Central management of SSL configurations


By default, SSL configurations for servers are managed from a central location in the topology view of the admin console.

To configure the SSL inbound and outbound topologies...

We can associate an SSL configuration and certificate alias with a specific management scope.

We can make coarse-grained changes for the entire topology at the cell scope, and fine-grained changes by naming a particular endpoint of a specific appserver process. Because each scope inherits from the scopes above it, we can reduce the number of associations by referencing only the highest-level management scope that needs a unique configuration.

When an SSL configuration is created at a specific node scope, it is visible to that node agent and to every appserver that is part of that node. Appservers on other nodes, and other node agents, cannot see it.

We can configure different certificate aliases and different SSL configurations for inbound connections versus outbound connections.


Console vs. wsadmin

It is simpler to manage SSL configurations centrally in the topology view of the admin console, but we can also use wsadmin AdminTask commands, which operate on the same elements in security.xml.

An sslConfigGroup associates a connection direction and a management scope with a specific SSL configuration and certificate alias. By default, security.xml contains a predefined inbound and an outbound sslConfigGroup at cell scope, which every endpoint in the cell inherits unless a more specific scope overrides it.

Verify the rules of precedence before using wsadmin to set SSL configurations: an association at a more specific scope silently overrides the cell default for everything beneath it.

<sslConfigGroups xmi:id="SSLConfigGroup_1"
                 name="Cell01"
                 direction="inbound"
                 certificateAlias="default"
                 sslConfig="SSLConfig_1"
                 managementScope="ManagementScope_1"/>

<sslConfigGroups xmi:id="SSLConfigGroup_2"
                 name="Cell01"
                 direction="outbound"
                 certificateAlias="default"
                 sslConfig="SSLConfig_1"
                 managementScope="ManagementScope_1"/>

<managementScopes xmi:id="ManagementScope_1"
                  scopeName="(cell):Cell01"
                  scopeType="cell"/>

In the previous sample code, both sslConfigGroups reference the cell management scope. To target a different scope, reference one of the management scopes below instead. The list gives the precedence order for selecting management scopes, from highest to lowest: when an endpoint is covered by more than one scope, the SSL configuration and certificate alias of the highest-precedence scope are used, so once an endpoint scope is defined, that endpoint uses the SSL configuration and certificate alias associated with it.

Endpoint scope

<managementScopes xmi:id="ManagementScope_1"
                  scopeName="(cell):Cell01:(node):Node01:(server):server1:(endpoint):ENDPOINT_NAME_IN_SERVERINDEX"
                  scopeType="endpoint"/>

Server scope

<managementScopes xmi:id="ManagementScope_1"
                  scopeName="(cell):Cell01:(node):Node01:(server):server1"
                  scopeType="server"/>

Cluster scope

<managementScopes xmi:id="ManagementScope_1"
                  scopeName="(cell):Cell01:(cluster):myCluster"
                  scopeType="cluster"/>

Node scope

<managementScopes xmi:id="ManagementScope_1"
                  scopeName="(cell):Cell01:(node):Node01"
                  scopeType="node"/>

Nodegroup scope

<managementScopes xmi:id="ManagementScope_1"
                  scopeName="(cell):Cell01:(nodegroup):DefaultNodeGroup"
                  scopeType="nodegroup"/>

Cell scope

<managementScopes xmi:id="ManagementScope_1"
                  scopeName="(cell):Cell01"
                  scopeType="cell"/>
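As an added example (not IBM code), the following Python script parses managementScopes and sslConfigGroups elements in the form security.xml uses and applies the precedence order above to work out which SSL configuration and certificate alias a given endpoint inherits for a given direction. The XML fragment, and the node, cluster, server, endpoint and SSL configuration names in it, are constructed for illustration; each endpoint is described by the cell, node group, node, cluster and server it belongs to.

```python
# Added example (not IBM code): resolve the effective SSL association for an
# endpoint from security.xml-style sslConfigGroups and managementScopes.
import xml.etree.ElementTree as ET

XMI_ID = "{http://www.omg.org/XMI}id"
# Highest precedence first, matching the list of management scopes above.
PRECEDENCE = ["endpoint", "server", "cluster", "node", "nodegroup", "cell"]

# Constructed security.xml fragment (not from a real cell). It keeps the cell
# default in both directions and adds inbound overrides at node, cluster and
# endpoint scope, so the precedence rules actually have to be applied.
SAMPLE_SECURITY_XML = """<security xmlns:xmi="http://www.omg.org/XMI">
  <managementScopes xmi:id="ManagementScope_1" scopeName="(cell):Cell01" scopeType="cell"/>
  <managementScopes xmi:id="ManagementScope_2" scopeName="(cell):Cell01:(node):Node01" scopeType="node"/>
  <managementScopes xmi:id="ManagementScope_3" scopeName="(cell):Cell01:(cluster):myCluster" scopeType="cluster"/>
  <managementScopes xmi:id="ManagementScope_4"
      scopeName="(cell):Cell01:(node):Node01:(server):server1:(endpoint):WC_defaulthost_secure"
      scopeType="endpoint"/>
  <sslConfigGroups xmi:id="SSLConfigGroup_1" name="Cell01" direction="inbound"
      certificateAlias="default" sslConfig="SSLConfig_1" managementScope="ManagementScope_1"/>
  <sslConfigGroups xmi:id="SSLConfigGroup_2" name="Cell01" direction="outbound"
      certificateAlias="default" sslConfig="SSLConfig_1" managementScope="ManagementScope_1"/>
  <sslConfigGroups xmi:id="SSLConfigGroup_3" name="Node01" direction="inbound"
      certificateAlias="node01cert" sslConfig="SSLConfig_2" managementScope="ManagementScope_2"/>
  <sslConfigGroups xmi:id="SSLConfigGroup_4" name="myCluster" direction="inbound"
      certificateAlias="clustercert" sslConfig="SSLConfig_3" managementScope="ManagementScope_3"/>
  <sslConfigGroups xmi:id="SSLConfigGroup_5" name="server1" direction="inbound"
      certificateAlias="wc_secure_cert" sslConfig="SSLConfig_4" managementScope="ManagementScope_4"/>
</security>"""


def parse_scope_name(scope_name):
    """'(cell):Cell01:(node):Node01' -> {'cell': 'Cell01', 'node': 'Node01'}."""
    parts = scope_name.split(":")
    if len(parts) % 2:
        raise ValueError("malformed scopeName: %r" % scope_name)
    return dict(zip([k.strip("()") for k in parts[0::2]], parts[1::2]))


def load_groups(security_xml):
    """Return each sslConfigGroups element joined to the managementScopes it references."""
    root = ET.fromstring(security_xml)
    scopes = {s.get(XMI_ID): s for s in root.iter("managementScopes")}
    groups = []
    for g in root.iter("sslConfigGroups"):
        scope = scopes[g.get("managementScope")]      # KeyError: dangling reference
        scope_type = scope.get("scopeType")
        path = parse_scope_name(scope.get("scopeName"))
        # scopeType must name the last segment of scopeName; a mismatch usually
        # means a hand edit of security.xml went wrong.
        if scope_type not in PRECEDENCE or list(path)[-1] != scope_type:
            raise ValueError("scopeType %r disagrees with scopeName %r"
                             % (scope_type, scope.get("scopeName")))
        groups.append({"direction": g.get("direction"), "sslConfig": g.get("sslConfig"),
                       "certificateAlias": g.get("certificateAlias"),
                       "scopeType": scope_type, "path": path})
    return groups


def scope_covers(path, endpoint):
    """A scope covers an endpoint when every segment of the scope matches it."""
    return all(endpoint.get(k) == v for k, v in path.items())


def resolve(security_xml, endpoint, direction):
    """Return (sslConfig, certificateAlias, scopeType) used by this endpoint in
    this direction, or None if no management scope covers it."""
    matches = [g for g in load_groups(security_xml)
               if g["direction"] == direction and scope_covers(g["path"], endpoint)]
    if not matches:
        return None
    best = min(matches, key=lambda g: PRECEDENCE.index(g["scopeType"]))
    return best["sslConfig"], best["certificateAlias"], best["scopeType"]


# Constructed endpoint descriptions: where each endpoint sits in the topology.
SERVER1_WC = {"cell": "Cell01", "nodegroup": "DefaultNodeGroup", "node": "Node01",
              "cluster": "myCluster", "server": "server1", "endpoint": "WC_defaulthost_secure"}
SERVER2_SOAP = {"cell": "Cell01", "nodegroup": "DefaultNodeGroup", "node": "Node01",
                "server": "server2", "endpoint": "SOAP_CONNECTOR_ADDRESS"}

if __name__ == "__main__":
    for ep in (SERVER1_WC, dict(SERVER1_WC, endpoint="SOAP_CONNECTOR_ADDRESS"), SERVER2_SOAP):
        for direction in ("inbound", "outbound"):
            print(ep["server"], ep["endpoint"], direction, "->",
                  resolve(SAMPLE_SECURITY_XML, ep, direction))
```

Note that server1's SOAP endpoint takes the cluster association rather than the node one, because cluster ranks above node in the list, while its outbound side still falls back to the cell default since nothing more specific is defined for that direction.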

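As an added example of the wsadmin route described under Console vs. wsadmin (not IBM's code), the following Jython script gives Node01 its own inbound and outbound association at node scope, so that it stops inheriting the cell defaults. The cell, node, certificate alias and SSL configuration alias names are assumptions, and the SSL configuration alias must already exist at that scope. The AdminTask calls used are createManagementScope, createSSLConfigGroup and listSSLConfigGroups; the script builds the parameter strings first so they can be reviewed before AdminTask runs them, and it only creates the management scope if the cell does not already have it.

```python
# Added example, not IBM's: wsadmin (Jython) script that gives Node01 its own
# inbound and outbound SSL association at node scope. Run with
#   wsadmin.sh -lang jython -f node_ssl_scope.py
# All names below are assumptions; the SSL configuration alias must exist.
SCOPE_NAME = "(cell):Cell01:(node):Node01"   # assumed node scope
SCOPE_TYPE = "node"
SSL_CONFIG_ALIAS = "NodeDefaultSSLSettings"  # assumed SSL configuration at SCOPE_NAME
CERT_ALIAS = "node01cert"                    # assumed alias in that node's key store


def group_args(name, direction, cert_alias, scope_name, ssl_alias):
    """Parameter string for AdminTask.createSSLConfigGroup."""
    return ("[-name %s -direction %s -certificateAlias %s -scopeName %s "
            "-sslConfigAliasName %s -sslConfigScopeName %s]"
            % (name, direction, cert_alias, scope_name, ssl_alias, scope_name))


def plan_node_scope(scope_name, scope_type, ssl_alias, cert_alias, existing_scopes=()):
    """Return the (AdminTask method, parameter string) calls needed. The
    management scope is created only if the cell does not have it yet."""
    # As in the cell-scoped sample, the group is named after its scope (Node01).
    name = scope_name[scope_name.rfind(":") + 1:]
    plan = []
    if scope_name not in existing_scopes:
        plan.append(("createManagementScope",
                     "[-scopeName %s -scopeType %s]" % (scope_name, scope_type)))
    for direction in ("inbound", "outbound"):
        plan.append(("createSSLConfigGroup",
                     group_args(name, direction, cert_alias, scope_name, ssl_alias)))
    return plan


def existing_scope_names(listing):
    """Tokenize listManagementScopes output, whether newline- or list-formatted.
    Scope names contain no whitespace, so splitting on it is safe."""
    names = []
    for token in str(listing).split():
        names.append(token.replace("[", "").replace("]", "").replace(",", ""))
    return names


def run_plan(admin_task, admin_config, plan):
    for method, args in plan:
        getattr(admin_task, method)(args)
    admin_config.save()                      # nothing reaches security.xml until saved


try:
    AdminTask                                # defined only when executed by wsadmin
except NameError:
    AdminTask = None

if AdminTask is not None:
    existing = existing_scope_names(AdminTask.listManagementScopes())
    plan = plan_node_scope(SCOPE_NAME, SCOPE_TYPE, SSL_CONFIG_ALIAS, CERT_ALIAS, existing)
    for method, args in plan:
        print("AdminTask.%s('%s')" % (method, args))
    run_plan(AdminTask, AdminConfig, plan)
    # Confirm what Node01 now carries at its own scope before trusting it.
    print(AdminTask.listSSLConfigGroups("[-scopeName %s -displayObjectName true]" % SCOPE_NAME))
```

Because every appserver on Node01 inherits these two groups, re-run the precedence check for any server or endpoint on that node that already had its own association; those more specific scopes keep winning over the node-level one.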

Related concepts


SSL configurations
Secure communications using SSL