Removing an existing Enterprise Service Manager certificate from a Gateway cluster

Document ID : KB000057629
Last Modified Date : 14/02/2018

Solution

Background

The Layer 7 Gateway requires an explicit one-to-one trust relationship between itself and the Enterprise Service Manager (ESM). A Gateway can only be managed remotely by one instance of ESM at any given point in time. The certificate for the Enterprise Service Manager will eventually expire and need to be replaced. Once the trusted certificate is replaced on the ESM console, the new trusted certificate will need to be added to the Gateway. The Gateway will not automatically remove the previous (now expired) certificate without operator intervention, and attempts to remove it manually may result in an error stating that the certificate is currently in use.

Presentation

The following error messages or audit records may be generated when attempting to configure trust between an instance of ESM and a Gateway node or cluster that is already configured to be managed by a different instance of ESM:

  • The specified ESM ID has already been registered with a different ESM certificate.
  • Unable to establish ESM trust: Specified ESM certificate does not match the previously-known certificate for the specified ESM ID

Resolution

The certificate is used by the Manage ESM User Mappings task. In order to remove the certificate from the trust store, the existing user mapping must be removed first. Perform the following steps to remove the existing user mapping and the (expired) trusted certificate:
  1. Log into the Layer 7 Policy Manager as an administrative user.
  2. Select "Manage ESM User Mappings" from the Tasks menu.
  3. Select the desired ESM ID.
  4. Click "Remove Registration".
  5. Close the dialog.
  6. Select "Manage Certificates" from the Tasks menu.
  7. Select the preexisting certificate.
  8. Click "Remove".
At this point, the Gateway will accept a new trusted certificate, and user mapping can proceed.