Question:
We are trying to secure our Apigee Edge against the SSLv3 Poodle security vulnerability. How do I ensure that our secure connections go via a TLS protocol?
Answer:
For secure connections to the Apigee Routers, you can specify the protocol to use in the virtual host configuration to use TLS and this would restrict the list of supported protocols to what you specifically configure. If no protocols are listed in your virtual host configuration, then Apigee Edge will default to the supported protocols of the JVM that you are using.
Note: Install Apigee Edge to use JDK 7 for TLSv1.1 support. Also, JDK 8 is required for supporting the TLSv1.2 protocol, and Apigee Edge version 4.15.01 and older do not currently support JDK 8. Please see our Supported Software document to find out what is supported.
Here is a simple example of how you can configure TLS for your secure virtualhost:
- Get your secure virtualhost definition using: curl -u admin@email.com http://management:8080/v1/o/{org}/e/{env}/virtualhosts/{virtualhost-name} -H "Accept: application/xml"
The output should be something like this:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VirtualHost name="secure">
<HostAliases>
<HostAlias>example-prod.apigee.net</HostAlias>
</HostAliases>
<Interfaces/>
<Port>443</Port>
<SSLInfo>
<Ciphers/>
<ClientAuthEnabled>false</ClientAuthEnabled>
<Enabled>true</Enabled>
<IgnoreValidationErrors>false</IgnoreValidationErrors>
<KeyAlias>freetrial</KeyAlias>
<KeyStore>freetrial</KeyStore>
<Protocols/>
</SSLInfo>
</VirtualHost>
- Put the output into a file, vhost.xml, and add the Protocol for TLSv1, like below:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VirtualHost name="secure">
<HostAliases>
<HostAlias>example-prod.apigee.net</HostAlias>
</HostAliases>
<Interfaces/>
<Port>443</Port>
<SSLInfo>
<Ciphers/>
<ClientAuthEnabled>false</ClientAuthEnabled>
<Enabled>true</Enabled>
<IgnoreValidationErrors>false</IgnoreValidationErrors>
<KeyAlias>freetrial</KeyAlias>
<KeyStore>freetrial</KeyStore>
<Protocols>
<Protocol>TLSv1</Protocol>
</Protocols>
</SSLInfo>
</VirtualHost>
- Next, post the changes back to the virtual host with this management call:
curl -u admin@email.com -X POST http://management:8080/v1/o/{org}/e/{env}/virtualhosts/{virtualhost-name} -H "Content-type: application/xml" -d @vhost.xml
- Repeat the steps above for each org/env that has a secure virtual host.
- The Apigee Routers will need to be restarted to enable the new Protocols configuration on your virtual host.
For secure connections made via your Message Processor to your target servers, you would make the changes inside your API Proxy bundle where you define your TargetEndpoint definition. For more information regarding the TargetEndpoint definition, see the API Proxy Configuration Reference.
Here is a simple example of what the TargetEndpoint would look like with TLSv1 configured as the secure protocol:
<HTTPTargetConnection>
<SSLInfo>
<Enabled>true</Enabled>
<ClientAuthEnabled>true</ClientAuthEnabled>
<KeyStore>myKeystore</KeyStore>
<KeyAlias>myKey</KeyAlias>
<TrustStore>myTrustStore</TrustStore>
<Protocols>
<Protocol>TLSv1</Protocol>
</Protocols>
</SSLInfo>
<URL>https://myservice.com</URL>
</HTTPTargetConnection>
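As an added example (not part of the original answer or of Apigee's own tooling), the script below audits and rewrites the <SSLInfo> block of either a VirtualHost or an HTTPTargetConnection document as described in both sections above: it reports the configured <Protocol> list (an empty list means the JVM default applies, which is the state that left SSLv3 negotiable) and pins an explicit TLS-only list before the document is posted back. The sample virtual host XML is constructed for the example; only Python's standard library is used.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a secure virtual host with an empty <Protocols/>,
# mirroring the "before" output shown in the answer above.
VHOST_XML = """<VirtualHost name="secure">
<HostAliases><HostAlias>example-prod.apigee.net</HostAlias></HostAliases>
<Port>443</Port>
<SSLInfo>
<Enabled>true</Enabled>
<KeyAlias>freetrial</KeyAlias>
<KeyStore>freetrial</KeyStore>
<Protocols/>
</SSLInfo>
</VirtualHost>"""

def configured_protocols(xml_text):
    """Return the <Protocol> values found under <SSLInfo>.
    An empty list means the JVM default applies, which may include SSLv3."""
    root = ET.fromstring(xml_text)
    ssl = root.find(".//SSLInfo")
    if ssl is None:
        return []
    return [p.text.strip() for p in ssl.iter("Protocol") if p.text]

def pin_protocols(xml_text, protocols):
    """Return the same document with <Protocols> replaced by the given list.
    Works for both <VirtualHost> and <HTTPTargetConnection> documents."""
    root = ET.fromstring(xml_text)
    ssl = root.find(".//SSLInfo")
    if ssl is None:
        raise ValueError("no <SSLInfo> element found")
    old = ssl.find("Protocols")
    if old is not None:
        ssl.remove(old)
    protos = ET.SubElement(ssl, "Protocols")
    for name in protocols:
        ET.SubElement(protos, "Protocol").text = name
    return ET.tostring(root, encoding="unicode")

def is_safe(xml_text):
    """True only when an explicit protocol list exists and every entry is TLS."""
    protos = configured_protocols(xml_text)
    return bool(protos) and all(p.startswith("TLS") for p in protos)

if __name__ == "__main__":
    print("before:", configured_protocols(VHOST_XML), "safe:", is_safe(VHOST_XML))
    fixed = pin_protocols(VHOST_XML, ["TLSv1"])
    print("after:", configured_protocols(fixed), "safe:", is_safe(fixed))
```

Feed the GET output from the management API into pin_protocols, write the result to vhost.xml, and POST it back as shown above; the same function works on the HTTPTargetConnection fragment of a proxy bundle.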