Application Servers Azure

WSO2 Micro Integrator on Ubuntu 24.04 on Azure User Guide

| Product: WSO2 Micro Integrator on Ubuntu 24.04 LTS on Azure

Overview

WSO2 Micro Integrator is a lightweight, cloud native integration runtime in the enterprise service bus and enterprise application integration tradition. It runs integration artifacts such as REST APIs, proxy services, message mediation sequences and scheduled tasks to connect applications, APIs, databases and messaging systems, routing and transforming messages through a fast Synapse passthrough engine. This cloudimg image runs a single node from the official Apache 2.0 licensed WSO2 Micro Integrator 4.6.0 distribution into /opt/wso2mi, on OpenJDK 21, as a dedicated wso2 system user, and rotates a unique Management API administrator password into the runtime on first boot. Backed by 24/7 cloudimg support.

What is included:

  • WSO2 Micro Integrator 4.6.0 from the official OSS distribution, on OpenJDK 21
  • The Synapse data plane: HTTP passthrough on 8290 and HTTPS passthrough on 8253
  • A sample REST API (context /health) deployed on the data plane, so the runtime answers on first boot
  • The Management API on HTTPS 9164, restricted to the loopback interface by a host firewall and fronted by nginx on port 80
  • A unique per VM Management API admin password generated on first boot (no shared default credential)
  • 24/7 cloudimg support

Only the Apache 2.0 open source runtime is shipped. There is no commercial WSO2 subscription component, and the separate WSO2 Micro Integrator Dashboard is not bundled. The Management API and the internal API (9164 and 9201) are reachable only from the loopback interface, so administrators reach the Management API through the nginx front on port 80 or over an SSH tunnel.

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2ms (2 vCPU / 8 GiB RAM) is a good starting point for a Java integration runtime. NSG inbound: allow 22/tcp from your management network, 80/tcp for the Management API front, and 8290/tcp (and 8253/tcp) if you want your deployed integration endpoints reachable from clients. Restrict every port to trusted networks.

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for WSO2 Micro Integrator by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Then Review + create then Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name wso2mi \
  --image <marketplace-image-urn> \
  --size Standard_B2ms \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_ed25519.pub \
  --vnet-name <your-vnet> --subnet <your-subnet> \
  --public-ip-sku Standard

Step 3 - Connect to your VM

ssh azureuser@<vm-public-ip>

Step 4 - Confirm the runtime is installed and running

Check the release on disk, the Java runtime, and that the services are active:

echo "WSO2 Micro Integrator $(basename $(readlink -f /opt/wso2mi) | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')"
java -version 2>&1 | head -1
systemctl is-active wso2mi nginx wso2mi-loopback-guard

You should see the 4.6.0 release, OpenJDK 21 and three active services:

WSO2 Micro Integrator 4.6.0
openjdk version "21.0.11" 2026-04-21
active
active
active

WSO2 Micro Integrator version, Java runtime and the data plane health API

Step 5 - Confirm the data plane and the listening ports

The Synapse data plane listens on 8290 (HTTP) and 8253 (HTTPS); the Management API on 9164 and the internal API on 9201; nginx on 80. Confirm the ports and hit the deployed sample API on the data plane:

ss -tln | grep -E ':8290 |:8253 |:9164 |:9201 |:80 '
curl -s http://127.0.0.1:8290/health

The sample API answers with a JSON payload, proving a request flows end to end through the passthrough transport:

{"status":"healthy","runtime":"wso2-micro-integrator","cloudimg":true}

WSO2 Micro Integrator services, listening ports and the loopback guard on the management ports

Step 6 - Retrieve your per VM admin password

Each VM generates its own unique Management API administrator password on first boot and writes it, along with the resolved URLs, to a root only credentials file:

sudo cat /root/wso2mi-credentials.txt

The file contains WSO2MI_ADMIN_USERNAME (admin), WSO2MI_ADMIN_PASSWORD, the Management API front URL and the data plane URL. Store the password in your secrets manager. In the steps below, <WSO2MI_ADMIN_PASSWORD> stands for the value of WSO2MI_ADMIN_PASSWORD.

Step 7 - Log in to the Management API for a token

The Management API is driven by the WSO2 command line tool and dashboard, and authenticates against the per VM administrator password. Request a token with HTTP Basic authentication (this block reads the password straight from the credentials file, so it runs as is):

PW=$(sudo grep '^WSO2MI_ADMIN_PASSWORD=' /root/wso2mi-credentials.txt | cut -d= -f2-)
curl -sk -u "admin:$PW" https://127.0.0.1:9164/management/login

A successful login returns a JSON AccessToken you can present as a bearer token to the other Management API resources:

{"AccessToken":"eyJraWQiOiJlOWVmMGU4Mi0wY2Y1..."}

You can also reach the Management API through the nginx front on port 80, which reverse proxies to the loopback bound listener. Substitute the real password for <WSO2MI_ADMIN_PASSWORD>:

curl -s -u admin:<WSO2MI_ADMIN_PASSWORD> http://<vm-public-ip>/management/login

WSO2 Micro Integrator Management API login: default and wrong passwords rejected, per VM password returns a token

Step 8 - The authentication wall

The default admin/admin credential is replaced with a unique per VM password on first boot, before the runtime ever starts, so neither the default password nor any wrong password authenticates. You can confirm the rejection: both return HTTP 401, while your per VM password returns 200 with a token.

echo "admin/admin -> $(curl -sk -o /dev/null -w '%{http_code}' -u admin:admin https://127.0.0.1:9164/management/login)"
echo "wrong pw    -> $(curl -sk -o /dev/null -w '%{http_code}' -u admin:wrong-pw https://127.0.0.1:9164/management/login)"
admin/admin -> 401
wrong pw    -> 401

Step 9 - Deploy your own integration artifacts

Integration artifacts (REST APIs, proxy services, sequences, scheduled tasks) are hot deployed from the Synapse configuration directory. Drop a Carbon Application (.car) into the carbonapps directory, or a raw Synapse configuration into the synapse-configs tree, and the runtime picks it up. For example, list the deployed APIs directory that holds the shipped sample:

sudo ls /opt/wso2mi/repository/deployment/server/synapse-configs/default/api/

Build Carbon Applications with the WSO2 Integration Studio or the MI for VS Code extension, copy them to /opt/wso2mi/repository/deployment/server/carbonapps/, and confirm deployment through the Management API or the runtime logs at /opt/wso2mi/repository/logs/.

Step 10 - Reach the Management API remotely over an SSH tunnel

The Management API (9164) and internal API (9201) are dropped off box by a host firewall (nftables), so they are reachable only from the loopback interface. Use the nginx front on port 80, or open an SSH tunnel and point a local client at the loopback listener:

# On your workstation:
ssh -L 9164:127.0.0.1:9164 azureuser@<vm-public-ip>

# Then log in through the tunnel (self signed certificate, so -k):
#   curl -sk -u admin:<WSO2MI_ADMIN_PASSWORD> https://127.0.0.1:9164/management/login

For production remote administration, front the Management API with a trusted TLS certificate on nginx and restrict access with your NSG. Never expose 9164 directly to the internet.

Maintenance

  • Configuration: edit /opt/wso2mi/conf/deployment.toml (transports, users, mediation settings), then sudo systemctl restart wso2mi.
  • Password: the per VM password is written into deployment.toml on first boot. To rotate it later, update the [[internal_apis.users]] password in deployment.toml, restart the runtime, and update your credentials store.
  • Logs: runtime and access logs are under /opt/wso2mi/repository/logs/.
  • Loopback guard: the nftables table cloudimg_wso2_guard (service wso2mi-loopback-guard) restricts 9164 and 9201 to loopback; adjust it if you deliberately want the Management API reachable off box behind TLS.
  • Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.

Support

cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.

WSO2 and WSO2 Micro Integrator are trademarks of WSO2 LLC. This image is provided by cloudimg and is not affiliated with or endorsed by WSO2 LLC. Only the Apache 2.0 licensed open source Micro Integrator runtime is included.