Managing TLS profiles, keystores, and truststores

TLS profiles, keystores, and truststores can be created, updated, and deleted in the Cloud Manager UI.

Before you begin

Review the TLS profiles overview to understand the concepts of TLS profiles, keystores, and truststores, and the purpose of the default profiles that are created at installation.

To view TLS server profiles, keystores, and truststores, one of the following roles is required:
  • Viewer
  • Custom role with the Settings: View permission
To view, create, edit, or delete TLS server profiles, keystores, and truststores, one of the following roles is required:
  • Administrator
  • Owner
  • Topology Administrator
  • Custom role with the Settings: Manage permission

About this task

The Crypto Material section in the Cloud Manager UI contains the TLS profiles, keystores, and truststores configured for your cloud.

API Connect provides pre-configured keystores and truststores that are created at installation, and which can be used for testing and demonstration purposes. For production deployments, it is recommended to create new keystores and truststores with your own TLS certificates.
Important: Do not modify the default keystores and truststores that are created at installation.

If you create your own TLS profiles, keystores, and truststores, API Connect verifies each certificate when you upload it, but does not monitor uploaded certificates for expiry afterwards. You are responsible for monitoring your certificates and replacing them before they expire. Certificate expiration dates are displayed in the keystores and truststores that contain them.

Certificate files that you upload must be in PEM or P12 format.
Note: For information on generating TLS certificates and keys, see Using OpenSSL to generate and format certificates.
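The following script is an added example and is not part of the API Connect documentation or product. It uses the OpenSSL CLI to prepare keystore material in both formats that Cloud Manager accepts (a PEM key and certificate, and the same pair bundled as P12), reads back the subject, fingerprint, and expiry that Cloud Manager displays, and runs the expiry check that API Connect leaves to you, over a multi-certificate PEM bundle such as a truststore. The gateway hostname gw.example.com, the P12 passphrase, and the 30-day renewal window are placeholders; the self-signed certificate stands in for one issued by your CA.

```shell
#!/bin/sh
# Added example (not from the API Connect documentation): prepare keystore and
# truststore material in PEM and P12 form, and check certificate lifetimes
# yourself, because API Connect does not monitor uploaded certificates for
# expiry. Requires the openssl CLI (1.1.1 or later, for -addext).
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI is required" >&2; exit 1; }

GW_HOST="${GW_HOST:-gw.example.com}"   # placeholder gateway endpoint name
P12_PASS="${P12_PASS:-changeit}"       # placeholder export passphrase

# make_material DIR DAYS: EC P-256 private key plus a certificate valid for
# DAYS days. Self-signed here so the example runs offline; for a production
# gateway, submit a CSR for this key to your CA and use its certificate.
make_material() {
  dir=$1; days=$2
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -days "$days" \
    -subj "/CN=$GW_HOST" -addext "subjectAltName=DNS:$GW_HOST"
}

# to_p12 DIR: bundle the key and certificate into a P12 keystore for upload.
to_p12() {
  dir=$1
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -name "$GW_HOST" -out "$dir/keystore.p12" -passout "pass:$P12_PASS"
}

# p12_cert DIR: read the certificate (not the key) back out of the P12 and
# print the details Cloud Manager shows: subject, fingerprint, expiry date.
p12_cert() {
  dir=$1
  openssl pkcs12 -in "$dir/keystore.p12" -nokeys -clcerts -passin "pass:$P12_PASS" \
    | openssl x509 -noout -subject -fingerprint -sha256 -enddate
}

# needs_renewal CERT DAYS: exit 0 when CERT is already expired or expires
# within DAYS days. openssl's -checkend exits 0 only while the certificate
# stays valid for the whole window, so the sense is inverted here.
needs_renewal() {
  if openssl x509 -in "$1" -noout -checkend $(($2 * 86400)) >/dev/null; then
    return 1
  fi
  return 0
}

# report_bundle BUNDLE DAYS: split a PEM bundle (for example a truststore
# file) into its certificates and print one line each: "RENEW" or "ok",
# then subject and notAfter. Fit for a scheduled job that alerts on RENEW.
report_bundle() {
  bundle=$1; days=$2
  parts=$(mktemp -d)
  awk -v d="$parts" '
    /-----BEGIN CERTIFICATE-----/ { f = d "/" (++i) ".pem" }
    f                             { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }' "$bundle"
  for c in "$parts"/*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject)
    end=$(openssl x509 -in "$c" -noout -enddate)
    if needs_renewal "$c" "$days"; then
      echo "RENEW  $subj  $end"
    else
      echo "ok     $subj  $end"
    fi
  done
  rm -rf "$parts"
}

main() {
  work=$(mktemp -d)
  mkdir "$work/long" "$work/short"
  make_material "$work/long" 398    # a typical public-CA lifetime
  make_material "$work/short" 1     # about to expire
  to_p12 "$work/long"
  echo "== keystore certificate"; p12_cert "$work/long"
  cat "$work/long/cert.pem" "$work/short/cert.pem" > "$work/truststore.pem"
  echo "== truststore check, 30-day window"; report_bundle "$work/truststore.pem" 30
  rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then main; fi
```

Run it with `--demo` to see the full flow. Two caveats worth knowing: keep the PEM private key you generated, because once the pair is uploaded it cannot be downloaded from API Connect again; and OpenSSL 3 writes P12 files with AES and PBKDF2 by default while reading RC2-encrypted files from older tools requires its `-legacy` option, so if a P12 produced on one system fails to open on another, check the OpenSSL versions involved before suspecting the file.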

Procedure

  1. In the Cloud Manager, click Resources.
  2. Select Crypto Material.
  3. From the Crypto Material section you can add, edit, and delete your TLS profiles, keystores, and truststores.
    • TLS server profiles. Configure the TLS profiles used to secure the API invocation endpoints on your gateways. If you want to update keys and certificates, view the TLS server profile to identify the keystore and truststore that contain them.

    • TLS client profiles. Configure the TLS profiles used to initiate client connections to other systems. If you want to update keys and certificates, view the TLS client profile to identify the keystore and truststore that contain them.

      You can manage the visibility of TLS client profiles for provider organization members. Select Edit visibility from the options menu next to the name of the profile. The following visibility settings are available:
      • Private - the profile is visible only in the Cloud Manager UI and cannot be used by any provider organization.
      • Public - the profile can be used by all provider organizations.
      • Custom - the profile can be used by the provider organizations you specify.
    • Keystores. Upload the private and public key pairs that your TLS profiles use.

      The certificate's subject, fingerprint, and expiration date are displayed. Click > to view more certificate details.

      Note: You cannot download your uploaded keys and certificates from API Connect.
    • Truststores. Upload the certificates that your TLS profiles trust.

    • JWK sets. The JWK sets in the Crypto Material section are not related to TLS profiles. See the Config sync feature.