TLS profiles, keystores, and truststores can be created, updated, and deleted in the
Cloud Manager UI.
Before you begin
Review the TLS profiles overview to understand the
concepts of TLS profiles, keystores, and truststores, and the purpose of the default profiles that
are created at installation.
To view TLS server profiles, keystores, and truststores, one of the following roles is
required:
- Viewer
- Custom role with the Settings: view permissions
To view, create, edit, or delete TLS server profiles, keystores, and truststores, one of the
following roles is required:
- Administrator
- Owner
- Topology Administrator
- Custom role with the Settings: Manage permissions
About this task
The Crypto Material section in the Cloud Manager UI contains the TLS
profiles, keystores, and truststores configured for your cloud.
API Connect provides
pre-configured keystores and truststores that are created at installation, and which can be used for
testing and demonstration purposes. For production deployments, it is recommended to create new
keystores and truststores with your own TLS certificates.
Important: Do not modify the
default keystores and truststores that are created at installation.
If you create your own TLS profiles, keystores, and truststores, API Connect verifies all
certificates you upload, but does not continuously monitor them for expiry. You are responsible for
monitoring and updating your certificates before they expire. Certificate expiration dates are
displayed in the keystores and truststores that contain them.
Certificate files that you upload must be in PEM or P12 format.
Procedure
- In the Cloud Manager, click Resources.
- Select Crypto Material.
- From the Crypto Material section you can add, edit, and delete your TLS profiles, keystores, and truststores.
  - TLS server profiles. Configure the TLS profiles used to secure the API invocation endpoints on your gateways. If you want to update keys and certificates, then view the TLS server profile to identify the keystore and truststore that contain them.
  - TLS client profiles. Configure the TLS profiles used to initiate client connections to other systems. If you want to update keys and certificates, then view the TLS client profile to identify the keystore and truststore that contain them.
    You can manage the visibility of TLS client profiles for provider organization members. Select Edit visibility from the options menu next to the name of the profile. The following visibility settings are available:
    - Private - the profile is visible only in the Cloud Manager UI and cannot be used by any provider organization.
    - Public - the profile can be used by all provider organizations.
    - Custom - the profile can be used by the provider organizations you specify.
  - Keystores. Upload the private and public key pairs that your TLS profiles use. The certificate's subject, fingerprint, and expiration date are displayed. Click the > arrow to view more certificate details.
    Note: You cannot download your uploaded keys and certificates from API Connect.
  - Truststores. Upload the certificates that your TLS profiles trust.
  - JWK sets. The JWK sets in the Crypto Material section are not related to TLS profiles. See the Config sync feature.