TLS (Transport Layer Security, whose predecessor is SSL) is the standard security technology for ensuring secure, encrypted messaging across your API environment, from apps to Apigee Edge to your back-end services.
Regardless of how your management API environment is configured (for example, whether or not a proxy, a router, or a load balancer sits in front of the management API), Edge lets you enable and configure TLS, giving you control over message encryption in your on-premises API management environment.
For an on-premises installation of Edge Private Cloud, there are several places where you can configure TLS:
- Between a Router and Message Processor
- For access to the Edge management API
- For access to the Edge management UI
- For access to the new Edge UI
- For access from an app to your APIs
- For access from Edge to your backend services
For a complete overview of configuring TLS on Edge, see TLS/SSL.
Creating a JKS file
For many TLS configurations, you represent the keystore as a JKS file, where the keystore contains your TLS certificate and private key. There are several ways to create a JKS file, but one way is to use the openssl and keytool utilities.
For example, suppose you have a PEM file named server.pem containing your TLS certificate and a PEM file named private_key.pem containing your private key. Use the following command to create the PKCS12 file:
openssl pkcs12 -export -clcerts -in server.pem -inkey private_key.pem -out keystore.pkcs12
You have to enter the passphrase for the key, if it has one, and an export password. This command creates a PKCS12 file named keystore.pkcs12.
Use the following command to convert it to a JKS file named keystore.jks:
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks
You are prompted to enter the new password for the JKS file, and the existing password for the PKCS12 file. Make sure you use the same password for the JKS file as you used for the PKCS12 file.
If you have to specify a key alias, such as when configuring TLS between a Router and Message Processor, include the -name option in the openssl command:
openssl pkcs12 -export -clcerts -in server.pem -inkey private_key.pem -out keystore.pkcs12 -name devtest
Then include the -alias option in the keytool command:
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks -alias devtest
Generating an obfuscated password
Some parts of the Edge TLS configuration procedure require you to enter an obfuscated password in a configuration file. An obfuscated password is a more secure alternative to entering your password in plain text. Keep in mind that obfuscation is not encryption: it prevents the password from being read at a glance, so the configuration file still needs restrictive file permissions.
You can generate an obfuscated password by using the following command on the Edge Management Server:
/opt/apigee/apigee-service/bin/apigee-service edge-management-server generate-obfuscated-password
Enter the new password, and then confirm it at the prompt. For security reasons, the text of the password is not displayed. This command returns the password in the form:
OBF:58fh40h61svy156789gk1saj MD5:902fobg9d80e6043b394cb2314e9c6
Use the obfuscated password specified by OBF when configuring TLS.
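The following is an added example, not Apigee's own code. It assumes that the OBF: value printed by generate-obfuscated-password follows Jetty's password obfuscation scheme (the scheme the OBF: prefix denotes), which is reversible by design; round-tripping a value shows what the scheme hides and what it does not, and obf_token picks the OBF: field out of the tool's output line.

```python
# Added example (not Apigee's own code). Assumption: the OBF: value printed by
# generate-obfuscated-password follows Jetty's password obfuscation scheme.
# The scheme is reversible: it hides the password from a casual look at the
# file, but not from anyone who can read the file.

OBF_PREFIX = "OBF:"
_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def _base36(n: int) -> str:
    """Lowercase base-36, like Java's Integer.toString(n, 36)."""
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = _DIGITS[r] + out
    return out or "0"

def obfuscate(password: str) -> str:
    """Encode a plaintext password as an OBF: string."""
    b = password.encode("utf-8")
    parts = [OBF_PREFIX]
    for i, b1 in enumerate(b):
        b2 = b[len(b) - (i + 1)]          # the byte mirrored from the other end
        if b1 >= 0x80 or b2 >= 0x80:      # non-ASCII pair: 'U' marker + raw pair
            x = _base36(b1 * 256 + b2)
            parts.append("U" + x.rjust(4, "0"))
        else:                             # ASCII pair: sum/difference encoding
            x = _base36((127 + b1 + b2) * 256 + (127 + b1 - b2))
            parts.append(x.rjust(4, "0"))
    return "".join(parts)

def deobfuscate(obf: str) -> str:
    """Recover the plaintext from an OBF: string (inverse of obfuscate)."""
    s = obf[len(OBF_PREFIX):] if obf.startswith(OBF_PREFIX) else obf
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "U":
            out.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)
            i += 4
    return out.decode("utf-8")

def obf_token(tool_output: str) -> str:
    """Pick the OBF: field out of the tool's 'OBF:... MD5:...' output line."""
    tokens = [t for t in tool_output.split() if t.startswith(OBF_PREFIX)]
    if len(tokens) != 1:
        raise ValueError("expected exactly one OBF: field")
    return tokens[0]
```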
For more information, see this article.