How do I Secure the TLS Configuration in API Gateway?
Securing the TLS configuration in API Gateway involves securing the TLS configuration for API Gateway server ports and API Gateway UI ports.
To secure TLS configuration in API Gateway
1. Secure the TLS configuration of the API Gateway server ports.
a. Restrict the TLS version by adding the following setting:
watt.net.jsse.server.enabledProtocols=TLSv1.2
This specifies the SSL protocol versions that API Gateway supports when acting as a server handling inbound requests. Java Secure Socket Extensions (JSSE) is required to support TLS 1.1 or 1.2.
For more information about configuring ports to use JSSE, see https://documentation.softwareag.com/webmethods/integration_server/pie10-5/10-5_Integration_Server_Administrators_Guide.pdf
b. Reject client-initiated renegotiation by adding the following line to the custom_wrapper.conf file located in the directory SAG_root/profiles/IS_default/configuration:
wrapper.java.additional.402=-Djdk.tls.rejectClientInitiatedRenegotiation=TRUE
c. Specify a list of secure cipher suites.
For details about the recommended cipher suites, see the cipher suite recommendations published by IANA (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml) or the Integration Server Administrator's Guide (https://documentation.softwareag.com/webmethods/integration_server/pie10-5/10-5_Integration_Server_Administrators_Guide.pdf).
d. Set the size of ephemeral Diffie-Hellman keys to 2048, depending on the configured cipher suites. You can do this by adding the following line to the custom_wrapper.conf file located in the directory SAG_root/profiles/IS_default/configuration:
wrapper.java.additional.401=-Djdk.tls.ephemeralDHKeySize=2048
2. Secure the TLS configuration of the API Gateway UI ports.
a. Enable TLSv1.2 by adding the following line to the properties file com.softwareag.catalina.connector.https.pid-apigateway.properties located in the directory SAG_root/profiles/IS_default/configuration/com.softwareag.platform.config.propsloader:
sslEnabledProtocols=TLSv1.2
b. Specify a list of secure cipher suites by adding the following line to the properties file com.softwareag.catalina.connector.https.pid-apigateway.properties located in the directory SAG_root/profiles/IS_default/configuration/com.softwareag.platform.config.propsloader:
ciphers="List of Secure Cipher_Suites"
For details about the recommended cipher suites, see the cipher suite recommendations published by IANA (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml) or the Integration Server Administrator's Guide (https://documentation.softwareag.com/webmethods/integration_server/pie10-5/10-5_Integration_Server_Administrators_Guide.pdf).
c. Set the size of ephemeral Diffie-Hellman keys to 2048, depending on the configured cipher suites. You can do this by adding the following line to the custom_wrapper.conf file located in the directory SAG_root/profiles/IS_default/configuration:
wrapper.java.additional.401=-Djdk.tls.ephemeralDHKeySize=2048
You can verify the resulting TLS configuration using tools such as testTLS.sh, which checks for vulnerable TLS configurations.
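Before scanning the live ports, the files themselves can be checked for the settings from steps 1 and 2. The following is an added example, not Software AG code: it takes the text of the three configuration sources and reports any setting from this page that is missing, along with a wrapper.java.additional index that is reused with different values. It assumes that ciphers holds a comma-separated list and that the weak-suite name fragments are a starting list to extend; audit, parse_props and the sample values are constructed for illustration.

```python
import re

# Name fragments of suites commonly treated as weak (assumed list, extend as needed).
WEAK = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT_", "_anon_", "_MD5_")

def parse_props(text):
    """Parse key=value lines into {key: [values...]}, skipping blanks and # comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return props

def audit(server_settings, wrapper_conf, connector_props):
    """Return a list of findings; an empty list means every setting from the page is present."""
    server, wrapper, ui = map(parse_props, (server_settings, wrapper_conf, connector_props))
    extra = {k: v for k, v in wrapper.items() if k.startswith("wrapper.java.additional.")}
    # -Dname=value JVM flags carried by the wrapper.java.additional.N entries
    flags = dict(m.groups() for v in extra.values() for a in v
                 if (m := re.match(r"-D([^=]+)=(.*)", a)))
    last = lambda props, key: props.get(key, [""])[-1]
    findings = []
    if last(server, "watt.net.jsse.server.enabledProtocols") != "TLSv1.2":
        findings.append("server ports: enabledProtocols is not TLSv1.2")
    if last(ui, "sslEnabledProtocols") != "TLSv1.2":
        findings.append("UI ports: sslEnabledProtocols is not TLSv1.2")
    if flags.get("jdk.tls.rejectClientInitiatedRenegotiation", "").lower() != "true":
        findings.append("client-initiated renegotiation is not rejected")
    if flags.get("jdk.tls.ephemeralDHKeySize") != "2048":
        findings.append("ephemeral DH key size is not 2048")
    ciphers = [c.strip() for c in last(ui, "ciphers").split(",") if c.strip()]
    if not ciphers:
        findings.append("UI ports: no explicit cipher list")
    findings += [f"UI ports: weak cipher suite {c}" for c in ciphers
                 if any(w in c + "_" for w in WEAK)]
    findings += [f"{k} is set {len(v)} times with different values"
                 for k, v in extra.items() if len(set(v)) > 1]
    return findings

# Constructed sample input: index 401 is reused and the cipher list contains an RC4 suite.
SAMPLE_WRAPPER = ("wrapper.java.additional.401=-Djdk.tls.ephemeralDHKeySize=2048\n"
                  "wrapper.java.additional.401=-Djdk.tls.rejectClientInitiatedRenegotiation=TRUE\n")
SAMPLE_UI = 'sslEnabledProtocols=TLSv1.2\nciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_RSA_WITH_RC4_128_MD5"\n'
SAMPLE_SERVER = "watt.net.jsse.server.enabledProtocols=TLSv1.2\n"

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SERVER, SAMPLE_WRAPPER, SAMPLE_UI)))
```

A clean result only shows that the files contain the intended values; a scan of the running ports is still needed to confirm that they took effect.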