Configuring TLS between a Router and a Message Processor

Edge for Private Cloud v4.19.01

By default, TLS between the Router and Message Processor is disabled.

Use the following procedure to enable TLS encryption between a Router and the Message Processor:

1. Ensure that port 8082 on the Message Processor is accessible by the Router.
2. Generate the keystore JKS file containing your TLS certification and private key. For more, see Configuring TLS/SSL for Edge On Premises.
3. Copy the keystore JKS file to a directory on the Message Processor server, such as /opt/apigee/customer/application.
4. Change permissions and ownership of the JKS file:

   chown apigee:apigee /opt/apigee/customer/application/keystore.jks
   chmod 600 /opt/apigee/customer/application/keystore.jks

   Where keystore.jks is the name of your keystore file.

5. Edit the file /opt/apigee/customer/application/message-processor.properties. If the file does not exist, create it.
6. Set the following properties in the message-processor.properties file:

   conf_message-processor-communication_local.http.ssl=true
   conf/message-processor-communication.properties+local.http.port=8443
   conf/message-processor-communication.properties+local.http.ssl.keystore.type=jks
   conf/message-processor-communication.properties+local.http.ssl.keystore.path=/opt/apigee/customer/application/keystore.jks
   conf/message-processor-communication.properties+local.http.ssl.keyalias=apigee-devtest
   # Enter the obfuscated keystore password below.
   conf/message-processor-communication.properties+local.http.ssl.keystore.password=OBF:obsPword

   Where keystore.jks is your keystore file, and obsPword is your obfuscated keystore and keyalias password. See Configuring TLS/SSL for Edge On Premises for information on generating an obfuscated password.

7. Ensure that the message-processor.properties file is owned by the 'apigee' user:

   chown apigee:apigee /opt/apigee/customer/application/message-processor.properties

8. Stop the Message-Processors and Routers:

   /opt/apigee/apigee-service/bin/apigee-service edge-message-processor stop
   /opt/apigee/apigee-service/bin/apigee-service edge-router stop

9. On the Router, delete any files in /opt/nginx/conf.d:

   rm -f /opt/nginx/conf.d/*

10. Start the Message-Processors and Routers:

    /opt/apigee/apigee-service/bin/apigee-service edge-message-processor start
    /opt/apigee/apigee-service/bin/apigee-service edge-router start

11. Repeat for any additional Message Processors.

After TLS is enabled between the Router and Message Processor, the Message Processor log file contains this INFO message:

MessageProcessorHttpSkeletonFactory.configureSSL() : Instantiating Keystore of type: jks

This INFO statement confirms that TLS is working between the Router and Message Processor.

The following table lists all of the available properties in message-processor.properties:

conf_message-processor-communication_local.
  http.host=localhost_or_IP_address

conf/message-processor-communication.
  properties+local.http.port=8998

conf_message-processor-communication_local.
  http.ssl=[ false | true ]

conf/message-processor-communication.
  properties+local.http.ssl.keystore.path=

conf/message-processor-communication.
  properties+local.http.ssl.keyalias=

conf/message-processor-communication.
  properties+local.http.ssl.keyalias.password=

conf/message-processor-communication.
  properties+local.http.ssl.keystore.type=jks

conf/message-processor-communication.
  properties+local.http.ssl.keystore.password=

conf_message-processor-communication_local.
  http.ssl.ciphers=cipher1,cipher2