Creating a TLS server profile

Create a new TLS server profile to configure secure communication for your API Connect gateways.

Before you begin

Before you begin, ensure you have:

  • Administrative access to API Connect
  • At least one keystore configured
  • At least one truststore configured

About this task

A TLS server profile defines how your gateway presents itself to clients and which certificates it trusts. Follow these steps to create a new profile.

Procedure

  1. Access the TLS server profile tab.
    1. Navigate to Instance settings > Gateways > Configure TLS.
    2. Ensure the TLS server profile tab is selected.
    3. Click the Create button.
  2. Enter the fields to configure the TLS server profile:
    Field Description
    Title: Enter a title for the profile.
    Name: The name is auto-generated from the title, with spaces and other URL-unsafe characters replaced.
    Summary: Enter a description of the profile.
    Version: Assign a version number to the profile. Version numbers let you keep several server profiles with the same name but different configurations, for example MyProfile 1.0 and MyProfile 1.1.
    Protocols: Select one or more TLS protocol versions that the gateway accepts. The default is TLS 1.2 and TLS 1.3.
    Mutual authentication: Determines whether the gateway asks the client for a certificate during the TLS handshake (two-way, or mutual, TLS). In two-way authentication the gateway, after presenting its own certificate, sends the client a certificate request.
    • None (default) - The gateway never requests a client certificate.
    • Request - The gateway requests a client certificate during the handshake. If the client presents one, it is checked against the truststore. If the client sends no certificate, the handshake completes anyway and no certificate check takes place on the gateway, so this setting on its own does not prove that a client holds a certificate.
    • Require - The gateway requests a client certificate during the handshake. If the client sends no certificate, the TLS handshake fails and the request is blocked.
    Limit renegotiation: Controls whether a client can start a new handshake over an established connection (client-initiated renegotiation, which exists in TLS 1.2 and earlier; TLS 1.3 has no renegotiation). The check box is selected by default, which prevents client-initiated renegotiation. Clear the check box to allow it.
    Keystore: The keystore is a repository that contains public and private key pairs. Select the keystore that holds the certificate and private key the gateway presents to clients under this profile.

    Important: API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your uploaded certificates before they expire.
    Truststore: The truststore is a repository that contains verified public keys (certificates). For a server profile it holds the CA certificates, or individual client certificates, that the gateway trusts when it validates a client certificate, so it matters when Mutual authentication is set to Request or Require.

    Important: API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your uploaded certificates before they expire.
    Ciphers: Cipher suites are the combinations of key exchange, authentication, encryption, and integrity algorithms that can be negotiated on a TLS connection. Select the ciphers that the profile supports.
    Note: The TLS 1.3 ciphers are clearly indicated in the list. If you select TLS 1.3 as one of the protocols for the profile but do not select any TLS 1.3 ciphers, all of the TLS 1.3 ciphers are added to the profile. If you do not select TLS 1.3 but do select one or more TLS 1.3 ciphers, those ciphers are not added to the profile.
  3. Click Save.
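The Ciphers note describes a rule with two edge cases, and the combinations it leaves behind are easy to get wrong: selecting only TLS 1.2 together with only TLS 1.3 ciphers yields a profile with no ciphers at all. The following added example, which is not part of the API Connect documentation or product, applies that rule to a candidate selection and reports such problems before you click Save. The set of TLS 1.3 suite names is an assumption (the IANA names from RFC 8446; which of them a given gateway lists is not stated on this page), and the protocol labels "1.2" and "1.3" are just this example's convention.

```python
# Added example; not part of the API Connect documentation or product code.
# Applies the cipher rule from the profile form's Ciphers note to a candidate
# selection and flags combinations that leave a selected protocol with nothing
# to negotiate. Protocol labels "1.2"/"1.3" are this example's own convention.
# ASSUMPTION: the TLS 1.3 suite names are the IANA names from RFC 8446; which
# of them a particular gateway offers is not stated on the page.
TLS13_SUITES = frozenset({
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})


def is_tls13(cipher):
    """TLS 1.3 suites carry no key-exchange or signature part in their name."""
    return cipher in TLS13_SUITES


def effective_ciphers(protocols, selected):
    """Return the cipher list the profile ends up with, in selection order.

    Rule from the profile form:
      * TLS 1.3 enabled but no TLS 1.3 suite selected -> every TLS 1.3 suite is added.
      * TLS 1.3 not enabled -> any selected TLS 1.3 suite is dropped.
    """
    protocols = set(protocols)
    selected = list(dict.fromkeys(selected))  # de-duplicate, keep order
    if "1.3" not in protocols:
        return [c for c in selected if not is_tls13(c)]
    if not any(is_tls13(c) for c in selected):
        return selected + sorted(TLS13_SUITES)
    return selected


def profile_warnings(protocols, selected):
    """Return human-readable problems with a protocol/cipher combination."""
    protocols = set(protocols)
    ciphers = effective_ciphers(protocols, selected)
    warnings = []
    dropped = [c for c in selected if is_tls13(c) and "1.3" not in protocols]
    if dropped:
        warnings.append("TLS 1.3 is not enabled, so these ciphers are ignored: "
                        + ", ".join(dropped))
    if "1.2" in protocols and not any(not is_tls13(c) for c in ciphers):
        # Inference, not a statement from the page: a TLS 1.2 connection needs
        # a TLS 1.2 suite, so TLS 1.2 clients would have nothing to negotiate.
        warnings.append("TLS 1.2 is enabled but no TLS 1.2 cipher is selected")
    if not ciphers:
        warnings.append("the profile has no ciphers at all")
    return warnings


if __name__ == "__main__":
    # Constructed candidate selections, each run through the rule above.
    candidates = [
        ({"1.2", "1.3"}, ["ECDHE-RSA-AES256-GCM-SHA384"]),          # default protocols
        ({"1.2"}, ["ECDHE-RSA-AES256-GCM-SHA384", "TLS_AES_128_GCM_SHA256"]),
        ({"1.2"}, ["TLS_AES_128_GCM_SHA256"]),                        # ends up empty
        ({"1.2", "1.3"}, ["TLS_AES_128_GCM_SHA256"]),                 # no TLS 1.2 suite
    ]
    for protocols, selected in candidates:
        print(sorted(protocols), selected)
        print("  effective:", effective_ciphers(protocols, selected))
        for w in profile_warnings(protocols, selected):
            print("  WARNING:", w)
```

Run the script to see the effective list and warnings for each constructed candidate; the third candidate shows the empty-profile case, the fourth a profile that enables TLS 1.2 without any suite a TLS 1.2 client could use.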

Results

A new TLS server profile is created and ready to be associated with gateways.

What to do next

After creating the profile, associate it with the appropriate gateways and test the configuration.