Layer7 API Management

  • 1.  Do private key changes require a gateway restart?

    Posted Jan 11, 2018 11:17 AM

    Hello,

    Do we need to restart the API gateway after a change in a private key? Earlier we used to restart the gateway when there was a change in the default SSL key. I looked at the new documentation and I don't see anything mentioned about a gateway restart.

    Reference: Private Key Properties - CA API Gateway - 9.2 - CA Technologies Documentation 

    There are multiple scenarios; below are some I could think of.

    1. Adding a new private key on routing assertion.

    2. Replacing an existing key.

    3. Replace Certificate Chain in Manage Private Keys properties.

    4. Mark as special purpose

    Thanks & regards,

    Anand Rudran



  • 2.  Re: Do private key changes require a gateway restart?
    Best Answer

    Broadcom Employee
    Posted Jan 11, 2018 05:24 PM

    Anand,

    The short answer to your specific question in regard to changing a key is yes, you need to restart the gateway, for 2 reasons.

    1. If you are changing a key, that means you are deleting the old key, and for the deletion to be recognized a restart is required.

    2. When creating the new key, if you configure the "Mark as special purpose" options on a new key, that also requires the nodes to be restarted.

    For scenario #1, adding a new private key to the route assertion does not require a restart if you are using a key that already exists, but if you are replacing a key during the process then it takes you back to scenario #2, replacing a key, which requires a restart.



  • 3.  Re: Do private key changes require a gateway restart?

    Posted Aug 01, 2018 04:13 AM

    Is it really required to have a restart of the gateway especially for scenario #3? Here we are using:

    - the existing private key, which means no deletion and re-creation is required

    - the same link and alias in the Routing Assertion, which will not be broken due to deletion of the key

    Yes, I can confirm that deleting a private key will break the link in the Routing Assertion ("Unrecognized") and re-creating it with the same alias will NOT automatically restore it.

    But if the renewal is done based on the existing key and just a "Replace Certificate Chain" is required, I would expect that no restart is required here and that the new certificate will be used automatically for any new connection.

    Can someone confirm this?

    And as Anand already asked, isn't there any official documentation and best practices available on how to handle such private key renewals?

    Thank you!

    Ciao Stefan



  • 4.  Re: Do private key changes require a gateway restart?

    Posted Aug 01, 2018 12:00 PM

    Hello Stefan,

    I tested scenario 3, and we had to perform a gateway restart after replacing the certificate chain.

    Regards,

    Anand
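
One way to check, node by node, whether a replaced certificate chain is actually being served on new connections. This is an added example, not code from the thread or from the Layer7 documentation. It assumes the key in question is bound to an HTTPS listener (such as the default SSL key); a key used only by a Routing Assertion is presented outbound and cannot be observed this way. Host names and the port are constructed sample values.

```python
import hashlib
import socket
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def fetch_leaf_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Open a fresh TLS connection and return the leaf certificate presented."""
    # Validation is off on purpose: the certificate is only read and compared
    # by fingerprint. Do not reuse this context for real traffic.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def rollout_report(nodes, old_der, new_der, fetch=fetch_leaf_der):
    """Map each 'host:port' to 'new', 'old', 'unexpected' or 'unreachable (...)'."""
    old_fp, new_fp = fingerprint(old_der), fingerprint(new_der)
    report = {}
    for host, port in nodes:
        name = f"{host}:{port}"
        try:
            served = fingerprint(fetch(host, port))
        except OSError as exc:  # refused, timed out, TLS handshake failure
            report[name] = f"unreachable ({type(exc).__name__})"
            continue
        report[name] = {new_fp: "new", old_fp: "old"}.get(served, "unexpected")
    return report

def not_on_new_cert(report):
    """Nodes that are not yet serving the new certificate."""
    return sorted(n for n, state in report.items() if state != "new")

if __name__ == "__main__":
    # Constructed stand-ins for the DER bytes of the old and new certificates;
    # in real use, read them from the certificate files and drop fetch=.
    OLD, NEW = b"constructed-old-cert", b"constructed-new-cert"
    served = {"gw-node1.example": NEW, "gw-node2.example": OLD}
    nodes = [(h, 8443) for h in served]  # port is a sample value
    report = rollout_report(nodes, OLD, NEW, fetch=lambda h, p: served[h])
    print(report, not_on_new_cert(report))
```

Run it once right after the chain replacement and again after any restart; a node reported as `old` is still presenting the previous certificate.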