During the Secure Sockets Layer (SSL) runtime, dynamic
configuration updates affect both inbound and outbound SSL endpoints.
For inbound SSL endpoints, only the changes that are implemented by the
SSL channel are affected by dynamic updates. For outbound SSL
endpoints, all new outbound connections inherit the updated
configuration.
In this release, dynamic update functionality provides you with
greater flexibility and efficiency. You can change SSL configurations
without restarting WebSphere® Application Server
for the changes to take effect.
To make dynamic changes, in the administrative console click , then select the Dynamically
update the runtime when SSL configuration changes occur check
box. You must save your changes and then synchronize the security.xml file
with remote systems. A remote system must be able to confirm that dynamicallyUpdateSSLConfig=true is
in the security.xml file.
The SSL runtime reloads the modified SSL configuration and creates
a new SSLEngine for the modified connections that are associated with
inbound endpoints. New outbound connections use the new configuration
while existing connections continue to use the old SSLEngine object
and are not affected.
Tip: Make dynamic changes to the SSL configuration
during off-peak hours. Synchronization delays can negatively affect
connections when you update SSL configurations during peak hours.
You can turn the dynamicallyUpdateSSLConfig attribute in the
security.xml file on and off to ensure that updates succeed, by doing
the following actions:
- Set dynamicallyUpdateSSLConfig=On.
- Save the updated configuration.
- Synchronize the security.xml file with remote systems.
- Set the dynamicallyUpdateSSLConfig attribute to Off.
You must verify that all of the nodes receive the changes before
turning off the dynamicallyUpdateSSLConfig attribute. Test the changes
in a test environment before updating the production environment.
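The verification step above (confirm that every node received the synchronized security.xml with dynamicallyUpdateSSLConfig set before switching the attribute off) can be scripted against the files that synchronization writes to each node. The following is an added example, not IBM's code or part of this page: it assumes that security.xml is an XMI document whose root Security element carries the dynamicallyUpdateSSLConfig attribute, and that a node is "in sync" when its copy is byte-identical to the deployment manager's copy. The sample security.xml bodies, the node names and the namespace URI are constructed for the example.

```python
"""Check every node's synchronized security.xml before turning
dynamicallyUpdateSSLConfig back off.

Added example, not IBM's code. Assumptions: the attribute sits on the root
Security element of security.xml, and a node counts as synchronized when its
file is byte-identical to the deployment manager's copy.
"""
import hashlib
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample security.xml bodies (namespace URI is assumed, not
# taken from a real install). _ENABLED has the flag on, _DISABLED does not.
_ENABLED = """<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://example.invalid/security.xmi"
    xmi:id="Security_1" dynamicallyUpdateSSLConfig="true"/>
"""
_DISABLED = _ENABLED.replace('dynamicallyUpdateSSLConfig="true"',
                             'dynamicallyUpdateSSLConfig="false"')

# Constructed cell: dmgr and node1 have been synchronized, node2 has not.
SAMPLE_SECURITY_XML = {
    "dmgr": _ENABLED,
    "node1": _ENABLED,
    "node2": _DISABLED,
}


def dynamic_update_enabled(xml_text: str) -> bool:
    """True when the root element carries dynamicallyUpdateSSLConfig="true"."""
    root = ET.fromstring(xml_text)
    return root.get("dynamicallyUpdateSSLConfig", "false").strip().lower() == "true"


def config_fingerprint(xml_text: str) -> str:
    """Short SHA-256 of the file bytes, used to compare copies across nodes."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()[:16]


def check_nodes(configs: dict, reference: str = "dmgr") -> dict:
    """Per node: is the flag on, and does the file match the reference copy?"""
    ref_fp = config_fingerprint(configs[reference])
    return {
        node: {
            "dynamic_update": dynamic_update_enabled(text),
            "in_sync": config_fingerprint(text) == ref_fp,
        }
        for node, text in configs.items()
    }


def safe_to_turn_off(report: dict) -> bool:
    """Only switch the attribute off once every node has the synced, enabled file."""
    return all(r["dynamic_update"] and r["in_sync"] for r in report.values())


def load_from_paths(paths: dict) -> dict:
    """Read security.xml files from disk, e.g. {"node1": Path(".../security.xml")}.
    Hypothetical helper for real use; the sample data above is used offline."""
    return {node: Path(p).read_text(encoding="utf-8") for node, p in paths.items()}


if __name__ == "__main__":
    report = check_nodes(SAMPLE_SECURITY_XML)
    for node, result in report.items():
        print(f"{node}: dynamic_update={result['dynamic_update']} in_sync={result['in_sync']}")
    print("safe to set dynamicallyUpdateSSLConfig off:", safe_to_turn_off(report))
```

Run it as-is to see the constructed cell report node2 as out of sync; point load_from_paths at each profile's config directory to check a real cell after the synchronize step.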
Tip: Some SSL changes, especially administrative SSL
changes, can cause server outages if you fail to test them first.
When a change prevents trust between two endpoints, the endpoints
cannot communicate with each other. Additionally, if administrative
SSL connection updates cause system outages, you might need to disable
the nodes after you make corrective changes using the deployment manager.
From the command line, you can manually synchronize the server to
retrieve the new SSL changes, then restart the nodes.