By default, you access the Edge UI over HTTP by using the IP address of the Management Server node and port 9000. For example:
http://ms_IP:9000
Alternatively, you can configure TLS access to the Edge UI so that you can access it in the form:
https://ms_IP:9443
In this example, you configure TLS access to use port 9443. However, that port number is not required by Edge - you can configure the Management Server to use other port values. The only requirement is that your firewall allows traffic over the specified port.
Ensure that your TLS port is open
The procedure in this section configures TLS to use port 9443 on the Management Server. Regardless of the port that you use, you must ensure that the port is open on the Management Server. For example, you can use the following command to open it:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 9443 -j ACCEPT --verbose
Configure TLS
Use the following procedure to configure TLS access to the management UI:
- Generate the keystore JKS file containing your TLS certification and private key and copy it to the Management Server node. For more information, see Configuring TLS/SSL for Edge On Premises.
- Run the following command to configure TLS:
/opt/apigee/apigee-service/bin/apigee-service edge-ui configure-ssl
- Enter the HTTPS port number, for example, 9443.
- Specify if you want to disable HTTP access to the management UI. By default, the management UI is accessible over HTTP on port 9000.
- Enter the keystore algorithm. The default is JKS.
- Enter the absolute path to the keystore JKS file.
The script copies the file to the
/opt/apigee/customer/conf
directory on the Management Server node, and changes the ownership of the file to "apigee". - Enter the clear text keystore password.
- The script then restarts the Edge management UI. After the restart, the management UI
supports access over TLS.
You can see these settings in
/opt/apigee/etc/edge-ui.d/SSL.sh
.
Using a config file to configure TLS
As an alternative to the above procedure, you can pass a config file to the command in step 2 of the procedure. You'll need to use this method if you want to set optional TLS properties.
To use a config file, create a new file and add the following properties:
HTTPSPORT=9443 DISABLE_HTTP=y # Set type to PKCS12 if you are using a PKCS12 keystore KEY_ALGO=JKS KEY_FILE_PATH=/opt/apigee/customer/application/mykeystore.jks KEY_PASS=clearTextKeystorePWord
Save the file in a local directory with any name you want. Then use the following command to configure TLS:
/opt/apigee/apigee-service/bin/apigee-service edge-ui configure-ssl -f configFile
where configFile is the full path to the file you saved.
Using a PKCS12 keystore for FIPS-enabled operating systems
If you are using Edge for Private Cloud on a FIPS-enabled operating system, you should use a PKCS12 keystore. You can generate a PKCS12 keystore using standard OpenSSL commands. When using a PKCS12 keystore, set KEY_ALGO=PKCS12
in the configuration file.
Configure the Edge UI when TLS terminates on the load balancer
If you have a load balancer that forwards requests to the Edge UI, you might choose to terminate the TLS connection on the load balancer, and then have the load balancer forward requests to the Edge UI over HTTP. This configuration is supported but you need to configure the load balancer and the Edge UI accordingly.
The additional configuration is required when the Edge UI sends users emails to set their password when the user is created or when the user request to reset a lost password. This email contains a URL that the user selects to set or reset a password. By default, if the Edge UI is not configured to use TLS, the URL in the generated email uses the HTTP protocol, and not HTTPS. You must configure the load balancer and Edge UI to generates an email address that uses HTTPS.
To configure the load balancer, ensure that it sets the following header on requests forwarded to the Edge UI:
X-Forwarded-Proto: https
To configure the Edge UI:
- Open the
/opt/apigee/customer/application/ui.properties
file in an editor. If the file does not exist, create it:vi /opt/apigee/customer/application/ui.properties
- Set the following property in
ui.properties
:conf/application.conf+trustxforwarded=true
- Save your changes to
ui.properties
. - Restart the Edge UI:
/opt/apigee/apigee-service/bin/apigee-service edge-ui restart
Setting optional TLS properties
The Edge UI supports optional TLS configuration properties that you can use to set the following:
- Default TLS protocol
- List of supported TLS protocols
- Supported TLS algorithms
- Supported TLS ciphers
These optional parameters are only available when you set the following configuration property in config file, as described in Using a config file to configure TLS:
TLS_CONFIGURE=y
The following table describes these properties:
Property | Description |
---|---|
TLS_PROTOCOL
|
Defines the default TLS protocol for the Edge UI. By default, it is TLS 1.2. Valid values are TLSv1.2, TLSv1.1, TLSv1. |
TLS_ENABLED_PROTOCOL
|
Defines the list of enabled protocols as a comma-separated array. For example: TLS_ENABLED_PROTOCOL=[\"TLSv1.2\", \"TLSv1.1\", \"TLSv1\"] Notice that you have to escape the " character.
By default all protocols are enabled. |
TLS_DISABLED_ALGO
|
Defines the disabled cipher suites and can also be used to prevent small key sizes from being used for TLS handshaking. There is no default value. The values passed to the
TLS_DISABLED_ALGO=EC\ keySize\ <\ 160,RSA\ keySize\ <\ 2048 |
TLS_ENABLED_CIPHERS
|
Defines the list of available TLS ciphers as a comma-separated array. For example: TLS_ENABLED_CIPHERS=[\"TLS_DHE_RSA_WITH_AES_128_CBC_SHA\", \"TLS_DHE_DSS_WITH_AES_128_CBC_SHA\"] Notice that you have to escape the " character.
The default list of enabled ciphers is: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_MD5", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" Find the list of available ciphers here. |
Disabling TLS protocols
To disable TLS protocols, you need to edit the config file, described in Using a config file to configure TLS, as follows:
- Open the config file in an editor.
- To disable a single TLS protocol—for example, TLSv1.0—add the following
to the config file:
TLS_CONFIGURE=y TLS_DISABLED_ALGO="tlsv1"
To disable multiple protocols—for example, TLSv1.0 and TLSv1.1— add the following to the config file:
TLS_CONFIGURE=y TLS_DISABLED_ALGO="tlsv1, tlsv1.1"
- Save your changes to the config file.
- Run the following command to configure TLS:
/opt/apigee/apigee-service/bin/apigee-service edge-ui configure-ssl -f configFile
where configFile is the full path to the config file.
- Restart the Edge UI:
/opt/apigee/apigee-service/bin/apigee-service edge-ui restart
Use secure cookies
Apigee Edge for Private Cloud supports adding the secure
flag to the Set-Cookie
header for
responses from the Edge UI. If this flag is present, then the cookie can only be sent over
TLS-enabled channels. If it is not present, then the cookie can be sent over any channel, whether
it is secure or not.
Cookies without the secure
flag can potentially allow an attacker to capture and
reuse the cookie or hijack an active session. Therefore, best practice is to enable this
setting.
To set the secure
flag for Edge UI cookies:
- Open the following file in a text editor:
/opt/apigee/customer/application/ui.properties
If the file does not exist, create it.
- Set the
conf_application_session.secure
property totrue
in theui.properties
file, as the following example shows:conf_application_session.secure=true
- Save your changes.
- Restart Edge UI by using the
apigee-serice
utility, as the following example shows:/opt/apigee/apigee-service/bin/apigee-service edge-ui restart
To confirm the change is working, check the response headers from the Edge UI by using
a utility such as curl
; for example:
curl -i -v https://edge_UI_URL
The header should contain a line that looks like the following:
Set-Cookie: secure; ...
Disable TLS on the Edge UI
To disable TLS on the Edge UI, use the following command:
/opt/apigee/apigee-service/bin/apigee-service edge-ui disable-ssl