Layer7 API Management

 View Only
  • 1.  CA API Gateway suddenly stopped responding for Get API Calls.

    Posted Dec 28, 2017 12:04 AM

    Hi,

     

    We are running API gateway in a 4 node cluster. All the API calls were working fine but suddenly they have stoppe and throwing time out at the SoapUi (testing) and Mobile apps.

    I tried starting the Gateway and it started fine with some entry like

     

    "mag manager oauth 2.0 client" (#cbeedf1e2650e80f4d660a7fdb8ffd42) contains an unlicensed assertion: Unknown assertion: RetrieveOAuth2Token

    known assertion: RetrieveOAuth1Token
    2017-12-28T15:59:59.244+1100 WARNING 1 com.l7tech.server.policy.PolicyCacheImpl: 3255: Policy "enterprise oauth 2.0 client" (#cbeedf1e2650e80f4d660a7fdb8ff078) contains an unlicensed assertion: Unknown assertion: RetrieveOAuth2Token
    2017-12-28T15:59:59.274+1100 WARNING 1 com.l7tech.server.policy.PolicyCacheImpl: 3255: Policy "SalesForce oauth 2.0 client" (#cbeedf1e2650e80f4d660a7fdb8ff050) contains an unlicensed assertion: Unknown assertion: RetrieveOAuth2Token
    2017-12-28T15:59:59.297+1100 WARNING 1 com.l7tech.server.policy.PolicyCacheImpl: 3255: Policy "facebook oauth 2.0 client" (#cbeedf1e2650e80f4d660a7fdb8ff03c) contains an unlicensed assertion: Unknown assertion: RetrieveOAuth2Token
    2017-12-28T16:00:00.293+1100 WARNING 1 com.l7tech.server.policy.PolicyCacheImpl: 3255: Policy "mag manager oauth 2.0 client" (#cbeedf1e2650e80f4d660a7fdb8ffd42) contains an unlicensed assertion: Unknown assertion: RetrieveOAuth2Token
    2017-12-28T16:00:00.570+1100 WARNING 1 com.l7tech.server.policy.PolicyCacheImpl: 3255: Policy "Policy for service #f7370df418628b0f050789e387987de5, MAS Messaging v1.3" (#c1851beb96ee1f67ed539e89f83e9a7f) contains an unlicensed assertion: Unknown assertion: MQTTConnectionAssertion
    2017-12-28T16:00:00.978+1100 WARNING 1 com.l7tech.server.policy.PolicyCacheImpl: 3255: Policy "MAG Authenticate via Social Login" (#cbeedf1e2650e80f4d660a7fdb8ff08c) contains an unlicensed assertion: Unknown assertion: RetrieveOAuth1Token.

     

    I tried testing the interface with curl cmd and it hangs in between, as shown in log below:

     

    curl -v -k -X GET --header 'Accept: application/json' --header 'X-Message-From: MOBTECH' --header 'X-Rfa-Code: 01' --header 'Authorization: Bearer 1342a033-a5f5-4b3c-b51b-f9582d8e36a6' --header 'X-Rfa-Desc: KFJG' --header 'X-Transaction-ID: TEST' --header 'X-User-ID: VP12345' 'https://10.13.104.21:8443/firearms/v2/licences?id=717773&source=LARS'


    * About to connect() to 10.13.104.21 port 8443 (#0)
    *   Trying 10.13.104.21... connected
    * Connected to 10.13.104.21 (10.13.104.21) port 8443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * warning: ignoring value of ssl.verifyhost
    * skipping SSL peer certificate verification
    * NSS: client certificate not found (nickname not specified)
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: CN=uatapi.vicpolice.nonprod
    *       start date: Feb 08 03:37:55 2017 GMT
    *       expire date: Feb 06 03:37:55 2027 GMT
    *       common name: uatapi.vicpolice.nonprod
    *       issuer: CN=uatapi.vicpolice.nonprod
    > GET /firearms/v2/licences?id=717773&source=LARS HTTP/1.1
    > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
    > Host: 10.13.104.21:8443
    > Accept: application/json
    > X-Message-From: MOBTECH
    > X-Rfa-Code: 01
    > X-Rfa-Desc: KFJG
    > X-Transaction-ID: TEST
    > X-User-ID: VP12345
    >



  • 2.  Re: CA API Gateway suddenly stopped responding for Get API Calls.

    Broadcom Employee
    Posted Dec 28, 2017 10:59 AM

    Hi,

    I would suggest a couple of things.

    1) The errors you note all point to an Oauth License. Is it only mobile APIs having issues? Meaning if you create a test "echo" service with a simple return template response does that work?

    2) This likely warrants a support case so we can see the full logs.

    3) You should also go into policy manager and view Help -> Manage Gateway Licenses and make sure that your licenses are not expired or provide those in the CA Support case you open.

     

    Thanks..



  • 3.  Re: CA API Gateway suddenly stopped responding for Get API Calls.
    Best Answer

    Posted Dec 28, 2017 05:59 PM

    Thanks for your response. The issue was due to Gateway (9.2.0) running out of resource (Memory, CPU). We got it increased to 8GB and 4 cpu.



  • 4.  Re: CA API Gateway suddenly stopped responding for Get API Calls.

    Broadcom Employee
    Posted Dec 29, 2017 08:22 AM

    Rudra, 

    Yeah that can do it. The ssg_log (full logs I mentioned in bullet 2) would have an indication of that. As well the sspc logs would show that its restarting it. The Gateway SSG has a parent process "process controller" sspc which monitors it and ensures its responsive. If it stops responding then it will restart it. If you are running 9.2 base you should also ensure,

    /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties file, please set the below:
    com.l7tech.server.policy.assertion. ServerHttpRoutingAssertion.statePool.enable=true