Layer7 API Management

  • 1.  How do I setup SSL for Gateway Management Client?

    Posted Jun 20, 2018 11:11 AM

    I want to use the gatewayManagementClient.sh script to manage a few things in our CA API Gateway (v9.2.0).  I have found the WS Management API page in the documentation and it provides some examples of using the ./gatewayManagementClient.sh script that makes use of the WS-Man interface (I followed the steps in Auto-Provisioning a Service to make it available).

    But when I execute the script I get the following error:  Server TSL/SSL certificate not trusted.  This is whether I am doing this on a remote machine or the gateway machine itself.

    I can create a csr and a signed cert from it.  My two questions right now are:

    1) How do I give the CA API Gateway the signed certificate so it knows to trust calls with the WS Management API?

    2) When I use the gatewayManagementClient.sh how do I associate my signed certificate with it?

    Is there some documentation I just haven't found that can help me through all this?

    EDIT:  I was misunderstanding what was happening here:  The CLIENT is not trusting the cert from the server.  So the real question is, how do I add an exception or create a trusted cert store on the client machine?  In the meantime I just turned off verification of the server.

    But now I just get a "Policy Falsified" error no matter what I send to the server (unless I take the server down...then I get connection refused, so my calls are at least getting to the server).  All I'm trying to do is make some non-invasive calls to learn how to use the client.  But even just asking it to enumerate types gives this error.  Is there some documentation or a lab or something to get you started?



  • 2.  Re: How do I setup SSL for Gateway Management Client?
    Best Answer

    Broadcom Employee
    Posted Jun 21, 2018 12:08 PM

    Good morning. From reviewing your post, the first thing that popped up is that the gateway migration utility should be using the Restman service, not the WS-Man, so you will need to publish the correct internal service. As for the other components, this link will help associate an administrator user to the certificate (https://docops.ca.com/ca-api-gateway/9-3/en/gateway-migration/configure-gmu-and-gateways-for-migration#ConfigureGMUandGatewaysforMigration-MapMigrationAdministratorstoGMUClientCertificate -> Map Migration Administrators to GMU Client Certificate section) and then how to use the certificate in the GMU commands (https://docops.ca.com/ca-api-gateway/9-3/en/gateway-migration/prepare-for-migrations/determine-security-for-migrations#DetermineSecurityforMigrations-MutualAuthentication -> Mutual Authentication section).

    For your update: The client side will need to have the certificate of the gateway or the trusted CA added to the Java truststore. Please review the Troubleshoot Migrations - CA API Gateway - 9.3 - CA Technologies Documentation section to review the error being seen.

    Sincerely,

    Stephen Hughes

    Director, CA Support
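
Added example (not part of the original posts or the vendor's documentation): one way to build the client-side Java truststore the reply above describes, rather than turning off server verification. It assumes the gateway or CA certificate is available as a PEM file, that its SHA-256 fingerprint was confirmed out of band, and that `openssl` and `keytool` are installed; the function names and the `TRUSTSTORE_PASS` variable are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: import the gateway (or CA) certificate
# into a dedicated truststore only after its fingerprint has been checked.

# Normalise a fingerprint: drop colons and spaces, upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# Print the normalised SHA-256 fingerprint of a PEM certificate file.
cert_fp() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    normalize_fp "${fp#*=}"    # strip the "sha256 Fingerprint=" label
}

# trust_gateway_cert PEM EXPECTED_FP TRUSTSTORE ALIAS
# Returns 1 on fingerprint mismatch, 2 on unusable input, else keytool's status.
trust_gateway_cert() {
    pem=$1; expected=$2; store=$3; cert_alias=$4
    actual=$(cert_fp "$pem") || { echo "cannot parse $pem" >&2; return 2; }
    if [ "$actual" != "$(normalize_fp "$expected")" ]; then
        echo "fingerprint mismatch, not importing $pem" >&2
        return 1
    fi
    # The store password is read from the environment so it does not
    # appear in the process list (TRUSTSTORE_PASS must be exported).
    [ -n "${TRUSTSTORE_PASS:-}" ] || { echo "export TRUSTSTORE_PASS first" >&2; return 2; }
    keytool -importcert -noprompt -trustcacerts \
        -alias "$cert_alias" -file "$pem" \
        -keystore "$store" -storepass:env TRUSTSTORE_PASS
}

# Run directly as: script.sh gateway.pem 'AB:CD:...' client-truststore.jks gateway
if [ "$#" -eq 4 ]; then
    trust_gateway_cert "$@"
fi
```

The client JVM can then be pointed at the store with the standard `javax.net.ssl.trustStore` and `javax.net.ssl.trustStorePassword` system properties; how gatewayManagementClient.sh accepts JVM options is not stated in this thread.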



  • 3.  Re: How do I setup SSL for Gateway Management Client?

    Posted Jul 18, 2018 09:58 AM

    I did get this working.  I am not trying to use the migration utility.  I'm trying to use the WS Management API.  I found two things:

    1) You can just deploy the wsman and restman services from the Policy Manager through Tasks->Services and APIs->Publish Internal Service.  From there you can just publish both services.  You do need both for the gatewayManagementClient.sh tool to work.

    2) I think that when I was trying to load the services from the command line by following the instructions, I probably just had incorrect permissions on the directory it tells you to create.  That's just a hunch, though.

    But no matter...I have it working now.