Update Portal integration fails with certificate error
Article ID: 231125

Products

CA API Developer Portal

Issue/Introduction

The API Developer Portal was successfully upgraded from 4.5 to 5.x.x.

Following KB 201757, we replaced the PortalUpgradeAssertion for Gateway 10.0 CR3 on the proxy gateway.

Updating the Portal integration on the proxy gateway then returns a certificate error:

<l7:Mapping action="NewOrUpdate" actionTaken="UpdatedExisting" srcId="68f4f7b3162210e735f460b4daba442d" targetId="746fffffc2a328f66d8f09ece547a8ad" targetUri="/1.0/trustedCertificates/746fffffc2a328f66d8f09ece547a8ad" type="TRUSTED_CERT">
                <l7:Properties>
                    <l7:Property key="MapBy">
                        <l7:StringValue>name</l7:StringValue>
                    </l7:Property>
                </l7:Properties>
            </l7:Mapping>
            <l7:Mapping action="NewOrUpdate" errorType="UniqueKeyConflict" srcId="64a93bdd8aeb093dd43fcc616d4ae2c9" type="TRUSTED_CERT">
                <l7:Properties>
                    <l7:Property key="ErrorMessage">
                        <l7:StringValue>(thumbprintSha1)  must be unique</l7:StringValue>
                    </l7:Property>
                    <l7:Property key="MapBy">
                        <l7:StringValue>name</l7:StringValue>
                    </l7:Property>
                </l7:Properties>
            </l7:Mapping>
            <l7:Mapping action="NewOrUpdate" errorType="UniqueKeyConflict" srcId="68f4f7b3162210e735f460b5daba442d" type="TRUSTED_CERT">
                <l7:Properties>
                    <l7:Property key="ErrorMessage">
                        <l7:StringValue>(thumbprintSha1)  must be unique</l7:StringValue>
                    </l7:Property>
                    <l7:Property key="MapBy">
                        <l7:StringValue>name</l7:StringValue>
                    </l7:Property>
                </l7:Properties>
            </l7:Mapping>

These certificates were renewed on the gateway following the procedure:

https://knowledge.broadcom.com/external/article/137793/how-to-update-api-portal-ssl-certificate.html

 

Environment

Release : 5.0, 5.1

Component : API PORTAL

Resolution


The portal integration bundle update fails because it looks up the pssg certificate by the ID "68f4f7b3162210e735f460b4daba442d" and, if no certificate with that ID exists, tries to insert a new one. The insert fails because the cert already exists under another ID, so it is rejected by the uniqueness check on thumbprintSha1.

To add the pssg certificate with the correct ID "68f4f7b3162210e735f460b4daba442d", perform the following steps:

1. Load the list of certificates on the gateway in RESTMan: https://<GATEWAY>:8443/restman/1.0/trustedCertificates
     Locate the certificate with the name pssg.
     Confirm that its entity ID is NOT 68f4f7b3162210e735f460b4daba442d.

2. Copy the <l7:Encoded> value of the pssg cert from the cert list into the new cert.xml bundle below, e.g.:

<l7:Encoded>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</l7:Encoded>

Example bundle to upload the cert with the correct ID using the REST API:

<?xml version="1.0" encoding="UTF-8"?>
<l7:Bundle xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
<l7:References>
    <l7:Item>
        <l7:Name>pssg</l7:Name>
        <l7:Id>68f4f7b3162210e735f460b4daba442d</l7:Id>
        <l7:Type>TRUSTED_CERT</l7:Type>
        <l7:TimeStamp>2023-01-19T12:33:12.515Z</l7:TimeStamp>
        <l7:Link rel="self" uri="https://localhost:8443/restman/1.0/trustedCertificates/68f4f7b3162210e735f460b4daba442d"/>
        <l7:Resource>
            <l7:TrustedCertificate id="68f4f7b3162210e735f460b4daba442d" version="0">
                <l7:Name>pssg</l7:Name>
                <l7:CertificateData>
                    <l7:IssuerName>CN%3Dpssg</l7:IssuerName>
                    <l7:SerialNumber>17669611611167821887</l7:SerialNumber>
                    <l7:SubjectName>CN%3Dpssg</l7:SubjectName>
                    <l7:Encoded>!!!! INSERT PSSG ENCODED VALUE COPIED IN STEP 2 HERE!!!!</l7:Encoded>
                </l7:CertificateData>
                <l7:Properties>
                    <l7:Property key="revocationCheckingEnabled">
                        <l7:BooleanValue>true</l7:BooleanValue>
                    </l7:Property>
                    <l7:Property key="trustAnchor">
                        <l7:BooleanValue>true</l7:BooleanValue>
                    </l7:Property>
                    <l7:Property key="trustedAsSamlAttestingEntity">
                        <l7:BooleanValue>false</l7:BooleanValue>
                    </l7:Property>
                    <l7:Property key="trustedAsSamlIssuer">
                        <l7:BooleanValue>false</l7:BooleanValue>
                    </l7:Property>
                    <l7:Property key="trustedForSigningClientCerts">
                        <l7:BooleanValue>true</l7:BooleanValue>
                    </l7:Property>
                    <l7:Property key="trustedForSigningServerCerts">
                        <l7:BooleanValue>true</l7:BooleanValue>
                    </l7:Property>
                    <l7:Property key="trustedForSsl">
                        <l7:BooleanValue>true</l7:BooleanValue>
                    </l7:Property>
                    <l7:Property key="verifyHostname">
                        <l7:BooleanValue>false</l7:BooleanValue>
                    </l7:Property>
                </l7:Properties>
            </l7:TrustedCertificate>
        </l7:Resource>
    </l7:Item>
</l7:References>
<l7:Mappings>
    <l7:Mapping action="NewOrUpdate" srcId="68f4f7b3162210e735f460b4daba442d" srcUri="https://localhost:8443/restman/1.0/trustedCertificates/68f4f7b3162210e735f460b4daba442d" type="TRUSTED_CERT">
        <l7:Properties>
            <l7:Property key="MapBy">
                <l7:StringValue>name</l7:StringValue>
            </l7:Property>
        </l7:Properties>
    </l7:Mapping>
</l7:Mappings>
</l7:Bundle>

Save this as the file cert.xml.

3. Delete pssg cert from Policy Manager >> Tasks >> Certificates, Keys and Secrets >> Manage Certificates.

4. Execute the curl command below.

curl -k -X PUT -u"<USERNAME>:<PASSWORD>" -H"Content-type: application/xml" https://<GATEWAY_HOST>:8443/restman/1.0/bundle --data-binary @cert.xml

5. Verify cert has been reinserted in Tasks >> Certificates, Keys and Secrets >> Manage Certificates.

6. Delete the dssg and tssg certificates.

7. Retry "Update Portal Integration".

This will add the pssg certificate with the correct ID and the update should work.

The pssg certificate is now added with the ID mentioned in the failed bundle update, and the dssg and tssg certs are recreated.

        <l7:Name>pssg</l7:Name>
        <l7:Id>68f4f7b3162210e735f460b4daba442d</l7:Id>
        <l7:Type>TRUSTED_CERT</l7:Type>
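
The check from steps 1 and 2, written out as an added example that is not part of the original article or the product: it parses a RESTMan trusted-certificate list, finds pssg, and reports whether it sits under a different ID than the one the integration bundle expects. The list layout is assumed to mirror the l7:Item structure of the bundle above; the sample entries, their IDs and the placeholder certificate bytes are constructed, and the hex SHA-1 over the decoded Encoded value is an assumed representation of the thumbprint.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"l7": "http://ns.l7tech.com/2010/04/gateway-management"}
EXPECTED_PSSG_ID = "68f4f7b3162210e735f460b4daba442d"  # ID named in the article

def _item(name, cert_id, der):
    """Constructed list entry; `der` is placeholder bytes, not a real certificate."""
    enc = base64.b64encode(der).decode()
    return (f'<l7:Item><l7:Name>{name}</l7:Name><l7:Id>{cert_id}</l7:Id><l7:Resource>'
            f'<l7:TrustedCertificate id="{cert_id}"><l7:Name>{name}</l7:Name>'
            f'<l7:CertificateData><l7:Encoded>{enc}</l7:Encoded></l7:CertificateData>'
            f'</l7:TrustedCertificate></l7:Resource></l7:Item>')

# Constructed stand-in for the /restman/1.0/trustedCertificates response.
SAMPLE_LIST = (f'<l7:List xmlns:l7="{NS["l7"]}">'
               + _item("pssg", "0" * 31 + "1", b"constructed-pssg-der")
               + _item("dssg", "0" * 31 + "2", b"constructed-dssg-der")
               + "</l7:List>")

def trusted_certs(list_xml):
    """Yield (name, id, SHA-1 thumbprint hex, encoded) for each TrustedCertificate."""
    for cert in ET.fromstring(list_xml).iter(f'{{{NS["l7"]}}}TrustedCertificate'):
        name = cert.findtext("l7:Name", namespaces=NS)
        enc = cert.findtext("l7:CertificateData/l7:Encoded", namespaces=NS).strip()
        thumb = hashlib.sha1(base64.b64decode(enc)).hexdigest()
        yield name, cert.get("id"), thumb, enc

def check_pssg(list_xml, expected_id=EXPECTED_PSSG_ID):
    """Report whether pssg must be re-inserted under expected_id."""
    pssg = [c for c in trusted_certs(list_xml) if c[0] == "pssg"]
    if not pssg:
        return {"status": "missing"}
    _, cert_id, thumb, enc = pssg[0]
    if cert_id == expected_id:
        return {"status": "ok", "id": cert_id}
    # Same certificate under another ID: inserting it again with the expected ID
    # collides on the thumbprint, the "(thumbprintSha1) must be unique" error.
    return {"status": "wrong_id", "id": cert_id,
            "thumbprint_sha1": thumb, "encoded": enc}

if __name__ == "__main__":
    print(check_pssg(SAMPLE_LIST))
```

A `wrong_id` result carries the Encoded value to paste into cert.xml in step 2.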