WAS v8.5 > Secure applications > Secure communications > Secure communications using SSL

Central management of SSL configurations

By default, SSL configurations for servers are managed from a central location in the topology view of the deployment manager (dmgr) console. We can make coarse-grained changes for the entire topology using the cell scope, and fine-grained changes by selecting a particular endpoint.

SSL configurations use inheritance, so you only need to set the highest-level management scope, the cell scope, to have a configuration seen by all nodes and application servers. With a node scope, the configuration can be seen by that node agent and by every application server that is part of that node. Application servers and nodes that are not part of this particular node cannot see this SSL configuration.

To configure inbound and outbound topologies...


Default centrally managed SSL configuration

The default management scope is the node scope. When a node is federated into a cell, the default SSL configurations for the node are maintained, as shown in the following sample for the sslConfigGroups and managementScopes elements:

<sslConfigGroups xmi:id="SSLConfigGroup_1"
                 name="nodename"
                 direction="inbound"
                 certificateAlias="default"
                 sslConfig="SSLConfig_1"
                 managementScope="ManagementScope_1"/>
<sslConfigGroups xmi:id="SSLConfigGroup_2"
                 name="nodename"
                 direction="outbound"
                 certificateAlias="default"
                 sslConfig="SSLConfig_1"
                 managementScope="ManagementScope_1"/>
<managementScopes xmi:id="ManagementScope_1"
                  scopeName="(cell):cellname:(node):nodename"
                  scopeType="node"/>

The SSL configuration xmi:id "SSLConfig_1" is also federated and applicable:

<repertoire xmi:id="SSLConfig_1"
            alias="NodeDefaultSSLSettings"
            managementScope="ManagementScope_1">
    <setting xmi:id="SecureSocketLayer_1"
             clientAuthentication="true"
             securityLevel="HIGH"
             enabledCiphers=""
             jsseProvider="IBMJSSE2"
             sslProtocol="SSL_TLS"
             keyStore="KeyStore_1"
             trustStore="KeyStore_2"
             trustManager="TrustManager_1"
             keyManager="KeyManager_1"/>
</repertoire>

The keystores associated with the SSLConfig_1 SSL configuration are also federated, and key.p12 is located in the node directory of the configuration repository:

<keyStores xmi:id="KeyStore_1"
           name="NodeDefaultKeyStore"
           password="{xor}HRYNFAtrbxEwOzpvbhw6MzM="
           provider="IBMJCE"
           location="${USER_INSTALL_ROOT}/config/cells/cellname/nodes/nodename/key.p12"
           type="PKCS12"
           fileBased="true"
           hostList=""
           initializeAtStartup="true"
           managementScope="ManagementScope_1"/>
<keyStores xmi:id="KeyStore_2"
           name="NodeDefaultTrustStore"
           password="{xor}HRYNFAtrbxEwOzpvbhw6MzM="
           provider="IBMJCE"
           location="${USER_INSTALL_ROOT}/config/cells/cellname/nodes/nodename/trust.p12"
           type="PKCS12"
           fileBased="true"
           hostList=""
           initializeAtStartup="true"
           managementScope="ManagementScope_1"/>
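As an added illustration (not from the product documentation), the following Python script resolves which SSL configuration an endpoint inherits, applying the scope inheritance described above to a constructed fragment in the same format as the samples: one cell-scope inbound group and one node-scope inbound group for a single node. The scope names, ids and the precedence rule (the most specific matching scope wins) are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragments above (not a real cell):
# a cell-scope inbound group plus a node-scope inbound group for nodeA only.
SECURITY_XML = """<security xmlns:xmi="http://www.omg.org/XMI">
  <sslConfigGroups xmi:id="SSLConfigGroup_cell" name="cellname" direction="inbound"
                   certificateAlias="default" sslConfig="SSLConfig_cell"
                   managementScope="ManagementScope_cell"/>
  <sslConfigGroups xmi:id="SSLConfigGroup_1" name="nodeA" direction="inbound"
                   certificateAlias="default" sslConfig="SSLConfig_1"
                   managementScope="ManagementScope_1"/>
  <managementScopes xmi:id="ManagementScope_cell" scopeName="(cell):cellname" scopeType="cell"/>
  <managementScopes xmi:id="ManagementScope_1" scopeName="(cell):cellname:(node):nodeA"
                    scopeType="node"/>
  <repertoire xmi:id="SSLConfig_cell" alias="CellDefaultSSLSettings"
              managementScope="ManagementScope_cell">
    <setting xmi:id="SecureSocketLayer_c" clientAuthentication="false"
             securityLevel="HIGH" sslProtocol="SSL_TLS"/>
  </repertoire>
  <repertoire xmi:id="SSLConfig_1" alias="NodeDefaultSSLSettings"
              managementScope="ManagementScope_1">
    <setting xmi:id="SecureSocketLayer_1" clientAuthentication="true"
             securityLevel="HIGH" sslProtocol="SSL_TLS"/>
  </repertoire>
</security>"""

XMI_ID = "{http://www.omg.org/XMI}id"  # xmi:id attribute in Clark notation

def resolve_ssl_config(xml_text, endpoint_scope, direction="inbound"):
    """Return (alias, setting attributes) of the SSL configuration that an
    endpoint with the given scope name inherits for the given direction,
    e.g. '(cell):cellname:(node):nodeA:(server):server1'.  Assumed rule:
    every sslConfigGroup whose scopeName is a path prefix of the endpoint
    scope applies, and the longest (most specific) one wins."""
    root = ET.fromstring(xml_text)
    scopes = {s.get(XMI_ID): s.get("scopeName") for s in root.iter("managementScopes")}
    repertoires = {r.get(XMI_ID): r for r in root.iter("repertoire")}
    best = None
    for group in root.iter("sslConfigGroups"):
        if group.get("direction") != direction:
            continue
        name = scopes[group.get("managementScope")]
        # Match whole path components only, so node "nodeA" never matches "nodeAB".
        if endpoint_scope == name or endpoint_scope.startswith(name + ":"):
            if best is None or len(name) > len(best[0]):
                best = (name, group)
    if best is None:
        return None  # nothing at any enclosing scope for this direction
    repertoire = repertoires[best[1].get("sslConfig")]
    return repertoire.get("alias"), dict(repertoire.find("setting").attrib)
```

A server under nodeA resolves to the node-scope NodeDefaultSSLSettings (clientAuthentication="true"), while a node with no scope of its own falls back to the cell-scope configuration; a scope outside the cell resolves to nothing.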


Related concepts:
Secure communications using SSL
SSL configurations

