I Cannot Enroll My On-Premise ("Proxy") API Gateway with SaaS API Portal. Receiving SSL-related Errors.

Article ID: 7325


Products

CA API Management SaaS, CA API Gateway

Issue/Introduction

An on-premise API Gateway node (or cluster) may report an SSL-related error during the enrollment process with API Management SaaS (aka "SaaS API Portal").

An example of such an error may look like the following:

Unable to enroll: java.security.cert.CertificateException: No name matching <hostname.dev.ca.com> found. 

Environment

This issue most often occurs in a Proof Of Concept (POC) / Trial environment, but may be experienced elsewhere.

Cause

This issue is typically caused by an SSL configuration incompatibility between the engine used on the Gateway and the engine used on the SaaS API Portal side.

Resolution

Edit the system.properties file on the API Gateway node to change the SSL library. This is a temporary change needed only for enrollment. Once enrollment succeeds, it can be removed from the system.properties file.

  1. Edit system.properties located here: /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties
  2. Add the following line to the file, and save the changes: com.l7tech.common.security.jceProviderEngineName=rsa
  3. Restart the API Gateway service: service ssg restart

Next, the previous enrollment attempt must be cleaned up before trying the enrollment process again. If the enrollment was never attempted, then the following steps can be skipped.

  1. Delete API Gateway from API Portal:
    1. Log in to the API Management SaaS instance as admin.
    2. Go to Settings > API Proxy
    3. Click the "Delete" button of the target proxy which is in the state of "Cluster is currently pending completion".
  2. Clean up the failed API Gateway:
    1. Log in to the API Gateway as admin via Policy Manager.
    2. Under Manage Certificates & Keys, delete the certificates created from the previous enrollment attempt. Note: Do not delete the API Gateway's self-signed certificate.
    3. Under Manage Scheduled Tasks, delete all scheduled tasks.
    4. Under Certificates, Keys, and Secrets, delete the Portalman private key.
    5. Under Cluster-Wide Properties, delete all properties that begin with "portal".

Attempt the enrollment process again.

If it succeeds, the system property added earlier in the workaround should be removed and the API Gateway restarted one more time. If the same SSL failure during enrollment is encountered, contact CA Support for further assistance.
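The property change and its later removal can be scripted so the temporary setting is added only once, backed up, and not left behind after enrollment. The following is an added example, not code from CA or from the original article; the function names, the PROPS_FILE override and the .pre-enroll.bak backup suffix are assumptions of this example, and the service restart is still run by the operator.

```shell
#!/bin/sh
# Added example: toggles the temporary enrollment workaround from this article.
# Function names, PROPS_FILE override and backup suffix are assumptions.
PROPS_FILE="${PROPS_FILE:-/opt/SecureSpan/Gateway/node/default/etc/conf/system.properties}"
KEY='com.l7tech.common.security.jceProviderEngineName'
KEY_RE='com\.l7tech\.common\.security\.jceProviderEngineName'

# Exit status 0 if any line in the given file currently sets the key.
workaround_present() {
    grep -q "^[[:space:]]*${KEY_RE}[[:space:]]*=" "$1" 2>/dev/null
}

# Append the property once, keeping a backup of the untouched file.
workaround_add() {
    f="${1:-$PROPS_FILE}"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    if workaround_present "$f"; then
        echo "already set in $f"; return 0
    fi
    cp -p "$f" "$f.pre-enroll.bak" || return 1
    # If the last line has no newline, add one so the property is not glued to it.
    [ -z "$(tail -c 1 "$f")" ] || printf '\n' >> "$f"
    printf '%s=rsa\n' "$KEY" >> "$f"
    echo "added $KEY=rsa; now run: service ssg restart"
}

# Remove the property after enrollment succeeds; other lines are untouched.
workaround_remove() {
    f="${1:-$PROPS_FILE}"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    workaround_present "$f" || { echo "not set in $f"; return 0; }
    tmp="$f.tmp.$$"
    sed "/^[[:space:]]*${KEY_RE}[[:space:]]*=/d" "$f" > "$tmp" || return 1
    # Write back in place so the original file's owner and mode are kept.
    cat "$tmp" > "$f" && rm -f "$tmp"
    echo "removed $KEY; now run: service ssg restart"
}

# Stand-alone use: script.sh add | remove | status
case "${1:-}" in
    add)    workaround_add ;;
    remove) workaround_remove ;;
    status) workaround_present "$PROPS_FILE" && echo present || echo absent ;;
esac
```

Running the status action after enrollment confirms whether the temporary property is still in place before the final restart.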

Additional Information