SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a web client, such as a browser or app. An encrypted link ensures that all data passing between the web server and the client remains private. To use SSL, a client makes a secure request to the web server by using the secure https:// protocol, instead of the insecure http:// protocol.

You can configure the portal to use SSL. The SSL configuration procedure for the portal depends on how you have deployed the portal:

  • Cloud: Configure SSL from Pantheon, the cloud-based hosting service for the portal. 
  • OPDK: Configure SSL on-premises on the server hosting the portal. 

SSL and the portal

The following image shows the two places where the portal uses SSL:

  1. For communication between the portal and the Edge management API.

    The portal does not function as a stand-alone system. Instead, much of the information used by the portal is actually stored on Edge, where Edge can be deployed either in the cloud or on-premises as an OPDK installation. When necessary, the portal makes an HTTP or HTTPS request to the Edge management API to retrieve information or to send information.

    When you create your portal, one of the first steps you must perform is to specify the URL of the Edge management API. Depending on how the Edge management API is configured, that URL can use SSL. See Creating a developer portal for more.
     
  2. For communication between developers and the portal.

    When you use the Developer Services portal to deploy your APIs, your developers log in to the portal to register apps and receive API keys. The login credentials and the API key are proprietary information that should be sent over HTTPS to ensure their security.

    The way you configure SSL for this scenario depends on how you have deployed the portal: cloud or OPDK. The following sections describe both scenarios.

Configuring communication between the portal and the Edge management API

The configuration of the Edge management API determines whether or not communication can use SSL. If the Edge management API is configured to use SSL, then the portal can use HTTPS. Otherwise, the portal communicates with Edge over HTTP. Therefore, as a portal developer, you only need to know how Edge is configured to set the connection between the portal and Edge. 

Apigee recommends that you configure the OPDK version of the Edge management API to use SSL, unless you have deployed both Edge and the portal behind a firewall with no public access. For information on configuring Edge to use SSL, see the Edge Operations Guide.

For the procedure that you use to configure the connection to the Edge management API, see Creating a developer portal.

Cloud-based version of Edge

If your portal connects to the cloud-based version of Edge, then the URL for the Edge management API is preconfigured by Apigee to use SSL. When configuring the portal, you access the Edge management API by using the URL https://api.enterprise.apigee.com/v1.

OPDK installation of Edge

For an OPDK installation of Edge, the URL of the Edge management API is in the form:

http://EdgeOpdkIp:8080/v1

or:

https://EdgeOpdkIp:SSLport/v1

where EdgeOpdkIp is the IP address of the Edge Management Server and SSLport is the SSL port for the OPDK Edge management API. For example, the port number could be 8443 or even 8080, depending on the Edge configuration.

Configuring communication between developers and the portal

The way you configure SSL between developers and the portal depends on how you deployed the portal: cloud or OPDK. 

However, in both instances you must obtain your own SSL certificate before you can deploy the portal to a production environment. 

Cloud-based portals

Portals deployed in the cloud on Pantheon are preconfigured with three environments: development, test, and production. The way you configure and use SSL depends on the environment:

  • Development and test environments: Requests can use http:// or https://. Requests over https:// use the Apigee SSL certificate so that you can build and test your portal. However, you must obtain your own SSL certificate to move to a production environment.
  • Production environment: If you want to encrypt portal data transfers, then you require your own SSL certificate. 

You use the Pantheon UI to configure SSL for the portal. Before starting this process, you should be familiar with the Pantheon documentation:

http://helpdesk.getpantheon.com/customer/portal/articles/385443

To configure SSL for the portal in Pantheon:

  1. Obtain an SSL certificate.
  2. Log in to Pantheon at https://dashboard.getpantheon.com/login.
  3. Use the instructions at http://helpdesk.getpantheon.com/customer/portal/articles/385443 to:
    • Generate the RSA Key (.key) and CSR (certificate signing request).
    • Enable SSL.
    • Enter the RSA Key and CSR.
  4. In Pantheon, select Domains > Domain Setup.
  5. Ensure that the IP address generated when you registered your SSL certificate appears as a record type of A, references the generated IP directly, and does not use a redirect.

OPDK portals

All Apigee-recommended OPDK installations of the portal require the portal to be behind a load balancer, as shown below:

Therefore, for on-premises installations, you have two options for configuring SSL:

  • Configure SSL on the load balancer: Configure SSL on the load balancer itself, and not on the portal. The procedure that you use to configure SSL is therefore dependent on the load balancer. See the documentation on your load balancer for more information.
  • Configure SSL on the portal itself: If necessary, you can configure SSL on the web server that hosts the portal. By default, Apigee installs the Apache web server. For information on configuring SSL for Apache, see https://www.drupal.org/https-information.

Configuring SSL with Load Balancers

For better performance, load balancers are sometimes configured to perform SSL termination. With SSL termination, load balancers decrypt messages sent over https:// and forward the messages to backend servers over http://. That saves backend servers the overhead of decrypting https:// messages themselves.

If load balancers forward unencrypted http messages to servers in the same data center, security is not an issue. However, if load balancers forward messages over http:// to servers outside the data center, such as your Apigee developer portal, the messages are unencrypted, which opens a security hole.

If your developer portal sits behind load balancers that use SSL termination and you want all traffic served over https://, the website pages must contain only https:// links, and you must add the code below to the sites/default/settings.php file of your developer portal. Because the load balancer does not automatically transform the content of the HTML pages, the code ensures that all links passed to the client start with https://.

To configure SSL with load balancers, add the following lines to the sites/default/settings.php file:

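// Tell Drupal the request is secure: the load balancer terminated SSL,
// so PHP itself only sees plain HTTP.
$_SERVER['HTTPS'] = 'on';
// Build every generated link from the https:// base URL.
$base_url = "https://myurl.com";
$can_detect_ssl = FALSE;

// The protocol is detectable if the load balancer sent X-Forwarded-Proto
// or HTTPS is already on.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on')) {
  $can_detect_ssl = TRUE;
}

// The client reached the load balancer over https://.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https') {
  $_SERVER['HTTPS'] = 'on';
}

// Redirect plain-HTTP requests to https://. With HTTPS forced to 'on' on
// the first line, this branch is not reached.
if ($can_detect_ssl && $_SERVER['HTTPS'] != 'on') {
  header('Location: https://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']);
  exit;
}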
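
The settings.php logic above, rewritten as a function that can be exercised on sample requests; this is an added example, not Apigee's code. It honors X-Forwarded-Proto only when the request comes from a known load balancer address and redirects to a fixed host name. The function name portal_ssl_decision, the address 10.0.0.5, and the host portal.example.com are assumptions.

```php
<?php
// Added example, not Apigee's code. Function name, address and host are assumed.

// Returns array('https' => bool, 'redirect' => string or NULL) for one request.
function portal_ssl_decision(array $server, array $trusted_lbs, $canonical_host) {
  $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
  $from_lb = in_array($remote, $trusted_lbs, TRUE);

  // SSL configured on the portal's own web server.
  $https = isset($server['HTTPS']) && strtolower($server['HTTPS']) === 'on';

  // X-Forwarded-Proto is an ordinary request header, so believe it only
  // when the peer is the load balancer that sets it.
  if (!$https && $from_lb && isset($server['HTTP_X_FORWARDED_PROTO'])) {
    $https = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'])) === 'https';
  }

  $redirect = NULL;
  if (!$https) {
    // Redirect to a fixed host name and keep the requested path.
    $uri = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
    $redirect = 'https://' . $canonical_host . $uri;
  }
  return array('https' => $https, 'redirect' => $redirect);
}

// Constructed sample requests, as seen in $_SERVER on the portal host.
$lbs = array('10.0.0.5');
$samples = array(
  'LB, client on https' => array('REMOTE_ADDR' => '10.0.0.5',
    'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/user/login'),
  'LB, client on http' => array('REMOTE_ADDR' => '10.0.0.5',
    'HTTP_X_FORWARDED_PROTO' => 'http', 'REQUEST_URI' => '/user/login'),
  'direct, header claims https' => array('REMOTE_ADDR' => '203.0.113.9',
    'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/user/login'),
);
foreach ($samples as $label => $server) {
  $d = portal_ssl_decision($server, $lbs, 'portal.example.com');
  printf("%-28s https=%-3s redirect=%s\n", $label,
    $d['https'] ? 'yes' : 'no', $d['redirect'] === NULL ? '-' : $d['redirect']);
}
```

In settings.php, a non-NULL redirect would be sent with header('Location: ...') followed by exit, and an https result would set $_SERVER['HTTPS'] = 'on'. The function assumes the load balancer sets X-Forwarded-Proto on every request; if it does not, every request through it is redirected.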
