In the docs:
http://docs.apigee.com/private-cloud/latest/configuring-ssl-between-router-and-message-processor
it explains how to enable TLS encryption between a Router and the Message Processor but does not explain why or when this is necessary.
In a topology where the Router and the Message Processor are on the same node, is this necessary?
In such a topology, are the R and MP talking to each other via a localhost address, and if so, does this mean that traffic will go via the loopback device? As such there is no risk of a packet capture on another host from picking up this traffic 'in the clear'.
I would also point out that none of the topologies mentioned in the docs have R and MP on different nodes so there must be a reason for enabling TLS that I'd like to understand:
http://docs.apigee.com/private-cloud/latest/installation-topologies
I think your premise is not valid. You wrote:
In a topology where the Router and the Message Processor are on the same node, is this necessary?
Have you had a chance to look at the port diagram - http://docs.apigee.com/private-cloud/latest/installation-requirements#hardwarerequirements ? In general, the R and MP communicate on more than local loopback. In typical installations we do not recommend just a single R + MP, and as you expand number of R's and MP's they communicate with each other, obviously across the network.
Therefore your question is moot. There is a need to secure the R -> MP link with TLS.
Hope this explains better for you. I'm more than happy to add more details if needed.
@Rohan Cragg as Christin mentioned above, a typical Edge installation will have two or more Routers and Message Processors (MP). Routers will be sending traffic to all available MPs on the Gateway Pod. So not all traffic will be local within the same machine.
TLS between Router and MP can be enabled if you have requirements for end-to-end (Client > LB > Router > MP > Backend) encryption. The requirement will be driven by your security practices, adherence to certifications and/or regulatory constraints.
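An added check, not part of the thread above or of the Apigee docs, for the concrete question the original post asks (does the R -> MP hop actually stay on the loopback device?). The script classifies each listener on the Message Processor's Router-facing port by its bind address, using the layout of `ss -ltn` output. It assumes that port is 8998 (confirm against the port diagram linked in the answer above); the listener table embedded below is constructed for illustration, not captured from a real node.

```shell
#!/bin/sh
# Added example (not from the Apigee docs or the thread above).
# A listener bound only to 127.0.0.1 or ::1 is reachable via loopback only;
# a listener bound to 0.0.0.0, ::, * or a routable address is reachable from
# other hosts, so Router -> MP traffic over it crosses the network and is
# observable in the clear unless TLS is enabled on that link.

# Assumed Router-facing MP port (verify against the installation port diagram).
MP_PORT=8998

# Constructed sample in the layout of `ss -ltn` (not captured from a real node).
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8998       0.0.0.0:*
LISTEN 0      128    0.0.0.0:8081         0.0.0.0:*
LISTEN 0      128    [::1]:8998           [::]:*
LISTEN 0      128    10.0.1.15:8998       0.0.0.0:*'

# bind_scope ADDR -> prints "loopback" or "network"
bind_scope() {
  case "$1" in
    127.*|"[::1]"|::1) echo loopback ;;
    *) echo network ;;   # 0.0.0.0, ::, *, and any routable address
  esac
}

# listeners_on_port PORT TEXT -> one "<addr> <scope>" line per listener on PORT
listeners_on_port() {
  port=$1
  printf '%s\n' "$2" | awk -v p="$port" '
    $1 == "LISTEN" {
      n = split($4, parts, ":")            # text after the last ":" is the port
      if (parts[n] == p) {
        # strip ":<port>" to recover the address, keeping IPv6 brackets intact
        print substr($4, 1, length($4) - length(parts[n]) - 1)
      }
    }' | while read -r addr; do
      printf '%s %s\n' "$addr" "$(bind_scope "$addr")"
    done
}

# mp_exposed PORT TEXT -> exit 0 if any listener on PORT is reachable off-host
mp_exposed() {
  listeners_on_port "$1" "$2" | grep -q ' network$'
}

# Live check on a node (not exercised by the sample): list the MP listeners,
# then see whether the port answers a TLS handshake at all.
check_live_node() {
  listeners_on_port "$MP_PORT" "$(ss -ltn)"
  openssl s_client -connect "127.0.0.1:$MP_PORT" </dev/null 2>&1 \
    | grep -E 'Protocol|Cipher'
}

listeners_on_port "$MP_PORT" "$SAMPLE_LISTENERS"
if mp_exposed "$MP_PORT" "$SAMPLE_LISTENERS"; then
  echo "MP port $MP_PORT is reachable from other hosts: R -> MP is not loopback-only"
fi
```

On a real node, run `check_live_node` there and on every other Router or MP host; a single co-located R + MP only keeps the hop on loopback if the MP binds exclusively to a loopback address and no other Router is configured to reach it, which is exactly the multi-node case the answers above say a typical installation has.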