By default, TLS between the Router and Message Processor is disabled.
To enable TLS encryption between a Router and a Message Processor:
- Ensure that port 8082 on the Message Processor is accessible by the Router.
- Generate the keystore JKS file containing your TLS certification and private key. For more, see Configuring TLS/SSL for Edge On Premises.
- Copy the keystore JKS file to a directory on the Message Processor server, such
as
/opt/apigee/customer/application
. - Change permissions and ownership of the JKS file:
chown apigee:apigee /opt/apigee/customer/application/keystore.jks
chmod 600 /opt/apigee/customer/application/keystore.jks
Where
keystore.jks
is the name of your keystore file. - Edit the
/opt/apigee/customer/application/message-processor.properties
file. If the file does not exist, create it. - Set the following properties in the
message-processor.properties
file:conf_message-processor-communication_local.http.ssl=true conf/message-processor-communication.properties+local.http.port=8443 conf/message-processor-communication.properties+local.http.ssl.keystore.type=jks conf/message-processor-communication.properties+local.http.ssl.keystore.path=/opt/apigee/customer/application/keystore.jks conf/message-processor-communication.properties+local.http.ssl.keyalias=apigee-devtest # Enter the obfuscated keystore password below. conf/message-processor-communication.properties+local.http.ssl.keystore.password=OBF:obsPword
Where
keystore.jks
is your keystore file, and obsPword is your obfuscated keystore and keyalias password.Note: The value of
conf/message-processor-communication.properties+local.http.ssl.keyalias=apigee-devtest
must be the same as the value provided by the-alias
option to thekeytool
command, described at the end of the section Creating a JKS file.See Configuring TLS/SSL for Edge On Premises for information on generating an obfuscated password.
- Ensure that the
message-processor.properties
file is owned by the 'apigee' user:chown apigee:apigee /opt/apigee/customer/application/message-processor.properties
- Stop the Message Processors and Routers:
/opt/apigee/apigee-service/bin/apigee-service edge-message-processor stop
/opt/apigee/apigee-service/bin/apigee-service edge-router stop
- On the Router, delete any files in the
/opt/nginx/conf.d
directory:rm -f /opt/nginx/conf.d/*
- Start the Message Processors and Routers:
/opt/apigee/apigee-service/bin/apigee-service edge-message-processor start
/opt/apigee/apigee-service/bin/apigee-service edge-router start
- Repeat this process for each Message Processor.
After TLS is enabled between the Router and Message Processor, the Message Processor log file
contains this INFO
message:
MessageProcessorHttpSkeletonFactory.configureSSL() : Instantiating Keystore of type: jks
This INFO
statement confirms that TLS is working between the Router and Message
Processor.
The following table lists all of the available properties in
message-processor.properties
:
Properties | Description |
---|---|
conf_message-processor-communication_local. http.host=localhost_or_IP_address |
Optional. Hostname to listen on for router connections. This overrides the host name configured at registration. |
conf/message-processor-communication. properties+local.http.port=8998 |
Optional. Port to listen on for router connections. Default is 8998. |
conf_message-processor-communication_local. http.ssl=[ false | true ] |
Set this to true to enable TLS/SSL. Default is false . When
TLS/SSL is enabled, you must set local.http.ssl.keystore.path and
local.http.ssl.keyalias .
|
conf/message-processor-communication. properties+local.http.ssl.keystore.path= |
Local file system path to the keystore (JKS or PKCS12). Mandatory when
local.http.ssl=true . |
conf/message-processor-communication. properties+local.http.ssl.keyalias= |
Key alias from the keystore to be used for TLS/SSL connections. Mandatory when
local.http.ssl=true . |
conf/message-processor-communication. properties+local.http.ssl.keyalias.password= |
Password used for encrypting the key inside the keystore. Use an obfuscated password
in the following format:
OBF:obsPword |
conf/message-processor-communication. properties+local.http.ssl.keystore.type=jks |
Keystore type. Only JKS and PKCS12 are currently supported. Default is JKS. |
conf/message-processor-communication. properties+local.http.ssl.keystore.password= |
Optional. Obfuscated password for the keystore. Use an obfuscated password in the
following format:
OBF:obsPword |
conf_message-processor-communication_local. http.ssl.ciphers=cipher1,cipher2 |
Optional. When configured, only the ciphers listed are allowed. If omitted, use all ciphers supported by the JDK. |