Layer7 API Management

The company I work for has a couple of old Layer 7 instances running v7.1.0 that upper management has not prioritized upgrading or migrating off of (despite repeated warnings over the years).  We currently have no one with SME level knowledge within the company.  My support team has been tasked with "keep the lights on".  While we've done fine for some time, we recently encountered an issue we are not able to figure out. 

Last week we receive a report of an issue with API calls and log in to the Policy Manager and find it reporting the license expired.

License XML invalid: java.security.cert.CertificateExpiredException: NotAfter: Fri Sep 26 05:18:20 UTC 2025

We were able to find a zip of license files (thank goodness for email archives).  These licenses all appear to be valid for an extremely long time.  I tried applying each of the license files we have, but they all returned "That license is invalid and cannot be installed."

    <description>Savvis-PROD-SSG-v7-1</description>    <licenseAttributes>        <attribute>Enterprise</attribute>    </licenseAttributes>    <valid>2012-06-28T23:21:26.342Z</valid>    <expires>2062-06-28T23:21:48.406Z</expires>    <host name="*"/>    <ip address="*"/>    <product name="Layer 7 SecureSpan Suite">        <version major="7" minor="*"/>        <featureset name="set:Profile:Gateway"/>    </product>    <licensee name="Savvis"/>

This expire date matches what is seen (using the Policy Manager) in the other instances that are running without issue.  The first day the issue was noticed, the 01 node of a pair showed the license error message but the 02 node showed valid through 2062.  The next day, the 02 node also showed the license error message.  I assume that database replication carried over whatever the issue is.

However, if I look in the SSG database (select propkey,propvalue from cluster_properties where propkey="license";) I see the same 2062 expiry date on all Layer 7 instances.  So if the application is looking at the database for the license, I'm not sure why it sees it as invalid.

This happened last week on a Layer 7 instance only a single team made use of, so we were content enough to use this as a push to get them to migrate off.  Yesterday, a Dev instance suddenly shows the same license error.  Due to my lack of understanding on why the licenses are seen as invalid and what is triggering the change, I am extremely worried about the remaining instance which is heavily used.

Other relevant bits:

• No patching activities have been done on these servers.  They are old RHEL 5 boxes that our patching team doesn't support.
• The first pair of servers that showed the issue had full server backups.  We restored these to new VMs, but the issue persisted.
• The uptime on all of the servers was over 6 months, so no unexpected reboots.

So I'm looking for any ideas on why these licenses are suddenly seen as invalid and any possible ways to get the application to re-recognize the licenses.  TIA.

Hello @David McFall,

It's possible that this problem is related to the expiry of the cert used to validate the license signature, and not the expiry of the license itself. This is a known issue for gateways older than v9.4. Though v7.1 is particularly old and long out of support, we might be able to help your company if it has active support for Layer7 and extended support for the old version. You should contact your Broadcom or partner account team to discuss your support status.

Regards,

The company I work for has a couple of old Layer 7 instances running v7.1.0 that upper management has not prioritized upgrading or migrating off of (despite repeated warnings over the years).  We currently have no one with SME level knowledge within the company.  My support team has been tasked with "keep the lights on".  While we've done fine for some time, we recently encountered an issue we are not able to figure out. 

Last week we receive a report of an issue with API calls and log in to the Policy Manager and find it reporting the license expired.

License XML invalid: java.security.cert.CertificateExpiredException: NotAfter: Fri Sep 26 05:18:20 UTC 2025

We were able to find a zip of license files (thank goodness for email archives).  These licenses all appear to be valid for an extremely long time.  I tried applying each of the license files we have, but they all returned "That license is invalid and cannot be installed."

    <description>Savvis-PROD-SSG-v7-1</description>    <licenseAttributes>        <attribute>Enterprise</attribute>    </licenseAttributes>    <valid>2012-06-28T23:21:26.342Z</valid>    <expires>2062-06-28T23:21:48.406Z</expires>    <host name="*"/>    <ip address="*"/>    <product name="Layer 7 SecureSpan Suite">        <version major="7" minor="*"/>        <featureset name="set:Profile:Gateway"/>    </product>    <licensee name="Savvis"/>

This expire date matches what is seen (using the Policy Manager) in the other instances that are running without issue.  The first day the issue was noticed, the 01 node of a pair showed the license error message but the 02 node showed valid through 2062.  The next day, the 02 node also showed the license error message.  I assume that database replication carried over whatever the issue is.

However, if I look in the SSG database (select propkey,propvalue from cluster_properties where propkey="license";) I see the same 2062 expiry date on all Layer 7 instances.  So if the application is looking at the database for the license, I'm not sure why it sees it as invalid.

This happened last week on a Layer 7 instance only a single team made use of, so we were content enough to use this as a push to get them to migrate off.  Yesterday, a Dev instance suddenly shows the same license error.  Due to my lack of understanding on why the licenses are seen as invalid and what is triggering the change, I am extremely worried about the remaining instance which is heavily used.

Other relevant bits:

• No patching activities have been done on these servers.  They are old RHEL 5 boxes that our patching team doesn't support.
• The first pair of servers that showed the issue had full server backups.  We restored these to new VMs, but the issue persisted.
• The uptime on all of the servers was over 6 months, so no unexpected reboots.

So I'm looking for any ideas on why these licenses are suddenly seen as invalid and any possible ways to get the application to re-recognize the licenses.  TIA.

Hi Ben!

What you suggest makes sense for what I'm seeing.  Is there a way I can verify that that is the issue?  We have another Layer7 instance that shows a license that's valid for a long time, but if there's another timer that could break it I would like to use that to pressure my higher-ups to take some action.

I will double-check about the support.  If (as I suspect may be the case) the company has dropped support and needs to re-initiate, what is the best way to contact Broadcom about that?

Thanks,

David

Hello @David McFall,

It's possible that this problem is related to the expiry of the cert used to validate the license signature, and not the expiry of the license itself. This is a known issue for gateways older than v9.4. Though v7.1 is particularly old and long out of support, we might be able to help your company if it has active support for Layer7 and extended support for the old version. You should contact your Broadcom or partner account team to discuss your support status.

Regards,

The company I work for has a couple of old Layer 7 instances running v7.1.0 that upper management has not prioritized upgrading or migrating off of (despite repeated warnings over the years).  We currently have no one with SME level knowledge within the company.  My support team has been tasked with "keep the lights on".  While we've done fine for some time, we recently encountered an issue we are not able to figure out. 

Last week we receive a report of an issue with API calls and log in to the Policy Manager and find it reporting the license expired.

License XML invalid: java.security.cert.CertificateExpiredException: NotAfter: Fri Sep 26 05:18:20 UTC 2025

We were able to find a zip of license files (thank goodness for email archives).  These licenses all appear to be valid for an extremely long time.  I tried applying each of the license files we have, but they all returned "That license is invalid and cannot be installed."

    <description>Savvis-PROD-SSG-v7-1</description>    <licenseAttributes>        <attribute>Enterprise</attribute>    </licenseAttributes>    <valid>2012-06-28T23:21:26.342Z</valid>    <expires>2062-06-28T23:21:48.406Z</expires>    <host name="*"/>    <ip address="*"/>    <product name="Layer 7 SecureSpan Suite">        <version major="7" minor="*"/>        <featureset name="set:Profile:Gateway"/>    </product>    <licensee name="Savvis"/>

This expire date matches what is seen (using the Policy Manager) in the other instances that are running without issue.  The first day the issue was noticed, the 01 node of a pair showed the license error message but the 02 node showed valid through 2062.  The next day, the 02 node also showed the license error message.  I assume that database replication carried over whatever the issue is.

However, if I look in the SSG database (select propkey,propvalue from cluster_properties where propkey="license";) I see the same 2062 expiry date on all Layer 7 instances.  So if the application is looking at the database for the license, I'm not sure why it sees it as invalid.

This happened last week on a Layer 7 instance only a single team made use of, so we were content enough to use this as a push to get them to migrate off.  Yesterday, a Dev instance suddenly shows the same license error.  Due to my lack of understanding on why the licenses are seen as invalid and what is triggering the change, I am extremely worried about the remaining instance which is heavily used.

Other relevant bits:

• No patching activities have been done on these servers.  They are old RHEL 5 boxes that our patching team doesn't support.
• The first pair of servers that showed the issue had full server backups.  We restored these to new VMs, but the issue persisted.
• The uptime on all of the servers was over 6 months, so no unexpected reboots.

So I'm looking for any ideas on why these licenses are suddenly seen as invalid and any possible ways to get the application to re-recognize the licenses.  TIA.