Portal Enrollment fails due to 'UniqueKeyConflict' Certificate error

Document ID : KB000107541
Last Modified Date : 27/09/2018
Issue:
During enrollment of a Tenant Gateway to a SaaS API Portal, enrollment fails with an 'Unable to enroll: RESTMAN' error. The error cites a 'UniqueKeyConflict', as shown below:
Unable to enroll: RESTMAN failed with result=<class com.l7tech.policy.assertion.AssertionStatus: 0=FINE:No Error> httpStatus=409: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>

            <l7:Mapping action="NewOrExisting" errorType="UniqueKeyConflict" srcId="72f4f7b3163310e735f460b5daba111d" type="TRUSTED_CERT">
                <l7:Properties>
                    <l7:Property key="ErrorMessage">
                        <l7:StringValue>(thumbprintSha1)  must be unique</l7:StringValue>
                    </l7:Property>
                </l7:Properties>
            </l7:Mapping>
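When triaging a failed enrollment, it helps to pull the conflicting entity type, source ID and unique field out of this message before starting cleanup. The following is an added example, not CA's code; the function name `parse_enroll_conflicts`, the placeholder namespace URI and the cleanup hint table are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Error text copied from the Issue section above (indentation condensed).
SAMPLE = (
    'Unable to enroll: RESTMAN failed with result=<class '
    'com.l7tech.policy.assertion.AssertionStatus: 0=FINE:No Error> httpStatus=409: '
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<l7:Mapping action="NewOrExisting" errorType="UniqueKeyConflict" '
    'srcId="72f4f7b3163310e735f460b5daba111d" type="TRUSTED_CERT">\n'
    '<l7:Properties><l7:Property key="ErrorMessage">\n'
    '<l7:StringValue>(thumbprintSha1)  must be unique</l7:StringValue>\n'
    '</l7:Property></l7:Properties></l7:Mapping>')

# One Mapping element, either self-closed or with child elements.
MAPPING_RE = re.compile(
    r"<l7:Mapping\b[^>]*?/>|<l7:Mapping\b[^>]*>.*?</l7:Mapping>", re.DOTALL)
# Only the entity type seen on this page is mapped to a cleanup dialog.
CLEANUP_HINT = {"TRUSTED_CERT": "Certificates, Keys and Secrets > Manage Certificates"}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the '{namespace}' part of a tag

def parse_enroll_conflicts(message):
    """Return one dict per failed Mapping in a RESTMAN enrollment error."""
    status = re.search(r"httpStatus=(\d+)", message)
    conflicts = []
    for frag in MAPPING_RE.findall(message):
        # Assumption: the logged fragment lacks xmlns:l7, so bind a placeholder URI.
        mapping = ET.fromstring(f'<r xmlns:l7="urn:example:placeholder">{frag}</r>')[0]
        if not mapping.get("errorType"):
            continue  # this mapping applied without error
        text = ""
        for prop in mapping.iter():
            if _local(prop.tag) == "Property" and prop.get("key") == "ErrorMessage":
                text = " ".join("".join(prop.itertext()).split())
        field = re.match(r"\((\w+)\)", text)
        conflicts.append({
            "http_status": int(status.group(1)) if status else None,
            "type": mapping.get("type"),
            "src_id": mapping.get("srcId"),
            "error_type": mapping.get("errorType"),
            "field": field.group(1) if field else None,
            "message": text,
            "cleanup": CLEANUP_HINT.get(mapping.get("type"), "unmapped entity type"),
        })
    return conflicts
```

Calling `parse_enroll_conflicts(SAMPLE)` returns a single entry for the `TRUSTED_CERT` mapping with `field` set to `thumbprintSha1`.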
Environment:
CA API Gateway 9.X
CA API Management SaaS Portal
Resolution:

Gateway cleanup will be required to ensure the conflicting certificates are not present during enrollment.

To Clean up the API Gateway:

  1. In the Policy Manager, log in to the Gateway as a Gateway administrator.
  2. On the Tasks menu, click Certificates, Keys and Secrets and Manage Certificates. Use the dialog to remove the apim-ssg (subject DN will contain a wildcard), PSSG and DSSG certificates. Note: Do not delete the API Gateway’s self-signed SSL certificate (Subject DN = hostname-ssg.dev.ca.com). Make sure to back up (export) the wildcard certificate before removing it. In most cases it should repopulate automatically, but if anything goes wrong it is best to have a backup.
  3. On the Tasks menu, click Certificates, Keys and Secrets and Manage Private Keys. Use the dialog to remove the portalman private key.
  4. On the Tasks menu, click Global Settings and Manage Scheduled Tasks. Use the dialog to remove the following tasks:
    • Portal Sync Application 
    • Portal Sync API 
    • Portal Tenant Sync Policy Template 
    • Portal Sync Account Plan 
    • Portal Bulk Sync Application 
    • Portal Check Bundle Version 
    • Delete Portal Entities 
    • Move Metrics Data Off Box Task 
    • Portal Sync SSO Configuration
  5. On the Tasks menu, click Global Settings and Manage Cluster-wide Properties. Use the dialog to remove all properties that begin with portal.

To Enroll the Portal:

  1. Log in to the API Portal as an API Portal administrator.
  2. On the navigation bar, open the Settings menu and click API Proxy.
  3. On the API Proxy page, click Add Proxy to add a new API proxy, enter a different name, and click Create.
  4. Copy the enrollment URL. 
  5. Connect to the API Gateway with the Policy Manager.
  6. In the Policy Manager, click Tasks on the top menu bar. 
  7. On the menu, click Extensions and Add-Ons, then Enroll with Portal.
  8. Paste the enrollment URL in the Enroll with SaaS Portal window. 
  9. On the API Proxy page, delete the old API proxy which is enrolled with the same API gateway.