Migrate from Classic Portal 3.5 to API Portal 4.5 fails.

Article ID: 200634

Products

CA API Developer Portal

Issue/Introduction

I'm trying to migrate from the classic 3.5 portal to the 4.5 API Developer Portal.

Using the migration process from the Classic 3.5 Portal to the new 4.5 API Portal:
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-portal-legacy/3-5/migrate-to-enhanced-experience-api-portal/migration-prerequisites.html

The classic portal is able to reach the target portal over port 9443.

This procedure fails at step 3 with:

Command:
openssl s_client -servername apim-ssg.portal.domain  -connect apim-ssg.portal.domain:9443 2> /dev/null < /dev/null | openssl x509 > apim-ssg.crt

Result:
unable to load certificate
140328933390224:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

 

Environment

Release : 4.5

Component : API PORTAL

Resolution

The initial failure to retrieve the certificate from the portal was caused by using the wrong FQDN for apim-ssg; it must be apim-ssg.portal.domain.

The command worked after an entry for apim-ssg.portal.domain was added to the local hosts file on the 3.5 portal.

The second problem is that the portal migration tool looks up the apim-ssg certificate by the name given in the URL, while the CN of the default portal certificate is tssg.

To resolve this, replace the portal's tssg certificate with a certificate that has the correct CN.

To do this:

Create a new certificate for apim-ssg.portal.domain on the new Portal and store the key and certificate in a p12 file.

Then add the following lines to your portal.conf file and restart the Portal:

PORTAL_TSSG_SSL_KEY=/path-to-certs/tssg_new.p12
PORTAL_TSSG_SSL_KEY_PASS=yourpass

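Sample commands for generating the certificate and the p12 file:

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem -subj '/CN=apim-ssg.portal.domain'

openssl pkcs12 -export -inkey key.pem -in certificate.pem -out tssg_new.p12 -passout pass:yourpass

The p12 file name must match the path set in PORTAL_TSSG_SSL_KEY, and the export password must match PORTAL_TSSG_SSL_KEY_PASS.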

Copy certificate.pem to the 3.5 portal and add it to

/opt/Deployments/lrs/server/conf/keys/trustedCerts.ks using the following command, run from that directory because the keystore is given without a path:
/opt/jdk/bin/keytool -import -file certificate.pem -keystore trustedCerts.ks -alias tssg -storepass changeit

Then restart the 3.5 portal.

Now the migration tool should be able to connect correctly to both portals.
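
A pre-flight check for both problems described above, as an added example that is not part of the original article: it reports when the gateway returns no certificate at all (the "no start line" case) and when the certificate CN differs from the host name. The function names are hypothetical, the host and port are the ones used on this page, and only the subject CN is compared, as in the article.

```shell
#!/bin/sh
# Added example: pre-flight check before running the migration tool.
# Function names are hypothetical; host and port come from the article.

# Succeeds if stdin contains a PEM certificate header.
has_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----'
}

# Print the CN from an "openssl x509 -noout -subject" line.
# Accepts "subject= /CN=tssg" (OpenSSL 1.0.x) and "subject=CN = tssg" (1.1+).
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Returns 0 if host:port presents a certificate whose CN equals host,
# 1 on CN mismatch, 2 if no certificate was returned at all.
check_tssg() {
    host=$1 port=$2
    # Keep stderr: discarding it is what hides the real connection error
    # behind "unable to load certificate ... no start line".
    out=$(openssl s_client -servername "$host" -connect "$host:$port" \
          </dev/null 2>&1)
    if ! printf '%s\n' "$out" | has_pem_cert; then
        echo "no certificate from $host:$port; s_client output:" >&2
        printf '%s\n' "$out" | head -n 5 >&2
        return 2
    fi
    subj=$(printf '%s\n' "$out" | openssl x509 -noout -subject)
    cn=$(subject_cn "$subj")
    if [ "$cn" != "$host" ]; then
        echo "CN mismatch: got '$cn', expected '$host'" >&2
        return 1
    fi
    echo "ok: $host:$port presents CN=$cn"
}

# Usage: sh check_tssg.sh apim-ssg.portal.domain 9443
if [ "$#" -eq 2 ]; then
    check_tssg "$1" "$2"
fi
```

Run it from the 3.5 portal host: exit code 2 points at name resolution or connectivity, exit code 1 at the default tssg certificate still being served.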