API Developer Portal: Enrollment on Gateway fails due to 'UniqueKeyConflict' error

Article ID: 107541

Products

CA API Gateway, API SECURITY, CA API Developer Portal, CA API Management SaaS

Issue/Introduction

When enrolling the Gateway with the Portal, enrollment may fail with an 'Unable to enroll: RESTMAN' error. In this case the error cites a 'UniqueKeyConflict', as in the following example:

Unable to enroll: RESTMAN failed with result=<class com.l7tech.policy.assertion.AssertionStatus: 0=FINE:No Error> httpStatus=409: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
            <l7:Mapping action="NewOrExisting" errorType="UniqueKeyConflict" srcId="72f4f7b3163310e735f460b5daba111d" type="TRUSTED_CERT">
                <l7:Properties>
                    <l7:Property key="ErrorMessage">
                        <l7:StringValue>(thumbprintSha1)  must be unique</l7:StringValue>
                    </l7:Property>
                </l7:Properties>
            </l7:Mapping>
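Added example (not part of the original article and not vendor tooling): a small Python helper that takes the error text copied from the enrollment dialog and lists each conflicting mapping with its entity type, srcId and message, so you can see which item to look for during cleanup. The function names and the placeholder namespace URI are assumptions made for this illustration; the sample input is the error text quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the enrollment error text quoted in this article.
SAMPLE_ERROR = """Unable to enroll: RESTMAN failed with result=<class com.l7tech.policy.assertion.AssertionStatus: 0=FINE:No Error> httpStatus=409: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<l7:Mapping action="NewOrExisting" errorType="UniqueKeyConflict" srcId="72f4f7b3163310e735f460b5daba111d" type="TRUSTED_CERT">
  <l7:Properties>
    <l7:Property key="ErrorMessage">
      <l7:StringValue>(thumbprintSha1)  must be unique</l7:StringValue>
    </l7:Property>
  </l7:Properties>
</l7:Mapping>
"""

# Placeholder namespace URI (assumption): it only binds the "l7" prefix so the
# pasted fragment parses; elements are matched by local name, not namespace.
PLACEHOLDER_NS = "urn:example:l7-placeholder"
MAPPING_RE = re.compile(r"<l7:Mapping\b[^>]*?(?:/>|>.*?</l7:Mapping>)", re.S)


def local(tag):
    """Strip the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]


def failed_mappings(error_text):
    """Return one dict per <l7:Mapping> in the text that has an errorType."""
    status = re.search(r"httpStatus=(\d+)", error_text)
    body = "".join(MAPPING_RE.findall(error_text))
    root = ET.fromstring('<r xmlns:l7="%s">%s</r>' % (PLACEHOLDER_NS, body))
    results = []
    for mapping in root:
        if "errorType" not in mapping.attrib:
            continue  # this mapping was applied without a conflict
        message = ""
        for node in mapping.iter():
            if local(node.tag) == "Property" and node.get("key") == "ErrorMessage":
                message = " ".join("".join(node.itertext()).split())
        results.append({
            "httpStatus": int(status.group(1)) if status else None,
            "type": mapping.get("type"),
            "srcId": mapping.get("srcId"),
            "errorType": mapping.get("errorType"),
            "message": message,
        })
    return results
```

For the sample above, `failed_mappings(SAMPLE_ERROR)` returns a single entry of type TRUSTED_CERT with errorType UniqueKeyConflict, which points at a certificate already present on the Gateway.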

Cause

There are several possible root causes, depending on the situation. The most common causes include, but are not limited to:

  • SSL-related or DNS-related
  • Requirements not being met
  • Leftover data after a failed import causing conflicts

Environment

This impacts all API Gateway versions that can be enrolled with supported versions of the API Developer Portal and API Management SaaS.

Resolution

The Gateway must be cleaned up to resolve the conflicts.

To clean up the API Gateway after a failed enrollment:

  1. In Policy Manager, log in to the Gateway as an administrator user.
  2. On the Tasks menu, click Certificates, Keys and Secrets and Manage Certificates. Use the dialog to remove the apim-ssg (subject DN will contain a wildcard), PSSG and DSSG certificates. Note: Do not delete the API Gateway’s self-signed SSL certificate (Subject DN = hostname-ssg.dev.ca.com). Make sure to back up (export) the wildcard cert before removing it. In most cases this file should auto-repopulate, but if anything goes wrong it's best to have a backup.
  3. On the Tasks menu, click Certificates, Keys and Secrets and Manage Private Keys. Use the dialog to remove the portalman private key.
  4. On the Tasks menu, click Global Settings and Manage Scheduled Tasks. Use the dialog to remove the following tasks:
    • Portal Sync Application 
    • Portal Sync API 
    • Portal Tenant Sync Policy Template 
    • Portal Sync Account Plan 
    • Portal Bulk Sync Application 
    • Portal Check Bundle Version 
    • Delete Portal Entities 
    • Move Metrics Data Off Box Task 
    • Portal Sync SSO Configuration
  5. On the Tasks menu, click Global Settings and Manage Cluster-wide Properties. Use the dialog to remove all properties that begin with portal.
  6. Finally, review the list of service folders in Policy Manager and remove any of the following if they are present in the system:
    • API Portal Integration
    • API Portal SSO
    • APIs Deleted from Portal

To enroll the Gateway with Portal again after the cleanup steps are completed:

  1. Log in to the API Portal as an API Portal administrator.
  2. On the navigation bar, open the Settings menu and click API Proxy.
  3. On the API Proxy page, click Add Proxy to add a new API proxy, enter a different name, and click Create.
  4. Copy the enrollment URL. 
  5. Connect to the API Gateway with the Policy Manager.
  6. In the Policy Manager, click Tasks on the top menu bar. 
  7. On the menu, click Extensions and Add-Ons, Enroll with Portal.
  8. Paste the enrollment URL in the Enroll with SaaS Portal window. 
  9. On the API Proxy page, delete the old API proxy which is enrolled with the same API Gateway.