Associate a Secure Sockets Layer configuration dynamically with an outbound protocol and remote secure endpoint
After creating an SSL configuration, we must associate a secure outbound management scope with the new configuration. In this release, we can associate one SSL configuration with one remote secure endpoint and a different SSL configuration to another remote secure endpoint. Both endpoints can use the same outbound protocol, if appropriate. This task describes how to create the association dynamically.
Dynamic outbound selection requires that we provide only the outbound protocol name, the target host, and the target port so that WebSphere Application Server can make a connection between the SSL configuration and the outbound protocol or remote secure endpoint. The dynamic outbound selection method takes precedence over other selection methods, such as central management and direct selection, but is second to the programmatic method, that is, setting an SSL configuration on the running thread. For more information about the selection types and precedence rules, see Secure communications using SSL.
Tasks
- Click Security > SSL certificate and key management > Manage endpoint security configurations > Outbound.
- Select the management scope to associate with an SSL configuration on the topology tree.
- Under Related Items, click Dynamic outbound endpoint SSL configurations. The default dynamic outbound configuration name, the target protocol, host, and port connection information, and the SSL configuration name display.
- Click New to create a new dynamic outbound configuration.
- Type a dynamic outbound configuration name. Use a name that is descriptive of the purpose of the dynamic selection configuration.
- Optionally, type a dynamic selection configuration description.
- Type the connection information to associate with the configuration displayed in the SSL configuration drop-down list. The connection information must be in the format protocol name, target host, target port. We can substitute an asterisk (*) for any value, as in the following examples, where 443 is a port, www.mycompany.com is a host, HTTP is a protocol, and .hometown.mycompany.com is a target host. We can add multiple connections, but each additional connection can affect outbound performance.
- *,*,443
- *,www.mycompany.com,443
- HTTP,.hometown.mycompany.com,*
- *,*,*
Do not use this configuration because it matches all outbound specifications. Therefore, no other SSL configuration is used for outbound connections..
- Unless the intention is to set the protocol property through the JSSEHelper API, the protocol filter should be set to * (as in the first two examples). See "Dynamic Selection" in Secure communications using SSL for more information.
- The connection protocols used for dynamic outboud SSL configuration selection, that are illustrated in the preceding examples, which are not corresponding the protocol name of the URL. To use one of these protocols from a user-written application, programmatic SSL configuration selection must be implemented.
- Click Add to add the new connection to the set of SSL configuration connections. To remove a connection, select it and click Remove.
- Select an SSL configuration from the list.
- Click Get certificate aliases to refresh the certificate aliases contained in the associated key store.
- Choose a certificate alias from the list.
- Click OK and Save.
WAS is ready to connect one or more SSL configurations to one or more remote secure endpoints.
What to do next
We can return to the outbound tree and select another management scope to associate with the same or a new outbound configuration.
Subtopics
- Programmatically specifying an outbound SSL configuration using JSSEHelper API
WAS provides a way to specify programmatically which SSL configurations to use prior to making an outbound connection. The com.ibm.websphere.ssl.JSSEHelper interface provides a complete set of APIs for handling SSL configurations.- Associating Secure Sockets Layer configurations centrally with inbound and outbound scopes
After creating an SSL configuration, we must associate a secure inbound or outbound management scope with the new configuration. We can manage the association centrally so that we can make changes that affect all the scopes that are lower on the topology and associated with the configuration. Beginning with WAS version 6.1, the recommended and the default configuration method is centrally managed SSL configurations.- Select an SSL configuration alias directly from an endpoint configuration
We can associate a secure outbound endpoint with a new SSL configuration directly. If we are migrating from a release prior to version 6.1, WAS still supports configurations that were selected directly at an endpoint. Direct selection always overrides centrally managed configurations and preserves migrated configurations.- Enable Secure Sockets Layer client authentication for a specific inbound endpoint
When we establish an SSL configuration, we can enable client authentication for a specific inbound endpoint.- Manage endpoint security configurations
Select a Secure Socket Layer (SSL) configuration from the Local Topology hierarchy, which includes cells, nodes, node groups, servers, and clusters.- Dynamic inbound and outbound endpoint SSL configurations collection
Manage dynamic endpoint SSL configurations, which represent associations between Secure Socket Layer (SSL) configurations and their target protocol, host, and port.- Dynamic outbound endpoint SSL configuration settings
Set properties for dynamic outbound endpoint SSL configurations, which represent associations between SSL configurations and their target protocol, host, and port.
Related:
Secure communications using SSL Dynamic outbound selection of Secure Sockets Layer configurations Central management of SSL configurations SSL configurations ssl.client.props client configuration file