API ML (Domain-1 APIML in our example) that handles the discovery and registration as well as routing to the API ML installed in any other specific domains. 
 
-## Onboarding a Domain Gateway service to the Discovery service in Central API ML
+## Onboarding a Gateway service to the Discovery service of another API ML in Multitenancy Configuration
 
-The Central API ML can onboard Gateways of all domains. This service onboarding can be achieved similar to additional registrations of the Gateway. This section describes the dynamic configuration of the yaml file and environment variables, and how to validate successful configuration.
+The Domain-1 API ML can onboard Gateways of all other domains. This service onboarding can be achieved similar to additional registrations of the Gateway. This section describes the dynamic configuration of the yaml file and environment variables, and how to validate successful configuration.
 
 - [Dynamic configuration via zowe.yaml](#dynamic-configuration-via-zoweyaml)
 - [Dynamic configuration via Environment variables](#dynamic-configuration-via-environment-variables)
 
 ### Dynamic configuration via zowe.yaml 
 
-1. Set the following property for the Domain Gateway to dynamically onboard to the  Discovery service in Central API ML.
+1. Set the following property for the Domain(2-N) Gateway to dynamically onboard to the  Discovery service in Domain-1 API ML.
 
     `components.gateway.apiml.service.additionalRegistration`
 
@@ -72,7 +72,7 @@ The Central API ML can onboard Gateways of all domains. This service onboarding
     :::
 
 2. (Optional) Configure the Gateway to forward client certificates.   
-Use this step to enable the domain gateway to use this client certificate for authentication. .  
+Use this step to enable the domain(2-N) gateway to use this client certificate for authentication. .  
 Set the `certificatesUrl` property to ensure that only  Gateway-forwarded certificates are used for client certificate authentication. This URL returns a certificate chain from the gateway.
 
     ```
@@ -108,45 +108,45 @@ This Zowe configuration transforms the zowe.yaml configuration file into the env
 
 ### Validating successful configuration
 
-The corresponding Gateway service should appear in the Eureka console of the Discovery service in Central API ML. 
+The corresponding Gateway service(domain 2-N) should appear in the Eureka console of the Discovery service in the domain-1 API ML. 
 
-To see details of all instances of the ‘GATEWAY’ application, perform a **GET** call on the following endpoint of the Discovery service in central API ML:
+To see details of all instances of the ‘GATEWAY’ application, perform a **GET** call on the following endpoint of the Discovery service in domain-1 API ML:
 
 ```
 /eureka/apps
 ```
 
-## Establishing a trust relationship between Domain API ML and Central API ML
+## Establishing a trust relationship between the API MLs in Multitenancy Configuration
 
-For routing to work in a multitenancy configuration, the Central API Mediation Layer must trust the Domain API Mediation Layers for successful registration into the Discovery Service component.
-The Domain API Mediation Layers must trust the Central API Mediation Layer Gateway to accept routed requests.
-It is necessary that the root and, if applicable, intermediate public certificates be shared between the Central API Mediation Layer and Domain API Mediation Layers. 
+For routing to work in a multitenancy configuration, the API Mediation Layer which registers the other API Mediation Layers must trust them for successful registration into the Discovery Service component.
+The API Mediation Layers which are registered must trust the API Mediation Layer Gateway where they are registed to, to accept routed requests.
+It is necessary that the root and, if applicable, intermediate public certificates be shared between the these API Mediation Layers. 
 
-The following diagram shows the relationship between the Central API ML and Domain API MLs. 
+The following diagram shows the relationship between the API MLs. 
 
 ![Trust relation diagram](./diagrams/mt-trust-relations.png)
 
-As presented in this example diagram, the Central API ML is installed on system X. Domain API MLs are installed on systems Y and Z.
+As presented in this example diagram, The API MLs are installed on systems X, Y and Z.
 
-To establish secure communications, "Domain APIML 1" and "Domain APIML 2" are using different private keys signed with different public keys. These API MLs do not trust each other.
+To establish secure communications, "APIML 1" and "APIML 2" are using different private keys signed with different public keys. These API MLs do not trust each other.
 
-In order for all Domain API MLs to register with the Central API ML, it is necessary that the Central API ML have all public keys from the certificate chains of all Domain API MLs:
+In order for all API MLs to register with an API ML (domain-1) in multitenancy set up, it is necessary that the domain-1 API ML has all public keys from the certificate chains of all registered API MLs:
 * DigiCert Root CA
 * DigiCert Root CA1
 * DigiCert CA
 
-These public keys are required for the Central API ML to establish trust with "Domain APIML 1" and "Domain APIML 2". 
+These public keys are required for the domain-1 API ML to establish trust with "Domain APIML 2" and "Domain APIML 3". 
 
-The Central API ML uses a private key which is signed by the Local CA public key for secure communication. 
+The domain-1 API ML uses a private key which is signed by the Local CA public key for secure communication. 
 
-"Domain APIML 1" and "Domain APIML 2" require a Local CA public key in order to accept the routing requests from the Central API ML, otherwise the Central API ML requests will not be trusted by the Domain API MLs.
+"Domain APIML 2" and "Domain APIML 2" require a Local CA public key in order to accept the routing requests from the domain-1 API ML, otherwise the domain-1  API ML requests will not be trusted by the registered API MLs.
 The diagram indicates all of the added certificates inside the red dashed lines.
 
-### Commands to establish trust between Domain and Central API MLs
+### Commands to establish trust between the API MLs in Multitenancy Configuration
 
-The following commands are examples of establishing a trust relationship between a Domain API ML and the Central API ML for both PKCS12 certificates and when using keyrings.
+The following commands are examples of establishing a trust relationship between a API MLs in Multitenancy Configuration for both PKCS12 certificates and when using keyrings.
 
-1. Import the root and, if applicable, the intermediate public key certificate of Domain API MLs running on systems Y and Z into the truststore of the Central API ML running on system X.
+1. Import the root and, if applicable, the intermediate public key certificate of registered API MLs running on systems Y and Z into the truststore of the API ML running on system X.
 
     - **PKCS12**
   
@@ -163,7 +163,7 @@ The following commands are examples of establishing a trust relationship between
 
     - **Keyring**
       
-      For keyrings, use the following examples of commands specific to your ESM to add certificates from the dataset and connect these certificates to the keyring used by the Central API ML:
+      For keyrings, use the following examples of commands specific to your ESM to add certificates from the dataset and connect these certificates to the keyring used by the domain-1 API ML:
 
       <details>  
       <summary>Click here for command details for RACF. </summary>
@@ -228,7 +228,7 @@ The following commands are examples of establishing a trust relationship between
         ```
       </details>
 
-2. Import root and, if applicable, intermediate public key certificates of the Central API ML running on system X into the truststore of the Domain API MLs running on systems Y and Z.
+2. Import root and, if applicable, intermediate public key certificates of the API ML running on system X into the truststore of the API MLs running on systems Y and Z.
 
     - **PKCS12**
 
@@ -245,7 +245,7 @@ The following commands are examples of establishing a trust relationship between
 
     - **Keyring**
 
-      For keyring certificates, use the following examples of commands specific to your ESM to add certificates from the dataset, and connect these certificates to the keyrings used by Domain API MLs:
+      For keyring certificates, use the following examples of commands specific to your ESM to add certificates from the dataset, and connect these certificates to the keyrings used by registered API MLs:
 
       <details>
       <summary>Click here for command details for RACF.</summary>
@@ -306,11 +306,11 @@ The following commands are examples of establishing a trust relationship between
 
       </details>
 
-You completed certificates setup for multitenancy configuration, whereby Domain API MLs can trust the Central API ML and vice versa.
+You completed certificates setup for multitenancy configuration, whereby registered API MLs can trust the API ML where they are registered and vice versa.
 
 ## Using the `/registry` endpoint in the Gateway
 
-The `/registry` endpoint provides information about services onboarded to all Domain Gateways (all domains and the central one). This section describes the configuration, authentication, authorization, example of requests, and responses when using the `/registry` endpoint. 
+The `/registry` endpoint provides information about services onboarded to all registered Gateways. This section describes the configuration, authentication, authorization, example of requests, and responses when using the `/registry` endpoint. 
 
 ### Configuration for `/registry`
 
@@ -335,16 +335,16 @@ Unsuccessful authorization returns a 403 error code.
 
 ### Requests with `/registry`
 
-There are two endpoints that provide information about services registered to the API ML. One endpoint is for all domains, and the other endpoint is for the specific domain. Choose from the following **GET** calls:
+There are two endpoints that provide information about services registered to the API ML. One endpoint is for all APIMLs, and the other endpoint is for the specific APIML. Choose from the following **GET** calls:
 
 * `GET /gateway/api/v1/registry`  
-This request lists services in all domains.
+This request lists services in all APIMLs.
 
 * `GET /gateway/api/v1/registry/{apimlId}`  
-This request lists services in the apimlId domain.
+This request lists services in the APIML of the specific apimlId given.
 
 * `GET /gateway/api/v1/registry/{apimlId}?apiId={apiId}&serviceId={serviceId}`  
-  This request gets the specific service in the specific apimlId domain.
+  This request gets the specific service from the APIML in the specific apimlId.
 
 ### Response with `/registry`
 
@@ -405,7 +405,7 @@ This request lists services in the apimlId domain.
 
 ### Response with `/registry{apimlId}`
 
-This response should contain information about all services in a specific domain.
+This response should contain information about all services in an APIML with the specific apimlId.
 
 <details>
 <summary>Click here for an example response with `/registry{apimlId}`.</summary>
@@ -450,7 +450,7 @@ This response should contain information about all services in a specific domain
 
 ### Response with `GET /gateway/api/v1/registry/{apimlId}?apiId={apiId}&serviceId={serviceId}`
 
-This response should contain information about a specific service in a specific domain.
+This response should contain information about a specific service in an APIML with the specific apimlId.
 
 <details>
 <summary>Click here for an example of a response with `GET /gateway/api/v1/registry/{apimlId}?apiId={apiId}&serviceId={serviceId}`. </summary>
@@ -484,7 +484,7 @@ This response should contain information about a specific service in a specific
 
 ## Validating successful configuration with `/registry`
 
-Use the `/registry` endpoint to validate successful configuration. The response should contain all Domain API MLs represented by `apimlId`, and information about onboarded services.
+Use the `/registry` endpoint to validate successful configuration. The response should contain all the API MLs represented by `apimlId`, and information about onboarded services.
 
 
 ## Troubleshooting multitenancy configuration
@@ -499,10 +499,3 @@ Cannot connect to the Gateway service.
 **Action**  
 Make sure that the external Gateway service is running and the truststore of the both Gateways contains the corresponding certificate.
 
-### No debug messages similar to apiml1 completed with onComplete are produced
-
- **Reason**  
- Domain Gateway is not correctly onboarded to Discovery Service in Central API ML. 
- 
- **Action**  
- Review Gateway static definition. Check the  Discovery Service dashboard in Central API ML if the domain Gateway is displayed.