
CA API Gateway 10.X Patching Guide


Article ID: 240851


Products

CA API Gateway

Issue/Introduction

This document is intended for customers who have already upgraded their Gateway to version 10.0 or 10.1. The purpose of this document is to demystify patching within the Gateway 10.0 or 10.1 space.  If you are looking for assistance upgrading from Gateway 8.x or 9.x please see our formal upgrade documentation here.  

If you are on Gateway 10.0 and need assistance upgrading to Gateway 10.1, please see the Standard Upgrade Procedure for Gateway 10.1 as well as our supplemental 10.1 upgrade Knowledge Base Article here.

It is HIGHLY recommended that you review the FAQ including the Additional Information section before proceeding with any patching activity.

Note the color coding for each section, which is meant to provide an easier reading experience.

This document will cover:

  • Gateway 10.0 Cumulative Release (CR) Patching
  • Gateway 10.1 Cumulative Release (CR) Patching
  • Monthly Platform Patching (for Gateway Appliances and Gateway Docker deployments)
  • Additional information and troubleshooting patching 

Environment

Release : 10.0 and 10.1

Component : API Gateway

Resolution

 

What are the versions of API Gateway 10?

There are currently two major versions of API Gateway 10:  10.0 and 10.1

10.0 FAQs are highlighted in Purple

10.1 FAQs are highlighted in Orange

GATEWAY 10.0 AND GATEWAY 10.1 HAVE SEPARATE Cumulative Release (CR) PATCHES FOR EACH VERSION.  PLEASE MAKE SURE YOU NAVIGATE TO THE SECTION APPROPRIATE FOR THE VERSION YOU ARE RUNNING.  YOU CANNOT APPLY A GATEWAY 10.0 CR TO GATEWAY 10.1 AND YOU CANNOT APPLY A GATEWAY 10.1 CR TO GATEWAY 10.0.  HOWEVER, MONTHLY PLATFORM PATCHES ARE NOT VERSION SPECIFIC AND CAN BE APPLIED TO EITHER GATEWAY 10.0 OR 10.1.

Gateway 10.0 Cumulative Release (CR) Patching

What is a Cumulative Release Patch?

Cumulative Release Patches update the Gateway software/product to introduce bug fixes, features, functionality, and updated Java versions.

I am running Gateway 10.0. What Cumulative Release (CR) patches are available?

Currently Gateway version 10.0 has Cumulative Release Patch CR05, which includes all of the patches from CR01 through CR04.  To see the full list of Cumulative Release Patch related info, please see the Release Notes for Gateway 10.0.

Can I apply CR05 for Gateway 10.0 to my 10.1 Gateway?

No.  There are separate Cumulative Release Patches for Gateway 10.0 and 10.1.  Both are covered in this FAQ.

Do I need to apply Cumulative Release patches CR01 through CR04 to my Gateway 10.0 in order to apply the latest CR05?

No.  Cumulative Release Patches (CRs) are cumulative and you need only apply the latest CR to your Gateway.

Where can I get the Gateway 10.0 CR05 Patch?

You can find Gateway 10.0 CR05 Patch on our Solutions and Patches Page. This patch zip file is called: Layer7_API_Gateway_v10.0.00-CR05.zip

After downloading this file, unzip it to see the contents.

What are the files I see in the Gateway 10.0 CR05 zip file and what do I do with them?

When you unzip the Cumulative Release patch file you will see the following files:

  • Layer7_API_Gateway_v10.0.00.13030-CR05.L7P
    • This is the main Gateway L7P patch file that gets applied to your Gateway 10.0 to bring it to CR05. 
  • Manager-10.0.00.13030-CR05.tar.gz
    • This file is the corresponding MacOS Policy Manager installer to be used with Gateway 10.0 CR05
  • Layer7 API Gateway Policy Manager 10.0.00.13030-CR05 Installer.exe
    • This file is the corresponding Windows Policy Manager installer to be used with Gateway 10.0 CR05 
  • CA_SSO_SDK_Compact_v12.8.06.L7P
    • This file is the latest SSO SDK install if you are using CA Siteminder integration 

How do I apply the Gateway 10.0 CR05 file to my Gateway?

To apply the Gateway 10.0 CR05 cumulative release patch to your Appliance based Gateway please use these steps:  Patch Using The Menu

To apply the Gateway 10.0 CR05 cumulative release patch to your Software based Gateway install please use these steps: Patch The Software Gateway

Gateway 10.1 Cumulative Release (CR) Patching

What is a Cumulative Release Patch?

Cumulative Release Patches update the Gateway software/product to introduce bug fixes, features, functionality, and updated Java versions.

I am running Gateway 10.1. What patches are available?

Currently Gateway version 10.1 has Cumulative Release Patch CR01.  To see the full list of Cumulative Release Patch related info, please see the Release Notes for Gateway 10.1.

Can I apply CR01 for Gateway 10.1 to my 10.0 Gateway?

No.  There are separate Cumulative Release Patches for Gateway 10.0 and 10.1.

Where can I get Cumulative Release Patch CR01 for Gateway 10.1?

Gateway 10.1 CR01 can be downloaded from the Solutions and Patches Page and is called Layer7_API_Gateway_v10.1.00-CR01.zip.

After downloading this file, unzip it to see the contents.

What are the files I see in the Gateway 10.1 CR01 zip file and what do I do with them?

  • Layer7_API_Gateway_v10.1.00.12727-CR01.L7P
    • This is the main Gateway L7P patch file that gets applied to your Gateway 10.1 to bring it to CR01
  • Manager-10.1.00.12727-CR01.tar.gz
    • This file is the corresponding MacOS Policy Manager installer to be used with Gateway 10.1 CR01
  • Layer7 API Gateway Policy Manager 10.1.00.12727-CR01 Installer.exe
    • This file is the corresponding Windows Policy Manager installer to be used with Gateway 10.1 CR01 
  • CA_SSO_SDK_Compact_v12.8.06.L7P
    • This file is the latest SSO SDK install if you are using CA Siteminder integration 

How do I apply the Gateway 10.1 CR01 file to my Gateway?

To apply the Gateway 10.1 CR01 cumulative release patch to your Appliance based Gateway please use these steps: Patch Using The Menu

To apply the Gateway 10.1 CR01 cumulative release patch to your Software based Gateway install please use these steps: Patch A Software Gateway

Gateway 10 and 10.1 Monthly Platform Patching:

What is a Monthly Platform Patch?

A Monthly Platform Patch is provided to users running the Gateway Appliance or Container form factor. It updates the underlying OS Platform and addresses known CVE Vulnerabilities.

What is the difference between a Monthly Platform Patch and a Cumulative Release Patch (CR)?

Cumulative Release Patches update the Gateway software/product to introduce bug fixes, features, functionality, and updated Java versions.  Monthly Platform Patches update the underlying Appliance CentOS Platform to address CVE Vulnerabilities, OS Library updates and also MySQL version updates.

Are there separate Monthly Platform Patches for Gateway 10.0 and 10.1?

No.  Unlike the Cumulative Release (CR) patches for Gateway 10.0 and 10.1, there is only one Monthly Platform Patch released for both Gateway 10 and 10.1 appliances.

Do I have to install previous Monthly Platform Patches in order to install the latest?

No.  Like the Cumulative Release (CR) patches, the Monthly Platform Patch is also cumulative in nature, and you do not need to install previous Monthly Platform Patches incrementally.

Where can I find the Monthly Platform Patch for my Gateway 10.0 or Gateway 10.1 Appliance?

You can find the Monthly Platform Patch for the Appliance Gateway on the Solutions And Patches Page.

Example:  Layer7_API_PlatformUpdate_64bit_v10.X-CentOS-2022-04-24.L7P  <-- See the Date indicating that this is the April 2022 Monthly Platform Patch.
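The version-matching rules in this guide can be checked mechanically before a patch file is uploaded. The following is an added example, not part of the vendor's tooling or documentation: a shell function with the hypothetical name l7p_check that classifies an .L7P file using the file-name patterns shown on this page and rejects a Cumulative Release built for the other Gateway line. The Gateway line (10.0 or 10.1) is assumed to be supplied by the operator as the second argument.

```shell
#!/bin/sh
# Added example, not vendor code. l7p_check and its output words are
# hypothetical; the file-name patterns are the ones shown in this guide.

# l7p_check FILE GATEWAY_LINE   (GATEWAY_LINE: 10.0 or 10.1, operator-supplied)
# Prints "<verdict> <kind> <detail>"; exit status 0 only when verdict is "ok".
l7p_check() {
    file=$(basename "$1")
    line=$2
    case "$line" in
        10.0|10.1) ;;
        *) echo "reject bad-gateway-line $line"; return 2 ;;
    esac
    case "$file" in
        Layer7_API_Gateway_v10.[01].00.*-CR[0-9][0-9].L7P)
            # Cumulative Release: tied to one Gateway line, never cross-applied.
            ver=${file#Layer7_API_Gateway_v}   # 10.0.00.13030-CR05.L7P
            patch_line=${ver%%.00.*}           # 10.0
            cr=${file##*-}                     # CR05.L7P
            cr=${cr%.L7P}                      # CR05
            if [ "$patch_line" = "$line" ]; then
                echo "ok cumulative-release $patch_line-$cr"
            else
                echo "reject cumulative-release $patch_line-$cr"
                return 1
            fi ;;
        Layer7_API_PlatformUpdate_64bit_v10.X-CentOS-[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9].L7P)
            # Monthly Platform Patch: one file for both 10.0 and 10.1.
            stamp=${file#*-CentOS-}
            echo "ok platform-patch ${stamp%.L7P}" ;;
        CA_SSO_SDK_Compact_v*.L7P)
            # Listed in both CR zips; relevant only with SiteMinder integration.
            echo "ok sso-sdk ${file%.L7P}" ;;
        *)
            echo "reject unrecognised $file"
            return 1 ;;
    esac
}

# Constructed run: names from this guide checked against a 10.1 Gateway.
for f in Layer7_API_Gateway_v10.0.00.13030-CR05.L7P \
         Layer7_API_Gateway_v10.1.00.12727-CR01.L7P \
         Layer7_API_PlatformUpdate_64bit_v10.X-CentOS-2022-04-24.L7P; do
    l7p_check "$f" 10.1 || true
done
```

The downloaded .zip archives are reported as unrecognised on purpose, since only the extracted .L7P file is applied to the Gateway.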

I am running the Container Gateway.  Can I also get the Monthly Platform patches?

Yes, you can pull Monthly Platform Patches according to the Docker Tags Page.

I am running the AWS AMI Appliance or the MS Azure Appliance.  Can I also apply a Monthly Platform Patch to these form factors?

Yes, you can use the same Monthly L7P Platform patch that is applied to the VMware ESX based appliance.

When are Monthly Platform Patches Released?

Typically Monthly Platform Patches are released in the last week of every month.

Is there a special order, prerequisites or dependencies between the Cumulative Release (CR) Patch and Monthly Platform Patch?

No.  The Cumulative Release Patches and Monthly Platform Patches are not dependent on each other. They are totally separate.  For example, you could apply Cumulative Release Patches and forgo installing Monthly Platform Patches, and vice versa.

How can I tell what the Monthly Platform Patch is updating?

For every release of the Monthly Platform Patch there is a corresponding downloadable cve-info text file that you can review for changes. You will typically see this file right underneath the main Monthly L7P file on the Solutions and Patches page.

Example: cve-info-v10.X-CentOS-x86_64-2022-04-24.txt

 

Additional Information

Where can I read more about Gateway patches?

Please see our formal documentation on the subject.  Understanding Gateway Patches

Where can I see the changes, updates and fixes included in the Gateway Cumulative Release Patches?

You can see a full summary of Cumulative Release Patch information and changes in the Release Notes section for each version of the Gateway.  Note the summary of each Cumulative Release Patch.

Gateway 10.0 Release Notes

Gateway 10.1 Release Notes

How do I update my Policy Manager version along with my Gateway Appliance?

Gateway Cumulative Release Patch zip files will always contain a new version of the Gateway Policy Manager installer for MacOS and Windows.  After patching the Gateway with the main L7P file, please be sure to also update your workstation with the new Policy Manager that is included in the zip file.

What is an L7P file?

An .L7P file is the patch file format that is applied directly to your Gateway appliance.

If you need assistance working with L7P files, please see this supplemental material:

Working with .L7P Files

Do I have to reboot my Gateway after applying L7P patches?

Yes, it is very important to reboot your Gateway after applying an L7P patch file. If you are applying a sequence of L7P patches, then you will be required to reboot after EACH patch before you apply the next one.

I am getting an error about Disk Space when I try to apply a patch.  What can I do?

Please make sure you check your Gateway file sizes before applying any patches. If you get an error such as "Error uploading patch file: No space left on device", please see this article for more information and assistance.

Where can I see what patches have already been applied to my Gateway Appliance?

If you would like to see a list of patches that have been applied to your Gateway Appliance, select Option 8 from the Gateway Appliance Menu and then choose Option 4 to List Patches.

Can Patches be uninstalled or rolled back?

Patches cannot be uninstalled after they are applied, so please ensure that you take a VMware Snapshot of your Gateway Appliance before any patching activity to provide a back-out plan.

If patches cannot be uninstalled then why is there an option to "Delete a Patch from the Gateway"?

This option allows you to clear staged patch files from the staging directories on the Gateway to reclaim space.  This option does NOT uninstall a patch from the Gateway.  For more on this, see the corresponding section in the main documentation.

What is the difference between Uploading a Patch and Installing a Patch?

The application of an L7P Patch file is a two-step process after the patch has been copied to your Gateway.  The upload is the first step, where the patch is first processed by the patching mechanism, and the second step is the actual installation of the patch to the Gateway.  You will see both the Upload and Install options in the Gateway Patching menu. There is also a similar Upload and Install procedure for patching with the Command Line.

Where can I see patch related logs?

Log files for the patching process are located here:

/opt/SecureSpan/Controller/var/logs/patches.log
/opt/SecureSpan/Controller/var/logs/patch_cli*.log