Layer7 API Management


Changing default SSL certificate on gateway creation

  • 1.  Changing default SSL certificate on gateway creation

    Posted May 07, 2019 04:44 PM

    How would I go about changing the "Default SSL Key" from the default self-signed SSL private key to another key upon creation of a gateway without having to restart it for the changes to go into effect? I tried importing a new private key marked as the "Default SSL Key" and deleting the self-signed SSL key in a bundle file while the gateway was being built; however, it required restarting the gateway for the changes to go into effect. Is there a Gateway System Property where the default self-signed SSL certificate can be changed to use a different default certificate upon creation of a gateway?



  • 2.  Re: Changing default SSL certificate on gateway creation
    Best Answer

    Broadcom Employee
    Posted May 07, 2019 06:24 PM

    Dear zasche,

    Restarting the gateway is a "must" step for the change of the default SSL key to take effect.

    Regards,

    Mark



  • 3.  RE: Re: Changing default SSL certificate on gateway creation

    Posted Jul 05, 2019 11:32 AM
    Hello Zhijun,

    I accidentally enabled the Make Default SSL Key setting on another private key that I have in the gateway. Due to this, I'm unable to log in to the Policy Manager through port 9443 and I am currently blocked from working on the gateway.
    Can you please help reset the default SSL key to its original? Attaching a screenshot that I get on the Policy Manager while logging in.

    Thanks,
    Chaya.


  • 4.  RE: Re: Changing default SSL certificate on gateway creation

    Broadcom Employee
    Posted Jul 07, 2019 07:09 PM
    Dear Chaya Pothuraju,
    Changing the default private key should not stop the SSL connection between the Policy Manager and the gateway.
    Did you restart the gateway? Is it up and running fine?
    You may ssh/putty to the gateway server to check its current status.

    Regards,
    Mark


  • 5.  RE: Re: Changing default SSL certificate on gateway creation

    Posted Jul 08, 2019 10:26 AM
    Hello Zhijun,

    Thank you for your reply.
    I have restarted the server and am still facing the same issue while connecting to the Policy Manager. However, I'm able to use Putty to SSH into the server and it is working fine.
    Also, I came across an article that I believe is the issue that needs to be resolved.

    WARNING: Do not use the default CA key to also be the default SSL key. Doing so causes the Policy Manager to fail to connect to the CA API Gateway.

    Currently, due to the change, the Gateway server is returning a CA-signed cert on an SSL connection instead of the self-signed certificate that existed earlier. Attaching a screenshot with the prompt that displays while logging in.
    So, will creating a self-signed certificate and deploying it onto the gateway server through the command line fix this issue?
    If not, kindly suggest any alternatives.

    Thanks,
    Chaya.


  • 6.  RE: Re: Changing default SSL certificate on gateway creation

    Broadcom Employee
    Posted Jul 08, 2019 09:29 PM
    As I said, changing the default private key should not stop the SSL connection between the Policy Manager and the gateway.
    The warning message in your screenshot just indicates that the hostname you used to log in to the gateway doesn't match the hostname (CN) of the certificate. It's just a warning; you can click the OK button to continue logging in to the gateway.

    Regards,
    Mark


  • 7.  RE: Re: Changing default SSL certificate on gateway creation

    Posted Jul 09, 2019 09:46 AM
    Hello Zhijun,

    On clicking the OK button, it throws an error to contact the network administrator. Attaching the screenshot with this reply.
    I guess there is some setting which can be tweaked to ignore this issue. Can you kindly help?

    Thanks,
    Chaya.


  • 8.  RE: Re: Changing default SSL certificate on gateway creation

    Broadcom Employee
    Posted Jul 09, 2019 09:32 PM
    This is another problem (not related to the private key/certificate).
    It's because "Policy Manager Access" is disabled on the port.
    As shown in the screenshot, please ensure the "Policy Manager Access" option is checked on the port your Policy Manager uses to connect to the gateway.

    Regards,
    Mark


  • 9.  RE: Re: Changing default SSL certificate on gateway creation

    Posted Jul 10, 2019 01:29 PM
    Hello Zhijun,

    Thank you for your suggestion.
    I am unable to access the Listen Port Properties popup as the Policy Manager isn't logging into the Gateway server. (Attached the screenshot.)
    Currently, I am trying with ports 8443 and 9443, which are throwing the same exceptions.

    Since I have access to the server via Putty, is there a way to turn the flag on from the Gateway's server directly?

    Thanks,
    Chaya.


  • 10.  RE: Re: Changing default SSL certificate on gateway creation

    Broadcom Employee
    Posted Jul 10, 2019 07:56 PM
    It doesn't make sense, as the Policy Manager cannot change the port it is currently logged in on, so the port of the last successful login should have the right permission.

    We don't recommend updating the database manually. If you want to continue, please open a support ticket.


  • 11.  RE: Re: Changing default SSL certificate on gateway creation

    Posted Jul 17, 2019 10:55 AM
    Hello Zhijun,

    I normally use port 9443 to connect to the API gateway.
    Now that I can't use ports 9443 and 8443, can I use any other ports to connect to the gateway server?

    Thanks,
    Chaya.


  • 12.  RE: Re: Changing default SSL certificate on gateway creation

    Broadcom Employee
    Posted Jul 21, 2019 08:29 PM
    Hello Chaya Pothuraju,
    It may need some kind of data recovery on the database. Please open a support ticket for that.

    Regards,
    Mark