Enable TLS between Router and MP - custom keystore not being used

pietjacobs
Participant II

I'm trying to enable TLS between Routers and Message Processor by following the documentation. However, when I restart the message processor (after having deleted the router configuration files), the certificate being presented by the Message Processor is not my custom self-signed certificate, but an autogenerated cert by Apigee (CN=apigee.com).

When checking the logs of the MP I can see the following:

2021-01-19 17:03:45,733  main INFO  c.a.u.h.SelfSignedKeystore - SelfSignedKeystore.generateSelfSignedKeystore() : Initializing generated keystore: /opt/apigee/message-processor_tmp_1419300215736522237.jks
2021-01-19 17:03:47,644  main INFO  c.a.u.h.SelfSignedKeystore - SelfSignedKeystore.createKeystore() : created keystore: /opt/apigee/message-processor_tmp_1419300215736522237.jks
2021-01-19 17:03:48,842  main INFO  A.HTTP.CONFIGURATION - MessageProcessorHttpSkeletonFactory.configureSSL() : Instantiating Keystore of type: JKS from the location: /opt/apigee/message-processor_tmp_1419300215736522237.jks

Can anyone point me to why it is refusing to use the cert from the keystore I provided in the configuration?

Thanks!

Extra:

Configuration file for the MP:

conf_message-processor-communication_local.http.ssl=true
conf/message-processor-communication.properties+local.http.port=8443
conf/message-processor-communication.properties+local.http.ssl.keystore.type=jks
conf/message-processor-communication.properties+local.http.ssl.keystore.path=/opt/apigee/customer/application/apigee-mp-1.jks
conf/message-processor-communication.properties+local.http.ssl.keyalias=apigee-mp-1
# Enter the obfuscated keystore password below.
conf/message-processor-communication.properties+local.http.ssl.keystore.password=OBF:obsPword
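
A log check for the symptom in the post above, as an added example that is not part of the original thread and not Apigee tooling: it compares the keystore path set in the MP properties with the path the log reports at `configureSSL()`. The function names are hypothetical; the property key and log formats are the ones quoted in the post, and the embedded sample is taken from those lines.

```python
import re

# Formats below are the ones quoted in the post; names are hypothetical.
KEYSTORE_PROP = re.compile(
    r"^(?![ \t]*#).*local\.http\.ssl\.keystore\.path=(\S+)", re.M)
LOADED = re.compile(r"configureSSL\(\) : Instantiating Keystore of type: (\S+) "
                    r"from the location: (\S+)")
GENERATED = re.compile(
    r"SelfSignedKeystore\.createKeystore\(\) : created keystore: (\S+)")


def configured_keystore(config_text):
    """Return the keystore path from uncommented MP properties, or None."""
    m = KEYSTORE_PROP.search(config_text)
    return m.group(1) if m else None


def audit(config_text, log_text):
    """Compare the configured keystore with what the MP log says it loaded."""
    expected = configured_keystore(config_text)
    generated = set(GENERATED.findall(log_text))
    loaded = [path for _, path in LOADED.findall(log_text)]
    findings = []
    for path in loaded:
        if path in generated:
            # The MP is serving TLS from a keystore it generated itself.
            findings.append(("GENERATED_KEYSTORE_IN_USE", path))
        elif expected and path != expected:
            findings.append(("UNEXPECTED_KEYSTORE", path))
    if expected and expected not in loaded:
        findings.append(("CONFIGURED_KEYSTORE_NOT_LOADED", expected))
    return findings


# Sample input built from the configuration and log lines in the post.
CONFIG = """\
conf/message-processor-communication.properties+local.http.ssl.keystore.type=jks
conf/message-processor-communication.properties+local.http.ssl.keystore.path=/opt/apigee/customer/application/apigee-mp-1.jks
"""
LOG = """\
2021-01-19 17:03:47,644  main INFO  c.a.u.h.SelfSignedKeystore - SelfSignedKeystore.createKeystore() : created keystore: /opt/apigee/message-processor_tmp_1419300215736522237.jks
2021-01-19 17:03:48,842  main INFO  A.HTTP.CONFIGURATION - MessageProcessorHttpSkeletonFactory.configureSSL() : Instantiating Keystore of type: JKS from the location: /opt/apigee/message-processor_tmp_1419300215736522237.jks
"""

if __name__ == "__main__":
    for code, path in audit(CONFIG, LOG):
        print(code, path)
```

An empty result means the log shows the MP loading the keystore named in the properties; any finding means the Router is being shown a certificate other than the one configured.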
1 ACCEPTED SOLUTION

pietjacobs
Participant II

This was a bug within Apigee that got fixed with patch v4.50.00.06, found it thanks to Apigee Support.


8 REPLIES 8

Not applicable

I would suggest trying the options below.

Before doing anything, restart the RMPs and try. If that doesn't work, then try further.

1. Try with a keystore name without "-".

2. If that doesn't work, then try steps 4, 7, 9 from below.

https://docs.apigee.com/private-cloud/v4.18.01/configuring-ssl-between-router-and-message-processor

Thanks for the reply, I tried all your suggestions but nothing worked. The MP still refuses to use my keystore, despite following the documentation... The logs also don't give me any further insight into why it creates its own keystore instead.

Can you try making this false? Just to try; not sure whether it will work or not.

conf_message-processor-communication_local.http.ssl=true

Unfortunately this disables SSL completely.

Hmm, that's true. Can you delete the properties file, create it again, restart the RMP, see that the changes are applied and then try?

I can clearly see it accepts the changes but after starting the MP again it doesn't use the provided configuration and just creates its own keystore. Even tried giving it an invalid keystore path and the MP didn't throw any errors.

It's weird behaviour.
