Edge for Private Cloud v4.19.01
TLS (Transport Layer Security, whose predecessor is SSL) is the standard security technology for ensuring secure, encrypted messaging across your API environment, from apps to Apigee Edge to your back-end services.
Regardless of the environment configuration for your management API—for example, whether you're using a proxy, a router, and/or a load balancer in front of your management API (or not); Edge lets you enable and configure TLS, giving you control over message encryption in your on-premise API management environment.
For an on-premises installation of Edge Private Cloud, there are several places where you can configure TLS:
- Between a Router and Message Processor
- For access to the Edge management API
- For access to the Edge management UI
- For access to the New Edge experience
- For access from an app to your APIs
- For access from Edge to your backend services
For a complete overview of configuring TLS on Edge, see TLS/SSL.
Creating a JKS file
For many TLS configurations, you represent the keystore as a JKS file, where the keystore contains your TLS certificate and private key. There are several ways to create a JKS file, but one way is to use the openssl and keytool utilities.
For example, you have a PEM file named server.pem
containing your TLS certificate
and a PEM file named private_key.pem containing your private key. Use the following commands to
create the PKCS12 file:
openssl pkcs12 -export -clcerts -in server.pem -inkey private_key.pem -out keystore.pkcs12
You have to enter the passphrase for the key, if it has one, and an export password. This
command creates a PKCS12 file named keystore.pkcs12
.
Use the following command to convert it to a JKS file named keystore.jks:
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks
You are prompted to enter the new password for the JKS file, and the existing password for the PKCS12 file. Make sure you use the same password for the JKS file as you used for the PKCS12 file.
If you have to specify a key alias, such as when configuring TLS between a Router and Message
Processor, include the -name
option to the openssl
command:
openssl pkcs12 -export -clcerts -in server.pem -inkey private_key.pem -out keystore.pkcs12 -name devtest
Then include the -alias
option to the keytool
command:
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks -alias devtest
Generating an obfuscated password
Some parts of the Edge TLS configuration procedure require you to enter an obfuscated password in a configuration file. An obfuscated password is a more secure alternative to entering your password in plain text.
You can generate an obfuscated password by using the following command on the Edge Management Server:
/opt/apigee/apigee-service/bin/apigee-service edge-management-server generate-obfuscated-password
Enter the new password, and then confirm it at the prompt. For security reasons, the text of the password is not displayed. This command returns the password in the form:
OBF:58fh40h61svy156789gk1saj MD5:902fobg9d80e6043b394cb2314e9c6
Use the obfuscated password specified by OBF when configuring TLS.
For more information, see this article.