
Associating Secure Sockets Layer configurations centrally with inbound and outbound scopes

 

After creating an SSL configuration, associate a secure inbound or outbound management scope with the new configuration. You can manage the association centrally so that you can easily make changes that affect all the scopes that are lower on the topology and that are associated with the configuration. Beginning with WebSphere Application Server version 6.1, centrally managed SSL configurations are the recommended and default configuration method. You can reduce the number of associations that an SSL configuration needs by associating it with the highest-level management scope that requires a unique configuration. SSL configuration associations are inherited: all of the scopes that are lower on the topology inherit the SSL configuration. For example, an association that you make at the cell level affects nodes, servers, clusters, and endpoints. For more information, see Central management of Secure Sockets Layer configurations.

A precedence rule determines which SSL configuration association is used at a particular scope. The highest precedence is given to endpoints on the topology. If you establish an association at the endpoint, this association overrides any prior association that you made higher up on the management scope topology.
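The inheritance and precedence rules described above, modelled as an added Python example (not WebSphere code and not its AdminTask interface): scope, configuration and certificate alias names are constructed, and the resolver walks from the selected scope up the tree until it meets a scope whose inherited values were overridden for that direction.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
# Management scopes from highest on the topology to lowest; lower scopes take
# precedence, so an endpoint association overrides a cell association.
LEVELS = ("cell", "nodegroup", "node", "cluster", "server", "endpoint")
Association = Tuple[str, str]  # (SSL configuration alias, certificate alias)

@dataclass
class Scope:
    name: str
    level: str
    parent: Optional["Scope"] = None
    # Associations set with "Override inherited values", keyed by direction
    overrides: Dict[str, Association] = field(default_factory=dict)
    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown scope level {self.level!r}")
        if self.parent and LEVELS.index(self.parent.level) >= LEVELS.index(self.level):
            raise ValueError("parent scope must be higher on the topology")

    def associate(self, direction: str, ssl_config: str, cert_alias: str) -> None:
        if direction not in ("inbound", "outbound"):
            raise ValueError("direction must be 'inbound' or 'outbound'")
        self.overrides[direction] = (ssl_config, cert_alias)

    def label(self, direction: str) -> str:
        """Tree label as the console shows it, e.g. Node01(NodeDefaultSSLSettings,default)."""
        own = self.overrides.get(direction)
        return f"{self.name}({own[0]},{own[1]})" if own else self.name

def effective_association(scope: Scope, direction: str):
    """Walk upward from the scope; the lowest scope with an override wins."""
    current: Optional[Scope] = scope
    while current is not None:
        if direction in current.overrides:
            return current.overrides[direction], current.name
        current = current.parent
    return None, None  # nothing associated anywhere up the tree
def build_sample_topology() -> Dict[str, Scope]:
    """Constructed sample (not a real topology): cell default, node and endpoint overrides."""
    cell = Scope("Cell01", "cell")
    cell.associate("inbound", "CellDefaultSSLSettings", "default")
    cell.associate("outbound", "CellDefaultSSLSettings", "default")
    node = Scope("Node01", "node", cell)
    node.associate("inbound", "NodeDefaultSSLSettings", "default")
    server = Scope("server1", "server", node)
    endpoint = Scope("WC_defaulthost_secure", "endpoint", server)
    endpoint.associate("inbound", "WebSSLSettings", "webcert")
    return {"cell": cell, "node": node, "server": server, "endpoint": endpoint}
```

In the sample, server1 inherits the node's inbound settings, the endpoint's own inbound override beats both node and cell, and its outbound traffic falls back to the cell default because nothing lower overrides it.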

 

Overview

Complete the following steps in the console:

 

Procedure

  1. Click Security > SSL certificate and key management.

  2. Select the Dynamically update the runtime when SSL configuration changes check box if you want changes that you make to an existing SSL configuration to take effect dynamically. All outbound SSL communications honor the dynamic SSL changes. Protocols that do not use the channel framework's SSL channel for inbound communications, including Object Request Broker (ORB) and administrative SOAP protocols, do not honor dynamic updates. For more information, see Dynamic configuration updates.

  3. Click Manage endpoint security configurations.

  4. Select either the inbound or the outbound tree. After finishing the selected tree, you can return to this step to repeat the following steps for the other tree.

  5. Click the link for the selected cell, node, node group, server, cluster, or endpoint on the topology tree. If the scope already has an associated SSL configuration and alias, these objects are displayed in parentheses immediately following the scope name, for example, Node01(NodeDefaultSSLSettings,default). If the deployment manager has federated a node, the node scope SSL configuration overrides the cell scope configuration above it in the topology.

  6. Decide whether to override the inherited values that display in the read-only fields. Read-only fields include the management scope name, the direction, and the inherited SSL configuration name and certificate alias.

    • If you are satisfied with these values, do not override them.

    • To override the inherited values, select the Override inherited values check box.

  7. Select an SSL configuration from the list.

  8. Click Update certificate alias list. The certificate alias list comes from the key store that is referenced by the new SSL configuration.

  9. Click Manage certificates if you want to manage the personal certificates that are contained in the key store that is referenced in the SSL configuration.

  10. Click Update certificate alias list to refresh the list of aliases.

  11. Select a certificate alias in the key store to represent the identity of the endpoint.

  12. Click OK to save your changes.

  13. Click Manage endpoint security configurations and trust zones to return to the topology tree.

  14. Configure the opposite direction on the topology tree using the steps in this task. You can also select additional scopes to associate with the SSL configuration, as needed.

 

Results

Each SSL configuration at the selected scope and at scopes beneath it on the topology tree has the same SSL configuration properties. The following SSL configuration methods override the centrally managed configurations that you associate in the tree view:

 

What to do next

At any management scope, you can configure the following objects: dynamic outbound endpoint SSL configurations, key stores, key sets, key set groups, key managers, and trust managers. Like SSL configurations, these objects are scoped automatically so that they are not visible higher up in the tree nor are they loaded during runtime by processes that are higher up in the tree.



Central management of Secure Sockets Layer configurations
Dynamic configuration updates
Secure Sockets Layer configurations

 

Related tasks


Creating a Secure Sockets Layer configuration

 

Related Reference


SSLConfigGroupCommands group for the AdminTask object