CA API Portal 3.5 - Impossible to add an Application into an existing Organisation - Get Key failed: null

Article ID: 200898

Products

CA API Developer Portal

Issue/Introduction

Portal 3.5

We have tried with different users (with admin profile) and we have the following problem with Portal 3.5.

1. Log in to the portal GUI

2. Go to Organizations / applications

"All"

Filter on organisation: XXX Solutions INEO - CDC SAP

Click Add application

Fill in the different fields

Once completed, click “save”

Error :

The action could not be completed due to a failure on the Gateway. Please contact your gateway administrator

Please see the attached catalina.out 

As per the catalina.out, we found a number of problems with the keystore:

Caused by: java.io.IOException: keystore password was incorrect
Caused by: java.security.UnrecoverableKeyException: Get Key failed: null



Environment

Release : 3.5

Component : API PORTAL

Resolution

The error 'Caused by: java.security.UnrecoverableKeyException: Get Key failed: null' implies that the cmsencrypedvalues table does not have a value for the property 'KeystorePassword'.

The error 'Caused by: java.io.IOException: keystore password was incorrect' implies that the cmsencrypedvalues table does not have a correct value for the property 'KeystorePassword' based on the specified p12 file.

Confirm that openssl can read the p12 file referenced by lrsgateway-conf.xml using the following command.
You will be prompted for the password used to generate the p12. Note that -nodes prints the private key unencrypted to the terminal, so run the command in a trusted session and do not redirect its output to a file.

openssl pkcs12 -in /opt/Deployments/lrs/server/conf/keys/l7apiportal_key.p12 -nodes

Re-enter the password for the p12 using the "Update Portal Keystore Password" form of the Layer7 Gateway plugin. A restart of the apiportal service is not required for 3.5 CR9 or later.

If you don't know the password, you will need to export the private key again using the Policy Manager.
For more information, see:
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-portal-legacy/3-5/set-up-the-api-portal/prepare-the-gateway-for-the-api-portal/prepare-ssl-dependencies.html

Additional Information

1. Check that the private key path and filename specified in the configuration file are valid.

The configuration file is here:
/opt/Deployments/lrs/server/webapps/ROOT/plugins/lrsgateway-conf.xml

2. Check that the permissions and ownership of the private key (.p12 file) are correct. This private key should be placed in this directory:

/opt/Deployments/lrs/server/conf/keys/

Permissions should be: chmod 640

Ownership should be: chown root:portalusers

However, these two are less likely to be the cause, since the script should take care of them.

The third and most likely reason:

3. The keystore password was not entered, or was not entered correctly, in the API Portal CMS. As a result, the API Portal application is unable to access or use the private key. When you exported the private key from the Policy Manager, you were prompted to give it a password and confirm the password. This is the password you need to use for the following steps:

-Navigate to the CMS of the API Portal: http://<portal hostname>/admin

-Click on "Plugin Administration" on the left

-Click on "Layer 7 Gateway"

-In the text field under "Update Portal Keystore Password", enter the keystore password (same password used to export private key).

-Click "Submit" right underneath it.

-Restart the API Portal service from the command line: service apiportal restart

-Test connectivity again.

4. Additionally, we ran this command to change 

/opt/jdk/bin/keytool -list -keystore trustedCerts.ks -storepass changeit
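
The permission and ownership check from item 2 and the keystore password check from item 3 (the openssl read test in the Resolution), combined into one script. This is an added example, not Broadcom's tooling: the function names and the P12_PASS variable are assumptions, and it uses -noout instead of -nodes so the private key is never printed.

```shell
#!/bin/sh
# Added example (not Broadcom's tooling). Path, mode and owner come from the
# article; the function names and the P12_PASS variable are assumptions.

# check_perms FILE MODE OWNER:GROUP -> 0 match, 1 mismatch, 2 file missing
check_perms() {
    file=$1 want="$2 $3"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    got=$(stat -c '%a %U:%G' "$file") || return 2   # GNU stat (Linux)
    [ "$got" = "$want" ] && return 0
    echo "$file is '$got', expected '$want'" >&2
    return 1
}

# check_p12_password FILE -> 0 when the password opens the p12.
# -noout verifies the file without printing the key (unlike -nodes).
# The password is taken from the exported P12_PASS variable if it is set, so
# it never appears in the process list; otherwise openssl prompts for it.
# With OpenSSL 3.x, a p12 that uses legacy ciphers may also need -legacy.
check_p12_password() {
    if [ -n "${P12_PASS+set}" ]; then
        openssl pkcs12 -in "$1" -noout -passin env:P12_PASS >/dev/null 2>&1
    else
        openssl pkcs12 -in "$1" -noout >/dev/null
    fi
}

# check_portal_key FILE -> runs the article's checks 2 and 3 in order
check_portal_key() {
    check_perms "$1" 640 root:portalusers || return 1
    check_p12_password "$1" || { echo "password does not open $1" >&2; return 1; }
    echo "OK: $1 has the expected permissions and the password opens it"
}

# Run as root or as a member of portalusers, for example:
#   sh check_portal_key.sh /opt/Deployments/lrs/server/conf/keys/l7apiportal_key.p12
if [ "$#" -gt 0 ]; then check_portal_key "$1"; fi
```

If the script reports OK but the Portal still logs "keystore password was incorrect", the password stored through the "Update Portal Keystore Password" form is the remaining suspect.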