Layer7 API Gateway: Unable to create or manage listen ports


Article ID: 126731


Updated On:

Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

After upgrading to Gateway 9.4, the following error is seen when trying to create or modify a listen port.

The server private key uses RSA crypto, but at least one TLS_ECDH_ECDSA/TLS_ECDHE_ECDSA/TLS_ECDH_RSA cipher suite is enabled.


Environment

Release:
Component: APIESM

Resolution

This occurs because you are using an RSA private key together with elliptic curve cipher suites.

When an RSA key is chosen, the TLS_ECDH_ECDSA, TLS_ECDHE_ECDSA and TLS_ECDH_RSA cipher suites cannot be used with that key, and enabling any of them results in this error.

To fix this, deselect all elliptic curve cipher suites on the listen port. Since these suites could never be negotiated during the handshake with an RSA key, removing them has no negative impact.
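The consistency check the gateway applies, reconstructed as an added example rather than the product's own code: given the listen port's key type and its enabled cipher suites, it flags the suites that key can never serve and strips them, producing the article's error text. The prefix table, function names and sample cipher list are assumptions; the table also covers the reverse case of an EC key with RSA-only suites, which the article does not discuss.

```python
from typing import List, Optional
# Server key type each key-exchange prefix requires (assumption: standard IANA
# suite names). None means no constraint, e.g. the TLS 1.3 suites.
_REQUIRED_KEY = {
    "TLS_RSA_WITH": "RSA",
    "TLS_DHE_RSA_WITH": "RSA",
    "TLS_ECDHE_RSA_WITH": "RSA",
    "TLS_ECDH_ECDSA_WITH": "EC",
    "TLS_ECDHE_ECDSA_WITH": "EC",
    "TLS_ECDH_RSA_WITH": "EC",  # static ECDH: EC server key, RSA-signed cert
}

def required_key_type(suite: str) -> Optional[str]:
    """Return 'RSA', 'EC' or None (unconstrained) for a cipher suite name."""
    for prefix, key_type in _REQUIRED_KEY.items():
        if suite.startswith(prefix):
            return key_type
    return None

def incompatible_suites(server_key: str, enabled: List[str]) -> List[str]:
    """Suites that can never be negotiated with a server key of this type."""
    server_key = server_key.upper()
    return [s for s in enabled if required_key_type(s) not in (None, server_key)]

def check_listen_port(server_key: str, enabled: List[str]) -> Optional[str]:
    """Reconstructed consistency check: the article's error text, or None."""
    bad = incompatible_suites(server_key, enabled)
    if not bad:
        return None
    families = sorted({s.split("_WITH_")[0] for s in bad})
    return (f"The server private key uses {server_key.upper()} crypto, but at "
            f"least one {'/'.join(families)} cipher suite is enabled.")

def fixed_cipher_list(server_key: str, enabled: List[str]) -> List[str]:
    """The article's resolution: drop the suites the key cannot serve."""
    bad = set(incompatible_suites(server_key, enabled))
    return [s for s in enabled if s not in bad]

# Constructed sample listen-port cipher list; not taken from any real gateway.
SAMPLE_CIPHERS = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    print(check_listen_port("RSA", SAMPLE_CIPHERS))
    print(fixed_cipher_list("RSA", SAMPLE_CIPHERS))
```

Note that TLS_ECDHE_RSA suites survive the fix: they use the RSA key only for signing, so an RSA listen port can keep forward-secret ECDHE without triggering the check.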


Additional Information

Note: This can happen even if you are not explicitly changing any ciphers on the listen port. Any modification to a listen port's properties will enforce this check.

Details about changing the cipher suites can be found here:

https://docops.ca.com/ca-api-gateway/9-4/en/security-configuration-in-policy-manager/tasks-menu-security-options/manage-listen-ports/listen-port-properties