I'm trying to enable TLS between Routers and Message Processor by following the documentation. However, when I restart the message processor (after having deleted the router configuration files), the certificate being presented by the Message Processor is not my custom self-signed certificate, but it's an autogenerated cert by Apigee (CN=apigee.com).
When checking the logs of the MP I can see the following:

    2021-01-19 17:03:45,733 main INFO c.a.u.h.SelfSignedKeystore - SelfSignedKeystore.generateSelfSignedKeystore() : Initializing generated keystore: /opt/apigee/message-processor_tmp_1419300215736522237.jks
    2021-01-19 17:03:47,644 main INFO c.a.u.h.SelfSignedKeystore - SelfSignedKeystore.createKeystore() : created keystore: /opt/apigee/message-processor_tmp_1419300215736522237.jks
    2021-01-19 17:03:48,842 main INFO A.HTTP.CONFIGURATION - MessageProcessorHttpSkeletonFactory.configureSSL() : Instantiating Keystore of type: JKS from the location: /opt/apigee/message-processor_tmp_1419300215736522237.jks

Can anyone point me to why it is refusing to use the cert from the keystore I provided in the configuration?
Thanks!
Extra:
Configuration file for the MP:

    conf_message-processor-communication_local.http.ssl=true
    conf/message-processor-communication.properties+local.http.port=8443
    conf/message-processor-communication.properties+local.http.ssl.keystore.type=jks
    conf/message-processor-communication.properties+local.http.ssl.keystore.path=/opt/apigee/customer/application/apigee-mp-1.jks
    conf/message-processor-communication.properties+local.http.ssl.keyalias=apigee-mp-1
    # Enter the obfuscated keystore password below.
    conf/message-processor-communication.properties+local.http.ssl.keystore.password=OBF:obsPword

Answer by Piet Jacobs · Jan 29 at 01:32 PM
This was a bug within Apigee that got fixed with patch v4.50.00.06. Found it thanks to Apigee Support.
Answer by Priyadarshi Ajitav Jena · Jan 19 at 07:27 PM
I would suggest trying the options below.
Before doing anything, restart the RMPs and try. If that doesn't work, then try further.
1. Try with a keystore name without "-".
2. If that doesn't work, then try steps 4, 7 and 9 from below.
https://docs.apigee.com/private-cloud/v4.18.01/configuring-ssl-between-router-and-message-processor
Thanks for the reply. I tried all your suggestions but nothing worked. The MP still refuses to use my keystore, despite following the documentation... The logs also don't give me any further insight into why it creates its own keystore instead.
Can you try making this false? Just as a try, not sure whether it will work or not.
conf_message-processor-communication_local.http.ssl=true
Unfortunately this disables SSL completely.