Central management of SSL configurations

By default, Secure Sockets Layer (SSL) configurations for servers are managed from a central location in the topology view of the administrative console. You can associate an SSL configuration and certificate alias with a specific management scope. This is the most efficient way to manipulate and modify configurations when the server topology changes.

In prior releases, SSL configurations were managed for each process, so you had to maintain individual settings for each SSL configuration in the topology. In this release of WebSphere® Application Server, management control of your SSL configurations offers more options and additional flexibility. You can make coarse-grained changes for the entire topology using the cell scope and also make fine-grained changes using a particular endpoint name for a specific application server process. Because SSL configuration associations are inherited down the topology, you can reduce the number of associations by referencing only the highest management scope that needs a unique configuration.

The topology view provides the scoping mechanism. An SSL configuration takes its scope from the point in the topology where it is created, and that scope is what the topology view displays. The scope encompasses the level where you created the configuration and all the levels below that point. For example, when you create an SSL configuration at a specific node, that configuration can be seen by that node agent and by every application server that is part of that node. Any application server or node that is not part of this particular node cannot see this SSL configuration.

Your security environment determines how many unique SSL configurations you need and where in the topology the SSL configurations and certificate aliases are placed. You can also configure different certificate aliases and different SSL configurations for inbound connections versus outbound connections.

To configure the inbound and outbound topologies, which must be done separately in the administrative console, click Security > SSL certificates and key management > Manage endpoint security configurations > Inbound | Outbound.

Default centrally managed SSL configuration

The default management scope is the node scope. When a node is federated into a cell, the default SSL configurations for the node are maintained, as shown in the following sslConfigGroups and managementScopes entries:
<sslConfigGroups xmi:id="SSLConfigGroup_1" name="myhostNode01"
    direction="inbound" certificateAlias="default" sslConfig="SSLConfig_1"
    managementScope="ManagementScope_1"/>
<sslConfigGroups xmi:id="SSLConfigGroup_2" name="myhostNode01"
    direction="outbound" certificateAlias="default" sslConfig="SSLConfig_1"
    managementScope="ManagementScope_1"/>

<managementScopes xmi:id="ManagementScope_1"
    scopeName="(cell):myhostNode01Cell:(node):myhostNode01" scopeType="node"/>
The SSL configuration with xmi:id "SSLConfig_1" is also federated and applies at that scope:
<repertoire xmi:id="SSLConfig_1" alias="NodeDefaultSSLSettings"
    managementScope="ManagementScope_1">
    <setting xmi:id="SecureSocketLayer_1" clientAuthentication="true"
        securityLevel="HIGH" enabledCiphers="" jsseProvider="IBMJSSE2"
        sslProtocol="SSL_TLS" keyStore="KeyStore_1" trustStore="KeyStore_2"
        trustManager="TrustManager_1" keyManager="KeyManager_1"/>
</repertoire>
The keystores that are associated with the SSLConfig_1 SSL configuration are also federated, and key.p12 is located in the node directory of the configuration repository. The {xor} prefix on the password attribute marks a reversibly obfuscated value rather than an encrypted one, so access to the configuration repository files themselves must be restricted:
<keyStores xmi:id="KeyStore_1" name="NodeDefaultKeyStore"
    password="{xor}HRYNFAtrbxEwOzpvbhw6MzM=" provider="IBMJCE"
    location="${USER_INSTALL_ROOT}/config/cells/myhostNode01Cell/nodes/myhostNode01/key.p12"
    type="PKCS12" fileBased="true" hostList=""
    initializeAtStartup="true" managementScope="ManagementScope_1"/>
<keyStores xmi:id="KeyStore_2" name="NodeDefaultTrustStore"
    password="{xor}HRYNFAtrbxEwOzpvbhw6MzM=" provider="IBMJCE"
    location="${USER_INSTALL_ROOT}/config/cells/myhostNode01Cell/nodes/myhostNode01/trust.p12"
    type="PKCS12" fileBased="true" hostList=""
    initializeAtStartup="true" managementScope="ManagementScope_1"/>
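As an added example that is not part of the IBM documentation, the following Python applies the inheritance rule described above to sslConfigGroups and managementScopes entries: each scopeName is treated as a path, an association is visible at its own scope and every scope beneath it, and the deepest visible association for a direction wins. The node-scope entries are the ones shown on this page; the server-scope override (ManagementScope_2, SSLConfig_2, server1, server1cert) and the "(server)" scopeName segment are constructed assumptions.

```python
"""Resolve which centrally managed SSL configuration applies at a management
scope: an association is visible at its scope and below, deepest match wins."""
import xml.etree.ElementTree as ET

# Constructed sample: the node-scope entries from the page wrapped in a minimal
# root, plus a HYPOTHETICAL server-scope inbound override (SSLConfigGroup_3,
# ManagementScope_2, SSLConfig_2, server1, server1cert) that is not from the page.
SECURITY_XML = """<security xmlns:xmi="http://www.omg.org/XMI">
<sslConfigGroups xmi:id="SSLConfigGroup_1" name="myhostNode01" direction="inbound"
  certificateAlias="default" sslConfig="SSLConfig_1" managementScope="ManagementScope_1"/>
<sslConfigGroups xmi:id="SSLConfigGroup_2" name="myhostNode01" direction="outbound"
  certificateAlias="default" sslConfig="SSLConfig_1" managementScope="ManagementScope_1"/>
<sslConfigGroups xmi:id="SSLConfigGroup_3" name="server1" direction="inbound"
  certificateAlias="server1cert" sslConfig="SSLConfig_2" managementScope="ManagementScope_2"/>
<managementScopes xmi:id="ManagementScope_1" scopeType="node"
  scopeName="(cell):myhostNode01Cell:(node):myhostNode01"/>
<managementScopes xmi:id="ManagementScope_2" scopeType="server"
  scopeName="(cell):myhostNode01Cell:(node):myhostNode01:(server):server1"/>
</security>"""

XMI_ID = "{http://www.omg.org/XMI}id"  # ElementTree's key for the xmi:id attribute


def scope_path(scope_name):
    """'(cell):C:(node):N' -> [('cell', 'C'), ('node', 'N')]."""
    parts = scope_name.split(":")
    return [(parts[i].strip("()"), parts[i + 1]) for i in range(0, len(parts), 2)]


def resolve_ssl_config(xml_text, target_scope, direction):
    """Return (sslConfig, certificateAlias, scopeName) of the most specific
    sslConfigGroups entry visible at target_scope for `direction`, or None."""
    root = ET.fromstring(xml_text)
    scopes = {s.get(XMI_ID): s.get("scopeName") for s in root.iter("managementScopes")}
    target = scope_path(target_scope)
    best, best_depth = None, -1
    for grp in root.iter("sslConfigGroups"):
        if grp.get("direction") != direction:
            continue
        name = scopes[grp.get("managementScope")]
        path = scope_path(name)
        # Visible only if the association's scope is the target or one of its ancestors.
        if target[:len(path)] != path:
            continue
        if len(path) > best_depth:
            best, best_depth = (grp.get("sslConfig"), grp.get("certificateAlias"), name), len(path)
    return best
```

Resolving the outbound direction for server1 falls back to the node-scope SSLConfig_1, while a sibling node or the cell scope itself sees no configuration at all.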

Related concepts
SSL configurations
Secure communications using Secure Sockets Layer (SSL)


Last updated: Sep 19, 2011 4:16:02 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=matt&product=was-base-dist&topic=csec_sslcentralmanconfigs
File name: csec_sslcentralmanconfigs.html