Creating a TLS server profile

Create a TLS server profile in the Cloud Manager UI to secure the API invocation endpoint on your registered gateways.

Before you begin

Review the TLS profiles overview to understand the concepts of TLS profiles, keystores, and truststores, and the purpose of the default profiles that are created at installation.

Create the keystores and truststores for your TLS server profile.

One of the following roles is required to configure TLS server profiles:

  • Administrator
  • Owner
  • Topology Administrator
  • Custom role with the Settings: manage permissions

About this task

When you register a gateway service, you select a TLS server profile that contains the TLS certificate that is used to secure the API invocation endpoint on the gateway. It is recommended to create your own TLS server profile to secure your API invocation endpoints. The procedure in this topic covers how to create this TLS server profile.

Procedure

Complete the following steps to create a TLS server profile:

  1. In the Cloud Manager, click Resources.
  2. Select Crypto Material.
  3. Click Create in the TLS server profile table.
  4. Enter the fields to configure the TLS server profile:
     • Title: Enter a title for the profile.
     • Name: The name is auto-generated from the title, with spaces and other URL-unsafe characters replaced.
     • Version: Assign a version number to the profile. Version numbers let you create multiple server profiles with the same name but different configurations, for example MyProfile 1.0 and MyProfile 1.1.
     • Summary: Enter a description of the profile.
     • Protocols: Select one or more supported TLS protocol versions. The default is 1.2 and 1.3.
     • Mutual Authentication: Determines the level of two-way authentication for the server profile. In two-way authentication, the server responds to a connecting client by requesting the client's certificate.
       • None (default): No support for mutual authentication.
       • Request: Request client authentication during the TLS handshake. When the application connects, the gateway asks it to present its certificate. If the client does not send a certificate, the gateway does not perform a certificate check.
       • Require: Require client authentication during the TLS handshake. When the application connects, the gateway asks it to present its certificate. If the client does not send a certificate, the TLS handshake fails and the request is blocked.
     • Limit Renegotiation: Controls whether the client can initiate TLS renegotiation (retrying the handshake on an existing connection). Renegotiation is prevented by default; clear the checkbox to allow it.
     • Keystore: A keystore is a repository that contains the public and private key pair used to secure the endpoint.
     • Truststore: A truststore is a repository of TLS certificates that the endpoint secured by your TLS server profile trusts. When mutual authentication is enabled, a client that connects to your endpoint must present a certificate signed by a certificate in your truststore.
       Important: If you create your own TLS profiles, API Connect verifies the keystore and truststore certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your certificates before they expire.
     • Ciphers: Cipher suites are the encryption algorithms used to secure the TLS communication. Select the ciphers that the profile supports.
       Note: The TLS 1.3 ciphers are clearly indicated in the list. If you select TLS version 1.3 as one of the protocols but do not select any TLS 1.3 ciphers, all the TLS 1.3 ciphers are added to the profile's supported cipher list. If you do not select TLS version 1.3 but select one or more TLS 1.3 ciphers, those ciphers are not added to the profile's supported cipher list.
  5. Click Save.
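The following added example is not part of this topic or of API Connect itself; it shows what the profile fields above mean at the TLS layer by mirroring them onto a Python ssl.SSLContext. Mutual Authentication None/Request/Require maps to CERT_NONE/CERT_OPTIONAL/CERT_REQUIRED, Limit Renegotiation maps to OP_NO_RENEGOTIATION, and the Ciphers note's TLS 1.3 rule is implemented in effective_ciphers(). The profile dict shape, the snake_case keys, and the list of three TLS 1.3 suite names are assumptions made for the example.

```python
import ssl

# TLS 1.3 cipher suites (RFC 8446 names). The UI marks these as the TLS 1.3
# ciphers; that the gateway offers exactly these three is an assumption.
TLS13_CIPHERS = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
})

# Mutual Authentication setting -> OpenSSL verify mode:
#   None    -> no client certificate is requested
#   Request -> certificate requested; handshake continues if none is sent
#   Require -> certificate requested; handshake fails if none is sent
VERIFY_MODES = {
    "none": ssl.CERT_NONE,
    "request": ssl.CERT_OPTIONAL,
    "require": ssl.CERT_REQUIRED,
}

# Only the two versions the topic names as defaults are mapped (assumption).
TLS_VERSIONS = {
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}


def effective_ciphers(protocols, selected):
    """Apply the TLS 1.3 rule from the Ciphers field.

    If 1.3 is a selected protocol but no TLS 1.3 suite was selected, every
    TLS 1.3 suite is appended. If 1.3 is not selected, any TLS 1.3 suites that
    were selected are dropped. The caller's selection order is preserved.
    """
    chosen = list(selected)
    if "1.3" in protocols:
        if not any(c in TLS13_CIPHERS for c in chosen):
            chosen += sorted(TLS13_CIPHERS)
    else:
        chosen = [c for c in chosen if c not in TLS13_CIPHERS]
    return chosen


def build_server_context(profile, keystore=None, truststore=None):
    """Build an ssl.SSLContext that mirrors a TLS server profile.

    `profile` is a dict keyed by the field names in snake_case (assumed shape):
    protocols, mutual_authentication, limit_renegotiation, ciphers.
    `keystore` is an optional (cert_file, key_file) tuple and `truststore` an
    optional CA bundle path; both stay unloaded when not supplied.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

    # Protocols: pin the minimum and maximum version to the selection.
    versions = [TLS_VERSIONS[p] for p in profile["protocols"]]
    ctx.minimum_version = min(versions)
    ctx.maximum_version = max(versions)

    # Mutual Authentication: None / Request / Require.
    mode = profile.get("mutual_authentication", "none").lower()
    ctx.verify_mode = VERIFY_MODES[mode]

    # Limit Renegotiation: the default prevents client-initiated renegotiation.
    if profile.get("limit_renegotiation", True) and hasattr(ssl, "OP_NO_RENEGOTIATION"):
        ctx.options |= ssl.OP_NO_RENEGOTIATION

    # Ciphers: TLS 1.2 suites are configured with set_ciphers(). OpenSSL keeps
    # the TLS 1.3 suites on a separate list that is fully enabled by default,
    # so they are filtered out here rather than passed to set_ciphers().
    ciphers = effective_ciphers(profile["protocols"], profile.get("ciphers", []))
    tls12_suites = [c for c in ciphers if c not in TLS13_CIPHERS]
    if tls12_suites:
        ctx.set_ciphers(":".join(tls12_suites))

    # Keystore: the server's certificate chain and private key.
    if keystore is not None:
        cert_file, key_file = keystore
        ctx.load_cert_chain(cert_file, key_file)

    # Truststore: CA certificates that presented client certificates must chain to.
    if truststore is not None:
        ctx.load_verify_locations(cafile=truststore)

    return ctx
```

Note that with CERT_OPTIONAL (the Request setting) a client that sends no certificate still completes the handshake, so any access decision for that connection has to be made by the application layer; CERT_REQUIRED (the Require setting) rejects such clients at the handshake. Because the context verifies uploaded certificates only when they are loaded, expiry of the keystore or truststore material has to be monitored outside this code, as the Important note above says.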