Secure Sockets Layer (SSL) is used to secure communication over a network. In IBM® API Connect, Transport Layer Security (TLS) profiles are used to secure the transmission of data through websites. TLS and SSL certificates help ensure that information you submit is not stolen or tampered with in transit. The ability to connect to a secure back-end system is essential, and setting up security correctly is not always an obvious task.

In this tutorial, you learn how to retrieve a certificate and then create a TLS profile in API Manager. By using this profile, you can connect API Connect to SSL-enabled back-end systems. To understand this tutorial, you should have previous knowledge about TLS and API Connect.

What you’ll need for this tutorial

  • API Connect. See the API Connect Developer Center and API Connect on IBM Cloud.
  • An IBM Cloud account
  • OpenSSL
  • Access to the Internet and a browser. This tutorial uses Mozilla Firefox.
  • A certificate that you want to add to the back end. This certificate can be a self-signed certificate or any signer certificate.

Step 1: Retrieve a certificate

In this step, you retrieve your certificate either by using the OpenSSL command-line interface or by accessing the certificate from within your browser. API Connect supports only the P12 (PKCS12) and PEM certificate formats for the truststore.

Option 1: Use OpenSSL

Retrieve your certificate:

  1. Open OpenSSL and view your certificates as follows. Specify your own host name and port.
    openssl s_client -connect {HOSTNAME}:{PORT} -showcerts
    Figure: Using OpenSSL to view certificates
  2. Copy and paste the information between the BEGIN CERTIFICATE and END CERTIFICATE tags, including the tags, to a text file on your PC. If you have multiple certificates, retrieve each one.
  3. Save the file with a meaningful name that uses the .ctr extension.
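
The copy-and-paste in steps 2 and 3 can be scripted. The following added example (not part of the original tutorial) splits the -showcerts output into one PEM file per certificate and prints each certificate's subject, issuer, expiry date and SHA-256 fingerprint, so that they can be compared with values obtained from the back-end owner before upload. The HOST and PORT arguments, the backend-N.pem file names and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial. The HOST and PORT arguments
# and the "backend" file prefix are assumptions made for illustration.

# split_chain DIR PREFIX: read `openssl s_client -showcerts` output on stdin,
# write each PEM block to DIR/PREFIX-N.pem, and print how many were written.
split_chain() {
    awk -v out="$1/$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; file = sprintf("%s-%d.pem", out, n); inside = 1 }
        inside                         { print > file }
        /^-----END CERTIFICATE-----/   { inside = 0; close(file) }
        END                            { print n + 0 }
    '
}

# describe_cert FILE: print the fields to compare against values obtained from
# the back-end owner before the file is uploaded to a truststore.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# sample_showcerts: CONSTRUCTED s_client-style output for offline testing.
# The base64 bodies are placeholders, not real certificates.
sample_showcerts() {
    cat <<'EOF'
---
Certificate chain
 0 s:CN = backend.example.test
   i:CN = Example Test CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
 1 s:CN = Example Test CA
   i:CN = Example Test CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0E=
-----END CERTIFICATE-----
---
EOF
}

# Live use: sh script.sh HOST PORT (writes backend-N.pem into the current directory)
if [ "$#" -eq 2 ]; then
    n=$(openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null |
        split_chain . backend)
    i=1
    while [ "$i" -le "$n" ]; do describe_cert "backend-$i.pem"; i=$((i + 1)); done
fi
```

The first file written is the certificate that the server presented for itself; any later files are the other certificates that it sent in its chain.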

Option 2: Use your web browser

If you are using Mozilla Firefox, retrieve your certificate as explained here and shown in the following figure:

  1. Click the SSL certificate icon at the top or Padlock at the bottom.
  2. Click View Certificate.
  3. Click the Details tab.
  4. From the hierarchy of certificates, choose the certificate that you want.
  5. Click Export.
  6. Save the certificate locally.
     Figure: Example of downloading a certificate from Firefox

On an Apple® Mac®, follow these steps:

  1. From the Firefox menu, select Preferences.
  2. From the left menu, select Advanced.
  3. Under Certificates, click View Certificates.
  4. Click Your Certificates.

Step 2: Add the certificate to API Connect

Add the certificate to the API in API Connect:

  1. Open API Connect. Select Admin.
     Figure: IBM API Connect
  2. Click TLS profiles.
     Figure: The API Connect TLS Profiles tab
  3. Create a TLS profile.
     a. Enter a display name and name for your TLS profile.
     b. Enter a value in the Description field.
     c. Add a Trust Store and upload the certificates.
     d. Click the arrow next to Protocols.
     Figure: Selecting a TLS Protocol
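  4. Select TLS version 1.0 (or other version that you are using). TLS 1.0 and 1.1 are deprecated (RFC 8996), so choose TLS 1.2 or later when the back end supports it. The following figure shows an example TLS profile.
     Figure: Example TLS profile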

Step 3: Add the TLS profile to your API

Add the profile to your API:

  1. Go back to the API that is using the certificate.
  2. Click the Assemble tab.
  3. Click Invoke.
  4. In the section for the TLS profile, click the arrow and select the profile that you just created.
     Figure: The Assemble section in API Connect
  5. Click Save. As shown in the following figure, the TLS profile is added.
     Figure: An Assemble section with a TLS profile added

Conclusion

This tutorial showed you how to create a simple TLS profile and then add it to an API in API Connect. With the profile, API calls can communicate with SSL-enabled back-end systems for secure transmission of data.