Configuring TLS/SSL for Edge On Premises

Edge for Private Cloud v. 4.17.09

TLS (Transport Layer Security, whose predecessor is SSL) is the standard security technology for ensuring secure, encrypted messaging across your API environment, from apps to Apigee Edge to your back-end services.

Regardless of the environment configuration for your management API—for example, whether you’re using a proxy, a router, and/or a load balancer in front of your management API (or not)— Edge lets you enable and configure TLS, giving you control over message encryption in your on-premise API management environment.

For an on-premises installation of Edge Private Cloud, there are several places where you can configure TLS:

  1. Between a Router and Message Processor
  2. For access to the Edge management API
  3. For access to the Edge management UI
  4. For access from an app to your APIs
  5. For access from Edge to your backend services

Configuring TLS for the first three items is described below. All of these procedures assume that you have created a JKS file containing your TLS certification and private key.

To configure TLS for access from an app to your APIs, #4 above, see Configuring TLS access to an API for the Private Cloud. To configure TLS for access from Edge to your backend services, #5 above, see Configuring TLS from Edge to the backend (Cloud and Private Cloud).

For a complete overview of configuring TLS on Edge, see TLS/SSL.

Creating a JKS file

You represent the keystore as a JKS file, where the keystore contains your TLS certificate and private key. There are several ways to create a JKS file, but one way is to use the openssl and keytool utilities.

For example, you have a PEM file named server.pem containing your TLS certificate and a PEM file named private_key.pem containing your private key. Use the following commands to create the PKCS12 file:

> openssl pkcs12 -export -clcerts -in server.pem -inkey private_key.pem -out keystore.pkcs12

You have to enter the passphrase for the key, if it has one, and an export password. This command creates a PKCS12 file named keystore.pkcs12.

Use the following command to convert it to a JKS file named keystore.jks:

> keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks

You are prompted to enter a new password for the JKS file, and the existing password for the PKCS12 file. Make sure you use the same password for the JKS file as you used for the PKCS12 file.

If you have to specify a key alias, such as when configuring TLS between a Router and Message Processor, include the "-name" option to the openssl command:

>  openssl pkcs12 -export -clcerts -in server.pem -inkey private_key.pem -out keystore.pkcs12 -name devtest

Then include the "-alias" option to the keytool command:

> keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks -alias devtest

Generating an obfuscated password

Some parts of the Edge TLS configuration procedure require you to enter an obfuscated password in a configuration file. An obfuscated password is a more secure alternative to entering your password in plain text.

You can generate an obfuscated password by using the following command on the Edge Management Server:

> /opt/apigee/apigee-service/bin/apigee-service edge-management-server generate-obfuscated-password

Enter the new password, and then confirm it at the prompt. For security reasons, the text of the password is not displayed. This command returns the password in the form:


Use the obfuscated password specified by OBF when configuring TLS.

For more information, see this article.