Create a TLS client profile to secure communication within your API Connect deployment and to external services.
Before you begin
One of the following roles is required to configure TLS profiles:
- Organization Administrator
- Owner
- Topology Administrator
About this task
A TLS client profile defines the TLS version, keystore, truststore, and ciphers used when making a client connection to a TLS-secured endpoint.
Procedure
- Access the tab.
- Navigate to .
- Select the TLS client profile tab.
- Click the Create button.
- Enter the fields to configure the TLS client profile:
| Field | Description |
| --- | --- |
| Title | Enter a title for the profile. |
| Name | The name is auto-generated and based on the title, with spaces and other URL-unsafe characters replaced. |
| Summary | Enter a description of the profile. |
| Version | Assign a version number for the profile. Using version numbers allows you to create multiple server profiles with the same name and different configurations, for example, MyProfile 1.0 and MyProfile 1.1. |
| Protocols | Select one or more supported TLS protocol versions. The default is 1.2 and 1.3. |
| Server connection | Specify whether to support weak or insecure credentials. Allow insecure server connections: Insecure server connections can mean connections that use self-signed, expired, or corrupted certificates, or certificates from an unknown or untrusted source. Select this option to allow the connection to proceed with an insecure connection. The default is to not allow insecure server connections. Support Server Name Indication (SNI): Select this option to enable SNI. SNI allows support for multiple certificates that are presented on the same IP address using different hostnames. The client profile sends the name of a virtual domain as part of the TLS negotiation. The default is to enable SNI. |
| Keystore | The keystore is a repository that contains public and private key pairs. Select the keystore where you store the certificates for the profile. Important: API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your uploaded certificates before they expire. |
| Truststore | The truststore is a repository that contains verified public keys. Truststores contain the list of certificates that your TLS client profile trusts. Important: API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your uploaded certificates before they expire. |
| Ciphers | Cipher suites are encryption algorithms that are used to secure TLS communication. Select the ciphers that the profile supports. Note: The TLS 1.3 ciphers are clearly indicated. If you select TLS version 1.3 as one of the protocols for the profile but do not select any TLS 1.3 ciphers, all the TLS 1.3 ciphers are added to the list of ciphers supported by the profile. If you do not select TLS version 1.3 but select one or more TLS 1.3 ciphers, those ciphers are not added to the list of ciphers supported by the profile. |
- Click Save.
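To make concrete what the Protocols, Server connection, Keystore, Truststore and Ciphers choices mean for a TLS client, here is an added example that expresses the same choices with Python's standard `ssl` module. It is not API Connect code or an API Connect API; the function and parameter names are hypothetical and only mirror the field names in the table.

```python
import ssl

# Hypothetical field names modelled on the table above; this is not an
# API Connect API, only the same choices expressed on Python's ssl client.
VERSIONS = {"1.2": ssl.TLSVersion.TLSv1_2, "1.3": ssl.TLSVersion.TLSv1_3}


def client_context(protocols=("1.2", "1.3"), allow_insecure=False,
                   truststore=None, keystore=None, ciphers=None):
    """Return an ssl.SSLContext configured like a TLS client profile."""
    if not protocols or any(p not in VERSIONS for p in protocols):
        raise ValueError("protocols must be a non-empty subset of 1.2 and 1.3")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies the server by default
    chosen = [VERSIONS[p] for p in protocols]
    ctx.minimum_version, ctx.maximum_version = min(chosen), max(chosen)
    if truststore:   # path to a PEM bundle of CA certificates the client trusts
        ctx.load_verify_locations(cafile=truststore)
    if keystore:     # (certfile, keyfile) presented if the server requests a client cert
        ctx.load_cert_chain(*keystore)
    if ciphers:      # OpenSSL cipher string; in Python this governs TLS 1.2 suites only
        ctx.set_ciphers(ciphers)
    if allow_insecure:
        # Same effect as "Allow insecure server connections": self-signed, expired
        # and untrusted certificates are accepted, so the server is unauthenticated.
        ctx.check_hostname = False   # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def summary(ctx):
    """Report the security-relevant settings of a context for review."""
    return {
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    print("default :", summary(client_context()))
    print("insecure:", summary(client_context(allow_insecure=True)))
```

Comparing the two summaries shows that the insecure option removes both certificate validation and hostname checking while leaving the protocol range unchanged, which is why encryption alone does not make such a connection trustworthy.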