How do I Secure API Gateway User Interface Communication?
The API Gateway UI (web application) is one of the API Gateway components in an API Management setup. Securing it lets users access the API Gateway UI over HTTPS. This section explains how to secure API Gateway UI communication using the HTTPS protocol.
You must have API Gateway administrator privileges to perform this operation. Also, ensure that the required client and server certificates are available.
To configure API Gateway user interface for secure communication
1. Locate the keystore and truststore files in the file system.
The default keystore and truststore files are available in the Installation_Dir\common\conf folder.
2. Configure the keystore and the HTTPS port on which you want to expose API Gateway UI.
a. Navigate to Installation_Dir\profiles\IS_default\configuration\com.softwareag.platform.config.propsloader and open the property file com.softwareag.catalina.connector.https.pid-apigateway.properties.
b. Modify the following properties by providing the keystore, password, and port details.
keystoreFile=generated_keystore_file_path/https_keystore.jks
port=9073 (HTTPS port on which you want to expose the web application)
@secure.keystorePass=password (password used while creating the keystore file)
To harden the TLS configuration of the API Gateway UI port
1. Enable only TLSv1.2 (which disables the older SSL and TLS versions on this connector) by adding the following line to the properties file com.softwareag.catalina.connector.https.pid-apigateway.properties located in the directory SAG_root/profiles/IS_default/configuration/com.softwareag.platform.config.propsloader.
sslEnabledProtocols=TLSv1.2
2. Specify a list of secure cipher suites by adding the following line to the properties file com.softwareag.catalina.connector.https.pid-apigateway.properties located in the directory SAG_root/profiles/IS_default/configuration/com.softwareag.platform.config.propsloader.
ciphers="List of Secure Cipher_Suites"
3. Set the size of ephemeral Diffie-Hellman keys to 2048 bits; this applies when the configured cipher suites include DHE suites. You can do this by adding the following line to the custom_wrapper.conf file located in the directory SAG_root/profiles/IS_default/configuration:
wrapper.java.additional.401=-Djdk.tls.ephemeralDHKeySize=2048
You can verify the resulting TLS configuration with a scanner such as testTLS.sh, which checks for vulnerable TLS configurations.
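A configuration audit for both procedures above (the connector properties from step 2 of the first procedure and the sslEnabledProtocols and ciphers lines from steps 1 and 2 of the hardening procedure), written as an added example that is not part of the Software AG product or its documentation. The sample file contents and the /opt/softwareag path are constructed, and the weak-suite markers are an assumption about what a hardened cipher list should exclude.

```python
# Added example (not Software AG code): audit the HTTPS connector properties
# file from the procedure above for the hardening settings it prescribes.
# Sample property texts below are constructed; the path is an assumption.
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("NULL", "anon", "EXPORT", "RC4", "DES", "MD5")  # assumed exclusions

def parse_properties(text):
    """Parse key=value lines; '#' and '!' start comments, as in Java .properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().strip('"')  # ciphers="..." is quoted on the page
    return props

def audit_connector_properties(text):
    """Return findings for the connector file; an empty list means hardened."""
    p = parse_properties(text)
    findings = []
    if not p.get("keystoreFile"):
        findings.append("keystoreFile not set")
    if not p.get("@secure.keystorePass"):
        findings.append("@secure.keystorePass not set")
    protocols = {s.strip() for s in p.get("sslEnabledProtocols", "").split(",") if s.strip()}
    if not protocols:
        findings.append("sslEnabledProtocols missing: connector default protocols accepted")
    for weak in sorted(protocols & WEAK_PROTOCOLS):
        findings.append(f"sslEnabledProtocols permits {weak}")
    ciphers = [c.strip() for c in p.get("ciphers", "").split(",") if c.strip()]
    if not ciphers:
        findings.append("ciphers missing: connector default cipher suites accepted")
    for c in ciphers:
        if any(m in c for m in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite {c}")
    return findings

# Constructed: the connector file after step 2 of the first procedure only.
BEFORE = """keystoreFile=/opt/softwareag/common/conf/https_keystore.jks
port=9073
@secure.keystorePass=changeit
"""
# Constructed: the same file after steps 1 and 2 of the hardening procedure.
AFTER = BEFORE + """sslEnabledProtocols=TLSv1.2
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
"""
```

Running audit_connector_properties on BEFORE reports the two missing hardening keys, while AFTER yields no findings; the check is static, so the runtime scan mentioned above is still needed to confirm what the JVM actually negotiates.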