Before you begin

Before you can install Apigee mTLS, you must ensure that you have not disabled localhost and that you have replaced a default firewall service (in many cases, firewalld) with iptables on the nodes in your cluster.

Back up your Cassandra, Zookeeper, and Postgres data

Before installing Apigee mTLS, you should back up the data for the following components:

apigee-cassandra
apigee-zookeeper
apigee-postgresql

For instructions on how to back up the data for these components, see How to back up.

Ensure that the loopback address is enabled

Apigee mTLS requires that the localhost loopback address is enabled. The IP address 127.0.0.1 must be routable and it must resolve to localhost on every node in the cluster. The Consul proxy servers in the service mesh depend on this.

If you have previously disabled the localhost loopback address, you must re-enable it on all nodes in your cluster.

Replace the default firewall

The default firewall on CentOS and RedHat Enterprise Linux (RHEL) is firewalld. However, Apigee mTLS requires that you use iptables as your firewall instead. As a result, you must:

Disable and remove firewalld, if installed.
AND
Install iptables on each node and ensure that it's running.

This section describes how to perform these tasks.

The order of the nodes on which you do this does not matter.

To uninstall firewalld and ensure iptables is installed and running:

Log in to the node as the root user.
Stop all components by executing the following command:
```
/opt/apigee/apigee-service/bin/apigee-all stop
```
Disable and uninstall firewalld:
NOTE: If your cluster node doesn't use firewalld, then you can skip to step 4.
1. Stop the firewalld service by executing the following command:
```
systemctl stop firewalld
```
2. Disable the firewalld service and mask it by executing the following commands:
```
systemctl disable firewalld
systemctl mask --now firewalld
```
3. Remove the firewalld service with yum by executing the following command:
```
yum remove firewalld
```
4. Reset all services that have a failed status by executing the following command:
```
systemctl reset-failed
```
5. Reload all services by executing the following command:
```
systemctl daemon-reload
```
Install iptables:
1. Install the iptables and iptables-services packages by executing the following command:
```
yum install iptables iptables-services
```
2. Reload running services by executing the following command:
```
systemctl daemon-reload
```
3. Enable iptables by executing the following command:
```
systemctl enable iptables ip6tables
```
4. Start the iptables and ip6tables services by executing the following command:
```
systemctl start iptables ip6tables
```
NOTE: This command starts both the iptables and ip6tables services.
Repeat this process for each node in the cluster.