Create TLS client profiles in the Cloud Manager UI to secure client connections in your
API Connect environment.
Before you begin
Review the TLS profiles overview to understand the
concepts of TLS profiles, keystores, and truststores, and the purpose of the default profiles that
are created at installation.
One of the following roles is required to configure TLS client profiles:
- Administrator
- Owner
- Topology Administrator
- Custom role with the Settings: Manage permissions
About this task
A TLS client profile defines the TLS version, keystore, truststore, and ciphers used when making
a client connection to a TLS secured endpoint.
Procedure
Complete the following steps to create a TLS client profile:
- In the Cloud Manager, click Resources.
- Select Crypto Material.
- Click Create in the TLS client profile table.
- Enter the fields to configure the TLS Client Profile:

  | Field | Description |
  | --- | --- |
  | Title | Enter a title for the profile. |
  | Name | The name is auto-generated and based on the title (with spaces and other URL-unsafe characters replaced). |
  | Version | Assign a version number for the profile. Using version numbers allows you to create multiple profiles with the same name and different configurations, for example, MyProfile 1.0 and MyProfile 1.1. |
  | Summary | Enter a description of the profile. |
  | Protocols | Select one or more supported TLS protocol versions. The default is 1.2 and 1.3. |
  | Server Connection | Specify whether to support weak or insecure credentials. Allow insecure server connections: insecure server connections can mean connections that use certificates that are self-signed, expired, corrupted, or from an unknown or untrusted source. Check this box to allow the connection to proceed with an insecure connection. The default is to not allow insecure server connections. Support Server Name Indication (SNI): check this box to enable SNI. SNI allows support for multiple certificates presented on the same IP address using different hostnames. The client profile sends the name of a virtual domain as part of the TLS negotiation. The default is to enable SNI. |
  | Keystore | A keystore is a repository that contains public and private key pairs. The keystore has the public key that the client presents when it initiates communication with a TLS secured endpoint. Important: If you create your own TLS profiles, API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your certificates before they expire. |
  | Truststore | A truststore is a repository that contains verified public keys. Truststores contain the list of certificates that your TLS client profile trusts. Important: If you create your own TLS profiles, API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your certificates before they expire. |
  | Ciphers | Cipher suites are encryption algorithms that are used to secure the TLS communication. Select the ciphers that the profile supports. Note: The TLS 1.3 ciphers are clearly indicated. If you select TLS version 1.3 as one of the protocols for the profile but do not select any TLS 1.3 ciphers, all the TLS 1.3 ciphers are added to the list of ciphers supported by the profile. If you do not select TLS version 1.3 but select one or more TLS 1.3 ciphers, those ciphers are not added to the list of ciphers supported by the profile. |

- Click Save.
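As an added example (not part of the IBM documentation or of API Connect's own code), the following Python shows how the profile fields above map onto a client-side TLS configuration and implements the TLS 1.3 cipher rule from the Ciphers row. The profile dictionary keys, the `effective_ciphers` and `build_context` names, the sample cipher names, and the mapping of "Allow insecure server connections" onto disabled certificate verification are assumptions made for illustration.

```python
import ssl

# Constructed sample: the TLS 1.3 suites (IANA names) as they would appear in
# a profile's cipher list; every other name is treated as a TLS 1.2 cipher.
TLS13_CIPHERS = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
})

# Assumed mapping from the "Protocols" field values to ssl.TLSVersion.
_VERSIONS = {"1.0": ssl.TLSVersion.TLSv1, "1.1": ssl.TLSVersion.TLSv1_1,
             "1.2": ssl.TLSVersion.TLSv1_2, "1.3": ssl.TLSVersion.TLSv1_3}


def effective_ciphers(protocols, selected):
    """Apply the rule from the Ciphers row: with TLS 1.3 among the protocols
    and no 1.3 suite selected, all 1.3 suites are added; with TLS 1.3 absent,
    any selected 1.3 suite is dropped. Selection order is preserved."""
    chosen = list(dict.fromkeys(selected))  # de-duplicate, keep order
    if "1.3" in protocols:
        if not any(c in TLS13_CIPHERS for c in chosen):
            chosen.extend(sorted(TLS13_CIPHERS))
    else:
        chosen = [c for c in chosen if c not in TLS13_CIPHERS]
    return chosen


def build_context(profile):
    """Translate the profile fields into an ssl.SSLContext (assumed mapping).
    profile keys: protocols (list of str), allow_insecure (bool),
    truststore (PEM CA bundle path), keystore (PEM client cert + key path)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    versions = sorted(_VERSIONS[p] for p in profile["protocols"])
    ctx.minimum_version, ctx.maximum_version = versions[0], versions[-1]
    if profile.get("allow_insecure", False):
        # "Allow insecure server connections": self-signed, expired or
        # untrusted server certificates are accepted. check_hostname must be
        # cleared before verify_mode, or Python raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.verify_mode = ssl.CERT_REQUIRED   # the profile's default
        ctx.check_hostname = True
    if profile.get("truststore"):   # certificates the client trusts
        ctx.load_verify_locations(cafile=profile["truststore"])
    if profile.get("keystore"):     # key pair the client presents
        ctx.load_cert_chain(certfile=profile["keystore"])
    return ctx
```

With `check_hostname` enabled, Python sends SNI whenever `server_hostname` is passed to `wrap_socket`, which is the equivalent of the profile's SNI check box.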