Configuring TLS for the management UI

By default, you access the Edge UI over HTTP by using the IP address of the Management Server node and port 9000. For example:

http://ms_IP:9000

Alternatively, you can configure TLS access to the Edge UI so that you can access it in the form:

https://ms_IP:9443

In this example, you configure TLS access to use port 9443. However, that port number is not required by Edge - you can configure the Management Server to use other port values. The only requirement is that your firewall allows traffic over the specified port.

Ensure that your TLS port is open

The procedure in this section configures TLS to use port 9443 on the Management Server. Regardless of the port that you use, you must ensure that the port is open on the Management Server. For example, you can use the following command to open it:

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 9443 -j ACCEPT --verbose

NOTE: This example uses port 9443 for the TLS port, and not the more common port 443. The reason is that ports below 1024 are typically protected by the operating system and require the process that accesses them to have root access. The Edge UI runs as the "apigee" user and therefore typically does not have access to ports below 1024.

One alternative it to use a load balancer with the Edge UI and terminate TLS on the load balancer on port 443. You can then use either HTTP or HTTPS between the load balancer and the Edge UI.

Another alternative is to use iptables to forward requests to port 443 to port 9443. For example:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 9443

Configure TLS

Use the following procedure to configure TLS access to the management UI:

Generate the keystore JKS file containing your TLS certification and private key and copy it to the Management Server node. For more information, see Configuring TLS/SSL for Edge On Premises.

Run the following command to configure TLS:

/opt/apigee/apigee-service/bin/apigee-service edge-ui configure-ssl

Enter the HTTPS port number, for example, 9443.
Specify if you want to disable HTTP access to the management UI. By default, the management UI is accessible over HTTP on port 9000.
Enter the keystore algorithm. The default is JKS.
Enter the absolute path to the keystore JKS file.
The script copies the file to the /opt/apigee/customer/conf directory on the Management Server node, and changes the ownership of the file to "apigee".
Enter the clear text keystore password.
The script then restarts the Edge management UI. After the restart, the management UI supports access over TLS.
You can see these settings in /opt/apigee/etc/edge-ui.d/SSL.sh.

Using a config file to configure TLS

As an alternative to the above procedure, you can pass a config file to the command in step 2 of the procedure. You'll need to use this method if you want to set optional TLS properties.

To use a config file, create a new file and add the following properties:

HTTPSPORT=9443
DISABLE_HTTP=y
# Set type to PKCS12 if you are using a PKCS12 keystore
KEY_ALGO=JKS
KEY_FILE_PATH=/opt/apigee/customer/application/mykeystore.jks
KEY_PASS=clearTextKeystorePWord

Save the file in a local directory with any name you want. Then use the following command to configure TLS:

/opt/apigee/apigee-service/bin/apigee-service edge-ui configure-ssl -f configFile

where configFile is the full path to the file you saved.

Using a PKCS12 keystore for FIPS-enabled operating systems

If you are using Edge for Private Cloud on a FIPS-enabled operating system, you should use a PKCS12 keystore. You can generate a PKCS12 keystore using standard OpenSSL commands. When using a PKCS12 keystore, set KEY_ALGO=PKCS12 in the configuration file.

Configure the Edge UI when TLS terminates on the load balancer

If you have a load balancer that forwards requests to the Edge UI, you might choose to terminate the TLS connection on the load balancer, and then have the load balancer forward requests to the Edge UI over HTTP. This configuration is supported but you need to configure the load balancer and the Edge UI accordingly.

The additional configuration is required when the Edge UI sends users emails to set their password when the user is created or when the user request to reset a lost password. This email contains a URL that the user selects to set or reset a password. By default, if the Edge UI is not configured to use TLS, the URL in the generated email uses the HTTP protocol, and not HTTPS. You must configure the load balancer and Edge UI to generates an email address that uses HTTPS.

To configure the load balancer, ensure that it sets the following header on requests forwarded to the Edge UI:

X-Forwarded-Proto: https

To configure the Edge UI:

Open the /opt/apigee/customer/application/ui.properties file in an editor. If the file does not exist, create it:
```
vi /opt/apigee/customer/application/ui.properties
```
Set the following property in ui.properties:
```
conf/application.conf+trustxforwarded=true
```
Save your changes to ui.properties.

Restart the Edge UI:

/opt/apigee/apigee-service/bin/apigee-service edge-ui restart

Setting optional TLS properties

The Edge UI supports optional TLS configuration properties that you can use to set the following:

Default TLS protocol
List of supported TLS protocols
Supported TLS algorithms
Supported TLS ciphers

These optional parameters are only available when you set the following configuration property in config file, as described in Using a config file to configure TLS:

TLS_CONFIGURE=y

NOTE: You can only set these optional parameters in a config file passed to the apigee-service edge-ui configure-ssl command. You cannot set these properties using the interactive command.

The following table describes these properties:

Property	Description
`TLS_PROTOCOL`	Defines the default TLS protocol for the Edge UI. By default, it is TLS 1.2. Valid values are TLSv1.2, TLSv1.1, TLSv1.
`TLS_ENABLED_PROTOCOL`	Defines the list of enabled protocols as a comma-separated array. For example: TLS_ENABLED_PROTOCOL=[\"TLSv1.2\", \"TLSv1.1\", \"TLSv1\"] Notice that you have to escape the " character. By default all protocols are enabled.
`TLS_DISABLED_ALGO`	Defines the disabled cipher suites and can also be used to prevent small key sizes from being used for TLS handshaking. There is no default value. The values passed to the `TLS_DISABLED_ALGO` correspond to the allowed values for `jdk.tls.disabledAlgorithms` as described here. However, you must escape space characters when setting `TLS_DISABLED_ALGO`: TLS_DISABLED_ALGO=EC\ keySize\ <\ 160,RSA\ keySize\ <\ 2048
`TLS_ENABLED_CIPHERS`	Defines the list of available TLS ciphers as a comma-separated array. For example: TLS_ENABLED_CIPHERS=[\"TLS_DHE_RSA_WITH_AES_128_CBC_SHA\", \"TLS_DHE_DSS_WITH_AES_128_CBC_SHA\"] Notice that you have to escape the " character. The default list of enabled ciphers is: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_MD5", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" Find the list of available ciphers here.

Disabling TLS protocols

To disable TLS protocols, you need to edit the config file, described in Using a config file to configure TLS, as follows:

Open the config file in an editor.
To disable a single TLS protocol—for example, TLSv1.0—add the following to the config file:
```
TLS_CONFIGURE=y
TLS_DISABLED_ALGO="tlsv1"
```
To disable multiple protocols—for example, TLSv1.0 and TLSv1.1— add the following to the config file:
```
TLS_CONFIGURE=y
TLS_DISABLED_ALGO="tlsv1, tlsv1.1"
```
Save your changes to the config file.
Run the following command to configure TLS:
```
/opt/apigee/apigee-service/bin/apigee-service edge-ui configure-ssl -f configFile
```
where configFile is the full path to the config file.

Restart the Edge UI:

/opt/apigee/apigee-service/bin/apigee-service edge-ui restart

Use secure cookies

Apigee Edge for Private Cloud supports adding the secure flag to the Set-Cookie header for responses from the Edge UI. If this flag is present, then the cookie can only be sent over TLS-enabled channels. If it is not present, then the cookie can be sent over any channel, whether it is secure or not.

Cookies without the secure flag can potentially allow an attacker to capture and reuse the cookie or hijack an active session. Therefore, best practice is to enable this setting.

To set the secure flag for Edge UI cookies:

Open the following file in a text editor:
```
/opt/apigee/customer/application/ui.properties
```
If the file does not exist, create it.
Set the conf_application_session.secure property to true in the ui.properties file, as the following example shows:
```
conf_application_session.secure=true
```
Save your changes.
Restart Edge UI by using the apigee-serice utility, as the following example shows:
```
/opt/apigee/apigee-service/bin/apigee-service edge-ui restart
```

To confirm the change is working, check the response headers from the Edge UI by using a utility such as curl; for example:

curl -i -v https://edge_UI_URL

The header should contain a line that looks like the following:

Set-Cookie: secure; ...

Disable TLS on the Edge UI

To disable TLS on the Edge UI, use the following command:

/opt/apigee/apigee-service/bin/apigee-service edge-ui disable-ssl