Unable to get gateway to use HSM connect for certicate and key storage .
Article ID: 145596
Updated On:
Products
CA API Gateway
API SECURITY
CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7)
CA API Gateway Enterprise Service Manager (Layer 7)
STARTER PACK-7
CA Microgateway
Issue/Introduction
When setting up the gateway to use HSM connect or Thales modules following the steps in the documentation.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/install-configure-upgrade/configure-the-appliance-gateway/configure-hardware-security-modules-hsm/configure-thales-hardware-security-modules/configure-the-nshield-connect.html
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/install-configure-upgrade/configure-the-appliance-gateway/configure-hardware-security-modules-hsm/configure-thales-hardware-security-modules/configure-the-nshield-connect.html
The gateway continue to use the default internal key-store after the ssg restart , despite the configuration steps completed successful without errors .
The ssg log on startup says :
2019-08-15T15:28:14.600+0100 INFO 1 com.l7tech.server.security.keystore.SsgKeyStoreManagerImpl: ignoring keystore_file row with a format of hsm.Ncipher because this Gateway node is not configured to use an nCipher HSM
While the HSM status in the ssg menu says :
The gateway is now configured to use the HSM Thales module.
Environment
Release :
Component : API GTW
Resolution
After adding some debug , the problem was caused by the instructions to use BouncyCastle as Jce provider to enable SSL for mysql server jdbc connections as documented in
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/security-configuration-in-policy-manager/tasks-menu-security-options/manage-jdbc-connections/set-jdbc-connection-properties.html
The Thales security modules require nCipher as Jce provider this will not work with BouncyCastle .
If this set you have to remove the following line in system.properties to enable HSM ,then restart the Gateway:
com.l7tech.common.security.jceProviderEngineName=bc
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/security-configuration-in-policy-manager/tasks-menu-security-options/manage-jdbc-connections/set-jdbc-connection-properties.html
The Thales security modules require nCipher as Jce provider this will not work with BouncyCastle .
If this set you have to remove the following line in system.properties to enable HSM ,then restart the Gateway:
com.l7tech.common.security.jceProviderEngineName=bc
Attachments
Feedback
Yes
No
Powered by
