Dynamic outbound selection of Secure Sockets Layer configurations
WebSphere® Application Server provides dynamic outbound selection that enables you to choose a specific Secure Sockets Layer (SSL) configuration and certificate alias for each outbound protocol, target host, target port, or any combination of these attributes. You can specify the dynamic selection information for outbound connections from a pure client or from a server that is acting as a client.
Before the SSL runtime for WebSphere Application Server starts an outbound connection, the runtime attempts to match the outbound protocol, target host, and target port attributes with the dynamic outbound selection information that is associated with an SSL configuration and certificate alias in the configuration.
The runtime caches both selection misses and selection hits, so the impact on performance can be minimal. However, a relationship exists between the amount of dynamic outbound selection information and its impact on the initial connection performance.
Dynamic selection information for outbound administrative SOAP connections
The default dynamic outbound selection configuration specifies that all outbound administrative SOAP connections use the same SSL configuration and certificate alias within the entire cell.
<dynamicSSLConfigSelections xmi:id="DynamicSSLConfigSelection_1"
    name="AdminSSLOutbound"
    description="Uses the AdminSSL configuration for all outbound SOAP calls."
    dynamicSelectionInfo="ADMIN_SOAP,*,*"
    certificateAlias="default"
    sslConfig="SSLConfig_2"
    managementScope="ManagementScope_1"/>
The SSL runtime checks the configuration and confirms that certificateAlias="default" and sslConfig="SSLConfig_2" for the ADMIN_SOAP protocol when you enable client certificate authentication.

Target information during outbound connections
com.ibm.ssl.direction
    The value for outbound connections is OUTBOUND.
com.ibm.ssl.remoteHost
    The format should match what the protocol provides. Typically this is the canonical Domain Name Space (DNS) name, but it could also be the IP address.
    Avoid trouble: The name comparison is performed as a case-insensitive string comparison. No name resolution is performed during the comparison, so a host name entry does not match a connection made to the corresponding IP address, and vice versa.
com.ibm.ssl.remotePort
    The port is the target port.
com.ibm.ssl.endPointName
    The value for an outbound connection must be one of the following protocol strings:
    - IIOP
    - HTTP
    - SIP
    - JMS
    - BUS_CLIENT
    - BUS_TO_BUS
    - BUS_TO_WEBSPHERE_MQ
    - CLIENT_TO_WEBSPHERE_MQ
    - LDAP
    - ADMIN_IIOP
    - ADMIN_SOAP
    - ADMIN_IPC
    - WEBSERVICES_HTTP
    - WEBSERVICES_JMS
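The following is an added example, not WebSphere's own code, that models how the selection described above behaves: each dynamicSelectionInfo triple (protocol, host, port, with "*" as a wildcard) is matched against the outbound connection's endPointName, remoteHost and remotePort, the host comparison is case-insensitive with no name resolution, endPointName is restricted to the protocol strings listed, and both hits and misses are cached so that repeat connections to the same target skip the scan. The AdminSSLOutbound entry is taken from the page; the LdapOutbound entry, its SSL configuration name and certificate alias, and the first-match-wins ordering are assumptions of this model.

```python
"""Illustrative model of dynamic outbound SSL configuration selection.
Added example; not WebSphere's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Protocol strings the page lists as valid com.ibm.ssl.endPointName values
# for outbound connections.
OUTBOUND_ENDPOINT_NAMES = frozenset({
    "IIOP", "HTTP", "SIP", "JMS", "BUS_CLIENT", "BUS_TO_BUS",
    "BUS_TO_WEBSPHERE_MQ", "CLIENT_TO_WEBSPHERE_MQ", "LDAP",
    "ADMIN_IIOP", "ADMIN_SOAP", "ADMIN_IPC",
    "WEBSERVICES_HTTP", "WEBSERVICES_JMS",
})


@dataclass(frozen=True)
class DynamicSelection:
    """One dynamicSSLConfigSelections entry (field names follow the page's XML)."""
    name: str
    dynamic_selection_info: str   # "protocol,host,port"; '*' is a wildcard
    ssl_config: str
    certificate_alias: str

    def _triple(self) -> Tuple[str, str, str]:
        fields = [f.strip() for f in self.dynamic_selection_info.split(",")]
        if len(fields) != 3:
            raise ValueError(f"{self.name}: expected protocol,host,port, "
                             f"got {self.dynamic_selection_info!r}")
        proto, host, port = fields
        if port != "*" and not port.isdigit():
            raise ValueError(f"{self.name}: port must be '*' or numeric, got {port!r}")
        return proto, host, port

    def matches(self, endpoint_name: str, remote_host: str, remote_port: int) -> bool:
        proto, host, port = self._triple()
        # The protocol string must match exactly unless wildcarded.
        if proto != "*" and proto != endpoint_name:
            return False
        # Host is a case-insensitive string comparison with no DNS resolution,
        # so a host-name entry never matches a connection made to an IP address.
        if host != "*" and host.lower() != remote_host.lower():
            return False
        if port != "*" and int(port) != remote_port:
            return False
        return True


class OutboundSSLSelector:
    """Resolves the SSL configuration for an outbound connection and caches
    the outcome, misses included, so repeat connections skip the scan."""

    def __init__(self, selections: List[DynamicSelection]):
        self._selections = list(selections)
        # A cached value of None records a miss (no dynamic selection applies).
        self._cache: Dict[Tuple[str, str, int], Optional[DynamicSelection]] = {}
        self.scans = 0   # full scans performed; lets a caller observe the cache

    def select(self, endpoint_name: str, remote_host: str,
               remote_port: int) -> Optional[DynamicSelection]:
        if endpoint_name not in OUTBOUND_ENDPOINT_NAMES:
            raise ValueError(f"unknown outbound endPointName {endpoint_name!r}")
        key = (endpoint_name, remote_host.lower(), int(remote_port))
        if key in self._cache:
            return self._cache[key]
        self.scans += 1
        hit: Optional[DynamicSelection] = None
        # First matching entry wins (an assumption of this model; the page
        # does not state an ordering rule).
        for sel in self._selections:
            if sel.matches(endpoint_name, remote_host, remote_port):
                hit = sel
                break
        self._cache[key] = hit
        return hit


def build_example_selector() -> OutboundSSLSelector:
    """Constructed configuration: the page's AdminSSLOutbound entry plus a
    hypothetical LDAP-specific entry pinned to one host and port."""
    return OutboundSSLSelector([
        DynamicSelection("AdminSSLOutbound", "ADMIN_SOAP,*,*", "SSLConfig_2", "default"),
        DynamicSelection("LdapOutbound", "LDAP,ldap.example.com,636",
                         "LdapSSLConfig", "ldapClientCert"),   # hypothetical entry
    ])


if __name__ == "__main__":
    selector = build_example_selector()
    for args in [("ADMIN_SOAP", "dmgr.example.com", 8879),
                 ("LDAP", "LDAP.EXAMPLE.COM", 636),
                 ("LDAP", "10.0.0.5", 636)]:
        hit = selector.select(*args)
        print(args, "->", f"{hit.ssl_config}/{hit.certificate_alias}" if hit
              else "no dynamic selection; the default SSL configuration applies")
```

A miss returns None, which stands for "fall back to the scope's default SSL configuration"; the point of caching misses as well as hits is that the cost of scanning a long selection list is paid once per distinct (protocol, host, port) target rather than on every connection, which is the performance relationship the page describes.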