SSL handshake and authentication process

To use SSL, both the client (the IMS TM resource adapter) and the server (IMS Connect) must be configured for SSL handshake.

At run time, when the Java™ client application executes an interaction with IMS, the interaction flows on a secure (SSL) connection between the SSL client, the IMS TM resource adapter, and the SSL server, IMS Connect. To open an SSL connection between the client and the server, an SSL handshake process occurs. This SSL handshake, which is transparent to the Java client application, occurs as follows:
  1. The SSL client, the IMS TM resource adapter, initiates a connection by sending a client hello message. The server, IMS Connect, replies with a server hello message and its certificate that contains its public key.
  2. If the client authenticates this server certificate successfully, a session key is established at both ends and a cipher specification is negotiated that determines the type of encryption to be used on the connection. The cipher can be STRONG, WEAK, or ENULL. If the server does not require client authentication, the SSL handshake is then complete.
  3. If the server requires client authentication, the client authenticates the server's certificate by using the server's public key from its certificate. If this authentication is successful, the client sends a certificate from its keystore. If the server authenticates this client certificate successfully, a session key is established at both ends, and a cipher specification is negotiated that determines the type of encryption to be used on the connection. The SSL handshake is then complete.
  4. The client and server are ready to send and receive encrypted data.
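
The three outcomes of the handshake above (no client authentication required, client authentication required but no certificate offered, client authentication required and satisfied) can be played out with Go's crypto/tls. This is an added example, not IBM code and not part of the original page: the certificates, the host names imsconnect.example and ims-tm-ra.example, and the loopback listener are constructed stand-ins for IMS Connect and the resource adapter's keystore and truststore.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed certificate; constructed for this example, not a real IMS certificate.
func selfSigned(cn string, usage x509.ExtKeyUsage) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{usage}, BasicConstraintsValid: true, IsCA: true,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Stand-ins for the IMS Connect server certificate and the certificate in the resource adapter's keystore.
var ServerCert, ClientCert = selfSigned("imsconnect.example", x509.ExtKeyUsageServerAuth),
	selfSigned("ims-tm-ra.example", x509.ExtKeyUsageClientAuth)

func trust(c tls.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c.Leaf); return p } // peer's truststore

// Handshake runs one TLS handshake over loopback: auth is the server's client-authentication policy, clientCerts
// is what the client's keystore offers (nil for none). It returns the negotiated cipher suite or the handshake
// error. TLS 1.2 is pinned so that a rejected client certificate surfaces in Dial itself; in TLS 1.3 the client
// side finishes before the server has checked that certificate.
func Handshake(auth tls.ClientAuthType, clientCerts []tls.Certificate) (string, error) {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{ServerCert}, ClientAuth: auth,
		ClientCAs: trust(ClientCert), MaxVersion: tls.VersionTLS12}
	cliCfg := &tls.Config{Certificates: clientCerts, RootCAs: trust(ServerCert),
		ServerName: "imsconnect.example", MaxVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	// Server side: accept one connection, drive the handshake (verifying the client certificate if required), hang up.
	go func() { if c, err := ln.Accept(); err == nil { c.(*tls.Conn).Handshake(); c.Close() } }()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg) // returns only after the handshake completes or fails
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return tls.CipherSuiteName(conn.ConnectionState().CipherSuite), nil
}
```

Calling Handshake(tls.RequireAndVerifyClientCert, nil) fails with a bad-certificate alert from the server, while passing []tls.Certificate{ClientCert} succeeds and reports the negotiated ECDHE-ECDSA suite, which is the cipher specification the text refers to.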

Important: When the client applications run in a managed environment, which is particularly preferred with SSL connections, the IMS TM resource adapter must use persistent socket connections to communicate with IMS Connect. However, in a non-managed environment, these persistent connections are disconnected by the application after each use rather than being made available for reuse by another application.

When the WebSphere® Application Server Connection Manager is used, connections can be serially reused by other client applications. The connection manager creates connections if necessary and provides them to the applications as needed. When an application is finished using a connection, the connection manager returns that connection to the free pool, making it available for reuse by any other application that requires that type of connection. However, client and server authentication occur only once for each socket, during the handshake that takes place when that socket is first created and initialized as an SSL socket. When a socket is reused, the SSL client, the IMS TM resource adapter, and the server, IMS Connect, do not change. Consequently, it is not necessary to re-authenticate the client and the server (go through the handshake process again) when a socket is reused. The client ID that identifies a socket remains the same each time the socket is reused.

If the SSLEncryption value is set to ENULL, the connection performs faster than SSL connections that use STRONG or WEAK encryption. The size of the performance improvement depends on several factors, including whether hardware or software encryption is used. In general, hardware encryption is faster than software encryption.