Configuring TLS 1.3 for northbound traffic

This page explains how to configure TLS 1.3 in Apigee Routers for northbound traffic (traffic between a client and the Router).

See Virtual hosts for more information about virtual hosts.

Enable TLS 1.3 for all TLS-based virtual hosts in a Router

Use the following procedure to enable TLS 1.3 for all TLS-based virtual hosts in a Router:

  1. On the Router, open the following properties file in an editor.
    /opt/apigee/customer/application/router.properties

    If the file doesn't exist, create it.

  2. Add the following line to the properties file:
    conf_load_balancing_load.balancing.driver.server.ssl.protocols=TLSv1 TLSv1.1 TLSv1.2 TLSv1.3

    List only the TLS protocol versions you want the Router to accept. The protocols are space-separated and case sensitive. TLS 1.0 and TLS 1.1 are deprecated (RFC 8996), so a hardened Router would normally list only TLSv1.2 TLSv1.3; keep the older versions only while you still have clients that cannot negotiate anything newer.

  3. Save the file.
  4. Ensure the file is owned by apigee user:
    chown apigee:apigee /opt/apigee/customer/application/router.properties
  5. Restart the Router:
    /opt/apigee/apigee-service/bin/apigee-service edge-router restart
  6. Repeat the steps above on all Router nodes one by one.

Enable TLS 1.3 for specific virtual hosts only

This section explains how to enable TLS 1.3 for specific virtual hosts only. The Management server must first be allowed to accept TLS 1.3 in a virtual host definition, so begin with the following steps on the Management server nodes:

  1. On each Management server node, edit the file /opt/apigee/customer/application/management-server.properties and add the following line. (If the file doesn’t exist, create it.)
    conf_virtualhost_virtual.host.allowed.protocol.list=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3

    For this file, the protocols are comma-separated (and case sensitive). This list is the set of protocols a virtual host may name in its ssl_protocols property; a virtual host can only request protocols that appear here, so if you intend to drop TLS 1.0 and 1.1 from every virtual host you can also omit them from this list.

  2. Save the file.
  3. Ensure the file is owned by apigee user:
    chown apigee:apigee /opt/apigee/customer/application/management-server.properties
  4. Restart the Management server:
    /opt/apigee/apigee-service/bin/apigee-service edge-management-server restart
  5. Repeat the steps above on all Management server nodes one by one.
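The two properties-file procedures above (router.properties, space-separated, and management-server.properties, comma-separated) are the same edit with a different key, separator and service. The script below is an added example, not Apigee's own tooling: it validates the protocol tokens (case sensitive, only the four names Apigee recognises), writes the key idempotently so a second run does not leave duplicate lines, and only touches ownership or restarts a service when APPLY is set. The paths and service names are the ones this page gives; the function names, the APPLY and PROTOCOLS variables and the TLSv1.2/TLSv1.3 defaults are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the Apigee documentation): set the TLS protocol list
# in router.properties or management-server.properties and restart the component.
# Run once per node, one node at a time, as the page instructs.
set -u

APIGEE_ROOT=/opt/apigee
ROUTER_PROPS=$APIGEE_ROOT/customer/application/router.properties
MS_PROPS=$APIGEE_ROOT/customer/application/management-server.properties
APIGEE_SERVICE=$APIGEE_ROOT/apigee-service/bin/apigee-service

# Accept only the protocol names Apigee recognises, spelled exactly (case
# sensitive). $1 is the list, $2 the separator it uses (" " or ",").
validate_protocols() {
  list=$(printf '%s' "$1" | tr "$2" ' ')
  [ -n "$list" ] || return 1
  for p in $list; do
    case "$p" in
      TLSv1|TLSv1.1|TLSv1.2|TLSv1.3) ;;
      *) printf 'unknown protocol token: %s\n' "$p" >&2; return 1 ;;
    esac
  done
}

# Replace an existing "key=value" line or append one; creates the file if it
# is missing. Writes through a temp file so an interrupted run cannot leave a
# truncated properties file behind.
set_property() {
  file=$1 key=$2 value=$3
  [ -f "$file" ] || : > "$file"
  awk -v k="$key" -v v="$value" '
    index($0, k "=") == 1 { print k "=" v; found = 1; next }
    { print }
    END { if (!found) print k "=" v }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Read a key back, so a run can prove what is now on disk.
get_property() {
  awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# Router procedure: space-separated list, chown, restart edge-router.
configure_router() {
  validate_protocols "$1" ' ' || return 1
  set_property "$ROUTER_PROPS" conf_load_balancing_load.balancing.driver.server.ssl.protocols "$1"
  chown apigee:apigee "$ROUTER_PROPS"
  "$APIGEE_SERVICE" edge-router restart
  printf 'router now has: %s\n' "$(get_property "$ROUTER_PROPS" conf_load_balancing_load.balancing.driver.server.ssl.protocols)"
}

# Management server procedure: comma-separated list, chown, restart.
configure_management_server() {
  validate_protocols "$1" ',' || return 1
  set_property "$MS_PROPS" conf_virtualhost_virtual.host.allowed.protocol.list "$1"
  chown apigee:apigee "$MS_PROPS"
  "$APIGEE_SERVICE" edge-management-server restart
  printf 'management server now has: %s\n' "$(get_property "$MS_PROPS" conf_virtualhost_virtual.host.allowed.protocol.list)"
}

# Only act when APPLY names the component; otherwise the file just defines
# the functions. PROTOCOLS overrides the hardened default (no TLS 1.0/1.1).
case "${APPLY:-}" in
  router)            configure_router "${PROTOCOLS:-TLSv1.2 TLSv1.3}" ;;
  management-server) configure_management_server "${PROTOCOLS:-TLSv1.2,TLSv1.3}" ;;
esac
```

On a Router node run it as root with `APPLY=router`, on a Management server node with `APPLY=management-server`; pass `PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"` (or the comma form) only if you really need the deprecated versions.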
  6. Create (or update an existing) virtual host with the following property. Note that the protocols are space-separated and case sensitive.
    "properties": {
        "property": [
          {
            "name": "ssl_protocols",
            "value": "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
          }
        ]
    }

    A sample vhost with this property is shown below:

    {
      "hostAliases": [
        "api.myCompany.com"
      ],
      "interfaces": [],
      "listenOptions": [],
      "name": "secure",
      "port": "443",
      "retryOptions": [],
      "properties": {
        "property": [
          {
            "name": "ssl_protocols",
            "value": "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
          }
        ]
      },
      "sSLInfo": {
        "ciphers": [],
        "clientAuthEnabled": "false",
        "enabled": "true",
        "ignoreValidationErrors": false,
        "keyAlias": "myCompanyKeyAlias",
        "keyStore": "ref://myCompanyKeystoreref",
        "protocols": []
      },
      "useBuiltInFreeTrialCert": false
    }
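Step 6 says to create or update the virtual host but not how to send the definition. The script below is an added example, not Apigee code: it builds the body shown above with a chosen ssl_protocols value, sends it to the standard Edge management API (PUT on .../virtualhosts/{name} updates an existing host; POST on .../virtualhosts creates one), then reads the host back and extracts the property so you can confirm what was stored. The management server URL, organization and environment names, the admin credentials variable and the TLSv1.2 TLSv1.3 choice are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the Apigee documentation): push the ssl_protocols
# property to a virtual host through the Edge management API and read it back.
set -u

MS_URL=${MS_URL:-http://localhost:8080}      # management server, assumed reachable
ORG=${ORG:-myorg}                            # assumed organization name
APIGEE_ENV=${APIGEE_ENV:-prod}               # assumed environment name

# Emit the virtual host JSON from the page with the TLS settings filled in.
# $1 name, $2 port, $3 host alias, $4 keystore reference, $5 key alias,
# $6 space-separated ssl_protocols value (case sensitive).
vhost_body() {
  cat <<EOF
{
  "hostAliases": ["$3"],
  "interfaces": [],
  "listenOptions": [],
  "name": "$1",
  "port": "$2",
  "retryOptions": [],
  "properties": {
    "property": [
      { "name": "ssl_protocols", "value": "$6" }
    ]
  },
  "sSLInfo": {
    "ciphers": [],
    "clientAuthEnabled": "false",
    "enabled": "true",
    "ignoreValidationErrors": false,
    "keyAlias": "$5",
    "keyStore": "$4",
    "protocols": []
  },
  "useBuiltInFreeTrialCert": false
}
EOF
}

# Pull the ssl_protocols value out of a virtual host JSON document (the body
# we sent, or the GET response). Newlines are dropped first so the name/value
# pair is matched even when the server pretty-prints one key per line; it
# expects "name" to precede "value", which is how Edge returns it.
vhost_ssl_protocols() {
  printf '%s\n' "$1" | tr -d '\n' \
    | sed -n 's/.*"name": *"ssl_protocols", *"value": *"\([^"]*\)".*/\1/p'
}

# PUT the body to an existing virtual host, then GET it back. $1 name, $2 body.
# APIGEE_ADMIN holds "user:password" for a sysadmin account (basic auth).
update_vhost() {
  curl -sS -u "$APIGEE_ADMIN" -X PUT -H 'Content-Type: application/json' \
    "$MS_URL/v1/organizations/$ORG/environments/$APIGEE_ENV/virtualhosts/$1" \
    -d "$2" >/dev/null
  curl -sS -u "$APIGEE_ADMIN" \
    "$MS_URL/v1/organizations/$ORG/environments/$APIGEE_ENV/virtualhosts/$1"
}

# Only talk to a management server when credentials were supplied.
if [ -n "${APIGEE_ADMIN:-}" ]; then
  body=$(vhost_body secure 443 api.myCompany.com ref://myCompanyKeystoreref myCompanyKeyAlias 'TLSv1.2 TLSv1.3')
  stored=$(update_vhost secure "$body")
  printf 'virtual host "secure" now allows: %s\n' "$(vhost_ssl_protocols "$stored")"
fi
```

The value you send must be drawn from the Management server's conf_virtualhost_virtual.host.allowed.protocol.list; a name that is not in that list, or spelled with different case, is not accepted.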

Testing TLS 1.3

To test TLS 1.3, enter the following command:

    curl -v --tlsv1.3 "https://api.myCompany.com/testproxy"

TLS 1.3 can only be tested from a client that supports the protocol: curl must be built against a TLS library with TLS 1.3 support (OpenSSL 1.1.1 or later), which curl --version reports. If TLS 1.3 is not enabled on the virtual host, the handshake fails with an error such as the following (the exact alert text depends on the server's TLS stack):

    sslv3 alert handshake failure
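A single curl call shows whether TLS 1.3 works, but after a hardening change you also want proof that the deprecated versions are now refused. The script below is an added example, not Apigee's own test: it forces one protocol version per openssl s_client handshake, classifies each result from s_client's "New, <proto>, Cipher is <cipher>" summary line (which reads "(NONE)" when no session was set up, a more reliable signal than the SSL-Session block, which s_client prints even for a failed handshake), and checks the hardened policy of 1.3 and 1.2 accepted, 1.1 and 1.0 rejected. The sample s_client excerpts are constructed for illustration, and the TLS_HOST/TLS_PORT guard is an assumption of the example; -tls1_3 needs OpenSSL 1.1.1 or later, and some builds omit -tls1 and -tls1_1 entirely.

```shell
#!/bin/sh
# Added example (not from the Apigee documentation): probe a Router virtual
# host for each TLS version and report what it negotiated.
set -u

# Cipher from the "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384" summary line.
negotiated_cipher()   { printf '%s\n' "$1" | awk -F'Cipher is ' '/^New, / { print $2; exit }'; }
# Version from the "Protocol  : TLSv1.3" line of the SSL-Session block.
negotiated_protocol() { printf '%s\n' "$1" | awk -F': *' '/^ *Protocol *:/ { print $2; exit }'; }

# Turn raw s_client output into "accepted <proto> <cipher>" or "rejected <alert>".
classify_handshake() {
  cipher=$(negotiated_cipher "$1")
  case "$cipher" in
    ""|"(NONE)")
      # e.g. "sslv3 alert handshake failure" or "tlsv1 alert protocol version"
      reason=$(printf '%s\n' "$1" | sed -n 's/.*:SSL routines:[^:]*:\([^:]*\):.*/\1/p' | head -n 1)
      printf 'rejected %s\n' "${reason:-no session established}" ;;
    *)
      printf 'accepted %s %s\n' "$(negotiated_protocol "$1")" "$cipher" ;;
  esac
}

# One handshake restricted to a single version. $1 host, $2 port,
# $3 one of tls1, tls1_1, tls1_2, tls1_3 (openssl's option names).
probe_tls() {
  out=$(openssl s_client -connect "$1:$2" -servername "$1" "-$3" </dev/null 2>&1) || true
  printf '%s\t%s\n' "$3" "$(classify_handshake "$out")"
}

# Hardened policy: 1.3 and 1.2 must be accepted, 1.1 and 1.0 must be rejected.
# Prints every probe and returns non-zero if any line violates the policy.
check_policy() {
  rc=0
  for v in tls1_3 tls1_2 tls1_1 tls1; do
    line=$(probe_tls "$1" "$2" "$v")
    printf '%s\n' "$line"
    case "$v:$line" in
      tls1_3:*accepted*|tls1_2:*accepted*|tls1_1:*rejected*|tls1:*rejected*) ;;
      *) rc=1 ;;
    esac
  done
  return $rc
}

# Constructed s_client excerpts (not real captures) so the classifier can be
# exercised without a server: one successful TLS 1.3 session, one refusal.
SAMPLE_TLS13_OK='CONNECTED(00000003)
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'
SAMPLE_TLS13_REJECTED='CONNECTED(00000003)
139880983840064:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1543:SSL alert number 40
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : 0000'

classify_handshake "$SAMPLE_TLS13_OK"
classify_handshake "$SAMPLE_TLS13_REJECTED"

# Probe a live virtual host only when one is named, e.g.
#   TLS_HOST=api.myCompany.com TLS_PORT=443 sh tls-probe.sh
if [ -n "${TLS_HOST:-}" ]; then
  check_policy "$TLS_HOST" "${TLS_PORT:-443}"
fi
```

Run it against each Router (by IP, keeping -servername as the host alias) rather than only against the load-balanced name, since the page has you change Routers one by one and a half-finished rollout will answer differently depending on which node the balancer picks.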