Secure Sockets Layer communication with DataPower
In the default installations of the application server and the DataPower® appliance manager, Secure Sockets Layer (SSL) communication is used to send commands to, and receive events from, the managed DataPower appliances. The default SSL configuration used by the DataPower appliance manager can be strengthened by customizing the SSL connection. Modifying the default SSL configuration is optional; do it only when the default configuration does not meet your security requirements.
SSL is used to send commands to each known DataPower appliance. In this scenario, the application server and the DataPower appliance manager act as the SSL client, and the DataPower appliances act as the SSL servers. This SSL connection uses the ibmPKIX trust manager, which performs only limited verification of the DataPower appliance: neither the certificate chain of the appliance certificate nor its revocation status is checked, so an appliance certificate that has been revoked is still accepted. The default configuration also does not perform SSL client authentication in this scenario, so the appliance does not verify the identity of the appliance manager that sends the command.
The DataPower root certificate, located at app_server_root/profiles/profile_name/etc/DataPower-root-ca-cert.pem, is shipped as part of the default keystore. During profile creation, this certificate is automatically added to file-based keystores. Because SAF keyrings are not file-based, the certificate must be added to the RACF® keyring manually.
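The following batch job is added here as an illustration of that manual step on z/OS®; it is not part of the product documentation or the product itself. It uses RACDCERT to add the shipped root certificate as a trusted certificate-authority certificate and to connect it to the application server's SAF keyring. The data set name WASADM.DPROOTCA.PEM, the server user ID WASSRV and the ring name WASKEYRING are assumptions; substitute your own. The job also assumes that DataPower-root-ca-cert.pem was first transferred as text (ASCII mode) into a variable-length (RECFM=VB) sequential data set, and that the submitting user has the RACF authority to add CERTAUTH certificates and to connect them to another user's ring.

```jcl
//DPCERT   JOB (ACCT),'ADD DP ROOT CA',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//*------------------------------------------------------------------
//* Illustrative job, not product code. Assumed names (replace them):
//*   WASADM.DPROOTCA.PEM  RECFM=VB data set holding the text-mode
//*                        upload of DataPower-root-ca-cert.pem
//*   WASSRV               user ID the application server runs under
//*   WASKEYRING           SAF keyring used by the server (case matters)
//* Command 1 adds the root CA as a trusted CERTAUTH certificate,
//* command 2 connects it to the ring as a signer (USAGE(CERTAUTH)),
//* command 3 refreshes RACLISTed DIGTCERT/DIGTRING profiles, and
//* command 4 lists the ring so the new connection can be confirmed.
//*------------------------------------------------------------------
//TSOCMD   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT CERTAUTH ADD('WASADM.DPROOTCA.PEM') +
    WITHLABEL('DataPower Root CA') TRUST
  RACDCERT ID(WASSRV) CONNECT(CERTAUTH LABEL('DataPower Root CA') +
    RING(WASKEYRING) USAGE(CERTAUTH))
  SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
  RACDCERT ID(WASSRV) LISTRING(WASKEYRING)
/*
```

After the job completes, the LISTRING output should show the label DataPower Root CA connected to the ring with usage CERTAUTH. The SETROPTS REFRESH is needed only if the DIGTCERT and DIGTRING classes are RACLISTed on your system; the application server must be restarted before it picks up the changed keyring.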
SSL is also used for the events that the application server and the DataPower appliance manager receive from each managed DataPower appliance. In this scenario, the application server and the DataPower appliance manager act as the SSL server, and the DataPower appliances act as the SSL clients. By default, SSL client authentication is not performed in this scenario either, so the appliance manager does not verify the identity of the appliance that delivers an event.