In the IBM® API Connect API Manager interface, TLS profiles are used to secure transmission of data between the management server and other API Connect subsystems and external services. TLS and SSL certificates protect the information you submit from being intercepted or tampered with in transit. In this topic, you learn how to create a TLS profile in API Manager.
Before you begin
One of the following roles is required to configure TLS Profiles:
- Organization Administrator
- Owner
- Custom role with the Settings: Manage permissions
About this task
API Connect supports the use of TLS and SSL certificates, but does not itself produce strong encryption keys or manage your encryption keys. Encryption keys should be created and managed according to your own procedures. For more information, see Viewing certificate details and adding certificates to a keystore or truststore and Generating a PKCS#12 file for Certificate Authority.
Note: If you update a TLS profile that is associated with a Gateway service, the updates are not automatically propagated to Gateway servers. For instructions on configuring the toolkit command-line tool to use TLS certificates when connecting to API Manager, see Configuring the command-line tool to use TLS certificates.
Procedure
To create a TLS profile, complete the following steps:
- In the API Manager, click Resources.
- Select TLS.
- Click Create in the TLS Client Profile table.
- Enter the fields to configure the TLS Client Profile:
Title (required): Enter a Title for the profile. The title is displayed on the screen.

Name (required): The Name is auto-generated. The value in the Name field is a single string that can be used in developer toolkit CLI commands. To view the CLI commands to manage a TLS Client Profile, see the toolkit CLI reference documentation.
Important: The name of the TLS Client Profile as saved on the DataPower® Gateway, depending on the gateway type, is as follows:
where
- tls-profile-name is the value of the auto-generated Name field for the TLS client profile in API Connect.
- provider-org-name is the name of the provider organization containing the TLS client profile.
- catalog-name is the name of the Catalog, in that provider organization, containing the TLS client profile.

Version (required): Assign a version number for the profile. Using version numbers allows you to create multiple server profiles with the same name and different configurations, for example, MyProfile 1.0 and MyProfile 1.1.

Summary (optional): Enter a description of the profile.

Protocols (required): Select one or more supported TLS protocol versions. The default is 1.2.

Server Connection (optional): Specify whether to support weak or insecure credentials.
- Allow insecure server connections - Insecure server connections may result from self-signed certificates, expired or corrupted certificates, or certificates from an unknown or untrusted source. Select this check box to allow the connection to proceed even when the server's credentials are insecure. The default is to not allow insecure server connections.
- Support Server Name Indication (SNI) - Select this check box to enable SNI. SNI allows support for multiple certificates presented on the same IP address using different host names. The client profile sends the name of a virtual domain as part of the TLS negotiation. The default is to enable SNI.

Keystore (optional): A Keystore is a repository containing public and private key pairs. Select the keystore where you will store the certificates for the profile. Default keystores are provided, and you can also create your own.
API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your uploaded certificates before they expire.

Truststore (optional): A Truststore is a repository containing verified public keys, which are usually obtained from a third-party certificate authority. Truststores provide a list of certificates used to verify a peer's certificate. If used in a TLSServerProfile, a truststore is used when mutual authentication is enabled. Select a truststore for the profile. Default truststores are provided, and you can also create your own.
API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your uploaded certificates before they expire.

Ciphers (required): Cipher suites are encryption/decryption algorithms used to secure HTTPS communication within the API Connect ecosystem. Select the ciphers that the profile supports.
Note: The TLS 1.3 ciphers are clearly indicated. If you select TLS version 1.3 as one of the protocols for the profile but do not select any TLS 1.3 ciphers, all the TLS 1.3 ciphers are added to the list of ciphers supported by the profile. If you do not select TLS version 1.3 but select one or more TLS 1.3 ciphers, those ciphers are not added to the list of ciphers supported by the profile.
- Click Save.
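The following Python example is added here to show how the Protocols, Ciphers and Server Connection fields of the profile translate into a concrete client configuration; it is not part of this page or of API Connect. It assumes that the three suites listed in TLS13_CIPHERS are the ones the UI marks as TLS 1.3 ciphers (the page does not list them), and it uses Python's standard ssl module as a stand-in for the gateway's TLS stack. effective_ciphers applies the two TLS 1.3 rules from the Ciphers description, and build_client_context makes visible what "Allow insecure server connections" costs: both certificate validation and hostname checking are switched off.

```python
import ssl

# Assumed set of TLS 1.3 cipher suites (IANA names). The profile UI marks the
# TLS 1.3 ciphers but the page does not list them, so this set is an assumption.
TLS13_CIPHERS = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
})

# Protocol labels as shown in the Protocols field -> ssl.TLSVersion values
PROTOCOL_VERSIONS = {
    "1.0": ssl.TLSVersion.TLSv1,
    "1.1": ssl.TLSVersion.TLSv1_1,
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}


def effective_ciphers(protocols, selected):
    """Resolve the cipher list the profile will actually support.

    Implements the two rules from the Ciphers field description:
    - TLS 1.3 selected but no TLS 1.3 cipher chosen -> every TLS 1.3 cipher is added;
    - TLS 1.3 ciphers chosen but TLS 1.3 not selected -> those ciphers are dropped.
    """
    chosen = list(dict.fromkeys(selected))          # keep order, drop duplicates
    has_tls13_cipher = any(c in TLS13_CIPHERS for c in chosen)
    if "1.3" in protocols and not has_tls13_cipher:
        chosen += sorted(TLS13_CIPHERS)
    elif "1.3" not in protocols:
        chosen = [c for c in chosen if c not in TLS13_CIPHERS]
    if not chosen:
        # Worth catching at configuration time: a profile with no usable cipher
        # suite cannot complete a handshake with anything.
        raise ValueError("profile would support no cipher suites at all")
    return chosen


def build_client_context(profile, truststore_path=None,
                         keystore_cert=None, keystore_key=None):
    """Translate a profile dict into an ssl.SSLContext for an outbound connection.

    Profile keys mirror the fields on this page: "protocols" (list of labels)
    and "allow_insecure" (bool). Ciphers are resolved by effective_ciphers();
    OpenSSL uses its own cipher naming, so they are not applied to the context here.
    """
    ctx = ssl.create_default_context()                # CERT_REQUIRED + hostname check
    versions = sorted(PROTOCOL_VERSIONS[p] for p in profile["protocols"])
    # An SSLContext expresses a contiguous version range only. A selection with
    # a gap, such as {1.0, 1.3}, would silently enable the versions in between,
    # so refuse it rather than widen what the profile asked for.
    span = [v for v in PROTOCOL_VERSIONS.values() if versions[0] <= v <= versions[-1]]
    if len(span) != len(versions):
        raise ValueError("selected protocol versions must be contiguous")
    ctx.minimum_version = versions[0]
    ctx.maximum_version = versions[-1]
    if truststore_path:
        ctx.load_verify_locations(cafile=truststore_path)   # the profile's truststore
    if keystore_cert:
        ctx.load_cert_chain(keystore_cert, keystore_key)    # the profile's keystore (mTLS)
    if profile.get("allow_insecure"):
        # "Allow insecure server connections": self-signed, expired or untrusted
        # server certificates are accepted. Python ties hostname checking to
        # verification, so that is lost as well; this is why the default is off.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    # SNI (the "Support Server Name Indication" option) is sent by passing
    # server_hostname=<host> to ctx.wrap_socket() at connection time.
    return ctx


if __name__ == "__main__":
    prof = {"protocols": ["1.2", "1.3"], "ciphers": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]}
    print(effective_ciphers(prof["protocols"], prof["ciphers"]))
    print(build_client_context(prof).verify_mode)
```

Selecting "1.2" alone while choosing only TLS 1.3 suites is the case to watch: after the drop rule runs, the profile is left with nothing, which is why effective_ciphers raises instead of returning an empty list.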
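Because API Connect checks certificates only at upload time, the Keystore and Truststore descriptions above leave expiry monitoring to you. The following Python example is added here as a minimal offline check and is not part of this page or of the product: it reads the Validity field of a DER or PEM certificate using only the standard library and classifies the certificate as ok, expiring, expired or not yet valid. The sample certificates it builds are constructed skeletons (unsigned, with empty names) that exist only to exercise the parser; run it against your real exported keystore and truststore certificates instead.

```python
import base64
from datetime import datetime, timedelta, timezone

# ---- minimal DER reader: just enough to reach TBSCertificate.validity ----

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        items.append((tag, val))
    return items


def _parse_time(tag, value):
    s = value.decode("ascii")
    if tag == 0x17:                         # UTCTime: YYMMDDHHMMSSZ (RFC 5280 pivot at 50)
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != 0x18:                       # GeneralizedTime: YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def pem_to_der(pem):
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def certificate_validity(der):
    """Return (not_before, not_after) from an X.509 certificate in DER form."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    tbs = _children(cert)[0][1]             # tbsCertificate is its first element
    fields = _children(tbs)
    i = 1 if fields[0][0] == 0xA0 else 0    # skip the optional [0] EXPLICIT version
    validity = fields[i + 3][1]             # serial, signature, issuer, then validity
    not_before, not_after = (_parse_time(t, v) for t, v in _children(validity))
    return not_before, not_after


def expiry_status(der, warn_days=30, now=None):
    """Classify a certificate; returns (status, days_remaining)."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = certificate_validity(der)
    remaining = (not_after - now).days
    if now < not_before:
        return "not-yet-valid", remaining
    if remaining < 0:
        return "expired", remaining
    if remaining <= warn_days:
        return "expiring", remaining
    return "ok", remaining


# ---- constructed sample data (assumption: not a real, signed certificate) ----

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_certificate(not_before, not_after):
    """Structurally valid Certificate skeleton with empty names and no real
    signature; it exists only so the parser above can be exercised offline."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                 # [0] version v3
               + _tlv(0x02, b"\x01")                           # serialNumber
               + _tlv(0x30, b"")                               # signature algorithm
               + _tlv(0x30, b"")                               # issuer (empty Name)
               + _tlv(0x30, utc(not_before) + utc(not_after))  # validity
               + _tlv(0x30, b"")                               # subject
               + _tlv(0x30, b""))                              # subjectPublicKeyInfo
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def demo():
    """Status of three constructed certificates against a fixed 'now'."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    samples = {
        "ok": build_sample_certificate(now - timedelta(days=10), now + timedelta(days=365)),
        "expiring": build_sample_certificate(now - timedelta(days=350), now + timedelta(days=15)),
        "expired": build_sample_certificate(now - timedelta(days=400), now - timedelta(days=5)),
    }
    return {name: expiry_status(der, now=now) for name, der in samples.items()}


if __name__ == "__main__":
    for name, (status, days) in demo().items():
        print(f"{name:9s} -> {status} ({days} days remaining)")
```

For a real certificate exported from a keystore or truststore, pass pem_to_der(open(path).read()) to expiry_status and alert on anything other than "ok"; the warn_days threshold should be longer than the time it takes you to re-issue and re-upload a certificate.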