Configuring TLS between a Router and a Message Processor

Edge for Private Cloud v. 4.16.09

By default, TLS between the Router and Message Processor is disabled.

Use the following procedure to enable TLS encryption between a Router and the Message Processor:

  1. Ensure that port 8082 on the Message Processor is accessible by the Router.
  2. Generate the keystore JKS file containing your TLS certificate and private key. For more information, see Configuring TLS/SSL for Edge On Premises.
  3. Copy the keystore JKS file to a directory on the Message Processor server, such as /opt/apigee/customer/application.
  4. Change permissions and ownership of the JKS file:
    > chown apigee:apigee /opt/apigee/customer/application/keystore.jks
    > chmod 600 /opt/apigee/customer/application/keystore.jks

    where keystore.jks is the name of your keystore file.
  5. Edit the file /opt/apigee/customer/application/ If the file does not exist, create it.
  6. Set the following properties in the file:
    # Enter the obfuscated keystore password below.

    where keyStore.jks is your keystore file, and obsPword is your obfuscated keystore and keyalias password. See Configuring TLS/SSL for Edge On Premises for information on generating an obfuscated password.
  7. Ensure that the file is owned by the 'apigee' user:
    > chown apigee:apigee /opt/apigee/customer/application/
  8. Stop the Message Processors and Routers:
    > /opt/apigee/apigee-service/bin/apigee-service edge-message-processor stop
    > /opt/apigee/apigee-service/bin/apigee-service edge-router stop
  9. On the Router, delete any files in /opt/nginx/conf.d:
    > rm -f /opt/nginx/conf.d/*
  10. Start the Message Processors and Routers:
    > /opt/apigee/apigee-service/bin/apigee-service edge-message-processor start
    > /opt/apigee/apigee-service/bin/apigee-service edge-router start
  11. Repeat for any additional Message Processors.

The following table lists all of the available properties in


Description

<localhost or IP address>

Optional. Hostname to listen on for router connections. This will override the host name configured at registration.


Optional. Port to listen on for router connections. Default is 8998.

conf_message-processor-communication_local.http.ssl=<false | true>

Set this to true to enable TLS/SSL. Default is false. When TLS/SSL is enabled, you must set local.http.ssl.keystore.path and local.http.ssl.keyalias.


Local file system path to the keystore (JKS or PKCS12). Mandatory when local.http.ssl=true.


Key alias from the keystore to be used for TLS/SSL connections. Mandatory when local.http.ssl=true.


Password used for encrypting the key inside the keystore. Use an obfuscated password in this format: OBF:xxxxxxxxxx


Keystore type. Only JKS and PKCS12 are currently supported. Default is JKS.


Optional. Obfuscated password for the keystore. Use an obfuscated password in this format: OBF:xxxxxxxxxx


Optional. When configured, only the ciphers listed are allowed. If omitted, all ciphers supported by the JDK are used.
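
A pre-flight check to run before restarting the components, covering the keystore permissions and ownership steps of the procedure and the rule that local.http.ssl=true requires local.http.ssl.keystore.path and local.http.ssl.keyalias. This is an added example, not part of the Edge distribution; the function names prop, owned_600, check_mp_tls and demo are hypothetical, and the properties file path is supplied by the caller.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the Message Processor TLS settings on this page.
# Keys are matched by the name suffixes the page uses, so any file-specific prefix is ignored.

# prop FILE SUFFIX: value of the last non-comment key=value line whose key ends in SUFFIX
prop() {
  awk -v s="$2" '/^[ \t]*#/ { next }
    { i = index($0, "="); if (!i) next
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (length(k) >= length(s) && substr(k, length(k) - length(s) + 1) == s) val = v }
    END { print val }' "$1"
}

# owned_600 FILE OWNER: true only if FILE is exactly mode 600 and owned by OWNER
owned_600() { [ -n "$(find "$1" -prune -perm 600 -user "$2" 2>/dev/null)" ]; }

# check_mp_tls PROPS OWNER: print findings; exit status is the number of problems found
check_mp_tls() {
  local props=$1 owner=$2 bad=0 ks
  if [ "$(prop "$props" local.http.ssl)" != "true" ]; then
    echo "FAIL: local.http.ssl is not true, so TLS is disabled"; return 1
  fi
  [ -n "$(prop "$props" local.http.ssl.keyalias)" ] ||
    { echo "FAIL: local.http.ssl.keyalias is not set"; bad=$((bad + 1)); }
  ks=$(prop "$props" local.http.ssl.keystore.path)
  if [ -z "$ks" ]; then
    echo "FAIL: local.http.ssl.keystore.path is not set"; bad=$((bad + 1))
  elif [ ! -f "$ks" ]; then
    echo "FAIL: keystore $ks not found"; bad=$((bad + 1))
  elif ! owned_600 "$ks" "$owner"; then
    echo "FAIL: $ks must be mode 600 and owned by $owner"; bad=$((bad + 1))
  fi
  [ -n "$(find "$props" -prune -user "$owner" 2>/dev/null)" ] ||
    { echo "FAIL: $props must be owned by $owner"; bad=$((bad + 1)); }
  return "$bad"
}

# Constructed sample: a scratch directory stands in for /opt/apigee/customer/application
# and the current uid stands in for the apigee user. Key names are written as on this page.
demo() {
  local d; d=$(mktemp -d) || return 99
  : > "$d/keystore.jks"; chmod 644 "$d/keystore.jks"   # deliberately too permissive
  printf '%s\n' "conf_message-processor-communication_local.http.ssl=true" \
    "local.http.ssl.keystore.path=$d/keystore.jks" \
    "local.http.ssl.keyalias=mykey" > "$d/mp.properties"
  check_mp_tls "$d/mp.properties" "$(id -u)"; local rc=$?
  rm -rf "$d"; return "$rc"
}
```

On a Message Processor, call check_mp_tls with the path of the properties file you edited and apigee as the owner; a non-zero exit status means at least one finding was printed.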