OPDK Support for TLSv1.1 and TLSv1.2

Question:

We are trying to secure our Apigee Edge against the SSLv3 Poodle security vulnerability. How do I ensure that our secure connections go via a TLS protocol?

Answer:

For secure connections to the Apigee Routers, you can list the protocols to use in the SSLInfo section of the virtual host configuration; this restricts the supported protocols to exactly the ones you configure. If no protocols are listed in your virtual host configuration, Apigee Edge defaults to the protocols supported by the JVM that you are using.

Note: Install Apigee Edge to use JDK 7 for TLSv1.1 support. Also, JDK 8 is required to support the TLSv1.2 protocol, and Apigee Edge version 4.15.01 and older do not currently support JDK 8. Please see our Supported Software document to find out what is supported.

Here is a simple example of how you can configure TLS for your secure virtual host:

1. Get your secure virtual host definition with: curl -u admin@email.com http://management:8080/v1/o/{org}/e/{env}/virtualhosts/{virtualhost-name} -H "Accept: application/xml"

The output should look something like this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VirtualHost name="secure">
    <HostAliases>
        <HostAlias>example-prod.apigee.net</HostAlias>
    </HostAliases>
    <Interfaces/>
    <Port>443</Port>
    <SSLInfo>
        <Ciphers/>
        <ClientAuthEnabled>false</ClientAuthEnabled>
        <Enabled>true</Enabled>
        <IgnoreValidationErrors>false</IgnoreValidationErrors>
        <KeyAlias>freetrial</KeyAlias>
        <KeyStore>freetrial</KeyStore>
        <Protocols/>
    </SSLInfo>
</VirtualHost>

2. Put the output into a file, vhost.xml, and add a Protocol entry for TLSv1, as shown below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VirtualHost name="secure">
    <HostAliases>
        <HostAlias>example-prod.apigee.net</HostAlias>
    </HostAliases>
    <Interfaces/>
    <Port>443</Port>
    <SSLInfo>
        <Ciphers/>
        <ClientAuthEnabled>false</ClientAuthEnabled>
        <Enabled>true</Enabled>
        <IgnoreValidationErrors>false</IgnoreValidationErrors>
        <KeyAlias>freetrial</KeyAlias>
        <KeyStore>freetrial</KeyStore>
        <Protocols>
            <Protocol>TLSv1</Protocol>
        </Protocols>
    </SSLInfo>
</VirtualHost>

3. Next, post the changes back to the virtual host with this management call:

curl -u admin@email.com -X POST http://management:8080/v1/o/{org}/e/{env}/virtualhosts/{virtualhost-name} -H "Content-type: application/xml" -d @vhost.xml

4. Repeat the steps above for each org/env that has a secure virtual host.

5. The Apigee Routers will need to be restarted to enable the new Protocols configuration on your virtual host.

For secure connections made from your Message Processor to your target servers, make the change in the TargetEndpoint definition inside your API proxy bundle. For more information regarding the TargetEndpoint definition, see the API Proxy Configuration Reference.

Here is a simple example of what the TargetEndpoint would look like with TLSv1 configured as the secure protocol:

<HTTPTargetConnection>
    <SSLInfo>
        <Enabled>true</Enabled>
        <ClientAuthEnabled>true</ClientAuthEnabled>
        <KeyStore>myKeystore</KeyStore>
        <KeyAlias>myKey</KeyAlias>
        <TrustStore>myTrustStore</TrustStore>
        <Protocols>
            <Protocol>TLSv1</Protocol>
        </Protocols>
    </SSLInfo>
    <URL>https://myservice.com</URL>
</HTTPTargetConnection>
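
The two blocks above share the same SSLInfo/Protocols structure, so the edit from step 2 can be scripted the same way for a virtual host and for a TargetEndpoint. The following Python is an added example, not code from the article or from Apigee: it parses either XML document, replaces the Protocols list, and reports whether SSLv3 could still be negotiated (an empty Protocols element falls back to the JVM defaults). The sample XML is constructed from the article's virtual host; the curl calls that fetch and post the definition are left to the steps above.

```python
# Added example (not Apigee's code): pin the TLS <Protocols> in an SSLInfo
# block. Works for both a VirtualHost and a TargetEndpoint
# <HTTPTargetConnection>, since both carry the same <SSLInfo> structure.
import xml.etree.ElementTree as ET

# Constructed sample based on the article's secure virtual host. The empty
# <Protocols/> means "whatever the JVM supports", which may include SSLv3.
VHOST_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VirtualHost name="secure">
    <HostAliases><HostAlias>example-prod.apigee.net</HostAlias></HostAliases>
    <Interfaces/>
    <Port>443</Port>
    <SSLInfo>
        <Ciphers/>
        <ClientAuthEnabled>false</ClientAuthEnabled>
        <Enabled>true</Enabled>
        <IgnoreValidationErrors>false</IgnoreValidationErrors>
        <KeyAlias>freetrial</KeyAlias>
        <KeyStore>freetrial</KeyStore>
        <Protocols/>
    </SSLInfo>
</VirtualHost>
"""

def configured_protocols(xml_text):
    """Names under SSLInfo/Protocols; an empty list means JVM defaults."""
    root = ET.fromstring(xml_text)
    return [p.text for p in root.findall(".//SSLInfo/Protocols/Protocol")]

def allows_sslv3(xml_text):
    """True if SSLv3 could still be negotiated: listed explicitly, or
    nothing pinned (the JVM default on older JDKs may include SSLv3)."""
    protos = configured_protocols(xml_text)
    return not protos or "SSLv3" in protos

def set_protocols(xml_text, protocols):
    """Return the document with SSLInfo/Protocols replaced by `protocols`."""
    root = ET.fromstring(xml_text)
    sslinfo = root.find(".//SSLInfo")
    if sslinfo is None:
        raise ValueError("no <SSLInfo> element in document")
    old = sslinfo.find("Protocols")
    if old is not None:
        sslinfo.remove(old)      # drop the empty or stale list
    protos = ET.SubElement(sslinfo, "Protocols")
    for name in protocols:
        ET.SubElement(protos, "Protocol").text = name
    return ET.tostring(root, encoding="unicode")
```

ElementTree drops the XML declaration on output; the management API accepts the body without it, so the returned string can be written to vhost.xml and posted as in step 3.
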
Comments
Not applicable

@Janice Hunt "Also, JDK 8 is required for supporting the TLSv1.2 protocol and Apigee Edge version 4.15.01 and older does not currently support JDK 8"

Are you saying that we don't support TLSv1.2? And what about Apigee Edge version 4.15.04?

sarthak
New Member

@Janice Hunt Can you please clarify regarding TLS 1.2? According to this article it looks like we can support TLS 1.2, but this article makes me believe we don't?

adas
New Member

TLS1.2 is supported as long as you are running on Java 7. Customers on 1501 may not have Java 7 unless they upgraded the Java version later on after the OPDK install. For 1504 and onwards this should be fine.

cfrias
New Member

In addition, we can also add TLSv1.1 and TLSv1.2 for protocols.

Version history
Last update: 04-10-2015 02:22 PM