
Updating a statically assigned IP address for a single Gateway node


Article ID: 42497


Updated On:


STARTER PACK-7 CA Rapid App Security CA API Gateway


An IP address change should not impact the API Gateway appliance negatively when it is configured correctly. This article will check several configuration values to ensure that they are not set in such a manner that a static IP address change may cause an issue. The following items can cause complications when updating the static IP address of a Gateway appliance when set improperly:

  1. Gateway database connection properties
  2. Database replication grants
  3. Remote node management configuration
  4. Inbound TCP listeners
  5. Hosts file


Component: APIGTW


This section will provide instructions on verifying these configuration items and determining if they need to be adjusted. If the adjustment is required then instructions for adjustment will be provided.

Gateway database connection properties

The Gateway database connection properties should use fully qualified domain names that are resolvable via DNS or via a Hosts file. IP addresses should not be used in this space. This procedure will check for the use of IP addresses.

  1. Log in to the API Gateway as the ssgconfig user
  2. Select Option #3: Use a privileged shell (root)
  3. Open /opt/SecureSpan/Gateway/node/default/etc/conf/ in a text editor
  4. Ensure no IP addresses are set for the following lines:

If these values are set to IP addresses then they should be changed to fully qualified domain names. Save the file and exit the editor. Restart the Gateway in order to force the changes to take effect.

Database replication grants

The Gateway database contains a set of unique grants for replication that provide unprivileged access to a specific user account. These grants should have been created using fully qualified domain names but may be set to IP addresses. This procedure will check for the use of IP addresses.

  1. Log in to the API Gateway as the ssgconfig user
  2. Select Option #3: Use a privileged shell (root)
  3. Access the MySQL client: mysql
  4. Execute the following SQL query: SELECT user,host FROM mysql.user;
  5. Verify that no IP addresses are set for the host column

If IP addresses are present in the host column then they can be changed via these SQL queries:
UPDATE mysql.user SET host = "<FQDN for gw1>" WHERE host = "<IP for gw1>";
UPDATE mysql.user SET host = "<FQDN for gw2>" WHERE host = "<IP for gw2>";
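
The check in step 5 can be scripted. The following is an added example, not part of the original article or of the Gateway's own tooling: it reads the tab-separated output of the step 4 query (for instance from `mysql -N -B -e 'SELECT user,host FROM mysql.user;'`) and lists every grant whose host is an IPv4 address, an IPv4 pattern or netmask, or an IPv6 literal. The function names, user names and addresses in the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag mysql.user rows whose host column is an IP literal
# or IP pattern instead of a hostname.
# Input: tab-separated "user<TAB>host" rows on stdin.

ip_grant_hosts() {
    awk -F '\t' '
    # True when s is a dotted quad with every octet in 0..255.
    function is_ipv4(s,    n, o, i) {
        n = split(s, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++) {
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        }
        return 1
    }
    # True when s is an IPv4 prefix pattern such as 10.1.2.% or 10.1.%
    function is_ipv4_pattern(s,    n, o, i) {
        n = split(s, o, ".")
        if (n < 2 || n > 4 || o[n] != "%") return 0
        for (i = 1; i < n; i++) {
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        }
        return 1
    }
    NF >= 2 {
        host = $2
        base = host
        sub(/\/.*$/, "", base)          # drop a /netmask suffix if present
        if (is_ipv4(base) || is_ipv4_pattern(host) || index(host, ":") > 0)
            printf "%s@%s\n", $1, host
    }'
}

# Constructed sample rows (documentation addresses, hypothetical user names).
sample_rows() {
    printf 'root\tlocalhost\n'
    printf 'repluser\t192.0.2.11\n'
    printf 'repluser\tgw2.example.com\n'
    printf 'gateway\t192.0.2.%%\n'
    printf 'repluser\t2001:db8::12\n'
    printf 'gateway\t10.gw.example.com\n'
}

sample_rows | ip_grant_hosts
```

Each line printed is a grant that will stop matching once the node's address changes. MySQL applies direct edits to mysql.user only after `FLUSH PRIVILEGES;` or a server restart.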


Remote node management configuration

The API Gateway can be managed via the CA Enterprise Service Manager. This integration requires configuration of a specific management setting. This setting may be set to a specific IP address that should reflect the IP address assigned to an existing interface on the API Gateway. This address will need to be changed if the applicable IP address has been set.

  1. Log in to the API Gateway as the ssgconfig user
  2. Select Option #5: Display Remote Management configuration menu
  3. Set the value for Option #1 (Listener IP Address) to an asterisk (*)
  4. Select Option S: Save changes and exit
  5. Restart the API Gateway appliance

Inbound TCP Listeners

Listen ports used by the API Gateway for inbound requests can be bound to one or all interfaces. A listen port should be bound to all interfaces or a specific interface range using CIDR. The default listen ports for the Gateway are always assigned to all interfaces but that may have been changed by an administrator prior to the IP address change event. Perform the following procedure to check if a listen port is bound to a specific interface or interface range:

  1. Log in to the Policy Manager as an administrative user
  2. Open the Manage Listen Ports task
  3. Review the Interface column of the displayed ports

All ports should display (ALL) as the current assigned interface. If an interface displays an IP address or name then the port configuration should be inspected to ensure it will be valid after changing the Gateway's IP address. That can be done as follows:

  1. Select Interfaces from the Manage Listen Ports task
  2. Select an Interface from the Manage Interfaces dialog
  3. Ensure the value of Address Patterns for Selected Interfaces reflects a valid IP range or address

If an address or pattern would be invalidated by an IP address change then select the pattern or address and click Edit Address Pattern. A dialog will appear and the change can be supplied. The Gateway will need to be restarted for this change to take effect.

Hosts file

The Hosts file provides a DNS-less method of mapping IP addresses to hostnames. Verify this file contains valid IP addresses for any new interfaces as follows:

  1. Log in to the API Gateway as the ssgconfig user
  2. Select Option #3: Use a privileged shell (root)
  3. Open /etc/hosts in a text editor
  4. Review the contents of the file and make any applicable changes