Creating a TLS client profile

Create a TLS client profile to secure communication within your API Connect deployment and to external services.

Before you begin

One of the following roles is required to configure TLS profiles:

  • Organization Administrator
  • Owner
  • Custom role with the Settings: Manage permissions

About this task

API Connect provides pre-configured TLS client profiles that are created at installation, and which can be used for testing and demonstration purposes. For production deployments, it is recommended to create new client profiles with your own TLS certificates.
Note: For information on generating TLS certificates and keys, see Using OpenSSL to generate and format certificates.
Note: If you update a TLS profile that is associated with a Gateway service, the updates are not automatically propagated to Gateway servers. For instructions on configuring the toolkit command-line tool to use TLS certificates when connecting to API Manager, see Configuring the command-line tool to use TLS certificates.

Procedure

To create a TLS profile, complete the following steps:

  1. In the API Manager, click Resources Resources.
  2. Select Crypto Material.
  3. Click Create in the TLS client profile table.
  4. Enter the fields to configure the TLS client profile:
    Field Description
    Title Enter a title for the profile.
    Name The name is auto-generated and based on the title (with spaces and other URL unsafe characters replaced).

    To view the CLI commands to manage a TLS client profile, see the toolkit CLI reference documentation.

    Important: The name of the TLS client profile as saved on the DataPower® Gateway, depending on the gateway type, is as follows:
    • DataPower API Gateway:
      provider-org-name_catalog-name_tlsp-tls-profile-nameV1.0.0
    • DataPower Gateway (v5 compatible):
      provider-org-name-tls-profile-nameV1.0.0
    where
    • tls-profile-name is the value of the auto-generated name field for the TLS client profile in API Connect.
    • provider-org-name is the name of the provider organization that contains the TLS client profile.
    • catalog-name is the name of the catalog, in that provider organization, that contains the TLS client profile.
    Version Assign a version number for the profile. Using version numbers allows you to create multiple server profiles with the same name and different configurations, for example, MyProfile 1.0 and MyProfile 1.1.
    Summary Enter a description of the profile.
    Protocols Select one or more supported TLS protocol versions. The default is 1.2 and 1.3
    Server Connection Specify whether to support weak or insecure credentials.
    • Allow insecure server connections - Insecure server connections can mean connections that use self-signed, expired, corrupted, or are from an unknown or untrusted source. Check this box to allow the connection to proceed with an insecure connection. The default is to not allow insecure server connections.
    • Support Server Name Indication (SNI) - Check this box to enable SNI. SNI allows support for multiple certificates that are presented on the same IP address using different hostnames. The client profile sends the name of a virtual domain as part of the TLS negotiation. The default is to enable SNI.
    Keystore

    The keystore is a repository containing public and private key pairs. Select the keystore where you store the certificates for the profile.

    Important: API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your uploaded certificates before they expire.
    Truststore

    The truststore is a repository containing verified public keys. Truststores contain the list of certificates that your TLS client profile trusts.

    Important: API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your uploaded certificates before they expire.
    Ciphers Cipher suites are encryption algorithms that are used to secure TLS communication. Select the ciphers that the profile supports.
    Note: The TLS 1.3 ciphers are clearly indicated. If you select TLS version 1.3 as one of the protocols for the profile but do not select any TLS 1.3 ciphers, all the TLS 1.3 ciphers are added to the list of ciphers supported by the profile. If you do not select TLS version 1.3 but select one or more TLS 1.3 ciphers, those ciphers are not added to the list of ciphers supported by the profile.
  5. Click Save.