Associating Secure Sockets Layer configurations centrally with inbound and outbound scopes

After you create a Secure Sockets Layer (SSL) configuration, you must associate it with a secure inbound or outbound management scope. Because the association is managed centrally, a single change affects every scope that is lower on the topology and associated with the configuration. Beginning with WebSphere® Application Server Version 6.1, centrally managed SSL configurations are the default and recommended configuration method.

Before you begin

You can reduce the number of associations that you need to make by associating the SSL configuration with the highest management scope that requires a unique configuration. SSL configuration associations are inherited: every scope that is lower on the topology inherits the configuration of the scope above it. For example, an association that you make at the cell level affects nodes, servers, clusters, and endpoints. For more information, see Central management of SSL configurations.

A precedence rule determines which SSL configuration association is used at a particular scope. The highest precedence is given to endpoints on the topology. If you establish an association at the endpoint, this association overrides any prior association that you made higher up on the management scope topology.

About this task

Complete the following steps in the administrative console:

Procedure

  1. Click Security > SSL certificate and key management.
  2. Select the Dynamically update the runtime when SSL configuration changes check box if you want changes that you make to an existing SSL configuration to take effect dynamically. All outbound SSL communications honor dynamic SSL changes. Protocols that do not use the channel framework's SSL channel for inbound communications, including the Object Request Broker (ORB) and administrative SOAP protocols, do not honor dynamic updates. For more information, see Dynamic configuration updates in SSL.
  3. Click Manage endpoint security configurations.
  4. Select either the inbound or the outbound tree.
    After finishing the selected tree, you can return to this step to repeat the following steps for the other tree.
  5. Click the link for the selected cell, node, node group, server, cluster, or endpoint on the topology tree.
    If the scope already has an associated SSL configuration and alias, these objects display in parentheses immediately following the scope name, for example: Node01(NodeDefaultSSLSettings,default). If the deployment manager has federated a node, the node scope SSL configuration overrides the cell scope configuration above it in the topology.
  6. Decide whether to override the inherited values that display in the read-only fields.
    Read-only fields include the management scope name, the direction, and the inherited SSL configuration name and certificate alias.
    • If you are satisfied with these values, do not override them.
    • If you want to override the inherited values, select the Override inherited values check box.
  7. Select an SSL configuration from the list.
  8. Click Update certificate alias list.
    The certificate alias list comes from the key store that is referenced by the new SSL configuration.
  9. Click Manage certificates if you want to manage the personal certificates that are contained in the key store that is referenced in the SSL configuration.
  10. Click Update certificate alias list to refresh the list of aliases.
  11. Select a certificate alias in the key store to represent the identity of the endpoint.
  12. Click OK to save your changes.
  13. Click Manage endpoint security configurations and trust zones to return to the topology tree.
  14. Configure the opposite direction on the topology tree using the steps in this task.
    You can also select additional scopes to associate with the SSL configuration, as needed.
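The same associations can be scripted with wsadmin. The following Jython script is an added example, not IBM's code: it performs steps 5 through 12 of the procedure for both directions through the AdminTask SSL configuration group commands, and it also models the precedence rule described under "Before you begin" (the association closest to the endpoint wins, otherwise the nearest ancestor's association is inherited). The cell and node names, the SSL configuration alias, the key store name and the certificate alias are assumptions; naming the SSL configuration group after the node it secures is also an assumption of this example.

```python
# Added example (not IBM's code): wsadmin Jython equivalent of the console
# procedure, plus a resolver for the scope precedence rule. Cell, node,
# key store and alias names below are assumptions; adjust them for your cell.
# Written to run under the Jython that ships with wsadmin as well as CPython.

def scope_name(cell, node=None, server=None):
    """Build a management scope string in the form WebSphere uses,
    for example '(cell):myCell01:(node):myNode01:(server):server1'."""
    parts = ['(cell):%s' % cell]
    if node:
        parts.append('(node):%s' % node)
    if server:
        parts.append('(server):%s' % server)
    return ':'.join(parts)


def parent_scopes(scope):
    """Return the scope itself and every scope above it, most specific first."""
    tokens = scope.split(':')          # ['(cell)', 'c', '(node)', 'n', ...]
    result = []
    for i in range(len(tokens), 0, -2):
        result.append(':'.join(tokens[:i]))
    return result


def effective_ssl_config(associations, scope, direction):
    """Precedence rule: an association at a lower scope overrides one made
    higher on the topology; scopes without their own association inherit.
    associations maps (scope, direction) -> (sslConfigAlias, certificateAlias)."""
    for candidate in parent_scopes(scope):
        found = associations.get((candidate, direction))
        if found is not None:
            return found
    return None        # nothing associated anywhere up the tree


def ssl_config_group_params(group_name, direction, scope, ssl_config_alias,
                            ssl_config_scope, certificate_alias):
    """Parameter string for AdminTask.createSSLConfigGroup (steps 7 and 11:
    choose the SSL configuration and the certificate alias for the scope)."""
    if direction not in ('inbound', 'outbound'):
        raise ValueError('direction must be inbound or outbound')
    return ('[-name %s -direction %s -scopeName %s -sslConfigAliasName %s '
            '-sslConfigScopeName %s -certificateAlias %s]'
            % (group_name, direction, scope, ssl_config_alias,
               ssl_config_scope, certificate_alias))


def list_certificate_aliases(admin_task, key_store_name, key_store_scope):
    """Step 8: the alias list comes from the key store that the SSL
    configuration references."""
    return admin_task.listPersonalCertificates(
        '[-keyStoreName %s -keyStoreScope %s]' % (key_store_name, key_store_scope))


def associate_ssl_config(admin_task, admin_config, params):
    """Steps 5 to 12: bind the SSL configuration and certificate alias to the
    scope, then persist the change (the equivalent of clicking OK and saving)."""
    admin_task.createSSLConfigGroup(params)
    admin_config.save()
    return params


# AdminTask and AdminConfig exist only inside wsadmin; outside it the
# functions above are still importable for testing.
try:
    AdminTask, AdminConfig
except NameError:
    AdminTask = AdminConfig = None

if AdminTask is not None:
    node = scope_name('myCell01', 'myNode01')          # assumed names
    print(list_certificate_aliases(AdminTask, 'NodeDefaultKeyStore', node))
    for direction in ('inbound', 'outbound'):          # step 14: both trees
        associate_ssl_config(AdminTask, AdminConfig,
            ssl_config_group_params('myNode01', direction, node,
                                    'NodeDefaultSSLSettings', node, 'default'))
```

Run it with `wsadmin -lang jython -f associate_ssl.py` against the deployment manager. Because `effective_ssl_config` walks the scope string from the most specific component upward, a server-level association takes precedence over a node-level one, which in turn overrides the cell, matching the tree-view behaviour described above.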

Results

The selected scope and every scope beneath it on the topology tree use the same SSL configuration properties. The following SSL configuration methods override the centrally managed configurations that you associate in the tree view:
  • Direct selection at the endpoint
  • Dynamic outbound SSL configuration associations
  • Programmatic specifications

What to do next

At any management scope, you can configure the following objects: dynamic outbound endpoint SSL configurations, key stores, key sets, key set groups, key managers, and trust managers. Like SSL configurations, these objects are scoped automatically so that they are not visible higher up in the tree nor are they loaded during runtime by processes that are higher up in the tree.