Start the Policy Manager
There are two ways to start the Policy Manager:
- Desktop client: The standard desktop client provides maximum functionality and better performance, but it requires the Policy Manager application to be installed on the client computer.
- Browser client: The browser-based client provides flexibility—you can run the Policy Manager from virtually any computer with an Internet connection and a compatible web browser with a Java Runtime Environment (JRE) installed. However, not all features are available.
Running the Desktop Client
Do the following to start the Policy Manager as a standard client:
- Linux: Navigate to the directory where the Policy Manager is installed and then either run ./Manager.sh or double click the .sh icon.
- Windows: Click [Start] > All Programs > Policy Manager > Policy Manager
Once the Policy Manager is started, you can connect to the API Gateway.
Start the Browser Client
Prerequisites:
- For a list of the supported browsers and Java environment, see the Readme.txt file which accompanies the Policy Manager (Note: Other browsers may work but their performance is not guaranteed.)
- Browser should have any JavaScript blockers disabled
- Operator running the browser client must have at least one assigned role in the Policy Manager
- Policy Manager URL added to the Java exceptions list (see "Special note about Java Security" below)
Browser client access can be disabled by clearing the Enable web-based administration check box in the Listen Port Properties ([Endpoints] tab) for the SSL endpoint.
To run the Policy Manager from a browser:
- Start the browser and type the following URL in the address bar: https://<gatewayHostName>:9443/ssg/webadmin
- When presented with security or authentication prompts, accept the certificates after verifying the certificate information and thumbprint in accordance with your organization's security policy.
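One way to carry out the thumbprint verification in the step above before accepting the prompt, as an added example that is not part of the product documentation: fetch the certificate presented on port 9443 and compare its hash with a reference thumbprint obtained from the gateway administrator through a separate channel. The function names are hypothetical, and the use of SHA-1 or SHA-256 hex thumbprints is an assumption.

```python
import hashlib
import hmac
import ssl
import sys

# Hex length of the reference thumbprint selects the hash (assumption: SHA-1 or SHA-256).
ALGORITHM_BY_LENGTH = {40: "sha1", 64: "sha256"}


def normalize_thumbprint(text):
    """Strip separators so 'AB:CD ...' and 'abcd...' compare equal."""
    cleaned = "".join(ch for ch in text if ch not in ": -").lower()
    if len(cleaned) not in ALGORITHM_BY_LENGTH or set(cleaned) - set("0123456789abcdef"):
        raise ValueError("reference must be a SHA-1 or SHA-256 thumbprint in hex")
    return cleaned


def thumbprint(pem_cert, algorithm):
    """Hash the DER encoding of a PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.new(algorithm, der).hexdigest()


def certificate_matches(pem_cert, reference):
    """True only if the presented certificate hashes to the out-of-band reference."""
    expected = normalize_thumbprint(reference)
    actual = thumbprint(pem_cert, ALGORITHM_BY_LENGTH[len(expected)])
    return hmac.compare_digest(actual, expected)


def fetch_presented_cert(host, port=9443):
    """Retrieve the listener's certificate without validating or trusting it."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # live check: <gatewayHostName> <reference thumbprint>
        pem = fetch_presented_cert(sys.argv[1])
        reference = sys.argv[2]
    else:  # offline demo on constructed bytes (not a real certificate)
        pem = ssl.DER_cert_to_PEM_cert(b"constructed sample, not a real certificate")
        reference = thumbprint(pem, "sha256").upper()
    ok = certificate_matches(pem, reference)
    print("MATCH" if ok else "MISMATCH: do not accept the certificate")
    sys.exit(0 if ok else 1)
```

The hash algorithm must be the same one used to produce the reference value; a mismatch means the certificate offered to the browser is not the one the administrator published.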
Special note about Java Security
Beginning with Java 7 Update 51, you must add the Policy Manager web URL to the Java "Exception Site List" before the browser client can run. For more information, see: https://www.java.com/en/download/faq/exception_sitelist.xml
Special note for Internet Explorer users
The security built into Internet Explorer may require special handling to eliminate warning messages if your API Gateway SSL certificate is not signed by a certificate authority that your browser is configured to trust.
- You will see a browser tab with the words: There is a problem with this website's security certificate. Disregard the warning and click [Continue to this website]. You are then prompted to log into the API Gateway.
- Enter your User name and Password, just as if you were logging into the Policy Manager standard client.
- Next to the address bar, there will be a [Certificate Error] button. Click this button and then select View Certificates.
- Click [Install Certificate]. The Certificate Import Wizard appears.
- Click [Next] to proceed to the Certificate Store step of the wizard.
- Select Automatically select the certificate store based on the type of certificate and then click [Next]. The successful completion screen should now appear.
- Click [Finish]. A confirmation dialog tells you that the SSL certificate was imported successfully.
- Click [OK] to dismiss the confirmation.
- Next, import the CA root certificate by selecting the [Certification Path] tab on the Certificates dialog.
- Select the root certificate on the tree of the Certificate Path and then click [View Certificate]. The certificate information is displayed.
- Click [Install Certificate] and run the Certificate Import Wizard. At the security warning, carefully verify the certificate according to your organization's security policies. Contact your network administrator if unsure.
- If the certificate is satisfactory, click [Yes] to proceed with the installation.
- Click [OK] to dismiss the Certificate dialog.
The browser will continue to display [Certificate Error] until it is restarted, at which point it becomes a padlock icon. To confirm that the certificates are correctly installed: click the error button, select [View certificates], and then select the [Certificate Path] tab. The certificate status should show: "This certificate is OK."
Special note for Firefox users
The security built into Firefox may require special handling to eliminate warning messages if your API Gateway SSL certificate is not signed by a certificate authority that your browser is configured to trust.
- You will see a browser tab with the words: Secure Connection Failed. Disregard the warning and click "Or you can add an exception..." at the bottom. Two new buttons will appear.
- Click the button labelled Add Exception... The Add Security Exception dialog appears.
- Verify that the API Gateway URL is correct and then click Get Certificate.
- Select the Permanently store this exception check box and then click Confirm Security Exception. The Policy Manager login screen appears.
- Enter your User name and Password when prompted, then click [Login].
Once the connection to the API Gateway is established, the Policy Manager checks your user permissions as defined by your role, and then enables the appropriate features within the system.
If you encounter any problems relating to field focus in the browser client (in other words, you cannot get the cursor to enter a text field), disable any third party tool bars that may be installed in your browser. Note that some browsers require a mouse click to switch focus to the browser applet first, before subsequent mouse clicks are interpreted by the Policy Manager.
Connect to the Gateway
This topic applies only to the desktop client version of the Policy Manager. In the browser client version, you are connected to the API Gateway when the Policy Manager interface appears.
Each time you start the Policy Manager, the Login dialog automatically appears. Use this dialog to:
- Connect to an existing API Gateway or cluster by selecting its URL from the drop-down list on the Login dialog, or
- Connect to a new API Gateway or cluster by typing its URL in the Login dialog.
You can also display the Login dialog from within the Policy Manager by doing either of the following:
- Click [Connect] on the Main Tool Bar (if currently connected, you must first Disconnect before connecting to a different API Gateway)
- Select [File] > Connect from the Main Menu
Once the connection to the API Gateway is established, the Policy Manager checks your user permissions as defined by your role, and then enables the appropriate features within the system.
CA Technologies recommends using separate accounts for administrative access (i.e., connecting to the API Gateway) and for message processing (i.e., adding a user to a service policy). To simplify using separate user accounts, you may consider using different identity providers for administration/message traffic. For more information, see Identity Providers.
Complete the Login dialog as follows:
Option | Description |
---|---|
User Name/Password | To log in using a password, enter your User Name and Password. Your account may be configured to remember your user name. For security, the administrative user account will be locked for 20 minutes after five unsuccessful login attempts. No further login attempts may be made during the lockout period. The settings can be changed using the Manage Administrative User Account Policy dialog. |
Client certificate | To log in using a client certificate, select from the Certificate drop-down list. To add or remove certificates from the list, click Manage and choose a task. Users with client certificates are required to use their certificates during login. The 'CN' value in the certificate must match the username. |
Gateway | Select the API Gateway to connect to from the drop-down list. If the correct API Gateway is not listed, type the URL in the Gateway field, in the format machinename.domain.com. The URL is saved to the list. After connecting to a new API Gateway, you will need to install the license file. Connecting to a non-default port: To connect to a port other than the default 8443, you must append the SSL Endpoint port number to the API Gateway name; for example: mygateway.domain.com:8445. IPv6 Support: The API Gateway field supports IPv6 literals for the API Gateway host. The following formats are supported: [2222::7] and [2222::7]:8443. Note that IPv6 literals must be enclosed within square brackets ("[ ]") to be interpreted correctly. |
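
The address rules in the Gateway row above (default port 8443, optional port suffix, bracketed IPv6 literals), written out as a parser that can validate gateway addresses in scripts or inventory data. This is an added example, not Policy Manager code; the function name is hypothetical and the rejection rules are an interpretation of the table, not documented product behaviour.

```python
import ipaddress

DEFAULT_PORT = 8443  # default port named in the Gateway row above


def parse_gateway_field(value):
    """Split a Gateway field entry into (host, port); raise ValueError if malformed."""
    value = value.strip()
    if value.startswith("["):  # bracketed IPv6 literal
        end = value.find("]")
        if end == -1:
            raise ValueError("missing closing ']' in IPv6 literal")
        host = str(ipaddress.IPv6Address(value[1:end]))  # rejects non-IPv6 text
        rest = value[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected text after ']'")
        has_port, port_text = bool(rest), rest[1:]
    else:
        if value.count(":") > 1:
            raise ValueError("IPv6 literals must be enclosed in [ ]")
        host, sep, port_text = value.partition(":")
        has_port = bool(sep)
        if not host:
            raise ValueError("missing host name")
    if not has_port:
        return host, DEFAULT_PORT
    if not (port_text.isascii() and port_text.isdigit()) or not 1 <= int(port_text) <= 65535:
        raise ValueError("port must be a number from 1 to 65535")
    return host, int(port_text)


if __name__ == "__main__":
    # Entries from the table above, plus two constructed malformed ones.
    for entry in ["mygateway.domain.com:8445", "[2222::7]", "[2222::7]:8443",
                  "2222::7", "mygateway.domain.com:"]:
        try:
            print(entry, "->", parse_gateway_field(entry))
        except ValueError as err:
            print(entry, "-> rejected:", err)
```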
To edit the list of client certificates:
To... | Do this... |
---|---|
Add a client certificate to the list |
|
Remove a client certificate from the list |
|
Connecting via Proxy
If you need to connect to the CA API Gateway via a proxy server, make the following modifications before using the connection instructions above.
The modifications shown here are required only for the desktop client. The browser client version of the Policy Manager automatically recognizes any proxies.
To configure the Policy Manager to use a proxy (Windows):
- Locate the file Layer 7 Policy Manager.ini and open it in a text editor.
- Add the following string before the "-jar" section of the file. For example, if your .INI file ends with "-jar Manager.jar", then add the string before "-jar": -Dhttp.proxyHost=<Proxy_host> -Dhttp.proxyPort=<Proxy_port> -Dhttp.proxyUsername=<User_name> -Dhttp.proxyPassword=<User_password>
- Save and exit. The Policy Manager now uses the proxy when connecting to the Gateway.
To configure the Policy Manager to use a proxy (Linux):
- Locate the file Manager.ini and open it in a text editor.
- Add the following to the "extra" variable declaration: extra="... -Dhttp.proxyHost=<Proxy_host> -Dhttp.proxyPort=<Proxy_port> -Dhttp.proxyUsername=<User_name> -Dhttp.proxyPassword=<User_password>"
- Save and exit and then run Manager.sh. The Policy Manager now uses the proxy host when connecting to the Gateway.
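The proxy options above place the proxy password in the .ini file as plain text, so anyone who can read that file can read the password. The following added example (not part of the product documentation) reports whether a Policy Manager .ini file carries an inline proxy password and, on Linux, whether the file is accessible beyond its owner. The function name and the sample host and credentials are constructed.

```python
import os
import re
import stat
import tempfile

# Matches the option from the steps above when it carries a value.
PASSWORD_OPTION = re.compile(r'-Dhttp\.proxyPassword=[^\s"]+')


def audit_proxy_ini(path):
    """Return a list of findings for a Policy Manager .ini file; empty means clean."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as handle:
        has_password = any(PASSWORD_OPTION.search(line) for line in handle)
    if not has_password:
        return findings
    findings.append("proxy password stored in clear text")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Permission bits are only meaningful on POSIX systems (the Linux client).
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file accessible to group/other (mode %03o)" % mode)
    return findings


if __name__ == "__main__":
    # Constructed sample in the Linux Manager.ini form; values are made up.
    sample = ('extra="-Dhttp.proxyHost=proxy.example -Dhttp.proxyPort=3128 '
              '-Dhttp.proxyUsername=pmuser -Dhttp.proxyPassword=constructed-secret"\n')
    with tempfile.TemporaryDirectory() as folder:
        path = os.path.join(folder, "Manager.ini")
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(sample)
        os.chmod(path, 0o644)
        print("mode 644:", audit_proxy_ini(path))
        os.chmod(path, 0o600)
        print("mode 600:", audit_proxy_ini(path))
```

Restricting the file to its owner (mode 600) removes the second finding; the first remains for as long as the password is kept in the file.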