Understand Gateway Patches

The Layer7 API Gateway provides a patch management feature to help you organize all the patches for the Gateway. These patches are issued by CA Technologies to update functionality on the Gateway, including installing new versions of the Gateway.
Patch States
The state of a patch is displayed when you run the list action. A patch can be in any of these states:
| State | Description |
|-------|-------------|
| NONE | The patch is unknown to the Gateway. This state is returned if you query an unknown patch_ID or query a patch that was uploaded and then deleted without being installed. It is also the result of deleting a ROLLED_BACK patch. |
| UPLOADED | The patch has been uploaded to the Gateway and its signature has been verified. The patch is available for other operations, but it is not installed yet. |
| INSTALLED | The patch has been installed successfully. Note that only UPLOADED patches may be installed. |
| ERROR | The patch installation has failed. Contact CA Support if this happens and have the patch log files available (see "Viewing Patch Log Files" below). |
Patch File Nomenclature
This section helps you understand the different types of patch files and is of interest to advanced users.
There are currently five types of patch files for the Gateway appliance:
  • (Appliance Gateway only)
    Incremental Platform Update Patches (also known as "Security Patches")
    This type of patch contains RPM files for the underlying operating system (OS). These files patch security vulnerabilities and include updates to the OS-level RPM files, but they are not intended to modify the behavior of the Gateway software.
    These patches can be found in the Download section of the Support Portal with names that follow this syntax:
    CA_API/Layer7_PlatformUpdate_<architecture>_<gatewayVersion>.L7P
    There are both x32 and x64 versions of each of these patches. These patches contain all the modifications since the last minor version release, effectively containing all Monthly Platform Updates from the previous version, as well as any RPM files added for the core minor version release.
  • (Appliance Gateway only)
    Monthly Platform Updates (these are also referred to as "Security Patches")
    These patches are periodic updates to the Incremental Platform Update Patches. They serve the same function, but are created to provide the most up-to-date security for the OS pending the next major or minor release.
    These patches can be found in the Download section of the Support Portal with names that follow this syntax:
    CA_API/Layer7_PlatformUpdate_<architecture>_<GatewayVersion>-<date>.L7P
    There are both x32 and x64 versions of each of these patches. These patches are cumulative for their version release. They do not contain the core version release patch.
  • Core Application Patches
    The Application Patch is intended to update the Layer7 API Gateway and Layer7 API Gateway - Enterprise Service Manager software. These patches do not update the underlying operating system.
    These patches can be found in the Download section of the Support Portal with names that follow this syntax:
    CA_API_Gateway/Layer7_<version>.L7P
  • Application Update, Cumulative Release Patches
    These patches are periodic updates to the Gateway application, pending the release of the next patch. They are typically used to resolve any issues that arose as a result of the deployment of the Core Application Patch. These patches provide quick responses to new security threats at the application level (for example, updating the default cipher suite list to combat CBC attacks). They also provide enhancements to functionality pending the next major/minor release.
  • Other Patches
    These include hot fixes, extended functionality for a niche project, cumulative Platform Updates, and other items that do not fall in any of the above categories.
Monitor the Release Notes for all patching information. These notes discuss any security vulnerabilities or hot fixes handled by the application patches. When deciding when to update your Gateway software, take into account factors such as functionality, security features, and end-of-life timelines on the versions.
Patching Best Practices
CA Technologies recommends the following best practices for patching your Gateway:
Platform Update Patches (all "Security Patches")
Apply these patches as soon as possible to keep your Gateway appliance patched against any OS-level security vulnerabilities. To do this, install the most recent Monthly Platform Updates for your Gateway version after deploying the appliance. When new versions are released, apply the Incremental Platform Update Patch for that new version, and then keep up to date on the latest Monthly Platform Update for that version.
If you are deploying an appliance that is not the most recent version:
  1. Install, in the correct order, the Incremental Platform Update Patches for each version released since your appliance version.
  2. Install the most recent Monthly Platform Update for the newest appliance version.
    When installing any platform patch, consult the Release Notes for that version to ensure that the patches are correctly deployed.
    Some patches require a mysql_upgrade from the command line, or a similar additional action; for more information, see the respective MySQL Release Notes.
    These patches should be applied one at a time on all nodes in the cluster and require a reboot after every incremental patch is installed.
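The ordering rule above can be checked against a download folder before anything is uploaded. The following is an added example, not CA tooling: it parses the naming syntax from "Patch File Nomenclature" and returns the platform patches in install order. The token formats (dotted numeric version, ISO date, `x64`/`x32` architecture token), the sample file names, and the function names are assumptions made for illustration.

```python
import re

# Assumed token formats (the page gives only placeholders): dotted numeric
# version, ISO date, architecture token without underscores.
PLATFORM = re.compile(
    r"^(?:CA_API|Layer7)_PlatformUpdate_(?P<arch>[^_]+)_"
    r"(?P<ver>\d+(?:\.\d+)+)(?:-(?P<date>\d{4}-\d{2}-\d{2}))?\.L7P$")
CORE = re.compile(r"^(?:CA_API_Gateway|Layer7)_(?P<ver>\d+(?:\.\d+)+)\.L7P$")

def vkey(ver):
    """'9.2.00' -> (9, 2, 0) so versions compare numerically."""
    return tuple(int(p) for p in ver.split("."))

def classify(name):
    """Return (kind, arch, version, date) for a patch file name."""
    m = PLATFORM.match(name)
    if m:
        kind = "monthly" if m["date"] else "incremental"
        return kind, m["arch"], vkey(m["ver"]), m["date"]
    m = CORE.match(name)
    if m:
        return "core", None, vkey(m["ver"]), None
    return "other", None, None, None

def plan_platform_updates(names, arch, appliance_version):
    """Newer Incremental patches in ascending version order, then the latest
    Monthly update for the newest version reached."""
    current = vkey(appliance_version)
    parsed = [(n, *classify(n)) for n in names]
    incr = sorted((p for p in parsed if p[1] == "incremental"
                   and p[2] == arch and p[3] > current), key=lambda p: p[3])
    target = incr[-1][3] if incr else current
    monthly = [p for p in parsed
               if p[1] == "monthly" and p[2] == arch and p[3] == target]
    plan = [p[0] for p in incr]
    if monthly:
        plan.append(max(monthly, key=lambda p: p[4])[0])
    return plan

# Constructed sample download folder; file names are illustrative only.
SAMPLE = [
    "Layer7_PlatformUpdate_x64_9.3.00-2018-02-20.L7P",
    "Layer7_PlatformUpdate_x64_9.3.00.L7P",
    "Layer7_PlatformUpdate_x32_9.3.00.L7P",
    "Layer7_PlatformUpdate_x64_9.2.00.L7P",
    "Layer7_PlatformUpdate_x64_9.3.00-2018-03-15.L7P",
    "Layer7_9.3.00.L7P",
]
for step, name in enumerate(plan_platform_updates(SAMPLE, "x64", "9.1.00"), 1):
    print(step, name, "-> install on every node, then reboot")
```

Files that match none of the documented patterns are classified as "other" and left out of the plan, so hot fixes and application patches still have to be scheduled from the Release Notes.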
Application Patches
It is typically best practice to monitor the Release Notes for all patching information. These notes discuss any security vulnerabilities or hot fixes handled by the application patches. When deciding when to update your Gateway software, take into account factors such as functionality, security features, and end-of-life timelines on the versions.
Restarting the Gateway
The Gateway needs to be restarted during the patching process. The recommended method is the "Restart" command in the Gateway main menu, which invokes the correct sequence of commands in the background. Advanced users who understand the underlying commands may opt to use the command line.
To avoid data loss, never power cycle the physical or virtual machine (by using the power button or any of the power control functionality in the ILOM for a physical machine, or by using the Reset command in the vSphere Client). Instead, access the root shell and run the poweroff command.
Reboot the Gateway after each Platform and Gateway patch to ensure that you get all the Gateway service updates. Failure to reboot can result in missing functionality in the Gateway main menu.
Patch Log Files
Log files for the patching process are located here:
/opt/SecureSpan/Controller/var/logs/patches.log
/opt/SecureSpan/Controller/var/logs/patch_cli*.log