To configure TLS, you have to configure the following on Edge:
- Repositories for TLS keys and certs:
  - Keystores: contains a TLS certificate and private key used to identify the entity during the TLS handshake. When you create the keystore and upload the TLS cert, you specify an alias name that is later used to reference the cert/key pair.
  - Truststores: contains certificates used to verify certificates received as part of the TLS handshake. A truststore is usually not required. It is used when you have to validate self-signed certificates received from the TLS server, or certificates that are not signed by a trusted CA. It is also required when performing two-way TLS with Edge acting as the TLS server.
- API proxy configuration that uses the certs in keystores and truststores:
  - Virtual Hosts: defines the domains and ports on which an API proxy is exposed and, by extension, the URL that apps use to access the API proxy. As part of configuring a virtual host, you optionally specify a keystore and truststore to configure TLS.
  - Target Endpoints/Target Servers: defines the endpoint of the backend system accessed by an API proxy. As part of configuring a target endpoint or target server, you configure it to support the TLS requirements of the backend system, including specifying a keystore and truststore.
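As an added example (not taken from the original page), here is where the keystore alias and truststore references appear in the two places described above: a virtual host `SSLInfo` for the inbound side, with two-way TLS so the truststore is required, and a TargetEndpoint `SSLInfo` for the outbound side. The host alias, backend URL, `ref://` reference names and key alias are assumed placeholders.

```xml
<!-- Inbound: virtual host where Edge is the TLS server.
     KeyStore/KeyAlias select the cert/key pair uploaded to the keystore;
     TrustStore is needed here because ClientAuthEnabled turns on two-way TLS. -->
<VirtualHost name="secure">
  <HostAliases>
    <HostAlias>api.example.com</HostAlias>   <!-- assumed hostname -->
  </HostAliases>
  <Interfaces/>
  <Port>443</Port>
  <SSLInfo>
    <Enabled>true</Enabled>
    <ClientAuthEnabled>true</ClientAuthEnabled>
    <KeyStore>ref://myKeystoreRef</KeyStore>       <!-- assumed reference name -->
    <KeyAlias>myKeyAlias</KeyAlias>                <!-- alias chosen at upload -->
    <TrustStore>ref://myTruststoreRef</TrustStore> <!-- assumed reference name -->
  </SSLInfo>
</VirtualHost>

<!-- Outbound: target endpoint where Edge is the TLS client.
     TrustStore is what lets Edge validate a self-signed or private-CA backend
     cert; KeyStore/KeyAlias are only needed if the backend demands client auth.
     IgnoreValidationErrors is kept false so an untrusted backend cert fails. -->
<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <URL>https://backend.example.com</URL>         <!-- assumed backend URL -->
    <SSLInfo>
      <Enabled>true</Enabled>
      <ClientAuthEnabled>true</ClientAuthEnabled>
      <KeyStore>ref://myKeystoreRef</KeyStore>
      <KeyAlias>myKeyAlias</KeyAlias>
      <TrustStore>ref://myTruststoreRef</TrustStore>
      <IgnoreValidationErrors>false</IgnoreValidationErrors>
    </SSLInfo>
  </HTTPTargetConnection>
</TargetEndpoint>
```

Using `ref://` references rather than literal keystore names lets you rotate certificates by repointing the reference without redeploying the virtual host or proxy.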
- Keystores and Truststores
- Configuring TLS access to an API for the Cloud
- Configuring TLS access to an API for the Private Cloud
- Configuring TLS from Edge to the backend (Cloud and Private Cloud)
- API proxy configuration reference
Cloud vs. Private Cloud configuration differences
Both Edge cloud and Edge for Private Cloud let you create and configure keystores and truststores.
The biggest difference between the two is that in a Cloud-based installation of Edge, only paid customers with a support plan can create and modify virtual hosts to configure TLS. Free and trial accounts are limited to the virtual hosts created for them at Edge registration time. Also, you must have a cert signed by a trusted entity, such as Symantec or VeriSign. You cannot use a self-signed cert, or leaf certificates signed by a self-signed CA. For more information on Edge pricing plans, see https://apigee.com/api-management/#/pricing.
Both cloud and Private Cloud customers can create and configure target endpoints and target servers.