Configuring TLS for the management UI

Edge for Private Cloud v. 4.16.05

By default, you access the Edge management UI over HTTP by using the IP address of the Management Server node and port 9000. For example:

http://ms_IP:9000

Alternatively, you can configure TLS access to the management UI so that you can access it in the form:

https://ms_IP:9443

In this example, you configure TLS access to use port 9443. However, that port number is not required by Edge - you can configure the Management Server to use other port values. The only requirement is that your firewall allows traffic over the specified port.

Ensure that your TLS port is open

The procedure in this section configures TLS to use port 9443 on the Management Server. Regardless of the port that you use, you must ensure that the port is open on the Management Server. For example, you can use the following command to open it:

$ iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 9443 -j ACCEPT --verbose 

Configure TLS

Use the following procedure to configure TLS access to the management UI:

  1. Generate the keystore JKS file containing your TLS certification and private key and copy it to the Management Server node. For more information, see Configuring TLS/SSL for Edge On Premises.
  2. Run the following command to configure TLS:
    $ /<inst_root>/apigee/apigee-service/bin/apigee-service edge-ui configure-ssl
  3. Enter the HTTPS port number, for example, 9443.
  4. Specify if you want to disable HTTP access to the management UI. By default, the management UI is accessible over HTTP on port 9000.
  5. Enter the keystore algorithm. The default is JKS.
  6. Enter the absolute path to the keystore JKS file.

    The script copies the file to the /<inst_root>/apigee/customer/conf directory on the Management Server node, and changes the ownership of the file to apigee.
  7. Enter the clear text keystore password.
  8. The script then restarts the Edge management UI. After the restart, the management UI supports access over TLS.
    You can see these settings in /<inst_root>/apigee/etc/edge-ui.d/SSL.sh.

You can also pass a config file to the command instead of responding to prompts. The config file takes the following properties:

HTTPSPORT=9443
DISABLE_HTTP=y
KEY_ALGO=JKS
KEY_FILE_PATH=/tmp/mykeystore.jks
KEY_PASS=clearTextKeystorePWord

Then use the following command to configure TLS of the Edge UI:

/<inst_root>/apigee/apigee-service/bin/apigee-service edge-ui configure-ssl -f configFile