During enrollment of a Tenant Gateway to a SaaS API Portal enrollment fails and results in a 'Unable to enroll: RESTMAN' error. In particular the error will cite a 'UniqueKeyConflict' as seen below:
Unable to enroll: RESTMAN failed with result=<class com.l7tech.policy.assertion.AssertionStatus: 0=FINE:No Error> httpStatus=409: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<l7:Mapping action="NewOrExisting" errorType="UniqueKeyConflict" srcId="72f4f7b3163310e735f460b5daba111d" type="TRUSTED_CERT">
<l7:StringValue>(thumbprintSha1) must be unique</l7:StringValue>
CA API Gateway 9.X
CA API Management SaaS Portal
Gateway cleanup will be required to ensure the conflicting certificates are not present during enrollment.
To Clean up the API Gateway:
- In the Policy Manager, log in to the Gateway as a Gateway administrator.
- On the Tasks menu, click Certificates, Keys and Secrets and Manage Certificates. Use the dialog to remove the apim-ssg (subject DN will contain a wildcard), PSSG and DSSG certificates. Note: Do not delete the API Gateway’s self-signed SSL certificate (Subject DN = hostname-ssg.dev.ca.com).
- On the Tasks menu, click Certificates, Keys and Secrets and Manage Private Keys. Use the dialog to remove the portalman private key.
- On the Tasks menu, click Global Settings and Manage Scheduled Tasks. Use the dialog to remove the following tasks:
- Portal Sync Application
- Portal Sync API
- Portal Tenant Sync Policy Template
- Portal Sync Account Plan
- Portal Bulk Sync Application
- Portal Check Bundle Version
- Delete Portal Entities
- Move Metrics Data Off Box Task
- Portal Sync SSO Configuration
- On the Tasks menu, click Global Settings and Manage Cluster-wide Properties. Use the dialog to remove all properties that begin with portal.
Restart Gateway service.
To Enroll the Portal:
- Log in to the API Portal as an API Portal administrator.
- On the navigation bar, open the Settings menu and click API Proxy.
- On the API Proxy page, click Add Proxy to add new API proxy, enter a different name, and click Create.
- Copy the enrollment URL.
- Connect to the API Gateway with the Policy Manager.
- In the Policy Manager, click Tasks on the top menu bar.
- On the menu, click Extensions and Add-Ons, Enroll with Portal.
- Paste the enrollment URL in the Enroll with SaaS Portal window.
- On the API Proxy page, delete the old API proxy which is enrolled with the same API gateway.