Setting TLS protocol for Router and Message Processor

By default, the Router and Message Processor support TLS versions 1.0, 1.1, and 1.2. However, you might want to limit the protocols supported by the Router and Message Processor, for example to disable TLS 1.0 and 1.1. This document describes how to set the protocol globally on the Router and Message Processor.

For the Router, you can also set the protocol for individual virtual hosts. See Configuring TLS access to an API for the Private Cloud for more.

For the Message Processor, you can set the protocol for an individual TargetEndpoint. See Configuring TLS from Edge to the backend (Cloud and Private Cloud) for more.

Set the TLS protocol on the Router

To set the TLS protocol on the Router, set properties in the router.properties file:

  1. Open the router.properties file in an editor. If the file does not exist, create it:
    vi /opt/apigee/customer/application/router.properties
  2. Set the properties as desired:
    # Possible values are a space-delimited list of: TLSv1 TLSv1.1 TLSv1.2
    conf_load_balancing_load.balancing.driver.server.ssl.protocols=TLSv1.2
  3. Save your changes.
  4. Make sure the properties file is owned by the "apigee" user:
    chown apigee:apigee /opt/apigee/customer/application/router.properties
  5. Restart the Router:
    /opt/apigee/apigee-service/bin/apigee-service edge-router restart
  6. Verify that the protocol is updated correctly by examining the NGINX file /opt/nginx/conf.d/0-default.conf:
    cat /opt/nginx/conf.d/0-default.conf

    Ensure that the value for ssl_protocols is TLSv1.2.

  7. If you are using two-way TLS with a virtual host, you must also set the TLS protocol in the virtual host as described in Configuring TLS access to an API for the Private Cloud.

Set the TLS protocol on the Message Processor

To set the TLS protocol on the Message Processor, set properties in the message-processor.properties file:

  1. Open the message-processor.properties file in an editor. If the file does not exist, create it:
    vi /opt/apigee/customer/application/message-processor.properties
  2. Configure the properties using the following syntax:
    # Possible values are a comma-delimited list of TLSv1, TLSv1.1, and TLSv1.2
    conf/system.properties+https.protocols=[TLSv1][,TLSv1.1][,TLSv1.2]
    # Possible values are a comma-delimited list of SSLv3, TLSv1, TLSv1.1, TLSv1.2
    # SSLv3 is required
    conf_jvmsecurity_jdk.tls.disabledAlgorithms=SSLv3[,TLSv1][,TLSv1.1][,TLSv1.2]
    
    # Specify the ciphers that the Message Processor supports (separate ciphers with a comma):
    conf_message-processor-communication_local.http.ssl.ciphers=cipher[,...]

    Possible values for conf_message-processor-communication_local.http.ssl.ciphers are:

    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    For example:

    conf/system.properties+https.protocols=TLSv1.2
    conf/jvmsecurity.properties+jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1
    conf_message-processor-communication_local.http.ssl.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    For a complete list of related properties, see Configuring TLS between a Router and a Message Processor.

  3. Save your changes.
  4. Make sure the properties file is owned by the "apigee" user:
    chown apigee:apigee /opt/apigee/customer/application/message-processor.properties
  5. Restart the Message Processor:
    /opt/apigee/apigee-service/bin/apigee-service edge-message-processor restart
  6. If you are using two-way TLS with the backend, set the TLS protocol in the virtual host as described in Configuring TLS from Edge to the backend (Cloud and Private Cloud).
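The two procedures above use different delimiters (space-delimited for the Router, comma-delimited for the Message Processor), the JVM's disabledAlgorithms list must include SSLv3, and the Router only applies the setting once it has regenerated 0-default.conf. The following script is an added example, not part of the Apigee documentation: it reads the property values from both files and the ssl_protocols directive from the Router's generated NGINX configuration, and reports anything that would leave an unwanted protocol enabled. The sample file contents are constructed; the function names and the idea of accepting both spellings of the disabledAlgorithms key shown on this page are this example's own assumptions.

```python
"""Sanity-check Router and Message Processor TLS protocol settings.

Added example, not part of the Apigee documentation. Sample inputs are
constructed fragments in the shape of the files this page describes.
"""
import re

KNOWN_TLS = {"TLSv1", "TLSv1.1", "TLSv1.2"}
ROUTER_KEY = "conf_load_balancing_load.balancing.driver.server.ssl.protocols"
MP_PROTOCOLS_KEY = "conf/system.properties+https.protocols"
# Assumption: accept both spellings of the disabledAlgorithms key shown on the page.
MP_DISABLED_KEYS = ("conf/jvmsecurity.properties+jdk.tls.disabledAlgorithms",
                    "conf_jvmsecurity_jdk.tls.disabledAlgorithms")
MP_CIPHERS_KEY = "conf_message-processor-communication_local.http.ssl.ciphers"
ALLOWED_CIPHERS = {  # the values the page lists for the ciphers property
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
}


def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props


def check_router(properties_text, nginx_conf_text, desired=("TLSv1.2",)):
    """Return a list of problems (empty list = Router setting is applied as desired)."""
    desired, problems = set(desired), []
    value = parse_properties(properties_text).get(ROUTER_KEY, "")
    if "," in value:
        problems.append("router.properties: protocols must be space-delimited, not comma-delimited")
    enabled = set(value.replace(",", " ").split())
    if enabled != desired:
        problems.append(f"router.properties enables {sorted(enabled)}, expected {sorted(desired)}")
    # Step 6 of the Router procedure: the generated NGINX file must reflect the change.
    directives = re.findall(r"^\s*ssl_protocols\s+([^;]+);", nginx_conf_text, re.MULTILINE)
    if not directives:
        problems.append("no ssl_protocols directive in nginx conf; was the Router restarted?")
    for directive in directives:
        if set(directive.split()) != desired:
            problems.append(f"nginx ssl_protocols is '{directive.strip()}', expected {sorted(desired)}")
    return problems


def check_message_processor(properties_text, desired=("TLSv1.2",)):
    """Return a list of problems (empty list = Message Processor settings are consistent)."""
    desired, problems = set(desired), []
    props = parse_properties(properties_text)
    enabled = {p.strip() for p in props.get(MP_PROTOCOLS_KEY, "").split(",") if p.strip()}
    if enabled != desired:
        problems.append(f"https.protocols enables {sorted(enabled)}, expected {sorted(desired)}")
    disabled_raw = next((props[k] for k in MP_DISABLED_KEYS if k in props), "")
    disabled = {p.strip() for p in disabled_raw.split(",") if p.strip()}
    if "SSLv3" not in disabled:
        problems.append("jdk.tls.disabledAlgorithms must include SSLv3")
    if enabled & disabled:
        problems.append(f"protocols both enabled and disabled: {sorted(enabled & disabled)}")
    not_disabled = (KNOWN_TLS - desired) - disabled
    if not_disabled:
        problems.append(f"unwanted protocols not disabled in the JVM: {sorted(not_disabled)}")
    ciphers = [c.strip() for c in props.get(MP_CIPHERS_KEY, "").split(",") if c.strip()]
    unsupported = [c for c in ciphers if c not in ALLOWED_CIPHERS]
    if unsupported:
        problems.append(f"ciphers not in the supported list: {unsupported}")
    duplicates = sorted({c for c in ciphers if ciphers.count(c) > 1})
    if duplicates:
        problems.append(f"duplicate ciphers: {duplicates}")
    return problems


# Constructed samples (not real files from a deployment).
ROUTER_PROPS_OK = "conf_load_balancing_load.balancing.driver.server.ssl.protocols=TLSv1.2\n"
ROUTER_PROPS_COMMA = "conf_load_balancing_load.balancing.driver.server.ssl.protocols=TLSv1.1,TLSv1.2\n"
NGINX_OK = "server {\n    listen 443 ssl;\n    ssl_protocols TLSv1.2;\n}\n"
NGINX_STALE = "server {\n    listen 443 ssl;\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"
MP_PROPS_OK = """conf/system.properties+https.protocols=TLSv1.2
conf/jvmsecurity.properties+jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1
conf_message-processor-communication_local.http.ssl.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""
MP_PROPS_BAD = """conf/system.properties+https.protocols=TLSv1,TLSv1.2
conf_jvmsecurity_jdk.tls.disabledAlgorithms=TLSv1
conf_message-processor-communication_local.http.ssl.ciphers=TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA
"""

if __name__ == "__main__":
    for name, problems in (("router", check_router(ROUTER_PROPS_OK, NGINX_STALE)),
                           ("message-processor", check_message_processor(MP_PROPS_BAD))):
        print(name, "OK" if not problems else "\n  ".join([""] + problems))
```

Run it on a real node by reading the two properties files and /opt/nginx/conf.d/0-default.conf into the function arguments. An empty list from either check means the file content matches the desired protocol set; each string in a non-empty list names one setting to correct before restarting the component again.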