Dynamic outbound endpoint SSL configuration settings

Use this page to set properties for dynamic outbound endpoint SSL configurations, which represent associations between SSL configurations and their target protocol, host, and port.

To view this administrative console page, click Security > SSL certificate and key management. Under Configuration settings, click Manage endpoint security configurations > {Inbound | Outbound} > ssl_configuration. Under Related items, click Dynamic [inbound | outbound] endpoint SSL configurations. Then, click the New button.

When an outbound connection is attempted, this association is checked before the Secure Sockets Layer (SSL) configuration scope association. Therefore, depending on the target protocol, host, and port, the outbound SSL configuration that is used can differ from the default that is specified in the SSL scope configuration.

Name

Specifies the unique name of the dynamic endpoint configuration.

Information Value
Data type: Text

Description

Specifies text that describes the purpose of this dynamic selection criteria.

Information Value
Data type: Text

Add connection information

Specifies selection information in the form protocol,host,port for the outbound connection. Multiple selection criteria can be entered. Not all of the connection information for dynamic outbound selection might be available at run time; in that case, adjust the dynamic outbound selection connection filter and enter an asterisk (*) for the missing part of the connection information. An asterisk (*) can be used in any field to mean all protocols, hosts, or ports.

Information Value
Data type: Text
An example of selection criteria is:
*,www.ibm.com,*
In this example, whenever the target host is www.ibm.com, the SSL configuration that is specified here is used.
Another example of selection criteria is:
IIOP,*,*
In this example, any outbound IIOP request uses the SSL configuration that is specified in the SSL configuration field. When two selection criteria conflict, the application server uses the first match. The following protocols are valid:
  • IIOP
  • HTTP
  • SIP
  • JMS
  • BUS_CLIENT
  • BUS_TO_BUS
  • BUS_TO_WEBSPHERE_MQ
  • CLIENT_TO_WEBSPHERE_MQ
  • LDAP
  • ADMIN_IIOP
  • ADMIN_SOAP
  • ADMIN_IPC
  • WEBSERVICES_HTTP
  • WEBSERVICES_JMS
CAUTION:
A text comparison is performed between the dynamic SSL configuration selection criteria and the connection information that is obtained from the runtime. Although HTTP connections use hostnames, IIOP connection information is usually the IP address of the target host rather than its hostname. The only exception is if you use IIOP HTTP tunneling. For more information, see the topic on enabling HTTP tunneling. Create a configuration with the IP address for IIOP requests, unless you are using tunneling.

When user-written applications are expected to take advantage of dynamic outbound selection, be aware that not all connection information might be available. For example, the openConnection() call on a URL object ultimately calls createSocket(java.net.Socket socket, String host, int port, boolean autoClose). The connection information can be built from the host and port that are provided, but no protocol is provided. In this case, a wildcard, an asterisk (*), can be used for the protocol part of the dynamic selection connection information.
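The selection rules described above (protocol,host,port entries, the asterisk wildcard, plain text comparison, and first match wins), modelled as an added Python example that is not WebSphere code; the entry names, hosts, addresses, and the scope default name are constructed for illustration.

```python
# Added example (not WebSphere code): a model of the documented matching rules
# for dynamic outbound selection criteria. Entries are "protocol,host,port",
# "*" means any value, fields are compared as plain text, and the first
# matching entry wins. All entry names, hosts and addresses are constructed.
VALID_PROTOCOLS = {
    "IIOP", "HTTP", "SIP", "JMS", "BUS_CLIENT", "BUS_TO_BUS",
    "BUS_TO_WEBSPHERE_MQ", "CLIENT_TO_WEBSPHERE_MQ", "LDAP", "ADMIN_IIOP",
    "ADMIN_SOAP", "ADMIN_IPC", "WEBSERVICES_HTTP", "WEBSERVICES_JMS",
}


def parse_criterion(text):
    """Split 'protocol,host,port'; reject malformed entries and unknown protocols."""
    parts = [p.strip() for p in text.split(",")]
    if len(parts) != 3 or "" in parts:
        raise ValueError(f"expected protocol,host,port: {text!r}")
    protocol, host, port = parts
    if protocol != "*" and protocol not in VALID_PROTOCOLS:
        raise ValueError(f"unknown protocol {protocol!r} in {text!r}")
    if port != "*" and not port.isdigit():
        raise ValueError(f"port must be a number or '*': {text!r}")
    return protocol, host, port


def matches(criterion, connection):
    """Field-by-field text comparison; '*' in the criterion matches anything.

    No DNS lookup is done: an IIOP connection reported as an IP address does
    not match a criterion that names the host, and vice versa."""
    return all(c == "*" or c == v for c, v in zip(criterion, connection))


def select_ssl_config(entries, connection, scope_default):
    """entries: [(criterion_text, ssl_config_name), ...] in configured order.
    connection: (protocol, host, port) strings reported by the runtime; use ""
    for a part the caller did not supply (no protocol from openConnection()).
    Returns the SSL configuration of the first match, else the scope default."""
    for text, ssl_config in entries:
        if matches(parse_criterion(text), connection):
            return ssl_config
    return scope_default


if __name__ == "__main__":
    # Constructed entries, in the order they appear on the selection list.
    entries = [("*,www.ibm.com,*", "IbmHostSSLConfig"), ("IIOP,*,*", "IiopSSLConfig")]
    # IIOP reports the target IP (constructed TEST-NET address), so the host
    # entry does not match and the IIOP entry is the first match.
    print(select_ssl_config(entries, ("IIOP", "192.0.2.10", "2809"), "ScopeDefaultSSL"))
```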

Add

Specifies to add the selected information from the Add select information menu to the list.

Remove

Specifies to remove the selection from the list.

SSL Configuration

Specifies the SSL configuration to be used by requests at this scope when a match occurs for the given selection criteria.

Information Value
Data type: Text

Get certificate alias

When selected, the keystore within the selected SSL configuration is queried for a list of personal certificates from which to choose.

Certificate alias

Specifies the certificate alias that is used as the identity for the connection.

If you select None, the Java™ Secure Sockets Extension (JSSE) key manager determines which certificate is used. If multiple certificates exist in the keystore, the key manager might not consistently select the same certificate.

Information Value
Data type: Text
Default: (none)