The default configuration of the API Gateway allows handling messages in the range of 1 KB to 50 KB. A several specific changes are required for tuning the Gateway appliance to handle larger messages.

This article talks about several settings and configuration files that need changes in order to meet this use case:

• The amount of system memory allocated to Java application.
• Cluster-wide properties that negotiate various maximum data sizes.
• Certain policy changes to limit message sizes.
• Listen Ports

Java memory allocation

To check the memory allocation to java for the gateway use this command:

ps -efa | grep Gateway.jar | grep --color Xmx

The following configuration file has the multiplication factor for the memory. By default its ½.

/opt/SecureSpan/Gateway/runtime/etc/profile.d/appliancedefs.sh

Change the multiplication factor to a higher number than 1/2. Example 2/3 or 4/5

For more information on this change, please see: https://knowledge.broadcom.com/external/article?articleId=12306

Cluster-Wide Properties

Log in to the API Gateway Policy Manager as an administrative user. Open the Manage Cluster-Wide Properties task and then add or edit the following properties:

• io.signedPartMaxBytes = 0
• io.xmlPartMaxBytes = 0
• request.compress.gzip.allow = true
• response.compress.gzip.allow = true

The additional cluster-wide properties that need to be set with customized values:

• template.partBodyMaxSize
• attachment.diskThreshold
• io.httpParamsMaxFormPostBytes

template.partBodyMaxSize: specifies the maximum amount of memory to use for storing message parts. The value of this property should meet or exceed the maximum expected size of an individual message part. Setting this property to a value that exceeds the total size of the message should be sufficient.

attachment.diskThreshold: specifies the maximum size of a message attachment to store in memory before stashing it to disk. If a message attachment exceeds this value in size, the gateway saves the attachment to disk. This value should meet or exceed the maximum total size of any individual message attachments for MTOM or Soap with Attachments.

io.httpParamsMaxFormPostBytes: maximum number of bytes to buffer when processing an HTTP form POST.  Technical Note:  The io.httpParamsMaxFormPostBytes cluster property replaces the former com.l7tech.message.httpParamsMaxFormPost system property.  However if the system property is set, it overrides this cluster property.

Policy Changes

In some circumstances, it may be necessary to change one or more service policies or global policy fragments to minimize the risk of globally increasing the maximum message and attachment thresholds. A few factors are at play with respect to this behavior and that needs change. The following items are for consideration:

• The current value of io.xmlMaxPartBytes
• The current use of the Limit Message Size assertion
• Is Perform WS-Security Processing is enabled for a particular service?
• Is the service policy acts upon the request or response message?

If the service policy acts upon a request or response message that exceeds io.xmlMaxPartBytes then the request will fail. "Acts upon" includes but is not limited to: Any threat protection assertion, XPath evaluation, regular expression evaluation, message transformation. The Limit Message Size assertion will overwrite this limit. The Gateway will enforce the message size on a per-service basis as long as that assertion is used. The assertion is overridden by enabling "Perform WS-Security Processing..." within the Service Properties dialog.  If this is enabled then io.xmlMaxPartBytes overrides the value of Limit Message Size assertion. This occurs because the WS-Security processing specified above occurs before the service policy itself (and before Limit Message Size would take over as the authority).

Below are some examples to illustrate the interaction of these changes:

• If a service policy streams the request or response and does not act upon the message then the Gateway does not limit the size of a message. Assertions are only necessary to shield a protected service from attack relying upon message size.
• If a service policy performs message transformation or evaluation then the policy should use the Limit Message Size assertion to set the maximum size on a per-service basis.
• If a Gateway will always handle large messages and inspect, evaluate, or transform the request or response--regardless of the published service being consumed—then set io.xmlMaxPartBytes to an adequately large number.
• If a service on the Gateway requires WS-Security processing then set io.xmlMaxPartBytes to an adequately large number.
• If multiple services on the Gateway require WS-Security processing then publish a "pre-security" global policy fragment and add the Limit Message Size assertion.

Listen Ports

This is specific to incoming Gateway requests that would be passed through to a backend or processed by Gateway and stopping there. Complete the [Advanced] tab of the Listen Port Properties as follows:

If you need to support large uploads (>2GB), select the "Override maximum message size" check box and specify a new limit or allow unlimited message size.