How can I add a cert to the trust store of the Apigee UI?

I get an error when I import a WSDL from an HTTPS endpoint saying 'peer not verified'. Looks like the truststore in the UI needs to be configured to accept this cert. How can I do it? This is an on-prem deployment.

UPDATE: It looks like UI has a different truststore than the runtime

Thanks,

Mukundha

1 ACCEPTED SOLUTION

@Mukundha Madhavan - Have you resolved this problem?

I can use a custom cert on a secure virtual host in Apigee Edge.

I have the keystore set up properly and can successfully invoke APIs on that vhost, using curl from an external client, as long as I configure curl to trust that certificate.

To configure the Trace UI to trust the cert, I needed to add it to the list of certs trusted by the OS, on the server where edge-ui is running. For RHEL >=6 and CentOS >=6, this means:

 sudo yum install ca-certificates
 sudo update-ca-trust force-enable
 sudo cp mycert.pem /etc/pki/ca-trust/source/anchors/
 sudo update-ca-trust extract
 /opt/apigee/apigee-service/bin/apigee-service edge-ui restart

I did this on 16.09, and it worked nicely.
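
To confirm that the copy and extract steps above took effect before restarting edge-ui, here is an added example (not part of the original answer) that checks whether a certificate is present in an extracted CA bundle. It assumes the standard RHEL/CentOS output file /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm a PEM certificate landed in an extracted CA bundle.
# It compares the encoded certificate bodies; it does not validate the
# certificate itself (expiry, CA flag, chain).

# Print the base64 body of every certificate in a PEM file, one per line,
# ignoring comments and any text outside the BEGIN/END markers.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# Return 0 if every certificate in $1 appears in bundle $2,
# 1 if any is missing, 2 if $1 contains no certificate at all.
pem_in_bundle() {
    wanted=$(pem_bodies "$1")
    [ -n "$wanted" ] || return 2
    have=$(pem_bodies "$2")
    for b in $wanted; do
        printf '%s\n' "$have" | grep -Fqx -- "$b" || return 1
    done
    return 0
}

# Usage (bundle path is the assumed RHEL/CentOS default):
#   sh check_anchor.sh mycert.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
if [ "$#" -eq 2 ]; then
    pem_in_bundle "$1" "$2"; rc=$?
    case $rc in
        0) echo "OK: $1 is present in $2" ;;
        1) echo "MISSING: $1 is not in $2; re-run update-ca-trust extract" >&2 ;;
        2) echo "ERROR: no certificate found in $1" >&2 ;;
    esac
    exit "$rc"
fi
```

Because line wrapping is normalized before comparison, a certificate wrapped at a different column in the bundle still matches.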

5 REPLIES

@Mukundha,

Have you reviewed http://apigee.com/docs/api-services/content/configuring-ssl-edge-backend-service - this, of course, highlights the connectivity to the backend.

Does http://apigee.com/docs/api-services/content/keystores-and-truststores#createatruststore show you how you can update the truststore?

Thanks Rajeev, yeah I looked at the docs, but this is for the UI. I don't have problems at runtime, only during the import. So it looks like the UI maintains a different truststore.

This helped @Dino Thanks!!

Edge UI fails with this error message, as there isn't any option in the documentation to configure the truststore used by Edge UI when opening SSL tunnel to management server:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This was expected, as we need to provide the truststore provided by our company, we cannot use the standard JDK truststores.

Trying to import our certificate chain to the Java cacerts, keytool tells us that it's already present.

Any option to configure truststores for Edge UI?

We use Apigee 4.19.01.00.