Oracle API PCS (Platform Cloud Service) Gateway Users Password Reset

Requirement:

If you are using Oracle API PCS, you should be aware that it uses two system users: a Gateway Manager user and a Gateway Runtime user. These users are responsible for API Node polling, API deployment, the Analytics data feed, update sync and other Gateway-related actions that we perform from the API Platform Cloud Service (PCS) Management Portal.

In the classic version, the Management Portal can be configured on a system you have access to, and the users are configured in the WebLogic realm where the Management Portal is running. However, if you are using the Gen2 version of the PCS Management Portal, which is completely managed by Oracle, then you probably have your Gateway users configured on IDCS.

As a security requirement, users on IDCS are subject to a password expiry policy. Passwords expire according to your configuration, which may be 60 days, 90 days, 120 days, etc.

If your Gateway user password has expired, you may face issues syncing Gateway Nodes to the Management Portal, and API deployment will also get stuck, because the Gateway is cut off: the Gateway Runtime user can no longer be validated with the existing password.

Solution:

To resolve this, you need to reset the Gateway Runtime user password. Additionally, you can reset the Gateway Manager password as a password rotation best practice.

Steps:

It's better to do the password reset before the existing password's expiration date, to avoid Analytics and API sync issues.

1. Hold all polling from the Gateway Nodes (on each individual node) where the user is registered. If you are using the same Gateway Runtime & Manager users on multiple nodes, hold polling on every individual Gateway Node.

Endpoint: https://nodehostname:port/apiplatform/gatewaynode/v1/config/poller

Method : POST

Type : application/json

Authorization : Bearer Token <<<Auth token generated for a user that has the Gateway Manager or Admin role>>>

Body :

{ "state": "inactive" }

Response Code : 204

2. Stop Analytics Agents on all Gateway nodes where gateway users are in use.

Go to Weblogic Deployments –> Control Tab –> oracle_apiplatform_analytics_agent

State must change from Active to Prepared.

3. Run the password update command.

Replace the values marked <<< >>> with your own system values.

[user@localhost ApicsGatewayInstaller_Gen2]$ ./APIGateway -f gateway-props.json -a updatecredentials
Setting OPATCH_NO_FUSER to true
Please enter user name for weblogic domain,representing the gateway node:
weblogic
Password: <<<provide weblogic user password>>>
INFO Initiating validation checks.
INFO validation complete
INFO Install action logs are located in /u01/app/ApicsGateway/logs
INFO Logging to file /u01/app/ApicsGateway/logs/main.log
INFO Outcomes of operations will be accumulated in /u01/app/ApicsGateway/logs/status.log
Please enter gateway manager user:
gateway-manager-user
Password: <<<provide new password if reset, else give existing password>>>
Please enter gateway runtime client id:
<<<provide client id from Management Portal setting section>>>
Please enter gateway runtime client secret:
<<<provide client secret from Management Portal setting section>>>
Please enter gateway runtime user:
gateway-runtime-user
Password: <<<provide new password>>>
INFO Performing update credentials step.
INFO Logging to file /u01/app/ApicsGateway/logs/updateCredentials.log
INFO Update credentials step complete. Status = UPDATE_EXECUTED .Please refer log file for details.
INFO Execution complete.
[user@localhost ApicsGatewayInstaller_Gen2]$

Perform this activity on all Gateway nodes where gateway users are in use.

4. Resume node polling on all nodes once the updatecredentials command has been executed on all Gateway nodes.

Endpoint: https://nodehostname:port/apiplatform/gatewaynode/v1/config/poller

Method : POST

Type : application/json

Authorization : Bearer Token <<<Auth token generated for a user that has the Gateway Manager or Admin role>>>

Body :

{
  "state": "active",
  "pollingInterval": "120 seconds"
}

5. Start Analytics Agents on all Gateway nodes.

Go to Weblogic Deployments –> Control Tab –> oracle_apiplatform_analytics_agent

State must change from Prepared to Active.

Please note: if node polling or an Analytics Agent that uses the Gateway users is still running on any node while you update the password, the user will be locked on IDCS because of login attempts with the old, now-invalid password.
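
Steps 1 and 4 scripted for several nodes, as an added example that is not part of the original post: it posts the poller state to each node and exits non-zero if any node does not confirm, since a node left polling with the old password is what locks the user on IDCS. The APIGW_TOKEN variable, the script name poller.sh and the host:port arguments are assumptions.

```shell
#!/usr/bin/env bash
# Added example: hold or resume gateway node polling on every node around a credential rotation.
# Assumptions (not from the original post): APIGW_TOKEN env var, nodes given as host:port.
POLLER_PATH="/apiplatform/gatewaynode/v1/config/poller"   # endpoint path from steps 1 and 4

# Build the JSON body for the requested state, matching the bodies shown in steps 1 and 4.
poller_body() {
  case "$1" in
    inactive) printf '{"state": "inactive"}' ;;
    active)   printf '{"state": "active", "pollingInterval": "%s"}' "${2:-120 seconds}" ;;
    *)        echo "unknown state: $1" >&2; return 2 ;;
  esac
}

# POST the state to one node (-d implies POST); succeed only on HTTP 2xx (step 1 documents 204).
# The bearer token is fed to curl on stdin so it never appears in the process list.
set_poller() {
  local node="$1" state="$2" body code
  body="$(poller_body "$state")" || return 2
  code="$(printf 'Authorization: Bearer %s\n' "$APIGW_TOKEN" |
    curl -sS -o /dev/null -w '%{http_code}' --max-time 30 \
         -H @- -H 'Content-Type: application/json' \
         -d "$body" "https://${node}${POLLER_PATH}")" || code="000"
  case "$code" in
    2??) echo "OK   $node -> $state ($code)" ;;
    *)   echo "FAIL $node -> $state ($code)" >&2; return 1 ;;
  esac
}

# Apply the state to every node; a non-zero return means at least one node did not confirm.
set_all() {
  local state="$1" failed=0 node
  shift
  for node in "$@"; do
    set_poller "$node" "$state" || failed=1
  done
  return "$failed"
}

# Usage: APIGW_TOKEN=... ./poller.sh inactive node1:port node2:port
if [ "$#" -ge 2 ]; then
  : "${APIGW_TOKEN:?set APIGW_TOKEN to a Gateway Manager or Admin bearer token}"
  set_all "$@" || { echo "Not every node confirmed; resolve before continuing." >&2; exit 1; }
fi
```

Run it with `inactive` before step 2 and with `active` after updatecredentials has completed on every node; a FAIL line on the hold means the password should not be changed yet.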

Hope this will help you !!!