TLS configuration properties
These properties configure the TLS settings for secure communication between clients and the API Connect for GraphQL Software.
The `configuration` argument specifies the configuration entry from the `configurationset`. These configuration values serve as a secure and private database of values that can be used in endpoints, request bodies, and headers.
If the endpoint requires certificate-based authentication, you can provide the certificate and its associated private key using the `certificate` and `certificatekey` configuration values, respectively. For endpoints that use a self-signed certificate or a private certificate authority, you can specify the root certificate by setting the `rootcertificateauthority` configuration value.
To enable these configuration values, you must set `stepzen.tls` to `true`.
Specification | Property | Description | Required |
---|---|---|---|
Configuration | `name` | Name of the TLS configuration that contains the TLS-specific values. | Required |
Configuration | `stepzen.tls` | Enables the use of the `certificate`, `certificatekey`, and `rootcertificateauthority` in the configuration. While TLS is always enabled for outgoing connections, this flag serves as a trigger to specify and use the custom keys for the TLS configuration. | Optional |
Configuration | `certificate` | The contents of the client certificate in PEM format, including line breaks. This certificate is used to identify the client in mutual TLS (mTLS) authentication. | Optional |
Configuration | `certificatekey` | The contents of the certificate private key in PEM format, including line breaks. This private key is used for mutual TLS (mTLS) authentication. Best practice: For enhanced security, avoid embedding the private key directly in the configuration file. Use an environment variable to reference the value as described in the section below. | Optional |
Configuration | `rootcertificateauthority` | The contents of the root certificate chain in PEM format, used to validate the trust chain of the certificate presented by the endpoint. If you use self-signed certificates, you must specify the `rootcertificateauthority`. | Optional |
`certificate` and `certificatekey` should be specified in PEM format and are combined into an X509 key pair, which identifies the IBM API Connect for GraphQL server to the endpoint. The `rootcertificateauthority` consists of one or more PEM-encoded certificates and overrides the default system CA pool.

API security best practices
Use environment variables: Instead of embedding sensitive data directly in your configuration, store sensitive data in environment variables (`.env` file) and reference them in your configuration file.
STEPZEN_CACERT_KEY="-----BEGIN PRIVATE KEY----- MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDRABpoLsvfd+D3 ... -----END PRIVATE KEY-----"
Reference it in `config.yaml` as:
certificatekey: STEPZEN_CACERT_KEY
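
A pre-deployment lint for the rules above, as an added example that is not IBM's code: it flags a configuration entry that embeds a PEM private key in the file, sets TLS values without `stepzen.tls: true`, or supplies only one half of the `certificate`/`certificatekey` pair. The `config.yaml` layout (`- configuration:` list items), the entry names, and the `STEPZEN_CLIENT_CERT` and `STEPZEN_ROOT_CA` variable names are assumptions, and the sample input is constructed.

```python
import re

TLS_KEYS = ("certificate", "certificatekey", "rootcertificateauthority")
KEY_LINE = re.compile(r"^\s*(?:-\s*)?([\w.]+):\s*(.*)$")
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
ENTRY_START = re.compile(r"(?m)^[ \t]*-[ \t]*configuration:[ \t]*$")

def lint_tls_config(text):
    """Return (entry name, finding) pairs for a config.yaml passed as text."""
    findings = []
    # Assumed layout: every entry begins with a "- configuration:" list item.
    for entry in ENTRY_START.split(text)[1:]:
        values = {}
        for line in entry.splitlines():
            m = KEY_LINE.match(line)  # PEM body lines have no "key:" prefix
            if m:
                values[m.group(1)] = m.group(2).strip().strip("\"'")
        name = values.get("name", "<unnamed>")
        # Rule 1: private key material must not live in the file itself.
        if PEM_PRIVATE_KEY.search(entry):
            findings.append((name, "private key embedded in file"))
        # Rule 2: the TLS values only take effect when stepzen.tls is true.
        if any(k in values for k in TLS_KEYS) and \
                values.get("stepzen.tls", "").lower() != "true":
            findings.append((name, "stepzen.tls is not true"))
        # Rule 3: certificate and certificatekey form one X509 key pair.
        if ("certificate" in values) != ("certificatekey" in values):
            findings.append((name, "certificate/certificatekey not paired"))
    return findings

# Constructed sample: one entry that follows the guidance, one that does not.
SAMPLE = """\
configurationset:
  - configuration:
      name: good_mtls
      stepzen.tls: true
      certificate: STEPZEN_CLIENT_CERT
      certificatekey: STEPZEN_CACERT_KEY
      rootcertificateauthority: STEPZEN_ROOT_CA
  - configuration:
      name: bad_mtls
      certificatekey: |
        -----BEGIN PRIVATE KEY-----
        (constructed placeholder, not key material)
        -----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    for entry_name, finding in lint_tls_config(SAMPLE):
        print(f"{entry_name}: {finding}")
```

The parser is line-based and does not handle trailing YAML comments or nested values; it is meant as a commit or CI gate, not a full YAML validator.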