Skip to content
CA API Developer Portal - 4.2
Documentation powered by DocOps

Enroll a CA API Gateway

Last update October 10, 2018

This article provides information about enrolling a CA API Gateway after the tenant record is created.

After a tenant record is created, you must enroll an API Gateway to handle API run-time traffic for example, managing and creating services. The API Gateway is a component that exposes, secures, and manages back-end applications, network systems, or infrastructure through services and APIs.

This article contains the following information:

Before You Begin

Before enrolling an API Gateway, ensure that the following requirements are met:

  • The tenant record must be created. See Create the API Portal Tenant

  • The following tools are correctly installed, configured, secured, and tested:

    • CA API Gateway 9.2.00 CR05 to CR07 or 9.3
    • OAuth Toolkit (OTK) version 3.6, 4.x
  • The OTK installation has the following properties:
    • No instance modifier.
    • The Shared Portal and Internal, Portal solution kits are installed. These solution kits, available when installing the OAuth Solution Kit, are required for integrating with the API Portal.
    • The default JDBC connection named OAuth is used.
  • Ensure that no global policies are configured on the API Gateway.
  • Have the API Portal hostname (for example, apim.mycompany.com) mapped in your DNS server or in the hosts file of your Gateway
  • The time on the API Gateway is synchronized with the API Portal. Typically, both entities point to the same NTP server.

Before enrolling the API Gateway, take a snapshot of the API Portal as a backup.

Enroll a Gateway

To enroll a Gateway on API Portal, perform the following steps:

  1. In a browser, navigate to the new tenant URL that you defined in enroll.json.
  2. Log in to the API Portal as the API Portal administrator using the following default credentials:

    • User: admin

    • Password: 7layer
    Change the default password upon login.
  3. Select the Services icon.
  4. Select Publish, Proxies.
    The API Proxy page displays.
  5. Select Add Proxy.
  6. Enter a name in the Proxy Name field.
  7. Select Automatic, On Demand, or Scripted deployment type. For more information, see Deployment Types.
  8. Select Create.
    The Proxy Enrollment page displays.
  9. In Enrollment URL, select Select URL and copy the value.
  10. Using the CA API Gateway Policy Manager, connect to your CA API Gateway.
  11. After you are logged in, select Tasks, Extensions and Add-Ons, Enroll with Portal.
  12. Paste the enrollment URL in the Enroll with SaaS Portal window and select Apply.
  13. Log in to your new tenant Portal, for example, mytenant.mycompany.com and validate that the external tenant displays.
  14. Restart the API Gateway by running service ssg restart on the API Gateway server.

Deployment Types

When enrolling a proxy, select one of the following deployment types:

  • Automatic – Gateway published APIs must use the automatic deployment type.
  • On-demand
  • Scripted

 See Manage API Deployments for more information about selecting a deployment type.

Post Deployment

After the administrator deploys the API Portal, the following functionalities are available for the users:

  • Publish an API, and view the details of the API from API Catalog page
  • Create and manage users
  • Self-register to Portal and view the APIs
  • Create Organizations and Account Plans
  • Approve or reject requests from the Requests page
  • Perform configurations from the Settings page
  • Only view APIs in the API explorer. 
    Because you are not enrolled with API Proxy, you cannot test the APIs from the API Explorer option.

Integrate with API proxy clusters to perform the following tasks:

  • Publish APIs
  • Manage API keys
  • View the analytics data in the Analytics dashboard
  • Test the APIs on Proxy using the API Explorer

Failed Gateway Deployment?

If you tried to enroll an API Gateway with an API Portal but the enrollment failed, clean up the API Gateway and Portal before you try again.

Note:  Use the following procedures whether you set up the API Gateway on AWS or on another cloud or network.

To clean up the API Gateway:

  1. In the Policy Manager, log in to the Gateway as a Gateway administrator.
  2. On the Tasks menu, select Certificates, Keys and Secrets and Manage Certificates. Use the dialog to remove the TSSG, PSSG and DSSG certificates. Note: Do not delete the API Gateway self-signed SSL certificate.
  3. On the Tasks menu, select Certificates, Keys and Secrets and Manage Private Keys. Use the dialog to remove the portalman private key.
  4. On the Tasks menu, select Global Settings and Manage Scheduled Tasks. Use the dialog to remove the following tasks:
    • Portal Sync Application 
    • Portal Sync API 
    • Portal Tenant Sync Policy Template 
    • Portal Sync Account Plan 
    • Portal Bulk Sync Application 
    • Portal Check Bundle Version 
    • Delete Portal Entities 
    • Move Metrics Data Off Box Task 
    • Portal Sync SSO Configuration
  5. On the Tasks menu, select Global Settings and Manage Cluster-wide Properties. Use the dialog to remove all properties that begin with portal.
  6. Restart Gateway service.

To remove the Portal:

  1. Log in to the API Portal as an API Portal administrator.
  2. On the navigation bar, select the Services icon and select Proxies.
  3. On the API Proxy page, select Add Proxy to add new API proxy, enter a different name, and select Create
  4. Copy the enrollment URL. 
  5. Connect to the API Gateway with the Policy Manager.
  6. In the Policy Manager, select Tasks on the top menu bar. 
  7. On the menu, select Extensions and Add-Ons, Enroll with Portal
  8. Paste the enrollment URL in the Enroll with SaaS Portal window. 
  9. On the API Proxy page, delete the old API proxy which is enrolled with the same API gateway.

Update Portal Integration

To enroll Portal or to update the enrollment bundle:

  1. Log in as admin. 
  2. After you are logged in, select Tasks on the top menu bar.
  3. On the menu, select Extensions and Add-Ons
  4. Select Enroll with Portal or Update Portal Integration.


Was this helpful?

Please log in to post comments.

  1. Alex Forsyth
    2017-12-19 01:50

    Portal created URL which starts with https://enroll.mycompany.com and not my PAPI tenant apim.mycompany.com so this has to be what is added to the /etc/hosts file of the gateway for it to work in the enrollment.

  2. Alex Forsyth
    2018-01-17 05:05

    We should add back documentation on how to unenroll that was in Portal 4.1 documentation. One customer has already had an issue and did not know how to clean-up the gateway before trying again. It also happens with people that have a previous installed Classic 3.5 Portal so may need to know what has to be removed/checked before enrolling with Portal 4.x. Thanks!

    1. Jennifer L Hajee
      2018-01-18 09:13

      Hi Alex,

      Can you create doc ticket for this? I'd to track this enhancements to ensure they are confirmed by development.

       

      Thank you

      1. Alex Forsyth
        2018-02-20 07:28

        Sure, will do.

        1. Tahar Sayagh
          2018-05-02 06:16

          Hello Alex,

          Can you tell me the reference for your ticket please? I'm facing this issue with a previous 3.5 Portal.

          Thanks!

          1. Andrea Tejokusumo
            2018-05-02 02:02

            Hi Tahar and Alex, are you able to find the needed information from this page

  3. CRISTIANO D'ANDREA
    2018-03-22 02:28

    Please include a "5. Restart Gateway Service" as last step under [Step 1. Clean up the API Gateway] section. If the service is not restarted, removed certificates still cached and that would create a conflict if a new tenant Gateway is enrolled.

    Thanks!

    1. Andrea Tejokusumo
      2018-04-25 05:22

      Thanks Cristiano, this step has been added.

  4. CRISTIANO D'ANDREA
    2018-03-22 08:26

    In step 3 under [Step 1. Clean up the API Gateway] we should correct "Use the dialog to remove ALL scheduled tasks" to

    "Use the dialog to remove the following tasks":

    Portal Sync Application Portal Sync API Portal Tenant Sync Policy Template Portal Sync Account Plan Portal Bulk Sync Application Portal Check Bundle Version Delete Portal Entities Move Metrics Data Off Box Task Portal Sync SSO Configuration"

    The above is more accurate and will avoid confusion where user may delete tasks not relevant to Portal enrolment as those generated by the OTK installation.

    1. Andrea Tejokusumo
      2018-04-25 05:22

      Thank you for your clarification, Cristiano.

  5. Kevin Russell
    2018-07-20 06:48

    Please see my comments from 7/20 on DE373987. Clean up Gateway enrollment documentation requires modification.

    1. Christine Heywood
      2018-07-23 05:42

      Thanks, Kevin, for your input. I've contacted the dev team lead to confirm the instructions you provided in DE373987 and will update this page soon.

    1. Christine Heywood
      2018-08-02 02:43

      Hello Kevin,

      To follow up, Rally item US525951 has been created to figure out the SaaS Portal specific steps/instructions. Docops will document once these steps/instructions have been identified.

  6. Nicolas Mayer
    2018-07-27 08:38

    In the section Failed deployment, section 2, you miss to remove the tssg certificate, can you add it please ?

    1. Christine Heywood
      2018-07-27 12:05

      Hello Nicolas,

      Thanks for your comment. I've updated this page to include TSSG in the remove certificate section. 

  7. Oleksii Donets
    2018-08-02 05:26

    How can I delete the API Proxy which is enrolled to the older Dev Portal version (4.2.0-final), which is not running/existing more? We upgraded the Dev Portal to 4.2.7.7 and want to enroll our API Proxy(our existing Gateway), but the Policy Manager says, that this is already enrolled to a dev portal and cannot be enrolled to the new one.

    1. Christine Heywood
      2018-08-02 02:56

      Hello Oleksii,

      Thanks for your comment. I've reached out to the Dev team for an answer and will get back to you shortly.

      1. Oleksii Donets
        2018-08-23 04:17

        Hello Christine, is there any news no my question from the Dev team? Thank you!

        1. Christine Heywood
          2018-08-23 11:31

          Hello Oleksii, 

          I received a reply from Dev. You can follow the failed deployment steps described on this page. These steps outline how to clean the gateway from any enrollment certs and keys from a previous enrollment which in their case clearly exist and point to an old portal. However, you don't mention if your gateway has any APIs on it or not and how those were created (via old portal or via gateway policy manager) - those details are important.

  8. Wesley Nyamangwanda
    2018-08-06 04:09

    On the prerequisites for enrolling a gateway, it says "Ensure no Global Policies are configured", is there a work-around if we already have global policies in our current gateway? Also can we remove the global policy prior to enrollment and then re-add it afterwards as a work around?

    We currently have the WSDL Query Handler enabled per security policy which uses a global fragment so we are trying to figure out a way around this prerequisite.

    1. Simon Crum
      2018-08-13 08:07

      Hi Wesley. The limitation exists because the enrollment creates global policies on the gateway and only one of each type can be created. More details to come.

      https://docops.ca.com/ca-api-gateway/9-2/en/published-services-and-policies/working-with-policies/policy-fragments/global-policy-fragments#GlobalPolicyFragments-TypesofGlobalPolicies


      UPDATE: The types of global policies created on enrollment are: 

      • message-received
      • message completed.

      Only Gateways with existing global policies of these two types prevent enrollment. 




  9. KOICHI IKARASHI
    2018-09-18 12:45

    As for "Enroll a Gateway", in the step 2, Login account and password to the API Portal should be changed to: - User: admin - Password: 7layereyal7

    1. Simon Crum
      2018-09-21 05:53

      Thanks Kocichi. The password should be 7layer. I will see about changing this.

  10. Evan Ng
    2018-11-08 10:26

    Hi Would like to know is the portal compatible with CA API Gateway9.4?

    1. Lucie Stehnova
      2019-01-04 03:00

      Hi Evan, 

      Thank you for your comment. At the moment, Portal version 4.2 does not officially support Gateway version 9.4 as the testing hasn't been finalized yet.

      Lucie

  11. Nathan Blumenthal
    2019-01-03 11:16

    How do you check the NTP server on the portal running on Docker?