Layer7 API Management

Expand all | Collapse all

Migrating APIs using GMU

  • 1.  Migrating APIs using GMU

    Posted May 24, 2018 09:19 AM

    Hello, I need some help for something I cannot see where is the problem.

     

    I'm trying to execute some command line for migration, but what I got is the following message: 

    Reason: Migrate in failed: Bad Request Resource validation failed due to 'INVALID_VALUES' Failed to decrypt password

     

    But If I use migrateOut for testing, it goes fine:

     

    Metallica:GatewayMigrationUtility-1.5.00-479 gilson$ ./GatewayMigrationUtility.sh migrateOut -z li3426.properties --folderName / --dest all.xml

    Warning: TLS hostname verification has been disabled

    Warning: TLS server certificate check has been disabled

    Running............................................................................................................................................................................................

    Done

     

    This happen when I try migrateIn, with other xml but same properties file:

     

    Metallica:GatewayMigrationUtility-1.5.00-479 gilson$ ./GatewayMigrationUtility.sh migrateIn -z li3426.properties --destFolder / --bundle get.xml --results result.xml

    Warning: TLS hostname verification has been disabled

    Warning: TLS server certificate check has been disabled

    Running...........

    Execution failed. Reason: Migrate in failed: Bad Request Resource validation failed due to 'INVALID_VALUES' Failed to decrypt password

     

    Gateway version is 9.3… any thoughts?



  • 2.  Re: Migrating APIs using GMU

    Broadcom Employee
    Posted May 24, 2018 10:33 AM

    Do you have an encryption passphrase in the properties file? 

     

    Also, look at the gmu.log that is generated by default in the same location as the GMU script, and look the results.xml that was generated to see if any helpful information was created there (search for error). 

     

    When you migrateOut you send the bundle to all.xml but when you migrateIn you use get.xml. What actions did you take before migratingIn? 



  • 3.  Re: Migrating APIs using GMU

    Posted May 24, 2018 11:42 AM

    Yes, it has…

     

    host=li3426
    port=8443
    clientCert=li3426.p12
    password=MQBoIntUk7U.vEOW7M1OZ3gSVo96bIdTZPfspcZA20wZusQMBgir6qU
    encryptionPassphrase=CjylMDoKOmY.Hos7cHl_MeaQxmUY8W3fG9L3JdinmVU5yX9lCt7Fnks
    trustCertificate
    trustHostname

     

    In gmu.log I don't find more useful information…

     

    May 24, 2018 10:17:18 AM com.ca.gateway.rest.commandline.command.MigrateInCommand run
    WARNING: Migrate in failed: Bad Request Resource validation failed due to 'INVALID_VALUES' Failed to decrypt password
    May 24, 2018 10:17:18 AM com.ca.gateway.rest.commandline.command.Command runCommand
    WARNING: Error executing command
    java.lang.IllegalArgumentException: Migrate in failed: Bad Request Resource validation failed due to 'INVALID_VALUES' Failed to decrypt password
    at com.ca.gateway.rest.commandline.command.MigrateInCommand.run(Unknown Source)
    at com.ca.gateway.rest.commandline.command.GatewayCommand.run(Unknown Source)
    at com.ca.gateway.rest.commandline.command.Command.runCommand(Unknown Source)
    at com.ca.gateway.rest.commandline.Main.main(Unknown Source)

     

    While using migrateOut, my idea was test properties getting any information, only that.

     

    Then I tried migrateIn using same properties. This get.xml was generated in other server (./GatewayMigrationUtility.sh migrateOut -z li3384.properties --folderName /GET --dest get.xml)



  • 4.  Re: Migrating APIs using GMU

    Broadcom Employee
    Posted May 24, 2018 12:51 PM

    Is the encryption passphrase the same for both li3384.properties and li3246.properties? 

     

    Can you try rerunning the migrateOut and migrateIn with --plaintextEncryptionPassphrase <plaintext_phrase> and see if you get the same result?



  • 5.  Re: Migrating APIs using GMU

    Posted May 24, 2018 01:57 PM

    No, they're not the same. User and certificates are different for each server (li3384 and li3246).

     

    But same scenario using --plaintextEncryptionPassphrase… migrateOut is fine and migrateIn same error.

     

    I also tried before recreate user for migration and regenerate certificates.



  • 6.  Re: Migrating APIs using GMU

    Broadcom Employee
    Posted May 24, 2018 02:57 PM

    Can you encrypt a new passphrase and put the same one in both of your properties files. When doing a migrateOut the encryptionPassphrase used needs to be used on migrateIn to successfully decrypt any encrypted secrets.



  • 7.  Re: Migrating APIs using GMU

    Posted May 24, 2018 03:16 PM

    This make sense, because some days ago I tried with same user, his password and certificate password all the same for both server and if I'm not wrong, it works. Does it mean should I create internal users in both server with same password? Is it the same for certificate? 



  • 8.  Re: Migrating APIs using GMU

    Broadcom Employee
    Posted May 24, 2018 04:19 PM

    The authentication piece is different. GMU utilizes the Restman service which requires mutual auth, or username/password for authentication; and if either one of these are present and correct it will continue to do the migration. The username/password combos do not need to be the same for all servers but correct in the args file depending on your destination server. 

     

    Here is the link for configuring the gateways, both for mutual auth and using username password. 

    Configure GMU and Gateways for Migration - CA API Gateway - 9.3 - CA Technologies Documentation 



  • 9.  Re: Migrating APIs using GMU

    Posted May 24, 2018 04:30 PM

    Well, then probably is step "Establish Server Trust" wasn't told me. I'll try it.



  • 10.  Re: Migrating APIs using GMU

    Broadcom Employee
    Posted May 24, 2018 09:16 PM

    Hello,

    The encryptionPassphrase or plaintextEncryptionPassphrase is used to encrypt/decrypt password entities in the bundle, you just need to keep the same encryptionPassphrase for both migrateOut and migrateIn.

     

    Regards,

    Mark



  • 11.  Re: Migrating APIs using GMU
    Best Answer

    Posted May 29, 2018 02:17 PM

    The only way it works (or I could make it work) is with username/password all the same in all servers... I don't like it but I'm tired of trying.