Configuring TLS between a Router and a Message Processor

By default, TLS between the Router and Message Processor is disabled.

To enable TLS encryption between a Router and a Message Processor:

1. Ensure that port 8082 on the Message Processor is accessible by the Router.
2. Generate the keystore JKS file containing your TLS certification and private key. For more, see Configuring TLS/SSL for Edge On Premises.
3. Copy the keystore JKS file to a directory on the Message Processor server, such as /opt/apigee/customer/application.
4. Change permissions and ownership of the JKS file:

   chown apigee:apigee /opt/apigee/customer/application/keystore.jks
   chmod 600 /opt/apigee/customer/application/keystore.jks

   Where keystore.jks is the name of your keystore file.

5. Edit the /opt/apigee/customer/application/message-processor.properties file. If the file does not exist, create it.
6. Set the following properties in the message-processor.properties file:

   conf_message-processor-communication_local.http.ssl=true
   conf/message-processor-communication.properties+local.http.port=8443
   conf/message-processor-communication.properties+local.http.ssl.keystore.type=jks
   conf/message-processor-communication.properties+local.http.ssl.keystore.path=/opt/apigee/customer/application/keystore.jks
   conf/message-processor-communication.properties+local.http.ssl.keyalias=apigee-devtest
   # Enter the obfuscated keystore password below.
   conf/message-processor-communication.properties+local.http.ssl.keystore.password=OBF:obsPword

   Where keystore.jks is your keystore file, and obsPword is your obfuscated keystore and keyalias password.

   Note: The value of

   conf/message-processor-communication.properties+local.http.ssl.keyalias=apigee-devtest

   must be the same as the value provided by the -alias option to the keytool command, described at the end of the section Creating a JKS file.

   See Configuring TLS/SSL for Edge On Premises for information on generating an obfuscated password.

7. Ensure that the message-processor.properties file is owned by the 'apigee' user:

   chown apigee:apigee /opt/apigee/customer/application/message-processor.properties

8. Stop the Message Processors and Routers:

   /opt/apigee/apigee-service/bin/apigee-service edge-message-processor stop
   /opt/apigee/apigee-service/bin/apigee-service edge-router stop

9. On the Router, delete any files in the /opt/nginx/conf.d directory:

   rm -f /opt/nginx/conf.d/*

10. Start the Message Processors and Routers:

    /opt/apigee/apigee-service/bin/apigee-service edge-message-processor start
    /opt/apigee/apigee-service/bin/apigee-service edge-router start

11. Repeat this process for each Message Processor.

After TLS is enabled between the Router and Message Processor, the Message Processor log file contains this INFO message:

MessageProcessorHttpSkeletonFactory.configureSSL() : Instantiating Keystore of type: jks

This INFO statement confirms that TLS is working between the Router and Message Processor.

The following table lists all of the available properties in message-processor.properties:

conf_message-processor-communication_local.
  http.host=localhost_or_IP_address

conf/message-processor-communication.
  properties+local.http.port=8998

conf_message-processor-communication_local.
  http.ssl=[ false | true ]

conf/message-processor-communication.
  properties+local.http.ssl.keystore.path=

conf/message-processor-communication.
  properties+local.http.ssl.keyalias=

conf/message-processor-communication.
  properties+local.http.ssl.keyalias.password=

OBF:obsPword

conf/message-processor-communication.
  properties+local.http.ssl.keystore.type=jks

conf/message-processor-communication.
  properties+local.http.ssl.keystore.password=

OBF:obsPword

conf_message-processor-communication_local.
  http.ssl.ciphers=cipher1,cipher2