In Cloud Manager, TLS profiles secure transmission of data through web sites. TLS certificates guarantee that information submitted to web sites will not be stolen or tampered with. In this topic, you learn how to create TLS profiles in Cloud Manager.
Before you begin
About this task
There are instances in API Connect where data is transmitted across an untrusted network, for example, when accessing a website, a mail server, or an LDAP server. TLS (Transport Layer Security) profiles provide public key certificates, either from a Keystore or a Trust Store, to secure communication with external services.
API Connect uses both TLS Server and TLS Client profiles. A TLS Server profile is presented when a communication request is received. The Server profile validates the request against the Keystore and protocol version to determine whether the connection is secure. The Client profile is presented to initiate communication with another system.
The Cloud Manager and API Connect both support and use TLS certificates but do not themselves produce strong encryption keys or manage your encryption keys. Encryption keys are generated and managed according to your own procedures. For more information, see Updating a TLS profile and Generating a PKCS#12 file for Certificate Authority.
Perform the following steps to create a TLS Server profile:
- In the Cloud Manager, click TLS Profiles.
- Click Add, and enter values in the Display Name, Name, and optionally, Description fields.
- Select Public if the TLS profile will be associated with a registry that is used to authenticate access to APIs, otherwise the TLS connection will fail.
- In the Present Certificate section, click the Upload Certificate icon .
Click Select File, browse for the certificate file that you want to present for authentication, and click Open.
- API Connect supports only the P12 (PKCS12) format file for the present certificate.
- Your P12 file must contain the private key, the public certificate from the Certificate Authority, and all intermediate certificates used for signing.
- Your P12 file can contain a maximum of 10 intermediate certificates.
In the Password text field, enter the password for the certificate file.
Note: The present certificate must be password protected.
The certificate is populated.
To enable validation of the certificate presented by the connecting client, move the
Request and validate the certificate against the supplied CAs in the
truststore slider to the On position.
Important: When validation is enabled, the client must send a certificate that is in the trust store, or access is denied to resources including the Cloud Manager Console. The certificate can be an intermediate CA or a root CA.
- In the Trust Store window section, click the Upload Certificate icon .
- Click Select File, browse for the certificate file that you want to present for authentication, and click Open.
- In the Password text field, enter the password for the certificate file.
The certificate is populated.Note:
- If the trust store certificate is expired, you must upload the entire certificate bundle to replace all current certificates.
- API Connect supports only the P12 (PKCS12) and PEM certificate formats for the trust store.
- The Trust Store can contain CA and client certificates for TLS Profiles associated with the Gateway Cluster. API Connect supports exact matching of the certificate or matching on the immediate issuers. The Cloud Manager uses the IBM Global Security Kit (GSKit) for typical certificate management tasks such as self-signed certificate generation, creation of a Certificate Authority (CA), requesting a certificate from a third-party CA and installing certificates for use in SSL protocols.
- Optional: Repeat steps 9 to 12 to add further trust store certificates.
- Expand the Protocols section to display the TLS versions.
Use the check boxes to indicate the version of the TLS protocol. The TLS protocol version
determines which ciphers are available for encryption/decryption.
Note: For instructions on enabling or disabling ciphers, see Setting the ciphers for a TLS server profile
To enable or disable SNI, select or clear the Use SNI check box that is found under , or depending on the version of IBM® API
Connect that you are using.
Server Name Indication (SNI) is an extension to the TLS protocol. SNI is enabled by default, allowing clients to access multiple virtual domains on a single HTTPS server's IP address and port number. The TLS client injects the SNI extension with the desired host name in its initial handshake with the server. The server replies with the appropriate certificate to continue the interaction. Servers that do not support SNI often ignore this extension, but if you encounter compatibility issues, you can disable SNI.
To enable the TLS server to support TLS mutual authentication, complete the following steps:
- In the Present Certificate section, enable Request and validate the certificate against the supplied CAs in the trust store.
- Provide a list of certificates that TLS server will use to verify the client certificate. This field must contain one or more certificates.
When you define a TLS profile in the Cloud Manager user interface, two profiles are created, client and server. When the profile is used as a TLS server profile, the Present Certificate must be provided, because this is used to provide the identity of the TLS server.
To allow or not allow a TLS client to initiate renegotiation with this TLS profile, expand
Server Feature and select or clear Allow TLS Client
TLS client renegotiation enables a client to request the establishing of a new TLS session when a TLS session has already been established. TLS client renegotiation is allowed by default in a TLS profile.Restriction: TLS renegotiation cannot be changed through the API Connect v5 UI. This is because only one SSL SNI Server Profile is created in DataPower Gateway for the API Connect domain. This SNI profile has the default value of allowing (not limiting) TLS Client Renegotiation. Any values for TLS Client renegotiation in the corresponding SSL Server profile (from API Connect) are overwritten by the default value from the SNI Server profile.
Note: Once uploaded, private keys cannot be downloaded from API Connect.