
API Gateway: Policy manager shows hostname certificate warning

Article ID: 187711

Products

CA API Gateway, API SECURITY STARTER PACK-7, CA Microgateway, CA API Developer Portal

Issue/Introduction

When I log on to the Gateway using Policy Manager, I see a warning message: "The hostname entered for the gateway is Gateway1name but the Gateway presented a certificate claiming the hostname is Gateway2name. Do you want to login to the Gateway?" Which certificate is used by the Policy Manager?

 

Cause

You get this warning because the host name in the certificate of the Gateway's default SSL key is different from the host name you specify when you log into the Gateway.

Environment

Component : API GATEWAY

Resolution

The following steps may need to be done, depending on how you wish to have the name set for the cluster:
If you changed the cluster host name (i.e., the host name of the virtual interface used by a load balancer), you will need to create a new default SSL key. The default SSL key created during the initial deployment of the Gateway database uses the cluster host name as the CN value. When you change the cluster host name, the CN value of the presented certificate will no longer match it. Some applications (including the Layer 7 Gateway and Layer 7 Policy Manager) force host name validation with certificate authentication.
To create a new private key for the new cluster host name:
1. Log into the Policy Manager as an administrative user. 
2. Select the "Manage Cluster-Wide Properties" task from the "Tasks" menu. 
3. Set "cluster.hostname" to the new cluster host name specified in the Gateway configurator menu previously. 
4. Close the Manage Cluster-Wide Properties dialog. 
5. Select the "Manage Private Keys" task from the "Tasks" menu. 
6. Select the "Create" button. Ensure the CN value matches the new cluster host name. Add other certificate attributes as necessary. 
7. Select the "Mark as Special Purpose" button. 
8. Choose the "Set as Default SSL Key" option. 
9. Restart the Layer 7 Gateway service on all nodes in the cluster. 
 
Please note that the generation of a new private key will require existing trust relationships to be re-established. Keys may need to be re-signed, if applicable, and certificate trust chains re-imported.
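The mismatch described above can be checked outside Policy Manager, before and after replacing the default SSL key. The following script is an added example, not vendor code: it uses the openssl command line tool, the function names are hypothetical, the sample certificates are constructed, and the host and port passed to fetch_gateway_cert are whatever listener your Policy Manager connects to (not stated in this article).

```bash
#!/usr/bin/env bash
# Added example (not vendor code): check a Gateway certificate against the
# host name typed into Policy Manager. Requires the openssl CLI.

# Print the subject CN of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# Exit 0 only if the certificate (SAN, or CN when no SAN exists) covers $2.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" |
    grep -q 'does match certificate'
}

# Save the certificate a live Gateway presents. HOST and PORT are supplied by
# the caller; use the listener Policy Manager connects to (assumption).
fetch_gateway_cert() {   # usage: fetch_gateway_cert HOST PORT OUT.pem
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform PEM -out "$3"
}

# Constructed sample: throwaway self-signed certificate with CN=$2 in dir $1.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Report in the same terms as the Policy Manager warning.
report() {               # usage: report CERT.pem ENTERED_HOSTNAME
  if cert_matches_host "$1" "$2"; then
    echo "OK: certificate covers $2"
  else
    echo "MISMATCH: entered $2, certificate claims $(cert_cn "$1")"
  fi
}

# Demo on constructed data: the old default SSL key vs. the regenerated one.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" Gateway2name
report "$demo_dir/cert.pem" Gateway1name   # before: warning condition
make_sample_cert "$demo_dir" Gateway1name
report "$demo_dir/cert.pem" Gateway1name   # after step 8: names agree
rm -rf "$demo_dir"
```

Against a real cluster, run fetch_gateway_cert for each node after the restart in step 9 and pass the saved file to report with the cluster host name; a node still reporting MISMATCH is still serving the old default SSL key.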

Additional Information

Please review our Tech Docs for more information on creating and setting your default SSL key: "Create a Private key" and "Set your default SSL Private key".