How to specify additional jvm option parameters for Message Processor?

taka-t

Hi All,

We want to customize the JVM options of the Message Processor, because we need to specify a truststore other than the default.

We can edit the start script directly, but it's not good.

Are there any other ways to do it, by editing customer/application properties for example?

Regards,

Takashima


Could you elaborate on your use case? Why do you want to specify a different trust store?

There are other ways to configure trust stores which are used by Message Processors in the API invocation flow.

Do your APIs need to invoke Target APIs over HTTPS and you need to add CAs to your trust store?

Knowing more about your use case will help you get a suitable answer.

Hi @rmishra,

What I want to do is to add a CA certificate for syslog through TLS using the MessageLogging policy.

To achieve it, we have to make the JVM load the truststore that contains the CA certificate for those syslog destination nodes. So, we add the "-Djavax.net.ssl.trustStore" JVM option directly to the start script of the MP.

Regards,

Takashima


I am not aware if there is a specific property which will let you specify a custom TrustStore. Even if it did, unless it's "additive", you would have to end up specifying all CAs which are loaded in the default Truststore.

Have you considered?

- Importing your CA into the default Truststore? This should be the default Java cacerts. I am not sure if a Java/Apigee update will override your change. You will need to verify that.

- Running a local unsecure syslog forwarder which can work with your existing secure forwarders/receivers. This is acceptable to most Security teams since the traffic is always encrypted when it leaves the host.

Not sure if there are better solutions, but I am keen to see more answers as well.
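The "additive" concern in the reply above, as an added example that is not part of the thread or of Apigee's tooling: a small Java program that copies the JVM's default cacerts into a new truststore and adds the extra CA, so a JVM pointed at the new file still trusts the default CAs. The class name, the `syslog-ca-N` alias scheme and the command-line arguments are hypothetical, and the code assumes the stock cacerts password `changeit`.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

// Added example: builds a truststore = JVM default CAs + the CAs in one extra file.
public class MergeTrustStore {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: MergeTrustStore <extra-ca.pem> <out.jks> <out-password>");
            System.exit(2);
        }
        Path extraCa = Paths.get(args[0]);
        Path out = Paths.get(args[1]);
        char[] outPass = args[2].toCharArray();

        // Assumption: the stock cacerts file, still protected by the stock password.
        Path defaults = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(defaults)) {
            ks.load(in, "changeit".toCharArray());
        }
        int before = ks.size();

        // A PEM file may hold a chain; import every certificate in it.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int added = 0;
        try (InputStream in = Files.newInputStream(extraCa)) {
            for (Certificate c : cf.generateCertificates(in)) {
                String alias = "syslog-ca-" + added;   // hypothetical alias scheme
                if (ks.containsAlias(alias)) {
                    throw new IllegalStateException("alias already present: " + alias);
                }
                ks.setCertificateEntry(alias, c);
                added++;
            }
        }
        if (added == 0) throw new IllegalArgumentException("no certificates found in " + extraCa);

        // Write the merged store to a separate file; the default cacerts is left untouched.
        try (OutputStream os = Files.newOutputStream(out)) {
            ks.store(os, outPass);
        }
        System.out.printf("default CAs: %d, added: %d, written to %s%n", before, added, out);
    }
}
```

The output file is what `-Djavax.net.ssl.trustStore` (with `-Djavax.net.ssl.trustStorePassword`) would point at. It is a snapshot: CA changes shipped in a later Java update reach the default cacerts but not this copy, so it has to be regenerated after such updates.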

Hi @rmishra

Thanks for your inputs.

There is a function named "create_jvm_argslist" in:

/opt/apigee4/apigee/edge-message-processor-4.18.01-0.0.1553/bin/lib.sh

And it builds a "sys_props" variable which is used as system properties for MP JVM.

I just think I can customise the variable by customizing conf/system.properties.

What do you think?

Regards,

Takashima

Nothing technically wrong with that.

As you had said earlier, the general recommendation is to make changes only to /opt/apigee/customer/application properties.

But you should get some input from Apigee support by raising a ticket. When I have attempted such customizations, it's typically only after running it by someone in Apigee, knowing I have exhausted all my "regular" options. They can think through the upgrade paths and recommend other options if someone else ran into a similar problem.

Hi @rmishra,

> But you should get some input from Apigee support by raising a ticket

Well, that's true. I'll ask support first.