
Central management of SSL configurations

By default, SSL configurations for servers are managed from a central location in the topology view of the console. We can associate an SSL configuration and certificate alias with a specific management scope. This is the most efficient way to manipulate and modify configurations when the server topology changes.

Management control of the SSL configurations offers more options and additional flexibility. We are able to make coarse-grained changes for the entire topology using the cell scope, and also make fine-grained changes using a particular endpoint name for a specific application server process. Because SSL configuration associations are inherited, we can reduce the number of associations by referencing only the highest-level management scope that needs a unique configuration.

The topology view provides the scoping mechanism. An SSL configuration inherits the scope at which it is displayed in the topology. That scope encompasses the level where the configuration was created and all the levels beneath it. For example, when creating an SSL configuration at a specific node, that configuration can be seen by that node agent and by every application server that is part of that node. Any application server or node that is not part of this particular node cannot see this SSL configuration.

Your security environment influences issues such as the uniqueness of the SSL configurations, as well as the SSL configuration and the certificate alias placement in the topology. We are also able to configure different certificate aliases and different SSL configurations for inbound connections versus outbound connections.

To configure the inbound and outbound topologies, which must be done separately in the console, click...


Default centrally managed SSL configuration

It is simpler to manage SSL configurations centrally in the topology view of the console, but we can also use wsadmin scripting within AdminTasks to manage SSL configurations.

The configuration element of security.xml can be used to manage SSL configuration associations. The sslConfigGroup configuration object is the mechanism used to associate a connection direction and management scope with a specific SSL configuration and certificate alias. The default sslConfigGroups cell attribute has a predefined inbound and outbound cell-scoped configuration that each endpoint in the cell inherits.

<sslConfigGroups xmi:id="SSLConfigGroup_1"
                 name="myhostCell01"
                 direction="inbound"
                 certificateAlias="default"
                 sslConfig="SSLConfig_1"
                 managementScope="ManagementScope_1"/>
<sslConfigGroups xmi:id="SSLConfigGroup_2"
                 name="myhostCell01"
                 direction="outbound"
                 certificateAlias="default"
                 sslConfig="SSLConfig_1"
                 managementScope="ManagementScope_1"/>
<managementScopes xmi:id="ManagementScope_1"
                  scopeName="(cell):myhostCell01"
                  scopeType="cell"/>

In the previous sample code, both sslConfigGroups entries reference the cell management scope. If a different scope is intended, the following list shows the precedence order for selecting management scopes, from the highest order of precedence to the lowest. Whenever a scope that covers an endpoint is defined, the endpoint uses the SSL configuration and certificate alias specified at the most specific such scope.

Endpoint scope

<managementScopes xmi:id="ManagementScope_1" 
                  scopeName="(cell):myhostCell01:(node):myhostNode01:(server):server1:(endpoint):ENDPOINT_NAME_IN_SERVERINDEX"  
                  scopeType="endpoint"/>

Server scope

<managementScopes xmi:id="ManagementScope_1" 
                  scopeName="(cell):myhostCell01:(node):myhostNode01:(server):server1" 
                  scopeType="server"/>

Cluster scope

<managementScopes xmi:id="ManagementScope_1" 
                  scopeName="(cell):myhostCell01:(cluster):myCluster" 
                  scopeType="cluster"/>

Node scope

<managementScopes xmi:id="ManagementScope_1" 
                  scopeName="(cell):myhostCell01:(node):myhostNode01" 
                  scopeType="node"/>

Nodegroup scope

<managementScopes xmi:id="ManagementScope_1" 
                  scopeName="(cell):myhostCell01:(nodegroup):DefaultNodeGroup" 
                  scopeType="nodegroup"/>

Cell scope

<managementScopes xmi:id="ManagementScope_1" 
                  scopeName="(cell):myhostCell01"
                  scopeType="cell"/>
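To make the inheritance and precedence concrete, here is an added Python example (not IBM's code and not the wsadmin API) that parses a constructed security.xml fragment and resolves which sslConfig and certificateAlias an endpoint inherits for a given direction by walking the precedence order above. The node-scoped override, the nodeCert alias, SSLConfig_2 and the endpoint name WC_defaulthost are constructed sample values, not from the page.

```python
import xml.etree.ElementTree as ET

XMI_ID = "{http://www.omg.org/XMI}id"
# Constructed security.xml fragment (sample data, not from a real cell): the
# cell-wide inbound/outbound defaults plus one node-scoped inbound override.
SECURITY_XML = """<security xmlns:xmi="http://www.omg.org/XMI">
  <sslConfigGroups xmi:id="SSLConfigGroup_1" name="myhostCell01" direction="inbound"
      certificateAlias="default" sslConfig="SSLConfig_1" managementScope="ManagementScope_1"/>
  <sslConfigGroups xmi:id="SSLConfigGroup_2" name="myhostCell01" direction="outbound"
      certificateAlias="default" sslConfig="SSLConfig_1" managementScope="ManagementScope_1"/>
  <sslConfigGroups xmi:id="SSLConfigGroup_3" name="myhostNode01" direction="inbound"
      certificateAlias="nodeCert" sslConfig="SSLConfig_2" managementScope="ManagementScope_2"/>
  <managementScopes xmi:id="ManagementScope_1" scopeName="(cell):myhostCell01" scopeType="cell"/>
  <managementScopes xmi:id="ManagementScope_2"
      scopeName="(cell):myhostCell01:(node):myhostNode01" scopeType="node"/>
</security>"""

# Precedence order given on the page, highest first.
PRECEDENCE = ["endpoint", "server", "cluster", "node", "nodegroup", "cell"]


def candidate_scopes(cell, node, server, endpoint, cluster=None, nodegroup=None):
    """Scope names an endpoint can inherit from, keyed by scopeType."""
    base = f"(cell):{cell}"
    scopes = {
        "endpoint": f"{base}:(node):{node}:(server):{server}:(endpoint):{endpoint}",
        "server": f"{base}:(node):{node}:(server):{server}",
        "node": f"{base}:(node):{node}",
        "cell": base,
    }
    if cluster:
        scopes["cluster"] = f"{base}:(cluster):{cluster}"
    if nodegroup:
        scopes["nodegroup"] = f"{base}:(nodegroup):{nodegroup}"
    return scopes


def resolve_ssl(xml_text, direction, scopes):
    """Return (sslConfig, certificateAlias, scopeType) that wins, or None."""
    root = ET.fromstring(xml_text)
    scope_name = {m.get(XMI_ID): m.get("scopeName") for m in root.iter("managementScopes")}
    # (direction, scopeName) -> (sslConfig, certificateAlias)
    assoc = {}
    for g in root.iter("sslConfigGroups"):
        key = (g.get("direction"), scope_name.get(g.get("managementScope")))
        assoc[key] = (g.get("sslConfig"), g.get("certificateAlias"))
    for scope_type in PRECEDENCE:  # most specific matching scope wins
        name = scopes.get(scope_type)
        if name and (direction, name) in assoc:
            return assoc[(direction, name)] + (scope_type,)
    return None
```

Running this against a real security.xml export lets you audit which certificate alias an endpoint actually presents, which is the check to make after adding a scoped override.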


Related concepts

  • Secure communications using SSL
  • SSL configurations