Patches and updates to the API Gateway are signed upon creation to ensure that they are not tampered with or malformed in transit between our engineering site, the customer portal, and a target system. These signatures are based on digital signature principles. The signatures and the permitted signing entity need to be updated periodically. CA Support distributes updates to the API Gateway appliance that update these signing certificates.
A particular update was issued after version 8.0.0 that updated these trusted certificates for subsequent patches. This patch is referred to as Layer7_UpdateTrustStore.L7P. There are certain changes to this file that may cause conflicts with future updates and must be manually extracted.
In the API Gateway log files (usually in the sspc_0_0.log file), the following three unique lines can be found in the stack trace generated when installation of the patch file fails:
- com.l7tech.server.processcontroller.patching.PatchServiceApiImpl: Output from patch install: Exception in thread "main" java.lang.NoClassDefFoundError: liquibase/exception/LiquibaseException
- com.l7tech.server.processcontroller.patching.PatchServiceApiImpl: Output from patch install: Caused by: java.lang.ClassNotFoundException: liquibase.exception.LiquibaseException
- com.l7tech.server.processcontroller.patching.PatchServiceApiImpl: Output from patch install: Package verification failure when attempting to install patch.
In addition to the above errors, the following properties will be present in the /opt/SecureSpan/Controller/etc/host.properties file:
An additional file is also inserted into the same directory: l7trustedcerts
The presence of all three items listed above (errors, properties, and file) may prevent Gateways running version 8.2.00 and later from being updated with regular monthly Platform Security Updates.
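A read-only check for the three indicators above, written as an added example rather than vendor code. The sample log, the temporary directory and the name placeholder.property are constructed for the demonstration; on an appliance, pass the real log path, /opt/SecureSpan/Controller/etc, and the property names to look for.

```bash
# Added example, not vendor code. Fixed-string signatures taken from the log lines above.
SIG1='java.lang.NoClassDefFoundError: liquibase/exception/LiquibaseException'
SIG2='java.lang.ClassNotFoundException: liquibase.exception.LiquibaseException'
SIG3='Package verification failure when attempting to install patch.'

# count_log_signatures LOG : print how many signatures (0-3) occur on PatchServiceApiImpl lines.
count_log_signatures() {
    cls_n=0
    [ -r "$1" ] || { echo 0; return 0; }
    for cls_sig in "$SIG1" "$SIG2" "$SIG3"; do
        grep -F 'PatchServiceApiImpl' "$1" | grep -F -q -- "$cls_sig" && cls_n=$((cls_n + 1))
    done
    echo "$cls_n"
}

# props_active FILE NAME... : return 0 if every NAME appears on a non-comment line of FILE.
# Names come from the caller; with none given this check passes trivially.
props_active() {
    pa_file=$1; shift
    [ -r "$pa_file" ] || return 1
    for pa_key in "$@"; do
        grep -v '^[[:space:]]*#' "$pa_file" | grep -F -q -- "$pa_key" || return 1
    done
    return 0
}

# check_truststore_conflict LOG ETCDIR [NAME...] : return 0 only if all indicators are present.
check_truststore_conflict() {
    ctc_log=$1; ctc_etc=$2; shift 2
    ctc_hits=$(count_log_signatures "$ctc_log")
    echo "log signatures: $ctc_hits/3"
    [ "$ctc_hits" -eq 3 ] || return 1
    [ -e "$ctc_etc/l7trustedcerts" ] || { echo "l7trustedcerts: absent"; return 1; }
    props_active "$ctc_etc/host.properties" "$@" || { echo "properties: not all set"; return 1; }
    echo "all indicators present"
}

# Constructed sample data (placeholder property name) so the check runs off the appliance.
sample=$(mktemp -d)
pfx='com.l7tech.server.processcontroller.patching.PatchServiceApiImpl: Output from patch install:'
printf '%s\n' "$pfx Exception in thread \"main\" $SIG1" "$pfx Caused by: $SIG2" \
    "$pfx $SIG3" > "$sample/sspc_0_0.log"
printf '%s\n' 'placeholder.property=value' > "$sample/host.properties"
: > "$sample/l7trustedcerts"
check_truststore_conflict "$sample/sspc_0_0.log" "$sample" placeholder.property
```

The function exits non-zero as soon as one indicator is missing, so it can also be rerun after the procedure below to confirm that the properties are commented out and the file has been renamed.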
The following procedure can be used to resolve this issue:
- Open a terminal session (SSH) to the API Gateway and log in as the ssgconfig user.
- Select the 3) Use a privileged shell (root) option under the main ssgconfig menu.
- Edit the following file using a text editor: /opt/SecureSpan/Controller/etc/host.properties
- Comment out the following properties by prepending a # character:
- Save the changes and exit the editor.
- Rename the trusted certificate file using the following command: mv l7trustedcerts l7trustedcerts.orig
- Navigate to the /opt/SecureSpan/Controller/var/patches directory.
- Delete the following files applicable to the most recently failed patch installation:
- Layer7_PlatformUpdate_64bit_v<Major version>.<Minor version>-<month>-<day>-<year>.L7P
- Reattempt the installation of the patch following the instructions in the CA API Gateway documentation.