After you create a Secure Sockets Layer (SSL) configuration, you must associate a secure inbound or outbound management scope with the new configuration. You can manage the association centrally so that you can easily make changes that affect all the scopes that are lower on the topology and that are associated with the configuration. Beginning with WebSphere® Application Server version 6.1, the recommended and the default configuration method is centrally managed SSL configurations.
Before you begin
You can reduce the number of associations that you need to make for an SSL configuration by associating the configuration with the highest level management scope that requires a unique configuration. SSL configuration associations manifest inheritance behaviors. Because of the inheritance behaviors, all of the scopes that are lower on the topology inherit this SSL configuration. For example, an association you make at the cell level affects nodes, servers, clusters, and endpoints. For more information, see Central management of SSL configurations.

A precedence rule determines which SSL configuration association is used at a particular scope. The highest precedence is given to endpoints on the topology. If you establish an association at the endpoint, this association overrides any prior association that you made higher up on the management scope topology.
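The inheritance and precedence rule described above, modelled as an added Python example (this is not WebSphere code and does not call the administrative console or wsadmin; the cell, node, server and endpoint names, the SSL configuration aliases and the certificate aliases are constructed): an explicit association at a scope is the equivalent of selecting "Override inherited values" there, `resolve` walks from the requested scope toward the cell and returns the nearest explicit association, and `label` renders a tree entry the way the console shows it, as Name(config,alias).

```python
"""Model of centrally managed SSL configuration association and precedence.

Constructed example, not WebSphere code: scope kinds, names and SSL
configuration aliases are hypothetical. It illustrates that the most
specific scope carrying an explicit association wins, and that every scope
beneath it on the topology inherits that association.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# A scope path lists the topology entries from the cell down to the scope
# of interest, e.g. (("cell", "Cell01"), ("node", "Node01"), ("server", "server1")).
Scope = Tuple[Tuple[str, str], ...]


@dataclass(frozen=True)
class Association:
    ssl_config: str   # SSL configuration alias, e.g. "NodeDefaultSSLSettings"
    cert_alias: str   # certificate alias in the key store the config references


class ScopeTree:
    """Holds explicit (overriding) associations keyed by direction and scope."""

    def __init__(self) -> None:
        self._explicit: Dict[Tuple[str, Scope], Association] = {}

    def associate(self, direction: str, scope: Scope,
                  ssl_config: str, cert_alias: str) -> None:
        """Record an explicit association, i.e. 'Override inherited values'."""
        if direction not in ("inbound", "outbound"):
            raise ValueError("direction must be 'inbound' or 'outbound'")
        self._explicit[(direction, scope)] = Association(ssl_config, cert_alias)

    def resolve(self, direction: str,
                scope: Scope) -> Optional[Tuple[Association, Scope]]:
        """Return the effective association and the scope it was set at.

        Walk from the requested scope up toward the cell and stop at the first
        scope that carries an explicit association: an endpoint association
        beats a server one, a server beats a node, a node beats the cell.
        Inbound and outbound are resolved independently of each other.
        """
        for depth in range(len(scope), 0, -1):
            candidate = scope[:depth]
            hit = self._explicit.get((direction, candidate))
            if hit is not None:
                return hit, candidate
        return None  # nothing associated anywhere on the path to the cell

    def label(self, direction: str, scope: Scope) -> str:
        """Render a tree entry as the console does: Name(config,alias)."""
        _, name = scope[-1]
        resolved = self.resolve(direction, scope)
        if resolved is None:
            return name
        assoc, _ = resolved
        return f"{name}({assoc.ssl_config},{assoc.cert_alias})"


# Constructed sample topology (hypothetical names).
CELL: Scope = (("cell", "Cell01"),)
NODE01: Scope = CELL + (("node", "Node01"),)
NODE02: Scope = CELL + (("node", "Node02"),)
SERVER1: Scope = NODE01 + (("server", "server1"),)
SERVER2: Scope = NODE02 + (("server", "server2"),)
WC_ENDPOINT: Scope = SERVER1 + (("endpoint", "WC_defaulthost_secure"),)


def build_sample_tree() -> ScopeTree:
    """Cell-level defaults, an inbound override on Node01, an endpoint override."""
    tree = ScopeTree()
    tree.associate("inbound", CELL, "CellDefaultSSLSettings", "default")
    tree.associate("outbound", CELL, "CellDefaultSSLSettings", "default")
    tree.associate("inbound", NODE01, "NodeDefaultSSLSettings", "default")
    tree.associate("inbound", WC_ENDPOINT, "EndpointSSLSettings", "web_cert")
    return tree


SAMPLE_TREE = build_sample_tree()

if __name__ == "__main__":
    for scope in (NODE01, NODE02, SERVER1, SERVER2, WC_ENDPOINT):
        for direction in ("inbound", "outbound"):
            assoc, source = SAMPLE_TREE.resolve(direction, scope)
            print(f"{direction:8} {SAMPLE_TREE.label(direction, scope):50} "
                  f"inherited from {source[-1][1]}")
```

Running the module prints one line per scope and direction; server1 picks up the node-level inbound override while its outbound side still inherits the cell default, server2 inherits the cell default in both directions, and the endpoint override on server1 wins over both the node and the cell.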
About this task
Complete the following steps in the administrative console:
Procedure
- Click Security > SSL certificate and key management.
- Select the Dynamically update the runtime when SSL configuration changes check box if you want changes that you make to an existing SSL configuration to occur dynamically. All outbound SSL communications honor the dynamic SSL changes. Protocols that do not use the channel framework SSL channel for inbound communications, including Object Request Broker (ORB) and administrative SOAP protocols, do not honor dynamic updates. For more information, see Dynamic configuration updates in SSL.
- Click Manage endpoint security configurations.
- Select either the inbound or the outbound tree. After finishing the selected tree, you can return to this step to repeat the following steps for the other tree.
- Click the link for the selected cell, node, node group, server, cluster, or endpoint on the topology tree. If the scope already has an associated SSL configuration and alias, these objects display in parentheses immediately following the scope name, for example: Node01(NodeDefaultSSLSettings,default). If the deployment manager has federated a node, the node scope SSL configuration overrides the cell scope configuration above it in the topology.
- Decide whether to override the inherited values that display in the read-only fields. Read-only fields include the management scope name, the direction, and the inherited SSL configuration name and certificate alias.
  - If you are satisfied with these values, do not override them.
  - If you want to override the inherited values, select the Override inherited values check box.
- Select an SSL configuration from the list.
- Click Update certificate alias list. The certificate alias list comes from the key store that is referenced by the new SSL configuration.
  - Click Manage certificates if you want to manage the personal certificates that are contained in the key store that is referenced in the SSL configuration.
  - Click Update certificate alias list to refresh the list of aliases.
- Select a certificate alias in the key store to represent the identity of the endpoint.
- Click OK to save your changes.
- Click Manage endpoint security configurations and trust zones to return to the topology tree.
- Configure the opposite direction on the topology tree using the steps in this task. You can also select additional scopes to associate with the SSL configuration, as needed.
Results
Each SSL configuration at the selected scope and at scopes beneath it on the topology tree has the same SSL configuration properties. The following SSL configuration methods override the centrally managed configurations that you associate in the tree view:
- Direct selection at the endpoint
- Dynamic outbound SSL configuration associations
- Programmatic specifications
What to do next
At any management scope, you can configure the following objects: dynamic outbound endpoint SSL configurations, key stores, key sets, key set groups, key managers, and trust managers. Like SSL configurations, these objects are scoped automatically so that they are not visible higher up in the tree, nor are they loaded during runtime by processes that are higher up in the tree.