Virtual Server Installation
Apinizer ships as self-contained standalone packages with bundled OpenJDK 25 — no host Java required. Sensitive configuration (MongoDB connection URI, etc.) is encrypted in place via a Jasypt master key; the JVM never sees ciphertext and the master key never leaves the host filesystem.
The installer needs root privileges via sudo, but no interactive root login is required. This is compatible with hardened environments where direct root SSH is disabled (common in finance and regulated sectors).
Installation Flow
Install modules in this order:
- MongoDB — Required, must be pre-configured and reachable
- API Manager — Required, the management console
- API Gateway (Worker) — Required, the API Gateway runtime
- Optional: Cache, Integration, API Portal
General Requirements
Common requirements for all modules:
- Linux x86-64 (glibc) — Ubuntu 20.04+, RHEL/Rocky/Alma 8+, Debian 11+, Oracle Linux 8+
- An operator with sudo privilege (no root login required)
- openssl, systemd, tar, curl (typically pre-installed)
- A reachable Apinizer MongoDB instance (replica set recommended for production)
MongoDB is mandatory; all other modules depend on it. Elasticsearch is optional.
Pre-installation: Decide which optional modules you need (Cache for quota state, Integration for task flows, API Portal for end-users). This determines which download steps to prepare in advance.
API Manager Installation
The Apinizer Management Console (API Manager) is the component through which Apinizer is managed. It is the central hub for proxy configuration, environment management, user access control and monitoring.
1. Download
Download the latest tarball from packages.apinizer.com:
VERSION=2026.04.2
curl -fSLO "https://packages.apinizer.com/apinizer-packages/apimanager/${VERSION}/apinizer-apimanager-${VERSION}-linux-x64.tar.gz"
curl -fSLO "https://packages.apinizer.com/apinizer-packages/apimanager/${VERSION}/checksums.sha256"
sha256sum -c checksums.sha256
2. Extract
sudo mkdir -p /opt
sudo tar -xzf apinizer-apimanager-${VERSION}-linux-x64.tar.gz -C /opt
sudo mv /opt/apinizer-apimanager-${VERSION} /opt/apinizer-manager
The package layout is:
/opt/apinizer-manager/
├── bin/ # start / stop / install / encrypt scripts and systemd unit
├── conf/ # application.env (master.key generated by installer)
├── lib/ # Spring Boot fat jar + lib/jasypt/ helper jar
├── runtime/ # Bundled OpenJDK 25 (Temurin)
└── logs/ # Runtime logs (created on first start)
3. Configure
Edit conf/application.env and provide the required parameters:
sudo vi /opt/apinizer-manager/conf/application.env
| Key | Description |
|---|---|
| SPRING_DATA_MONGODB_URI | MongoDB connection string (e.g. mongodb://user:pass@host:25080/?replicaSet=rs0&authSource=admin) |
| SPRING_DATA_MONGODB_DATABASE | Database name (e.g. apinizer) |
Optional sections cover SSL, server port, JVM tuning, and logging path.
Plaintext values are accepted at this point — do not start the service yet. The next step encrypts them in place.
4. Run the Installer
The installer creates a dedicated apinizer system user, sets file permissions, generates a random Jasypt master key in conf/master.key, and registers the systemd service.
sudo /opt/apinizer-manager/bin/apimanager-install.sh
To delegate this to a non-root operator without granting full root, add a sudoers entry:
apinizer-admin ALL=(root) NOPASSWD: /opt/apinizer-manager/bin/apimanager-install.sh
After install, the master key is owned by apinizer:apinizer and is mode 400 — only the service user can read it.
5. Encrypt Sensitive Values
Run the encrypt helper with no arguments to encrypt the standard fields in conf/application.env in place. Already-encrypted (or empty) values are skipped, and a timestamped backup is written next to the file.
sudo -u apinizer /opt/apinizer-manager/bin/apimanager-encrypt.sh
The standard fields it encrypts are:
- SPRING_DATA_MONGODB_URI
- SPRING_DATA_MONGODB_DATABASE
After it runs, the env file looks like this (values quoted so bash source does not choke on the parentheses):
SPRING_DATA_MONGODB_URI="ENC(eXq1J9z...kTu4=)"
SPRING_DATA_MONGODB_DATABASE="ENC(zMv3K7p...lQw9=)"
6. Start the Service
sudo systemctl start apinizer-apimanager
sudo systemctl status apinizer-apimanager
sudo journalctl -u apinizer-apimanager -f
The service is enabled at install time, so it will also start automatically after a reboot.
7. Verify
Confirm the API Manager is responding on the configured port (default 8080):
curl -fsS http://127.0.0.1:8080/management/health
Expected: a 200 OK response with health details (visible to authenticated admins; anonymous responses contain only the status).
Operations
sudo systemctl status apinizer-apimanager
sudo systemctl restart apinizer-apimanager
sudo systemctl stop apinizer-apimanager
sudo journalctl -u apinizer-apimanager -f
Manual control (without systemd):
sudo -u apinizer /opt/apinizer-manager/bin/apimanager-start.sh # background
sudo -u apinizer /opt/apinizer-manager/bin/apimanager-start.sh -f # foreground
sudo -u apinizer /opt/apinizer-manager/bin/apimanager-stop.sh
Security Model
- apinizer is a system account with /sbin/nologin — no interactive shell.
- conf/master.key is mode 400, owned by apinizer. Only that user (and root) can read it.
- conf/application.env is mode 600. ENC(...) values are decrypted by bin/apimanager-start.sh at boot (using the bundled lib/jasypt/jasypt-*.jar + the master key) and exported to the JVM as plain values. The JVM never sees the ciphertext; the master key never leaves the host filesystem.
- The systemd unit applies hardening flags: NoNewPrivileges, PrivateTmp, ProtectSystem=strict, ProtectHome, ReadWritePaths=…/logs. Application can only write under logs/.
Back up conf/master.key to your secrets vault. If the master key is lost, all ENC(...) values are unrecoverable and must be re-entered in plaintext, then re-encrypted with a new key.
For API Manager troubleshooting, see Troubleshooting.
For upgrading or uninstalling this module, see Version Upgrade and Uninstall pages.
Next Step — Gateway Installation (Mandatory)
API Manager is now installed and running. You must now install at least one Gateway and define it as an environment in the Manager — this is Apinizer's actual API Gateway and is mandatory for routing API traffic.
API Gateway (Worker) Installation and Configuration
The Gateway (Worker) is Apinizer's actual API Gateway module — the entry point for API requests and where policies are applied. On a virtual server, the Gateway is installed on a separate host (or the same host) and registered with the Manager as a Remote Environment.
1. Download
Download the latest tarball from packages.apinizer.com:
VERSION=2026.04.2
curl -fSLO "https://packages.apinizer.com/apinizer-packages/worker/${VERSION}/apinizer-worker-${VERSION}-linux-x64.tar.gz"
curl -fSLO "https://packages.apinizer.com/apinizer-packages/worker/${VERSION}/checksums.sha256"
sha256sum -c checksums.sha256
2. Extract
sudo mkdir -p /opt
sudo tar -xzf apinizer-worker-${VERSION}-linux-x64.tar.gz -C /opt
sudo mv /opt/apinizer-worker-${VERSION} /opt/apinizer-worker
The package layout is:
/opt/apinizer-worker/
├── bin/ # start / stop / install / encrypt scripts and systemd unit
├── conf/ # apinizer-worker.env (master.key generated by installer)
├── lib/ # Worker shaded launcher jar + lib/jasypt/ helper jar
├── runtime/ # Bundled OpenJDK 25 (Temurin)
└── logs/ # Runtime logs (created on first start)
3. Configure
Edit conf/apinizer-worker.env and provide the required parameters:
sudo vi /opt/apinizer-worker/conf/apinizer-worker.env
| Key | Description |
|---|---|
| SPRING_DATA_MONGODB_URI | MongoDB connection string (e.g. mongodb://user:pass@host:25080/?replicaSet=rs0&authSource=admin) |
| SPRING_DATA_MONGODB_DATABASE | Database name (e.g. apinizer) |
| APINIZER_ENVIRONMENT_NAME | Name of the Environment to bind this Worker to. Must exactly match an Environment created in API Manager (Server Management → Environments). In Kubernetes the Worker reads this from the pod namespace; in standalone mode you must set it explicitly. Setting this also flips ApiGateway.standalone=true and is logged at startup. |
| WORKER_TIMEZONE | Timezone offset (e.g. +03:00) |
Optional sections cover JVM tuning, Undertow thread/buffer sizes, HTTP/2, WebSocket, gRPC, CORS defaults, X-Forwarded-For parsing and multipart upload limits. Recommended defaults for production:
JAVA_OPTS="-server -XX:MaxRAMPercentage=75.0 -Dhttp.maxConnections=4096 -Dlog4j.formatMsgNoLookups=true"
tuneWorkerThreads=1024
tuneWorkerMaxThreads=4096
tuneBufferSize=16384
tuneIoThreads=4
tuneBacklog=10000
tuneRoutingConnectionPoolMaxConnectionPerHost=1024
tuneRoutingConnectionPoolMaxConnectionTotal=4096
tuneReadTimeout=30000
tuneNoRequestTimeout=60000
If the Gateway type will serve HTTP + WebSocket traffic, set http2Enabled=false. Many WebSocket clients do not negotiate HTTP/2 cleanly, so leaving HTTP/2 off avoids handshake regressions.
Plaintext values are accepted at this point — do not start the service yet. The next step encrypts them in place.
4. Run the Installer
The installer creates a dedicated apinizer system user, sets file permissions, generates a random Jasypt master key in conf/master.key, and registers the systemd service.
sudo /opt/apinizer-worker/bin/apiworker-install.sh
To delegate this to a non-root operator without granting full root, add a sudoers entry:
apinizer-admin ALL=(root) NOPASSWD: /opt/apinizer-worker/bin/apiworker-install.sh
After install, the master key is owned by apinizer:apinizer and is mode 400 — only the service user can read it.
5. Encrypt Sensitive Values
Run the encrypt helper with no arguments to encrypt the standard fields in conf/apinizer-worker.env in place. Already-encrypted (or empty) values are skipped, and a timestamped backup is written next to the file.
sudo -u apinizer /opt/apinizer-worker/bin/apiworker-encrypt.sh
The standard fields it encrypts are:
- SPRING_DATA_MONGODB_URI
- SPRING_DATA_MONGODB_DATABASE
After it runs, the env file looks like this (values quoted so bash source does not choke on the parentheses):
SPRING_DATA_MONGODB_URI="ENC(eXq1J9z...kTu4=)"
SPRING_DATA_MONGODB_DATABASE="ENC(zMv3K7p...lQw9=)"
6. Start the Service
sudo systemctl start apinizer-apiworker
sudo systemctl status apinizer-apiworker
sudo journalctl -u apinizer-apiworker -f
The service is enabled at install time, so it will also start automatically after a reboot.
7. Verify
The Worker is a non-Spring traffic gateway — it does not expose a /management/health endpoint. To verify it has started, watch the journal log for the listener line:
sudo journalctl -u apinizer-apiworker -f | grep -E 'Listener|started|ApiGateway'
You should see Undertow bind to the configured ports (HTTP/HTTPS/gRPC depending on which Gateway Runtimes you have deployed from the Manager).
Operations
sudo systemctl status apinizer-apiworker
sudo systemctl restart apinizer-apiworker
sudo systemctl stop apinizer-apiworker
sudo journalctl -u apinizer-apiworker -f
Manual control (without systemd):
sudo -u apinizer /opt/apinizer-worker/bin/apiworker-start.sh # background
sudo -u apinizer /opt/apinizer-worker/bin/apiworker-start.sh -f # foreground
sudo -u apinizer /opt/apinizer-worker/bin/apiworker-stop.sh
Security Model
- apinizer is a system account with /sbin/nologin — no interactive shell.
- conf/master.key is mode 400, owned by apinizer. Only that user (and root) can read it.
- conf/apinizer-worker.env is mode 600. ENC(...) values are decrypted by bin/apiworker-start.sh at boot (using the bundled lib/jasypt/jasypt-*.jar + the master key) and exported to the JVM as plain values. The JVM never sees the ciphertext; the master key never leaves the host filesystem.
- The systemd unit applies hardening flags: NoNewPrivileges, PrivateTmp, ProtectSystem=strict, ProtectHome, ReadWritePaths=…/logs. Application can only write under logs/.
- File handle limit (LimitNOFILE=1048576) and process limit (LimitNPROC=65536) are raised — the Worker terminates a high number of concurrent client sockets and benefits from generous ulimits.
Back up conf/master.key to your secrets vault. If the master key is lost, all ENC(...) values are unrecoverable and must be re-entered in plaintext, then re-encrypted with a new key.
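The file modes and encrypted fields listed under Security Model, for both API Manager and the Gateway, can be checked before a service is started. The script below is an added example, not part of the Apinizer package: the function names audit_conf and check_mode are hypothetical, and it assumes GNU stat.

```shell
#!/usr/bin/env bash
# Added example, not shipped with Apinizer. Assumes GNU stat (Linux).

# check_mode <path> <octal-mode> <owner>: report a missing file or a mismatch.
check_mode() {
  local actual
  actual=$(stat -c '%a %U' "$1" 2>/dev/null) || { echo "MISSING $1"; return 1; }
  [ "$actual" = "$2 $3" ] || { echo "PERM $1 is '$actual', want '$2 $3'"; return 1; }
}

# audit_conf <install_dir> <env_file_name> [owner]
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_conf() {
  local env_file="$1/conf/$2" owner="${3:-apinizer}" rc=0 key val
  check_mode "$1/conf/master.key" 400 "$owner" || rc=1
  check_mode "$env_file" 600 "$owner" || rc=1

  # The standard fields must hold quoted ENC(...) values, never plaintext.
  for key in SPRING_DATA_MONGODB_URI SPRING_DATA_MONGODB_DATABASE; do
    val=$(sed -n "s/^${key}=//p" "$env_file" 2>/dev/null | tail -n 1)
    case $val in
      '"ENC('*')"') ;;                              # encrypted and quoted
      '' | '""')    echo "EMPTY $key"; rc=1 ;;
      *)            echo "PLAINTEXT $key"; rc=1 ;;  # the value is never echoed
    esac
  done
  return "$rc"
}

# Example: audit_conf /opt/apinizer-worker apinizer-worker.env
```

Run it as root (for example from a sudo shell), since conf/master.key and the env file are readable only by apinizer and root.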
For Gateway (Worker) troubleshooting, see Troubleshooting.
For upgrading or uninstalling this module, see Version Upgrade and Uninstall pages.
Defining the Gateway as an Environment in the Manager
After the Gateway server is installed on Linux and the apinizer-apiworker.service is running, open Server Management → Gateway Runtimes → New in the Manager UI.

Form Fields
| Field | Value |
|---|---|
| Platform | Virtual Server |
| Management Type | Remote Gateway |
| Environment Type | DEV / TEST / PROD |
| Communication Protocol Type | Matches the service you exposed (HTTP / HTTPS / gRPC / WebSocket) |
| Environment Name | Must exactly match the APINIZER_ENVIRONMENT_NAME env value (case-sensitive) |
| Environment Key | API URL prefix (e.g., prod) |
| Access URL | Gateway external access URL (e.g., https://gateway.example.com) |
Gateway Node List (Manual URL Table)
When Remote Gateway is selected, a Gateway Node List table appears on the form. For each node:
| Field | Description |
|---|---|
| Name | Identifier (e.g., node-1) |
| Gateway Management API URL | http://<NODE_IP>:8091 (Gateway Management API endpoint) |
| Cache Management API URL | http://<CACHE_IP>:8092 (Cache Management API endpoint, if used) |
These URLs must be reachable from Manager. Manager uses these addresses for proxy push, health checks, and diagnostics on the Gateway. Make sure firewall rules and port forwarding allow Manager → Worker 8091 traffic.
Publishing the Environment
Click Create. For a virtual-server Gateway, Apinizer does NOT perform any deployment — the Gateway was already installed on Linux in the steps above. Manager only records the connection metadata and attempts to connect to the Gateway. If successful, the environment is marked as published.
After publishing, you can deploy API Proxies to this Remote Gateway. Manager pushes API Proxy YAMLs to the Gateway's Management API endpoint.
For Gateway additional variables (JVM tuning, gRPC, WebSocket, CORS, security, etc.) and configurations (System Settings, Backup, etc.), see Gateway Settings.
Common Settings
JVM Tuning
API Manager and Gateway both support heap and GC parameter tuning:
For API Manager, edit conf/application.env:
JAVA_OPTS="-Xms1g -Xmx2g -XX:+UseG1GC"
jvmOverride=true
For Gateway, edit conf/apinizer-worker.env:
JAVA_OPTS="-server -XX:MaxRAMPercentage=75.0 -XX:+UseG1GC"
jvmOverride=true
When jvmOverride=true, your JAVA_OPTS take precedence over the auto-detection defaults.