How to renew pssg, dssg and tssg certificates on tenant gateway integrated with API Portal.
Release: 4.5 and 5.x
Component: APIPRD
Portal self-signed certificates are issued with a validity period of 3 years. Once they approach or pass that date, regenerate a new set of self-signed certificates as follows:
On the Portal Server:
1. Make a backup/snapshot of the Portal.
2. Stop the Portal stack:
docker stack rm portal
Remove all certificates from the /<PORTAL_FOLDER>/certs folder.
3. Run the ./portal.sh script to generate a new set of certificates.
NOTE: If the script ends with the error "failed to create service portal_tenant-provisioner: Error response from daemon: network portal_private not found", stop and start the Docker service and re-run the portal.sh script.
On the Tenant Gateway enrolled with Portal
1. Go to Policy Manager > Tasks > Global Settings > Manage Cluster-Wide Properties
2. Retrieve the value (hostname) of the following 3 cluster-wide properties:
portal.config.pssg.sync.host
portal.config.dssg.datalake.host
portal.config.apim.host
3. Go to Policy Manager > Tasks > Certificates, Keys and Secrets > Manage Certificates
4. Before deleting any certificates, export each of the 3 certificates. When exporting, use the value in the NAME column as the certificate filename; you will need these names later.
5. Delete the pssg, dssg and tssg certificates.
6. Click on ADD
7. Select "Retrieve via SSL Connection (HTTPS or LDAPS Url)" and in the URL field, construct the URL by using https:// + hostname retrieved in step 2 + port 9443 (for example https://apim-pssg.local:9443) and click NEXT
8. Specify the same NAME the certificate was previously added with. If you are unsure, use the NAME value recorded in Step 4 above.
9. If a hostname mismatch warning appears, click Accept.
10. Click NEXT and in the "Select one or more certificate usage options", check Outbound SSL Connections then click NEXT
11. Check "Certificate is a Trust Anchor" and finally click FINISH.
12. Repeat steps 6 to 11 for the remaining 2 certificates.
**Note: Keeping the NAME values in sync with how they were previously should help avoid possible future Portal upgrade issues. A discussion of this is available in the following KB:
Portal Bundle Upgrade issues Unique Key
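The steps above give no way to confirm, from the command line, that the Portal really serves freshly generated certificates on port 9443 before you re-import them on the Tenant Gateway. The following script is an added example (not part of this KB or of the Portal/Gateway products) that fetches the live certificate from each of the three hosts taken from the cluster-wide properties in Step 2, prints its notAfter date, warns if it expires within 30 days, and compares its SHA-256 fingerprint against the copy exported in Step 4: if the fingerprints still match, the Portal is still presenting the old certificate and portal.sh did not regenerate it. It assumes the openssl CLI is available on the host running it, that port 9443 is the one used in Step 7, and that the exported files were named pssg, dssg and tssg (a hypothetical naming; substitute the NAME column values you actually used).

```shell
#!/bin/sh
# Post-renewal check for the pssg/dssg/tssg Portal certificates.
# Added example, not from the KB. Assumes the openssl CLI, port 9443 (as in the
# KB's ADD step) and exported files named pssg/dssg/tssg (hypothetical names).

PORTAL_PORT=9443

# Build the URL typed into "Retrieve via SSL Connection" from a property value.
portal_url_for() {
    printf 'https://%s:%s\n' "$1" "$PORTAL_PORT"
}

# Fetch the leaf certificate presented by host:port as PEM on stdout.
# -servername sends SNI; </dev/null closes the session after the handshake.
fetch_server_cert() {
    host=$1; port=${2:-$PORTAL_PORT}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# SHA-256 fingerprint of a PEM file, lowercase hex without colons, so that
# two copies of the same certificate compare cleanly as strings.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# notAfter of a PEM file, e.g. "Mar 10 12:00:00 2027 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Returns 0 if the certificate in $1 expires within $2 days, 1 otherwise.
# openssl -checkend exits 0 when the cert is still valid past the window.
cert_expires_within_days() {
    secs=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null; then
        return 1
    fi
    return 0
}

# Usage: check_gateway_certs <exported_cert_dir> <pssg_host> <dssg_host> <tssg_host>
# The hosts are the values of portal.config.pssg.sync.host,
# portal.config.dssg.datalake.host and portal.config.apim.host respectively.
check_gateway_certs() {
    dir=$1; rc=0
    for pair in "pssg=$2" "dssg=$3" "tssg=$4"; do
        name=${pair%%=*}; host=${pair#*=}
        tmp=$(mktemp)
        if ! fetch_server_cert "$host" >"$tmp"; then
            echo "$name: could not fetch certificate from $(portal_url_for "$host")"
            rc=1; rm -f "$tmp"; continue
        fi
        echo "$name ($host): notAfter=$(cert_not_after "$tmp")"
        if cert_expires_within_days "$tmp" 30; then
            echo "$name: WARNING certificate expires within 30 days"; rc=1
        fi
        # Compare with the pre-renewal export from Step 4 of the KB.
        if [ -f "$dir/$name" ]; then
            if [ "$(cert_fingerprint "$tmp")" = "$(cert_fingerprint "$dir/$name")" ]; then
                echo "$name: SAME as exported copy $dir/$name; Portal still serves the old cert"; rc=1
            else
                echo "$name: differs from exported copy; new certificate is in place"
            fi
        fi
        rm -f "$tmp"
    done
    return $rc
}

# Run the check only when all four arguments are supplied, e.g.
#   ./check_portal_certs.sh ./exported apim-pssg.local apim-dssg.local apim.local
if [ "$#" -eq 4 ]; then
    check_gateway_certs "$@"
fi
```

Run it once before Step 5 (it should report every certificate as SAME as the export, proving the export is intact) and again after portal.sh has finished, when each certificate should differ from the export and show a notAfter about 3 years out. A non-zero exit status means something still needs attention before you delete and re-add the certificates on the gateway.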
How to update the tls-automator template if needed
The build pipeline referenced tls-automator template version 2.0.3. After we changed it to 2.1.1, the certificates were updated successfully.
The process is to update the Helm chart so that you get the latest templates; the exact steps depend on how the templates are being consumed.