Send Docs Feedback

Configuring TLS for the management UI

Edge for Private Cloud v. 4.17.01

By default, you access the Edge management UI over HTTP by using the IP address of the Management Server node and port 9000. For example:

http://ms_IP:9000

Alternatively, you can configure TLS access to the management UI so that you can access it in the form:

https://ms_IP:9443

In this example, you configure TLS access to use port 9443. However, that port number is not required by Edge - you can configure the Management Server to use other port values. The only requirement is that your firewall allows traffic over the specified port. 

Ensure that your TLS port is open

The procedure in this section configures TLS to use port 9443 on the Management Server. Regardless of the port that you use, you must ensure that the port is open on the Management Server. For example, you can use the following command to open it:

$ iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 9443 -j ACCEPT --verbose 

This example uses port 9443 for the TLS port, and not the more common port 443. The reason is that ports below 1024 are typically protected by the operating system and require the process that accesses them to have root access. The Edge UI runs as the "apigee" user and therefore typically does not have access to ports below 1024.

 

One alternative it to use a load balancer with the Edge UI and terminate TLS on the load balancer on port 443. You can then use either HTTP or HTTPS between the load balancer and the Edge UI. 

 

Another alternative is to use iptables to forward requests to port 443 to port 9443. For example:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 9443 

Configure TLS

Use the following procedure to configure TLS access to the management UI:

  1. Generate the keystore JKS file containing your TLS certification and private key and copy it to the Management Server node. For more information, see Configuring TLS/SSL for Edge On Premises.
  2. Run the following command to configure TLS:
    $ /opt/apigee/apigee-service/bin/apigee-service edge-ui configure-ssl
  3. Enter the HTTPS port number, for example, 9443.
  4. Specify if you want to disable HTTP access to the management UI. By default, the management UI is accessible over HTTP on port 9000. 
  5. Enter the keystore algorithm. The default is JKS.
  6. Enter the absolute path to the keystore JKS file. 

    The script copies the file to the /opt/apigee/customer/conf directory on the Management Server node, and changes the ownership of the file to apigee.
  7. Enter the keystore password.
  8. The script then restarts the Edge management UI. After the restart, the management UI supports access over TLS.
    You can see these settings in /opt/apigee/etc/edge-ui.d/SSL.sh.

You can also pass a config file to the command instead of responding to prompts. The config file takes the following properties:

HTTPSPORT=9443
DISABLE_HTTP=y
KEY_ALGO=JKS
KEY_FILE_PATH=/opt/apigee/customer/application/mykeystore.jks
KEY_PASS=keystorePWord

Then use the following command to configure TLS of the Edge UI:

/opt/apigee/apigee-service/bin/apigee-service edge-ui configure-ssl -f configFile

Configure the Edge UI when TLS terminates on the load balancer

If you have a load balancer that forwards requests to the Edge UI, you might choose to terminate the TLS connection on the load balancer, and then have the load balancer forward requests to the Edge UI over HTTP. This configuration is supported but you need to configure the load balancer and the Edge UI accordingly.

The additional configuration is required when the Edge UI sends users emails to set their password when the user is created or when the user request to reset a lost password. This email contains a URL that the user selects to set or reset a password. By default, if the Edge UI is not configured to use TLS, the URL in the generated email uses the HTTP protocol, and not HTTPS. You must configure the load balancer and Edge UI to generates an email address that uses HTTPS.

To configure the load balancer, ensure that it sets the following header on requests forwarded to the Edge UI:

X-Forwarded-Proto: https

To configure the Edge UI:

  1. Open the /opt/apigee/customer/application/ui.properties file in an editor. If the file does not exist, create it:
    > vi /opt/apigee/customer/application/ui.properties
  2. Set the following property in ui.properties:
    conf/application.conf+trustxforwarded=true
  3. Save your changes to ui.properties.
  4. Restart the Edge UI:
    > /opt/apigee/apigee-service/bin/apigee-service edge-ui restart

 

Help or comments?