
Associate Secure Sockets Layer configurations centrally with inbound and outbound scopes

After creating an SSL configuration, you must associate a secure inbound or outbound management scope with the new configuration. We can manage the association centrally, so that a change made at one scope affects all scopes lower on the topology that are associated with the configuration. Beginning with WebSphere Application Server Version 6.1, centrally managed SSL configurations are the recommended and default configuration method.

We can reduce the number of associations needed for an SSL configuration by associating the configuration with the highest management scope that requires a unique configuration. SSL configuration associations are inherited: all of the scopes that are lower on the topology inherit the SSL configuration. For example, an association you make at the cell level affects nodes, servers, clusters, and endpoints. For more information, see Central management of SSL configurations.

A precedence rule determines which SSL configuration association is used at a particular scope. The highest precedence is given to endpoints on the topology. If we establish an association at the endpoint, this association overrides any prior association made higher up on the management scope topology. Complete the following steps in the dmgr console:

  1. Click Security > SSL certificate and key management.

  2. Select the Dynamically update the runtime when SSL configuration changes check box if you want changes that you make to an existing SSL configuration to take effect dynamically. All outbound SSL communications honor dynamic SSL changes. Protocols that do not use the channel framework's SSL channel for inbound communications, including the Object Request Broker (ORB) and administrative SOAP protocols, do not honor dynamic updates. For more information, see Dynamic configuration updates in SSL.

  3. Click Manage endpoint security configurations.

  4. Select either the inbound or the outbound tree. After finishing the selected tree, we can return to this step to repeat the following steps for the other tree.

  5. Click the link for the selected cell, node, node group, server, cluster, or endpoint on the topology tree. If the scope already has an associated SSL configuration and alias, these objects display in parentheses immediately following the scope name, for example: Node01(NodeDefaultSSLSettings,default). If the deployment manager has federated a node, the node scope SSL configuration overrides the cell scope configuration above it in the topology.

  6. Decide whether to override the inherited values that display in the read-only fields. Read-only fields include the management scope name, the direction, and the inherited SSL configuration name and certificate alias.

    • If we are satisfied with these values, do not override them.

    • To override the inherited values, select the Override inherited values check box.

  7. Select an SSL configuration from the list.

  8. Click Update certificate alias list. The certificate alias list comes from the key store referenced by the new SSL configuration.

  9. Click Manage certificates to manage the personal certificates that are contained in the key store referenced in the SSL configuration.

  10. Click Update certificate alias list to refresh the list of aliases.

  11. Select a certificate alias in the key store to represent the identity of the endpoint.

  12. Click OK to save your changes.

  13. Click Manage endpoint security configurations and trust zones to return to the topology tree.

  14. Configure the opposite direction on the topology tree using the steps in this task. We can also select additional scopes to associate with the SSL configuration, as needed.
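The precedence rule above (an association at a more specific scope overrides one inherited from a broader scope, with endpoints winning over everything) can be modelled as a walk from the scope toward the cell. The following is an added illustration, not WebSphere's own resolver; the cell, node, server and endpoint names and the SSL configuration aliases are constructed, and the label() method reproduces the console's Scope(SSLConfig,alias) display from step 5.

```python
from typing import Dict, Optional, Tuple

# Constructed model of the page's precedence rule, not WebSphere's own code.
# Scopes from least to most specific; a more specific association wins.
SCOPE_ORDER = ("cell", "nodegroup", "node", "cluster", "server", "endpoint")
Association = Tuple[str, str]  # (SSL configuration alias, certificate alias)

class ScopeTree:
    """Topology tree for one direction (inbound or outbound)."""

    def __init__(self, direction: str) -> None:
        assert direction in ("inbound", "outbound")
        self.direction = direction
        self.parent: Dict[str, Optional[str]] = {}
        self.association: Dict[str, Association] = {}

    def add_scope(self, name: str, kind: str, parent: Optional[str]) -> None:
        assert kind in SCOPE_ORDER
        self.parent[name] = parent

    def associate(self, scope: str, ssl_config: str, cert_alias: str) -> None:
        """Same effect as 'Override inherited values' at this scope."""
        self.association[scope] = (ssl_config, cert_alias)

    def effective(self, scope: str) -> Optional[Tuple[str, Association]]:
        """Walk from the scope toward the cell; the first association met is
        the most specific one and wins. Returns (defining scope, association)."""
        current: Optional[str] = scope
        while current is not None:
            if current in self.association:
                return current, self.association[current]
            current = self.parent[current]
        return None

    def label(self, scope: str) -> str:
        """Console-style label, e.g. Node01(NodeDefaultSSLSettings,default)."""
        hit = self.effective(scope)
        return scope if hit is None else "%s(%s,%s)" % (scope, *hit[1])

def sample_topology() -> ScopeTree:
    """Constructed cell with a node override beneath the cell default."""
    t = ScopeTree("inbound")
    t.add_scope("Cell01", "cell", None)
    t.add_scope("Node01", "node", "Cell01")
    t.add_scope("server1", "server", "Node01")
    t.add_scope("WC_defaulthost_secure", "endpoint", "server1")
    t.associate("Cell01", "CellDefaultSSLSettings", "default")
    t.associate("Node01", "NodeDefaultSSLSettings", "default")
    return t
```

Associating a configuration directly at WC_defaulthost_secure afterwards makes that endpoint the defining scope, which is the endpoint override the precedence rule describes.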


Results

Each SSL configuration at the selected scope, and at the scopes beneath it on the topology tree, has the same SSL configuration properties. The following SSL configuration methods override the centrally managed configurations that you associate in the tree view:

At any management scope, we can configure the following objects: dynamic outbound endpoint SSL configurations, key stores, key sets, key set groups, key managers, and trust managers. Like SSL configurations, these objects are scoped automatically so they are not visible higher up in the tree nor are they loaded during runtime by processes that are higher up in the tree.


Related concepts:

Central management of SSL configurations
Dynamic configuration updates in SSL
SSL configurations

Related:

Create an SSL configuration

Reference:

SSLConfigGroupCommands group for AdminTask