Dynamic outbound selection of Secure Sockets Layer configurations
WebSphere Application Server provides dynamic outbound selection that enables us to choose a specific Secure Sockets Layer (SSL) configuration and certificate alias for each outbound protocol, target host, target port, or any combination of these attributes. We can specify the dynamic selection information for outbound connections from a pure client or from a server that is acting as a client.
Before the SSL runtime for WebSphere Application Server starts an outbound connection, the runtime attempts to match the outbound protocol, target host, and target port attributes with the dynamic outbound selection information that is associated with an SSL configuration and certificate alias in the configuration.
The runtime caches both selection misses and selection hits, so the impact on performance can be minimal. However, a relationship exists between the amount of dynamic outbound selection information and its impact on the initial connection performance.
Dynamic selection information for outbound administrative SOAP connections
The default dynamic outbound selection configuration specifies that all outbound administrative SOAP connections use the same SSL configuration and certificate alias within the entire cell.
The management scope of the SSL configuration is at the cell level so every process in the cell sees this configuration. When an administrative SOAP client makes an outbound connection, the client provides protocol, target host, and target port information to the SSL runtime, as shown in the following sample code:
<dynamicSSLConfigSelections xmi:id="DynamicSSLConfigSelection_1" name="AdminSSLOutbound" description="Uses the AdminSSL configuration for all outbound SOAP calls." dynamicSelectionInfo="ADMIN_SOAP,*,*" certificateAlias="default" sslConfig="SSLConfig_2" managementScope="ManagementScope_1"/>
The SSL runtime checks the configuration and confirms that certificateAlias="default" and sslConfig="SSLConfig_2" for the ADMIN_SOAP protocol when you enable client certificate authentication.The configured target host and port are represented by the * character because both the host and the port attributes can be any value.
Target information during outbound connections
The dynamic outbound selection configurations are only effective when the outbound protocol uses the JSSEHelper (API) when you select an SSL configuration with a specified connectionInfo hash map. This hash map must contain the following properties:
- com.ibm.ssl.direction
- The value for outbound connections is OUTBOUND.
- com.ibm.ssl.remoteHost
- The format should match what the protocol provides. Typically this is the canonical Domain Name Space (DNS), but it also could be the IP address.
The name comparison is performed as a case-insensitive comparison. There is no name resolution processing performed during the string comparison.gotcha
- com.ibm.ssl.remotePort
- The port is target port.
- com.ibm.ssl.endPointName
- The value for an outbound connection must be one of the following protocol strings:
- IIOP
- HTTP
- SIP
- LDAP
- ADMIN_IPC
- ADMIN_SOAP
- BUS_TO_BUS
- BUS_CLIENT
- BUS_TO_WEBSPHERE_MQ
- WEBSPHERE_MQ_CLIENT