Creating a TLS Client Profile

In Cloud Manager, TLS profiles are configured as a Resource to provide secure transmission of data over HTTPS.

Before you begin

One of the following roles is required to configure TLS Profiles:

  • Administrator
  • Owner
  • Topology Administrator
  • Custom role with the Settings: Manage permissions

About this task

API Connect uses both TLS Server and TLS Client profiles. A TLS Server profile is presented when a communication request is received. The Server profile validates the request against the Keystore and protocol version to determine whether the connection is secure. The Client profile is presented to initiate communication with another system. Client Profiles may be made visible for use by provider organizations in policies in API Manager. See Setting visibility for a TLS Client Profile.

Procedure

Perform the following steps to create a TLS Client profile:

  1. In the Cloud Manager, click Resources.
  2. Select TLS.
  3. Click Create in the TLS Client Profile table.
  4. Enter the fields to configure the TLS Client Profile:

     Title (required)
       Enter a Title for the profile. The title is displayed on the screen.

     Name (required)
       The Name is auto-generated. The value in the Name field is a single string that can be used in developer toolkit CLI commands.
       To view the CLI commands to manage a TLS Client Profile, see apic tls-client-profiles.

     Version (required)
       Assign a version number for the profile. Using version numbers allows you to create multiple profiles with the same name and different configurations, for example, MyProfile 1.0 and MyProfile 1.1.

     Summary (optional)
       Enter a description of the profile.

     Protocols (required)
       Select one or more supported TLS protocol versions. The default is 1.2.

     Server Connection (optional)
       Specify whether to support weak or insecure credentials.
       • Allow insecure server connections - Insecure server connections may result from self-signed certificates, expired or corrupted certificates, or certificates from an unknown or untrusted source. Check this box to allow the connection to proceed even though the server's certificate cannot be validated. The default is to not allow insecure server connections.
       • Support Server Name Indication (SNI) - Check this box to enable SNI. SNI allows multiple certificates to be presented on the same IP address using different host names. The client profile sends the name of a virtual domain as part of the TLS negotiation. The default is to enable SNI.

     Keystore (optional)
       A Keystore is a repository containing public and private key pairs. Select the keystore where you will store the certificates for the profile. Default keystores are provided, and you can also create your own.

     Truststore (optional)
       A Truststore is a repository containing verified public keys, which are usually obtained from a third-party certificate authority. Truststores provide secure identification for peer systems. A truststore is usually used when mutual authentication is enabled. Select a truststore for the profile. Default truststores are provided, and you can also create your own.

     Ciphers (required)
       Cipher suites are encryption/decryption algorithms used to secure HTTPS communication within the API Connect ecosystem. Select the ciphers that the profile supports.
       Note: The TLS 1.3 ciphers are clearly indicated. If you select TLS version 1.3 as one of the protocols for the profile but do not select any TLS 1.3 ciphers, all the TLS 1.3 ciphers are added to the list of ciphers supported by the profile. If you do not select TLS version 1.3 but select one or more TLS 1.3 ciphers, those ciphers are not added to the list of ciphers supported by the profile.
  5. Click Save.
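The following is an added example and is not part of the IBM API Connect documentation or product code. It shows what the profile fields above mean in a real client-side TLS configuration, using Python's standard ssl module: Protocols become the minimum and maximum TLS version, "Allow insecure server connections" becomes disabled certificate and hostname verification, SNI is the server_hostname sent in the ClientHello, the keystore and truststore become the client certificate and the CA bundle, and the cipher-selection rule from the Note is implemented as a function. The function names, the sample cipher names and the keystore/truststore file arguments are assumptions made for this example.

```python
"""
Added example, not part of the IBM API Connect documentation or product code:
the fields of a TLS Client Profile expressed as a client-side TLS configuration
with Python's standard ssl module, plus the cipher-selection rule from the Note.
Function names, the sample cipher names and the keystore/truststore arguments
are assumptions made for this example.
"""
import socket
import ssl

# Constructed catalogue of TLS 1.3 cipher suites (the set the Note says is
# "clearly indicated" in the UI); every other name is treated as a TLS 1.2 suite.
TLS13_CIPHERS = frozenset({
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
})

# Profile protocol labels mapped to ssl.TLSVersion values.
PROTOCOL_VERSIONS = {"1.2": ssl.TLSVersion.TLSv1_2, "1.3": ssl.TLSVersion.TLSv1_3}


def effective_ciphers(protocols, selected):
    """Apply the Note's rule to a profile's Protocols and Ciphers selections.

    - TLS 1.3 enabled but no TLS 1.3 cipher chosen: all TLS 1.3 ciphers are added.
    - TLS 1.3 not enabled: any chosen TLS 1.3 ciphers are dropped.
    Returns the sorted list of ciphers the profile will actually support.
    """
    chosen = set(selected)
    tls13 = chosen & TLS13_CIPHERS
    others = chosen - TLS13_CIPHERS
    if "1.3" in protocols:
        if not tls13:
            tls13 = set(TLS13_CIPHERS)
    else:
        tls13 = set()
    return sorted(others | tls13)


def build_client_context(protocols=("1.2",), allow_insecure=False,
                         keystore=None, truststore=None, ciphers=None):
    """Build an ssl.SSLContext that mirrors the profile fields.

    keystore   -- (certfile, keyfile) pair presented to the server (mutual TLS)
    truststore -- PEM bundle of CA certificates used to verify the server
    """
    # Default context: client mode, server certificate verification and
    # hostname checking on. This is the secure-server-connection baseline.
    ctx = ssl.create_default_context()

    versions = [PROTOCOL_VERSIONS[p] for p in protocols]
    ctx.minimum_version = min(versions)
    ctx.maximum_version = max(versions)

    if truststore is not None:
        ctx.load_verify_locations(cafile=truststore)
    if keystore is not None:
        certfile, keyfile = keystore
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)

    if allow_insecure:
        # "Allow insecure server connections": self-signed, expired or untrusted
        # server certificates are no longer rejected. Hostname checking has to
        # be switched off before certificate verification can be.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    if ciphers:
        # set_ciphers() configures the TLS 1.2 suite list; OpenSSL keeps the
        # TLS 1.3 suites separate, so they are filtered out of this string.
        tls12 = [c for c in ciphers if c not in TLS13_CIPHERS]
        if tls12:
            ctx.set_ciphers(":".join(tls12))
    return ctx


def wrap_for_host(ctx, host, send_sni=True):
    """Wrap an unconnected socket; server_hostname is what carries the SNI name
    in the ClientHello. Python refuses a missing SNI name while check_hostname
    is on, so SNI can only be left out on an insecure context."""
    return ctx.wrap_socket(socket.socket(), server_hostname=host if send_sni else None)


def context_summary(ctx):
    """Plain-value view of a context, convenient for checks and logging."""
    return {
        "min_version": ctx.minimum_version.name,
        "max_version": ctx.maximum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
        "ciphers": [c["name"] for c in ctx.get_ciphers()],
    }


if __name__ == "__main__":
    secure = build_client_context(protocols=("1.2", "1.3"),
                                  ciphers=["ECDHE-RSA-AES256-GCM-SHA384"])
    print(context_summary(secure))
    print(effective_ciphers(["1.2", "1.3"], ["ECDHE-RSA-AES256-GCM-SHA384"]))
```

The point worth noticing is the `allow_insecure` branch: the single checkbox in the UI corresponds to turning off both certificate-chain validation and hostname matching, which is why the page's default is to leave it unchecked. The `effective_ciphers` function reproduces the two rules from the Note, so you can predict the profile's final cipher list from the Protocols and Ciphers selections before saving.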