Layer7 API Management

API Exposure over port 443

  • 1.  API Exposure over port 443

    Posted May 10, 2017 01:26 AM

    Hi,

    Can we expose APIs developed on Gateway at port 443 rather than 8443?

    Thanks,

    Sid



  • 2.  Re: API Exposure over port 443
    Best Answer



  • 3.  Re: API Exposure over port 443

    Posted May 18, 2017 09:16 AM

    Hi,

    I did all the settings mentioned in the document; however, it is still not working. Do we need to make some changes in the default config as well?

    Thanks,

    Siddharth



  • 4.  Re: API Exposure over port 443

    Broadcom Employee
    Posted May 18, 2017 10:53 AM

    Siddharth,

    When you make a change through the UI to add in the redirects, it creates dynamic firewall rules that do a redirect to the port. When you run the command "service iptables status | grep 443", your output should look like the following:
    27   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8443
    29   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9443
    3    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 redir ports 8443

    If the iptables service has been disabled, this will not function.

    Sincerely,

    Stephen Hughes

    Director, CA Support



  • 5.  Re: API Exposure over port 443

    Posted May 19, 2017 12:06 AM

    Getting this after running the command:

    29 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443
    31 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9443

     

    No mention of port 443. Do I need to add that entry manually? Please suggest.

     

    Thanks,

    Siddharth



  • 6.  Re: API Exposure over port 443

    Broadcom Employee
    Posted May 19, 2017 12:33 AM

    Siddharth,

    Please provide the version of the gateway, the form factor of the gateway (virtual, hardware, software, AWS, etc.), and also, if you can, the /etc/sysconfig/iptables file for review. The steps in the guide should be all that you need to get this to work across all nodes in the cluster.

    Sincerely,

    Stephen Hughes

    Director, CA Support



  • 7.  Re: API Exposure over port 443

    Posted May 19, 2017 12:46 AM

    Hi Stephen,

    Version: 9.0

    Form factor: Virtual Appliance

    iptables file: attached.



  • 8.  Re: API Exposure over port 443

    Posted May 19, 2017 12:49 AM

    Hi,

    iptables file has been attached to Support CASE#00745283.

    Thanks,

    Sid



  • 9.  Re: API Exposure over port 443

    Posted May 19, 2017 01:26 AM

    Hi,

    We added the following in the iptables file:

    -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

    and restarted iptables. It seems to be working. Thanks for your prompt suggestions. Please let me know if anything else needs to be added.

    Thanks,

    Siddharth
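
Added example, not part of any post in this thread and not CA/Broadcom tooling: a shell check for the 443 redirect that reads either the listing form shown in post 4 or the rules-file form shown in post 9. It also confirms that the redirect's target port has an ACCEPT rule, since the redirect rewrites the destination port in PREROUTING before the filter rules are evaluated. The function name `check_redirect` is hypothetical and the sample input is constructed from lines quoted in the thread.

```shell
#!/bin/sh
# check_redirect FILE [PORT]  (hypothetical helper, added example)
# FILE: saved `service iptables status` output or an iptables rules file.
# Returns 0 if PORT is redirected and the target port has an ACCEPT rule,
# 1 if no REDIRECT rule exists for PORT, 2 if the target has no ACCEPT rule.
check_redirect() {
    awk -v from="${2:-443}" '
    function after(key,   i) {      # field that follows "key" on this line
        for (i = 1; i < NF; i++) if ($i == key) return $(i + 1)
        return ""
    }
    function dport(   i) {          # "dpt:N" in a listing, "--dport N" in a file
        for (i = 1; i <= NF; i++) if ($i ~ /^dpt:/) return substr($i, 5)
        return after("--dport")
    }
    /^[ \t]*#/ { next }             # comment line in a rules file
    /REDIRECT/ && dport() == from { # exact port match, so 8443 never counts as 443
        t = after("ports")          # listing: "redir ports 8443"
        if (t == "") t = after("--to-ports")
        if (t != "") target = t
    }
    /ACCEPT/ { accepted[dport()] = 1 }
    END {
        if (target == "") { print "no REDIRECT rule for port " from; exit 1 }
        if (!(target in accepted)) {
            print "port " from " redirects to " target ", but " target " has no ACCEPT rule"
            exit 2
        }
        print "port " from " redirects to " target ", which is accepted"
    }' "$1"
}

# Constructed sample: the two-line listing from post 5 (no redirect yet).
sample=$(mktemp)
cat > "$sample" <<'EOF'
29 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443
31 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9443
EOF
check_redirect "$sample" || echo "check failed with status $?"
# Add the REDIRECT line from the expected output in post 4 and check again.
echo '3 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 8443' >> "$sample"
check_redirect "$sample" || echo "check failed with status $?"
rm -f "$sample"
```

The check does not distinguish tables or chains, so it only tells you whether matching rules are present somewhere in the input.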



  • 10.  Re: API Exposure over port 443

    Broadcom Employee
    Posted May 19, 2017 01:31 PM

    Siddharth,

    I've reviewed the iptables file that was uploaded in the case, and it is not a standard one delivered with any of our appliances, so that is why it is not working. We look for certain portions of the file and the order of the load to insert our rules, so the gateway is unable to add the rule dynamically. I would suggest that you add back in our default iptables file and use the Manage Firewall Rules through the Manage Listen Port interface. This will allow you to control it centrally through the Policy Manager or upload it through restman, and all nodes in the cluster would get them right away without having to touch the file.

    Sincerely,

    Stephen Hughes

    Director, CA Support



  • 11.  Re: API Exposure over port 443

    Posted May 22, 2017 12:24 AM

    Hi Stephen,

    We will surely check it. However, I couldn't find any document explaining why port 443 is not available by default for Gateway, whereas it is the default port for HTTPS exposure. Can there be some repercussions in terms of Gateway performance or security once we enable port 443?

    Thanks,

    Sid



  • 12.  Re: API Exposure over port 443

    Broadcom Employee
    Posted May 10, 2017 11:06 PM

    Hi,

    Usually there is a load balancer in front of the gateway cluster; exposing port 443 can be done on the LB.

    Regards,

    Mark