Configuring Edge UI TLS


Hi Everyone

I have configured the Edge UI to listen on TLS port 9443 and also disabled HTTP traffic to port 9000, but I have the following questions which I couldn't find answered in my Apigee OPS manual:

1- The Edge UI service fails when I try to use the standard HTTPS port 443:

[info] play - Application started (Prod)
Oops, cannot start the server.
org.jboss.netty.channel.ChannelException: Failed to bind to: /0.0.0.0:443
        at org.jboss.netty.bootstrap.ServerBootstrap.bind(ServerBootstrap.java:272)
        at play.core.server.NettyServer$$anonfun$9.apply(NettyServer.scala:147)
        at play.core.server.NettyServer$$anonfun$9.apply(NettyServer.scala:144)
        at scala.Option.map(Option.scala:145)
        at play.core.server.NettyServer.<init>(NettyServer.scala:144)
        at play.core.server.NettyServer$.createServer(NettyServer.scala:252)
        at play.core.server.NettyServer$$anonfun$main$3.apply(NettyServer.scala:289)
        at play.core.server.NettyServer$$anonfun$main$3.apply(NettyServer.scala:284)
        at scala.Option.map(Option.scala:145)
        at play.core.server.NettyServer$.main(NettyServer.scala:284)
        at play.core.server.NettyServer.main(NettyServer.scala)
Caused by: java.net.SocketException: Permission denied
        at sun.nio.ch.Net.bind0(Native Method)
        at sun.nio.ch.Net.bind(Net.java:433)
        at sun.nio.ch.Net.bind(Net.java:425)
        at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:223)
        at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
        at org.jboss.netty.channel.socket.nio.NioServerBoss$RegisterTask.run(NioServerBoss.java:193)
        at org.jboss.netty.channel.socket.nio.AbstractNioSelector.processTaskQueue(AbstractNioSelector.java:391)
        at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:315)
        at org.jboss.netty.channel.socket.nio.NioServerBoss.run(NioServerBoss.java:42)
        at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
        at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)

2- The path shown in the Apigee Ops manual is not valid, and the http-key.conf doesn't exist.

Reference: 
http://docs.apigee.com/api-services/latest/configuring-ssl-management-ui


The script encrypts that password and stores it, along with the other TLS configuration information, to the file named https-key.conf in the /<install_dir>/apigee/share/ui/conf directory on the Management Server node.


3- The documentation doesn't say whether there is an option for silent configuration, or how to roll back this modification (back to HTTP only).

Thanks for your comments in advance.


Not applicable

Hi there!

Please find the comments inline:

1. The Edge UI service fails when I try to use the standard HTTPS port 443

On Unix systems, ports below 1024 (IIRC) can only be used by privileged processes. Given that the edge-ui process is owned by the 'apigee' user, hence the issue. You should be able to achieve this in several ways: change the run user to 'root', have a reverse proxy doing the magic, or have iptables port forwarding, etc.

2. The path shown in the Apigee Ops manual is not valid and the http-key.conf doesn't exist

You are right. We'll have the documentation corrected to capture the right information. If you want to see what changed when you enable SSL, look at the properties below:

1. /opt/apigee/edge-ui/conf/apigee-base.conf (you will see apigee.feature.useHTTPS="true")

2. /opt/apigee/etc/edge-ui.d/SSL.sh

FYI, @Floyd Jones

3. The documentation doesn't say whether there is an option for silent configuration, or how to roll back this modification (only HTTP)

You are right. You can use the silent-conf to set up edge-ui SSL. You need to add the following contents to your silent-conf:

HTTPSPORT=9443
DISABLE_HTTP=y
KEY_ALGO=JKS
KEY_FILE_PATH=/tmp/mykeystore.jks
KEY_PASS=xxxxxx

and then use: /<inst_root>/apigee/apigee-service/bin/apigee-service edge-ui configure-ssl -f silent-conf

We'll have the procedure documented to revert it back to HTTP as well.

Hope this helps.

Thanks,

Archendra
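A pre-flight check for the silent-conf approach described in the answer above, as an added example that is not from the thread or from Apigee: it writes the five keys the answer lists, refuses a privileged port (the exact bind failure from the question) and a missing keystore, and creates the file mode 0600 because it carries the keystore password. The function name write_edge_ui_ssl_conf is my own; the keystore path and port are the placeholders from the answer.

```shell
#!/bin/sh
# Added example, not Apigee's own tooling. Writes a silent-conf for
#   apigee-service edge-ui configure-ssl -f <file>
# and rejects settings that reproduce the failure discussed in the thread.
#
# Usage: write_edge_ui_ssl_conf <out_file> <https_port> <keystore_path> <keystore_password>
# Returns 0 after writing the file, or non-zero with a reason on stderr.
write_edge_ui_ssl_conf() {
    out="$1"; port="$2"; keystore="$3"; pass="$4"

    # HTTPSPORT must be an integer in the TCP port range.
    case "$port" in
        ''|*[!0-9]*) echo "HTTPSPORT must be numeric: '$port'" >&2; return 2 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "HTTPSPORT out of range: $port" >&2; return 2; }

    # Ports below 1024 need root (or CAP_NET_BIND_SERVICE). edge-ui runs as
    # the 'apigee' user, so 443 here yields "Failed to bind to: /0.0.0.0:443 /
    # Permission denied". Keep a port >= 1024 and expose 443 on the load
    # balancer or via an iptables REDIRECT, as the answers suggest.
    if [ "$port" -lt 1024 ]; then
        echo "HTTPSPORT $port is privileged; use a port >= 1024 and front it with a LB or iptables redirect" >&2
        return 3
    fi

    # configure-ssl reads the keystore, so fail early if it is not there.
    [ -r "$keystore" ] || { echo "keystore not readable: $keystore" >&2; return 4; }

    # KEY_PASS is clear text: create the file 0600 (umask in a subshell so
    # the caller's umask is untouched).
    (
        umask 077
        cat > "$out" <<EOF
HTTPSPORT=$port
DISABLE_HTTP=y
KEY_ALGO=JKS
KEY_FILE_PATH=$keystore
KEY_PASS=$pass
EOF
    )
}
```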


@archendra Is there a similar guideline to set up TLS/SSL for the BaaS portal?

and I guess the comment of

...achieve this using the several ways, change the run user to 'root' or have a reverse proxy doing the magic or have iptables port forwarding, etc

...refers to this kind of thing:

sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 9443

Like this.

As described above, 443 is a privileged port. If you use it you require root to start the processes, and you want to avoid that. You can use 9443 on the UI and expose it via 443 on the Load Balancer.

Not applicable

Where can we find the procedure to revert it back to HTTP?

michaelveit

I know that your post is quite old, but I still ran into the very same issue.

Using another port (e.g. 29443) works well with the config; only the standard HTTPS port 443 causes this issue. Might help you or anyone else in further analysis.

In another post, I found a Linux restriction:

You need to be root (superuser) to bind to ports under 1024. That's why 9443 works, but 443 doesn't.

https://serverfault.com/questions/610117/failed-to-bind-to-0-0-0-0443

In the Apigee documentation, they mention how to use port 443:

https://docs.apigee.com/private-cloud/v4.19.06/configuring-ssl-management-ui

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 9443