Secure Socket Layer communication with DataPower
Based on the default installations of the application server and the DataPower appliance manager, secure sockets layer (SSL) communication is used to send commands and receive events. The default SSL configuration used by the DataPower appliance manager can be strengthened by customizing the SSL connection. Modifying the default SSL configuration is optional and only needs to be done if the default configuration is not sufficient for the requirements.
SSL is used to send commands to each known appliance manager. In this scenario, the application server and the DataPower appliance manager behave as the SSL client and the DataPower appliances are acting as the SSL servers. This SSL connection uses the ibmPKIX trustmanager to do some verification of the DataPower appliance. Neither the certificate chain nor the revocation list for the certificate of the DataPower appliance are checked. The default configuration also does not do any SSL client validation for this scenario.
(zos) The DataPower root certificate, located at app_server_root/profiles/profile_name/etc/DataPower-root-ca-cert.pem, is shipped as part of the default keystore. During profile creation, this certificate is automatically added to file-based keystores. Since SAF keyrings are not file-based, the certificate must be added to the RACF keystore manually.
SSL is also used for the events received by the application server and the DataPower appliance manager from each DataPower appliance being managed. In this scenario, the application server and the DataPower appliance manager is the SSL server and the DataPower appliances are the SSL client. SSL client validation is also not performed in this scenario by default.
Most customizations that are available for SSL connections in WAS can be applied to the connections used by the DataPower appliance manager. To customize the SSL connections used for communication between the DataPower appliance manager and the DataPower appliances, each change made to the SSL connection on the DataPower appliance manager must also be accompanied by a complimentary change on each of the DataPower appliances that it manages. The DataPower appliance manager uses the DataPowerMgr_sslConfig SSL profile to connect with the DataPower appliances to send the appliances commands. You may make changes to this profile to influence the SSL connection used to send commands to the appliances. The DataPower appliance manager uses the DataPowerMgr_inbound_secure inbound endpoint on the Dmgr to receive events from the appliances it manages. You may make changes to the profile used by this endpoint to influence the SSL connection used to send events from the managed appliances.
For instructions on how to modify the AMP XML Management Interface SSL configuration on a DataPower appliance, refer to the DataPower appliance WebGUI Guide section on the XML Management Interface and how to create a custom SSL Proxy profile.
WebSphere DataPower appliance manager overview
(zos) Import a signer certificate from a truststore to a z/OS keyring