Layer7 API Gateway: Changing the Cluster Hostname



Article ID: 42886


Updated On:

Products

STARTER PACK-7, CA Rapid App Security, CA API Gateway

Issue/Introduction

When you change the cluster host name (i.e., the host name of the virtual interface used by a load balancer), you need to create a new default SSL key. The default SSL key created during the initial deployment of the Gateway database uses the cluster host name as the CN value, so after the change the CN value of the presented certificate will no longer match the cluster host name. Some applications (including the CA API Gateway and CA API Gateway Policy Manager) force host name validation with certificate authentication.

Environment

Release:
Component: APIGTW

Resolution

To change the cluster host name of the Gateway cluster and change the private key of the CA API Gateway:

  1. Log into the Policy Manager as an administrative user.
  2. Select the "Manage Cluster-Wide Properties" task from the "Tasks" menu.
  3. Set "cluster.hostname" to the new cluster host name previously specified in the Gateway configurator menu.
  4. Close the Manage Cluster-Wide Properties dialog.
  5. Select the "Manage Private Keys" task from the "Tasks" menu.
  6. Select the "Create" button. Ensure the CN value matches the new cluster host name. Add other certificate attributes as necessary.
  7. Select the "Mark as Special Purpose" button.
  8. Choose the "Set as Default SSL Key" option.
  9. Restart the CA API Gateway service on all nodes in the cluster.

Please note that the generation of a new private key will require existing trust relationships to be re-established. Keys may need to be re-signed, if applicable, and certificate trust chains re-imported. If you require assistance with these topics, please contact CA Support.
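
To confirm that steps 6 through 9 took effect on every node, the certificate each node presents can be compared against the new cluster host name. The following is an added example, not CA tooling or part of the original article; the node names, host names and the `trusted_pem` path (the new certificate exported from Manage Private Keys) are assumptions, and the listener port must be supplied for your deployment.

```python
import socket
import ssl

def names_in_cert(cert):
    """Split an SSLSocket.getpeercert() dict into (DNS SANs, subject CNs)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return sans, cns

def name_matches(pattern, host):
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":  # wildcard honoured only as the whole left-most label
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches_hostname(cert, hostname):
    sans, cns = names_in_cert(cert)
    # Host name validation falls back to the CN only when no DNS SAN exists.
    return any(name_matches(n, hostname) for n in (sans or cns))

def fetch_cert(node, port, trusted_pem):
    """Fetch the certificate one node presents, trusting only trusted_pem."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # names are compared separately, node by node
    ctx.load_verify_locations(cafile=trusted_pem)
    with socket.create_connection((node, port), timeout=10) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()

def audit_nodes(certs_by_node, cluster_hostname):
    """Map each node to True if its certificate matches the cluster host name."""
    return {node: cert_matches_hostname(cert, cluster_hostname)
            for node, cert in certs_by_node.items()}

# Constructed sample data: node2 was not restarted and still presents the old key.
NEW_CERT = {"subject": ((("commonName", "gw-new.example.com"),),)}
OLD_CERT = {"subject": ((("commonName", "gw-old.example.com"),),)}
SAMPLE = {"node1": NEW_CERT, "node2": OLD_CERT}

if __name__ == "__main__":
    for node, ok in audit_nodes(SAMPLE, "gw-new.example.com").items():
        print(node, "OK" if ok else "MISMATCH: check default SSL key and restart")
```

Against live nodes, build the input with `fetch_cert(node, port, trusted_pem)` for each node address; it raises `ssl.SSLCertVerificationError` if a node presents anything other than the trusted certificate, which is itself a sign that the node has not picked up the new default SSL key.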