KB Article #177887

Workaround to Expose Custom SSL Certificate on Admin Node Manager Port

Overview

Some customers do not wish to expose the product's internal SSL management certificate to their web browsers, e.g. when using the API Gateway Manager UI. This workaround introduces a second port on the Admin Node Manager that presents a custom server-side SSL certificate. The custom certificate will typically be signed by a customer-specific CA whose certificate is already known to and trusted by the browser.

With this solution, the Admin Node Manager exposes 2 ports. One SSL port is used by the web browser; this is the client-facing port. The other port is used by the other Node Managers, by API Manager and by scripts such as managedomain; this is the topology port.

Two options for setting up this workaround are described here. In Option 1, the topology port is changed to something other than 8090 and the client-facing port remains 8090. This may be preferable where firewall rules already allow 8090 through to the browser. In Option 2, the topology port stays at the default 8090 and the client-facing port is set to something else, e.g. 8092.

The instructions below apply to product version 7.5.0.

Option 1 - Set Up a Custom Certificate on Port 8090 for Admin Node Manager

In the example below the client-facing port is 8090 and the topology port is 8091. Neither port requires SSL mutual authentication.

Step 1: Set Up Topology to use a non-default Port for Admin Node Manager

Create a New Topology

If you do not have an existing topology, create one with an Admin Node Manager that uses a non-default topology port (i.e. not 8090); see below for how to edit an existing topology. The following sets up a new topology comprising 2 nodes, NodeA and NodeB. NodeA runs the Admin Node Manager on the non-default topology port 8091. The non-Admin Node Manager on NodeB can keep the default topology port 8090, because port 8090 on NodeB is not exposed to any client application.

Create a new topology as follows:-

On NodeA:

./managedomain -i --host nodea --port 8091

./nodemanager

./managedomain -c -n APIGateway1 -g Group1

./startinstance -n APIGateway1 -g Group1

On NodeB:

./managedomain -a --host nodeb --anm_host nodea --port 8090 --anm_port 8091 --username admin --password changeme

./nodemanager

./managedomain -c -n APIGateway2 -g Group1

./startinstance -n APIGateway2 -g Group1

Edit Existing Topology

If there is an existing topology, edit its topology port by running the following command on the Admin Node Manager host, NodeA:-

./managedomain --edit_host --host nodea --newport 8091 --username admin --password changeme

Restart the Admin Node Manager.

Verify System Running with Non-Default Topology Port

Open the API Gateway Manager UI and confirm all processes are live:-

https://nodea:8091

Run managedomain on NodeA to confirm a script on NodeA can connect:-

./managedomain --print_topology --username admin --password changeme

Check that the Node Manager ports in the printed topology are as expected (8091 for NodeA, 8090 for NodeB).

Run managedomain on NodeB to confirm a script on NodeB can connect:-

./managedomain --print_topology --username admin --password changeme

Step 2: Add a Client Facing Port 8090 to Admin Node Manager

Create a new Policy Studio project from the Admin Node Manager configuration on NodeA: use the “From existing configuration” option and point at the 7.5.0-install-dir/apigateway/conf/fed directory.

Import a certificate and key into Policy Studio, or, for test purposes, create a certificate and key via Policy Studio.

Create a new HTTPS listener on the client-facing port 8090 that uses the imported/generated custom certificate.

Copy the files from the project directory into the 7.5.0-install-dir/apigateway/conf/fed directory on NodeA.

Restart the Admin Node Manager on NodeA.

Verify System Running with Topology Port and Client Facing Port

Carry out the verification steps from Step 1 above.

Also test that the API Gateway Manager UI is now available on:-

https://nodea:8090

Verify that the topology port and the client-facing port are both accessible and present different server certificates, using the Policy Studio option “New Project from an API Gateway instance” against 8090 and 8091.

Note on Topology Port and Mutual Authentication

Note that the topology port (8091) cannot be made to require mutual SSL (without product changes), because all of the client-side scripts default to using the topology port. Scripts can do mutual SSL, but this is more awkward and probably rarely used by customers. API Manager also calls the Admin Node Manager on the topology port as a client when importing REST APIs created in Policy Studio. Requiring mutual SSL on the topology port may not be a requirement in any case: the port still presents the product's internal certificate and accepts password authentication, so if it is not exposed through the firewall and is reachable only from the other Node Managers, API Manager and administration hosts, this is unlikely to be an issue.

Option 2 - Set Up a Custom Certificate on Port 8092 for Admin Node Manager

With this option the topology port remains the default 8090, and a client-facing port, e.g. 8092, is simply added to the Admin Node Manager configuration.

Step 1: Set Up Topology

A topology is created as normal. Using the 2 node example from above:-

On NodeA:

./managedomain -i --host nodea

./nodemanager

./managedomain -c -n APIGateway1 -g Group1

./startinstance -n APIGateway1 -g Group1

On NodeB:

./managedomain -a --host nodeb --anm_host nodea --username admin --password changeme

./nodemanager

./managedomain -c -n APIGateway2 -g Group1

./startinstance -n APIGateway2 -g Group1

Step 2: Add a Client Facing Port 8092 to Admin Node Manager

Follow the steps described in Option 1, Step 2, but give the new HTTPS listener a port number other than 8090, e.g. 8092. The topology port is not changed.

After restarting the Admin Node Manager on NodeA, verify that 8090 and 8092 are both accessible to client applications and present different certificates, as described above.
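The verification step in Option 1 (Step 2) and in Option 2 above relies on Policy Studio to compare the certificates on the two ports. The following script is an added example, not part of this KB article or of the Axway product, that performs the same check from the command line: it fetches the certificate presented on each port, compares their SHA-256 fingerprints, and additionally confirms that the client-facing port validates against the customer CA with hostname checking on. The host name nodea, the ports 8090/8091 (Option 1; use 8092/8090 for Option 2) and the CA file name customer-ca.pem are assumed placeholders taken from the examples above.

```python
"""Check the Admin Node Manager's client-facing and topology ports present
different server certificates, and that the client-facing certificate chains
to the customer CA. Added example; not the product's own tooling."""
import hashlib
import socket
import ssl
import sys


def sha256_fingerprint(der_cert: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of a DER certificate,
    in the form browsers display it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der_cert(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate a TLS port presents, without validating it.

    Validation is deliberately off here: the topology port is expected to
    present the product's internal certificate, which the local trust store
    does not know, and we only want to see what each port serves.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def chains_to_ca(host: str, port: int, ca_file: str, timeout: float = 5.0):
    """Validate the port's certificate against ca_file only (no system CAs),
    with hostname checking on. Returns (True, subject) or (False, reason)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                # subject is a tuple of RDNs, each a tuple of (name, value)
                subject = {rdn[0][0]: rdn[0][1] for rdn in tls.getpeercert()["subject"]}
                return True, subject
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)


def check_ports(host: str, client_port: int, topology_port: int, ca_file: str) -> dict:
    """Collect the evidence a reviewer wants: both fingerprints, whether they
    differ, and whether the client-facing port chains to the customer CA."""
    client_fp = sha256_fingerprint(fetch_der_cert(host, client_port))
    topo_fp = sha256_fingerprint(fetch_der_cert(host, topology_port))
    ok, detail = chains_to_ca(host, client_port, ca_file)
    return {
        "client_fingerprint": client_fp,
        "topology_fingerprint": topo_fp,
        "certs_differ": client_fp != topo_fp,
        "client_chains_to_ca": ok,
        "client_detail": detail,
    }


if __name__ == "__main__":
    # Assumed values from the Option 1 example; customer-ca.pem is a placeholder
    # for the customer CA certificate in PEM form. Option 2: client 8092, topology 8090.
    host = sys.argv[1] if len(sys.argv) > 1 else "nodea"
    client_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8090
    topology_port = int(sys.argv[3]) if len(sys.argv) > 3 else 8091
    ca_file = sys.argv[4] if len(sys.argv) > 4 else "customer-ca.pem"
    result = check_ports(host, client_port, topology_port, ca_file)
    for key, value in result.items():
        print(f"{key}: {value}")
    sys.exit(0 if result["certs_differ"] and result["client_chains_to_ca"] else 1)
```

Run it as python check_anm_ports.py nodea 8090 8091 customer-ca.pem from a host that can reach both ports; a zero exit status means the client-facing port chains to the customer CA and the topology port presents a different (internal) certificate. The topology-port fingerprint is fetched with validation disabled only so that it can be displayed; nothing in this check trusts that certificate.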