Create or update a security profile

Purpose

Creates or updates a security profile. A security profile is used by an endpoint to define Transport Layer Security (TLS) and the authentication method for that endpoint.

URI

Use the Eclipse Amlen REST API POST method with the following Eclipse Amlen configuration URI:

http://<admin-endpoint-IP:Port>/ima/v1/configuration/

Object configuration data

Provide SecurityProfile object configuration data in the payload of the POST method by using the following schema. Content-type is set to application/json:


{   
  "SecurityProfile": {
    "<NameOfSecurityProfile>": {
      "TLSEnabled": true|false,
      "MinimumProtocolMethod": "string",
      "UseClientCertificate": true|false,
      "UsePasswordAuthentication": true|false,
      "AllowNullPassword": true|false,
      "Ciphers": "string",
      "CertificateProfile": "string",
      "UseClientCipher": true|false,
      "LTPAProfile": "string",
      "OAuthProfile": "string"
     }
   }
}

Where:
NameOfSecurityProfile
Required.
Specifies a name for the security profile.
The maximum length of the name is 32 alphanumeric characters. The first character must not be a number.
After the profile is created, this name cannot be changed.
TLSEnabled: true|false
Specifies whether to use (true) or not use (false) TLS on the endpoints that use the security profile.
The default value is true.
If TLSEnabled is true, you must first create a certificate profile to use with this security profile.
MinimumProtocolMethod
Specifies the lowest level of protocol that is allowed when a client connects to Eclipse Amlen.
The value can be one of the following values:
  • TLSv1
  • TLSv1.1
  • TLSv1.2
The default value is TLSv1.2.
UseClientCertificate: true|false
Specifies whether to use (true) or not use (false) client certificate authentication.
The default value is false.
UsePasswordAuthentication: true|false
Specifies whether to authenticate the user ID and password (true) or not (false).
The default value is true.
AllowNullPassword: true|false
Specifies whether authentication of a NULL or empty password is allowed (true) or not (false).
If you specify this option, UsePasswordAuthentication must be set to true.
The default value is false.
Ciphers
Specifies the encryption algorithm that is used by the security policy.
The value can be one of the following values:
  • Best: The most secure cipher that is supported by the server and the client.
  • Medium: The fastest high security cipher that is supported by the server and the client.
  • Fast: The fastest medium or high security cipher that is supported by the server and the client.
The default value is Fast.
The default value is Medium.
CertificateProfile
Specifies the name of the certificate profile to use with this security profile. The certificate profile must exist and is required when TLSEnabled is true.
UseClientCipher: true|false
Specifies whether to use (true) or not use (false) the cipher setting of the client when it connects to Eclipse Amlen.
The default value is false.
LTPAProfile
Specifies the LTPA profile to use with this security profile. The LTPA profile must exist.
If you specify this option, UsePasswordAuthentication must be set to true. If you omit the UsePasswordAuthentication parameter from the command, it is automatically set to true.
If you specify an LTPA profile, you cannot specify an OAuth profile in the same security profile.
OAuthProfile
Specifies the OAuth profile to use with this security profile. The OAuth profile must exist.
If you specify this option, UsePasswordAuthentication must be set to true. If you omit the UsePasswordAuthentication parameter from the command, it is automatically set to true.
If you specify an OAuth profile, you cannot specify an LTPA profile in the same security profile.
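
The field rules above can be checked before a payload is sent. The following Python linter is an added example, not part of the Eclipse Amlen documentation or code; the function name check_security_profile, the strict alphanumeric reading of the name rule, and the hardening warnings are assumptions of this example. It cannot verify that the referenced certificate, LTPA or OAuth profiles exist on the server.

```python
import re

PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2")   # values listed on this page
CIPHERS = ("Best", "Medium", "Fast")           # values listed on this page
# Assumption: "32 alphanumeric characters" is read strictly as [A-Za-z0-9].
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9]{0,31}")

def check_security_profile(payload):
    """Return (errors, warnings) for a SecurityProfile POST payload dict."""
    errors, warnings = [], []
    for name, p in payload.get("SecurityProfile", {}).items():
        err = lambda m, n=name: errors.append(f"{n}: {m}")
        warn = lambda m, n=name: warnings.append(f"{n}: {m}")
        tls = p.get("TLSEnabled", True)                 # documented default
        pw = p.get("UsePasswordAuthentication", True)   # documented default
        proto = p.get("MinimumProtocolMethod", "TLSv1.2")
        ltpa, oauth = p.get("LTPAProfile"), p.get("OAuthProfile")
        # Rules stated in the field descriptions above.
        if not NAME_RE.fullmatch(name):
            err("name must be at most 32 alphanumerics and not start with a number")
        if tls and not p.get("CertificateProfile"):
            err("CertificateProfile is required when TLSEnabled is true")
        if proto not in PROTOCOLS:
            err(f"MinimumProtocolMethod {proto!r} is not an allowed value")
        if "Ciphers" in p and p["Ciphers"] not in CIPHERS:
            err(f"Ciphers {p['Ciphers']!r} is not an allowed value")
        if ltpa and oauth:
            err("LTPAProfile and OAuthProfile cannot be set together")
        if (p.get("AllowNullPassword") or ltpa or oauth) and not pw:
            err("UsePasswordAuthentication must be true with "
                "AllowNullPassword, LTPAProfile or OAuthProfile")
        # Hardening warnings: this example's judgement, not rules from the page.
        if not tls:
            warn("TLS is disabled; traffic on the endpoint is not encrypted")
        elif proto in PROTOCOLS[:2]:
            warn(f"{proto} is allowed; TLSv1 and TLSv1.1 are deprecated")
        if p.get("AllowNullPassword"):
            warn("empty passwords are accepted")
        if not pw and not p.get("UseClientCertificate", False):
            warn("neither password nor client certificate authentication is on")
    return errors, warnings

if __name__ == "__main__":
    # The two request bodies from this page's Example section.
    for body in ({"KCSecProfile": {}}, {"KCSecProfile": {"TLSEnabled": False}}):
        print(check_security_profile({"SecurityProfile": body}))
```

Errors mirror rules the server is documented to enforce; warnings flag settings the server accepts but that weaken the endpoint.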

Usage Notes

  • Capitalization and double quotation marks must be used as shown.

Example

The following example fails to create a security profile because TLSEnabled defaults to true and no certificate profile is provided:

curl -X POST \
   -H 'Content-Type: application/json' \
   -d '{
         "SecurityProfile": {
           "KCSecProfile": {}
         }
       }' \
   http://127.0.0.1:9089/ima/v1/configuration/
                            
An example response to the POST method:

{        
  "Version": "v1",
  "Code": "CWLNA0186",
  "Message": "The certificate profile must be set if TLSEnabled is true."
}

The following example creates a security profile without providing a certificate profile by setting TLSEnabled to false:

curl -X POST \
   -H 'Content-Type: application/json' \
   -d '{
         "SecurityProfile": {
           "KCSecProfile": {
             "TLSEnabled": false
           }
         }
       }' \
   http://127.0.0.1:9089/ima/v1/configuration/
                            
An example response to the POST method:

{        
  "Version": "v1",
  "Code": "CWLNA6011",
  "Message": "The requested configuration change has completed successfully."
}