Unable to get the Gateway to use the HSM for certificate and key storage.

Article ID: 145596

Products

CA API Gateway
API SECURITY
CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7)
CA API Gateway Enterprise Service Manager (Layer 7)
STARTER PACK-7
CA Microgateway

Issue/Introduction

The Gateway continues to use the default internal keystore after the ssg restart, even though the HSM configuration steps completed successfully without errors.

The ssg log on startup says:

2019-08-15T15:28:14.600+0100 INFO 1 com.l7tech.server.security.keystore.SsgKeyStoreManagerImpl: ignoring keystore_file row with a format of hsm.Ncipher because this Gateway node is not configured to use an nCipher HSM

While the HSM status in the ssg menu says:

The gateway is now configured to use the HSM Thales module.

Environment

Release:

Component: API GTW

Resolution

After adding some debug logging, the problem turned out to be caused by the instructions to use BouncyCastle as the JCE provider in order to enable SSL for MySQL server JDBC connections, as documented in:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/security-configuration-in-policy-manager/tasks-menu-security-options/manage-jdbc-connections/set-jdbc-connection-properties.html

The Thales security module requires nCipher as the JCE provider; it will not work with BouncyCastle.

If this property is set, remove the following line from system.properties to enable the HSM, then restart the Gateway:

com.l7tech.common.security.jceProviderEngineName=bc
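As an added example (not part of this article and not Broadcom's own tooling), the following POSIX shell script checks a system.properties file for the BouncyCastle provider setting, checks the ssg log for the "ignoring keystore_file row" message, and then backs up the properties file and removes the offending line. The file paths are passed as arguments; the sample system.properties and the log file name ssg.log created by make_sample_files are constructed for the example, so on a real Gateway you would pass the actual locations of system.properties and the ssg log instead.

```shell
#!/bin/sh
# Added example, not from the KB article: detect the BouncyCastle JCE
# provider setting that stops the Gateway from using the nCipher (Thales)
# HSM, and remove it. File paths are arguments; the sample files created by
# make_sample_files are constructed for this example.

BC_LINE_RE='^[[:space:]]*com\.l7tech\.common\.security\.jceProviderEngineName[[:space:]]*=[[:space:]]*bc[[:space:]]*$'

# Succeeds when the properties file pins the JCE provider to BouncyCastle.
jce_provider_is_bc() {
    grep -Eq "$BC_LINE_RE" "$1"
}

# Succeeds when the ssg log shows the HSM keystore row being skipped at startup.
log_shows_hsm_ignored() {
    grep -q 'ignoring keystore_file row with a format of hsm.Ncipher' "$1"
}

# Back up the properties file and drop the BouncyCastle line so the Gateway can
# load the nCipher provider on its next restart. Returns 0 when a line was
# removed, 1 when the file did not contain it.
remove_bc_provider_line() {
    props="$1"
    jce_provider_is_bc "$props" || return 1
    cp "$props" "$props.bak"
    grep -Ev "$BC_LINE_RE" "$props" > "$props.tmp" || true
    mv "$props.tmp" "$props"
}

# Create constructed sample files in a temporary directory and print its path.
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/system.properties" <<'EOF'
# constructed sample: a system.properties edited per the JDBC SSL instructions
com.l7tech.common.security.jceProviderEngineName=bc
EOF
    cat > "$dir/ssg.log" <<'EOF'
2019-08-15T15:28:14.600+0100 INFO 1 com.l7tech.server.security.keystore.SsgKeyStoreManagerImpl: ignoring keystore_file row with a format of hsm.Ncipher because this Gateway node is not configured to use an nCipher HSM
EOF
    printf '%s\n' "$dir"
}

# Walk through the diagnosis and the fix on the constructed sample files.
main() {
    dir=$(make_sample_files)
    if log_shows_hsm_ignored "$dir/ssg.log" && jce_provider_is_bc "$dir/system.properties"; then
        echo "HSM keystore row ignored and JCE provider pinned to bc: removing the line"
        remove_bc_provider_line "$dir/system.properties"
        echo "Backup written to $dir/system.properties.bak; restart the Gateway to apply"
    else
        echo "No BouncyCastle provider conflict found"
    fi
    rm -rf "$dir"
}

main
```

The removal is deliberately limited to the exact `jceProviderEngineName=bc` line, so any other provider setting is left untouched, and a `.bak` copy is written first so the JDBC SSL configuration can be restored if needed.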
