Configuring TLS between a Router and a Message Processor

Edge for Private Cloud v. 4.17.01

By default, TLS between the Router and Message Processor is disabled.

Use the following procedure to enable TLS encryption between a Router and the Message Processor:

  1. Ensure that port 8082 on the Message Processor is accessible by the Router.
  2. Generate the keystore JKS file containing your TLS certification and private key. For more, see Configuring TLS/SSL for Edge On Premises.
  3. Copy the keystore JKS file to a directory on the Message Processor server, such as /opt/apigee/customer/application.
  4. Change permissions and ownership of the JKS file:
    > chown apigee:apigee /opt/apigee/customer/application/keystore.jks
    > chmod 600 /opt/apigee/customer/application/keystore.jks

    where keystore.jks is the name of your keystore file.
  5. Edit the file /opt/apigee/customer/application/message-processor.properties. If the file does not exist, create it.
  6. Set the following properties in the message-processor.properties file:
    conf_message-processor-communication_local.http.ssl=true
    conf/message-processor-communication.properties+local.http.port=8443
    conf/message-processor-communication.properties+local.http.ssl.keystore.type=jks
    conf/message-processor-communication.properties+local.http.ssl.keystore.path=/opt/apigee/customer/application/keyStore.jks
    conf/message-processor-communication.properties+local.http.ssl.keyalias=apigee-devtest
    # Enter the obfuscated keystore password below.
    conf/message-processor-communication.properties+local.http.ssl.keystore.password=OBF:obsPword

    where keyStore.jks is your keystore file, and obsPword is your obfuscated keystore and keyalias password. See Configuring TLS/SSL for Edge On Premises for information on generating an obfuscated password.
  7. Ensure that the message-processor.properties file is owned by the 'apigee' user:
    > chown apigee:apigee /opt/apigee/customer/application/message-processor.properties
  8. Stop the Message-Processors and Routers:
    /opt/apigee/apigee-service/bin/apigee-service edge-message-processor stop
    /opt/apigee/apigee-service/bin/apigee-service edge-router stop
  9. On the Router, delete any files in /opt/nginx/conf.d:
    > rm -f /opt/nginx/conf.d/*
  10. Start the Message-Processors and Routers:
    /opt/apigee/apigee-service/bin/apigee-service edge-message-processor start
    /opt/apigee/apigee-service/bin/apigee-service edge-router start
  11. Repeat for any additional Message Processors.

After TLS is enabled between the Router and Message Processor, the Message Processor log file contains this INFO message:

MessageProcessorHttpSkeletonFactory.configureSSL() : Instantiating Keystore of type: jks

This INFO statement confirms that TLS is working between the Router and Message Processor.

The following table lists all of the available properties in message-processor.properties:

Properties

Description

conf_message-processor-communication_local.http.host=<localhost or IP address>

Optional. Hostname to listen on for router connections. This will override the host name configured at registration.

conf/message-processor-communication.properties+local.http.port=8998

Optional. Port to listen on for router connections. Default is 8998.

conf_message-processor-communication_local.http.ssl=<false | true>

Set this to true to enable TLS/SSL. Default is false. When TLS/SSL is enabled, you must set local.http.ssl.keystore.path and local.http.ssl.keyalias.

conf/message-processor-communication.properties+local.http.ssl.keystore.path=

Local file system path to the keystore (JKS or PKCS12). Mandatory when local.http.ssl=true.

conf/message-processor-communication.properties+local.http.ssl.keyalias=

Key alias from the keystore to be used for TLS/SSL connections. Mandatory when local.http.ssl=true.

conf/message-processor-communication.properties+local.http.ssl.keyalias.password=

Password used for encrypting the key inside the keystore. Use an obfuscated password in this format: OBF:xxxxxxxxxx

conf/message-processor-communication.properties+local.http.ssl.keystore.type=jks

Keystore type. Only JKS and PKCS12 are currently supported. Default is JKS.

conf/message-processor-communication.properties+local.http.ssl.keystore.password=

Optional. Obfuscated password for the keystore. Use an obfuscated password in this format: OBF:xxxxxxxxxx

conf_message-processor-communication_local.http.ssl.ciphers=<cipher1,cipher2>

Optional. When configured, only the ciphers listed are allowed. If omitted, use all ciphers supported by the JDK.