System administrators can create and update security profiles by using REST Administration APIs.
To enable Transport Layer Security (TLS) for the endpoint, you must enable TLS in the security profile, and the security profile must reference a certificate profile that defines the server certificate used for the TLS handshake. Because of this dependency, you must create the certificate profile before you create a security profile with TLS enabled. For more information about creating a certificate profile, see Configuring certificate profiles.
You might want to create an LTPA profile or an OAuth profile to use in your security profile. For more information about creating an LTPA profile, see Configuring Lightweight Third Party Authentication. For more information about creating an OAuth profile, see Configuring OAuth.
The security profile defines the TLS and authentication method that are applied to an endpoint.
You can create a security profile or update an existing security profile by using a REST Administration API, or by using the Amlen WebUI. For more information about using the Amlen WebUI to create or update a security profile, see Configuring security profiles by using the Amlen WebUI.
For more information about the components that you must specify when you create security profiles, see Configuring security profiles.
- To create or update a security profile, use the Eclipse Amlen REST API POST method with the following Eclipse Amlen configuration URI:
http://<admin-endpoint-IP:Port>/ima/v1/configuration/
- Provide SecurityProfile object configuration data in the payload of the POST method by using the following schema. Set the Content-Type header to application/json. Ensure that capitalization and double quotation marks are used as shown; the keys are case-sensitive.
{
"SecurityProfile": {
"<NameOfSecurityProfile>": {
"TLSEnabled": true|false,
"MinimumProtocolMethod": "string",
"UseClientCertificate": true|false,
"UsePasswordAuthentication": true|false,
"Ciphers": "string",
"CertificateProfile": "string",
"UseClientCipher": true|false,
"LTPAProfile": "string",
"OAuthProfile": "string"
}
}
}
Where:
- NameOfSecurityProfile
- Required.
- Specifies a name for the security profile.
- The maximum length of the name is 32 alphanumeric characters. The first character must not be a number.
- After the profile is created, this name cannot be changed.
- TLSEnabled: true|false
- Specifies whether to use (true) or not use (false) TLS on the endpoints that use the security profile.
- The default value is true.
- If TLSEnabled is true, you must first create a certificate profile to use with this security profile.
- MinimumProtocolMethod
- Specifies the lowest level of protocol that is allowed when a client connects to Eclipse Amlen.
- The value must be one of the TLS protocol versions that the server supports. The default value is TLSv1.2.
- UseClientCertificate: true|false
- Specifies whether to use (true) or not use (false) client certificate authentication.
- The default value is false.
- UsePasswordAuthentication: true|false
- Specifies whether to authenticate the user ID and password (true) or not (false).
- The default value is true.
- Ciphers
- Specifies the class of cipher suites that the security profile allows; the value selects a cipher class rather than a single algorithm.
- The value can be one of the following values:
- Best
- The most secure cipher that is supported by the server and the client.
- Medium
- The fastest high security cipher that is supported by the server and the client.
- Fast
- The fastest medium or high security cipher that is supported by the server and the client.
- The default value is Fast.
- CertificateProfile
- Specifies the name of the certificate profile to use with this security profile. The certificate profile must exist and is required when TLSEnabled is true.
- UseClientCipher: true|false
- Specifies whether to use (true) or not use (false) the cipher setting of the client when it connects to Eclipse Amlen.
- The default value is false.
- LTPAProfile
- Specifies the LTPA profile to use with this security profile. The LTPA profile must exist.
- If you specify this option, UsePasswordAuthentication must be set to true. If you omit the UsePasswordAuthentication parameter from the payload, it is automatically set to true.
- If you specify an LTPA profile, you cannot specify an OAuth profile in the same security profile.
- OAuthProfile
- Specifies the OAuth profile to use with this security profile. The OAuth profile must exist.
- If you specify this option, UsePasswordAuthentication must be set to true. If you omit the UsePasswordAuthentication parameter from the payload, it is automatically set to true.
- If you specify an OAuth profile, you cannot specify an LTPA profile in the same security profile.
You can check that the configuration of your security profile is as expected by using the Eclipse Amlen REST Administration API GET method. For more information about the GET method, see Viewing configuration details of objects that can be named by using REST Administration APIs.
The following example shows the creation of a security profile that is called exampleSecProfile. The security profile uses the certificate profile certProfile, and uses the default values for all other options:
curl -X POST \
-H 'Content-Type: application/json' \
-d '{
"SecurityProfile": {
"exampleSecProfile": {
"CertificateProfile": "certProfile"
}
}
}
' \
http://127.0.0.1:9089/ima/v1/configuration/
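The curl example submits the payload as-is and relies on the server to reject a profile that breaks the rules listed above (an LTPA and an OAuth profile together, TLS enabled without a certificate profile, a name that starts with a digit, a mis-capitalised key). The following script is an added example, not Eclipse Amlen project code: it applies those documented constraints on the client before the POST, submits the payload with the same Content-Type and URI as the curl command, and then reads the object back to confirm what was stored. It assumes the admin endpoint at http://127.0.0.1:9089 from the curl example, and the object-lookup form of the GET URI (/ima/v1/configuration/SecurityProfile/<name>) is an assumption based on the referenced GET method page, not text from this page.

```python
# Added example (not Eclipse Amlen project code): build a SecurityProfile
# payload, check it against the constraints this page documents, POST it to
# the admin endpoint and read it back with GET to confirm what was stored.
import json
import re
import urllib.request

ADMIN_ENDPOINT = "http://127.0.0.1:9089"        # admin endpoint used in the curl example above
CONFIG_URI = "/ima/v1/configuration/"

# Name rule from the page: up to 32 alphanumeric characters, first not a digit.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,31}$")
ALLOWED_KEYS = {
    "TLSEnabled", "MinimumProtocolMethod", "UseClientCertificate",
    "UsePasswordAuthentication", "Ciphers", "CertificateProfile",
    "UseClientCipher", "LTPAProfile", "OAuthProfile",
}
CIPHER_CLASSES = {"Best", "Medium", "Fast"}


def validate_security_profile(name, options):
    """Return a list of problems (empty when the profile is acceptable).

    Each check mirrors a rule stated on this page; keys are case-sensitive,
    exactly as the REST API requires them.
    """
    problems = []
    if not NAME_RE.match(name):
        problems.append("name must be 1-32 alphanumeric characters and must not start with a digit")
    for key in sorted(set(options) - ALLOWED_KEYS):
        problems.append(f"unknown or mis-capitalised key: {key}")
    # TLSEnabled defaults to true, and true requires an existing certificate profile.
    if options.get("TLSEnabled", True) and not options.get("CertificateProfile"):
        problems.append("TLSEnabled is true (the default), so CertificateProfile is required")
    if "Ciphers" in options and options["Ciphers"] not in CIPHER_CLASSES:
        problems.append("Ciphers must be one of Best, Medium or Fast")
    has_ltpa, has_oauth = "LTPAProfile" in options, "OAuthProfile" in options
    if has_ltpa and has_oauth:
        problems.append("LTPAProfile and OAuthProfile cannot both be set in one security profile")
    if (has_ltpa or has_oauth) and options.get("UsePasswordAuthentication") is False:
        problems.append("LTPAProfile/OAuthProfile require UsePasswordAuthentication to be true")
    return problems


def build_security_profile(name, **options):
    """Return the {"SecurityProfile": {name: {...}}} payload or raise ValueError."""
    problems = validate_security_profile(name, options)
    if problems:
        raise ValueError("; ".join(problems))
    body = dict(options)
    if "LTPAProfile" in body or "OAuthProfile" in body:
        # The server sets this to true when it is omitted; state it explicitly so
        # the stored object matches what is compared later.
        body["UsePasswordAuthentication"] = True
    return {"SecurityProfile": {name: body}}


def post_configuration(payload, base_url=ADMIN_ENDPOINT):
    """POST the payload to the configuration URI; return (HTTP status, JSON body)."""
    req = urllib.request.Request(
        base_url + CONFIG_URI,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


def get_security_profile(name, base_url=ADMIN_ENDPOINT):
    """Read the stored profile back. The object-lookup URI form
    (/configuration/SecurityProfile/<name>) is an assumption, not quoted from this page."""
    url = f"{base_url}{CONFIG_URI}SecurityProfile/{name}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.loads(resp.read())["SecurityProfile"][name]


def check_profile(submitted, stored):
    """Return the keys whose stored value differs from what was submitted."""
    return sorted(k for k, v in submitted.items() if stored.get(k) != v)


if __name__ == "__main__":
    name = "exampleSecProfile"
    payload = build_security_profile(name, CertificateProfile="certProfile",
                                     MinimumProtocolMethod="TLSv1.2", Ciphers="Best")
    status, reply = post_configuration(payload)
    print("POST", status, reply)
    stored = get_security_profile(name)
    mismatches = check_profile(payload["SecurityProfile"][name], stored)
    print("mismatched keys:", mismatches or "none")
```

The read-back step matters because the server silently fills in defaults and forces UsePasswordAuthentication to true when an LTPA or OAuth profile is present; comparing the stored object with what you submitted catches a profile that was accepted but does not match the policy you intended to apply to the endpoint.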
After you create a security profile, you must associate it with an endpoint. For more information about creating endpoints and message hubs, see Configuring message hubs.