Layer7 API Management

Has anyone attempted to migrate policies, that include API portal assertions, with Enterprise Service Manager?  When we try it with a policy containing 'Set As Portal Managed Service' and the like we usually get the following error, though I've also seen "permission denied".  We don't use any Cassandra for OAuth, so I'm not sure why this is happening.  Any ideas?  As we move more and more to portal deployed services this is rendering ESM useless.

"Error when processing entity:
SERVICE, EMailService (#a571d78373ced9c062672360f365653e)
due to:
Error retrieving Cassandra connection: OAuth_Cassandra ()"

Hello,

I'm sorry to hear that but GMU has been recommended for policy migration instead of ESM recently.

https://docops.ca.com/ca-api-gateway/9-3/en/gateway-migration/migration-tools-at-a-glance#MigrationToolsataGlance-FrequentlyAskedQuestions

Could you please consider switching to GMU?

Best regards,
Seiji

Hi Pete,

We have a known issue (DE287025) where we have seen this type of behaviour before in ESM. There was a workaround noted but I'm not confident if this is still accurate and I have not tested this myself yet. You can change the following policies and change it to "NoSQL", according to the workaround:

OTK Token Get (token) line 22 replace with continue processing for the assertion OTK Token NoSQL Get
OTK Token Get (temporary) line 23 replace with continue processing for the assertion OTK Token NoSQL Get
OTK Token Delete line 17 replace with continue processing for the assertion OTK Token NoSQL Delete
OTK Token Disable line 18 with continue processing for the assertion OTK Token NoSQL Disable
OTK Token Revocation line 18 replace with continue processing for the assertion OTK Token NoSQL Revocation

Hopefully the workaround above will work for you so you can continue to use ESM, if that is your preferred tool for migrations. It should be noted though that our Product team does note that GMU is the preferred tool for migrations going forward and should be used if the ESM won't do the trick for you in this case. 

There's a couple things wrong with this instruction.  At least in our version, OTK 4.0, these EA's are indicated "Read Only".  Unless you know of a workaround, it won't let me change it.  Also, the line numbers don't match up as described.  Line 22 of OTK Token Get, for example, is a compare statement.  Line 23 is an OTK Token DB GET.

I see where this is headed, and it had already occurred to me that we may be able to dig into policies somewhere and correct this, but as a customer, we shouldn't have to.  If CA is saying GMU (which is very complicated to use and we haven't had any better luck with than ESM) is the way to go, why do you still bill us for maintenance of ESM?  Shouldn't paying maintenance imply CA is maintaining and fixing the product?

Hi Pete,

Sorry for the late response.

The line numbers may change as the policies change from version to version (in some cases), so that would make sense. The instructions I had were what worked for one customer but you are likely using a different version of OTK than they were using. The lines needed though should be close to the original though - so it could still be as easy as just looking for the assertion names (listed at the end of each line) and replacing it with the Continue Processing assertion. I can't speak to the read-only part, that may be a new roadblock in this workaround that used to work previously.

I cannot speak to why CA still invoices you for maintenance of ESM as I am not privy to that information and contractual stuff, that is a completely different department. It's a fair question though and one that you can probably bring up with your account representative. If I were to hazard a guess, it's because ESM does migrations but not just migrations as it also monitors the status of all nodes in unlimited number of clusters, allows for alerting of various items if exceeding any kind of threshold, for example. GMU only does the migration part of what ESM did, they are two different tools with different roles to play, only overlapping a bit on migration functionality. For what it's worth though, under Broadcom, all of the licensing and contracts will be changing and so it may be a moot point very soon.

Hi
I believe your questions has been answered, I will mark this as the correct answer.
When your question is not answered or you still have additional questions please let us know.
With Kind Regards

Dirk