Unable to connect to Policy Manager after upgrade from 7.x series to 9.1 or 9.2 due to Listen Port Cipher Suite Issue

book

Article ID: 5318

calendar_today

Updated On:

Products

CA API Gateway

Issue/Introduction

Inability to establish Policy Manager connectivity after upgrading a CA API Gateway from version 7.x CA API Gateway appliance to version 9.1 or 9.2. Initial investigations will show the Gateway in a running status and SSPC logs indicating the processController started. 

---------------------------------------------------------------------- 
CA API Gateway Status 
---------------------------------------------------------------------- 

Configuration: 
Node Status = RUNNING 
Node Status Timestamp = 2017-01-16 12:02:01 
Node Status Since = 2017-01-16 11:41:27 

SSPC Logs:

2017-01-16T11:40:51.931-0600 INFO 1 com.l7tech.server.processcontroller.ProcessController: /opt/SecureSpan/Gateway/node/default/var/processControllerPort does not exist yet, will try default port 
2017-01-16T11:40:56.946-0600 INFO 1 com.l7tech.server.processcontroller.ProcessController: /opt/SecureSpan/Gateway/node/default/var/processControllerPort does not exist yet, will try default port 
2017-01-16T11:41:01.967-0600 INFO 1 com.l7tech.server.processcontroller.ProcessController: /opt/SecureSpan/Gateway/node/default/var/processControllerPort does not exist yet, will try default port 
2017-01-16T11:41:06.982-0600 INFO 1 com.l7tech.server.processcontroller.ProcessController: /opt/SecureSpan/Gateway/node/default/var/processControllerPort does not exist yet, will try default port 
2017-01-16T11:41:11.996-0600 INFO 1 com.l7tech.server.processcontroller.ProcessController: /opt/SecureSpan/Gateway/node/default/var/processControllerPort does not exist yet, will try default port 
2017-01-16T11:41:17.016-0600 INFO 1 com.l7tech.server.processcontroller.ProcessController: /opt/SecureSpan/Gateway/node/default/var/processControllerPort does not exist yet, will try default port 
2017-01-16T11:41:22.031-0600 INFO 1 com.l7tech.server.processcontroller.ProcessController: /opt/SecureSpan/Gateway/node/default/var/processControllerPort does not exist yet, will try default port 
2017-01-16T11:41:27.046-0600 INFO 1 com.l7tech.server.processcontroller.ProcessController: Getting API port from /opt/SecureSpan/Gateway/node/default/var/processControllerPort 
2017-01-16T11:41:27.839-0600 INFO 1 com.l7tech.server.processcontroller.q: default started successfully 
2017-01-16T11:41:27.839-0600 INFO 1 com.l7tech.server.processcontroller.ProcessController: default started 

Cause

Ports 8443 and 9443 respectively, necessary for software and web client access respectively, have not started correctly due to deprecated cipher suites enabled whilst running CA API Gateway version 7.x.

Environment

Release: L7SMG299000-7.1-Mobile API Gateway-HARDWARE APPLIANCE DUAL CPU
Component:

Resolution

Manually update the supported cipher suites via the commands below:

  1. mysql ssg -e “update connector_property set value="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" where name="cipherList"” 

  2. service ssg restart