Layer7 API Management


Secure virtual appliance MySQL DB connections?

  • 1.  Secure virtual appliance MySQL DB connections?

    Posted Dec 12, 2017 10:29 AM

    We are working on deploying the API GW for the first time. It's using the Virtual Appliance with the CA-provided MySQL database.

    What was found is that SSL is NOT enabled in their database. With a requirement to have secure traffic, this is a pretty big issue for us, especially when data going out to multiple data centers is over the internet.

    Has anyone else run into this? Or have recommendations on mitigations for not having a properly secured TLS implementation for the databases?

    I'm a pretty big database newb, so we were relying on the deployed one from CA, hoping to have to do minimal configs. Just keep that in mind with any recommendations... My personal knowledge of MySQL is about 1/10 lol.



  • 2.  Re: Secure virtual appliance MySQL DB connections?

    Posted Dec 12, 2017 10:50 AM

    Hi,

    You can enable SSL when installing/upgrading the Gateway Database. Here are the instructions on enabling SSL in MySQL.

    https://docops.ca.com/ca-api-gateway/9-1/en/install-configure-upgrade/configure-the-appliance-gateway/gateway-configuration-menu-appliance

    Hope this helps

    Thanks

    Abs



  • 3.  Re: Secure virtual appliance MySQL DB connections?

    Posted Dec 12, 2017 11:03 AM

    I must be missing something because I don't see where to set up the MySQL for SSL in the instructions. Generate the SSL for the cluster, but that's not applied to the MySQL DB?



  • 4.  Re: Secure virtual appliance MySQL DB connections?

    Posted Dec 12, 2017 01:15 PM

    @CBertagnolli
    The Gateway does not support an SSL DB connection to its database.
    Kemal



  • 5.  Re: Secure virtual appliance MySQL DB connections?

    Posted Dec 12, 2017 01:27 PM

    So CA has no recommendation on mitigations? This is a show stopper from a security standpoint and I don't see how we could use it for replications etc. across networks.

    Throwing unencrypted traffic across systems is just not allowed.



  • 6.  Re: Secure virtual appliance MySQL DB connections?
    Best Answer

    Broadcom Employee
    Posted Dec 12, 2017 02:13 PM

    Chris,

    I would suggest, if you haven't already, opening a support case on this question. Besides giving the details of what you are trying to accomplish, reference DE207887, and let them know it's a show stopper for you.
    That way we can either engage engineering to see if we can provide a detailed, tested process, or, if it's deemed an enhancement (since there is really no documentation or out-of-the-box way to implement this), it might require a Communities idea. (I would likely say to open the idea regardless, as well as the support case.)

    Thanks.



  • 7.  Re: Secure virtual appliance MySQL DB connections?

    Posted Dec 13, 2017 11:35 AM

    We got a sev 2 ticket and escalated to our CA account guys. I



  • 8.  Re: Secure virtual appliance MySQL DB connections?

    Posted Dec 14, 2017 04:54 PM

    Got some instructions from CA support on setting up the SSL. Going through that and will see how it goes.



  • 9.  Re: Secure virtual appliance MySQL DB connections?

    Posted Dec 19, 2017 01:39 PM

    So we enabled the TLS per CA Support's instructions, and it worked. Of course it's MySQL 5.5 and only supports TLSv1.0, which is bad too.

    Man, kind of regretting going with the Virtual Appliance. Would have been better to go with software gateway + standing up our own database.
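
Checking the outcome described in post 9 (TLS enabled, but only TLSv1.0): the following is an added example, not part of any post in this thread and not CA Support's instructions. It interprets the output of two standard MySQL statements, `SHOW SESSION STATUS LIKE 'Ssl_%'` and `SHOW SLAVE STATUS\G`; the function names, host name and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example; sample inputs below are constructed, not taken from a Gateway.

# stdin: tab-separated rows from
#   mysql --batch --skip-column-names -e "SHOW SESSION STATUS LIKE 'Ssl_%'"
# stdout: PLAINTEXT, WEAK:<version> or OK:<version>
session_tls_verdict() {
    awk -F '\t' '
        $1 == "Ssl_cipher"  { cipher = $2 }
        $1 == "Ssl_version" { version = $2 }
        END {
            # An empty Ssl_cipher means this session is not encrypted.
            if (cipher == "") { print "PLAINTEXT"; exit }
            # SSLv2/3, TLSv1 (i.e. TLS 1.0) and TLSv1.1 are flagged.
            if (version ~ /^(SSLv[23]|TLSv1(\.[01])?)$/) print "WEAK:" version
            else print "OK:" version
        }'
}

# stdin: output of  mysql -e "SHOW SLAVE STATUS\G"  on a replica
# stdout: "<master host>: SSL_CONFIGURED" or "<master host>: PLAINTEXT"
# Master_SSL_Allowed reflects the replica's configuration only, so also run
# the session check above from the replica host to confirm the handshake.
replication_tls_verdict() {
    awk -F ': *' '
        { key = $1; sub(/^ +/, "", key) }
        key == "Master_Host"        { host = $2 }
        key == "Master_SSL_Allowed" { allowed = $2 }
        END { print host ": " (allowed == "Yes" ? "SSL_CONFIGURED" : "PLAINTEXT") }'
}

# Constructed samples (host name and cipher are placeholders).
SAMPLE_SESSION=$(printf 'Ssl_cipher\tDHE-RSA-AES256-SHA\nSsl_version\tTLSv1\n')
SAMPLE_SLAVE=$(printf '  Master_Host: db2.example.internal\n  Master_SSL_Allowed: Yes\n')

printf '%s\n' "$SAMPLE_SESSION" | session_tls_verdict
printf '%s\n' "$SAMPLE_SLAVE"   | replication_tls_verdict
```

On a live system, pipe the real `mysql` output into the two functions instead of the samples; a `WEAK:` result corresponds to the TLSv1.0 limitation noted above.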



  • 10.  Re: Secure virtual appliance MySQL DB connections?

    Posted Dec 21, 2017 01:28 PM

    Hi Chris,

    Further to our support case I created a Communities Document to outline the MySQL SSL configuration instructions for Gateway Clusters. I'll be working on a KB article for this as well. In the meantime our Security Team is also reviewing how we will handle MySQL SSL moving forward insofar as support and documentation.

    Configure MySQL Replication to use SSL

    Regards,

    Kevin Russell

    Support Engineer, Global Customer Success 

    Email: CATechnicalSupport@ca.com 

    Phone: +1 800 225 5224 

    Outside of North America - ca.com/us/worldwide.aspx 

    CA API Management Community: ca.com/talkapi



  • 11.  Re: Secure virtual appliance MySQL DB connections?

    Posted Dec 21, 2017 02:18 PM

    Awesome, thank you. Steps were very clear and easy to follow. Definitely appreciate the quick response from CA!



  • 12.  Re: Secure virtual appliance MySQL DB connections?

    Posted May 23, 2018 10:22 AM

    Hi Kevin,

    I am also looking for the actual instructions to enable SSL with the gateway ssg db by updating the node.properties file. Do you have any information regarding this?

    Also, I am auto-provisioning a gateway node using the headless configuration script as documented in Auto-Provision a Gateway Node - CA API Gateway - 9.3 - CA Technologies Documentation, but I don't see settings to use SSL in the sample headless config create template properties file. I am using an AWS RDS MySQL database for this deployment and SSL is turned on for the RDS instance.

    Do you have any details about enabling SSL and connecting to the gateway SSG DB?