Defining elliptic curve cryptographic schemes for a TLS client profile
You define the elliptic curve cryptographic schemes for a TLS client profile by using the developer toolkit CLI.
About this task
You set the elliptic_curve_auto_negotiation and elliptic_curve properties in a YAML file definition for the TLS client profile. The elliptic_curve property lists the required elliptic curve cryptographic schemes. For example:

    elliptic_curve_auto_negotiation: false
    elliptic_curve:
      - secp521r1
      - secp384r1
      - prime256v1
You then use the developer toolkit CLI to create the TLS client profile in API Connect.
Note: If elliptic_curve_auto_negotiation is set to true, the system negotiates the Elliptic-curve Diffie-Hellman (ECDH) key agreement automatically with its peer, and the elliptic_curve property settings are ignored.
The following is an example of a complete TLS client profile YAML file definition:

    type: tls_client_profile
    name: my-tls-client-profile
    version: 1.0.0
    title: My TLS client profile
    protocols:
      - tls_v1.2
    ciphers:
      - ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    elliptic_curve_auto_negotiation: false
    elliptic_curve:
      - sect163k1
    insecure_server_connections: false
    server_name_indication: true
Note:
- The elliptic_curve_auto_negotiation option is not supported by any of the API Connect gateway types. If the TLS client profile is targeted for an API Connect gateway, the gateway ignores this setting.
- The elliptic curve cryptographic schemes shown in each row of the following table are equivalent. However, API Connect recognizes only one or the other, depending on how the TLS client profile is used, as indicated in the table.

  Table 1. Equivalent elliptic curve cryptographic schemes

      API enforcement on the gateway | API Connect server access security
      -------------------------------+-----------------------------------
      secp192r1                      | prime192v1
      secp256r1                      | prime256v1

  Therefore, if you want to use either of these schemes and are unsure whether you are targeting the TLS client profile to the API Connect gateway for API enforcement, using it to secure user access to the API Connect servers, or using it for both purposes, specify both equivalent schemes; API Connect simply ignores the scheme that is not relevant. For example:
      elliptic_curve:
        . . .
        - secp256r1
        - prime256v1
        . . .
To create a TLS client profile with elliptic curve cryptographic schemes defined, complete the following steps:

1. Create a YAML file definition for your TLS client profile, with the required elliptic_curve_auto_negotiation and elliptic_curve properties.
2. Log in to the management server from the developer toolkit CLI. Log in either as a member of the cloud administration organization or as a member of a provider organization, depending on where you want to create the TLS client profile. For details, see Logging in to a management server.
3. Create the TLS client profile by using the following command:

       apic tls-client-profiles:create --server mgmt_endpoint_url --org organization_name tls_client_profile_yaml_file
Note: When you install IBM® API Connect, the API Connect gateway has a pre-supplied default TLS client profile that is used for API enforcement if you do not configure a TLS client profile; you cannot configure this default TLS client profile on the gateway.
   where:
   - mgmt_endpoint_url is the platform API endpoint URL, and is the same as the one that was used when you logged in at step 2.
   - organization_name is either admin, for the cloud administration organization, or the name of your provider organization, and is the same as the one that was used when you logged in at step 2.
   - tls_client_profile_yaml_file is the name of the YAML file that contains the definition for your TLS client profile.
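The following POSIX shell script is an example added here; it is not part of the API Connect documentation or product. Before it runs the documented apic tls-client-profiles:create command, it checks the points made on this page: that elliptic_curve_auto_negotiation is false (otherwise the elliptic_curve list is ignored), that both spellings of each equivalent pair from Table 1 are present, and, as a caveat the page does not spell out, that no curve outside the set RFC 8422 retains for TLS 1.2 is listed (sect163k1 in the example above illustrates only the syntax; RFC 8422 deprecates it along with the other RFC 4492 curves, and TLS 1.3 offers none of them). The embedded sample profile is constructed, the server URL and organization are placeholders, the APIC_DRY_RUN variable is a convention of this script rather than an apic option, and the YAML reader handles only the flat key/list layout shown on this page.

```shell
#!/bin/sh
# Added example (not API Connect product code): pre-flight checks for a TLS
# client profile YAML before handing it to `apic tls-client-profiles:create`.
# The reader below understands only the flat shape shown on this page
# (top-level keys, one "  - item" line per list entry), not general YAML.

# Print the curve names listed under the top-level elliptic_curve key.
list_curves() {
    awk '
        /^elliptic_curve:[ \t]*$/   { in_list = 1; next }
        in_list && /^[ \t]*-[ \t]+/ { sub(/^[ \t]*-[ \t]+/, ""); sub(/[ \t]+$/, ""); print; next }
        in_list                     { in_list = 0 }
    ' "$1"
}

# True when elliptic_curve_auto_negotiation is explicitly false, the only
# setting under which the elliptic_curve list is honoured.
auto_negotiation_off() {
    grep -Eq '^elliptic_curve_auto_negotiation:[[:space:]]*false[[:space:]]*$' "$1"
}

# Print the scheme names that must be added so both spellings of each pair
# (secp192r1/prime192v1, secp256r1/prime256v1) are present: the gateway and
# the management server each recognise only one spelling (Table 1).
missing_equivalents() {
    curves=$(list_curves "$1")
    for pair in "secp192r1 prime192v1" "secp256r1 prime256v1"; do
        a=${pair%% *}; b=${pair##* }
        has_a=0; has_b=0
        if printf '%s\n' "$curves" | grep -qx "$a"; then has_a=1; fi
        if printf '%s\n' "$curves" | grep -qx "$b"; then has_b=1; fi
        if [ "$has_a" = 1 ] && [ "$has_b" = 0 ]; then echo "$b"; fi
        if [ "$has_b" = 1 ] && [ "$has_a" = 0 ]; then echo "$a"; fi
    done
}

# Print curves outside the set RFC 8422 retains for TLS 1.2 (it deprecates
# the other RFC 4492 curves, sect163k1 included); prime256v1 is the OpenSSL
# spelling of secp256r1. Whether API Connect accepts x25519/x448 as names is
# not stated on this page; they appear here only for the RFC comparison.
deprecated_curves() {
    list_curves "$1" | while IFS= read -r c; do
        case "$c" in
            secp256r1|prime256v1|secp384r1|secp521r1|x25519|x448) ;;
            *) echo "$c" ;;
        esac
    done
}

# Run the checks, then create the profile with the documented command.
# APIC_DRY_RUN=1 is a convention of this script (not an apic option): it
# prints the command instead of running it.
create_profile() {
    server=$1; org=$2; file=$3
    if ! auto_negotiation_off "$file"; then
        echo "error: elliptic_curve_auto_negotiation is not false; elliptic_curve would be ignored" >&2
        return 1
    fi
    missing=$(missing_equivalents "$file")
    if [ -n "$missing" ]; then
        echo "error: add the equivalent scheme name(s): $missing" >&2
        return 1
    fi
    dep=$(deprecated_curves "$file")
    if [ -n "$dep" ]; then
        echo "warning: curve(s) deprecated by RFC 8422: $dep" >&2
    fi
    if [ "${APIC_DRY_RUN:-0}" = 1 ]; then
        echo "apic tls-client-profiles:create --server $server --org $org $file"
    else
        apic tls-client-profiles:create --server "$server" --org "$org" "$file"
    fi
}

# Constructed sample (not from the page): the first fragment above, which
# lists prime256v1 without its equivalent secp256r1, so the check rejects it.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
type: tls_client_profile
name: my-tls-client-profile
version: 1.0.0
title: My TLS client profile
protocols:
  - tls_v1.2
ciphers:
  - ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
elliptic_curve_auto_negotiation: false
elliptic_curve:
  - secp521r1
  - secp384r1
  - prime256v1
insecure_server_connections: false
server_name_indication: true
EOF
APIC_DRY_RUN=1; export APIC_DRY_RUN
create_profile https://mgmt.example.com admin "$SAMPLE" || echo "profile rejected; fix it and rerun"
```

Run it with APIC_DRY_RUN unset, a real platform API endpoint URL and organization name, and your own YAML file to perform the create; with the constructed sample the script stops at the missing secp256r1 entry, which is exactly the case Table 1 warns about.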
For reference details of all the apic tls-client-profiles commands, see apic tls-client-profiles.
You can also complete the operations described in this topic by using the API Connect REST APIs; see the API Connect REST API documentation.