Creating a TLS client profile

Create a TLS client profile to secure communication within your API Connect deployment and to external services.

Before you begin

One of the following roles is required to configure TLS profiles:

  • Organization Administrator
  • Owner
  • Topology Administrator

About this task

A TLS client profile defines the TLS version, keystore, truststore, and ciphers used when making a client connection to a TLS-secured endpoint.

Procedure

  1. Access the TLS client profile tab.
    1. Navigate to Instance settings > Gateways > Configure TLS.
    2. Select the TLS client profile tab.
    3. Click the Create button.
  2. Enter the fields to configure the TLS client profile:
    Title
      Enter a title for the profile.

    Name
      The name is auto-generated and based on the title, with spaces and other URL-unsafe characters replaced.

    Summary
      Enter a description of the profile.

    Version
      Assign a version number for the profile. Using version numbers allows you to create multiple server profiles with the same name and different configurations, for example, MyProfile 1.0 and MyProfile 1.1.

    Protocols
      Select one or more supported TLS protocol versions. The default is 1.2 and 1.3.

    Server connection
      Specify whether to support weak or insecure credentials.
      • Allow insecure server connections - Insecure server connections can mean connections that use self-signed, expired, or corrupted certificates, or certificates from an unknown or untrusted source. Select this option to allow the connection to proceed with an insecure connection. The default is to not allow insecure server connections.
      • Support Server Name Indication (SNI) - Select this option to enable SNI. SNI allows support for multiple certificates that are presented on the same IP address using different hostnames. The client profile sends the name of a virtual domain as part of the TLS negotiation. The default is to enable SNI.

    Keystore
      The keystore is a repository that contains public and private key pairs. Select the keystore where you store the certificates for the profile.

      Important: API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your uploaded certificates before they expire.

    Truststore
      The truststore is a repository that contains verified public keys. Truststores contain the list of certificates that your TLS client profile trusts.

      Important: API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your uploaded certificates before they expire.

    Ciphers
      Cipher suites are encryption algorithms that are used to secure TLS communication. Select the ciphers that the profile supports.

      Note: The TLS 1.3 ciphers are clearly indicated. If you select TLS version 1.3 as one of the protocols for the profile but do not select any TLS 1.3 ciphers, all the TLS 1.3 ciphers are added to the list of ciphers supported by the profile. If you do not select TLS version 1.3 but select one or more TLS 1.3 ciphers, those ciphers are not added to the list of ciphers supported by the profile.
  3. Click Save.
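
Because API Connect does not monitor uploaded certificates for expiry, one way to meet that responsibility is a scheduled check against your own copies of the keystore and truststore PEM files. The script below is an added example, not part of API Connect or its documentation; it assumes the openssl command is installed, and the file names, CN values, and 30-day default are illustrative.

```bash
#!/bin/sh
# Added example: list certificates in a PEM file that expire soon.
# Paths, CN values and the 30-day default are assumptions.

# expiring_certs PEM_FILE DAYS
# Prints "index<TAB>subject<TAB>notAfter" for each certificate in PEM_FILE
# (single certificate or bundle) that is expired or expires within DAYS days.
expiring_certs() (
  pem=$1 days=$2 i=0
  tmp=$(mktemp -d) || exit 2
  # openssl x509 only reads the first certificate of a file, so split the
  # bundle into one file per certificate before checking each one.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%04d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$pem"
  for f in "$tmp"/*.pem; do
    [ -e "$f" ] || break
    i=$((i + 1))
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null; then
      printf '%s\t%s\t%s\n' "$i" \
        "$(openssl x509 -in "$f" -noout -subject)" \
        "$(openssl x509 -in "$f" -noout -enddate)"
    fi
  done
  rm -rf "$tmp"
)

# make_sample_cert CN DAYS OUT_FILE
# Builds a constructed, self-signed test certificate valid for DAYS days.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$1" -days "$2" \
    -keyout "$3.key" -out "$3" 2>/dev/null
}

# Usage: sh check_certs.sh truststore.pem [days]
if [ "$#" -ge 1 ]; then
  expiring_certs "$1" "${2:-30}"
fi
```

Empty output means no certificate in the file expires within the threshold; the index column gives the position of each reported certificate within a bundle.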