Dynamic outbound selection of SSL configurations


WAS provides dynamic outbound selection that enables you to choose a specific SSL configuration and certificate alias for each outbound protocol, target host, target port, or any combination of these attributes. We can specify the dynamic selection information for outbound connections from a pure client or from a server that is acting as a client.

Before the SSL runtime for WAS starts an outbound connection, the runtime attempts to match the outbound protocol, target host, and target port attributes with the dynamic outbound selection information that is associated with an SSL configuration and certificate alias in the configuration.

The runtime caches both selection misses and selection hits, so the impact on performance can be minimal. However, a relationship exists between the amount of dynamic outbound selection information and its impact on the initial connection performance.


Dynamic selection information for outbound admin SOAP connections

The default dynamic outbound selection configuration specifies that all outbound administrative SOAP connections use the same SSL configuration and certificate alias within the entire cell. The management scope of the SSL configuration is at the cell level so every process in the cell sees this configuration. When an admin SOAP client makes an outbound connection, the client provides protocol, target host, and target port information to the SSL runtime, as shown in the following sample code:

<dynamicSSLConfigSelections xmi:id="DynamicSSLConfigSelection_1"
    name="AdminSSLOutbound"
    description="Uses the AdminSSL configuration for all outbound SOAP calls."
    dynamicSelectionInfo="ADMIN_SOAP,*,*"
    certificateAlias="default"
    sslConfig="SSLConfig_2"
    managementScope="ManagementScope_1"/>

The SSL runtime checks this configuration and, when client certificate authentication is enabled, confirms that certificateAlias="default" and sslConfig="SSLConfig_2" apply to the ADMIN_SOAP protocol.

The configured target host and port are represented by the * character because both the host and the port attributes can be any value.


Target information during outbound connections

The dynamic outbound selection configurations are only effective when the outbound protocol uses the JSSEHelper API to select an SSL configuration and passes a connectionInfo hash map describing the connection. This hash map must contain the following properties:

com.ibm.ssl.direction

The value for outbound connections is OUTBOUND.

com.ibm.ssl.remoteHost

The format should match what the protocol provides. Typically this is the canonical DNS host name, but it can also be the IP address.

com.ibm.ssl.remotePort

The value is the target port of the connection.

com.ibm.ssl.endPointName

The value for an outbound connection must be one of the following protocol strings:

  • IIOP

  • HTTP

  • SIP

  • LDAP

  • ADMIN_IPC

  • ADMIN_SOAP

  • BUS_TO_BUS

  • BUS_CLIENT

  • BUS_TO_WEBSPHERE_MQ
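The following added example (not code from the original page or from WebSphere itself) shows how a server-side client would build the connectionInfo map described above so that the runtime can match it against a dynamicSelectionInfo entry such as "ADMIN_SOAP,*,*" and pick the SSL configuration and certificate alias for it. It assumes the JSSEHelper constants (CONNECTION_INFO_DIRECTION, DIRECTION_OUTBOUND, CONNECTION_INFO_REMOTE_HOST, CONNECTION_INFO_REMOTE_PORT, CONNECTION_INFO_ENDPOINT_NAME, ENDPOINT_ADMIN_SOAP) and the getSSLSocketFactory(Map, Properties) method as documented in the JSSEHelper javadoc; check them against the installed release, and substitute the literal com.ibm.ssl.* keys listed above if needed. The host and port are constructed sample values.

```java
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import com.ibm.websphere.ssl.JSSEHelper;

public class AdminSoapOutboundExample {

    // Builds the connectionInfo map that the SSL runtime compares with the
    // dynamicSelectionInfo entries (protocol,host,port) in the cell configuration.
    // Assumption: the constant names below are those of the JSSEHelper javadoc and
    // map to the com.ibm.ssl.direction/remoteHost/remotePort/endPointName keys.
    static Map<String, Object> outboundConnectionInfo(String remoteHost, int remotePort) {
        Map<String, Object> info = new HashMap<>();
        info.put(JSSEHelper.CONNECTION_INFO_DIRECTION, JSSEHelper.DIRECTION_OUTBOUND);
        // Use the same form of the host the protocol itself uses (canonical DNS name here),
        // otherwise a host-specific selection entry will not match.
        info.put(JSSEHelper.CONNECTION_INFO_REMOTE_HOST, remoteHost);
        info.put(JSSEHelper.CONNECTION_INFO_REMOTE_PORT, String.valueOf(remotePort));
        info.put(JSSEHelper.CONNECTION_INFO_ENDPOINT_NAME, JSSEHelper.ENDPOINT_ADMIN_SOAP);
        return info;
    }

    public static void main(String[] args) throws Exception {
        String host = "dmgr.example.internal"; // constructed sample target host
        int port = 8879;                       // constructed sample SOAP connector port

        Map<String, Object> connectionInfo = outboundConnectionInfo(host, port);

        // Passing null properties leaves the choice of SSL configuration and
        // certificate alias to the runtime, which resolves it from the dynamic
        // outbound selection entries instead of a hard-coded alias.
        SSLSocketFactory factory =
            JSSEHelper.getInstance().getSSLSocketFactory(connectionInfo, null);

        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            System.out.println("Handshake completed with " + host + ":" + port
                + " using " + socket.getSession().getProtocol()
                + " / " + socket.getSession().getCipherSuite());
        }
    }
}
```

If no dynamic selection entry matches the protocol, host and port combination, the runtime falls back to the SSL configuration that would otherwise apply at that management scope, so verify the negotiated certificate on the target side when introducing a new entry.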


Related concepts


Secure communications using SSL