Hi Everyone
I have enabled TLS on the Edge Management API as explained in the documentation. However, after turning off the Management API web server HTTP port:
conf_webserver_http.turn.off=true
I can see the Edge UI API Calls are failing.
I can see Apigee explicitly mentioned that this causes an issue, due to HTTP traffic towards this component; however, due to our security requirements, I need to turn off all HTTP traffic across my Edge components including CS, ZK and UI, Router, MP and Management.
Please share your experience with me on this topic.
Thank you
@Reza Motevallizadeh Did you change your UI config to point to https:// instead of http?
You need to update the following property in apigee.conf file:
apigee.mgmt.baseUrl="https://mgmtIP:443/v1"
If you look at the browser's console, you might be able to see what the actual error is. Looking at the error, it seems that your UI is able to talk to the management server just fine, but the issue seems to be related to users and userroles, which come from LDAP. So, if you can get the management server logs, it would be helpful.
Thanks for the comment and the apigee.conf was incorrect.
I am using a self-signed certificate and I am getting an SSL engine error.
The issue is about the API Calls from UI to the Edge and I can see any call is failing.
ssl-error.txt
Updated the apigee.conf and it looks like the call is going to the https port configured on the edge.
I am using the self-signed cert and getting the following error message, not sure if I can set an option to ignore the SSL error.
[root@ip-10-160-139-176 conf]# apigee-service edge-ui start
The file conf/apigee.conf was changed, New: New: apigee.mgmt.baseurl="https://10.160.139.176:9443/v1"
The file conf/apigee.conf was changed, New: New: apigee.mgmt.baseurl="https://10.160.139.176:9443/v1"
apigee-configutil: edge-ui: # OK
apigee-configutil: edge-ui: # OK
apigee-service: edge-ui: Not running (NO_LOCKFILE)
apigee-service: edge-ui: status=2, continuing
# in pid 12714, pgrp=12633 -> 12714
Play server process ID is 12714
apigee-service: edge-ui: OK
apigee-service: edge-ui: edge-ui is running
[root@ip-10-160-139-176 conf]# [info] play - Application started (Prod)
[info] play - Listening for HTTPS on port /0:0:0:0:0:0:0:0:7777
[root@ip-10-160-139-176 conf]#
[root@ip-10-160-139-176 conf]# ! @70jh1k4kb - Internal server error, for (GET) [/ws/proxy/organizations/nonprod/apis/?includeRevisions=true&includeMetaData=true] ->
play.api.Application$$anon$1: Execution exception[[ConnectException: General SSLEngine problem to https://10.160.139.176:9443/v1/organizations/nonprod/apis?includeMetaData=true&includeRevisions=true]]
    at play.api.Application$class.handleError(Application.scala:296) ~[com.typesafe.play.play_2.11-2.3.10.jar:2.3.10]
    at play.api.DefaultApplication.handleError(Application.scala:402) [com.typesafe.play.play_2.11-2.3.10.jar:2.3.10]
    at play.core.server.netty.PlayDefaultUpstreamHandler$$anonfun$3$$anonfun$applyOrElse$4.apply(PlayDefaultUpstreamHandler.scala:320) [com.typesafe.play.play_2.11-2.3.10.jar:2.3.10]
    at play.core.server.netty.PlayDefaultUpstreamHandler$$anonfun$3$$anonfun$applyOrElse$4.apply(PlayDefaultUpstreamHandler.scala:320) [com.typesafe.play.play_2.11-2.3.10.jar:2.3.10]
    at scala.Option.map(Option.scala:145) [org.scala-lang.scala-library-2.11.1.jar:na]
Caused by: java.net.ConnectException: General SSLEngine problem to https://10.160.139.176:9443/v1/organizations/nonprod/apis?includeMetaData=true&includeRevisions=true
    at com.ning.http.client.providers.netty.NettyConnectListener.operationComplete(NettyConnectListener.java:104) ~[com.ning.async-http-client-1.8.15.jar:na]
    at org.jboss.netty.channel.DefaultChannelFuture.notifyListener(DefaultChannelFuture.java:431) ~[io.netty.netty-3.9.9.Final.jar:na]
    at org.jboss.netty.channel.DefaultChannelFuture.notifyListeners(DefaultChannelFuture.java:417) ~[io.netty.netty-3.9.9.Final.jar:na]
    at org.jboss.netty.channel.DefaultChannelFuture.setFailure(DefaultChannelFuture.java:384) ~[io.netty.netty-3.9.9.Final.jar:na]
    at org.jboss.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1578) ~[io.netty.netty-3.9.9.Final.jar:na]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431) ~[na:1.8.0_91]
The API calls are failing due to the SSL error.
This is an issue with self-signed certs: the Play WS proxy will not allow a call to an upstream https endpoint without passing the SSL validation. To avoid the SSL validation, you need to add the following property to application.conf in edge-ui to make it work:
ws.acceptAnyCertificate=true
To add this property, follow the steps below:
1. cd /opt/apigee/customer/application
2. Create a file called ui.properties (make sure it is owned by the 'apigee:apigee' user)
3. Add conf/application.conf+ws.acceptAnyCertificate=true in ui.properties file and save it
4. Restart the edge-ui using apigee-service (apigee-service edge-ui restart)
Hope this helps.
Thanks,
Archendra
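An added example, not part of the original thread and not Apigee tooling: since ws.acceptAnyCertificate=true switches off certificate validation for the UI's calls to the Management API, a hardening review needs to find where it is set. This sketch parses the two assignment styles shown in the thread and flags that setting, a plaintext apigee.mgmt.baseUrl, and a Management API HTTP port left on; the rule names, the `audit` helper and the sample text are assumptions made for illustration.

```python
import re

# Matches `key=value` (apigee.conf style) and the
# `conf/<file>+<key>=<value>` form used in ui.properties.
LINE = re.compile(
    r'^(?:(?P<file>[^+=\s]+)\+)?(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$'
)

def parse_settings(text):
    """Yield (lineno, target_file, key, value) for each assignment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # skip blanks and comments
        m = LINE.match(line)
        if m:
            value = m.group('value').strip().strip('"\'')
            yield lineno, m.group('file'), m.group('key'), value

def audit(text):
    """Return (lineno, rule, key) for settings that weaken TLS to the Management API."""
    findings = []
    for lineno, _target, key, value in parse_settings(text):
        # Keys compared case-insensitively: the thread shows both
        # apigee.mgmt.baseUrl and apigee.mgmt.baseurl.
        k, v = key.lower(), value.lower()
        if k == 'ws.acceptanycertificate' and v == 'true':
            findings.append((lineno, 'cert-validation-disabled', key))
        elif k == 'apigee.mgmt.baseurl' and v.startswith('http://'):
            findings.append((lineno, 'plaintext-mgmt-url', key))
        elif k == 'conf_webserver_http.turn.off' and v != 'true':
            findings.append((lineno, 'mgmt-http-port-enabled', key))
    return findings

# Constructed sample: lines gathered from several config files for the demo.
SAMPLE = '''\
# constructed sample, not taken from a real installation
conf/application.conf+ws.acceptAnyCertificate=true
apigee.mgmt.baseurl="https://10.160.139.176:9443/v1"
conf_webserver_http.turn.off=false
'''

if __name__ == '__main__':
    for lineno, rule, key in audit(SAMPLE):
        print(f'line {lineno}: {rule} ({key})')
```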
Again thank you. Working good.
I have added these steps to the doc here:
http://docs.apigee.com/api-services/latest/configuring-ssl-management-api
Stephen