CA Developer Portal: Renewing pssg, dssg and tssg certificates on Tenant Gateway

Article ID: 199168

Products

CA API Developer Portal, CA API Gateway

Issue/Introduction

How to renew the pssg, dssg and tssg certificates on a tenant gateway integrated with API Portal.

Environment

Release: 4.5 and 5.x
Component: APIPRD

Resolution

Portal self-signed certificates should expire after 3 years.
To regenerate a new set of self-signed certificates:

On the Portal Server:

1. Make a backup/snapshot of the portal.
2. Stop the portal:
    docker stack rm portal
   Then remove all certificates from the /<PORTAL_FOLDER>/certs folder.
3. Run the ./portal.sh script to regenerate new certificates.

NOTE: If the script ends with the error "failed to create service portal_tenant-provisioner: Error response from daemon: network portal_private not found", stop and start the Docker service and re-run the portal.sh script.

On the Tenant Gateway enrolled with Portal:

1. Go to Policy Manager > Tasks > Global Settings > Manage Cluster-Wide Properties.
2. Retrieve the value (hostname) for the following 3 cluster-wide properties:

portal.config.pssg.sync.host
portal.config.dssg.datalake.host
portal.config.apim.host

3. Go to Policy Manager > Tasks > Certificates, Keys and Secrets > Manage Certificates.
4. Delete the pssg, dssg and tssg certificates.
5. Click ADD.
6. Select "Retrieve via SSL Connection (HTTPS or LDAPS Url)". In the URL field, construct the URL as https:// + hostname retrieved in step 2 + port 9443 (for example https://apim-pssg.local:9443), then click NEXT.
7. If a hostname mismatch warning appears, click Accept.
8. Click NEXT. Under "Select one or more certificate usage options", check Outbound SSL Connections, then click NEXT.
9. Check "Certificate is a Trust Anchor" and click FINISH.
10. Repeat steps 5 to 9 for the remaining 2 certificates.
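
Steps 6 to 9 import whatever certificate is served on port 9443, accept a hostname mismatch and mark the result as a trust anchor, so it helps to confirm that each served certificate is the one portal.sh regenerated. The following Python script is an added example, not part of the original article or the product: it fetches the certificate from each host retrieved in step 2 and compares it with a reference fingerprint taken on the Portal server (the script name and the way the reference fingerprint is obtained are assumptions).

```python
import hashlib
import socket
import ssl
import sys

PORT = 9443  # port given in step 6


def fetch_der(host, port=PORT, timeout=5.0):
    """Return the DER certificate served at host:port without validating it.

    Validation is off on purpose: the Portal certificates are self-signed, so
    trust comes from comparing the fingerprint with a reference value.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der, algo="sha256"):
    """Colon-separated upper-case hex digest of the DER bytes."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(der, expected):
    """True if expected (any case, any separators) is the SHA-256 or SHA-1
    fingerprint of der."""
    want = "".join(c for c in expected if c.isalnum()).upper()
    got = {fingerprint(der, a).replace(":", "") for a in ("sha256", "sha1")}
    return want in got


if __name__ == "__main__":
    # Usage (hypothetical script name): check_fp.py HOST FINGERPRINT [HOST FINGERPRINT ...]
    args = sys.argv[1:]
    all_ok = True
    for host, expected in zip(args[0::2], args[1::2]):
        der = fetch_der(host)
        ok = matches(der, expected)
        all_ok = all_ok and ok
        print(f"{host}:{PORT} sha256={fingerprint(der)} {'MATCH' if ok else 'MISMATCH'}")
    sys.exit(0 if all_ok else 1)
```

A MISMATCH for any host means the gateway would import a certificate other than the reference one; resolve that before marking it as a trust anchor.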

How to update tls-automator template if needed 

Version [2.0.3] was mentioned in the build pipeline. After we changed it to 2.1.1, the certs got updated successfully.

The process would be to update the helm chart to get the latest templates. The process will depend on how they are using them.

  • Helm Repo
      • $ helm repo update
  • Git Repo (cloned repo)
      • Back up any changes made (the values file is most important)
      • $ git pull (you could also clone the latest repo to a different folder and review the changes manually)