In Cloud Manager, you can configure the profile that is used on the gateway when it acts as a TLS server.
Before you begin
Important: API Connect includes several default TLS profiles to help you get started.
The default profiles should not be used in a production environment. It is important to create your
own profiles to secure your network.
One of the following roles is required to configure TLS Server Profiles:
- Administrator
- Owner
- Topology Administrator
- Custom role with the Settings: manage permissions
About this task
The Server profile is for the gateway when it is acting as the TLS server, that is, for the connection between the calling application and the gateway. It determines which certificate the gateway presents from its keystore, which protocol versions and ciphers it offers, and whether it asks the calling application for a client certificate and checks that certificate against its truststore.
Procedure
Perform the following steps to create a TLS Server profile:
- In the Cloud Manager, click Resources.
- Select TLS.
- Click Create in the TLS Server Profile table.
- Enter the fields to configure the TLS Server Profile:

Field | Description
Title (required) | Enter a Title for the profile. The title is displayed on the screen.
Name (required) | The Name is auto-generated. The value in the Name field is a single string that can be used in developer toolkit CLI commands. To view the CLI commands to manage TLS Server Profiles, see the toolkit CLI reference documentation.
Version (required) | Assign a version number for the profile. Using version numbers allows you to create multiple server profiles with the same name and different configurations, for example, MyProfile 1.0 and MyProfile 1.1.
Summary (optional) | Enter a description of the profile.
Protocols (required) | Select one or more supported TLS protocol versions. The default is 1.2. Every version you select is offered to clients, so select only the versions your clients actually need; TLS 1.0 and 1.1 are deprecated and should not be enabled in a production profile.
Mutual Authentication (required) | Determines the level of two-way authentication for the server profile. In two-way authentication, the gateway asks the client for its certificate during the TLS handshake and, if a certificate is presented, checks it against the truststore.
  - None (default): No support for mutual authentication. The gateway does not ask for a client certificate.
  - Request: The gateway asks the client for a certificate during the TLS handshake. If the client does not send one, the handshake still completes and no certificate is checked on the gateway. Request therefore cannot by itself guarantee that the caller is authenticated.
  - Require: The gateway asks the client for a certificate during the TLS handshake. If the client does not send one, the TLS handshake fails and the request is blocked.
Limit Renegotiation (optional) | Controls whether the client may initiate a renegotiation of an established connection, for example to retry the handshake. The default (checkmark set) prevents client-initiated renegotiation. Remove the checkmark to allow it, and do so only for a client that genuinely needs it, because every client-triggered handshake costs the gateway CPU.
Keystore (required) | A keystore is a repository containing a public and private key pair and the matching certificate. The Server Profile requires a keystore so that the gateway can securely identify itself: during the TLS handshake the gateway presents the keystore certificate to the calling application, which checks it against the issuers it trusts. Important: API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your certificates before they expire.
Truststore (optional) | A truststore is a repository containing certificates, normally the certificates of the issuing authorities you trust. The certificates are used to verify the peer during a TLS handshake. For a server profile the peer is the calling application, so if a truststore is specified in addition to a keystore, a client certificate received under Request or Require mutual authentication is further checked for validity by ensuring that it is signed by a root certificate that is in the truststore. The same Important note applies: API Connect verifies truststore certificates when you upload them, but does not continuously monitor them for expiry.
Ciphers (required) | Cipher suites are the encryption/decryption algorithms used to secure HTTPS communication within the API Connect ecosystem. Select the ciphers that the profile supports. Note: The TLS 1.3 ciphers are clearly indicated. If you select TLS version 1.3 as one of the protocols for the profile but do not select any TLS 1.3 ciphers, all the TLS 1.3 ciphers are added to the list of ciphers supported by the profile. If you do not select TLS version 1.3 but select one or more TLS 1.3 ciphers, those ciphers are not added to the list of ciphers supported by the profile.

- Click Save.
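The three Mutual Authentication levels and the split between keystore and truststore are easiest to see in a working TLS stack. The following Go program is an added example; it is not part of the API Connect documentation or product, and it uses Go's standard crypto/tls package because that lets the three modes run on a loopback connection without any external tooling. It mints a throwaway CA, a gateway certificate (the keystore), a client certificate issued by that CA and a self-signed client certificate, then runs a loopback TLS server at each level and records whether the gateway side completed the handshake. The mapping of Request to Go's VerifyClientCertIfGiven (ask, check only if a certificate arrives) and of Require to RequireAndVerifyClientCert is an assumption about how the gateway behaves, taken from the descriptions above; the certificate names, the 24-hour validity and the 30-day warning window in ExpiryReport are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Outcome of one loopback handshake, as seen from the gateway (server) side.
type Outcome struct{ Accepted, ClientCertSeen bool }

// newCert mints a throwaway ECDSA certificate; parent == nil means self-signed. Demo only:
// a real CA uses random serial numbers and a much longer validity than 24 hours.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// serverProfile mirrors a TLS Server Profile: the keystore is what the gateway presents, the
// truststore is what client certificates are checked against, and Protocols is TLS 1.2 and later.
func serverProfile(mode string, keystore tls.Certificate, truststore *x509.CertPool) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{keystore}, ClientCAs: truststore, MinVersion: tls.VersionTLS12}
	switch mode {
	case "Request": // ask, and check the certificate only if one arrives (assumed mapping of Request)
		cfg.ClientAuth = tls.VerifyClientCertIfGiven
	case "Require": // no verified client certificate, no connection
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
	default: // None: never ask for a client certificate
		cfg.ClientAuth = tls.NoClientCert
	}
	return cfg
}

// handshake runs one loopback exchange; clientCert == nil models a caller that has no certificate.
func handshake(server *tls.Config, clientCert *tls.Certificate, roots *x509.CertPool) Outcome {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil { panic(err) }
	done := make(chan Outcome, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil { done <- Outcome{}; return }
		tc := conn.(*tls.Conn)
		defer tc.Close()
		err = tc.Handshake() // returns an error whenever the gateway side rejects the caller
		done <- Outcome{Accepted: err == nil, ClientCertSeen: err == nil && len(tc.ConnectionState().PeerCertificates) > 0}
	}()
	client := &tls.Config{RootCAs: roots, ServerName: "gateway", MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		// Present the certificate unconditionally so the server-side check runs even when its
		// issuer is not among the CAs the server advertised in its CertificateRequest.
		client.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return clientCert, nil }
	}
	if c, err := tls.Dial("tcp", ln.Addr().String(), client); err == nil { c.Close() }
	ln.Close() // also unblocks Accept if the caller never reached the listener
	return <-done
}

// Scenario exercises every Mutual Authentication level against three callers: no certificate, a
// certificate issued by the trusted CA, and a self-signed one the truststore does not cover.
func Scenario() map[string]Outcome {
	ca, caKey := newCert("demo-ca", true, nil, nil)
	srv, srvKey := newCert("gateway", false, ca, caKey)
	app, appKey := newCert("trusted-app", false, ca, caKey)
	rogue, rogueKey := newCert("rogue-app", false, nil, nil)
	truststore := x509.NewCertPool(); truststore.AddCert(ca)
	keystore := tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}
	callers := map[string]*tls.Certificate{"no-cert": nil,
		"trusted-cert":   {Certificate: [][]byte{app.Raw}, PrivateKey: appKey},
		"untrusted-cert": {Certificate: [][]byte{rogue.Raw}, PrivateKey: rogueKey}}
	out := map[string]Outcome{} // keyed "mode/caller"
	for _, mode := range []string{"None", "Request", "Require"} {
		for name, cert := range callers {
			out[mode+"/"+name] = handshake(serverProfile(mode, keystore, truststore), cert, truststore)
		}
	}
	return out
}

// ExpiryReport is the check the Important notes leave to you: days of validity left on a
// keystore or truststore certificate, and whether that is inside the warning window.
func ExpiryReport(c *x509.Certificate, now time.Time, warnDays int) (daysLeft int, warn bool) {
	daysLeft = int(c.NotAfter.Sub(now).Hours() / 24)
	return daysLeft, daysLeft < warnDays
}

func main() {
	for k, o := range Scenario() { fmt.Printf("%-24s accepted=%-5v clientCertSeen=%v\n", k, o.Accepted, o.ClientCertSeen) }
}
```

Running it shows the behaviour the table describes: under None every caller is accepted and no client certificate is ever seen; under Request the caller without a certificate is still accepted (nothing is checked), the trusted certificate is accepted and seen, and the self-signed certificate is rejected because it does not chain to the truststore; under Require only the caller with a trusted certificate gets through. Feed ExpiryReport the certificates you loaded into the keystore and truststore from a scheduled job, since the product checks them only at upload time.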