Before you begin

This section describes additional tasks (beyond the requirements) that you must perform before you can install Apigee mTLS. These tasks include:

  • Ensuring that you have not disabled localhost.
  • Replacing your default firewall service (in many cases, firewalld) with iptables on all nodes in your cluster.
  • Backing up your Cassandra, ZooKeeper, and Postgres data.

Each of these tasks is described in the sections that follow.

Back up your Cassandra, ZooKeeper, and Postgres data

During the installation and configuration of Apigee mTLS, you will reinstall Cassandra and Postgres on their respective nodes. As a result, you should back up the data for the following components:

  • apigee-cassandra
  • apigee-postgresql
  • apigee-zookeeper

While you do not reinstall ZooKeeper in your cluster, Apigee recommends that you back up its data prior to installing Apigee mTLS.

For instructions on how to back up the data for these components, see How to back up.

Ensure that the loopback address is enabled

Apigee mTLS requires that the localhost loopback address is enabled. The IP address 127.0.0.1 must be routable and it must resolve to localhost on every node in the cluster. The Consul proxy servers in the service mesh depend on this.

If you have previously disabled the localhost loopback address, you must re-enable it on all nodes in your cluster.

Replace the default firewall

The default firewall on CentOS and RedHat Enterprise Linux (RHEL) is firewalld. However, Apigee mTLS requires that you use iptables as your firewall instead. As a result, you must:

  1. Disable and remove firewalld, if installed.
  2. Install iptables on each node and ensure that it's running.

This section describes how to perform these tasks.

The order of the nodes on which you do this does not matter.

To uninstall firewalld and ensure iptables is installed and running:

  1. Log in to the node as the root user.
  2. Stop all components by executing the following command:
    /opt/apigee/apigee-service/bin/apigee-all stop
  3. Disable and uninstall firewalld:
    1. Stop the firewalld service by executing the following command:
      systemctl stop firewalld
    2. Disable the firewalld service and mask it by executing the following commands:
      systemctl disable firewalld
      systemctl mask --now firewalld
    3. Remove the firewalld service with yum by executing the following command:
      yum remove firewalld
    4. Reset all services that have a failed status by executing the following command:
      systemctl reset-failed
    5. Reload all services by executing the following command:
      systemctl daemon-reload
  4. Install iptables:
    1. Install the iptables and iptables-services packages by executing the following command:
      yum install iptables iptables-services
    2. Reload running services by executing the following command:
      systemctl daemon-reload
    3. Enable iptables by executing the following command:
      systemctl enable iptables ip6tables
    4. Start the iptables and ip6tables services by executing the following command:
      systemctl start iptables ip6tables
  5. Repeat this process for each node in the cluster.
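The following preflight script checks the prerequisites from this section on a node (127.0.0.1 routable and mapped to localhost, firewalld removed or masked, iptables and ip6tables enabled and active). It is an added example, not part of Apigee's tooling; the function names are my own, and the hosts-file parser takes a path so it can be exercised against a constructed file.

```shell
#!/bin/sh
# Preflight check for the Apigee mTLS prerequisites above. Run as root on
# each node after the firewall swap. Added example, not Apigee's own script.
set -u

# Does the hosts file map 127.0.0.1 to the name "localhost"?
# $1: path to a hosts file (defaults to /etc/hosts).
loopback_maps_to_localhost() {
  hosts_file="${1:-/etc/hosts}"
  awk '
    $1 ~ /^#/ { next }                       # skip comment lines
    $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == "localhost") found = 1 }
    END { if (found) exit 0; exit 1 }
  ' "$hosts_file"
}

# Is 127.0.0.1 routable (loopback interface up and a local route present)?
loopback_is_routable() {
  ip route get 127.0.0.1 >/dev/null 2>&1
}

# firewalld must be gone: package removed, or at least the unit masked.
firewalld_is_removed_or_masked() {
  if rpm -q firewalld >/dev/null 2>&1; then
    [ "$(systemctl is-enabled firewalld 2>/dev/null)" = "masked" ]
  else
    return 0
  fi
}

# A unit is ready when it is enabled at boot and currently active.
unit_enabled_and_active() {
  systemctl is-enabled --quiet "$1" && systemctl is-active --quiet "$1"
}

# Run one check, print PASS/FAIL with its name, and pass through its status.
report() {
  if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; return 1; fi
}

# Run every check; return non-zero if any of them failed.
run_preflight() {
  failed=0
  report loopback_maps_to_localhost /etc/hosts || failed=1
  report loopback_is_routable || failed=1
  report firewalld_is_removed_or_masked || failed=1
  report unit_enabled_and_active iptables || failed=1
  report unit_enabled_and_active ip6tables || failed=1
  return "$failed"
}

[ "${1:-}" = "--run" ] && run_preflight
```

Invoke it as `sh preflight.sh --run` on each node; a non-zero exit means at least one prerequisite is not met.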