|
Note
|
Upstream certificates must include the Subject Alternative Name (SAN) extension. The Common Name (CN) field is deprecated. Flex Gateway supports the SAN extension of type |
Flex Gateway implements inbound TLS at the port level, meaning that an inbound TLS context applied to an API instance is also applied to all other instances that share the same port. To learn more about how TLS context is shared across ports, see Inbound TLS Context Applied to Shared Ports.
Port sharing is not a concern for outbound TLS. You can select the outbound TLS context for each individual upstream service.
Before configuring the TLS context for a Flex Gateway Connected Mode, complete the following tasks:
-
Ensure the following permissions are enabled:
-
Grant access to secrets in Secrets Manager
-
Deploy API Proxies in API Manager
Your Anypoint Platform Admin can add these permissions in Access Management. See Manage Team Permissions for more information.
-
-
Create a Secret Group
When adding a secret group, refer to the TLS Configuration Options.
Depending on your desired configuration, either:
-
Add a Keystore
-
Add a Trustore
NotePrivacy Enhanced Mail (PEM) type is required for your Keystore or Truststore.
-
You can apply a TLS context to an API instance either when creating a new instance or by editing an existing instance.
API instance settings configuration has two parts, the downstream configuration and the upstream configuration. Inbound TLS context is a downstream configuration option, and outbound TLS context is an upstream configuration option. When adding a new API instance, the downstream and upstream configuration is on separate pages. When editing an API instance, the downstream and upstream configuration options appear on the same page but are in different sections.
For information about either option, see the relevant tutorial:
-
api-manager::create-instance-task-flex.adoc
-
api-manager::edit-api-endpoint-task.adoc
To apply a TLS context:
-
Go to Anypoint Platform > API Manager.
-
Navigate to either the:
-
Upstream or downstream configuration page, if adding a new API instance.
-
Settings page, if editing an existing API instance.
-
-
Select HTTPS for the Protocol configuration field if configuring an inbound TLS context.
-
Click Add TLS Context.
-
Select a Secret Group.
-
Select a TLS Context.
-
Click Ok.
-
-
Finish creating the API instance or save the configuration edits.
Though a port must have an API instance to have an inbound TLS context applied, the inbound TLS context is applied to the port rather than the API instance.
Applying an inbound TLS context to an API instance that shares its port with other instances applies the inbound TLS context to all instances sharing the port.
When you apply, edit, or remove the inbound TLS context of an API instance sharing a port, API Manager shows a warning with a list of the instances sharing the port. You can then choose to override the inbound TLS context of the listed API instances. Overriding the inbound TLS context of the API instances that share the port applies the inbound TLS context to the instances and then redeploys the instances.
Overriding the inbound TLS context of deployed API instances redeploys the instances. Redeploying causes a brief period of downtime in the API instances.
If you edit the port of an API instance that previously shared a port and an inbound TLS context with other instances, the inbound TLS context remains applied to the instances on the previous port.