Setting TLS protocol for Router and Message Processor

Edge for Private Cloud v. 4.17.09

By default, the Router and Message Processor support TLS versions 1.0, 1.1, and 1.2. However, you might want to limit the protocols supported by the Router and Message Processor. This document describes how to set the protocol globally on the Router and Message Processor.

For the Router, you can also set the protocol for individual virtual hosts. See Configuring TLS access to an API for the Private Cloud for more.

For the Message Processor, you can set the protocol for an individual TargetEndpoint. See Configuring TLS from Edge to the backend (Cloud and Private Cloud) for more.

Set the TLS protocol on the Router

To set the TLS protocol on the Router, set properties in the router.properties file:

  1. Open the router.properties file in an editor. If the file does not exist, create it:
    > vi /opt/apigee/customer/application/router.properties
  2. Set the properties as desired:
    # Possible values are a space-delimited list of: TLSv1 TLSv1.1 TLSv1.2
    conf_load_balancing_load.balancing.driver.server.ssl.protocols=TLSv1.2
  3. Save your changes.
  4. Make sure the properties file is owned by the 'apigee' user:
    > chown apigee:apigee /opt/apigee/customer/application/router.properties
  5. Restart the Router:
    > /opt/apigee/apigee-service/bin/apigee-service edge-router restart
  6. Verify that the protocol is updated correctly by examining the Nginx file /opt/nginx/conf.d/0-default.conf:
    > cat /opt/nginx/conf.d/0-default.conf

    Ensure that the value for ssl_protocols is TLSv1.2.
  7. If you're using two-way TLS with a virtual host, you must also set the TLS protocol in the virtual host as described in Configuring TLS access to an API for the Private Cloud.

Set the TLS protocol on the Message Processor

To set the TLS protocol on the Message Processor, set properties in the message-processor.properties file:

  1. Open the message-processor.properties file in an editor. If the file does not exist, create it:
    > vi /opt/apigee/customer/application/message-processor.properties
  2. Set the properties as desired:
    # Possible values are a comma-delimited list of TLSv1, TLSv1.1, TLSv1.2
    conf/system.properties+https.protocols=TLSv1.2
    # Possible values are a comma-delimited list of SSLv3, TLSv1, TLSv1.1, TLSv1.2
    # Ensure that you include SSLv3.
    conf/jvmsecurity.properties+jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1

    # Configure the ciphers that need to be supported by the Message Processor (comma-delimited, on one line):
    communication_local.http.ssl.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  3. Save your changes.
  4. Make sure the properties file is owned by the 'apigee' user:
    > chown apigee:apigee /opt/apigee/customer/application/message-processor.properties
  5. Restart the Message Processor:
    > /opt/apigee/apigee-service/bin/apigee-service edge-message-processor restart
  6. If you're using two-way TLS with the backend, set the TLS protocol in the virtual host as described in Configuring TLS from Edge to the backend (Cloud and Private Cloud).
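As an added example (not Apigee's own tooling), the following POSIX shell checks verify the two results the Router and Message Processor procedures above ask you to confirm: that the Router's generated nginx ssl_protocols value is exactly the one you set, and that the Message Processor's jdk.tls.disabledAlgorithms names every protocol that https.protocols does not enable (the page's "ensure that you include SSLv3"). The demo writes constructed sample files to a temp directory; point the functions at the real paths from this page to check a live node.

```shell
#!/bin/sh
# Added example, not part of the Apigee documentation: offline checks for the
# two settings this page configures. Each function takes a file path, so it can
# be pointed at the live files or at constructed samples (see demo below).

# Succeeds if the last ssl_protocols directive in an nginx config equals $2
# exactly (nginx takes a space-delimited list, e.g. "TLSv1.2").
check_nginx_protocols() {
    actual=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$1" | tail -n 1)
    [ "$actual" = "$2" ]
}

# Succeeds if every protocol among SSLv3 TLSv1 TLSv1.1 TLSv1.2 that
# https.protocols does not enable is named in jdk.tls.disabledAlgorithms,
# i.e. nothing (SSLv3 in particular) is left neither enabled nor disabled.
check_mp_protocols() {
    enabled=$(sed -n 's#^conf/system.properties+https.protocols=##p' "$1" | tr -d ' ')
    disabled=$(sed -n 's#^conf/jvmsecurity.properties+jdk.tls.disabledAlgorithms=##p' "$1" | tr -d ' ')
    for proto in SSLv3 TLSv1 TLSv1.1 TLSv1.2; do
        case ",$enabled," in *",$proto,"*) continue ;; esac
        case ",$disabled," in
            *",$proto,"*) ;;
            *) echo "$1: $proto is neither enabled nor disabled" >&2; return 1 ;;
        esac
    done
}

# Demo on constructed sample files in a temp dir (not the real Apigee paths).
# The properties sample deliberately omits SSLv3 to show the check catching it.
demo() {
    d=$(mktemp -d)
    printf 'server {\n  listen 443 ssl;\n  ssl_protocols TLSv1.2;\n}\n' > "$d/0-default.conf"
    printf '%s\n' 'conf/system.properties+https.protocols=TLSv1.2' \
        'conf/jvmsecurity.properties+jdk.tls.disabledAlgorithms=TLSv1, TLSv1.1' > "$d/mp.properties"
    check_nginx_protocols "$d/0-default.conf" TLSv1.2 && echo "router: ssl_protocols ok"
    check_mp_protocols "$d/mp.properties" || echo "message processor: add SSLv3 to disabledAlgorithms"
    rm -rf "$d"
}
demo
```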