Configuring TLS between a Router and a Message Processor

By default, TLS between the Router and Message Processor is disabled.

To enable TLS encryption between a Router and a Message Processor:

  1. Ensure that port 8082 on the Message Processor is accessible by the Router.
  2. Generate the keystore JKS file containing your TLS certification and private key. For more, see Configuring TLS/SSL for Edge On Premises.
  3. Copy the keystore JKS file to a directory on the Message Processor server, such as /opt/apigee/customer/application.
  4. Change permissions and ownership of the JKS file:
    chown apigee:apigee /opt/apigee/customer/application/keystore.jks
    chmod 600 /opt/apigee/customer/application/keystore.jks

    Where keystore.jks is the name of your keystore file.

  5. Edit the /opt/apigee/customer/application/message-processor.properties file. If the file does not exist, create it.
  6. Set the following properties in the message-processor.properties file:
    conf_message-processor-communication_local.http.ssl=true
    conf/message-processor-communication.properties+local.http.port=8443
    conf/message-processor-communication.properties+local.http.ssl.keystore.type=jks
    conf/message-processor-communication.properties+local.http.ssl.keystore.path=/opt/apigee/customer/application/keystore.jks
    conf/message-processor-communication.properties+local.http.ssl.keyalias=apigee-devtest
    # Enter the obfuscated keystore password below.
    conf/message-processor-communication.properties+local.http.ssl.keystore.password=OBF:obsPword

    Where keystore.jks is your keystore file, and obsPword is your obfuscated keystore and keyalias password.

    Note: The value of

    conf/message-processor-communication.properties+local.http.ssl.keyalias=apigee-devtest
    must be the same as the value provided by the -alias option to the keytool command, described at the end of the section Creating a JKS file.

    See Configuring TLS/SSL for Edge On Premises for information on generating an obfuscated password.

  7. Ensure that the message-processor.properties file is owned by the 'apigee' user:
    chown apigee:apigee /opt/apigee/customer/application/message-processor.properties
  8. Stop the Message Processors and Routers:
    /opt/apigee/apigee-service/bin/apigee-service edge-message-processor stop
    /opt/apigee/apigee-service/bin/apigee-service edge-router stop
  9. On the Router, delete any files in the /opt/nginx/conf.d directory:
    rm -f /opt/nginx/conf.d/*
  10. Start the Message Processors and Routers:
    /opt/apigee/apigee-service/bin/apigee-service edge-message-processor start
    /opt/apigee/apigee-service/bin/apigee-service edge-router start
  11. Repeat this process for each Message Processor.

After TLS is enabled between the Router and Message Processor, the Message Processor log file contains this INFO message:

MessageProcessorHttpSkeletonFactory.configureSSL() : Instantiating Keystore of type: jks

This INFO statement confirms that TLS is working between the Router and Message Processor.

The following table lists all of the available properties in message-processor.properties:

Properties Description
conf_message-processor-communication_local.
  http.host=localhost_or_IP_address
Optional. Hostname to listen on for router connections. This overrides the host name configured at registration.
conf/message-processor-communication.
  properties+local.http.port=8998
Optional. Port to listen on for router connections. Default is 8998.
conf_message-processor-communication_local.
  http.ssl=[ false | true ]
Set this to true to enable TLS/SSL. Default is false. When TLS/SSL is enabled, you must set local.http.ssl.keystore.path and local.http.ssl.keyalias.
conf/message-processor-communication.
  properties+local.http.ssl.keystore.path=
Local file system path to the keystore (JKS or PKCS12). Mandatory when local.http.ssl=true.
conf/message-processor-communication.
  properties+local.http.ssl.keyalias=
Key alias from the keystore to be used for TLS/SSL connections. Mandatory when local.http.ssl=true.
conf/message-processor-communication.
  properties+local.http.ssl.keyalias.password=
Password used for encrypting the key inside the keystore. Use an obfuscated password in the following format:
OBF:obsPword
conf/message-processor-communication.
  properties+local.http.ssl.keystore.type=jks
Keystore type. Only JKS and PKCS12 are currently supported. Default is JKS.
conf/message-processor-communication.
  properties+local.http.ssl.keystore.password=
Optional. Obfuscated password for the keystore. Use an obfuscated password in the following format:
OBF:obsPword
conf_message-processor-communication_local.
  http.ssl.ciphers=cipher1,cipher2
Optional. When configured, only the ciphers listed are allowed. If omitted, use all ciphers supported by the JDK.