One-way SSL using truststore to connect to target endpoint timing out


We are trying to implement one-way SSL from an Apigee Edge proxy to the target endpoint. We created a truststore, uploaded the individual .pem files, and mentioned the truststore name in the target endpoint HTTP connection SSL info, as described in http://docs.apigee.com/api-services/content/keystores-and-truststores.

When we try to access the proxy endpoint, the target endpoint flow is timing out with error message "503 Service unavailable".

{"fault":{"detail":{"errorcode":"messaging.adaptors.http.flow.ServiceUnavailable"},"faultstring":"The Service is temporarily unavailable"}}

Should the message processor in the cloud environment be restarted when a new keystore or truststore is created?


sarthak
Participant V
@Gokulakrishnan

No, no restart of MPs is needed.

I would assume the service is just not reachable? Maybe it is blocked by a firewall? Need IP-based whitelisting?

Dear @Gokulakrishnan,

Yes, the message processors associated with your org have to be restarted when a new keystore or truststore is created, or even if the existing keystore/truststore is updated with new certificates. Can you please provide the org and environment names?

Regards,

Amar

Thanks @AMAR DEVEGOWDA. Is this requirement documented? Where?

@Dino and @sgilson,

On a couple of issues that I had worked on some time back, I had to restart the Message Processors to get the new keystore picked up. It is possible that it might be very few cases where we had to do this. But I suggested this so that we don't rule that out totally.

Having said that, I understand that there have been many improvements related to Keystore/Truststore areas in Edge code in the last few months. So it would be better to do some testing before we conclude whether the restart of MPs is required or not for Keystore/Truststore creation. In fact, we should also re-check whether it is required to do the restart of MPs for keystore updates or not.

Once we have sufficient information, we can make appropriate modifications to the docs, if required.

sgilson
Participant V

I have never heard that you have to restart MPs when you create a keystore/truststore, but when you update one it is doc'd that you have to restart them:

http://docs.apigee.com/api-services/content/update-or-replace-ssl-certificate

I'll look into the creation issue.

Stephen
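
The two explanations raised in this thread (the target is not reachable at the network level, or the truststore contents are the problem) can be told apart by probing the target in two phases. The following is an added example, not code from the thread or from Apigee; the function name `probe_one_way_tls`, the host `backend.example.com` and the file `truststore-chain.pem` are hypothetical.

```python
import socket
import ssl


def probe_one_way_tls(host, port, ca_file=None, timeout=5.0):
    """Return (status, detail) for a one-way TLS attempt that trusts only ca_file.

    status: tcp_unreachable | tls_untrusted | tls_handshake_failed | ok
    ca_file is a PEM bundle holding the same certificates that were uploaded
    to the truststore; None means an empty truststore (nothing is trusted).
    """
    # One-way TLS: the client verifies the server and presents no certificate.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)

    # Phase 1: plain TCP. A failure here is DNS, routing, a firewall or IP
    # allow-listing, and no truststore change can fix it.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp_unreachable", f"{type(exc).__name__}: {exc}"

    # Phase 2: TLS handshake, validating the server chain against ca_file only.
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", f"{tls.version()}, peer verified against {ca_file}"
    except ssl.SSLCertVerificationError as exc:
        # The chain does not end in a certificate from ca_file, or the
        # certificate name does not match host.
        return "tls_untrusted", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        # The peer answered on TCP but is not speaking usable TLS.
        return "tls_handshake_failed", f"{type(exc).__name__}: {exc}"
    finally:
        sock.close()


if __name__ == "__main__":
    # Hypothetical target and bundle path; replace with your own values.
    print(probe_one_way_tls("backend.example.com", 443, "truststore-chain.pem"))
```

A probe run from your own host does not exercise the network path from the gateway to the target, so `ok` here rules out the certificates but not a firewall rule that applies only to the gateway's source addresses.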