Creating a TLS client profile

Create TLS client profiles in the Cloud Manager UI to secure client connections in your API Connect environment.

Before you begin

Review the TLS profiles overview to understand the concepts of TLS profiles, keystores, and truststores, and the purpose of the default profiles that are created at installation.

One of the following roles is required to configure TLS client profiles:

  • Administrator
  • Owner
  • Topology Administrator
  • Custom role with the Settings: Manage permissions

About this task

A TLS client profile defines the TLS version, keystore, truststore, and ciphers used when making a client connection to a TLS secured endpoint.

Procedure

Complete the following steps to create a TLS client profile:

  1. In the Cloud Manager, click Resources.
  2. Select Crypto Material.
  3. Click Create in the TLS client profile table.
  4. Enter the fields to configure the TLS Client Profile:
    • Title: Enter a title for the profile.
    • Name: The name is auto-generated from the title, with spaces and other URL-unsafe characters replaced.
    • Version: Assign a version number for the profile. Version numbers let you create multiple server profiles with the same name and different configurations, for example, MyProfile 1.0 and MyProfile 1.1.
    • Summary: Enter a description of the profile.
    • Protocols: Select one or more supported TLS protocol versions. The default is 1.2 and 1.3.
    • Server Connection: Specify whether to support weak or insecure credentials.
      • Allow insecure server connections: Insecure server connections are connections that use certificates that are self-signed, expired, corrupted, or from an unknown or untrusted source. Check this box to allow such connections to proceed. The default is to not allow insecure server connections.
      • Support Server Name Indication (SNI): Check this box to enable SNI. SNI allows multiple certificates to be presented on the same IP address for different hostnames; the client profile sends the name of the virtual domain as part of the TLS negotiation. The default is to enable SNI.
    • Keystore: A keystore is a repository that contains public and private key pairs. The keystore holds the public key that the client presents when it initiates communication with a TLS secured endpoint.
      Important: If you create your own TLS profiles, API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your certificates before they expire.
    • Truststore: A truststore is a repository that contains verified public keys. Truststores hold the list of certificates that your TLS client profile trusts.
      Important: If you create your own TLS profiles, API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your certificates before they expire.
    • Ciphers: Cipher suites are the encryption algorithms used to secure the TLS communication. Select the ciphers that the profile supports.
      Note: The TLS 1.3 ciphers are clearly indicated. If you select TLS version 1.3 as one of the protocols for the profile but do not select any TLS 1.3 ciphers, all the TLS 1.3 ciphers are added to the list of ciphers supported by the profile. If you do not select TLS version 1.3 but select one or more TLS 1.3 ciphers, those ciphers are not added to the list of ciphers supported by the profile.
  5. Click Save.
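The following added example (illustration code, not part of API Connect or this page) models the Protocols, Server Connection, SNI and Ciphers fields above as a Python ssl client, so the effect of each setting on an outbound connection can be inspected offline. The ClientProfile class, its field names, the describe() and connect_kwargs() helpers and the hostname api.example.test are assumptions introduced here; the TLS 1.3 suite names are the standard IANA names from RFC 8446, and effective_ciphers() encodes the TLS 1.3 rule from the Note on the Ciphers field.

```python
"""Model the Cloud Manager TLS client profile fields as a Python ssl client.

Added example, not API Connect code. ClientProfile mirrors the form fields
(Protocols, Allow insecure server connections, Support SNI, Ciphers).
"""
import ssl
from dataclasses import dataclass

# Standard TLS 1.3 suite names (RFC 8446); these stand in for the suites the
# form flags as "TLS 1.3 ciphers".
TLS13_CIPHERS = (
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
)

# Protocol labels as shown on the form, mapped to Python's TLSVersion enum.
PROTOCOL_VERSIONS = {
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}


@dataclass(frozen=True)
class ClientProfile:
    """One TLS client profile (hypothetical model); defaults match the form."""
    protocols: tuple = ("1.2", "1.3")
    allow_insecure_server: bool = False
    support_sni: bool = True
    ciphers: tuple = ()


def effective_ciphers(profile: ClientProfile) -> tuple:
    """Apply the form's TLS 1.3 rule to the selected cipher list.

    - TLS 1.3 selected but no TLS 1.3 cipher chosen: all TLS 1.3 suites are added.
    - TLS 1.3 not selected: any chosen TLS 1.3 suites are dropped.
    - Otherwise the selection is kept as entered.
    """
    selected = list(profile.ciphers)
    has_tls13 = "1.3" in profile.protocols
    chosen_tls13 = [c for c in selected if c in TLS13_CIPHERS]
    if has_tls13 and not chosen_tls13:
        selected.extend(TLS13_CIPHERS)
    elif not has_tls13:
        selected = [c for c in selected if c not in TLS13_CIPHERS]
    return tuple(selected)


def build_context(profile: ClientProfile) -> ssl.SSLContext:
    """Translate the profile into an ssl.SSLContext for outbound connections."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    versions = sorted(PROTOCOL_VERSIONS[p] for p in profile.protocols)
    ctx.minimum_version = versions[0]
    ctx.maximum_version = versions[-1]
    if profile.allow_insecure_server:
        # "Allow insecure server connections": self-signed, expired or unknown
        # certificates are accepted. Python requires check_hostname to be
        # cleared before verify_mode can be set to CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        # Default: the server chain must validate against the truststore
        # (ctx.load_verify_locations(cafile=...) in real use) and, with SNI
        # enabled, the certificate must match the requested hostname.
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = profile.support_sni
    # The form lists IANA cipher names; SSLContext.set_ciphers() expects
    # OpenSSL cipher-list syntax and does not govern TLS 1.3 suites, so the
    # effective list is kept as data (effective_ciphers) rather than applied.
    return ctx


def connect_kwargs(profile: ClientProfile, hostname: str) -> dict:
    """Keyword arguments for ctx.wrap_socket(); SNI is sent via server_hostname."""
    return {"server_hostname": hostname if profile.support_sni else None}


def describe(ctx: ssl.SSLContext) -> dict:
    """Plain-string view of the security-relevant context settings."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "maximum_version": ctx.maximum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    default = ClientProfile()
    print(describe(build_context(default)), effective_ciphers(default))
    weak = ClientProfile(protocols=("1.2",), allow_insecure_server=True,
                         ciphers=("TLS_AES_128_GCM_SHA256",))
    print(describe(build_context(weak)), effective_ciphers(weak))
```

Comparing describe() output for the default profile with that of a profile that allows insecure server connections shows exactly what the checkbox gives up: verify_mode drops from CERT_REQUIRED to CERT_NONE and hostname matching is disabled, so an expired or self-signed certificate is no longer rejected. The truststore is what load_verify_locations() would be fed in a real client; as the Important notes above say, the certificates it contains still need their own expiry monitoring.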