In Cloud Manager, you can configure the profile that is used on the gateway when it acts as a TLS server.
Before you begin
Important: API Connect includes several default TLS profiles to help you get started. Do not use the default profiles in a production environment: their keys and settings are shared by every installation. Create your own profiles, with your own keystore and truststore, to secure your network.
One of the following roles is required to configure TLS Server Profiles:
- Administrator
- Owner
- Topology Administrator
- Custom role with the Settings: manage permissions
About this task
A server profile governs how the gateway behaves when it acts as the TLS server, that is, when it terminates inbound TLS connections from API clients: which protocol versions and cipher suites it accepts, which certificate it presents, and whether it asks the client for a certificate in return.
Procedure
Perform the following steps to create a TLS Server profile:
- In the Cloud Manager, click Resources.
- Select TLS.
- Click Create in the TLS Server Profile table.
- Enter the fields to configure the TLS Server Profile:
  - Title (required): Enter a title for the profile. The title is displayed on the screen.
  - Name (required): The name is auto-generated. The value in the Name field is a single string that can be used in developer toolkit CLI commands. To view the CLI commands that manage TLS Server Profiles, see apic tls-server-profiles.
  - Version (required): Assign a version number to the profile. Version numbers let you keep several server profiles with the same name and different configurations, for example MyProfile 1.0 and MyProfile 1.1.
  - Summary (optional): Enter a description of the profile.
  - Protocols (required): Select one or more TLS protocol versions that the gateway accepts. The default is 1.2. Enable only the versions your clients need; versions older than 1.2 are deprecated and weaken the profile for every client that connects through it.
  - Mutual Authentication (required): Determines whether authentication is two-way, that is, whether the gateway asks the client for a certificate. In two-way authentication the gateway sends a certificate request to the client during the TLS handshake.
    - None (default): No mutual authentication. The gateway never asks the client for a certificate.
    - Request: The gateway requests a client certificate during the handshake. If the client sends none, the handshake still completes and no client certificate is checked on the gateway. If the client does send one, it is verified as described under Truststore.
    - Require: The gateway requires a client certificate during the handshake. If the client sends none, or sends one that does not verify, the TLS handshake fails and the request is blocked.
  - Limit Renegotiation (optional): Client-initiated renegotiation lets a client start a new handshake on an already established connection. The check box is selected by default, which prevents client-initiated renegotiation; clear it only if a client genuinely needs renegotiation. Leaving it blocked is the safer choice, because renegotiation lets a client force repeated expensive handshakes and has a history of protocol-level attacks.
  - Keystore (required): A keystore holds a certificate together with its private key. The server profile needs a keystore because the certificate in it is what the gateway presents to clients during the handshake to prove its identity. It is the client that verifies this certificate, so it must be one your clients trust, for example one issued by a CA that is in their truststores.
  - Truststore (optional): A truststore holds CA certificates that the gateway uses to verify the peer's certificate during the handshake. When a truststore is specified in addition to a keystore, a client certificate presented under Request or Require is accepted only if it chains to a CA certificate in the truststore. Without a truststore the gateway cannot verify client certificates, so you will normally want one whenever Mutual Authentication is set to Request or Require.
  - Ciphers (required): Cipher suites define the key exchange, authentication, encryption and integrity algorithms that protect HTTPS traffic within the API Connect ecosystem. Select the cipher suites that the profile accepts; prefer suites that provide forward secrecy and authenticated encryption, and remove legacy suites that no client you control still needs.
- Click Save.
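What the Mutual Authentication, Keystore and Truststore fields decide during a handshake is easiest to see by running the four interesting cases. The Go program below is an added example, not IBM's code and not the gateway's implementation: it uses Go's crypto/tls as a stand-in for the gateway, builds an in-memory test PKI (the CA and certificate names are constructed for the demonstration), and maps the form's Request setting to Go's VerifyClientCertIfGiven, which is an assumption about the setting's semantics (a certificate is requested and checked if presented, but may be absent). The Outcome function returns the server-side verdict for one handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a P-256 certificate for cn: a self-signed CA when parent has
// no Leaf, otherwise a leaf signed by parent. In-memory test PKI, not product data.
func issue(cn string, parent tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:              []string{"localhost"},
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, any(key)
	if parent.Leaf == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// handshake runs one handshake over loopback TCP and returns the server's verdict.
// The client's view is not enough: under TLS 1.3 the client finishes before the
// server has examined its certificate and only notices a rejection on its next read.
func handshake(server, client *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		conn := must(ln.Accept())
		defer conn.Close()
		verdict <- tls.Server(conn, server).Handshake()
	}()
	conn := must(net.Dial("tcp", ln.Addr().String()))
	defer conn.Close()
	if err := tls.Client(conn, client).Handshake(); err != nil {
		return err
	}
	return <-verdict
}

// Outcome reports whether a gateway built from keystore, truststore and the given
// Mutual Authentication setting accepts a client presenting clientCert (nil: none).
func Outcome(mutualAuth tls.ClientAuthType, keystore tls.Certificate, truststore *x509.CertPool, clientCert *tls.Certificate) string {
	gateway := &tls.Config{
		MinVersion:   tls.VersionTLS12, // Protocols: TLS 1.2 and later only
		Certificates: []tls.Certificate{keystore},
		ClientAuth:   mutualAuth, // NoClientCert / VerifyClientCertIfGiven / RequireAndVerifyClientCert
		ClientCAs:    truststore, // a client certificate must chain to one of these
	}
	client := &tls.Config{RootCAs: truststore, ServerName: "localhost"}
	if clientCert != nil {
		// Present the certificate unconditionally, even one the gateway will not
		// trust, so that the server-side truststore check is what decides.
		client.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			return clientCert, nil
		}
	}
	if err := handshake(gateway, client); err != nil {
		return "rejected: " + err.Error()
	}
	return "accepted"
}

func main() {
	ca := issue("Example Root CA", tls.Certificate{})
	truststore := x509.NewCertPool()
	truststore.AddCert(ca.Leaf)
	keystore, trusted := issue("gateway", ca), issue("trusted-app", ca)
	rogue := issue("untrusted-app", issue("Rogue CA", tls.Certificate{}))
	fmt.Println("Request, no cert:     ", Outcome(tls.VerifyClientCertIfGiven, keystore, truststore, nil))
	fmt.Println("Request, rogue cert:  ", Outcome(tls.VerifyClientCertIfGiven, keystore, truststore, &rogue))
	fmt.Println("Require, no cert:     ", Outcome(tls.RequireAndVerifyClientCert, keystore, truststore, nil))
	fmt.Println("Require, trusted cert:", Outcome(tls.RequireAndVerifyClientCert, keystore, truststore, &trusted))
}
```

Run it with go run: a client with no certificate passes under Request but is rejected under Require, a certificate from a CA outside the truststore is rejected even under Request, and a certificate chaining to the truststore passes under Require. Two fields have no counterpart in this stand-in: Go servers never accept client-initiated renegotiation, so Limit Renegotiation is permanently in its default (blocked) state, and Go's CipherSuites setting applies to TLS 1.2 only, so the cipher list is left at Go's defaults here.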