WSO2 Micro Integrator on Ubuntu 24.04 on Azure User Guide
Overview
WSO2 Micro Integrator is a lightweight, cloud native integration runtime in the enterprise service bus and enterprise application integration tradition. It runs integration artifacts such as REST APIs, proxy services, message mediation sequences and scheduled tasks to connect applications, APIs, databases and messaging systems, routing and transforming messages through a fast Synapse passthrough engine. This cloudimg image runs a single node from the official Apache 2.0 licensed WSO2 Micro Integrator 4.6.0 distribution into /opt/wso2mi, on OpenJDK 21, as a dedicated wso2 system user, and rotates a unique Management API administrator password into the runtime on first boot. Backed by 24/7 cloudimg support.
What is included:
- WSO2 Micro Integrator 4.6.0 from the official OSS distribution, on OpenJDK 21
- The Synapse data plane: HTTP passthrough on
8290and HTTPS passthrough on8253 - A sample REST API (context
/health) deployed on the data plane, so the runtime answers on first boot - The Management API on HTTPS
9164, restricted to the loopback interface by a host firewall and fronted by nginx on port80 - A unique per VM Management API admin password generated on first boot (no shared default credential)
- 24/7 cloudimg support
Only the Apache 2.0 open source runtime is shipped. There is no commercial WSO2 subscription component, and the separate WSO2 Micro Integrator Dashboard is not bundled. The Management API and the internal API (9164 and 9201) are reachable only from the loopback interface, so administrators reach the Management API through the nginx front on port 80 or over an SSH tunnel.
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2ms (2 vCPU / 8 GiB RAM) is a good starting point for a Java integration runtime. NSG inbound: allow 22/tcp from your management network, 80/tcp for the Management API front, and 8290/tcp (and 8253/tcp) if you want your deployed integration endpoints reachable from clients. Restrict every port to trusted networks.
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for WSO2 Micro Integrator by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Then Review + create then Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name wso2mi \
--image <marketplace-image-urn> \
--size Standard_B2ms \
--admin-username azureuser \
--ssh-key-values ~/.ssh/id_ed25519.pub \
--vnet-name <your-vnet> --subnet <your-subnet> \
--public-ip-sku Standard
Step 3 - Connect to your VM
ssh azureuser@<vm-public-ip>
Step 4 - Confirm the runtime is installed and running
Check the release on disk, the Java runtime, and that the services are active:
echo "WSO2 Micro Integrator $(basename $(readlink -f /opt/wso2mi) | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')"
java -version 2>&1 | head -1
systemctl is-active wso2mi nginx wso2mi-loopback-guard
You should see the 4.6.0 release, OpenJDK 21 and three active services:
WSO2 Micro Integrator 4.6.0
openjdk version "21.0.11" 2026-04-21
active
active
active

Step 5 - Confirm the data plane and the listening ports
The Synapse data plane listens on 8290 (HTTP) and 8253 (HTTPS); the Management API on 9164 and the internal API on 9201; nginx on 80. Confirm the ports and hit the deployed sample API on the data plane:
ss -tln | grep -E ':8290 |:8253 |:9164 |:9201 |:80 '
curl -s http://127.0.0.1:8290/health
The sample API answers with a JSON payload, proving a request flows end to end through the passthrough transport:
{"status":"healthy","runtime":"wso2-micro-integrator","cloudimg":true}

Step 6 - Retrieve your per VM admin password
Each VM generates its own unique Management API administrator password on first boot and writes it, along with the resolved URLs, to a root only credentials file:
sudo cat /root/wso2mi-credentials.txt
The file contains WSO2MI_ADMIN_USERNAME (admin), WSO2MI_ADMIN_PASSWORD, the Management API front URL and the data plane URL. Store the password in your secrets manager. In the steps below, <WSO2MI_ADMIN_PASSWORD> stands for the value of WSO2MI_ADMIN_PASSWORD.
Step 7 - Log in to the Management API for a token
The Management API is driven by the WSO2 command line tool and dashboard, and authenticates against the per VM administrator password. Request a token with HTTP Basic authentication (this block reads the password straight from the credentials file, so it runs as is):
PW=$(sudo grep '^WSO2MI_ADMIN_PASSWORD=' /root/wso2mi-credentials.txt | cut -d= -f2-)
curl -sk -u "admin:$PW" https://127.0.0.1:9164/management/login
A successful login returns a JSON AccessToken you can present as a bearer token to the other Management API resources:
{"AccessToken":"eyJraWQiOiJlOWVmMGU4Mi0wY2Y1..."}
You can also reach the Management API through the nginx front on port 80, which reverse proxies to the loopback bound listener. Substitute the real password for <WSO2MI_ADMIN_PASSWORD>:
curl -s -u admin:<WSO2MI_ADMIN_PASSWORD> http://<vm-public-ip>/management/login

Step 8 - The authentication wall
The default admin/admin credential is replaced with a unique per VM password on first boot, before the runtime ever starts, so neither the default password nor any wrong password authenticates. You can confirm the rejection: both return HTTP 401, while your per VM password returns 200 with a token.
echo "admin/admin -> $(curl -sk -o /dev/null -w '%{http_code}' -u admin:admin https://127.0.0.1:9164/management/login)"
echo "wrong pw -> $(curl -sk -o /dev/null -w '%{http_code}' -u admin:wrong-pw https://127.0.0.1:9164/management/login)"
admin/admin -> 401
wrong pw -> 401
Step 9 - Deploy your own integration artifacts
Integration artifacts (REST APIs, proxy services, sequences, scheduled tasks) are hot deployed from the Synapse configuration directory. Drop a Carbon Application (.car) into the carbonapps directory, or a raw Synapse configuration into the synapse-configs tree, and the runtime picks it up. For example, list the deployed APIs directory that holds the shipped sample:
sudo ls /opt/wso2mi/repository/deployment/server/synapse-configs/default/api/
Build Carbon Applications with the WSO2 Integration Studio or the MI for VS Code extension, copy them to /opt/wso2mi/repository/deployment/server/carbonapps/, and confirm deployment through the Management API or the runtime logs at /opt/wso2mi/repository/logs/.
Step 10 - Reach the Management API remotely over an SSH tunnel
The Management API (9164) and internal API (9201) are dropped off box by a host firewall (nftables), so they are reachable only from the loopback interface. Use the nginx front on port 80, or open an SSH tunnel and point a local client at the loopback listener:
# On your workstation:
ssh -L 9164:127.0.0.1:9164 azureuser@<vm-public-ip>
# Then log in through the tunnel (self signed certificate, so -k):
# curl -sk -u admin:<WSO2MI_ADMIN_PASSWORD> https://127.0.0.1:9164/management/login
For production remote administration, front the Management API with a trusted TLS certificate on nginx and restrict access with your NSG. Never expose 9164 directly to the internet.
Maintenance
- Configuration: edit
/opt/wso2mi/conf/deployment.toml(transports, users, mediation settings), thensudo systemctl restart wso2mi. - Password: the per VM password is written into
deployment.tomlon first boot. To rotate it later, update the[[internal_apis.users]]password indeployment.toml, restart the runtime, and update your credentials store. - Logs: runtime and access logs are under
/opt/wso2mi/repository/logs/. - Loopback guard: the nftables table
cloudimg_wso2_guard(servicewso2mi-loopback-guard) restricts9164and9201to loopback; adjust it if you deliberately want the Management API reachable off box behind TLS. - Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.
Support
cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.
WSO2 and WSO2 Micro Integrator are trademarks of WSO2 LLC. This image is provided by cloudimg and is not affiliated with or endorsed by WSO2 LLC. Only the Apache 2.0 licensed open source Micro Integrator runtime is included.