Create a TLS server profile in the Cloud Manager UI to secure the API invocation endpoint on your registered gateways.
Before you begin
Review the TLS profiles overview to understand the concepts of TLS profiles, keystores, and truststores, and the purpose of the default profiles that are created at installation.
Create the keystores and truststores for your TLS server profile.
One of the following roles is required to configure TLS server profiles:
- Administrator
- Owner
- Topology Administrator
- Custom role with the Settings: manage permissions
About this task
When you register a gateway service, you select a TLS server profile that contains the TLS certificate that is used to secure the API invocation endpoint on the gateway. It is recommended to create your own TLS server profile to secure your API invocation endpoints. The procedure in this topic covers how to create this TLS server profile.
Procedure
Complete the following steps to create a TLS server profile:
- In the Cloud Manager, click Resources.
- Select Crypto Material.
- Click Create in the TLS server profile table.
- Enter the fields to configure the TLS server profile:
  - Title: Enter a title for the profile.
  - Name: The name is auto-generated and based on the title (with spaces and other URL-unsafe characters replaced).
  - Version: Assign a version number for the profile. Using version numbers allows you to create multiple server profiles with the same name and different configurations, for example, MyProfile 1.0 and MyProfile 1.1.
  - Summary: Enter a description of the profile.
  - Protocols: Select one or more supported TLS protocol versions. The default is 1.2 and 1.3.
  - Mutual Authentication: Determines the level of two-way authentication for the server profile. In two-way authentication, the server responds to a client by sending a request for the client certificate.
    - None (default): No support for mutual authentication.
    - Request: Enable this option to request client authentication during the TLS handshake. When the application sends the request, the gateway requests that the application send its certificate. If the client does not send a certificate, no certificate is checked on the gateway.
    - Require: Enable this option to require client authentication during the TLS handshake. When the application sends the request, the gateway requests that the application send its certificate. If the client does not send a certificate, the TLS handshake fails and the request is blocked.
  - Limit Renegotiation: Client-initiated renegotiation allows the connection to be retried. The default is to prevent renegotiation. Remove the checkmark to allow renegotiation.
  - Keystore: A keystore is a repository that contains the public and private key pair that is used to secure the endpoint. Important: If you create your own TLS profiles, API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your certificates before they expire.
  - Truststore: A truststore is a repository that contains the TLS certificates that the endpoint secured by your TLS server profile trusts. When a client connects to your endpoint, it must present a certificate that is signed by a certificate in your truststore. Important: If you create your own TLS profiles, API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your certificates before they expire.
  - Ciphers: Cipher suites are the encryption algorithms that are used to secure the TLS communication. Select the ciphers that the profile supports. Note: The TLS 1.3 ciphers are clearly indicated in the list. If you select TLS version 1.3 as one of the protocols for the profile but do not select any TLS 1.3 ciphers, all the TLS 1.3 ciphers are added to the list of ciphers supported by the profile. If you do not select TLS version 1.3 but select one or more TLS 1.3 ciphers, those ciphers are not added to the list of ciphers supported by the profile.
- Click Save.
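As an added illustration (not IBM API Connect code), the following Python maps the profile fields above onto a server-side ssl.SSLContext, so the effect of the Protocols, Mutual Authentication, Limit Renegotiation and Ciphers choices can be checked locally before a profile is saved; the function names and the TLS 1.3 suite list are assumptions, since the page does not list the suites.

```python
"""Added example, not IBM API Connect code: maps the TLS server profile fields
above onto a server-side ssl.SSLContext so each choice can be checked locally.
build_server_context, effective_ciphers and TLS13_CIPHERS are assumed names."""
import ssl

# TLS 1.3 suites as assumed here; the page does not list them.
TLS13_CIPHERS = ["TLS_AES_256_GCM_SHA384",
                 "TLS_CHACHA20_POLY1305_SHA256",
                 "TLS_AES_128_GCM_SHA256"]

# Mutual Authentication setting -> what the server does with the client certificate.
MUTUAL_AUTH = {
    "none": ssl.CERT_NONE,          # no client certificate is requested
    "request": ssl.CERT_OPTIONAL,   # requested; a missing certificate is not checked
    "require": ssl.CERT_REQUIRED,   # requested; a missing certificate fails the handshake
}

PROTOCOL_VERSIONS = {"1.2": ssl.TLSVersion.TLSv1_2, "1.3": ssl.TLSVersion.TLSv1_3}


def effective_ciphers(protocols, selected):
    """Apply the rule from the Ciphers field: with TLS 1.3 enabled and no 1.3 suite
    selected, every 1.3 suite is added; with TLS 1.3 disabled, selected 1.3 suites
    are dropped. Order of the selected suites is preserved."""
    tls13 = [c for c in selected if c in TLS13_CIPHERS]
    legacy = [c for c in selected if c not in TLS13_CIPHERS]
    if "1.3" not in protocols:
        return legacy
    return legacy + (tls13 or list(TLS13_CIPHERS))


def build_server_context(protocols=("1.2", "1.3"), mutual_auth="none",
                         keystore=None, truststore=None, limit_renegotiation=True):
    """keystore is a (certfile, keyfile) pair; truststore is a CA bundle path.
    Both are optional so the context can be inspected without key material."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    versions = sorted(PROTOCOL_VERSIONS[p] for p in protocols)
    ctx.minimum_version = versions[0]      # Protocols: refuse anything older
    ctx.maximum_version = versions[-1]
    ctx.verify_mode = MUTUAL_AUTH[mutual_auth]
    if truststore:
        ctx.load_verify_locations(cafile=truststore)  # CAs that client certs must chain to
    if keystore:
        ctx.load_cert_chain(*keystore)                 # server certificate and private key
    if limit_renegotiation:  # Limit Renegotiation: block client-initiated renegotiation
        ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return ctx
```

Python's ssl module exposes only the pre-1.3 cipher list through set_ciphers(), so effective_ciphers() is kept as pure logic rather than applied to the context.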