Associating SSL configurations centrally with inbound and outbound scopes
After you create an SSL configuration, associate a secure inbound or outbound management scope with the new configuration. We can manage the association centrally so that we can make changes that affect all the scopes that are lower on the topology and that are associated with the configuration. Beginning with WAS version 6.1, the recommended and the default configuration method is centrally managed SSL configurations.
We can simplify the number of associations that we need to make for an SSL configuration by associating the configuration with the highest level management scope requiring a unique configuration. SSL configuration associations manifest inheritance behaviors. Because of the inheritance behaviors, all of the scopes that are lower on the topology inherit this SSL configuration. For example, an association you make at the cell level affects nodes, servers, clusters, and endpoints.
See Central management of SSL configurations.
A precedence rule determines which SSL configuration association is used at a particular scope. The highest precedence is given to endpoints on the topology. If we establish an association at the endpoint, this association overrides any prior association that you made higher up on the management scope topology.
Complete the following steps in the admin console:
- Click Security > SSL certificate and key management.
- Select the Dynamically update the runtime when SSL configuration changes check box if we want changes that you make to an existing SSL configuration to occur dynamically. All outbound SSL communications honor the dynamic SSL changes. Protocols that do not use the channel frameworks SSL channel for inbound communications, including (ORB) and admin SOAP protocols, do not honor dynamic updates. For more information, see Dynamic configuration updates in SSL.
- Click Manage endpoint security configurations.
- Select either the inbound or the outbound tree. After finishing the selected tree, we can return to this step to repeat the following steps for the other tree.
- Click the link for the selected cell, node, node group, server, cluster, or endpoint on the topology tree. If the scope already has an associated SSL configuration and alias, these objects display in parentheses immediately following the scope name... Node01(NodeDefaultSSLSettings,default). If the dmgr has federated a node, the node scope SSL configuration overrides the cell scope configuration above it in the topology.
- Decide whether to override the inherited values that display in the read-only fields. Read-only fields include the management scope name, the direction, and the inherited SSL configuration name and certificate alias.
- If satisfied with these values, do not override them.
- To override the inherited values, select the Override inherited values check box.
- Select an SSL configuration from the list.
- Click Update certificate alias list. The certificate alias list comes from the key store that is referenced by the new SSL configuration.
- Click Manage certificates to manage the personal certificates that are contained in the key store that is referenced in the SSL configuration.
- Click Update certificate alias list to refresh the list of aliases.
- Select a certificate alias in the key store to represent the identity of the endpoint.
- Click OK to save the changes.
- Click Manage endpoint security configurations and trust zones to return to the topology tree.
- Set the opposite direction on the topology tree using the steps in this task. We can also select additional scopes to associate with the SSL configuration, as needed.
ResultsEach SSL configuration at the selected scope and at scopes beneath it on the topology tree have the same SSL configuration properties.
The following SSL configuration methods override the centrally managed configurations that you associate in the tree view:
- Direct selection at the endpoint
- Dynamic outbound SSL configuration associations
- Programmatic specifications
Next stepsAt any management scope, we can configure the following objects: dynamic outbound endpoint SSL configurations, key stores, key sets, key set groups, key managers, and trust managers. Like SSL configurations, these objects are scoped automatically so that they are not visible higher up in the tree nor are they loaded during runtime by processes that are higher up in the tree.
Central management of SSL configurations
Dynamic configuration updates in SSL
Create an SSL configuration
SSLConfigGroupCommands group for AdminTask