Create a new TLS server profile to configure secure communication for your API Connect gateways.
Before you begin
Before you begin, ensure you have:
- Administrative access to API Connect
- At least one keystore configured
- At least one truststore configured
About this task
A TLS server profile defines how your gateway presents itself to clients and which certificates
it trusts. Follow these steps to create a new profile.
Procedure
- Access the tab.
- Navigate to .
- Ensure the TLS server profile tab is selected.
- Click the Create button.
- Enter the fields to configure the TLS server profile:

  | Field | Description |
  | --- | --- |
  | Title | Enter a title for the profile. |
  | Name | The name is auto-generated and based on the title, with spaces and other URL-unsafe characters replaced. |
  | Summary | Enter a description of the profile. |
  | Version | Assign a version number for the profile. Using version numbers allows you to create multiple server profiles with the same name and different configurations, for example, MyProfile 1.0 and MyProfile 1.1. |
  | Protocols | Select one or more supported TLS protocol versions. The default is 1.2 and 1.3. |
  | Mutual authentication | Determines the level of two-way authentication for the server profile. In two-way authentication, the server responds to a client by sending a request for the client certificate. None (default): No support for mutual authentication. Request: Enable this option to request client authentication during the TLS handshake. When the application sends the request, the gateway requests that the application sends the certificate. If the client does not send the certificate, the certificate is not checked on the gateway. Require: Enable this option to require client authentication during the TLS handshake. When the application sends the request, the gateway requests that the application sends the certificate. If the client does not send the certificate, the TLS handshake fails and the request is blocked. |
  | Limit renegotiation | Client-initiated renegotiation allows the connection to be retried. The default is to prevent renegotiation. Clear the check box to allow renegotiation. |
  | Keystore | The keystore is a repository that contains public and private key pairs. Select the keystore where you store the certificates for the profile. Important: API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your uploaded certificates before they expire. |
  | Truststore | The truststore is a repository that contains verified public keys. Truststores contain the list of certificates that your TLS client profile trusts. Important: API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your uploaded certificates before they expire. |
  | Ciphers | Cipher suites are encryption algorithms that are used to secure TLS communication. Select the ciphers that the profile supports. Note: The TLS 1.3 ciphers are clearly indicated. If you select TLS version 1.3 as one of the protocols for the profile but do not select any TLS 1.3 ciphers, all the TLS 1.3 ciphers are added to the list of ciphers supported by the profile. If you do not select TLS version 1.3 but select one or more TLS 1.3 ciphers, those ciphers are not added to the list of ciphers supported by the profile. |

- Click Save.
Results
A new TLS server profile is created and ready to be associated with gateways.
What to do next
After creating the profile, associate it with the appropriate gateways and test the configuration.
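
The Keystore and Truststore notes above leave expiry monitoring to you. The following shell function is an added example, not part of API Connect or its documentation: it lists every certificate in a PEM file (a single certificate or a chain) that expires within a given number of days. It assumes you keep local PEM copies of the certificates you uploaded and that the `openssl` command is installed; the function name `expiring_certs` is hypothetical.

```shell
#!/bin/sh
# Added example: report certificates in a PEM file that expire soon.
# Assumption: the PEM file is a local copy of what was uploaded to the
# keystore or truststore.

# expiring_certs FILE DAYS
# Prints "notAfter<TAB>subject" for each certificate in FILE that has
# expired or expires within DAYS days.
# Returns 0 if none are expiring, 1 if at least one is, 2 on error.
expiring_certs() {
    pem=$1 days=$2
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate so that every
    # certificate in a chain is checked, not only the first one.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = d "/cert" n ".pem" }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$pem"
    found=0 count=0
    for c in "$tmp"/cert*.pem; do
        [ -e "$c" ] || break
        count=$((count + 1))
        # -checkend exits non-zero if the certificate expires within
        # the given number of seconds.
        if ! openssl x509 -in "$c" -noout \
                -checkend $((days * 86400)) >/dev/null; then
            found=1
            printf '%s\t%s\n' \
                "$(openssl x509 -in "$c" -noout -enddate | cut -d= -f2)" \
                "$(openssl x509 -in "$c" -noout -subject)"
        fi
    done
    rm -rf "$tmp"
    [ "$count" -gt 0 ] || { echo "no certificates in $pem" >&2; return 2; }
    return "$found"
}

# When run as a script: sh check_certs.sh FILE DAYS
if [ "$#" -eq 2 ]; then
    expiring_certs "$1" "$2"
fi
```

Run it from a scheduled job against each uploaded PEM file; exit status 1 means at least one certificate is due for renewal, so the job can raise an alert.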