Creating a TLS client profile

In the IBM® API Connect API Manager interface, TLS profiles are used to secure transmission of data between the management server and other API Connect subsystems and external services. TLS and SSL certificates guarantee that information you submit will not be stolen or tampered with. In this topic, you learn how to create a TLS profile in API Manager.

Before you begin

One of the following roles is required to configure TLS Profiles:

  • Organization Administrator
  • Owner
  • Custom role with the Settings: Manage permissions

About this task

API Connect supports the use of TLS and SSL certificates, but does not itself produce strong encryption keys or manage your encryption keys. Encryption keys should be created and managed according to your own procedures. For more information, see Viewing certificate details and adding certificates to a keystore or truststore and Generating a PKCS#12 file for Certificate Authority.

Note: If you update a TLS profile that is associated with a Gateway service, the updates are not automatically propagated to Gateway servers. For instructions on configuring the toolkit command-line tool to use TLS certificates when connecting to API Manager, see Configuring the command-line tool to use TLS certificates.

Procedure

To create a TLS profile, complete the following steps:

  1. In the API Manager, click Resources Resources.
  2. Select TLS.
  3. Click Create in the TLS Client Profile table.
  4. Enter the fields to configure the TLS Client Profile:
    Field Description
    Title (required) Enter a Title for the profile. The title is displayed on the screen.
    Name (required) The Name is auto-generated. The value in the Name field is a single string that can be used in developer toolkit CLI commands.

    To view the CLI commands to manage a TLS Client Profile, see apic tls-client-profiles.

    Important: The name of the TLS Client Profile as saved on the DataPower® Gateway, depending on the gateway type, is as follows:
    • DataPower API Gateway:
      provider-org-name_catalog-name_tlsp-tls-profile-nameV1.0.0
    • DataPower Gateway (v5 compatible):
      provider-org-name-tls-profile-nameV1.0.0
    where
    • tls-profile-name is the value of the auto-generated Name field for the TLS client profile in API Connect.
    • provider-org-name is the name of the provider organization containing the TLS client profile.
    • catalog-name is the name of the catalog, in that provider organization, containing the TLS client profile.
    Version (required) Assign a version number for the profile. Using version numbers allows you to create multiple server profiles with the same name and different configurations, for example, MyProfile 1.0 and MyProfile 1.1.
    Summary (optional) Enter a description of the profile.
    Protocols (required) Select one or more supported TLS protocol versions. The default is 1.2.
    Server Connection (optional) Specify whether to support weak or insecure credentials.
    • Allow insecure server connections - Insecure server connections may result from self-signed certificates, expired or corrupted certificates, or certificates from an unknown or untrusted source. Check this box to allow the connection to proceed with an insecure connection. The default is to not allow insecure server connections.
    • Support Server Name Indication (SNI) - Check this box to enable SNI. SNI allows support for multiple certificates presented on the same IP address using different host names. The client profile sends the name of a virtual domain as part of the TLS negotiation. The default is to enable SNI.
    Keystore (optional)

    A Keystore is a repository containing public and private key pairs. Select the keystore where you will store the certificates for the profile. Default keystores are provided, and you can also create your own.

    Important: API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your uploaded certificates before they expire.
    Truststore (optional)

    A Truststore is a repository containing verified public keys, which are usually obtained from a third-party certificate authority. Truststores provide list of certificates to verify a peer's certificate. If used in a TLSServerProfile, a truststore is used when mutual authentication is enabled. Select a truststore for the profile. Default truststores are provided, and you can also create your own.

    Important: API Connect verifies certificates when you upload them, but does not continuously monitor them for expiry. You are responsible for monitoring and updating your uploaded certificates before they expire.
    Ciphers (required) Cipher suites are encryption/decryption algorithms used to secure HTTPs communication within the API Connect ecosystem. Select the ciphers that the profile supports.
    Note: The TLS 1.3 ciphers are clearly indicated. If you select TLS version 1.3 as one of the protocols for the profile but do not select any TLS 1.3 ciphers, all the TLS 1.3 ciphers are added to the list of ciphers supported by the profile. If you do not select TLS version 1.3 but select one or more TLS 1.3 ciphers, those ciphers are not added to the list of ciphers supported by the profile.
  5. Click Save.