Before you can install Apigee mTLS, you must ensure that you have not disabled localhost and that you have replaced the default firewall service (in many cases, firewalld) with iptables on the nodes in your cluster.
Back up your Cassandra, Zookeeper, and Postgres data
Before installing Apigee mTLS, you should back up the data for the following components:
- apigee-cassandra
- apigee-zookeeper
- apigee-postgresql
For instructions on how to back up the data for these components, see How to back up.
Ensure that the loopback address is enabled
Apigee mTLS requires that the localhost loopback address is enabled. The IP address 127.0.0.1 must be routable and it must resolve to localhost on every node in the cluster. The Consul proxy servers in the service mesh depend on this.
If you have previously disabled the localhost loopback address, you must re-enable it on all nodes in your cluster.
Replace the default firewall
The default firewall on CentOS and Red Hat Enterprise Linux (RHEL) is firewalld. However, Apigee mTLS requires that you use iptables as your firewall instead. As a result, you must:
- Disable and remove firewalld, if installed, AND
- Install iptables on each node and ensure that it's running.
This section describes how to perform these tasks. The order of the nodes on which you do this does not matter.
To uninstall firewalld and ensure iptables is installed and running:
- Log in to the node as the root user.
- Stop all components by executing the following command:
  /opt/apigee/apigee-service/bin/apigee-all stop
- Disable and uninstall firewalld:
  - Stop the firewalld service by executing the following command:
    systemctl stop firewalld
  - Disable the firewalld service and mask it by executing the following commands:
    systemctl disable firewalld
    systemctl mask --now firewalld
  - Remove the firewalld service with yum by executing the following command:
    yum remove firewalld
  - Reset all services that have a failed status by executing the following command:
    systemctl reset-failed
  - Reload all services by executing the following command:
    systemctl daemon-reload
- Install iptables:
  - Install the iptables and iptables-services packages by executing the following command:
    yum install iptables iptables-services
  - Reload running services by executing the following command:
    systemctl daemon-reload
  - Enable iptables by executing the following command:
    systemctl enable iptables ip6tables
  - Start the iptables and ip6tables services by executing the following command:
    systemctl start iptables ip6tables
- Repeat this process for each node in the cluster.
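A per-node pre-flight check for the two prerequisites above (127.0.0.1 resolving to localhost, firewalld no longer active, iptables and ip6tables running), written here as an added example rather than as part of Apigee's own tooling. The script name preflight.sh and its --run flag are assumptions; it reads the same systemctl and getent output an operator would inspect by hand.

```shell
#!/bin/sh
# preflight.sh (hypothetical): verify the Apigee mTLS node prerequisites.
# Run as root on each node:  sh preflight.sh --run

# Reads hosts-style lines on stdin (from /etc/hosts or "getent hosts localhost")
# and returns 0 only if an uncommented 127.0.0.1 entry names "localhost".
loopback_ok() {
  grep -Ev '^[[:space:]]*#' |
    awk '$1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == "localhost") found = 1 }
         END { exit found ? 0 : 1 }'
}

# Args: "systemctl is-active" results for firewalld, iptables, ip6tables.
# Returns 0 only when firewalld is not running and both iptables units are active.
firewall_ok() {
  fwd="$1"; ipt="$2"; ip6="$3"
  case "$fwd" in
    active|activating|reloading) return 1 ;;
  esac
  [ "$ipt" = "active" ] && [ "$ip6" = "active" ]
}

main() {
  rc=0
  if getent hosts localhost | loopback_ok; then
    echo "OK   127.0.0.1 resolves to localhost"
  else
    echo "FAIL localhost loopback is not resolvable; re-enable it on this node"
    rc=1
  fi
  # A removed or masked unit reports "inactive"/"unknown", which counts as gone.
  fwd=$(systemctl is-active firewalld 2>/dev/null || true)
  ipt=$(systemctl is-active iptables 2>/dev/null || true)
  ip6=$(systemctl is-active ip6tables 2>/dev/null || true)
  if firewall_ok "$fwd" "$ipt" "$ip6"; then
    echo "OK   firewalld not running; iptables and ip6tables active"
  else
    echo "FAIL firewalld=$fwd iptables=$ipt ip6tables=$ip6"
    rc=1
  fi
  return $rc
}

case "${1:-}" in
  --run) main ;;
esac
```

A non-zero exit means the node is not ready; rerun after the steps above have been completed on that node.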