Create a TLS client profile to secure communication within your API Connect deployment and with external services.
Before you begin
One of the following roles is required to configure TLS profiles:
- Organization Administrator
- Owner
- Custom role with the Settings: Manage permissions
About this task
API Connect provides pre-configured TLS client profiles that are created at installation, and which can be used for testing and demonstration purposes. For production deployments, it is recommended to create new client profiles with your own TLS certificates.
Note: If you update a TLS profile that is associated with a Gateway service, the updates are not automatically propagated to Gateway servers. For instructions on configuring the toolkit command-line tool to use TLS certificates when connecting to API Manager, see Configuring the command-line tool to use TLS certificates.
Procedure
To create a TLS profile, complete the following steps:
- In the API Manager, click Resources.
- Select Crypto Material.
- Click Create in the TLS client profile table.
- Enter the fields to configure the TLS client profile:
Field | Description
Title | Enter a title for the profile.
Name | The name is auto-generated and based on the title (with spaces and other URL-unsafe characters replaced). To view the CLI commands to manage a TLS client profile, see the toolkit CLI reference documentation.
Important: The name of the TLS client profile as saved on the DataPower® Gateway, depending on the gateway type, is as follows:
where
- tls-profile-name is the value of the auto-generated name field for the TLS client profile in API Connect.
- provider-org-name is the name of the provider organization that contains the TLS client profile.
- catalog-name is the name of the catalog, in that provider organization, that contains the TLS client profile.
Version | Assign a version number for the profile. Using version numbers allows you to create multiple client profiles with the same name and different configurations, for example, MyProfile 1.0 and MyProfile 1.1.
Summary | Enter a description of the profile.
Protocols | Select one or more supported TLS protocol versions. The default is 1.2 and 1.3.
Server Connection | Specify whether to accept weak or insecure server credentials.
- Allow insecure server connections - An insecure server connection is one in which the server presents a certificate that is self-signed, expired, or corrupted, or that was issued by an unknown or untrusted source. Check this box to allow the connection to proceed anyway. The profile then no longer authenticates the server, so anyone who can intercept the traffic can impersonate it; use this setting only for testing. The default is to not allow insecure server connections.
- Support Server Name Indication (SNI) - Check this box to enable SNI. SNI allows a server to present different certificates for multiple hostnames on the same IP address. The client profile sends the name of the virtual domain as part of the TLS negotiation. The default is to enable SNI.
Keystore | The keystore is a repository containing public and private key pairs. Select the keystore that holds the certificate and private key that the profile presents when a server requires client certificate authentication (mutual TLS).
Important: API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your uploaded certificates before they expire.
Truststore | The truststore is a repository containing verified public keys. The truststore contains the list of certificates that your TLS client profile trusts when it validates the certificate that a server presents.
Important: API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your uploaded certificates before they expire.
Ciphers | Cipher suites are the encryption algorithms that secure TLS communication. Select the ciphers that the profile supports.
Note: The TLS 1.3 ciphers are clearly indicated. If you select TLS version 1.3 as one of the protocols for the profile but do not select any TLS 1.3 ciphers, all the TLS 1.3 ciphers are added to the list of ciphers supported by the profile. If you do not select TLS version 1.3 but select one or more TLS 1.3 ciphers, those ciphers are not added to the list of ciphers supported by the profile.
- Click Save.
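The following is an added example, not code from API Connect or the DataPower Gateway. It translates the profile fields in the table above (Protocols, Server Connection, Keystore, Truststore, Ciphers) into a Python ssl.SSLContext so that you can see what each setting does to a real TLS client, including the cipher rule from the Ciphers note and the interaction between SNI and hostname checking. The ClientProfile dataclass, the IANA-to-OpenSSL cipher name map, and the representation of the keystore and truststore as PEM files on disk are assumptions made for this example.

```python
"""Mirror an API Connect TLS client profile in a Python ssl.SSLContext.

Added example; not code from API Connect. Keystore and truststore are assumed to be
PEM files on disk, and the cipher-name map below covers only the suites used here.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# TLS 1.3 cipher suites, which the profile's cipher picker lists separately.
TLS13_CIPHERS = (
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
)

# IANA -> OpenSSL names for the TLS 1.2 suites used in this example (assumed subset).
OPENSSL_NAMES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}

TLS_VERSIONS = {
    "1.0": ssl.TLSVersion.TLSv1,
    "1.1": ssl.TLSVersion.TLSv1_1,
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}


@dataclass
class ClientProfile:
    """The fields of the TLS client profile table, with the documented defaults (assumed model)."""
    protocols: tuple = ("1.2", "1.3")
    ciphers: tuple = ()
    allow_insecure_server: bool = False
    sni: bool = True
    keystore_cert: Optional[str] = None   # PEM client certificate, used only for mutual TLS
    keystore_key: Optional[str] = None    # PEM private key for keystore_cert
    truststore: Optional[str] = None      # PEM bundle of certificates the client trusts


def effective_ciphers(protocols, selected):
    """Apply the Ciphers note: the TLS 1.3 suites follow the TLS 1.3 protocol selection."""
    selected = list(selected)
    if "1.3" not in protocols:
        # TLS 1.3 suites selected without TLS 1.3 are not added to the profile.
        return [c for c in selected if c not in TLS13_CIPHERS]
    if not any(c in TLS13_CIPHERS for c in selected):
        # TLS 1.3 selected but no TLS 1.3 suite: all of them are added.
        selected.extend(TLS13_CIPHERS)
    return selected


def build_context(profile: ClientProfile) -> ssl.SSLContext:
    """Build a client context whose settings match the profile."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and check_hostname by default
    versions = [TLS_VERSIONS[p] for p in profile.protocols]
    # Python exposes only a contiguous range; a gap such as 1.0 plus 1.3 is not expressible.
    ctx.minimum_version = min(versions)
    ctx.maximum_version = max(versions)

    if profile.allow_insecure_server:
        # "Allow insecure server connections": no chain validation and no hostname check.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif profile.truststore:
        ctx.load_verify_locations(cafile=profile.truststore)
    else:
        ctx.load_default_certs()

    if profile.keystore_cert:
        # Keystore: the certificate and key presented when the server asks for client auth.
        ctx.load_cert_chain(certfile=profile.keystore_cert, keyfile=profile.keystore_key)

    chosen = effective_ciphers(profile.protocols, profile.ciphers)
    tls12 = [c for c in chosen if c not in TLS13_CIPHERS]
    if tls12:
        unknown = [c for c in tls12 if c not in OPENSSL_NAMES]
        if unknown:
            raise ValueError(f"no OpenSSL name known for {unknown}")
        # set_ciphers() governs TLS 1.2 suites only; TLS 1.3 suites follow OpenSSL's defaults.
        ctx.set_ciphers(":".join(OPENSSL_NAMES[c] for c in tls12))
    return ctx


def summarize(ctx: ssl.SSLContext) -> dict:
    """Report the security-relevant state of a context as plain names."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "maximum_version": ctx.maximum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def connect(profile: ClientProfile, host: str, port: int = 443) -> dict:
    """Open a connection and report what was negotiated (needs network access)."""
    ctx = build_context(profile)
    # SNI is sent only when server_hostname is given, and hostname verification needs it too,
    # so SNI can be switched off only when the profile allows insecure server connections.
    server_hostname = host if (profile.sni or ctx.check_hostname) else None
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            return {"protocol": tls.version(), "cipher": tls.cipher()[0]}


if __name__ == "__main__":
    print(summarize(build_context(ClientProfile())))
    print(summarize(build_context(ClientProfile(allow_insecure_server=True))))
```

The default profile yields a context that requires a valid chain and a matching hostname for TLS 1.2 or 1.3; setting allow_insecure_server drops both checks, which is why that box should stay clear outside test environments. Note that neither this example nor API Connect watches the PEM files for expiry, so the monitoring the table's Important notes describe is still needed.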