Configuring TLS for the management API

By default, TLS is disabled for the management API and you access the Edge management API over HTTP by using the IP address of the Management Server node and port 8080. For example:

http://ms_IP:8080

Alternatively, you can configure TLS access to the management API so that you can access it in the form:

https://ms_IP:8443

In this example, you configure TLS access to use port 8443. However, that port number is not required by Edge - you can configure the Management Server to use other port values. The only requirement is that your firewall allows traffic over the specified port.

To ensure traffic encryption to and from your management API, configure the settings in the /opt/apigee/customer/application/management-server.properties file.

In addition to TLS configuration, you can also control password validation (password length and strength) by modifying the management-server.properties file.

Ensure that your TLS port is open

The procedure in this section configures TLS to use port 8443 on the Management Server. Regardless of the port that you use, you must ensure that the port is open on the Management Server. For example, you can use the following command to open it:

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT --verbose

Configure TLS

Edit the /opt/apigee/customer/application/management-server.properties file to control TLS use on traffic to and from your management API. If this file does not exist, create it.

To configure TLS access to the management API:

  1. Generate the keystore JKS file containing your TLS certification and private key. For more see Configuring TLS/SSL for Edge On Premises.
  2. Copy the keystore JKS file to a directory on the Management Server node, such as /opt/apigee/customer/application.
  3. Change ownership of the JKS file to the "apigee" user:
    chown apigee:apigee keystore.jks

    Where keystore.jks is the name of your keystore file.

  4. Edit /opt/apigee/customer/application/management-server.properties to set the following properties. If that file does not exist, create it:
    conf_webserver_ssl.enabled=true
    # Leave conf_webserver_http.turn.off set to false
    # because many Edge internal calls use HTTP.
    conf_webserver_http.turn.off=false
    conf_webserver_ssl.port=8443
    conf_webserver_keystore.path=/opt/apigee/customer/application/keystore.jks
    # Enter the obfuscated keystore password below.
    conf_webserver_keystore.password=OBF:obfuscatedPassword

    Where keyStore.jks is your keystore file, and obfuscatedPassword is your obfuscated keystore password. See Configuring TLS/SSL for Edge On Premises for information on generating an obfuscated password.

  5. Restart the Edge Management Server by using the command:
    /opt/apigee/apigee-service/bin/apigee-service edge-management-server restart

The management API now supports access over TLS.

Configure the Edge UI to use TLS to access the Edge API

In the procedure above, Apigee recommended leaving conf_webserver_http.turn.off=false so that the Edge UI can continue to make Edge API calls over HTTP.

Use the following procedure to configure the Edge UI to make these calls over HTTPS only:

  1. Configure TLS access to the management API as described above.
  2. After confirming that TLS is working for the management API, edit /opt/apigee/customer/application/management-server.properties to set the following property:
    conf_webserver_http.turn.off=true
  3. Restart the Edge Management Server by executing the following command:
    /opt/apigee/apigee-service/bin/apigee-service edge-management-server restart 
  4. Edit /opt/apigee/customer/application/ui.properties to set the following property for the Edge UI:
    conf_apigee_apigee.mgmt.baseurl="https://FQ_domain_name:port/v1"

    Where FQ_domain_name is the full domain name, as per your certificate address of the Management Server, and the port is the port specified above by conf_webserver_ssl.port.

    If ui.properties does not exist, create it.

  5. Only if you used a self-signed cert (not recommended in a production environment) when configuring TLS access to the management API above, add the following property to ui.properties:
    conf/application.conf+play.ws.ssl.loose.acceptAnyCertificate=true

    Otherwise, the Edge UI will reject a self-signed certificate.

  6. Restart the Edge UI by executing the following command:
    /opt/apigee/apigee-service/bin/apigee-service edge-ui restart

Using a PKCS12 keystore for FIPS-enabled operating systems

If you are using Edge for Private Cloud on a FIPS-enabled operating system, you must use a PKCS12 keystore. This is required to comply with FIPS standards. In addition to the other standard configurations mentioned in this article, add the following configuration to your management-server.properties file:

conf/webserver.properties+keystore.type=PKCS12

Make sure to apply this change if your environment is FIPS-enabled to ensure compatibility with the required encryption standards.

TLS properties for the Management Server

The following table lists all of the TLS/SSL properties that you can set in management-server.properties:

Properties Description

conf_webserver_http.port=8080

Default is 8080.

conf_webserver_ssl.enabled=false

To enable/disable TLS/SSL. With TLS/SSL enabled (true), you must also set the ssl.port and keystore.path properties.

conf_webserver_http.turn.off=true

To enable/disable http along with https. If you want to use only HTTPS, leave the default value to true.

conf_webserver_ssl.port=8443

The TLS/SSL port.

Required when TLS/SSL is enabled (conf_webserver_ssl.enabled=true).

conf_webserver_keystore.path=path

The path to your keystore file.

Required when TLS/SSL is enabled (conf_webserver_ssl.enabled=true).

conf_webserver_keystore.password=password

Use an obfuscated password in this format: OBF:xxxxxxxxxx

conf_webserver_cert.alias=alias

Optional keystore certificate alias

conf_webserver_keymanager.password=password

If your key manager has a password, enter an obfuscated version of the password in this format:

OBF:xxxxxxxxxx

conf_webserver_trust.all=[false | true]

conf_webserver_trust.store.path=path

conf_webserver_trust.store.password=password

Configure settings for your trust store. Determine whether you want to accept all TLS/SSL certificates (for example, to accept non-standard types). The default is false. Provide the path to your trust store, and enter an obfuscated trust store password in this format:

OBF:xxxxxxxxxx

conf_http_HTTPTransport.ssl.cipher.suites.blacklist=CIPHER_SUITE_1, CIPHER_SUITE_2

conf_http_HTTPTransport.ssl.cipher.suites.whitelist=

Indicate any cipher suites you want to include or exclude. For example, if you discover vulnerability in a cipher, you can exclude it here. Separate multiple ciphers with commas.

Any ciphers you remove via the blacklist will take precedence over any ciphers included via the whitelist.

Note: By default, if no blacklist or whitelist is specified, ciphers matching the following Java regular expression are excluded by default.

^.*_(MD5|SHA|SHA1)$
^TLS_RSA_.*$
^SSL_.*$
^.*_NULL_.*$
^.*_anon_.*$

However, if you do specify a blacklist, this filter is overridden, and you must blacklist all ciphers individually.

For information on cypher suites and cryptography architecture, see Java Cryptography Architecture Oracle Providers Documentation for JDK 8.

conf_webserver_ssl.session.cache.size=

conf_webserver_ssl.session.timeout=

Integers that determine:

  • The TLS/SSL session cache size (in bytes) for storing session information for multiple clients.
  • The amount of time TLS/SSL sessions can last before they time out (in milliseconds).