How to configure management-server to serve only SSL communication


I am able to configure the management-server to be accessible on both http and https.

So now I have this management-server apis accessible over HTTPS

https://192.168.33.21:8443/v1/servers

I would like to turn off management-server apis access over HTTP.

http://192.168.33.21:8080/v1/servers

My questions:

1> Is modifying the /opt/apigee4/conf/apigee/management-server/webserver.properties file property http.turn.off=true the correct thing to do?

2> Which components will be affected?

3> As per the documentation, Router, Message Processor, UI, Postgres, and Qpid need access to port 8080 (http communication port) on management-server.

4> How do I change/instruct all the above components to use the HTTPS URL?

5> Will it need a certificate installed somewhere other than the cacerts if using self-signed certs?

6> Any other components call the API Manager’s APIs on 8080? I couldn’t find this info in the Operations Guide. Thanks,

Aravind

--SF908841--


Hello Aravind,

1> Is modifying the /opt/apigee4/conf/apigee/management-server/webserver.properties file property http.turn.off=true the correct thing to do?

Yes, that's all that is needed.

2> Which components will be affected?

Only the UI needs to be configured to use SSL for the mgmt API.

3> As per the documentation, Router, Message Processor, UI, Postgres, and Qpid need access to port 8080 (http communication port) on management-server.

Yes, but this is required only during installation/server registration. I don't think it's required during runtime/post installation.

4> How do I change/instruct all the above components to use the HTTPS URL?

Only the UI needs to be configured.

5> Will it need a certificate installed somewhere other than the cacerts if using self-signed certs?

If you do not specify a truststore, it should be fine, I think.

6> Any other components call the API Manager’s APIs on 8080? I couldn’t find this info in the Operations Guide. Thanks,

Just the UI needs to be changed.

Thank you @Mukundha Madhavan


To enable only HTTPS but not HTTP communication on management server:

  1. Modify the management-server webserver.properties in /opt/apigee4/conf/apigee/management-server/webserver.properties as per the operations guide. { Need to provide the keystore and the https port, and set http.turn.off to true }
  2. Restart management-server.
  3. Modify the UI server configuration in /opt/apigee4/share/ui/conf/apigee.conf. { Need to change the apigee.analytics.baseUrl and apigee.mgmt.baseUrl values to use https and the appropriate port }
  4. Restart UI server.
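The audit below is an added example, not code from this thread or from Apigee: it checks the two files that steps 1 and 3 change, so that the HTTP listener is only turned off once the UI already points at the HTTPS URL. The file paths and the property names http.turn.off, apigee.mgmt.baseUrl and apigee.analytics.baseUrl come from the steps above; that both files are plain key=value lines, and the sample file contents, are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Apigee). Audits the management-server
# webserver.properties and the UI apigee.conf before the services are restarted.
# Assumption: both files are key=value lines (quotes around values tolerated).

# Print the last value of KEY in a key=value file, ignoring comments and quotes.
prop_get() {
  awk -v k="$2" -F= '
    /^[[:space:]]*#/ { next }
    { key=$1; sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key) }
    key == k {
      v=substr($0, index($0, "=") + 1)
      sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
      sub(/^"/, "", v); sub(/"$/, "", v)
      print v
    }' "$1" | tail -n 1
}

# Succeeds only when http.turn.off=true, i.e. the 8080 HTTP listener is off (step 1).
mgmt_https_only() { [ "$(prop_get "$1" http.turn.off)" = "true" ]; }

# Succeeds only when both UI base URLs are https:// (step 3). After step 1 an
# http:// value here leaves the UI unable to reach the management API at login.
ui_uses_https() {
  for key in apigee.mgmt.baseUrl apigee.analytics.baseUrl; do
    case "$(prop_get "$1" "$key")" in
      https://*) ;;
      *) echo "$1: $key is not https" >&2; return 1 ;;
    esac
  done
}

# Non-zero exit means: do not restart yet, the two files disagree on HTTPS.
audit() {
  mgmt_https_only "$1" && ui_uses_https "$2" && echo "OK: HTTPS-only mgmt and https UI URLs"
}

# Constructed sample files standing in for the real ones under /opt/apigee4.
SAMPLES=$(mktemp -d)
printf '%s\n' '# before step 1' 'http.turn.off=false' > "$SAMPLES/webserver.before"
printf '%s\n' 'http.turn.off = true' > "$SAMPLES/webserver.after"
printf '%s\n' 'apigee.mgmt.baseUrl="http://192.168.33.21:8080"' \
  'apigee.analytics.baseUrl="http://192.168.33.21:8080"' > "$SAMPLES/ui.before"
printf '%s\n' 'apigee.mgmt.baseUrl="https://192.168.33.21:8443"' \
  'apigee.analytics.baseUrl="https://192.168.33.21:8443"' > "$SAMPLES/ui.after"

audit "$SAMPLES/webserver.after" "$SAMPLES/ui.before" || echo "UI still on HTTP: fix step 3 first"
audit "$SAMPLES/webserver.after" "$SAMPLES/ui.after"
```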


@Arvind,

Thanks for posting my support case here

@All,

What about the portal? As far as I know it points to the management server's API.

Thanks


Regarding the UI, after setting the 2 URL properties to HTTPS in the apigee.conf, I get this stack trace.

[info] play - Application started (Prod)
[info] play - Listening for HTTP on /0:0:0:0:0:0:0:0:9000
[error] play - Cannot invoke the action, eventually got an error: java.net.ConnectException: General SSLEngine problem to https://chbs-dev-api-manager.app.dev.nibr.novarti...
[error] application - ! @6nkdif3d9 - Internal server error, for (POST) [/login] ->
play.api.Application$$anon$1: Execution exception[[ConnectException: General SSLEngine problem to https://chbs-dev-api-manager.app.dev.nibr.novarti...
    at play.api.Application$class.handleError(Application.scala:296) ~[com.typesafe.play.play_2.11-2.3.4.jar:2.3.4]
    at play.api.DefaultApplication.handleError(Application.scala:402) [com.typesafe.play.play_2.11-2.3.4.jar:2.3.4]
    at play.core.server.netty.PlayDefaultUpstreamHandler$$anonfun$3$$anonfun$applyOrElse$4.apply(PlayDefaultUpstreamHandler.scala:320) [com.typesafe.play.play_2.11-2.3.4.jar:2.3.4]
    at play.core.server.netty.PlayDefaultUpstreamHandler$$anonfun$3$$anonfun$applyOrElse$4.apply(PlayDefaultUpstreamHandler.scala:320) [com.typesafe.play.play_2.11-2.3.4.jar:2.3.4]
    at scala.Option.map(Option.scala:145) [org.scala-lang.scala-library-2.11.1.jar:na]
Caused by: java.net.ConnectException: General SSLEngine problem to https://chbs-dev-api-manager.app.dev.nibr.novarti...
    at com.ning.http.client.providers.netty.NettyConnectListener.operationComplete(NettyConnectListener.java:103) ~[com.ning.async-http-client-1.8.8.jar:na]
    at org.jboss.netty.channel.DefaultChannelFuture.notifyListener(DefaultChannelFuture.java:431) ~[io.netty.netty-3.9.3.Final.jar:na]
    at org.jboss.netty.channel.DefaultChannelFuture.notifyListeners(DefaultChannelFuture.java:417) ~[io.netty.netty-3.9.3.Final.jar:na]
    at org.jboss.netty.channel.DefaultChannelFuture.setFailure(DefaultChannelFuture.java:384) ~[io.netty.netty-3.9.3.Final.jar:na]
    at org.jboss.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1569) ~[io.netty.netty-3.9.3.Final.jar:na]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1348) ~[na:1.7.0_85]
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:519) ~[na:1.7.0_85]
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:796) ~[na:1.7.0_85]
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:764) ~[na:1.7.0_85]
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[na:1.7.0_85]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.7.0_85]
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1703) ~[na:1.7.0_85]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:281) ~[na:1.7.0_85]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273) ~[na:1.7.0_85]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1469) ~[na:1.7.0_85]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385) ~[na:1.7.0_85]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)

I used the SSLPoke utility

java -Djavax.net.ssl.trustStore=/apps/apigee4/keystore/api-manager-dev-ssl-keystore.jks SSLPoke chbs-dev-api-manager.app.dev.nibr.novartis.net 8443

as described

https://confluence.atlassian.com/display/KB/Unable...

The question is, where do I add

-Djavax.net.ssl.trustStore=/apps/apigee4/... in the UI start scripts or commands?

Or alternatively, where to configure the trust store or put the certificate?

Thanks

@Codrin Bucur Are you using a self-signed cert on management-server? In my case I imported the self-signed cert into my Java default keystore on the host running the UI service.

[host1]$ cd `which java | xargs readlink -f | xargs dirname`/../jre/lib/security # cd to the Java cacerts folder

[host1]$ sudo cp cacerts cacerts_java_oob # take a backup of the Java out-of-the-box cacerts

[host1]$ sudo `which java | xargs readlink -f | xargs dirname`/../jre/bin/keytool -keystore cacerts -importcert -alias localEvnCert -file /home/vagrant/myEnvCerts/certificate.crt # import the self-signed cert into the Java out-of-the-box keystore (the file is named cacerts; keytool prompts for the keystore password)

After importing my self-signed cert into the cacerts, I find the UI to management-server connection to be working fine.


It is not self-signed.

@Codrin Bucur Looks like you need to explicitly trust the cert, even when it is a CA-signed cert, to have this one working. Please follow the steps outlined here to trust the cert in the Java truststore.

[host1]$ cd `which java | xargs readlink -f | xargs dirname`/../jre/lib/security # cd to the Java cacerts folder

[host1]$ sudo cp cacerts cacerts_java_oob # take a backup of the Java out-of-the-box cacerts

[host1]$ sudo `which java | xargs readlink -f | xargs dirname`/../jre/bin/keytool -keystore cacerts -importcert -alias localEvnCert -file /home/vagrant/myEnvCerts/certificate.crt # import the cert into the Java out-of-the-box keystore (the file is named cacerts; keytool prompts for the keystore password)