SSLInfo

SSL information.

Schema

SSLInfo
ciphers

array

Edge for Private Cloud version 4.15.07 and earlier only.

Specifies the ciphers supported by the virtual host. If no ciphers are specified, then all ciphers available for the JVM will be permitted.

To restrict ciphers, add the following elements: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

clientAuthEnabled

string

Flag that specifies whether to enable two-way, or client, TLS between Edge (server) and the app (client) making the request. Enabling two-way TLS requires that you set up a truststore on Edge that contains the cert from the TLS client.

enabled

string

Flag that specifies whether to enable one-way TLS/SSL. You must have defined a keystore containing the cert and private key.

For Edge for Public Cloud:

  • You must have a cert signed by a trusted entity, such as Symantec or VeriSign. You cannot use a self-signed cert, or leaf certificates signed by a self-signed CA.
  • If your existing virtual host is configured to use a port other than 443, you cannot change the TLS setting. That means you cannot change the TLS setting from enabled to disabled, or from disabled to enabled.
ignoreValidationErrors

string

Flag that specifies whether to ignore TLS certificate errors. This is similar to the -k option to curl.

This option is valid when configuring TLS for Target Servers and Target Endpoints, and when configuring virtual hosts that use 2-way TLS.

When used with a target endpoint/target server, if the backend system uses SNI and returns a cert with a subject Distinguished Name (DN) that does not match the hostname, there is no way to ignore the error and the connection fails.

keyAlias

string

Alias specified when you uploaded the cert and private key to the keystore. You must specify the alias name literally; you cannot use a reference. See Options for configuring TLS for more.

keyStore

string

Name of the keystore on Edge. Apigee recommends that you use a reference to specify the keystore name so that you can change the keystore without having to restart Routers. See Options for configuring TLS for more.

protocols

array

Edge for Private Cloud version 4.15.07 and earlier only.

Specifies the protocols supported by the virtual host. If no protocols are specified, then all protocols available for the JVM will be permitted.

To restrict protocols, add the following elements: TLSv1, TLSv1.2, and SSLv2Hello

trustStore

string

Name of the truststore on Edge that contains the certificate or certificate chain used for two-way TLS. Required if clientAuthEnabled is true.

Apigee recommends that you use a reference to specify the truststore name so that you can change the truststore without having to restart Routers. See Options for configuring TLS for more.