By default, the Router and Message Processor support TLS protocols 1.0, 1.1, 1.2. Based on your operating system and Java version, your router and message processor might support TLS protocol 1.3 as well. However, you might want to limit some of the lower protocols based on your needs and security practices. This document describes how to set the protocol globally on the Router and Message Processor.
For the Router, you can also set the protocol for individual virtual hosts. See Configuring TLS access to an API for the Private Cloud for more.
For the Message Processor, you can set the protocol for an individual TargetEndpoint. See Configuring TLS from Edge to the backend (Cloud and Private Cloud) for more.
Set the TLS protocol on the Router
To set the TLS protocol on the Router, set properties in the router.properties file:
- Open the router.properties file in an editor. If the file does not exist, create it:
  vi /opt/apigee/customer/application/router.properties
- Set the properties as desired:
  # Possible values are a space-delimited list of: TLSv1 TLSv1.1 TLSv1.2
  conf_load_balancing_load.balancing.driver.server.ssl.protocols=TLSv1.2
- Save your changes.
- Make sure the properties file is owned by the "apigee" user:
chown apigee:apigee /opt/apigee/customer/application/router.properties
- Restart the Router:
/opt/apigee/apigee-service/bin/apigee-service edge-router restart
- Verify that the protocol is updated correctly by examining the Nginx file /opt/nginx/conf.d/0-default.conf:
  cat /opt/nginx/conf.d/0-default.conf
  Ensure that the value for ssl_protocols is TLSv1.2.
- If you are using two-way TLS with a virtual host, you must also set the TLS protocol in the virtual host as described in Configuring TLS access to an API for the Private Cloud.
Set the TLS protocol on the Message Processor
To set the TLS protocol on the Message Processor, set properties in the message-processor.properties file:
- Open the message-processor.properties file in an editor. If the file does not exist, create it:
  vi /opt/apigee/customer/application/message-processor.properties
- Configure the properties using the following syntax:
  # Possible values are a comma-delimited list of TLSv1, TLSv1.1, and TLSv1.2
  conf/system.properties+https.protocols=[TLSv1][,TLSv1.1][,TLSv1.2]
  # Possible values are a comma-delimited list of SSLv3, TLSv1, TLSv1.1, TLSv1.2
  # SSLv3 is required
  conf_jvmsecurity_jdk.tls.disabledAlgorithms=SSLv3[,TLSv1][,TLSv1.1][,TLSv1.2]
  # Specify the ciphers that the Message Processor supports. (You must separate ciphers with a comma.):
  conf_message-processor-communication_local.http.ssl.ciphers=cipher[,...]
Possible values for conf_message-processor-communication_local.http.ssl.ciphers are:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
For example:
  conf/system.properties+https.protocols=TLSv1.2
  conf_jvmsecurity_jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1
  conf_message-processor-communication_local.http.ssl.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
For a complete list of related properties, see Configuring TLS between a Router and a Message Processor.
- Save your changes.
- Make sure the properties file is owned by the "apigee" user:
chown apigee:apigee /opt/apigee/customer/application/message-processor.properties
- Restart the Message Processor:
/opt/apigee/apigee-service/bin/apigee-service edge-message-processor restart
- If you are using two-way TLS with the backend, set the TLS protocol in the virtual host as described in Configuring TLS from Edge to the backend (Cloud and Private Cloud).
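As an added post-change check for both procedures above (example code written for this page, not part of the Apigee documentation or product), the following POSIX shell script reads the ssl_protocols directive that the Router writes to the Nginx configuration and the https.protocols value in message-processor.properties, and fails if any protocol older than TLSv1.2 is still enabled. The sample files it creates are constructed for the example; point the two check functions at the real files to verify a live node.

```shell
#!/bin/sh
# Added verification helper; not part of the Apigee documentation or product.
# Allowed protocol versions (TLSv1.3 included for OS/Java combinations that support it).
ALLOWED_PROTOCOLS="TLSv1.2 TLSv1.3"

# protocols_ok "TLSv1 TLSv1.2": return 0 if every whitespace-separated token is
# allowed, 1 if the list is empty or names a legacy version (SSLv3, TLSv1, TLSv1.1).
protocols_ok() {
    [ -n "$1" ] || { echo "no protocol list found" >&2; return 1; }
    rc=0
    for p in $1; do
        case " $ALLOWED_PROTOCOLS " in
            *" $p "*) ;;
            *) echo "legacy protocol still enabled: $p" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# check_router_nginx FILE: read the ssl_protocols directive(s) the Router wrote
# to FILE (e.g. /opt/nginx/conf.d/0-default.conf); comments are stripped first.
check_router_nginx() {
    protocols_ok "$(sed -e 's/#.*//' "$1" \
        | sed -n -e 's/^[[:space:]]*ssl_protocols[[:space:]]*\([^;]*\);.*/\1/p')"
}

# check_mp_properties FILE: read conf/system.properties+https.protocols from the
# Message Processor properties file (comma-delimited, converted to spaces).
check_mp_properties() {
    protocols_ok "$(sed -n -e 's|^conf/system.properties+https.protocols=||p' "$1" | tr ',' ' ')"
}

# Constructed sample files (not real Apigee output) so the checks run offline.
tmpdir=$(mktemp -d)
cat > "$tmpdir/0-default.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # the default before hardening
}
EOF
printf 'conf/system.properties+https.protocols=TLSv1.2\n' > "$tmpdir/message-processor.properties"
check_router_nginx "$tmpdir/0-default.conf" || echo "Router: legacy protocols still enabled"
check_mp_properties "$tmpdir/message-processor.properties" && echo "Message Processor: OK"
```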