Unable to connect to Policy Manager after upgrade from 7.x series to 9.1 or 9.2 due to Listen Port Cipher Suite Issue

Document ID : KB000005318
Last Modified Date : 14/02/2018
Issue:

Policy Manager cannot connect after a CA API Gateway appliance is upgraded from version 7.x to version 9.1 or 9.2. Initial investigation shows the Gateway in a running status and the SSPC logs indicating that the processController started.

---------------------------------------------------------------------- 
CA API Gateway Status 
---------------------------------------------------------------------- 

Configuration: 
Node Status = RUNNING 
Node Status Timestamp = 2017-01-16 12:02:01 
Node Status Since = 2017-01-16 11:41:27 

SSPC Logs:

2017-01-16T11:40:51.931-0600 INFO 1 com.l7tech.server.processcontroller.ProcessController: /opt/SecureSpan/Gateway/node/default/var/processControllerPort does not exist yet, will try default port 
2017-01-16T11:40:56.946-0600 INFO 1 com.l7tech.server.processcontroller.ProcessController: /opt/SecureSpan/Gateway/node/default/var/processControllerPort does not exist yet, will try default port 
2017-01-16T11:41:01.967-0600 INFO 1 com.l7tech.server.processcontroller.ProcessController: /opt/SecureSpan/Gateway/node/default/var/processControllerPort does not exist yet, will try default port 
2017-01-16T11:41:06.982-0600 INFO 1 com.l7tech.server.processcontroller.ProcessController: /opt/SecureSpan/Gateway/node/default/var/processControllerPort does not exist yet, will try default port 
2017-01-16T11:41:11.996-0600 INFO 1 com.l7tech.server.processcontroller.ProcessController: /opt/SecureSpan/Gateway/node/default/var/processControllerPort does not exist yet, will try default port 
2017-01-16T11:41:17.016-0600 INFO 1 com.l7tech.server.processcontroller.ProcessController: /opt/SecureSpan/Gateway/node/default/var/processControllerPort does not exist yet, will try default port 
2017-01-16T11:41:22.031-0600 INFO 1 com.l7tech.server.processcontroller.ProcessController: /opt/SecureSpan/Gateway/node/default/var/processControllerPort does not exist yet, will try default port 
2017-01-16T11:41:27.046-0600 INFO 1 com.l7tech.server.processcontroller.ProcessController: Getting API port from /opt/SecureSpan/Gateway/node/default/var/processControllerPort 
2017-01-16T11:41:27.839-0600 INFO 1 com.l7tech.server.processcontroller.q: default started successfully 
2017-01-16T11:41:27.839-0600 INFO 1 com.l7tech.server.processcontroller.ProcessController: default started 

Cause:

Ports 8443 and 9443, required for software and web client access respectively, have not started correctly because deprecated cipher suites were enabled while running CA API Gateway version 7.x.

Resolution:

Manually update the supported cipher suites via the commands below:

  1. mysql ssg -e 'update connector_property set value="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" where name="cipherList"'

  2. service ssg restart
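
The update in step 1 has no per-connector filter, so it rewrites every cipherList row. The following is an added example, not part of the original article or of CA's tooling, that lists which suites each existing row would lose before the update is run. The function names and the sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit connector cipherList values before the blanket UPDATE.
# KB_LIST is the replacement list copied from step 1 of the Resolution.
KB_LIST="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"

# Print, one per line, every suite in the comma-separated list $1 that is
# absent from KB_LIST, i.e. a suite the UPDATE will remove from that row.
dropped_suites() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r suite; do
        suite=$(printf '%s' "$suite" | tr -d '[:space:]')
        [ -n "$suite" ] || continue
        case ",$KB_LIST," in
            *",$suite,"*) ;;                 # kept by the update
            *) printf '%s\n' "$suite" ;;     # not in the KB list
        esac
    done
}

# Read one cipherList value per line on stdin and report on each row.
# Returns 0 when no row contains a suite outside KB_LIST, 1 otherwise.
audit_rows() {
    row=0 changed=0
    while IFS= read -r value; do
        row=$((row + 1))
        dropped=$(dropped_suites "$value" | tr '\n' ' ' | sed 's/ $//')
        if [ -n "$dropped" ]; then
            changed=1
            printf 'row %d: will drop %s\n' "$row" "$dropped"
        else
            printf 'row %d: no suites outside the KB list\n' "$row"
        fi
    done
    return "$changed"
}

# Constructed sample rows (not taken from a real gateway). On the appliance,
# feed the live values instead:
#   mysql -N -B ssg -e 'select value from connector_property where name="cipherList"' | audit_rows
audit_rows <<'EOF' || true
SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
EOF
```

Saving the output of the same select to a file before step 1 gives a record of the previous values if a connector needs to be restored.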