Associate SSL configurations centrally with inbound and outbound scopes

After creating an SSL configuration, associate a secure inbound or outbound management scope with the new configuration. We can manage the association centrally so that we can make changes that affect all the scopes that are lower on the topology and associated with the configuration. Beginning with WebSphere Application Server version 6.1, the recommended and the default configuration method is centrally managed SSL configurations.

We can simplify the number of associations needed to make for an SSL configuration by associating the configuration with the highest level management scope requiring a unique configuration. SSL configuration associations manifest inheritance behaviors. Because of the inheritance behaviors, all of the scopes that are lower on the topology inherit this SSL configuration. For example, an association we make at the cell level affects nodes, servers, clusters, and endpoints. See Central management of SSL configurations.

A precedence rule determines which SSL configuration association is used at a particular scope. The highest precedence is given to endpoints on the topology. If we establish an association at the endpoint, this association overrides any prior association that we made higher up on the management scope topology.

Tasks

1. To make changes to an existing SSL configuration occur dynamically, click check box...
   Security > SSL certificate and key management > Dynamically update the runtime when SSL configuration changes

   All outbound SSL communications honor the dynamic SSL changes. Protocols that do not use the channel frameworks SSL channel for inbound communications, including ORB and administrative SOAP protocols, do not honor dynamic updates.

2. Click...
   Manage endpoint security configurations > [Inbound | outbound] tree

   After finishing the selected tree, we can return to this step to repeat the following steps for the other tree.

3. Click the link for the selected cell, node, node group, server, cluster, or endpoint on the topology tree. If the scope already has an associated SSL configuration and alias, these objects display in parentheses immediately following the scope name, for example:
   Node01(NodeDefaultSSLSettings,default)

   If the deployment manager has federated a node, the node scope SSL configuration overrides the cell scope configuration above it in the topology.

4. Decide whether to override the inherited values that display in the read-only fields. Read-only fields include the management scope name, the direction, and the inherited SSL configuration name and certificate alias.
   • If we are satisfied with these values, do not override them.

   • To override the inherited values, select the Override inherited values check box.

5. Select an SSL configuration from the list.

6. Click...
   Update certificate alias list

   The certificate alias list comes from the key store referenced by the new SSL configuration.

7. Click Manage certificates if we want to manage the personal certificates contained in the key store referenced in the SSL configuration.

8. Click Update certificate alias list to refresh the list of aliases.

9. Select a certificate alias in the key store to represent the identity of the endpoint.

10. Click OK to save the changes.

11. Click Manage endpoint security configurations and trust zones to return to the topology tree.

12. Configure the opposite direction on the topology tree using the steps in this task. We can also select additional scopes to associate with the SSL configuration, as needed.

Each SSL configuration at the selected scope and at scopes beneath it on the topology tree have the same SSL configuration properties. The following SSL configuration methods override the centrally managed configurations that you associate in the tree view:

• Direct selection at the endpoint
• Dynamic outbound SSL configuration associations
• Programmatic specifications

What to do next

At any management scope, we can configure the following objects: dynamic outbound endpoint SSL configurations, key stores, key sets, key set groups, key managers, and trust managers. Like SSL configurations, these objects are scoped automatically so that they are not visible higher up in the tree nor are they loaded during runtime by processes that are higher up in the tree.

Related:

Central management of SSL configurations

Dynamic configuration updates in SSL

SSL configurations

Create a Secure Sockets Layer configuration

SSLConfigGroupCommands group for the AdminTask object