API Gateway 10.11 | Administering API Gateway | Security Configuration | Securing API Gateway Communication using TLS | How do I Secure API Gateway User Interface Communication?
 
How do I Secure API Gateway User Interface Communication?
Secure API Gateway UI (web application), one of the API Gateway components in an API Management setup, to enable users to access the API Gateway UI securely over HTTPS. This section explains how to secure API Gateway communication using HTTPS protocol.
You must have API Gateway administrator privileges to perform this operation. Also, ensure that the required client and server certificates are available.
To configure API Gateway user interface for secure communication
1. Locate the keystore and truststore files in the file system.
The default keystore and truststore files are available in the Installation_Dir\common\conf folder.
Note:
If you want to use a custom keystore with self-signed certificates, see Creating a Custom Keystore with Self-Signed Certificates for details on how to create a keystore and generate the required self-signed certificate.
2. Configure the keystore and the HTTPS port on which you want to expose API Gateway UI.
a. Navigate to Installation_Dir\profiles\IS_default\configuration\com.softwareag.platform.config.propsloader and search for files that begin with the following file name pattern com.softwareag.catalina.connector.https.pid-*.properties. If there are more than one file in the selected folder that match this pattern, then the first file that matches thepattern is selected.
Note:
The file name by default is com.softwareag.catalina.connector.https.pid-apigateway.properties
b. Open the file and modify the following properties by providing the keystore, passsword, and port details.
keystoreFile=generated_keystore_file_path/https_keystore.jks
port=9073 (https port in which you want to expose webApp)
@secure.keystorePass=password (password used while creating the keystore file)
For details about the configurations, see https://documentation.softwareag.com/webmethods/wmsuites/wmsuite10-5/Cross_Product/10-5_Software_AG_Infrastructure_Administrators_Guide.pdf and https://tomcat.apache.org/tomcat-7.0-doc/config/http.html.
Harden TLS configuration of the API Gateway UI port
To harden the TLS configuration of the API Gateway UI port, perform the following:
1. Enable TLSv1.2 or TLSv1.3 protocol as follows:
a. Navigate to Installation_Dir\profiles\IS_default\configuration\com.softwareag.platform.config.propsloader and search for files that begin with the following file name pattern com.softwareag.catalina.connector.https.pid-*.properties. If there are more than one file in the selected folder that match this pattern, then the first file that matches thepattern is selected.
Note:
The file name, by default, is com.softwareag.catalina.connector.https.pid-apigateway.properties
b. Open the file and add the following line in the properties file.
sslEnabledProtocols=TLSversion number
For example, if you want to enable TLSv1.3 protocol, the sample code is a s follows:
sslEnabledProtocols=TLSv1.3
2. Specify a list of secure cipher suites by adding the following line to the above properties file.
ciphers="List of Secure Cipher_Suites"
For details about the recommended cipher suites, see the cipher suite recommendation by IANA organization ( https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml) or the https://documentation.softwareag.com/webmethods/integration_server/pie10-5/10-5_Integration_Server_Administrators_Guide.pdf
3. Set the size of Ephemeral Diffie-Hellman Keys to 2048 depending on the configured cipher suites. You can do this by adding the following line to the custom_wrapper.conf file located in the directory SAG_root /profiles/IS_default/configuration:
wrapper.java.additional.401=-Djdk.tls.ephemeralDHKeySize=2048
You can verify the resulting TLS configuration using tools such as testTLS.sh that checks for vulnerable TLS configurations.