API Gateway: Policy manager shows hostname certificate warning

Article ID: 187711

Updated On:

Products

CA API Gateway API SECURITY

Issue/Introduction

When I log on to the Gateway using Policy Manager, I see a warning message: "The hostname entered for the gateway is Gateway1name but the Gateway presented a certificate claiming the hostname is Gateway2name. Do you want to login to the Gateway?"

Which certificate is used by the policy manager?  

 

Environment

Component : API GATEWAY

Cause

This warning appears because the hostname in the certificate of the Gateway's default SSL key (its CN value) is different from the hostname you enter when you log in to the Gateway.

Resolution

The following steps may be needed, depending on how you want the hostname set for the cluster:
 
If you changed the cluster hostname (i.e., the hostname of the virtual interface used by a load balancer), you will need to create a new default SSL key. The default SSL key created during the initial deployment of the Gateway database uses the cluster hostname as the CN value. When you change the cluster hostname, the CN value of the presented certificate will not match. Some applications (including the Layer 7 Gateway and Layer 7 Policy Manager) force hostname validation with certificate authentication. 
 
To create a new private key for the new cluster hostname: 
  1. Log into the Policy Manager as an administrative user. 
  2. Select the "Manage Cluster-Wide Properties" task from the "Tasks" menu. 
  3. Set "cluster.hostname" to the new cluster hostname specified in the Gateway configurator menu previously. 
  4. Close the Manage Cluster-Wide Properties dialog. 
  5. Select the "Manage Private Keys" task from the "Tasks" menu. 
  6. Select the "Create" button. Ensure the CN value matches the new cluster hostname. Add other certificate attributes as necessary. 
  7. Select the "Mark as Special Purpose" button. 
  8. Choose the "Set as Default SSL Key" option. 
  9. Restart the Layer 7 Gateway service on all nodes in the cluster. 
 
Please note that the generation of a new private key will require existing trust relationships to be re-established. Keys may need to be re-signed, if applicable, and certificate trust chains re-imported.
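To confirm the mismatch before the change and the match after the restart, the certificate's hostname can be checked with `openssl`. This is an added example, not part of the original article or the product's tooling; the hostnames are constructed placeholders, and the port passed to `fetch_presented_cert` is an assumption you supply (whichever port your Policy Manager connects on).

```shell
#!/usr/bin/env bash
# Added example: check which hostname a Gateway certificate actually carries.
# gateway1/gateway2.example.com are constructed placeholders, not real hosts.

# Print the subject (including the CN) of a PEM certificate file.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Return 0 if the certificate in file $1 is valid for hostname $2, else 1.
# openssl prints "does match" or "does NOT match"; test for the former.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" \
        | grep -q 'does match certificate'
}

# Save the certificate a live listener presents.
# $1 = hostname typed into Policy Manager, $2 = port, $3 = output PEM file.
fetch_presented_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM -out "$3"
}

# Offline stand-in for a default SSL key: throwaway self-signed cert, CN=$1.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# Report whether the hostname entered at login ($2) matches certificate $1.
report() {
    if cert_matches_host "$1" "$2"; then
        echo "$2: matches certificate, no hostname warning expected"
    else
        echo "$2: does NOT match, same mismatch the warning reports"
    fi
}

demo() {
    demo_dir=$(mktemp -d)
    # Before: certificate still carries the other hostname as its CN.
    make_demo_cert "gateway2.example.com" "$demo_dir/before"
    cert_subject "$demo_dir/before.pem"
    report "$demo_dir/before.pem" "gateway1.example.com"
    # After: new default SSL key created with CN set to the hostname in use.
    make_demo_cert "gateway1.example.com" "$demo_dir/after"
    report "$demo_dir/after.pem" "gateway1.example.com"
    rm -rf "$demo_dir"
}
demo
```

Against a real Gateway, run `fetch_presented_cert <hostname> <port> presented.pem` and then `report presented.pem <hostname>` with the hostname you enter in Policy Manager.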

Additional Information

Please review our Tech Docs for more information on creating and setting your default SSL key: Create a Private key, Set your default SSL Private key