Creating a TLS Server Profile

In Cloud Manager, you can configure the profile that is used on the gateway when it acts as a TLS server.

Before you begin

Important: API Connect includes several default TLS profiles to help you get started. The default profiles should not be used in a production environment. It is important to create your own profiles to secure your network.

One of the following roles is required to configure TLS Server Profiles:

  • Administrator
  • Owner
  • Topology Administrator
  • Custom role with the Settings: manage permissions

About this task

The Server profile is for the gateway when it is acting as the TLS server.

Procedure

Perform the following steps to create a TLS Server profile:

  1. In the Cloud Manager, click Resources.
  2. Select TLS.
  3. Click Create in the TLS Server Profile table.
  4. Enter the fields to configure the TLS Server Profile:

    Title (required): Enter a title for the profile. The title is displayed on the screen.

    Name (required): The name is auto-generated. The value in the Name field is a single string that can be used in developer toolkit CLI commands. To view the CLI commands to manage TLS Server Profiles, see apic tls-server-profiles.

    Version (required): Assign a version number for the profile. Using version numbers allows you to create multiple server profiles with the same name and different configurations, for example, MyProfile 1.0 and MyProfile 1.1.

    Summary (optional): Enter a description of the profile.

    Protocols (required): Select one or more supported TLS protocol versions. The default is TLS 1.2.

    Mutual Authentication (required): Determines the level of two-way authentication for the server profile. In two-way authentication, the server responds to a client by sending a request for the client certificate.
      • None (default): No support for mutual authentication.
      • Request: Enable this option to request client authentication during the TLS handshake. When the application sends the request, the gateway asks the application to send its certificate. If the client does not send a certificate, no certificate is checked on the gateway and the handshake continues.
      • Require: Enable this option to require client authentication during the TLS handshake. When the application sends the request, the gateway asks the application to send its certificate. If the client does not send a certificate, the TLS handshake fails and the request is blocked.

    Limit Renegotiation (optional): Client-initiated renegotiation allows the connection to be retried. The default is to prevent renegotiation. Remove the checkmark to allow renegotiation.

    Keystore (required): A keystore is a repository containing a public and private key pair. The Server Profile requires a keystore in order to securely identify the system. When an application sends an API request, the keystore is used to verify a matching certificate.

    Truststore (optional): A truststore is a repository containing certificates. The certificates are used to verify the peer during a TLS handshake. If a truststore is specified in addition to a keystore, the client certificate is further checked for validity by ensuring that it is signed by the root certificate, which must be in the truststore.

    Ciphers (required): Select the ciphers for the profile.

  5. Click Save.
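To make the effect of the Protocols, Mutual Authentication, Limit Renegotiation, Keystore and Truststore fields concrete, the following added example (not API Connect code) expresses a server profile as a plain dict, maps it onto a Python ssl.SSLContext with the equivalent settings, and lints it for the choices the note at the top warns against in production. The dict layout, the lint rules, the sample profiles and the placeholder certificate paths are all assumptions made for this illustration.

```python
"""Translate a TLS Server Profile, as configured in the Cloud Manager form
above, into a Python ssl.SSLContext and lint it for settings that should not
reach production. Added example: the dict layout, the lint rules and the
sample profiles are assumptions, not API Connect code or data."""
import ssl

# Protocol versions as labelled in the profile form -> ssl.TLSVersion values.
TLS_VERSIONS = {
    "1.0": ssl.TLSVersion.TLSv1,
    "1.1": ssl.TLSVersion.TLSv1_1,
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}

# Mutual Authentication options -> how the server treats the client certificate.
MUTUAL_AUTH = {
    "None": ssl.CERT_NONE,         # never ask the client for a certificate
    "Request": ssl.CERT_OPTIONAL,  # ask; continue if the client sends none
    "Require": ssl.CERT_REQUIRED,  # ask; fail the handshake if none is sent
}


def build_server_context(profile):
    """Return an ssl.SSLContext that enforces the profile's settings.

    Keystore and truststore entries are PEM file paths; they are only loaded
    when present, so the mapping can be inspected without key material.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

    versions = sorted(TLS_VERSIONS[v] for v in profile["protocols"])
    ctx.minimum_version = versions[0]
    ctx.maximum_version = versions[-1]

    ctx.verify_mode = MUTUAL_AUTH[profile.get("mutual_authentication", "None")]

    if profile.get("limit_renegotiation", True):
        # OP_NO_RENEGOTIATION exists for OpenSSL >= 1.1.0h; otherwise a no-op.
        ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)

    if profile.get("ciphers"):
        ctx.set_ciphers(":".join(profile["ciphers"]))

    if profile.get("keystore"):  # the gateway's own certificate and private key
        ctx.load_cert_chain(profile["keystore"]["cert"], profile["keystore"]["key"])
    if profile.get("truststore"):  # CA certificates used to check client certs
        ctx.load_verify_locations(cafile=profile["truststore"])
    return ctx


def describe_context(ctx):
    """Summarise the effective settings of a context for a quick check."""
    no_reneg = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    return {
        "min_version": ctx.minimum_version.name,
        "max_version": ctx.maximum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "no_renegotiation": None if no_reneg is None else bool(ctx.options & no_reneg),
    }


def lint_profile(profile):
    """Return findings for settings a production server profile should avoid."""
    findings = []
    weak = [v for v in ("1.0", "1.1") if v in profile["protocols"]]
    if weak:
        findings.append("deprecated TLS versions enabled: " + ", ".join(weak))
    if not profile.get("limit_renegotiation", True):
        findings.append("client-initiated renegotiation is allowed")
    mode = profile.get("mutual_authentication", "None")
    if mode in ("Request", "Require") and not profile.get("truststore"):
        findings.append("mutual authentication '%s' without a truststore: "
                        "client certificates cannot be validated" % mode)
    if mode == "Request":
        findings.append("'Request' admits clients that send no certificate; "
                        "use 'Require' where the client must be authenticated")
    if not profile.get("keystore"):
        findings.append("no keystore: the gateway cannot identify itself")
    return findings


# Constructed sample profiles; the file paths are placeholders, not real files.
WEAK_PROFILE = {
    "title": "LegacyProfile", "version": "1.0",
    "protocols": ["1.0", "1.1", "1.2"],
    "mutual_authentication": "Request",
    "limit_renegotiation": False,
    "keystore": {"cert": "/placeholder/server.pem", "key": "/placeholder/server-key.pem"},
    "truststore": None,
}

HARDENED_PROFILE = {
    "title": "MyProfile", "version": "1.1",
    "protocols": ["1.2", "1.3"],
    "mutual_authentication": "Require",
    "limit_renegotiation": True,
    "keystore": {"cert": "/placeholder/server.pem", "key": "/placeholder/server-key.pem"},
    "truststore": "/placeholder/client-ca.pem",
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256"],
}


if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, lint_profile(prof) or "no findings")
    # Inspect the mapping without key material: drop the placeholder stores.
    demo = dict(HARDENED_PROFILE, keystore=None, truststore=None)
    print(describe_context(build_server_context(demo)))
```

The lint mirrors the field descriptions: Request only asks for a client certificate and lets a client that sends none through, so it is flagged where Require is the intent; either mutual-authentication mode without a truststore leaves the presented certificate unvalidated; and removing the Limit Renegotiation checkmark or enabling TLS 1.0/1.1 is reported as a deviation from the defaults.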