Dynamic configuration updates in SSL


During the SSL runtime, dynamic configuration updates affect both inbound and outbound SSL endpoints. For inbound SSL endpoints, the changes that are implemented by the SSL channel are only affected by dynamic changes. For outbound SSL endpoints, all outbound connections inherit the new configuration changes.

In this release, dynamic update functionality provides you with greater flexibility and efficiency. We can change SSL configurations without restarting WAS for the changes to take effect.

To make dynamic changes, in the admin console click Security > SSL certificates and key management, then select the Dynamically update the runtime when SSL configuration changes occur check box. Save the changes and then synchronize security.xml with remote systems. A remote system must be able to confirm that dynamicallyUpdateSSLConfig=true is in security.xml.

The SSL runtime reloads the modified SSL configuration and creates a new SSLEngine for the modified connections that are associated with inbound endpoints. New outbound connections use the new configuration while existing connections continue to use the old SSLEngine object and are not affected.

Tip: Make dynamic changes to the SSL configuration during off-peak hours. Synchronization delays can negatively affect connections when you update SSL configurations during peak hours.

We can turn on and off the dynamicallyUpdateSSLConfig attribute in security.xml to ensure successful updates by doing the following actions:

  1. Set dynamicallyUpdateSSLConfig=On.

  2. Save the updated configuration.

  3. Synchronize security.xml with remote systems.

  4. Set the dynamicallyUpdateSSLConfig attribute to Off.
You must verify that all of the nodes receive the changes before turning off the dynamicallyUpdateSSLConfig attribute. Test the changes in a test environment before updating WAS NDion environment.

Tip: Some SSL changes, especially admin SSL changes, can cause server outages if we fail to test them first. When a change prevents trust between two endpoints, the endpoints cannot communicate with each other. Additionally, if administrative SSL connection updates cause system outages, we might need to disable the nodes after you make corrective changes using the dmgr. From the command line, we can manually synchronize the server to retrieve the new SSL changes, then restart the nodes.



 

Related concepts


Secure communications using SSL