Management scope configurations
Inbound and outbound management scopes represent the opposing directions of the connection handshake. To view inbound and outbound management scopes, use the topology tree view in the admin console. Separate SSL configurations can be defined for each direction, inbound and outbound, because their connection requirements differ.
When expanded, the topology tree shows inbound and outbound connections for each management scope: cell, node group, node, server, cluster, and endpoint. Inbound endpoints require a server certificate; the SSL configuration specifies which server certificate is used for server authentication. Outbound endpoints require validated signers. Outbound endpoints connect to one or more target servers, whereas inbound endpoints receive requests from one or more clients. The set of peer endpoints for outbound connections is typically a subset of the set of peer endpoints for inbound connections, which is why you can define different requirements for inbound and outbound connections.
The following figure shows an example of two nodes: Node1 and Node2. These two nodes are isolated from one another because their SSL configurations, truststore files, and keystore files are different.
In the example of two nodes, note that Node1 cannot communicate with Node2, but each of the two nodes must be able to communicate with the dmgr and its admin functions. With dynamic outbound selection, we can choose an SSL configuration and a certificate alias that reference a common truststore. When a process requires the ADMIN_SOAP protocol for an outbound connection, the server uses this single SSL configuration. Because all of the scopes under the cell level inherit this configuration, all outbound connections can communicate with the dmgr. See additional information about dynamic outbound selection of SSL configurations.
Another way to accomplish the same result is to associate the SSL configuration with the ADMIN_SOAP endpoint of each individual process: dmgr, Node1, Node2, Node1Server1, Node1Server2, Node2Server1, and Node2Server2. However, IBM recommends dynamic outbound selection, because defining one basic SSL configuration, with its keystores and truststores, at the cell scope is more efficient. The example shows the association at the node scope, but the same principles apply to node groups, clusters, servers, and endpoints.
If the topology includes clusters that span nodes or if the applications need to communicate between nodes, the configuration that is shown in the example does not work.
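The following wsadmin Jython script is an added example, not part of the IBM documentation, that applies the pattern described above with the AdminTask SSL commands: an isolated SSL configuration bound to Node1 at the node scope, plus one cell-scoped SSL configuration selected dynamically for every outbound ADMIN_SOAP connection to the dmgr. The cell name, dmgr host and port, keystore names and certificate aliases are assumptions, as is the existence of the named keystores; confirm the parameter names against the AdminTask help of the installed version before running it.

```jython
# Added example: wsadmin Jython for the two-node isolation pattern.
# All names below are assumed placeholders for the real topology.
cell = 'myCell'                 # assumption: cell name
dmgrHost = 'dmgr.example.com'   # assumption: deployment manager host
dmgrSoapPort = '8879'           # assumption: dmgr SOAP connector port

# 1. Node isolation: Node1 gets its own SSL configuration built on
#    node-scoped keystores (assumed to exist: Node1KeyStore, Node1TrustStore).
node1Scope = '(cell):%s:(node):Node1' % cell
AdminTask.createSSLConfig(['-alias', 'Node1SSLConfig',
    '-scopeName', node1Scope, '-type', 'JSSE',
    '-keyStoreName', 'Node1KeyStore', '-keyStoreScopeName', node1Scope,
    '-trustStoreName', 'Node1TrustStore', '-trustStoreScopeName', node1Scope,
    '-serverKeyAlias', 'node1cert'])        # assumption: alias in Node1KeyStore

# Bind it to both directions at the node scope; every endpoint under Node1
# inherits it unless a more specific scope overrides the association.
for direction in ('inbound', 'outbound'):
    AdminTask.createSSLConfigGroup(['-name', 'Node1' + direction,
        '-direction', direction, '-scopeName', node1Scope,
        '-sslConfigAliasName', 'Node1SSLConfig',
        '-sslConfigScopeName', node1Scope,
        '-certificateAlias', 'node1cert'])

# 2. Cell-wide dynamic outbound selection: a process that opens an ADMIN_SOAP
#    connection to the dmgr uses this one SSL configuration, whose truststore
#    holds the dmgr signer. Node1 and Node2 stay isolated from each other but
#    both can reach the dmgr because scopes below the cell inherit this choice.
cellScope = '(cell):%s' % cell
AdminTask.createSSLConfig(['-alias', 'AdminSoapOutboundSSL',
    '-scopeName', cellScope, '-type', 'JSSE',
    '-keyStoreName', 'CellDefaultKeyStore', '-keyStoreScopeName', cellScope,
    '-trustStoreName', 'CommonAdminTrustStore',   # assumption: shared truststore
    '-trustStoreScopeName', cellScope,
    '-clientKeyAlias', 'default'])
AdminTask.createDynamicSSLConfigSelection([
    '-dynSSLConfigSelectionName', 'AdminSoapToDmgr',
    '-dynSSLConfigSelectionDescription', 'Outbound ADMIN_SOAP to the dmgr',
    '-scopeName', cellScope,
    # protocol,host,port triple that triggers this selection
    '-dynSSLConfigSelectionInfo', 'ADMIN_SOAP,%s,%s' % (dmgrHost, dmgrSoapPort),
    '-sslConfigName', 'AdminSoapOutboundSSL', '-sslConfigScope', cellScope,
    '-certificateAlias', 'default'])
AdminConfig.save()
```

After saving, synchronize the nodes so that each node agent picks up the new cell-scoped selection before any node-scoped association takes effect.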
Related topics:
Dynamic configuration updates in SSL
Dynamic outbound selection of SSL configurations
Secure communications using SSL
Associating SSL configurations centrally with inbound and outbound scopes