TLS configuration properties

These properties configure the TLS settings for secure communication between clients and the API Connect for GraphQL software.

The configuration argument specifies the configuration entry from the configurationset. These configuration values serve as a secure and private database of values that can be used in endpoints, request bodies, and headers.

If the endpoint requires certificate-based authentication, you can provide the certificate and its associated private key using the certificate and certificatekey configuration values, respectively. For endpoints that use a self-signed certificate or a private certificate authority, you can specify the root certificate by setting the rootcertificateauthority configuration value.

To enable these configuration values, you must set stepzen.tls to true.

| Property | Description | Required |
| --- | --- | --- |
| Configuration name | Name of the TLS configuration that contains the TLS-specific values. | Required |
| stepzen.tls | Enables the use of the certificate, certificatekey, and rootcertificateauthority in the configuration. While TLS is always enabled for outgoing connections, this flag serves as a trigger to specify and use the custom keys for the TLS configuration. | Optional |
| certificate | The contents of the client certificate in PEM format, including line breaks. This certificate is used to identify the client in mutual TLS (mTLS) authentication. | Optional |
| certificatekey | The contents of the certificate private key in PEM format, including line breaks. This private key is used for mutual TLS (mTLS) authentication. Best practice: For enhanced security, avoid embedding the private key directly in the configuration file. Use an environment variable to reference the value as described in the section below. | Optional |
| rootcertificateauthority | The contents of the root certificate chain in PEM format, used to validate the trust chain of the certificate presented by the endpoint. If you use self-signed certificates, you must specify the rootcertificateauthority. | Optional |

Note: The certificate and certificatekey should be specified in PEM format and are combined into an X509 key pair, which identifies the IBM API Connect for GraphQL server to the endpoint. The rootcertificateauthority consists of one or more PEM-encoded certificates and overrides the default system CA pool.

API security best practices

Use environment variables: Instead of embedding sensitive data directly in your configuration, store sensitive data in environment variables (.env file) and reference them in your configuration file.

For example, set an environment variable to store the secret key:
STEPZEN_CACERT_KEY="-----BEGIN PRIVATE KEY----- MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDRABpoLsvfd+D3 ... -----END PRIVATE KEY-----"
Then, reference the environment variable in config.yaml as:
certificatekey: STEPZEN_CACERT_KEY
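The following config.yaml puts the TLS properties from the table above and the environment-variable practice from this section together in one configuration entry. It is an added example, not a file from the product documentation: the property names (name, stepzen.tls, certificate, certificatekey, rootcertificateauthority) and the STEPZEN_CACERT_KEY reference come from the page, while the configurationset/configuration nesting, the entry name backend_mtls, the schema reference mentioned in the comments, and the PEM bodies are assumptions and placeholders.

```yaml
# config.yaml (added example, not part of the product documentation).
# Assumed layout: a configurationset list whose entries are configuration maps.
# The "|" block scalar keeps the PEM line breaks intact, which the table
# requires for certificate and rootcertificateauthority.
configurationset:
  - configuration:
      # Entry name (assumed); the schema selects it with configuration: "backend_mtls"
      name: backend_mtls
      # Must be true, otherwise the three PEM values below are not used.
      stepzen.tls: true
      # Client certificate presented for mTLS. It is public, so it can stay in the file.
      # Placeholder body: replace with the real PEM.
      certificate: |
        -----BEGIN CERTIFICATE-----
        <client certificate body, placeholder>
        -----END CERTIFICATE-----
      # Private key: reference the environment variable rather than pasting the PEM.
      # The variable is set in the .env file, e.g.
      #   STEPZEN_CACERT_KEY="-----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----"
      certificatekey: STEPZEN_CACERT_KEY
      # Only needed when the endpoint uses a self-signed certificate or a private CA.
      # This replaces the default system CA pool, so include every certificate the
      # endpoint's chain needs, not just the leaf.
      rootcertificateauthority: |
        -----BEGIN CERTIFICATE-----
        <private root CA body, placeholder>
        -----END CERTIFICATE-----

# Avoid: embedding the key makes it part of every copy of this file
# (source control, backups, deployment bundles). Shown here only for contrast.
#      certificatekey: |
#        -----BEGIN PRIVATE KEY-----
#        <private key body>
#        -----END PRIVATE KEY-----
```

Two points to check after editing the file: the PEM values must keep their line breaks (a single-line PEM is not parsed as a certificate), and because rootcertificateauthority overrides the system CA pool, an endpoint that chains to a public CA will fail validation if only the private root is listed.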