Best practices for enabling TLS in API Connect peer groups and managing certificate expiry

Learn best practices for enabling TLS in API Connect peer groups, ensuring secure communication between gateways, and managing certificate expiration to prevent disruptions.
  • When enabling peer groups with Transport Layer Security (TLS) enabled in IBM® API Connect, it's crucial to configure peering objects on all gateways with certificates from a common issuer. This means that the certificates should either be identical across all gateways or signed by the same Certificate Authority (CA). The CA's public certificate should be included in the validation credential (valcred) object used by the peering objects.
  • If the individual certificates (idcred) are nearing their expiration date, replace them with new certificates signed by the same CA. This ensures a seamless transition without disruptions.
  • However, if the CA's certificate itself is nearing its expiration date, additional steps are required. First, add the new CA's public certificate to the valcred object on all gateways. Next, update the peering objects' idcred object to use certificates signed by the new CA. Finally, remove the old CA's public certificate from the valcred objects. This order ensures continuous, secure communication between gateways while maintaining the integrity of the TLS configuration.
Summary
  • Certificates: Use a common CA for all gateways to ensure mutual trust.
  • Certificate Rotation: Replace expiring certificates with new ones from the same CA without disruption.
  • CA Rotation: If the CA itself is being replaced, follow a structured process to update the valcred and idcred objects across all gateways.
  • TLS Implications: If TLS is enabled for peering, ensure that the certificates are consistently managed and updated as described.
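The checks behind the rotation rules above, as an added shell example that is not part of the IBM page: it builds a throw-away CA and one gateway certificate signed by it (constructed test material; the peering-*.pem file names follow the page's cert:/// convention but live in a temp directory), confirms the leaf chains to the CA that the valcred will trust, and maps the expiry of the leaf versus the CA onto the two procedures the page describes. The warning window in days is a parameter you choose.

```shell
#!/bin/sh
# Added example, not from the IBM page. Requires the openssl CLI.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Constructed test material: a CA valid 30 days and a leaf valid 10 days.
make_test_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=peering-ca" \
    -keyout "$WORK/peering-ca-key.pem" -out "$WORK/peering-ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=gateway-1" \
    -keyout "$WORK/peering-key.pem" -out "$WORK/gateway.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/gateway.csr" -CA "$WORK/peering-ca.pem" \
    -CAkey "$WORK/peering-ca-key.pem" -CAcreateserial -days 10 \
    -out "$WORK/peering-cert.pem" 2>/dev/null
}

# Returns 0 when the leaf ($1) was issued by the CA ($2) that the valcred
# trusts; a leaf from a different issuer fails and peering would not come up.
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Prints "ok" if cert $1 is still valid $2 days from now, else "expiring".
expiry_status() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    echo ok
  else
    echo expiring
  fi
}

# Decides which of the page's procedures applies: $1 = leaf, $2 = CA,
# $3 = warning window in days. The CA check comes first because an expiring
# CA also invalidates any leaf it re-issues.
rotation_needed() {
  if [ "$(expiry_status "$2" "$3")" = expiring ]; then
    echo ca-rotation    # add new CA to valcred, re-issue idcred, drop old CA
  elif [ "$(expiry_status "$1" "$3")" = expiring ]; then
    echo leaf-rotation  # re-issue the idcred certificate from the same CA
  else
    echo none
  fi
}
```

Run `make_test_certs` once, then call `chain_ok` and `rotation_needed` against the files in `$WORK` (or point them at the PEM files you actually load into the crypto objects).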
Configuring a gateway with TLS-enabled peering
First, configure the idcred and valcred objects.
    crypto
      key         peering_key     cert:///peering-key.pem
      certificate peering_cert    cert:///peering-cert.pem
      certificate peering_ca      cert:///peering-ca.pem
      idcred      peering_idcred  peering_key peering_cert ca peering_ca
      valcred     peering_valcred ; certificate peering_ca ; exit
    exit

Then, add the following configuration to each gateway-peering object:

      enable-ssl on
      idcred peering_idcred
      valcred peering_valcred
  • The priority should be set differently on each gateway; set the lowest priority on the gateway that will run as primary.
  • persistence should be set to memory for all configured peering objects.
The following example configures gateway 1.1.1.1 with TLS-enabled peering.
    gateway-peering subs
      admin enabled
      local-address 1.1.1.1
      local-port 15222
      monitor-port 26222
      priority 100
      enable-ssl on
      idcred peering_idcred
      valcred peering_valcred
      enable-peer-group on
      peer 2.2.2.2
      peer 3.3.3.3
      persistence memory
    exit

    gateway-peering rate-limit
      admin enabled
      local-address 1.1.1.1
      local-port 15223
      monitor-port 26223
      priority 100
      enable-ssl on
      idcred peering_idcred
      valcred peering_valcred
      enable-peer-group on
      peer 2.2.2.2
      peer 3.3.3.3
      persistence memory
    exit