API Connect

 View Only

APIConnect internal and external certificates / end points explained.

By Mark Parzygnat posted Mon February 15, 2021 02:36 PM


APIConnect internal and external certificates / end points explained.


You might wonder how does APIConnect define and internal vs an external end point. In the documentation you will see examples and explanations of internal and external certificates and/or endpoints. In this document, I will try to help clarify this, and point you to some additional information for specific authentication types they require.


External endpoints are all the end points that are exposed outside the individual component (not cluster). Example are all endpoints exposed via ingress. If they don’t go via ingress, they are internal. These endpoints can be easily mapped to certificates. This is important if you want to use your own certificates instead of using the IBM Certificate manager which is made available via the common services.


The endpoints exposed by ingress (external endpoints):

  • 4 end points for manager (Cloud admin UI, API Manager, Consumer API, provider API)
  • 2 for analytics(Ingestion and consumption end point)
  • 2 for portal (Application and management end point)
  • 2 Gateway (Application and management end point)


You may find some documentation that states the above are internal end points. The reasoning is that the user should never have to use the end point, and only API connect has a need to call the end point. So, intra-cluster but not intra-component.


However, there may be a case such as, if someone wants to put analytics in a different cloud you still need to change the cert.


Please see Chris Phillips’ information on authentication for APIConnect Component endpoint interactions for more information.








1 comment



Tue March 14, 2023 06:07 PM

This helps, thanks Mark. So the traffice between APIC and ACE are considered external, now that they are from separate components? Thanks.