Verify Apigee mTLS installation

This section describes various ways to validate that the Apigee mTLS installation was successful. You can also use the techniques described in this section when troubleshooting issues with the cluster.

Validate the iptables configuration

You can validate that the apigee-mtls installation was successful by checking that the iptables routes are working and that the rules are valid.

Before validating an iptables configuration, be sure that:

  • You uninstalled firewalld from the node and replaced it with iptables, as described in Replace the default firewall.
  • You stopped all Apigee components on the node, including apigee-mtls.

To validate the apigee-mtls configuration was successful with iptables:

  1. Log in to a node in your cluster. The order in which you do this does not matter.
  2. Stop all components on the node, as the following example shows:
    /opt/apigee/apigee-service/bin/apigee-all stop
  3. Execute the validate command, as the following example shows:
    /opt/apigee/apigee-mtls/lib/actions/iptables.sh validate

    iptables sends messages to every port that either Consul or the local Apigee services use. If the script encounters an invalid rule or a failed route, it displays an error.

    If any Apigee services or Consul servers are running on the node, then this command will fail.

  4. Start the apigee-mtls component before all other components on the node by executing the following command:
    /opt/apigee/apigee-service/bin/apigee-service apigee-mtls start
  5. Start the remaining Apigee components on the node in the start order, as the following example shows:
    /opt/apigee/apigee-service/bin/apigee-service component_name start
  6. Repeat these steps on all nodes in the cluster. Ideally, do this on all nodes within 5 minutes of having started on the first node.

Verify the remote proxy status

You can use Consul on ZooKeeper nodes to check if the ingress and egress proxy services on all nodes are alive, healthy, and have joined the service mesh.

To check the proxy status of your nodes:

  1. Log in to a node that is running ZooKeeper.
  2. Execute the following command:
    systemctl status consul_server

Verify the quorum status

The mTLS installation includes adding the Consul proxy services to all nodes. As a result, you should verify the quorum status of all ZooKeeper nodes.

To check the quorum status, log in to each node running ZooKeeper and execute the following command:

/opt/apigee/apigee-mtls-consul/bin/consul operator raft list-peers

This command displays a list of the Consul instances and their statuses, as the following example shows:

Node             ID                     Address            State     Voter  RaftProtocol
prc-test-0-1619  b59c1f44-6eb0-81d4-42  10.126.0.98:8300   leader    true   3
prc-test-1-1619  a4372a6e-8044-e587-43  10.126.0.146:8300  follower  true   3
prc-test-2-1619  71eb181f-4242-5353-44  10.126.0.100:8300  follower  true   3

For more information, see the following:

In addition, you can get information about the cluster's health, including whether the cluster's quorum has formed and if remote members are impairing functionality. To do this, use the following command:

/opt/apigee/apigee-service/bin/apigee-service apigee-mtls status