Layer7 API Management


Change CA API Gateway port from 8443 to 443

  • 1.  Change CA API Gateway port from 8443 to 443

    Posted Sep 05, 2018 04:47 PM

    We're trying to change the default listening ports of the CA API Gateway from 8443 to 443 following this guide:

    CA API Gateway: Configure Gateway to Accept Traffi - CA Knowledge 

     

    But when we navigate through the sample pages of the appliance, such as the OAuth Client and the OAuth Manager, they go back to 8443.

     

    What is your recommendation about this?

    Is there another way to do it without going to every policy and changing the hard-coded 8443?

     

    Thanks in advance.



  • 2.  Re: Change CA API Gateway port from 8443 to 443

    Posted Sep 05, 2018 05:13 PM

    Hello,

     

    For OAuth policies on the Gateway, they should be typically pointing to localhost on 8443, so the traffic generated in those policies won't even go through the firewall rules or outside of the appliance, they'll stay local.

     

    Can you please clarify if you're experiencing an issue specifically with the OAuth policies when going over 8443, or are you just thinking you'll need to change 8443 to 443 proactively?



  • 3.  Re: Change CA API Gateway port from 8443 to 443

    Posted Sep 06, 2018 09:58 AM

    Hello Dustin,

    At this time we are experiencing this just with the OAuth policies, let me show you what happens with the OAuth Manager:

    These are the firewall rules configured as the guide suggested:

    [Screenshot: Firewall Rules]

     

    Then we are able to access to the OAuth Manager through port 443:

    [Screenshot: OAuth Manager]

     

    But when we login, we are redirected to 8443 again:

    [Screenshot: OAuth Manager Main Page]

     

    So, the question is: what is your recommendation about this behavior? Which are the best practices?

     

    Thanks in advance!



  • 4.  Re: Change CA API Gateway port from 8443 to 443

    Broadcom Employee
    Posted Sep 06, 2018 10:10 AM

    Hi Hugo,

     

    I think the option at this point is unfortunately the one you wanted to avoid, changing of the hard-coded ports.

    This can be changed following the below.

     

    Set an Alternative HTTPS Port - CA API Management OAuth Toolkit - 4.3 - CA Technologies Documentation 

     

    Regards,

    Joe



  • 5.  Re: Change CA API Gateway port from 8443 to 443

    Posted Sep 07, 2018 12:02 PM

    We followed the instructions and configured the mentioned policies. When we go to the OAuth 2 test client, we could not obtain a token. We could see the following error in the logs:

     

    Problem routing to https://magprueba.***.com.ar/auth/oauth/v2/token. Error msg: Unable to obtain HTTP response from https://magprueba.***.com.ar/auth/oauth/v2/token: Connection to https://magprueba.tecnopro.com.ar refused. Caused by: Connection refused (Connection refused)

     

    The URL is OK, but the API Gateway is trying to connect to localhost on port 443.

    If we see the ports opened in the API Gateway:

     

    [root@magprueba ~]# netstat -na | grep 443
    tcp        0      0 0.0.0.0:9443                0.0.0.0:*                   LISTEN
    tcp        0      0 0.0.0.0:8443                0.0.0.0:*                   LISTEN
    tcp        0      0 10.4.1.221:8443             10.2.1.159:63155            ESTABLISHED

     

    So, after the configuration the API Gateway is trying to connect itself to localhost:443 and that port is not opened.

    We tried from the root shell to NAT local traffic from 8443 to 443.

    We run the following command:

     

     iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:8443

     

    After inserting the NAT firewall rule, OAuth works OK!

     

    We did not use "Advanced Firewall Rules" from the "Policy Manager" because it does not allow creating that rule.

    We also tried to change the "Default HTTPS Port" in "Manage Listen Ports", but Policy Manager shows the following error: "The port field must be a number between 1025 and 65535".

     

    Do you think that the config with the NAT is ok?

    Is there another configuration to do?



  • 6.  Re: Change CA API Gateway port from 8443 to 443

    Posted Oct 02, 2018 12:32 PM

    The Advanced Firewall Rules in Policy Manager will certainly allow the redirect of 443, so if you aren't able to do that then it sounds like you may have the software Gateway form factor rather than the appliance. The Advanced Firewall Rules only apply to the appliance. In the software form factor, it is the Linux administrator's responsibility to edit iptables or other firewall software rules to apply the redirect. Since you had to add it manually, it sounds like the software form factor is in use, in which case this is all expected behaviour for the firewall rules part. You can see this related note in the documentation here by the way: Manage Firewall Rules - CA API Gateway - 9.3 - CA Technologies Documentation



  • 7.  Re: Change CA API Gateway port from 8443 to 443

    Posted Sep 10, 2018 10:19 AM

    I think I'm missing something... is there an actual problem with it redirecting to 8443 after the initial login screen? From your screenshots, it looks like it's loading correctly.

     

    I'm wanting to sort out if we have a use-case which we need to account for in the future for the product or if this is more of a unique want as opposed to an actual problem/bug with the product configuration parameters.



  • 8.  Re: Change CA API Gateway port from 8443 to 443

    Broadcom Employee
    Posted Sep 07, 2018 03:06 PM

    Just quick comment here. Tech Docs is following this thread and we will incorporate any changes necessary to the existing procedure.

     

    The KB article instructions (using the firewall to redirect) and the "Set an Alternate HTTPS port" instructions (changing the default port number in policies) are mutually exclusive. That is, you do either one or the other.



  • 9.  Re: Change CA API Gateway port from 8443 to 443

    Posted Sep 24, 2018 10:51 AM

    We have a software gateway. We use the SaaS Developer portal. All latest versions. Gateway runs at 8443 behind a load balancer listening on 443. Portal sees gateway (it calls it a proxy) on 8443, so API Explorer sends to 8443. That obviously fails. How do we make this work? Software gateways rely on Linux firewall rules for NAT. There is no advanced gateway as on the appliance. That doesn't help. Policy Manager won't let me change the port to one below 1024. I can't run the gateway on 443 and can't seem to let the portal know the gateway is not at 8443.



  • 10.  Re: Change CA API Gateway port from 8443 to 443

    Posted Sep 27, 2018 06:01 PM

    Michael,

     

    This is a bit of a different topic from the original one so this may be better asked stand-alone, but here are my initial thoughts:

     

    • If you have a load balancer fronting the API Gateways, then I believe you should have configured your Portal to integrate with the Gateway via the VIP of the load balancer and its port number. I can't say I've tried this, my interactions have all been without a load balancer in between, but I believe this should work. Because when there is a VIP in front of the Gateway nodes, then that is the sort of "front-facing" hostname to use for anything needing to ultimately connect to the Gateway nodes.
    • Policy Manager won't let lower-level port numbers be assigned, but this is where you can use firewall rules to achieve the redirects from 443 to 8443. On an appliance, you'd use the firewall rules via Policy Manager, which makes everything easier to do. In a software Gateway form factor, setting the firewall rules is up to the admin of the machine, but the same firewall rules can still apply at that level too to redirect 443 to 8443. Here's an example I found via Google which can help redirect 443 to 8443 in iptables: frickjack: iptables NAT port forward 443 (https) to 8443
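An added example (mine, not code from the thread or from CA/Broadcom documentation) that puts together the two iptables rules discussed in this thread for a software-form-factor Gateway: the inbound 443-to-8443 redirect referred to in the post above and the loopback OUTPUT rule from post 5, plus a check against the netstat listing from post 5 before anything is applied. The interface name eth0 and the ports are assumptions, and the rules are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread or from CA/Broadcom documentation: the two
# iptables NAT rules a software-form-factor Gateway host needs so that clients
# use 443 while the Gateway itself keeps listening on 8443 (Policy Manager
# refuses ports below 1025). Interface name and ports are assumptions; the
# rules are only printed unless APPLY=1 is set.
GW_PORT=${GW_PORT:-8443}   # port the Gateway actually listens on
PUB_PORT=${PUB_PORT:-443}  # port clients and hard-coded policy URLs use
WAN_IF=${WAN_IF:-eth0}     # assumed external interface (adjust to the host)

# Rule 1: packets arriving from outside on 443 are REDIRECTed to 8443.
# PREROUTING never sees locally generated traffic, which is why rule 2 exists.
inbound_rule() {
  echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $PUB_PORT -j REDIRECT --to-ports $GW_PORT"
}

# Rule 2: OAuth policies that route to https://<gateway-host>/... resolve to an
# address on the box, so the packets leave via lo; OUTPUT DNAT sends them to
# 127.0.0.1:8443 instead of the unbound port 443 (the "Connection refused" case).
loopback_rule() {
  echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $PUB_PORT -j DNAT --to-destination 127.0.0.1:$GW_PORT"
}

# Sanity check on a "netstat -na" listing before applying: the redirect only
# makes sense if nothing already binds PUB_PORT and the Gateway really listens
# on GW_PORT. Prints "ok" or the reason, and returns 0 or 1 accordingly.
check_listeners() {   # $1 = netstat output
  if printf '%s\n' "$1" | grep -Eq "^tcp .*:$PUB_PORT +[^ ]+ +LISTEN"; then
    echo "port $PUB_PORT already has a listener; REDIRECT would shadow it"; return 1
  fi
  if ! printf '%s\n' "$1" | grep -Eq "^tcp .*:$GW_PORT +[^ ]+ +LISTEN"; then
    echo "nothing listens on $GW_PORT; redirected connections would be refused"; return 1
  fi
  echo ok
}

# Sample input: the listing posted earlier in the thread.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:9443                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:8443                0.0.0.0:*                   LISTEN
tcp        0      0 10.4.1.221:8443             10.2.1.159:63155            ESTABLISHED'

# Print both rules, or run them (as root) when APPLY=1.
apply_rules() {
  if [ "${APPLY:-0}" = 1 ]; then eval "$(inbound_rule)" && eval "$(loopback_rule)"
  else inbound_rule; loopback_rule; fi
}
```

Run `check_listeners "$(netstat -na)"` on the host first; the "mutually exclusive" note later in the thread still applies, so these rules replace the "Set an Alternate HTTPS Port" policy edits rather than complement them.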


  • 11.  Re: Change CA API Gateway port from 8443 to 443

    Posted Oct 01, 2018 11:09 AM

    Thanks for the input. 

    This is what we did: used the load balancer hostname as the cluster name in Global Properties. The way we got the SaaS portal to use port 443 was to add :443 to that property. This messes up some of the user interface (which now says :443:8443) but actually gets it working.

    We used Linux firewall to do the 443->8443 NAT as you suggested.