After upgrading to Gateway 9.4 and above the below error is seen when trying to create or modify a listen port.

The server private key uses RSA crypto, but at least one TLS_ECDH_ECDSA/TLS_ECDHE_ECDSA/TLS_ECDH_RSA cipher suite is enabled.

API Gateway 9.4+

This occurs because you are using an RSA private key with elliptic curve ciphers. 

When a RSA key is chosen, the following cipher suite combo -TLS_ECDH_ECDSA/TLS_ECDHE_ECDSA/TLS_ECDH_RSA are not supported by a RSA key which results in this error.

To fix this you would need to deselect all elliptic curve ciphers. As they will not even be negotiated on the handshake this should not have any negative impact. 

Note: This can happen even if you are not explicitly changing any ciphers on the listen port. Any modification to a listen port properties will enforce this check

Details about changing the cipher suits can be found here:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-1/security-configuration-in-policy-manager/tasks-menu-security-options/manage-listen-ports/listen-port-properties.html