Creating a TLS Server Profile
In Cloud Manager, you can configure the profile that is used on the gateway when it acts as a TLS server.
Before you begin
Important: API Connect includes several default TLS profiles to help you get started. The default profiles should not be used in a production environment. It is important to create your own profiles to secure your network.
One of the following roles is required to configure TLS Server Profiles:
- Topology Administrator
- Custom role with the Settings: manage permissions
About this task
The Server profile is for the gateway when it is acting as the TLS server.
Perform the following steps to create a TLS Server profile:
- In the Cloud Manager, click Resources.
- Select TLS.
- Click Create in the TLS Server Profile table.
- Enter the fields to configure the TLS Server Profile:
Field Description Title (required) Enter a Title for the profile. The title is displayed on the screen. Name (required) The Name is auto-generated. The value in the Name field is a single string that can be used in developer toolkit CLI commands.
To view the CLI commands to manage TLS Server Profiles, see apic tls-server-profiles.
Version (required) Assign a version number for the profile. Using version numbers allows you to create multiple server profiles with the same name and different configurations, for example, MyProfile 1.0 and MyProfile 1.1. Summary (optional) Enter a description of the profile. Protocols (required) Select one or more supported TLS protocol versions. The default is 1.2. Mutual Authentication (required) Determines the level of two-way authentication for the server profile. In two-way authentication, the server responds to a client by sending a request for the client certificate.
- None (default) No support for mutual authentication.
- Request Enable this option to request client authentication during the TLS handshake. When the application sends the request, the gateway requests that the application sends the certificate. If the client does not send the certificate, the certificate is not checked on the gateway.
- Require Enable this option to require client authentication during the TLS handshake. When the application sends the request, the gateway requests that the application sends the certificate. If the client does not send the certificate, the TLS handshake fails and the request is blocked.
Limit Renegotiation (optional) Client-initiated renegotiation allows the connection to be retried. The default is to prevent renegotiation. Remove the checkmark to allow renegotiation. Keystore (required) A keystore is a repository containing a public and private key pair. The Server Profile requires a keystore in order to securely identify the system. When an application sends an API request, the keystore is used to verify a matching certificate. Truststore (optional) A truststore is a repository containing certificates. The certificates are used to verify the peer during a TLS handshake. If, in addition to a keystore, a truststore is specified, the certificate is further checked for validity by ensuring that is signed by the root certificate, which must be in the truststore. Ciphers (required) Cipher suites are encryption/decryption algorithms used to secure HTTPs communication within the API Connect ecosystem. Select the ciphers that the profile supports.Note: The TLS 1.3 ciphers are clearly indicated. If you select TLS version 1.3 as one of the protocols for the profile but do not select any TLS 1.3 ciphers, all the TLS 1.3 ciphers are added to the list of ciphers supported by the profile. If you do not select TLS version 1.3 but select one or more TLS 1.3 ciphers, those ciphers are not added to the list of ciphers supported by the profile.
- Click Save.