Configuring Edge Management API TLS


Hi Everyone

I have enabled TLS on the Edge Management API as explained in the documentation. However, after turning off the Management API web server HTTP port:

conf_webserver_http.turn.off=true

I can see the Edge UI API Calls are failing.


I can see Apigee explicitly mentioned that this causes an issue, due to HTTP traffic towards this component. However, due to our security requirements, I need to turn off all HTTP traffic across my Edge components, including CS, ZK and UI, Router, MP and Management.

Please share your experience with me on this topic.

Thank you


adas
Participant V

@Reza Motevallizadeh Did you change your UI config to point to https:// instead of http?

You need to update the following property in apigee.conf file:

apigee.mgmt.baseUrl="https://mgmtIP:443/v1"

If you look at the browser's console, you might be able to see what the actual error is. Looking at the error, it seems that your UI is able to talk to the management server just fine, but the issue seems to be related to users and userroles, which come from LDAP. So, if you can get the management server logs, it would be helpful.

Thanks for the comment; the apigee.conf was incorrect.

I am using a self-signed certificate and I am getting an SSL engine error.

The issue is about the API calls from the UI to Edge, and I can see every call is failing.


Updated the apigee.conf and it looks like the call is going to the HTTPS port configured on Edge.

I am using the self-signed cert and getting the following error message; not sure if I can set an option to ignore the SSL error.

[root@ip-10-160-139-176 conf]# apigee-service edge-ui start
The file conf/apigee.conf was changed,
New:
New: apigee.mgmt.baseurl="https://10.160.139.176:9443/v1"

The file conf/apigee.conf was changed,
New:
New: apigee.mgmt.baseurl="https://10.160.139.176:9443/v1"

apigee-configutil: edge-ui: # OK
apigee-configutil: edge-ui: # OK
apigee-service: edge-ui: Not running (NO_LOCKFILE)
apigee-service: edge-ui: status=2, continuing
# in pid 12714, pgrp=12633 -> 12714
Play server process ID is 12714
apigee-service: edge-ui: OK
apigee-service: edge-ui: edge-ui is running
[root@ip-10-160-139-176 conf]# [info] play - Application started (Prod)
[info] play - Listening for HTTPS on port /0:0:0:0:0:0:0:0:7777

[root@ip-10-160-139-176 conf]#

! @70jh1k4kb - Internal server error, for (GET) [/ws/proxy/organizations/nonprod/apis/?includeRevisions=true&includeMetaData=true] ->

play.api.Application$$anon$1: Execution exception[[ConnectException: General SSLEngine problem to https://10.160.139.176:9443/v1/organizations/nonprod/apis?includeMetaData=true&includeRevisions=true]]
        at play.api.Application$class.handleError(Application.scala:296) ~[com.typesafe.play.play_2.11-2.3.10.jar:2.3.10]
        at play.api.DefaultApplication.handleError(Application.scala:402) [com.typesafe.play.play_2.11-2.3.10.jar:2.3.10]
        at play.core.server.netty.PlayDefaultUpstreamHandler$$anonfun$3$$anonfun$applyOrElse$4.apply(PlayDefaultUpstreamHandler.scala:320) [com.typesafe.play.play_2.11-2.3.10.jar:2.3.10]
        at play.core.server.netty.PlayDefaultUpstreamHandler$$anonfun$3$$anonfun$applyOrElse$4.apply(PlayDefaultUpstreamHandler.scala:320) [com.typesafe.play.play_2.11-2.3.10.jar:2.3.10]
        at scala.Option.map(Option.scala:145) [org.scala-lang.scala-library-2.11.1.jar:na]
Caused by: java.net.ConnectException: General SSLEngine problem to https://10.160.139.176:9443/v1/organizations/nonprod/apis?includeMetaData=true&includeRevisions=true
        at com.ning.http.client.providers.netty.NettyConnectListener.operationComplete(NettyConnectListener.java:104) ~[com.ning.async-http-client-1.8.15.jar:na]
        at org.jboss.netty.channel.DefaultChannelFuture.notifyListener(DefaultChannelFuture.java:431) ~[io.netty.netty-3.9.9.Final.jar:na]
        at org.jboss.netty.channel.DefaultChannelFuture.notifyListeners(DefaultChannelFuture.java:417) ~[io.netty.netty-3.9.9.Final.jar:na]
        at org.jboss.netty.channel.DefaultChannelFuture.setFailure(DefaultChannelFuture.java:384) ~[io.netty.netty-3.9.9.Final.jar:na]
        at org.jboss.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1578) ~[io.netty.netty-3.9.9.Final.jar:na]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431) ~[na:1.8.0_91]

The API calls are failing due to the SSL error.


Hi @Reza Motevallizadeh

This is an issue with self-signed certs: the Play WS proxy will not call an upstream HTTPS endpoint without it passing SSL validation. To skip the SSL validation, you need to add the following property to application.conf in edge-ui to make it work:

ws.acceptAnyCertificate=true

To add this property, follow the below steps:

1. cd /opt/apigee/customer/application

2. Create a file called ui.properties (make sure it is owned by the 'apigee:apigee' user)

3. Add conf/application.conf+ws.acceptAnyCertificate=true in ui.properties file and save it

4. Restart the edge-ui using apigee-service (apigee-service edge-ui restart)

Hope this helps.

Thanks,

Archendra
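The two settings discussed in this thread (the https:// apigee.mgmt.baseUrl from adas's reply and the ui.properties override from the steps above) can be applied and checked from a small POSIX shell script. The script below is an added example, not Apigee's own tooling: APIGEE_ROOT, the function names and the constructed sample values are assumptions, and the property it writes is the one the reply names, which disables upstream certificate validation for the UI's calls to the management server. It refuses a non-https management URL so the UI cannot silently keep using the HTTP port that conf_webserver_http.turn.off=true has closed, and it only appends the override line once, so re-running it is safe.

```shell
#!/bin/sh
# Added example (not Apigee's code). APIGEE_ROOT defaults to /opt/apigee but can
# be pointed at a scratch directory, so the functions are testable off-host.
set -eu

: "${APIGEE_ROOT:=/opt/apigee}"

# Return 0 if a management base URL uses https://, 1 otherwise.
mgmt_baseurl_is_https() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print the unquoted value of apigee.mgmt.baseUrl from an apigee.conf-style
# file (key="value" lines); prints nothing when the key is absent.
read_mgmt_baseurl() {
    sed -n 's/^[[:space:]]*apigee\.mgmt\.baseUrl[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p' "$1" | head -n 1
}

# Append one "conf/<file>+<key>=<value>" override line to ui.properties
# (creating the file if needed) unless the exact line is already there.
add_ui_override() {
    override="$1"
    dir="$APIGEE_ROOT/customer/application"
    file="$dir/ui.properties"
    mkdir -p "$dir"
    touch "$file"
    if grep -qxF "$override" "$file"; then
        return 0
    fi
    printf '%s\n' "$override" >> "$file"
    # ui.properties must be owned by apigee:apigee; only attempt the chown
    # when that account exists (it will not on a developer or CI host).
    if id apigee >/dev/null 2>&1; then
        chown apigee:apigee "$file"
    fi
}

# Print how many times an override line appears (0 if the file is missing);
# used to confirm the function above is idempotent.
count_ui_override() {
    file="$APIGEE_ROOT/customer/application/ui.properties"
    [ -f "$file" ] || { echo 0; return 0; }
    grep -cxF "$1" "$file" || true
}

# Typical use on an Edge host, with the values from this thread:
#   url=$(read_mgmt_baseurl "$APIGEE_ROOT/customer/application/apigee.conf")
#   mgmt_baseurl_is_https "$url" || { echo "baseUrl must be https://" >&2; exit 1; }
#   add_ui_override 'conf/application.conf+ws.acceptAnyCertificate=true'
#   apigee-service edge-ui restart
```

Run the check before the restart step, because a baseUrl that still says http:// will fail the moment the management server's HTTP port is off, and the UI error will not tell you which of the two settings is wrong.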

Thank you again. Working well.

sgilson
Participant V

I have added these steps to the doc here:

http://docs.apigee.com/api-services/latest/configuring-ssl-management-api

Stephen