Containerizing Layer 7

Article ID: 261055

Updated On:

Products

CA API Gateway

Issue/Introduction

As our team continues to work with utilizing Layer 7 API Gateway as a container, we are finding ourselves struggling to develop a solution that is fully managed ‘as-code’.  We are revisiting an issue which was previously discussed where the API Gateway requires a restart in order to pick up the correct keystore.  From our previous discussions, we implemented a solution that uses key aliases and sets the policies accordingly to use them. What appears to be happening now is…

  1. We form our policy bundle using a set of init-containers, which drops the bundle into /opt/SecureSpan/…
  2. We start the gateway service so we can then access Restman
  3. We publish our policy to Restman API and configure our Keystore and Truststore.
    1. The bundle created above references key_aliases that are not present at start up
  4. We attempt to connect to an endpoint (/getJwt) via the gateway
    1. We get an error stating the SSL Socket Factory cannot be null

 

Environment

Release : 10.1

Cause

Dynamic updates were needed using a single call/update. As a workaround, they needed to touch the policy or restart (which simulates a load/activate from PM).

Resolution

New Feature

Use the "Use dynamic private key" feature added in Gateway 10.1 CR2:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-1/security-configuration-in-policy-manager/tasks-menu-security-options/manage-private-keys/select-a-custom-private-key.html

Use dynamic private key -> Use Dynamic Private Key -> Key Alias (variable)

This allows the key alias to be supplied through a context variable.