CA API Gateway - Upgrading your Gateway Appliance from 10.0 to 10.1
search cancel

CA API Gateway - Upgrading your Gateway Appliance from 10.0 to 10.1

book

Article ID: 240960

calendar_today

Updated On:

Products

CA API Gateway

Issue/Introduction

The information in this document is an example of how to upgrade the API Gateway Appliance from version 10.0 to version 10.1.

This Article is based on the formal upgrade documentation seen here:

 

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-1/install-configure-upgrade/upgrade-the-gateway/upgrade-an-appliance-gateway/standard-upgrade-procedure.html

This document:

  • Does not cover all upgrade scenarios
  • Is not a replacement for contacting Broadcom Professional Services for upgrade assistance,
  • Should only be used as a guide and not full upgrade planning
  • Is applicable to upgrading the Gateway Appliance Form Factor (VMware ESX, AWS AMI, or MS Azure Gateway appliances). 
  • Does not cover upgrading the Container or Software Installs
  • Assumes you are not running the CA Siteminder SDK but if you are you can add the application of the corresponding CA Siteminder SDK that is included in the upgrade zip file to your patch sequence.

 

Environment

CA API Gateway 10.0

Step 1:

First, gather some details about your environment

  1. Gather the Current Gateway Version.  You should be running Gateway 10.0.  It does not matter if you have any Cumulative Release Patches or Monthly Platform Patches applied. You do not have to be at any particular Cumulative Release or Monthly Platform patch level to upgrade from Gateway 10.0 to 10.1.  After upgrading from 10.0 to base 10.1 you will apply the latest 10.1 Cumulative Release patch (CR01) and if necessary the latest Monthly Platform patch. You can determine the current Gateway version by dropping into the Root Shell on your gateway and running rpm -qa ssg
  2. Beginning with Gateway version 10.0 CR1, JSON Schema v2 has been deprecated due to a library upgrade. Users should upgrade their JSON Schema to v4. If you are planning on applying Gateway 10.0 CR01 or CR02 during your Gateway 10.0 to 10.1 upgrade process please ensure that you test for this JSON Schema v2 deprecation before a production upgrade.
  3. Determine if you are running any Broadcom provided Custom Assertions. If your installation includes any custom assertions built with Gateway 10.0 or older, you may need to recreate them using the latest Java 11-compatible Gateway Custom Assertion Software Development Kit. Verify with Broadcom Support before upgrading to ensure that your particular custom assertion will not cause issues during the Gateway upgrade.
  4. Consider if you are running a Standalone Gateway or a Clustered Environment. If you are running a Clustered Gateway environment you must upgrade ALL of the nodes before attempting to use the environment. 
  5. Check to ensure that you have sufficient disk space on the Gateway nodes. You can Delete staged patch files through the Gateway menus as described here.  Please note that this will not roll-back applied patches; rather, it will only remove the patch files that were uploaded to the Gateway.
  6. Check to ensure that MySQL DB Replication is healthy (Between the Primary and Secondary DB nodes) before you proceed with upgrading a multi-node Gateway Cluster. You can run the following command on each DB node to check for Replication health:  mysql -e "show slave status\G"  where you should see Slave_IO_Running and Slave_SQL_Running set to Yes .  If Replication is not functioning properly please reset it with the Gateway 10.x procedure in the following KB Article:  https://knowledge.broadcom.com/external/article?articleId=44402
  7. Check your Java configurations.  With Gateway 10.1 the version of Java is upgraded from Java 8 to Java 11.  With Java 11 some Java 8 arguments have been deprecated which should be checked in the following file:  /opt/SecureSpan/Gateway/runtime/etc/profile.d/appliancedefs.sh .  For more info please see KB @ https://knowledge.broadcom.com/external/article?articleId=224263

Step 2: 

Gather the necessary files for your Gateway 10.1 upgrade

Download and prepare the necessary files you will need to upgrade from Gateway 10.0 to 10.1

Access the Broadcom Download Portal from the link below.

https://support.broadcom.com/download-center/download-center.html

Note: If you are having issues logging into the Broadcom Portal please open an issue with our Support Portal team @ https://ca-broadcom.wolkenservicedesk.com/web-form choosing the CA Support Portal category on the Request Type pull-down field.

Select My Downloads from the Left-hand Pane:

Select the proper category Cyber Security Software from the following Drop-Down 

Search for and click on the category API Gateway 

From here you will see a list of Software Entitlements specific to your contract.  For example you may see something like this in which case you would click into the 10.1 link

The file you will need to upgrade your Gateway 10 Appliance is called:

CA_API_Gateway_Virtual_CentOS_Appliance_Upgrade_10.1.00.zip

This ZIP file contains three files:

  • Layer7_API_PlatformUpdate_64bit_v10.1.00-CentOS.L7P
    • This is the first file you will apply which prepares the underlying Gateway Appliance OS Platform
  • Layer7_API_Gateway_v10.1.00.11620.L7P
    • This is the main Gateway 10.1 upgrade patch that brings your Gateway to version 10.1.  This is applied ONLY after you have successfully applied Layer7_API_PlatformUpdate_64bit_v10.1.00-CentOS.L7P
  • CA_SSO_SDK_Compact_v12.8.03.L7P
    • This is an optional upgrade file if you are running the CA SSO Siteminder integration on your Gateway

Now let's look at the upgrade process in detail:

Cause

General Upgrade Sequence

This is the general flow of the procedure.

First, gather some details about your environment and do some health checks  (Step 1 above)

Gather Files from the Download Portal (Step 2 above)

Copy patch L7P Files to your Gateway and change permissions (Step 3 below)

Enter Patching Menu. Upload and install Patch Layer7_API_PlatformUpdate_64bit_v10.1.00-CentOS.L7P 

Reboot the Gateway 

Enter Patching Menu. Upload and install Patch Layer7_API_Gateway_v10.1.00.11620.L7P

Reboot the Gateway 

Upgrade your Database from the Gateway Menu. 

Reboot the Gateway and when it comes back online your Gateway node should now be at version 10.1

Important:  IN A MULTI-NODE GATEWAY CLUSTER YOU MUST UPGRADE ALL OF THE NODES IN YOUR CLUSTER.  DO NOT ATTEMPT TO USE A PARTIALLY UPGRADED CLUSTER

If you have replication enabled then make sure to upgrade all nodes of the cluster before running the "Upgrade Database" step.

Resolution

Step 3:

Upgrading the Gateway from 10.0 to 10.1

Stop Here:

Before proceeding take all precautions to VMware snapshot your Gateway 10.0 if possible.

Follow this Sequence to upgrade the Gateway Appliance to 10.1

Copy these two files from CA_API_Gateway_Virtual_CentOS_Appliance_Upgrade_10.1.00.zip to your Gateway /home/ssgconfig directory

File 1:  Layer7_API_PlatformUpdate_64bit_v10.1.00-CentOS.L7P
File 2:  Layer7_API_Gateway_v10.1.00.11620.L7P 

Log into the Gateway, drop into the root shell and navigate to the /home/ssgconfig directory and change the file permission to 755 with:

chmod 755 Layer7_API_PlatformUpdate_64bit_v10.1.00-CentOS.L7P
chmod 755 Layer7_API_Gateway_v10.1.00.11620.L7P

Now enter the Gateway Patch Menu with Option 8 Display Patch Management Menu

Choose Option 1 Upload a patch to the Gateway

Choose Layer7_API_PlatformUpdate_64bit_v10.1.00-CentOS.L7P for upload processing

After the Patch has been uploaded Choose Option 2 Install a patch onto the Gateway and choose the Layer7_API_PlatformUpdate_64bit_v10.1.00-CentOS.L7P for installation

After the patch has been successfully uploaded and installed Reboot the Gateway Node.

Run the Patch Upload and Install for patch Layer7_API_Gateway_v10.1.00.11620.L7P similar to the first patch, uploading and installing it through the Gateway Menu.

After the patch has been successfully uploaded and installed Reboot the Gateway Node.

After the application of the second patch Upgrade your Database from the Gateway Menu. Select option 2 (Display Layer7 API Gateway configuration menu) and then Select option 1 (Upgrade the Layer7 API Gateway database) and follow the prompts on the screen.

After the DB is upgraded. Wait for the gateway to restart Or issue # service ssg restart    (so the gateway.jar process picks up the new ssg_version update that the DB is at the right version).

The Gateway node is now at Gateway 10.1 and you can use the same general process for each subsequent node in the cluster.

Important:  IN A MULTI NODE GATEWAY CLUSTER YOU MUST UPGRADE ALL OF THE NODES IN YOUR CLUSTER.  DO NOT ATTEMPT TO USE A PARTIALLY UPGRADED CLUSTER

Note the Additional Information section below if you wish to extend the upgrade for 10.1 to include the latest Cumulative Release (CR) Patch and or the latest Monthly Platform Patch (which includes vulnerability fixes and other updates for the underlying Gateway Appliance platform)

 

 

Additional Information

Policy Manager Installation for Gateway 10.1

Please obtain the following file from your Download Portal and ensure you are using the Policy Manager for Gateway 10.1

CA_API_Gateway_Policy_Manager_10.1.00.zip

Applying Gateway 10.1's latest Cumulative Release Patch and/or the latest Monthly Platform Patch

Please see the following KB article to patch Gateway 10.1 with the latest CR and Monthly Patch.  

Please note that Gateway 10.0 and Gateway 10.1 have SEPARATE Cumulative Release patches so ensure that you are following the instructions for Gateway 10.1.  All Monthly Platform Patches can be applied to both Gateway 10.0 and Gateway 10.1 appliances and are not separate for each version.

https://knowledge.broadcom.com/external/article?articleId=240851

Powered by Wolken Software