Can we expose APIs developed on Gateway at port 443 rather than 8443?
Check this: Allowing the CA API Gateway to accept message traffic on ports 80 (HTTP) and 443 (HTTPS)
I did all the settings mentioned in the document; however, it is still not working. Do we need to make some changes in the default config as well?
When you make a change through the UI to add in the redirects it creates dynamic firewall rules that do a redirect to the port. When you run the command "service iptables status | grep 443" your output should look like the following:
27 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443
29 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9443
3 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 8443
If the iptables service has been disabled this will not function.
Director, CA Support
Getting this after running command:
29 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443
31 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9443
No mention of port 443. Do I need to add that entry manually? Please suggest.
Please provide what version of the gateway, form factor of the gateway (virtual, hardware, software, AWS, etc), and also if you can provide the /etc/sysconfig/iptables file for review. The steps in the guide should be all that you need to get this to work across all nodes in the cluster.
Form factor : Virtual Appliance
iptables file : attached.
iptables file has been attached to Support CASE#00745283.
We added the following in the iptables file:
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
and restarted iptables. It seems to be working. Thanks for your prompt suggestions. Please let me know if anything else needs to be added.
I've reviewed the iptables file that was uploaded in the case and it is not a standard one delivered with any of our appliances, so that is why it is not working. We look for certain portions of the file and the order of the load to insert our rules, so the gateway is unable to add the rule dynamically. I would suggest that you add back in our default iptables file and use the Manage Firewall Rules through the Manage Listen Port interface. This will allow you to control it centrally through the Policy Manager or upload it through restman, and all nodes in the cluster would get them right away without having to touch the file.
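A quick way to confirm on each cluster node that the 443 redirect and the 8443 accept rule are both in place, whether the Gateway inserted them dynamically or they were added by hand. This is an added example, not code from the thread or from CA; it checks `iptables -S`-style rule listings, and the sample rule text below is constructed for the demonstration (only the 443 redirect line is the one quoted in the thread).

```shell
# Constructed sample of `iptables -t nat -S PREROUTING` output (hypothetical,
# not captured from a real node); the 443 line is the rule quoted in the thread.
SAMPLE_NAT='-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443'

# Same sample with the redirect absent (what the poster saw before adding it).
SAMPLE_NAT_MISSING='-P PREROUTING ACCEPT'

# Constructed sample of `iptables -S INPUT` output for the filter table.
SAMPLE_FILTER='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9443 -j ACCEPT'

# verify_listen_redirect FROM TO NAT_RULES FILTER_RULES
# Returns 0 when FROM is redirected to TO in nat PREROUTING and TO is accepted
# in filter INPUT; otherwise prints which rule is missing and returns 1.
verify_listen_redirect() {
    from="$1"; to="$2"; nat_rules="$3"; filter_rules="$4"
    # The redirect must name exactly FROM as --dport and exactly TO as --to-ports.
    if ! printf '%s\n' "$nat_rules" | grep -E \
        "^-A PREROUTING .*--dport ${from}( |$).*-j REDIRECT --to-ports ${to}( |$)" >/dev/null; then
        echo "missing: nat PREROUTING redirect ${from} -> ${to}"
        return 1
    fi
    # Redirected traffic still has to pass the filter table on the target port.
    if ! printf '%s\n' "$filter_rules" | grep -E \
        "^-A INPUT .*--dport ${to}( |$).*-j ACCEPT( |$)" >/dev/null; then
        echo "missing: filter INPUT ACCEPT for ${to}"
        return 1
    fi
    echo "ok: ${from} redirected to ${to}, ${to} accepted"
}

# On a live node (as root):
#   verify_listen_redirect 443 8443 "$(iptables -t nat -S PREROUTING)" "$(iptables -S INPUT)"
```

Run it on every node after applying the listen-port change, since the Gateway adds the rules per node and a non-standard iptables file on one node will leave that node without the redirect.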
We will surely check it. However, I couldn't find any document explaining why port 443 is not available by default for the Gateway, whereas it is the default port for HTTPS exposure. Can there be any repercussions in terms of Gateway performance or security once we enable port 443?
Usually there is a load balancer in front of the gateway cluster, so exposing port 443 can be done on the LB.