TLS profiles overview
Create TLS profiles to manage the TLS communication between subsystems, external systems, and your API invocation endpoint.
Mutual TLS is used to secure communication between API Connect subsystems, and TLS is used for communication with external systems such as email servers.
- Kubernetes and OpenShift: API Connect certificates
- Client certificates for inter-subsystem communication: Communication from your management subsystem to your portal, analytics, and gateway services.
- API invocation endpoint. The certificates that callers of your published APIs see.
- TLS profiles that you create for use in API definitions.
- Communication with third-party systems.
- Client profiles are used to define the client certificate and ciphers that are used for making client connections to other systems.
- Server profiles are used to define the server certificate and ciphers that are used for securing
server endpoints. The only server profile that is created automatically (during installation) is the
Default TLS server profile
, which is used to secure the API invocation endpoint.
- TLS version indicates the version of the Transport Layer Security Protocol that is used by the profile. Options are TLS versions 1.0, 1.1, 1.2, and 1.3.
- Support for mutual authentication and renegotiation for server profiles.
- Support for weak server connections and Server Name Indication for client profiles.
- Supported cipher suites.
- Keystores, which contain the TLS keys that are used for initiating client connections.
- Truststores, which contain the public keys to validate your analytics, portal, and gateway subsystems, and for trusted third-party services that you integrate with.
TLS profiles created during installation
- On OpenShift or Kubernetes, and all subsystems are installed in the same environment and namespace.
TLS profile name | Description |
---|---|
Default TLS server profile |
For testing and demonstration purposes, you can specify this profile as the TLS server
profile when you register your gateway service. For production deployments, best
practice is to create your own TLS server profiles and not use the |
Default TLS client profile |
You can use this profile as a client profile for communication between the management subsystem
and any other system. This profile is set to trust everything ( |
Analytics ingestion TLS client profile |
Default client profile for use when the management or gateway subsystem communicates with the
analytics service:
Select this profile when you register the analytics service. Note: If you want to use a different client certificate for your analytics service, do not edit this
client profile, create a new profile instead.
|
Portal Director TLS client profile |
Default client profile when the management subsystem communicates with the developer portal subsystem. Select this profile when you register the portal service. Note: If you want to use a different client certificate for your portal service, do not edit this
client profile, create a new profile instead.
|
Gateway management client TLS client profile |
Default client profile when the management subsystem communicates with the gateway subsystem. Select this profile when you register the gateway service. Note: If you want to use a different client certificate for your gateway service, do not edit this
client profile, create a new profile instead.
|
Keystores created during installation
Keystore name | Description |
---|---|
Analytics ingestion |
Used by the Kubernetes and OpenShift installations: The default client certificate in this keystore is set from the Kubernetes certificate analytics-ingestion-client. Do not edit this keystore. If you want to use a different client certificate for analytics ingestion, then create a new client profile and keystore for it. |
Portal director |
Used by the Kubernetes and OpenShift installations: The default client certificate in this keystore is set from the Kubernetes certificate portal-admin-client. |
Gateway mgmt |
Used in the Kubernetes and OpenShift installations: The default client certificate in this keystore is set from the Kubernetes certificate gateway-client-client or gw-dr-client. |
Default TLS server keystore |
Used in the
Default TLS server profile , this keystore contains the server
certificate that secures the API invocation endpoint on your gateway.Note: It is recommended to use
the
Default TLS server profile only for testing and demonstrations. Best practice
is to create a new keystore and server profile for your API invocation certificate. |
Default keystore for id_token signing key |
Used for signing ID tokens that API Connect generates. You must update the certificate in this keystore manually before it expires. Upload a replacement certificate in the Cloud Manager UI. |
Default keystore for self signed token signing key |
Used for signing self-signed tokens that API Connect generates. You must update the certificate in this keystore manually before it expires. Upload a replacement certificate in the Cloud Manager UI. |
Default keystore for temporary token signing key |
Used for signing temporary tokens that API Connect generates. You must update the certificate in this keystore manually before it expires. Upload a replacement certificate in the Cloud Manager UI. |
Default keystore for access_token signing key |
Used for signing access tokens that API Connect generates. You must update the certificate in this keystore manually before it expires. Upload a replacement certificate in the Cloud Manager UI. |
Truststores created during installation
Truststore name | Description |
---|---|
Analytics ingestion |
Used by the |
Portal director |
Used by the |
Gateway management client truststore |
Used by the |